lists.openwall.net: Open Source and information security mailing list archives
Date: Thu, 01 Nov 2007 22:21:58 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: mac trojan in-the-wild

--On November 1, 2007 4:53:12 PM -1000 Peter Besenbruch <prb@...a.net> 
wrote:
>>
>> There is no need to do that.  In both Macs and Gnome or KDE on Unix, if
>> you try to run rpm -i (or whatever the install paradigm is on your
>> flavor of OS), you'll be *prompted* for the root password, not asked to
>> run it as root.  Big difference, and one that many users do not
>> appreciate at all.
>
> Sadly, that doesn't seem to work on Debian. Yes, I have RPM installed.
>
Well, as with anything, YMMV.  The point is, this will work for some 
percentage of the population, particularly those who have recently moved 
from Windows to Linux because "it's more secure!"

>> When an internationally recognized Ph.D psychologist can lose $3 million
>> US to the 419 scam and be prepared to lose more, is it really a stretch
>> to think that a fake codec trojan will make inroads on the Mac?
>
> The question is, HAS it made inroads?

Considering it was discovered just 48 hours ago, I think it's too early to 
tell.  I fully expect to see some Macs trojaned by this.  How many is 
anybody's guess, but it's merely a matter of time before we start seeing 
them show up in botnets.

OSes might be "secure" or "insecure" but people don't change.

> From what I read, it hasn't. What are the factors limiting the spread?

The number of naive users who have Macs.

> Making inroads on the Mac would be analogous to the Nigerians tricking
> many PhDs in psychology.
>
That wasn't my meaning.  In my opinion *any* trojaned Macs would be 
newsworthy simply because we haven't seen that before.

> As I implied in my last post, the spread of malware is somewhat
> proportional to the level of interaction. Even on a Mac, you have to go
> through a number of steps to install this stuff.

There are (debatably) hundreds of thousands of bots trojaned with Storm. 
As I'm sure you are aware, you get a Storm trojan by clicking on the link 
in an email and then downloading the "greeting card" that it suckers you 
into viewing.  Yes, it does take advantage of vulnerabilities in Windows 
**when those are available**, but it also takes advantage of fully patched 
machines when their owners are naive.  The same thing will happen with 
Macs or with any Unix system.

Furthermore, I think it's naive to say "you have to go through a number of 
steps to install this stuff" when you go through *exactly* the same number 
of steps to install something that someone you know recommends to you. 
For example, a friend emails you and says he/she found this fantastic 
utility that allows you to quickly determine all the running processes on 
your machine.  Curious, you click on the link, download the software and 
start the install.  Your Mac prompts you for the root password (which is 
also *your* password for most Mac users) and you type it in.  The program 
installs and you start it, eager to see what your friend is raving about.

You just completed *all* the same steps that the trojan compels you to do.

How many people do this sort of thing *every* day, without giving a 
second's thought because their friend sent the email and recommended it? 
Enough, apparently, to make it worthwhile for criminals to target Macs.

That should give a thinking person pause.  It's certainly one more thing 
that I will have to worry about at work.

Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
