Macs Hit With BitTorrent-Embedded Malware Attack

For years, Mac users have been rightfully smug about their platform's relative immunity to virus and malware attacks, but it's inevitable that those days will eventually come to an end. (As the Mac gains in popularity, it also earns more attention from malware developers, and it's this lack of malware being actively developed, not some special, inherent security, that has really kept the Mac a "safe" platform for the time being.)

Now we're seeing one of the first moderately-sized exploits to take advantage of Mac users. The iServices.A Trojan horse is an attack being distributed via BitTorrent, where it's disguised as a bootleg copy of the new iWork 09. Once installed, the malware takes administrator access and connects to remote servers over the Internet, where it can be given additional instructions as the author commands, from installing additional malware to stealing information off the Mac in question. The malware creator can also take complete remote control of any compromised machine.

Security firm Intego said that just 20,000 machines had been infected as of January 21 but that the risk of ongoing infection was "serious, and users may face extremely serious consequences" if they are stricken with the malware.

Mac users are advised to use common sense -- that is, don't try to download and install pirated software -- and to update any antivirus definitions immediately. If you're a Mac user and aren't using security software, well, this might be a good time to start.

And claiming to be the underdog...has left the lexicon...



This is a stupid claim. Whatever the cause of the fact that there is less malware for OS X (it's more secure, less market share so malware authors don't bother, etc.), the only way this spreads is by a user downloading and running it. This isn't some worm attacking a 0day vulnerability or some exploit taking advantage of a browser vulnerability with code being pasted all over on random sites. A user has to knowingly download something that is infected with this trojan. Most likely any user that is buying legitimate software does not have to ever deal with this trojan because nothing they get will be infected. Saying that a system is vulnerable because trojans exist is just plain stupid because trojans require a user to install them. You aren't going to get infected via auto-spreading or see this in the wild just randomly around. Just don't do stupid shit and pirate software and you will most likely never encounter it.



I have seen 5 Macs with viruses in the last week.

It is just common sense: the more people who use a product, the more you will have people try to exploit it. I have been telling Mac users this for about 8 years (since I was about 13) and only now do they believe. I am both sad and happy that this has happened. But it does put a smile on my face to see this happen.

Stupid Mac Elitist.



Back on November 21st of last year, Apple issued a technical note on its website that urged Mac users to install antivirus software. Then a week and a half later--after it had been widely publicized in tech news articles--they deleted it, claiming it was old and erroneous and the Mac is safe from viruses after all.

Here's the CNET report about the warning:

Apple suggests Mac users install antivirus software

December 1, 2008 5:30 PM PST

Posted by Elinor Mills

Updated 10:50 a.m. PST December 2 to correct that Apple previously recommended antivirus software to Mac users, and at 1:50 p.m. PST with call back from Apple and link to 2002 Apple anti-virus item. A follow-up blog will be posted that goes into more detail about the coverage.

Apple is recommending that Mac users install antivirus software.

But don't read this as an admission that the Mac operating system is suddenly insecure. It's more a recognition that Mac users are vulnerable to Web application exploits, which have replaced operating system vulnerabilities as the bigger threat to computer users.

On November 21 Apple updated a technical note on its Support Web site that says: "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."

The item offers three software suggestions: Intego VirusBarrier X5 and Symantec Norton Anti-Virus 11 for Macintosh, both available from the Apple Online Store, and McAfee VirusScan for Mac.

MacDailyNews unearthed the same note posted by Apple in June 2007 and published it on Tuesday, along with a link to a March 2002 note from Apple urging people to use an anti-virus program.

Apple representatives did not respond to e-mails seeking comment on Monday, but did return a call on Tuesday. A spokesman said he would look into the matter.

Brian Krebs, who first reported on the Apple antivirus recommendation Monday in his Security Fix blog at The Washington Post, said an Apple store employee told him he didn't need antivirus software when he purchased a MacBook three months ago.

For years, Apple has enjoyed a period free from concern over viruses, while Windows has been blasted with viruses that were written to make the biggest impact by targeting the dominant OS platform.

Microsoft's software patch releases are watched closely by the entire industry. The company overhauled its own software development practices and constantly urges Windows users to install and update antivirus and other security software.

Meanwhile, Apple's message has been that Mac users are immune to viruses, as evidenced by


Dave Marcus, director of security research and communications at McAfee, said Apple was reacting to the realities of the market, where Mac users are finding they are not immune to Trojans and other Web-based malware that malicious hackers write to steal data from computers.

"Apple is realizing that malware these days is targeting data, and valuable data exists just as much on an OS platform that is a Mac as it does on an OS platform that is Windows," he said.

Threats to applications are rising while exploits of operating system weaknesses are declining. Operating system vulnerabilities represent about 6 percent of disclosed vulnerabilities while more than 90 percent of vulnerabilities are found in applications, according to a Microsoft security report from last month.

Trojans that are secretly dropped on a computer from a malicious Web site are the most prevalent malware threat. In April, Microsoft reported a big spike--a 300 percent increase year-over-year--in the number and proportion of Trojan droppers that its Malware Protection Center detected and removed.

"The malware we see today is Trojans, password-stealing Trojans," Marcus said. "They are little apps that are dropped onto the machine to do something. They don't infect files and copy themselves. They are looking for specific information and they send that information somewhere else."

Trojans, which often masquerade as legitimate applications like video players, exploit vulnerabilities in the application code or take advantage of a weakness in the browser, and thus can be equally threatening to Windows and Mac platforms, he said.

Although Windows is the more popular target, even for Trojans, there have been Trojans that target the Mac, including one that targeted porn surfers last year and one this summer called "AppleScript.THT."

Meanwhile, the biggest targets for application vulnerability exploits are Office and Internet Explorer, according to Marcus.

McAfee's antivirus software protects against viruses that target the operating system as well as Trojans and other malware that exploit weaknesses in the applications, "regardless of what type of way it is using, via the browser, Word, or Firefox," he said. (Marcus, however, didn't agree with Apple's advice to run multiple antivirus products on one computer, saying they would fight for resources and could run into conflicts.)

A Symantec representative provided this statement when asked for comment: "Symantec has long encouraged consumers to use a security solution, regardless of the platform, especially with the rise in platform-agnostic threats like malicious Web sites and online scams."

The changing threat landscape from one where attackers try to worm their way onto victims' PCs through holes in the operating system to one where more attacks are coming at computers through the applications and browser should change the nature of the Mac versus PC security debate.

No platform can claim to be safe now.

"At the end of the day, they're (Apple is) advising people to be safe and take precautions," Marcus said. "That's a prudent thing to tell people in Web 2.0 world."

Here's the follow-up story about the article's deletion from Apple's website:

Apple suggests Mac users install antivirus software

December 2, 2008 6:40 PM PST

Posted by Elinor Mills

Updated 7:45 p.m. PST with expert comment, at 7:20 p.m. PST with context on previous coverage, and at 7:08 p.m. PST with background.

Apple removed an old item from its support site late Tuesday that urged Mac customers to use multiple antivirus utilities and now says the Mac is safe "out of the box."

"We have removed the KnowledgeBase article because it was old and inaccurate," Apple spokesperson Bill Evans said.

"The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box," he said. "However, since no system can be 100 percent immune from every threat, running antivirus software may offer additional protection."

Apple's previous security message in its KnowledgeBase, which serves as a tutorial for Mac users, was: "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."

Security experts, while pleased that Apple would urge Mac users to install antivirus software, had warned that running multiple antivirus products could cause problems and recommended against it.

Apple's antivirus support note was initially published last year and was updated last month, despite reports that it was a new note.

One Apple expert speculated that Apple was merely removing a poorly worded support note and said it probably wasn't ever Apple's intention to tell Mac users they need antivirus.

"I bet you it was a low-level support note and it hadn't gone through the right approvals," said Rich Mogull, security editor of Apple news site TidBITS. "That's my guess."

To some, Apple's latest move will be seen as back-tracking given that it comes one day after those misleading reports circulated. The motive remains unclear, particularly because Apple didn't replace the previously published suggestion with an updated one.

The message that remains is that Mac users don't really need to take additional steps to protect against viruses and other malware. Telling customers they can run antivirus for "additional protection" could be interpreted as a way to protect against any liability.

There are no known viruses in the wild that exploit a vulnerability in the Mac OS, and Windows continues to be the overwhelming preference for malware writers to target their programs. But malware isn't just taking advantage of operating system weaknesses anymore. In fact, the majority of such threats now come from code that targets weaknesses in browsers and other applications that aren't platform specific.

Mogull said he doesn't recommend that the average Mac user install antivirus software because of the low-level of malicious software seen for Macs at this time.

To me, this new Apple statement poses more questions than it answers.

Regardless of the meaning of Apple's latest action, I'm pleased to now have open lines of communication with the company. Over the last few months, I have had an increasingly difficult time getting any response to my e-mails and phone calls. For instance, I got no response to my requests for comment on Monday's article about this topic. However, after talking to several Apple spokespeople on Tuesday about the matter I am confident that the situation has been cleared up.

I also was reminded of how much collective knowledge CNET readers have about Apple and would like to extend an invitation for people to feel free to contact me directly at with any feedback and tips related to Apple security issues.


I remember that. I could only laugh. I also remember reading somewhere that Mac OS (X?) only had an EAL3 assurance rating, whereas the main Windows and Linux systems had at least EAL4. While CC ratings don't provide guarantees, the reviewers at least look at the abstract design and identify security-enhancing components or practices. If Mac only had EAL3, that means it was missing some very important features in its security model. An EAL3 rating for an OS "immune to malware" is just sad... LMAO @ Mac security claims



Interesting. I've never even heard of this "EAL" rating. Googling now...



MacOS is way behind with anti-exploitation techniques. Leopard's splotchy ASLR just isn't going to cut it. The Mac Hacker's Handbook is due out next month.


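As an added example, not code from this thread, from Apple or from the Mac Hacker's Handbook: the classic "run it twice" probe for checking how complete an OS's ASLR actually is. It samples where the main executable, the stack, the heap and a libc function landed in the current process and can compare that against a previous run's output, so you can see which regions really moved. All names in it (aslr_snapshot, aslr_diff, the one-line text format) are this example's own, and it is not tied to any particular OS X release.

```c
/* Added example, not code from the forum thread or from Apple: a quick
 * "run it twice" ASLR probe. It records where the main executable, the
 * stack, the heap and a shared-library function landed in this process, so
 * two runs can be compared to see which regions the OS actually randomises
 * (partial randomisation is what "splotchy ASLR" means in practice).
 * All names here (aslr_snapshot, aslr_diff, ...) are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct aslr_snapshot {
    unsigned long long image;   /* a function in the main executable */
    unsigned long long stack;   /* a local variable */
    unsigned long long heap;    /* a malloc'd block */
    unsigned long long library; /* a libc function */
};

enum { ASLR_IMAGE = 1, ASLR_STACK = 2, ASLR_HEAP = 4, ASLR_LIBRARY = 8 };

static int image_anchor(void) { return 0; }

/* Capture the current process's layout. Build as a PIE (-fPIE -pie); in a
 * non-PIE build the compiler may resolve &printf to the PLT stub inside the
 * image, which would make the "library" sample mirror the "image" one. */
struct aslr_snapshot aslr_take_snapshot(void)
{
    struct aslr_snapshot s;
    volatile int local = 0;
    void *h = malloc(64);
    s.image   = (unsigned long long)(uintptr_t)image_anchor;
    s.stack   = (unsigned long long)(uintptr_t)&local;
    s.heap    = (unsigned long long)(uintptr_t)h;
    s.library = (unsigned long long)(uintptr_t)printf;
    free(h);
    return s;
}

/* Bitmask of regions whose address differs between two snapshots.
 * 0 means nothing moved between runs: no effective ASLR. */
unsigned aslr_diff(const struct aslr_snapshot *a, const struct aslr_snapshot *b)
{
    unsigned mask = 0;
    if (a->image   != b->image)   mask |= ASLR_IMAGE;
    if (a->stack   != b->stack)   mask |= ASLR_STACK;
    if (a->heap    != b->heap)    mask |= ASLR_HEAP;
    if (a->library != b->library) mask |= ASLR_LIBRARY;
    return mask;
}

/* One-line text form, so a previous run's output can be fed back in. */
int aslr_format(const struct aslr_snapshot *s, char *buf, size_t n)
{
    return snprintf(buf, n, "image=%llx stack=%llx heap=%llx library=%llx",
                    s->image, s->stack, s->heap, s->library);
}

/* Parse a line produced by aslr_format; returns 0 on success, -1 otherwise. */
int aslr_parse(const char *line, struct aslr_snapshot *s)
{
    struct aslr_snapshot t;
    if (sscanf(line, "image=%llx stack=%llx heap=%llx library=%llx",
               &t.image, &t.stack, &t.heap, &t.library) != 4)
        return -1;
    *s = t;
    return 0;
}

/* Human-readable verdict for a diff mask. */
const char *aslr_describe(unsigned mask)
{
    switch (mask) {
    case 0:
        return "no region moved: ASLR is off or ineffective";
    case ASLR_IMAGE | ASLR_STACK | ASLR_HEAP | ASLR_LIBRARY:
        return "all sampled regions moved";
    default:
        return "only some regions moved: partial ASLR";
    }
}

/* Self-check: a snapshot survives format/parse, is identical to itself,
 * and garbage input is rejected. Returns 1 on success, 0 on failure. */
int aslr_self_test(void)
{
    struct aslr_snapshot s = aslr_take_snapshot(), p;
    char buf[160];
    if (s.image == 0 || s.stack == 0 || s.heap == 0 || s.library == 0) return 0;
    if (aslr_format(&s, buf, sizeof buf) <= 0) return 0;
    if (aslr_parse(buf, &p) != 0) return 0;
    if (aslr_diff(&s, &p) != 0) return 0;
    if (aslr_parse("not a snapshot", &p) != -1) return 0;
    return 1;
}

/* Usage: ./aslr_probe                    -> prints this run's snapshot
 *        ./aslr_probe "$(./aslr_probe)"  -> compares against a previous run
 * Exit status 1 when nothing moved, so it can be used in a script. */
int main(int argc, char **argv)
{
    struct aslr_snapshot now = aslr_take_snapshot(), prev;
    char buf[160];
    unsigned mask;
    aslr_format(&now, buf, sizeof buf);
    if (argc < 2) {
        puts(buf);
        return 0;
    }
    if (aslr_parse(argv[1], &prev) != 0) {
        fprintf(stderr, "cannot parse previous snapshot: %s\n", argv[1]);
        return 2;
    }
    mask = aslr_diff(&prev, &now);
    printf("previous: %s\nthis run: %s\nverdict: %s (mask 0x%x)\n",
           argv[1], buf, aslr_describe(mask), mask);
    return mask == 0 ? 1 : 0;
}
```

Build it with `cc -fPIE -pie -o aslr_probe aslr_probe.c` and run `./aslr_probe "$(./aslr_probe)"`. On a system with full ASLR all four bits flip; on one that randomises only shared-library load addresses (the sort of partial coverage the post above complains about) only the library bit changes, and the image, stack and heap come back at the same addresses every run, which is exactly what an exploit writer needs.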
