Mac OS X virus free?
I read an article today titled “Don’t bug me: why Macs are still virus free”.
“The real answer is UNIX, the foundation technology Mac OS X is based on” says Neal Costello.
While it is true that Unix systems were designed with a very different approach to security, that does not make them impenetrable.
The reason we see less malware on Linux is that malware authors are money driven. If I were a bad guy and wanted to infect as many people as possible, I would write a virus for Windows: it would guarantee me the highest ROI.
Thinking that you are safe because you are running a Mac is a big mistake. In most malware infections the weakest link is the end user, and that kind of thinking will get you in big trouble the day a fake codec prompt pops up and you blindly install it. A well-educated PC user will not fall for that.
The same goes for phishing scams: having a Mac does not protect you any better than having Windows. You click a link in your email to “update” your bank account; it turns out to be a fake site, and it has just stolen your credentials. Mac OS X or not, you have just become a victim of identity theft.
There is a lot of buzz about bots and botnets… You may be surprised, but they exist on the Mac as well:
Extract from the source code:
At the end of the day, choose whatever OS you wish, but don’t believe everything you hear. It is good marketing to say “Macs have no viruses” because people are genuinely concerned about security… Remember when everybody was saying “don’t use IE, use Firefox”? Well, the number of exploits for Firefox rose significantly… Again, the bad guys will go where the money is. It may take them longer to bypass a UNIX system, but if it’s worth the effort, they will gladly do it.
Updated to add:
Neal Costello from makemineamac.info, responded to my post:
Interesting to see the shift from “virus free” to “relatively low number of exploits”.
I’ve had quite a few people tell me, “you don’t have a Mac product, so why the heck do you bother talking about Mac threats?” My answer is that I blog about security threats. They could be on your PSP, iPhone, Atari… it doesn’t matter!
Jerome Segura
|
Rogue scan on the iPhone
There is a new movie out called Zombieland featuring actress Emma Stone. Well, if you Google her name you may find a site that redirects to malware, or more precisely rogueware.
Even on the iPhone!
Of course the file is for Windows, but the redirect clearly shows the potential for serving an exploit that targets the iPhone.
Thanks to Adam Wilkinson for discovering this and providing the screenshot.
Jerome Segura
|
New Mac DNS variant
A mini how-to on collecting Mac Trojans. This new variant comes from anzipfimuk.com.
1) Identify a new site that hosts the Trojan (I use a honeypot)
2) Unless you have the exact URL, you will not be able to download the file
3) Typing the full URL (including the series of digits that forms the download path) gets you the binary
This one is only detected by our friends from Sophos:
Jerome Segura
Malware ID: 4ece0e88b3527c85c2c503d3899be26b.zip
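The three steps above are the whole collection loop, so here is an added Python example (not the post's own tooling) that automates the triage side: it pulls payload URLs matching the /download/<hex token>/<file> pattern out of a honeypot log, dedupes them, tags the platform from the file extension, and labels a downloaded sample the way the Malware IDs on this page are written (MD5 of the bytes plus .zip). The regex is an assumption generalised from the three payload URLs quoted in other posts on this page; the log excerpt is constructed and reuses those URLs; the date heuristic on the token is only an observation about those three tokens, not a documented format.

```python
import hashlib
import re
from datetime import datetime

# Payload URLs on these fake-codec sites look like /download/<long hex token>/<file>.
# Assumption: generalised from the three URLs quoted on this page.
PAYLOAD_URL = re.compile(
    r"https?://(?P<host>[A-Za-z0-9.-]+)/download/(?P<token>[0-9a-f]{24,})/"
    r"(?P<file>[A-Za-z0-9_.-]+\.(?:dmg|exe|zip))"
)

# Constructed honeypot log excerpt (not real traffic). The payload URLs are the
# ones quoted in this page's posts; the rest is noise, including a repeat hit
# and a /download/ path with no token.
SAMPLE_LOG = """\
2009-07-01 GET http://rstdeals.com/ 200 text/html
2009-07-01 GET http://rstdeals.com/download/4832374b52413d3dec9168ad20090701/setup.exe 200 application/octet-stream
2009-07-22 GET http://jumborad.com/download/6c307a7968513d3dcda19d5320090722/QuickTime.dmg 200 application/octet-stream
2009-07-22 GET http://jumborad.com/download/6c307a7968513d3dcda19d5320090722/QuickTime.dmg 200 application/octet-stream
2009-08-01 GET http://tdenuwas.com/download/78384e3034413d3db727515620090801/QuickTimeUpdate.dmg 200 application/octet-stream
2009-08-01 GET http://example.invalid/download/readme.txt 404 text/plain
"""


def extract_payload_urls(log_text):
    """Unique payload hits in first-seen order, with host, token and file split out."""
    seen, hits = set(), []
    for m in PAYLOAD_URL.finditer(log_text):
        url = m.group(0)
        if url in seen:
            continue
        seen.add(url)
        hits.append({"url": url, "host": m.group("host"),
                     "token": m.group("token"), "file": m.group("file")})
    return hits


def token_date(token):
    """Heuristic only: the three tokens quoted on this page end in YYYYMMDD matching
    the post date. Returns that date as ISO text, or None if the tail is not a date."""
    try:
        return datetime.strptime(token[-8:], "%Y%m%d").date().isoformat()
    except ValueError:
        return None


def platform_of(filename):
    """Target platform guessed from the extension, as the posts do (dmg = Mac, exe = PC)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return {"dmg": "mac", "exe": "windows"}.get(ext, "unknown")


def malware_id(data):
    """Label a sample the way the Malware IDs on this page are written: MD5 + '.zip'."""
    return hashlib.md5(data).hexdigest() + ".zip"


if __name__ == "__main__":
    for hit in extract_payload_urls(SAMPLE_LOG):
        print(platform_of(hit["file"]), hit["host"], token_date(hit["token"]), hit["url"])
```

Feed it the honeypot's request log instead of SAMPLE_LOG and it gives you the exact URLs step 3 needs; the downloaded bytes go through malware_id() to produce the same kind of identifier the posts use.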
|
Mac users, beware of mac-xxx.com
A fake porn tube site that downloads a DNS changer Trojan.
1 detection on VirusTotal:
Jerome Segura
Malware ID: f1c11d17bd008504b9c92714de7b02b8.zip
|
New PC / Mac Trojan variants
If you browse to this site: update-media-player.com
you get the following error message.
Depending on your user agent, a Windows or a Mac file is downloaded (from poluresuz.com).
Both files currently have low detections:
Jerome Segura
Malware ID: 5df1470b0560aefcadf14e7d3e5f0a2d.zip
Malware ID: 8f2e7d412fc9d229ac986c829b6022ef.zip
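The user-agent switch is the key detail here: one landing URL, two payloads, and a crawler that only ever presents one User-Agent sees only one of them. The Python below is an added example (not the post's tooling): it fetches a URL once per User-Agent and compares what each platform receives, so a divergent payload stands out. The landing page is simulated offline with a constructed stand-in whose payload host, redirect paths and bodies are placeholders, not the real poluresuz.com URLs; the User-Agent strings are constructed too. urllib_fetch is a live drop-in with the same signature for use from an isolated analysis network.

```python
import hashlib
import re
import urllib.request

# Constructed User-Agent strings for the platforms the landing page cares about.
AGENTS = {
    "windows": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 "
               "(KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5",
    "mac": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 "
           "(KHTML, like Gecko) Version/4.0.3 Safari/531.9",
    "linux": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3",
}


def classify_user_agent(ua):
    """The coarse OS sniffing a fake-codec landing page does server-side."""
    if re.search(r"windows", ua, re.I):
        return "windows"
    if re.search(r"mac os x|macintosh", ua, re.I):
        return "mac"
    return "other"


# Constructed stand-in for the landing page: placeholder payload host and bodies.
PAYLOADS = {
    "windows": ("http://payload.example/download/flash-plugin.exe",
                b"MZ constructed stand-in for the Windows Trojan"),
    "mac": ("http://payload.example/download/QuickTimeUpdate.dmg",
            b"constructed stand-in for the Mac Trojan dmg"),
}


def simulated_fetch(url, headers):
    """Mimic the observed behaviour: sniff the User-Agent, send Windows and Mac
    visitors to platform-specific files, show everyone else an error page."""
    os_name = classify_user_agent(headers.get("User-Agent", ""))
    if os_name in PAYLOADS:
        return PAYLOADS[os_name]
    return url, b"<html>Error: the requested codec is not available</html>"


def urllib_fetch(url, headers, timeout=15):
    """Live fetcher with the same (final_url, body) contract. Only use it from an
    isolated analysis network: the body may be a Trojan."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read()


def probe(url, fetch, agents=AGENTS):
    """Fetch url once per User-Agent and summarise what each one received."""
    report = {}
    for label, ua in agents.items():
        final_url, body = fetch(url, {"User-Agent": ua})
        report[label] = {"final_url": final_url,
                         "md5": hashlib.md5(body).hexdigest(),
                         "size": len(body)}
    return report


def divergent(report):
    """True when at least two User-Agents got different bytes back."""
    return len({r["md5"] for r in report.values()}) > 1


if __name__ == "__main__":
    result = probe("http://update-media-player.com/", simulated_fetch)
    for label, info in result.items():
        print(f"{label:8} {info['size']:6} {info['md5']} {info['final_url']}")
    print("divergent payloads:", divergent(result))
```

Swap simulated_fetch for urllib_fetch to run it against a live site; the MD5 column is what you compare against the Malware IDs in these posts, and a report that is not divergent means the site either does no sniffing or keys on something other than the User-Agent.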
|
New Mac Trojan variant
It comes from kilerodik.com.
One AV detection on VirusTotal, and once again it is Sophos!
Jerome Segura
Malware ID: ae248eb8853c2cc999bad290d795c86b.zip
|
PC and Mac malware in the same boat
It’s not often that I see a Trojan (DNS changer) with the same low detection rates for both its PC and Mac versions.
Well, these samples prove it. The ‘bait’ fake codec page is hosted at supertuberental.com.
I downloaded the two versions and uploaded them to VirusTotal at pretty much the same time; here are the results:
PC: 3/41
flash-plugin.45080.exe from exeloaddirect.com
Only 3 AV engines on VirusTotal detect this threat: DrWeb, NOD32 and Sophos.
Mac: 3/41
QuickTimeUpdate.dmg from tablenoids.com
Only 3 AV engines on VirusTotal detect this threat: F-Secure, Kaspersky and Sophos.
Congrats to Sophos for detecting both the PC and Mac version of this threat!
Our heuristics engine Zheng detects this threat (the PC version) proactively as well.
Jerome Segura
Malware ID: 04f08886a6db5f01ebc7262db9fc5c88.zip
Malware ID: 4bc22ebef0dd2dc139e5afd9b46671ea.zip
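Every sample in these posts is a DNS changer, so the check a Mac user actually wants is whether the configured resolvers are still the ones they expect, whatever mechanism the Trojan used to change them (the posts do not describe it). The Python below is an added example, not something from the post: it parses the output of `networksetup -getdnsservers <service>` (one address per line, or a sentence saying none are set, in which case DHCP-supplied resolvers apply) and resolv.conf-style `nameserver` lines, and flags anything not on an allow-list. The allow-list, the service name and the 203.0.113.x addresses in the constructed samples are placeholders.

```python
import ipaddress
import re
import subprocess

# Placeholder allow-list: replace with the resolvers your network actually hands out.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed samples of `networksetup -getdnsservers Wi-Fi` output and a resolv.conf.
SAMPLE_UNSET = "There aren't any DNS Servers set on Wi-Fi.\n"
SAMPLE_CHANGED = "203.0.113.5\n203.0.113.6\n"
SAMPLE_RESOLV_CONF = "# generated\nnameserver 192.168.1.1\nsearch lan\n"


def parse_networksetup(output):
    """Addresses from networksetup output; prose lines (nothing set) are skipped."""
    servers = []
    for line in output.splitlines():
        try:
            servers.append(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue
    return servers


def parse_resolv_conf(text):
    """nameserver entries from a resolv.conf-style file."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def audit_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """('ok', []) when every resolver is on the allow-list, else ('suspect', [unexpected]).
    An empty server list means DHCP resolvers are in use, which this check cannot see."""
    unexpected = [s for s in servers if s not in expected]
    return ("suspect" if unexpected else "ok"), unexpected


def live_audit(service="Wi-Fi"):
    """Run the real command on a Mac (assumes networksetup is on PATH and the
    service name matches `networksetup -listallnetworkservices`)."""
    out = subprocess.run(["networksetup", "-getdnsservers", service],
                         capture_output=True, text=True, check=True).stdout
    return audit_resolvers(parse_networksetup(out))


if __name__ == "__main__":
    for label, sample in (("unset", SAMPLE_UNSET), ("changed", SAMPLE_CHANGED)):
        print(label, audit_resolvers(parse_networksetup(sample)))
    print("resolv.conf", audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
```

A DNS changer that sets resolvers per interface shows up in the networksetup output; one that only touches files would show up in the resolv.conf path. Running both after a suspicious codec install, and comparing against what your DHCP server is supposed to hand out, catches either kind regardless of whether any antivirus engine has a signature yet.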
|
New Mac OS X Jahlav variant
Yet another domain pushing a new build (new MD5) of the Jahlav Trojan for Mac OS X.
tdenuwas.com/download/78384e3034413d3db727515620090801/QuickTimeUpdate.dmg
In fact, several domains on the same IP (91.214.45.73) are hosting the malware:
allincorx.com
bigdron.com
cikaredo.com
civilizxx.com
comeandtryx.com
deribrowns.com
draxxtermania.com
givendream.com
hitrowzone.com
jumborad.com
ltdkeeper.com
operationelx.com
oxxadox.com
paxxtiger.com
rednetx.com
rstdeals.com
simplexdoom.com
sinisteer.com
tniredrum.com
ufapeace.com
Only 3 vendors on VirusTotal are detecting this threat: Kaspersky, F-Secure and Sophos.
Jerome Segura
Malware ID: 7424683a943171a92d2b281da41fec9e.zip
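One indicator rarely stands alone: the list above came from pivoting on a single address. The Python below is an added example (not the post's own method) of that pivot: resolve a candidate list, cluster by address, list the siblings of a seed domain and emit a hosts-file blocklist for the cluster. The resolver is injectable; the snapshot resolver included here is constructed to reproduce the resolution recorded in this post so the example runs offline, and example.net, example.invalid and the 198.51.100.7 address are placeholders.

```python
import socket
from collections import defaultdict

# Domains this post lists as serving Jahlav from 91.214.45.73.
JAHLAV_DOMAINS = [
    "tdenuwas.com", "allincorx.com", "bigdron.com", "cikaredo.com", "civilizxx.com",
    "comeandtryx.com", "deribrowns.com", "draxxtermania.com", "givendream.com",
    "hitrowzone.com", "jumborad.com", "ltdkeeper.com", "operationelx.com",
    "oxxadox.com", "paxxtiger.com", "rednetx.com", "rstdeals.com", "simplexdoom.com",
    "sinisteer.com", "tniredrum.com", "ufapeace.com",
]


def cluster_by_ip(domains, resolve=socket.gethostbyname):
    """Resolve each domain and group by address; unresolvable names land under None."""
    groups = defaultdict(list)
    for name in domains:
        try:
            ip = resolve(name)
        except OSError:
            ip = None
        groups[ip].append(name)
    return dict(groups)


def siblings_of(seed, domains, resolve=socket.gethostbyname):
    """Pivot: (seed's address, every other candidate sharing it). (None, []) if the
    seed does not resolve, so unresolvable names never get clustered together."""
    groups = cluster_by_ip([seed] + [d for d in domains if d != seed], resolve)
    seed_ip = next((ip for ip, names in groups.items() if seed in names), None)
    if seed_ip is None:
        return None, []
    return seed_ip, [d for d in groups[seed_ip] if d != seed]


def hosts_blocklist(domains):
    """/etc/hosts lines sinkholing the domains (0.0.0.0 so nothing local answers)."""
    return "".join(f"0.0.0.0 {d}\n" for d in sorted(domains))


# Constructed resolver reproducing the resolution observed at the time of the post;
# anything else gets a placeholder documentation address, except the reserved .invalid TLD.
def snapshot_resolver(name):
    if name in JAHLAV_DOMAINS:
        return "91.214.45.73"
    if name.endswith(".invalid"):
        raise OSError("NXDOMAIN")
    return "198.51.100.7"


if __name__ == "__main__":
    candidates = JAHLAV_DOMAINS + ["example.net", "example.invalid"]
    ip, siblings = siblings_of("tdenuwas.com", candidates, snapshot_resolver)
    print(f"{ip}: {len(siblings)} sibling domains")
    print(hosts_blocklist([ "tdenuwas.com"] + siblings), end="")
```

Drop the resolve argument to query live DNS; the same address today will usually not host the same cluster, which is the caveat with any IP pivot, so re-resolve before acting on an old list like this one.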
|
New Mac Jahlav Variant
It’s new to me.
jumborad.com/download/6c307a7968513d3dcda19d5320090722/QuickTime.dmg
Only 3 vendors on VirusTotal detect it right now: F-Secure, Kaspersky and Sophos.
Malware ID: f5e09bd7cb91e8fe781343e5657b8d4b.zip
On Paretologic’s FTP share, as always.
Jerome Segura
|
New Trojan for the Mac and the PC
I discovered a new domain that distributes Windows/Mac malware:
rstdeals.com
and the direct link to the malware file is:
rstdeals.com/download/4832374b52413d3dec9168ad20090701/setup.exe
Both Windows and Mac users are targeted:
The Mac installer is already known; the Windows one, however, is still largely undetected:
Warning: those links are dangerous!
Jerome Segura
Malware ID: 98936344e6fb1d3df872ac1107fcb0a0.zip
|