Bugtraq mailing list archives

Re: mac trojan in-the-wild


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 02 Nov 2007 12:36:57 +1300

Matthew Leeds wrote:

> Let's see now, user must:
> 
> 1) Navigate to porn site
> 2) Download Trojan
> 3) Either open file or have set 'Open Safe Files...'
> 4) Must allow install by typing admin password
> 
> Oh yeah, this will clearly hit Mac users hard, not. I don't see this
> as a big deal, more as Darwin in action (if you will not mind the
> pun). How this is a big deal is hard to see. Just a few more
> machines in the bot net.

Depends on how you define "hard".

It certainly will be "hard" for each of its victims.

And it is "hard" in the sense that Mac fanboyz are so busy denying that 
this could ever be an issue that they will collectively have a lot of 
egg on their face for each successful Mac installation it gets.

"hard" as in "mass infestation" -- almost certainly not, but then 
that's not how these things work.

Have you _any_ idea of the size of business behind these "DNS changer" 
Trojans?  A recent presentation I saw showed that one of these 
operations is clearly making enough money to run _hundreds_ of servers, 
hosted at nice, respectable major hosting services.

That's pretty "hard" too...

> Now a self-replicating virus, that might be an issue, ...

Oh, come on now -- don't tell me you think Macs are virus proof?

Care to elaborate on why self-replicating code on OS X would be 
especially noteworthy?  (Let me give you some advice before you try.  
Go read the relevant literature.  And another hint -- it starts with a 
chap named Cohen and you really only need to understand one or two of 
his papers or his Ph.D. thesis to realize why taking on this challenge 
would, for the rest of us, be a good laugh at your expense...)

> ... but this is a
> dead end.  ...

...depending on your definition of "dead".

Clearly yours is based on something so far out of touch with the real 
world of "typical users" that it really was not worth the effort you 
expended writing about it.

Or did you mean "helping organized crime make its next few millions"?

> ...  Not even a very effective drive by.

Hey -- something we agree on!

But then, it is clearly NOT a drive by nor ever intended to be one, so 
I guess it being a completely ineffective one is not that surprising...

It is on sites that folks will have actively sought out, either through 
choosing to follow spammed links or from (dubious) search engine 
results, etc, etc.

There is NO code on either the Mac- or Windows-specific "download" 
pages that tries to automatically exploit anything.

The whole thing is designed to appeal purely to human gullibility.

It's called "social engineering" and your obvious cluelessness about it 
means you are a prime candidate for being taken in by some form of it 
(not by _this_ form obviously, but by some other form -- this kind of 
specialist ignorance is behind well-considered physicists and 
mathematicians being taken in by demonstrations of "paranormal ability" 
that professional magicians always see through).


Regards,

Nick FitzGerald

