Anatomy of a Mac OS X malware sample
- TAGS:DNS, Jahlav-C, Mac OS X, Paretologic, phishing, trojan
- IT TOPICS:Cybercrime & Hacking, Enterprise Software & Services, Internet, Macintosh & Apple, Security, Security Hardware & Software
This week on Security Levity: the growing threat of Mac malware. Let's look at just one example...
Earlier this year, security researcher Jerome Segura from Paretologic, a Commtouch Security Alliance member, discovered a new Mac OS X malware variant: OSX/Jahlav-C.
The payload is a DNS changer. It redirects domain name system requests to malicious servers, so when you think you're reading a trusted Web site, you might actually be connected to a forged version of it.
This is a particular problem for bank sites. No need for criminals to fool users into opening fakebank.com with a phishing attack, when realbank.com actually resolves to an imposter Web server.
Unless the users pay close attention, they won't notice that they're not connected via SSL/TLS. And why would they? They're clicking on the bookmark or favorite that always took them to their bank before.
Other problems include legitimate Web links redirecting to adult sites or advertisements, inserted advertisements, or warning pop-ups promoting scareware programs (e.g., rogue anti-virus applications). Once your browser is connecting to a forged Web server, it can do whatever it likes.
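One defender-side check for this class of payload, added here as an example and not taken from the article or from Paretologic's analysis: parse the resolver list a Mac reports (the sample below is constructed in the style of `scutil --dns` output) and flag any nameserver that falls outside the networks the host is expected to use. The allowlist and the 203.0.113.45 address are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed sample, formatted like `scutil --dns` output on macOS
# (assumption: one "resolver #N" block per resolver, nameserver[i] lines inside).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.45
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

# Hypothetical allowlist: resolvers this host is expected to be configured with.
EXPECTED_NETS = (
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
)

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(text):
    """Return every nameserver address listed in scutil-style DNS output, in order."""
    return NAMESERVER_RE.findall(text)


def unexpected_resolvers(nameservers, allowed=EXPECTED_NETS):
    """Return the nameservers that are not inside any allowed network.

    Unparseable entries are reported too, since a DNS changer may write
    something a strict parser would otherwise silently skip.
    """
    flagged = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            flagged.append(ns)
            continue
        if not any(addr in net for net in allowed):
            flagged.append(ns)
    return flagged


def audit_live_host():
    """Run the same check against the real resolver configuration (macOS only)."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return unexpected_resolvers(parse_nameservers(out))
```

On a Mac, `audit_live_host()` returns the list of resolvers to investigate; an empty list means every configured nameserver is inside the expected networks.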
The malicious sites pushing this Trojan target both Windows and Mac OS. Depending on the browser's user-agent string, the site delivers a .EXE file or a .DMG file. The file masquerades as a video codec or a software-crack keygen, using names such as QuickTime.dmg, MacTubePlayer.dmg, or crack_photoshop.dmg.
(Although, if you squint at the screenshot above, you may be able to make out that the user is being enticed to download a codec with what looks like a Windows XP dialog box!)
While the debate still rages about whether Mac OS is more secure than Windows, ParetoLogic researchers agree with me that malware authors are expanding their targeted attack surface by adding as many platforms and browsers as they can. We're seeing an increasing volume of Mac malware in the wild and expect this trend to continue.
I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!
When he's not being wary of Greeks bearing gifts, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.