Feeds

back to article Notorious Koobface worm ported to Mac OS X

Security researchers say they've been monitoring a Mac OS X version of the notorious Koobface worm, which uses advanced rootkit techniques to stealthily hijack infected machines. Although the Mac version isn't yet ready for prime time, it is nonetheless a sophisticated piece of software that developers put a fair amount of …

COMMENTS

This topic is closed for new posts.

What I want to know is if...

Koobface is a worm or a trojan? The article seem to imply it could be both, a blended threat possibly?

This is quite important as to date as far as Im aware OS X has never had any real problems with worms. Trojans yes but not worms.

0
0
Silver badge
Boffin

Looks like both

IIRC, it acts more like a "social worm" as it sends itself, or tricks its victims to send the worm via wall post, and then infects the target OS.

There was one actual virus for OSX though; the Leap/Oompa-Loompa virus would spread over a local network using the Bonjour protocol. That was back in 2006, not sure if that one would work these days.

0
0
Grenade

Oh no!

They're going to have to 'trick' someone into clicking allow? Users just allow whatever they think will get them to the game, web site, or porn they want to see. Not much of a hurdle.

2
0
Silver badge

There is a hurdle though

"Assuming they do, or are able to trick users into clicking “Allow” anyway, they will also need to resolve issues preventing the downloaded files from installing."

For anything to install is OSX (much like Windows 7) a user has to click allow and enter the username password combo of a user with admin rights (a sudoer effectively). Now, if your machine is setup properly that username and password is for a separate account and your plebian-most users won't know it, hence they can click away to their heart's content. That'd be a pretty high hurdle in my book and I know that my Mac and my parents PC with therefore be safe.

0
0
Gold badge
Happy

Re: Oh no!

Yes, but the standard way of doing this for Windows lusers is to fake an infection report and offer the user a FREE!!!1!111!! Antivirus scanner.

Such a technique would produce reactions of: "Bollocks" and "What the f*** would I want one of those for?" from Mac lusers.

Watch out for popups offering FREE!!!!11!!! nude photos of Steve Jobs......

0
0
Jobs Horns

Why bother?

You don't need malware to compromise an Apple system. Their OS will already crack like eggshells under the slightest malicious tinkering. Guess that's why there aren't many Apple viruses...

4
9
Joke

README

"warning, this software is pre release and may lead to data loss"

2
0
IT Angle

this shit is boonanas

I can't wait to read up on how it operates.

0
0
WTF?

A Title.

Is it just me, or does anyone else keep reading the name of the virus as "Knobface"?

3
0
Troll

Another reason

to kill off Java on the Mac.

0
4

Getting users to click 'allow' would seem the easy part ...

... no?

1
0

This post has been deleted by its author

Silver badge

I think they mean

The current implementation of the malware in its OS X incarnation is flawed.

11
1
FAIL

taken offence...

Hahahaha that is the funniest misreading I've seen in a while.. go guy take that fence...

0
1
Headmaster

@ELTIT

They are saying that the implementation of the malware for OS/X is flawed... although the sentence structure lends itself to misinterpretation, in a PT-Barnum kind of way. i.e.

"Giant man eating chicken", and when you go into the side-show tent there is an 8 foot tall muscle-bound guy eating (you guessed it by now) chicken.

0
0

Getting users to click...

... is only easy because there is some much stuff that legitimately needs to install over the web, Codecs for example. Sort that mess out and you're half way there.

0
0
FAIL

OK, let's analyze this...

Once again, we have a piece of malware that (a) nobody has ever seen in the wild except certain companies (who also happen to sell "security software" for the Mac), and which (b) is not "flawed", but "non-functional" because it does not make a serious attempt to install itself - instead it downloads and executes an installer for a trojan. I can do the same with a two-line shell script.

Guys, if you really want to create a market for "security software" on the Mac, you need to improve your FUD skills substantially.

Here's a free anti-malware package for you:

on idle

tell app "Finder" to display dialog "Do not run installers you don't trust."

end idle

0
0

Wow

OK, admitted, getting a user to click accept is not terribly hard. Getting a Mac user to ckicl accept and ehter a keychains password however, for an app they did explicityly specifiy to download and that does not present a disk image file on their desktop, from a company they never heard of on a site they did not browse to specifically to get this app? VERY high hurdle.

Even my father, who I had to walk through the install and use, click by click, to get FaceTime installed on his Mac, a guy who forwards every scam e-mail that sounds legit no matter how many times you tell him not too even after having put a link on his desktop to snopes.com, who can't figure out to reboot the router when his WiFI icon turns grey, knows in his bones that anything that asks for a keychian password means BIG SHIT is happening, and he better know why....

The only way even the tiniest percentage of Mac users might fall for this would be people led to by a scam to a site, that looks like a legit company at a web address that can be spoken (not funky characters or numbers and dots), and are tricked into thinking they're downloading a real program. Problem? That site would be off the net by takedown order from the FBI in hours. You can only avoid the FBI and ISPs from blocking and shutting down your virus distribution server if you don;t actually have one, but rely on other legit servers being infected, or boits that attack IPs directly for weaknesses. No such attack exists and Mac users don't give out passwords to rogue apps trying to install. (clicking "yes" they do, with alarming ease, but going to the next step that actually allows the virus to install they do not).

And on top, this thing is still actually FLAWED, in that it not only does not install properly, but more relies on services set to auto-run, hiding itself as a running service from the tray (the dancing icon on startup saying Hi, I'm a web Server and I just launched on my own" is a dead giveaway) and hiding itself from other linux process monitoring services, not to mention actually getting out through both the OS X and physical firewalls so someone can route down TO that server? ...and all this without actually getting permission escalation, or running as root (since that's disabled).

This is so low on the threat scale it doesn't register, other than the idea yet another person tried and failed.

There's a reason there has never been a self propagating virus on Macs. The only worm they ever had was from people installing hacked copies of iWork and OS X they torrented illegally (and thus deserved to get infected). The virus another poster mentioned was a PoC and never ITW, and didn;t spread by any means OTHER than LAN anyway (you couldn't catch it to spread it unless you plugged into a network with another infected mac and accepted the remote "driver" install from a device you did not request to use).

Getting a Virus into Linux/UNIX in general is really hard, not because it doesn't have vulnerabilities, but because the security model is simply so damned simple that getting around it is pretty much impossible (did you ASK for kernel memory, the right way, with the right permissions? no, oh, sorry -kill). The user actually has to INSTALL the virus, manually, like any other app, but then it ACTS like any other app, and is easily found and is as limited as any other program running on the OS.

Will OS X remain virus free forever? probably not, but any infection is going to take advantage of a weakness in both the user, and like a 3rd party app (java, flash, some other network service, 3rd party browser/plugin vuln...). Don't download illegal stuff, don't enable root, use a password, don't follow links in e-mail you didn;t ask to get, and you pretty much can;t get an infection on a Linux machine. Macs make it even more obvious to users through the insistance on Keychain and s very simple security model.

1
0

@Michael C

"The only way even the tiniest percentage of Mac users might fall for this would be people led to by a scam to a site, that looks like a legit company at a web address that can be spoken"

Really then you need to work at a call center for an ISP. I did. I would get calls from mac users cause they went to a web site , DL a program and it does not work. What happened is they got a pop saying windows has detected a problem.

"OK, admitted, getting a user to click accept is not terribly hard. Getting a Mac user to ckicl accept and ehter a keychains password however, for an app they did explicityly specifiy to download and that does not present a disk image file on their desktop, from a company they never heard of on a site they did not browse to specifically to get this app? VERY high hurdle."

No its not. I'd say 20% of my callers were dumb as a brick. Wait that's insulting a brick. You also have a group of people that are click happy. Will click on any thing . Then there are the class of folks that should only be allowed a type writer. I had call were the customer could not figure out how to do copy and paste. He had never done it before and had being using a mac over 3 years. This person was in their 40's. I just could not believe how clueless people were with computers.

What was more amazing is things that t people expected their ISP to fix, like forgetting their password to their online banking account or help recovering their windows or tool chain password .

0
0
This topic is closed for new posts.