First Mac OS X fake installer pops up, racks up your mobe bill Crooks have developed a new Mac OS X-specific Trojan that mimics the behaviour of a legitimate software installer. Trojan-SMSSend-3666, which poses as an application for listening to music on a popular Russian social networking site, attempts to hoodwink marks into handing their mobile number to activate the radio app. Users …
@the AC's
It was a question to prompt further conversation...
I guess it goes to show that regardless of the platform, people will exploit any given weakness.
If memory serves, one of the popular points that Cultists would use to defend Mac OS was that there were few, if any virii available.
So, in this instance, is the vulnerabilities the user, or that the OS allows a dodgy installation to take place?
Before the downvotes start rolling in, please note that this is a genuine question as opposed to me making fun of the OS.
Sorry, you're question came across as a trollish "Isnt MAC OS X based on BSD? OMG BSD is vulnerable!"
"So, in this instance, is the vulnerabilities the user, or that the OS allows a dodgy installation to take place?"
Now that you've asked specifically, this is purely a user problem. The only prevention is the iOS model where every application is vetted by someone before being allowed onto the system and even this isn't completely secure.
I would say the best solution is educating users, unfortunately most users aren't interested in being educated and just want to get on with what they want to do.
"So, in this instance, is the vulnerabilities the user, or that the OS allows a dodgy installation to take place?"
Up to now the user is allowed to run applications of his choice on a Mac. this trojan is probably unsigned, but if the user choses to run it and states his choice several times, it will run.
"And yes - if you install an application on OS X while you have admin privs and type your admin credentials when the installer asks you to - it can pop code wherever it likes on your box."
No it won't. You obviously don't have OSX and you are extrapolating from OS's you do know. You will have to first go to settings find the relevant setting and change it. You will then be challenged with a warning. Even as an admin you have to take positive action to find the setting to change. The important point here is you won't find you can install the software simply by answering in the affirmative to a string of dialogue boxes when you try to run the installation file.
So what? if you run something, the OS asks for privilege escalation and you say "yes" then it will get installed.
OSX Mountain Lion has a gatekeeper setting which stops unsigned apps if you want to.
Unfortunately the traditional desktop OSes are always going to be vulnerable to people installing bad applications.
Not much of a threat really these days. The default setting on OS X is that software can only be installed from Mac App Store and identified developers (e.g. developers who's apps have been certified). The message is if, if you don't know what you are doing, never change that setting to the more permissive "Allow applications downloaded from anywhere" To be honest, most users who don't know what they are doing, won't even know they can change that setting anyway. So by default, the average Mac user won't be vulnerable to this type of attack.
But the article mentions ZipMonster as a resource used to create the installer.
I would assume by this that they are being used to circumvent any protection implied? Or have I read this incorrectly?
Surely anyone could write an installer that does naughty things to an OS, to get away with it you would need one that supplies dodgy credentials?
@Rafayal. No. With the default configuration, no dodgy installer will run unless it has a cert issued by Apple. Every time you try to install an app, OSX checks if it's certificate is still valid. To get the credentials to install you have to get your app (or installer) signed by Apple. They can revoke them. Of course it's possible someone could set up a dodgy account and dupe Apple, but as soon as any reports/complaints surface, the app would have its install rights rescinded and no one further would get infected beyond a few initial users. You would have to be pretty unlucky to be in that group. The world has moved on greatly since the malware storms of the late 90's and early noughties. Now threats tend to be much more targeted, with bespoke or custom malware produced to hit higher value targets. Of course The Register and the rest like to dramatise any angle they can find, but really there are relatively far fewer cases of mass malware infection than there used to be. That goes for all platforms, including Windows. Appstore's, code signing and authenticated installs are contributing a great deal to this shift. Of course zero day exploits can still be used but again, the value of a zero day exploit these days is far greater to the vertical market, where as a malware author you can get payback without bringing the "crowd source" investigative power of the internet down on your head by infecting thousands, if not hundreds of thousands of machines. Consequently zero day exploits tend to be sold into smaller professional groups who want an exclusive and don't want it shared with the world.
This is a social engineering attack, It's basically just asking users to...
The very definition of a class of social engineering attacks. Perhaps it would be useful to fight fire with fire. Instead of asking users if they would like to allow an app to access certain functions in order for it to complete its install, it would be better to ask them if they would like to fall on their respective swords.
More to the point, I wonder if it would be possible to automatically rate the risk of a particular set of permissions against the app being installed or the action being taken, and then communicate that to the user. Rather than a message asking, "Do you want this app to have access to this resource?" the user would be told, "Allowing this app to have this access is rated as having a high level of risk."
>>the user would be told, "Allowing this app to have this access is rated as having a high level of risk."<<
And then the malware writer changes the text so that it reads "Apple has confirmed that installing this app will have no adverse effect" - and people click on the link because they trust it.
If you have 10 "experts" telling someone "you should not do this" and 1 "expert" saying that it's OK, they will listen to the 1; because he / she is telling them what they want to hear. That's just the way that people are.
You're missing the point, The only resource this app is using is the Internet connection, it prompts the user to enter their mobile number as part of the 'activation' procedure, the user then receives a text with a code, they supply this info which is ferried back and apparently enough for the fraudsters to sign them up for premium rate SMS.
I'm guessing they take the users mobile number and supply it to a telco who send out the auth code, and should that code come back to the telco via the fraudsters the telco assumes the user has signed up, this is the bit that needs fixing, because you don't need to find an exploit, create an app, or even a website registration form to trick people into this scam, hell you could do it over the phone, by post or even face to face in the street, as all it requires to work is a lie and a telco prepared to turn a blind eye.
In the POTS world, this type of fraud is known (in the US) as cramming. (here is some FCC info on this disgusting practice: http://www.fcc.gov/guides/cramming-unauthorized-misleading-or-deceptive-charges-placed-your-telephone-bill )
The only way to put a stop to this shit is to force carriers to allow customers to be able to block third party charges to your cell bill. Now, to do so, can have unwanted consequences for those who want to use their cell phone as a wallet.
"More to the point, I wonder if it would be possible to automatically rate the risk of a particular set of permissions against the app being installed or the action being taken"
The minute you allow writing to any shared (and thus privileged) area on the system, it's basically game over and pretty much every installer needs that.
The real issue is that most OS designs (Mac OS X, Windows and Linux all included) are geared around protecting the system (and by extension other users) from the user. It's just not part of their fundamental security design to constrain permissions at an application level (every application runs as the user and can do everything the user can do). The more we've moved away from shared computers to one device per person, the less and less effective the traditional OS security is. It's one of the reasons the walled garden approach is becoming more embraced, because it (theoretically at least) compensates to some degree for this.
This post has been deleted by its author
The 'popular Russian social networking site' mentioned in the article is one that all my Russian friends know about but won't touch with a barge pole. It is notorious for being riddled with Malware. On the otherhand if you are looking for Russian 'Babes' then it is a good place to go. btw, they will also empty your wallet in no time flat.
Mines the one with a dog-eared copy of Правда in the pocket.
" Crooks have been encouraged to migrate from cooking up fake Windows installers to creating fraudulent Mac OS X apps"
understandably so. A target market that by definition has a high disposable income (or they couldn't afford a Mac), has been encouraged by marketing liars and fanbois to believe that OSX "doesn't get viruses" and is deliberately marketed toward the ignorant and computer illiterate ("it just works" translates directly to "you may not be too stupid for this").
And Pravda's improved a great deal!
This post has been deleted by its author
just to point out its NOT a Virus.... so no, OS X has not been hit with a virus that exploits a security hole.
I could be argued that this isnt even a trojan as it doesnt do anything when installed.
Its simply a social engineering trick, like someone ringing your doorbell and asking for you number for a chance to "Win 10 Million"
Of course all the Windows users would start rattling on about a "virus" because they are already dumb enough to use windows, how could they have enough cells up top, to know the difference?
"Of course all the Windows users would start rattling on about a "virus" because they are already dumb enough to use windows"
And by "ALL" you mean like 2 people on this forum thread, and you have presumed they use windows. You Sir, do no good for the current stereotyping of Apple users.
"Of course all the Windows users would start rattling on about a "virus" because they are already dumb enough to use windows, how could they have enough cells up top, to know the difference?"
You do realise that 99% or more of the Windows "viruses" out there work in exactly the same way, right? It's just that everyone on Windows stopped pretending a long time ago that there is anything but a purely academic distinction at the end of the day when real people are suffering the effects.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
