Crimeware comes to OS X
Wednesday October 31, 2007 at 5:58 pm CST
Posted by Allysa Myers
There has been a family of malware called Puper which has been plaguing Windows users in increasing numbers since 2005. It’s a nasty beast which has been in the news quite a bit lately for its nefarious installation tactics. Most notably it’s been found to install itself by way of exploits on infected MySpace pages.
Suddenly Puper has its eye on Macs.
What happens is this: Say you’re out searching for a bit of porn with your blissfully malware-free Mac. You’re led to a site which says you need to install a new codec to view the videos they offer. You try to install this codec, but instead you get a nasty and silent surprise. After all that, you still get no videos.
When the newest Puper fake codec site is accessed by a Mac, the file which is offered is a DMG file rather than the usual EXE file one would see on Windows. Depending on your browser settings, this may run automatically. Once it runs, it begins installing an application called “MacCodec”.
The authors behind some of the most widespread PC malware (Puper, aka Zlob), authors who have experience distributing malware to the masses, have released a Mac version. This is no PoC. This is not a drill.
Dozens of fake codec sites are serving the malicious disk image file to Mac web browsers (based on the user-agent):

In the background, a script is created which then creates a scheduled task to change the DNS settings to point to a malicious server. In effect, instead of getting valid entries for websites as you would expect, you now get whatever this malicious server decides to point you to. That could be a phishing site or more malicious files; you can no longer trust that the URL you expected will be what is delivered to you.
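One way a defender can check for the two artifacts described above, as an added example that is not part of the original post: it reads a resolver configuration and a crontab (both constructed sample text here) and flags resolvers that are off an allowlist as well as scheduled jobs that call the Mac OS X DNS-setting tools (networksetup, scutil). The allowlist, the sample text and the command patterns are assumptions made for the example, not details from the post.

```python
"""Added example (not from the Avert Labs post): audit for the two artifacts
the post describes, a resolver pointed at an unexpected server and a scheduled
job that rewrites DNS settings. All inputs are constructed sample text; the
resolver allowlist and the command patterns are assumptions."""
import re

# Constructed sample: resolver configuration in resolv.conf style.
# 203.0.113.0/24 is documentation address space, not a real server.
SAMPLE_RESOLV = """\
#
# Mac OS X Notice
#
nameserver 192.168.1.1
nameserver 203.0.113.45
"""

# Constructed sample crontab: one benign job and one that resets DNS every 5 min.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * /usr/sbin/networksetup -setdnsservers "Ethernet" 203.0.113.45
"""

# Assumed allowlist: resolvers the administrator actually configured.
TRUSTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Assumed patterns: Mac OS X tools that rewrite resolver settings.
DNS_WRITERS = re.compile(r"networksetup\s+-setdnsservers|\bscutil\b")


def unexpected_resolvers(resolv_text, trusted=TRUSTED_RESOLVERS):
    """Return nameserver addresses that are not on the trusted list."""
    found = []
    for line in resolv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in trusted:
            found.append(parts[1])
    return found


def dns_rewriting_jobs(crontab_text):
    """Return the command part of crontab entries that invoke a DNS-writing tool."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6 and DNS_WRITERS.search(fields[5]):
            jobs.append(fields[5])
    return jobs


def audit(resolv_text, crontab_text):
    """Run both checks and return a report dict (empty lists mean nothing found)."""
    return {
        "unexpected_resolvers": unexpected_resolvers(resolv_text),
        "dns_rewriting_jobs": dns_rewriting_jobs(crontab_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RESOLV, SAMPLE_CRONTAB)
    for key, hits in report.items():
        print(f"{key}: {hits or 'none'}")
```

On a real machine the same functions would be fed the output of the resolver configuration and of the user and system crontabs; the point of the allowlist is that a resolver you did not configure yourself is the symptom to investigate, regardless of whether the address is otherwise known as malicious.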
Again, Avert Labs has identified dozens of different fake codec sites currently serving this Mac malware.
People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues. This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows.

November 1st, 2007 at 07:58
A few educated guesses:
- As you are using an installer, you have to authenticate, and the installer script will be able to do as it pleases because it is now authenticated. Still, the installer .bom file should point to all installed files for removal.
- This is not exactly a fault of Mac OS X, it is caused by shrewd social engineering: “the user is programmed” to dismiss all of the OS warnings because the user is motivated to complete the install.
- The use of fake DNS lookup makes it very difficult for web-service based phishing detection techniques to find out, other than pointing out that the phishing detection mechanism cannot work with a working internet connection.
November 1st, 2007 at 09:20
From the LSPM: High-risk trojan for Mac OS X…
I consider this entry so important that I am going to write it bit by bit. I will remove this first paragraph when it is finished, although the basics are already available. Refresh the page to check whether there is …
November 1st, 2007 at 13:37
Great post Allysa. It may sound simplistic, but I think Apple has become too big to ignore by the “criminal” element with successes of the iPhone & iPod. It is easy to be Anti-Microsoft, but for criminals it is all about numbers and Apple is starting to get them with these products.
Michael Rowles
CopiaTECH SMB Security
November 1st, 2007 at 22:53
Please can someone give a (non-clickable if you must) URL for a website that actually does this?
We’ve seen the theories, now where are the actual sites that install this on a Mac?
November 7th, 2007 at 06:55
[quote]Dozens of fake codec sites are serving the malicious disk image file to Mac web browsers [/quote]
Do you really need a link?
January 31st, 2008 at 15:58
Usenet – a set of machines which exchange clauses marked with one or more universally recognized labels, the named teleconferences (or “groups” for short). If the above definition of Usenet seems uncertain, so it is. It is almost impossible to draw a conclusion on all Usenet sites in any non-trivial way. Usenet covers governmental agencies, larger universities, high schools, firms of all sizes, home computers of all descriptions, etc.
April 30th, 2008 at 10:07
[...] McAfee Avert Labs announced that the authors of Puper have unleashed a similar piece of malware that affects Mac OS X. The [...]
June 17th, 2008 at 19:00
any ideas on how to remove such malware?
December 4th, 2008 at 17:28
[...] For insight into some of what the DNSChanger gang is after, see this post. [...]
February 4th, 2009 at 06:55
[...] a high-risk and widely spread trojan for Mac OS X. That message referred to an entry titled Crimeware comes to Mac OS X on the McAfee Avert Blogs site, which explains how this code works [...]
March 26th, 2010 at 08:17
[...] Well, I guess it was bound to happen! Malware for the Mac. Great explanation of the fake codec by Allysa Myers of McAfee Avert Labs. [...]