A family of malware called Puper has been plaguing Windows users in increasing numbers since 2005. It’s a nasty beast which has been in the news quite a bit lately for its nefarious installation tactics. Most notably, it’s been found to install itself by way of exploits on infected MySpace pages.
Suddenly Puper has its eye on Macs.
What happens is this: Say you’re out searching for a bit of porn with your blissfully malware-free Mac. You’re led to a site which says you need to install a new codec to view the videos they offer. You try to install this codec, but instead you get a nasty and silent surprise. After all that, you still get no videos.
When the newest Puper fake codec site is accessed from a Mac, the file offered is a DMG file rather than the usual EXE file one would see on Windows. Depending on your browser settings, this may run automatically. Once it runs, it begins installing an application called “MacCodec”.
The authors behind some of the most widespread PC malware (Puper, aka Zlob) have released a Mac version, and these are authors with experience distributing malware to the masses. This is no PoC. This is not a drill.
Dozens of fake codec sites are serving the malicious disk image file to Mac web browsers (selected based on the user-agent).

In the background, a script is created which in turn registers a scheduled task that changes the DNS settings to point to a malicious server. In effect, instead of getting valid answers for the websites you expect, you now get whatever that malicious server decides to point you to: a phishing site, more malicious files, or anything else. You can no longer trust that the URL you expected to reach will be what is delivered to you.
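The hijack described above leaves two artefacts a defender can look for on a Mac: resolver addresses that differ from the ones the network is supposed to hand out, and a scheduled task that keeps re-applying them. The following Python script is an added example, not code from the original post or from Avert Labs. It parses the output of the standard `networksetup -getdnsservers` command and a user crontab, flags resolvers outside an allowlist and cron lines that touch DNS configuration, and runs against constructed sample text so it can be tried without an infected machine. The trusted resolver set, the sample crontab lines and the sample resolver addresses are all assumptions.

```python
"""Audit macOS DNS settings and crontab for the DNS-changer pattern described in the post."""
import re
import shutil
import subprocess

# Assumption: the resolvers this network is expected to use (hypothetical values).
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample output of `networksetup -getdnsservers Wi-Fi` on a hijacked host.
SAMPLE_DNS_OUTPUT = "10.0.0.53\n10.0.0.54\n"

# Constructed sample crontab: one benign housekeeping job, one job that rewrites DNS.
SAMPLE_CRONTAB = """# constructed sample, not a real infection artefact
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * /usr/sbin/networksetup -setdnsservers Wi-Fi 10.0.0.53 10.0.0.54
"""


def parse_dns_servers(output):
    """Return the IPv4 resolvers listed in networksetup output.

    When DHCP supplies the resolvers the command prints a sentence
    ("There aren't any DNS Servers set on ..."), which yields an empty list.
    """
    return [line.strip() for line in output.splitlines() if IPV4.match(line.strip())]


def rogue_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Resolvers that are not in the allowlist."""
    return [s for s in servers if s not in trusted]


def suspicious_cron_lines(crontab_text):
    """Active crontab entries that invoke DNS-configuration tooling."""
    markers = ("networksetup", "-setdnsservers", "scutil", "resolv.conf")
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are never scheduled
        if any(m in stripped for m in markers):
            hits.append(stripped)
    return hits


def audit(dns_output, crontab_text, trusted=TRUSTED_RESOLVERS):
    """Combine both checks into one finding set."""
    servers = parse_dns_servers(dns_output)
    return {
        "resolvers": servers,
        "rogue_resolvers": rogue_resolvers(servers, trusted),
        "dns_cron_entries": suspicious_cron_lines(crontab_text),
    }


def _live_inputs(service="Wi-Fi"):
    """Collect real data on a Mac; elsewhere fall back to the constructed samples."""
    if shutil.which("networksetup") is None:
        return SAMPLE_DNS_OUTPUT, SAMPLE_CRONTAB
    dns = subprocess.run(["networksetup", "-getdnsservers", service],
                         capture_output=True, text=True).stdout
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    return dns, cron


if __name__ == "__main__":
    dns_text, cron_text = _live_inputs()
    findings = audit(dns_text, cron_text)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On a clean machine both `rogue_resolvers` and `dns_cron_entries` come back empty; on the constructed sample the two unexpected resolvers and the `networksetup -setdnsservers` cron line are reported. The allowlist approach is deliberate: the malicious server addresses change between campaigns, so matching known-bad IPs is far less durable than knowing which resolvers your own network should be using.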
Again, Avert Labs has identified dozens of different fake codec sites currently serving this Mac malware.
People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues. This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows.

November 1st, 2007 at 7:58 am
A few educated guesses:
- As you are using an installer, you have to authenticate, and the installer script will be able to do as it pleases because it is now authenticated. Still, the installer .bom file should point to all installed files for removal.
- This is not exactly a fault of Mac OS X, it is caused by shrewd social engineering: “the user is programmed” to dismiss all of the OS warnings because the user is motivated to complete the install.
- The use of fake DNS lookup makes it very difficult for web-service based phishing detection techniques to find out, other than pointing out that the phishing detection mechanism cannot work with a working internet connection.
November 1st, 2007 at 9:20 am
From the LSPM: High-risk Trojan for Mac OS X…
I consider this entry so important that I am going to write it bit by bit. I will remove this first paragraph when it is finished, although the basics are already available. Refresh the page to check whether there is …
November 1st, 2007 at 1:37 pm
Great post Allysa. It may sound simplistic, but I think Apple has become too big to ignore by the “criminal” element with successes of the iPhone & iPod. It is easy to be Anti-Microsoft, but for criminals it is all about numbers and Apple is starting to get them with these products.
Michael Rowles
CopiaTECH SMB Security
November 1st, 2007 at 10:53 pm
Please can someone give a (non-clickable if you must) URL for a website that actually does this?
We’ve seen the theories, now where are the actual sites that install this on a Mac?
November 7th, 2007 at 6:55 am
[quote]Dozens of fake codec sites are serving the malicious disk image file to Mac web browsers [/quote]
Do you really need a link?
April 30th, 2008 at 10:07 am
[…] McAfee Avert Labs announced that the authors of Puper have unleashed a similar piece of malware that affects Mac OS X. The […]