I just read another story that talks about the overreaction to the new Mac OS Trojan, the threat first reported by Intego the other day. Generally the arguments make these points:

  • There are far fewer threats for Mac OS compared with Windows
    [my response: True, but it takes only one to get infected.]
  • You’re at risk only if you’re surfing porn
    [my response: False. Although the initial report stated porn sites were driving people to the malware, McAfee Avert Labs has found dozens of domains serving the malware, none of which was explicitly related to pornography. They are related to installing a video codec for the purpose of viewing movies in general.]
  • A user must take extraordinary actions to get infected: download a file, open it, run the installer, enter the admin password
    [my response: Yeah, so? Bagle was one of the most successful pieces of malware targeting Windows users. Many variants came as a password-protected ZIP archive attached to an e-mail message. The password was sent as an image attached to the message. Before getting infected, a user would have to open the suspicious e-mail message, open the suspicious ZIP attachment, manually enter the password provided in the other e-mail attachment, and then run the virus. Result: many, many thousands of users getting infected. Password-protected archives are an anomaly for most users, on Mac or Windows. I contend that the social engineering around installing a software package to watch a video is greater than that of having to enter a password provided in an e-mail message simply to access what’s supposed to be a photo.]

Having said all this, these points are not what make this threat significant. What sets this threat apart from other proof-of-concept Mac threats and low-scale attacks is the entity behind it. Puper (a.k.a. Zlob) is one of the most widely reported pieces of malware for Windows. McAfee VirusScan Online users reported more than 4 million detections during the past two years. Microsoft’s latest security threat report states Zlob was the most frequently disinfected piece of malware. Unlike earlier Windows malware, this Mac Trojan is authored by professionals who likely pull in thousands of dollars a month through click fraud, hijacked affiliate sales, and other illegal activity.

I have to admit that when I first heard rumors of some new Mac Trojan being reported from a vendor I hadn’t heard of, I figured it was likely hype. But when I learned who was behind the threat, I knew this was real.

Now after all of this doom and gloom, I should say that we were able to contact two universities that have rather large Mac user bases to see if they showed traces of infected systems. Thus far their log files show no sign of infection. Thus far.

It took a long time for the Windows threat landscape to evolve to where it is now. Yes, the Mac threat landscape is far behind and will be for a long time, but what OSX/Puper represents is not something to take lightly.