Sunday, May 8, 2011

What a Mac malware attack looks like

Well, that didn’t take long.
After I posted my analysis of why the time is right for bad guys to begin attacking the Mac in earnest, I heard from two readers who had encountered in-the-wild attacks on Macs in their respective workplaces. In both cases, the results showed up via Google Image Search. (This is an increasingly common source of malware, as security researcher Brian Krebs points out in a well-timed blog post today.)
I was able to duplicate these results and encountered an identical attempt from this same campaign to convince me to install a rather nasty Trojan on a Mac. (Sophos has an analysis of what this particular species does.) I uploaded the sample—a Mac installer package in a Zip file—to, which confirmed that it is indeed the same code.

Remember last month when I showed you a malware attack that was targeting Google Chrome users? In a follow-up post, I wondered whether Macs would be far behind. They aren’t.
I just did a search for radioactive tsunami waves on Google and then clicked the Images button. On the second page of search results, I found one that looked legit:
When I clicked it on a PC, it redirected me to a fake AV screen that mimicked a Windows security screen. But when I did the same search on a Mac, clicking the poisoned image took me to this page:
This campaign is obviously preying on the fears of recent Mac converts and technically unsophisticated users, who might believe that their Mac really is infected. After that, it tried to convince me to install the program using the same set of social engineering tricks that this sort of attack employs on a Windows PC.
Interestingly, just as on a PC, Firefox showed me a download prompt and asked me whether I wanted to save the file or not. Google Chrome downloaded the dangerous file automatically without any prompts and saved it in my Downloads folder.
It is easy to dismiss this as a crude attempt, and indeed, I don’t think many people are likely to fall for this attack. But dismissing this sample because it’s not particularly well done is like dismissing an entire computing platform because of a single poorly written app.
It is possible that this particular poisoned page contained image files or script intended to exploit a known vulnerability in OS X. According to a 2010 Google study of search poisoning, 14% of all the compromised sites they saw included drive-by download attempts in addition to this sort of social engineering. If someone visits this page on a system that doesn’t include all recent updates for OS X and their browser, they could be extremely vulnerable.
And note that the bad guys get better over time. This attack might be crude, but that doesn’t mean the next one will be. I have seen some remarkably effective phishing attempts. In the hands of a skilled gang of thieves, this approach could cull out the weaker members of the Mac herd and create some genuine headaches for the friends or co-workers who have to provide emergency technical support.

