Matasano Chargen: The Silly New Mac OS X Trojan or HoHum.A

  • tim · 2 years ago
    What is it with Windows 98 anyways? Somebody compared the iPhone to it a few weeks ago. Why not 2000? Or Redhat 9? Two OSs that were more full of holes when released than 98.
  • Alex · 2 years ago
    Well, he's a little better than SC Magazine's Dan Kaplan who originally wrote the following today:

    "I just IM'd my buddy Ryan, who has a Mac, to determine whether he runs AV on his machine. His response: 'I don't think so.'

    Mac users are so arrogant and clueless about security, they don't even know if they have AV installed in the first place. I love it."

    So I suppose that makes us clueless about security, huh?
  • jjarmoc · 2 years ago
    Thanks for bringing some sanity to the discussion of this trojan. From the way this is playing out elsewhere, you'd think we had a full blown self-replicating virus which required no user intervention.

    The most secure systems in the world can't defend against user ignorance...
  • dragonfrog · 2 years ago
    One thing I find interesting is that the blogs are just writing about the behaviour of the preinstall and postinstall scripts. They don't mention anywhere that I've seen what the plugin itself actually does: it puts a plugin bundle in /Library/Internet Plugins/, but no one describes what this plugin does.

    In general, this thing is the most well-behaved malware installer I've seen - nice clean well-indented perl scripts with explanatory variable names and all. So I can't imagine they'd have obfuscated the function of their plugin either.
  • Just out of curiosity... · 2 years ago
  • Thomas Ptacek · 2 years ago
    It's complete nonsense.

    There is very little about the "Unix architecture" that makes Unix safer than Win32.

    The distinction people are actually talking about is not "Unix vs. Win32". It's "single user environment" versus "server environment".

    From a security perspective:

    OS X has more in common with Windows XP SP 2 than it does with Solaris 10.

    Windows Server 2007 has more in common with Solaris 10 than it does with Windows XP SP 2.
  • sigsegv · 2 years ago
    Once again, Gadi Evron has shown himself to be quite the "expert" (read: fat guy with a CISSP cert who gets beer cans thrown at him at DEFCON). While I am by no means a fan of Mac OS X, Gadi's claims are simply insane. While malware that requires user interaction can produce a decent yield (think Storm Worm), I don't see this one getting a +10,000 userbase anytime soon. It really all comes down to what type of people watch pr0n, and what percentage of those will be surfing on a Mac running OS X, as opposed to their parents' Windows XP Home Edition box. Don't quote me on that though; I don't run a pr0n site and can't conduct an analysis of useragents used by visitors, nor do I have the type of statistical data available to me that AV vendors and the HoneyNet research alliance do ("Hey, looks like the .br and .ro kiddies are ./sshbrute'ing again...").

    Perhaps I'm missing something here, but Gadi's comment seems to be the work of a half-brained moron, rather than a BugTraq $uper$tar. Oh well... what can you do...

    Oh, and for the record, I'm not saying that there will not be a yield for this trojan; I'm just saying we're not talking OpenSSH remote root 0day here. Or xnu remote root 0day. Whatever.
  • Lori · 2 years ago
    "What unpatched vulnerabilities is he referring to?"

    The users who find it ok to run questionable files on their machines. We forgot to create a patch for them. Would this be like a nicotine patch?
  • JP · 2 years ago
    You said something unbelievably stupid:

    "To this day, I am not entirely convinced that it makes sense to invest in security before it costs you."

    So you are saying you should wait until after Blaster hits before investing in security?

    sheesh
  • Thomas Ptacek · 2 years ago
    By your logic, JP, we should all invest in Linux antivirus.
  • JP · 2 years ago
    AV is pretty useless. I would say invest in making your browsers and mail clients secure, invest in hardening your OS, invest in training your end users, invest in blah, blah, yadda, yadda, etc, etc,....

    Waiting until it's "worth it" to invest in security means you have to be compromised many times over before you will get a good ROI. Of course a single compromise can lead to a string of misdeeds that can cost a company hundreds of millions. This was TJX's plan, and look where it got us.

    -JP
  • Thomas Ptacek · 2 years ago
    Security and cost are two sides of the same coin. You have finite resources. There are more countermeasures available to you than you can afford.

    What should you invest in? OS X antivirus? No? Then what point are you making?
  • JP · 2 years ago
    Well, I don't think the OP was talking AV, but since you asked...

    Why not "invest" in the free ClamXav?
  • zazou · 2 years ago
    Gadi Evron being a fame whore again? BREAKING NEWS!
  • Thomas Ptacek · 2 years ago
    It's not free. It takes effort to deploy and maintain it.
  • Hal B · 2 years ago
    This story was recently picked up by the Onion.

    http://www.theonion.com/content/amvo/new_trojan...