A family of malware called Puper has been plaguing Windows users in increasing numbers since 2005. It’s a nasty beast that has been in the news quite a bit lately for its nefarious installation tactics, most notably installing itself by way of exploits on infected MySpace pages.
Suddenly Puper has its eye on Macs.
What happens is this: Say you’re out searching for a bit of porn with your blissfully malware-free Mac. You’re led to a site which says you need to install a new codec to view the videos they offer. You try to install this codec, but instead you get a nasty and silent surprise. After all that, you still get no videos.
When the newest Puper fake codec site is accessed by a Mac, the file which is offered is a DMG file rather than the usual EXE file one would see on Windows. Depending on your browser settings, this may run automatically. Once it runs, it begins installing an application called “MacCodec”.
The authors behind some of the most widespread PC malware (Puper, aka Zlob), authors with experience distributing malware to the masses, have released a Mac version. This is no PoC. This is not a drill.
Dozens of fake codec sites are serving the malicious disk image file to Mac web browsers (based on the user-agent):

In the background, a script is created which then creates a scheduled task to change the DNS settings to point to a malicious server. In effect, instead of getting valid entries for websites as you would expect, you now get whatever this malicious server decides to point you to. That could be a phishing site or more malicious files; you can no longer trust that the URL you expected will be what is delivered to you.
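The persistence described above, turned into a defender's check as an added example (not code from the original post or from Avert Labs): it flags configured resolvers outside a trusted set and cron entries scheduled to run every minute. The resolver addresses, cron lines and plug-in path are constructed samples; on a real Mac you would feed it the output of `networksetup -getdnsservers <service>` and `crontab -l`.

```python
import ipaddress
import re

# Resolvers the organisation expects to see (constructed for this example,
# RFC 5737 documentation addresses).
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample: one line per configured resolver, as an admin would
# collect them with `networksetup -getdnsservers Wi-Fi`.
SAMPLE_DNS = """192.0.2.53
203.0.113.7
"""

# Constructed sample crontab. The second entry runs every minute from a
# plug-in directory, the pattern a DNS changer uses to keep re-applying itself.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * "/Library/Internet Plug-Ins/example.settings" >/dev/null 2>&1
"""

def untrusted_resolvers(dns_output, trusted=TRUSTED_RESOLVERS):
    """Return configured resolver addresses that are not in the trusted set."""
    found = []
    for line in dns_output.splitlines():
        token = line.strip()
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # skip blank lines and status text such as "There aren't any DNS Servers set"
        if str(ip) not in trusted:
            found.append(str(ip))
    return found

# Five schedule fields followed by the command.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def every_minute_jobs(crontab_text):
    """Return commands whose five schedule fields are all '*' (run every minute)."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m and all(field == "*" for field in m.groups()[:5]):
            jobs.append(m.group(6))
    return jobs

if __name__ == "__main__":
    print("untrusted resolvers:", untrusted_resolvers(SAMPLE_DNS))
    print("every-minute cron jobs:", every_minute_jobs(SAMPLE_CRONTAB))
```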
Again, Avert Labs has identified dozens of different fake codec sites currently serving this Mac malware.
People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues. This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows.
Looks like Puper has continued to dominate the net. It’s a sad situation: everybody has to fear downloading, or visiting certain sites, in fear of trojans, Puper, and all the other viruses. Great article Allysa
any ideas on how to remove such malware?
[quote]Dozens of fake codec sites are serving the malicious disk image file to Mac web browsers [/quote]
Do you really need a link?
Please can someone give a (non-clickable if you must) URL for a website that actually does this?
We’ve seen the theories, now where are the actual sites that install this on a Mac?
Great post Allysa. It may sound simplistic, but I think Apple has become too big to ignore by the “criminal” element with successes of the iPhone & iPod. It is easy to be Anti-Microsoft, but for criminals it is all about numbers and Apple is starting to get them with these products.
Michael Rowles
CopiaTECH SMB Security
A few educated guesses:
- As you are using an installer, you have to authenticate, and the installer script will be able to do as it pleases because it is now authenticated. Still, the installer .bom file should point to all installed files for removal.
- This is not exactly a fault of Mac OS X, it is caused by shrewd social engineering: “the user is programmed” to dismiss all of the OS warnings because the user is motivated to complete the install.
- The use of fake DNS lookup makes it very difficult for web-service based phishing detection techniques to find out, other than pointing out that the phishing detection mechanism cannot work with a working internet connection.