
Friday, July 8, 2011

Current Mac Malware, 2011-07:
Introduction

In order to help Mac users understand the current state of malware on the platform, I am providing a review of each current form. This will not be an exhaustive review, but it should help relieve much of the misunderstanding and concern generated by the ongoing, many-years-old, anti-Apple security FUD Fest.

I will be going through the malware in reverse chronological order, featuring the most current concerns first and the oldies but gnarlies last.

The first thing to know is that technically, ALL currently active Mac malware are Trojan horses. That means that they are entirely inert until such time as a user (or 'LUSER', in cynical terminology) inadvertently installs them.

I am NOT including any hacker tools or 'legal' spyware in my detailed articles. These require a third party with physical access to your computer to install them directly for their nefarious purposes; you won't personally be in any danger of installing them unless a hacker or IT administrator directs you to do so. I may address these forms of software at another time. I am more concerned about what YOU might mistakenly install.

THE LIST:

1) Trojan.OSX.MACDefender.A - O [15 strains]

2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]

3) Trojan.OSX.Boonana.A

4) Trojan.OSX.OpinionSpy.A - B [2 strains]

5) Trojan.OSX.iServices.A - C [3 strains]

6) Trojan.OSX.PokerStealer.A

7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species is 7.
The total number of Mac malware strains is 42.


The 'Malware' Hacker Tools I Am Leaving Out:

'Trojan'.OSX.Lamzev.A

'Trojan'.OSX.Hellraiser.A - D [4 strains]

There are a number of inert malware as well as 'Proof of Concept' malware of no concern which I have also left out of my list. You may find them on other lists, but you won't find them infecting anyone with an up-to-date computer, apart from test computers in a lab. (A famous example of 'Proof of Concept' malware is Trojan.OSX.Oomp.A, aka Trojan.OSX.Leap.A. It is of no consequence or importance.)

If you'd like a list of current 'legal' spyware, I suggest the list kindly provided at the MacScan/SecureMac site.

Note that, due to the lack of adherence to standards within the anti-malware community, there are a lot of name variations for the exact same malware. In the case of the MAC Defender Trojan I discovered 15 different names. I am not including them here in my list as these alternative names are irrelevant and needlessly confusing. What I have listed here are the 'official' names from my point of view as well as those whom I consider to be professional experts and original malware discoverers in the field. However, I will be listing a number of the alternative names in my subsequent articles that provide details about each of the current malware species.

As ever, I request corrections to my information. If I have missed a malware species or strain, please let me know asap. Much appreciated!

Thursday, August 27, 2009

A Primer on Trojan Horses and Their Aliases

--
There actually is a standard naming system for malware. But very few anti-malware developers care. Therefore, we end up with a bunch of names for exactly the same malware. The CNET POS article mentioned previously (not worth reading) demonstrates the problem. Here are some translations. I list the standard name first, then the extraneous names after:

The Trojan.OSX.RSPlug series is aka "DNSChanger" and "Jahlav" and "Puter".

Trojan.OSX.Lamzev is aka "Malez"

Trojan.OSX.PokerStealer is aka "Corpref"

The Trojan.OSX.iServices series is the fourth current Trojan type for Mac OS X. I'm unaware of any aliases so far.

Scan backward through my previous posts for coverage on each of these Trojans.


Count with me!

As of today:
  • The RSPlug series has variants A through P. That equals 16 variants. (When I checked last week there were 13 variants, so some mean old crackers have been very busy).
  • The Lamzev Trojan has no variants. Add 1.
  • The iServices series has variants A through C. That equals 3 variants. (The C variant is recent).
  • The PokerStealer Trojan has no variants. Add 1.

Count them all together and what do we got?

The number 21!
That's 21 Trojans!

BwaHaHa!

I am using the iAntiVirus Threat Database maintained by PC Tools as my source. Their list of Mac malware has flaws, but at least they have one. Who else bothers? Certainly not Intego! (Ahem! hint! hint!)

Just for comparison: I was hanging out at the ClamXav forum yesterday and someone pointed out that as of June there were 574,043 malware signatures in ClamAV. Let's see... take away 21... that's somewhere around 574,022 Windows malware in the wild. A little more math and that comes to 1 Mac OS X malware for every 27,334 Windows malware. Wait! Wait! What was that?!

1 : 27,334!

So who was the dope who thought up that 'security by obscurity' myth?
I don't think so.
--

Sunday, May 17, 2009

Current List of Mac OS X Active Malware

--
This evening I was busy over at the ClamXav forum. In response to a suggestion there, I provided a current list of Mac OS X active malware. I decided to cross-post the list here as well:

Below is a list of all the Mac OS X active malware I am aware of. I've been attempting to keep up to date on this subject since 2005. I have a blog where I share all my knowledge of Mac security:

http://mac-security.blogspot.com

As far as I am able to ascertain, the only active Mac OS X malware ClamAV is able to detect is Trojan.OSX.RSPlug.A (aka DNSChanger.A). In a previous thread I have asked for help trying to determine if any further Mac OS X malware are detected.

Note that there is only one official standard name for each of the 11 malware. This is what I use to name each family. However, anti-malware providers call them anything they choose. This is why I provide alternative names. There are four families of Trojans listed below with various strains/versions/variants designated by "A" through however many exist for the family. In the case of RSPlug I list A through G specifically because the PCTools site lists that many. Most other sites list only A through F.

If anyone knows of further names for these malware, or of any further ACTIVE malware (please not inert or proof-of-concept malware) please let me know at my blog.

The current list of active Mac OS X malware as of 2009-05-17:

I) Trojan.OSX.RSPlug family, aka DNSChanger or Jahlav.
01) Trojan.OSX.RSPlug.A
02) Trojan.OSX.RSPlug.B
03) Trojan.OSX.RSPlug.C
04) Trojan.OSX.RSPlug.D
05) Trojan.OSX.RSPlug.E
06) Trojan.OSX.RSPlug.F
07) Trojan.OSX.RSPlug.G

II) Trojan.OSX.Lamzev family, aka Malez.
08) Trojan.OSX.Lamzev.A

III) Trojan.OSX.PokerStealer family, aka Corpref.
09) Trojan.OSX.PokerStealer.A

IV) Trojan.OSX.iServices family.
10) Trojan.OSX.iServices.A
11) Trojan.OSX.iServices.B

Sources of these malware:

The RSPlug family are all offered by websites that tell you that you must install their file or program in order to access specific media they are offering. Originally these Trojans showed up on porn sites where you were told to download a video codec in order to view their videos. These days the websites could be telling you anything. The basic idea is to use 'Social Engineering' to fool you into installing their Trojan. The most recent of these Trojans can potentially zombie your computer and use it in a botnet.

Lamzev is a hacker tool used to create backdoor access into a computer. The only way to 'catch' it is if a hacker has physical access to your computer and hand-installs it. Note that there are plenty of other hacker tools around, but this is the only one listed as a Trojan because of the potential damage it can do to a victim computer.

PokerStealer originally called itself "PokerGame". You download it, install it and are infected. The original version put up a bogus warning message that a corrupt preference file had been detected and that your administrative password was required to repair it. It then sends your ID, password and IP address to crackers who can then access your computer via SSH and do whatever they like with it. Theoretically this Trojan can be named anything.

iServices showed up earlier this year in pirated programs, buried inside their installer. The original A and B variants were buried in pirated versions of iWork '09 and Photoshop CS4. You install the pirated program and get infected. There are reports that the installers actually fail to install the listed program and only install the Trojan. In any case, iServices zombies your computer and makes it part of a botnet. This Trojan formed the first officially verified Mac botnet back in February. It apparently consists of thousands of computers. It has so far been used in a DDoS attack. Note that once a Mac is zombied, the 'bot wrangler' or cracker-in-charge can do anything they like with the computer. This particular zombie botnet is so far being used for money-making ventures over the Internet.

If/when further Mac OS X active malware is discovered I'll list it in my blog.
--