Friday, May 15, 2009

Proof Of Concept Trojan.OSX.Tored.A & Related Rants

Last month an eMail distributed proof of concept (aka nonfunctional) malware program was discovered for Mac OS X. A couple different companies claim they 'discovered' it. It is being labeled as a 'worm' because it is able to replicate itself after infection. It does not qualify as a virus because it does not damage the host computer. However, it is actually a Trojan horse because it requires user error in order to be installed. Its worm behavior is therefore secondary and cannot be used in its name. Sorry. (;_;)

Rant: I'm a biologist who became addicted to Mac technology and works as a professional Mac technologist. So how come I, without a computer science degree, am able to distinguish a Trojan horse from a worm while professional computer security companies can't? I am thoroughly baffled. Was there perhaps one person who made the initial error and everyone followed along like good little sheep? Likely. It became evident eight years ago in the USA that sheep are the 'in' thing to be. Shameful. End of rant.

The best reports I found on Tored.A are over at Intego, F-Secure and CA. The lamest report is at Sophos, not worth linking.

An interesting short article about Tored.A was posted over at the HowStuffWorks blog. I wrote a reply to the article and tossed in some of my usual educational chatter. Here is a repost for your pleasure:

Here are some useful facts:

1) Symantec started the Anti-Mac security FUD campaign back in August 2005. In the intervening three and a half years Mac OS X has failed to be deluged in malware. There was no doom and gloom. The sky did not fall. Symantec continues to make the single worst anti-malware app for Mac. Figures.

2) There is a standard naming system for malware. This is how it works: First comes the type of malware. Tored-A is a Trojan horse. It is NOT a 'worm' until AFTER it has been installed by a computer user, which is of secondary importance. Therefore, the first part of its standard name is 'Trojan'. Second comes the name of the operating system on which it runs. In this case it is 'OSX'. Third comes that identifying 'name' of the malware. The discoverer in this case chose 'Tored'. Why is up to them. Last comes the 'strain' or version of the malware. The first discovered version is called A. Next is B, etc. Take note that despite this long published standard, anti-malware companies usually don't care. That's why there are often many names for exactly the same malware, resulting in needless chaos and confusion.

3) There never was any such thing as 'security by obscurity' for Mac OS X. The fact is that Mac OS X is incredibly harder to hack than Windows. That is why there are only Trojan Horses for Mac OS X. They require user error in order to break into a Mac. There are no viruses, worms or illegal spyware/adware for Mac OS X for that reason.

Responding to the article:
"Many accounts say that the MacOS is naturally more secure than Windows."

Accounts have nothing to do with it. Mac OS X = UNIX = consistently proven to be the safest operating system commercially available. Its rivals are the Open Source operating systems FreeBSD and OpenBSD, both of which are integrated into Apple's CLI version of UNIX called 'Darwin OS', the basis of Mac OS X. That being said, UNIX / Mac OS X is NOT perfect. Security flaws are frequently being patched. Never at any time was there any myth that Mac OS X was not 'mortal'. If you want hacker heroes, applaud Dr. Charlie Miller and Dino Dai Zovi, the most revered of those who have proven how to break into a Mac (with user error required). They wrote a book about it called "The Mac Hacker's Handbook" published March 2009.

The least secure Apple software is NOT Mac OS X. It is in fact QuickTime, which Apple write and provide for both Windows and Mac OS X.

Windows was never designed to be secure until Vista. And even then Microsoft significantly failed. Theoretically Windows 7, which is mainly a paid service pack for Vista, may repair this problem, but it has not been proven at this time.

The future: Watch for the Mac malware coming out of Red China. Few people know that China formally declared a "Technology War" against the USA several years ago. China has been successfully cracking into US federal computers since 1998 when they formed The Red Hacker Alliance. Note that this was the year China was provided "Most Favored Nation Status" by the US government. Despite being caught red-handed cracking government computers all over the planet, the USA still maintains this favored status. Conclusion: We are out of our minds. Enjoy the results.


  1. Why didn't you mention all the OSX threats including the exploits used in the wild or the Spyware and Rogue software?

    Privilege escalations are available on milw0rm and I saw many of them used by hackers in the wild.

  2. Thanks Steve,

    I'd personally like to know the hacks and hacker tools currently being used. I'm not connected into the Mac hacker community on any high level. There isn't much information about it that I have found so far.

    I follow the Mac OS X vulnerability lists and all the malware lists. I read here and there about the hacking contests and have just started into 'The Mac Hacker's Handbook' by Miller and Zovi.

    I don't know the term 'Rogue' software. I'll look up it up, but I'd appreciate any enlightenment you can send my way.

    As for 'Spyware', there is nothing illicit for Mac OS X. All of it has to be installed by hand by someone with access to a user's account. This is similar to a lot of hacker tools. You can easily find it on the Internet. I found a pile of it by simply searching for 'spyware' at There is a long list over at the MacScan site:

    Detecting this sort of spyware is the main purpose of MacScan. All of it is used, as far as I am aware, by computer administrators and parents to perform surveillance on their computers, watching what the employee or kid are doing on the Internet, etc. There is no Mac OS X spyware able to 'infect' a computer, therefore it is not considered malware.

    I've had one person question whether I should include Trojan.OSX.Lamzev.A in my Mac OS X malware list because it is a hacker tool. I don't know why it is listed as a 'Trojan' by the anti-malware providers. But it is, therefore I am following their hopefully superior understanding. Theoretically it could be renamed and disguised as something else the user is fooled into installing. But apparently it doesn't phone home, so whoever is offering it to the user has to know exactly what machine it has been installed upon. If folks know more about it, please let me know.

    I've been following the proof-of-concept malware, much of which includes exploits. But I keep my notes on all of them separate from my malware notes. None of it can be caught in the wild. The possible exception is the Oompa-Loompa Trojan, aka Trojan.OSX.Leap.A. But it has no ability to spread itself over the Internet and therefore is not 'in the wild'. It can only survive of a LAN.

    The fact is that most people don't care about the behind the scenes hacking, exploits, cracks. Most people think of 'virus' infection. It is challenging enough to get them to understand the term 'malware'. I'll be giving a talk on the subject in a couple weeks to a local PC user's group. The anti-malware companies are no help at all by calling all their software 'anti-virus'. There are not viruses for Mac OS X. So what's with the incorrect name of their software?

    I focus on basic Mac OS X security, mainly because there is not single organized place on the net that does it. I wish the Intego Mac OS X Security Blog covered the bases, but it does not. Meanwhile, I am going to have to leave the high level Mac OS X vulnerability subject to the trained experts like Miller, Zovi et al. No way am I going to pretend to know what I personally don't comprehend.

    If you'd like to post higher end information into the blog under your name, I'd be happy if you did! If you have a good source of higher end information for higher end readers, please let me know and I will put it in my blog's link list.

    Best Wishes!