Monday, April 6, 2009

Real MacOS Malware - Getting Over Invulnerability

A local sysadmin recently emailed me about his experience with a compromised Mac:

We recently found and removed some Mac-based malware.

The user had enabled "safe content" in Safari (more reason to script-o-magically uncheck it as a login hook), which allowed her to download a file from a web site that Safari thought was a movie. When the file ran it was really a shell script that installed a payload into her Movies folder and assigned another shell script as a login item. Then at login she noticed the terminal would open, and then she'd close it. I presumed it was an advertising script and removed it. Interestingly enough, I just discovered that the application was actually pirating movies. The script made no attempt to elevate privileges. No passwords were asked for. It simply ran in standard user space once the user logged in.
He noted that he didn't keep a copy of the malware, and that his user wasn't sure of what she was doing when the malware ran initially. For now, keep an eye out for shell scripts in login items.
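As an added example (not code from the original post or from the sysadmin's email), a script that does the two defensive things suggested above: audit login items for shell scripts, and uncheck Safari's "safe files" option from a login hook. It assumes the login item list comes from System Events via osascript and that the Safari preference key is AutoOpenSafeDownloads; the file check itself is plain POSIX sh.

```shell
#!/bin/sh
# Added example. The macOS-only calls (osascript, defaults) live in their own
# functions and run only from the guarded entry point at the bottom;
# is_shell_script and flag_shell_login_items are plain POSIX sh.

# Return 0 when $1 looks like a shell script: a .sh/.command name, or a shebang
# line that names a shell. A login item that matches deserves a closer look.
is_shell_script() {
  f=$1
  case "$f" in
    *.sh|*.command) return 0 ;;
  esac
  [ -f "$f" ] || return 1
  first=$(head -n 1 "$f" 2>/dev/null)
  case "$first" in
    "#!"*"/sh"*|"#!"*"/bash"*|"#!"*"/zsh"*|"#!"*"/ksh"*|"#!"*"env sh"*|"#!"*"env bash"*)
      return 0 ;;
  esac
  return 1
}

# Read login item paths from stdin, one per line, and print the ones that are
# shell scripts (no output means nothing was flagged).
flag_shell_login_items() {
  while IFS= read -r item; do
    [ -n "$item" ] || continue
    if is_shell_script "$item"; then
      printf 'shell script in login items: %s\n' "$item"
    fi
  done
}

# macOS only: ask System Events for every login item path (returned as one
# comma-separated line; a path containing a comma would be split wrongly).
audit_login_items() {
  osascript -e 'tell application "System Events" to get the path of every login item' \
    | tr ',' '\n' | sed 's/^ *//' | flag_shell_login_items
}

# macOS only: uncheck "Open safe files after downloading" for the current user,
# the setting the post wants forced off from a login hook.
disable_safari_safe_files() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Entry point for a login hook or a manual run:  sh audit_login_items.sh --run
if [ "${1-}" = "--run" ] && [ "$(uname -s)" = "Darwin" ]; then
  disable_safari_safe_files
  audit_login_items
fi
```

The audit only inspects the files that login items point at; a login item that is a real application bundle is not flagged, so check anything unfamiliar by hand as well.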

A recent survey that we conducted showed that a significant portion of our MacOS-using community still feels invulnerable. Examples like this show that threats do exist, even if they are not as common as Windows and Linux malware and compromises.
