New Apple Trojan Means Mac Hunting Season Is Open
The Mac has officially gone mainstream.
The proof? On Halloween, professional online criminals were found using Trojan-horse software to target, for the first time, computers running Apple's OS X operating system, just as they have been doing for years on the more widely used Windows.
"Apple's day has finally come. Apple users are going to get hit hard," security researcher Gadi Evron said. "OS X is the new Windows 98."
The Trojan comes disguised as a video-decoding plug-in that users are told they must install to watch free porn clips (see screenshot above). Instead, the software burrows into the operating system, diverting some of the victim's future web surfing to sites under the attacker's control. It's the professional attack on Macs that the security community has long predicted, according to Dave Marcus, security research manager at McAfee's Avert Lab, who said it was "written by people who know how to write malware."
The arrival of the Mac Trojan signals that hackers have decided there are finally enough Apple systems on the internet to make attacking them profitable, according to security experts. Apple is the nation's No. 3 desktop and laptop seller in the United States, behind Dell and Hewlett Packard. This year, the Cupertino company accounted for an impressive 8.1 percent of the personal-computer market, up nearly two percentage points from the same period a year ago. Evron and other observers predict that black hats will have a field day with Macs, as well as with Apple's new mobile platforms.
"With over 2 million iPhones and iPod Touches, it makes sense they will think of them as an evolving market to exploit. There are a lot of new Mac users who aren't as savvy as Mac's earlier users," said CEO Alex Eckelberry of Sunbelt Software, which sells security software for Windows-based machines.
Carl Howe, an Apple analyst at Blackfriars Communications, disputes the security researchers' theories. He thinks that OS X's Unix heritage makes Apple systems less vulnerable to attack than Windows-based platforms. He argues that even if hacking Macs hasn't been profitable in the past, attackers would have done it anyway if they'd been able, just for the attention.
"I think the market-share thing has always been a myth," Howe said. "It's a good story to talk about."
Announced Wednesday by Mac-focused security company Intego, the Mac Trojan was found on a set of pornography sites, where attackers dangled free movies that supposedly required users to install a special QuickTime codec to view.
The codec, however, is fake. Instead of unlocking a skin flick, it installs what Intego dubbed the OSX.RSPlug.A Trojan horse on the user's computer.
Black-hat hackers have been using fake codecs for more than a year to trick Windows users into installing software. In this case, when the site serving the malware determines that a user is on a Mac, it delivers a Mac-specific version.
Once installed, the Trojan hijacks the system's domain-name service. Internet-connected applications use DNS to translate the domain part of a URL, such as www.Wired.com, into the numeric IP address of a server. By hijacking the DNS, the attacker is able to replace search results with links to sites that he controls, in hopes of making money from online purchases, according to Eckelberry.
The software could also intercept intended visits to sites such as banks, eBay and PayPal and then redirect them to fake websites that harvest users' logins and passwords. The scammers could then use that info to get money out of the real sites, but neither Sunbelt nor McAfee researchers have seen the malware harvesting personal-finance info.
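A defender's check for the resolver change described above, as an added example that is not part of the original article: it lists every DNS server in the system configuration that is not on an expected list. The allowlist, the sample configuration (documentation-range addresses) and the function names are constructed for illustration, and the input is assumed to be in the layout that `scutil --dns` prints on a Mac.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not on an expected list.
# The allowlist and sample text are constructed (RFC 5737 addresses).

ALLOWED_RESOLVERS="192.0.2.53 192.0.2.54"

# Read `scutil --dns`-style text on stdin; print each unique nameserver
# that is not in the space-separated allowlist passed as $1.
unexpected_resolvers() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" {
            ip = $NF
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }
    '
}

# Constructed sample: two resolver blocks, one allowed server, two unknown.
sample_dns_config() {
    cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : example.lan
  nameserver[0] : 198.51.100.7
  nameserver[1] : 192.0.2.53
  if_index : 4 (en0)

resolver #2
  nameserver[0] : 198.51.100.7
  nameserver[1] : 203.0.113.9
EOF
}

# Returns 0 when every resolver is expected, 1 when any is not.
check_dns() {
    bad=$(unexpected_resolvers "$ALLOWED_RESOLVERS")
    [ -z "$bad" ] && return 0
    # $bad is left unquoted on purpose: one output line per address.
    printf 'unexpected resolver: %s\n' $bad
    return 1
}

# On a Mac, the live configuration would be checked with: scutil --dns | check_dns
sample_dns_config | check_dns || echo "DNS settings differ from the expected resolvers"
```

An unexpected resolver is a reason to look at how the setting got there, since a changed DNS server silently affects every application on the machine.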
Unlike many Windows-based attacks, the Trojan doesn't exploit a hole in Apple's software, and can't install itself. Instead, it relies on social engineering: it tricks users into downloading the codec and requires them to type in the administrator password to install it.
But the fact that the hackers aren't attacking through software bugs doesn't change this week's attack, according to Eckelberry. "I don't care if you have to type in your admin password," Eckelberry said. "If you are asked to install a QuickTime plug-in, you will."
For the past year, fake codecs have been among the top problems encountered by Windows users, according to Eckelberry. The attacks have gotten so professional-looking that the fake codecs even have fake, annoying end-user license agreements that users have to agree to.
The Mac Trojan was created by the same malware crew that has been infecting Windows machines with the Trojans known as Zlob and DNSChanger, according to Eckelberry and Marcus.
Marcus said McAfee researchers have already found the Mac Trojan on 65 websites. But he said the malware is not living up to its full potential: It only redirects users who attempt to visit one obscure adult website.
"Truthfully, this is kind of strange," said Marcus. "If you are going to mess with someone's DNS, I would have done far more fake DNS entries. I have a sneaking suspicion that word got out before they wanted it to, but that's only an educated guess."
Evron sees more problems for Apple users than just new Trojans that try to trick users. Hackers will find it profitable and all too easy to find holes in Apple software, because the company hasn't paid sufficient attention to security, said Evron.
He predicts Apple will experience a full range of attacks, just as Microsoft did a decade ago when Windows and the internet first met.
"It's Mac season. The next two years will be very interesting."
- http://www.wired.com/politics/security/ ... mac_trojan