
Malware Writers: Will That Be OS X, or W?

Security researchers increasingly are finding that sites designed to trick the visitor into installing malicious software will serve different malware depending on whether the visitor arrives at the page using a Microsoft Windows PC or a Mac.

Trend Micro researcher Ivan Macalintal recently found a new variant of the dreaded DNS changer Trojan that checks to see which operating system the visitor's Web browser appears to be riding on, and then offers the appropriate Windows- or Mac-based installer. The malware was masquerading as a pirated version of Foxit Reader and several anti-virus applications.

This follows a similar finding last month by McAfee, which spotted the same tactic being used at sites that try to trick the user into installing a browser plug-in supposedly needed to view online videos: The bogus plug-in was offered as a ".exe" file for Windows visitors, and a ".dmg" installer file for those who browsed the site with a Mac.

Meanwhile, Symantec warned last week that it had detected several blogs that were advertising free, streaming online copies of movies that were just released in the theaters. The lure is once again a fake video plug-in, followed by either a Mac- or Windows-based version of the DNS Changer Trojan.
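The OS-tailored download described in the three reports above leaves a recognisable trace in web-proxy logs: one URL hands Windows browsers an `.exe` and Mac browsers a `.dmg`. As an added illustration that is not part of the article or the vendors' research, the Python below runs a triage check over constructed log lines (the hostnames, User-Agent strings and file names are assumed) and flags URLs showing that pattern.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (assumed format, not from the article):
# timestamp client method url "user-agent" status content-type "content-disposition"
SAMPLE_LOG = """\
2009-08-24T11:02:13Z 10.0.0.5 GET http://video-plugin.example/codec "Mozilla/5.0 (Windows NT 6.1; WOW64)" 200 application/octet-stream "attachment; filename=VideoCodec.exe"
2009-08-24T11:02:41Z 10.0.0.7 GET http://video-plugin.example/codec "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_8)" 200 application/octet-stream "attachment; filename=VideoCodec.dmg"
2009-08-24T11:03:02Z 10.0.0.9 GET http://video-plugin.example/logo.png "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_8)" 200 image/png "-"
2009-08-24T11:04:20Z 10.0.0.5 GET http://vendor.example/setup.exe "Mozilla/5.0 (Windows NT 6.1)" 200 application/octet-stream "attachment; filename=setup.exe"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3}) (?P<ctype>\S+) "(?P<disp>[^"]*)"$'
)

# Installer extensions mapped to the platform they target.
INSTALLER_EXT = {".exe": "windows", ".msi": "windows", ".dmg": "mac", ".pkg": "mac"}

def client_os(user_agent):
    """Infer the browsing platform from the User-Agent string."""
    if "Windows" in user_agent:
        return "windows"
    if "Macintosh" in user_agent or "Mac OS X" in user_agent:
        return "mac"
    return "other"

def served_installer_os(disposition):
    """Platform of the installer named in Content-Disposition, or None if not an installer."""
    m = re.search(r'filename="?([^";]+)', disposition)
    name = m.group(1).strip().lower() if m else ""
    return next((p for ext, p in INSTALLER_EXT.items() if name.endswith(ext)), None)

def find_os_cloaked_urls(log_text):
    """Flag URLs that give Windows browsers a Windows installer and Mac browsers a Mac one."""
    observed = defaultdict(set)  # url -> {(client platform, installer platform)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        installer = served_installer_os(m.group("disp"))
        if installer is not None:
            observed[m.group("url")].add((client_os(m.group("ua")), installer))
    flagged = {}
    for url, pairs in observed.items():
        matched = sorted({inst for client, inst in pairs if client == inst})
        if len(matched) >= 2:  # one URL tailored its payload to at least two platforms
            flagged[url] = matched
    return flagged
```

A legitimate vendor download page that auto-selects the right installer shows the same pattern, so treat a hit as a lead for review of the hosting domain, not as a verdict.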


No doubt, threats to Windows-based systems far, far outnumber those built to run on Mac OS X machines. But these latest attacks are interesting because they show that cyber criminals more often now are thinking of Mac users when crafting their attacks.

Each time I write about threats to Mac systems, the comments I receive generally fit into two categories:

Startled: "Yikes! Does this mean I should be using anti-virus software for my Mac??"

Indignant: "Macs are soooo much more secure than Windows!! More sour grapes from a Windows fanboy!"

A couple of responses, up front.

To the Startled: No, I wouldn't recommend rushing out and buying an anti-virus solution for the Mac. Read my preemptive response to the indignant for an explanation.

To the Indignant: It's important to keep in mind that most threats, be they to Windows or Mac systems, no longer leverage security vulnerabilities. Rather, their authors target the desires, whims, and curiosities of the individuals in front of the keyboard. According to Symantec's Internet Security Threat Report covering 2008, the percentage of documented malicious code samples that exploit vulnerabilities declined substantially last year, from 13 percent in 2007 to 3 percent in 2008.

Finally, Security Fix's rule of thumb on software comes in handy regardless of the operating system you're using: If you didn't go looking for it, don't install it. Also, if you can't vouch for the source of it, you're asking for trouble: Always download software from the vendor's Web site whenever possible.

By Brian Krebs  |  August 24, 2009; 11:36 AM ET
Categories: From the Bunker, Latest Warnings, Safety Tips


For those of us running VMWare Fusion or Parallels on our Mac for running Windows apps, the threat is double; though hopefully if we're adept enough to be using virtualization, we are smart enough not to browse and download questionable software.

Posted by: altruisticone | August 24, 2009 11:49 AM | Report abuse

Wise words. You do a good job of avoiding being an alarmist while still recommending caution.

It just goes to show that you can't protect people from themselves and their stupidity.

Posted by: cyberfool | August 24, 2009 12:06 PM | Report abuse

"If you didn't go looking for it, don't install it."

Most succinct rule of thumb I've yet to see. Perfect.

Posted by: rzeman-post | August 24, 2009 1:58 PM | Report abuse

What about those who say: "You should use Ubuntu!"?

Posted by: news5 | August 24, 2009 2:15 PM | Report abuse

What's scary about this development is the level of sophistication in the OS X exploit. This isn't simple script kiddie stuff anymore. Of course that in turn means people who are really good at the platform have begun writing hacks for it.

Posted by: Rixstep | August 24, 2009 2:56 PM | Report abuse

Nice article. I expect exploits to grow on the Mac platform proportional to its market share. I also think Conficker is an example of how security exploits are still real and can infect millions. That's some smart malware.

Posted by: dward__ | August 24, 2009 3:02 PM | Report abuse

We are observing the same trend in our RBN study group.

The original Apple post offers three software suggestions: Intego VirusBarrier X5 and Symantec Norton Anti-Virus 11 for Macintosh, both available from the Apple Online Store, and McAfee VirusScan for Mac.

We have been using Intego VirusBarrier X5, and have found its interface easy to use, with very fast scan times.

Given the continuing effectiveness of targeted attacks, it is the wise person who uses anti-virus software and rootkit detectors for both the Mac and PC BSD.

James McQuaid

Posted by: JamesMcQuaid | August 24, 2009 11:52 PM | Report abuse

I am not clear on the difference between a virus that exploits security vulnerabilities and puts malicious code on a system and a virus that does not exploit security vulnerabilities and still puts malicious code on a system. Is the difference the way they enter or the end result?

Posted by: super8 | August 26, 2009 1:07 AM | Report abuse


© 2010 The Washington Post Company