The end of innocence for Mac users

Great BBC column by Bill Thompson on the first Mac trojan.

The first serious threat to Mac users has been observed “in the wild”.

It’s a Trojan Horse, a piece of code that pretends to do one thing but actually compromises your computer.

This one spreads through online video sites, taking advantage of the fact that there are many different ways to display video, each requiring slightly different software to encode and decode moving images.

That puts my son right in the middle of the vulnerable population because he likes to watch video clips via sites like YouTube and Flixster.

Although Quicktime, the Apple media player that comes bundled with every Mac, makes a good shot of dealing with most common formats, if it can’t figure out what to do with a particular file type it can go online to find the right “codec”.

The Trojan sits behind an online video and when you try to play it you get a message from Quicktime telling you to get a new codec, and if you follow the link you’ll be sent to a site that hosts the malicious software.

Click “ok” and enter your systems administrator’s password and it will be installed on your computer with full system access after which you are, to use the jargon, “pwned”, or scuppered.

And you don’t even get to see the video you were after.

At the moment the fake codec is being spread via porn sites, but it will quickly spread to more mainstream sites, and that’s when it will get dangerous and could affect a lot of Mac users who believe that they don’t need to worry about system security…

Richard Earney emails:

It’s unfortunate, because this Trojan is an actual attempt by Ukrainian criminals to hijack Macs, but it’s not exploiting any sort of security hole in any version of Mac OS X. To get hit by it, you must (a) be the sort of moron who downloads “video codecs” from porno sites; (b) mount the disk image and launch the installer; and (c) grant the installer administrator privileges to install whatever it wants, wherever it wants on your system. No system can prevent that.

If anything, the fact that you have to manually install the software and supply your administrator password is a sign that Mac OS X security works.

Hmmm…. I’ve just looked at Safari Preferences, which has a check-box for “Open ‘safe’ files after downloading” which some users might leave checked in their innocence.

Later: Charles Arthur emailed to point out that “it’s not strictly the first; but it does seem to be the first *commercial* one, where the professional malware writers have gotten into the game”.