Author Topic: New Mac Spyware?  (Read 3203 times)

Offline Al

« on: November 29, 2006, 06:44:44 PM »
I received a forwarded email from my wife today regarding new spyware for OS X.  The email was generated from an Information Security Officer from the Hawaii Education system.

Legit alert?

QUOTE
--Mac OS X Spyware Detected
(27 & 24 November 2006)
The first spyware program for Mac OS X has been detected. The
proof-of-concept code could potentially be installed without users'
knowledge. The program, known as iAdware, installs itself as a System
Library. It does not exploit a flaw, but takes advantage of a feature
in Mac OS X to run each time an application is loaded.
http://www.eweek.com/print_article2/0,1217,a=194912,00.asp
http://www.theregister.co.uk/2006/11/24/ma...ware/print.html
[Editor's Note (Skoudis): Mac users must fight the feeling that they are
invulnerable simply because they are using a different kind of computer.
As a very happy Mac user myself, I feel this temptation, but it must be
resisted. Macs are getting increased scrutiny as their numbers go up.
I'm especially concerned about client-side vulnerabilities on the Mac,
including Safari and Mail:App, which haven't gotten nearly as much
scrutiny as IE, Firefox, and Outlook. Keep your Macs patched, and
practice safe computing from them.]

Jodi Ito
Information Security Officer

Offline sandbox

« Reply #1 on: November 29, 2006, 07:35:27 PM »
From the blog that started it... F-Secure
this is only a test. beep......beep......beep

QUOTE
We recently received a proof-of-concept sample of an adware program. Normally that wouldn't be worth blogging about, but in this case it's for Mac OS X. In theory, this program could be silently installed to your User account and hooked to each application you use… and it doesn't require Administrator rights to do so. We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.

The result: This particular sample successfully launched the Mac's Web browser when we used any of a number of applications.

This is easier to do than with Windows. After all, it's a Mac.

http://www.f-secure.com/weblog/

Offline kbeartx

« Reply #2 on: November 29, 2006, 07:35:29 PM »
'Proof-of-concept' means that the possibility exists [usually tested in a laboratory environment], NOT that any actual exploits have been seen 'in the wild'.

So don't worry.

Yet.

Offline kimmer

« Reply #3 on: November 29, 2006, 07:53:56 PM »
Would this be similar to what happens when I launch "NeoOffice" (beta)? Around every 3rd launch, my browser is launched and I'm taken to the "please donate" page. It's stinkin' annoying for several reasons (chief amongst them is that I've already donated and if they want money that badly then they should make their product shareware not freeware! Sorry I'll stop now).

Anyhow is this what they are talking about?
Can I remove whatever causes this in NeoOffice?
Should I be looking for something to remove regardless of NeoOffice?
And boy is it cool that FF 2.0 spell checks!

Offline krissel

« Reply #4 on: November 29, 2006, 10:18:01 PM »
I believe this is the 'flaw' that references the fact that Safari is set to open downloads by default. All you have to do is change that pref.

Will find the article online....



OK, well it was mentioned in an article about the browser settings but not the same problem. Sorry.

http://www.macworld.co.uk/mac/news/index.cfm?newsid=16583
« Last Edit: November 29, 2006, 10:28:01 PM by krissel »


A Techsurvivors founder

Offline eric j

« Reply #5 on: November 29, 2006, 10:32:12 PM »
Just found this:

http://news.bbc.co.uk/2/hi/technology/6187302.stm

on the BBC site.

Refers to a possible exploitation of DMG.

eric j

Offline krissel

« Reply #6 on: November 29, 2006, 10:41:27 PM »
That was the article mentioned in the link in my thread. They talked about the problem but failed to mention that the 'workaround' was to disable automatic opening of downloads.


Offline kbeartx

« Reply #7 on: November 29, 2006, 10:42:25 PM »
In my read of the article, they pointedly avoided describing the 'mechanism' by which this 'vulnerability' might be exploited, so I assume it's not something previously reported elsewhere.

Offline sandbox

« Reply #8 on: November 29, 2006, 11:09:29 PM »
It also has to pass the administrative sniff test. You or your administrator has to allow the installation. Apple could have addressed the issue in this last security download?

In any case it's not what I would classify as adware, malware, trojan, or virus if it is stopped by your administration password. That is unless you just allow things of unknown origin into your secure files.
« Last Edit: November 29, 2006, 11:10:26 PM by sandbox »

Offline D76

« Reply #9 on: November 30, 2006, 07:27:06 AM »
There's a thread at Mac-Forums about redirects to some PC site called Drive Cleaner where some Mac users end up. One post says:
QUOTE
I used Safari once to dl Firefox. I did not use my PC profile, or Bookmarks and cookies to Safari. I was just browsing away and this pop up well popped up. It took me to the drivecleaner site where it made it look like it was scanning my computer and then suggested I dl their program which is an .exe. I find that it goes away and comes back periodically. Also I can not DL from sites or log into second life since this started.
Another:
QUOTE
Yeah I'm getting the same thing! It just started today, and it's VERY annoying, but I haven't clicked OK. I clicked "cancel" the first time and it just popped up another message (not a pop-up window but what appeared to be a message from Safari itself) with only an "OK" option. So now I just force-quit Safari every time it happens rather than click on the message at all...but needless to say this is very frustrating!!
Then more of the same, with the top two posts on the second page rather ominous.