A Trojan that targets Mac users visiting a porn site pretends to be video-decoding software, but instead installs rogue code.
Screenshot: Courtesy of Sunbelt Software The Mac has officially gone mainstream.
The proof? On Halloween, professional online criminals were found using Trojan-horse software to target, for the first time, computers running Apple's OS X operating system -- just as they have been doing for years on the more ubiquitous flavors of Windows.
"Apple's day has finally come, and Apple users are going to get hit hard," security researcher Gadi Evron said. "OS X is the new Windows 98."
The Trojan comes disguised as a video-decoding plug-in that users are told they must install to watch free porn clips. Instead, the software burrows into the operating system and diverts some of the victim's future web surfing to sites under the attacker's control. It's the professional attack on Macs that the security community has long predicted, according to Dave Marcus, security research manager at McAfee's Avert Lab, who said it was "written by people who know how to write malware."
The arrival of the Mac Trojan signals that cybercrooks have decided there are finally enough Apple systems on the internet to make attacking them profitable, according to security experts. Apple is the nation's No. 3 desktop and laptop seller in the United States, behind Dell and Hewlett Packard. And this year, the Cupertino company accounted for an impressive 8.1 percent of the personal-computer market for the third quarter, up nearly two percentage points from the same period a year ago. Evron and other observers predict that black hats will have a field day with Macs, as well as with Apple's new mobile platforms.
"With 2 million iPhones and iPod Touches, it makes sense they will think of them as an evolving market to exploit, and there are a lot of new Mac users who aren't as savvy as Mac's earlier users," said CEO Alex Eckelberry of Sunbelt Software, which sells security software for Windows machines.
But Carl Howe, an Apple analyst at Blackfriars Communications, disputes the security researchers' theories. He thinks that OS X's Linux heritage makes Apple systems less vulnerable to attack than Windows-based platforms. He argues that even if hacking Macs hasn't been profitable in the past, attackers would have done it anyway if they'd been able -- just for the attention.
"I think the market-share thing has always been a myth," Howe said. "It's a good story to talk about."
Announced Wednesday by Mac-focused security company Intego, the Mac Trojan was found on a set of pornography sites, where attackers dangled free movies that supposedly required users to install a special Quicktime codec to view.
The codec, however, is fake. Instead of unlocking a skin flick, it installs what Intego dubbed the OSX.RSPlug.A Trojan horse on the user's computer.
Black-hat hackers have been using fake codecs for more than a year to trick Windows users into installing software. In this case, when the site serving the malware determines that a user is on a Mac, it delivers a Mac-specific version.
Once installed, the Trojan hijacks the system's domain-name service. Internet-connected applications use DNS to translate the domain part of an URL, such as www.Wired.com
, into the numeric IP address of a server. By hijacking the DNS, the attacker is able to replace search results with links to sites that he controls, in hopes of making money from online purchases, according to Eckelberry.
The software could also intercept intended visits to sites such as banks, eBay and PayPal and redirect them to fake websites that harvest users' logins and passwords. The scammers could then use that info to to get money out of the real sites, but neither Sunbelt nor McAfee researchers have seen the malware harvesting personal-finance info.
Unlike many Windows-based attacks, the Trojan doesn't exploit a hole in Apple's software, and it can't install itself. Instead, it relies on social engineering, tricking users into downloading the codec, and requiring that they type in the administrator password to install it.
But the fact that the hackers aren't attacking through software bugs doesn't change the portent of this week's attack, according to Eckelberry. "I don't care if you have to type in your admin password," Eckelberry said. "If you are asked to install a QuickTime plug-in, you will."
For the past year, fake codecs have been among the top problems encountered by Windows users, according to Eckelberry. The attacks have gotten so professional-looking that the fake codecs even have fake, annoying end-license-user agreements that users have to agree to.
The Mac Trojan is created by the same malware crew that has been infecting Windows machines with the Trojans known as Zlob and DNSChanger, according to Eckelberry and Marcus.
Marcus said McAfee researchers have already found the Mac Trojan on 65 websites. But he said the malware is not living up to its full potential: It only redirects users who attempt to visit one obscure adult website.
"Truthfully, this is kind of strange," said Marcus. "If you are going to mess with someone's DNS, I would have done far more fake DNS entries. I have a sneaking suspicion is that word got out before they wanted it to, but that's just an educated guess."
Evron sees more problems for Apple users than just new Trojans that try to trick users. Hackers will find it profitable and all too easy to find holes in Apple software, because the company hasn't paid sufficient attention to security, said Evron.
He predicts Apple will experience a full-range of attacks, just as Microsoft did a decade ago when Windows machines and the internet first met.
"It's Mac season. The next two years will be interesting."