
The New Trojan: Proof You Can't Cure Stupidity

Posted by: Arik Hesseldahl on November 01, 2007

I’ve received at least two pitches from security software companies trying to get publicity traction off the disclosure of the latest social engineering Trojan for the Mac.

I chose the terminology “social engineering” for a reason. This Trojan can infect your Mac only after you’ve given permission for it to be installed on your machine. How does that happen? In this case, it comes from clicking on a link on a porn site that yields a message saying you have to download a new QuickTime codec to view the video offered. Screenshot here (yes it’s safe for your Mac and for viewing at work).

Not that this Trojan isn’t nasty. It is. It changes your Domain Name Server settings to point you to Web sites you’d rather not visit, essentially hijacking your Mac’s connection to the Internet.

The problem with something like this is that you can’t really guard against it. It doesn’t attack a weakness in OS X itself, but tricks the person using the machine into installing a piece of nasty software that in turn does the damage. That’s not an operating system weakness, but one that’s between the ears of the user. I’m not the only one saying it: See what Graham Cluley at Sophos says:

“What’s important to realise is that this Trojan doesn’t exploit a vulnerability in OS X, Leopard, Tiger, or any Apple code. This Trojan exploits the vulnerability within the person sitting in front of the keyboard. It’s the Mac user who is giving permission for the code to run and allowing their computer to be infected,” said Graham Cluley, senior technology consultant for Sophos. “This is not a red alert, but it is a wake-up call to Mac users that they can be vulnerable to the same kind of social engineering tricks as their Windows cousins. The truth is that there is very little Macintosh malware compared to Windows, but clearly criminal hacker gangs are no longer shy of targeting the platform.”

Sure they’ll try. There are 7 million new Macs in use, 2 million of which are running Leopard. But I can’t abide by a statement I read on Dave Farber’s “Interesting People” mailing list yesterday: “Mac OS X is the new Windows 98.” Wrong. One Trojan that relies on the stupidity of the user rather than on the weakness of the underlying operating system doesn’t make that statement anywhere near accurate. I’ll have more on this as further information becomes available. But for now I’ll simply say this: Watch where you click.

Update: I just got a statement from Apple on the Trojan:

“We’ve been made aware that a small number of websites attempt to trick Mac OS X users to install malicious software, sometimes called ‘Trojans,’ on their Macs. If a user enters their administrator password to allow the installation process, the malicious software redirects their browser to unwanted websites. Apple has a great track record for keeping Mac OS X users secure, and as always, we encourage people to install software only from trusted sources.”
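The DNS change described in the post is something a user or administrator can check for. As an added example (not part of the original post, nor from Apple or Sophos), this shell script reads the `nameserver[N] : address` lines that `scutil --dns` prints on macOS and lists any resolver that is not on an expected list; the allowlist, the sample output and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list DNS resolvers that are not on an expected list.
# Assumed input: the "nameserver[N] : ADDRESS" lines of macOS `scutil --dns`.

# Resolvers this machine should be using (constructed; edit for your network).
EXPECTED_RESOLVERS="192.168.1.1 10.0.0.53"

# Read scutil-style text on stdin; print each unexpected resolver once.
unexpected_resolvers() {
    awk -v allow="$EXPECTED_RESOLVERS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*nameserver\[[0-9]+\][ \t]*:/ {
            addr = $NF
            if (!(addr in ok) && !(addr in seen)) { seen[addr] = 1; print addr }
        }
    '
}

# Constructed sample: resolver #2 points at addresses outside the allowlist.
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  nameserver[0] : 203.0.113.77
  nameserver[1] : 203.0.113.78
  nameserver[2] : 203.0.113.77
EOF
}

# Report on stdin; return 1 if any unexpected resolver is configured.
check_dns() {
    bad=$(unexpected_resolvers)
    [ -z "$bad" ] && { echo "DNS resolvers match the expected list."; return 0; }
    echo "Unexpected DNS resolvers:"; echo "$bad"; return 1
}

# On a Mac, check the live configuration; elsewhere, run on the sample.
if command -v scutil >/dev/null 2>&1; then
    scutil --dns | check_dns || true
else
    sample_scutil_output | check_dns || true
fi
```

An unexpected resolver is a prompt to look at what was installed recently, not proof of infection: VPN clients and some networks legitimately add their own resolvers.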


Reader Comments

Perry Clease

November 1, 2007 11:15 PM

I am afraid that innocent-looking web sites may be next. Some place where you can see cute animal photos and videos or something where even Ned Flanders would feel sin free for visiting.

"Your version of Flip4Mac is out of date, click here to download the latest version." and off you go installing the Trojan.

I would like to hear what the Presidential candidates have to say about malware, and spam. If you are going to be tough on crime be tough on all crime, including the cyber kind.


sallyB

April 18, 2008 05:28 AM


I've just been infected by this Trojan and have never visited a porn site on my Mac. I fear it may have been from a Facebook account that had been hacked into - although I didn't download anything, I only opened an e-mail. The only thing I have downloaded are Microsoft Updates. Was only alerted to this by my bank who told me that somebody had changed my secure password used for internet shopping and they could only do this if they knew the original. As it's not written down anywhere, they suggested a Trojan and Norton found the Trojan Byte. £1,200 has been taken. Norton has quarantined the virus, but can it still attack?


About

A blog on the daily doings of Apple and the many companies in its orbit, with insight and analysis by two longtime Apple-watchers: BusinessWeek Senior Writer Peter Burrows and BusinessWeek.com Senior Technology Writer Arik Hesseldahl.
