Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Stormy Games, Part Deux | Main | Inside a Storm Worm Infection »

October 02, 2007

Mac vs. PC and Bad Guys

Microsoft may not like to hear it, but virtually every piece of malware released in the wild for (lower case) personal computers operates only on machines running versions of the Windows operating system. Trojans, worms, keyloggers, bots—they're running on Windows.

Unfortunately, that leads Macintosh folks (and Linux people, too) to exhibit a bit of smugness about their supposedly safe computing environments. As I discuss in Spam Wars, this is a foolish attitude to assume. There have been (and will continue to be) security holes in Mac OS X and its supporting infrastructure (e.g., QuickTime, Adobe Acrobat, MS Office, etc.). Apple doesn't issue security-related software updates just to keep their engineers busy. It's just that we've (yes, I'm primarily a Mac user) been lucky so far that Bad Guys have not made concerted efforts to come after our machines. I believe that what running a non-Windows computer buys you—for the moment—is protection against an accidental infection if your mouse finger suddenly twitches with the cursor atop a malicious email attachment.

That said, I have seen one type of Bad Guy attack that is completely thwarted by Firefox and Safari browsers running on the Mac. It's a kind of attack that doesn't care what type of computer the recipient runs, because all the action occurs on a server. I'm talking about phishing that is implemented in a way that does not (so far) affect Mac users running either of the aforesaid browsers.

At issue is the way a handful of phishers compose the URLs to the phony web sites. They're trying to be cute with a little bit of obfuscation. Fortunately for Mac users, the obfuscation causes Firefox and Safari to fail to resolve the URL addresses. Woohoo!

Allow me to demonstrate. The most common obfuscation technique I've seen in the wild uses non-decimal base-number systems to represent a site's numeric IP address. The regular numeric IP address for the spamwars.com web site is 66.39.14.38. Here are links with the regular version and one each in the octal and hexadecimal versions:

Windows browsers (including Firefox) will resolve all three; Mac OS X browsers only the first one. The same goes for yet another numeric version that converts the IP address into one long number (with no periods).

I'm not sure why phishers bother with this type of obfuscation. For the most part, phishing message recipients they're trying to scam don't look at the real URLs beneath the "Click here to update your PayPal account information" links. Those who do look at such links know instantly how to decode the addresses to find the hosting services that can shut down the sites.

(This type of operating system self-selection could be understandable if the obfuscated-URL phishing sites were attempting to load malware onto Windows machines, but I haven't seen evidence of this. A fair number of real malware-loading sites self-select by using VBScript scripts to perform some or all of the infections on the Swiss cheesiest of browsers, Internet Explorer for Windows.)

If a phishing message recipient reaches the phony web site and enters username/password data, the scam works equally well across all operating systems. If you fall for the phishing email message and slick lookalike web site, you have no reason to be smug about your "impenetrable" operating system. But if the phisher is dumb enough to build in a filter that prevents your browser from visiting the lookalike site...well, I suppose a quick smug smile may be in order.

Posted on October 02, 2007 at 08:30 AM