
November 01, 2007

A Scary Halloween

Two items of note surfaced on Halloween.

First—and pretty much expected—came the latest Storm propagation email messages, like this one:

Subject: Happy Halloween

I know you will like this. Heck you might even pass it on. LOL
http://numeric.IP.address.removed/

The infected destination sites display a very convincing-looking page:

If you click to download and then launch the halloween.exe file, you'll have a chance to live the Nightmare on Your Street.

[I think I'll make a template for this warning, ready to fill in the name of the current holiday. That will save me time for the next posting about a Storm attack on Veteran's Day, Thanksgiving, Christmas, and New Years.]

Part Two of all things ghoulish came in the form of a Trojan discovered in the wild that affects Mac OS X computers. It takes a bit of action on the part of a Mac user to become infected, but, as is often the case, it is the social engineering behind the attack that makes it work.

The lure is a pornographic video of some kind. When you visit the site (malvertised in Mac-specific public forums) and try to watch the video, you get prompted to download a QuickTime video codec. Now, I've seen these types of codec install requests before from legitimate (non-pr0n) sites, so a user might not be deterred by this request. The problem is that to install such a real codec (or most any application on the Mac), you have to enter your administrator password. Doing so gives the installer and/or program rights to the depths of your system.

According to a couple of analyses of the Trojan, this one modifies the address of the DNS server that your Mac uses for everyday Internet lookups. This is a variation on a theme I talked about recently. All DNS requests on an infected Mac go to a server in Belarus. Some requests may be resolved normally, but others, such as those for financial institutions, could be redirected to lookalike sites, where your credentials can be lifted when you log in.
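Because the damage here is a silently rewritten resolver setting, the practical check on a Mac is to read back the DNS configuration the system is actually using and compare it with what you expect. The script below is an added example, not code from the post or from any of the analyses it cites: it parses the output of `scutil --dns` (the macOS command that prints the live resolver list), collects every `nameserver[n]` entry, and flags anything that is not on an administrator's allow-list, distinguishing an unexpected resolver inside the local network from one outside it. The allow-list, the local subnet, the `audit_live_mac` helper name and the sample `scutil --dns` output are all constructed for illustration; the address 203.0.113.7 is a documentation-range placeholder standing in for the attacker's resolver, not an address from the post.

```python
"""Flag resolver entries on a Mac that do not match the expected DNS servers.

Added example (not from the original post). The expected-resolver list,
local subnet and sample scutil output below are constructed assumptions.
"""
import ipaddress
import re
import subprocess

# Resolvers an administrator expects this machine to use (constructed).
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Address ranges that count as "the local network" for triage (constructed).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("10.0.0.0/8")]

# `scutil --dns` prints one line per nameserver: "  nameserver[0] : 192.168.1.1"
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)

# Constructed sample of `scutil --dns` output after a DNS-changing Trojan
# has inserted its own server ahead of the router's. 203.0.113.7 is a
# documentation-range placeholder, not a real attacker address.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.7
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""


def parse_resolvers(scutil_output):
    """Return the distinct nameserver addresses in scutil --dns output, in order."""
    seen = []
    for match in NAMESERVER_RE.finditer(scutil_output):
        # IPv6 entries may carry a scope suffix such as fe80::1%en0; drop it.
        addr = match.group(1).split("%")[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def classify_resolvers(resolvers, expected=None, local_networks=None):
    """Return (address, reason) findings for every resolver not on the allow-list."""
    expected = EXPECTED_RESOLVERS if expected is None else expected
    local_networks = LOCAL_NETWORKS if local_networks is None else local_networks
    findings = []
    for addr in resolvers:
        if addr in expected:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "unparseable resolver address"))
            continue
        if any(ip in net for net in local_networks):
            findings.append((addr, "unexpected resolver on the local network"))
        else:
            findings.append((addr, "unexpected resolver outside the local network"))
    return findings


def audit_live_mac():
    """Run scutil --dns on this Mac and classify its resolvers (macOS only)."""
    proc = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True)
    return classify_resolvers(parse_resolvers(proc.stdout))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; on a real Mac call audit_live_mac().
    for addr, reason in classify_resolvers(parse_resolvers(SAMPLE_SCUTIL_OUTPUT)):
        print(f"{addr}: {reason}")
```

Running `classify_resolvers` over the sample reports only `203.0.113.7` as an unexpected resolver outside the local network; the router at `192.168.1.1` passes because it is on the allow-list. An exact allow-list is deliberately strict: a resolver that is merely "private" or "local" is not automatically safe, so the local-network distinction is there to help triage, not to excuse an entry. Scheduling the live check to run periodically turns a one-time look into a detection for exactly the change this Trojan makes.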

Frankly, I'm surprised there haven't been more attempts to crack Mac users' systems this way. Mac users receive a barrage of requests for the administrator password for countless installations and updates (Apple's and all other applications). I doubt many Mac users think twice whenever the admin password request dialog box appears.

Mindless clickity-clickity, tappity-tappity...any box can be pwned.

Posted on November 01, 2007 at 09:53 AM