Sophos

Archive for the ‘Apple’ Category

Mac malware - mea culpa

Graham Cluley

Hi everyone.

I owe you all an apology.

Earlier this week, I blogged about some Apple Mac malware that was making minor headlines. In the process I managed to get my wires badly crossed, and confused the Troj/RKOSX Trojan horse that we have been detecting since August, and that Symantec and Trend published information about recently under the name of Lamzev, with a new variant of the Mac OS X worm RSPlug that Intego warned about this week.

So, in truth there do indeed seem to be two separate pieces of OS X malware being talked about at the moment. Intego were talking about RSPlug-D. Symantec and Trend have been talking about Lamzev (now also reported by Intego as OSX.TrojanKit.Malez).

As far as I know there is no link between OSX/RSPlug and Troj/RKOSX (also known as Lamzev or Malez).

So, dear readers, Symantec, Trend and Intego… I apologise.

I always try and get my facts straight on the blog, but I let you down on this occasion. I’ve included a link to this correction from the original blog entry, and we have also fixed Numaan’s entry on the SophosLabs blog to correct an incorrect link to Intego’s website.

Cheers


A new Trojan horse for Mac OS X?

Mac OS X malware

As Numaan points out on the SophosLabs blog, a “new” Trojan horse for the Apple Mac OS X operating system has been discussed in the security community for the last few days.

For instance,

The Trojan horse is closely related to the OSX/RSPlug Trojan horse for Mac OS X that we have seen being distributed in the wild since November 2007.

As with RSPlug, this most recent Trojan horse is being spread in an unoriginal way. Joe User visits a website expecting to see a video of something pornographic, but is told that they have to install a ‘missing Video ActiveX object’ before it can be viewed. The downloaded software, however, is in reality a piece of Mac OS X malware.

Of course, Apple Mac malware is still relatively unusual compared to the thousands of new Windows-based samples we see every day - so it’s not a surprise to see people talking about this. But what did surprise us in the labs was that this “new” piece of Apple Mac malware was ..err.. news.

Sophos has been detecting this malware for customers as Troj/RKOSX-A since 29 August 2008.

Following all the new interest, we’re going to have to go back to our analysis and add “Lamzev” as an alias in case our customers are searching for it. It’s a shame the other vendors didn’t scan the file with our Mac anti-virus product before deciding on their own name for this “new” piece of malware.

Correction: Read my correction to this story.


Guest blog: Will hackers make the iPhone an iPh0wn?

"Guest blogger Graham Lee, who is not only a near namesake of mine, but also the author of “Ten tips to secure Apple Mac laptops” and a senior Mac software engineer at Sophos, gives his personal opinion on the possibility of malware authors targeting Apple devices more in future. Over to you Graham…"

Graham Lee.. who is not the same as Graham Cluley

Security researchers like to tell us that malware authors have largely ignored the Mac because there aren’t enough users.

I think there are two reasons that they say this: the first is that it’s hard to disprove.

The Mac user base is rapidly growing (according to Apple, at 3-4 times the rate that the rest of the PC industry is growing) so when the next attack comes around the market share will indeed be bigger; and a little bit of hand-waving lets the experts navigate us past the fact that there isn’t necessarily a causal relation.

The second reason I’d like to offer is that it’s true; the “return on investment” for writing Mac malware is lower than that for Windows malware just because there are more infectable Windows systems.

While I’m channeling the marketing department, I could possibly investigate whether Mac support for a botnet is a “value-added differentiator” for cybercriminals ;-).

Anyway, readers with a mathematical bent might like to read When Malware Attacks (anything but Windows), a game-theory treatment which estimates that the tipping point comes when Macs account for 1/6th of the market share. When that magic number is reached, it will become financially worthwhile for a Windows malware author to “get a Mac”.

That seems a long way off, but I’m going to propose firstly that our idea of “Mac market share” is flawed, and secondly that the magic number is too high.

The proportion of computers on the internet running Mac OS X was estimated at 8% last month, and we know from Apple’s sales figures that there must be about 30 million Macs in use.

But what about the “other” OS X platform? What about the iPhone?

We also know from the fruity salespeople that there are at least 10 million iPhones knocking around (and presumably a few million iPod Touches have been sold, too).

If a bad guy can use a generic “OS X” exploit which targets the technology or features common to the Mac and the iPhone, maybe the Safari web browser, then the number of boxes they can reach shoots past 40 million, turning that 8% figure into 11% or 12% - still not close to 18%.

As for my second statement, that we need to reduce that magic tipping point number, my reason is simple. A compromised iPhone (or “0wned”, hence iPh0wn) is worth a lot more than a compromised Mac.

Macs, particularly laptops where Apple’s sales are strongest, are not necessarily always on, and when they are, they are not necessarily connected to the network; and when they’re off or disconnected, they aren’t going to be very productive as spam zombies.

Mobile phones on the other hand tend to be left on all day, and whenever they’re on, they’re online. So the amount of use the botnets get out of an iPh0wn is much greater than that they get out of a Mac.

The way people interact with each device is also different; when I’m at my Mac I’m absorbed in whatever I’m doing, but for most of the day my phone is left in my pocket. Perhaps I’m just not as popular as some other people. Not only would I then not notice if the phone in my pocket was running slowly or connecting to the network more, but in fact I wouldn’t know what it means to have a “slow” mobile phone, as there’s no CPU meter or process viewer.

Options for securing the iPhone are limited - there isn’t a firewall, and availability of third-party security software currently severely lags other, clearly more popular, genres such as flashlight simulators and lightsabre-swooshy-things.

This means that from the attacker’s perspective, every iPhone is the same - hack one of them and you hack them all.

So taking 0wnership of an iPhone is cheaper than a Mac, and the chance of the user noticing is much lower.

Put all of this together and the worldwide cohort of iPhone users seem like very juicy targets for malware attacks - and if the criminals manage to bag a few thousand Macs into the bargain, well that’s just the icing on a zombie-ridden cake.


Safari not-so-goody

If you’re anything like me then you’ll have a favourite browser that you use most of the time. Even if you have more than one installed on your desktop, my bet is that there’s one you use in preference and that your finger naturally clicks on rather than another.

With web threats such as sites infected with malware and bogus webpages designed to phish your identity so commonplace, it’s interesting to find out which browsers people are using when they surf the web.

So every now and then I’m curious to learn what browsers people are using when they visit the Sophos website. I asked James, one of our web wizards, to produce a report for me on browsers visiting our site in the last week, and this is what he found:

Browsers visiting www.sophos.com

As expected, Microsoft’s Internet Explorer rules the roost, but Mozilla Firefox has a not-to-be-sniffed-at 24.35%. This almost quarter share of the market is pretty impressive in my eyes, but I wonder if it’s been slanted by the kind of people we have visiting our site (typically IT-literate people into technology and with an interest in security), who probably know that there is more than one way of browsing the internet.

Google Chrome, which first bobbed up in beta form at the start of September, is still getting a respectable number of regular users. It’s not showing any signs of growth, but then if you’re security-conscious are you really going to be regularly relying on a beta version of your browser?

But what really caught my eye was Safari’s performance (or rather lack of it).

Safari is the default browser shipped with Apple iMacs and MacBooks, and is built into the iPhone. Apple announced this week that its Mac sales are at an all-time high, and that the market performance of the 3G iPhone is “spectacular”, so why is Safari’s marketshare so weak?

Despite Apple’s attempts to get more Windows users to run Safari, the browser is barely alive on that platform. Meanwhile, on the Mac OS X platform (Apple’s home turf, remember) almost as many people have chosen to install and run Firefox as have stuck with the default installation of Safari.

Combined with reports that popular websites such as PayPal may be recommending users don’t rely on Safari for their online security, this doesn’t bode well for Apple’s slice of the internet browsing pie.


Hackers distribute Trojan as iPhone game

Penguin Panic icon

Cold-hearted hackers are taking advantage of a popular iPhone game in their attempt to infect Windows users.

Cybercriminals have resorted to spamming out emails with subject lines such as “Virtual iPhone games!”, “Take a break!”, “Apple: The most popular game!”, “Virtual iPhone toys!”, and “Beet my score! (7000 points)!”.

Attached to the emails is a file called Penguin.Panic.zip, posing as a version of the penguin-starring platform game for the Apple iPhone. In the real game, a penguin leaps from iceberg to iceberg, avoiding falling stalactites - great entertainment in the Super Mario tradition. The file attached to the email, however, is something far less fun.

Sophos detects the enclosed file as the Troj/Agent-HNY Trojan horse. It’s important to note that this Trojan only works on Windows PCs - we haven’t seen any versions which will run on Mac OS X, Apple iPhone or other mobile devices.

Users of other vendors’ anti-virus products would be wise to check their vendor to see if a protection update is available.

Here’s a typical example of a malicious email sent as part of the campaign:

malicious iPhone email

Games, of course, are hugely popular with people young and old these days - and there is a real buzz about games on the new Apple iPhone, especially because of the new App Store and the device’s use of an accelerometer to introduce some Nintendo-like innovative gameplay.

Hackers, it seems, are jumping on the bandwagon of the iPhone phenomenon and using it as a springboard to infect innocent users. Some people might have played Penguin Panic on their Apple iPhone or another portable device, and be keen to have it on the desktop of their Windows work PC too.

As always, you should exercise extreme caution if you receive an email like this - and never run unsolicited attachments.


Apple releases Mac OS X 10.5.5, patching security flaws

It’s time for the black roll-neck sweater-wearing, grande nonfat cappuccino-supping, snowboard-carrying, Apple Mac lovers amongst you to update your computers again.

Apple has released Mac OS X 10.5.5, which amongst other things fixes a variety of security holes that the Cupertino vendor says can result in “arbitrary code execution”. Ouch! So, by anybody’s standards it makes sense to roll this update out to your Apple computers as soon as possible.

Mac OS X 10.5.5

By the way, despite not owning a black roll-neck sweater, not drinking coffee, and never having snowboarded (well, I did try to on the Nintendo Wii at my cat’s 10th birthday party on Saturday night, but I was rubbish), I do love Apple products. They do a lot of things very well.

One area where they could improve, however, is in their openness about security issues. I don’t seem to be the only person who feels that it would be a positive development if Apple were to “think differently” about how they currently approach talking about security. If you missed it, take the time to read a few interesting words that Mozilla’s security chief Window Snyder has had to say about Apple’s approach to security this week.

Oh no, I just realised, somewhere in this post I may have given an identity thief vital clues as to the full date of birth of my pet cat. Fortunately he doesn’t have too much cash in his err.. kitty. Groan.