Trojan on my iMac

The machines we love to hate

Moderator: Wiz Feinberg

Kenny Yates
Posts: 481
Joined: 6 Dec 1998 1:01 am
Location: Hattiesburg Mississippi
State/Province: Mississippi
Country: United States

Trojan on my iMac

Post by Kenny Yates »

Last night my iMac was doing a few weird things so I ran a scan and picked up a trojan. I got rid of that and things seem back to normal. PCTools puts out a free antivirus for Macs. It didn't warn me of the trojan but found it in the scan. Are the nuts finally starting on the Apples?

Ken
Wiz Feinberg
Posts: 6115
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

I have been warning about Mac exploit codes for a year now. They are in the wild and you are proof of that.

Was the Trojan identified by PCTools? If so, what was it called? Is the Mac fully patched and up to date with security fixes for all applications? Do you use Safari as your browser? Do you recall allowing anything unusual to run or install with elevated privileges?
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Kenny Yates
Posts: 481
Joined: 6 Dec 1998 1:01 am
Location: Hattiesburg Mississippi
State/Province: Mississippi
Country: United States

Trojan.OSX.RSPlug.F

Post by Kenny Yates »

That is the name it shows that was quarantined by the PCTools antivirus. I'll type in the whole thing.

:Trojan.OSX.RSPlug.F in /users/kenyat/download/tubeSetup.dmg

As far as I know the iMac has all the security patches etc. I run all the updates from Apple, and yes, I do use Safari. I've been thinking of switching to Mozilla Firefox; that is what I use on my Windows computer.

Thanks Wiz
Wiz Feinberg
Posts: 6115
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Ken;
Safari was probably exploited by a Mac drive-by infection vector that was featured at a hacking contest a month ago. Switch to Firefox ASAP!
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Steve Norman
Posts: 1696
Joined: 12 Oct 2007 6:28 am
Location: Seattle Washington, USA
State/Province: Washington
Country: United States

Post by Steve Norman »

Is this a threat to other Unix-based OSes? Seems like the exploit should only affect the home directory; if so, scary stuff.
GFI D10, Fender Steel King, Hilton Vpedal,BoBro, National D dobro, Marrs RGS
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX
State/Province: Texas
Country: United States

Post by Jeff Agnew »

This trojan wasn't the result of a drive-by and it's been around in various forms for quite some time. You or someone using your computer downloaded it. Read this article for details.

Please note that in order to infect your Mac, someone had to not only download it, but then install it, after first manually entering an administrator password. There isn't an OS or anti-malware app on the planet that can protect a system against that.

As with any OS, users must verify that what they are about to download is from a legitimate site, even if the web site itself looks okay. Double-check the real URL in your browser's address bar. Do a Google search on the product or web site. Don't just click a link to download something from a web article or e-mail. For example, if you're downloading a Flash player (which is one of this trojan's disguises) make sure you only do so from Adobe's actual, verified site.

I'm not saying you failed to do these things, Kenny. But someone on that machine did.
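Jeff's advice to double-check the real URL before downloading can be made mechanical. The following is an added example, not code from this thread; the product-to-vendor-domain table (and its Flash Player entry) is an assumption used for illustration, and the checksum helper only helps when a vendor actually publishes one.

```python
"""Mechanical version of 'double-check the real URL' before trusting a download."""
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list for this example: product -> domains its vendor uses.
TRUSTED_DOMAINS = {
    "flash player": ("adobe.com", "macromedia.com"),
}


def is_trusted_download(url: str, product: str) -> bool:
    """True only if url uses HTTPS, carries no embedded credentials, and its
    host is a trusted domain for the product or a subdomain of one."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False                      # plain http can be rewritten in transit
    if parts.username is not None:
        return False                      # https://adobe.com@evil.example/ goes to evil.example
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased, port removed
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                      # a bare IP address is never the vendor's site
    except ValueError:
        pass
    trusted = TRUSTED_DOMAINS.get(product.lower(), ())
    # "adobe.com.evil.example" ends with "evil.example", not ".adobe.com", so it is rejected,
    # as is "evil.example/adobe.com/..." where the vendor name sits in the path.
    return any(host == d or host.endswith("." + d) for d in trusted)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes, for comparison with a vendor-published checksum."""
    return hashlib.sha256(data).hexdigest()


def matches_published_hash(data: bytes, published: str) -> bool:
    """Case-insensitive comparison against the checksum the vendor lists next to the download."""
    return sha256_hex(data) == published.strip().lower()


if __name__ == "__main__":
    for u in ("https://get.adobe.com/flashplayer/",
              "https://adobe.com.evil.example/tubeSetup.dmg",   # constructed lookalike
              "https://adobe.com@evil.example/flash.dmg",       # constructed lookalike
              "http://www.adobe.com/"):
        print(f"{u:48} trusted={is_trusted_download(u, 'Flash Player')}")
```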
Edward Efira
Posts: 426
Joined: 28 Jul 2003 12:01 am
Location: California, USA
State/Province: California
Country: United States

Post by Edward Efira »

This article provides some kind of light on the subject:
http://www.macworld.com/article/140075/mac_botnet.html

Ed
'75 Sho-Bud 4&4, '01 Zumsteel 8&8, 2012 Zum Hybrid 4&6
Steve Norman
Posts: 1696
Joined: 12 Oct 2007 6:28 am
Location: Seattle Washington, USA
State/Province: Washington
Country: United States

Post by Steve Norman »

I think moving your home directory to its own partition, and backing up your data to a 3rd partition or to DVD/CD, should bomb-proof any Unix-based OS as long as you require passwords for any administration work. Keeping sudo enabled to require passwords per action should stop bots and worms from doing any damage, and trojans should be manageable as well. Worst case would be losing your data and having to restore via backup. With the advent of Unix-based operating systems becoming more popular, hackers will eventually start attacking us.
GFI D10, Fender Steel King, Hilton Vpedal,BoBro, National D dobro, Marrs RGS
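Steve's "password per action" posture depends on two sudoers settings: no NOPASSWD rules, and a credential cache timeout of zero. This added example (not from the thread) audits sudoers text for both; the sample file content is constructed, and lines beginning with "#" are treated as comments, so sudoers' "#include" and "#uid" forms are not handled.

```python
"""Audit sudoers text for settings that weaken 'a password for every sudo'."""
import re

# Constructed sample sudoers content for this example (not from any real machine).
SAMPLE_SUDOERS = """\
# Defaults timestamp_timeout=0      <- commented out, so it does not apply
Defaults env_reset
%admin ALL=(ALL) ALL
ken ALL=(ALL) NOPASSWD: /usr/sbin/installer
"""

_NOPASSWD = re.compile(r"\bNOPASSWD\b")
_TIMEOUT = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+)")


def audit_sudoers(text: str) -> list:
    """Return a list of findings; an empty list means every sudo invocation
    will prompt for a password and no rule bypasses the prompt."""
    findings = []
    timeout = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        if _NOPASSWD.search(line):
            findings.append(f"line {lineno}: NOPASSWD rule grants sudo without a password: {line}")
        if line.startswith("Defaults"):
            m = _TIMEOUT.search(line)
            if m:
                timeout = int(m.group(1))     # last Defaults line wins, as in sudo
    if timeout is None:
        findings.append("timestamp_timeout not set: sudo caches the password for its default period")
    elif timeout != 0:
        findings.append(f"timestamp_timeout={timeout}: password cached instead of asked per action")
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f)
```

On a real machine the input would be the output of `sudo visudo -c` or `sudo cat /etc/sudoers` plus the files under /etc/sudoers.d, read by an administrator rather than pasted into the script.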
John Cipriano
Posts: 449
Joined: 13 Jun 2008 8:23 pm
Location: San Francisco
State/Province: -
Country: United States

Post by John Cipriano »

Steve, all OSes are equally vulnerable to trojan horses. A trojan is by definition a program that the user installs because it appears legitimate. You cannot secure a machine against its own administrator.

And yes there are trojans out there for Mac and Linux. Here is a list of potentially unwanted software that has Mac trojans listed:
http://macscan.securemac.com/spyware-list/

Note that most of what's on that list is either a legitimate remote control program, like VNC, or a keylogger. But there are a few trojans...literally a few. It's easy enough to just check by hand to see if you have one of them installed.

As far as more traditional Unixes, only a very small number of people use those as a desktop OS, so they are safe for that reason: you're running a server on it and not likely to just install random software. With Linux you are mostly getting your software from a trusted repository (or you should be) and in that case you can be reasonably sure that you're not going to get hit.

So, not a drive-by, not even a virus. I'm not worried about the Pwn2Own exploit since I don't think anyone but Charlie Miller and Apple know exactly what it is. If there was an automated tool based on the exploit it'd be big news right now, but I have not seen anything like that.

There are some Mac drive-bys. They happen when you use Adobe Reader as your PDF viewer and Safari is set up to automatically download and open PDFs. The fix is easy enough: use OS X's built-in PDF viewer, which is faster, safer and more convenient than Adobe's. It also renders vertical lines correctly :P