Thursday, October 28, 2010

Welcome to the world of dangerous malware, OS X

We have another piece of malware for MacOS X. Once again, it had a few moments of fame, but is a dud because it doesn't actually do anything. But there is a difference this time, and that difference makes OSX/Koobface.A potentially a serious threat to Mac users.

Until now all of the malware created for OS X has been distributed through relatively limited channels. Compared to Facebook and Twitter, extremely limited channels. A few porn sites and a couple of infected pirated programs add up to next to no traction for Mac malware. But take a variant of a successful Windows trojan, write it in Java so it attacks all the major computing platforms, spread it through Facebook and/or Twitter, and you have malware gold. The only thing that prevented a major outbreak of MacOS malware was what appears to be a bug in the malware that prevents it from downloading the files that would infect the computer.

This piece of malware suffers from the same weakness any Mac malware has - the user has to OK the install. You would hope that Mac users wouldn't be that careless, but the truth is Mac users are people, and a lot of people click through those dialogs without thinking.

With somewhere around 600,000,000 users on Facebook there should be about 60,000,000 Mac users. If only 10% of them allowed the trojan to be installed that would be 6 MILLION infected Macs. Plus all the infected Windows computers, since it's a cross-platform piece of malware. All it will take is a bug fix and OSX/Koobface.A will be the first successful piece of OS X malware.

But even if it does get fixed, you and I don't have to be victims. Don't click on links posted to your wall or Twitter feed without verifying their authenticity. Don't authorize any installations that you didn't initiate yourself.

It always feels like there should be a third item in the list. But those two will probably be enough. Until someone finds and uses an OS X exploit that allows privilege escalation.

If you want more details about all the things OSX/Koobface.A will do once it's fixed, check out Intego's writeup.