Mac Malware/poisoned images

Several people in the past few weeks have reported getting the Trojan download from hotmail. Has anyone figured out how this is happening? Though it's not at all clear from his initial post if it's the Trojan, here's someone who may be getting it from gmail.

https://discussions.apple.com/thread/3055969?tstart=0

ds store wrote:

MadMacs0 wrote:

I just want to point out that you don't give the Trojan your password, only the installer.

So a root level installer from the same people who are attempting to deliver a Trojan is to be trusted?

The installer is an Apple application. That is the only thing that receives your password.

I'd like to challenge whoever marked this as the correct answer. I do not believe for a moment that giving the Mac OS Security popup your password when requested by the installer would allow the installer package to access the password at all, let alone send it anywhere. I would be willing to bet that even the installer application only receives an up or down from the security software and doesn't retain the password.

ds store wrote:.

Trust me, the there isn't much going on in the Lounge, just some casual chitchat and alerting the hosts to this or that.

OK, well in that case you might want to take a look at what Derek Currie had to say about "FUD! FUD! FUD! FUD! Anti-Apple Security FUD for the last SEVEN and a half years! Hee hee hee!" for a change in pace.

Hotmail/Windows Live Mail rollout is just the mega-hot bed of malware transfer between PC users.

I know hotmail is a plague of spam and malware. I'm asking how this things operates/transfers from hotmail.

So a root level installer from the same people who are attempting to deliver a Trojan is to be trusted?

We're talking about a specific threat here, not something theoretical. Have you actually analyzed the installer or anything else about this trojan? I would swear, from some of the things you're saying, that you have not actually seen it and are just reporting on stuff you've heard third-hand... some of it not remotely accurate.

Yes, there's always the possibility this thing could change into something else. There is no evidence that that has happened, despite some wild speculations here. Lots of things could happen that never do, and if it does, it won't exactly stay a secret.

We really don't need you continuing to spread FUD and inaccurate information about this trojan here. It is not helping anyone.

Don't know if it's anything different: A new, live link from a redirect from msnbc. Can you report it for editing once you've copied it, if you want to.

https://discussions.apple.com/thread/3056402?tstart=0

That link is already down. These guys are spending a lot of effort on keeping this thing moving around from server to server, so that as they get blocked there's another ready to go.

I'm not going to play with any malware [...]

I'm certainly not going to spend the considerable effort to analyze every version of the malware [...]

Then why did you start this thread yourself, including inaccurate information obtained through third-hand (possibly fourth- or fifth-hand) sources? If you aren't willing to analyze this trojan, don't advise people on how to deal with this trojan. If you want to offer advice for dealing with malware in general, fine, I don't really have a problem with that.

ds store wrote:

Am I making sense?

Not even remotely.

In the first place, malware authors are interested in profit, not playing games. They know they may have just one shot to convince any given user to install their code, & they aren't going to waste it on some "low grade" version.

In the second, a trojan can't magically evolve into some other, more potent kind of malware threat, as you seem to think it can. Trojans are the simplest, least technically sophisticated kind of malware there is.

You seem to know very little about this particular trojan & even less about malware in general. I suspect you have read a bit about one or maybe more Black Hat proof of concept exploits, but don't understand what they actually have proven or what would be required to turn them into viable malware that could be deployed over the Internet.

You don't seem to understand what does & doesn't survive a HD erase or reformat, what part EFI plays in the boot process, the limitations on firmware-based exploits, the difference between an Apple & third party app, how processes gain root level access or the restrictions on that, or for that matter even how the anti-virus software you sometimes recommend as an effective solution to this trojan works.

Your only real justification for your latest recommendations boil down to "maybe there will be more potent stuff in the future." While that is certainly a possibility, each new type of threat will require an appropriate, measured response, based on what it actually can & can't do. Your suggestions that (variously) a "complete Zero & install" or even a hard drive replacement either will or won't completely eliminate the threat just create fear & confusion without actually helping anybody.

ds store wrote:

Rather, I'm going to advise people if the give anything malicious their admin password, to assume the worse and take appropriate action. Backup/Zero/Re-install.

And I'm going to advise people to remember that for good reason the terms of use for ASC advise users to Test your answer. When possible, make sure your Submission works on your own computer before you post it.

It would seem you have not done this, or even examined the malware without installing it, nor or you willing to defer to those like Thomas who have. I know you are trying to be helpful but you are just confusing users with hearsay & wild speculation, much of it not based on any known facts or evidence.

It might be time to give this a brief rest & do a little more research.