The virus is the news

Imagine that a friend of yours tells you: “I’ve been told that if you eat a certain kind of food you’re going to be very, very sick”. He doesn’t tell you which food it is; he just knows that it could be “red”. You get worried and look for confirmation – and you get it: three trusted sources of medical information say: “Be careful: there’s a red food somewhere that can make you very sick”.

Suddenly everybody’s talking about it and panic spreads. Let’s pretend you’re a doctor and you want to find out more, so you do some research and it turns out that this dangerous red food is rotten tomatoes. Yes: if you find a very rotten tomato and you have the guts to eat it, maybe you’ll be sick.

This is exactly what happened a few days ago when Sophos – a company that sells antivirus software for different platforms including the Mac – published a post about a new trojan wannabe that could do some horrible things to your computer. The article links to a similar post from a website called ithreats. A link to a free antivirus tool from Sophos is kindly provided.

The following day Slashdot writes:

An anonymous reader writes:
“A Remote Access Trojan (RAT) for Windows, known as darkComet, has been ported to Mac OS X. The new backdoor Trojan is not yet finished, but it could be indicative of more underground programmers attempting to take advantage of Apple’s growing market share.”

No link is provided, nor any other useful information (a link was added the following day). A few hours later it’s AppleInsider’s turn, with a post called “Security firm details new Trojan written for Apple’s Mac OS X”. AppleInsider adds some details and talks about security in general on the Mac, but still gives credit to this news.

Then we come to TUAW, with a more alarming “New trojan MusMinim-A written for Mac OS X”. After one more day CultOfMac writes its point of view in a slightly more balanced way in the post “Report: New Remote Trojan Targets Growing Number of Mac OS X Users”.

Well, in a few days four of my most trusted sources are talking about a “threat”. Let’s take a look at this threat:

  1. Someone (who? we don’t know) apparently sent some code (that we don’t have) to someone else. The code is not in the wild and it’s considered a “beta”.
  2. This code requires some user action (it is still not clear which) to install itself.
  3. Once installed, it allows remote access to your machine, as any remote access tool is supposed to do.
  4. Once a remote command is issued, this program does something (again, as any remote access tool is supposed to do): for example, it tells you that your machine is infected by a trojan or a virus (it calls itself both a trojan and a virus, which shows some confusion, all the more so because it’s neither of them).
  5. This software is apparently a port of a similar Windows remote access tool (a port from Windows?).
  6. Let me say that it has an ugly interface.

So, this is your threat: you have to download and install software that allows remote access to your machine. This is not a virus, this is not a trojan, this is just a remote access tool. I could write it myself, and you bet it would have a nicer GUI.

Let’s draw some conclusions:

  1. There are a few trojans and worms for the Mac out there, which are considered quite harmless.
  2. Despite that, if you decide to download pirated software from an unknown and untrusted source and install crappy stuff on your Mac, allowing it to take control of your machine when it asks, you should expect some danger sooner or later.
  3. On the Mac, the weak link is always the user: if you reply to an e-mail that offers ten nights of pure pleasure and give your credit card number, you’re not the victim of a virus, you’re the victim of your own stupidity. And you’re going to get exactly what you’re looking for: ten nights of pleasure (not for you: for whoever receives your money).
  4. If you want deeper control of your connections, install the wonderful LittleSnitch. And please buy it, don’t look for a crack. Please buy well-made shareware applications: it costs you a few bucks and you support independent developers, helping them to do great stuff and to keep prices low.

If you want some details about this story (because I didn’t provide specific information about this “not-a-trojan-nor-a-virus”, but there is plenty available if you’re curious), don’t read the posts I linked: read their comments, which are much more insightful (and funny).
