Wednesday, November 07, 2007

Mac OS X Trojan Horse - Wolf in Sheep's Clothing?

Recently, a Mac OS X Trojan Horse was spotted in the wild. Pretty much everyone reported on it. But the best analysis I've seen is at SecuriTeam.

This is not a new type of attack. There is no new vulnerability exploited. This is not a novel attack, such as a driver exploit. This does not use some new social engineering technique or distribution method. This is not the first instance of organized crime (presumably) attempting to make money from exploiting systems. So why is everybody making a big deal about the new malware? People are making a big deal about this one because of what it is not: a Microsoft attack.

This new Trojan Horse is the first one to take an established commercial malware framework to the Apple platform. For years, these fake codecs have troubled the Windows platform, making untold amounts of money for their creators. They hijack the user's Internet experience and target people inexperienced with computers. But until now, the relatively simple task of adapting these programs for the decade-old operating system has been left undone. I believe that there are two reasons for this shift.

The number of people using Apple computers (and therefore OS X) has exploded over the last year and a half. I am currently sitting at a coffee shop and an informal survey shows that there are 12 Macs and only 6 PCs (including, unfortunately, mine). While this is an atypical distribution of hardware, it underscores the point. I know that most of these have been purchased within the last year and a half because they are almost all running on the Intel platform.

As the proportion of Mac users increases, the community is bound to decrease in computer experience. For the last few years, Apple has had a loyal core of customers who are technologically savvy and educated about proper use and maintenance of their machines. However, the recent adopters are typically more casual computer users. This observation is based on anecdotal evidence, but it seems that most other observers have drawn the same conclusion.

These two trends, increased install base and decreased expertise, will continue upward as computer activities become increasingly platform independent. As more and more services are moved to a Web-based format, the importance of a single operating system will diminish. However, malware will continue to exploit the underlying system resources because this is a viable source of income.

Criminal organizations' involvement in computer-based crime has drastically risen in prevalence and sophistication over the last few years, and there is no reason to believe that this will change. Just like any other money-making organization, these enterprises wish to maximize their revenue streams by exploiting new markets. In order to grow, new resources must be acquired. It appears that Apple computers have been firmly identified as a new resource for criminals.

And like any other emerging market, what is pioneered by one group will quickly be followed by other players. In other words, other criminal organizations will follow suit and develop their software for the OS X operating system to compete with this group's product offering. Eventually, this market segment will become more mature, with a high percentage of organized criminals developing for both Windows and OS X platforms the way that other software makers do. What used to be a hobbyist market will be filled by mature product offerings.

If there is nothing new about a piece of malware, it should not be a big deal. But this one is a big deal that many people will only recognize too late. This Trojan Horse is something new precisely because it's just business as usual.

Sunday, November 04, 2007

Long Time, No Post

It's been quite a while since I posted last. Sorry, I've been busy. But I do keep my "Interesting Articles" section updated. That is over on the right side of your screen (assuming you're looking at my blog and not the RSS feed). That list is all of the articles that I have read in Google Reader and chosen to "share" via the button at the bottom of each story. I wish that there was a way that you could click to get all of the links, not just the last five or so. I'm sure that there is; I just don't know how to do it, so if anybody does, drop me a line.

For the record, I am working on some other public stuff, but I'm going to keep that under wraps for now. Nothing groundbreaking or significant, just adding to the general InfoSec fluff out there. If I had as much time as I do ideas, I'd live forever. Hopefully I can get better at figuring out which ones are worth pursuing so I don't spend my time starting things that I don't end up finishing.