Jump to content
7 posts in this topic

Recommended Posts

Well, I was surfing the web all innocently a couple days ago, and went to download something on some site somewhere....

and instead of the file I requested, which should have been a media file approximately 3-4 MB in size, I get a Mac disk image file about 22KB in size!

I immediately thought "{censored}, a virus." And I din't run the {censored} obviously.

It's a file called "track.mp3.7005.dmg"

Tonite I got brave and mounted the DMG, and found an installer package inside. I opened the package contents, looked at the Info.plist file, and found this:

 

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>CFBundleGetInfoString</key>

<string>who cares</string>

<key>CFBundleIdentifier</key>

<string>MacAccess</string>

<key>CFBundleShortVersionString</key>

<string>5.0</string>

<key>IFMajorVersion</key>

<integer>0</integer>

<key>IFMinorVersion</key>

<integer>1</integer>

<key>IFPkgFlagAllowBackRev</key>

<false/>

<key>IFPkgFlagAuthorizationAction</key>

<string>RootAuthorization</string>

<key>IFPkgFlagBackgroundAlignment</key>

<string>topleft</string>

<key>IFPkgFlagBackgroundScaling</key>

<string>none</string>

<key>IFPkgFlagDefaultLocation</key>

<string>/Library/Internet Plug-Ins/</string>

<key>IFPkgFlagFollowLinks</key>

<true/>

<key>IFPkgFlagInstallFat</key>

<false/>

<key>IFPkgFlagInstalledSize</key>

<integer>376</integer>

<key>IFPkgFlagIsRequired</key>

<false/>

<key>IFPkgFlagOverwritePermissions</key>

<false/>

<key>IFPkgFlagRelocatable</key>

<false/>

<key>IFPkgFlagRestartAction</key>

<string>NoRestart</string>

<key>IFPkgFlagRootVolumeOnly</key>

<false/>

<key>IFPkgFlagUpdateInstalledLanguages</key>

<false/>

<key>IFPkgFormatVersion</key>

<real>0.10000000149011612</real>

</dict>

</plist>

 

 

Notice the lines with strings like "MacAccess" and "RootAuthorization" ???

Yeah. I don't think I'll be installing it.

 

[edit] It appears to be this:

http://www.f-secure.com/v-descs/trojan-dow..._jahlev_a.shtml

 

This is why you should have "Open safe files after downloading" unchecked in Safari.

Note that this is not the previously described variant masquerading as a video codec. This was found with a simple Google search for a type of media file.

Link to comment
https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/
Share on other sites

That's interesting... and they probably could've tricked you into installing had they simply included some other hidden, even innocuous, files within the installer.

 

Have you checked to see whether ClamxAV recognizes the file?

 

Nope, too late. Already deleted it.

But it wasn't a very clever trick, as I found it where an MP3 should have been. You don't have to install MP3's, so you really wouldn't be in danger of getting it unless it was pretending to be some 22KB application you wanted to install.

Malware An exploit requiring admin privileges is NOT an exploit!

 

Kids these days.... :rolleyes:

 

Well, I was surfing the web all innocently a couple days ago, and went to download something on some site somewhere....

...

[edit] It appears to be this:

http://www.f-secure.com/v-descs/trojan-dow..._jahlev_a.shtml

 

This is why you should have "Open safe files after downloading" unchecked in Safari.

Note that this is not the previously described variant masquerading as a video codec. This was found with a simple Google search for a type of media file.

 

This is very similar to an experience I had last Spring:

http://forum.insanelymac.com/index.php?showtopic=98643

×
×
  • Create New...