DukeRaoul Posted December 10, 2008 Share Posted December 10, 2008 Well, I was surfing the web all innocently a couple days ago, and went to download something on some site somewhere.... and instead of the file I requested, which should have been a media file approximately 3-4 MB in size, I get a Mac disk image file about 22KB in size! I immediately thought "{censored}, a virus." And I din't run the {censored} obviously. It's a file called "track.mp3.7005.dmg" Tonite I got brave and mounted the DMG, and found an installer package inside. I opened the package contents, looked at the Info.plist file, and found this: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleGetInfoString</key> <string>who cares</string> <key>CFBundleIdentifier</key> <string>MacAccess</string> <key>CFBundleShortVersionString</key> <string>5.0</string> <key>IFMajorVersion</key> <integer>0</integer> <key>IFMinorVersion</key> <integer>1</integer> <key>IFPkgFlagAllowBackRev</key> <false/> <key>IFPkgFlagAuthorizationAction</key> <string>RootAuthorization</string> <key>IFPkgFlagBackgroundAlignment</key> <string>topleft</string> <key>IFPkgFlagBackgroundScaling</key> <string>none</string> <key>IFPkgFlagDefaultLocation</key> <string>/Library/Internet Plug-Ins/</string> <key>IFPkgFlagFollowLinks</key> <true/> <key>IFPkgFlagInstallFat</key> <false/> <key>IFPkgFlagInstalledSize</key> <integer>376</integer> <key>IFPkgFlagIsRequired</key> <false/> <key>IFPkgFlagOverwritePermissions</key> <false/> <key>IFPkgFlagRelocatable</key> <false/> <key>IFPkgFlagRestartAction</key> <string>NoRestart</string> <key>IFPkgFlagRootVolumeOnly</key> <false/> <key>IFPkgFlagUpdateInstalledLanguages</key> <false/> <key>IFPkgFormatVersion</key> <real>0.10000000149011612</real> </dict> </plist> Notice the lines with strings like "MacAccess" and "RootAuthorization" ??? Yeah. I don't think I'll be installing it. [edit] It appears to be this: http://www.f-secure.com/v-descs/trojan-dow..._jahlev_a.shtml This is why you should have "Open safe files after downloading" unchecked in Safari. Note that this is not the previously described variant masquerading as a video codec. This was found with a simple Google search for a type of media file. Link to comment https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/ Share on other sites More sharing options...
A Nonny Moose Posted December 11, 2008 Share Posted December 11, 2008 This is why ClamXAV should be scanning your download folder... Link to comment https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/#findComment-994793 Share on other sites More sharing options...
JestaGeek Posted December 11, 2008 Share Posted December 11, 2008 That's interesting... and they probably could've tricked you into installing had they simply included some other hidden, even innocuous, files within the installer. Have you checked to see whether ClamxAV recognizes the file? Link to comment https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/#findComment-994803 Share on other sites More sharing options...
DukeRaoul Posted December 11, 2008 Author Share Posted December 11, 2008 That's interesting... and they probably could've tricked you into installing had they simply included some other hidden, even innocuous, files within the installer. Have you checked to see whether ClamxAV recognizes the file? Nope, too late. Already deleted it. But it wasn't a very clever trick, as I found it where an MP3 should have been. You don't have to install MP3's, so you really wouldn't be in danger of getting it unless it was pretending to be some 22KB application you wanted to install. Link to comment https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/#findComment-994813 Share on other sites More sharing options...
MacNutty Posted December 11, 2008 Share Posted December 11, 2008 Is iAntivirus good? Link to comment https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/#findComment-994867 Share on other sites More sharing options...
InorganicMatter Posted December 11, 2008 Share Posted December 11, 2008 An exploit requiring admin privileges is NOT an exploit! http://blog.getpaint.net/2008/11/15/an-exp...not-an-exploit/ Link to comment https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/#findComment-995357 Share on other sites More sharing options...
bofors Posted December 16, 2008 Share Posted December 16, 2008 Malware An exploit requiring admin privileges is NOT an exploit! Kids these days.... Well, I was surfing the web all innocently a couple days ago, and went to download something on some site somewhere.... ... [edit] It appears to be this: http://www.f-secure.com/v-descs/trojan-dow..._jahlev_a.shtml This is why you should have "Open safe files after downloading" unchecked in Safari. Note that this is not the previously described variant masquerading as a video codec. This was found with a simple Google search for a type of media file. This is very similar to an experience I had last Spring: http://forum.insanelymac.com/index.php?showtopic=98643 Link to comment https://www.insanelymac.com/forum/topic/140291-found-a-mac-trojan-by-accident/#findComment-1001011 Share on other sites More sharing options...
Recommended Posts