It’s a relatively simple game: inject a fake installer across a bevy of websites, entice Web users to download and execute the installer on their systems, and prompt for unnecessary credentials during installation. That’s all the new Mac trojan, dubbed “Trojan.SMSSend.3666” by Russian antivirus company Doctor Web, needed to collect victims’ cell numbers in order to charge a subscription and recurring fee by sending premium text messages.
This is just one of several new attacks on the Mac OS, like those that have been commonplace on Windows machines for years. As I’ve mentioned before, with regard to Mac’s recent Flashback malware outbreak, which impacted more than 600,000 Mac computers earlier this year, with increased market share comes increased volumes of malicious attacks.
In the past, Mac’s security was defined through unpopularity – meaning it didn’t have large enough market share to justify any targeted efforts from attackers. In September, OS X (10.4 and above) surpassed Windows Vista in market share, climbing to 7.1 percent (Vista had 6.1 percent share). But as Apple’s desktop operating system grows in popularity, what it gains in adoption, it loses in security.
As Macs move more broadly into the workplace, the growing presence of OS X will draw greater interest from attackers. For now, it appears that this specific malicious installer is targeting Russian OS X users, but this program (like others used on U.S. Windows machines) was developed using the affiliate program ZipMonster – just one of several solutions on the Internet used to craft fake installers. So it’s almost a guarantee that this type of attack will find its way to U.S. Macs in the future.
The best way to prevent this type of fraudulent application from racking up charges on your personal or work devices is to recognize what it’s asking for and when. Installers such as Trojan.SMSSend.3666 ask for your cell number to complete installation, but installers typically do not need that type of credential to execute and install on your desktop. Only Web-based applications, like banking, cloud services, and email accounts, ask for cell numbers to activate two-step verification. But that request is prompted by the user and is usually not mandatory. Also, even if a site asks for such credentials, ensure that the URL is consistent with what you are used to (in order to prevent phishing attacks).
Of course, the best solution to prevent execution of these malicious installers is the use of application control. Establishing trust across all of the known good applications in your environment is the best way to alleviate the burden and stress of the potentially dangerous Web and the fraudulent and malicious apps it hosts.