Mac Malware Spies On Email, Survives Reboots

29 points by narad almost 13 years ago

3 comments

lloeki almost 13 years ago

After the catchy headline, the article (unsurprisingly) babbles on obvious platitudes, is inaccurate and skips the interesting bits entirely, focusing on the osx-has-dangerous-malware wow factor. I wish we could get over the OS wars and assess the threats and possible security flaws objectively.

> While not widespread, the malware's ability to intercept email and IM, among other features, demonstrates that malicious applications written to target Macs can be just as powerful as malware that comes gunning for PCs.

Surprise surprise. A non-sandboxed process can access user files in ~/Library/Application Support/Mail. Shocker.

> The rootkit also ensures that the malware can run automatically, without requiring administrator-level authentication

A non-sandboxed process can survive a reboot by writing a plist in ~/Library/LaunchAgents. Wowz. Calling it a rootkit when it does not seem to gain privileges is a bit of a stretch.

> took the unusual step of altering OS X

Updating an OS is now 'altering', providing a security update is now 'unusual'.

> to disable outdated versions

It does not disable outdated versions, it disables *all* versions and forces the user to manually opt-in to run applets.

> of Java

Of the Java *browser plugin*.

Now here are the interesting bits that I wish were elaborated on:

> hides its malicious files and processes in the OS X system library

/System/Library is writable by root only. Does it gain privileges or not? I suppose the trojan installer asks for permissions.

> allegedly been signed by VeriSign

What hides behind this? A forged certificate? Or simply the app being signed by a legitimate certificate issued by VeriSign? Does it pass Mountain Lion's Gatekeeper?

> Notably, the code contains hooks into the Apple OS X operating system that allow it to...

All of this is obvious. Non-sandboxed processes can do whatever they want in the user's playground. What's interesting is indeed that this forms some framework to leverage upon.

More importantly, the article completely sidesteps the core part: how is the payload delivered? Being "disguised as an Adobe Flash Player installer" is a bit lacking in explanation.
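As an added example (not from the thread or the article), a small audit of the persistence mechanism lloeki points at: it parses launchd job plists of the kind dropped into ~/Library/LaunchAgents and reports the fields a defender checks first (auto-start, respawn, where the program lives, hidden path components). The trusted-root list and the sample plist are constructed assumptions, not indicators from the real malware.

```python
import plistlib
from pathlib import Path
# Install roots a legitimate LaunchAgent normally points into (assumption)
TRUSTED_ROOTS = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")

def parse_launch_job(data: bytes) -> dict:
    """Pull the persistence-relevant keys out of a launchd job plist."""
    job = plistlib.loads(data)  # handles both XML and binary plists
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    return {
        "label": job.get("Label", ""),
        "program": program,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
    }

def flag_job(info: dict) -> list:
    """Return the reasons a reviewer should look at this job more closely."""
    reasons = []
    p = info["program"]
    if info["run_at_load"]:
        reasons.append("runs at login")
    if info["keep_alive"]:
        reasons.append("respawns if killed")
    if p and not p.startswith(TRUSTED_ROOTS):
        reasons.append("program outside standard application paths")
    if any(part.startswith(".") for part in Path(p).parts):
        reasons.append("hidden path component")
    return reasons

def scan_dir(directory: Path) -> dict:
    """Map every *.plist in a LaunchAgents directory to its review reasons."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            results[path.name] = flag_job(parse_launch_job(path.read_bytes()))
        except Exception as exc:  # malformed plist: still worth a look
            results[path.name] = ["unparseable: %s" % exc]
    return results

# Constructed sample, not a real indicator: a user-level job that auto-starts,
# respawns, and runs a hidden binary from inside the home directory
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key>
<array><string>/Users/alice/Library/Application Support/.cache/agent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
```

Point scan_dir() at ~/Library/LaunchAgents (and at /Library/LaunchAgents and /Library/LaunchDaemons, which are readable without extra privileges) to review a live machine.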
js2 almost 13 years ago

The original article is tripe. Here's the beef - http://www.securelist.com/en/blog/719/New_malware_for_Mac_Backdoor_OSX_Morcut
Zirro almost 13 years ago

What I'm interested in is how the default setting for Gatekeeper in Mountain Lion affects this. Assuming it hasn't been signed (which would allow a quick revoke by Apple), Gatekeeper should keep it out of the system, yes?