10/31/2007

Free Computer Advice

Filed under: — Moonglum @ 17:14

So it seems obvious at this point, but don’t open files if you don’t know where they came from.

I am excited that Leopard includes the ability for developers to sign their applications, but if you download it and run it on your own, well there is only so much they can do. One of the first trojans for Mac OS X has appeared, and it looks like some people are falling for it. Ironically the sites that are spreading it, for now, appear to be pr0n sites.

New free advice rule: If you are going to be an idiot and download and run random untrusted files, DON’T DO IT FROM A PORN SITE.

*ahem*

Having said all that, this one actually looks kind of clever. It attacks through your DNS client. (Which incidentally means that the people who ran these programs had to give it their administrator password as well.) The DNS system, in case you don’t know, is an important part of how the internet (small i, invented before Al Gore) works. You see, computers all have addresses, which are numbers. So those nice word addresses (e.g. lair.haggisnet.net) need to be translated to numbers for your computer to find them. A DNS server does that for you. Your computer has a DNS client which knows the number for a DNS server, normally run by your internet provider. Well, this trojan horse changes that number to one of its own choosing. So let’s say you type in www.mybank.com, it can give your computer whatever address it likes. For example, some computer that looks exactly like mybank.com and waits for your password, and then hands you off to the real site, while all your funds are busily transferred to pornomatic.aw. The real question of how bad this one will get is, a) how clever they get about having people download it and b) how clever they are with the DNS servers once they have you hooked into theirs. Stealing all your money is the obvious thing to do, but I’m sure cleverer people than me can come up with much worse.
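A check for the change described above, as an added example that is not part of the original post: it pulls the resolver addresses out of `scutil --dns` output (or a resolv.conf file) and flags any that fall outside the networks you expect. The sample output, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Matches "nameserver 192.0.2.53" (resolv.conf) and
# "  nameserver[0] : 192.0.2.53" (macOS `scutil --dns` output).
# Commented-out lines ("# nameserver ...") do not match.
NAMESERVER_RE = re.compile(
    r"^[ \t]*nameserver(?:\[\d+\])?(?:[ \t]*:[ \t]+|[ \t]+)(\S+)", re.MULTILINE
)

# Constructed sample: the resolver list after something rewrote it.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.66
  nameserver[1] : 192.0.2.53
  if_index : 4 (en0)
"""

# Assumption: the provider's resolvers live in this (documentation) range.
EXPECTED = ["192.0.2.0/24"]


def configured_resolvers(text):
    """Return the distinct resolver addresses found in text, in order."""
    found = []
    for raw in NAMESERVER_RE.findall(text):
        raw = raw.split("%", 1)[0]  # drop an IPv6 zone id such as %en0
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # value is not an IP address; skip the line
        if addr not in found:
            found.append(addr)
    return found


def unexpected_resolvers(text, expected_networks):
    """Return configured resolvers that are outside every expected network."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [a for a in configured_resolvers(text)
            if not any(a.version == n.version and a in n for n in nets)]


if __name__ == "__main__":
    for addr in unexpected_resolvers(SAMPLE_SCUTIL, EXPECTED):
        print("unexpected DNS server:", addr)
```
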

And the worst part of all? This affects the one security flaw that will never be fixed, the one that exists between the chair and the keyboard. (EBCAK for those following along at home.)

2 Responses to “Free Computer Advice”

  1. Mort says:

    EBCAK

    A co-worker used to say “there’s a nut loose on your keyboard…..”

  2. Moonglum says:

    Heh, I like that. Pretty subtle. :)
