New Mac Malware / Trojan in the Wild (OSX.Lamzev.A)

Computer security companies Intego and Trend Micro have issued a warning following reports that a new Mac “malware” or “Trojan horse” was on the loose. The malware, named “OSX.Lamzev.A,” actually requires the launch of an installer and giving it permission to install the payload.

“Reports have been circulating about a new Mac 'malware' or 'Trojan horse,' usually under the name 'OSX.Lamzev.A,' which is claimed to open a back door on compromised Mac OS X computers,” goes Intego's Security Memo.

Although it is claimed to open a back door on compromised Mac OS X computers, Mac users are still on the safe side, if they just avoid installing applications from untrusted sources, or visit unreliable websites. Basically, the malicious code is added to an unsigned third-party application that is installed manually on a Mac, and, when the application is run, the backdoor is activated. Should the user not install the app, the Mac and its owner will be safe.

There are only two modes of transmission of this hacker tool, one of which implies that someone sends another user an infected application. The second way of doing this is when a hacker obtains network access to a Mac and replaces an existing application with an infected version, according to the security firm.

“Intego discovered this hacker tool in August 2008, and determined that it was not a serious threat,” the company reveals. “Unlike true malware and Trojan horses, OSX.TrojanKit.Malez requires that a hacker already have access to a Mac in order to install the code. As of the present, no Trojan horses or other means of replication have been found in the wild using this tool.”

Intego itself admits that, “in spite of recent reports, this represents no serious threat to Macintosh computers.” Nevertheless, the company advises Mac owners to use its VirusBarrier X5 for protection against this exploit.

For its part, Trend Micro notes that the backdoor may be installed manually by a user, and that it may be downloaded unknowingly when visiting malicious Web sites. “It prompts the user to select an application and port number above 1024. This may serve as a backdoor whenever the application is opened,” the company says.