UNSW Mac caught serving fake Microsoft patch

The School of Media, Film and Theatre at the University of NSW has admitted that one of its Mac servers has been compromised and used to host a potentially malicious file, which was disguised as a Microsoft security patch.

The central IT services organisation for the UNSW discovered an issue with one of its servers on Tuesday morning and alerted the department affected. The server was immediately taken offline, according to network engineer Tim Eden.

"I have basically just blocked the machine that was the target of that link. As to what is on the machine and how it got compromised, I do not have any idea at all," Eden told ZDNet Australia.

Sam Costello, system administrator and computer support for the School of Media, Film and Theatre, told ZDNet Australia that an engineer will be looking at the server to try to establish how and when it was compromised.

Costello said it was "weirder" because it was a Mac system running Apple's latest server operating system.

"That is one of my Mac servers," said Costello. "We haven't had a chance to look at it yet because it just came to our attention this morning. We are leaving it where it is for the comms guy to come and have a look at tomorrow."

Users were directed to the server because of a link contained in an e-mail that was spammed overnight.

One version of the spam seen by ZDNet Australia arrived with the subject line "Microsoft Windows TCP/IP Protocol Security Issue -- Patch Required", and the "from" address was spoofed to read "support@microsoft.com".

The body of the message claims that Microsoft has discovered a zero-day vulnerability and warns the recipient to follow the link and apply the patch within 24 hours in order to reduce the chances of being exploited.

The link contained in the e-mail appears to point to a file on Microsoft's Web site but actually links to the recently removed UNSW server, which is located in Sydney.
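The spam described above combines a spoofed "from" address with a link whose visible text names Microsoft's site while the underlying href points at an unrelated host, and the payload is an executable. As an added example that is not part of the original article, the Python below parses a constructed message modelled on that description and reports the mismatches a mail filter or analyst would flag. Everything in the sample message, including the hostname compromised-host.example, is a placeholder and not the real message or server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spam the article describes.
# The sender, hostnames and paths are placeholders, not the real ones.
SAMPLE_EMAIL = """\
From: Microsoft Support <support@microsoft.com>
To: user@example.org
Subject: Microsoft Windows TCP/IP Protocol Security Issue -- Patch Required
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Microsoft has discovered a zero-day vulnerability. Apply the patch within 24 hours.</p>
<p><a href="http://compromised-host.example/patch/update.exe">http://www.microsoft.com/downloads/update.exe</a></p>
</body></html>
"""

URL_RE = re.compile(r"https?://\S+")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude 'last two labels' comparison, sufficient for this illustration
    (a real filter would use the public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_phishing_indicators(raw_message):
    """Return human-readable findings for a raw RFC 822 message.

    The From header itself cannot be verified offline (it is trivially
    forged, as in the article), so the checks key on what the sender
    claims versus where the links actually lead."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = _body_text(msg)

    collector = _LinkCollector()
    collector.feed(body)
    # Plain-text mail has no anchors; fall back to bare URLs, text == href.
    links = collector.links or [(u, u) for u in URL_RE.findall(body)]

    findings = []
    for href, text in collector.links or links:
        href_host = _host(href)
        shown = URL_RE.search(text)
        if shown:
            shown_host = _host(shown.group(0))
            # Visible URL names one site, the href goes to another.
            if shown_host and shown_host != href_host:
                findings.append(f"link text shows {shown_host} but href goes to {href_host}")
        # Link leads outside the domain the sender claims to be from.
        if sender_domain and _registrable(href_host) != _registrable(sender_domain):
            findings.append(f"link host {href_host} is outside sender domain {sender_domain}")
        # "Patch" delivered as a bare executable download.
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append(f"link delivers an executable: {href}")
    return findings


if __name__ == "__main__":
    for finding in find_phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

On the constructed sample the function reports three findings: the displayed Microsoft URL versus the real host, a link outside the claimed sender's domain, and an executable download. A legitimate notice whose link text and href agree and stay within the sender's domain produces none.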


Talkback (6 comments)

    RE: UNSW Mac caught serving fake Microsoft patch Eric Lam -- 01/08/06 (in reply to #120139348)

    I am genuinely surprised at how easily the system admin was spoofed by the email. I thought he would have known that Microsoft never sends out direct emails for particular patches (at least ones which are in the subject line). As well, the subject line for genuine Microsoft security emails says 'Microsoft Security Advisory Notification'.

    Compromise not a Mac fault. Matthew Sullivan -- 02/08/06

    The compromise was not a fault of the Mac or OSX, but a fault of an application hosted on the server.

    As usual AusCERT was on the ball and notifying those who needed the information as soon as the alert was raised.

    Security on Mac Server Anonymous -- 16/10/06

    This is very interesting....considering if it was running OS X...it can only be a G5 server...well, I guess it would be a G4....and that code would have to be written in the proper way so a PowerPC chip could understand it....It's 10-16-06 and this is the first I have heard about this....Interesting....and just why would Microsoft be sending out something for Apple......only if Microsoft did some application that was being used....but I don't know of any....????...Interesting....

    "Virus" Alert ... or "Bad Reporting" Alert Josh -- 17/10/06 (in reply to #320070344)

    uh... From my understanding this is a Spam / Phishing email that pointed to a malicious .exe file on an OS X System. This simply means the administrator allowed someone to put a file on the server.......

    You can drop a virus .exe right now in my shared drop box on my OS X machine if you want.

    This is very very different from an Application being remotely loaded onto the OS X Server without the specific ports being opened prior by a Server administrator and without proper security.

    Furthermore, this is a lot different from malware or a virus running as an application on the OS X Server that wasn't specifically loaded by someone administering the computer.

    So I think there is some follow up needed on this matter in regards to the fact checking.

    Cheers

    So? Anonymous -- 17/10/06

    I've witnessed UU technicians in the old days hunt down default Unix web server installations and root out hidden caches of malware put there. If RMS can destroy all passwords on accredited systems it's certainly possible for idiots 'thinking' they're so bloody secure with a 'Mac' to get rooted or worse. But as long as OS X retains a semblance of Unix - which it just about does - it's going to be better than anything M$ can come out with, and any security engineer knows that already.
