About those gangs of Russian hackers targeting Macs by Philip Elmer-DeWitt @FortuneMagazine September 27, 2009, 1:35 PM EDT E-mail Tweet Facebook Google Plus Linkedin Share icons MacCodec.com. Source: SophosLabs “Hey Dimwitt here’s a pcworld article about russian hackers targeting Macs. http://tiny.cc/dL4Yi.” I assume that message, sent via Twitter by “chalupatime” Saturday afternoon, was directed at me because I wrote something a few weeks ago called “Why are there no Mac viruses?” My tortilla-loving friend is correct. There is indeed an article by Gregg Keizer in PC World (as well as in Computerworld) about Apple AAPL computers being targeted for malware. Keizer’s source is Graham Cluley, who quotes Paul Ducklin, who in turn offers a pointer to the source of all this chatter: a presentation at last week’s Virus Bulletin conference in Geneva by Dmitry Samosseiko, a Russian-born researcher for Sophos, the U.K.-based security software vendor. Samosseiko’s paper, “ The Partnerka — what is it, and why should you care? ,” is available for free as a pdf. It’s a fascinating behind-the-scenes look at the hundreds of well-organized affiliate networks — known in Russian as “partnerkas” — that traffic, in Samosseiko’s words, in “fake watches, fake anti-virus software, fake pills and fake love” for commissions that generate thousands of dollars a day for “webmasters” all around the world. The six-page paper contains exactly one paragraph about the Mac: “Mac users are not immune to the scareware threat. In fact, there are ‘codec-partnerka’ dedicated to the sale and promotion of fake Mac software. One of the recent examples is Mac-codec.com. At the time of writing this article, the site is no longer available, but just a few months ago it was offering $0.43 for each install and offered various promo materials in the form of MacOS ‘video players’.” Although there’s nothing in that paragraph about targeting Macs for malware, that’s the idea. Samosseiko’s paper describes a new kind of Web- and social network-based spam he calls Spam 2.0. Using so-called DNS Changer trojans and other programs designed to exploit loopholes in various Web-traffic-directing and search-engine-optimization systems, the partnerkas flood the Internet with come-ons for the Web equivalent of fake gold watches. In the case of Mac-codec.com, what they were selling was software that promised to help Mac owners run videos created using Microsoft MSFT Windows-based protocols. Although Cluley and Keizer singled out the Mac paragraph as the most newsworthy thing in Samosseiko’s paper, neither bothered to ask the author how many Mac partnerkas he’d come across. Dan Goodin, writing for The Register, did. “It’s very infrequent,” Samosseiko told Goodin. “We discover new ones extremely rarely compared to Windows platforms.” Samosseiko also pointed out in that interview that the $0.43 bounty Mac-codec was offering is slightly lower than the $0.50 to $0.55 typically paid for Windows hits. And although the site was operating in January and February, it disappeared soon after. “I suspect that it wasn’t as profitable to target the Mac platform at that point,” he told Goodin. “[It] probably closed because it wasn’t commercially viable for them to conduct business.” As we wrote a few weeks ago, Apple’s computers are not immune to malware. But the threat to Mac OS X pales in comparison to that faced by various Windows platforms. By the way, Samosseiko’s paper provides a handy list of the products that generate the most traffic for the partnerkas. The biggest draws: Online pharmacies selling generic versions of popular drugs. Networks promoting ‘scareware’, a.k.a. ‘rogue anti-virus’ products. Counterfeit luxury products such as fake Rolex watches. Casinos. Adult sites. Dating services. Affiliate traffic generated via IFRAME insertions. Note No. 2 on that list: “Scareware” — fake anti-virus software offering to protect computer users from threats that might exist only in the victims’ mind. Thanks, chalupatime, for the warning.