Slashdot Mirror


MacScan Detects Spyware

limpymac writes "MacScan public beta was announced to the public short minutes ago. MacScan will detect, isolate and remove spyware on the Macintosh. Currently it will detect trojan horses and keystroke loggers without a hitch. The application is for Mac OS and Mac OS X and is created by the folks at SecureMac.com. I found a keystroke recorder on my Macintosh I installed a year ago and forgot to remove; hah, I have a year's worth of logs!"

43 comments

  1. Actually it was more than a few minutes ago. by BoomerSooner · · Score: 3, Insightful

    MacScan Spyware Detection
    posted by AcaBen on Friday December 13, @07:40AM
    from the undoubtedly-more-coming-for-x dept.

    On MacSlash

    1. Re:Actually it was more than a few minutes ago. by Anonymous Coward · · Score: 0

      Not to be trivial, but the user could have submitted the story in the morning and the /. editors took 'til now to post it.

  2. Ummm....spyware & Macintosh.... by Nipsy356 · · Score: 5, Funny

    Spyware...that's a Wintel thing isn't it?

    1. Re:Ummm....spyware & Macintosh.... by Toy+G · · Score: 1

      If OSX really is the "killer app" everyone thinks it is, and the Mac userbase is going to grow, we'll see more and more shitty software ported to it... will hardcore Apple users be happy about this? :)

      --
      -- Let's go Viridian.
    2. Re:Ummm....spyware & Macintosh.... by azav · · Score: 1

      No. No we won't.

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
  3. In other news... by psyconaut · · Score: 5, Funny

    Both CERT and SANS are warning of a new spyware package for MacOS [X] that masquerades as a spyware scanner! ;-)

    -psy

    1. Re:In other news... by Anonymous Coward · · Score: 2, Informative

      MacScan is legit, was released by SecureMac.com, Inc.

    2. Re:In other news... by JasonNolan · · Score: 1

      Thanks for the heads up on the CERT and SANS, but it would have been even nicer if you'd included a URL. ...off to hunk the snark.

      --
      https://www.tandfonline.com/doi/full/10.1080/1369118X.2013.808365
    3. Re:In other news... by psyconaut · · Score: 2

      I guess humour is lost on you :-p

      -psy

    4. Re:In other news... by JasonNolan · · Score: 1

      When it comes to referencing CERT stuff, and computer security, yep. No sense of humour there.

      --
      https://www.tandfonline.com/doi/full/10.1080/1369118X.2013.808365
  4. Now all we need by mithras+the+prophet · · Score: 5, Funny

    is for someone to hurry up and port some spyware to the Mac, so this product will have something useful to do.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
    1. Re:Now all we need by alfaiomega · · Score: 5, Interesting

      Now all we need is for someone to hurry up and port some spyware to the Mac, so this product will have something useful to do.

      It is not so funny as it may sound. This is exactly the attitude I had when I installed the Debian stable release a few years ago and never bothered checking security updates. I laughed at my Windows-using friends every time there was a new worm or virus, telling them that it's not fair that GNU/Linux is not supported by all of this malware, until someone exploited my old bind buffer overflow and installed a kernel level rootkit.

      Remember that Darwin, the base of Mac OS X, is based on FreeBSD. chkrootkit, a tool to locally check for signs of a rootkit, is constantly tested on FreeBSD 2.2.x, 3.x and 4.x, not without a reason.

      Read the paper Attacking FreeBSD with Kernel Modules: The System Call Approach, written by pragmatic/THC in June 1999, to get some idea of how well those issues were understood three and a half years ago. This is only one paper, the first thing about FreeBSD rootkits I just found.

      So, of course it's funny what you said, and of course your Mac is indeed much more secure than an average Wintel box out there, but it doesn't mean there's no spyware. Your Mac is not a toy, it's a powerful Unix box under the hood, which may mean that it's harder to exploit than a Windows box, but it also means that when it's exploited, it's probably easier to write and install spyware there (like a simple kernel module which would intercept the read syscall, for example). Never forget about that.

      --

      root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!

  5. May I suggest... by Hubert_Shrump · · Score: 5, Funny

    I found a keystroke recorder on my Macintosh I installed a year ago and forgot to remove; hah, I have a year's worth of logs!

    They may not actually be as interesting / immersive as the year of typing itself.

    --
    Keep your packets off my GNU/Girlfriend!
  6. Is it just me... by Triv · · Score: 5, Informative

    ...or is apple.slashdot.org mirroring macslash more and more recently? The interesting thing is that macslash usually beats slashdot to it, but the interesting discussions happen here. :)

    Triv

    1. Re:Is it just me... by Anonymous Coward · · Score: 0

      Macslash is GAY!!! They don't believe in free speech!

      www.macrumors.com is better, they don't delete posts like Macslash does!

    2. Re:Is it just me... by Anonymous Coward · · Score: 0

      Macslash just posted another story about the ebay scammer, Michael Christmas. Let's dupe it again here too....

      Aren't Mac/ and /. affiliated?

    3. Re:Is it just me... by Anonymous Coward · · Score: 0

      Macslash is such a piece of shit....

      They definitely censor everything...you post something controversial and you are modded down to a troll.

      I saw one fat ass at the Clarendon store wearing a Macslash shirt. Reminded me of that creepy fat kid from "Better Off Dead." The one who lived across the street from John Cusack's character.

  7. The Spy Who Loved Me by BibelBiber · · Score: 3, Funny

    Be nice to your friends and let them spy on you :-) Doesn't that make you feel special? Nobody would spy on ordinary people....

    1. Re:The Spy Who Loved Me by h0tblack · · Score: 4, Funny

      Nah, people setup blogs for that sorta self-gratification ;)
      (or should that read self-delusion)

  8. hey I know that name by wilton · · Score: 2, Interesting

    My company is called MacScan Ltd. Although it is nowt to do with this product, scanning or macs.
    It comes from Macdonald and Scanlon.

    --
    per mere, per terras
    1. Re:hey I know that name by Anonymous Coward · · Score: 0

      You should hire that bird to pose for your website though, it's well boring...

  9. PC World desperately needs this by mnmn · · Score: 1

    The wintel world (win9x) needs something that can get Gator and friends out the door. I've had Gator, Netdotdomains, and a horde of other spyware install itself, take the free system resources from 95% to 65%, and not get out. Antivirus software just cannot detect it.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:PC World desperately needs this by GeorgeH · · Score: 5, Informative

      The wintel world has something that can get Gator and friends out the door - AdAware from Lavasoft.

      --
      Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
    2. Re:PC World desperately needs this by kawika · · Score: 5, Informative

      Antivirus software just cannot detect it.
      That's because you gave permission to install it via some sneaky click-wrap license. You know, those ones you never read? AV companies have the technology, but they would probably get their pants sued off if they called another company's product malicious when it was merely annoying or nosy--and when the user supposedly consented to it being there.

      The wintel world (win9x) needs something that can get Gator and friends out the door.
      There are plenty of them already, like Pest Patrol, Spybot S&D, and Ad Aware.

      There's a lot of good information on spyware at Doxdesk and Spyware Info.

  10. Blast from the past by MalleusEBHC · · Score: 5, Interesting

    I nearly shit myself when I saw that these guys were releasing a FAT binary. Hell, I haven't seen one of those in ages. I feel a sudden urge of nostalgia to find a computer running System 7.

    1. Re:Blast from the past by spheroid · · Score: 1

      Actually, you'll need to find a 68k-based Mac. A FAT binary application contains both code optimised for 680x0 processors (Performa/LC/Quadra/etc) and PowerPC chips. System 7 runs on both PowerPC and 68k Macs.

    2. Re:Blast from the past by threephaseboy · · Score: 2, Informative

      System /7/, as in 7.0.0, will only run on 68k. You need (IIRC, it's been a while) 7.1.2P or higher for PPC. You're still right about fat binaries for 68k/PPC.

      --
      .
    3. Re:Blast from the past by Anonymous Coward · · Score: 0

      Almost. You need 7.1.2 to run on the 601 NuBus 6100/7100/8100 machines.

      The P suffix was used with the OS installed on the Performa lines from 7.0.1P on the first Performas (200, 400, etc) to later PPC machines like the Performa 611x series.

  11. REALbasic & Security Experts by Anonymous Coward · · Score: 0, Insightful

    What kind of security "experts" code with REALbasic? I'm not touching this app with a ten foot pole.

    1. Re:REALbasic & Security Experts by andrewski · · Score: 1

      Seriously, REALbasic is kludgy as all hell. I would bet that this program really IS spyware.

  12. Looks interesting ... by Daniel+Dvorkin · · Score: 4, Funny

    ... now can I get the girl on the front page to come to my house and scan me while the software is scanning my computer?

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    1. Re:Looks interesting ... by sco08y · · Score: 1, Funny

      Hmm... try this: when you chat her up, don't say one fucking word about your computer. In fact, sell it for a down payment on a car.

      Just a thought.

  13. Re:The scientician by Loco3KGT · · Score: 0, Troll

    holy shit you weren't kidding. i choked on my popcorn when i saw that.

    She can secure me whenever she wants to! haw haw

    --
    Blessed be he who reads this post, Cursed be he who tells my boss.
  14. you trojaned your own computer? by Anonymous Coward · · Score: 3, Funny

    you truly are a hacker!

  15. The last thing she ever heard by jcsehak · · Score: 4, Funny

    "NO!!! Don't mix the red and gree- *KABOOM!!!*"

    "George, I told you to put that stuff away. What's that, the third model we've killed? Well, see if we at least snapped the photo in time."

    --

    c-hack.com |
  16. In Soviet Russia by Anonymous Coward · · Score: 0

    Mac/ = Much GHEY ness!

  17. Crashes by wazzzup · · Score: 5, Informative

    If I set it to scan everything from the root directory on down, it crashes without fail. Pretty beta so far.

    1. Re:Crashes by pressman · · Score: 2

      hear hear

      I wouldn't even call it beta. More like pre-alpha

      --
      Pooty tweet
  18. about chkroot by Anonymous Coward · · Score: 0

    Just dloaded the latest version and compiled it, and it seems that my /usr/bin/passwd is infected (Checking `passwd'... INFECTED).
    Has anyone tried it with the latest (official) version of OSX? Could it be Apple's updates that are not taken into account by chkroot?

    thanks ;-)
    (PS I'm no coward, but I waited 15 minutes for my password to come by my mail, and I couldn't wait any longer to post ^_^)

    1. Re:about chkroot by alfaiomega · · Score: 1

      Just dloaded the latest version and compiled it, and it seems that my /usr/bin/passwd is infected (Checking `passwd'... INFECTED). Has anyone tried it with the latest (official) version of OSX? Could it be Apple's updates that are not taken into account by chkroot?

      I don't have access to any OSX system, however, according to the FAQ: 'chkrootkit looks for known "signatures" in trojaned system binaries. For example, some trojaned versions of ps have "/dev/ptyp" inside them.'

      Try running "chkrootkit -x passwd" to run only the passwd test in expert mode. It will show any text strings inside your /usr/bin/passwd binary. (It may be a lot of text, so you'll probably need to run "chkrootkit -x passwd | less" or "chkrootkit -x passwd | more" or "chkrootkit -x passwd > some_file.txt".) "chkrootkit -x passwd | grep ^/" will show you the files which are hardcoded into your passwd binary; this is what I got on my Debian GNU/Linux box:
      /lib/ld-linux.so.2
      /usr/share/locale
      /var/run/nscd.pid
      /etc/passwd
      /etc/shadow
      (grep / instead of ^/ will show every line including a slash, not only those beginning with a slash; it may show more files, but it'll also show other text besides file paths.)

      If you see something suspicious there then---OK, forget about it. I see lots of suspicious strings inside my own passwd binary, like "adlqr:uSekn:x:i:w:" which could be a backdoor password or something. Besides, I have to tell you that I (and I'm not experienced in something like that) could manually trojan your /usr/bin/passwd in a way which wouldn't be detected by chkrootkit (until they add my trojan binary, which is unlikely if I do it manually, every time in a different way), and it wouldn't show anything suspicious when looking for strings in the binary.

      So just check if your /usr/bin/passwd is the same as some version you know is original (like on the CD, or on a freshly installed system, etc.). The best you can do is probably check the md5 hash (run "md5sum /usr/bin/passwd" or "md5 /usr/bin/passwd" -- I don't know what the command is on MacOS X) and compare it with the md5 hash of a /usr/bin/passwd you know is clean. But in the situation I described my /usr/bin/passwd was changed, but so was my /usr/bin/md5sum! So I couldn't trust anything. You have to boot from read-only media (like a CD-ROM or a floppy which has been write-protected after it has been prepared using a clean system) and check your hard drive using only software on the CD. This is the only way you'll know that at least your md5sum or ls don't lie to you (because when you find out that your passwd, md5sum, ls, ps, who, netstat and everything important has been changed by someone, it's not a nice feeling, trust me).

      --

      root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!
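
A worked illustration of the two checks alfaiomega describes above (pulling the embedded path strings out of a binary the way "chkrootkit -x passwd | grep ^/" does, and comparing a file's digest against a manifest recorded on a known-clean system), as an added example that is not part of the original post or of chkrootkit. The sample binary bytes, the manifest layout and the function names are constructed for this demo.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a /usr/bin/passwd binary (assumption: a few
# embedded strings sandwiched between non-printable bytes).
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"/lib/ld-linux.so.2\x00\x01\x02"
                 + b"/etc/passwd\x00/etc/shadow\x00adlqr:uSekn:x:i:w:\x00usage: passwd [options]\x00")

def embedded_paths(data, min_len=4):
    """Like `chkrootkit -x passwd | grep ^/`: printable runs that start with '/'."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs if r.startswith(b"/")]

def digest_file(path, algo="md5"):
    """Hash a file in chunks; algo='md5' follows the post, sha256 is what you'd use now."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_against_manifest(manifest, root, algo="md5"):
    """manifest: relative path -> digest recorded on a known-clean system.
    Only trustworthy when interpreter and script themselves come from read-only media."""
    results = {}
    for rel, good in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            results[rel] = "MISSING"
        else:
            results[rel] = "ok" if digest_file(path, algo) == good else "MODIFIED"
    return results

def demo():
    """Record a digest on a 'clean' tree, then detect a single flipped byte."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "usr", "bin", "passwd")
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as f:
        f.write(SAMPLE_BINARY)
    manifest = {"usr/bin/passwd": digest_file(target)}
    before = verify_against_manifest(manifest, root)["usr/bin/passwd"]
    with open(target, "r+b") as f:      # simulate tampering: change one byte
        f.seek(len(SAMPLE_BINARY) - 1)
        f.write(b"!")
    after = verify_against_manifest(manifest, root)["usr/bin/passwd"]
    return before, after
```

String extraction only catches trojans that leave recognisable text behind; the digest comparison catches any byte change, but, as the post says, only if the tools doing the comparison are themselves booted from read-only media.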

    2. Re:about chkroot by commodoresloat · · Score: 2

      I just compiled this too and got the same result. Everything else checks out OK. Perhaps this has something to do with the way OS X writes to /etc/passwd. I don't really understand the output from running chkrootkit -x passwd, but it does seem consistent with the view that it has to do with something specific OS X is doing. It might be worth emailing the fink people about putting chkrootkit into fink and writing a version that doesn't have this error. Assuming it is an error; the alternative is, both of us have been rooted!

  19. MacScan b2 Available by Anonymous Coward · · Score: 1, Informative

    MacScan b2 is available from http://macscan.securemac.com/ which fixes many of the issues discussed here.