First Scareware For the Mac

I Don't Believe in Imaginary Property sends us news from F-Secure of what they claim is the first rogue cleaning tool for the Mac. MacSweeper is a Mac version of Cleanator, hosted from a colo somewhere in the Ukraine. The article points out that the company's About page is lifted verbatim from Symantec's site. With the Mac's market share closing in on double digits, perhaps it's not surprising to see the platform targeted with crapware as PCs have been for years. The F-Secure author adds as a footnote that a journalist said to him something you don't hear every day: "I visited the macsweeper.com website. I know I probably shouldn't have but I used a Windows PC so I knew I wouldn't get infected."

Re:the shit hits the fan!

[necro2607]

Yeah the difference is, you can't get spyware installed on a Mac by clicking a banner ad in a browser. The software doesn't even have permission to do software installation, so it would be asking for a password (unless some unknown vulnerability is exploited). Frankly if you're entering your password for your computer when some arbitrary website asks for it, you've already got have way worse problems than spyware on your Mac.

Re:Isn't any "cleaning tool" rogue on a mac?

[moderatorrater]

It's been my experience that 90% of the PCs that require cleaning got in that state because the owner's installed something they shouldn't have. In a way, this program is attempting to create an environment where one would be needed.

Re:the shit hits the fan!

[sqlrob]

It doesn't take special permissions to put stuff in ~/Applications. It's not done by default, but some users do do it, and Finder supports it.

Or heck, just put it on the desktop where the user can click it. No special permissions needed. Most .Apps don't need an installer, nor need to be in /Applications.

Re:Yeah and moon is made from..

[moderatorrater]

It's been my experience that 90% of the hosed computers in this world have had something installed that shouldn't have been. This is just the sort of malware that typically plagues windows computers.

What's wrong with /.?

Why do almost all of the articles on the slashdot main page say only "25 comments"? Is it some kind of bug? (I'm not logged in, and I'm using IE7 on Vista. Flame me. :))

Re:Yeah and moon is made from..

[willyhill]

Come back again when you understand how Windows machines are largely compromised. Crapware vendors don't need to wait for the next IE vulnerability to target people, all they need is social engineering and lack of common sense. The last few major botnet herding attacks have been perpetrated like that. The fastest-spreading worms have been perpetrated like that. Coming a close second is exploiting vulnerabilities that people can't be bothered to patch. Yet all of this has somehow become Microsoft's fault, but in this case I guess it's the user's fault, right?

Idiocy can and will spread happily across platform boundaries. It really does not matter what OS you are using. And this article proves it. It's just that until now Windows was losing by the weight of sheer numbers. It has more vulnerabilities, sure. But those are irrelevant to the people who make big $$$ compromising machines. They simply don't need them.

Contact Us page changed already

[caseih]

Looks like they read slashdot. Their "Contact Us" page is already edited now to remove the text copied from Symantec. Now the page doesn't say much of anything at all. No phone numbers, no addresses. Just a bare e-mail address. Hard to believe how scam artists can operate out in the open these days.

Re:the shit hits the fan!

[sqlrob]

Depends on what version of OS X you're talking about. Drop something in ~/Library/Input Managers in Tiger and below, and every cocoa app is infected when you run it. Or put something in ~/Library/LaunchAgents and watch for Safari and inject code (non-root for PPC only,special group or root for Intel). Or rewrite plugins residing in ~/Library/Internet Plugins...

With some more thought I can probably come up with a pile more.

Re:Hi i'm MacSweeper Developer

[ncryptd]

Well... a quick disasm of your binary doesn't show anything blatantly malicious, which is good... but I also don't see anything really useful. Pretty much everything your program does (and much, much more) can be done with OnyX. For free.

Oh, and you mis-spelled "purchase" in two methods in MacSweeperDaemon. ;-)

(void) purchaise
(void) purchaiseThread

I also noticed you left a somewhat interesting TODO list in the app bundle.

The binaries have references to KIVViSoftware throughout them -- you wouldn't happen to be one and the same with these guys, would you?

Disclaimer: I didn't find anything blatantly malicious -- but I only took a quick look. Given the folders that it tinkers around with, any bugs could do some damage to your Mac, so be careful.

Re:Oh no!

[MachineShedFred]

As an administrator of 100-odd macs myself, used in advertising design and textile design, let me give you a foolproof recipe to making your life 95% easier:

1 Mac OS X Server, configured with all users in Open Directory, and policy to lock out users from system preference panes they have no business being in

1 FileWave server for application deployment and file integrity checking, obtainable from www.filewave.com (note, this will cost money, but will pay for itself the first time you don't have to reinstall an application, because whatever file the user just fucked up just got checksum'd and rewritten)

x users NOT running as a local administrators of the machine

1 unlimited license of Apple Remote Desktop, so that you can remote control / observe, execute code, get system reports, etc.

Mix ingredients together, bake at 350 (or 177 C) for 20 minutes.