Two Trojans For Mac OS X
I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."
Let the flamewars begin!
One for you, one for your partner.
Hey guys, I've got a great new idea for a worm, I'm gonna start an e-mail chain letter that tells people they'll have 7 years bad luck if they don't forward the e-mail to 10 friends and send me their root passwords, IP address and their bank account and credit card numbers. It's sure to be a smashing success!
Hi Slashdot User!
We have detected your Slashdot account preferences have been corrupted.
To fix this, please post your user id and password in response to this message, and one of our customer service operatives will fix your account and recover posting privileges as soon as possible.
Yours Sincerely, Trojan
On windows they do that without asking for password
iTrojan, custom trojan, personally designed by Steve Jobs' evil twin Rodney Jobs, the UI would be beautiful, white, sterile. Mass infection through Starbucks WiFi.
Task Mangler
We go through this about twice a year with the same results every time. "Someone" releases a trojan, presumably as proof that Mac OS X has security holes. Then everyone gets whipped in a frenzy and ultimately no one is infected by the damn thing in the first place. Mac OS X does have its holes (some of which are quite unreasonable), but trying to scare the users (in to buying anti-virus software, perhaps?) gets tiring after a while. No one has yet to do anything that matters with these trojans and security vulnerabilities, the real troublemakers continue to target Windows.
Mac OS X's day will definitely come at some point, but if people keep crying wolf every time someone whips up a theoretical and entirely implausible situation, no one is going to believe the security community once some black-hat does finally decide to attack the Macs.
The ARDAgent vulnerability is pretty serious and stupid, but social engineering is not OS specific. The "poker game" could just as easily be implemented on Windows or Linux.
There is nothing that any OS can do to prevent trojans. (At least not without seriously limiting the functionality of legitimate programs.)
Slashdot's own summary of the ARDAgent vulnerability included a "proof-of-concept"; it is trivially easy to exploit and should be fixed ASAP.
There is no news here.
For crying out loud people, the poker game one is applicable to any system you want to code it on! What does this have to do with being a Mac OS X security hole? It would work on Linux, BSD, RandomOSMadeUpOnTheSpurOfTheMoment (Infinium labs).
It's F-Secure's business to cry wolf.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
Not on Ubuntu - the sudo command in the grandparent will still do the usual rm -rf /
Consider that a lot of people running Ubuntu (myself included) would be the only users on the machines, and as such would be in the admin group. This means that effectively the same person and same password is used for both normal activities and sysadmin activities.
I swear, some people go out of their way to infect their machines. The one that stands out in my mind the most was a virus for Windows a number of years ago. Came as an attachment in a message that said "Hi I send you the file in order to have your advice." So never mind the bad grammar and such, but before campus got hit we got wind of the thing and sent out an e-mail message to all users saying "Don't open this shit it's bad news." One of the users called in saying she was having problems with e-mail, we came and looked. The "problem" was that she wasn't an admin and so, thankfully, couldn't run the damn virus.
Or somewhat more recently we had a virus that slipped by our e-mail scanner. It did so by sending itself in encrypted zip files, and then putting the decryption key in the message. That meant you had to open the mail, save the zip, open the zip, enter the code, extract the executable, and run it. Two users did just that and got infected.
So while it seems amateur to do a "Download this then enter your password" kind of trojan, that shit works waaaay more than you'd think.
not even first post, do you guys ever think about killing yourselves instead of bothering with this crap, i mean even twitter managed to get FP around here today, what happened to you GNAA, i thought u \/\/3R3 +3h 1337?
IranAir Flight 655 never forget!
More like warning that just because you live in a good neighbourhood, doesn't mean you should leave your door unlocked. Too many people who have Macs take the lax approach of "Well Macs don't get hacked so I don't have to worry." Ok well maybe they generally don't (though I've seen it happen due to immense user stupidity) but you should still assume that it can happen, and have security to prevent it.
I'm all about proactive security, not reactive. Don't wait until something is a problem, identify weaknesses and fix that shit BEFORE someone exploits it. If nobody ever tries, ok great. However if someone does, you are glad you set up security.
As I said it is the difference between living in a low crime neighbourhood and a high one. You live in a low crime neighbourhood and figure "Oh well there's no crime here, so I don't need to bother with a door lock or alarm." Ok, that's great right up until the criminals try, then you are screwed since you had no security. Well someone who lives in a high crime neighbourhood might have to put up with attempts more often but if they have their doors locked, windows barred, alarm on and so on it doesn't matter because their security stops it.
Computers are the same way. Just because you run a platform that isn't targeted much, doesn't mean you should just ignore security. Hope for the best but prepare for the worst, then you are ready no matter what.
It is like backups. Backups are a waste of time and money when your system has always been reliable... Right up until the moment when it isn't and you lose all your shit. You hope you never need the backups, and most won't, computers are pretty reliable, but you make them anyways just in case. You prepare for the worst, even if it is unlikely, so that if it hits you aren't screwed.
To be perfectly honest with you, if you use a Linux PC as a file server (like I do) such that there are occasions when you need to delete a directory in "one hit" using rm -Rf, then you're much better off changing the ownership of those files to you first and just tightening up NFS or SAMBA (depending on how you make those files available over the LAN).
Gentoo Linux - another day, another USE flag.
Vista has its fair share of privilege elevation exploits.
chmod +x coolGame.sh
I see what you're saying. Honestly, I would love the idea of my user accounts not being able to do anything but exactly that - use the machine (not make any system changes). But, ultimately, user processes have to at some point interact with root processes through apis and such. So, to some extent, you're always going to have the potential for a problem.
Unless Steve Jobs had his goons rig up a virtualization scheme whereby when a user logged in they were, in effect, 'booting' into a virtual machine. It could be kludgy, but I bet there's a way to do it right.
How do you think that'd be for security?
PS: I don't reply to ACs.
I think you misunderstand how it works on OS X
When an application asks for a password to get admin rights, the user is presented with a dialog, but unlike in Vista, actually needs to type the password to continue. You can't just blindly click "OK".
Yep, well, actually that's another thing UAC does too - critical file & registry read/writes are virtualized into something stored in just the user's directory, so apps that try to get round UAC still work & the system is still secure.
But ultimately, root stuff is still necessary, and it's only the user that can ultimately decide whether or not to allow each request.
throw new NoSignatureException();
I don't really see the difference between OS X privilege escalation using a password prompt and sudo or Vista using UAC. If you allow the program admin privileges you're screwed, and I believe it's just as easy to implement this on Vista as it is on OS X. On Linux it might be a little bit harder because different distros use different sudo configurations.
As for the ARDAgent vulnerability: that's a completely different story, it's a serious security flaw that needs to be fixed very, very fast.
It's more the impersonation I was talking about.
In windows you can launch a process impersonating a windows user if you want to run under different credentials. So with the string value from the "Enter Pa33w0rd n00b" window, you could in XP, for instance run a new process under "root" privs, and hose the system however you wanted (assuming the password was ok). In Vista this is impossible.
Interesting. Care to provide any examples?
It's official. Most of you are morons.
Sorry for copy & paste, but I just tried to make clear what I meant above....
It's more the impersonation I was talking about.
In windows you can launch a process impersonating a windows user if you want to run under different credentials. So with the string value from the "Enter Pa33w0rd n00b" window, you could in XP, for instance run a new process under "root" privs, and hose the system however you wanted (assuming the password was ok). In Vista this is impossible.
That is exactly what a trojan is!
A trojan is a piece of software that appears to be benign or otherwise safe or desirable, but in fact is malign. It may or may not also act as advertised.
A virus is a piece of software that piggy-backs on other executables, "infecting" them with its own code and modifying them so that when they are launched, the virus code is also run. They spread by searching for and infecting other executables on the machine.
A worm is self-propagating, and does not require user intervention. It actively seeks out and exploits a given vulnerability or vulnerabilities, using them to covertly gain access to the machine.
Of the three broad types of malware, the only one that does not require the user to manually run it is a worm.
And if a program requests the root password and the user gives it, is this the OS's fault?
No, of course not - but you'd be amazed at the number of people who blame Windows even for such social engineering tricks, or believe that if we only all switched to Linux malware would be a thing of the past. The weakest link in any computer system is the user, and there's little or nothing an OS can do to protect itself from a naive or malicious user armed with the root/admin password. While this is a non-story, it does at least demonstrate that the same is true of other OSes than Windows.
It's official. Most of you are morons.
Let's get this entirely out in the open, okay? An inexperienced user is potentially a danger on ANY operating system, including your beloved OS X. If you make an executable or email attachment seem valid enough, then there ARE Windows/Linux/OS X users who will run it, just like there have been a lot of surprised people on Slashdot previously when they installed Apple Quicktime updates and discovered it had also installed Safari - this does NOT happen if you know what you are doing and pay attention to what is being shown to you on the screen. No debate, it's fact.
The additional hurdles that both Windows and OS X have to overcome are twofold:
1. Both make money for their respective companies who (understandably) want to shift as much volume as possible. Therefore, the core marketing strategies of both Apple and MS have been to convince Joe Public that you don't need a computer degree in order to use their OSes. Also, rightly or wrongly, the perception of Joe Public is that Linux is difficult to use. Therefore the net result is that in all probability, people who use Windows or OS X are more likely to be newbie users who are more prone to running everything with admin privileges or being duped into running a Trojan.
2. Windows and OS X present nice fat targets for people who write malware because in both cases you have big populations of users running essentially the same systems. This means that the propagation of malware within Windows or within OS X is potentially much better than it is through disparate sets of systems. Again, if Ubuntu, for example, becomes the de facto standard Linux OS then it too could also present a nice fat target to malware writers - but the fact is that at this moment in time, there are so many different distros running that it makes it very difficult to target a single Linux application with malware that would propagate to the same degree as it would potentially do on Windows or OS X.
So please don't get defensive about OS X because if you just bury your head in the sand and do nothing about it, then you put yourself more at risk of a malware attack getting onto your system.
Any piece of malware is a risk to any system but good security is about limiting that risk as much as possible - so it's about putting firewalls in place, putting updates on systems regularly, scanning systems regularly, etc. etc.
why would you reinstall for a corrupted profile? I have gotten one maybe twice and both times was easily repaired. Why would your IT dept even ALLOW that?
"Slashdot, where telling the truth is overrated but lying is insightful."
I think the whole smaller market share as security is a myth... at least as a main reason, IMHO. I'm sure it has some effect but nothing as big as people say. Currently there are at least ~26 million Macs out there (being very conservative), which is still a lot of machines. Heck, even Mac OS 9 had more viruses and Macs had a much smaller market share. I'm sure somebody would have done something by now if it was easy.
On the two major used-by-many operating systems that do a lot via sudo (Mac OS X and Ubuntu flavors) the user created at OS setup is given sudoer rights right off the bat.
I know some bright OS X users, but only a handful of them could explain to you what sudo does.
A lot of websites are now suggesting changing the permissions on the ARDAgent to remove the SUID bit on it.
This works until you repair the permissions (using disk utility which consults its database of permissions) and this puts it right back making you vulnerable again.
As the island of our knowledge grows, so does the shore of our ignorance.
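The comment above notes that stripping the SUID bit from ARDAgent is undone by Disk Utility's permissions repair. The following is an added example, not code from the thread: it records a baseline of setuid files under a directory and reports any file whose setuid bit has come back, so the re-exposure is noticed rather than silently restored. The directory and file names are assumptions; the ARDAgent path itself is not given on the page and is not assumed here.

```shell
#!/bin/sh
# Added example: detect a setuid bit that reappears after a "repair permissions" run
# by comparing the current list of setuid files against a saved baseline.
# All paths are placeholders supplied by the caller (assumption, not from the thread).

# Print every file under DIR that carries the setuid bit (mode 04000), sorted,
# so the list can be compared line by line with comm(1).
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Record the current setuid list for DIR into BASELINE_FILE.
# Run this once, after deliberately removing the bit from the file in question.
save_setuid_baseline() {
    list_setuid "$1" > "$2"
}

# Compare the setuid files under DIR with BASELINE_FILE.
# Prints each file that is setuid now but absent from the baseline (a bit that
# has been put back) and returns 1 if any were found, 0 if nothing drifted.
check_setuid_drift() {
    dir=$1
    baseline=$2
    now=$(mktemp)
    list_setuid "$dir" > "$now"
    # comm -13: lines present only in the second (current) file
    added=$(comm -13 "$baseline" "$now")
    rm -f "$now"
    if [ -n "$added" ]; then
        printf 'setuid bit present but not in baseline:\n%s\n' "$added"
        return 1
    fi
    return 0
}

# Remove the setuid bit from one file (what the websites in the thread recommend).
strip_setuid() {
    chmod u-s "$1"
}
```

Re-run `check_setuid_drift` after any permissions repair or system update; a non-zero exit is the cue that the bit is back and `strip_setuid` needs to be applied again.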
Really you guys are just letting us down time and time again. We need a GOOD exploit if we are ever to bridge the software divide between the two platforms! OSX Virus makers, please step up your game.
Root on OS X is off by default out-of-the-box, isn't it?
Yes, it is off by default.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
trojan
I do not think that word means what you think it means.
If you were a teacher, you wouldn't be surprised at the level of moronism among students and faculty. I'm convinced we see as much if not more idiocy than systems folks. Two examples from the last semester:
Story One: A freshman student this semester copied her whole paper from a graduate-student textbook written by a PhD researcher. Cut and paste. I catch it, tell her she's getting an F. She turns in her next paper, same composition method. Zero, expulsion.
Story Two: I get my teaching evaluations back from the faculty committee. They say I'm awesome, god's sliced cheese, EXCEPT for two problems: my grading rubric is too confusing and I have no schedule of readings. BUT, my grading rubric was an exact copy of the one on the department website that I was told to use, and my schedule of readings was three of the six pages I submitted for their review.
Moral: Never be surprised at how idiotic people can be on a university campus. Some days it's almost like an upperclass twit of the year contest.
I still find it strange though, since mac designers I know (and I do know a few having come from a newspaper) are usually very smart about their macs specifically because if they go to a big house there tends to be a push and pull match between them and their IT department. Are they older designers? Cause I could understand if they are holding on to the old OS 9 mentality where you DID reinstall everything (and crossed your fingers to boot) but all that went out the window 10 years ago.
I've tried the ARDAgent on dozens of different people's computers now and it only worked on Leopard, not on Tiger.
Has anyone seen this work on Tiger? If so what's the configuration where it actually works.
It also does not work on most Leopard computers as things like Fast User switching, or having remote desktop turned on (yes on) cause it to fail.
Now as for trojans. Well what can you say. All computers are vulnerable to trojans. The poker game would run on linux too.
In the case of the poker game download the Mac is going to ask you three times:
1) The item being downloaded contains an application, are you sure?
2) The application being launched for the first time was downloaded from the internet, are you sure?
3) Then finally when it asks for your password.
And at best it runs at user level without the ARDAgent escalation.
Some drink at the fountain of knowledge. Others just gargle.
However, I do accept that "sudo" can have a use in true multi-user environments but I suspect Ubuntu and OS X are mostly run by single users who have both a normal and root account on their systems. In that specific scenario, using "sudo" seems a little pointless to me as it's probably more use to better understand the pitfalls of using root if you hit the wrong key rather than worrying about configuring "sudo" to cover all the bases when it comes to not letting you do everything at root.
Worms for Apples. Can't you just smell the pun?
alias possession='chmod 666 satan && ls'
No, of course not - but you'd be amazed at the number of people who blame Windows even for such social engineering tricks, or believe that if we only all switched to Linux malware would be a thing of the past.
People "blame" Windows for their own stupidity because there are about 1,000,000 schemes out there that attack Windows users. Compare that to Linux and OS X and you start to see why I believe in the security-through-obscurity "misnomer". Sure my Mac may not be any more secure, but I'm not getting assaulted 10 times a day either.
Your analogy needs work. Mythbusters got a lead balloon to fly. Perhaps next time you should use "go down like a fart in an elevator".
today is spelling optional day.
I now use a range of both free and commercial products that are cheaper, better and just run pretty silently in the background without bothering me every five minutes. I am an experienced computer user but I have fixed at least a dozen friends' and relatives' PCs over the years that came pre-installed with Symantec software that was bugging the hell out of them for more subscription money. Having removed it completely and replaced it with legitimate versions of the products I use, each and every one of them has said their PCs run faster and they are no longer constantly interrupted with update messages.
Both Symantec & Mcafee products serve a purpose for a price - but half the stuff in the "Internet Security Suite" packages are redundant and the other half can be bought cheaper elsewhere without the nagging.
Thanks for contributing.
People keep accusing Mac users (I use a Mac laptop and an XP tower myself) of being lax on security but what exactly does this mean and what exactly are "we" doing wrong?
I don't run anti-virus on my Mac but I do run it on my PC. In all the years of running it on the PC I've never once had it detect anything and the only thing the malware scanners have ever flagged are cookies and Win MRU files; even when I slacked off and didn't scan for six months or more. Prior to that I used Windows 95/98 for many years without an AV program at all; never had an issue.
Security (for a home desktop) is not a difficult thing to maintain. I've basically lived by the rules I learned from watching Leo Laporte on "The Net" on C/Net TV back when I dialed up to the Internet using my 14.4 fax/modem and Netscape Navigator 2.0 and RealPlayer were a big deal... Don't open attachments you weren't expecting, don't download files from sites you don't trust, keep your software up-to-date, use a firewall (though that one came a bit later).
That's pretty much all there is to it folks, not that I have to tell this crowd. If people are opening attachments and downloading executables from anywhere and everywhere then that has nothing to do with platform security or feeling that you are invulnerable; it's just bad practice and those people need to be introduced to the very simple rules and slapped when they fail to follow them.
On the issue of Mac passwords, I'm very suspicious when any program asks me for a password to do installations because most user land apps on a Mac shouldn't need an installer at all let alone one that needs escalated privs to install or operate. A keychain prompt is not the common occurrence that the Vista equivalent is said to be. (I haven't had much hands on time with Vista.)
The big companies are guilty of prompting for passwords often with installers but I trust they won't infect my computer with malware (depending on your views on DRM...) and let them go ahead.
To summarize this lengthy post, how are Mac users acting less cautiously than anyone else? There's not a whole lot more they could be doing aside from running mostly worthless AV programs.
Guessing passwords isn't that difficult. Tell me your pet's name and I'll tell you your password.
Say hello to my little sig.
I believe you are slightly incorrect. A worm is malware that propagates without direct action of the user. Malware that executes without user interaction (but does not propagate automatically) is still a virus. A good example would be the viruses that used to find their way onto CDs and which would autorun on Windows and infect the machine without user interaction to run (just to propagate).
I'm so damn sick of people going "oooh, aaah, I thought $software was immune to $threat" when no credible commentator has made such a claim.
Just quit it, OK? It just makes you look like an utter twit.
And it's not just a lack of being targeted. It's a smaller surface area for attack, as well. OS X has nothing comparable to the rich viral petri dish that the tight desktop-browser integration in Windows provides. Before 1997, Windows viruses were virtually all a matter of tricking people into running software, not having software automatically run when you just select an email message so you can delete it... which is how bad things were in the late '90s. Microsoft has tightened up the gaping holes in Windows since then, but they have done NOTHING to remove the underlying flaw that makes these kinds of attacks so easy there.
Compared to Windows, OS X is "virus resistant". That doesn't mean "virus proof". But it does mean that it's going to remain harder to infect than Windows until such time as Apple decides to implement something as barking mad as ActiveX.
These trojans are purely payload. The delivery mechanism is still social engineering... not remote execution. We know that "once you're penetrated you're ****ed", pointing out again the ways you can be ****ed is not news (for nerds or otherwise) nor stuff that matters.
These are not the viruses you're looking for. Nothing to see here, move along.
History shows us that even the smartest of users can catch malware.
It's been 17 years since the last time I had to remove a virus from my own computer, even when that computer's been unpatched Windows 2000 connected to the Internet. In the years that I was network and security admin and had control of the network, the only time we had any systems infected was when a user had either downloaded and run a file (that is, they were social-engineered, and in 10 years only one person came to me with an infected laptop after doing that twice) or they had violated my policy banning IE and Outlook at our location.
The potential for infection if you avoid software that supports automatic execution of remote content is very very small, even on Windows. The reason that Windows has a high infection rate is because of IE and Outlook, not simply because it's popular.
If you're on a Mac, and use Safari, here's the next steps you should take:
(1) Go into preferences and make sure "Open 'Safe' Files after Downloading" is disabled.
(2) Get a standalone FTP client and use one of the third-party LaunchServices editors (look for internet access preference panes) and change the default application for FTP: URLs from Finder to something else.
(3) Use Tinkertool or equivalent to disable Dashboard.
#1 is the most important. #2 and #3 don't allow automatic execution of untrusted content, but they do make social engineering easier.
If you use a Gecko-based browser like Firefox or Camino, you don't need to worry about these.
If you're on Windows: avoid using any application that uses the Microsoft HTML control to access untrusted content. That includes IE, Outlook (not all versions, any more, but I believe you have to accept the Vista-style UI to avoid it), Windows Media Player, Realplayer, and some Firefox plugins and some versions of Netscape.
In Firefox, Windows or Mac or Linux, always clean out the whitelist for installing extensions after you install an extension... the installer is an autoexecution mechanism, and there have been exploits that took advantage of that even if you don't approve the install dialog.
The scary part is that most Mac OS users think they can't catch malware because they're smart enough not to install it.
At the moment that's not far from the truth. You can avoid catching malware by being smart enough to avoid running it, on Windows or OS X, if you exercise some care in the applications you use, and how they're configured. It's harder on Windows, but it's still possible.
http://www.macfixit.com/article.php?story=20080624105604884
Do you have any idea what the impact of ILOVEYOU and Code Red were on corporate Windows systems? Let me assure you, these systems had administrators. All jokes about Windows administrators aside, they're actually more competent than many of you kids think.
What about SQL Slammer? That was anything but insignificant, and I'm pretty darned sure most SQL servers do in fact have administrators taking care of them. Don't think for a damned second that the average Oracle admin knows a damn thing more about system security than a SQL admin would.
All I'm trying to say, is a good Linux worm would be the freaking cat's pajamas, and I believe there are more public, Internet facing corporate Linux servers than Windows at the moment, and these are run largely by people who regard rsync as an enterprise backup solution. These are the same people that would rather build and maintain their own iSCSI server than ask the company to plunk down for another FC HBA or two.
So, please don't just assume every "Linux admin" will have the most secured, locked down configuration in the world, unless they're only managing something like five servers. That really goes for sysadmins of any system, don't assume a Solaris, Window, Mac, Linux, whatever admin to go over the entire enterprise environment with a fine toothed comb, writing personalized firewall rules for each box.
Erm... sorry, I must be a little jaded by the goings on at work, and I've lost touch with the Linux world ever since I read a large article on storage in Linux Magazine that filed two pages with iSCSI and Infiniband of all things, with no mention of Fibre Channel. Linux admins are from a different f'ing planet or something.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
I'm sorry... but am I alone in thinking that it's HILarious that everyone gets whipped into a frenzy when _2_ POSSIBLE exploits are discovered in Mac OS, when Windows has over the years shown... thousands if not millions?
I don't mean to be an anti-windows troll, trust me, I still have 2 Windows machines at home (and then 10 Ubuntu) but assuming that whoever discovered these vulnerabilities spends a large portion of their time looking for them, I'd say the record looks pretty good thus far...
I personally have concluded that it's not possible to make a COMPLETELY secure OS (especially given PEBKAC), but if you make one that demonstrates issues on a rare/reasonably rare basis then you've done it well.
So Hurrah Apple (and contributing OSS Devs), I say job well done!!!
Sig: Do not judge me on how high UID is, but judge me on the content of my comments.
There are actually, regular privilege escalations for Vista reported both discovered and in use in the wild. When I worked at a security firm last year, I saw about one a week in our weekly security bulletin. Here's one from the other day.
Sucks for Mac Users! I saw a poll about this on Sodahead.. http://www.sodahead.com/question/106949/
Well done, and I'm sorry you can't get more than a score of 5 for your post. That's a beautifully concise summary of the differences among trojan, virus, and worm, as well as pinning the responsibility for most malware infections where it truly belongs, on ignorant or foolish users. Kudos.
oh wait, that's winbloze . . . .
it is great that there is the scrutiny, but when most of the bugs are social engineering, or physical access hacks, it just confirms what the whole world knows:
Macs are more secure!
Oh, and for all of you people with blank passwords, please fill them in . . . . at least use the combination to your luggage. Is 123456 that tough to remember or type????
"You never want a serious crisis to go to waste." - Rahm Emanuel