Apple Quietly Goes After Mac Trojan With Update

Th'Inquisitor was one of several readers to point out coverage of Apple's stealth security fix, included along with the recent Snow Leopard 10.6.4 update. Graham Cluley of Sophos first noticed the update to protect Mac computers from a Trojan, and the fact that Apple didn't mention it in the release notes. The malware opens a back door to a Mac that can allow attackers to gain control of the machine and snoop about on it or turn it into a zombie. "You have to wonder," writes Cluley, "whether their keeping quiet about an anti-malware security update like this was for marketing reasons." While he certainly has a point that Apple benefits by its users' belief that the platform is secure, you also have to wonder whether any such publicity from a security company has a marketing subtext, as well.

Re:You have to wonder?

[grapes911]

trojan != virus

this is anything but new

[v1]

There's been malware out for mac for well over a year. The big one I run into is a self-decoding shell script that installs a root cronjob to redirect your dns servers. The machines get brought into me because their web browsing has gotten slower, due to the malware dns server the machine is now using being a lot slower than their ISP's.

I've actually ran into ONE example of a mac that was back-door'd, but thought it was an isolated targeted attack. (the victim was "high profile") But maybe it was just an early version of what's discussed in this thread.

BUT, tossing my hat into the ring as to whether or not Apple should be "hiding" the fix... check out the latest security update from Apple. HUGE list of security patches. (over 40?) All with accreditation to the people that brought the issues to Apple. It's not like they don't have issues, and it's not like they systematically hide them. They just tend to fix them very quickly, and have very few (relatively speaking) to fix in the first place. Apple is well-known to include security updates and fixes in their OS updates, they don't all land in security updates. That's all this one was. It's very likely there were a dozen other security-related fixes made in the 10.6.4 update. This one they just happened to notice. Apple just doesn't usually put a security-fix accreditation readme in with their OS updates. Is that the real issue here I wonder?

Re:Trojan for Mac had to appear some day...

[cbhacking]

Part of writing serious malware, the sort that uses shellcodes and relies upon particular calling conventions and memory layouts, is very platform-specific. That kind of thing has to be learned anew for every platform one wants to target, often including different architectures of a given OS.

Trojans, on the other hand, are literally nothing other than programs that the user doesn't realize he is installing. They may attempt to hide themselves using platform-specific tricks, but at the end of the day, it's a program written like any other. OS X may emphasize Objective-C and de-emphasize its UNIX underpinnings for many things, but at the end of the day it uses a POSIX API very similar to the one found in Linux.

Hell, I've written software for the POSIX subsystem of NT on x86, and successfully ported it to Linux on ARM, with fewer than one #ifdef per KLOC. I strongly suspect that OS X is a lot closer to Linux than SUA (Microsoft's NT Subsystem for UNIX Applications) is to Linux, yet it wasn't hard at all. It wasn't malware, but if I'd wanted to I could have invisibly slipped it into an installer for some other program and then it would have been a trojan.

Re:Trojan for Mac had to appear some day...

[Low+Ranked+Craig]

Trojans for Macs are really no different than any other OS. It just takes a bit of social engineering or something like that, because a trojan, unlike a virus, requires the user to install it. When you install something on a Mac (and windows depending on your settings) you need to type in a password and specifically give permissions to do so. Mac trojans and assorted malware have been around for awhile. What I'm not aware of are any successful Mac OS viruses in the wild, i.e. a "drive-by" infection: getting infected simply by opening an e-mail or a web page.

Re:You have to wonder?

[jedidiah]

The kind of user that buys a Mac probably doesn't care about "details".

A virus is called a virus for a reason. It's called a virus because it
shares an important characteristic with biological organisms.

It can replicate itself.

A Trojan is just a stupid program that doesn't do what it says.

Similarly, a Trojan is called that for a reason. You have to go outside
the city walls and drag it back inside your perimeter before it does you
any damage.

Yes, these little "details" like words and terms that have actual specific meaning are important.

Re:Let's get this out of the way, shall we?

[Bungie]

Can anyone explain why there is a significant difference between virus and malware,

A virus attaches it's code to programs and spreads itself to others when you run an infected execuable on a system. Viruses are pretty much old school and are easy to detect because they modify the code of executables. They also can't infect programs outside of the priviledge level of the infected software and also cannot do a lot of crazy things outside of the user's access level. They are pretty much old school and are not very profitable, just destructive or annoying.

Malware spreads through an exploit vector or social engineering. It installs software and drivers to the system which it attempts to hide through various tricks and obscure OS functionality. Malware can often have a rootkit driver which make them invisible or impossible to remove when booted normally. Malware is designed to make a profit too (like making your machine send spam, logging passwords or other info, popping up ads...).

The reason for the two different levels of software is because malware initially was difficult for vendors to define. Some software for example, presents it's negative aspects in the EULA and it's assumed to be valid software if you install it. Who's to say that WGA isn't spyware or any software that reports activities back to a central server? Malware is also hard to detect heuristically and antimalware apps instead rely on lists of file/registry locations and hashes.

But the two AV programs shouldn't be an issue because they do their blocking and checking at different points. Antivirus needs filter drivers so it can scan files for attached virus code or activity. Antimalware just needs to periodically scan a set of locations and ensure no malware is there. But yeah, most of them can be integrated pretty easily and it makes sense.

Re:When will we get automatic patching?

[Drakino]

"man softwareupdate" for info on one way to auto install updates.

And OS X out of the box has ran software update at first boot since 10.0. Yes, a user has to click install now, and they may just ignore it. But it will come back and prompt again later.

Re:If they're trying to keep it secret

[Ash-Fox]

I've never seen an update break anything.

You obviously haven't used many Macs for a long period of time - I can recall numerous events where java updates broke things with a simple scorch game on OS X - to the point I had to put stupid warnings on the site. I can recall when my network uPnP was borked by a security update from Apple, I can recall the numerous daemons being broken in various OS X server updates too.

My anecdotal 'evidence' is based on years of experience over a wide variety and vast amount of Macs.

I shake my head when I hear the windos admins at the company test a bugfix update.

Because making sure things don't break is obviously stupid of IT.

Isn't that what the vendor is supposed to do before sending it out?

The vendor didn't test the fix in your environment, they tested it in theirs.

Re:Security as it should be

[99BottlesOfBeerInMyF]

So what are the architectural differences in OSX or Linux that would protect everyone from malware if they were the dominant platforms?

While the previous poster may be a bit vague on the details, this is not a point without merit. OS X and most desktop Linux variants do, indeed, have some significant security as a result of architectural choices. In other areas Windows has the upper hand, such as how much access control is applied in userland. Services, are a good example. Windows tends to have more open services and because of the proprietary nature of those closed services, more redundant services. A good example is Autodetection of local network services. It's a good type of service to exploit and a common target for malware on all platforms. Microsoft implements UPnP and exposes it by default, but by most accounts does not adequately sandbox it. Further, because it is proprietary, all cross-platform software has to either forgo the ability to link up with other versions of their own software running on other platforms, or they have to implement a different service. The upshot is, if you're running Adobe CS suite or any one of many other software packages on Windows you're running two services (UPnP and Zeroconf) that do the same thing, both of which have to exposed to hackers and neither of which is as sandboxed as it should be. If you're doing the same on OS X you have only one version (Zeroconf) and it is happily sandboxed so an attacker has to exploit not only the service, but also break the sandbox somehow... a very difficult task. This is all the result of how Windows handles services in comparison to OS X or Linux. On Windows more are exposed by default, they're easier to exploit, and they are usually proprietary; all of which leads to less security regardless of market share.