Slashdot Mirror
Apple Quietly Goes After Mac Trojan With Update
Th'Inquisitor was one of several readers to point out coverage of Apple's stealth security fix, included along with the recent Snow Leopard 10.6.4 update. Graham Cluley of Sophos first noticed the update to protect Mac computers from a Trojan, and the fact that Apple didn't mention it in the release notes. The malware opens a back door to a Mac that can allow attackers to gain control of the machine and snoop about on it or turn it into a zombie. "You have to wonder," writes Cluley, "whether their keeping quiet about an anti-malware security update like this was for marketing reasons." While he certainly has a point that Apple benefits by its users' belief that the platform is secure, you also have to wonder whether any such publicity from a security company has a marketing subtext, as well.
Why is the information publicly available? Why would most generic Mac users care to seek it on their own? Should Apple shove it in their face?
I would hardly call release notes for a bugfix "shoving it in their face."
It makes a lot of sense to say what you fixed in a bugfix, so people clearly know if a system needs a bugfix, or is safe.
Hiding it makes a lot of sense if you don't want to look bad, but is unhelpful to users who want to know if they need to update their systems or if it can wait.
This is probably more of an issue for enterprise users, and in that case their are fewer macs for sure, but its a good practice to be honest about what you're fixing, and covering that up is dishonest.
-Taylor
Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
I know.. this is Bill Gates and Linus Trovalds secret plot to make Apple look bad. Theres no such thing as mac malware, Steve Jobs would never allow it. He has out best interests at heart.. right.. RIGHT?!?!
Anyways even if there was mac malware, They would be forthcoming, and quit claiming to be malware free... I mean they would never lie or mislead us right.. RIGHT!?!?
Disclaimer to the mac fanbois, if you cant take a joke, don't bother replying.
You are entitled to your own opinions, not your own facts.
trojan != virus
Sometimes a trojan prevents a virus.
Let's face it, most of us are scoffers. But moments before zero hour, it does not pay to take chances.
many people go their whole lives without visiting tech sites
They don't? What an unintresting life they must lead with their travels and friends and social life. Repulsive.
Hiding it makes a lot of sense if you don't want to look bad,
It's really hard for me to believe that's the reason they did it, given the number of ugly things they did announce, including a few bugs that give complete control of the computer just by opening a web page. They could have added a line about updating malware signatures, and if they worded it right, avoided the bad press (I mean, it's not like it's the first time there has been a trojan for OSX).
It is more likely that the internal communication processes at Apple got mixed up, and the people in charge of updating the malware signatures haven't gotten in contact with the people in charge of writing the release notes. I don't think that is an uncommon thing in large (and even small) companies.
Qxe4
There's been malware out for mac for well over a year. The big one I run into is a self-decoding shell script that installs a root cronjob to redirect your dns servers. The machines get brought into me because their web browsing has gotten slower, due to the malware dns server the machine is now using being a lot slower than their ISP's.
I've actually ran into ONE example of a mac that was back-door'd, but thought it was an isolated targeted attack. (the victim was "high profile") But maybe it was just an early version of what's discussed in this thread.
BUT, tossing my hat into the ring as to whether or not Apple should be "hiding" the fix... check out the latest security update from Apple. HUGE list of security patches. (over 40?) All with accreditation to the people that brought the issues to Apple. It's not like they don't have issues, and it's not like they systematically hide them. They just tend to fix them very quickly, and have very few (relatively speaking) to fix in the first place. Apple is well-known to include security updates and fixes in their OS updates, they don't all land in security updates. That's all this one was. It's very likely there were a dozen other security-related fixes made in the 10.6.4 update. This one they just happened to notice. Apple just doesn't usually put a security-fix accreditation readme in with their OS updates. Is that the real issue here I wonder?
I work for the Department of Redundancy Department.
Part of writing serious malware, the sort that uses shellcodes and relies upon particular calling conventions and memory layouts, is very platform-specific. That kind of thing has to be learned anew for every platform one wants to target, often including different architectures of a given OS.
Trojans, on the other hand, are literally nothing other than programs that the user doesn't realize he is installing. They may attempt to hide themselves using platform-specific tricks, but at the end of the day, it's a program written like any other. OS X may emphasize Objective-C and de-emphasize its UNIX underpinnings for many things, but at the end of the day it uses a POSIX API very similar to the one found in Linux.
Hell, I've written software for the POSIX subsystem of NT on x86, and successfully ported it to Linux on ARM, with fewer than one #ifdef per KLOC. I strongly suspect that OS X is a lot closer to Linux than SUA (Microsoft's NT Subsystem for UNIX Applications) is to Linux, yet it wasn't hard at all. It wasn't malware, but if I'd wanted to I could have invisibly slipped it into an installer for some other program and then it would have been a trojan.
There's no place I could be, since I've found Serenity...
Trojans for Macs are really no different than any other OS. It just takes a bit of social engineering or something like that, because a trojan, unlike a virus, requires the user to install it. When you install something on a Mac (and windows depending on your settings) you need to type in a password and specifically give permissions to do so. Mac trojans and assorted malware have been around for awhile. What I'm not aware of are any successful Mac OS viruses in the wild, i.e. a "drive-by" infection: getting infected simply by opening an e-mail or a web page.
I still cannot find the droids I am looking for...
Trojans aren't viruses.
Please list off all the viruses that will run on Snow Leopard.
Mac users are very fond of pointing out this distinction, leaving out that trojans and malware, and social engineering, these days are the overwhelming majority of Windows issues as well. The traditional virus is mostly a thing of the past.
Actually funny you should say that, as I would say that most Windows users would be safer as they know there is malware for Windows and thus are more likely to have AV and Antimal. I had to clean up a few Macs infected with the "Mac Codec" DNSChanger awhile back, and I literally had to take them to a security site and show them a security report saying "This is Mac malware" because they completely refused to believe it was possible for a Mac to get malware, because that was what they had been told so often. One even got irate with me because "WTF is the point of spending all this money buying a Mac and a bunch of new stuff to go with it if I can still get infected!!!". I told him to go take it up with the guys at the Genius Bar, because I just fix boxes.
So I would say, especially with Windows 7 where there are features like ASLR, NX bit, and Windows Defender by default, that Windows users are probably safer because they know of the dangers out there. Many Mac users think they can run whatever they want and do anything because "Macs can't get bugs" and are therefor less likely to have good safety practices like have an AV or worry about updates. BTW all the guys that hope for a "Year of the Linux Desktop"? Guess what inevitably comes with clueless users? Can you say malware and headaches boys and girls? Believe me, I tried converting a "must click on teh pron!" Windows user to Linux once, he managed to break the OS in just three days. No matter the OS, stupid is as stupid does.
ACs don't waste your time replying, your posts are never seen by me.
I use apple's software update server to distribute patches and updates at my company. I never understood why apple gives us a mechanism to centrally control and distribute patches, but no way to automatically install them.
This is one thing that Microsoft got right. Centrally distributing and installing patches is stupidly easy in the windows world. It pains me to say this, but the lack of automatic patching will bite apple and their users one day.
So you like it when the OS vendor pushes some software onto your system without any mention in the patch notes (which is the point of the article)? If so, you're posting on the wrong website.
The kind of user that buys a Mac probably doesn't care about "details".
A virus is called a virus for a reason. It's called a virus because it
shares an important characteristic with biological organisms.
It can replicate itself.
A Trojan is just a stupid program that doesn't do what it says.
Similarly, a Trojan is called that for a reason. You have to go outside
the city walls and drag it back inside your perimeter before it does you
any damage.
Yes, these little "details" like words and terms that have actual specific meaning are important.
A Pirate and a Puritan look the same on a balance sheet.
If you're just starting to wonder now then you're gonna be in for a shock. Apple has never been a really transparent company about what they do, and they've always just pushed and bundled things however they like.
The clash of honour calls, to stand when others fall.
Sir, you're never going to get modded up here if you continue to insist on posting clear, intelligent and rational comments that actually discuss the issues involved, backed up by your personal knowledge and experience.
Wearing condoms won't protect you against water-related diseases.
That depends on where you wear the condom.
Anything can be found funny, from a certain point of view.
A virus attaches it's code to programs and spreads itself to others when you run an infected execuable on a system. Viruses are pretty much old school and are easy to detect because they modify the code of executables. They also can't infect programs outside of the priviledge level of the infected software and also cannot do a lot of crazy things outside of the user's access level. They are pretty much old school and are not very profitable, just destructive or annoying.
Malware spreads through an exploit vector or social engineering. It installs software and drivers to the system which it attempts to hide through various tricks and obscure OS functionality. Malware can often have a rootkit driver which make them invisible or impossible to remove when booted normally. Malware is designed to make a profit too (like making your machine send spam, logging passwords or other info, popping up ads...).
The reason for the two different levels of software is because malware initially was difficult for vendors to define. Some software for example, presents it's negative aspects in the EULA and it's assumed to be valid software if you install it. Who's to say that WGA isn't spyware or any software that reports activities back to a central server? Malware is also hard to detect heuristically and antimalware apps instead rely on lists of file/registry locations and hashes.
But the two AV programs shouldn't be an issue because they do their blocking and checking at different points. Antivirus needs filter drivers so it can scan files for attached virus code or activity. Antimalware just needs to periodically scan a set of locations and ensure no malware is there. But yeah, most of them can be integrated pretty easily and it makes sense.
The clash of honour calls, to stand when others fall.
Hiding it makes a lot of sense if you don't want to look bad, but is unhelpful to users who want to know if they need to update their systems or if it can wait.
I think you run too much windos. The only reason I've ever hesitated installing an OS X update right away was when it required a restart and I had something running I didn't want to interrupt. I've never seen an update break anything. I shake my head when I hear the windos admins at the company test a bugfix update. Why'd the need to do that? Isn't that what the vendor is supposed to do before sending it out?
I think you run too much Mac.
Vendors are supposed to test their updates before sending it out, but who knows if their tests were comprehensive? The best way to see if an update will work with your specific combination of hardware and software is to test it on your hardware and software. Are you using a custom app written in-house? Did your programmer rely on an outdated program interface that finally got phased out in this update? The vendor may have given plenty of warning that they were going to phase out that interface, but your programmer may have missed that, or been an idiot. In that case, the vendor *DID* test and considered it functional, but it could still break stuff.
Or the vendor thought they tested it, but screwed that up. Are you willing to trust them to always get it right 100% of the time?
Your cuddly image of Mac computers always working is great, but *NO* system is infallible, and if you have 1000 computers and you can't afford to have them all stop working on you, you have to test *EVERY* upgrade. That's just common sense.
-Taylor
Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
You obviously haven't used many Macs for a long period of time - I can recall numerous events where java updates broke things with a simple scorch game on OS X - to the point I had to put stupid warnings on the site. I can recall when my network uPnP was borked by a security update from Apple, I can recall the numerous daemons being broken in various OS X server updates too.
My anecdotal 'evidence' is based on years of experience over a wide variety and vast amount of Macs.
Because making sure things don't break is obviously stupid of IT.
The vendor didn't test the fix in your environment, they tested it in theirs.
Change is certain; progress is not obligatory.
So what are the architectural differences in OSX or Linux that would protect everyone from malware if they were the dominant platforms?
While the previous poster may be a bit vague on the details, this is not a point without merit. OS X and most desktop Linux variants do, indeed, have some significant security as a result of architectural choices. In other areas Windows has the upper hand, such as how much access control is applied in userland. Services, are a good example. Windows tends to have more open services and because of the proprietary nature of those closed services, more redundant services. A good example is Autodetection of local network services. It's a good type of service to exploit and a common target for malware on all platforms. Microsoft implements UPnP and exposes it by default, but by most accounts does not adequately sandbox it. Further, because it is proprietary, all cross-platform software has to either forgo the ability to link up with other versions of their own software running on other platforms, or they have to implement a different service. The upshot is, if you're running Adobe CS suite or any one of many other software packages on Windows you're running two services (UPnP and Zeroconf) that do the same thing, both of which have to exposed to hackers and neither of which is as sandboxed as it should be. If you're doing the same on OS X you have only one version (Zeroconf) and it is happily sandboxed so an attacker has to exploit not only the service, but also break the sandbox somehow... a very difficult task. This is all the result of how Windows handles services in comparison to OS X or Linux. On Windows more are exposed by default, they're easier to exploit, and they are usually proprietary; all of which leads to less security regardless of market share.