Slashdot Mirror


OS X Crimeware Kit Emerges

Trailrunner7 writes "Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple's Mac OS X operating system has appeared. The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that's quite similar to the Zeus construction and has the ability to steal forms from Firefox." Mac users are also being targeted by a new piece of scareware called MAC Defender.

202 comments

  1. Masses reaction by TaoPhoenix · · Score: 4, Funny

    "It can't be! Macs don't get malware! Protect us, Steve J!"

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    1. Re:Masses reaction by fuzzyfuzzyfungus · · Score: 4, Funny

      Not to worry, my faithful, mandatory binary signing will be here soon enough.

      Sent from my iPad.

    2. Re:Masses reaction by jo_ham · · Score: 5, Interesting

      Not wanting to go for a cheap "FTFY", I'll just say that the reaction of everyone imitating a Mac user's reaction will be yours.

      The rest of us actual Mac users carry on as normal, just like the Linux users.

      Interestingly, does this count as the 44th malware threat on OS X (based on a cited post from the AV thread yesterday that said there are 43 threats over the life of OS X), or does it count as more than one, since it's a tool kit? Is a Swiss Army knife one tool or several? :p

    3. Re:Masses reaction by bmo · · Score: 5, Insightful

      Nobody with a brain has ever claimed that OSX is impervious. And nobody with a brain has ever claimed that OSX is impervious to PEBCAK.

      What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

      Compare and contrast this to the Windows world where the execute bit is tied to 3 letters in the file name and Windows will duly execute the file as soon as it's double-clicked. Malware in this system goes from machine to machine because Windows assumes that a file is permitted to execute if it whispers the correct shibboleth of "exe, com, scr" or what have you.

      While OSX's advantage of using the Unix model of tossing permissions does not cover warez, the equivalent of purple gorillas on OSX or braindead users, even the small amounts of protection that OSX gives goes a long way in preventing network effects on the spread of malware.

      --
      BMO
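
The execute-bit behaviour described in the post above, as an added example that is not part of the thread: a raw byte-for-byte transfer (download, mail attachment) leaves the receiver with a non-executable file, a tar container preserves the mode bits, and a defender can count unexpected executables in a download directory. It assumes a POSIX shell with tar, find, chmod and mktemp available; all file names are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that only a container transfer
# carries the execute bit across, and gives a simple check for executables
# that have appeared in a directory where none are expected.
set -eu

WORK=$(mktemp -d)

# Sender side: a script that is executable where it was created.
make_sender_file() {
    printf '#!/bin/sh\necho hello\n' > "$WORK/tool.sh"
    chmod 755 "$WORK/tool.sh"
}

# Raw transfer: only the bytes move. The receiving file is created fresh,
# so it gets the default mode from the umask (normally 644), not the sender's.
raw_transfer() {
    cat "$WORK/tool.sh" > "$WORK/received_raw.sh"
}

# Container transfer: tar records the mode bits in the archive and restores
# them on extraction, so the execute bit survives the trip.
container_transfer() {
    ( cd "$WORK" && tar -cf tool.tar tool.sh )
    mkdir -p "$WORK/unpacked"
    ( cd "$WORK/unpacked" && tar -xf ../tool.tar )
}

# Returns 0 if the file is executable by the current user, 1 otherwise.
is_executable() {
    [ -x "$1" ]
}

# Defender check: number of regular files under a directory with the owner
# execute bit set (-perm -100 is the portable octal form). A non-zero count
# in a downloads folder is worth a second look.
count_executables() {
    find "$1" -type f -perm -100 | wc -l | tr -d ' '
}

# Walk through the three cases when run directly (all steps are idempotent).
make_sender_file
raw_transfer
container_transfer
for f in "$WORK/tool.sh" "$WORK/received_raw.sh" "$WORK/unpacked/tool.sh"; do
    if is_executable "$f"; then
        echo "executable:     $f"
    else
        echo "not executable: $f"
    fi
done
echo "executables under $WORK: $(count_executables "$WORK")"
```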

    4. Re:Masses reaction by melikamp · · Score: 4, Interesting

      The funny thing about signing binaries, it only helps to authenticate the author and to defend against the random memory corruption. It does nothing at all for defending from things like local and remote exploits, which corrupt the memory intentionally by using bugs already present in the signed binaries.

    5. Re:Masses reaction by mysidia · · Score: 2, Insightful

      Not to worry, my faithful, mandatory binary signing will be here soon enough.

      Yes, worry. The "malware" binary will be validly signed; and in some way, not technically malware -- the malware will be part of the unsigned data payload loaded by the benign binary. The benign binary will be something like /usr/bin/python, and may be shipped with the OS itself... (how much higher a level of trust can you get for a binary?)

    6. Re:Masses reaction by mrnobo1024 · · Score: 2, Interesting

      This might have been a good point in 1987, but today most serious malware spreads by exploiting bugs in legitimate software. Why rely on the user to run your evil program manually when buffer overflows and such are so abundant?

      Having an "execute bit" doesn't do anything to stop that (unless you mark all your programs non-executable, of course; that'll make sure you're secure ;))

    7. Re:Masses reaction by mysidia · · Score: 1, Insightful

      What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

      Or you can just distribute through a .dmg with a script that executes as soon as the user mounts the .dmg file by downloading it in Safari, or double clicking it in Firefox. The scripted portion runs as soon as the .dmg is mounted, so the malware can be deployed without further user intervention.

      By the way, downloading a .dmg file, mounting, and copying its contents to /Applications is the de-facto standard practice for software deployment on MacOS.

    8. Re:Masses reaction by scot4875 · · Score: 2

      Compare and contrast this to the Windows world where the execute bit is tied to 3 letters in the file name and Windows will duly execute the file as soon as it's double-clicked. Malware in this system goes from machine to machine because Windows assumes that a file is permitted to execute if it whispers the correct shibboleth of "exe, com, scr" or what have you.

      This hasn't been true for a *long* time. Go ahead; try downloading something and run it on any patched and updated XP, Vista, or Win7 box. At the very least, it will give you the "run unsigned application from ?", and you'll get multiple warnings on Vista or Win7.

      The thing is, though, it doesn't matter how many warnings you throw up; users will simply keep clicking through everything until they get their shiny cursors. Of course, maybe Macs still have an advantage here, in that the OSX is the pinnacle of design perfection, so no user would ever *want* to download and install a purely cosmetic change.

      --Jeremy

      --
      Jesus was a liberal
    9. Re:Masses reaction by errandum · · Score: 4, Interesting

      You miss the point, I think.

      Whoever double clicks something to install assuming it is legit will also gladly insert their username/password.

      In terms of security windows is actually more robust from a security standpoint than mac os, but it's also targeted a lot more. And I don't mean file permissions, I mean actual design flaws.

      You're safer while using a mac, no doubt about it. But the OS with the most security features IS windows.

      And if you don't believe me, I'll quote:

      "Paul Kocher, president and chief scientist at Cryptography Research: "The fair answer is that with the latest versions of each operating system there isn't a compelling security reason to pick one or the other. It used to be that Apple was doing a better job, but with Windows 7 Microsoft has caught up. There are some differences; Windows has a better security ecosystem. On the other hand, Apple tends to have more expensive hardware and has a smaller market share, so it attracts fewer malware writers. Both have security bugs. Both need patches. Both can be broken if someone finds a zero-day exploit."

      or

      "Charlie Miller, a principal analyst at consultancy Independent Security Evaluators: "Technologically speaking, PCs are a little more secure than Macs. Macs have a larger attack surface out of the box (Flash, Java, support for a million file formats, etc.) and lack some anti-exploitation technologies found in PCs like full ASLR [Address Space Layout Randomization]. This means Macs have more vulnerabilities and it's easier to turn a vulnerability into an exploit on the platform. Despite the fact it is less secure, paradoxically, Macs are actually safer to use for most people. This is because there simply isn't much risk of being exploited or installing malware."

      or even

      "Rich Mogull, CEO at Securosis: "It depends on which version of Windows we're talking about. Clearly there are major differences between Windows XP and Windows 7. Second is, are we talking about safety versus security? Microsoft has done more in terms of its inherent security features than Apple has in the operating system. All of that said, Microsoft gets attacked a lot more than Apple does. Right now your odds of being infected as a Mac user by malicious software are quite a bit lower than a Windows user, unless you do stupid things, such as download free versions of commercial software. And some of the pornography sites on the Internet, the dark corners of the Internet have stuff that will hurt a Mac."

      It's not my opinion. It's the expert's opinion.

    10. Re:Masses reaction by rsborg · · Score: 3, Interesting

      "Charlie Miller, a principal analyst at consultancy Independent Security Evaluators: "Technologically speaking, PCs are a little more secure than Macs. Macs have a larger attack surface out of the box (Flash, Java, support for a million file formats, etc.) and lack some anti-exploitation technologies found in PCs like full ASLR [Address Space Layout Randomization]...."

      Your quote from Mr. Miller is way out of date. Apple now doesn't include Flash or Java by default, and does implement (although weakly) ASLR.

      --
      Make sure everyone's vote counts: Verified Voting
    11. Re:Masses reaction by MeNeXT · · Score: 1

      You missed his point. The software runs as the user and does not run as ROOT or SYSTEM, meaning limited access at most. You may infect the user account with a buffer overflow but you won't get SYSTEM access. Now compare that to Windows and be real about it.

      --
      DRM? No thanks, I'll just get it somewhere else...
    12. Re:Masses reaction by mcdermd · · Score: 1

      Not to say he's biased but I remember getting into middle school PC/Mac wars with Kocher in 1985.

    13. Re:Masses reaction by Haedrian · · Score: 2

      Nobody with a brain has ever claimed that OSX is impervious

      There you go. There's your problem right there.

    14. Re:Masses reaction by DeadCatX2 · · Score: 1

      In Windows, software doesn't run as root or system by default, either. Since Vista, there has been UAC, unless you turned it off. Modern Windows applications cannot even write anything to Program Files without elevated permission.

      That said, you seem to wrongly think that there are no privilege escalation exploits that allow malware to gain root or system privileges.

      --
      :(){ :|:& };:
    15. Re:Masses reaction by Anonymous Coward · · Score: 0

      Compare that to a supported version of Windows and you get exactly the same situation. People haven't been gunnin' for root/system for a long time because it has become much more difficult to achieve and is frankly unnecessary. It's not about p0wning the machine, it's about running a zombie, and all you need is standard user access on any of the OSes in order to drop in something that runs at login and can connect to the Internet.

    16. Re:Masses reaction by cybermage · · Score: 4, Insightful

      Of course, Faust's deal with the devil was signed too.

    17. Re:Masses reaction by errandum · · Score: 1

      Didn't notice this, but I've never installed Java on my Snow Leopard, so I assumed it was still true.

      Either way, the point stands. Having a password prompt and file permissions is a start, but not the holy grail of security, not by a long shot.

    18. Re:Masses reaction by exomondo · · Score: 2

      Compare and contrast this to the Windows world where the execute bit is tied to 3 letters in the file name and Windows will duly execute the file as soon as it's double-clicked.

      No it doesn't, don't spread FUD. You will always get security warnings when trying to run unsigned executables.

    19. Re:Masses reaction by mellon · · Score: 1

      This is true. The next step up from this is restricting what apps can access, which Apple does in iOS and to some degree Google does in Android. I don't see how they'd do this for every MacOS application, but there are plenty of MacOS applications they *could* do this for. It doesn't matter if your C compiler is vulnerable to a stack smash if there's no way for a network attacker to get to it.

    20. Re:Masses reaction by Jezza · · Score: 1

      Sadly I know of (because we have the bl**dy thing deployed) Windows applications that don't run with UAC switched on OR the user running as anything other than administrator... I know!

      In fact, in the UK pretty much EVERY school administration system is setup this way - because the software demands it. On Windows 'legacy' is one of the greatest enemies of security. On Mac OS X there is very little legacy, "Classic" is long gone, and PowerPC isn't installed by default on Snow Leopard. Expect more of the same with Lion. It makes Mac OS X a bit more of a challenge (because in every release some legacy item or other goes away) but it does help security.

    21. Re:Masses reaction by mellon · · Score: 2

      You may find this less comforting when all your bank account information, which is owned by you, not by root, gets scooped off of your computer over the net. Likewise, it's trivial to add startup items; these run with your permissions, so they don't have total control over the machine, but they can still stick around and propagate.

    22. Re:Masses reaction by man_of_mr_e · · Score: 1

      Except, of course, when the software with the vulnerability is already running as root or SYSTEM. Perhaps the flaw is even in the kernel (which happens from time to time).

      Seriously, the execute bit argument is stupid. If someone sends a user an attachment of lady gaga nude, they're going to set the damn execute bit to view it. And malware can be malware even if it runs as the user (it can still send tons of spam and be used as part of a zombie network to DDoS people, it can still rape your address book and mail itself to everyone).

    23. Re:Masses reaction by man_of_mr_e · · Score: 1

      And people can configure software to run as root as well. Intentionally disabling your security system should not be a valid argument.

    24. Re:Masses reaction by oakgrove · · Score: 1, Offtopic

      On my machine, every single userspace program runs with a different uid. No program has read or write permissions to any other program's data. And that's just one line of defence. And for people that run everything as themselves, there is AppArmor (http://en.m.wikipedia.org/wiki/AppArmor) that will effectively do the same thing.

      --
      The soylentnews experiment has been a dismal failure.
    25. Re:Masses reaction by Jezza · · Score: 1

      My point is there are a whole lot of Windows systems that HAVE to run in a way that anyone at Microsoft would probably weep at, to run legacy software. This "I'll just keep running it" attitude is endemic. It is one thing that just doesn't exist on the Mac - you simply can't, Apple take the legacy support away - quite quickly actually. It would be possible to improve Windows security a great deal faster, if they took a more "Apple approach" to legacy.

      My point is legacy is the enemy of security.

      When people complain that Windows Vista/7 won't run this or that bit of legacy software, and that they want better security - they are trying to argue both ends of the problem. You can't have your cake and eat it.

    26. Re:Masses reaction by peragrin · · Score: 1

      The reason "Legacy" on OS X is long gone is because Apple forces developers to upgrade to NEW APIs by turning off the insecure ones. The old API, Carbon, is gone; now only Cocoa remains.

      MSFT screwed up with vista and 7 in one way. all the old API's should have been left behind. If a program needed old API's then an XP-compatible mode should have been launched sandboxed to run said program.

      Instead MSFT simply ported over all the old code, bugs and all, and wrapped a couple of layers of plastic wrap around them and called it a sandbox (it is why the first Vista virus came right from Windows XP with no modification).

      --
      i thought once I was found, but it was only a dream.
    27. Re:Masses reaction by Anonymous Coward · · Score: 0

      Malware in this system goes from machine to machine because Windows assumes that a file is permitted to execute if it whispers the correct shibboleth of "exe, com, scr" or what have you.

      Don't you mean, "sibboleth" ;)

    28. Re:Masses reaction by hairyfeet · · Score: 5, Insightful

      Actually, and I'll probably get flamed for saying this, you'd be surprised how many have bought the "you just can't infect a Mac!" meme. I got called into an SMB a few years back, where the guy instead of listening to me and paying me to set up a sensible top to bottom least permission approach bought into the "can't infect a Mac!" meme and then was shocked! shocked I tell you, when he found out he got pwned thanks to one of his kids wanting to watch a naughty video and getting the DNS changer bug.

      You see the problem is something we that have been in the trenches for quite a while (I started with Win 3.x, what was that? 20 years ago?) sadly run into far too often, it is what I like to call "magical thinking". It is the "If I use product X I won't have to change my habits or anything, and I'll be unhackable" bullshit. Hell I remember when firewall resellers were pushing the "if you have a firewall you are invisible and untouchable!" and it was bullshit then and it is bullshit now.

      NEWS FLASH...ALL OSes can be hacked, full stop. ALL OSes are extremely complex pieces of code, with interactions on top of interactions with third party code thrown in the mix just for shits and giggles. There is NO perfectly unhackable OS and if there was one that person could hire Bill Gates to shine his shoes. The last real legitimate gripe about Windows, the brain dead "hey let's run everyone as admin!" finally died hard with Vista, so frankly all OSes are on about the same footing, as in TFA it all comes down to what the malware writer thinks is profitable.

      Think OSX is immune? Read TFA. Think Linux can't be pwned? Look at the Android malware or the KDE screensaver malware that spread a while back or even this handy how to guide on writing Linux malware.

      The ONLY solution is a top to bottom least permissions approach, not magical thinking. Least permissions and users not being so brain dead they actively help the malware writer is the ONLY solution.

      As a final note let me give a recent example. I set up a box, had it locked down nicely, required password for admin, least permissions, yet it got pwned in under 45 days. Did I miss something? Nope, the user decided he just had to have Limewire, even though I told him not to, so he disabled the antivirus because it wouldn't in his words "shut up" and then promptly gave permissions to Limewire to do whatever it wanted. And boy did it, 60+ pieces of malware.

      So in the end it doesn't matter what the OS, it doesn't matter what kind of permissions model you set up, if you have someone with admin rights that says "I want my emails from Melissa and you WILL let me have them!" then no matter what OS, you're screwed. An OS is only as good as the PEBKAC sitting in front of it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    29. Re:Masses reaction by YoshiDan · · Score: 1

      And how does the malware running only with the user's permissions make anything better? So it can't mess with the rest of the system. Big deal. The user's home directory is where the user will store all their important personal documents and what have you, which will still be accessible by malware. These things being destroyed are what matter most to the user, not whether their OS gets hosed or not.

    30. Re:Masses reaction by YoshiDan · · Score: 1

      >old api Carbon, is gone now only Cocoa remains.

      Since when? Apple dropped their plans to update carbon to 64 bit and they are no longer adding new features to the API but it still exists and they still release patches for it. If they dropped carbon completely there would be a lot of major applications that would not run. Adobe Fireworks and MS Office come to mind as applications I use frequently which are still largely carbon.

    31. Re:Masses reaction by hairyfeet · · Score: 1

      Uhhh...you DO know there is a butt simple way around this, yes? 1.-Install the software, 2.-Install Deep Freeze or other similar software. 3.-There is no step three because at every boot you have a clean system and if there is any doubt at any time a simple reboot gets you a clean slate.

      Now personally I wish MSFT would have simply built this ability into the OS, but with antitrust they'd probably be slammed by both the AV and the companies like Deep Freeze if they tried it. They offered a free version on XP called Steady State but they never bothered to update it and quietly let it die.

      But in the end you really can't blame MSFT for this one, since their recommendations on writing permissions have been the same since Win2K Pro; it is just that nearly every third party vendor gave MSFT the bird and wrote everything as admin because it was the lazy way to go. But if you are dealing with a vendor who after FOUR YEARS of UAC STILL hasn't bothered to write an acceptable program with normal permissions I would seriously be pushing for another vendor. After all if they can't even code correct permissions, what other shoddy code have they let slip by?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    32. Re:Masses reaction by Jeremi · · Score: 1

      If someone sends a user an attachment of lady gaga nude, they're going to set the damn execute bit to view it.

      One would hope that anyone smart enough to know how to set the execute bit, would be smart enough to know not to set the execute bit.

      (One would probably be disappointed, though ;^))

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    33. Re:Masses reaction by Jezza · · Score: 1

      Look I totally agree with you. The system is a mess (I'm talking about the application - "SIMS") it is shocking that it simply doesn't work properly with Windows (because it really is working against Windows). I don't "blame" Microsoft at all for this. Pretty much EVERY UK school has the same setup. I can't change it, as I'm not the one looking after SIMS - it is frequently updated (mostly because stuff doesn't work properly, usually the updates break something else) again by the local authority, and wow they don't know what they're doing.

      No matter what either of us think of it, this is the situation "on the ground". I have first hand experience of this, and seeing it installed is like watching someone wilfully break Windows security. The software just doesn't run otherwise. Users have to run it as administrator, up until very recently it didn't run in 64bit Windows (I know!) and UAC has to be switched off. It also makes Windows run VERY slowly. After the install, when the system reboots (yes the system has to reboot several times during install) the system is far slower than it was before the software was installed.

      As I say, this is VERY common in UK schools (far in excess of 95% of schools run this stuff).

    34. Re:Masses reaction by farnsworth · · Score: 2

      Apple now doesn't include Flash or Java by default

      I have an Air from a couple months ago, and it came with Java right there in /usr/bin/. I haven't installed Lion yet, but I would be surprised if Java was absent. It's not impossible, but that would be a fairly sudden removal.

      --
      There aint no pancake so thin it doesn't have two sides.

    35. Re:Masses reaction by hairyfeet · · Score: 2

      Actually your point would better be phrased "MSFT should just say I quit and tell everyone to buy an iPhone" as backwards compatibility is what sells Windows and if I can't run my programs why in the hell am I gonna pay for Windows? I can run Linux for free or just buy a Macbook.

      And you know what? For all the Linux and Apple guys creaming about legacy cruft we Windows guys like backwards compatibility same as most of us happen to like the registry, thank you VERY much! I LIKE having a new quad core with 8Gb of RAM and a 64bit OS and still being able to play NOLF 2. I LIKE the fact that the couple of thousand bucks I got invested in games still work (well as long as I go to Gamecopyworld for a crack, thanks SecuROM, you ass muncher) and my customers LIKE having all their expensive photo and business software "just work" even after getting a new OS!

      To get rid of backwards compatibility would frankly be suicide, because it is the huge third party library of software and games that keeps people on Windows. Hell if I figured it up I probably have over 10,000 dollars in Windows software, is MSFT gonna give me that money back? Hell it is all the third party software that keeps the Wine guys working nights, as they know that it's the programs NOT the OS that keeps people on Windows. Lose that and they may as well close up shop.

      The ONLY way to get rid of backwards compatibility with all the billions of dollars users have invested and hundreds of millions of Windows users is to write the baddest ass VM in the history of mankind, a VM so damned simple your grandma wouldn't even have to know what a VM was, while at the same time working on no less than THREE CPUs (AMD,Intel,Via) with both in order AND out of order execution (Atom through the latest Intel and AMD multicores) and on top of all that having to support no less than THREE GPU manufacturers and give at least enough acceleration that everything that runs on XP would run (actually I'd include Win98 as well, since currently Win9X software will run most of the time).

      So frankly it would be probably one of the most expensive R&D projects in the history of MSFT, and if they boned it? People would be paying guys like me to wipe their OS en masse, just as I spent a year making Vista disappear for XP. If it comes down to several thousand dollars in software or having to run an old OS? Well fuck MSFT I have a firewall, and so do most other folks. It would be suicide.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    36. Re:Masses reaction by aztracker1 · · Score: 1

      This doesn't matter much... most home users have only one account on their computer, and it is often set to automatically log in... what do you need root privileges for when you can execute as a user, and access all the user's data? What would be needed would be separate data stores protected per application, per user... This isn't the case in Windows, Linux, or OS X.

      --
      Michael J. Ryan - tracker1.info
    37. Re:Masses reaction by Anonymous Coward · · Score: 1

      Equivocate much?

    38. Re:Masses reaction by YoshiDan · · Score: 1

      This is something that annoys the shit out of me. Safari by default has the "open safe files" when you download. I always forget to turn this off when I do a fresh OS X install. I don't call mounting disk images and automatically extracting the contents of an archive "safe". I wonder what the hell Apple was thinking.

    39. Re:Masses reaction by aztracker1 · · Score: 1

      Beyond this, NTFS does have distinct execute privs... on XP/2K I've been known to set iexplore.exe to allow write, but not execute privs... so that it isn't ever runnable as a browser choice... this way it doesn't break updates, but still doesn't let another user/guest execute old IE versions.

      --
      Michael J. Ryan - tracker1.info
    40. Re:Masses reaction by Anonymous Coward · · Score: 0

      How the fuck is this off topic? Fuck you, mod.

    41. Re:Masses reaction by gmhowell · · Score: 1

      Methinks the lady doth protest too much.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    42. Re:Masses reaction by DJRumpy · · Score: 2

      This isn't a hack. It asks for an admin password and then launches an installer, assuming you have Safari set to open 'safe' packages. It's another trojan, not a virus. I seriously doubt that anyone believes a Mac is unhackable (white hat conventions put that to bed years ago as OS X is typically one of the first to be hacked). This is a lot of noise about nothing and no different than someone downloading software from an unknown source and installing it, putting in the admin password when prompted, and then feeling shocked when something bad happens. The only difference here is that they see the installer/admin password prompt while browsing which would alarm most Mac users, especially with a prompt for an admin password. Turning off the 'open safe' option in Safari would disable this vector.

      This is not some clever hidden install that happens behind the scenes without some user intervention. The simple truth is that OS X, Linux, and Unix all have basic protections that Windows lacks in regards to executables, and when it comes to executables, the user is the weakest point, not the OS.

    43. Re:Masses reaction by weicco · · Score: 2

      Last time I had to clean up Windows was because my ex-wife's 13 year old cousin just needed to have smileys on Messenger. I don't know where she downloaded the package. She got smileys and a couple of other things which took me 4 hours to remove.

      So in my mind trojans aren't just noise about nothing. They may need user interaction to install or run but there's plenty of users who happily install every application they get their hands on.

      You are right. The problem is the user. But you are wrong about Windows. Vista and 7 have plenty of protection mechanisms like UAC trying to keep the system safe. Some stupid users just disable UAC and run Windows without any password because they are lazy-asses. Then they bitch about Windows when their system is running sluggishly because of all the viruses running in the background.

      --
      You don't know what you don't know.
    44. Re:Masses reaction by epyT-R · · Score: 1

      Of course, maybe Macs still have an advantage here, in that the OSX is the pinnacle of design perfection, so no user would ever *want* to download and install a purely cosmetic change.

      wow. fanboi much?

    45. Re:Masses reaction by Anonymous Coward · · Score: 0

      Sure thing, there has never been local root exploits in OSX/Linux.

      Oh wait...

    46. Re:Masses reaction by mwvdlee · · Score: 2

      So just like IOS, you won't be able to install any application that lets you create or run unpaid^wunsafe code.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    47. Re:Masses reaction by Runaway1956 · · Score: 1

      :"Social engineering" is indeed a "hack". The malware creator somehow enticed the user into desiring to install the malware, and the user let down whatever defenses prevented the malware from installing. H B Gary Federal was "hacked" through social engineering, along with other methods. Mac, Linux, and even Unix can be hacked in the very same way. Ask the user for whatever you need to bypass his defenses, and if he responds favorably, you have "hacked" him.

      Every hacking guide that I have ever seen includes social engineering as part of its tool kit.

      Every computer security guide that I have ever seen tries to make the user aware of social engineering, and tries to explain how to defend against it.

      Let me ask - do you have ANY SOFTWARE AT ALL that did not come directly from Mac? Personally, I run Linux. Almost everything on my machine came from an official repository - but I have a few things from unofficial sources. So far, the social engineering resulting in those installations has had no bad effects. If/when I see bad effects from downloading software from SourceForge and other places, then I'll re-think some of my assumptions about safe sources.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    48. Re:Masses reaction by Runaway1956 · · Score: 1

      I think that you help to make GP's point. You can't have legacy and security together. If you want good legacy support, you get crap security. If you want good security, you sacrifice the legacy. Take your choice, but you can't have both.

      I quote GP: "When people complain that Windows Vista/7 won't run this or that bit of legacy software, and that they want better security - they are trying to argue both ends of the problem. You can't have your cake and eat it."

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    49. Re:Masses reaction by Runaway1956 · · Score: 1

      "But the OS with the most security features IS windows."

      By this logic, the largest military force would also be the best military force. Maybe you've missed some of the Hollywood movies, like 300, that attempt to depict the heroic efforts of small forces handing the asses of larger forces to the larger force, on a platter.

      I don't want more security features, especially if those features cost a lot in terms of resources and performance. I want SAFETY, ie, efficient security. Besides - no security feature should count as such if it had to be implemented to address a security flaw in the operating system.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    50. Re:Masses reaction by Anonymous Coward · · Score: 0

      UAC is just an "are you really sure?" dialog. Do you really believe that approach would stop anyone who already got past the "are you sure?" dialog?

      Passwords also don't stop viruses and trojans. They may stop some kinds of worms; I recall something about the Morris internet worm using some network-available services without a password as one of its attack vectors. However, Windows generally denies remote access until a password is specified, so running without a password can actually be MORE secure (a password can be guessed; a service with no access cannot be guessed).

      What would make a difference is not giving the daughter administrative access. That way she will only be able to mess up her own account. Unfortunately, lots of programs don't work right if you don't run as administrator. So many that even Microsoft gave up, and created UAC instead.

    51. Re:Masses reaction by mugginz · · Score: 0

      Think OSX is immune? Read TFA. Think Linux can't be pwned? Look at the Android malware or the KDE screensaver malware that spread awhile back or even this handy how to guide on writing Linux malware.

      Still bringing that one up hairyfeet? Isn't it the case that the desktop launcher vector was shut down a long, long time ago? While the article you reference is dated 11-Feb-2009 and so can be excused, it's now 2011, the vector doesn't work, and so isn't relevant here. As I asked last time, time to update your bag.

      So in the end it doesn't matter what the OS, it doesn't matter what kind of permissions model you set up, if you have someone with admin rights that says "I want my emails from Melissa and you WILL let me have them!" then no matter what OS, you're screwed. An OS is only as good as the PEBKAC sitting in front of it.

      Computers are here for users, not users are here for computers. Given that, we obviously can't completely remove the PEBCAK aspect of computer security. So as you note, all OSes have the PEBCAK chink in their armor to a degree, but that doesn't mean that because end users can be foolish we should accept easily compromisable OSes.

      If an OS has a problem with drive-bys then that's bad. When I hear of OSX being hit hard by them, I'll then consider it as being closer to the Windows security threat level.

    52. Re:Masses reaction by Anonymous Coward · · Score: 2, Insightful

      Interestingly, does this count as the 44th malware threat on OS X (based on a cited post from the AV thread yesterday that said there are 43 threats over the life of OS X)

      43 confirmed viruses for OSX. Virus is only one VERY specific type of malware, and in fact viruses are seldom seen on any platform these days.

      When was the last time Apple actually claimed to be immune or secure from viruses? They don't. They make vague claims of being "more secure", and run ads which seem to imply they don't get infections although they don't actually ever say it. Instead, they just make vague comments about how "vulnerable" the "PC's" are (as if a Mac isn't a personal computer or something), and then let their hordes of rabid fanboys run around shouting about how Macs are immune to blah blah blah.

      Go ask the guys who keep hacking Macs at the annual pwn2own contest how safe those boxes are. They'll laugh at you.

    53. Re:Masses reaction by cbhacking · · Score: 1

      Also, technically Windows does have an Execute bit (lots of them, even - one for each ACL, allowing you to permit or deny on a fine-grained basis).

      Of course, Windows also has a distinct tendency to default the Execute permission to Enabled. This is a terrible idea, but 9x didn't have file permissions at all, and most people seem completely unaware that NT has them, so it would be a huge problem for Microsoft to change the default behavior.

      --
      There's no place I could be, since I've found Serenity...
    54. Re:Masses reaction by catmistake · · Score: 0, Troll

      OS X is typically one of the first to be hacked

      And this will remain true until they give away the MacBook for hacking Windows or Linux.

    55. Re:Masses reaction by catmistake · · Score: 2

      Unfortunately, lots of programs don't work right if you don't run as administrator.

      That is an interesting way to put it. But we know the real issue is that lots of Windows programmers don't code right if you don't force them to test their fucking code. I believe the entire point of Vista, besides the whole 'New Coke' money grab, was to retrain Windows developers to do things correctly.

    56. Re:Masses reaction by hairyfeet · · Score: 1

      Really? Frankly (knock on wood) I haven't had a single Win 7 machine come back in infected. Not a single one so far and I've been selling it since it came out. Now that Limewire has finally bit the dust the infection rates have been falling pretty steadily, especially once folks saw how easy it was to rip MP3s from Youtube. Now that UAC and sandboxing the browser with lower permissions have been killing drive-bys dead, my constant headaches from dealing with infected boxes have gone way down TYVM and my software still runs!

      Not saying they can't get infected, but I'm just not seeing it now that least permissions on the browser and Limewire dying have killed off the big two attack vectors. But knock on wood it looks like MSFT finally got it right WITHOUT killing backwards compatibility. In fact the only program so far I've found that simply will not run on Win 7 no matter what you do is QuickBooks 04, as the damned thing demands Flash 7, not the latest Flash mind, it will ONLY work on Flash 7, but for that customer I simply set up a dual boot until he got the latest QB and all was golden.

      Now if you'll excuse me, I'm gonna run some NOLF 2 or maybe SOF 2, both of which run great BTW on Win 7. Can YOU run all your old programs without hassle?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    57. Re:Masses reaction by jbolden · · Score: 1

      ALL OSes can be hacked, full stop.

      I'm not sure that's entirely true, at least in a meaningful sense. For example moving from a permissions system to a capabilities system and really using capabilities makes an OS vastly less hackable. Systems where the OS has multiple one way penetrable barriers like VMWare view or MVS tend to be from a practical sense much less hackable. Apple's culture of being able to dictate to their developers, and a developer expectation that OS bugs can very easily require an upgrade to applications, will allow Apple to react much more quickly to security threats.

      It's just not true they are all pretty much equal.

    58. Re:Masses reaction by jbolden · · Score: 1

      Of course it should as disabling occurs in real life. Windows NT since the 3.51 days had an excellent capabilities security model that software (including explorer / shell) didn't use. Installers didn't use. There weren't good user commands for it. And so it was effectively disabled and worthless.

    59. Re:Masses reaction by Anonymous Coward · · Score: 0

      Not only that, all those "security" measures are simple traps to make the malware writer's life a bit more "interesting". ASLR's goal is to stop malware code that has already managed to run. That's just one more layer, but not the critical one, which is preventing that code from running at all. So yes, Windows has more security "features", but no, it's not safer.

    60. Re:Masses reaction by jbolden · · Score: 2

      You can look at IBM. You can do it. The OS has to have capabilities for handling legacy applications which are unsafe, sandboxing them and virtualizing their interconnections with other applications.

    61. Re:Masses reaction by CheerfulMacFanboy · · Score: 1

      white hat conventions put that to bed years ago as OS X is typically one of the first to be hacked

      Because they require you to use zero-day exploits - IOW exploits that have never been used before even theoretically.

      --
      Fandroids hate facts.
    62. Re:Masses reaction by jimicus · · Score: 1

      Okay, so let's look at the practical differences between infecting a user account and infecting a system account.

      1. If you're running as a user, you might find it harder to start an application as part of the boot process. Not the end of the world, however, because it's easy enough to start as soon as the user logs on - and this is true on Windows, OS X and Linux.
      2. You can set up TCP/IP connections as any user. You can't listen on a privileged port, but that's hardly a showstopper.
      3. You can still steal user data regardless of whether or not your application is running as root. You can't overwrite the OS but you probably don't want to do that because it'll draw attention.
      4. You can't interfere directly with the keyboard buffer to read keystrokes as they're being typed. But you probably don't need to. Most modern operating systems have very sophisticated APIs to allow applications to communicate and little inherent security built into those APIs - for instance, under Windows it's quite easy to write an application which silently screen-scrapes another application and that process will run just fine as a normal user.
      5. If your application is running as a domain user in Windows, it's arguably a bigger security risk than if it's running as a local admin. The local admin SID will be more-or-less useless beyond the confines of the PC the application is running on. This is not so for a domain user's SID. Much the same is true for NFS in Unix - any admin with half a brain will use squash_root but that doesn't help when malware isn't running as root in the first place.

    63. Re:Masses reaction by jimicus · · Score: 2

      But in the end you really can't blame MSFT for this one, since their recommendations on writing permissions have been the same since Win2K Pro; it is just that nearly every third party vendor gave MSFT the bird and wrote everything as admin because it was the lazy way to go. But if you are dealing with a vendor who after FOUR YEARS of UAC STILL hasn't bothered to write an acceptable program with normal permissions I would seriously be pushing for another vendor. After all, if they can't even code correct permissions, what other shoddy code have they let slip by?

      As would I, but the OP you're replying to is a slightly special case because they're working in a school.

      Educational software tends to fall into one of two camps:

      1. It does a first-class job of getting the message across to the pupils. Unfortunately the person who wrote it wouldn't know a Microsoft recommendation if it bit them on the bum. It ships to the school with installation instructions saying "Visit every PC in turn, insert the CD and go Start, Run, D:\install.exe"; there isn't an MSI. Further investigation suggests that repackaging as an MSI is somewhat awkward because the installer does all sorts of different things depending on what it finds when it runs. (This was certainly the case a few years ago, I don't know if things have improved much since but I doubt it, particularly with the mention that UAC often needs disabling).

      2. It's dead easy to run it from a network location or deploy it using an MSI. Indeed, that's exactly what they recommend you do if you've got more than a couple of PCs. Unfortunately, it really doesn't do a terribly good job of getting the message across to pupils.

      Guess which sort tends to get purchased by eager teachers trying to find something to make their life a little easier?

    64. Re:Masses reaction by Anonymous Coward · · Score: 0

      Macs have a larger attack surface out of the box (Flash, Java...

      Check back next year!

    65. Re:Masses reaction by CheerfulMacFanboy · · Score: 1

      Compare and contrast this to the Windows world where the execute bit is tied to 3 letters in the file name and Windows will duly execute the file as soon as it's double-clicked.

      No it doesn't, don't spread FUD. You will always get security warnings when trying to run unsigned executables.

      Which is why you will soon ignore them and just click yes - because you can't easily get rid of those warnings for things you start often. Very clever design.

      --
      Fandroids hate facts.
    66. Re:Masses reaction by mcgrew · · Score: 1

      Is a swiss army knife one tool or several? :p

      A Swiss army knife is one tool, a box of wrenches is a toolkit. This malware toolkit could be either.

      I don't think you Mac guys need to worry too much... yet, at least. If Macs actually start getting infected, THEN worry.

    67. Re:Masses reaction by geminidomino · · Score: 1

      That's the second time in this thread that I've seen you say that.

      Unless pwn2own has never given away a mac, it makes absolutely no difference what the other computers are doing, it's proof that macs are not, in fact, as secure as those idiot commercials would have you (or at least Joe Clueless customer) believe.

    68. Re:Masses reaction by LoganDzwon · · Score: 1

      Well, considering that list counted one virus 15 times, another 6 times, a couple twice, and 11 of them were not even for OS X? I'd say this toolkit should be good for a count of 50 or so.

    69. Re:Masses reaction by Known+Nutter · · Score: 1

      Computers are here for users, not users are here for computers.

      Well, in Soviet Russia, users are.... nevermind.

      --
      Beware of the Leopard.
    70. Re:Masses reaction by 99BottlesOfBeerInMyF · · Score: 1

      The benign binary will be something like /usr/bin/python, and may be shipped with the OS itself... (how much higher a level of trust can you get for a binary?)

      Apple has already started sandboxing binaries they ship with OS X, for example the zeroconf service which is one of the few exposed default services running on OS X. At least some people at Apple seem to "get it" that just because it ships with the OS doesn't mean it should have more access or more trust than it needs. I can't imagine Apple is going to reverse their security trend and start sandboxing fewer binaries going forward.

    71. Re:Masses reaction by Coren22 · · Score: 1

      I would also add to your statement, that this used to be the case. In Win 7, and maybe Vista, there is a section of your user profile to emulate the system folders so that applications that would usually require administrator access can run as a user. The only applications I have seen that still require admin privileges are applications which auto update, and just plain software updates/installers.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    72. Re:Masses reaction by Just+Some+Guy · · Score: 1

      On the other hand, Apple tends to have more expensive hardware and has a smaller market share, so it attracts fewer malware writers.

      Frankly, that's a load of shit. First, 10% of an enormous PC market is still a pretty damn big pool to draw from, especially since a hacker would have it to himself and not have to compete with 100 botnets. Second, nothing says "come and get me" like an easily identifiable selection of people who have more available spending money. Whether you're after personal data (a Macbook owner likely has more funding than a netbook owner, on average) or bandwidth for hosting bot stuff (more money in the tech budget likely equates to more money spent on good connectivity), Mac owners present an extremely attractive target. Any advice from "experts" who don't account for socioeconomic motives should be taken with a grain of salt.

      Note: there's nothing magical about Macs in this equation, except that they cost more. You could make the exact same case about Mercedes owners, people with houses more than 3,000 square feet, or people who go to Disney World. Those subsets aren't nearly as easy to identify with nmap, though.

      --
      Dewey, what part of this looks like authorities should be involved?
    73. Re:Masses reaction by maztuhblastah · · Score: 1

      This might have been a good point in 1987, but today most serious malware spreads by exploiting bugs in legitimate software. Why rely on the user to run your evil program manually when buffer overflows and such are so abundant?

      Having an "execute bit" doesn't do anything to stop that

      Uh... actually that's kinda the point of NX. Even the best NX implementation (PaX) has its holes -- but functional NX goes a long way towards stopping buffer overflows from being a useful attack vector.

    74. Re:Masses reaction by maztuhblastah · · Score: 1

      Your quote from Mr. Miller is way out of date. Apple now doesn't include Flash or Java by default, and does implement (although weakly) ASLR.

      You're right about Flash and Java, but Apple's ASLR support is still quite weak -- plus it doesn't implement NX support for all binaries. Basically, NX and ASLR are there in name, but easy to bypass in practice.

    75. Re:Masses reaction by Anonymous Coward · · Score: 0

      This doesn't work - .dmg files can't auto-play a script. .mpkg files can *prompt* the user to run a script.

    76. Re:Masses reaction by tlhIngan · · Score: 1

      white hat conventions put that to bed years ago as OS X is typically one of the first to be hacked

      If you mean CanSecWest and Pwn2Own, it's not a valid test of OS security. For one simple reason - the machines.

      You have 3 PCs you can hack, and winner gets that machine. A MacBook Pro running OS X, some Sony laptop running Windows, and I don't know what they did for Linux.

      So you can probably break into the Sony easily enough (there's enough crapware in the default install that there's a vulnerability somewhere), but then you just get a crappy laptop.

      Or you can go for the Mac, and get some decent shiny for your efforts.

      Perhaps if they really wanted to test OS security, they'd use all MacBook Pros or something, because all Pwn2Own shows is that despite all the /. crowd pleading of "Dell/etc PCs have better specs - no one cares for shiny", it ain't true.

      The smart ones go for the Linux/Windows boxes because they know the vast majority are going for the shiny laptop, so they have a better chance of walking away with something they can sell for a few hundred bucks.

    77. Re:Masses reaction by weicco · · Score: 1

      I don't know why I'm answering an anonymous, but care to describe how real security works? I have decades of programming background, including Windows kernel driver programming, so you can be as precise as you like.

      --
      You don't know what you don't know.
    78. Re:Masses reaction by cstacy · · Score: 1

      Rich Mogull, CEO at Securosis: "And some of the pornography sites on the Internet, the dark corners of the Internet have stuff that will hurt a Mac."

      It's not my opinion. It's the expert's opinion.

      So the expert is saying that by merely visiting a web site, presumably using Safari, your Mac will be "hurt" (infected with a virus?).

      Link to sample web site showing proof of concept, please.

    79. Re:Masses reaction by insertwackynamehere · · Score: 1

      It is completely undebatable that OS X has much less "in the wild" malware. Yes, OS X isn't unhackable or whatever just because, but it lacks the market for serious malware writers. Also, it is built up from UNIX so its entire system is more secure than Windows classically was, given an intelligent user.

    80. Re:Masses reaction by dave420 · · Score: 1

      You've not used Windows in a while, or at least haven't been paying attention. Windows will mark any executable downloaded via a possibly-untrustworthy source as being untrustworthy, and upon attempted execution will ask whether you want to run it. It's not as easy as you seem to think it is. It's not 1997 any more.

    81. Re:Masses reaction by catmistake · · Score: 1

      You missed the obvious point. You are suggesting that the first to fall is the least secure, because it is the first to be hacked, but this is not even remotely true. If the pwn2own contest had some other entries... such as a fictional computer that Ferrari designed, a one of a kind, with the sweetest slickest style that made nerds' eyes pop out, encased in solid gold with diamonds encrusted, just a sick amount of ridiculous features, but was in fact the most secure computer ever conceived, you can be assured that would be the first to fall in the competition.

      The flaw in using pwn2own as a yardstick for security is simply that whichever computer is the most desired will be the first one hacked.

      If they mixed it up, call it pwn2ownTHEother, such that if you hack Windows you get the Linux machine, and if you hack Linux you get the Mac, and if you hack the Mac you get the Winbox, do you honestly believe that all the security experts would be rushing to hack the Mac first? Unlikely... in that situation, Linux would be the first hacked, and Mac the last, again, for the obvious reasons.

    82. Re:Masses reaction by catmistake · · Score: 1

      I would also add to your statement, that this used to be the case. In Win 7, and maybe Vista, there is a section of your user profile to emulate the system folders so that poorly designed applications that unnecessarily require administrator access can run as a user. The only applications I have seen that still require admin privileges are applications which auto update, and just plain software updates/installers.

      FTFY

    83. Re:Masses reaction by geminidomino · · Score: 1

      Check your usernames again. I didn't suggest anything. The post you responded to contained no such assertion, and it was my first one in the thread.

      You're the one missing the obvious point: If it CAN be pwned, it WILL be pwned, so the talk of being "secure" is marketing bullshit, just like it is with any machine.

    84. Re:Masses reaction by Anonymous Coward · · Score: 0

      OS X is typically one of the first to be hacked

      And this will remain true until they give away the MacBook for hacking Windows or Linux.

      This is the thorn in the side of pwn2own. On the one hand the contest brings together security experts and presumably helps make computers more secure. On the other hand, the way the contest is designed, the most desired prize is always the first to be pwned. Thus the contest itself has a built-in bias against the most desired piece of hardware, which will always, always be the first one hacked regardless of its resilience in security.

    85. Re:Masses reaction by catmistake · · Score: 1

      Check your usernames again...

      fair enough... I am often a little too rough with delicate flowers...

      Unless pwn2own has never given away a mac, it makes absolutely no difference what the other computers are doing

      You are incorrect. It is a contest for prizes. The prizes may be equal in price (they may all be $1800 laptops, or what have you), but they are not equal. The Mac is always the first to fall, and the obvious point is NOT "oh, Macs are just as insecure as everything else" or even more incorrectly, as others (not you, I don't mean you!) have espoused, that "Mac is the most insecure because it is the first to fall", but the truth is, because the OTHER prizes aren't as wanted they will be hacked last, if at all. Thus it makes a big difference what the other computers are, and existing is doing. If pwn2own had all Macs as prizes, one running Windows, one running Linux and one running OS X (which they could do to remove the appearance of bias), then the attack would be directed against the easiest to compromise first, because the prizes are the same. And the results would be "computers are insecure" and over years of the contest, we would actually begin to see which among the contested OSes is indeed the easiest to hack, the least secure. As it is, pwn2own will always be biased against the most desired machine, whether that happens to be a Mac, or a Dell, or whatever... that will always be the case.

      it's proof that macs are not, in fact, as secure as those idiot commercials would have you (or at least Joe Clueless customer) believe.

      What you suggest is bizarre. No one believes a commercial increases security. However, those commercials helped quadruple marketshare, which, I know this will be difficult for you to comprehend, was in fact their sole purpose.

    86. Re:Masses reaction by Anonymous Coward · · Score: 0

      And yet another moron from the Linux Zealot Crowd who bought into that myth again :') . Just tried to change the extension of a pdf file to mp3 to see what the OS would do. Guess what? The media player was trying to open it _O- lol . And the funny thing is; it "works" this way on both NT and *nix OSes. Ergo, file permissions are not tied to the extension; you have to set those yourself.

      Really, anyone who modded parent up is braindead.

    87. Re:Masses reaction by Anonymous Coward · · Score: 0

      So wait? You're saying Steve Jobs has no brain? After all, those Mac/PC commercials ran with his approval... They certainly seemed to imply that Macs can get no malware.

      The file execute bit does not apply to buffer overflows and other ways to cause arbitrary code execution.

    88. Re:Masses reaction by errandum · · Score: 1

      Hence, the targeting.

      But 10% isn't correct actually, it's more like 7%. And you forget that most of those that use Mac OS X will still have Bootcamp / a second PC just so they can open those pesky highly formatted Word documents (for example) or just play (I know I do).

      It's not bullshit. It's a fact and all 3 experts stated it. Developing and exploiting something isn't easy, and if it's still possible to target Windows users, people will go for the one with 87% market share.

    89. Re:Masses reaction by Stupendoussteve · · Score: 1

      You're also assuming the official repository was vetted, which is not always the case. If the original source that the packagers got it from has been compromised (as happened with Unreal IRCd, for example) then it is very possible for that compromised software to be packaged and released into a distribution. Most distros go so far as to verify the md5/shasums, but they're not reading every line of code to check for security issues. Some distros don't even sign their packages, like Arch, and so you must hope that the mirror wasn't compromised.

    90. Re:Masses reaction by mellon · · Score: 1

      Your machine isn't a Mac?

    91. Re:Masses reaction by twebb72 · · Score: 1

      In other words: Microsoft implements security. Apple implements security by obscurity (due to market share).
      I'd pick the security model any day.

    92. Re:Masses reaction by hairyfeet · · Score: 1

      Sorry Mr AC, but that is BS spread by Mac guys to cover up their failing. If you look at the actual rules for pwn2own, in addition to the PC they get 10 grand. If it were simply a case of owning the machine you'd be right, but the 10 grand means the easiest target will ALWAYS be the first hit so they can grab the money.

      The simple fact, whether Mac guys want to admit it or not, is that since Vista Macs are easier to hack than Windows thanks to Windows having DEP, ASLR, low rights mode on IE/Chrome, and file and registry virtualization. Mac is simply behind the curve now when it comes to security as pwn2own clearly proves. Now that malware kits for OSX are out I have a feeling you'll be seeing a lot more pwned Macs thanks to too many Mac users simply believing their machines unhackable and not taking proper precautions.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. It's about god damn time! by M4n · · Score: 0

    Mac users, welcome to the real world.

    --
    In space no-one can hear your vuvuzela.
    1. Re:It's about god damn time! by Anonymous Coward · · Score: 1

      Ah, but the 10 or so years without the stress of dangerous malware or clunky AV programs has been well worth it!

      I'm going to miss my smug superiority complex, though. Ah, well. Good times, good times...

    2. Re:It's about god damn time! by pixline · · Score: 1

      So? What's the deal? We'll take care of viruses and malware as always: with a translucent window, and no worries at all. (Man, how much I hate those Windows fanboys that insist on virus exclusiveness.... I can live without them!)

    3. Re:It's about god damn time! by bmo · · Score: 0

      So how's that Windows system goin' for ya?

      How does your schadenfreude make your own Windows system more secure?

      Oh, wait... you're out from under your bridge.

      --
      BMO

    4. Re:It's about god damn time! by Anonymous Coward · · Score: 0

      I dunno, I don't use anti virus and seem to be doing pretty well.

    5. Re:It's about god damn time! by DAldredge · · Score: 1

      My Windows systems are doing extremely well. Thanks for asking.

    6. Re:It's about god damn time! by Anonymous Coward · · Score: 0

      How does your schadenfreude make your own Windows system more secure?

      What a desperate attempt at misdirection, he never suggested anything of the sort but your blind fanboi rage clearly won't let you see that.

    7. Re:It's about god damn time! by CheerfulMacFanboy · · Score: 1

      Mac users, welcome to the real world.

      Linux users, you can keep on believing you are safe from harm.

      --
      Fandroids hate facts.
  3. Well? by fuzzyfuzzyfungus · · Score: 5, Funny

    All I want to know is whether this malware is worthy of the Apple platform or not: Does it use Grand Central Dispatch to efficiently allocate the load of multiple form-stealing processes between all my system's cores? Are the misleading dialog boxes that frighten me further into folly fully compliant with Apple's HID guidelines?

    If I'm going to get Mac malware, I damn well better have the best malware experience that the industry has to offer. Heck, I'd probably even be willing to pay $20 for something that windows users get for free and linux nerds compile from source, if the interface is good enough...

    1. Re:Well? by jo_ham · · Score: 1

      Despite the obvious satire, the answer is yes, since the system handles GCD for the software running on it :p

    2. Re:Well? by Anonymous Coward · · Score: 0

      Please mod parent UP.

      I just don't know if to Insightful, Informative or Funny. I would consider also Flamebait, but there's no +2 Flamebait option... :-)

    3. Re:Well? by Guy+Harris · · Score: 1

      Despite the obvious satire, the answer is yes, since the system handles GCD for the software running on it :p

      Well, no, actually, the system doesn't magically make all software use GCD. If it's using a framework where the run loop is inside the framework, the Snow Leopard and later version of the framework might use GCD, but if you have your own run loop....

    4. Re:Well? by jo_ham · · Score: 1

      No, this is true but it was designed to make multi-threaded apps simpler to develop. If you're writing for OS X you can assume it's there for you in SL.

    5. Re:Well? by SimonTheSoundMan · · Score: 1

      Just needs to be modded Flamebait then 6 people mod it "underrated".

      I haven't seen a "+5 Troll" or "-1 Funny" in quite a while.

    6. Re:Well? by mysidia · · Score: 0

      Sorry to disappoint, but following the Apple HID guidelines would ruin the whole beautiful malware experience.

      This is one of the few things that Windows has correct.

      If they are truthful to the Apple HID guidelines, they'll not be able to do things malware needs to do like display deceptive balloon boxes, masses of popups, and fake security center dialogs.

    7. Re:Well? by joh · · Score: 1

      All I want to know is whether this malware is worthy of the Apple platform or not: Does it use Grand Central Dispatch to efficiently allocate the load of multiple form-stealing processes between all my system's cores? Are the misleading dialog boxes that frighten me further into folly fully compliant with Apple's HID guidelines?

      Well, that "MAC defender" scamware uses Growl for its fake virus notifications and with this uses the theme you selected for notification bubbles and such. Depending on your own style it's surely stylish. And you can of course even customize the theme it uses! Try that with Windows.

    8. Re:Well? by Samantha+Wright · · Score: 1

      Why, with restrictions like that, they might even have a chance of actually fooling an experienced user!

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    9. Re:Well? by shmlco · · Score: 1

      "If it's using a framework where the run loop is inside the framework, the Snow Leopard and later version of the framework might use GCD, but if you have your own run loop...."

      GCD requires the application developer to explicitly call dispatch_async and pass in the task blocks to be executed.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    10. Re:Well? by Guy+Harris · · Score: 1

      "If it's using a framework where the run loop is inside the framework, the Snow Leopard and later version of the framework might use GCD, but if you have your own run loop...."

      GCD requires the application developer to explicitly call dispatch_async and pass in the task blocks to be executed.

      O RLY?

    11. Re:Well? by ais523 · · Score: 1

      That doesn't work any more (although it did indeed work in the past). The adjective gets removed if it contradicts the number. (If people mod +1 no adjective to 0 Flamebait, then an underrated mod takes it to +1 Flamebait, but a second underrated mod to +2 no adjective. I think it's possible to get +2 Flamebait using karma-bonus modifiers, but no higher than that.) So, it's not surprising that you haven't seen it happen recently.

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
  4. My bad. by Anonymous Coward · · Score: 0

    This is my fault. I bought my first Mac on Saturday.

    1. Re:My bad. by SimonTheSoundMan · · Score: 1

      You should have got it on Friday. Everyone is getting down on Friday! Saturday is for partyin' partyin' yeah! Sunday comes afterwards.

      o_O

    2. Re:My bad. by Anonymous Coward · · Score: 0

      I squint at you. I squint long and hard.

      Now, I want you to go sit over there and think about what it is you've done and don't come back over here until you promise to never do it again.

  5. 99c? by oldmac31310 · · Score: 2

    Is it available at the app store?

    --
    http://www.acetonestudio.com
    1. Re:99c? by danbuter · · Score: 1

      If it was, I'm sure a few morons would download it.

  6. Re:best malware experience by TaoPhoenix · · Score: 1

    Mods, parent is brilliant satire!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  7. requires admin privileges? by Anonymous Coward · · Score: 1

    "If the user continues through the installation process, and enters an administrator’s password, the software will be installed."

    I suspect that will be the case with most (if not all) of the malware crafted from this kit. Rouse me from my smug slumber when my compartmentalized privileges no longer protect me from these so-called threats.

    1. Re:requires admin privileges? by Anonymous Coward · · Score: 0

      How about your grandma rouses you from your smug slumber when she "accidentally" installs the program on her own because the box just popped up and she figured it was something she asked for...

      Or when she calls you to help her install this program that she's trying to download (just be sure to ask her why she's downloading it and what it is and how it happened so you don't "accidentally" install it for her without even knowing!)

  8. Can someone tell me how "form stealing" works? by rsborg · · Score: 1

    I googled the phrase and I got a lot of non-meaningful results (and links to TFA). Is this some basic keylogger-type thing?

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:Can someone tell me how "form stealing" works? by Anonymous Coward · · Score: 0

      You enter data in a form in Firefox (say, credit card info, a login to a site, registration to somewhere), hit submit, and the malware intercepts that and sends it off to your attacker. You go on your way thinking your https session protected you when your attacker now has all the info you entered and on which site.

    2. Re:Can someone tell me how "form stealing" works? by Lord_Jeremy · · Score: 4, Interesting

      Assuming that this software is actually intended to be running on the "compromised" system (which I find no indication of in either TFA, the article it links to, or Google results), then what it does is exploit Firefox to "hijack" cgi webscripts on websites and use them to send spam email. Pretty much it would send data through a web request to a page that's intended to send email (like forum registration perhaps) that would essentially make the email handler crash or open a backdoor and then inject spam email into the form that would get sent by the website's server. It's a clever way of getting around spam filters blocking known spam email carriers - if your spam is being sent from multitudes of legitimate websites that just have poor software security it's much harder to identify and block.

      My big question is how this is supposed to get on the target system. To date, the only Mac OS X malware discovered in the wild has been virtually harmless, since it all comes in the form of a trojan. Some not very nice person disguises their malware in a piece of pirated software and uploads it to torrent sites or whatnot. Some people download it and get infected because they don't realize the danger of such an occurrence. From what I've read, the security firms typically classify these trojans as extremely low-risk, with something like fewer than 50 confirmed infections. The point is, there are as yet no "drive by" or otherwise spontaneous infections you can get on a Mac. Any bad things that could happen rely on some form of social engineering or deception. The way OSes work, if you can convince an Administrator (of any system) to run something then you generally can do whatever you want. The Mac OS X security model is in many ways stronger than the Windows security model, but it's certainly not infallible. Macs are immune to the type of autorun viruses that are spread by removable media because they don't support automatic execution of programs on removable media (I can't for the life of me understand why the hell anyone would want autorun enabled on their system). On the other hand, the default OS X user/first one created is an Administrator. They aren't a superuser but things like global-scope installers have the permission to use the equivalent of 'sudo' if an Administrator enters their password. It's like UAC on Vista/7 - a large majority of people don't think twice about clicking "Yes" to whatever comes up on their screen (the other day my fiancée unwittingly installed a browser toolbar and changed her home page on her PC because she didn't uncheck a few boxes in the installer for some freeware). I'd like to think that by being asked to enter a password a user is more likely to consider what they're authorizing but in most cases, the user is the weakest link.

    3. Re:Can someone tell me how "form stealing" works? by smartr · · Score: 1

      It sounds more like a CSRF, a sort of link-jack you might say. I believe the damage would be contained to the browser. http://en.wikipedia.org/wiki/Cross-site_request_forgery I suppose the whole grab part means there's an additional ability to scrub whatever the user is doing for other sites.

    4. Re:Can someone tell me how "form stealing" works? by Lord_Jeremy · · Score: 1

      Form hijacking
      That's a concise description of form hijacking. To be clear, emails contain a very large header that specifies all sorts of things. Complimentary humorous reference.

      For what it's worth, the other person who responded to your post and spoke about credit card info and https is incorrect. The reason this kit is considered similar to the Zeus model is that Zeus is designed to turn machines into an email spam-generating botnet. Other malware that hooks into a web browser could potentially intercept HTTPS communication, but that's not what they are doing according to TFA. That would require a different type of exploit.

    5. Re:Can someone tell me how "form stealing" works? by theArtificial · · Score: 1

      The point is, there are as yet no "drive by" or otherwise spontaneous infections you can get on a Mac. Any bad things that could happen rely on some form of social engineering or deception.

      The results of the pwn2own 2011 may surprise you.

      Some not very nice person disguises their malware in a piece of pirated software and upload it to torrent sites or whatnot. Some people download it and get infected because they don't realize the danger of such an occurrence

      Changing the icon so people will (and did) click to run it. No torrent site or offer of pirate software required. Sample Mac Virus

      The Mac OS X security model is in many ways stronger than the Windows security model, but it's certainly not infallible.

      If it's so superior why does Mac require a single "hack" to bypass vs chaining three "hacks" to compromise Windows security (pwn2own 2011)? Exhibit A

      I'd like to think that by being asked to enter a password a user is more likely to consider what they're authorizing but in most cases, the user is the weakest link.

      I completely agree.

      --
      One gets tired of walking around doing nothing.
  9. Security through Obscurity = FAIL by Slotty · · Score: 1, Funny

    Now we will see if Mac users are just as stupid as Windows users

    1. Re:Security through Obscurity = FAIL by Gohtar · · Score: 2, Insightful

      I submit they are more so, since they have a falsely inflated sense of security.

    2. Re:Security through Obscurity = FAIL by jo_ham · · Score: 4, Insightful

      Well, the answer will be "yes" - if you are stupid (which is harsh - let's say uninformed) enough to be fooled by the sorts of things that malware gets up to (like "click here for a free system check!" or "check it out, so sexy!!! - natalie-portmans-hot-grits.jpg.exe") then the penetration rate per-platform is going to be broadly similar. You're going to have a portion of your userbase who are susceptible to this, along with another portion who set blanket passwords for all of their activities and set it to "password1".

      Windows has the problem that not only does it have to contend with this user problem (which is common to both platforms [win and OS X], and less common on Linux/non-Mac-BSD), but it has also faced the "swiss cheese operating system" problem that they have been trying to fix since malware first came about. OS X at least has the benefit of starting from a better platform (BSD core) than Windows' legacy issues. That's not to say it's immune to threats - the fact that there are security updates for OS X disproves that.

      I'm surprised that there hasn't been a more high profile virus or malware outbreak on OS X before now, since even with the smaller marketshare (1 in 5 new computers sold in the US is a Mac, but total install base is still nearer 10%), the "kudos" for "sticking their nose in it" is high.

    3. Re:Security through Obscurity = FAIL by melikamp · · Score: 1

      "check it out, so sexy!!! - natalie-portmans-hot-grits.jpg.exe"

      So you are saying, the risk of being penetrated by a trojan is positively correlated with the desire to penetrate Natalie Portman? Only too true. An unfortunate corollary is that the malware can never be defeated by technological means alone.

    4. Re:Security through Obscurity = FAIL by ToasterMonkey · · Score: 1

      I submit they are more so, since they have a falsely inflated sense of security.

      I submit that Mac users are safer with their feelings of security because they will avoid scareware, a huge threat to platforms perceived to be less secure.

      So, scareware out of the Mac side of the equation, and all else being equal, who is safer randomly downloading crap off the Internet?

      I know, I know!!1

    5. Re:Security through Obscurity = FAIL by dkf · · Score: 1

      I'm surprised that there hasn't been a more high profile virus or malware outbreak on OS X before now

      The answer has got to be that it (and its users) have better overall security practices than is the norm on Windows. It's not just a matter of getting APIs right and strong, but also of ensuring that users are supported by the system in making normal activity secure. There's also a possibility that the users are more savvy by default due to selection effects: Mac users are more likely to be better off because they usually pay for their own machines, and general intelligence is one of the things that tends to lead to earning more. Both are probabilistic effects. (I'd expect non-OSX unix users to be even more naturally resistant to malware tricks, independent of whether the system they're using is better or not.)

      I suspect that the other key is that most Macs don't have many services running that listen to outside connections, and that the parts that are security-exposed are correct. That's vital, as it ensures that attacks can't auto-propagate. (Linux systems are also good that way, but are also more likely to be running externally accessible services, which inevitably increases the potential attack surface. Them's the breaks.)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  10. Regarding MACDefender by Anonymous Coward · · Score: 2, Insightful

    MACDefender requires that you agree to install it. It's not able to infect your Mac without your knowledge and consent.
    AND : Just drop it in the trash bin to get rid of it. Hassle free. Click and drag. That's it.

    BTW : The Kit has not yet proven its functionality and works (if it does) currently only with Firefox.

    Still too early for iHate, schadenfreude or panic.
    There is still no single widespread, dangerous and working malware for OS X out there. Period.

    1. Re:Regarding MACDefender by maxwell+demon · · Score: 1

      MACDefender requires that you agree to install it. It's not able to infect your Mac without your knowledge and consent.

      That's a common characteristic of scareware. It is in no way specific to the Mac.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Regarding MACDefender by Crash+Culligan · · Score: 1

      MACDefender requires that you agree to install it. It's not able to infect your Mac without your knowledge and consent.
      AND : Just drop it in the trash bin to get rid of it. Hassle free. Click and drag. That's it.

      I know of no malware that (a) would give up so easily or (b) would not take the opportunity once it got the first privileges to run with them as far as they could.

      Drag it to the trash? If it doesn't rewrite .bashrc to start a process to make sure it's installed and running when the system starts up, then it's not a proper malware. If anything, it should throw up more alerts when it detects a disruption and claim that something the user did has caused a configuration error—contact the mothership with credit card in hand to download the full version that will actually protect (snicker!) you.

      The problem is the same with any other malware: once it gets its hooks into the system and a whiff of legitimacy, it should be all over the place.

      Fortunately, it doesn't have to crack MacOS's security when the user either forgets to lock it down in the first place or opens the mac up specifically to let the malware in.

      And the vector is the same: why crack the operating system when the user is so much more accommodating?

      --
      You cannot truly appreciate Dilbert until you read it in the original Klingon.
    3. Re:Regarding MACDefender by exomondo · · Score: 1

      MACDefender requires that you agree to install it. It's not able to infect your Mac without your knowledge and consent.

      That's the case with software on all platforms.

    4. Re:Regarding MACDefender by RyuuzakiTetsuya · · Score: 1

      Compare that to Antivirus 2011/2010/2009/Pro/etc., where it installs via a drive-by download.

      Yeah.

      Consider the infection vectors, then call me.

      --
      Non impediti ratione cogitationus.
    5. Re:Regarding MACDefender by Anonymous Coward · · Score: 1

      You really need to stop disabling UAC.

    6. Re:Regarding MACDefender by dzfoo · · Score: 1

      Wait a minute. It is well understood that the biggest threat on the Windows platform comes from fly-by automagic installation of viruses and worms, or from trojans that then infect the rest of the system in order to continue propagating or give root access to remote attackers.

      It is also understood that amidst all these critical threats there is a huge number of other annoyances of much less immediate danger, that require user intervention to act on their payload or do anything "useful" at all.

      So far, the OS X platform has attracted a variety of this second class of threats, of which "MAC Defender" is another one. This does not put the platform in the same threat scenario as the latter, more critical threats.

                  -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
  11. Congrats Apple by nurb432 · · Score: 0

    You have enough market share to be noticed. Sux to be us Mac users tho.

    --
    ---- Booth was a patriot ----
  12. There is no replacement for education by Anonymous Coward · · Score: 0

    A user that is willing to run any arbitrary executable (particularly as root/administrator) can infect ANY OS, whether Windows, Linux, or OSX.

    The only way to solve this problem is by people having a clue and not acting like dumfucks all the time. Think before running random untrustworthy shit. The vast majority of jacked systems get so because users *allow* the malware to run, not because of some external exploit. Those happen, but not nearly as often.

    1. Re:There is no replacement for education by tepples · · Score: 1

      Think before running random untrustworthy shit.

      Then how do you recommend that a developer of "random shit" make it trustworthy?

    2. Re:There is no replacement for education by maxwell+demon · · Score: 1

      Think before running random untrustworthy shit.

      Then how do you recommend that a developer of "random shit" make it trustworthy?

      Provide the source. Then anyone can check for himself (or, if he lacks the necessary knowledge, let a person he trusts do it).

      --
      The Tao of math: The numbers you can count are not the real numbers.
  13. DOS by tepples · · Score: 1

    Rouse me from my smug slumber when my compartmentalized privileges no longer protect me from these so-called threats.

    Trojans don't need administrative privileges to DOS your Internet connection.

  14. Where others have failed, Apple will win by sqrt(2) · · Score: 2

    The reason Apple will be able to win here where Windows hasn't been able to is because of the App Store for the Mac. Users who are not sufficiently savvy to vet software themselves can rely solely on the App Store to do that, and since only software that is verified by Apple can get on there, we are unlikely to see any malware sneak into the App Store or stay there for long. And if it does, Apple has the author's identity (CC info, etc), which although able to be faked could still serve as a starting point for a criminal investigation by the police. People who know enough to keep safe can still install software from other places, but for most people the App Store, privilege system based on the Unix model, and a more secure starting codebase is going to protect them.

    --
    If you build it, nerds will come. Soylentnews.org
    1. Re:Where others have failed, Apple will win by Skuld-Chan · · Score: 1, Insightful

      You're assuming they get this malware from installing an app - more likely they get this while browsing the net.

      Anyone who's too stupid to know how apps work or are installed won't know not to click on a dialogue that pops up while doing something: "you need to update your mac - click here!".

    2. Re:Where others have failed, Apple will win by Anonymous Coward · · Score: 0

      You may want to actually read the article BEFORE you type...not after. Just sayin...

    3. Re:Where others have failed, Apple will win by Anonymous Coward · · Score: 0

      The App Store is nothing new. Linux has had repos for more than a decade now. Apple just branded it and told everyone they invented it, just like they did with "Spaces".

    4. Re:Where others have failed, Apple will win by sqrt(2) · · Score: 1

      You're absolutely right, but Apple has managed to make it easy to use, popular, and most importantly, profitable. Linux has only recently been able to achieve one of those; Ubuntu's package manager is very easy to use now but wasn't always, and that's only one distro out of many.

      The success and popularity IS something new, and Apple can leverage that walled garden into a user experience no one else is going to be able to offer.

      --
      If you build it, nerds will come. Soylentnews.org
    5. Re:Where others have failed, Apple will win by jbolden · · Score: 1

      And how do you trigger that by default on a mac? The default on a mac is download but not to run. If it runs it hits permission issues....

    6. Re:Where others have failed, Apple will win by 99BottlesOfBeerInMyF · · Score: 1

      And if it does, Apple has the author's identity (CC info, etc), which although able to be faked could still serve as a starting point for a criminal investigation by the police.

      I would elaborate on this point a bit. They will have a valid credit card to charge the membership. If this is a stolen card, when the owner notices the theft and/or incorrect charges, Apple can pull the offending apps from the store and revoke their encryption keys as well as begin an investigation into the risk posed to users who had the app. If the app is one that is paid for or makes money from ads, Apple has the actual account info and identifying the criminal is easy for police. Both cases provide real benefit to end users being targeted, although there is more that can be done yet.

    7. Re:Where others have failed, Apple will win by twebb72 · · Score: 1

      Honestly, how in the world did you get modded up? Malware coming from the app store is about as common as it coming from best buy. It doesn't happen (but boy, when it does, it makes BIG news -- I'm thinking of flash drives and photo kiosks).
      Modern malware comes from application exploits, not the application itself.

  15. MAC ! Mac ? by dr_turgeon · · Score: 1

    Dead giveaway. Fools, the MALware has the capping wrong. FAIL!

    --
    "...objectivity resides in recognizing your preferences, subjecting them to especially harsh scrutiny." -Gould
  16. Idiotware? by Hamsterdan · · Score: 1, Interesting

    Since you have to enter the admin password for it to install, what's different from NT, *NIX and other OSes?

    *ANY* OS can and will be compromised if the user sitting at the keyboard grants root access...

    We're not talking about malware hidden inside freepr0n.wmv that will install via Windows Media Player or via an ActiveX control, or by itself on a pre-SP2 WinXP...

    --
    I've got better things to do tonight than die.
    1. Re:Idiotware? by Haedrian · · Score: 1

      Ah, but we all know macs don't get viruses. So what's the problem with letting this totally legit-looking program install?

      http://www.youtube.com/watch?v=M3Z386vXrt4 See? Macs don't get viruses. Only silly PCs do.

    2. Re:Idiotware? by F.Ultra · · Score: 1

      Well AFAIK this is an SDK and not the malware itself that you install; with it you create malware, and it probably doesn't require the user to enter the password.

    3. Re:Idiotware? by joh · · Score: 4, Interesting

      The difference is that only very few Mac apps require an admin password since most are just bundles you throw into your Applications folder (or where you want them to be) without actually "installing" (= spraying files and data all over the system) anything.

      Maybe not a really huge difference, but most people are not really used to that and any app running an actual installer is eyed with suspicion.

      It would help a lot if apps like Adobe Reader wouldn't needlessly come with such an installer. But then it's very nearly malware anyway.

    4. Re:Idiotware? by jesser · · Score: 1

      On the other hand, fake-scan scams rely on Windows users' fear of Windows viruses in order to trick users into installing malware. I guess evil psychology tricks hurt users of both platforms.

      --
      The shareholder is always right.
  17. Terms of Art by PopeRatzo · · Score: 2

    God, I love jargon.

    "Crimeware", "scareware"... I heard there's a group of Buddhist cybercriminals who have created something called "Beware". When it infects your system it gives all your worldly possessions to them.

    If you happen to encounter this type of malware while using your computer, kill it.

    --
    You are welcome on my lawn.
  18. Re:actual Mac users by TaoPhoenix · · Score: 2

    Actually I was playing off quotes about 2-3 stories ago "Mac doesn't need anti-virus" where Slashdot users were promoting that very idea.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  19. How do you execute the script? by SuperKendall · · Score: 1, Funny

    Or you can just distribute through a .dmg with script that executes as soon as the user mounts the .dmg file

    You can? I don't think DMGs have anything like Windows Autoplay, there's no ability to automatically run a script.

    Safari will automatically play some kinds of files or mount DMGs, but only if you have the option for that checked (though it is the default).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:How do you execute the script? by fbartho · · Score: 1

      Mounting the DMG only opens the Disk Image, I guess in theory a DVD player app could automatically play the file inside the DMG when it appears in the finder, but you already need a pre-installed vector before you can have anything auto-run. Your attack surface also includes the Disk Image mounting software, but the spec for that could be verifiable so that nothing is executed, data is just presented at mount-time.

      --
      Gravity Sucks
    2. Re:How do you execute the script? by mysidia · · Score: 1, Insightful

      You can? I don't think DMGs have anything like Windows Autoplay, there's no ability to automatically run a script.

      The DMG flag is called internet-enable.

      When the file is mounted MacOS will automatically copy the files to the desktop, and execute the installer inside the DMG.

  20. But does it F'ing work?!!?? by david.emery · · Score: 1

    What I have not seen is a validation that the offered kit actually -works on a Mac- (or Linux) running Firefox. It's been asserted by the malware's marketing literature this works, but the Danish company does not state they've validated that claim.

    Not only do we have no verification this works on Mac OS X/Firefox, but the "sales literature" also claims Safari and Chrome "real soon now". I'd be so shocked to see a vendor's marketing literature end up being wrong....

    Or could this be someone trying to scam the scammers?

  21. Safe practices say, run an antivirus by williamyf · · Score: 1

    No matter if your OS is Windows 5.x, 6.x, Mac OS X 10.x or GNU/Linux Kernel 2.4.x or 2.6.x. If your machine is a desktop run an antivirus.

    You owe it to the rest of the world to exterminate viruses, both the many (or few) that your machine is susceptible to, as well as those that, even though they will not infect your machine, will be passed on to someone else...

    . ;-) ...because YOU, savvy and enlightened slashdot user, did not catch and exterminate it. Do it for the unwashed masses, that are clogging the pipes with port scans and attempts to infect, do it to have a tad fewer cheap viagra/penis enlargement offers in your spam folder, do it for the children!!!! :-)

    If you "feel confident" (note the quotes) that your OS is "safe", that you use "safe practices", and the AV is a "Waste of resources", then fine, get an AV with a small footprint, both in system resources, and in $£¥€.

    I am writing this from Firefox 4.1 in a Mac with 10.6.7, and I am not scared at all about these developments, but, as safe practice, run ClamAV. I scan my machine every day, and scan removable media every time it is inserted. ;-)
    So, please my Linux and Mac OS X brothers and sisters, stop being a bunch of snobs, get on with the program, and run an antivirus. :-)

    --
    *** Suerte a todos y Feliz dia!
    1. Re:Safe practices say, run an antivirus by Anonymous Coward · · Score: 0

      I like Clam VAG. Clam AV, not so much. Slow and too many false positives.

    2. Re:Safe practices say, run an antivirus by RyuuzakiTetsuya · · Score: 1

      My Amiga OS4 machine and Haiku installs are probably reasonably safe.

      --
      Non impediti ratione cogitationus.
    3. Re:Safe practices say, run an antivirus by Anonymous Coward · · Score: 0

      You do know that the anti virus packages for Linux are supposed to run on your file- or mail server, and scan the files (mails) for Windows-viruses, so that your Windows machines don't get infected?

      My Linux machine is a desktop system. It doesn't have any file shares, and doesn't run any mail server. What would an antivirus package even do there?

      On the other hand, I'm one of the people who believe that not installing random software is better than installing random software, EVEN ON WINDOWS. Which is why I don't download a random antivirus program on Windows. I've had McAfee on a work PC at a previous job, and that's the worst malware infection I've ever had.

  22. Re:actual Mac users by jo_ham · · Score: 0

    So was I - and the story was "Does Mac/Linux Need AV" not "It doesn't" - it was a discussion. It seemed the dissenting opinions were mainly the ones saying "virus protection lies with each OS individually, so why have it on Mac/Linux just to catch Windows threats".

    My opinion is "no one is safe", plan accordingly.

  23. CSI:S by Anonymous Coward · · Score: 0

    really? now if they were located in sweden or called themselves CSID...

  24. In fact more Windows malware is doing this by Sycraft-fu · · Score: 1

    We've come across more than a few malware apps these days that don't bother to try and install into the system, they just install for the user. They assume correctly that most systems are single user so owning a user account is as good as owning the system.

    We discovered it when someone got nailed with something Malwarebytes cleans up nicely. We ran it and it came up with a big negative, however when the user logged back in, there it was. Turns out that Malwarebytes (at the time) didn't scan all users, just the current one and the system, so when we were logged in with our user, it didn't show.

    Too many geeks forget that for regular users, they run in a single user system and their data IS the computer. They don't care about downtime, they don't care about apps. They care about their data. Well, by definition, all that is owned by them so no security escalation is going to do shit.

    Also, as a practical matter, people will give shit the admin/root password when asked. They don't bother to think why, they just view it as a hoop to jump through.

  25. Re:actual Mac users by DJRumpy · · Score: 2

    This isn't a virus. It's a trojan, and it can't do anything unless you put in your admin password, and then allow the installer to actually install. Not exactly low profile. I agree with the parent. Mac users will probably just ignore it.

  26. How does it run the installer? by SuperKendall · · Score: 0

    When the file is mounted MacOS will automatically copy the files to the desktop, and execute the installer inside the DMG.

    I know about the internet-enable flag, but all that does is cause the DMG to mount on download and present a Finder window. Being a flag, it has no way to specify what to run - the command to enable this is: /usr/bin/hdiutil internet-enable -yes

    All it does is unpack it for you. If it could run an executable, how would you specify what to run?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:How does it run the installer? by mysidia · · Score: 0

      You just include the mpkg file in the DMG, and it should find and run the installer automatically.

    2. Re:How does it run the installer? by Rosyna · · Score: 1

      You just include the mpkg file in the DMG, and it should find and run the installer automatically.

      It may open the installer application (which is an Apple shipped and signed application) which might open the package to be installed, in some specific cases. It does NOT run any executable code in the package whatsoever without user interaction.

    3. Re:How does it run the installer? by he-sk · · Score: 1

      The installer for pkg-files does not run any code without user interaction.

      --
      Free Manning, jail Obama.
  27. Mac security advice by Cato · · Score: 1

    You make a valid point, but Safari seems to auto-open certain "safe" files in the case of this crimeware kit: http://www.securitynewsdaily.com/new-malware-goes-after-mac-users-0747/

    However, a huge amount of malware doesn't propagate by someone running an executable - these days it frequently uses exploits in browsers, Flash, PDF readers, etc. Simply visiting an infected website or opening a malicious PDF is enough to execute the malware on your machine. Exploit kits make it easy to set up a website that will try many exploits against the visitor, based on the browser and plugins they are using.

    This infection model affects Mac, Windows, Linux, etc. While there are security architecture differences between OSs, the main reason Macs haven't yet got a big malware problem is that they haven't been targeted that much.

    From something I wrote earlier - short version is that using Firefox/Chrome and a commercial antivirus on Macs is a good idea:

    Here's a survey of security experts, giving a fairly balanced view: http://news.cnet.com/8301-27080_3-10444561-245.html - they believe that the Mac is less attacked but less secure than Windows and that Safari is not very secure. Using Firefox or Chrome is probably a better bet on Mac. Chrome - http://blogs.techrepublic.com.com/mac/?p=667 - probably more secure than Safari, and it now does have Adblocking, Flash blocking and NotScripts (like NoScript but a bit painful to install.)

    See http://www.readwriteweb.com/archives/apple_quietly_updates_mac_anti-malware_feature.php for some comments - the OS X actually has malware detection built in, showing that Apple thinks there is something to protect against. Mostly Trojans at present. Here's a list of OS X malware: http://www.iantivirus.com/threats/

    ClamXav may be OK, but Clamav, the underlying tool, is generally nowhere near as good as a commercial antivirus based on tests - see http://en.wikipedia.org/wiki/Clam_AntiVirus#Effectiveness for a summary.

    On Windows I generally recommend Kaspersky, who have good heuristic / proactive detection of zero days (the average signature AV only detects about 40-60% of in-the-wild threats). They do have a Mac version: http://www.kaspersky.co.uk/kav-mac-latest-versions

    Mac reviews mention Intego as good: http://theappleblog.com/2010/02/04/antivirus-software-on-your-mac-yes-or-no/ and http://www.macworld.com/article/51438/2006/06/antivirussw.html (old review but includes ClamXav). Sophos is a reputable tool on Windows, which has a free Mac version: http://nakedsecurity.sophos.com/2010/11/02/anti-virus-mac-free/

    Due to the blended threats that attack first a PC and then your website, and increasing popularity of Macs particularly for web design, it's only a matter of time before a blended threat attacks Mac+websites.

  28. Re:actual Mac users by mwvdlee · · Score: 2

    Seeing as how this type of malware seems to account for some 99% of all infections in the PC world, I'm anxious to see how well it'll work for all those "I bought a mac because it looked so shiny" people.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  29. Re:actual Mac users by jbolden · · Score: 0

    For all the comments of this sort most analysis show that Mac users are on average substantially more computer knowledgeable than most PC users. Neither population is great by /. standards, but your "Macs are shiny" crowd is a myth.

  30. Re:actual Mac users by Anonymous Coward · · Score: 0

    Repeat after me: "a malware is not a virus".

  31. Re:actual Mac users by Bender+Unit+22 · · Score: 1

    Well, if people are installing warez or free programs without some background check, they are asking for it.

  32. Market share by benwiggy · · Score: 1

    For years, everyone has been saying that only the small market share of OS X stops criminals from targeting it.

    This must mean that OS X has now reached a significant milestone in market share! Hurrah!

  33. Re:actual Mac users by Anonymous Coward · · Score: 0

    but your "Macs are shiny" crowd is a myth.

    Then I have met mythical creatures. Cool. Chupacabra next?

  34. Re:actual Mac users by tehcyder · · Score: 1

    This isn't a virus. It's a trojan, and it can't do anything unless you put in your admin password, and then allow the installer to actually install. Not exactly low profile. I agree with the parent. Mac users will probably just ignore it.

    Because obviously it will warn the user "I am a trojan" first.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  35. Re:actual Mac users by geminidomino · · Score: 1

    Shit. I should have asked for three wishes for spending those four hours trying to explain the difference between a "Pages" file and a "Word" document, instead of just a goddamn sixpack...

  36. HA HA by Anonymous Coward · · Score: 0

    HA HA

  37. Good news everybody! by Bill_the_Engineer · · Score: 1

    OS X now has enough market share to attract the attention of Malware!

    Seriously, all OSes have malware. It's just a matter of someone creating a toolkit.

    I'm amazed that people know about the dangers of accepting food or drink from strangers at a bar (or party) or having unprotected sex with strangers, but they will download a strange program from the internet without hesitation. It doesn't matter what OS you use, the computer can't do all the thinking for you.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  38. iPhone exploits by DrYak · · Score: 2

    Yeah, right. Because, thanks to the restrictions inside iOS, no exploit has ever been made against iPhones. No one has ever successfully jail-broken them~~
    Neither for the PlayStation 3: as soon as Sony blocked the OtherOS, absolutely nobody found an alternative way to get homebrew on the PS3~~

    DRM gives you only the illusion of security.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:iPhone exploits by dannys42 · · Score: 1

      Is that really true? I haven't done any jailbreaking, but I assumed it required a bit of work on an iPhone. I mean you can't just visit a website or run an app from the app store that would break it, can you?

      Even as a developer, could I create and deploy a program that would jailbreak my own phone?

      I'm asking as I really don't know.

      And if it does require doing something outside the ordinary (eg. running a special program on your desktop while syncing, or deploying a new firmware)... then to me DRM is still sufficient to prevent exploits, as there's still effectively no way a rogue app will be able to do much harm.

    2. Re:iPhone exploits by melikamp · · Score: 1

      Dude, seriously.

    3. Re:iPhone exploits by dannys42 · · Score: 1

      Yes, but from what I can tell jailbreaking requires you to install new firmware on the phone. This isn't something any app on the phone can do. And there's no way developer deployed software can do this either. Please correct me if I'm wrong.

      So I don't think your argument against DRM holds. DRM on a non-jailbroken phone seems to do a reasonably good job (especially compared to alternatives) for preventing viruses.. and Apple's store model in combination with DRM does well at preventing trojans (largely because authors cannot be anonymous). However you are right that if a hole was discovered in an API that allows an application to change the firmware, then you may have an issue. But I don't think it's quite as useless as you seem to imply.

    4. Re:iPhone exploits by WorBlux · · Score: 1

      A lot of the early jailbreaks were just 1.visit this site, 2.install your own rootkit (cydia, or whatever) and 3. Profit?

  39. Re:actual Mac users by Coren22 · · Score: 1

    Bullshit. There are just as many "Macs are shiny" by percent as there are idiots on Windows. I deal with them every day. Many of the people I work with who work on make believe the line from Apple that Macs don't have viruses, even when I point out to them that there are quite a few Trojans (43 as someone said earlier in this thread). People believe that because they use Mac, they are inherently safe, and this is quite false.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  40. Re:actual Mac users by Coren22 · · Score: 2

    or free programs without some background check

    Damn, I better uninstall Linux then, I don't know where its been...

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  41. Re:actual Mac users by 99BottlesOfBeerInMyF · · Score: 1

    Seeing as how this type of malware [trojans] seems to account for some 99% of all infections in the PC world

    [Citation needed.]

    Noting that as of a few years ago, research showed the opposite of your claim.

  42. Re:actual Mac users by jbolden · · Score: 1

    They are quite safe in practice. I've been on a Mac for a decade and haven't had to do much about viruses or trojans. While on PCs I have workplace problems rather regularly, say once every 18 mo or so. It just doesn't come up on the Mac. They exist but in the same sense Ebola exists as a theoretical not a practical risk. Because:

    a) There are far far fewer of them
    b) Their cross infection rates are much lower
    c) Once they hit they do less damage

    That triad makes a difference.

    But even if it were the case that Macs don't have virus people were entirely wrong that wouldn't prove they were close to as ignorant as Windows users across the board. (b) is primarily true because Mac users do a better job of avoiding nasty malware.

  43. DRM vs Legit vs Exploit by DrYak · · Score: 1

    DRM will only block legit applications on the AppStore from doing unapproved things. That would theoretically protect from malicious applications on the AppStore (just like the dialers on Android's app Market got slashed), and is in practice abused to restrict adult content and block competing applications.

    In practice, there are *bound* to be a lot of holes that could be exploited to load unapproved code.
    If people interested in jail-breaking the phone could find some, virus writers could too.

    Just look how Adobe's PDF and Flash plugins can be exploited by specially crafted files. The user isn't required to use any complicated software. The user just browses to some website, gets a PDF or SWF file and Bam! the machine is pwnd. Given all the problems with infected flash appearing in ads, the users aren't even in security, even if they only browse known sites.

    Exactly the same could happen with viruses running on DRMed machines.
    And modern machines are even more interesting:
    - Most modern DRMed platforms (iPhones, consoles, etc.) are networked,
    - They are used to perform financial transactions (all consoles and most phones can be used to buy applications, all phones can call premium numbers).
    - They are used to browse the internet (especially phones) and thus could rather easily be exposed to on-line viral code.
    So you can bet that lots of efforts will be done by criminals.

    Now, you know what ?
    This will be the perfect excuse for OS developers, smartphone constructors and/or service providers to try to bring back the walled garden internet concept. The kind where everything has to go through their proxy, which is supposed to clean up whatever reaches the phones.
    Theoretically, this could be used to remove malicious files.
    In practice it will be abused in every possible way:
    - censoring content deemed inappropriate (Apple seems to love Disneyfying the user environment)
    - blocking competing services (Microsoft and Apple would love to see Google services blocked, Apple would love to see non-AppStore games blocked)
    - replacing ads with ads bringing money to the service-provider.
    - blocking web-based interfaces to low-cost call solutions.
    - backdoor for the government
    and the like.
    Yup, OS developers, smartphone constructors and service providers are going to love it.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:DRM vs Legit vs Exploit by dannys42 · · Score: 1

      In Apple's case, though, apps are DRMed and apps are also jailed. As melikamp pointed out, that ensures the app's authenticity. The jailing however is also the primary security model for the iPhone. I agree that the API is complex enough that perhaps someone will find a way to exploit a hole somewhere eventually. However the iPhone usage model is really different from that of a desktop. If a hole is discovered, Apple fixes it and users update their phones.

      I'm not talking about "unofficial" users here.. the ones who jailbreak or purchase a non-standard iPhone that Apple doesn't support or whatever.

      The fact is it's been 4 years now since the first iPhone... and if there was an API hole somewhere, no one's found it (you can be sure the jailbreak & Cydia crowd would be all over that exploit). And on top of it, the OS is regularly updated. So practically speaking the problem of viruses doesn't exist. And if it did, an outbreak would likely be quite limited compared to what can exist on a PC.