Apple Support Forums Suggest Malware Explosion
dotwhynot writes "According to ZDNet, the volume of in-the-wild malware reports on discussions.apple.com is truly exceptional. With the launch of the first malware DIY kit for OS X earlier this month, and now this, has the malware industry threat finally caught up with the growth of Apple, and what do Mac users need to do?"
Make everything install through the OS X App Store ;)
I realise you're trolling but there are two common malware paths these days: (1) Drive-by Downloads - where exploits in things like PDFs, or Flash cause Remote Code Execution on the affected user's box, by exploiting flaws in installed software. Hopefully privilege elevation requiring sudo or UAC will prevent these programs running as admin/root, but often it's just enough that these apps run as a user class. (2) Stupid Users - people who have been trained to download anything from anywhere and just run it. OSX, like Windows, is vulnerable to both, because the software distribution model is totally broken. The app store may help, but I'll still put my trust, for now, in the linux repo model.
I would expect as Apple becomes more popular it will become more of a target for malware. This is not very surprising. I just hope Linux never becomes popular!
Man, you really need that seminar!
PC users knew all along that the only reason Mac users went relatively unscathed throughout all those years is that the Mac install base was too small to bother. The more popular Macs became, the bigger the target on their backs.
Likewise, if Linux ever became a big contender on the desktop, you would see a surge in Linux rootkits.
Being unpopular does not mean you are safe, but it doesn't hurt. Crackers, virus writers, malware creators, and botnets target the path of least effort.
Is it possible to protect a user from themselves? If a user chooses to install some software and it turns out to be rogue then that's not the fault of the OS, it is the naivety of the user.
If Apple made the installation of non-App Store software on the Mac possible then it would stop a lot of rogue applications. But then people would complain about lack of freedom.
The security model of OSX is fairly proven, Windows struggles due to backward compatibility at times.
That is a foolish way to look at it, since there are so many layers between the kernel and the user at this point. You can take a great foundation and put something with a poor structure on top of it, or you can work around a weak foundation with a lot of engineering on top to avoid problems. MacOS X has been proven to have a lot of weaknesses, and while the CORE of the OS may be good, there are many flaws on top that can be infected or exploited. Only an idiot would assume that they are safe with MacOS right now since Apple takes years to fix any vulnerability that is found.
Finally! I am so sick of smug Mac users talking about how Macs can't get viruses because they're so secure.
Well, this still is no virus... Manually installing malware and typing in the administrator password to do it is bad. But no virus.
It's not a virus, it's a trojan. You can't technically fix stupid; users that install everything they see will always be the weakest point in system security.
"I use a Mac because I'm just better than you are."
and don't underestimate the effect of the over confidence many Mac users have towards these events.
Hell, just attending a local users group was more than enough to convince me we have a sufficient number of idiots to open the door. Far too many reflexively type their password in when prompted; it makes you realize nothing is secure with a user.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
The thing to keep in mind is that this malware going around is a trojan. The user has to enter a username and password to install the malware. It can't propagate itself nor install itself automatically from a web site. People are just blindly typing their password to anything asking. Interestingly, it claims to be an antivirus suite and uses SEO to show up on searches for Mac antiviruses per Arstechnica (http://arstechnica.com/apple/news/2011/05/fake-mac-defender-antivirus-app-scams-users-for-money-cc-numbers.ars), so ironically, the people getting infected are people who think they need virus protection on a Mac. Expect to hear people continuing to proclaim this as the beginning of Mac viruses, however.
You are up to three examples on. There are 30,000 packages available for Ubuntu. Sounds like a pretty good ratio to me.
The soylentnews experiment has been a dismal failure.
Pffft! Whatever.
At work I worry about our Dells running Windows. But not our Red Hat server.
But hey, we use AV on our machines.
At home I don't worry about my Mac.
Much ado about one malware kit. Overblown.
And the air positively reeks in here of anti-Mac schadenfreude. Sour grapes, I say. Xenophobia, I say. Dumbassedness, I say.
This isn't exploiting privileges.
"Your computer has been infected. Please install this program to clean it."
It's social engineering, and you can't protect against that. The installer needs admin rights to install, so people have to enter their password - and they do.
Seriously - how are you supposed to protect against that?
When they say "explosion", do they mean more than a dozen?
Because if there weren't ANY Malware calls last month, and a dozen script kiddies used the new "Home Malware Kit" du jour,... then indeed, numerically we have an "explosion."
I'd also have to say there are an explosion of explosions as well. Because of course -- last month there were NO explosions, and this month there is ONE.
>> The problems for Apple don't end, however, since the iPad market caught up with back-orders, there has been an IMPLOSION of orders. In other words, fewer people are buying than last month.
I think I'll implode and explode my lungs ten times, before I act on this urgent matter, however.
>>"ad space available -- low rates!!!"
How does Linux prevent you from installing bad stuff onto your computer?
The installer asks the user to enter their admin password - and they do. That's why they get infected.
But I'm sure you can explain exactly how Linux's security model prevents a user from using sudo to install rogue programs. And if you can't come up with something better than "the user account shouldn't have wheel rights", then you need to explain how the user is ever going to install useful stuff that requires sudo.
You cannot protect a user from himself - at most you can make it difficult for him.
I would like it if all apps had to get vetted through an app store process for OSX just like the iPhone/iPad. The solution is to give up control to Apple. Steve Jobs is the smartest person. And routing all decisions through him will make sure that the best decisions are made quickly and then pushed out to all Apple controlled devices ASAP. I never understand why people want the ability to make decisions that will harm themselves when Apple is telling them that they'll handle it. The nerds need to get a life.
I have seen this "malware" in the wild. My elderly mother called me, last week, about this. She reported "something came up on my screen, telling me that my computer is infected and that I should click to remove them". I had her take a screenshot and send it to me:
http://imagebin.org/153902
She is almost as computer illiterate as one could be, but even she had a suspicion that this wasn't legitimate.
Out of curiosity, I went to the URL (which inspects the user-agent, to avoid showing this scareware screen to non-Mac users), clicked "remove all", downloaded/unzipped the file, _manually ran the installer_, and clicked through several install steps.
This is not drive-by malware, it doesn't use an exploit in a vulnerable browser plugin, etc. It's a fairly harmless trojan that is easily removed. A google search for "remove mac protector" will yield detailed instructions, e.g.:
http://www.bleepingcomputer.com/virus-removal/remove-mac-protector
I have saved the installer, if anyone would like a copy of it for analysis. It contains some remnants of Russian language settings from Xcode, among other interesting tidbits.
I can see exactly why this has happened. The offending malware is a trojan, that is installed via social engineering.
I have seen a couple of hits lately on google image search, where clicking on one of the images takes you to a remote server where you get the familiar-to-windows-users "this is your hard drive" trick, where the browser shows a reasonable approximation of a Finder window, and shows a "scanning for viruses" progress bar, followed by an inevitable "your computer is at risk! click here to fix the problem!". I assume the link takes you to a site that downloads the "MacProtector" trojan which is what many people have been complaining about - essentially a simple program with no close button or quit option that nags you to pay for removal software. The website clearly uses browser detection and just serves up the appropriate windows/osx version of the con page.
You can kill it using the terminal, or using command+option+escape, or from the Activity Monitor (and it's not sophisticated enough to be able to stop you, if you know how to terminate processes unlike some of the more nasty malware on windows that disables the task manager etc). I suspect that it's only a matter of time before it gets more difficult to remove.
However, the term "malware explosion" seems very sensationalist - it's *a* piece of malware that has hit a lot of clueless users all of a sudden who are not used to dealing with this sort of thing due to the generally low malware issue on OS X to date.
Mac OS X users need to be aware of social engineering scams like this and to be careful about what they install (this is not a virus or drive by install) - it's no different to the trojan that was being distributed in the warez copy of Office for Mac that deleted files etc, just that the delivery method can now target people who are simply browsing google image search.
As always with security-related stories, no Mac users don't think our platform is immune to threats. It seems the only people making those sort of wild claims are the anti-Mac people who crow that it's what they think we would say (wow, awkward sentence). There are no "immune" systems, merely "safer" vs "less safe".
When it comes to trojans though, every OS is equally vulnerable, although this is skewed by the userbase somewhat (for example, far fewer 'normal' computer users on Linux distros who would be taken in by the social engineering). If we assume the Mac and Windows user base is broadly the same in terms of distribution (ie, from clueless all the way up to power users) then it is only a matter of time before a "big" trojan comes along for OS X - and here it is.
Calling it a "malware explosion" is just inaccurate though.
I disagree, we all suffer from Malware, and malware targets the largest number of users it can expect to harm. As Apple gains a larger market share, apple's market share of malware threats will grow in parallel. Hiding in a small dark corner was a good idea, until you turned on the disco ball and threw a party.
I would, but I can't resize my screen from 640x480 - the settings window is taller than that and the ok button is off the screen with no way to select it. I sent a text from my android phone to someone who could help me fix it, but I don't think he got it. I then logged onto an unsecured wifi access point in the coffee shop I was in, and a guy next to me said "hey, I know that guy in your email address book too!".
I was so frustrated with all these security issues I instead switched to BeOS.
I can confirm that in the last week I have helped 3 people with Mac malware. I hadn't even met anyone with Mac malware installed until last week. I didn't see anything incredibly harmful, but it pretended to be an anti-virus software and repeatedly opened up various porn sites in Safari without user interaction.
The "hole" here is the user.
It's a trojan that you need to download, unpack and then manually install, giving your admin password along the way.
Other than taking away the user's ability to install software (hey, isn't everyone yelling about how evil Apple is for going for a walled garden approach on iOS?), I fail to see what they can do here, other than educating users on the dangers of installing untrusted software.
I am all for railing hard on security - if there are security issues they need to be dealt with (like the change in behaviour of Safari if 'open safe files' is checked - I do not believe any file from the internet can be classified as 'safe'), but this is such a very big storm in a socially engineered teacup.
Another user posted a screenshot of what you see if you click on a link that takes you to the malicious server (I got sent to one via clicking an image in Google Image Search, for example): http://imagebin.org/153902
It clearly uses your UA string to detect what OS you have and displays an appropriate con. The one I was shown actually animated, with a progress bar moving along as it "found" the malware you can see in the image and then "completed" to show that dialog box.
The security culture is going to have to change, but since when is that new? Social engineering is an enormous hurdle to computer security.
So, let me be clear - there is no "security update to combat that problem" that Apple will "eventually" release. Did you even read anything about it at all before posting? Oh wait, this is /. - I'm amazed you even read the summary.
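Two posts above describe the con page's browser detection: the server reads the User-Agent string and serves a fake Finder "scan" to Mac visitors and a fake Explorer one to Windows visitors, while non-Mac/non-Windows visitors see nothing. The snippet below is an added example, my own code and not anything from the thread or from the scareware server, that models that switch and shows how a defender can pull every variant for analysis from any machine by faking the User-Agent. The sample User-Agent strings are constructed, and the variant labels ("mac-finder-scan", "win-explorer-scan") are assumed names for illustration.

```python
import re

# Constructed sample User-Agent strings (not captured from any real scareware server).
SAMPLE_UAS = {
    "mac_safari": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) "
                  "AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1",
    "win_ie":     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "iphone":     "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) "
                  "AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
    "linux_ff":   "Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
    "curl":       "curl/7.21.4",
}

# Assumed variant labels; the real server's page names are not known from the thread.
VARIANTS = {"mac": "mac-finder-scan", "windows": "win-explorer-scan"}


def classify_ua(ua: str) -> str:
    """Bucket a User-Agent into 'mac', 'windows' or 'other' the way a con page would.

    iOS browsers also advertise 'like Mac OS X', so they are checked first: the
    payload is a desktop installer and would not run on a phone anyway.
    """
    if re.search(r"\b(iPhone|iPad|iPod)\b", ua):
        return "other"
    if re.search(r"Macintosh|Mac OS X", ua):
        return "mac"
    if re.search(r"Windows NT|Windows 9[58]|Win32", ua):
        return "windows"
    return "other"


def con_page_for(ua: str):
    """Return the fake-scanner variant to serve, or None to show a harmless page.

    None is what a curl/wget fetch or a Linux analyst sees: the trick is invisible
    unless you present a Mac or Windows User-Agent.
    """
    return VARIANTS.get(classify_ua(ua))


def capture_commands(url: str):
    """curl invocations a defender can run anywhere to fetch each con variant.

    curl's -A flag sets the User-Agent; -o writes the body to a file for review
    instead of rendering it.
    """
    return [
        f"curl -A '{SAMPLE_UAS[name]}' -o con-{name}.html '{url}'"
        for name in ("mac_safari", "win_ie")
    ]


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:10s} -> {classify_ua(ua):8s} serves {con_page_for(ua)}")
    for cmd in capture_commands("http://example.invalid/scan"):
        print(cmd)
```

The point for anyone investigating one of these sites: a fetch from a Linux box or with a default curl User-Agent returns the innocuous page, so always retrieve the page once per target platform's User-Agent before concluding a link is clean.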
2 is the gaping hole in all operating systems. Microsoft's signature system (screen, whatever the hell that is) will not stop determined dumb users from installing $INFECTION if the hook has the right bait.
You can't even stop it in NetBSD, because you can always install software as a regular user and run it from ~/bin/. The only way to get rid of such PEBCAK is to entirely give up any kind of freedom to install software on your own and go to a managed system with professional administrators. I could see it happening as a trade: Certified Public Computer Admins - you pay for your computer to be remotely administered even as a home user.
The App Store is the Linux repo model, but for money and no source code.
--
BMO
What's with the stories today? First, the headline about PSN going down, when it hasn't gone down--Sony took down the login pages on several of its websites to fix an exploit, but PSN is up and running.
Now, this story from Ed Bott, a Microsoft writer on ZDNet. This "malware explosion" the summary is referring to? It's literally just Ed Bott scouring the discussion forums "for a couple of hours" looking for posts about alleged malware, as if a couple hundred uninformed forum posts are some legitimate metric. Most people don't even know what their computers are doing half the time; anyone who's done tech support knows that people blame viruses for everything. If there were truly a malware explosion, we'd hear official announcements from the usual security firms and antivirus companies. Ed cites "more than 200 posts" to prove his case. There are millions of Mac users, so his batch of clueless forum posts is tiny and hardly reputable.
The "Mac Protector" software that some of the posts he quoted were referring to? It's a website popup that displays a fake virus scanner. Clicking on it downloads an installer. The software installer on OS X asks for your confirmation before installing anything, so users doing this have to give their permission for the software to show up on their machine in the first place. It's not some silent installation like what you'd normally imagine when thinking of malware, and there's no security exploit at work here. This is just a normal software program you willingly download and install through simple social engineering. It's also much simpler to remove than the usual Windows malware; just remove it from the login items and delete the app bundle. The phrase "malware explosion" implies some hard-to-detect trojan that's quietly infecting everyone's machines, spreading automatically.
It's rather obvious why someone who writes the Microsoft blog at ZDNet would be sniping at the image of Mac security, but I think another motivation for Ed's article is mentioned in the first paragraph. He's striking back at John Gruber, whose attack on him probably generated a significant amount of traffic. And now, Slashdot is generating its own by linking to Ed's flamebait.
Could we tone down the exaggeration and deception in the headlines around here, please?
Of course, I didn't say otherwise. If you don't trust, don't install.
This is a flawed and outdated security paradigm. Frankly a binary "trust" or "don't trust" is insufficient for the modern world. We need a lot more, "need to run, but don't trust any more than necessary". Frankly, all apps should be restricted by default from messing with the vast majority of the system. How many apps really, legitimately need to modify what pages your browser visits or needs to run background apps after the main app is closed? What is wrong with asking the user BEFORE allowing an app's sandbox to have these privileges?
Malware has been "about to explode" on the Macs for the last 10 years according to pundits. People, this is Ed Bott's Microsoft blog. Why are you falling for such obvious flamebait?
I love these dramatic phrases like "about to explode" and "malware explosion."
What drive-by download is getting installed on Macs through Flash ads? "Mac Protector" is just an app you have to willingly download and install that sits there displaying pop-ups asking for your credit card until you remove the app.
1. You get the same "This program is going to delete all your data, send pictures of you with that Asian hooker to your wife, list your house on eBay for $10, and kick your dog. Press OK to continue?" only multiplied by a hundred; and
2. If the ignorant end user has the ability to allow a program access, they will.
You cannot secure an unmanaged system.
Many of the Windows ones look like a specific default theme - XP's blue Luna theme or the default OS X theme. How about if the default color scheme was mildly randomized? It wouldn't change things for users who set things to something other than the defaults, but that way everyone who just leaves it at the default settings would have slightly different colored windows. They would know their 'system color' and a fake window would stand out like a sore thumb as it would be a different color. The range of random colors would not even have to be that large to make it obvious to most people. If the Mac default color was 'nearly gray' instead of pure gray, nobody would notice until a fake window popped up that was a different gray.