Slashdot Mirror


Apple Support Forums Suggest Malware Explosion

dotwhynot writes "According to ZDNet, the volume of in-the-wild malware reports on discussions.apple.com is truly exceptional. With the launch of the first malware DIY kit for OS X earlier this month, and now this, has the malware industry threat finally caught up with the growth of Apple, and what do Mac users need to do?"

19 of 455 comments

  1. Re:OSX by zonky · Score: 4, Insightful

    I realise you're trolling but there are two common malware paths these days: (1) Drive-by Downloads - where exploits in things like PDFs, or Flash cause Remote Code Execution on the affected user's box, by exploiting flaws in installed software. Hopefully privilege elevation requiring sudo or UAC will prevent these programs running as admin/root, but often it's just enough that these apps run as a user class. (2) Stupid Users - people who have been trained to download anything from anywhere and just run it. OSX, like Windows, is vulnerable to both, because the software distribution model is totally broken. The app store may help, but I'll still put my trust, for now, in the linux repo model.

  2. Hardly surprising by LunaticTippy · Score: 4, Funny

    I would expect as Apple becomes more popular it will become more of a target for malware. This is not very surprising. I just hope Linux never becomes popular!

    --
    Man, you really need that seminar!
    1. Re:Hardly surprising by grcumb · Score: 5, Informative

      > I would expect as Apple becomes more popular it will become more of a target for malware. This is not very surprising. I just hope Linux never becomes popular!

      Well, if we do a quick calculation, perhaps we can get a ballpark idea of just how big this threat is:

      Number of distinct threats: 1

      Number of distinct reports: 42

      Now, let's be generous and assume that for each of those 42 threads, there were about 1000 other people who experienced the same problem. That makes about 42,000 people who inadvertently installed and ran a Mac trojan. I'm not certain about the size of the Mac desktop/laptop installed base, but I suspect that a reasonable estimate is in the tens of millions.

      Now, compare this with Microsoft's admission that 1 in 14 downloads on Windows is malicious, and I think it's safe to say we have two problems of distinctly different scope.

      The article's author, Ed Bott, asks whether we should be crying wolf about this latest surge in Mac malware. Near as I can tell, there is a threat, but it's more akin to an excited chihuahua trying to hump your ankle than a ravening wolf.

      Once again, those who claim to see direct parallels between Windows security and Mac/Linux security are guilty of false equivalence.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  3. Protect users from themselves? by gilesjuk · Score: 4, Informative

    Is it possible to protect a user from themselves? If a user chooses to install some software and it turns out to be rogue then that's not the fault of the OS, it is the naivety of the user.

    If Apple made the installation of non-App Store software on the Mac possible then it would stop a lot of rogue applications. But then people would complain about lack of freedom.

    The security model of OSX is fairly proven; Windows struggles due to backward compatibility at times.

  4. Re:The Only Feasible Strategy... by Nerdfest · Score: 4, Interesting

    There are stories floating around about companies complaining because Apple is not distributing available security updates to their products, supposedly because of approvals. The App Store is apparently not a good solution currently.

  5. Re:Finally! by Anonymous Coward · Score: 5, Insightful

    Finally! I am so sick of smug Mac users talking about how Macs can't get viruses because they're so secure.

    Well, this still is no virus... Manually installing malware and typing in the administrator password to do it is bad. But no virus.

  6. Re:Finally! by 0racle · Score: 5, Insightful

    It's not a virus, it's a trojan. You can't technically fix stupid; users that install everything they see will always be the weakest point in system security.

    --
    "I use a Mac because I'm just better than you are."
  7. Re:Macs have never been malware/virus proof by migla · Score: 4, Insightful

    >Likewise, if Linux ever became a big contender on the desktop, you would see a surge in Linux rootkits.

    Yes. But I think it would be easier to get Linux users to just stay with the repositories of open source code, than to download all kinds of crap from everywhere. Not all users, but a lot of them.
    That should disarm the threat somewhat.

    --
    Some of my favourite people are from the US; Vonnegut, Chomsky, Bill Hicks.
  8. Not A Virus by GFLPraxis · Score: 4, Insightful

    The thing to keep in mind is that this malware going around is a trojan. The user has to enter a username and password to install the malware. It can't propagate itself nor install itself automatically from a web site. People are just blindly typing their password to anything asking. Interestingly, it claims to be an antivirus suite and uses SEO to show up on searches for Mac antiviruses per Arstechnica (http://arstechnica.com/apple/news/2011/05/fake-mac-defender-antivirus-app-scams-users-for-money-cc-numbers.ars), so ironically, the people getting infected are people who think they need virus protection on a Mac. Expect to hear people continuing to proclaim this as the beginning of Mac viruses, however.

    1. Re:Not A Virus by recoiledsnake · Score: 4, Insightful

      > The thing to keep in mind is that this malware going around is a trojan. The user has to enter a username and password to install the malware.

      > It can't propagate itself nor install itself automatically from a web site.

      > People are just blindly typing their password to anything asking. Interestingly, it claims to be an antivirus suite and uses SEO to show up on searches for Mac antiviruses per Arstechnica (http://arstechnica.com/apple/news/2011/05/fake-mac-defender-antivirus-app-scams-users-for-money-cc-numbers.ars), so ironically, the people getting infected are people who think they need virus protection on a Mac.

      > Expect to hear people continuing to proclaim this as the beginning of Mac viruses, however.

      I believe that the vast majority of malware targeting Windows also uses social engineering and not exploits. Things like ASLR, sandboxing etc. have made it hard for real exploits so instead the blackhats have gone for things like fake codecs, fake smiley packs and fake antivirus applications. Even granting your point, usually Safari is one of the first to fall in contests like pwn2own which use drive-by exploits and not social engineering.

      --
      This space for rent.
  9. Tempest in a teapot by doggo · Score: 4, Insightful

    Pffft! Whatever.

    At work I worry about our Dells running Windows. But not our Red Hat server.

    But hey, we use AV on our machines.

    At home I don't worry about my Mac.

    Much ado about one malware kit. Overblown.

    And the air positively reeks in here of anti-Mac schadenfreude. Sour grapes, I say. Xenophobia, I say. Dumbassedness, I say.

  10. Re:If they keep taking 8 months to fix security bu by MartinSchou · Score: 5, Informative

    This isn't exploiting privileges.

    "Your computer has been infected. Please install this program to clean it."

    It's social engineering, and you can't protect against that. The installer needs admin rights to install, so people have to enter their password - and they do.

    Seriously - how are you supposed to protect against that?

  11. What is ZERO to TEN? by Vitriol+Angst · Score: 4, Insightful

    When they say "explosion", do they mean more than a dozen?

    Because if there weren't ANY Malware calls last month, and a dozen script kiddies used the new "Home Malware Kit" du jour,... then indeed, numerically we have an "explosion."

    I'd also have to say there is an explosion of explosions as well. Because of course -- last month there were NO explosions, and this month there is ONE.

    >> The problems for Apple don't end, however, since the iPad market caught up with back-orders, there has been an IMPLOSION of orders. In other words, less people are buying, than last month.

    I think I'll implode and explode my lungs ten times, before I act on this urgent matter, however.

    --
    >>"ad space available -- low rates!!!"
  12. Re:Easy... by MartinSchou · Score: 4, Insightful

    How does Linux prevent you from installing bad stuff onto your computer?

    The installer asks the user to enter their admin password - and they do. That's why they get infected.

    But I'm sure you can explain exactly how Linux's security model prevents a user from using sudo to install rogue programs. And if you can't come up with something better than "the user account shouldn't have wheel rights", then you need to explain how the user is ever going to install useful stuff that requires sudo.

    You cannot protect a user from himself - at most you can make it difficult for him.

  13. Re:OSX by EraserMouseMan · Score: 5, Funny

    I would like it if all apps had to get vetted through an app store process for OSX just like the iPhone/iPad. The solution is to give up control to Apple. Steve Jobs is the smartest person. And routing all decisions through him will make sure that the best decisions are made quickly and then pushed out to all Apple controlled devices ASAP. I never understand why people want the ability to make decisions that will harm themselves when Apple is telling them that they'll handle it. The nerds need to get a life.

  14. it's a fairly harmless trojan by Anonymous Coward · Score: 5, Informative

    I have seen this "malware" in the wild. My elderly mother called me, last week, about this. She reported "something came up on my screen, telling me that my computer is infected and that I should click to remove them". I had her take a screenshot and send it to me:

    http://imagebin.org/153902

    She is almost as computer illiterate as one could be, but even she had a suspicion that this wasn't legitimate.

    Out of curiosity, I went to the URL (which inspects the user-agent, to avoid showing this scareware screen to non-Mac users), clicked "remove all", downloaded/unzipped the file, _manually ran the installer_, and clicked through several install steps.

    This is not drive-by malware, it doesn't use an exploit in a vulnerable browser plugin, etc. It's a fairly harmless trojan that is easily removed. A Google search for "remove mac protector" will yield detailed instructions, e.g.:

    http://www.bleepingcomputer.com/virus-removal/remove-mac-protector

    I have saved the installer, if anyone would like a copy of it for analysis. It contains some remnants of Russian language settings from Xcode, among other interesting tidbits.

  15. I can see why this has happened by jo_ham · Score: 5, Informative

    I can see exactly why this has happened. The offending malware is a trojan that is installed via social engineering.

    I have seen a couple of hits lately on google image search, where clicking on one of the images takes you to a remote server where you get the familiar-to-windows-users "this is your hard drive" trick, where the browser shows a reasonable approximation of a Finder window, and shows a "scanning for viruses" progress bar, followed by an inevitable "your computer is at risk! click here to fix the problem!". I assume the link takes you to a site that downloads the "MacProtector" trojan which is what many people have been complaining about - essentially a simple program with no close button or quit option that nags you to pay for removal software. The website clearly uses browser detection and just serves up the appropriate windows/osx version of the con page.

    You can kill it using the terminal, or using command+option+escape, or from the Activity Monitor (and it's not sophisticated enough to be able to stop you, if you know how to terminate processes unlike some of the more nasty malware on windows that disables the task manager etc). I suspect that it's only a matter of time before it gets more difficult to remove.

    However, the term "malware explosion" seems very sensationalist - it's *a* piece of malware that has hit a lot of clueless users all of a sudden who are not used to dealing with this sort of thing due to the generally low malware issue on OS X to date.

    Mac OS X users need to be aware of social engineering scams like this and to be careful about what they install (this is not a virus or drive by install) - it's no different to the trojan that was being distributed in the warez copy of Office for Mac that deleted files etc, just that the delivery method can now target people who are simply browsing google image search.

    As always with security-related stories, no Mac users don't think our platform is immune to threats. It seems the only people making those sort of wild claims are the anti-Mac people who crow that it's what they think we would say (wow, awkward sentence). There are no "immune" systems, merely "safer" vs "less safe".

    When it comes to trojans though, every OS is equally vulnerable, although this is skewed by the userbase somewhat (for example, far fewer 'normal' computer users on Linux distros who would be taken in by the social engineering). If we assume the Mac and Windows user base is broadly the same in terms of distribution (i.e., from clueless all the way up to power users) then it is only a matter of time before a "big" trojan comes along for OS X - and here it is.

    Calling it a "malware explosion" is just inaccurate though.
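Comments 14 and 15 both observe that the scam page inspects the visitor's User-Agent and shows the fake "scanning for viruses" screen only to Mac (or Windows) browsers, serving something harmless to everyone else. A defender triaging such a reported URL can confirm that kind of cloaking by fetching the same page under several User-Agent strings and comparing the responses against a neutral baseline. The block below is an example added for this page, not code from the thread or from any project it mentions: the server responses, the User-Agent strings and the scareware phrases are all constructed, and `fake_fetch` stands in for a real HTTP request so the code runs offline.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for the scam server described in comments 14 and 15:
# it keys its response on the User-Agent header. Nothing is fetched from
# the network anywhere in this example.
FAKE_RESPONSES = {
    "mac": (
        "<html><body><h1>Warning! Your computer is infected</h1>"
        "<div class='finder'>Scanning for viruses... 37 threats found</div>"
        "<a href='/download'>Remove all</a></body></html>"
    ),
    "windows": (
        "<html><body><h1>Windows Security Alert</h1>"
        "<div class='explorer'>Scanning for viruses... 51 threats found</div>"
        "<a href='/setup.exe'>Remove all</a></body></html>"
    ),
    "other": "<html><body><p>Nothing to see here.</p></body></html>",
}


def fake_fetch(url, user_agent):
    """Return the body the constructed server would send for this User-Agent."""
    ua = user_agent.lower()
    if "macintosh" in ua or "mac os x" in ua:
        return FAKE_RESPONSES["mac"]
    if "windows" in ua:
        return FAKE_RESPONSES["windows"]
    return FAKE_RESPONSES["other"]


# Probe identities: one per platform the scam might target, plus a neutral
# crawler identity used as the baseline. All strings are constructed examples.
USER_AGENTS = {
    "crawler": "Mozilla/5.0 (compatible; ExampleBot/1.0)",
    "mac-safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.16 Safari/534.16",
    "win-ie": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "linux-firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0",
}

# Phrases typical of fake-AV pages, constructed for this example.
SCAREWARE_MARKERS = [
    r"your computer is infected",
    r"security alert",
    r"scanning for viruses",
    r"\d+ threats? found",
    r"remove all",
]


def normalize(html):
    """Lower-case and collapse whitespace so trivial differences do not count."""
    return re.sub(r"\s+", " ", html).strip().lower()


def similarity(a, b):
    """0.0 (nothing in common) to 1.0 (identical), via difflib's ratio."""
    return SequenceMatcher(None, a, b).ratio()


def probe(url, fetch=fake_fetch, threshold=0.7):
    """Fetch url under each User-Agent and compare each body to the crawler baseline.

    A variant is flagged 'cloaked' when its similarity to the baseline falls
    below the threshold; any scareware markers found in it are listed."""
    baseline = normalize(fetch(url, USER_AGENTS["crawler"]))
    findings = {}
    for name, ua in USER_AGENTS.items():
        body = normalize(fetch(url, ua))
        sim = similarity(baseline, body)
        findings[name] = {
            "similarity": round(sim, 2),
            "cloaked": sim < threshold,
            "markers": [m for m in SCAREWARE_MARKERS if re.search(m, body)],
        }
    return findings


def cloaked_platforms(findings):
    """Names of the probe identities that received a divergent, marker-bearing page."""
    return sorted(n for n, f in findings.items() if f["cloaked"] and f["markers"])


if __name__ == "__main__":
    result = probe("http://scam.example.invalid/")  # placeholder URL, never contacted
    for name, f in result.items():
        print(f"{name:14s} similarity={f['similarity']:.2f} "
              f"cloaked={f['cloaked']} markers={f['markers']}")
    print("cloaking toward:", cloaked_platforms(result))
```

Against a live report you would pass a `fetch` function that issues a real request with the given User-Agent header (for instance one built on `urllib.request`), ideally from an isolated analysis host. The crawler baseline is deliberate: a cloaking site tends to show its clean face to indexers, so a page that looks harmless to a bot but carries fake-scan wording for a Mac browser is exactly the pattern the two comments describe.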

  16. Re:The Only Feasible Strategy... by chfriley · Score: 4, Interesting

    The slightly different option is to default to only installing through the App store with an option for users to turn that off, perhaps in the Accounts section of System Preferences. This gives a compromise where people on Slashdot can use whatever method they want and naive users will be much more protected.

    Remember that 99% of the users out there know very little about computers. They think a Computer Science degree or Computer Engineering degree means you "know how to fix computers." Kind of like an "electrical engineer" can come and wire your house or a "mechanical engineer" knows how to fix your car.

    The question here is: how much do you protect users from their own naivety/stupidity/credulity (depending upon how you want to phrase it)?

    I believe that in the long term, like it or not, the trend will be that the operating system will be closer to the walled garden approach for just this reason.

  17. Re:If they keep taking 8 months to fix security bu by bonch · Score: 5, Insightful

    Malware has been "about to explode" on the Macs for the last 10 years according to pundits. People, this is Ed Bott's Microsoft blog. Why are you falling for such obvious flamebait?

    I love these dramatic phrases like "about to explode" and "malware explosion."