Mac Malware Evolves - No Install Password Required
An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
I always find it stupid that even here people say that malware on Linux would not be able to gain root like in Windows. Spam bots, fake antiviruses, password-stealing nasties and so on run perfectly fine under a normal user account. There is no reason why they would require admin privileges. All the personal files are accessible from a normal user account, and spam can be sent without root too. Sure, it could hide a little bit better if it had root access, but there are plenty of tricks to pull off under a normal account too. It's like a guy making everything overcomplicated by thinking he needs to act like a perfect guy and take the girl to a fancy restaurant and on many dates before having intercourse with her. Sometimes it's just easier to go for a ladyboy - a woman with a man's desire for sex. Requiring access to the root account would be a more common situation with something like hacking servers, since you need to modify logs and really hide in the system. Most likely you also need to get access to HTTP ports, and under Linux you need the root account for those. But malware runs perfectly fine under a user account.
...is anyone actually surprised by this?
Palm trees and 8
This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.
My PC can't get Mac malware.
It was only a matter of time till there started being viruses and malware for the MAC; just like anything else, the more market share something gets, the more it gets picked apart. It's only a matter of time till we see desktop Linux get viruses and malware released. We have already seen some variation of it with the way they are pulling Android apps off the market because of security issues.
Screw you, Sophos, and your filthy FUD marketing.
So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.
Mac malware: type in your password* if you want to install a system-wrecker.
Linux malware: type in your other and more important password if you want to install a system-wrecker.
Windows malware: use Internet Explorer and navigate to mainstream sites with hidden malicious PDFs or Java bombs if you want to install a system-wrecker.
*If you're clever enough to not use your admin password on a daily basis then you're probably clever enough to steer clear of most system-wreckers and so this is not referring to you.
That's how most malware works these days. Time for the Mac users to wake up a bit and realize they really aren't "thinking different" enough to ward off the crapware and extortion schemes.
High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security. Any malware can run in the user space of any OS if the user installs it (and they will); and at minimum it has access to all of a user's private data. That should be just as worrisome as a single-user machine getting rootkitted - while the harm to the system is greater for a rootkit, the damage to the user is just the same.
The only real issue is the "auto-download safe content" default option in Safari. It shouldn't be enabled by default. Just uncheck it.
Another case of iClicitys (a rush of advertisement clicks generated by Apple buzz).
So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.
You know all these loser anti-virus peddlers are watching this with glee.
This is only one particular piece of malware, in itself not so significant, but it indicates Macs and their users have finally reached enough critical mass to bother stealing from... that's what malware is about now.
So either the patch will already recognize and remove this, or they will have to issue another little update to take care of it completely. Given that they are not compromising any privileges, stopping this should be ridiculously easy. Why are these guys even bothering?
Unless perhaps they are trying to get an installed base with the current package, which can then perhaps help with a real exploit - e.g. directing a browser to a website that exploits a real vulnerability.
Originally this malware asked for an admin password which means it could get access to admin privileges. This new variant installs under user permissions which means that the admin can more easily remove it. That is assuming users don't run as admin. BTW, this variant still requires user intervention to install so it's not quite a virus or worm but still a Trojan.
Well, there's spam egg sausage and spam, that's not got much spam in it.
One of the key selling points that entices a lot of novice users to buy an Apple over a PC is lack of malware/virii. The other key selling points being ease of use/reliability/stability. This latest outbreak, while not particularly damaging, and while not really a threat as the user still must "install it," is getting a ton of media attention and is thus removing the "cloak of invulnerability" that Macs have been advertised to have against malware and virii. So now when a novice user, who doesn't know any better, has to choose between the more expensive Mac vs a cheaper PC, will the remaining key selling points be enough to entice them to pay the higher premium? Many people switch solely on the reason of not dealing with virii/malware, but now that they will have to deal with that (whether or not it's true is irrelevant, as in many novices' minds Macs are now vulnerable) they might just stick with their PC. Bottom line - this is going to really hurt Apple a lot more than most people realize, as they will no longer have the novice users switching just to avoid virii and malware. Apple's "cloak of invulnerability" has been removed...and whether the remaining key selling points will sustain them remains to be seen.
Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)
The malware is evolving from taking advantage of bugs in Windows to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face, trying to masquerade as something else.
They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.
I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows' fault in those situations either; the user simply installed something that took over the system.
I'm really curious just what Apple will do in a patch to prevent this. You could of course recognize one variant, but you can't easily find an infinite number of variations... especially when there's so little difference between a trojan and some application that is meant to be downloaded and run.
The funny thing is currently the absolute safest recommendation you can make to a Mac user to keep them safe is to NOT install any anti-virus software.
And how many people who share a computer also share the same user account? On the Windows side, the malware does not really need to even install itself; running it until shutdown is enough, as there are always enough people that get (re)infected and who keep their machines always on.
This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.
You are still required to click through an install wizard, so this is in no shape or form an install performed without the user.
But... but... weren't we all told that this isn't possible? I'm sure I've heard the rhetoric repeatedly before that if someone didn't bother porting some malware to Mac or Mozilla back when they had tiny market share, then it's some kind of proof that they're secure and it can't be done.
It can't evolve; it was created that way.
Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?
Unlike Windows, OS X and Linux and every other sane OS in the universe have no such thing as a "hidden process."
As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.
ps -uax | grep $USER
OH HEY GUYS THAT LOOKS WEIRD
killall -9 $SUSPICIOUS_PROGRAM
rm $PATHTOSUSPICIOUSPROGRAM/SUSPICIOUSPROGRAM
And not even have to have a # in your prompt. No sudo, no su, no nothing.
Go on with life
Wow. That's...difficult.
--
BMO
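A defender-side version of the check BMO describes above, as an added example that is not code from the thread: it parses `ps` output and per-user LaunchAgent plists (~/Library/LaunchAgents, the launchd directory a standard user can populate without a password) and flags anything whose executable lives under the home directory or /tmp, since that is where an install done without admin credentials has to land. The user name, the "MacGuard" paths and the com.example label in the sample data are constructed, not taken from a real sample.

```python
"""Flag a user's own processes and LaunchAgents whose executable sits in a
user-writable place (home directory or /tmp). Added example with constructed
sample data; nothing here comes from a real Mac Guard sample."""
from __future__ import annotations
import glob
import os
import plistlib

# Non-home locations a standard user can write to without a password.
USER_WRITABLE_ROOTS = ("/tmp", "/var/tmp")

def parse_ps(lines) -> list[dict]:
    """Parse `ps -axo pid=,user=,comm=` output (OS X's ps prints the full
    path in comm). Split on the first two fields only, so paths containing
    spaces ("Application Support") stay intact."""
    records = []
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # blank line or header
        pid, user, comm = parts
        records.append({"pid": int(pid), "user": user, "comm": comm})
    return records

def in_user_space(path: str, home: str) -> bool:
    """True if path is under the home directory or another user-writable root."""
    roots = (home.rstrip("/"),) + USER_WRITABLE_ROOTS
    return any(path.startswith(r + "/") for r in roots)

def suspicious_processes(records, user, home):
    """Processes owned by `user` whose binary lives where `user` can write."""
    return [r for r in records if r["user"] == user and in_user_space(r["comm"], home)]

def launch_agent_target(plist_bytes: bytes) -> tuple[str, str | None]:
    """(Label, executable) of a launchd job: Program wins, else ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    exe = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    return job.get("Label", ""), exe

def suspicious_launch_agents(plists: dict[str, bytes], home: str):
    """plists maps file name -> plist bytes; returns (file, label, exe) hits."""
    hits = []
    for name, data in plists.items():
        label, exe = launch_agent_target(data)
        if exe and in_user_space(exe, home):
            hits.append((name, label, exe))
    return hits

def load_launch_agents(home: str) -> dict[str, bytes]:
    """Read every .plist in ~/Library/LaunchAgents, the per-user launchd
    directory that needs no admin rights to populate."""
    pattern = os.path.join(home, "Library", "LaunchAgents", "*.plist")
    return {os.path.basename(p): open(p, "rb").read() for p in glob.glob(pattern)}

# Constructed sample: a trojan running from the home folder and a helper in /tmp.
SAMPLE_USER, SAMPLE_HOME = "alice", "/Users/alice"
SAMPLE_PS = """\
    1 root   /sbin/launchd
  312 alice  /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  418 alice  /Applications/Safari.app/Contents/MacOS/Safari
  533 alice  /Users/alice/Library/Application Support/MacGuard/MacGuard.app/Contents/MacOS/MacGuard
  601 alice  /tmp/.update/helper
"""
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.macguard</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/MacGuard/MacGuard.app/Contents/MacOS/MacGuard</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for p in suspicious_processes(parse_ps(SAMPLE_PS.splitlines()), SAMPLE_USER, SAMPLE_HOME):
        print(f"pid {p['pid']}: {p['comm']}")
    for hit in suspicious_launch_agents({"com.example.macguard.plist": SAMPLE_AGENT}, SAMPLE_HOME):
        print("agent %s (%s) -> %s" % hit)
```

On a real Mac, feed `parse_ps` the output of `ps -axo pid=,user=,comm=` and `suspicious_launch_agents` the result of `load_launch_agents(os.path.expanduser("~"))`; a hit is a lead to inspect, not proof of infection, since legitimate per-user software installs the same way.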
I thought Macs don't get viruses?
That seems like it's not really any protection at all. Most Macs are likely single user setups anyway. Sometimes, sure, you'll have some other users on the machine, but most of them are likely just tied to one user.
To that one user, their files are the critical component of the machine. If they bought the machine, they have the reinstall discs for the OS, plus those of any upgrades. Annoying? You betcha. But if they haven't been backing up their files (shame on them) then having to reinstall the OS is the LEAST of their worries.
And this of course goes for Windows and Linux installs as well. And really, even in a multi-user/single-machine scenario, while the damage is limited, it is still potentially devastating for the user involved. And again, for many (most?) installs, there's only one user that matters anyway.
The new version was simply designed more intelligently.
As any Windows user will tell you, it only gets worse from here. Welcome to the world of malware arms control, Macolytes.
PS: I know I shouldn't have put "void" in front of "main", but it's 15 years since I wrote any serious C, and malware is supposed to be badly written, isn't it?
MAC (stop yelling!) is a brand of cosmetics. I believe you mean "Mac", which is short for Macintosh, a brand of computer manufactured by Apple, Inc.
The plural of "virus" is "viruses", not the botched pseudo-Latin neologism seen above. You obviously never had Latin classes.
Why? Their arrogance. They will REFUSE to acknowledge it is possible for their machine to be compromised, and not run any protection. The easiest target is the one who thinks he is invulnerable.
That would be the Linux.
I'd take these new "malware" scares seriously if I ever, ever encountered one on my Mac in real life, or knew anyone that had. I hear lots of haters, lots of hearsay, but not much else.
Even a heuristic based on the signature of this one variant would likely be effective against many or most possible variants.
Based on what it does though, I don't really see a clear heuristic you can apply.
At the heart of things, it's basically an app that opens web pages. Lots of apps do similar things, I don't see how you can implement a heuristic that would trigger false positives.
It seems like the only approach they can take is looking for specific code signatures, a tactic which works but is also easily worked around as the code changes.
Still. Not. A. Worm.
</ysac>
Yawn.
The "BUT IT DOESN'T INFECT THE SYSTEM!" screaming is just a geek defense mechanism that shows ignorance of how computers are actually used. Nobody at work gives a shit about the system. They don't care about the OS, the applications. They've learned that we, the IT people, can get that all back and running quickly. None of it matters to them.
What matters is their data. That is what they want, what they worry about. From the important, like actual work, to the trivial like bookmarks and backgrounds, that is what they want us to save when a computer has a problem. It is of no comfort to them that "The malware only infected your account," because their account is what matters to them.
In terms of real damage it also doesn't matter. Even if malware infects a system so badly there is no possible removal, who cares? I can rebuild a system from scratch, no problem. However, if malware gets in and steals passwords, credit card data, SSNs, then it doesn't matter if it just had access to one account; real damage is done.
Isolation to an account doesn't matter and the malware authors have figured this out.
Wow, the anti-Apple sharks are in the water biting at everything. Question. How do you tell that a piece of software asking for an in-app purchase is malware/crapware/just bad software? How does anti-virus software prevent that from happening?
I ask, because, as I understand it, this Mac Defender malware starts an installer that requires user interaction to go through a series of steps (no Admin level stuff) to actually install the software. Once the user has completed the steps, it then goes through another series of steps to try to convince the user that they need to purchase the license.
Okay, how is this much different than a legitimate piece of trialware? Yes, we happen to know this group will use that credit information for nefarious purposes. But how is anti-malware supposed to discriminate between legitimate and non-legitimate software? How do you protect the user from being ill-informed or just plain stupid?
So, when are the bad guys going to invent the "Mac Guard Cleaner" tool?
It was discovered that a site called SourceForge has a massive collection of OS X potential malware.
SourceForge, like Anonymous, is a collection of software hackers who write code and then try and get other people to run it.
There is no central SourceForge quality control and no protection that the code uploaded is not malware.
To infect the computer the OS X users need only download the source files and recompile using the compiler included in the OS X distribution.
There are no system messages to warn about running Linux programs that may need header file changes on a BSD platform.
Worse still, if an OS X user were to modify the source code it would give them complete control to screw up their computer.
There is a grave danger of rootkits where hackers instruct users to download these "SourceForge" source code programs and then modify them to enable a trojan horse or virus function. If a user were to download one of these files and then hand-change it they could broadcast their most personal information all over the internet.
Worse still, because there has been such a small rate of this occurring in the past, any increase would catch the OS X community completely unprepared. As the OS X platform overtakes the Windows platform as the operating system of the future we risk a grave future where hackers can write source code that is capable of operating on literally millions of Apple computers.
Then they yelled at the ones who had stars at the start,
“We’re still the best Sneetches and they are the worst.
But now, how in the world will we know”, they all frowned,
“If which kind is what, or the other way round?”
Then up came McBean with a very sly wink.
And he said, “Things are not quite as bad as you think.
So you don’t know who’s who. That is perfectly true.
But come with me, friends. Do you know what I’ll do?
I’ll make you, again, the best Sneetches on the beaches.
And all it will cost you is ten dollars eaches.”
----
I hope everyone knows this story and appreciates the relevance.
Like a total stranger walking up to your door and saying, "here eat this turd." Password or no, only the stupid will fall for this one.
As long as users have access to even the smallest portion of a file system, malicious programs will continue to use this access and manipulate it to their benefit, whether it's potentially gaining higher privileges, or sitting in a loop of not being able to do much other than annoy people.
I don't see the solution as continual limitation of users' access, but instead increasing the ease of removal by an administrator; an example being an easy removal of some form of user profile and recovery from a backup source, whether that's on Unix, Linux, or Windows.
I lol at you Apple
I'm a mac lover, and if you look up towards the top, I'm probably one of the first posts to say 'wait until the Windows guys come after OS X'.
It's just reality: these 'exploits' are user exploits, not true OS exploits. They are hacking the user, getting them to do something they shouldn't. If the OS stopped you (which it can), then you'd be ranting about how evil Apple is for locking down the OS to the point of being a walled garden.
OS X WILL get beaten to hell and back if it keeps gaining popularity. Hopefully Apple will have learned from what's happened to Windows and will not suffer all the same issues along the way; they have clearly done something better out of the gate, but it is not at all a perfect implementation, as there have been plenty of exploits up to this point and there'll be plenty more for sure.
If Linux got popular, the same thing would happen to it. They stopped going after the OS; it's FAR FAR FAR (insert 20 or so more FARs) easier to convince an ignorant user to do something they shouldn't than to exploit the OS, even on Windows nowadays. Do people still hack the OSes? Sure. I used to crack games for people on IRC just for the challenge, and never played the game beyond verifying the crack. It's fun. Some people think causing massive amounts of extra work for other people on the Internet is fun; most of the time they grow out of that before high school ends, though, and put the script kit away. Very few people actually put work into exploiting the OS in order to get their malware spread, and those guys usually don't want to get noticed, so they aren't doing stupid shit like 'buy our software' popups. They're just quietly using your machine to spam for profit.
I'm a lazy engineer with enough years of hacking hardware, tools and control systems to not want to waste time on broken products. Windows is one of those products. Microsoft Windows was created broken, constantly patched, but never fixed in twenty years. But these comments are not really about Windows vs Macintosh security, are they? It appears to me that Windows fanboys have been in pain for so long that they can't possibly admit that they suffer by choice. When faced with that possibility they are quick to point a finger and say, "just wait, you will get yours!" Have they really suffered so much and so long that they can only spit venom, and wish their misadventures on others? Apparently so. As I previously posted, it's Microsoft's greed and laziness, not malware writers' cleverness, that has produced our current reality. Microsoft effectively built in a root-level exploit when they implemented Windows with OLE/ActiveX at its heart. OLE/ActiveX helped Microsoft to displace IBM in corporate circles because any generic Windows PC in a corporate network could be "owned" by network administrators. This had many advantages prior to 1994 when corporate networks were closed. But once the Internet was opened to the public that became a liability. To make things worse, Windows 95 and succeeding versions added full TCP/IP stacks to this mix. Direct access to TCP/IP via OLE/ActiveX became a huge exploit for self-executing code. That is the key that MS Windows root kits are based on. What was "good enough" in 1993 is sorrowfully lacking in 2003. That's why I say it is not the brilliance of malware creators that powers these exploits, but the myopic greed and laziness of Microsoft. On top of this, it is the constant churn of the running battle that is "Windows User vs Malware" that primes the uninitiated for manipulation. Every month there is some new Windows exploit that gets lots of press.
Then, several times a year some hit-whore writes a "Smug Macintosh users will get theirs" article. This produces FUD in the uninitiated who want to believe the "press" is objective and balanced, so they click and install... just to be safe. Will some clever programmer figure out a method for exploiting Mac OS, or even iOS? If substantial money is to be gained, it is a high likelihood. But I would be very surprised if the current Apple goes down the same path that Microsoft took.
The flood started a long time ago.
Practically from the days of the yellow box and the blue box.
What we are seeing now is the shift from professionals to skript kiddies. That's why this is in the news. Skript kiddies don't know how to keep their heads down.
But the first wave of skript kiddies will pass. And Mac malware operating in the wild will still be, relative to the installed base, at least an order of magnitude less than MSWindows malware.
But how did we get here? Everyone has to compete with Microsoft, and the only way to do that is to do inherently unsafe junk. That's why I really don't like Microsoft. They push the vulnerable marketplace.
It's not the real pros.
Yeah, it's something to worry about, but it's high-profile. The guys who really know their stuff don't do high-profile, and that's why we haven't seen this until now. They have definitely known about local execution for a long time, and there really is nothing special about this tool. Except that only a script kiddie would make something like it and release it to the wild.
This has been possible since well before Mac OS X 10.0, and I had to admit to myself by 10.3 that Apple, as a company, was not really interested in pre-emptive security measures. When they "switched" processors, I finally had to admit to myself that Steve was either not really seeing a whole lot more of the picture than Bill, or that the board of directors was insisting on going head-to-head with Microsoft instead of trying to solve the real problems. (Probably both.)
Now, x86 has inherent security issues, and none of the current crop from Intel (or AMD, et al.) fixes the real problems, but that's not what I'm talking about. (PPC and ARM have some of the same issues, and issues of their own.)
The attitude problem is visible in the execution of the switch, although it was also visible in the "secrecy" surrounding their maintaining the parallel code base until the switch.
A code base that includes multiple CPU architectures, the more different the better, is an essential part of security.
But that has nothing to do with the current use of this feature (local execution) as a pseudo-vulnerability, other than as parallel evidence of the inability of large computer companies to face certain realities about computer security. (And as evidence that the kiddies are taking notice of the Mac, which means, yes, this will be used for capturing sudo passwords and making botnets as much as for stealing credit card numbers, which is why Apple's response is anything but satisfying.)
But, no, Microsoft's tools are not any sort of a solution. If anything, they just prolong the mess. And the way they use DRM only makes it that much harder to secure in any real sense. They use bits and pieces of some of the right tools to solve the wrong problems.
Red Hat is probably the best Linux distribution for this kind of stuff, but you have to shut off the stupid SELinux NSA-trap before you can start.
The best defense is to keep valuable stuff off your PCs. That being a kind of not-very-good solution, the next best option is to use multiple bank accounts and get the bank to put tight charge limits on the accounts that you use on the web, even though they will try their best to talk you out of it, and may even refuse to set up the separate accounts for you, in which case you have to use more than one bank. (Actually, we all need to use more than one bank anyway.)
Hmm. This belongs in a blog entry, more than in this reply.