Mac Malware Evolves - No Install Password Required
An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
I always find it stupid that even here people say that malware on Linux would not be able to gain root like in Windows. Spam bots, fake antiviruses, password stealing nasties and so on run perfectly fine under a normal user account. There is no reason why they would require admin privileges. All the personal files are accessible on a normal user account and spam can be sent without root too. Sure, it could hide a little bit better if it had root access, but there's plenty of tricks to pull off under a normal account too. It's like a guy making everything overcomplicated by thinking how he needs to act like a perfect guy and take the girl to a fancy restaurant and many dates before having intercourse with her. Sometimes it's just easier to go for a ladyboy - a woman with men's desire for sex. Requiring access to the root account would be a more common situation with something like hacking servers, since you need to modify logs and really hide in the system. Most likely you also need to get access to HTTP ports, and under Linux you need the root account for those. But malware runs perfectly fine under a user account.
...is anyone actually surprised by this?
Palm trees and 8
This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.
Give me Classic Slashdot or give me death!
My PC can't get Mac malware.
So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.
If all else fails, immortality can always be assured by spectacular error.
It was only a matter of time till there started being viruses and malware for the MAC; just like anything else, the more market share something gets, the more it gets picked apart. It's only a matter of time till we see desktop Linux get viruses and malware released. We have already seen some variation of it with the way they are pulling Android apps off the market because of security issues.
http://www.thetechnologygeek.org
High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security. Any malware can run in the user space of any OS if the user installs it (and they will); and at minimum it has access to all of a user's private data. That should be just as worrisome as a single user machine getting rootkitted - while the harm to the system is greater for a rootkit, the damage to the user is just the same.
The only real issue is the "auto-download safe content" default option in Safari. It shouldn't be enabled by default. Just uncheck it.
Another case of iClicitys (rush of advertisement clicks generated by Apple buzz)
So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.
So either the patch will already recognize and remove this, or they will have to issue another little update to take care of it completely. Given that they are not compromising any privileges, stopping this should be ridiculously easy. Why are these guys even bothering?
Unless perhaps they are trying to get an installed base with the current package, which can then perhaps help with a real exploit - e.g. directing a browser to a website that exploits a real vulnerability.
Yes, yes. We hear this every single time there's Mac malware. You do realize that this isn't the first time, right?
Originally this malware asked for an admin password which means it could get access to admin privileges. This new variant installs under user permissions which means that the admin can more easily remove it. That is assuming users don't run as admin. BTW, this variant still requires user intervention to install so it's not quite a virus or worm but still a Trojan.
Well, there's spam egg sausage and spam, that's not got much spam in it.
One of the key selling points that entices a lot of novice users to buy an Apple over a PC is lack of malware/virii. The other key selling points being ease of use/reliability/stability. This latest outbreak, while not particularly damaging, and while not really a threat as the user still must "install it," is getting a ton of media attention and is thus removing the "cloak of invulnerability" that Macs have been advertised to have against malware and virii. So now when a novice user, who doesn't know any better, has to choose between the more expensive Mac vs a cheaper PC, will the remaining key selling points be enough to entice them to pay the higher premium? Many people switch solely on the reason of not dealing with virii/malware, but now that they will have to deal with that (whether or not it's true is irrelevant, as in many novices' minds Macs are now vulnerable) they might just stick with their PC. Bottom line - this is going to really hurt Apple a lot more than most people realize, as they will no longer have the novice users switching just to avoid virii and malware. Apple's "cloak of invulnerability" has been removed...and whether the remaining key selling points will sustain them remains to be seen.
Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)
The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.
They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.
I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows' fault in those situations either; the user simply installed something that took over the system.
"All great wisdom is contained in .signature files"
It depends on who is using the computer. GNU/Linux has many millions of desktop users, but it would be pretty hard to convince most of those people to run some random program they downloaded from some website. Mac OS X's userbase, on the other hand, is composed mainly of people who are not knowledgeable about computers and who wanted something that was "easier" or "more user friendly" than Windows (cue the comments from technically adept people who happen to like Mac OS X), and may more easily fall victim to social engineering.
Of course, desktop GNU/Linux use is expanding to more people who are not so technically inclined, so this may change over the next few years.
I'm really curious just what Apple will do in a patch to prevent this. You could of course recognize one variant, but you can't easily find an infinite number of variations... especially when there's so little difference between a trojan and some application that is meant to be downloaded and run.
The funny thing is currently the absolute safest recommendation you can make to a Mac user to keep them safe is to NOT install any anti-virus software.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.
You are still required to click through an install wizard, so this is in no shape or form an install performed without the user.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
But... but... weren't we all told that this isn't possible? I'm sure I've heard the rhetoric repeatedly before that if someone didn't bother porting some malware to Mac or Mozilla back when they had tiny market share, then it's some kind of proof that they're secure and it can't be done.
A polar bear is a cartesian bear after a coordinate transform.
Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?
Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."
As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.
ps aux | grep "$USER"
OH HEY GUYS THAT LOOKS WEIRD
killall -9 "$SUSPICIOUS_PROGRAM"
rm "$PATHTOSUSPICIOUSPROGRAM/$SUSPICIOUS_PROGRAM"
And not even have to have a # in your prompt. No sudo, no su, no nothing.
Go on with life
Wow. That's...difficult.
--
BMO
That seems like it's not really any protection at all. Most Macs are likely single user setups anyway. Sometimes, sure, you'll have some other users on the machine, but most of them are likely just tied to one user.
To that one user, their files are the critical component of the machine. If they bought the machine, they have the reinstall discs for the OS, plus those of any upgrades. Annoying? You betcha. But if they haven't been backing up their files (shame on them) then having to reinstall the OS is the LEAST of their worries.
And this of course goes for Windows and Linux installs as well. And really, even in a multi-user/single-machine scenario, while the damage is limited, it is still potentially devastating for the user involved. And again, for many (most?) installs, there's only one user that matters anyway.
The new version was simply designed more intelligently.
PS: I know I shouldn't have put "void" in front of "main" but it's 15 years since I wrote any serious C, and malware is supposed to be badly-written, isn't it?
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
Oh you're so right, why they can even get to the DOS underpinnings that way! Oh, wait a tick, that hasn't been true for nearly FIVE years now, since Vista and 7 both run IE under low rights mode, something even Linux doesn't have. Last time I checked Linux ran the browser with the same rights as the user that launched it, whereas both IE and Chromium-based browsers (like the Comodo Dragon I'm typing on now) run as LOW rights, with the Dragon and other Chromiums going one step further and sandboxing (and if you are running the excellent Avast free you can have a "Yo Dawg" moment as it sandboxes too) the browser.
So unless you want us to start talking about how Linux is only up to version 2 of the kernel and doesn't support SATA yet, you might want to stick with the facts, kay? If someone chooses to run a decade old OS, even if MSFT is nice enough to still offer security patches, that still isn't gonna make it safe for the modern web, any more than digging out some 10 year old Debian discs would make for a very secure web server.
As for TFA, what was it I said to the Mac troll that swore up and down it wasn't a bug (he insisted on correcting everyone with a nice blame the victim "it's a trojan!" meme) and insisted it didn't have anything to do with his excellent OS, just stupid users? Oh yeah, I said "the blood is in the water, now the wolves will come because they have seen that many Macs are like sheep ready for the slaughter" and guess what? I was right! Apple has gotten by with "security by obscurity" for so long that practically NO Sally Average Mac user follows safe practices, nobody on the Apple side runs AV or antimalware, so here come the sharks.
Which only makes sense, because despite all the "poo poo, Macs aren't toys for the rich, poo poo" studies have shown that not only do Mac owners have multiple Macs, they on average pull down $100,000 a year. Wow. Who do you think has a juicier CC? The guy making $100k a year pisslefarting on his Mac? Or Becky the Wally World checkout girl who just got that $400 Dell out of lay-away? I know who I would be going after, and it sure wouldn't be Becky. Windows will be the target for botnets, and Macs will be the targets of those wanting them CC digits.
Mark my words: Now that they have seen how well they can spread, the blood IS in the water, now the sharks will come. Like any other predator, the wolves looking to steal CCs, be it by ransomware or scareware or simply snatching the digits, will look at Macs like a hungry wolf looks at a nice T-Bone steak. If it is any consolation Mac guys, I have a feeling Android may be the "mass market" product that bones the Linux guys, so at least you won't be alone. As a Windows builder allow me to say...Welcome! The "how not to get pwned" workshop is on Thursdays, coffee and donuts are in the back. Welcome to the club fellas, hey at least that means you're popular now, right?
ACs don't waste your time replying, your posts are never seen by me.
Linux's mode is even more powerful than Windows'. It's just not commonly used because it's a pain to manage.
MAC (stop yelling!) is a brand of cosmetics. I believe you mean "Mac", which is short for Macintosh, a brand of computer manufactured by Apple, Inc.
There's a glaring flaw in your reasoning.
Malware authors don't want to wreck your system. They want to get value out of your system. That doesn't need root.
This would only happen if there's an unpatched privilege escalation vulnerability on the system you're using.
I'm not sure why Windows/Mac/Linux would be any different in this regard.
I'd take these new "malware" scares seriously if I ever, ever encountered one on my Mac in real life, or knew anyone that had. I hear lots of haters, lots of hearsay, but not much else.
'Your brain is God.' -- Dr. Timothy Leary
Even a heuristic based on the signature of this one variant would likely be effective against many or most possible variants.
Based on what it does though, I don't really see a clear heuristic you can apply.
At the heart of things, it's basically an app that opens web pages. Lots of apps do similar things, I don't see how you can implement a heuristic that would trigger false positives.
It seems like the only approach they can take is looking for specific code signatures, a tactic which works but is also easily worked around as the code changes.
Still. Not. A. Worm.
</ysac>
Yawn.
The "BUT IT DOESN'T INFECT THE SYSTEM!" screaming is just a geek defense mechanism that shows ignorance of how computers are actually used. Nobody at work gives a shit about the system. They don't care about the OS, the applications. They've learned that we, the IT people, can get that all back and running quickly. None of it matters to them.
What matters is their data. That is what they want, what they worry about. From the important, like actual work, to the trivial like bookmarks and backgrounds, that is what they want us to save when a computer has a problem. It is of no comfort to them that "The malware only infected your account," because their account is what matters to them.
Also in terms of real damage it also doesn't matter. Even if malware infects a system so bad there is no possible removal, who cares? I can rebuild a system from scratch no problem. However if malware gets in and steals passwords, credit card data, SSNs, then it doesn't matter if it just had access to one account, real damage is done.
Isolation to an account doesn't matter and the malware authors have figured this out.
Wow, the anti-Apple sharks are in the water biting at everything. Question. How do you tell that a piece of software asking for an in-app purchase is malware/crapware/just bad software? How does anti-virus software prevent that from happening?
I ask, because, as I understand it, this Mac Defender malware starts an installer that requires user interaction to go through a series of steps (no Admin level stuff) to actually install the software. Once the user has completed the steps, it then goes through another series of steps to try to convince the user that they need to purchase the license.
Okay, how is this much different than a legitimate piece of trialware? Yes, we happen to know this group will use that credit information for nefarious purposes. But how is anti-malware supposed to discriminate between legitimate and non-legitimate software? How do you protect the user from being ill-informed or just plain stupid?
So, when are the bad guys going to invent the "Mac Guard Cleaner" tool?
TFA you linked to did not say what the average income of Mac owners is.
Oh, wait a tick, that hasn't been true for nearly FIVE years now since on Vista and 7 both run IE under low rights mode something even Linux doesn't have.
sudo -u $browseruser /usr/bin/firefox
Just create a separate user for browsing if you don't want the browser messing around with your files. Sure, it requires configuring sudoers, but not exactly rocket science.
Right Linux users never grab stuff from random repositories ... they always use the ones built in with the OS install and never add their own.
As far as the Mac userbase being like Windows ... well, you do realize that anyone who isn't just a 'Linux Zealot' and actually just likes UNIX in general pretty much loves OSX because it's UNIX WITH a pretty GUI and apps that weren't designed by high school kids with no ability to focus or consider the people they are 'developing the software for'.
I don't think you could possibly be more wrong about the user base. Before OSX you would probably be right, but after OSX was released, pretty much every UNIX lover on the planet got a boner over it, myself included. Most people that rant on about OSX for various reasons are typically Linux Zealots. This isn't a troll, I don't mean Linux users are jealous, most don't give a shit. The ones that rant and rave and make stupid statements like yourself however, are most certainly nothing more than ignorant zealots 9 times out of 10.
OSX users may be less computer literate because they don't have to be UNIX admins to make the OS work, but many UNIX admins love it. On the other hand, you aren't running Linux unless you're a geek or the fact that it's Linux is completely hidden from you (like in, say, a TiVo or router or something). No non-geek has ever gone out and looked for how to use Linux, and it's certainly unlikely any non-geek installed it without a geek to guide them through the process.
Your zealotry has you completely out of touch with reality.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Yeah, someone's never seen 'sudo' in use. You don't always need your "special" password (which is 90% of the time the same anyway for home users).
Then they yelled at the ones who had stars at the start,
“We’re still the best Sneetches and they are the worst.
But now, how in the world will we know”, they all frowned,
“If which kind is what, or the other way round?”
Then up came McBean with a very sly wink.
And he said, “Things are not quite as bad as you think.
So you don’t know who’s who. That is perfectly true.
But come with me, friends. Do you know what I’ll do?
I’ll make you, again, the best Sneetches on the beaches.
And all it will cost you is ten dollars eaches.”
----
I hope everyone knows this story and appreciates the relevance.
Wow, the anti-Mac trolls out in force. Somehow your logic about being clever applies to OS X, but doesn't apply to the OS with the exact same security model.
So unless you want us to start talking about how Linux is only up to version 2 of the kernel and doesn't support SATA yet you might want to stick with the facts, kay?
Are you retarded? If Linux doesn't support SATA then how is my computer running right now?
You, uh... might want to reread that. The bit you quoted is in response to 5-year out of date ranting on the part of the GP.
You just got seriously whooshed, and there wasn't even a joke.
Like a total stranger walking up to your door and saying, "here eat this turd." Password or no, only the stupid will fall for this one.
"not only do mac owners have multiple Macs, they on average pull down $100,000 a year. Wow. Who do you think has a juicier CC? The guy making $100k a year pisslefarting on his Mac? Or Becky the Wally world checkout girl who just got that $400 Dell out of lay-away? I know who I would be going after, and it sure wouldn't be Becky. Windows will be the target for botnets, and Macs will be the targets of those wanting them CC digits."
--------------
Hmmm. I certainly don't fit this image. My last tax year I ran just north of 23K. I have 7 year old mac mini, a hackintosh dell mini 10v I picked up for $240, and a newer mac mini I recently got for $600 bucks.
I suppose you are right, I do own multiple Macs, but I don't think my credit card would do a thief a whole lot of good.
Right, and now you can't save downloaded files to ~/incoming.
IE & Chrome process isolation is more than that - it does run the tab processes in a low-privilege sandbox, but it also provides them a very restricted API for limited, user-controlled access outside of that sandbox.
I'm a mac lover, and if you look up towards the top, I'm probably one of the first posts to say 'wait until the Windows guys come after OS X'.
It's just reality, these 'exploits' are user exploits, not true OS exploits. They are hacking the user, getting them to do something they shouldn't. If the OS stopped you (which it can) then you'd be ranting about how evil Apple is for locking down the OS to the point of being a walled garden.
OSX WILL get beat to hell and back if it keeps gaining popularity. Hopefully Apple will have learned from what's happened to Windows and not suffer all the same issues along the way; they have clearly done something better out of the gate, but not at all a perfect implementation, as there have been plenty of exploits up to this point and there'll be plenty more for sure.
If Linux got popular, the same thing would happen to it. They stopped going after the OS; it's FAR FAR FAR (insert 20 or so more FARs) easier to convince an ignorant user to do something they shouldn't than exploit the OS, even on Windows nowadays. Do people still hack the OSes? Sure. I used to crack games for people on IRC just for the challenge, and never play the game beyond verifying the crack. It's fun. Some people think causing massive amounts of extra work for other people on the Internet is fun, most of the time they grow out of that before high school ends though and put the script kit away. Very few people actually put work into exploiting the OS in order to get their malware spread, and those guys usually don't want to get noticed so they aren't doing stupid shit like 'buy our software' popups. They're just quietly using your machine to spam for profit.
Which only makes sense, because despite all the "poo poo, Macs aren't toys for the rich, poo poo" studies have shown [mashable.com] that not only do mac owners have multiple Macs, they on average pull down $100,000 a year.
You're too stupid to understand that "“Thirty-six percent of Apple computer owners reported household incomes greater than $100,000, compared to 21 percent of all consumers.”" does not mean that "they on average pull down $100,000 a year."
The rest of your post is even dumber. Knuckle draggingly dumb.
If saying someone "got whooshed" is "harsh," no wonder everyone's first reaction to getting their panties in a bunch is to run, sobbing, to mommy and demand that "being a big meanie" be declared a felony.
Right, and now you can't save downloaded files to ~/incoming.
You obviously don't know how to use groups. On second thought, with an ID like yours you're obviously a troll.
You obviously missed the point. If the user under which the browser runs can save files to any folder at all - whether you set it up using groups or otherwise - then you're back to square one. Your browser can now download e.g. a bash script from the Net and run it - that's not a sandbox.
Furthermore, even if you do use groups like that - now you can only save to ~/incoming. What if I want to save to ~/docs also? Should I give the browser access to that as well? Oh, and I want ~/pics as well. But wait, now it can read all the files I actually care about. So much for sandboxing.
A proper sandbox does not give browser direct access to your home at all. It gives it an API which lets it access things in a controlled way - the sandboxed process can request that user selects a place to save a file (the corresponding dialog pops up outside the sandbox), and then the file is opened, and some form of handle to that file is provided to the sandbox. The sandbox thus has access to that particular file - which can be anywhere on the filesystem where the real user has proper permissions - but to that file alone, and as soon as the file is closed, the handle is invalidated, and any further file access has to go through the same process again. Thus, the user is always prompted to pick a file first, and nothing happens behind his back.
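The broker-style exchange described above (sandboxed side asks, the dialog happens outside, only an open handle comes back), as an added example that is not from any poster or browser project. It simulates the two sides with a forked child and passes the descriptor over a Unix socket with SCM_RIGHTS; the kernel confinement of the child itself (seccomp, namespaces, Sandbox profiles) is assumed and not implemented here, and all names and the `SAVE` wire format are made up for the example.

```python
"""Simulated broker / sandbox file-save exchange (added example).

Assumptions: POSIX host (fork, Unix sockets, SCM_RIGHTS), Python 3.9+.
The 'sandboxed' side is a forked child that is handed only a file
descriptor, never a path; the broker (standing in for the save dialog
outside the sandbox) decides which file is opened. Confining the child
with kernel mechanisms is out of scope for this example.
"""
import os
import socket
import tempfile

SAVE_REQUEST = b"SAVE"   # made-up wire format: b"SAVE\0<suggested name>"


def broker_choose_path(approved_dir: str, requested_name: str) -> str:
    """Stand-in for the 'save as' dialog: the sandbox may only suggest a
    file name; the location is fixed to the user-approved directory and
    the resolved target is re-checked so symlinks cannot escape it."""
    name = os.path.basename(requested_name)
    if not name or name in (".", ".."):
        raise ValueError("refused: empty or traversal file name")
    path = os.path.join(approved_dir, name)
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(approved_dir):
        raise ValueError("refused: target escapes approved directory")
    return path


def broker_serve_one(sock: socket.socket, approved_dir: str) -> str:
    """Handles one save request: opens the file outside the sandbox, hands
    the descriptor in, drops its own copy. Returns the path actually used."""
    kind, _, requested = sock.recv(1024).partition(b"\0")
    if kind != SAVE_REQUEST:
        raise ValueError("unknown request")
    path = broker_choose_path(approved_dir, requested.decode("utf-8", "replace"))
    # O_NOFOLLOW: a symlink planted at the chosen name must not redirect the write.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    try:
        socket.send_fds(sock, [b"OK"], [fd])   # the fd travels as SCM_RIGHTS ancillary data
    finally:
        os.close(fd)   # broker keeps no handle; the sandbox now holds the only one
    return path


def sandboxed_child(sock: socket.socket, payload: bytes) -> None:
    """Runs with no path knowledge: requests a save, receives exactly one
    descriptor, writes through it and closes it. Another save would need
    another request, so nothing happens behind the user's back."""
    sock.sendall(SAVE_REQUEST + b"\0" + b"report.txt")
    msg, fds, _flags, _addr = socket.recv_fds(sock, 1024, 1)
    if msg != b"OK" or not fds:
        os._exit(2)
    os.write(fds[0], payload)
    os.close(fds[0])   # handle invalidated once the file is closed
    os._exit(0)


def run_exchange(payload: bytes = b"saved via brokered handle\n") -> tuple:
    """Runs both sides once and returns (path used, bytes the child wrote)."""
    approved_dir = tempfile.mkdtemp(prefix="approved-")   # constructed 'user-chosen' folder
    parent_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        parent_sock.close()
        sandboxed_child(child_sock, payload)   # never returns
    child_sock.close()
    path = broker_serve_one(parent_sock, approved_dir)
    os.waitpid(pid, 0)
    parent_sock.close()
    with open(path, "rb") as f:
        return path, f.read()


if __name__ == "__main__":
    used_path, written = run_exchange()
    print(used_path, written)
```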
And what's wrong with my ID?
Sorry. I took it that you were saying that you could not accomplish the ~/incoming thing using Linux. However your ID indicates you at least know how to shutdown Linux.
Actually, my ID indicates that I know how to shut down FreeBSD - Linux would be "shutdown -P now" (capital "P").
The flood started a long time ago.
Practically from the days of the yellow box and the blue box.
What we are seeing now is the shift from professionals to skript kiddies. That's why this is in the news. Skript kiddies don't know how to keep their heads down.
But the first wave of skript kiddies will pass. And Mac malware operating in the wild will still be, relative to the installed base, at least an order of magnitude less than MSWindows malware.
But how did we get here? Everyone has to compete with Microsoft, and the only way to do that is to do inherently unsafe junk. That's why I really don't like Microsoft. They push the vulnerable marketplace.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
It's not the real pros.
Yeah, it's something to worry about, but it's high-profile. The guys who really know their stuff don't do high-profile, and that's why we haven't seen this until now. They have definitely known about local execution for a long time, and there really is nothing special about this tool. Except that only a script kiddie would make something like it and release it to the wild.
This has been possible since well before Mac OS X 10.0, and I had to admit to myself by 10.3 that Apple, as a company, was not really interested in pre-emptive security measures. When they "switched" processors, I finally had to admit to myself that Steve was either not really seeing a whole lot more of the picture than Bill, or that the board of directors was insisting on going head-to-head with Microsoft instead of trying to solve the real problems. (Probably both.)
Now, x86 has inherent security issues, and none of the current crop from Intel (or AMD, et al.) fix the real problems, but that's not what I'm talking about. (PPC and ARM have some of the same issues, and issues of their own.)
The attitude problem is visible in the execution of the switch, although it was also visible in the "secrecy" surrounding their maintaining the parallel code base until the switch.
A code base that includes multiple CPU architectures, the more different the better, is an essential part of security.
But that has nothing to do with the current use of this feature (local execution) as a pseudo-vulnerability, other than as parallel evidence of the inability of large computer companies to face certain realities about computer security. (And as evidence that the kiddies are taking notice of the Mac, which means, yes, this will be used for capturing sudo passwords and making botnets as much as for stealing credit card numbers, which is why Apple's response is anything but satisfying.)
But, no, Microsoft's tools are not any sort of a solution. If anything, they just prolong the mess. And the way they use DRM only makes it that much harder to secure in any real sense. They use bits and pieces of some of the right tools to solve the wrong problems.
Red Hat is probably the best Linux distribution for this kind of stuff, but you have to shut off the stupid SELinux NSA-trap before you can start.
The best defense is to keep valuable stuff off your PCs. That being a kind of not-very-good solution, the next best option is to use multiple bank accounts and get the bank to put tight charge limits on the accounts that you use on the web, even though they will try their best to talk you out of it, and may even refuse to set up the separate accounts for you, in which case you have to use more than one bank. (Actually, we all need to use more than one bank anyway.)
Hmm. This belongs in a blog entry, more than in this reply.