Mac Malware Evolves - No Install Password Required
An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
I always find it stupid that even here people say that malware on Linux would not be able to gain root like in Windows. Spam bots, fake antiviruses, password-stealing nasties and so on run perfectly fine under a normal user account. There is no reason why they would require admin privileges. All the personal files are accessible on a normal user account and spam can be sent without root too. Sure, it could hide a little bit better if it had root access, but there's plenty of tricks to pull off under a normal account too. It's like a guy making everything overcomplicated by thinking how he needs to act like a perfect guy and take the girl to a fancy restaurant and many dates before having intercourse with her. Sometimes it's just easier to go for a ladyboy - a woman with men's desire for sex. Requiring access to the root account would be a more common situation with something like hacking servers, since you need to modify logs and really hide in the system. Most likely you also need to get access to HTTP ports, and under Linux you need the root account for those. But malware runs perfectly fine under a user account.
...is anyone actually surprised by this?
This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.
My PC can't get Mac malware.
So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.
The only real issue is the "auto-download safe content" default option in Safari. It shouldn't be enabled by default. Just uncheck it.
Another case of iClickitis (a rush of advertisement clicks generated by Apple buzz).
So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.
Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)
The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.
They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.
I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows fault in those situations either, the user simple installed something that took over the system.
Or they want to infect a trusted file, or more likely, the user info they want will reside in the user's directory.
For the most part, modern attackers don't want to damage your computer, they want to get personal info. CC numbers and the like.
It's best for them if their attack has no noticeable impact on a system.
The vast majority of Windows infections also come from viruses that "must be installed". Not 100% obviously, but if you take out the ones that infected users months after patches were released, and the ones where users clicked through a UAC prompt to install anyway, you end up with a very very small sample.
It's all about social engineering now.
This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.
You are still required to click through an install wizard, so this is in no shape or form an install performed without the user.
But... but... weren't we all told that this isn't possible? I'm sure I've heard the rhetoric repeatedly before that if someone didn't bother porting some malware to Mac or Mozilla back when they had tiny market share, then it's some kind of proof that they're secure and it can't be done.
High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security.
I have a hard time completely dismissing privilege escalation. There is still some value in being able to separate user data from the system proper - if only to make clean-up easier. But I do completely agree with the overall lesson here. An overly simplified view of security might very well overlook the fact that there's still a lot of value with operating in the context of an unprivileged user. And as such, users should remain wary whenever they're acting outside the boundaries of their local environment.
It strikes me that this is a subset of the dancing pigs problem. The promise is that computing is being made easy. And in doing so, the end user gets all manner of over-simplified, friendly (or frightening) messages wanting their rubber-stamp to do various unknown black-box things. Whether you promise dancing pigs or protection from evil hackers, it comes down to the same thing. Present the proper dialog box and end users are likely to accept it.
This is a problem that won't be solved by more dialog boxes. At some point, the user needs to be exposed to some level of the complexity of their environment and hopefully given enough information and skepticism to make reasonable decisions.
The problem with this assessment is that it's the exact same assessment that OS X has been receiving for the past 6 years whenever a new Trojan pops up. And no, this trojan really isn't any different than its predecessors. I'm not trying to defend OS X as the almighty glorious Mac Master Race computer, but it's a little ridiculous to see this cycle every time an OS X Trojan pops up (and they've pretty much all been trojans -- IIRC, a few were classified as worms, but I really don't remember clearly):
1. Malware appears for OS X
2. AV companies advertise it wildly
3. Journalists/"Analysts" declare that age of Innocence for OS X is over, no longer "immune" to Malware
4. Message Board users declare the end of OS X/Catastrophic damage
5. Time passes and reality sets in -- the Malware/Trojan fails to reach any noticeable level of threat
Again, this isn't to say OS X is immune. Absolutely not. But every time a bit of Malware appears, this exact cycle happens -- and OS X and Apple's sales only go up.
Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?
Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."
As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.
ps -uax | grep $USER
OH HEY GUYS THAT LOOKS WEIRD
killall -9 $SUSPICIOUSPROGRAM
rm $PATHTOSUSPICIOUSPROGRAM/SUSPICIOUSPROGRAM
And not even have to have a # in your prompt. No sudo, no su, no nothing.
Go on with life
Wow. That's...difficult.
--
BMO
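A defender-side version of the ps/grep triage in the post above, as an added example that is not part of the thread: it flags processes of the logged-in user whose executable path sits under $HOME, the only kind of location a no-admin-password install can use. The flag_home_procs and list_suspects functions and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: a defender's version of the
# "ps | grep $USER" step. Malware installed without an admin password can
# only live in user-writable places, so a process of ours whose executable
# path sits under $HOME is the first thing to inspect before killing it.

# Flag processes whose command path lies under the given home directory.
# Reads "pid command [args]" lines (the shape of `ps -u "$USER" -o pid=,args=`)
# from stdin and prints "pid path" for each hit, so it works on a captured
# listing as well as a live one. A path containing spaces is cut at the
# first space, which is still enough to decide whether it is under $HOME.
flag_home_procs() {
    home="$1"
    while read -r pid cmd rest; do
        [ -n "$pid" ] || continue
        case "$cmd" in
            "$home"/*) printf '%s %s\n' "$pid" "$cmd" ;;
        esac
    done
}

# Live use against the current login session. Review the output by hand and
# confirm what each binary is before reaching for killall, as the post does.
list_suspects() {
    ps -u "$USER" -o pid=,args= 2>/dev/null | flag_home_procs "$HOME"
}

# Constructed sample of a process listing (not real ps output from any host).
SAMPLE='  412 /usr/libexec/some-system-daemon
  833 /Users/alice/Library/Application Support/FakeAV/scanner -background
  901 /Applications/Safari.app/Contents/MacOS/Safari
 1042 /Users/alice/.cache/updater'

# Run the filter over the constructed sample; prints the two home-directory hits.
demo() {
    printf '%s\n' "$SAMPLE" | flag_home_procs /Users/alice
}
```

Run list_suspects in a terminal as the affected user; everything it prints is under that user's control and can be stopped and removed without sudo, exactly as the post says.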
That seems like it's not really any protection at all. Most Macs are likely single user setups anyway. Sometimes, sure, you'll have some other users on the machine, but most of them are likely just tied to one user.
To that one user, their files are the critical component of the machine. If they bought the machine, they have the reinstall discs for the OS, plus those of any upgrades. Annoying? You betcha. But if they haven't been backing up their files (shame on them) then having to reinstall the OS is the LEAST of their worries.
And this of course goes for Windows and Linux installs as well. And really, even in a multi-user/single-machine scenario, while the damage is limited, it is still potentially devastating for the user involved. And again, for many (most?) installs, there's only one user that matters anyway.
Oh you're so right, why they can even get to the DOS underpinnings that way! Oh, wait a tick, that hasn't been true for nearly FIVE years now since on Vista and 7 both run IE under low rights mode something even Linux doesn't have. Last time I checked Linux ran the browser with the same rights as the user that launched it whereas both IE and Chromium based (like the Comodo Dragon I'm typing on now) run as LOW rights, with the Dragon and other chromiums going one more step further and sandboxing (and if you are running the excellent Avast free you can have a "Yo Dawg" moment as it sandboxes too) the browser.
So unless you want us to start talking about how Linux is only up to version 2 of the kernel and doesn't support SATA yet you might want to stick with the facts, kay? If someone chooses to run a decade old OS, even if MSFT is nice enough to still offer security patches, that still isn't gonna make it safe for the modern web, anymore than digging out some 10 year old Debian discs would make for a very secure web server.
As for TFA, what was it I said to the Mac troll that swore up and down it wasn't a bug (he insisted on correcting everyone with a nice blame-the-victim "it's a trojan!" meme) and insisted it didn't have anything to do with his excellent OS, just stupid users? Oh yeah, I said "the blood is in the water, now the wolves will come because they have seen that many Macs are like sheep ready for the slaughter" and guess what? I was right! Apple has gotten by with "security by obscurity" for so long that practically NO Sally Average Mac user follows safe practices, nobody on the Apple side runs AV or antimalware, so here come the sharks.
Which only makes sense, because despite all the "poo poo, Macs aren't toys for the rich, poo poo" studies have shown that not only do Mac owners have multiple Macs, they on average pull down $100,000 a year. Wow. Who do you think has a juicier CC? The guy making $100k a year pisslefarting on his Mac? Or Becky the Wally World checkout girl who just got that $400 Dell out of lay-away? I know who I would be going after, and it sure wouldn't be Becky. Windows will be the target for botnets, and Macs will be the targets of those wanting them CC digits.
Mark my words: Now that they have seen how well they can spread, the blood IS in the water, now the sharks will come. Like any other predator, the wolves looking to steal CCs, be it by ransomware or scareware or simply snatching the digits, will look at Macs like a hungry wolf looks at a nice T-bone steak. If it is any consolation Mac guys, I have a feeling Android may be the "mass market" product that bones the Linux guys, so at least you won't be alone. As a Windows builder allow me to say...Welcome! The "how not to get pwned" workshop is on Thursdays, coffee and donuts are in the back. Welcome to the club fellas, hey at least that means you're popular now, right?
There's a glaring flaw in your reasoning.
Malware authors don't want to wreck your system. They want to get value out of your system. That doesn't need root.
The "BUT IT DOESN'T INFECT THE SYSTEM!" screaming is just a geek defense mechanism that shows ignorance of how computers are actually used. Nobody at work gives a shit about the system. They don't care about the OS, the applications. They've learned that we, the IT people, can get that all back and running quickly. None of it matters to them.
What matters is their data. That is what they want, what they worry about. From the important, like actual work, to the trivial like bookmarks and backgrounds, that is what they want us to save when a computer has a problem. It is of no comfort to them that "The malware only infected your account," because their account is what matters to them.
Also in terms of real damage it also doesn't matter. Even if malware infects a system so bad there is no possible removal, who cares? I can rebuild a system from scratch no problem. However if malware gets in and steals passwords, credit card data, SSNs, then it doesn't matter if it just had access to one account, real damage is done.
Isolation to an account doesn't matter and the malware authors have figured this out.
Oh, wait a tick, that hasn't been true for nearly FIVE years now since on Vista and 7 both run IE under low rights mode something even Linux doesn't have.
sudo -u $browseruser /usr/bin/firefox
Just create a separate user for browsing if you don't want the browser messing around with your files. Sure, it requires configuring sudoers, but not exactly rocket science.