Slashdot Mirror
Mac Malware Evolves - No Install Password Required
An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
I always find it stupid that even here people say that malware on Linux would not be able to gain root like in Windows. Spam bots, fake antiviruses, password stealing nasties and so on run perfectly fine under normal user account. There is no reason why they would require admin privileges. All the personal files are accessible on normal user account and spam can be send without root too. Sure, it could hide a little bit better if it had root access, but there's plenty of tricks to pull out under normal account too. It's like a guy making everything overcomplicated by thinking how he needs to act like a perfect guy and take the girl to a fancy restaurant and many dates before having intercourse with her. Sometimes it's just easier to go for a ladyboy - a woman with mens desire for sex. Requiring access to root account would be more common situation with something like hacking servers since you need to modify logs and really hide in the system. Most likely you also need to get access to HTTP ports and under Linux you need root account for those. But malware runs perfectly fine under user account.
This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.
Give me Classic Slashdot or give me death!
My PC can't get Mac malware.
This means the problem would be isolated to that particular user's account.
For many home users, that is all that really matters. We are not talking about an enterprise setup here, we are talking about some person's laptop. Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.
Palm trees and 8
The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.
They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.
I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows fault in those situations either, the user simple installed something that took over the system.
"All great wisdom is contained in .signature files"
Not really. And I wasn't really surprised to find that this is a slashvertisment. Sophos makes anti-virus software for Macs. I prefer to get my news from someone who doesn't have a vested interest in selling me stuff directly related to the content of the article.
I still cannot find the droids I am looking for...
The vast majority of Windows infections also come from viruses that "must be installed". Not 100% obviously, but if you take out the ones that infected users months after patches were released, and the ones where users clicked through a UAC prompt to install anyway, you end up with a very very small sample.
Its all about social engineering now.
Follow up. I find it interesting that they gloss over the fact that to completely avoid this all you need to do is turn off download safe files in safari, and/or not be stupid. Their solution is to purchase their anti-malware package for Mac. Question for samzenpus, how much did these guys pay you to post this?
I still cannot find the droids I am looking for...
This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.
How about the comments in the last article from the fanboys screaming "BUT THEY NEED TO PUT IN THEIR PASSWORD UNLIKE SHITTY WINDOWS" and then modded up to +5 insightful.
Welcome to the new reality. I think they'll find that userland rights on any modern OS are pretty lenient and will allow for a great deal of scammy malware activities. Malware doesnt need to run in any system directory or open any low ports or anything.
Now is probably a good time to invest in OSX AV products.
The problem with this assessment is that it's the exact same assessment that OS X has been receiving for the past 6 years whenever a new Trojan pops up. And no, this trojan really isn't any different than its predecessors. I'm not trying to defend OS X as the almighty glorious Mac Master Race computer, but it's a little ridiculous to see this cycle every time an OS X Trojan pops up (and they've pretty much all been trojans -- IIRC, a few were classified as worms, but I really don't remember clearly):
1. Malware appears for OS X
2. AV companies advertise it wildly
3. Journalists/"Analysts" declare that age of Innocence for OS X is over, no longer "immune" to Malware
4. Message Board users declare the end of OS X/Catastrophic damage
5. Time passes and reality sets in -- the Malware/Trojan fails to reach any noticeable level of threat
Again, this isn't to say OS X is immune. Absolutely not. But every time a bit of Malware appears, this exact cycle happens -- and OS X and Apple's sales only go up.
Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?
Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."
As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.
ps -uax | grep $USER
OH HEY GUYS THAT LOOKS WEIRD
killall -9 $SUSPICIOUS PROGRAM
rm $PATHTOSUSPICIOUSPROGRAM/SUSPICIOUSPROGRAM
And not even have to have a # in your prompt. No sudo, no su, no nothing.
Go on with life
Wow. That's...difficult.
--
BMO
That's a little like saying "Oh just run noscript or make disable the java plugin" in the Windows world. Most end user have no clue what "safe files" are or what any of what you wrote means.
Not to mention, any web based exploit can install this malware now. It runs purely in userland. Java exploits, flash exploits, browser exploits, etc open the gate for this malware. Today its the safe files in Safari, tomorrow its one of dozens of Java exploits.
Its simply easier for end users to do updates and buy an AV than to dick around with settings they don't remotely understand. To Apple's benefit they're usually good about software updates and also update Java (at least for now).
not just that, but the sophos article glosses over the fact that you still get
1. an operating system warning about executing a file downloaded from the internet (complete with reference to where it was downloaded from). They mention it in the text, but omit it in their "slideshow" showing the steps to getting infected.
2. an osx installer gui which means it can be canceled
What this is *not* is a hidden and silent install like what is going on with Windows.
Oh you're so right, why they can even get to the DOS underpinnings that way! Oh, wait a tick, that hasn't been true for nearly FIVE years now since on Vista and 7 both run IE under low rights mode something even Linux doesn't have. Last time I checked Linux ran the browser with the same rights as the user that launched it whereas both IE and Chromium based (like the Comodo Dragon I'm typing on now) run as LOW rights, with the Dragon and other chromiums going one more step further and sandboxing (and if you are running the excellent Avast free you can have a "Yo Dawg" moment as it sandboxes too) the browser.
So unless you want us to start talking about how Linux is only up to version 2 of the kernel and doesn't support SATA yet you might want to stick with the facts, kay? If someone chooses to run a decade old OS, even if MSFT is nice enough to still offer security patches, that still isn't gonna make it safe for the modern web, anymore than digging out some 10 year old Debian discs would make for a very secure web server.
As for TFA, what was it I said to the Mac troll that swore up and down it wasn't a bug (he insisted on correcting everyone with a nice blame the victim "its a trojan!" meme) and insisted It didn't have anything to do with his excellent OS, just stupid users? oh yeah I said "the blood is in the water, now the wolves will come because they have seen that many Macs are like sheep ready for the slaughter" and guess what? I was right! Apple has gotten by with "security by obscurity" for so long that practically NO sally average Mac user follows safe practices, nobody on the Apple side runs AV or antimalware, so here come the sharks.
Which only makes sense, because despite all the "poo poo, Macs aren't toys for the rich, poo poo" studies have shown that not only do mac owners have multiple Macs, they on average pull down $100,000 a year. Wow. Who do you think has a juicier CC? The guy making $100k a year pisslefarting on his Mac? Or Becky the Wally world checkout girl who just got that $400 Dell out of lay-away? I know who I would be going after, and it sure wouldn't be Becky. Windows will be the target for botnets, and Macs will be the targets of those wanting them CC digits.
Mark my words: Now that they have seen how well they can spread the blood IS in the water, now the sharks will come. like any other predator the wolves looking to steal CCs, be it by ransomware or scareware or simply snatching the digits, they will look at Macs like a hungry wolf looks at a nice T-Bone steak. If it is any consolation Mac guys, I have a feeling Android may be the "mass market" product the bones the Linux guys, so at least you won't be alone. As a windows builder allow me to say...Welcome! The "how not to get pwned" workshop is on Thrusdays, coffee and donuts are in the back. Welcome to the club fellas, hey at least that means you're popular now, right?
ACs don't waste your time replying, your posts are never seen by me.
You get those kinds of warnings in Windows too. Doesn't stop an idiot from being an idiot, though.
SJW: Someone who has run out of real oppression, and has to fake it.
I find it interesting that they gloss over the fact that to completely avoid this all you need to do is turn off download safe files in safari, and/or not be stupid. Their solution is to purchase their anti-malware package for Mac.
So you're under the assumption that if you disable this particular setting, then you are now immune to all present and future malware on a Mac, correct? That proactive things like anti-virus or malware scanning are unnecessary, right? That the entire Mac malware threat ends with a single checkbox, is that about it?
You realize that nearly every time a piece of malware comes out for Windows that there's typically a single setting you can change to mitigate that one specific threat, right? Has that fact stopped criminals from finding new infection vectors?
The news here is not this one piece of software, or how it gets installed, or what it does, or how to stop it. The news is the fact that the professional malware authors are now targeting Macs, and they have the automated toolkits to do it. A little checkbox in your browser isn't going to change that fact.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black