Mac Malware Evolves - No Install Password Required
An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.
This means the problem would be isolated to that particular user's account.
For many home users, that is all that really matters. We are not talking about an enterprise setup here, we are talking about some person's laptop. Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.
The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.
They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.
I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows' fault in those situations either; the user simply installed something that took over the system.
Follow up. I find it interesting that they gloss over the fact that to completely avoid this all you need to do is turn off "open safe files after downloading" in Safari, and/or not be stupid. Their solution is to purchase their anti-malware package for Mac. Question for samzenpus: how much did these guys pay you to post this?
This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.
How about the comments in the last article from the fanboys screaming "BUT THEY NEED TO PUT IN THEIR PASSWORD UNLIKE SHITTY WINDOWS" and then modded up to +5 insightful.
Welcome to the new reality. I think they'll find that userland rights on any modern OS are pretty lenient and will allow for a great deal of scammy malware activities. Malware doesn't need to run in any system directory or open any low ports or anything.
Now is probably a good time to invest in OSX AV products.
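The point about userland being enough deserves a concrete illustration. The following is an added example, not code from the thread or from any vendor mentioned in it: it scans launchd agent plists of the kind that live in ~/Library/LaunchAgents, which launchd loads with the logged-in user's privileges only, so a trojan running as a standard user can drop one there for persistence without ever being asked for a password. The home path, the set of "user-writable" prefixes and the three sample plists are constructed for the example; none of them describe a real sample.

```python
"""Added example: flag per-user launchd agents that auto-start a program
living in user-writable space (the no-admin-needed persistence pattern).

Sample plists below are constructed input, not real malware artifacts.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Assumption: a fixed home directory so the example runs anywhere.
# A real scan would use Path.home().
HOME = Path("/Users/example")

# Paths a standard (non-admin) user can write to. A program launched from
# here was installed without any privilege escalation.
USER_WRITABLE_PREFIXES = (
    str(HOME),
    "/tmp",
    "/private/tmp",
    "/var/folders",
    "/private/var/folders",
)


def program_path(plist: Dict) -> str:
    """launchd accepts either 'Program' or 'ProgramArguments'[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def is_suspicious(plist: Dict) -> bool:
    """True when the agent auto-starts a binary from user-writable space."""
    path = program_path(plist)
    autostart = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    return autostart and path.startswith(USER_WRITABLE_PREFIXES)


def scan_agents(plist_blobs: Dict[str, bytes]) -> List[str]:
    """Return the labels of suspicious agents.

    Keys are plist file names, values the raw plist bytes (XML or binary).
    """
    hits = []
    for name, blob in plist_blobs.items():
        try:
            plist = plistlib.loads(blob)
        except plistlib.InvalidFileException:
            continue  # unparsable plist: launchd would not load it either
        if is_suspicious(plist):
            hits.append(plist.get("Label", name))
    return hits


def scan_directory(directory: Path) -> List[str]:
    """Real-world entry point: read every .plist in a LaunchAgents folder."""
    return scan_agents({p.name: p.read_bytes() for p in directory.glob("*.plist")})


def sample_plists() -> Dict[str, bytes]:
    """Constructed sample input: one benign agent, one user-level drop,
    one agent that never auto-starts."""
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    }
    user_drop = {
        "Label": "com.example.fakeav",
        "ProgramArguments": [
            str(HOME / "Library/Application Support/.fakeav/agent"),
            "--hide",
        ],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    no_autostart = {
        "Label": "com.example.manual",
        "Program": str(HOME / "bin/tool"),
    }
    return {
        "com.example.updater.plist": plistlib.dumps(benign),
        "com.example.fakeav.plist": plistlib.dumps(user_drop),
        "com.example.manual.plist": plistlib.dumps(no_autostart),
    }


if __name__ == "__main__":
    print(scan_agents(sample_plists()))  # ['com.example.fakeav']
    # On a Mac: print(scan_directory(Path.home() / "Library/LaunchAgents"))
```

Two caveats a practitioner would add: a benign agent dropped by a legitimately installed app can also live under the home directory, so this is a triage list rather than a verdict, and an attacker who already has user rights can just as easily use a login item or a shell profile instead of launchd, so any real check should cover those too.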
The problem with this assessment is that it's the exact same assessment that OS X has been receiving for the past 6 years whenever a new Trojan pops up. And no, this trojan really isn't any different than its predecessors. I'm not trying to defend OS X as the almighty glorious Mac Master Race computer, but it's a little ridiculous to see this cycle every time an OS X Trojan pops up (and they've pretty much all been trojans -- IIRC, a few were classified as worms, but I really don't remember clearly):
1. Malware appears for OS X
2. AV companies advertise it wildly
3. Journalists/"Analysts" declare that age of Innocence for OS X is over, no longer "immune" to Malware
4. Message Board users declare the end of OS X/Catastrophic damage
5. Time passes and reality sets in -- the Malware/Trojan fails to reach any noticeable level of threat
Again, this isn't to say OS X is immune. Absolutely not. But every time a bit of Malware appears, this exact cycle happens -- and OS X and Apple's sales only go up.
That's a little like saying "Oh, just run NoScript or disable the Java plugin" in the Windows world. Most end users have no clue what "safe files" are or what any of what you wrote means.
Not to mention, any web-based exploit can install this malware now. It runs purely in userland. Java exploits, Flash exploits, browser exploits, etc. open the gate for this malware. Today it's the safe files in Safari, tomorrow it's one of dozens of Java exploits.
It's simply easier for end users to do updates and buy an AV than to dick around with settings they don't remotely understand. To Apple's benefit, they're usually good about software updates and also update Java (at least for now).
Not just that, but the Sophos article glosses over the fact that you still get
1. an operating system warning about executing a file downloaded from the internet (complete with reference to where it was downloaded from). They mention it in the text, but omit it in their "slideshow" showing the steps to getting infected.
2. an OS X installer GUI, which means it can be canceled.
What this is *not* is a hidden and silent install like what is going on with Windows.
Oh, you're so right, why, they can even get to the DOS underpinnings that way! Oh, wait a tick, that hasn't been true for nearly FIVE years now, since Vista and 7 both run IE under low rights mode, something even Linux doesn't have. Last time I checked, Linux ran the browser with the same rights as the user that launched it, whereas both IE and Chromium-based browsers (like the Comodo Dragon I'm typing on now) run as LOW rights, with Dragon and other Chromiums going one step further and sandboxing the browser (and if you are running the excellent Avast free you can have a "Yo Dawg" moment as it sandboxes too).
So unless you want us to start talking about how Linux is only up to version 2 of the kernel and doesn't support SATA yet you might want to stick with the facts, kay? If someone chooses to run a decade old OS, even if MSFT is nice enough to still offer security patches, that still isn't gonna make it safe for the modern web, anymore than digging out some 10 year old Debian discs would make for a very secure web server.
As for TFA, what was it I said to the Mac troll that swore up and down it wasn't a bug (he insisted on correcting everyone with a nice blame-the-victim "it's a trojan!" meme) and insisted it didn't have anything to do with his excellent OS, just stupid users? Oh yeah, I said "the blood is in the water, now the wolves will come because they have seen that many Macs are like sheep ready for the slaughter" and guess what? I was right! Apple has gotten by with "security by obscurity" for so long that practically NO Sally Average Mac user follows safe practices, nobody on the Apple side runs AV or antimalware, so here come the sharks.
Which only makes sense, because despite all the "poo poo, Macs aren't toys for the rich, poo poo" studies have shown that not only do mac owners have multiple Macs, they on average pull down $100,000 a year. Wow. Who do you think has a juicier CC? The guy making $100k a year pisslefarting on his Mac? Or Becky the Wally world checkout girl who just got that $400 Dell out of lay-away? I know who I would be going after, and it sure wouldn't be Becky. Windows will be the target for botnets, and Macs will be the targets of those wanting them CC digits.
Mark my words: now that they have seen how well they can spread, the blood IS in the water, now the sharks will come. Like any other predator, the wolves looking to steal CCs, be it by ransomware or scareware or simply snatching the digits, will look at Macs like a hungry wolf looks at a nice T-bone steak. If it is any consolation, Mac guys, I have a feeling Android may be the "mass market" product that bones the Linux guys, so at least you won't be alone. As a Windows builder, allow me to say... Welcome! The "how not to get pwned" workshop is on Thursdays, coffee and donuts are in the back. Welcome to the club, fellas, hey, at least that means you're popular now, right?
You get those kinds of warnings in Windows too. Doesn't stop an idiot from being an idiot, though.