Mac OS Update Detects, Kills MacDefender Scareware
CWmike writes "Apple released an update for Snow Leopard on Tuesday that warns users that they've downloaded fake Mac security software and scrubs already-infected machines. Chet Wisniewski, a security researcher with Sophos, confirmed that the update alerts users when they try to download any of the bogus MacDefender antivirus software. Wisniewski had not yet tested the malware cleaning functionality of the update, but was confident that it would work. 'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.' The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6, aka Snow Leopard, and also increases the frequency with which the operating system checks for new definitions to daily."
The Nuclear Option
So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.
'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'
Pity it won't always be that way, survival of the fittest applies to viruses too.
the rudimentary antivirus detection engine
Wouldn't we be better off detecting the viruses, not the antivirus?
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
The slow, but inevitable slide to Mac OS X being locked down in the exact same way that iOS is.
First they block apps in the name of protecting users from themselves... Then they just slowly increase the definition of "harmful apps."
So the "no malware/virus on Mac" has now changed to "We have malware, but it's better than the ones on Windows"? Wonder what the defence would be when they inevitably start getting more complicated.
Microsoft Security Essentials. It is not included in Windows, due to anti-trust restrictions (so that may change with Windows 8 since those restrictions are going away) but it is a free download. Updates itself automatically like all AV scanners, will also update via Windows Update if there's a problem.
'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'
at least, we hope not (yet).
*Still* negative function...
Thanks!
That they added an anti-virus system, but since this isn't a virus, I am not sure how it will help. Seems like they should have added an anti-trojan system instead. Then again, since Trojans rely on user stupidity, I am not sure how you can completely protect them. I mean if you enter your root password and ask the computer to install something, it should actually comply and do as you wish, even if the thing is something you are stupid to install.
I haven't heard that name since I stopped reading "Hardy Boys" as a kid.
Does this malware require the user to enter a password?
Userspace malware is nothing different than Purple Gorilla Bonzi-Buddy shit.
There is no OS or kernel patch that protects against stupid.
I can install the SELinux scripts, and there is nothing preventing me from utterly hosing the system as administrator or my own account with my own permissions. You would have to make a read-only system, maintained by someone not-me. This is what corporate IT does.
I see a market for itinerant bonded neighborhood sysadmins should people get over themselves and admit that joe-user can't handle his own computer at home.
--
BMO
But it doesn't matter if you just want the piece of malware to do its job: e.g. key-log and scan for personal information
Scanning no, but to intercept keystrokes would require root access.
in addition to keeping a self-updater that may eventually pull an update that does allow for the use of an escalation exploit.
Pretty sure it would need root to install even as a start-up item, and it would be pretty visible if it did so.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Ubuntuers? lol unity?
I think Strongbad said it best. "You're not Ally. You're not even... literate." It's just a shame I can't put you in the recycle bin.
There's no complete cure, no; but there's stuff that you can do to make it better. Apple updating the security mechanism to get its malware definitions on a daily basis, instead of as part of the normal Software Update cycle, is a very good move. It won't completely fix things, though, of course. You're absolutely right, you can't stop stupid.
But you can certainly make stupid _worse_: and Safari's "open safe files" feature (especially defaulting to yes), which includes dmgs (think, isos kinda for non-Mac folk) and archives is an especially stupid thing to do and makes the impact of stupid users, worse.
I was kinda hoping they'd at least flip that default when they addressed this issue. But I'll take the daily updates.
I hope Apple takes this incident to heart and makes one minor, but very significant, change to how their OS(or more specifically, their OS setup process) works: namely that the default user should not have admin privileges! Currently an out of the box Mac will prompt the user to set up an account, and that account will have admin privileges. To actually set up another account the user has to know enough to go into sy
Hopefully in Lion they will, at the very least, explain to users that they should set up a non-admin account to do their everyday computing and only use the admin account when they need to do admin things.....
Monstar L
It's all configured using the command line and plists, as God intended.
Because Mac users who want to configure things are not drooling apes that need a GUI to configure every last part of the system.
Almost completely irrelevant.
When the 'admin' user attempts to do anything requiring root privileges, the system prompts for a password. If you are running as a non-admin user, you just have to fill in a different username in the password box that pops up (that of an admin account). If you don't know the admin account password, then you are obviously not managing your computer, and if you do... Then you have to type in an entire extra word to get root privileges! Wow!
Userspace malware is nothing different than Purple Gorilla Bonzi-Buddy shit.
Purple Gorilla Bonzi-Buddies that quietly wait in the background downloading exploit code for the privilege escalation du jour. Once there's userspace malware, user-intervention isn't required; sometimes not even a login since it can use the system's scheduling (cron/schtasks.exe) to download when the user is logged out, and schedule a new exploit attempt immediately after download.
My mom refuses to ditch Windows despite nearly everyone else in my family (including grandparents) using Linux...
She's the only one that still gets malware -- the answer was simple: Windows Steady State -- Restores the state of the machine each boot!
Other family members using Linux still have loads of "free" stuff installed that they don't need (from the repositories), but at least it's not malware.
Hint: People want free stuff -- Give them an OS that has it easily available.
That would solve a lot of problems.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
If you don't know the admin account password, then you are obviously not managing your computer, and if you do... Then you have to type in an entire extra word to get root privileges! Wow!
This.
The only thing loladminpassword promptspam does is train users to automatically enter the password without pausing even for a second to think about it first. You see the box, you type in the password and hit enter, possibly while emitting a snort of annoyance. It's bloody training users to bad practices; not preventing anything.
If Apple does get their future, where everything is part of the Apple walled garden and all apps, media, etc have to come from Apple, then it would be possible to stop user infections. If the screening process was thorough enough, you could make sure nothing malicious ever made it through. Of course that is a big if; people could get creative to get around it. There's also the fact that many of us are not thrilled with the idea of one company being the gatekeeper of everything.
Short of that, nothing you can do. In fact, little you can do about system level malware. Most people don't pay attention to privilege escalation prompts. They just hand over their password or click ok when asked because they view it as another hoop to jump through.
When you exploit the user, there is little that can be done. That is one of the reasons I'm a big proponent of on access virus scanners. They are not perfect, but they can help protect users against themselves. Since they (in theory at least) only stop bad things you can train users "When this says it is bad, you need to get rid of it."
After playing around with Vista and its UAC when it first launched, I was impressed by its UI to make it seem very daunting and scary. I hoped it would train users to hit escape and find something better to do than shoot themselves in the foot.
Guess I was wrong...
Non impediti ratione cogitationus.
The problem is ultimately you're still ignoring the weakest link which is the human factor. While the general security you mention is very real the last few viruses that got into the house were the result of someone physically double clicking something and then answering yes to a security question. This type of malware has nothing to do with the security of the system and every system is susceptible to it. Sure the VB script on the mac may not have had access to %obscure_API% but the damage is just as bad if not worse if the result of it is to encrypt your user files and then hold your data for ransom.
Windows isn't great, but Mac OSX's lack of malware really IS due to marketshare. Why would anyone go to the effort of writing something when there's a very real risk that few people will get the chance to execute it. Look at the Android platform. Security on it is quite good, yet every week we see some story about malware all of which is installed by either the user de-activating the protections, or blindly allowing some offline app access to the phone dialer and SMS.
Not exactly.
That user doesn't have admin privileges; that user is in effect, in the sudoers file. They can authorize admin privileged actions. The default user can't modify or tweak anything in /System. But they can be prompted to allow elevated access to allow things to write into important parts of the system.
And frankly, that SHOULD be the default. It doesn't make any sense at all to be more restrictive than that. Yes, you should not run as root, or administrator on Windows, in your day to day stuff. But in your regular, day to day stuff, on your machine -- you will in the normal course of events need to authorize programs to install globally or tweak system prefs or whatever else on occasion.
No one will EVER learn the "lesson" you want them to be taught. In a secure environment, you may have your regular user, who can't even possibly access (even via sudo) admin power, and an entirely separate account you use to do the system configuration and application install tasks that need higher authority. That will NEVER happen on user-focused machines. It's a frankly absurd notion.
Yes, that means machines will always be susceptible to stupid people running crap that they don't mean to download or are tricked to downloading, and that means there is no /solution/ to the problem of malware. In truth, even with such a system, you wouldn't solve the stupid. You can't solve the stupid.
The default user that people operate on, and which programs they naturally, passively run under -- should not have admin access. Of course not. Even Microsoft gets that, though their implementation of the escalation process is less than ideal. But if you expect someone to sit down on their desktop machine and ever have more than a single account, you're -- out of touch. That account should not have direct system-level access, no: but no one but a tiny minority of power users will ever accept having to set up some entirely separate account that can escalate privileges.
It's not that people are stupid, or careless. It's that your expectations are absurd. Security and ease-of-use are opposing concerns. Everyone with any sense knows this: in some situations the demands of security are such that we force the pain on usage, in others we try to find a balance which isn't as difficult.
There will never be a world where people will have two separate accounts on their home machine and that they need to decide to go from one account to another to make changes or operate said machine. People will simply use the tool given them, as they understand it is to be used.
Even on linux, more is rarely expected outside of highly secure environs. Sudo is the norm. Yeah, your account can't do much, but you can explicitly invoke its elevation with your own same password -- and that's fine. Home machines will never, ever, be bastions of secure practice.
It's just not worth the pain in the ass to regular people doing regular things. Is it as good as it can be, as secure as it can be? Not yet, but they are working on it. Windows has its UAC method of privilege escalation that is overly in your face so it's too easy to hit 'yes' without thinking; Linux has its explicit 'sudo' which is fine (and with GUI helpers in certain environments), and Mac has its own escalation prompt. Is this paradigm of the default user being a sudoer ideal? Maybe not. But it's usable, and better than the situations where everything runs as root/administrator.
Usability frankly trumps security. You can not honestly expect users to give up much on their home systems, usability wise; or you're just out of touch with reality.
Did they include a death's head symbol?
The Tao of math: The numbers you can count are not the real numbers.
This will never stop the pillock clicking all the dialogue boxes that pop up during a browsing session.
NB: Your computer is infected and so are you, please insert download and install our software (PCFresh) and then put your floppy into the drive and we can clean your private parts.
Percentage wise, I wonder what the split is between Windows users and Mac users.
Because people continue to write more viruses and malware for Windows, people will continue fighting back. Windows will always be more secure than OS X.
So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.
If you read t.f. summary:
....the rudimentary antivirus detection engine embedded in Mac OS X 10.6, aka Snow Leopard, ... also increases the frequency with which the operating system checks for new definitions to daily."
I'd prefer that they would get these definition updates out faster in the future but the update rate is not exactly as mind-numbingly slow as you suggest either.
I ran across it this past weekend. I tried it just now and the ad is still being served via the oddsiti URL. (Not the actual content, that's on a numbered IP machine.)
I suggest you add "||oddsiti.com^" to your adblock preferences, as any ad provider that lets this kind of crap through deserves to be blocked, not to mention allowing ads to be served from numbered IP addresses.
For those of you who want to see it, here it is, but I'm adding spaces to keep the link dead without manual editing:
http://oddsiti . com/?id = 541894
It's being served by a different numbered IP address than it was the other day (was on a 178. address now on a 212. address), and I don't think this is MacDefender, but some other scareware trash that's just as stupid.
to remove smugness, I see.
So if I want to protect against malware on a mac I need to update its OS every day, potentially? See the thing is, the last time I updated its OS it went down (didn't come back after reboot) which took me two days to diagnose, fix, and restore my stuff from backup. Since then I decided I don't want to update my OS any more. Will I still be protected by Apple if I don't choose to install their latest risky OS version, but just keep the one I have and will they automatically supply me the fixes to the malware search tool? Seems like it might be easier just to install an anti-malware package and be done with it.
Korma: Good
is that you can't protect a Mac with this fix unless you accept everything else that Apple has deemed to be essential in the most recent version of the OS.
Or at least that is what Apple is telling its customers.
"A plan fiendishly clever in its intricacies"- Homer Simpson
An informative quotation which describes the problem and what you can do about it (Snow Leopard) is modded troll? Fail.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
. Windows has its UAC method of privilege escalation that is overly in your face so it's too easy to hit 'yes' without thinking; Linux has its explicit 'sudo' which is fine (and with GUI helpers in certain environments), and Mac has its own escalation prompt.
I never understood this argument. How is a Mac installation any less 'in-your-face' than the UAC? Sure, it asks for a password. But if I can click allow without thinking, I can type my password without thinking as well. All I know is that I am trying to perform action X, which for some reason brings up a box asking me to perform an action before it can proceed.
That user doesn't have admin privileges; that user is in effect, in the sudoers file.
In particular, one of the groups that user is in is the "admin" group (which does, in fact, happen to be in the sudoers file). At least some directories in OS X have permissions rwxrwxr-x and a group owner of admin, so users in the admin group do have, even when not sudoing something or the GUI equivalent, more privileges than users not in the admin group.
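The point about admin-group-writable directories can be checked directly. The script below is an added example, not code from the thread or from Apple: it takes `ls -ld` style lines and lists every entry that is group-owned by a given group and group-writable, which is exactly the reach an admin-group member has with no sudo and no password prompt. The sample lines are constructed; the `find` command in the comment is the live-system equivalent.

```shell
#!/bin/sh
# Added example (not from the thread): audit which entries a member of the
# "admin" group can write to without escalating. An entry qualifies when its
# group owner is admin AND the group write bit is set in its mode string.

# Reads `ls -ld` style lines on stdin and prints the path of each entry that
# is group-owned by $1 and group-writable. The 6th character of the mode
# field is the group write bit; the 4th field is the group name. The path is
# whatever remains after the first eight fields, so paths with spaces survive.
find_group_writable() {
    awk -v grp="$1" '
        substr($1, 6, 1) == "w" && $4 == grp {
            line = $0
            for (i = 1; i <= 8; i++) sub(/^[^ ]+ +/, "", line)
            print line
        }'
}

# Constructed sample in ls -ld format; not real output from any machine.
SAMPLE='drwxrwxr-x  45 root  admin  1530 May 31 09:00 /Applications
drwxr-xr-x   9 root  wheel   306 May 31 09:00 /System
drwxrwxr-x  12 root  admin   408 May 31 09:00 /Library/Application Support
drwxr-xr-x   5 root  admin   170 May 31 09:00 /Library/Preferences
drwxrwxrwt  10 root  wheel   340 May 31 09:00 /tmp'

# Runs the audit over the sample. On a live Mac the equivalent is:
#   find / -type d -group admin -perm -g+w 2>/dev/null
audit_sample() {
    printf '%s\n' "$SAMPLE" | find_group_writable admin
}

audit_sample
```

Only the two admin-owned, group-writable entries are reported; /tmp is group-writable but owned by wheel, and /Library/Preferences is admin-owned but not group-writable.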
There is no OS or kernel patch that protects against stupid.
As most of my tech support assistance is for GOOD friends only (I long ago bailed on the frustrating path of coddling stupid users through their self inflicted fuckups), I have to agree that there is absolutely no protection against stupid, and as long as vectors use the path of least resistance, i.e. stupid, then they will win.
Stupid trumps all. Just watch some TV.
Ocean is land, covered with water.