Slashdot Mirror


New Mac OS X Trojan Hides Inside PDFs

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

194 comments

  1. Nothing to see.. by Anonymous Coward · · Score: 4, Informative

    Article is shallow: users click executables disguised with a PDF icon.. Nothing to see here, move along folks!

    1. Re:Nothing to see.. by ceoyoyo · · Score: 1

      Don't forget the part where opening a "PDF" asks for your admin password. Hm....

      (Note: I couldn't find out whether it actually asks for your admin password, but if it actually wants to do much it's going to have to)

    2. Re:Nothing to see.. by Kenja · · Score: 1

      At the very least it would warn you that the application was not in the white list and ask if you wanted to add it.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

    3. Re:Nothing to see.. by Richard_at_work · · Score: 5, Insightful

      Do much being .... What, exactly? Access your browser to capture your passwords? Participate in a DDOS? Send spam email? Propagate itself?

      Don't need admin to do any of that...

    4. Re:Nothing to see.. by __aailrp9629 · · Score: 1

      Oh, don't worry. Nobody clicks through to the articles anyway.

    5. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      Yea- but can the application install itself to continually start up? Ideally in a user/admin environment without the user entering a password you couldn't get the spyware/malware to automatically start at boot. There would be nothing to attach to either. Thus making it difficult to cause continued problems for users. Obviously this does not solve the problem completely as even a single click of a PDF could stay loaded on the system until reboot. Ideally exchangeable document formats would not permit executable code in the first place. Ideally in order to get executable code enabled users would have to be admin and technical enough to use a terminal. A few step process. Anybody else would require a pseudo techy user from India's approval (which would have an instant response). That user would then make a recommendation. This way someone whose job it is to know the bad from the good could make an educated determination about the request. The user would then agree to execute it if the Indian tech said "probably safe", "definitely safe" (white listed), or "may not be safe, not recommended", or "probably not safe", "almost certain not safe, not recommended", "don't install this it is on our blacklist as dangerous".

    6. Re:Nothing to see.. by ceoyoyo · · Score: 0

      Kinda kills the fun when your DDOS/spam relay etc. gets itself zapped every time the user restarts the computer.

      Mac users tend not to restart their computers very often, but the ones who randomly click on executables sent to them by e-mail are probably the few who do.

      Oh, and on a Mac your passwords are stored in the system keychain, which is encrypted and yes, does require your password to access.

    7. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      Article is complete BS, however it actually has been possible to compromise OSX using PDFs (see example below) in the past and sure there are many more bugs to come. Benefits of the PDF vector include that in general people tend to trust opening them and particularly in OSX, a thumbnail image is automatically generated so attackers don't even need the victim to open the file; also Apple's default mail client auto-previews PDFs in incoming mail so the user doesn't even have the choice not to open them.

      http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch

    8. Re:Nothing to see.. by Anonymous Coward · · Score: 1

      Typical mac-boy thinks his machine is invulnerable to malware. Can only administrator set +x on files? Can only administrator customize your menu items? You are not thinking very creatively about how to penetrate a system without using admin privileges. Also, I doubt that you could not write a key-logger without admin privileges, but I don't know enough about macs to be sure.

    9. Re:Nothing to see.. by Richard_at_work · · Score: 2

      I don't need the admin password to add something I own to my own startup items list...

    10. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      What's more is the article is not even claiming to have seen one in the wild!

      Fuck you slashdot. I am fucking tired of the constant flamebait bullshit headlines and articles.

    11. Re:Nothing to see.. by Zephiris · · Score: 4, Informative

      It can add itself to your user files, which allow something to start "at boot", as long as that user is the one (auto)logging in.

      You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

      As TFA says, this isn't a PDF, but an executable merely pretending to be one.

      It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

      If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel. :p

      --

      "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris

    12. Re:Nothing to see.. by ThorGod · · Score: 1

      The new piece of malware hides inside a PDF file and delivers a backdoor that hides on the user's machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user's machine and then opens it as a way to hide the malicious activity that's going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, which is named Imuler.A, which attempts to communicate with a command-and-control server.

      That server isn't capable of communicating with the malware, however, the researchers found, so the malware is on its own once it's installed on a victim's machine. What's not clear is exactly how the malware is spreading right now.

      Vague enough to be worthless, but worded to sound informative.

      --
      PS: I don't reply to ACs.

    13. Re:Nothing to see.. by ThorGod · · Score: 1

      So...turn off pdf previews (always a good idea) and/or don't use Mail.app. Also, don't download pdfs from strange sources. Pretty basic stuff.

      --
      PS: I don't reply to ACs.

    14. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      Until there's as much malware on Mac OS X as there is in windows, we'll continue to see attention drawn to any minor 'security holes'. Everybody loves drama, especially when it's the family down the street that's always been well off.

    15. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      restart? you mean close the lid and open it again?

    16. Re:Nothing to see.. by ninetyninebottles · · Score: 1

      It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part.

      What makes you think it wouldn't be sandboxed on OS X 10.7 by default, the same as every other app you download?

    17. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      Mail, Safari, and Preview open PDFs in a separate sandboxed process. Nothing to worry about.

    18. Re:Nothing to see.. by SchMoops · · Score: 1

      Except it's NOT EVEN A PDF, so you don't need to take those precautions. OS X will say "_____ is an application you downloaded from the Internet. Are you sure you want to run it?" so any tech-literate user will know that it's an executable, not a PDF.

    19. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      It's easy enough to use launchd to add startup items for the currently logged-in user. It's pretty annoying. I had to set up a folder action to alert me whenever something decides to have itself launch on login. I wish changes to login items would require a password.

      Short of the iOS locked-down approach, I don't see an obvious way to balance convenience with security. Users will enter passwords with little to no thought, and will likely be calling tech support if the computer won't let them just run the freeboobs.exe file received from an unfamiliar email address. I suppose if setting up a Mac for a newbie one could enable the parental controls stuff.
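The alert the poster set up with a folder action can also be done as a baseline-and-diff of the LaunchAgents folders, which is what the following script does. It is an added example, not the poster's setup and not anything from the article; it assumes the standard per-user and machine-wide LaunchAgents directories, and the job plist it writes into a scratch folder is a constructed sample.

```python
import hashlib
import json
import os
import plistlib
import sys
import tempfile

# Where launchd looks for per-user jobs (writable without any password) and
# for machine-wide jobs (needs admin rights). Assumed, standard locations.
DEFAULT_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents")


def snapshot(dirs=DEFAULT_DIRS):
    """Map each .plist under `dirs` to the SHA-256 of its contents."""
    seen = {}
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(path):
                with open(path, "rb") as fh:
                    seen[path] = hashlib.sha256(fh.read()).hexdigest()
    return seen


def describe_agent(path):
    """Pull out what a job would run and whether it starts at login."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:        # unreadable or not a plist: still report it
        return {"label": None, "command": None, "run_at_load": None,
                "error": str(exc)}
    command = job.get("ProgramArguments")
    if command is None and "Program" in job:
        command = [job["Program"]]
    return {"label": job.get("Label"), "command": command,
            "run_at_load": bool(job.get("RunAtLoad", False)), "error": None}


def diff(before, after):
    """Split two snapshots into added, removed and changed paths."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = sorted(p for p in after if p in before and before[p] != after[p])
    return added, removed, changed


def report(before, after):
    """One finding per agent that appeared, changed or vanished."""
    added, removed, changed = diff(before, after)
    findings = []
    for status, paths in (("added", added), ("changed", changed)):
        for p in paths:
            finding = describe_agent(p)
            finding.update(path=p, status=status)
            findings.append(finding)
    for p in removed:
        findings.append({"path": p, "status": "removed"})
    return findings


def write_sample_agent(directory, label="com.example.updater"):
    """Constructed plist mimicking a login-time job; not from any real sample."""
    path = os.path.join(directory, label + ".plist")
    job = {"Label": label,
           "ProgramArguments": ["/tmp/.updater/agent", "--quiet"],  # made-up path
           "RunAtLoad": True}
    with open(path, "wb") as fh:
        plistlib.dump(job, fh)
    return path


def demo():
    """Baseline an empty scratch folder, drop the sample agent in, report it."""
    folder = tempfile.mkdtemp()
    before = snapshot([folder])
    write_sample_agent(folder)
    return report(before, snapshot([folder]))


if __name__ == "__main__":
    # Usage: monitor.py baseline.json  (compares against, then refreshes, the baseline)
    if len(sys.argv) == 2:
        now = snapshot()
        if os.path.exists(sys.argv[1]):
            with open(sys.argv[1]) as fh:
                print(json.dumps(report(json.load(fh), now), indent=2))
        with open(sys.argv[1], "w") as fh:
            json.dump(now, fh)
    else:
        print(json.dumps(demo(), indent=2))
```

Run from a periodic launchd job or cron entry of your own, each run prints what appeared since the previous baseline together with the command it would execute at login.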

    20. Re:Nothing to see.. by ThorGod · · Score: 1

      Yep, it's not a problem if the pdf is an executable disguised as a pdf or an actual pdf...the classic non-problem.

      --
      PS: I don't reply to ACs.

    21. Re:Nothing to see.. by LordLimecat · · Score: 1

      Without your admin password it can still do quite a bit; it could skim your iMail account, access your browser saved passwords, etc-- anything else that YOU have access to without typing a password.

    22. Re:Nothing to see.. by antdude · · Score: 1

      But Mac OS X doesn't use file extensions. How is a Chinese person supposed to know it is a legit PDF or a malware? Do we really need to install an AV in Mac OS X these days?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    23. Re:Nothing to see.. by Guy+Harris · · Score: 3, Informative

      What makes you think it wouldn't be sandboxed on OS X 10.7 by default, the same as every other app you download?

      Because it wasn't downloaded from the App Store, so it isn't sandboxed by default.

    24. Re:Nothing to see.. by spud603 · · Score: 1

      what is iMail?

    25. Re:Nothing to see.. by LordLimecat · · Score: 1

      aka mac mail, whatever that default mail application is.

    26. Re:Nothing to see.. by Andreas+Mayer · · Score: 1

      I had to set up a folder action to alert me whenever something decides to have itself launch on login.

      If it's about a folder why don't you just write protect it?

    27. Re:Nothing to see.. by Andreas+Mayer · · Score: 1

      Without your admin password it can still do quite a bit; it could [...] access your browser saved passwords,

      It could? I guess that depends on the browser. Passwords are typically saved in the keychain. When a program tries to access a keychain item for the first time the user will be queried to confirm the operation by entering his user password.

    28. Re:Nothing to see.. by Andreas+Mayer · · Score: 1

      But Mac OS X doesn't use file extensions.

      Yes, it does.

      How is a Chinese person supposed to know it is a legit PDF or a malware?

      Not sure why the person being Chinese would be relevant ...
      I think the easiest method is to select the file in the Finder and hit the space bar. If it is a PDF, Quick Look will render it. If it is an application, you will only see the icon and other file information.

      To be sure, choose File - Information from the menu bar in Finder. If there's a line that says 'Type: Application' then it's an application.

      Do we really need to install an AV in Mac OS X these days?

      Personally, I think that's not really useful at the moment. There's hardly any malware around for the AV to detect. And the few types that do exist are already found by the integrated protection mechanism.
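The Quick Look and Get Info checks above can be done from a script as well, by looking at what the item actually is (a bundle folder, a Mach-O image, an executable script, or bytes starting with `%PDF-`) rather than at its icon or displayed name. The following is an added example, not code from the thread or from any analysis of the trojan; the sample items it builds in a scratch folder are constructed stand-ins.

```python
import os
import stat
import sys
import tempfile

PDF_MAGIC = b"%PDF-"
# First four bytes of a Mach-O image as stored on disk: MH_MAGIC/MH_CIGAM,
# MH_MAGIC_64/MH_CIGAM_64 and the FAT_MAGIC/FAT_CIGAM universal-binary header
# (0xcafebabe is also the Java class-file magic; for a "PDF" either is a red flag).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
RUNNABLE = ("app-bundle", "mach-o", "executable-file")


def classify(path):
    """Say what the item really is from its structure and bytes, not its icon.

    Returns 'app-bundle', 'directory', 'pdf', 'mach-o', 'executable-file'
    or 'other'. Bundles are directories, so that check comes first.
    """
    if os.path.isdir(path):
        contents = os.path.join(path, "Contents")
        if (os.path.isfile(os.path.join(contents, "Info.plist"))
                and os.path.isdir(os.path.join(contents, "MacOS"))):
            return "app-bundle"
        return "directory"
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    # A script with the execute bit set also runs on double-click.
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "executable-file"
    return "other"


def triage(path):
    """Return (kind, verdict): 'mismatch' when the name claims to be a PDF
    but the content is not, otherwise 'runnable' or 'not-runnable'."""
    kind = classify(path)
    name = os.path.basename(path).lower()
    # Finder hides known extensions by default, so "invoice.pdf.app" is shown
    # as "invoice.pdf": also look at the name with one extension stripped.
    stem = os.path.splitext(name)[0]
    claims_pdf = name.endswith(".pdf") or stem.endswith(".pdf")
    if claims_pdf and kind != "pdf":
        return kind, "mismatch"
    return kind, ("runnable" if kind in RUNNABLE else "not-runnable")


def build_samples(root=None):
    """Write constructed stand-ins (not the real trojan) and return their paths."""
    root = root or tempfile.mkdtemp()
    samples = {"root": root}

    def put(name, data, mode=None):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(data)
        if mode is not None:
            os.chmod(p, mode)
        samples[name] = p

    put("real.pdf", b"%PDF-1.4\n% constructed sample, not a full document\n")
    put("report.pdf", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # bare 64-bit Mach-O header
    put("run.sh", b"#!/bin/sh\necho hi\n", 0o755)
    put("notes.txt", b"plain text\n")
    app = os.path.join(root, "invoice.pdf.app")             # displays as "invoice.pdf"
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        fh.write(b'<?xml version="1.0"?><plist version="1.0"><dict/></plist>')
    samples["invoice.pdf.app"] = app
    return samples


if __name__ == "__main__":
    # Usage: triage.py [path ...]; with no arguments it runs on the constructed samples.
    targets = sys.argv[1:] or [p for k, p in build_samples().items() if k != "root"]
    for item in targets:
        kind, verdict = triage(item)
        print(f"{verdict:13} {kind:16} {item}")
```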

    29. Re:Nothing to see.. by antdude · · Score: 1

      How do you view Mac OS X's file extensions (e.g., .exe)? I always thought they didn't have them like MS' OSes.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    30. Re:Nothing to see.. by Guy+Harris · · Score: 1

      How do you view Mac OS X's file extensions (e.g., .exe)? I always thought they didn't have them like MS' OSes.

      You were mistaken. Executable images in Mac OS X have no file extensions (Mac OS X being a UN*X), and classic Mac OS didn't use extensions, but Mac OS X uses extensions for a lot of file types, including "application bundles" (.app), which is what files (well, directories) in, for example, /Applications are.

      You view them either by using ls or by (at least on Snow Leopard) opening up the preferences for the Finder, selecting the Advanced tab, and checking "Show all filename extensions", so that it shows the extensions even for files for which "don't show the extension" was specified.

    31. Re:Nothing to see.. by antdude · · Score: 1

      Ah, I will have to look at that option.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    32. Re:Nothing to see.. by Dog-Cow · · Score: 1

      He probably set up the action on the launchd folder to alert him when files were added and/or modified.

    33. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      except it notes that there is no PDF icon, so WTF?

    34. Re:Nothing to see.. by AmiMoJo · · Score: 1

      And Microsoft is actually way ahead here. Random files downloaded or found on CDs/USB drives at least generate a warning prompt that allows you to cancel opening them. Granted many users are too dumb to understand what is happening, but even then the app still needs to generate further warning prompts to add itself to start up, dump files in protected filesystem locations, access certain other apps' data or open holes in the firewall. IMHO it is a shame that the Windows Firewall does not block outbound access by default too.

      OSX is just like Windows used to be, i.e. forgo security so that things "just work". It has nothing to do with software vulnerabilities or anything like that, it is simply a case of trusting the user too much.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    35. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      Access your browser to capture your passwords

      Are you talking about browser memory or the saved passwords database? Because I was under the impression that accessing the memory space of other processes required root privileges.
      Please enlighten me on this.

    36. Re:Nothing to see.. by iluvcapra · · Score: 1

      The capability-based privilege system applies to all applications, not just App Store ones. An application on 10.7 can't access paths on the filesystem without either getting explicit permission or asking through an NSOpenPanel, which on 10.7 runs in a separate process.

      --
      Don't blame me, I voted for Baltar.

    37. Re:Nothing to see.. by Guy+Harris · · Score: 2

      The capability-based privilege system applies to all applications, not just App Store ones.

      No, it only applies to applications that have opted into it, which App Store apps have to, but other apps don't.

      An application on 10.7 can't access paths on the filesystem without either getting explicit permission or asking through an NSOpenPanel, which on 10.7 runs in a separate process.

      Again, only if it's opted into it. cat doesn't have to ask permission, and neither do, say, Wireshark or Microsoft Office or Quicken or.... Some apps that ship with Lion are sandboxed, such as TextEdit and Preview, but most aren't.

    38. Re:Nothing to see.. by konohitowa · · Score: 1

      You might want to get caught up on OS X. The application launch system asks for permission (and has been asking for a while, i.e. it's not new to 10.7, although it's more refined in 10.7) of things that were downloaded before allowing them to launch. As to random files on CDs/USB, I couldn't say. I don't recall the last time I used a CD or launched something from a USB, so I have no experience with that level of functionality.

    39. Re:Nothing to see.. by Angostura · · Score: 1

      Safari has set a 'quarantine' bit on downloaded executables since at least 10.4 - this ensures that newly downloaded executables trigger an alert when they are first run.

    40. Re:Nothing to see.. by ceoyoyo · · Score: 1

      Browser passwords on a Mac are in the system keychain, which you have to give the password for. If you're using Mail.app, which I assume you mean by "iMail," it's the same deal. Passwords are stored in the system keychain and are accessible by Mail.app but not by other apps, without the password. I guess it could probably scrape any locally stored e-mail though.

      Anyway, I really don't care what happens to someone dumb enough to click on a fake PDF that's sent to them and then click yes, it's okay to run this untrusted program that just got downloaded from the net. So long as their computer isn't sending me spam.

    41. Re:Nothing to see.. by ceoyoyo · · Score: 1

      You need your own password though.

    42. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      You really don't.

    43. Re:Nothing to see.. by Richard_at_work · · Score: 1

      Only if the option has been locked in the control panel by the end user, and most don't...

    44. Re:Nothing to see.. by Anonymous Coward · · Score: 0

      Don't forget the part where opening a "PDF" asks for your admin password. Hm....

      (Note: I couldn't find out whether it actually asks for your admin password, but if it actually wants to do much it's going to have to)

      You mean just like on Windows where any similar application is going to ask for admin privileges.

    45. Re:Nothing to see.. by Coren22 · · Score: 1

      But, does Mail? Entourage (now Outlook)? How about messaging software that allows file transfer? I know Firefox does, and I believe Chrome does, but not every software does this.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

    46. Re:Nothing to see.. by Coren22 · · Score: 1

      When the OS offers to save a password it asks you. The login keychain, which is the default location for most passwords, is opened at logon, and available to be read pretty readily.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  2. But... by Anonymous Coward · · Score: 0, Insightful

    Macs don't get viruses. The Genius Bar guy told me this yesterday...

  3. Windows is bad, hmmmmk? by LodCrappo · · Score: 1

    Must every story about Mac malware spend more time talking about how Windows is so bad than the OS X malware they are reporting?

    --
    -Lod

    1. Re:Windows is bad, hmmmmk? by Pence128 · · Score: 2

      To be fair, it's a "let's trick people into downloading and running programs" and not a "shit, let's execute data".

      --
      404: sig not found.

    2. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      To be fair the gaylord wanker is not a profitable malware market.

    3. Re:Windows is bad, hmmmmk? by LodCrappo · · Score: 1

      I'm sure that will be a great comfort to the Mac users effected by this malware :)

      --
      -Lod

    4. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      It is, though. The "pink pound" effect amongst mac users means they are more likely to have significant funds for banking trojans to steal. Also many of them still believe the "macs can't get viruses" mantra and take about as many precautions online as they do with anonymous strangers down at the bathhouse.

    5. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      The opposite actually. If you are a Mac user affected by this, then you have to acknowledge at least some personal responsibility, instead of blaming it on the OS manufacturer.

    6. Re:Windows is bad, hmmmmk? by KDR_11k · · Score: 3, Insightful

      So it requires a gullible user. There's not exactly a shortage of those.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.

    7. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      obvious sarcasm is apparently not something you are good at seeing

    8. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      Not really... we can still blame Windows. If not for Windows, there would not be any malware to speak of. Doesn't matter what OS you are using, Windows is to blame.

    9. Re:Windows is bad, hmmmmk? by LodCrappo · · Score: 1

      "isn't anywhere near catching up to Windows-based malware in terms of volume and variety"
      "may be adopting some of the more successful tactics that Windows viruses have been using to trick users"
      "a technique that's been in favor among Windows malware authors for several years now"

      --
      -Lod

    10. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      Thank-you.

    11. Re:Windows is bad, hmmmmk? by marcello_dl · · Score: 1

      So, to be kind and politically correct towards Windows - Stockholm syndrome is real - we must ignore the fact that OSX has indeed less volume and variety of malware? Does not make sense.
      OSX has less malware than Windows and is the more refined desktop OS out there. Windows has more games and possibly vertical apps, and I prefer Debian to both. See? No problems.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol

    12. Re:Windows is bad, hmmmmk? by slimjim8094 · · Score: 1

      But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

      If "people are exceedingly stupid and will do anything the dancing bunnies tell them" is your only major security flaw, I'd say you're doing as well as possible.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.

    13. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing.

      Don't worry, Apple's working on that. (And they'll probably patent it.)

    14. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      Especially when it comes to Apple customers.

    15. Re:Windows is bad, hmmmmk? by johnmorganjr · · Score: 0

      Face it, Windows sucks and Mac is a step up from Windows. Why does everyone have a hard time understanding that? Your Windows is not secure, just a mere speedbump in the road. Run a real OS like Debian or some other version of Linux.

    16. Re:Windows is bad, hmmmmk? by ninetyninebottles · · Score: 2

      But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

      You don't need to prevent a user from being able to run apps, you just need to restrict default behaviors for apps, provide the user with information on how much an "expert" thinks they should trust software, and tell the user in clear and simple terms when the app wants more privileges and exactly what those privileges are. Finally, you need to present this in a usable interface. Apple is already heading down this route with both iOS and OS X. In OS X 10.7 apps are sandboxed by default, although I haven't seen a single report as to if this trojan works within the sandbox, breaks out of the sandbox, or simply fails entirely on Lion.

    17. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

      If "people are exceedingly stupid and will do anything the dancing bunnies tell them" is your only major security flaw, I'd say you're doing as well as possible.

      Ah ah, it's funny. You have stupid people on Windows, and stupid people on Macs. Having stupid people on Windows is bad bad bad and the reputation of Windows suffers. Having stupid people on Macs is good good good since Macs just work and nothing blemishes the shiny Apple.
      But hey macs get viruses and trojans too.

    18. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      How is that different from most of the malware on Windows these days? How many people download malware/trojans because the ad told them that their "virus scanner" that they have never actually installed, has found a virus and must be installed to scan?

      It's email viruses and that junk that causes the most problems these days. There have been far fewer worms and pure attacks based on buffer overflows in recent years.

    19. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      So it's exactly the same as most Windows malware, then.

    20. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      It's worth noting that Windows has more volume and variety of installs than OSX. Saying that Windows has more malware than OSX is like saying that Washington State has more income than Washington, D.C. While that's undeniably true in absolute terms, it may or may not be true in per-capita terms.

    21. Re:Windows is bad, hmmmmk? by johnmorganjr · · Score: 1

      Ok..... who's the crybaby that called me a troll and got my point taken away? You are about as sad as a fresh install of Windows.

    22. Re:Windows is bad, hmmmmk? by LordLimecat · · Score: 1

      Windows 1.1 also has less malware volume and variety of malware than Windows XP. So does BeOS. That doesn't mean it's more secure.

    23. Re:Windows is bad, hmmmmk? by Andreas+Mayer · · Score: 1

      In OS X 10.7 apps are sandboxed by default,

      That's news to me.

      Start up the Activity Viewer. It has a column for 'Sandbox'. Right now about a dozen processes on my machine are sandboxed. The remaining 80-something are not.

      Applications have to be explicitly marked as sandboxed by the developer. This is to prevent damage in case the application gets compromised. This mechanism is not meant to defend against the user willfully running malicious applications.

    24. Re:Windows is bad, hmmmmk? by Andreas+Mayer · · Score: 1

      But hey macs get viruses and trojans too.

      Care to show us a virus for Mac OS X?

    25. Re:Windows is bad, hmmmmk? by tlhIngan · · Score: 1

      You don't need to prevent a user from being able to run apps, you just need to restrict default behaviors for apps, provide the user with information on how much an "expert" thinks they should trust software, and tell the user in clear and simple terms when the app wants more privileges and exactly what those privileges are. Finally, you need to present this in a usable interface. Apple is already heading down this route with both iOS and OS X. In OS X 10.7 apps are sandboxed by default, although I haven't seen a single report as to if this trojan works within the sandbox, breaks out of the sandbox, or simply fails entirely on Lion.

      Users do not read dialog boxes. What you presented is a fancy dialog box, but that's all it is. The Android permissions system works only for tech savvy users. Those who don't will just click "Install" without reading the list at all.

      If you default "no" several permissions, the app can say "I need X permission. Please enable it." and you'll find the user will do it.

      It's called the Dancing Pigs Problem. The user will NOT care about security - they will do whatever it takes to run the app.

      In fact, as Facebook users have shown they will basically be the attack vector.

      Yes, the days of the honor system virus are here. There's no way to protect the user without going to some walled-garden approach. They will open security holes if some app tells them to.

      This is especially prevalent on ways for the users to get stuff for free. Offer pirated software and the user will download all sorts of crap.

    26. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      I'm sure that will be a great comfort to the Mac users effected by this malware :)

      No Mac users will be created by this malware. Some may be affected by it, though.

    27. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      this is an OS-independent social engineering attack, not "Mac malware."

      I think you hit the nail on the head there. This type of attack could be carried out no matter what OS you're on. The user is the weakest link. If the user isn't a complete idiot, then the malware fails. Problem is, you can't patch stupidity.

    28. Re:Windows is bad, hmmmmk? by Anonymous Coward · · Score: 0

      Windows 1.1 also has less malware volume and variety of malware than Windows XP. So does BeOS. That doesn't mean it's more secure.

      I think that's a perfect example of a straw man argument. Congratulations.

    29. Re:Windows is bad, hmmmmk? by fatphil · · Score: 1

      ITYM: ... the Mac users that *infect themselves* with this malware.

      Of course, this is only one step away from being "live", but it's an important step, and until then it really doesn't pose much of a threat to anyone with a brain.

      --
      Also FatPhil on SoylentNews, id 863

    30. Re:Windows is bad, hmmmmk? by ninetyninebottles · · Score: 1

      Users do not read dialog boxes.

      Users do read dialogue boxes, when presented in a decent UI instead of the abysmal situation we have with most programs today. First, they have to be presented sparingly; not a problem going forward as most apps should never need to elevate privileges, especially since those distributed by the manufacturer through controlled channels can be vetted and signed with an ACL. This only applies to unsigned apps downloaded outside the main channels. It will take time to overcome the conditioning most users of Windows have been subjected to their whole lives.

      Second, you have to present information that the user can understand and then give them actual choices about what to do. The buttons should be verbs. If your buttons are OK/Cancel you have failed.

      It's called the Dancing Pigs Problem [wikipedia.org]. The user will NOT care about security - they will do whatever it takes to run the app.

      It presents a false dichotomy. Users will do what they need to to run an app, but there is no reason you have to compromise security to do so. Whether a user trusts or does not trust an app should almost never, ever affect what the app does. You can give apps fake data, fake network, fake anything inside a sandbox or VM. If it's testing to see if it is in a VM, it's almost certainly malware. Once users learn that 99.99% of the time they can choose not to trust something and it will still work fine, they will actually start to pay attention to the .01% of the time where there is a real issue. All the false positives in modern software *cough* Windows, are detrimental.

      All of your arguments are predicated on a system that keeps all the really shitty flaws of current, lousy attempts to implement protection against trojans.

    31. Re:Windows is bad, hmmmmk? by zippthorne · · Score: 1

      It takes time to effect a user. I guess you could start the process while bored, waiting for your computer to be repaired, but somehow I think that any users effected would probably not need any particular comforting regarding the particulars of their conception if this were the case.

      --
      Can you be Even More Awesome?!
    32. Re:Windows is bad, hmmmmk? by LodCrappo · · Score: 1

      We're talking about malware on an OS targeting people who can't even figure out Windows... an OS these same computer illiterates were likely told is perfectly safe and unable to get a virus by the family computer nerd that talked them into buying it. While I agree with the sentiment of your post, I think reality is that the "doesn't work on people who have a brain" thing is going to be even less of an obstacle for malware on OS X than it is in the Windoze world.

      --
      -Lod
    33. Re:Windows is bad, hmmmmk? by fatphil · · Score: 1

      It is alleged that a friend of a friend has often said that Macintoshes are computers for people with one-button brains.

      Certainly you're right, and the "we're safe because we're Jobs' chosen people, Aaaaaamen" attitude harms security.

      --
      Also FatPhil on SoylentNews, id 863
    34. Re:Windows is bad, hmmmmk? by Coren22 · · Score: 1

      How many people download malware/trojans because the ad told them that their "virus scanner" that they have never actually installed, has found a virus and must be installed to scan?

      You would be surprised...I work in a tech company, most people are rather knowledgeable, and we still get hit by this one about once a month...

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    35. Re:Windows is bad, hmmmmk? by Coren22 · · Score: 1

      Perhaps you got modded troll because you live under a bridge and post trollish comments?

      Windows is exactly as secure as Mac at this point, they have the same security mechanisms. UAC == OS X's privilege escalation. They even give the same information nowadays.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  4. Does not hide in PDFs by Anonymous Coward · · Score: 5, Insightful

    It's just a trojan with a PDF icon.

    And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

    Trojans are nothing new, giving them fake icons is nothing new, even Mac trojans are nothing new. News this ain't.

    1. Re:Does not hide in PDFs by oakgrove · · Score: 4, Informative

      Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.

      --
      The soylentnews experiment has been a dismal failure.
    2. Re:Does not hide in PDFs by LordLimecat · · Score: 2

      Let's be clear here, then.

      Is or is not Microsoft to blame for executable content that a user double clicks? Because if we had a clear "no" to that, I think the entire "Windows security vs OSX security" discussion would basically be over.

    3. Re:Does not hide in PDFs by Anonymous Coward · · Score: 0

      As if any Mac user (or Windows user for that matter) could tell...
      (I'm not trying to insult anyone or troll here, It's just my experience, and it's kind of logical.)
      But I must say, Mac, by being simpler, apparently attracts people who wouldn't even be able to use a Windows UI. When I see someone who is especially incompetent with computers or just plain dumb, it's surprising how often they pull a Mac or even an iPad out of their bags.

      While I have massive problems in using a Mac... I always end up having to think "hmm, how would my dad (who has an IQ of 70) try to do this?"... then I do it like that, and lo and behold... That's how it can be done!

      And this absolutely horrifies me... like nothing else.

      My theory is that we're way past the simplest a computer can be, into the territory where *only* simpletons can still use them at anything close to maximum efficiency/comfort. Think super-Clippy.

      And it means that the more dumbed-down an interface is, the easier it is to trick its user. Because the user, just being efficient, is dumbed down too.

    4. Re:Does not hide in PDFs by overkill1024 · · Score: 1

      I almost wonder if Adobe commissioned the trojan just so they can say "Look, it wasn't me this time"

    5. Re:Does not hide in PDFs by UnknowingFool · · Score: 1

      No for a long time MS was blamed because content was executable without the user double clicking. MS has done a lot of work since XP to fix these things but the track record before XP was atrocious.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    6. Re:Does not hide in PDFs by Anonymous Coward · · Score: 0

      I think you're missing the point. You see, we're all trained by Windows to jump through a whole lot of hoops to do simple things, when they should just be simple. I had to train myself to use my Mac, because I was used to doing things the hard way in Windows. Now I just do it the obvious way. I can still use a windows machine and do it the hard way, but I love using my mac because I can work faster. And my Linux box (which I installed from scratch, by the way) because it's really as simple as a mac. You just type a command rather than click it is all. No pointless hoop-jumping.

      Case in point (from a management perspective, at least): I went to a Microsoft-sponsored training seminar on how to use Systems Center Configuration Manager, which is how you do your more advanced remote configuration in a Windows environment. The main part of the training was setting up a remote install of Windows. It took the entire seminar - three hours - to set it up (just set up the install server, not including the actual install). I went back to my office and set one up in Linux in three minutes flat. Then I set one up on my Leopard server in ten.

      And keep in mind that was Microsoft-sponsored. So yes, that was in as ideal an environment as you're going to get.

    7. Re:Does not hide in PDFs by Anonymous Coward · · Score: 0

      Let's be clear here, then.

      Is or is not Microsoft to blame for executable content that a user double clicks? Because if we had a clear "no" to that, I think the entire "Windows security vs OSX security" discussion would basically be over.

      I think you have a good point, but it's not really that simple. You see, in Windows, there are exploits that can hit you just by viewing an image. (Windows Metafile vulernability, anyone?) Yes, that one's been patched, but there have been quite a number of them before and since. You don't get that on the Mac. On the mac, the malware has to rely on a dumb user.

      My point is that Microsoft is having to patch for "multiple vulnerabilities" all of the time. You know that it has more. So does the malware author. He probably knows them before Microsoft does. Here's a cut-and-paste from US-CERT:

      TA11-256A Microsoft Updates for Multiple Vulnerabilities September 13, 2011
      TA11-222A Adobe Updates for Multiple Vulnerabilities August 10, 2011
      TA11-221A Microsoft Updates for Multiple Vulnerabilities August 9, 2011
      TA11-201A Oracle Updates for Multiple Vulnerabilities July 20, 2011
      TA11-200A Security Recommendations to Prevent Cyber Intrusions July 19, 2011
      TA11-193A Microsoft Updates for Multiple Vulnerabilities July 12, 2011
      TA11-166A Adobe Updates for Multiple Vulnerabilities June 15, 2011
      TA11-165A Microsoft Updates for Multiple Vulnerabilities June 14, 2011
      TA11-130A Microsoft Updates for Multiple Vulnerabilities May 10, 2011
      TA11-102A Microsoft Updates for Multiple Vulnerabilities April 12, 2011
      TA11-067A Microsoft Updates for Multiple Vulnerabilities March 8, 2011
      TA11-039A Microsoft Updates for Multiple Vulnerabilities February 8, 2011
      TA11-011A Microsoft Updates for Multiple Vulnerabilities January 11, 2011

      I think they just keep copying and pasting "Microsoft Updates for Multiple Vulnerabilities". Either that, or they have a macro. Nothing in there about Apple. Why? They don't seem to need to. They did their homework and did it right the first^D^D^D second time (yes, there was classic MacOS), and the Linux folks got it right before both of them. And before anyone brings up the kernel.org stuff, that was a stupid user with a weak password, not an OS vulnerability.

    8. Re:Does not hide in PDFs by Anonymous Coward · · Score: 0

      Windows Metafile vulernability,

      s/vulernability/vulnerability/

      Bah. I can't type. Yes, I am being a spelling nazi on my own post. :)

    9. Re:Does not hide in PDFs by Anonymous Coward · · Score: 0

      Let's be clear here, then.

      Is or is not Microsoft to blame for executable content that a user double clicks? Because if we had a clear "no" to that, I think the entire "Windows security vs OSX security" discussion would basically be over.

      Depends. What does Microsoft do to inform the user that the item in question is (or could be) malicious?

      Vista and Win7 have UAC, which basically brings them to the level of OS X 10.4/10.5, so they display a big 'I don't know what this is, but it's an executable of some kind" warning, which people generally click through without thinking.

      OS X 10.6 and later added built-in signature malware detection, installed and updated automatically every day. Whenever a sample of this trojan gets around to Apple's security team, it'll be added to the signatures and pushed out to every Mac user. Then the warning will be replaced with "Hey, this is totally a virus, click here to delete it" warning.

      The closest thing Microsoft offers is Windows Defender, which is a good solution, but is optional.

      So I'd say that both vendors are addressing the "User is tricked into downloading a malicious executable" file in mostly the same way.

    10. Re:Does not hide in PDFs by Anonymous Coward · · Score: 0

      Well, it's got a Chinese-language PDF inside it that it opens, that way the user doesn't realize they screwed up.

      Also, the filename is in the pattern "argleblargle.PDF", but formatted as an executable. Users examining the file extension alone or the icon will be fooled.

      On a Mac, however, the tell is that the program uses an icon at all, instead of the "preview" version that PDFs usually have. I don't know a lot of Mac users that have a PDF viewer installed at all, since the OS handles it just fine.

    11. Re:Does not hide in PDFs by LordLimecat · · Score: 1

      At the risk of erring (as I don't have time to check each vulnerability), I would hazard that most-if-not-all of those are XP vulns; you might as well compare it to some Linux 2.4 distro (since that's the era XP comes from).

      And MOST of the exploits that XP has been hit with are through 3rd party apps, that just so happen to be cross platform (Quicktime plugins, Java plugins, Flash plugins, Acrobat plugins), and most of the remainder are browser exploits. Unless you go back to Code Red or Sasser days (or an out of date XP install-- and let's be fair here, all OSes have remote exploits that have since been patched), you will see precious few viruses that actually do infections on Vista or 7 through an OS exploit.

    12. Re:Does not hide in PDFs by LordLimecat · · Score: 1

      It's actually built into Windows Vista and 7-- check your services. Also, they provide Security Essentials, though they don't build it in (not sure that would be legal-- see Internet Explorer anti-trust suit). Finally, every so often when updates are applied, the Malicious Software Removal tool runs, which is basically a targeted virus detection and removal suite.

      Anyways, I'm not sure I see the big value of a built-in antivirus-- if Security Essentials came with every Windows PC, every single virus would come with a method of bypassing it (which is likewise why I'm not super reassured by Mac having it built in-- would-be viruses will all have to have a bypass method before they are pushed into the wild).

  5. Re:again PDF? by Pence128 · · Score: 3, Informative

    Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.

    --
    404: sig not found.
  6. Re:again PDF? by Anonymous Coward · · Score: 0

    What is it with Apple OS and exploits in PDF?
    Is the kernel written by Adobe?

    What is it with and exploits in PDF?
    It doesn't matter who the kernel is written by.

  7. Re:again PDF? by lightknight · · Score: 1

    Part of it, apparently.

    --
    I am John Hurt.
  8. Article title is wrong by Anonymous Coward · · Score: 1

    This trojan doesn't hide inside a PDF. It is an executable that disguises itself as a PDF.

  9. Any Informative Links? by ninetyninebottles · · Score: 3, Interesting

    I saw reference to this trojan the other day, but my research turned up only vague descriptions such as the one linked in the summary. From all the reading I did it seems like this is an executable of some sort, with no extension that is being e-mailed to people. None of the descriptions I've read have described how it infects the machine, but I assume the user has to run it and then agree to allow the unsigned program to run for the first time. At this point it drops a PDF on the hard drive, opens it, and then installs a bare bones apache server, which doesn't actually work as far as anyone can tell. There was some indication that this was a cross platform trojan, but no one has been able to confirm this.

    So if anyone is actually in a lab with a copy of this could you please enlighten us on the following points:

    • How is this being distributed in the wild?
    • Does this somehow run automatically and does it bypass the user having to authorize the executable to run for the first time?
    • On 10.6 does it require an admin password to install?
    • Does it attempt to do something about the firewall settings?
    • On 10.7 does this attempt to escape the sandbox?
    • Does the best case install actually get an Apache server running well enough to listen to a control channel, update itself, or perform actions?

    So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting; which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?

    1. Re:Any Informative Links? by Andreas+Mayer · · Score: 1

      On 10.7 does this attempt to escape the sandbox?

      Huh? The only applications that are sandboxed are those that are built that way.
      I very much doubt the malware author sandboxed his creation. ;)

    2. Re:Any Informative Links? by Registered+Coward+v2 · · Score: 1

      So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting; which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?

      Of course it is a failed attempt - they should have got it on the app store and given Apple control of 30% of the infected machines.

      Seriously, security is one area where, IMHO, Apple users have a bit of a head in the sand attitude. Other than hearing some (non-Apple) stores that are authorized retailers attempt to sell "protection" plans for Macs because "Macs have two viruses in the wild" (really? What are they?); the general attitude is "Macs are immune because no one attacks them." While strident fanboys will proclaim OSX's security superiority, I think ignoring the possibility that Macs are/will become targets is dangerous. There is precious little information out there on how to protect yourself from an attack; and the prevalent attitude of "there are no Mac viruses/trojans/etc" leads to a false sense of security and may actually make it easier to convince Mac users to enter their admin pw and install malware.

      A search of Apple's support site for "security" or "viruses" turns up general articles on why Apple doesn't discuss security issues until they are fixed or to not open unknown files in emails. It would be nice if they had a Top 10 Things to Do to secure your Mac. Even if there isn't a problem now, building a false sense of security will lead to great problems later and a black eye on Apple's brand.

      I've used Apples since the original Apple ][ and like them for a lot of reasons, but there are areas where Apple and its users need to be more aware of the potential threats rather than trumpeting Apple's superiority. For a long time, it simply wasn't worth attacking Macs because they are a tiny fraction of the user base. As Apple grows (and not just in the Mac market), that "advantage" goes away.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    3. Re:Any Informative Links? by swbozo · · Score: 1

      It would also be nice to know if the trojan is a universal binary. If not, maybe those of us still running PowerPC machines have a reason to keep using them.

  10. Re:again PDF? by ninetyninebottles · · Score: 1

    Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.

    Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.

  11. Re:again PDF? by TheRaven64 · · Score: 1

    How does this get past the download protection though? Any executable that is saved by Safari or Mail.app will have the source location saved in the metadata. When you first run it, the system tells you that it's an executable that you've not run before and asks if you meant to. It never shows this for pdf files[1] so you know that it is definitely something malicious.

    [1] Depressingly, it does show this warning when you open a UNIX shell script in TextEdit if it has execute permission. It also shows when you open a Windows application, irrespective of whether or not you have anything installed that will actually run it.

    --
    I am TheRaven on Soylent News
  12. Re:again PDF? by bonch · · Score: 0

    RTFA. It's an executable using a PDF document icon. This is nothing more than a social engineering trick.

  13. Re:But... by tmosley · · Score: 1, Informative

    Never said they didn't have trojans.

    Might want to learn the difference.

  14. Re:But... by bonch · · Score: 0

    This isn't a virus; it doesn't do anything when installed or propagate. It can't even communicate with its server.

  15. Re:But... by bonch · · Score: 5, Informative

    This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

  16. Re:But... by Farmer+Tim · · Score: 1

    Still technically correct: a trojan isn't a virus.

    Though I'll admit it's amazing that anyone working at a Genius Bar got anything technically correct...

    --
    Blank until /. makes another boneheaded UI decision.
  17. Okay, fellow Mac users by 93+Escort+Wagon · · Score: 3, Insightful

    Here's the plan:

    1) OS X makes it brain-dead easy to not run as an admin user. Create a separate admin account first, then remove the admin privilege from your everyday account. On those rare occasions you need admin privileges, you'll be automatically asked to provide the admin account info - you don't need to even think about it.

    (Somehow that isn't sinking into a lot of peoples' heads, even those who should know better)

    2) Back up your stuff regularly. Again, OS X makes this brain-dead easy with Time Machine. You can use something else like a custom rsync script, but - just DO IT.

    If you're running as a non-admin user, the worst that can happen is your own stuff gets hosed - and then you can get it back from your backups. But since trojans are probably only going to go after the system files, it's unlikely even your stuff will get touched.

    Okay, there's one caveat. If you click on an infected file, and it asks for admin permissions and you provide it, you're screwed. But one would hope you're smart enough to realize viewing a PDF should not require admin authentication. In the end, common sense does have to enter into the picture.

    BTW if you claim running as an admin is okay because you're always prompted to authenticate anyway... you're just wrong.

    --
    #DeleteChrome
    1. Re:Okay, fellow Mac users by artor3 · · Score: 1

      You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

    2. Re:Okay, fellow Mac users by 93+Escort+Wagon · · Score: 3, Informative

      You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

      For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

      As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

      --
      #DeleteChrome
    3. Re:Okay, fellow Mac users by berryjw · · Score: 3, Insightful

      Dude, I've watched so many OS X users click through *anything* that pops up to know better. That "average" user everyone keeps referencing doesn't read those boxes any more than they read the EULAs for the software they're using, and most of them will provide credentials without even considering why they might be asked for them. Users view all of this as speed bumps, and don't have any idea it's part of system security. Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

    4. Re:Okay, fellow Mac users by artor3 · · Score: 2

      That's if they plug in an external drive. How many do? And how many answer in the affirmative? A lot might worry that if they say yes, they can't use that drive for other things.

      And I suspect that your 70+ year old mom had it explained to her, likely by you. There are a lot of people who just want their cursor to turn into a unicorn, and will say yes to anything to make it happen.

      In the end, you can't defend a computer from its owner, no matter which OS you use.

    5. Re:Okay, fellow Mac users by MimeticLie · · Score: 1

      Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

      Unless your machine is in an easily accessible place, that seems perfectly reasonable to me. I'd rather have users who write down complex passwords than ones that use "password1" for everything.

    6. Re:Okay, fellow Mac users by berryjw · · Score: 1

      Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

      Unless your machine is in an easily accessible place, that seems perfectly reasonable to me. I'd rather have users who write down complex passwords than ones that use "password1" for everything.

      I work for a K-12 public school system... and most of the passwords I see like this *are* [lastname][current year], or something equally guessable. Oh, and these are the faculty. I really want to send out an email at the beginning of every school year; "All faculty should make three copies each of their house and car keys, and attach them to 3"x5" index cards containing the address/license # and description of each property. Please have these delivered to the Technology Department as soon as possible, so we may have them distributed randomly about our schools when the students arrive to begin this year. If you take exception to this, please consider how we feel about your doing the same with our keys, the ones we call passwords." Think anyone would read it? No more than they do those annoying boxes which pop up asking for credentials...

    7. Re:Okay, fellow Mac users by kerrbear · · Score: 1

      I work for a K-12 public school system... and most of the passwords I see like this *are* [lastname][current year], or something equally guessable. Oh, and these are the faculty. I really want to send out an email at the beginning of every school year; "All faculty should make three copies each of their house and car keys, and attach them to 3"x5" index cards containing the address/license # and description of each property. Please have these delivered to the Technology Department as soon as possible, so we may have them distributed randomly about our schools when the students arrive to begin this year. If you take exception to this, please consider how we feel about your doing the same with our keys, the ones we call passwords." Think anyone would read it? No more than they do those annoying boxes which pop up asking for credentials...

      I wonder if there is a way to actually provide physical keys to computer systems. The solution would be to insert a USB key that would unlock the computer. The sysadmin could set all the passwords. That way, even if the user forgot their key, they could still use the password; they would just have to memorize it.

    8. Re:Okay, fellow Mac users by R3d+M3rcury · · Score: 1

      For the account stuff, you might have a point.

      He definitely has a point.

      Consider the "installer." You bring your fancy new computer home, turn it on, and it starts up the setup program. It asks you to make an administrator account. It then says, "Great! You're now ready to use your brand new computer!"

      Nothing mentioned about setting up a second account for regular use or anything like that.

    9. Re:Okay, fellow Mac users by NoMaster · · Score: 2

      Not to mention the fact that if an Apple executable is downloaded via browser or email, when you attempt to run it for the first time you get a message that says:

      "Xxxx is an application that was [downloaded from the internet || attached to a mail message]. Are you sure you want to open it?"

      And some details about when it was downloaded / received. Admin permissions or not don't even come into it.

      At some point you've got to hand over responsibility from the OS (or anti-virus) babying the user's arse, and on to the user to think a bit and look after themselves. Is learning the difference between a document or data file and a program file too much to ask?

      Anti-virus software is in fact starting to become part of the problem, because users have been trained to trust it so much that they never develop the skills to protect themselves from the bleedin' obvious.

      --
      What part of "a well regulated militia" do you not understand?
    10. Re:Okay, fellow Mac users by dkf · · Score: 1

      I wonder if there is a way to actually provide physical keys to computer systems.

      Yes. That's smartcard-based login systems, and they've been around for decades. The main downside is that they're relatively expensive due to the need to have all that extra hardware and someone on-site to issue new cards — that can't be outsourced to another location, well not outside the city where this is happening, because cards will get broken from time to time and need replacing by someone who's trained to check that the card is going to the right person — so they tend to only be used in situations that can justify it (e.g., government offices handling large amounts of personal data).

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    11. Re:Okay, fellow Mac users by Anonymous Coward · · Score: 0

      A question for you: have you ever heard about privilege escalation bugs? Another question for you: do you think Apple is infallible enough that there would be no such bugs in OSX (or Darwin, if you want to talk about that)?

      No, this is probably not relevant to this case as I don't believe either that this trojan exploits such a bug, but being so trusting that everything is a-ok as long as you don't give your admin password into a surprising dialog isn't very safe either.

    12. Re:Okay, fellow Mac users by Anonymous Coward · · Score: 0

      um... just to clarify, all user accounts are user accounts of default OS X. An "admin" user simply has access to sudo.

    13. Re:Okay, fellow Mac users by abhi_beckert · · Score: 1

      In the end, you can't defend a computer from its owner, no matter which OS you use.

      iOS does a pretty good job of defending itself from the owner. Mac OS X 10.7 has the technology built in to have similar features, all they would need to add is a tick box somewhere "only allow trusted software to run".

      Where "trusted software" is software that was digitally signed by Apple as part of purchasing it via App Store, where they've been adding some serious crypto based security recently. Dangerous privileges, such as *accessing the internet* or *decoding a jpg file* will raise serious red flags and result in the App Store team asking you hard questions about whether or not you actually need to do those things. If they decide you have a reasonable reason to do it, they will start asking how you architected it (e.g., decoding a jpg is likely to have buffer overruns, so you better do it on a background daemon with restricted privileges).

      And if you get past the app store review team, they can revoke your signed app.

      None of this stuff has been thoroughly tested, but it's in the system and being tested every day. When they add that "only allow trusted software" feature, I'm going to turn it on for all the computers in my family except my own.

    14. Re:Okay, fellow Mac users by keytoe · · Score: 1

      That's if they plug in an external drive. How many do? And how many answer in the affirmative? A lot might worry that if they say yes, they can't use that drive for other things.

      The advice I give to people in this class of user (ie, my mom) is to go buy a backup drive just for Time Machine. Plug it in, click 'Yes' and don't touch it. For a $75 insurance investment, you are now backed up.

      If you need an external drive for more storage space, go buy another drive. They're cheap.

  18. Re:When your OS begins to get relevant... by oakgrove · · Score: 0

    Nobody with even the slightest clue pretends that OSX or Linux are immune to Trojans and implying that this view is mainstream even amongst the most fervent fanboys is pure troll.

    --
    The soylentnews experiment has been a dismal failure.
  19. Re:When your OS begins to get relevant... by Anonymous Coward · · Score: 0

    Not really sure that Linux is much better when it comes to social engineering attacks.

  20. It's not a PDF by Anonymous Coward · · Score: 1

    Imagine I made a piece of malware.
    Imagine I set its icon to the default PDF icon on your operating system.
    Imagine I named it "somefile.pdf.exe" or "somefile.pdf.app".

    That's what's happened here. It's not an exploit in the PDF format but rather somebody using the appearance of a 'safe' file to trick people into double clicking it. It could just as easily have been "somefile.jpg.app" or "somefile.ogg.app" with appropriate icons.

    Mac OS X will display a "you've never opened this application before, are you sure you want to?" message when a user double-clicks the fake PDF, but let's be realistic: our moms aren't going to know any better.

    1. Re:It's not a PDF by Anonymous Coward · · Score: 0

      Well, perhaps *your* mom won't know any better...

      My mom can actually tie her own shoes w/o assistance. Self-taught on WANG, DisplayWrite, WordPerfect 5 and 6 on DOS... And when one of those "You are infected" trojan/fake antivirus notices came up on her favorite newspaper website, she 1. knew better than to trust it, or think she was infected (the Windows box on her Mac was a dead giveaway for her), and 2. wrote the newspaper informing them that they had malicious software being distributed by their online advertising.

      And yes, my dad can beat up your dad.. :-P

  21. Re:But... by scottbomb · · Score: 2

    To quote Apple's own website: Macs don't get WINDOWS viruses.

    (They get Mac viruses). --- not on the website.

    If the world were the other way around, where 90% + of the population used Macs and a small minority used Windows... need I say more?

  22. Re:again PDF? by Aardpig · · Score: 2

    Obvious troll is obvious.

    --
    Tubal-Cain smokes the white owl.
  23. Re:But... by InsectOverlord · · Score: 1

    Apple and some of its fans do tout Mac OS X as being somehow immune to malware in general, not just viruses.

    As for viruses, this one indeed seems not to be a virus (unless it proceeds to replicate after launching - a piece of malware can be both a virus and a trojan), but any device that can run an arbitrary program can run a virus.

  24. Re:But... by Anonymous Coward · · Score: 1

    Would a Mac or Slashcode exploit explain not seeing the "Apple" category included on the left side of the Slashdot page except when viewing an Apple story? There's a place in the Account area to remove a section, but no provision to add/restore one???

    The signature editor seems to be hiding too.

    These social engineering tricks aren't much of a malware story. It'd be more useful to be asking why NoScript doesn't have an option to filter web-bugs on trusted sites. (and how it doesn't seem to be showing Google analytics to block anymore?)

    Maybe OS X should be asking for permission anytime a new app wants net access. They should not be able to phone home or anywhere by default.

  25. Re:again PDF? by somersault · · Score: 1

    You know. I would know (I wouldn't even bother to read the email or save the attachment so it's kind of moot). The average user though? They're not so well clued up. If they've been as far as saving the file to their computer, I wouldn't have much faith in them not executing it.

    --
    which is totally what she said
  26. Re:When your OS begins to get relevant... by somersault · · Score: 1

    Maybe not, but its users are.

    --
    which is totally what she said
  27. Oh Noes by Anonymous Coward · · Score: 0

    More malware! Whatever will we do? Better burn those Macs and get a Linux box!

    Meh.

  28. Re:But... by PopeRatzo · · Score: 2

    This isn't a virus; it doesn't do anything when installed or propagate. It can't even communicate with its server.

    So...it's candy!

    No need to worry Apple users, it "doesn't do anything when installed or propagate". You are safe and warm and don't forget to let iTunes save your password.

    --
    You are welcome on my lawn.
  29. Says a MacOS X fanboy trying 2 hide it by Anonymous Coward · · Score: 0

    See subject line above + post parent to mine -> http://apple.slashdot.org/comments.pl?sid=2444536&cid=37503772 because Lord only knows that if that happened on another OS platform, like Windows? It'd be some kind of 'horrendous event' to be shouted from the rooftops!

  30. Re:But... by dltaylor · · Score: 1

    What version of NoScript doesn't show google-analytics?

    I'm running 2.1.2.3 on the machine that accesses the net, and it still has it in the menu, maybe because it is in use and blocked on the site I checked.

  31. Smells Like AV Flackery by jasnw · · Score: 4, Insightful

    Every time one of these "sky is falling, OS X is being attacked by new malware/virus/trojan" articles floats around the 'net, it seems like the source document is from one or another AV builder or a computer security outfit with things to sell. The first clue is how vapid and vague the article is, and how little useful information it provides. Another clue is when one part of the article tells the story a bit differently than elsewhere in the same article. For OS X users, there are a handful of good, independent computer security sites (apple.com NOT being one of them), and if it ain't there, I ignore it.

    1. Re:Smells Like AV Flackery by Anonymous Coward · · Score: 0

      Pretty much like most Android malware articles, yes?

      OMG THERE'S SOMETHING THAT PROMPTS YOU TO INSTALL, SPECIFICALLY TELLS YOU IT NEEDS ACCESS TO THE SD CARD (hard drive in the case of a desktop, I suppose), CAN ONLY BE FOUND IN SOME DARK CORNER OF THE INTERNETS.

      I'm not saying anyone here's a fanboy or anything, but this is what most people have been yelling for years. It's specifically the fanboys that say "omg no wai possible no viruses evar for my precious fruit"

      My favourite was the banking information call recorder... that can only be made if you put your call on speaker, requires the application to KNOW that it's a call to a bank (without it having access to the call logs / number being called as no application has that access AFAIK on Android), and god knows how it's doing the voice recognition (though it does say "access to microphone" on install)

  32. Re:But... by Jeremiah+Cornelius · · Score: 0

    Little Snitch
    Better Privacy
    Ghostery
    Ad Block+

    And a little personal diligence. That includes no Facebook usage or Google IDs, and a clean sweep every time you exit Amazon, PayPal or an affiliate.

    The price of Liberty... Etc., etc. ad nauseam

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  33. Yep by Sycraft-fu · · Score: 4, Insightful

    In fact I've seen a big rise in the amount of non-admin Windows malware. It just infects the user that is using the system. The reason is they realize that for the vast majority of systems, the user IS the system, there is no need to infect anything else. It also lets them get an infection in an enterprise setup where users don't get admin.

    Now I suppose it does make the malware slightly easier to get rid of, but then it really doesn't matter; I tend to scan the things from a boot disk anyhow.

    This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

    1. Re:Yep by mjwx · · Score: 2

      > This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

      Some of us have understood for a while that the user is the most vulnerable part of any system. Almost all malware infections I've seen have been user-initiated; drive-by infections in this day and age are very rare even on unpatched machines. This is why my Windows servers are more secure than any Linux or Mac desktop, simply because no user is permitted near them.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:Yep by Anonymous Coward · · Score: 0

      That's almost verbatim what one of my win-admin friends said, until he discovered his SBS 2007 had been owned for an indeterminate amount of time nearly undetectably.

    3. Re:Yep by Anonymous Coward · · Score: 0

      >In fact I've seen a big rise in the amount of non-admin Windows malware.

      Obligatory 'me too'. I do a lot of tinkering outside work, which naturally includes malware removal for friends and so forth. It's a whole lot less common to see some of the really nasty infections that hooked into the Winlogon process and which required a live CD in order to remove, with the trend being some .exe that's been dropped into the user's temp directory. Makes things a shedload quicker to remove anyway.

      My £0.02 is that it was User Account Control that has caused this change in behavior, as the user may get alarmed by the screen dimming and prompt when they were 'just browsing'. Still, I'm not going to complain.

    4. Re:Yep by Coren22 · · Score: 1

      > win-admin friends

      > SBS 2007

      Your friend for one isn't a Windows Admin; he is someone who uses Small Business Server, rather than setting things up himself.

      He sounds like a part-time admin, not an actual Windows administrator.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  34. Re:again PDF? by Anonymous Coward · · Score: 1

    RTFA. It's an executable using a PDF document icon. This is nothing more than a social engineering trick.

    Social engineering tricks ARE THE #1 reason for systems being compromised/hacked.
    Users are idiots (aka not computer savvy) whether they use Windows or OS X.
    This is the reality, and if you had the same amount of idiots on Linux as you have on the other systems you'd have the exact same kinds of problems. Instead of trojans and viruses we would be talking of users downloading executable scripts from gods know where and wreaking havoc on their systems.

  35. Re:again PDF? by dgatwood · · Score: 1

    What's depressing is that stupid tricks like this are even still possible in this day and age.

    Helpful tip: In Mac OS X's Finder, if you choose "Preferences..." from the "Finder" menu, you'll find a checkbox that says, "Show all filename extensions". Check it. You will never again be at risk from these sorts of malware attacks (unless you or someone else goes back in and unchecks it).

    I'm strongly of the opinion that this checkbox should be enabled on every computer in the world, and that a checkbox to hide those extensions should not even exist. The only thing that "feature" does is make trojans like this one possible.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
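    A model of the disguise this post and the parent comments describe (a hidden extension, a "somefile.pdf.app" double extension, an extensionless executable with a custom PDF icon), as an added example that is not from any poster here or from Apple. The Finder attributes are constructed inputs rather than read from a real disk, and Finder's extension-hiding behaviour is simplified to a single flag.

```python
from dataclasses import dataclass

# Extensions that read as harmless documents vs. ones that run code.
DOCUMENT_EXTS = {"pdf", "jpg", "ogg", "doc", "xls", "txt"}
EXECUTABLE_EXTS = {"app", "exe", "command", "sh"}


@dataclass(frozen=True)
class FinderEntry:
    """One constructed directory entry (not read from a real filesystem)."""
    name: str                        # full on-disk name, e.g. "somefile.pdf.app"
    is_executable: bool              # app bundle or executable bit set
    extension_hidden: bool = False   # modelled "Hide extension" attribute
    has_custom_icon: bool = False    # modelled custom icon (e.g. a PDF icon)


def split_ext(name: str):
    """Return (base, lowercase extension); extension is '' if there is none."""
    if "." not in name.strip("."):
        return name, ""
    base, _, ext = name.rpartition(".")
    return base, ext.lower()


def displayed_name(entry: FinderEntry, show_all_extensions: bool) -> str:
    """What Finder shows: the full name when 'Show all filename extensions'
    is on, otherwise the name with a hidden extension stripped."""
    if show_all_extensions or not entry.extension_hidden:
        return entry.name
    base, ext = split_ext(entry.name)
    return base if ext else entry.name


def apparent_type(displayed: str) -> str:
    """Classify a name the way a user would at a glance."""
    _, ext = split_ext(displayed)
    if ext in DOCUMENT_EXTS:
        return "document"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return "unknown"


def assess(entry: FinderEntry, show_all_extensions: bool):
    """Return (verdict, reasons). Verdict is 'disguised' when the name the
    user sees suggests a document but the item actually runs code."""
    shown = displayed_name(entry, show_all_extensions)
    seen_as = apparent_type(shown)
    reasons = []
    if entry.is_executable and seen_as == "document":
        reasons.append(f"shown as '{shown}' but is executable")
    # Double extension such as somefile.pdf.app: flagged regardless of display.
    base, ext = split_ext(entry.name)
    _, inner = split_ext(base)
    if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        reasons.append("double extension: document type before executable type")
    # No extension at all, so the only visible cue is a borrowed icon.
    if entry.is_executable and entry.has_custom_icon and ext == "":
        reasons.append("extensionless executable relying on a custom icon")
    return ("disguised" if reasons else "ok"), reasons


def scan(entries, show_all_extensions: bool):
    """Map each on-disk name to its verdict under the given Finder setting."""
    return {e.name: assess(e, show_all_extensions)[0] for e in entries}


# Constructed sample directory: a real PDF, the 'somefile.pdf.app' trick
# from the thread, an extensionless executable with a PDF icon, and a
# legitimate application whose ".app" is hidden the normal way.
SAMPLE = [
    FinderEntry("report.pdf", is_executable=False),
    FinderEntry("somefile.pdf.app", is_executable=True,
                extension_hidden=True, has_custom_icon=True),
    FinderEntry("invoice", is_executable=True, has_custom_icon=True),
    FinderEntry("Installer.app", is_executable=True,
                extension_hidden=True, has_custom_icon=True),
]

if __name__ == "__main__":
    for setting in (False, True):
        print(f"Show all filename extensions = {setting}")
        for e in SAMPLE:
            verdict, why = assess(e, setting)
            print(f"  {displayed_name(e, setting):20} {verdict:10} {'; '.join(why)}")
```

    With the checkbox off, the trojan from the thread is shown as "somefile.pdf"; with it on, the trailing ".app" is visible, which is the whole point of the tip above.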

  36. Re:But... by Concerned+Onlooker · · Score: 1

    As Douglas Adams said, "it may only be ten percent of the users, but it's the top ten percent." That aside, being in the minority with a usable OS (read cli) is exactly where I want to be. Let Windows draw the flies, I say.

    --
    http://www.rootstrikers.org/
  37. Re:But... by AHuxley · · Score: 1

    Add in some http://cs.nyu.edu/trackmenot/ to your browser too.
    As for this, http://blog.intego.com/2011/09/23/mac-pdf-trojan-horse-surfaces-threat-is-low/
    A Mac security company notes: "threat to be very low, as this is not found in the wild."

    --
    Domestic spying is now "Benign Information Gathering"
  38. Black lists dont work. by mjwx · · Score: 1

    And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

    Black lists don't work. Even MS has figured this out. So they add this particular one to the filter rather than fixing the vulnerabilities or, worse yet, educating users on how to safely use computers (as opposed to telling them they are automagically protected by owning a Mac), but the malware writers simply make a new variation to get around that black list. There is so much malware for Windows simply because a lot of it is subtle variations on the same malware to get around AV/anti-malware.

    The "protect filter" is not computer security; rather, it is computer security theatre.

    > It's just a trojan with a PDF icon

    To the end user, there is no difference.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
    1. Re:Black lists dont work. by Andreas+Mayer · · Score: 1

      > So they add this particular one to the filter rather than fixing the vulnerabilities

      What vulnerabilities? Stupid users? Sorry, can't really fix those. Not even with a Mac. :)

      > The "protect filter" is not computer security; rather, it is computer security theatre.

      It's just one of several defenses. I don't see how that can be bad. At the moment that list sports a whopping eight (yes, one more than seven) different pieces of malware. It doesn't look like it will be overflowing any time soon.

      > It's just a trojan with a PDF icon

      > To the end user, there is no difference.

      Yes, there is. He might ignore it, but there definitely is.

  39. Re:But... by Anonymous Coward · · Score: 0

    Actually, they often say they don't have Trojans and user-installed malware.

  40. CITIZENS OF TROY!! by catmistake · · Score: 1

    Trojan: (capitalized)
    1. citizen/resident/native/inhabitant of Troy
    2. well-known brand of condoms

    trojan horse: (not capitalized)
    1. A hollow wooden statue of a horse in which the Greeks concealed themselves in order to enter Troy.
    2. A person or thing intended secretly to undermine or bring about the downfall of an enemy or opponent.
    3. A program designed to breach the security of a computer system while ostensibly performing some innocuous function

    just can't get yer shit straight, can you editors?

  41. Re:again PDF? by Andreas+Mayer · · Score: 1

    > Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.

    Can't be. A bundle ending in pdf is not executable.

    I guess it's named 'something.pdf.app'.

    And you can't even hide the app extension. (At least not on Lion. Is this new?)

  42. Re:again PDF? by Andreas+Mayer · · Score: 1

      > Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.

    The resource fork can hold MIME types?

    (Of course the resource fork can hold anything; I mean in a format that is used by the OS.)

  43. Re:again PDF? by Andreas+Mayer · · Score: 1

      > I'm strongly of the opinion that this checkbox should be enabled on every computer in the world, and that a checkbox to hide those extensions should not even exist. The only thing that "feature" does is make trojans like this one possible.

    Well, at least it doesn't seem to be possible to hide the extension on a file named something.pdf.app

  44. Smug mac users deserve viruses by Karmashock · · Score: 0

    Call this what you will but after years of enduring their "but macs don't get viruses" comments I'm rather pleased they're joining the rest of the computing world.

    Linux can enjoy the same when it gets the same kind of consumer market share.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:Smug mac users deserve viruses by jo_ham · · Score: 1

      It's not a virus, but thanks for playing.

      It's not even the first trojan for OS X - there have been several in the past.

    2. Re:Smug mac users deserve viruses by Karmashock · · Score: 1

      In the context of my post there's no relevant distinction.

      Your sad attempt to "burn" me might have had some impact if you actually addressed my point instead of simply going for a cheap knock down.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    3. Re:Smug mac users deserve viruses by jo_ham · · Score: 1

      No, it really does make a difference. Words have meaning. You used the term incorrectly.

      I imagine what you meant to say was "malware", but of course no one is claiming Macs are immune to malware as a whole; that would just be silly. There's a long history of trojans on the Mac since they tend to rely on social engineering to work, and that's a platform-independent problem. You can certainly attempt to minimise the potential threats, but ultimately you're only as effective as the user at the computer when it comes to that sort of thing.

      You mentioned something about me addressing your point, but your point seems to be "I'm pleased because I believe this story means that Mac users are 'joining the rest of the computing world'" despite that being hilariously inaccurate because, as I mentioned, this is a long way from being the first trojan on OS X. I can talk some more about your ignorance if you like though?

    4. Re:Smug mac users deserve viruses by Karmashock · · Score: 1

      Okay, Captain Strawman, I didn't say words didn't have meaning. I said that in this context the distinction is irrelevant.

      http://en.wikipedia.org/wiki/Context_(language_use)#Verbal_context

      That's so you can bone up on what context means... it's a word and apparently a difficult concept to master.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    5. Re:Smug mac users deserve viruses by jo_ham · · Score: 1

      Oh I understand the meaning of the word context, however the context of this discussion is a Mac trojan, and you come wading in with some oft-repeated meme that "Mac users always claim they are immune to viruses". Whether it's true or not (and it's not), you're out of context quite clearly.

      You also claimed that you were "pleased" to see that "Mac users are now joining the rest of the computing world" when as I explained, that train sailed a long time ago in the context of this discussion: trojans.

      So, which is it? Are you claiming that you believe "virus" specifically means "malware" in your interpretation of what you believe "most" Mac users tell you since you claim to have endured "years" of them telling you this apparently erroneously, since you seem to believe this article represents the very first instance of any virus or trojan on the Mac platform, or are you just trying to save face because you didn't expect anyone to call you on your demonstrably false equivalence between a trojan and a virus, trying to handwave it all away with a non sequitur about it "all being in context" so it doesn't matter about being precise in your definition.

      It's not even like it's shorthand - the shorthand catch all term is "malware", but you specifically went with "viruses", in error.

      If your point was to somehow make Mac users who say that specific phrase look bad, then it still fails, because this isn't a virus. If your point was to gloat about "Mac users joining the rest of the computing world" due to this then you still fail, since this is nowhere near the first trojan on OS X (nor would it be the first virus if it was a virus and not a trojan).

      I can loan you a spade if you prefer to keep digging.

    6. Re:Smug mac users deserve viruses by konohitowa · · Score: 1

      The slashdot of today reminds me of USENET after the AOL crowd was released from their cages. Minus the capslock of course. You'd think that at a supposed nerd hangout you wouldn't have to be arguing with someone about the difference between a self propagating piece of software and a social engineering trick. Yet that seems to be the norm, if evidenced by the bulk of comments on this article (and this article isn't alone in this).

    7. Re:Smug mac users deserve viruses by Karmashock · · Score: 1

      The oft-repeated phrase refers to all malware actually. Your insistence on specificity ignores the context of the comment and entirely fails to understand the larger point.

      In your attempt to sound relevant and clever you've simply come off as arrogant and clueless.

      Regards.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:Smug mac users deserve viruses by jo_ham · · Score: 1

      In your opinion that's what you think it refers to.

      In my opinion Linux is Unix. See how easy that is?

    9. Re:Smug mac users deserve viruses by Karmashock · · Score: 1

      Your unprovoked and childish hostility has been noted. Thank you for participating.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  45. Re:again PDF? by dgatwood · · Score: 1

    You mean the .pdf part, I assume.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  46. Re:When your OS begins to get relevant... by Osgeld · · Score: 1

    I watch way too many Computer Chronicles episodes on the internet; it's funny because from the mid '80s (like '87 or so) until about 1993 the #1 software in sales is SAM antivirus ... get ready .. FOR MAC

    Anyone that says Macs don't get viruses is either ignorant or fucking stupid; they had a virus problem, and gee whiz, they still do.

  47. Re:again PDF? by Guy+Harris · · Score: 2

    > Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.

    Actually, if you skip all the journalism and follow links all the way to the F-Secure blog posting about the trojan, it's a file "where the icon is stored in a separate fork that is not readily visible in the OS", which presumably means "in the resource fork". The F-Secure item for the trojan says "Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.", which seems to indicate that both a PDF that "[distracts] the user" and other stuff including "a backdoor program" are involved. It sounds a bit more complex than what the articles about the trojan say it is and the /. discussion of the trojan seem to imply it is, but they don't indicate what "a downloader component" is. I guess I've spent too much time dealing with Mac OS X at the UN*X level to know what "a downloader component" is....

  48. Re:again PDF? by TheRaven64 · · Score: 1

    Saving a file on the computer is easy. Click on a link to a PDF and Safari will download it. Double click on it and Preview will open it. This is the behaviour that users expect. Double click on it and OS X puts up a warning box telling them that it's the first time they've run this application that they downloaded from the Internet? That's not. Especially for normal users who won't download any applications from the Internet, so won't have seen that dialog before...

    --
    I am TheRaven on Soylent News
  49. Who broke BSD? by sgt+scrub · · Score: 1

    A user-space application cannot receive a listen port on OS X now, can it? If so, Apple needs to fix it.

    --
    Having to work for a living is the root of all evil.
    1. Re:Who broke BSD? by metrix007 · · Score: 1

      If it's above 1024, why not?

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    2. Re:Who broke BSD? by sgt+scrub · · Score: 1

      So it isn't possible for malicious daemons to be started without permission. An application that needs a listen port should be started by root, with sudo, or a user:group specifically granted permission to start the daemon. Running daemons as a desktop user is security suicide.

      --
      Having to work for a living is the root of all evil.
  50. Ah, I just can't wait.. by RulerOf · · Score: 1

    > Or just replace the operating system kernel.

    OS X malware doesn't have to do that. Personally, I can't wait until the malware starts to complete the full circle, and we see common malware start using its own kernel extensions to hide itself completely from the system, giving us Mac rootkits.

    --
    Boot Windows, Linux, and ESX over the network for free.
  51. Re:again PDF? by ninetyninebottles · · Score: 1

    > Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.

    > The resource fork can hold MIME types?

    It's not technically a MIME type (I used that term because it is actually familiar to a significant number of people), but it serves the same purpose, assuming the allusion in the article is correct. You can set the file type, system icon to use, and store a custom icon. Alternately they may be referring to similar functionality in an openstep bundle, which they refer to incorrectly as a fork. But yes, OS X can and will read this type of data stored in several formats.

  52. Re:But... by Angostura · · Score: 1

    Well, as I understand this, it is simply an executable with a PDF icon and file extension. I presume therefore that when the user tries to open it they get the standard "This is an application downloaded from the Internet; do you really want to run it?" alert.

  53. Re:But... by tmosley · · Score: 0

    Prove it. I have never heard anyone say that. The point is that Macs are immune to code that comes from the internet that executes on its own, something that has plagued PCs forever. "Viruses" infect a computer ON THEIR OWN, without users doing things like typing in their passwords to give the code permission to execute.

    You can browse all the shady websites you want for as long as you want on a Mac. Do so on a PC, and you are likely to be part of a botnet before the end of the day. Sorry, end of story. It's not about Macs being so good, it's about PCs being utter shit when it comes to security. In OS X, everything is sandboxed. On PCs, everything interacts with everything else, meaning that malicious code can get on to the machine in weird ways, and execute itself. This is due to piss-poor programming, and PC users are going to have to get over it, and stop projecting onto superior platforms.

  54. Think different by Anonymous Coward · · Score: 0

    Mac users can be broadly characterised as vain and tech challenged, and therefore vulnerable to a different set of social engineering vectors. It shouldn't be too hard to come up with strategies to push their buttons. Button, rather.

  55. Re:But... by InsectOverlord · · Score: 1

    Hm. "OS X contains powerful defenses to help keep your Mac safe from PC viruses and other malware without the hassle of constant alerts and sweeps." May not contain any outright lie, but it is highly misleading and it gives Joe Sixpack a false sense of security. If I get an alert, it can't be anything too bad.

    A virus copies itself on its own, but the initial infection might happen by running it manually (that's how many old DOS viruses operated).

    Setting aside the fact that Macs are PCs and not all PCs run Windows... I run regularly both a Linux desktop and a Windows desktop. What "PC" users need is a tiny, just a tiny bit of education (admittedly many don't have it). I've gotten exactly zero viruses on linux and two viruses on Windows: on one occasion, I ran a random binary while drunk. On the other occasion I was not running a firewall - something that *every* computer online needs - your Mac runs one by default, I suppose you know; have no doubt it may get blasted without one (Sasser-style net worms have happened in the *nix world). The precautions I've always taken are pretty much the same I take on Linux: make sure a firewall is running, do not run random binaries (or PDFs, or DOC/XLS/PPTs, for that matter) from the net, and back in the day, don't use IE (admittedly you can't even do that on Linux). And definitely don't run an antivirus to hog the system - which has to be *disabled* on Win7 and that's a bit annoying.

  56. Re:But... by Coren22 · · Score: 1

    > And definitely don't run an antivirus to hog the system - which has to be *disabled* on Win7 and that's a bit annoying.

    Huh? I have seen warnings like this from some installers, but I have never had to disable my antivirus. Also, don't get McAfee or Norton, and you don't get a system hog, Trend Micro is actually quite good (#3) and doesn't bog your system down.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  57. Re:But... by Coren22 · · Score: 1

    Wow, that is hilarious. So you are saying that Macs are more usable than Windows? For what? I can do everything on a Windows machine that you can do on Mac, plus much more. Therefore by definition, Windows is more usable. Just because you don't know how to use the command line in Windows does not mean it is less usable.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  58. Re:But... by Coren22 · · Score: 1

    The lack of communication with the control server I got the impression had more to do with the command server not accepting connections. I doubt it is a failing of the software, as they did note that it tried to connect, which means it got past the firewall on the Mac and out on the network.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  59. Re:But... by InsectOverlord · · Score: 1

    I didn't mean you have to disable the antivirus.

    My point, and I thought the context made it clear, was that you do not need an antivirus as long as you take just a few precautions. Run a firewall, avoid random executables, disable useless services (and have strong passwords for those that aren't useless) and patch up vulnerabilities regularly. Precautions that should be taken for any computer online.

    If you don't notice a system hog, so much the better for you. I personally don't appreciate pop-ups telling me to update the anti-virus database and icons cluttering the taskbar.