Slashdot Mirror


Apple Snubs Security Firm That Spotted Mac Botnet

Sparrowvsrevolution writes "Now that it's being increasingly targeted by botnet herders, Apple has a thing or two to learn about cooperating with friendly security researchers. Boris Sharov, the CEO of Dr. Web, the Russian security company that first reported more than half a million Macs were infected with Flashback malware last week, says when his company alerted Apple to the botnet, it never responded to him. Worse yet, on Monday Apple asked a Russian registrar to take down a domain it said was being used to host a command and control server for Flashback, but in fact was a 'sinkhole' that Dr. Web had set up to observe and analyze the botnet. Sharov describes the lack of communication and cooperation as a symptom of a company that has never before had to work closely with the security industry. 'For Microsoft, we have all the security response team's addresses,' he says. 'We don't know the antivirus group inside Apple.'"

27 of 409 comments

  1. Mac's don't get malware by crazyjj · · Score: 5, Funny

    Why would they communicate with a supposed security researcher who doesn't even know that?

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
    1. Re:Mac's don't get malware by jesseck · · Score: 5, Informative

      Can you please provide any links to folks that have claimed that Macs don't get malware?

      Here you go:

      Mac Commercial (produced by Apple) and Apple's own webpage

      And yes, "viruses" are not the only kind of malware out there - most people on /. know that. But no one else in my family does, and neither do the vast majority of people those two examples target for marketing. Apple's claim that Macs don't get "viruses", in my mom's mind, equates to "Apples don't have malware".

    2. Re:Mac's don't get malware by CharmElCheikh · · Score: 5, Insightful

      Well, in all "honesty" Apple's own webpage says "it doesn't get PC viruses". Technically, it doesn't; it gets Mac malware. But I know, it isn't honest, hence my first quotes, and to most people that does mean that "it doesn't get anything bad, unlike that stupid Windows thingy".

      --
      My /. user ID is probably higher than yours
    3. Re:Mac's don't get malware by SJHillman · · Score: 5, Insightful

      From Mac's website: "A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in OS X Lion that keep you safe, without any work on your part."

      1) No shit a Mac isn't susceptible to PC viruses. PCs aren't susceptible to Mac-only malware either.
      2) In this case, my car isn't susceptible to Windows-based viruses thanks to the built-in defenses of its windshield. Viruses weren't written for my windshield, so that counts as a built-in defense, right?

    4. Re:Mac's don't get malware by fustakrakich · · Score: 5, Funny

      Yes, but debugging your windshield is still necessary every once in a while

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Mac's don't get malware by forkfail · · Score: 5, Informative

      Also:
      As PCMag's Security Watch noted yesterday, Mac users did not have to download or even interact with the malware to become infected. Websites exploited a Java flaw that let Flashback.K download itself onto Macs without warning. It then asked users to supply an administrative password, but even without that password, the malware was already installed.

      From here:

      http://www.pcmag.com/article2/0,2817,2402641,00.asp

      So - yes, it required a trojan-esque password entry to fully activate, but it installed and was active even without it. Which means that it was probably ready and waiting for the next legitimate use of a password entry.

      Your walled garden has been breached, and instead of putting your head in the sand, perhaps you'd better wake up to the fact that yes, security really is, at the end of the day, the user/owner's responsibility.

      --
      Check your premises.
    6. Re:Mac's don't get malware by Cro+Magnon · · Score: 5, Funny

      I guess you don't use Windows Calculator?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    7. Re:Mac's don't get malware by Bobfrankly1 · · Score: 5, Interesting

      Macs are PCs. Don't tell me they're mainframes.

      Ever seen the ads that begin with: "I'm a Mac" "I'm a PC"

      Apple seems to think that Macs are not PCs

      Yes, but the Reality Distortion Field has been decreasing in strength as of late. Apple's own moderation of Java updates allowed this one to flourish, the Apple devout can't pass the buck onto another vendor this time. It's foolish to presume that a large installed base of users unconcerned with security would go ignored forever.

    8. Re:Mac's don't get malware by fuzzyfuzzyfungus · · Score: 5, Informative

      Pre OSX MacOS, while it may have gotten raves for friendliness, and was somewhat less bug riddled, was architecturally more or less a toy OS compared to almost anything contemporary. The ecosystem wasn't as large, and the distribution vectors markedly less efficient; but the Mac malware was out there.

    9. Re:Mac's don't get malware by spongman · · Score: 5, Funny

      Macs aren't PCs. They're crystallized manna from heaven.

    10. Re:Mac's don't get malware by Anonymous Coward · · Score: 5, Insightful

      Well, in all "honesty" Apple's own webpage says "it doesn't get PC viruses". Technically, it doesn't.

      Technically, it does. PC stands for Personal Computer, not Windows machine. Macs, just like Linux and Windows boxes, are PCs. Since Apple is trying to use pedantry to obfuscate, holding them to the definition of a PC is only fair, which puts them squarely back in the realm of lying.

    11. Re:Mac's don't get malware by Ihmhi · · Score: 5, Funny

      Honestly, the best way to debug a windshield is a full wipe.

    12. Re:Mac's don't get malware by Fjandr · · Score: 5, Informative

      Just for kicks:

      "The App Store revolutionized mobile apps. We hope to do the same for PC apps with the Mac App Store by making finding and buying PC apps easy and fun. We can’t wait to get started on January 6."
      --Steve Jobs

  2. Safeguard your data. By doing nothing. by rfioren · · Score: 5, Funny
  3. Re:there is no Apple AV group by ColdWetDog · · Score: 5, Funny

    Ah, but you're right. This isn't a virus. It's a trojan. And we all know that Trojans protect dicks.

    (sorry Apple fans, that one hung out there just a wee too much).

    --
    Faster! Faster! Faster would be better!
  4. 'We don't know the antivirus group inside Apple.' by Anonymous Coward · · Score: 5, Informative

    Because there aren't any. I worked for them, and customers that called in were routinely told there is nothing to worry about when it comes to malware.
    On their corporate side, you would be amazed at who states exactly the same thing when they should know better.

    Just a taste:
    http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=OS+X&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

  5. Re:there is no Apple AV group by revelation60 · · Score: 5, Funny

    It's a feature.

  6. Re:there is no Apple AV group by tacarat · · Score: 5, Informative

    The current version downloads and installs itself. No human interaction required besides viewing an infected webpage. Don't confuse the "viruses are impossible to get on a Mac" crowd more by trying to make them learn the subcategories of malicious software. The fact that it was originally a trojan that required the admin password to install, versus the drive-by installer requiring none, is something more for the academics to quibble about, not the end users.

    Granted, this is /., so it's academics and fanboys anyhow >.>

    --
    "Common sense will be the death of us all"
  7. Re:Blaming the messenger by ray_nicov · · Score: 5, Informative

    Dr. Web is one of the leading security companies (at least in Russia) and they've been around since 1992. They are by no means 'nagware' or a 'junk scanner' - their tools are legitimate, powerful and useful.

  8. Re:there is no Apple AV group by tacarat · · Score: 5, Informative

    http://en.wikipedia.org/wiki/Malware#Trojan_horses

    Apparently I still go by the traditional definition. What do you think I'm missing?

    --
    "Common sense will be the death of us all"
  9. Re:No overwhelmingly surprising by w_dragon · · Score: 5, Insightful

    You don't need to be admin to be a botnet member, a user process will work just fine.

  10. Re:there is no Apple AV group by amicusNYCL · · Score: 5, Insightful

    If this is a trojan, then exactly what piece of legitimate software is it piggybacking on in order to get installed? It sounds to me like it's exploiting a Java vulnerability using an applet that does not disguise itself as something useful, it is specifically to install the payload. That sounds like a traditional virus. Previous versions that were actual trojans were embedded in warez downloads.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  11. Re:And? by sir-gold · · Score: 5, Insightful

    A leech that swims by and says "hey, did you know you are bleeding?" isn't much of a leech. Other than a bit more fame, what does Dr. Web gain from this? It's not like they are extorting Apple.

    I'm curious where you picked up the idea that security researchers and fake-AV sellers were somehow related.

    Do you also assume that anyone yelling "fire" in a crowded building is just trying to make everyone scared? If so, I hope you are in a building fire some day so you can ignore the warning, safe in your fire-proof pants.

  12. In my experience... by blueg3 · · Score: 5, Interesting

    Not surprisingly, the summary is not as accurate as the article.

    Sharov may describe this as "a symptom of a company that has never before had to work closely with the security industry", but the article correctly points out that it's more a symptom of having "little experience working with the community of security researchers who aim to dissect and shut down botnets." The botnet security community is different from the general security community. As far as I know, Apple has a decent working relationship with the latter. It's no real surprise they have limited experience working with the anti-botnet community, since until now they haven't really had botnet problems.

    The article also notes that Dr. Web is relatively unknown and that in the opinion of Kaspersky (which is at least more well-known), Apple is taking the usual appropriate steps.

    As far as them not getting a contact back, that disagrees with my experience in reporting a security vulnerability to Apple. You send a message to their easily-found, catch-all "security" address. In relatively short order, a security engineer gets in touch with you, and you communicate with that person from that point on. It seemed to work just fine, unless, I suppose, you're egotistical enough to think that you should be able to pick up the phone and talk to someone at Apple immediately -- which is a common-enough problem in security.

  13. Re:"We don't know the antivirus group inside Apple by blueg3 · · Score: 5, Interesting

    I e-mailed that address and got a response from a security engineer. Perhaps Dr. Web is holding it wrong.

  14. Re:there is no Apple AV group by Anonymous Coward · · Score: 5, Informative

    Woo pedantic! Here are the given definitions, as I understand them:

    Virus = self-propagating, but does not run on its own. Requires some legitimate program which it exploits and modifies saved data to maintain itself. For example: a virus would enter a system as an infected word document, which would add macros into your copy of word infecting all of the word documents you edit after becoming infected. In general, the virus itself is not very useful, but frequently they're used as a piggy-back which downloads a...

    Trojan-horse = program which gives a malicious user control over a system remotely. This is frequently done via IRC, but newer programs have become far more sophisticated using P2P protocols of their own design or hiding it as fake HTTP requests making traffic analysis more difficult. The trojan horse itself is NOT self-propagating, but it will put a ton of hooks around the system to re-download/re-deploy itself if it gets shut off. In general its only goal is to just keep running and allowing the malicious user to abuse the machine. Now frequently the malicious user will use the trojan horse to send out fake emails or other things which leads to propagation, but the program itself doesn't necessarily do it.

    Worm = program which attempts to spread itself. It gets on a host machine and does something (normally immediately, sometimes with an incubation period, frequently involving email, sometimes 0-day exploits to networked computers) to try and get to more machines. After it has attempted to spread itself around, it will frequently follow-up by downloading a trojan horse, or sometimes it will contain the trojan horse functionality itself.

    Straight up worms have kind of fallen out of style these days though. They're a bit too obvious and their repeated, predictable behaviour leads to them being spotted and blocked after not very much time out in the wild. And without some sort of trojan horse functionality there's not much point. Trojan horse functionality allows a central command to update the code and makes the worm a more useful product, eventually getting it on more computers and keeping security researchers guessing longer.

    Anyway, hope this actually gets modded up by someone and people use these, and/or tell me I'm an idiot.

  15. Re:"We don't know the antivirus group inside Apple by gstrickler · · Score: 5, Interesting

    As someone who has found and reported a (now) patched security vulnerability to that email address, I can say that I agree with Boris Sharov's complaint. You do get an automated response with a case #, that includes the text

    We do not automatically provide status updates on issues as we work on them, but please feel free to request one if needed by replying to this message.

    However, I received no replies when I did request status updates (and supplied additional information about the affected systems with explicit instructions about what needed to be done to fix existing systems). Even when I contacted other sources (Secunia, who confirmed the problem, and US-CERT), I received nothing from Apple. Nor was the problem addressed in two releases of QuickTime in the year following my report.

    How I finally got a reply from Apple was by sending an email to sjobs@apple.com on Sept 4, 2010 with a copy of the now year-old security report, and my statement that I was taking it to the full-disclosure list if I didn't hear back from Apple by Sept 15th. Fewer than 6 hours later (on a Saturday), I had a status update from Apple. Here's the meat of that reply:

    Just wanted to let you know that a fix for this issue has been identified, and we are targeting an upcoming release of QuickTime to address it.

    We provide status updates upon request.

    Subsequent emails always got a reply, but before I sent my email to sjobs, it was like talking to a wall. Also, despite assurances that they understood the extent of the problem and my explicit instructions about needed remediation for affected systems, when they finally released the fix 3 months later, it only corrected the problem and did not provide remediation for the permissions on already affected systems, nor did it even mention that there were permissions to be fixed.

    When it became clear that neither a remediation fix nor an acknowledgement of the problem was coming from Apple, and ample time had passed for users to have installed the updated version of QT, I submitted my own fix to the Full Disclosure mailing list.

    In total, it was 15 months for Apple to release a fix, a fix that in all likelihood involved altering or removing two lines of code that were granting excessive privileges to specific directories. Even then, they did not correct the permissions on machines that were already affected.

    So, in my opinion, Apple has a long way to go in developing and maintaining communications with those who report security vulnerabilities. And in acting upon those reports in a timely and responsible way.

    --
    make imaginary.friends COUNT=100 VISIBLE=false