New Mac Virus Discovered, Making the Rounds
sl4shd0rk writes "A new Mac OS X exploit was discovered Friday morning by Kaspersky Labs which propagates through a zipfile attachment. The attachment tricks the Mac user into installing a variant of the MaControl backdoor via point-and-grunt. Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server. Once installed, the virus opens a backdoor allowing the attacker on the C+C server to run commands on the compromised machine. Shortly after Kaspersky's announcement, AlienVault Labs claims to have found a similar version of the Mac malware which infects Windows machines. The Windows version appears to be a variant of the Gh0st RAT malware used last month in targeted attacks against the Central Tibetan Administration. Both viruses are suspected of being tools in a campaign to attack Uyghur activists."
I know it's overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really don't meet the definition. Frankly, I can't think of a real virus being released in quite some time. Which just seems lazy to me.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Malware, not virus. Virii aren't installed by the users themselves...
Thank you very much.
Well, since this is a trojan and not a virus, your statement is sort of silly and makes you look stupid.
---- Booth was a patriot ----
There aren't. What is being called "viruses" are trojans and other malware that requires the user to install them.
Now I have to add Uyghur Activist Porn to my list of porn sites to avoid, for fear of getting a virus...
I sure hope I can remember not to click on any of that stuff.
In times of universal deceit, telling the truth gets you modded -1 Troll
The novelty hasn't worn off. We'll know the Mac has reached the big time as a platform when new pieces of malware are not covered.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Reading that I feel like an old man, disconnected from the modern day. Is some new tech online porn technology that I've missed out on? Please... I NEED... TO... KNOW... !!!
Pardon my crystallized forebrain, but what's "point-and-grunt" ? Is that one of those newfangled hipster Fail-on-Rails thingamabobs that goes into the weird rounded USB thing on my tee-vee ?
-Billco, Fnarg.com
Only reason it's a big deal is because Apple used to advertise OS X "doesn't get PC viruses." So when a Mac gets one, now everyone jumps on it with a /. article to show Apple was wrong.
BTW Apple just removed their claim: http://www.huffingtonpost.com/2012/06/25/mac-virus-apple_n_1625110.html
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Oh, so it's like Windows in Boot Camp then?
It's hard to blame Mac when you open an infected file. People have been unwittingly installing Malware and other infecting programs onto Macs for years. This is very different from one that propagates without the help of the user. It's a non story.
This isn't a virus; it doesn't replicate. It's an email trojan. It's not a Mac or PC exploit, because it exploits the person, not the machine. And it's got a very specific target. Thanks for the warning; I won't, and don't, click on attachments anyway.
Only reason it's a big deal is because Apple used to advertise OS X "doesn't get PC viruses." So when a Mac gets one, now everyone jumps on it with a /. article to show Apple was wrong.
Well, it's still true that OS X doesn't get Windows viruses. Perhaps a tautology, but true nonetheless....
This sig has exceeded its monthly bandwidth allotment.
Clearly this is propaganda perpetrated by Mac-Haters.
Requiem for the American Dream
The GP pointed out that a trojan horse is not a virus. Trojans need user interaction while viruses are self-propagating. Saying that most users can't tell the difference between them (as you appear to be insinuating) is just plain silly.
You've said this twice now. None of the previous commenters has said that Macs are immune to viruses. Either your English comprehension is lacking or you're deliberately trying to stir things up.
So you have to receive an email from someone who has been infected, unzip the file, start the program, disregard the warning about running downloaded programs and type in the root password? :)
Scary stuff!
You really deserve to be infected by then.
This story isn't covering a virus either. It is a malicious application but one that relies on an idiot running an application from a stranger and ignoring the warning suggesting that maybe you shouldn't open it.
Lists like http://www.okean.com/chinacidr.txt are nice and handy to feed into your edge router.
Kaspersky discovered that if users willingly execute files that turn out to be malicious, their computers will be backdoored.
In other news, I discovered that fire produces heat. Please front-page this important announcement immediately.
I'd like to point out that this propaganda has nothing to do with the McHaters. We're a proud clan, with nary a hate-on for any OS. We're not mad either, like those McHatters. Please don't confuse us with them.
-Paddy McHater
Maybe I'm getting old, but what was the last Windows virus that wasn't self-inflicted? I mean virus as defined by the current discussion; if Apple defines virus as something that only Windows can get, then they are pretty safe in their claim.
Wake me up when they find something that can infect a Mac connected to the internet when no one is using it. You know, kind of like "install Windows, connect to internet, pwned in 15 minutes"?
Anyone can do a user-mode trojan that says "PLEEZE INSTAWL ME! I'M A UPGRAYD!"
That was only an issue with pre-Windows XP SP2 computers. SP2 was released 8 years ago. With SP2 the Windows firewall came enabled by default, which protected unpatched services (like SMB) from being connected directly to the internet.
You mean like ms12-020? There are lots of others too. Just Google "windows remote exploits"
"Be grateful for what you have. You may never know when you may lose it."
They don't claim Windows viruses, they claim PC viruses; last time I checked, Apple makes Personal Computers.
I know Slashdot editors are famously lazy ('sup, guys!) but why does the summary they posted say "The attachment tricks the Mac user into installing..." when TFA* clearly says "the [attack] described here relies on social engineering to get the user to run the backdoor"? You know, just like every single other Trojan out there?!?** The attachment itself is totally benign until someone clicks on it several times. (Even if you view the message with webmail with Safari's "Open 'safe' files after downloading" in its (admittedly brain-dead) default "checked" position***, you still have to click on the attachment link in your webmail and then double-click the visible file to run it.) The only way this actually happens is if someone reads the email and takes a few steps on their own. As always, the attachment itself does nothing.****
Slashdot has been a techy news site for a decade and a half now. You'd think errors as blatant as this would get caught by the editors, even with their usual lack of checking.
You know what would be an awesome site? Exactly what Slashdot is, but with better editors. (And maybe lay off the JavaScript some.)
Anyway: sky is blue, water is wet, sun rises in the east, and all computers--by definition--are vulnerable to trojans. Film at 11.
And by the way, WTF is "point-and-grunt"? Does that imply that users are dumbly clicking on things? If so, doesn't that also imply that the users just might be the problem? Trojans are trivially easy to write. Here's one in one line:
Voila. Type that into Terminal, email it to all of Slashdot, and wait for a great disturbance in the Force, as if millions of home directories suddenly cried out in terror and were suddenly silenced.
* I know no one here reads them, but I think the submitter should, right? Even if they don't, they should just submit the URL and not make up shit for the summary.
** Which is to say, like every single Mac "virus" of the last decade as well.
*** Apple even puts "Safe" in quotes, so they obviously know that's not an ideal term. They should set it to "off" by default--and then remove the option.
**** Unlike the bad old days with Outlook Express' infinitely more brain-dead "Hey, let me run that executable attachment for you!" setting.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
They don't claim Windows viruses, they claim PC viruses; last time I checked, Apple makes Personal Computers.
But to most people, "PC" is synonymous with "Windows machine", so the analogy holds.
This sig has exceeded its monthly bandwidth allotment.
Apple also used to boast that users could "Safeguard your data. By doing nothing." And I noticed this: "When the latest version of Mac OS X, codenamed Mountain Lion, becomes available to users in July, the software will include a new "Gatekeeper" feature that restricts which applications users can download onto their phones or computers. Only apps "downloaded from the Mac App Store or those digitally signed by a registered developer" will be accessible with the Gatekeeper upgrade, per Computerworld"
Wow. That means a lot of my programs, which are not "registered" developers, will not be installable on a Mac 10.8. I guess?
- Stella (Atari emulator)
- NES emulator
- N64 emulator
- VLC Player
- uTorrent
- azureus
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Gatekeeper is not mandatory.
Why, no, I haven't meta-moderated lately. Thanks for asking!
This story isn't covering a virus either. It is a malicious application but one that relies on an idiot running an application from a stranger and ignoring the warning suggesting that maybe you shouldn't open it.
meh, by that logic HIV isn't a virus because it relies on idiots doing things with strangers and ignoring all the warnings suggesting that maybe they shouldn't be doing those things.
I think relying on human stupidity to allow malware to deliver its payload into the sweet elevated privilege levels it needs to pwn you is a valid attack vector for a virus. Biological virii have been relying on it for millennia.
Nah, the real reason it's a big deal around here is that if it happens 98 more times, we'll finally understand how Windows users feel. ;)
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
So there's a Windows version of it that targets Tibetan activists, but they bothered to make a Mac version of it too... in case Tibetan activists had Macs? WHAT?! I don't think they have that kind of money. Something doesn't quite add up there. Whatever, I don't care as long as it knocks Apple down a peg again. That "we're magically immune to viruses" crap they finally removed from their website was about 10 years overdue.
Only reason it's a big deal is because Apple used to advertise OS X "doesn't get PC viruses." So when a Mac gets one, now everyone jumps on it with a /. article to show Apple was wrong.
Well, it's still true that OS X doesn't get Windows viruses. Perhaps a tautology, but true nonetheless....
More accurately, OS X does get and can spread Windows viruses to other Macs and Windows machines... however, OS X is unaffected by them. Virus is yet another class of software that, these days, still only works on Windows, thanks to Microsoft listening to their insane user base that keeps insisting it needs backwards compatibility to run outmoded, outdated 20-year-old software that in reality no one still uses... though they still insist that they do and somehow haven't yet heard of this newfangled trend in computing, the virtual machine. The only reason for virus scanning software on a Mac is to help protect Windows machines from other Windows machines.
The Admin and the Engineer
The vast majority of any OS security exploits are caused by clueless users who click on any link in an email and, of course, application developers who don't know what the hell they are doing. Then there are the folks who consider themselves IT experts who modify security settings incorrectly, firewall configurations incorrectly, and user and program permissions. Just running a 3rd party security scan on your code does not mean it is 100% secure. This is especially prevalent in the business world, where the developers are pushed to produce reliable functionality on schedule while staying within the allotted project budget. Computers are for running applications, and malware counts as an application when you get down to the 0's and 1's. The most recent Flame malware actually used well-known components such as MySQL to convince the security scanners that malware is also a legitimate application. The Stuxnet malware had to rely on a couple of 0-day exploits and stealing security certificates from the companies that produced them. The average script kiddie, or even an above-average developer, usually does not physically break into the actual offices to steal these types of certificates. If you really want to be exploit-free, unplug your Internet cable and never load programs using any external media devices that contain stuff that you know nothing about. If the Iranians had disabled the USB ports and other external storage devices they might have never encountered the problem. Stuxnet required someone to physically implant the malware using external media such as a USB drive. Even drive-by web infections could be prevented if the application developers did a better job when they built their applications. I have used Windows since 3.0 (and hated it), Linux, and the Apple OS since the Apple II was introduced, and have never been infected. Designing a 100% secure OS or application would result in application update cycles taking years and costing a hell of a lot more than now.
It is always a trade-off between providing reliable functionality in a timely manner and the amount of time spent to make something 100% bulletproof. Your average user is just not vigilant or capable enough when it comes to detecting problems.
Um, not really. Ask a Joe Average and the hard disk is the computer box and it's Windows.
What kind of computer do you have? "Well sir, it's Windows with the hard disk on the floor" or "it's a Dell".
People before the IBM personal computer 8051 called PCs anything that is a computer you can personally own; anyone after the mid 90's called it Windows or Mac, other than those cute Apple commercials.
It's splitting hairs really, but go ask your aunt and see what she says.
I never believed that anyway. What IS interesting, however, is that every AV vendor now actively prevents analysis of how many virus infections exist per platform, which is actually a very significant bit of data.
Windows malware numbers in the millions (30M, last time I was able to get a figure), whereas OSX malware numbers somewhere in the 40K by now. That's a shade over 1% of the exposure that Windows platforms have - which still makes it a heck of a lot less risky.
The only drive-by infection (Java based) has now been addressed, so I'd say that if you don't install stuff you don't know you're still better off using OSX (or Linux, I'm hoping someone who actually understands usability will get involved on that platform).
But there is no excuse not to install anti-virus software on OSX; facts are still better than myth.
Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server.
Not only does it misuse the term "virus", as you mentioned, but it also misuses the term "encrypted". The correct term here is "obfuscated". The obfuscation code might happen to contain something that looks very similar to AES, but it isn't encryption (and it certainly isn't AES) if the "key" can just be recovered from the executable.
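The obfuscation-versus-encryption point above, as an added illustration that is not code from the thread or from the malware being discussed: with nothing but the file, an analyst recovers the "encrypted" address because the key sits in the same artifact. The blob layout, the KEY!/CFG! markers, the repeating-key XOR stand-in cipher (not AES) and the TEST-NET address are all constructed for this demo.

```python
# Added example (not from the thread): a key that ships inside the
# executable makes the scheme obfuscation, not encryption. Everything
# here is constructed: the image layout, the markers, the stand-in
# cipher (repeating-key XOR instead of AES) and the TEST-NET address.
import struct

KEY_MARKER = b"KEY!"   # constructed marker an analyst can scan for
CFG_MARKER = b"CFG!"


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Symmetric stand-in cipher: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_binary(key: bytes, c2: str) -> bytes:
    """Constructed 'executable' image: padding, the embedded key, then the
    'encrypted' C2 address. Real samples lay this out differently; the
    point is only that key and ciphertext travel together."""
    body = xor_keystream(c2.encode(), key)
    return (b"\x00" * 32
            + KEY_MARKER + struct.pack("<H", len(key)) + key
            + b"\x90" * 16
            + CFG_MARKER + struct.pack("<H", len(body)) + body)


def recover_c2(image: bytes) -> str:
    """Analyst's view: locate the key and the config inside the file and
    undo the obfuscation. No secret is needed, which is exactly why this
    hides the string from grep but not from anyone who has the binary."""
    k = image.index(KEY_MARKER) + len(KEY_MARKER)
    (klen,) = struct.unpack_from("<H", image, k)
    key = image[k + 2:k + 2 + klen]
    c = image.index(CFG_MARKER) + len(CFG_MARKER)
    (clen,) = struct.unpack_from("<H", image, c)
    return xor_keystream(image[c + 2:c + 2 + clen], key).decode()


# Constructed sample: a TEST-NET-3 address, not a real indicator.
SAMPLE_IMAGE = build_sample_binary(b"\x13\x37\xc0\xde", "203.0.113.7:443")

if __name__ == "__main__":
    # The plaintext never appears in the image, yet it falls out with no
    # external key at all: obfuscation, not encryption.
    print(b"203.0.113.7" in SAMPLE_IMAGE)  # False
    print(recover_c2(SAMPLE_IMAGE))        # 203.0.113.7:443
```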
I've only read TFS, but- doesn't it say that there is a "Windows version" of this malware also doing the rounds?
If so, that's quite fun. Mac actually does have a PC "virus"! It's all grown up!
They don't claim Windows viruses, they claim PC viruses; last time I checked, Apple makes Personal Computers.
Well their answer in the 'why-mac faq' does look a bit misleading.
Is a Mac safe from PC viruses?
Yes. The OS X operating system isn’t susceptible to the thousands of viruses plaguing Windows-based computers. And although no computer connected to the Internet is completely immune to all viruses and spyware, OS X has built-in defenses designed with your safety in mind.
So it is safe from PC viruses, but not completely immune to all computer viruses... ^.^
It is what it is.
Yeah because living viruses and computer viruses are exactly the same thing.
Or maybe she installed a program and it was bundled, like about a hundred other programs that can be installed via bundling. Just try and install a Java update without it asking to install a toolbar.
Other than the one you just mentioned - 40,000 vs 30,000,000? It would make more sense to wear crash helmets and flame-retardant clothing when driving than to install anti-virus software on a Mac...
OK, so if I go out and write a little chunk of asm that only affects x86 and attacks the MBR, Mac will be safe because it's safe from PC viruses? Hogwash. It's immune to malware targeted for Windows, just like my car is immune to diesel gelling because it's gas; doesn't mean the wheel won't fall off.
Not really. What would you do if the hard drive broke - put a new hard drive in the "hard drive"?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I read postings until my eyes became tired, and never found any valuable responses about the original posting. Like how we avoid this problem. Does anyone have valuable feedback about this to help us Mac users avoid this trouble?
Yes, I was actually trying to agree with you. And then I failed. /s/Well/Yes in my original reply would probably improve it.
It is what it is.
Yeah because living viruses and computer viruses are exactly the same thing.
The so-called defining characteristic of a computer virus is that it replicates itself. There is a pedantic interpretation of "replicates itself" that precludes that human beings may act as an enabler.
Just as HIV generally requires humans to do something stupid for it to spread, most modern 'malware' similarly requires humans to do something stupid.
She got what we call a "bundle bite" which is common as dirt friend and comes from "free" software, all that means is she just went "clicky clicky next next next" and refused to even take 4 seconds to look at what she was agreeing to. Since most of the bundle bites have a checkbox that you can uncheck to keep out the toolbars I'd be hard pressed to call that one anything but PEBKAC since unlike a bug they aren't trying to trick you, they just figure you're too damned lazy to even uncheck a checkbox.
BTW, next time she needs some software, mind a suggestion? Ninite has all the third-party stuff most folks want, media players and browsers and messengers and all kinds of software, and TOOLBAR FREE, so she doesn't even have to uncheck any checkboxes; it's fully automated. Just have her check a box for each piece of software she wants and run it, simple as that. You can even use it to see if you have the latest versions, as it'll skip any install that is up to date.
ACs don't waste your time replying, your posts are never seen by me.
Actually you don't have to do something stupid to get HIV. You can get it through a blood transfusion or possibly any exposure to certain bodily fluids or you can be born with it because your mom has it. I don't think I'd call a baby stupid because he was born which wasn't even his choice anyway.
And a computer virus isn't meant to be a 100% like for like comparison to a real virus. Virus is just a generic term anyway and things like HIV are classed as retroviruses or lentiviruses so it's not even like they're all the same and rather than coming up with some sort of naming scheme for malicious code that mimics viruses we just use different terms because that's just how it is.
The app that people are opening only has one purpose. It's not an infected file meant to trick the user.
Actually you don't have to do something stupid to get HIV.
I didn't mean YOU have to do something stupid. Just that a person does. If you get HIV blood in a transfusion, wouldn't you agree that somebody fucked up pretty badly? If you are born with HIV ... your mom did something stupid before having you. Or maybe she got a transfusion ... either way... there was some human stupidity involved somewhere in the chain.
The app that people are opening only has one purpose. It's not an infected file meant to trick the user.
The pedantic definition of computer virus is that it is self-replicating. It doesn't say anything about any trickery.
The original Stoned virus is a good example of a virus. And even it required humans to drag infected floppies from machine to machine. Today they require humans to click ok... and some subgroup of the pedants get their panties in a bunch because it requires "human stupidity" to spread... even though viruses always have required human stupidity to spread.
Whether the human drags around the floppy disk and sticks it into vulnerable systems, or wanders around sticking Ethernet cords into vulnerable systems, these are essential steps for many classical viruses to spread. But as soon as a drive by infected ad requires a human to push "ok" on a vulnerable system... well... that's totally different right?
You mean like ms12-020? There are lots of others too. Just Google "windows remote exploits"
" The following mitigating factors may be helpful in your situation:
By default, the Remote Desktop Protocol is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. Note that on Windows XP and Windows Server 2003, Remote Assistance can enable RDP."
Hmm, I disagree. I'd wear flame proof clothing with an iPhone 4 or a Dell laptop because of the batteries, but I digress.
40,000 still means 40k opportunities to get into serious problems; it is important not to rely on myth, but on hard facts. I tend to upset Linux people with that question too when they tell me proudly they do not have a virus: how do you KNOW?
Even when you do everything right, the fact remains that you have no *evidence* to prove that your efforts have worked - unless you have a way to scan the machine, a sort of independent 3rd party assessment. It doesn't matter how good you are as a sysadmin - I am happy to believe you, but there is no way you can be sure unless you scan the platform.
For the record, I've been using Linux since Slackware came on floppies, so I'm not having a go at people using a different platform (I've only been using OSX for 2 years) - we are simply talking about following good processes but STILL do an audit to make sure those processes are actually effective. Belief doesn't cut it :).