Slashdot: News for Nerds

Mac Malware Evolves - No Install Password Required

samzenpus posted more than 3 years ago | from the under-the-wire dept.


An anonymous reader writes "The latest versions of the Mac Defender malware no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privileges. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."


374 comments

Root access not needed (4, Insightful)

mms3k (2192016) | more than 3 years ago | (#36250894)

I always find it stupid that even here people say that malware on Linux would not be able to gain root like in Windows. Spam bots, fake antiviruses, password-stealing nasties and so on run perfectly fine under a normal user account. There is no reason why they would require admin privileges. All the personal files are accessible on a normal user account and spam can be sent without root too. Sure, it could hide a little bit better if it had root access, but there are plenty of tricks to pull off under a normal account too. It's like a guy making everything overcomplicated by thinking how he needs to act like a perfect guy and take the girl to a fancy restaurant and many dates before having intercourse with her. Sometimes it's just easier to go for a ladyboy - a woman with a man's desire for sex. Requiring access to the root account would be a more common situation with something like hacking servers, since you need to modify logs and really hide in the system. Most likely you also need to get access to HTTP ports and under Linux you need the root account for those. But malware runs perfectly fine under a user account.

Re:Root access not needed (0)

Anonymous Coward | more than 3 years ago | (#36250936)

That's why you don't run it as your user, you run it as another user with low privs.
Well done on continuing the challenge, btw, they're relatively well disguised :)

Re:Root access not needed (-1)

Anonymous Coward | more than 3 years ago | (#36250972)

This ladyboy troll is really getting boring. We all already know you like cocks.

Get out of the closet, faggot.

Re:Root access not needed (0)

Anonymous Coward | more than 2 years ago | (#36251166)

Is it gay to suck Steve?

There's a difference... (0)

Senes (928228) | more than 3 years ago | (#36251006)

Mac malware: type in your password* if you want to install a system-wrecker.

Linux malware: type in your other and more important password if you want to install a system-wrecker.

Windows malware: use internet explorer and navigate to mainstream sites with hidden malicious PDFs or java bombs if you want to install a system-wrecker.

*If you're clever enough to not use your admin password on a daily basis then you're probably clever enough to steer clear of most system-wreckers and so this is not referring to you.

Re:There's a difference... (-1)

Anonymous Coward | more than 2 years ago | (#36251270)

What happens when a jew with a big hard-on walks into a wall? He breaks his nose.

Why do jews have such big noses? Air is free.

How was copper wiring invented? Two jews fighting over a penny.

Why do black men always cry during sex? The mace.

Re:Root access not needed (-1)

Anonymous Coward | more than 2 years ago | (#36251104)

Most women are "ladyboys". You just have to take a chance. Avoid co-workers so you are not accused of sexual harassment.

Re:Root access not needed (-1)

Anonymous Coward | more than 2 years ago | (#36251360)

Erm, I've never fucked a woman with a cock. I guess I've never fucked your "sisters"

Re:Root access not needed (0)

Anonymous Coward | more than 2 years ago | (#36251160)

Lol so hard at 'sometimes it's just easier to go for a ladyboy' - I want to shake the hand of whoever told you it means a woman with a mans desire for sex. Try Googling it (but make sure you turn off safe-search for full effect).

Re:Root access not needed (3, Informative)

CharlyFoxtrot (1607527) | more than 2 years ago | (#36251516)

It's an ongoing joke, he's been challenged to use the word "ladyboy" in every comment he makes.

No surprises here (2)

betterunixthanunix (980855) | more than 3 years ago | (#36250910)

...is anyone actually surprised by this?

Re:No surprises here (1)

gid (5195) | more than 2 years ago | (#36251162)

Nope, and Google Chrome uses this same trick if I'm not mistaken.

Re:No surprises here (1, Troll)

supremebob (574732) | more than 2 years ago | (#36251208)

The Apple store might pretend to be surprised by this, anyway, considering that they're still not allowed to tell customers that Mac malware exists.

Re:No surprises here (0)

Anonymous Coward | more than 2 years ago | (#36251438)

trolling much?

or just blindfolded?

You have to download and install it, and then it can read only files in your profile for which you have the privileges. This is no different from any other program you install and it doesn't do anything that the user doesn't let it.

There are sites on the web that resell your CC number, but that doesn't mean that Mosaic has been "pwned oh my god lulz".

Re:No surprises here (2)

CharlyFoxtrot (1607527) | more than 2 years ago | (#36251594)

That policy has probably changed now since Apple has publicly acknowledged the threat and announced a fix, as well as publishing how to remove it [apple.com] . That's their M.O. : nobody gabs until word comes down from the mother-ship.

Re:No surprises here (3, Informative)

Low Ranked Craig (1327799) | more than 2 years ago | (#36251212)

Not really. And I wasn't really surprised to find that this is a slashvertisment. Sophos makes anti-virus software for Macs. I prefer to get my news from someone who doesn't have a vested interest in selling me stuff directly related to the content of the article.

Re:No surprises here (5, Interesting)

Low Ranked Craig (1327799) | more than 2 years ago | (#36251300)

Follow up. I find it interesting that they gloss over the fact that to completely avoid this all you need to do is turn off download safe files in safari, and/or not be stupid. Their solution is to purchase their anti-malware package for Mac. Question for samzenpus, how much did these guys pay you to post this?
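The Safari setting the comment refers to is the "Open 'safe' files after downloading" option, which auto-mounts a downloaded disk image and starts its installer. As an added example (not from the article, Sophos, or any commenter), this POSIX sh snippet reads and turns off the underlying preference on a Mac. The preference domain and key (com.apple.Safari, AutoOpenSafeDownloads) are the real ones; the helper function names and the SAFARI_CHECK_APPLY switch are mine. Quit Safari before running it so the browser does not write its in-memory copy of the setting back over the change.

```shell
#!/bin/sh
# Added example: inspect and disable Safari's "Open 'safe' files after
# downloading" (preference com.apple.Safari / AutoOpenSafeDownloads).
# Function names are mine; the preference key is Safari's own.

# classify_auto_open VALUE
#   VALUE is whatever `defaults read` printed (1/0, true/false) or empty when
#   the key is unset. Prints "risky" when downloads are auto-opened, "ok"
#   otherwise. Unset counts as risky because Safari's shipped default is ON.
classify_auto_open() {
  case "$1" in
    ''|1|true|TRUE|yes|YES) echo risky; return 1 ;;
    *)                      echo ok;    return 0 ;;
  esac
}

# current_auto_open: read the live preference. Empty output means unset.
current_auto_open() {
  defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null
}

# disable_auto_open: the corrected setting. A downloaded .dmg or .pkg then
# just sits in ~/Downloads until the user opens it deliberately.
disable_auto_open() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Only touch the real preference when explicitly asked (SAFARI_CHECK_APPLY=1);
# otherwise the file only defines the functions, so it can be sourced anywhere.
if [ "${SAFARI_CHECK_APPLY:-0}" = 1 ]; then
  before=$(current_auto_open)
  echo "AutoOpenSafeDownloads before: '${before:-unset}' ($(classify_auto_open "$before"))"
  disable_auto_open
  after=$(current_auto_open)
  echo "AutoOpenSafeDownloads after:  '${after:-unset}' ($(classify_auto_open "$after"))"
fi
```

Run it as `SAFARI_CHECK_APPLY=1 sh safari_safe_files.sh` on the Mac being checked. Note what it does not do: it stops the installer from auto-launching, but a user who double-clicks the downloaded image is exactly where they were before, which is the point made in the reply below.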

Re:No surprises here (5, Insightful)

gad_zuki! (70830) | more than 2 years ago | (#36251478)

That's a little like saying "Oh, just run NoScript or disable the Java plugin" in the Windows world. Most end users have no clue what "safe files" are or what any of what you wrote means.

Not to mention, any web-based exploit can install this malware now. It runs purely in userland. Java exploits, Flash exploits, browser exploits, etc. open the gate for this malware. Today it's the safe files in Safari, tomorrow it's one of dozens of Java exploits.

It's simply easier for end users to do updates and buy an AV than to dick around with settings they don't remotely understand. To Apple's benefit they're usually good about software updates and also update Java (at least for now).

Re:No surprises here (5, Insightful)

gad_zuki! (70830) | more than 2 years ago | (#36251428)

How about the comments in the last article from the fanboys screaming "BUT THEY NEED TO PUT IN THEIR PASSWORD UNLIKE SHITTY WINDOWS" and then modded up to +5 insightful.

Welcome to the new reality. I think they'll find that userland rights on any modern OS are pretty lenient and will allow for a great deal of scammy malware activities. Malware doesn't need to run in any system directory or open any low ports or anything.

Now is probably a good time to invest in OSX AV products.

PEBKAC (4, Informative)

Hatta (162192) | more than 3 years ago | (#36250942)

This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.

Re:PEBKAC (5, Funny)

Anonymous Coward | more than 3 years ago | (#36251000)

Comments like that make me think you are not participating in the two minute hate.

Just embrace the hate of apple and join the group think.

Re:PEBKAC (2)

Ryanrule (1657199) | more than 2 years ago | (#36251048)

So, you are saying the computer is fucked upon purchase? FUP?

Re:PEBKAC (1)

TWX (665546) | more than 2 years ago | (#36251062)

That's what I've always liked about proper user versus management privileges on a computer- when the user who isn't the computer's owner or admin b0rks their account, you just nuke the account and recreate or just nuke the home directory, backing up only if they're important enough for it to cost you if you don't. Unfortunately, when the "admin" is the owner and only has user-level knowledge, they're probably not willing to nuke their own account, assuming they're not running with too many privileges in the first place. At least with OSX it should be possible to do this as they're following the POSIX model for the most part, but only if the owner is willing/able to do it right.

On a somewhat-unrelated note, it still blows my mind when enterprise-level IT still has users with full admin rights over the local workstation, as those machines constantly and continually get infected and reinfected through the ignorance of the users. Sure, it means that a user can add a local device more complicated than a printer without calling the helpdesk, but it also means that any piece of unauthorized software, whether the user intended to install it or not, or whether it's benign or malicious, gets on to the computer. When the IT department sets up the computers and privileges properly, and if the OS doesn't have local root exploits so large one can drive a Mack truck through, the user can do a lot less damage.

Re:PEBKAC (4, Insightful)

Talderas (1212466) | more than 2 years ago | (#36251118)

On a somewhat-unrelated note, it still blows my mind when enterprise-level IT still has users with full admin rights over the local workstation, as those machines constantly and continually get infected and reinfected through the ignorance of the users. Sure, it means that a user can add a local device more complicated than a printer without calling the helpdesk, but it also means that any piece of unauthorized software, whether the user intended to install it or not, or whether it's benign or malicious, gets on to the computer. When the IT department sets up the computers and privileges properly, and if the OS doesn't have local root exploits so large one can drive a Mack truck through, the user can do a lot less damage.

It's not entirely unsurprising. Telling the company owner that "We need to change the level of permissions everyone has on their machines, which means they won't be able to do this, this, and this." after the company owner and the entire user base is accustomed to having that level of permission doesn't typically get a go ahead flag from the company owner.

Re:PEBKAC (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#36251070)

And now it can do less damage because it's running without admin privileges. Should be a lot easier to remove too.

Re:PEBKAC (1)

Richard_at_work (517087) | more than 2 years ago | (#36251084)

For the small fraction of people that have more than one active account on their Mac, sure, but for most people it will do the same amount of damage.

Re:PEBKAC (3, Interesting)

BitZtream (692029) | more than 2 years ago | (#36251198)

Just putting itself in the Applications directory doesn't do anything special, users still have to run it. The Applications directory isn't setuid or anything like that, it doesn't make the app run as root, it doesn't have anything to do with startup or anything else, you're just allowed to create files in the Applications directory.

As I pointed out elsewhere, the intelligent thing to do would be to install to the user's home directory, as most non-techie Mac users will NEVER look in their home directory and notice it; that's just someplace they don't generally have to go, that's what the Documents, Pictures, Music and other folders are for. Unlike the Applications directory, where users are bound to be looking at least once in a while.

The end result would be the same, all it's going to do is affect a single user.

Now if it was intelligent, it'd modify the plist of an existing app to take itself on as the app launcher, then start the real app itself, which would possibly be used by other users on the system. You wouldn't be able to do it to the Apple builtin apps as permissions still require you to be root to modify it, but some other app the user installed will be owned by them and modifiable.

Back when they were asking for a password, they should have been installing a kernel extension to cloak themselves and make removal without booting from a clean drive impossible.

This 'malware' is like most Mac users, it's a joke, it's not even a little bit impressive, it just happens to be the first one noticed.

Just wait until the Windows malware writers start putting some effort into OSX, THEN it'll get nasty.
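The launcher-hijack described in this comment (rewrite the Info.plist or the executable of an app the user owns so it starts the malware and then the real app) leaves a trace an admin can look for without root: an app bundle whose main executable is writable by an ordinary user and is a shell script rather than a Mach-O binary. As an added example, not code from the malware or from any commenter, this POSIX sh audit walks the *.app bundles in a directory and reports both conditions. The bundle layout (Contents/Info.plist, the CFBundleExecutable key, Contents/MacOS/) and the Mach-O magic numbers are standard; the function names and the constructed test bundle are mine. It is meant to be run on a Mac against /Applications and ~/Applications, but the plist parsing and magic-number check run under any sh, which is how it is tested here.

```shell
#!/bin/sh
# Added example: find app bundles an unprivileged user could turn into a
# malware launcher. Function names are mine; bundle layout is Apple's.

# bundle_executable BUNDLE -> prints the CFBundleExecutable value from Info.plist
bundle_executable() {
  plist="$1/Contents/Info.plist"
  [ -f "$plist" ] || return 1
  if command -v plutil >/dev/null 2>&1; then
    # Info.plist is often binary on disk; plutil re-emits it as XML on stdout.
    xml=$(plutil -convert xml1 -o - "$plist")
  else
    xml=$(cat "$plist")   # assumption: already XML when plutil is unavailable
  fi
  # Take the <string> that follows the CFBundleExecutable key.
  printf '%s\n' "$xml" | tr -d '\n' |
    sed -n 's/.*<key>CFBundleExecutable<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# launcher_kind FILE -> "script" if it starts with "#!", "macho" for a Mach-O
# or universal-binary magic number, "other" for anything else (or unreadable).
launcher_kind() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    2321*)                                        echo script ;;  # "#!"
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) echo macho ;;
    *)                                            echo other ;;
  esac
}

# audit_bundle BUNDLE -> prints "<bundle> <writable|readonly> <kind>"
# "writable" means the current (unprivileged) user can replace the executable,
# the MacOS directory, or the plist: the surface a userland trojan needs.
audit_bundle() {
  exe_name=$(bundle_executable "$1") || return 1
  exe="$1/Contents/MacOS/$exe_name"
  if [ -w "$exe" ] || [ -w "$1/Contents/MacOS" ] || [ -w "$1/Contents/Info.plist" ]; then
    w=writable
  else
    w=readonly
  fi
  echo "$1 $w $(launcher_kind "$exe")"
}

# audit_dir DIR -> audits every *.app directly under DIR
audit_dir() {
  for app in "$1"/*.app; do
    [ -d "$app" ] && audit_bundle "$app" || true
  done
  return 0
}

# Usage on a Mac:  audit_dir /Applications; audit_dir "$HOME/Applications"
# Apple's own apps should report "readonly macho"; a user-owned app reporting
# "writable script" deserves a look at what the script execs.
```

The "writable macho" case is the normal state for anything the user installed by drag-and-drop, so on its own it is not an alert; it is the list of apps whose authorization prompts, should one ever appear, prove nothing about who wrote the code behind them.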

Re:PEBKAC (1)

AndyAndyAndyAndy (967043) | more than 2 years ago | (#36251158)

But now it compromises slightly smarter users, widening its success rate by some degree.

Re:PEBKAC (1)

TimeElf1 (781120) | more than 2 years ago | (#36251182)

This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.

Gee, users deliberately installing things that might be harmful for their computer? I can't ever see that happening....

Re:PEBKAC (1)

tepples (727027) | more than 2 years ago | (#36251378)

Gee, users deliberately installing things that might be harmful for their computer?

Conventional antivirus software acts as a blacklist. Mac App Store acts as a centrally managed whitelist. Do you recommend either of these two approaches, or do you recommend a third one [tvtropes.org] that's less widely known?

Re:PEBKAC (2)

Lumpy (12016) | more than 2 years ago | (#36251250)

Stop bringing truth and facts into this.....

Re:PEBKAC (1)

nlawalker (804108) | more than 2 years ago | (#36251384)

Clearly, then, this malware was engineered by Apple itself to cull from its userbase those that it felt were not worthy of their computing experience. I mean, seriously, no one who dares install apps from anywhere other than the App Store(TM) should be able to call themselves an Apple user.

Re:PEBKAC (0)

Anonymous Coward | more than 2 years ago | (#36251540)

After reading the article, I have to say: how does this thing ever get installed? The user has to click continue several times and it is obviously an installer. If you didn't ask to install something, you stop the process.

On Windows, don't the trojan makers try to install without you noticing? I find it really amazing that many people would get infected by this application.

Re:PEBKAC (0)

Anonymous Coward | more than 2 years ago | (#36251586)

This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.

Well, unless there is magic pixie dust involved - it won't be long before OS X users can have their user profiles infected via drive-by exploits. Just like what happens in the Windows environments.

(On the upside, as long as there's no privilege escalation going on, an infected profile is a lot easier to sanitize than an infected machine.)

I am safe. (5, Funny)

Anonymous Coward | more than 3 years ago | (#36250980)

My PC can't get Mac malware.

Re:I am safe. (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#36251042)

My PC can't get Mac malware.

Macs *ARE* PCs, numbnuts

Re:I am safe. (-1)

Anonymous Coward | more than 2 years ago | (#36251272)

Clearly, you're retarded.

Re:I am safe. (0)

Anonymous Coward | more than 2 years ago | (#36251366)

Unfortunately you would need the converse "PCs are Macs" to prove him wrong.

Re:I am safe. (-1, Troll)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36251392)

Macs *ARE* PCs, numbnuts

Unless you've just woken up from a 20+ year coma, no, they're not.

Re:I am safe. (1)

geoffball (1195685) | more than 2 years ago | (#36251252)

Your Windows system got this malware years ago. Some hackers decided it would be fun to port it to MacOSX.

But, but... (2)

Moraelin (679338) | more than 2 years ago | (#36251344)

But... but... weren't we all told that this isn't possible? I'm sure I've heard the rhetoric repeatedly before that if someone didn't bother porting some malware to Mac or Mozilla back when they had tiny market share, then it's some kind of proof that they're secure and it can't be done.

Re:I am safe. (4, Funny)

BobNET (119675) | more than 2 years ago | (#36251306)

You laugh now, but it's only a matter of time before PCs become popular enough that malware writers start targeting them instead.

Market Share (0)

Anonymous Coward | more than 3 years ago | (#36250990)

It was only a matter of time till there started being viruses and malware for the Mac, just like anything else: the more market share something gets, the more it gets picked apart. It's only a matter of time till we see desktop Linux get viruses and malware released. We have already seen some variation of it with the way they are pulling Android apps off the market because of security issues.

Oh, the sensationalism (0, Offtopic)

Anonymous Coward | more than 3 years ago | (#36250994)

Screw you, Sophos, and your filthy FUD marketing.

Re:Oh, the sensationalism (0)

Anonymous Coward | more than 2 years ago | (#36251564)

I wonder why people downvote this. Sophos workers, perhaps? The OP is entirely right - it is only FUD and sly marketing to try to make a headline of this by saying the malware "no longer requires admin password" as if it was something breathtaking, revolutionary or dangerous. The malware tricks the user, not the system, and so it doesn't need any password or admin authentication. Trying to make it sound like this is new, special or a big deal is nothing but cheap marketing to flog their own half-assed AV software.

Less damaging (2)

CharlyFoxtrot (1607527) | more than 3 years ago | (#36250998)

So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.

Re:Less damaging (1)

LordLimecat (1103839) | more than 2 years ago | (#36251068)

There's no reason the malware can't install in user mode, and also attempt an elevated install for real rootkit goodness.

Re:Less damaging (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#36251144)

True, but if they were capable of using a real exploit wouldn't they do so directly? The more work these asshats have to do to get into the system, the more chance there is of detecting and/or stopping them at some intermediate point.

Re:Less damaging (1)

Ephemeriis (315124) | more than 2 years ago | (#36251092)

So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.

It also means that whatever files exist and whatever changes are made live somewhere in that user's profile.

The Windows malware that does this is annoying because it can sneak in without admin rights... But it is easily removed by simply logging in as a different user and deleting the infected profile.

Re:Less damaging (2)

0123456 (636235) | more than 2 years ago | (#36251202)

So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.

Not when it logs your banking passwords and sends them to the Russian Mafia. Most of the things that malware wants to do can be done in user mode as well as admin.

Re:Less damaging (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#36251380)

Sure but if your kid installs this under his/her account then mommy & daddy are still safe, for now at least. And it'll be a lot easier to purge something that didn't have admin rights from the system.

Good News for the App Store (5, Interesting)

vwjeff (709903) | more than 2 years ago | (#36251310)

This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.

Re:Good News for the App Store (2)

CharlyFoxtrot (1607527) | more than 2 years ago | (#36251462)

It'll never happen. A lot more mac users are power users than the stereotypes suggest and these people just wouldn't accept it. At most they could go with an opt-out system. Otherwise I think app-stores are more of a positive evolution than people give them credit for, when they are not shoved down your throat that is. The signing of software to guarantee that it hasn't been modified or tampered with is a no-brainer, a bit like having shrink-wrap around a box-set of physical media.

Well, yea (0)

Anonymous Coward | more than 3 years ago | (#36251008)

That's how most malware works these days. Time for the mac users to wake up a bit and realize they really aren't "thinking different" enough to ward off the crapware and extortion schemes.

Market Share (1)

helix2301 (1105613) | more than 3 years ago | (#36251010)

It was only a matter of time till there started being viruses and malware for the Mac, just like anything else: the more market share something gets, the more it gets picked apart. It's only a matter of time till we see desktop Linux get viruses and malware released. We have already seen some variation of it with the way they are pulling Android apps off the market because of security issues.

Re:Market Share (1)

_Sprocket_ (42527) | more than 2 years ago | (#36251090)

Yes, yes. We hear this every single time there's Mac malware. You do realize that this isn't the first time, right?

Re:Market Share (1)

betterunixthanunix (980855) | more than 2 years ago | (#36251190)

It depends on who is using the computer. GNU/Linux has many millions of desktop users, but it would be pretty hard to convince most of those people to run some random program they downloaded from some website. Mac OS X's userbase, on the other hand, is composed mainly of people who are not knowledgeable about computers and who wanted something that was "easier" or "more user friendly" than Windows (cue the comments from technically adept people who happen to like Mac OS X), and may more easily fall victim to social engineering.

Of course, desktop GNU/Linux use is expanding to more people who are not so technically inclined, so this may change over the next few years.

Good (1)

thePowerOfGrayskull (905905) | more than 2 years ago | (#36251026)

High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security. Any malware can run in the user space of any OS if the user installs it (and they will); and at minimum it has access to all of a user's private data. That should be just as worrisome as a single-user machine getting rootkitted - while the harm to the system is greater for a rootkit, the damage to the user is just the same.

Re:Good (2, Insightful)

_Sprocket_ (42527) | more than 2 years ago | (#36251412)

High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security.

I have a hard time completely dismissing privilege escalation. There is still some value in being able to separate user data from the system proper - if only to make clean-up easier. But I do completely agree with the overall lesson here. An overly simplified view of security might very well overlook the fact that there's still a lot of value with operating in the context of an unprivileged user. And as such, users should remain wary whenever they're acting outside the boundaries of their local environment.

It strikes me that this is a subset of the dancing pigs problem [wikipedia.org] . The promise is that computing is being made easy. And in doing so, the end user gets all manner of over-simplified, friendly (or frightening) messages wanting their rubber-stamp to do various unknown black-box things. Whether you promise dancing pigs or protection from evil hackers, it comes down to the same thing. Present the proper dialog box and end users are likely to accept it.

This is a problem that won't be solved by more dialog boxes. At some point, the user needs to be exposed to some level of the complexity of their environment and hopefully given enough information and skepticism to make reasonable decisions.

Re:Good (0)

Anonymous Coward | more than 2 years ago | (#36251464)

Any malware can run in the user space of any OS if the user installs it (and they will);

What if the partition is mounted noexec like my mother's Ubuntu box is? And any script she downloads will open in gedit rather than any particular interpreter. Not much danger there. Also, Firefox is set up with apparmor which ships with Ubuntu by default to only have access to the $HOME/Downloads directory so it can't see any of her other files. Needless to say, trojans haven't been much of an issue for the 3 drama-free years she's been running Linux. What's that you say? What if she just installs malware.deb? Imagine my best Agent Smith voice:

How will you install a deb file Mrs. Cosby if you are not in the /etc/sudoers file?

Real issue (2, Informative)

Anonymous Coward | more than 2 years ago | (#36251028)

The only real issue is the "auto-download safe content" default option in Safari. It shouldn't be enabled by default. Just uncheck it.

Another case of iClicitys (rush of advertisement clicks generated by Apple buzz).

The difference (2)

wandazulu (265281) | more than 2 years ago | (#36251030)

So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.

Re:The difference (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#36251112)

This means the problem would be isolated to that particular user's account.

For many home users, that is all that really matters. We are not talking about an enterprise setup here, we are talking about some person's laptop. Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.

Re:The difference (1)

0123456 (636235) | more than 2 years ago | (#36251262)

Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.

It would reduce the problem, not eliminate it. Just because you can't run $HOME/malware.sh directly doesn't mean you can't 'bash $HOME/malware.sh'.

Re:The difference (1)

betterunixthanunix (980855) | more than 2 years ago | (#36251368)

That much is true, which is why I said "thwart" and not "completely eliminate." Now, with a bit of work, you could stop users from doing that as well -- set up the right SELinux policies/contexts and whatnot -- and thus mitigate the threat further. In the end, it really depends on what exactly you are trying to do, and what your users need to be able to do. If your users only need to be able to launch a web browser and email client, then go ahead and stop them from running bash.

Re:The difference (1)

geekoid (135745) | more than 2 years ago | (#36251154)

Except it will probably infect a trusted executable, and then when the trusted executable asks for elevated privileges nearly everyone will allow it to have them.

Re:The difference (1)

thePowerOfGrayskull (905905) | more than 2 years ago | (#36251216)

So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.

And this is ok? When you consider that most systems that are not servers have only one or two users, the fact that it's limited to one account doesn't mean much of anything at all. That's one account having its passwords and CC info gleefully distributed, among other things. Do you really think it matters that the admin account has not been compromised? (yet - once installed it's trivial to trick the user into providing admin access)

Full system infection is not needed at all (0)

Anonymous Coward | more than 2 years ago | (#36251296)

And how many people who share a computer also share the same user account? On the Windows side, the malware does not really need to even install itself; running it until shutdown is enough, as there are always enough people that get (re)infected and who keep their machines always on.

McAffee must love this (0)

Anonymous Coward | more than 2 years ago | (#36251046)

You know all these loser anti-virus peddlers are watching this with glee.

mac malware is trending to explode is the point (0)

Anonymous Coward | more than 2 years ago | (#36251058)

this is only one particular piece of malware, in itself not so significant, but it indicates macs and their users have finally reached enough critical mass to bother stealing from... that's what malware is about now

Apple is patching anyway (1)

Bryan3000000 (1356999) | more than 2 years ago | (#36251080)

So either the patch will already recognize and remove this, or they will have to issue another little update to take care of it completely. Given that they are not compromising any privileges, stopping this should be ridiculously easy. Why are these guys even bothering?

Unless perhaps they are trying to get an installed base with the current package, which can then perhaps help with a real exploit - e.g. directing a browser to a website that exploits a real vulnerability.

Re:Apple is patching anyway (2)

geekoid (135745) | more than 2 years ago | (#36251172)

Or they want to infect a trusted file, or more likely, the user info they want resides in the user's directory.

For the most part, modern attackers don't want to damage your computer, they want to get personal info. CC numbers and the like.

It's best for them if their attack has no noticeable impact on a system.

Re:Apple is patching anyway (1)

Xiterion (809456) | more than 2 years ago | (#36251230)

... Why are these guys even bothering?

Because their target is the user who doesn't quite grok the difference between files, folders, programs, and the Internet. You know, the sort of person who can't find their Word documents outside of Word itself. I think the authors of this malware are simply taking advantage of the fact that most users won't notice it's there, and won't bother trying to remove it. Malware doesn't have to be dug in to a computer so hard that a tactical nuclear strike is needed to remove it in order to be effective.

That will be the most interesting aspect (1)

SuperKendall (25149) | more than 2 years ago | (#36251258)

I'm really curious just what Apple will do in a patch to prevent this. You could of course recognize one variant, but you can't easily find an infinite number of variations... especially when there's so little difference between a trojan and some application that is meant to be downloaded and run.

The funny thing is currently the absolute safest recommendation you can make to a Mac user to keep them safe is to NOT install any anti-virus software.

Does this make it easier to remove? (1)

UnknowingFool (672806) | more than 2 years ago | (#36251106)

Originally this malware asked for an admin password which means it could get access to admin privileges. This new variant installs under user permissions which means that the admin can more easily remove it. That is assuming users don't run as admin. BTW, this variant still requires user intervention to install so it's not quite a virus or worm but still a Trojan.

More damaging for Apple than most think... (1, Interesting)

imyy4u3 (1290108) | more than 2 years ago | (#36251124)

One of the key selling points that entices a lot of novice users to buy an Apple over a PC is lack of malware/virii. The other key selling points being ease of use/reliability/stability. This latest outbreak, while not particularly damaging, and while not really a threat as the user still must "install it," is getting a ton of media attention and is thus removing the "cloak of invulnerability" that Macs have been advertised to have against malware and virii. So now when a novice user, who doesn't know any better, has to choose between the more expensive Mac vs a cheaper PC, will the remaining key selling points be enough to entice them to pay the higher premium? Many people switch solely on the reason of not dealing with virii/malware, but now that they will have to deal with that (whether or not it's true is irrelevant as in many novices' minds Macs are now vulnerable) they might just stick with their PC. Bottom line - this is going to really hurt Apple a lot more than most people realize, as they will no longer have the novice users switching just to avoid virii and malware. Apple's "cloak of invulnerability" has been removed...and whether the remaining key selling points will sustain them remains to be seen.

Re:More damaging for Apple than most think... (1)

AHuxley (892839) | more than 2 years ago | (#36251244)

http://iantivirus.com/threats/ [iantivirus.com] has a list of some of the OS X/pre OS X era malware.
Not a lot of virii, Trojan.OSX.RSPlug was it for a while.

Re:More damaging for Apple than most think... (3, Insightful)

Shados (741919) | more than 2 years ago | (#36251280)

The vast majority of Windows infections also come from viruses that "must be installed". Not 100% obviously, but if you take out the ones that infected users months after patches were released, and the ones where users clicked through a UAC prompt to install anyway, you end up with a very very small sample.

It's all about social engineering now.

Re:More damaging for Apple than most think... (4, Insightful)

Vokkyt (739289) | more than 2 years ago | (#36251444)

The problem with this assessment is that it's the exact same assessment that OS X has been receiving for the past 6 years whenever a new Trojan pops up. And no, this trojan really isn't any different than its predecessors. I'm not trying to defend OS X as the almighty glorious Mac Master Race computer, but it's a little ridiculous to see this cycle every time an OS X Trojan pops up (and they've pretty much all been trojans -- IIRC, a few were classified as worms, but I really don't remember clearly):

1. Malware appears for OS X
2. AV companies advertise it wildly
3. Journalists/"Analysts" declare that age of Innocence for OS X is over, no longer "immune" to Malware
4. Message Board users declare the end of OS X/Catastrophic damage
5. Time passes and reality sets in -- the Malware/Trojan fails to reach any noticeable level of threat

Again, this isn't to say OS X is immune. Absolutely not. But every time a bit of Malware appears, this exact cycle happens -- and OS X and Apple's sales only go up.

Re:More damaging for Apple than most think... (-1, Redundant)

rudy_wayne (414635) | more than 2 years ago | (#36251582)

So now when a novice user, who doesn't know any better, has to choose between the more expensive Mac vs a cheaper PC, will the remaining key selling points be enough to entice them to pay the higher premium? Many people switch solely on the reason of not dealing with virii/malware, but now that they will have to deal with that (whether or not it's true is irrelevant as in many novices' minds Macs are now vulnerable) they might just stick with their PC.

Bottom line - this is going to really hurt Apple a lot more than most people realize, as they will no longer have the novice users switching just to avoid virii and malware. Apple's "cloak of invulnerability" has been removed...and whether the remaining key selling points will sustain them remains to be seen.

Anyone with a basic understanding of computers has long known that "no Mac viruses" has simply meant "nobody gives a shit about Macs" [imageshack.us]

Does the principle apply to Linux? (2)

G3ckoG33k (647276) | more than 2 years ago | (#36251126)

Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)

Re:Does the principle apply to Linux? (1)

0123456 (636235) | more than 2 years ago | (#36251180)

Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)

If you download and run random programs on any OS I've used you're vulnerable to malware. You could partially mitigate it by mounting /home as noexec, and you could probably use SELinux to prevent users from running any applications from /home, but that's a pain.

Re:Does the principle apply to Linux? (1)

betterunixthanunix (980855) | more than 2 years ago | (#36251286)

you could probably use SELinux to prevent users from running any applications from /home, but that's a pain.

How is that a pain? Have you ever tried it? In Fedora, it is a matter of setting an SELinux boolean (allow_user_exec_content) and setting the user as user_u. This is literally two things to click on in the SELinux GUI tool, or two commands to run in a terminal. This might annoy users who want to do things like write scripts, but if your goal is to defend against this kind of malware, then that is what you have to do.

Of course, most home users are unaware of noexec/SELinux and would need the family IT guy to do this for them.

Re:Does the principle apply to Linux? (1)

0123456 (636235) | more than 2 years ago | (#36251374)

How is that a pain?

If you're not using a Fedora-based OS then SELinux probably doesn't work, and any competent Unix user probably has a bunch of scripts in $HOME that they use to do random things; I certainly do. I could put them in /usr/local/bin instead but that's a pain in itself.

You also need to ensure that /tmp and /var/tmp are noexec, which Ubuntu, at least, seems to dislike. On the plus side, /tmp is normally a RAM disk so any malware installed there will vanish at the next reboot.

Re:Does the principle apply to Linux? (1)

betterunixthanunix (980855) | more than 2 years ago | (#36251490)

If you're not using a Fedora-based OS then SELinux probably doesn't work,

Well, there is also AppArmor, TrustedBSD, TrustedSolaris, etc. The real point here is that mandatory access control does not have to be a hard thing to use, especially if you are trying to do something common like prevent a particular user from executing programs in their home directory. I cannot comment much on how easy AppArmor/etc. are to use, since I have not actually used them.

You also need to ensure that /tmp and /var/tmp are noexec, which Ubuntu, at least, seems to dislike.

That screams "problem" to me, but theoretically an SELinux policy could be written to allow this for whatever specific program needs that privilege. I have tried a few lightweight things with SELinux, and there are quite a few surprises -- like the fact that Firefox tries to mark its stack as executable (seriously, in 2011, a web browser wants to execute code on its stack). Another option, which I have made use of, is the SELinux sandbox, which lets you confine an application so that it can get special permissions (like marking its stack as executable) without allowing it to affect other parts of the system (this also means that you cannot save files, unless you mount a special home directory just for the sandbox, which is allowed; the sandbox also allows you to set up the security context in a way that makes sense, e.g. Firefox should be able to access the web).

Re:Does the principle apply to Linux? (1)

Lumpy (12016) | more than 2 years ago | (#36251328)

Under Linux you have to download it, turn on the execute bit and set the permissions and THEN execute it.
Nope, no chance in hell that a user will fall for this under Linux. If they launch random crap they will never be able to set it to execute.

Re:Does the principle apply to Linux? (1)

0123456 (636235) | more than 2 years ago | (#36251434)

Under Linux you have to download it, turn on the execute bit and set the permissions and THEN execute it.

"To install the Cute Kitty screensaver, download malware.sh, open a Terminal window and type 'bash malware.sh'."

Yeah, it's a pain, but more than a few people will do it in order to see cute kitties or b00b13s. The only way to stop them from doing it is to ensure they can't run anything that isn't in a system directory.

And, even then, they'll still install random Firefox plugins which don't require execute permission or root access.

Re:Does the principle apply to Linux? (1)

LoganDzwon (1170459) | more than 2 years ago | (#36251456)

A direct example would be more like a website can tell if you're on Debian/Ubuntu or RHEL/Fedora and sends you a .deb or .rpm. Then your browser sees it is a package so it fires up your package manager for you.

Re:Does the principle apply to Linux? (1)

FudRucker (866063) | more than 2 years ago | (#36251522)

What if /home was in its own disk partition and mounted with a noexec parameter? I guess /tmp and /var would have to get the same treatment too...
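The noexec question raised in this subthread (for /home, /tmp and /var/tmp) is easy to audit. The script below is an added example, not code from any commenter: it reads /proc/mounts-formatted lines (a constructed sample is embedded so it runs offline) and reports each watched path whose effective mount lacks noexec.

```shell
#!/bin/sh
# Added example: audit whether user-writable locations are mounted noexec.
# Input is text in /proc/mounts format: device mountpoint fstype options dump pass.

# Constructed sample (not from a real machine): /home has no noexec,
# /tmp is a noexec tmpfs, and /var/tmp is not a separate mount at all.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts PATH MOUNTS_TEXT: print the option string of the longest mount
# point that contains PATH, so /var/tmp falls back to /var or / when it is
# not mounted separately (the case the comment above worries about).
mount_opts() {
    target=$1
    printf '%s\n' "$2" | awk -v t="$target" '
        BEGIN { best_len = 0; best = "" }
        {
            mp = $2
            # exact match, or a prefix that ends at a path separator, or /
            if (t == mp || (mp != "/" && index(t, mp "/") == 1) || mp == "/") {
                if (length(mp) > best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }'
}

# check_noexec MOUNTS_TEXT: print one line per watched path that is not
# covered by a noexec mount; returns 1 if any such path was found.
check_noexec() {
    mounts=$1
    found=0
    for p in /home /tmp /var/tmp; do
        opts=$(mount_opts "$p" "$mounts")
        case ",$opts," in
            *,noexec,*) ;;
            *) printf '%s lacks noexec (options: %s)\n' "$p" "$opts"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone run on the constructed sample; flags /home and /var/tmp.
check_noexec "$SAMPLE_MOUNTS" || echo "one or more paths need attention"
```

On a live Linux system, call `check_noexec "$(cat /proc/mounts)"` instead of the sample; a noexec mount only stops direct execution, so a script fed to an interpreter (as another comment in this thread points out) still runs.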

Re:Does the principle apply to Linux? (0)

Anonymous Coward | more than 2 years ago | (#36251314)

Of course it applies. Also, while it doesn't use the password entry, it applies to modern versions of Windows too. It always has, and this is not newsworthy in that context. It's a yawn-fest really. Malware wanting administrator permission has *always* been because that allows it to make itself harder to remove or detect. It's a tradeoff. By not using administrator permissions it's easier to remove/detect.

Fun thing is though, is that the vast majority of users aren't impacted by that. The malware will be just as functional either way for most typical users because the "easier removal" is still beyond their abilities. Such is the sad state of affairs.

This is the evolution of criminality (4, Insightful)

hellfire (86129) | more than 2 years ago | (#36251142)

The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.

They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.

I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows' fault in those situations either; the user simply installed something that took over the system.

Re:This is the evolution of criminality (2)

JSBiff (87824) | more than 2 years ago | (#36251294)

I think another point might be that the malware is evolving from doing things which might require system-wide admin privileges, to just doing things which require lower levels of access.

My first thought when I saw an article posted on Ars Technica yesterday, about this change in the malware, was, "But, wouldn't that mean the malware has to run at lower privilege levels"?

Then I realized that something running at "user" privilege levels instead of root, can still be bad. It could probably still keylog that particular user's credentials when going to websites and such. It could still send out spam emails as the user. It could still search through the user's personal files looking for anything "interesting" (or just uploading them en-masse to another 'owned' machine). It could still act as an online file repository for child porn, terrorists, organized crime, etc. It could act as a webserver for a phishing attack.

It could be used as part of a DDOS, or as part of a massive computation network (think something like World Community Grid for organized crime - to, e.g. brute force recover encryption keys for someone or some system the criminals are targeting).

It still requires the user to click through (2)

Shivetya (243324) | more than 2 years ago | (#36251336)

You are still required to click through an install wizard, so this is in no shape or form an install performed without the user.

Re:It still requires the user to click through (1)

robmv (855035) | more than 2 years ago | (#36251476)

Is that OS X install wizard built by the OS, or is it an executable coded by the malware author? If the answer is yes to the last question, why is it needed to continue the install wizard? The malware author can add code before opening it to install anything they want even if you press cancel.

The problem is the Safari setting to open "safe" files automatically; that is the dumbest thing a browser can do.

Silly! (0)

Anonymous Coward | more than 2 years ago | (#36251436)

It can't evolve; it was created that way.

So uh... (3, Insightful)

bmo (77928) | more than 2 years ago | (#36251470)

Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?

Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."

As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.

ps -uax | grep $USER
OH HEY GUYS THAT LOOKS WEIRD
killall -9 $SUSPICIOUS PROGRAM
rm $PATHTOSUSPICIOUSPROGRAM/SUSPICIOUSPROGRAM

And not even have to have a # in your prompt. No sudo, no su, no nothing.

Go on with life

Wow. That's...difficult.

--
BMO

A virus? (0)

Anonymous Coward | more than 2 years ago | (#36251552)

I thought Macs don't get viruses?

Only your own folder? Still... (2)

lpp (115405) | more than 2 years ago | (#36251566)

That seems like it's not really any protection at all. Most Macs are likely single user setups anyway. Sometimes, sure, you'll have some other users on the machine, but most of them are likely just tied to one user.

To that one user, their files are the critical component of the machine. If they bought the machine, they have the reinstall discs for the OS, plus those of any upgrades. Annoying? You betcha. But if they haven't been backing up their files (shame on them) then having to reinstall the OS is the LEAST of their worries.

And this of course goes for Windows and Linux installs as well. And really, even in a multi-user/single-machine scenario, while the damage is limited, it is still potentially devastating for the user involved. And again, for many (most?) installs, there's only one user that matters anyway.

It didn't evolve. (1)

Anonymous Coward | more than 2 years ago | (#36251580)

The new version was simply designed more intelligently.
