322 comments

No user interaction (5, Funny)

Anonymous Coward | about 2 years ago | (#39688735)

So, what you're saying is, It Just Works?

Re:No user interaction (5, Insightful)

buchner.johannes (1139593) | about 2 years ago | (#39688775)

Isn't a Trojan that requires no user interaction by definition a Virus?

Re:No user interaction (5, Informative)

Anonymous Coward | about 2 years ago | (#39688961)

No, because you still have to navigate to a web site. It is a trojan because they need to entice you to do so.

Re:No user interaction (0)

Anonymous Coward | about 2 years ago | (#39689085)

No, viruses self-propagate

Re:No user interaction (4, Informative)

Anonymous Coward | about 2 years ago | (#39689353)

No, viruses propagate. Worms self-propagate.

Re:No user interaction (5, Informative)

ninetyninebottles (2174630) | about 2 years ago | (#39689111)

Isn't a Trojan that requires no user interaction by definition a Virus?

Not really.

Trojan - malware posing as legitimate software.

Virus - malware that copies itself either replacing or attaching to legitimate software.

Worm - malware that copies itself from system to system automatically without user interaction.

This software seems to be automatically installed when the user follows a link in their Web browser, but there is no indication that it in any way sends more links to people. So this malware does not fit neatly into any of the common categories. "Virus" seems to be a catch all term these days so you might as well call it that.

Re:No user interaction (5, Informative)

Altieres Rohr (1286518) | about 2 years ago | (#39689469)

The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some definitions, and, by others, a worm is any malware that spreads by itself but does not parasitize legitimate software (thus why "USB worms").

Although the Morris worm did not require user interaction, this is not true of all future malware that would be considered a worm. Malware that copies itself to network drives, P2P software shared folders, or attaches itself to or sends e-mail, IM or IRC messages are all worms.

As for trojans, any malware that does not replicate is a trojan. Back in the day, and even today, the only way to convince a user to run such software is by advertising it as another piece of software - thus why the trojan horse definition. Exploit code changed that, but they're all still trojans, and most still fallback to advertising themselves as a Flash player plugin or video codec when the exploit doesn't work. In any case, this new malware doesn't replicate, so it is a trojan.

There is no malware category to describe code that requires no user interaction to run. Exploits, worms and viruses and trojans all can do it, but that's not required by their definitions.

Reference: http://www.f-secure.com/en/web/labs_global/threat-types [f-secure.com]

Re:No user interaction (5, Informative)

ninetyninebottles (2174630) | about 2 years ago | (#39689803)

The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some definitions, and, by others, a worm is any malware that spreads by itself but does not parasitize legitimate software (thus why "USB worms").

I worked in the security industry for many years and never heard anyone call something a "usb worm". If it is copying itself as the result of user interaction, we always called it a virus. If it spread on its own, it was a worm. The definition of "worm" you provide does not seem to differentiate itself from a virus in any way. Something that copies itself via shared disks is almost the classic poster child for a virus. The term originated talking about malware spread on floppies.

Darn you kids and your newfangled definitions!

Fix Available (5, Funny)

Frankie70 (803801) | about 2 years ago | (#39689373)

Fix available here [microsoft.com] .

Re:Fix Available (5, Insightful)

Anonymous Coward | about 2 years ago | (#39689531)

pfft, out of the frying pan, into the blazing inferno of thrown chairs.

Better fix here [linuxmint.com] .

Missing from summary (5, Informative)

dr2chase (653338) | about 2 years ago | (#39688747)

from TFA: "if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe" (for now).

But it looks like the good times are over.

Re:Missing from summary (5, Insightful)

slashmydots (2189826) | about 2 years ago | (#39688779)

I didn't consider mac users lording their "super advanced security and magical virus immunity" as "good times." It's about time someone reminded them that Windows is far more secure, it's just targeted more. This is going to be the beginning of a long line of taking them down a notch.

Re:Missing from summary (2, Interesting)

Anonymous Coward | about 2 years ago | (#39688859)

I didn't consider mac users lording their "super advanced security and magical virus immunity" as "good times."

But we sure did!

Re:Missing from summary (4, Informative)

errandum (2014454) | about 2 years ago | (#39689081)

Well, the general idea is that they were very secure. Not too long ago I was modded into oblivion because I said Windows is, by design, more secure than Mac OS. So obviously, I dropped the subject and never posted about it again.

If no one is allowed to talk about it, the general impression will be that they are, indeed, more secure (at least here).

Re:Missing from summary (0, Troll)

mario_grgic (515333) | about 2 years ago | (#39689593)

Funny thing is this Java Runtime vulnerability is also present in the Windows version of Java, and it can be exploited just as easily.

Re:Missing from summary (4, Informative)

Atzanteol (99067) | about 2 years ago | (#39689693)

And it was patched much faster by Oracle and pushed out quicker by the Java install because Microsoft doesn't have insane control issues like Apple does.

Re:Missing from summary (1, Informative)

Anonymous Coward | about 2 years ago | (#39689083)

Who ever claimed immunity? The claim that OS X is immune to viruses is just a big fat straw man. It's about as retarded as "I heard your BMW broke down, so what they say about superior German engineering is a lie!".

It takes a special kind of ignorance to go there with any kind of seriousness, an inability to separate fantasy from reality as bad as those you attempt to attack.

It's a far cry from not needing to be concerned about viruses, which has actually held up in comparison to windows for example.

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39689117)

Many BMW owners will freely admit that they break more often and are harder/more expensive to work on. The "German Engineering" isn't about it not breaking, but about how well it works when it does ;)

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39689119)

Blaaaaaah blah blah blah blah blah blah.

Who gives a fucking rancid toss? Windows has malware targeted at it. OSX now has successful malware targeted at it. UNIX used to have malware targeted at it and for all I know still does. Users of each of them should be protecting against malware. Other than that, who fucking cares? They're operating systems. If you're making them your religion you've got a fucking empty life.

Then again, we're posting on Slashdot, so who the fuck am I to talk?

Re:Missing from summary (2, Insightful)

Anonymous Coward | about 2 years ago | (#39689327)

20-30 new viruses a day for windows 1 virus for the mac in 10 years shows windows is more secure?

Re:Missing from summary (2, Insightful)

Anonymous Coward | about 2 years ago | (#39689551)

It's called the beginning of the Bell Curve. There's a sweet spot coming up. A real white knuckle ride.

Re:Missing from summary (3, Insightful)

Anonymous Coward | about 2 years ago | (#39689371)

This is going to be the beginning of a long line of taking them down a notch.

What? really? So just because someone uses a Mac instead of Windows means they somehow think they are superior to you? I'm sure there are some people that use Mac that think they are superior but that doesn't mean that everyone using a Mac thinks that. So how about you get off your high horse and stop condemning people based on what OS they choose. I personally prefer Mac OS to Windows. I grew up on Windows from Windows 3.1 to Windows Vista. For me, Mac OS is far more intuitive and streamlined. When I think of Windows I think of Menus and Folders. When I think of Mac I think of Apps and Documents. But I saw the preview of Windows 8 and it looks like they're really working on fixing that. I may switch back one day. But I don't think Mac is inherently better. Just different. I do think its more secure though. Simply because they're far more locked down in their hardware. Windows is designed to work with almost anything which leaves a lot more room for errors to exploit.

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39689701)

Oh man you're funny. Mac users having always looked down on window users.
Bitch slapping them with viruses, malware, trojans is going to bring them back to earth hopefully. ^_^

Re:Missing from summary (1)

Cinder6 (894572) | about 2 years ago | (#39689781)

And Windows users look down at Mac users. And Linux users look down at both (Windows users look at Linux users in bafflement, mostly). Everyone looks down at everyone else, if they view it as some sort of "war".

Re:Missing from summary (1)

Jeremi (14640) | about 2 years ago | (#39689785)

It's about time someone reminded them that Windows is far more secure, it's just targeted more.

... so using Windows is like living in the Green Zone in Baghdad? Sounds appealing!

Re:Missing from summary (-1, Flamebait)

rubycodez (864176) | about 2 years ago | (#39689789)

Windows is not more secure, it is in fact the least secure of all networked operating systems. The exploits are due to long known bad programming practices. Here we are talking about that bloated cruft known as Java weakening the far superior BSD OS that Mac uses, along with that cruft known as Flash. But Windows is rotten and insecure from the foundation up.

Re:Missing from summary (1)

buchner.johannes (1139593) | about 2 years ago | (#39688799)

Is that Java security hole that we heard about over the last weeks Mac-specific or cross-platform? Any reason to worry or to have our belief in Java security shattered? Or just a conspiracy of several factors in the Mac environment?

Re:Missing from summary (2, Informative)

Anonymous Coward | about 2 years ago | (#39689011)

Any reason to worry or to have our belief in Java security shattered?

Java has security?

Re:Missing from summary (5, Informative)

Anonymous Coward | about 2 years ago | (#39689129)

Is that Java security hole that we heard about over the last weeks Mac-specific or cross-platform? Any reason to worry or to have our belief in Java security shattered? Or just a conspiracy of several factors in the Mac environment?

The malware writers could in theory do the same thing to Linux distros. However the openjdk and java on Linux is essentially different in as much as the methods to run and install to a user home directory a downloaded .so the way this malware does cannot happen on Linux distros in as much as the user is the only one on Linux who can direct which binaries run from within a user profile at login.

I know this is a mouthful for those who do not understand, but I would highly recommend looking into how exactly this malware works. Here is how the default set-up of OS X can be subverted to install a binary to a hidden user directory without user permission or knowledge. Then it downloads a binary which is really smart that will try to get user permission to install system wide, and if it does not receive this permission it just does it to the ill-informed Mac user without permission. With Linux the system would not allow a .so to be loaded to a user /home directory and then set it to run at login. This is the problem with Mac security: there is also a huge hole in the way binaries can run from within a /home at login without permission!

Here is a run-down of how it works and why it will only work on Mac, because its method of infection does not require user interaction to install the payload to a user's home directory with Mac OS. However I have the feeling that this security nightmare will be addressed by the Apple coders simply by doing things the way most Linux distros do!

From a CNET article:

How does it work?

The Flashback malware injects code into applications (specifically Web browsers) that will be executed when they run, and which then send screenshots and other personal information to remote servers.

First step: Exploiting Java
When you encounter the malicious Web page containing the malware and have an unpatched version of Java running on your system, it will first execute a small Java applet that when run will break the Java security and write a small installer program to the user's account. The program is named something like .jupdate, .mkeeper, .flserv, .null or .rserv, and the period in front of it makes it appear hidden in the default Finder view.

In addition, the Java applet will write a launcher file named something like "com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist" or even "null.plist" to the current user's ~/Library/LaunchAgents/ folder, which will continually launch the .jupdate program whenever the user is logged in.

In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

  • /Library/Little Snitch
  • /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
  • /Applications/VirusBarrier X6.app
  • /Applications/iAntiVirus/iAntiVirus.app
  • /Applications/avast!.app
  • /Applications/ClamXav.app
  • /Applications/HTTPScoop.app
  • /Applications/Packet Peeper.app

If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

Second step: Downloading the payload
When the jupdate program executes, it will connect to a remote server and download a payload program that is the malware itself, and which consists of two components. The first is the main part of the malware that performs the capture and upload of personal information, and the second is a filter component that is used to prevent the malware from running unless specific programs like Web browsers are being used.

Third step: Infection
Once the malware and the filter are downloaded, the malware is run to infect the system. This is where users will see an alert about a software update and will be prompted to supply their passwords. Unfortunately at this point there is nothing to stop the infection, and whether or not a password is supplied only changes the mode of infection.

The root of the infection routine is based around hijacking configuration files in OS X that are read and executed when programs are run. One of these is called "Info.plist" located in the "Contents" folder within each OS X application package, and is read whenever that specific program is opened. The second is called "environment.plist" and is located within the user account in a hidden folder (~/.MacOSX/environment.plist), which can be used to launch parameters whenever any programs are opened by the user.

The first mode of infection is if a password is supplied, in which case the malware alters the Info.plist files in Safari and Firefox to run the malware whenever these programs are opened. This is the malware's preferred mode of infection, but if a password is not supplied, then the malware resorts to its second mode of infection, where it alters the "environment.plist" file. It then runs a downloaded .so from within a user profile whenever a user logs in.
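The persistence points the excerpt above names (a hidden installer in the home directory, a LaunchAgent plist that keeps relaunching it, and the per-user ~/.MacOSX/environment.plist) are all things a defender can check for without any special tooling. The script below is an added example written for this thread; it is not code from CNET, F-Secure or Apple. It takes the installer and launcher names straight from the excerpt, treats any LaunchAgent whose program is a hidden file under the home directory as suspicious, and flags DYLD_* variables in environment.plist (the excerpt does not name the variable; DYLD_INSERT_LIBRARIES is used here as the assumed one of interest). The home directory is a parameter so the scan can run against a constructed directory tree, which `build_constructed_home()` creates purely as test data.

```python
"""Flashback-style persistence check for a macOS user home directory (added example)."""
import os
import plistlib
import tempfile

# Installer and launcher names as quoted in the CNET excerpt.
INSTALLER_NAMES = {".jupdate", ".mkeeper", ".flserv", ".null", ".rserv"}
LAUNCHER_NAMES = {"com.java.update.plist", "com.adobe.reader.plist",
                  "com.adobe.flp.plist", "null.plist"}


def _read_plist(path):
    """Parse a plist; return None on missing or malformed input so the scan keeps going."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None


def scan_home(home):
    """Return a list of (indicator, path) findings for the given home directory."""
    findings = []
    home = os.path.abspath(home)

    # 1. Hidden installer dropped directly into the home directory.
    for name in sorted(os.listdir(home)):
        if name in INSTALLER_NAMES:
            findings.append(("hidden-installer", os.path.join(home, name)))

    # 2. LaunchAgents: one of the listed names, or any agent whose program
    #    is a hidden file inside the home directory (not just the listed names).
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    if os.path.isdir(agents_dir):
        for name in sorted(os.listdir(agents_dir)):
            path = os.path.join(agents_dir, name)
            if name in LAUNCHER_NAMES:
                findings.append(("known-launcher-name", path))
                continue
            plist = _read_plist(path)
            if not isinstance(plist, dict):
                continue
            args = plist.get("ProgramArguments") or []
            prog = plist.get("Program") or (args[0] if args else "")
            prog = os.path.abspath(str(prog)) if prog else ""
            if prog.startswith(home + os.sep) and os.path.basename(prog).startswith("."):
                findings.append(("launcher-runs-hidden-file", path))

    # 3. Per-user environment.plist injecting DYLD_* variables into every process
    #    started in the login session (assumed indicator; the excerpt names no key).
    env_plist = os.path.join(home, ".MacOSX", "environment.plist")
    env = _read_plist(env_plist)
    if isinstance(env, dict):
        for key in sorted(env):
            if key.startswith("DYLD_"):
                findings.append(("dyld-env-" + key, env_plist))
    return findings


def build_constructed_home(seed=True):
    """Create a throwaway home directory; with seed=True it carries constructed indicators."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    os.makedirs(os.path.join(home, ".MacOSX"))
    if not seed:
        return home
    # Constructed data: hidden installer, a launcher under an unlisted name that
    # points at it, a launcher with a listed name, a benign agent, and a DYLD entry.
    open(os.path.join(home, ".jupdate"), "wb").close()
    with open(os.path.join(agents, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "ProgramArguments": [os.path.join(home, ".jupdate")],
                       "RunAtLoad": True}, fh)
    with open(os.path.join(agents, "com.adobe.flp.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.adobe.flp", "ProgramArguments": ["/usr/bin/true"]}, fh)
    with open(os.path.join(agents, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, fh)
    with open(os.path.join(home, ".MacOSX", "environment.plist"), "wb") as fh:
        plistlib.dump({"DYLD_INSERT_LIBRARIES": os.path.join(home, ".jupdate.so")}, fh)
    return home


if __name__ == "__main__":
    for indicator, path in scan_home(build_constructed_home()):
        print(f"{indicator:28} {path}")
```

Run it against a real account with `scan_home(os.path.expanduser("~"))`; on the constructed tree it reports four findings (the hidden installer, the listed launcher name, the unlisted launcher pointing at a hidden file, and the DYLD entry) and leaves the benign agent alone. The second LaunchAgent rule matters more than the name list, since the excerpt itself says the names vary between samples.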

Re:Missing from summary (3, Interesting)

jedidiah (1196) | about 2 years ago | (#39689657)

The malware writers could in theory do the same thing to Linux distros. However the openjdk and java on Linux is essentially different in as much as the methods to run and install to a user home directory a downloaded .so the way this malware does cannot happen on Linux distros in as much as the user is the only one on Linux who can direct which binaries run from within a user profile at login.

If you are able to alter the user's files, then you can pretty much do anything you want with their account. The trick is just figuring out how to do so based what ever GUI they happen to be running. For Macs there just happens to be a single approach. There's no reason this approach couldn't be tailored to Linux and sort itself out with GNOME and KDE. If there's a similar autostart mechanism, then the virus can just manipulate that.

At the very least, it could install itself at the end of .login or .bashrc.

Re:Missing from summary (3, Informative)

SiMac (409541) | about 2 years ago | (#39689699)

I'm not sure what you're talking about here. If you have access to a user's account, you can set a binary to run when a user logs in on Linux without administrator privileges. You can call gksudo to put up a dialog asking for administrative privileges so you can modify other users' files as well, or just put up the dialog yourself and hope the user enters their password. This is exactly the same level of security as on OS X. If there's a reason this doesn't work on Linux, you have not communicated it.

It's unclear to me where the .so comes in, as opposed to a regular binary, but you are aware that you can set LD_PRELOAD and LD_LIBRARY_PATH to whatever you want, right?

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39689753)

Putting an @reboot entry in the user's crontab would start anything you want when the machine boots, without the user even logging in.

Re:Missing from summary (4, Insightful)

dr2chase (653338) | about 2 years ago | (#39689143)

It WAS cross-platform (in theory). Apple was slow to release a patch, everyone else (who was up to the latest rev of Java) is fine, because non-Apple Java had a patch for this before the Trojans were deployed.

Java has a better in-theory story than most things exposed to the web because it is (by design) invulnerable to buffer overruns. In practice, however, it uses native libraries for some important stuff, and those have the buffer overrun problem. I don't know the details of this bug, however. I find the seemingly neverending stream of vulnerabilities in everything to be more than a little depressing.

Re:Missing from summary (2)

ninetyninebottles (2174630) | about 2 years ago | (#39689163)

Is that Java security hole that we heard about over the last weeks Mac-specific or cross-platform? Any reason to worry or to have our belief in Java security shattered?

It was cross platform. Oracle seems to have fixed it in the Windows version of Java quite a while ago, then more recently in the Mac version, although that last point seems to be a matter of contention between Apple and Oracle.

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39688833)

Yeah, seems Macs have now gained the interest of the bad boys. There may come a time when we'll see that the security of Windows isn't worse than anything else out there; so far they have just been the only one interesting enough to be fired at from all sides by "millions" of bad guys.

Re:Missing from summary (4, Insightful)

pushing-robot (1037830) | about 2 years ago | (#39688863)

But it looks like the good times are over.

At least until you remove Java (and preferably Flash and Acrobat Reader), or set plugins to click-to-run, or they finally implement signed apps and sandboxing (which Apple keeps delaying since developers keep screaming about it).

It's ridiculous that all browsers don't require you to approve plugins, at least on a per-site level, but it's true there are still quite a few sites out there that break in strange ways if some hidden java or flash element fails to load. Still, I'd rather live with that than trust my computers' security to Adobe and Oracle.

Re:Missing from summary (-1)

Anonymous Coward | about 2 years ago | (#39689017)

At least until you remove Java (and preferably Flash and Acrobat Reader)

Java has always been a joke.

Re:Missing from summary (1)

H0p313ss (811249) | about 2 years ago | (#39689141)

Java has always been a joke.

I would certainly agree that applets have always been a joke:

  • Virus magnets/security nightmare
  • Rarely worked as designed
  • Rarely worked with default configurations
  • Rarely worked with the JVM that people had installed

Yes there are exceptions, but I'm yet to see an applet that customers were deliriously happy about. Usually the exact opposite.

Re:Missing from summary (5, Funny)

Centurix (249778) | about 2 years ago | (#39689567)

Two ints and a float are in a bar. They spot an attractive double on her own.
The first int walks up to her. “Hey, baby”, he says, “my VM or yours”. She slaps him and he walks back dejected.
The second int walks over. “Hey, cute-stuff, can I lick your Bean?”. After a quick slapping, he too walks back.
The float then ambles over casually. “Were those two primitive types bothering you?”, he remarks.
“Yes. I’m so glad you’re here”, she says. “They just had no Class!”

Borrowed from somewhere else...

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39689209)

or set plugins to click-to-run

Unfortunately that doesn't help for Java applets due to a webkit limitation [webkit.org] .

Re:Missing from summary (1)

Anonymous Coward | about 2 years ago | (#39689249)

Honestly and without asbestos, are you kidding? I only mean that the typical Mac (or any computer) user is in no way competent to approve plugins. That would change nothing.

It's why they bought a Mac -- they want savvy people making good choices for them.

(Necessary humbling disclaimer -- I run Ubuntu mostly because I can sit back and let Canonical take care of things. I started in 1978 with the PET; I'm not much interested in staying ahead of the gory details anymore. I've got to admit my daily attitude isn't too different from Mac users.)

Re:Missing from summary (3, Informative)

Billly Gates (198444) | about 2 years ago | (#39689311)

I have said this before here and will say this again.

For the Tech Support pros reading this:
1. Use FoxitPDF or Sumatra PDF. They will at least prompt you before blindly opening a PDF from a website and executing it in no sandbox with full javascript unlike Adobe Reader.
2. If you must support Java for corporate users create a GPO that enforces Java in Intranet only! No internet zone java if you must use crappy Kronos or ADP apps. If the users need Java in IE for an external site add it to a special custom security zone.
3. Use Chrome. It has its own PDF reader, does not support Java, and updates flash automatically without user interaction.
4. Use Flashblock and keep it for sites like Pandora or youtube if you support home users or need training sessions in youtube for work.
5. Use antivirus software. They are getting much better and no longer slow your whole computer down so much. Even the latest Norton is as light as MSE which is shocking! If you are one of the smirk users who are proud that you are virus free I have to say you're an idiot and infected. How? Last week malware was hosted right here on slashdot in an ad! If you came to slashdot last weekend or before you are infected. Avast! and MSE are both free and pretty decent and only add a few seconds more of boot time.

Java is not going away and neither is flash nor pdfs. Follow the above steps and you take care of 85% of all security issues unless you run unpatched Windows. I use Java for Eclipse and have Java disabled in all my browsers. Disable it in IE even if you do not use it. Some exploits may call to IE helper objects to execute so it's a good idea anyway.

If you do IT and do not follow all of these procedures you are lazy, and so many are, as many get constant support calls for fake virus scans and slow computers through constant infection from running unpatched old versions of flash, java, and Windows. If you must run insecure old java then do it right and disable it from all sites except Kronos and ADP. That is it! Your infections will drop to near zero.

Re:Missing from summary (1)

JDG1980 (2438906) | about 2 years ago | (#39689619)

Java is not going away and neither is flash nor pdfs.

One of these things is not like the others.

PDFs and Flash objects are an integral part of modern Web browsing. Java is not. If you tried browsing with no Flash plugin or PDF viewer, you'd quickly run across a bunch of sites where you got a severely degraded experience and/or couldn't view the content. But I haven't had a Java plugin installed on my PC for years, and guess how many sites I've run across that need one? Zero. Not a single one. The only reason you need Java in your browser is if you are using one of the poorly-written business sites that still requires it. In that case, it should at least be possible to whitelist Java to only those specific sites. Or you could use IE+Java for only work related websites, and Firefox Portable or Chrome for all your other web browsing.

If you're a home user, there is no reason to ever install Java at all. It's nothing but a needless security risk.

Re:Missing from summary (1)

Billly Gates (198444) | about 2 years ago | (#39689747)

If you're a home user Chrome will take care of a lot of that.

Unfortunately, Java is needed at work and some people who run Eclipse as my example also enabled Java in FF and IE without knowing it. I always remember to backtrack to disable it. Java applets are dead yes, but java client software is not. Both Netbeans and Eclipse are good products for those who want a free IDE that is not crippled unlike VS express editions, and that are multiplatform. They are java based as much as I hate Oracle, unfortunately. Worse, if you use Android or Google APIs you will be stuck with Java 6 as they are not compatible with Java 7, which is more secure. Oracle needs to give up JavaFX and install java just as a JRE without browser support unless the user wants it.

My other gripe was about corporate users whose IT departments just install java without a GPO to restrict for whitelists. They use Java for old software because businesses still use IE 6 and need flash/java so they do not look like crap. Java should be intranet or whitelist only and I have never seen a single business EVER set it up that way.

Most IT administrators are lazy or do not know that it's insecure to enable it sitewide on all sites. Flash too is bad at work and I wish you could set up IE to use flash for only youtube training videos like you can with Java applets. Flash is problematic as well. IT is too busy to keep track and update all of these plugins so they are almost always waaay out of date.

For Mac users it's time to get a good anti virus product. Avast is going beta for it and hopefully will have a free version. Adobe products are insecure but at least if you go to www.filehippo.com you can get Foxit if you must view pdfs. I am a fan of it and it eliminates another vector. Thankfully mac users have their own pdf viewer.

Re:Missing from summary (1)

rubycodez (864176) | about 2 years ago | (#39689815)

You can call it severely degraded, I call it more usable without unnecessary cruft. Java and Flash are doomed, for similar reasons.

Re:Missing from summary (1)

nashv (1479253) | about 2 years ago | (#39689331)

A lot of things look ridiculous in hindsight. It's all a work in progress, always will be.

Re:Missing from summary (1)

am 2k (217885) | about 2 years ago | (#39689347)

At least until [...] they finally implement signed apps and sandboxing (which Apple keeps delaying since developers keep screaming about it).

No, sandboxing is there and working fine (actually too fine, that's why the devs keep screaming), it's just not mandatory for apps in the MAS yet. You can enable a sandbox column in the activity monitor to check which apps are already using it.

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39689297)

As of Lion, Macs do not come installed with Java. So its a non issue.

Re:Missing from summary (0)

Anonymous Coward | about 2 years ago | (#39689787)

When 0-day exploits are found in the pdf subsystem is Apple going to nuke pdf from OS X?
The correct strategy is to patch things on time automatically (like windows) or make sure the idiots using Macs actually patch the fucking software they use.
See, it's not difficult at all.

The fault for compromised Macs is 100% with Apple since they don't give a crap about updating critical software their users employ. And Java is critical, many many banking websites require Java. What are you going to do ? Apple needs to learn how to secure things and should take inspiration from yeah Microsoft.

flashback to first post (-1)

Anonymous Coward | about 2 years ago | (#39688751)

First post!!

Contradiction (2)

Hercules Peanut (540188) | about 2 years ago | (#39688777)

I understand the purpose and value of malware protection but from the article we first read:

The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products.

then

This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"

Re:Contradiction (5, Informative)

ninetyninebottles (2174630) | about 2 years ago | (#39688919)

This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"

It is trying to hide its similarity to other malware so that a new signature is needed to detect this specific variant. So while anti-virus programs may not detect this now, within a few days they probably will, at least until there is yet another variant. Apple is, of course, including their own signatures right in the OS so that makes antivirus less attractive as well, although Apple's response time has been hit and miss.

Re:Contradiction (2)

Billly Gates (198444) | about 2 years ago | (#39689361)

A good anti virus software package will look for apps with strange behaviors and sandbox or block them.

For shits and kicks, a weird download happened automatically from the PirateBay yesterday. I ran it through a VirtualBox and even though Avast! did not pick up the malware signature it did flag it and immediately sandboxed it as it said its behavior was typical of trojans and malware. I was impressed.

I know some slashdotters with very outdated 1990s knowledge think you are fine without any anti virus package as long as you do not click attachments; they are in for a rude awakening. Even slashdot hosted malware in an ad about 2 weekends ago!

Anyway Norton is available for macs and Avast has a beta for iOS and MacOSX. I would recommend any mac user to use either one. You need more than a scanner to remain secure today and no platform that can execute data and use ram can ever be secure.

Re:Contradiction (0)

Anonymous Coward | about 2 years ago | (#39689665)

Don't use shitty browsers. Disable scripts. I scan for viruses every so often, but have no constant protection from them. Of course, this computer has nothing of value on it. On the ones that do, I protect them further, of course.

But seriously, despite me using this computer all the time, I haven't gotten a virus in years.

Remotely controlled first post (0)

Anonymous Coward | about 2 years ago | (#39688831)

Sent from my MAC Mini

Apple Culture (5, Interesting)

ninetyninebottles (2174630) | about 2 years ago | (#39688847)

I hope the recent rash of malware for the Mac will serve to change the culture of security at Apple. They have a lot of really good technology in that regard and many very good coders who work with security as a priority (they have a lot of old-school UNIX guys these days). The problem is, it is not a priority for Apple or part of their culture. Some Apple software ships with what looks like no security review at all and no real consideration, while other software clearly was architected with that as a design goal.

They have some very nice sandboxing, but they don't apply it very widely within OS X, even when there is no pain to the user or developer. It is like they just don't want to spend money and resources on that sort of hardening. You send a security hole to Apple and sometimes you hear back the next day and it is fixed in short order. Other times you hear nothing or malware is known and spreading for weeks before Apple bothers to issue a filtering signature.

Hey Apple! Wake up and smell the coffee. Dump some of your cash reserves into expanding work in security and having some experts paying attention and getting things done. "Think Different" about security and listen to the people you already have that have created groundbreaking security systems elsewhere.

Re:Apple Culture (1)

Anonymous Coward | about 2 years ago | (#39688977)

You know, a paranoid man would say this is an Apple conspiracy to push the Mac community toward the walled garden approach that their iOS devices are stuck in. Imagine if in OS X 10.9 you cannot install any third-party applications unless they come digitally signed from the Mac App Store. Want to run your own open source code? You need a $99/year "developer" license and digital certificate to compile and sign your binaries.

I know, it's a stretch, but I never thought it would happen on their mobile devices either. We went from a culture of anyone can develop and install apps on your device (PalmOS, Windows Mobile, etc.) to the locked-down walled garden of iOS.

Re:Apple Culture (1, Troll)

ninetyninebottles (2174630) | about 2 years ago | (#39689233)

You know, a paranoid man would say this is an Apple conspiracy to push the Mac community toward the walled garden approach that their iOS devices are stuck in. Imagine if in OS X 10.9 you cannot install any third-party applications unless they come digitally signed from the Mac App Store.

Why? Why would Apple want to do this, aside from some insane take over the world theory? They are certainly pushing for signed applications running in nice sandboxes and they're using the Mac store as one way to do it, but why would they want to disable other applications entirely? The whole corporate development market, the software developer market for both iOS and MacOS would be horribly inconvenienced potentially to the point of walking away from the platform. Legacy software would prevent huge numbers of users from ever upgrading. I could go on listing reasons why Apple wouldn't want to do this, but I still haven't heard one good reason why they would want to do this. Apple doesn't make money on the iOS app store, nor really on the Mac app store. Where's the motive?

I know, it's a stretch, but I never thought it would happen on their mobile devices either.

On mobile devices they got to start fresh and they had a huge problem to solve... battery life. Phones live or die in the market based on battery life and user perception thereof. Locking down software on iOS was primarily about preventing apps that did not use battery efficient threading, push notifications, and system services so that users would be happy about their battery usage. Google is still trying to crack that nut and if you ever get a chance to talk to their devs, they know it.

Re:Apple Culture (1)

wmbetts (1306001) | about 2 years ago | (#39689643)

If they ever did that I'd stop buying Apple computers. I buy them because it's a UNIX OS that has native applications I want to run. If they start doing that I'll go back to Linux and dual booting Windows for those applications. I doubt I'm the only person that would stop buying them either.

Here we go... (1, Flamebait)

cffrost (885375) | about 2 years ago | (#39688871)

Cue the corporation-worshiping consumers willing to abandon human dignity in defense of a non-living multinational corporate person.

Re:Here we go... (0)

Anonymous Coward | about 2 years ago | (#39689101)

Cue the "comedy".

Re:Here we go... (0)

Anonymous Coward | about 2 years ago | (#39689483)

Cue the high-horses and hypocrisy.

Re:Here we go... (1, Troll)

rolfwind (528248) | about 2 years ago | (#39689759)

Hey, I agree, I would never worship a non-living multinational-corporation.

Apple has been going downhill ever since Jobs died. While He was around, He would never have allowed this to happen.

Disable Java (2)

sqrt(2) (786011) | about 2 years ago | (#39688909)

Unless you know you need Java, disable it. Also, install something like Noscript for whatever browser you use. You'll be safe then, at least against the types of attacks we've been seeing.

I don't recall there ever being a self-replicating worm for a *nix platform that could infect you just by being unpatched and connected to the network; please correct me if I'm wrong. You have to actually navigate to an infected site for these trojans to get you.

Re:Disable Java (0)

Anonymous Coward | about 2 years ago | (#39688999)

http://en.wikipedia.org/wiki/Morris_worm

Re:Disable Java (1)

Anonymous Coward | about 2 years ago | (#39689067)

Or, use Firefox nightlies. They have a form of noscript available, which will be later on enabled by default for all.

Re:Disable Java (0, Flamebait)

Anonymous Coward | about 2 years ago | (#39689087)

Unless you know you need Java, disable it.

No one NEEDS Java.

Re:Disable Java (1, Interesting)

H0p313ss (811249) | about 2 years ago | (#39689151)

No one NEEDS Java enabled in a web browser in 2012

Corrected that for you.

Re:Disable Java (1)

Billly Gates (198444) | about 2 years ago | (#39689413)

People do need Java.

Any Computer Science student typically learns Java. Eclipse is huge and so are Aptana, BitTorrent clients (forgot the popular one written in Java), and corporations use banking, Kronos, and ADP sites that use Java applets to make up for the fact they use IE 6 still. Java is another crappy workaround, just like Flash, to give a false sense of modern browsing with graphical effects.

However, even Slashdot nerds never once think about disabling Java in their browsers. I see this at work too when they complain their users are keeping them busy cleaning infections on a daily basis. Disable Java in all web browsers except through a whitelist via a GPO, duh!

I agree the Java applet HTML tag was deprecated in 1999. It died on the web browser front many, many years ago. IT and all of us need a refresher that you can still use Java and just not use it in the browser. Chrome doesn't even support it.

"Trojan Requires No User Interaction" (0)

Anonymous Coward | about 2 years ago | (#39689039)

So... rape condom?

Market share (3, Insightful)

devleopard (317515) | about 2 years ago | (#39689073)

This is inevitable, and will continue. OS X has gone from 2% to an estimated 14% market share since 2003 [wikipedia.org]

Android has something like a 47% share in the smartphone space... and there's a report of malware weekly.

I think it's fair to say that it's easier to find a hole (ugh, here comes the 12 year-old humor) than to imagine all the ways people might come up with. You simply need a large enough target to make it worth their while.

Re:Market share (4, Insightful)

ModernGeek (601932) | about 2 years ago | (#39689487)

Mac OS 9 had a smaller install base than current Mac OS X and was constantly riddled with viruses. I don't think that market share alone determines whether or not something ends up riddled with viruses. That being said, Apple has been particularly lax about security these last three years.

Rubbish names. (5, Funny)

mr_lizard13 (882373) | about 2 years ago | (#39689103)

Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'

Those names are very un-Apple. How about just 'iTrojan'.

Or, to avoid confusion with the previous trojan...

'The New iTrojan.'

Re:Rubbish names. (-1)

Anonymous Coward | about 2 years ago | (#39689161)

Rubbish Troll, Rubbish attempt at humour

Re:Rubbish names. (-1)

Anonymous Coward | about 2 years ago | (#39689533)

Awww, looks like some Apple cum guzzler got their feelings hurt....... poooooooor baby

Re:Rubbish names. (-1)

Anonymous Coward | about 2 years ago | (#39689547)

Awwww, looks like some eight year old logged in on dad's Winbox and had to post something "funny" bashing Apple.

BotOxAss-A (1)

G3ckoG33k (647276) | about 2 years ago | (#39689127)

"Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'"

G3ckoG33k calls it BotOxAss-A.

Funny pattern (0)

Anonymous Coward | about 2 years ago | (#39689175)

The only companies finding these "trojans" are RUSSIAN.

And BTW, Kaspersky is known for creating viruses, releasing them and then claiming to be the best at finding them.

My semi-regular Mac accounts post (4, Informative)

93 Escort Wagon (326346) | about 2 years ago | (#39689199)

Mac users need to stop running their day-to-day stuff under Administrator accounts. Create a new account (if your account is "joe", call this new one "joe_admin"); give it admin permissions; make sure you can log in with it; then (and ONLY then!) remove the admin permissions from your personal account. And then... keep using the same account you've always been using.

On those rare occasions you need to use admin permissions - such as when you are installing software - you'll be prompted to authenticate as an admin, just like you already are. The only difference is you'll need to type that new admin account's name ("joe_admin") into the authentication window rather than use your own account. It's brain-dead simple.

The reason for this (in case you're saying "but the Mac already warns you to authenticate, why bother?") is, when your account is an admin account, you're in the "admin" group (duh). The "admin" group has write permissions into the /Applications and /Library folders. All a bad guy needs to do to get around those authentication warnings is to invoke a bash script (or Applescript or whatever) that makes the necessary changes outside of the GUI.

If you're not running as an admin, a malicious script can still theoretically mess with your personal files and folders; but not the system-level ones.
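The check behind the post's advice, as an added example that is not part of the original comment: it decides whether an account could write a directory silently through group permissions alone, the mechanism described above for the "admin" group and /Applications or /Library. Inputs are passed as strings (constructed sample values below) so the logic runs anywhere; on a Mac you would feed it the live output of `id -Gn` and `ls -ld DIR`.

```shell
#!/bin/sh
# Added example (not from the post above). Decides whether an account can
# write a directory without an authentication prompt, purely through the
# group write bit and group membership.

# can_write_via_group GROUPS MODE DIRGROUP
#   GROUPS   space-separated group names, as printed by `id -Gn`
#   MODE     10-character mode string such as drwxrwxr-x (an "@" suffix is fine)
#   DIRGROUP group owning the directory
# Returns 0 when the group write bit is set and the account is in that group.
can_write_via_group() {
    glist="$1"; mode="$2"; dirgroup="$3"
    # character 6 of the mode string is the group write bit
    group_w=$(printf '%s' "$mode" | cut -c6)
    [ "$group_w" = "w" ] || return 1
    for g in $glist; do
        [ "$g" = "$dirgroup" ] && return 0
    done
    return 1
}

# check_ls_line GROUPS LS_LINE
#   LS_LINE is one line of `ls -ld DIR` output: field 1 is the mode, field 4
#   the owning group, the last field the path. Prints a verdict; returns 0
#   when the account could write the directory silently, 1 otherwise.
check_ls_line() {
    glist="$1"; line="$2"
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    dirgroup=$(printf '%s\n' "$line" | awk '{print $4}')
    dir=$(printf '%s\n' "$line" | awk '{print $NF}')
    if can_write_via_group "$glist" "$mode" "$dirgroup"; then
        printf '%s: writable without a prompt (group %s, mode %s)\n' \
            "$dir" "$dirgroup" "$mode"
        return 0
    fi
    printf '%s: write requires authentication (group %s, mode %s)\n' \
        "$dir" "$dirgroup" "$mode"
    return 1
}

# Constructed sample values, not taken from a real machine: the group list of
# an admin account, of a standard account, and an ls -ld line for
# /Applications with the root:admin ownership the post describes.
ADMIN_GROUPS="staff admin everyone"
USER_GROUPS="staff everyone"
APPS_LINE="drwxrwxr-x 60 root admin 2040 Apr 13 2012 /Applications"

check_ls_line "$ADMIN_GROUPS" "$APPS_LINE" || true   # admin: silent write
check_ls_line "$USER_GROUPS"  "$APPS_LINE" || true   # standard user: prompt
```

On a real Mac the same verdict comes from `check_ls_line "$(id -Gn)" "$(ls -ld /Applications)"`; a standard account should get the "requires authentication" line.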

Re:My semi-regular Mac accounts post (2)

Billly Gates (198444) | about 2 years ago | (#39689449)

This can be installed with just a user account too. It's a memory corruption bug, so it simply injects itself into processes already running as admin through local privileges. However, the last malware would still run under a user account, but the malware could be easily deleted by deleting the account. Still, with more code it can infect key system files.

User privileges only add another step and are not foolproof.

Re:My semi-regular Mac accounts post (1)

wmbetts (1306001) | about 2 years ago | (#39689537)

The only stuff you have access to in either directory is your own stuff. I can't write to anything else even via the command line. I can't access /etc/master.passwd or any other sensitive file unless I use sudo. I might be wrong, but I think OS X more or less uses the same security model as Linux.

Those idiots at Microsoft (-1)

Anonymous Coward | about 2 years ago | (#39689235)

If they hadn't written this crappy code and had used *nix instead, this wouldn't have happened.

Re:Those idiots at Microsoft (2, Informative)

sqrt(2) (786011) | about 2 years ago | (#39689279)

This is a flaw in Java, which isn't an Apple or "Unix" product. Apple is only responsible for it insofar that they bundle Java with their OS, which is going to end with their next major release of OS X.

Just be sure not to panic & delete the wrong f (5, Informative)

Kenja (541830) | about 2 years ago | (#39689265)

You are looking for com.apple.PubSabAgent.pfile & com.apple.PubSabAGent.plist and NOT com.PubSubAgent.plist or com.PubSubAgent.pfile.

Re:Just be sure not to panic & delete the wron (0)

Anonymous Coward | about 2 years ago | (#39689621)

Yes, note the capital 'G' in the trojan plist file. Also, be sure to look in /Library/Preferences, and not /Users//Library/Preferences where there is a legitimate file called com.apple.PubSubAgent.plist (without the capital G).

The correct place to look for the trojan shouldn't have more than about 30 plist files listed. If there are several screens full of plist files, (I have 120+ on my OS 10.5.8 Mac) you're probably looking in the wrong place.
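A read-only check for the files the two comments above name, as an added example that is not from either commenter: it scans a directory (on a Mac, /Library/Preferences, not the per-user one) for the trojan's file names and reports Apple's legitimate com.apple.PubSubAgent.plist separately so it is not deleted by mistake. The demo runs on a constructed temporary directory; the filesystem case-insensitivity note in the comments is an assumption about the default Mac setup.

```shell
#!/bin/sh
# Added example (not from the comments above): lists the SabPub preference
# files named in the thread and tells them apart from Apple's own
# PubSubAgent plist. It only reads and reports; it deletes nothing.

# File names quoted in the thread for the trojan (note "Sab", not "Sub").
TROJAN_NAMES="com.apple.PubSabAgent.pfile com.apple.PubSabAGent.plist"
# Apple's legitimate file, normally found under a user's ~/Library/Preferences.
LEGIT_NAME="com.apple.PubSubAgent.plist"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# find_sabpub_prefs DIR
#   Prints "SUSPECT <path>" for each trojan-named file in DIR and
#   "LEGIT   <path>" for the real PubSubAgent plist. Returns 0 if at least
#   one suspect file was found, 1 otherwise.
#   Names are compared case-insensitively: the default Mac filesystem is
#   case-insensitive (assumption), so capitalisation on disk may vary.
find_sabpub_prefs() {
    dir="$1"; found=1
    [ -d "$dir" ] || { printf 'no such directory: %s\n' "$dir" >&2; return 1; }
    for path in "$dir"/*; do
        [ -e "$path" ] || continue        # empty directory: glob did not expand
        lname=$(lower "$(basename "$path")")
        if [ "$lname" = "$(lower "$LEGIT_NAME")" ]; then
            printf 'LEGIT   %s\n' "$path"
            continue
        fi
        for t in $TROJAN_NAMES; do
            if [ "$lname" = "$(lower "$t")" ]; then
                printf 'SUSPECT %s\n' "$path"
                found=0
            fi
        done
    done
    return $found
}

# Stand-alone demo on a constructed temporary directory (no system files are
# touched): empty files named like the thread's indicators plus an unrelated one.
demo_dir=$(mktemp -d)
touch "$demo_dir/com.apple.PubSubAgent.plist" \
      "$demo_dir/com.apple.PubSabAGent.plist" \
      "$demo_dir/com.apple.finder.plist"
find_sabpub_prefs "$demo_dir" || true
rm -rf "$demo_dir"
# On a Mac:  find_sabpub_prefs /Library/Preferences
```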

Sorry, this can't possibly be true. (-1, Flamebait)

rudy_wayne (414635) | about 2 years ago | (#39689285)

There are no viruses / trojans that affect Macs

Even if there were, it wouldn't matter because Macs are immune due to their inherent superiority.

After all, the Mac fanboys have been telling us this for more than 10 years now. They couldn't possibly be wrong.

I surf using a linux VM hosted on OS X (1)

koan (80826) | about 2 years ago | (#39689557)

Not perfect, but less likely to be exploited and get to my host machine. I don't do much on OS X any more; I moved all the video editing and audio DAW to Win7 because I can build my own boxes to my spec that way.
Hello to my fav NT4 machine at 31 jing-ring street Beijing!

Well, I just disabled my Java plugin (2)

gman003 (1693318) | about 2 years ago | (#39689585)

Guess it's time to start treating my Mac computers the same way I treat my Windows computers - in need of extra care and protection against external attacks.

And so I've just disabled my Java and Quicktime plugins. Java because that's where all the current attacks are focused (and I never use it anyways), Quicktime because I never use it, either, and a smaller attack area is always good. I still visit enough sites that I need Flash enabled, but that's currently my only plugin (and protected by some heavy blocking rules).

I'll also be much more strict about keeping everything up-to-date, and all the other basic security practices.

Next, guess I need a basic virus-scanner. The only GPL one I see is Clam, which, last time I used it, was completely ineffective at stopping viruses. The one I use on Windows, MSE, is naturally not available on the Mac. So, any suggestions?

Java sucks (2, Insightful)

JDG1980 (2438906) | about 2 years ago | (#39689673)

A large part of the blame for this rests on Sun/Oracle's idiotic decision to install the browser plugin by default when the Java runtime is installed.

Most users don't need Java at all. Of those who do, a majority of them don't need it in the browser. And of those who do need it in the browser, they only need it for a small handful of websites, not any and every site on the entire WWW. What should happen is that Java installs by default for desktop applications only with no browser plugin. If the browser plugin IS enabled, then by default it should work only on explicitly whitelisted sites or domains, not everywhere. Of course, there should be methods for system administrators to roll out custom whitelist configurations to users in bulk. But apparently no one at Oracle has heard of the principle of least privilege [wikipedia.org], so we get crap like this every couple of months.

If you have Java, please reevaluate whether or not you really need it. If you do need it, but only for desktop apps (and/or development) and not for browser based apps, then remove the browser plugin. There are virtually no legitimate public websites that use Java, but a lot of malware that exploits the plugin for evil purposes.
