“A little over two weeks have passed since the appearance of MAC Defender, the fake AV solution targeting Mac users. And seeing that the approach had considerable success, it can hardly come as a surprise that attackers chose to replicate it. This time, the name of the rogue AV is Mac Protector, and the downloaded Trojan contains two additional packages. As with MAC Defender, the application requires root privileges to get installed, so the user is asked to enter the password.”
See, this is exactly why every Mac user that brags about the fact that “they don’t have to worry about viruses” makes me want to reach out and give them a hard slap in the face.
(Note that I’m not saying ALL Mac users; I’m sure there are a substantial portion that have a healthy and informed knowledge of computer security)
The ONLY thing that makes OS X less prone to attack is disinterest from malware creators. Looks like that era might be fading.
Not particularly.
These equivalent programs get installed in Windows without the “root” privileges.
This means that privilege separation in Windows is just Palin broken and has been since they broke Ring 0.
If these users automatically put in the password when they don’t know what in hell they are installing in the first place… then this is not a real problem with the OS design, but with the person operating the machine.
Someone installing a program outright in OS X regardless of its supposed or real intent does not constitute an OS design flaw.
That’s really broken. I guess the only thing worse is Sony broken.
Actually, according to most security researchers, from a technical standpoint, Macs are more vulnerable than Windows. Apple has been pretty lax on security. Safari, for example, has more security issues than IE does. It’s easier to root a Mac than it is to root Windows. The first commenter is correct. The only reason we don’t see more widespread Mac infections is because it’s not a high profile enough target.
And yet most of the holes aren’t related to Apple software, but Adobe’s piles of crap that are forced upon the computing world.
Size of target has nothing to do with value of target.
And before you cite the pwn2own contests, look again at what hoops they make them go through on the Mac to open up an attack vector and that the Mac has a far higher resale value than the generic PCs they put up. Maybe if they offered something of value, like a decent Toughbook or maybe something from Sager/Clevo or BoxxTech you’d see a change in what was targeted first.
eh… That’s not how it works. The first person to root any of the systems get to pick whatever system they want to keep. So no, resale value has nothing to do with which one gets targeted first.
Only if running as administrator.
Show me a Windows machine properly up to date, with a user running with a limited account, where he can install such applications?
They get installed as the current user if you are not an administrator, just delete the account, and you are good to go, just like in Unix.
It’s only when you are running as admin do they get access to the entire machine.
Whatever makes you feel better, these “viruses” require you to purposefully download them and give them root privileges.
Mac users still don’t have to care as per the usual since they can only get pwnt if they do something obscenely retarded unlike other OSs that will remain unnamed that might as well come preloaded with viruses since it already comes with preloaded malware 90% of the time anyways.
Visualize this: I’m playing a tiny violin for you M$ devoted folks.
As mentioned by others…this virus still relies on the Mac owner to be running Safari with auto-open safe files enabled.
Guess what…in Chrome for Mac, the file just downloads. Which means now I have the source for this wanna be virus. And now, because I have forwarded that downloaded zip file, all of the anti-virus companies and researchers also have it.
So .. until the hackers can figure out how to trick Mac users beyond a simple download and hope that the user will not only open the file, but run it, and give admin privileges – Mac virus impacts are still a long way off in comparison. Oh, I am sure there will be at least one, but comparatively, Mac users are more savvy and don’t tend to get caught up in dumb phishing or fake AV traps.
On a side note…closing whatever browser you are running stops the Fake AV from running and moving to the download phase.
Jeff
Until about two years ago, it was possible to use DNS cache poisoning to trick a Mac into downloading malicious software updates from a bogus update server. Apple’s update mechanism didn’t properly verify the authenticity of the server it contacted for updates. Apple knew about this vulnerability for years, and did nothing to fix it until it was widely publicized and became very easy to do using a plugin for metasploit.
Also, a couple of years ago, there was a critical vulnerability in Java that allowed applets to break out of the sandbox. Apple didn’t patch this vulnerability in their JVM until 8 months after Sun had announced it and patched their own JVM.
So there have been at least two cases in the past that I know of just off the top of my head where it has been possible to target Macs without tricking the user into running an application. One vulnerability was left open for years after it should have been closed. The other was left open for 8 months longer than it should have been.
Are they, now? Hmph, I had no idea, must’ve missed that memo.
Please pass along the study or studies this information was uncovered, as I would greatly enjoy reading them. Hopefully my tiny pea-brain of a non-Mac user will be able to comprehend it. If I’m lucky, they’ll have pretty, colorful pie charts of “savviness”.
Actually, according to more than one security research firm, Mac users are MORE likely to fall for phishing traps than Windows users are. The reason is because Windows users are well aware of these threats and that they need to watch out for them. Mac users, on the other hand, have largely bought into the Apple propaganda and such that their systems are immune from vulnerabilities. And the average Mac user lumps phishing traps right in with viruses and malware, believing their Macs to be immune to phishing traps.
So basically, the average Mac user is more likely to fall for a phishing trap because the average Mac user doesn’t even know what a phishing trap is. Hardly what I would call more technically savvy than Windows users.
It also doesn’t help that Safari and Apple’s Mail.app are about the worst on the market when it comes to detecting phishing traps and providing the users with any kind of warning if something looks suspicious. So Mac users just go along fat, dumb, and happy, unaware of the threats to their systems. And because of that, they are more likely to fall for those threats.
Edited 2011-05-20 14:10 UTC
Sent from my iPad
EDIT: Dammit! Where can I download Mac Defender, I think I’m infected?
I can’t get excited about a “virus” that requires you to enter the administrator password to install. If you download stuff from web pages, and enter the root/administrator password when it wants to install, there is no good protection for you. And that is true on Windows, Linux, Mac, BSD, etc.
As Forrest’s momma used to say, “Stupid is as stupid does.”
At the risk of getting annoying with my sandbox advocacy… How exactly are you supposed to know *why* some piece of software requires admin rights before installing and running it, on nowadays’ desktop OSs?
In my book: If the program does not tell you why… it doesn’t get installed.
Then, if you don’t understand what you are granting, you shouldn’t be allowing anyway.
Social engineering in these problems is the largest problem.
The key is – did I download something on purpose and CHOOSE to install. Then I will grant it privilege. If you don’t know why something is asking for your password, just say no. If you are unsure, say no. Only say yes when YOU have chosen to install something. Even with Windows update, I have it set to notify me when updates are ready, I review the updates, and only then do I CHOOSE to install them. When it asks for my permission, I know why.
The bottom line is, when you don’t know why something is asking for permission, just say no. It was good enough for Nancy, it’s good enough for me.
On current OSes it’s not easy, I admit that, but if someone wrote a completely new OS they could separate every API in use to two categories: privileged and non-privileged. Even file system access would have to be separated for it to be effective, and so if your application used e.g. PrivFileOpen(“somefile.txt”) instead of FileOpen(“somefile.txt”) the system would immediately notify about it and halt execution.
Similarly, executables would have to list in the executable file every function call they use (excluding parameters though) so that if the application tries to use a function call not specified it would again get halted.
Then at installation time OS would present the user with what permissions the application is asking for, ie. what privileged functionality or data it wants access to, and a short explanation of what each item might entail and possibly a warning based on heuristics on the permissions being asked.
Sure, it would require a helluva lot of work and careful design from the OS developer(s), but it should still help at least a little. Of course there are still those luddites who just click away, but clear-text explanations for items should again help with at least some of them; people often just click “Ok” or “next” because they don’t understand what’s presented to them, not because they don’t care.
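The two-tier scheme sketched in the comment above (a manifest of declared calls, a non-privileged FileOpen confined to the user’s own files, an install-time list of privileged calls with explanations, and halting on anything undeclared or ungranted), as an added toy model that is not part of this thread; the home path, executable name and the PrivFileOpen/PrivNetConnect explanations are constructed for the demo.

```python
"""Toy model of the proposed two-tier API: every call must be in the
executable's manifest, FileOpen may only touch the user's home tree, and
privileged calls run only after the user granted them at install time."""
import os
from dataclasses import dataclass, field

HOME = "/home/alice"  # constructed sample home directory

# Install-time explanations, one per privileged call (constructed).
PRIVILEGED = {
    "PrivFileOpen": "read or write files outside your home directory",
    "PrivNetConnect": "open network connections",
}

class Halted(Exception):
    """Raised when the loader stops the program."""

@dataclass
class Executable:
    name: str
    declared_calls: set                    # the manifest in the executable
    granted: set = field(default_factory=set)  # what the user approved

def install_prompt(exe: Executable) -> list:
    """Return the (call, explanation) pairs the installer would show."""
    return [(c, PRIVILEGED[c]) for c in sorted(exe.declared_calls)
            if c in PRIVILEGED]

def check_call(exe: Executable, call: str, arg: str = "") -> str:
    """Enforce the manifest first, then the tier rules, for one call."""
    if call not in exe.declared_calls:
        raise Halted(f"{exe.name}: undeclared call {call}")
    if call in PRIVILEGED and call not in exe.granted:
        raise Halted(f"{exe.name}: {call} was not granted by the user")
    if call == "FileOpen":
        # Normalise so '..' cannot walk out of the home directory.
        path = os.path.normpath(arg)
        if not path.startswith(HOME + os.sep):
            raise Halted(f"{exe.name}: FileOpen outside home: {path}")
    return "ok"

def run_program(exe: Executable, calls: list) -> list:
    """Run (call, arg) pairs in order; stop at the first halt."""
    log = []
    for call, arg in calls:
        try:
            log.append(check_call(exe, call, arg))
        except Halted as err:
            log.append(f"HALT: {err}")
            break
    return log
```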
Happy to see that I’m not alone wanting OSs to work that way
Though I would rather not incorporate the privileged/nonprivileged status of API calls at the function name level on my side. There would just be a set of default privileges, like “Accessing ~/.%APPNAME%” on a Unix, that would be granted to everyone and would be well-documented in the API doc.
This would in turn allow new backwards-incompatible releases to change the set of default privileges, if experience shows that there was a mistake in it somewhere.
Edited 2011-05-19 15:14 UTC
I’ve been thinking for years of how I would write my own OS if I ever did one, and strong security from the bottom up is one of those features I’d like to implement. I’ve got lots of ideas, both security-related and non-security-related, but even writing down all the aforementioned ones would be way too much to fit inside an OSAlert comment form :/
The reason why I’d separate them is exactly because of this thing you mentioned: non-privileged calls would only have access to your files, ie. ~/*, and trying to open anything outside of your files would immediately generate a warning and you’d need to use privileged calls for that. It would allow for slightly more fine-grained control, plus it would allow for more fine-grained status messages, both to the system and to the user. And it would force developers to pay a little bit more attention to what they’re doing themselves, which is only a good thing; just get a handful of Windows apps and there’s bound to be some examples of what I mean.
Edited 2011-05-19 17:01 UTC
Myself, I aim at something a bit more restrictive as a default setting: software only has access to its own files and to files which you explicitly give it access to, either via command line parameters or via “Open/Save file” dialogs in a GUI.
Normal utility software has no business peeking at your files without asking for permission first. User files are his/her private property, at least in my opinion
Why does separating privileged and non-privileged code at the API call level allow for more fine-grained control? Can’t the implementation of SomeFunction() itself check if the instruction is privileged or not, and if it is, issue a warning or halt the program, all that being done through a standard API for optimal user experience/security/whatever?
Again, to me it sounds like a benefit of a fine-grained privileged model as a whole, not of your solution in particular
What you said
Edited 2011-05-19 19:29 UTC
This is a bit like how Symbian works.
Your application needs to have specific certificates depending on which APIs it calls.
Yeah. I think Android also works this way. For once, mobile OS’ low-level layers prove to be better-suited to their job than desktop ones
Edited 2011-05-20 22:54 UTC
It sucks that some folks are allowed to use computers. It’s not that hard to protect yourself from virus infections without “sacrificing computing experience” or whatever it is called in English.
These Mac vs. Windows comments some have made are getting a little boring. Both operating systems are great, and I understand that some will prefer one over another, but please, really?
It is a fact that as Mac gets more popular, it will become a more attractive target for crapware/malware creators. There is now some decent security software available for Mac, and along with Windows users we should all have some form of security software installed.
If you are a tech savvy user, then you will know the risks of not doing so.