Apple Responds Quickly to Evolving 'Mac Defender' Threat With Updated Malware Definitions




MacRumors
Jun 2, 2011, 08:11 AM


Yesterday, we noted (http://www.macrumors.com/2011/06/01/new-variant-of-mac-defender-quickly-evades-apples-security-update-as-cat-and-mouse-game-begins/) that the attackers behind the "Mac Defender" malware (http://www.macrumors.com/2011/05/02/new-macdefender-malware-threat-for-mac-os-x/) had moved quickly to combat Apple's new security update (http://www.macrumors.com/2011/05/31/apple-addresses-mac-defender-threat-with-security-update-2011-003-for-snow-leopard/), within hours releasing a new variant of the malware that was capable of skirting around Apple's new protection.

http://cdn.macrumors.com/article-new/2011/06/macdefender_c_xprotect-500x336.jpg (http://cdn.macrumors.com/article-new/2011/06/macdefender_c_xprotect.jpg)
Xprotect.plist before (left) and after (right) latest update to address new Mac Defender variant

Fortunately for users, Apple has moved almost as quickly as the attackers, quashing any potential fears that the company might be slow to respond to each new threat that appears. As reported (http://www.spider-mac.com/2011/06/02/nuova-variante-del-trojan-mac-defender-non-aggira-il-security-update-2011-003-di-apple/) by Italian site Spider-Mac [Google translation (http://translate.google.com/translate?u=http://www.spider-mac.com/2011/06/02/nuova-variante-del-trojan-mac-defender-non-aggira-il-security-update-2011-003-di-apple/&hl=en&langpair=auto|en)], Apple has already issued an update to detect the new variant, pushing out a new entry for "OSX.MacDefender.C" to the Xprotect.plist file that contains the signatures for identifying malware.

After the update, users are indeed presented with a warning if they begin to download the latest variant:

http://cdn.macrumors.com/article-new/2011/06/macdefender_mdinstall_warning.jpg

As part of the security update earlier this week, Apple included a system to automatically update the Xprotect.plist anti-malware definitions every 24 hours, giving the company the ability to quickly push out new protection for Mac OS X Snow Leopard users. While this is unlikely to be the end of the Mac Defender attackers' efforts, it does appear that Apple is committed to responding and issuing updates to its users as quickly as the attackers can churn out new variants.

Article Link: Apple Responds Quickly to Evolving 'Mac Defender' Threat With Updated Malware Definitions (http://www.macrumors.com/2011/06/02/apple-responds-quickly-to-evolving-mac-defender-threat-with-updated-malware-definitions/)
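Added example, not Apple's code and not part of the article: a toy matcher showing how a definition list shaped like XProtect.plist is applied to a downloaded file, and why a small change in a new variant slips past it. The plist below is constructed; its key names (Description, LaunchServices/LSItemContentType, Matches/Pattern) follow my recollection of the Snow Leopard format, and the "every pattern must match" rule, the hex patterns and the threat names OSX.Example.A/B are assumptions of this example.

```python
"""Toy matcher for an XProtect.plist-style definition list.
Added example, not Apple's code: the plist below is constructed and the
key names follow my recollection of the Snow Leopard format."""
import plistlib

INSTALLER_PKG = "com.apple.installer-package-archive"

# Constructed definitions. Each entry names a threat, the content type it
# applies to, and one or more hex byte patterns that must all appear in the
# file (the all-must-match rule is an assumption of this example).
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.Example.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.installer-package-archive</string></dict>
    <key>Matches</key>
    <array>
      <dict><key>MatchType</key><string>Match</string>
            <key>Pattern</key><string>4D616344656665</string></dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Example.B</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.installer-package-archive</string></dict>
    <key>Matches</key>
    <array>
      <dict><key>MatchType</key><string>Match</string>
            <key>Pattern</key><string>6D64696E7374616C6C</string></dict>
      <dict><key>MatchType</key><string>Match</string>
            <key>Pattern</key><string>4D6163536563757269</string></dict>
    </array>
  </dict>
</array>
</plist>
"""


def load_definitions(plist_bytes):
    """Parse the plist into a list of (name, content_type, [pattern bytes])."""
    definitions = []
    for entry in plistlib.loads(plist_bytes):
        patterns = [bytes.fromhex(m["Pattern"]) for m in entry["Matches"]]
        definitions.append((entry["Description"],
                            entry["LaunchServices"]["LSItemContentType"],
                            patterns))
    return definitions


def scan(data, content_type, definitions):
    """Names of every definition whose content type matches and whose
    patterns all occur somewhere in `data`."""
    return [name for name, ctype, patterns in definitions
            if ctype == content_type and all(p in data for p in patterns)]


DEFINITIONS = load_definitions(SAMPLE_XPROTECT_PLIST)

# Constructed stand-ins for downloaded installer packages.
ORIGINAL = b"\x00pkg MacDefender mdinstall\x00"   # matches OSX.Example.A
RENAMED = b"\x00pkg MacSecurity mdinstall\x00"    # matches OSX.Example.B only
VARIANT = b"\x00pkg MacShield mdinstall\x00"      # evades both entries

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("renamed", RENAMED),
                          ("variant", VARIANT)):
        print(label, scan(sample, INSTALLER_PKG, DEFINITIONS))
```

The VARIANT sample is the whole cat-and-mouse game in miniature: a byte-pattern definition is only as good as the bytes the attacker leaves unchanged, so a rebuilt package with a new name needs a new entry, which is exactly what the OSX.MacDefender.C addition in the article is.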



Steve121178
Jun 2, 2011, 08:13 AM
The attackers will always be one step ahead...

iStudentUK
Jun 2, 2011, 08:13 AM
The war continues.

Soon we will see Apple and MacDefender standing off, each with enough missiles to destroy the other.

Gemütlichkeit
Jun 2, 2011, 08:15 AM
Wonder if there will be a permanent fix in Lion.


Well the current fix is to not install this BS in the first place.

0815
Jun 2, 2011, 08:16 AM
I'm getting pretty tired of the MacDefender 'news' updates - it's time to go back to normal life (and malware is part of that - no need for an update every day)

But anyway good to see that it took Apple less than 24h to release an update.


Wonder if there will be a permanent fix in Lion.
Well the current fix is to not install this BS in the first place.

There is no fix for this type of malware ... if the user interacts with an installer, there is not much that can be done until the installer is out in the wild and a signature for it can be created. Malware authors will always be a step ahead and nothing can be done about it.

justinfreid
Jun 2, 2011, 08:16 AM

This doesn't bode well for Lion's release. Even if these threats don't indicate a material problem with OS X, the fact that Apple has been baited into an arms war makes OS X look less secure.

ImNoSuperMan
Jun 2, 2011, 08:16 AM
Good to see apple responding so quickly.

Though I dont really like this current situation. Where are the good old days when no hackers even bothered to create malware for Macs? Stop buying so many macs people :D

miles01110
Jun 2, 2011, 08:17 AM
Looking forward to Apple's upcoming version of Patch Tuesday.

...except every week.

NebulaClash
Jun 2, 2011, 08:17 AM
The attackers will always be one step ahead...

But if Apple stays only one step behind and closes the holes within 24 hours each time, the attackers will soon learn that there isn't that much to be gained by the effort. They'll have to try another approach.

You know, this relatively benign malware is, on balance, a good thing. This will educate Mac users not to click OK on software they did not choose to install. So that when something really serious shows up, they will know better thanks to this mild version that is merely annoying.

millerb7
Jun 2, 2011, 08:18 AM

This doesn't bode well for Lion's release. Even if these threats don't indicate a material problem with OS X, the fact that Apple has been baited into an arms war makes OS X look less secure.

You have to install this yourself.... it is NOT a virus... but maleware.

Not sure exactly how OSX is less secure? Maleware has been around for years for OSX.... just don't install the damn thing!

Northgrove
Jun 2, 2011, 08:21 AM
The attackers will always be one step ahead...

Yes, they can of course release a new variant any day. Same as with the battle on other platforms. But what's important here is that this will keep the attacks from becoming widespread. Unless people keep clicking on all new variants all the time... (remember that this is a trojan, not a virus)

Full of Win
Jun 2, 2011, 08:21 AM
The writers of this malware love to see Apple jumping through the hoops they make. This will only get worse with 10.7, as per Apple's history, new OSes are filled with bugs and exploitable flaws.

angrynstupid
Jun 2, 2011, 08:22 AM

This doesn't bode well for Lion's release. Even if these threats don't indicate a material problem with OS X, the fact that Apple has been baited into an arms war makes OS X look less secure.

What kind of logic is this?

0815
Jun 2, 2011, 08:22 AM
The writers of this malware love to see Apple jumping through the hoops they make. This will only get worse with 10.7, as per Apple's history, new OSes are filled with bugs and exploitable flaws.

You mean like Windows, where the general advice is not to install it until SP1 is released?

riverfreak
Jun 2, 2011, 08:22 AM
There are two types of people in this world, those who create and those who destroy. I can't wait for the pimply adolescents behind the MacDefender stunt to be tracked down. How funny to have a career ending moment before it even begins.

hexx
Jun 2, 2011, 08:22 AM
just bring mac app store for default way of installing software and problem solved :) I know it's not gonna happen but it works fine on iOS devices - no malware

cnixon
Jun 2, 2011, 08:25 AM
You have to install this yourself.... it is NOT a virus... but maleware.

Not sure exactly how OSX is less secure? Maleware has been around for years for OSX.... just don't install the damn thing!

Maleware? What's maleware? Sounds like a line of men's lingerie. :confused:

zweigand
Jun 2, 2011, 08:26 AM
Man I hope this is the last round of Mac Defender tennis coverage.

Beaverfish
Jun 2, 2011, 08:27 AM
I'm thinking perhaps we should stop reporting this now...

WannaGoMac
Jun 2, 2011, 08:27 AM
You mean like Windows, where the general advice is not to install it until SP1 is released?

haha, I haven't heard this line in a while since Windows 7 came out. Windows 7 was a huge step in the right direction for MS as evidenced by lots of large IT departments rolling it out pre-SP1. This might have been due to the long and detailed beta test cycle, and fact that XP was over a decade old!

KaneBaker
Jun 2, 2011, 08:28 AM
just bring mac app store for default way of installing software and problem solved :) I know it's not gonna happen but it works fine on iOS devices - no malware

Might as well call the mac a console at that point then.

Detrius
Jun 2, 2011, 08:28 AM
Why do people keep thinking this is a security issue with OS X? MacDefender is not taking advantage of any security holes in OS X. It's wholly dependent on social engineering--convincing users to do something that they shouldn't. It's not a security flaw in OS X. Even if it didn't automatically open the installer, it could still talk people into opening the installer. It's good that Apple is doing something about it, but they aren't closing any security holes because there aren't any that are relevant to the situation at hand.

The fix is AdBlock or NoScript, and Apple can't do that.

beg_ne
Jun 2, 2011, 08:28 AM
The writers of this malware love to see Apple jumping through the hoops they make. This will only get worse with 10.7, as per Apple's history, new OSes are filled with bugs and exploitable flaws.

Completely irrelevant. MacDefender doesn't take advantage of any flaw or bug in OS X. The only flaw in play here is people's gullibility.

gregd33
Jun 2, 2011, 08:29 AM
Strange game. The only winning move is not to play.

gnasher729
Jun 2, 2011, 08:30 AM
The attackers will always be one step ahead...

The attackers will always be two steps behind any user with a brain. So you may be worried; I'm not.


just bring mac app store for default way of installing software and problem solved :) I know it's not gonna happen but it works fine on iOS devices - no malware

The big step would be a setting in "User Preferences" that needs to be turned on to allow any applications to be installed, or any downloaded applications to run. That setting would have to be turned on by the user, and would turn itself off after 15 minutes. Installer and Finder trying to start applications would show a message what to do when needed (a verbal message; user has to figure out how to do it himself). Result: Users trying to install legitimate apps are slightly inconvenienced; clueless users can't install MacDefender if they try; and users who know enough to figure out how to install MacDefender should be clever enough not to do it.

zweigand
Jun 2, 2011, 08:31 AM
The writers of this malware love to see Apple jumping through the hoops they make. This will only get worse with 10.7, as per Apple's history, new OSes are filled with bugs and exploitable flaws.
Jumping through hoops? LMAO. It's not like they are creating patches for exploits here … they find a new trojan in the wild and they update the "known baddie" list to include it.

kazmac
Jun 2, 2011, 08:32 AM
Apple did not hire those bigwig security experts for nothing.

Good. :)


batch of silly questions to anyone who can answer:

Does the security update run on its own or do I have to launch it to scan and/or receive the updates?

And is this security software located in the Applications folder or somewhere else? I didn't see where it installed last night, wasn't at the machine.

thanks.

musio
Jun 2, 2011, 08:34 AM
This is an attack from MS to ruin the news on Monday. Good timing, isn't it suspicious?

beg_ne
Jun 2, 2011, 08:35 AM
Looking forward to Apple's upcoming version of Patch Tuesday.

...except every week.

Completely clueless. Did you not even read the damn article you posted to?

There will be nothing to 'patch' as the issue isn't a security issue. As others have stated this is little more than social engineering.

Also the detection updates automatically in the background, at least daily. It requires no action from the user and is completely invisible to them.

Deflorator
Jun 2, 2011, 08:35 AM
You have to install this yourself.... it is NOT a virus... but maleware.

Not sure exactly how OSX is less secure? Maleware has been around for years for OSX.... just don't install the damn thing!

Well, while there is no femaleware in the wild this maleware can mate with and spread out, my Mac is safe.

Steve121178
Jun 2, 2011, 08:38 AM
The attackers will always be two steps behind any user with a brain. So you may be worried; I'm not.

I'm not worried, my main machines are Windows 7 PCs. I haven't had a virus/malware/trojan/attack since the old XP days.

In fact, the attackers got so bored trying to penetrate Windows 7, many gave up and decided to try and exploit vulnerabilities in Adobe products instead.

philbeeney
Jun 2, 2011, 08:40 AM
Strange game. The only winning move is not to play.

How about a nice game of chess?

hmcnally
Jun 2, 2011, 08:40 AM
XProtect.plist is gonna get awfully large.

The Security System Preference panel should mention the date of XProtect.plist's most recent update.

OS X should treat an attempt to delete XProtect.plist in a special manner... beyond asking for the password, which can be social engineered by a malware author by presenting a screen shot of dialog box, with an arrow and instructions to the user to type in their password to allow it.

hexx
Jun 2, 2011, 08:41 AM
Might as well call the mac a console at that point then.

well it's just how you obtain your soft, or am I wrong? it's the soft you want to use, not how you get it, or am I too old and lazy to be bothered about things like that?

homsar
Jun 2, 2011, 08:42 AM
I wouldn't be surprised if the entire thing weren't stage-managed by Apple to give them an argument in favour of a move to an iOS-style Mac App Store-only software model. (Jailbreak your Mac, anyone?)

ghostface147
Jun 2, 2011, 08:44 AM
It'd be nice to know if we got updated instead of having to look at xprotect.plist. Maybe that security section in settings can be updated somehow to show the latest date of definitions.
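hmcnally and ghostface147 both ask for a way to see when the definitions were last updated without opening XProtect.plist by hand. As an added example, not Apple's code and not from either poster, the script below reads the companion XProtect.meta.plist and reports the definitions version and age, flagging a copy older than the 24-hour interval the article describes. The path and the key names (Version, LastModification) are from my recollection of Snow Leopard; the sample file is constructed so the script also runs where the real file is absent.

```python
"""Report the version and age of the installed XProtect definitions.
Added example, not Apple's code. Path and key names are from my
recollection of Snow Leopard; SAMPLE_META is constructed."""
import plistlib
from datetime import datetime, timezone

XPROTECT_META_PATH = ("/System/Library/CoreServices/CoreTypes.bundle/"
                      "Contents/Resources/XProtect.meta.plist")

# Constructed sample; the date string mirrors an HTTP Last-Modified header.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key><string>Thu, 02 Jun 2011 05:11:20 GMT</string>
  <key>Version</key><integer>3</integer>
</dict>
</plist>
"""

UPDATE_INTERVAL_SECONDS = 24 * 3600   # the daily check the article describes


def parse_meta(plist_bytes):
    """Return (version, last modification as Unix seconds, UTC)."""
    meta = plistlib.loads(plist_bytes)
    last = datetime.strptime(meta["LastModification"],
                             "%a, %d %b %Y %H:%M:%S %Z")
    last_epoch = int(last.replace(tzinfo=timezone.utc).timestamp())
    return int(meta["Version"]), last_epoch


def definitions_status(plist_bytes, now_epoch):
    """Version, age in seconds at `now_epoch`, and whether more than one
    update interval has passed (a hint the daily check is not running)."""
    version, last_epoch = parse_meta(plist_bytes)
    age = now_epoch - last_epoch
    return {"version": version, "age_seconds": age,
            "overdue": age > UPDATE_INTERVAL_SECONDS}


def installed_status(path=XPROTECT_META_PATH):
    """Status of the real file on a Mac; None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return definitions_status(data, int(datetime.now(timezone.utc).timestamp()))


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    print(installed_status() or definitions_status(SAMPLE_META, now))
```

A definitions file that keeps coming back "overdue" is worth investigating: the "Automatically update safe downloads list" checkbox in the Security preference pane (mentioned later in this thread) turns the daily fetch off, and a machine that never reaches Apple's servers stays on whatever entries it last received.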

Elijahg
Jun 2, 2011, 08:46 AM
The writers of this malware love to see Apple jumping through the hoops they make. This will only get worse with 10.7, as per Apple's history, new OSes are filled with bugs and exploitable flaws.

Can't Apple update XProtect.plist to remove Full of Win too? :rolleyes:

Popeye206
Jun 2, 2011, 08:48 AM
I just hope this doesn't make them get more creative and actually go for a real virus. But I guess playing cat and mouse to go for the gullible users is much easier.

autrefois
Jun 2, 2011, 08:50 AM
You have to install this yourself.... it is NOT a virus... but maleware.

Not sure exactly how OSX is less secure? Maleware has been around for years for OSX.... just don't install the damn thing!

The word "virus" was not brought up until you mentioned it...

I agree with justinfreid that this situation is making OS X *LOOK* less secure. It is a threat: even if it is malware that must be user-installed, it is still malware. Mac users are less used to this sort of thing, and this is arguably the most high-profile threat to OS X and it's coming right before a major conference.

I wonder if Steve will address security in his keynote to try to show Apple is being active in protecting against malware (daily automatic updates could be spun to be a positive thing). The fact that they do seem to be on top of this one, unlike other holes that would at times go unpatched for months, makes things at least seem more secure.

Xian Zhu Xuande
Jun 2, 2011, 08:54 AM
The attackers will always be one step ahead...
A quick response like this from Apple makes it useless for them to be 'one step ahead' because their little piece of malware doesn't have enough time to accomplish anything of particular value. Apple's response here would probably be difficult to manage if there were many threats on the Mac, but it works quite perfectly in the current environment.

Wonder if there will be a permanent fix in Lion.
It isn't a virus. It is malware which the user chooses to (well, is tricked into) installing themselves. Only way to protect against that (short of customers understanding threats like this and not falling for them in the first place) is to recognize the software and kill it as Apple is currently doing.

0815
Jun 2, 2011, 08:58 AM
Well, while there is no femaleware in the wild this maleware can mate with and spread out, my Mac is safe.

I thought you could get a lot of that stuff on pages with mostly naked females?

applefan289
Jun 2, 2011, 08:59 AM
Even if Macs started getting regular Malware attacks, I would still prefer Macs over PCs with Windows.

I would also think Apple would release their own Antivirus software for free like Microsoft has done with Security Essentials.

Phil A.
Jun 2, 2011, 08:59 AM
The big step would be a setting in "User Preferences" that needs to be turned on to allow any applications to be installed, or any downloaded applications to run. That setting would have to be turned on by the user, and would turn itself off after 15 minutes. Installer and Finder trying to start applications would show a message what to do when needed (a verbal message; user has to figure out how to do it himself). Result: Users trying to install legitimate apps are slightly inconvenienced; clueless users can't install MacDefender if they try; and users who know enough to figure out how to install MacDefender should be clever enough not to do it.

I don't see how that would help to be honest: Even as things stand now, the user has to go through the installation steps to get this installed. That means they are most likely intentionally installing it in response to the socially engineered fear created by the fake virus warning. If they had to go into a control panel setting to allow it, the chances are they would because they want to install this software to "protect" their mac. If you are saying people who are stupid enough to want to install this wouldn't be able to figure it out, then you'd also be stopping them installing or running anything at all they downloaded from the internet. Not really a good solution IMO

HiVolt
Jun 2, 2011, 09:00 AM
Sooner or later Apple will have to come up with a memory resident malware scanner, unfortunately.

These are the same scumbags that have been doing these fake antivirus/utility on Windows computers for years, I think now that they've tapped into the Mac side, they wont be going away anytime soon.

0815
Jun 2, 2011, 09:00 AM
I wouldn't be surprised if the entire thing weren't stage-managed by Apple to give them an argument in favour of a move to an iOS-style Mac App Store-only software model. (Jailbreak your Mac, anyone?)

Here we go again - people running out of real arguments against apple clinging to stupid claims like this ....

dagamer34
Jun 2, 2011, 09:03 AM
I hope in Lion they disable opening downloaded files automatically. It's the largest security hole ever in an operating system.

kalsta
Jun 2, 2011, 09:06 AM
Fantastic stuff Apple!!

The writers of this malware love to see Apple jumping through the hoops they make.

They may enjoy being in the spotlight right now, but when news sites get bored of the story (and they will soon enough), and provided Apple keeps thwarting their efforts in such a timely manner, I imagine they'll very soon tire of it.

macnews
Jun 2, 2011, 09:08 AM
Apple did not hire those bigwig security experts for nothing.

Good. :)


batch of silly questions to anyone who can answer:

Does the security update run on its own or do I have to launch it to scan and/or receive the updates?

And is this security software located in the Applications folder or somewhere else? I didn't see where it installed last night, wasn't at the machine.

thanks.

Looks like it runs on its own, though I'm not sure where the file is located yet. This does depend on whether you have turned the option off, however, under Security: "automatically update safe downloads list."

homsar
Jun 2, 2011, 09:09 AM
Here we go again - people running out of real arguments against apple clinging to stupid claims like this ....

Nyeh? I love my two Macs and iPhone and run an almost all-Apple ecosystem in my home and work. Of course I'm looking for arguments against them.

I didn't say they WOULD do that, just that I wouldn't be surprised if they did. Maybe I engaged in a certain amount of hyperbole. Certainly if Apple wanted to go down the route of a fully-curated desktop architecture like they have on iOS, stuff like this would give them the perfect excuse.

Steve121178
Jun 2, 2011, 09:10 AM
Fantastic stuff Apple!!



They may enjoy being in the spotlight right now, but when news sites get bored of the story (and they will soon enough), and provided Apple keeps thwarting their efforts in such a timely manner, I imagine they'll very soon tire of it.

Yeah, because that's exactly what the attackers did with other OS's with holes in... ;)

They are exploiting the same issue. While they are making Apple look stupid, you can bet your house they have found other vulnerabilities in OS X. These guys are pros and will continue to move the goal posts.

Scarrus
Jun 2, 2011, 09:13 AM
Even if Macs started getting regular Malware attacks, I would still prefer Macs over PCs with Windows.

I would also think Apple would release their own Antivirus software for free like Microsoft has done with Security Essentials.

OMG, people truly are obsessed.

Ok, once again, clear, in capital letters and plain english:


THERE IS NO VIRUS FOR MAC OSX, NOR WILL THERE EVER BE ONE!

afd
Jun 2, 2011, 09:16 AM
just bring mac app store for default way of installing software and problem solved :) I know it's not gonna happen but it works fine on iOS devices - no malware

Anyone else ever wonder if apple started doing this stuff themselves as an excuse to lock up OSX like iOS?

jetownsend
Jun 2, 2011, 09:16 AM
I'm getting pretty tired of the MacDefender 'news' updates - it's time to go back to normal life (and malware is part of that - no need for an update every day)

But anyway good to see that it took Apple less than 24h to release an update.

There is no fix for this type of malware ... if the user interacts with an installer, there is not much that can be done until the installer is out in the wild and a signature for it can be created. Malware authors will always be a step ahead and nothing can be done about it.

The "fix" for gullible users is the walled garden and benevolent dictatorship of the Mac App Store. For some people, though, this cure is worse than the disease.

Deflorator
Jun 2, 2011, 09:16 AM
I thought you could get a lot of that stuff on pages with mostly naked females?

I believe that most users prefer just one gender, so either maleware from female sites or femaleware from male sites; anyway, good luck mating with yourself, dear so-called "Mac virus".

macnews
Jun 2, 2011, 09:17 AM
I don't see how that would help to be honest: Even as things stand now, the user has to go through the installation steps to get this installed. That means they are most likely intentionally installing it in response to the socially engineered fear created by the fake virus warning. If they had to go into a control panel setting to allow it, the chances are they would because they want to install this software to "protect" their mac. If you are saying people who are stupid enough to want to install this wouldn't be able to figure it out, then you'd also be stopping them installing or running anything at all they downloaded from the internet. Not really a good solution IMO

The social engineering aspect of this really is the biggest threat, not just to Macs but also Windows. I have a friend who writes code (he can read machine code, which is just weird and scary sometimes) and his take on this round of malware is this: it isn't that Macs are more vulnerable now or that the sheer number of Macs makes them more attractive; rather, it is the improved security in Windows that has caused virus and malware writers to re-tool. Basically, it is now easier to just trick people into installing your bad software than to trick the OS. Since the tricking relies on the weakest link - humans - the OS really doesn't matter, so you just spread out the con as far as possible.

arkitect
Jun 2, 2011, 09:18 AM
Well now that Apple have mounted the back of this tiger they can't afford to be slow…
We'll see how this pans out.

Scarrus
Jun 2, 2011, 09:18 AM
Anyone else ever wonder if apple started doing this stuff themselves as an excuse to lock up OSX like iOS?

No, because that type of argument would just make them seem hypocritical. I'm sure if/when they want to close OS X, Steve will do his magic on stage and convince 99% of the audience... probably with real good arguments too!

deputy_doofy
Jun 2, 2011, 09:19 AM
Look, malware is a problem only because the same people who fork over their account numbers to the Nigerian King will fall for this (and those people are aplenty, unfortunately).

That said, I've been to some seedy sites and I never worry about malware. Until something auto-downloads, auto-installs, auto-runs, and I'm infected without doing anything, I will not worry about any of this nonsense...

Tastic Bycrom
Jun 2, 2011, 09:20 AM
OMG, people truly are obsessed.

Ok, once again, clear, in capital letters and plain english:


THERE IS NO VIRUS FOR MAC OSX, NOR WILL THERE EVER BE ONE!

Don't make statements like that. Just because there is no prevalent virus for OSX doesn't exclude the possibility of one being made. OSX is just software and can have flaws.

twilson
Jun 2, 2011, 09:21 AM
The attackers will always be one step ahead...

Still, one is better than five surely?

Scarrus
Jun 2, 2011, 09:22 AM
Look, malware is a problem only because the same people who fork over their account numbers to the Nigerian King will fall for this (and those people are aplenty, unfortunately).

That said, I've been to some seedy sites and I never worry about malware. Until something auto-downloads, auto-installs, auto-runs, and I'm infected without doing anything, I will not worry about any of this nonsense...

AMEN

And that is practically impossible in Mac OS X. I'm not saying it's theoretically impossible, just practically, for a lot of reasons.

baryon
Jun 2, 2011, 09:22 AM
What Apple should fix is to REQUIRE a PASSWORD when you install ANYTHING. Why does Mac Defender get away with installing without the need of a password? How is that not a bug?

Otaviano
Jun 2, 2011, 09:22 AM
Would be nice for this stupid story to die down. Rehashing it just keeps these malware people super motivated. Apple updated the list, let me make a new variant. If the story dies down so will the variants of Mac Defender.

Apple should make "Open safe files after downloading" be unchecked by default. The average person who doesn't know better keeps it checked, quite foolishly.

twilson
Jun 2, 2011, 09:24 AM
haha, I haven't heard this line in a while since Windows 7 came out. Windows 7 was a huge step in the right direction for MS as evidenced by lots of large IT departments rolling it out pre-SP1. This might have been due to the long and detailed beta test cycle, and fact that XP was over a decade old!

Yes it was, and still there are 64-bit rootkits etc. that take over even the most advanced Windows systems, bypassing various sandboxes put in place in Windows 7.

addicted44
Jun 2, 2011, 09:26 AM
haha, I haven't heard this line in a while since Windows 7 came out. Windows 7 was a huge step in the right direction for MS as evidenced by lots of large IT departments rolling it out pre-SP1. This might have been due to the long and detailed beta test cycle, and fact that XP was over a decade old!

True, but that was largely because W7 = Vista SP1.

Windows 7 is what Vista should have been.

Scarrus
Jun 2, 2011, 09:26 AM
Don't make statements like that. Just because there is no prevalent virus for OSX doesn't exclude the possibility of one being made. OSX is just software and can have flaws.

Yes, and it does have flaws like any other software, but as far as viruses go, it's practically immune as the whole User Interface and System works sandboxed inside Unix.

The thing is, there's this Unix system running underneath, which is basically the kernel and some extensions to it, maybe also drivers, don't know that for sure. And on top of that there's like another system which only has read access to the system files and can in no way be modified otherwise.
Of course you could ******* up the system by going into the console (terminal), logging in as the root user and starting to mess stuff up, but you would have to interact with the system yourself. For a program or a virus to do this it would have to create an automated task in Automator, which is also impossible.

ˇalgiris
Jun 2, 2011, 09:26 AM
What Apple should fix is to REQUIRE a PASSWORD when you install ANYTHING. Why does Mac Defender get away with installing without the need of a password? How is that not a bug?

Because it's installing into the user folder, not system-wide. The user is the owner of his folder, so it doesn't make sense to ask for passwords.

Nightarchaon
Jun 2, 2011, 09:28 AM
How long before the virus writers hijack this "tool" and its plist to prevent anti-virus software being installed by flagging legitimate anti virus tools as malicious !

addicted44
Jun 2, 2011, 09:28 AM
People will whine and moan, but the actual fix is to convince users to download only through the App Store.

Not like iOS where there are no alternatives available, but what we have now (alternate stores are allowed) with massive consumer education directing them towards the Mac App Store.

Additionally, Apple needs to remove the "Open Safe Files..." option altogether. Honestly, whyTF is that even an option? Its on par with Windows' default login being root brainfart.

whooleytoo
Jun 2, 2011, 09:28 AM
The step I'd like to see Apple make is this:

All executables, or packages which may contain executables are 'quarantined' by Safari. They aren't opened, and they don't go in the Downloads folder where someone might accidentally launch them. They appear as "Quarantined" in the Downloads window in Safari and to open them you need to explicitly click a "I trust this download" button - ideally requiring Administrator privileges.

Most inexperienced users wouldn't take that step, so wouldn't be fooled by this trojan.

Still, good for Apple for taking these steps. I only hope this is the end, and not the beginning. Otherwise, (the safety of the) Mac App Store for all apps, here we go.
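The quarantine that whooleytoo proposes extending already exists in one form: Safari tags each download with a com.apple.quarantine extended attribute, which is what Launch Services consults before showing the "downloaded from the Internet" dialog. As an added example, not Apple's code and not from the poster, the script below parses that attribute and applies the "I trust this download" gate from the post to executable content types. The attribute layout (flags;hex Unix time;agent;...) is from my recollection and the fields after the agent differ between OS releases; the sample values, the EXECUTABLE_TYPES set and the file paths are constructed for this example.

```python
"""Inspect the com.apple.quarantine attribute on a download and apply a
"trust before run" gate to executable content. Added example, not Apple's
code; the attribute layout is from my recollection and samples are constructed."""
import shutil
import subprocess
from datetime import datetime, timezone

# Constructed sample values for one download as recorded on two releases.
SAMPLE_SNOW_LEOPARD = "0001;4de76d40;Safari;|com.apple.Safari"
SAMPLE_LATER = "0081;4de76d40;Safari;3C0D9E2A-1111-2222-3333-444455556666"

# Content types the gate treats as executable (assumption of this example).
EXECUTABLE_TYPES = {
    "com.apple.installer-package-archive",
    "com.apple.application-bundle",
    "public.shell-script",
}


def parse_quarantine(value):
    """Split 'flags;hex-unixtime;agent;...' into its parts."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unrecognised quarantine value: %r" % value)
    epoch = int(parts[1], 16)
    return {
        "flags": int(parts[0], 16),
        "downloaded_epoch": epoch,
        "downloaded_at": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "agent": parts[2],
        "extra": parts[3:],          # bundle id or UUID, release dependent
    }


def read_quarantine(path):
    """Raw attribute for `path` via the xattr tool on a Mac; None if the
    tool is missing or the file carries no quarantine attribute."""
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def should_block(quarantine_value, content_type, path, trusted):
    """The gate from the post: a still-quarantined executable download runs
    only after the user has explicitly added it to `trusted`. Unquarantined
    files and non-executable content pass untouched."""
    if quarantine_value is None or content_type not in EXECUTABLE_TYPES:
        return False
    return path not in trusted


if __name__ == "__main__":
    pkg = "/Users/demo/Downloads/MacDefender.pkg"   # constructed path
    print(parse_quarantine(SAMPLE_SNOW_LEOPARD))
    print("blocked:", should_block(SAMPLE_LATER, "com.apple.installer-package-archive",
                                   pkg, trusted=set()))
```

The gate only adds friction where the attribute is present, which is the point of the thread's "Open safe files after downloading" complaints: if Safari auto-opens the package before any such check runs, the quarantine tag never gets a chance to matter.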

twilson
Jun 2, 2011, 09:28 AM
Because it's installing into the user folder, not system-wide. The user is the owner of his folder, so it doesn't make sense to ask for passwords.

I think he's saying that installation of ANY KIND should require a password, and I would tend to agree.

macnews
Jun 2, 2011, 09:29 AM
Yeah, because that's exactly what the attackers did with other OS's with holes in... ;)

They are exploiting the same issue. While they are making Apple look stupid, you can bet your house they have found other vulnerabilities in OS X. These guys are pros and will continue to move the goal posts.

The vulnerability is the user, not the OS so yes, I'm sure like any con they have thought of many other ways to trick the user. Understand, this malware PRESENTS an install screen. While it doesn't require a user password it DOES require USER interaction. This is a huge difference compared to the earlier days of windows (not sure about win7) where crap could just install with no user interaction at all.

I think the media is trying to make Apple look stupid but in reality it is the user. It is like putting blame on Yahoo for a Nigerian scam email that comes in to your Yahoo email. It is the user who has to give them their bank account access, not Yahoo.

Nightarchaon
Jun 2, 2011, 09:29 AM
True, but that was largely because W7 = Vista SP1.

Windows 7 is what Vista should have been.

Actually it was

Windows Vista = Windows 7 beta.

Or at best , RC1

0815
Jun 2, 2011, 09:30 AM
What Apple should fix is to REQUIRE a PASSWORD when you install ANYTHING. Why does Mac Defender get away with installing without the need of a password? How is that not a bug?

This is what amazes me: MacDefender is all over the news - but the password thing is rarely mentioned - I'm not worried since it still requires an installer to get installed, but the scary part is that they found a way around the password - which at least would add some user awareness (even if installed in the user folder) - not sure if that really would help, since people who blindly click through installers that they didn't launch will also most likely blindly type their password when prompted.

ˇalgiris
Jun 2, 2011, 09:30 AM
I think he's saying that installation of ANY KIND should require a password, and I would tend to agree.

That hardly makes sense unless you want to work from an account managed with parental controls. On the other hand, if it takes only that to put an end to this, who am I to argue.

3rd Doctor
Jun 2, 2011, 09:32 AM
This is what amazes me: MacDefender is all over the news - but the password thing is rarely mentioned - I'm not worried since it still requires an installer to get installed, but the scary part is that they found a way around the password - which at least would add some user awareness (even if installed in the user folder) - not sure if that really would help, since people who blindly click to installers that didn't launch will also most likely blindly type their password when prompted.
Did they though? Or was it the fact that the user is running as an administrator rather than a standard user?

Thunderhawks
Jun 2, 2011, 09:32 AM
XProtect.plist is gonna get awfully large.

The Security System Preference panel should mention the date of XProtect.plist's most recent update.

OS X should treat an attempt to delete XProtect.plist in a special manner... beyond asking for the password, which can be social engineered by a malware author by presenting a screen shot of dialog box, with an arrow and instructions to the user to type in their password to allow it.

Since we are looking for ideas, how about:

One of the install buttons one has to press to install malware should be charged with say 110 Volts.

So, when all the people who don't know what they are doing try to press a malware key, they get zapped!:-)

Or

As soon as you enter your credit card and the charge comes through, the bank calls and says your credit line is all used up.:-)

Feel free to add.

This is a user education issue and IMO Apple should run some ads to that extent and put it into their opening videos when you first start up a Mac.
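
Since the thread keeps coming back to what XProtect.plist contains and how old its definitions are, here is an added example (my code, not Apple's) that reads a signature list in the XProtect.plist shape and runs its byte patterns over a download. The layout used (an array of entries with Description, LaunchServices/LSItemContentType, and Matches carrying MatchType "Match" and a Pattern blob) approximates the real file; the entries, patterns and the XProtect.meta.plist key names (Version, LastModification) are assumptions constructed for this example.

```python
"""Added example: parse an XProtect.plist-style signature list and match
its byte patterns against file contents. Not Apple's code; the plist
structure is an approximation and every entry below is constructed."""
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed signature list, serialized to the XML plist form seen on disk.
SAMPLE_XPROTECT_PLIST = plistlib.dumps([
    {
        "Description": "OSX.Example.A",
        "LaunchServices": {"LSItemContentType": "com.apple.installer-package-archive"},
        "Matches": [
            {"MatchFile": {"NSURLTypeIdentifierKey": "com.apple.installer-package-archive"},
             "MatchType": "Match",
             "Pattern": b"EXAMPLE-MARKER"},
        ],
    },
    {
        "Description": "OSX.Example.B",
        "LaunchServices": {"LSItemContentType": "public.zip-archive"},
        "Matches": [
            # Two patterns: a zip local-file header and an embedded package name.
            {"MatchFile": {"NSURLTypeIdentifierKey": "public.zip-archive"},
             "MatchType": "Match", "Pattern": b"\x50\x4b\x03\x04"},
            {"MatchFile": {"NSURLTypeIdentifierKey": "public.zip-archive"},
             "MatchType": "Match", "Pattern": b"setup.mpkg"},
        ],
    },
])

# Constructed metadata plist; the key names are an assumption.
SAMPLE_META_PLIST = plistlib.dumps({
    "Version": 4,
    "LastModification": "Thu, 02 Jun 2011 07:30:00 GMT",
})

# Fixed "now" so the age calculation is reproducible in the example.
EXAMPLE_NOW = datetime(2011, 6, 3, 7, 30, tzinfo=timezone.utc)


def load_signatures(plist_bytes):
    """Return a list of (description, content_type, [pattern, ...]) tuples."""
    signatures = []
    for entry in plistlib.loads(plist_bytes):
        patterns = [m["Pattern"] for m in entry.get("Matches", [])
                    if m.get("MatchType") == "Match"]
        signatures.append((entry["Description"],
                           entry["LaunchServices"]["LSItemContentType"],
                           patterns))
    return signatures


def scan(data, content_type, signatures):
    """Names of signatures whose content type matches the download and whose
    every pattern occurs somewhere in data (plain substring matching)."""
    return [name for name, ctype, patterns in signatures
            if ctype == content_type and patterns
            and all(p in data for p in patterns)]


def definitions_age_days(meta_plist_bytes, now=None):
    """Days since the definition file was last modified, from the metadata."""
    meta = plistlib.loads(meta_plist_bytes)
    modified = parsedate_to_datetime(meta["LastModification"])
    now = now or datetime.now(timezone.utc)
    return (now - modified).total_seconds() / 86400


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_XPROTECT_PLIST)
    sample_download = b"\x50\x4b\x03\x04 ... setup.mpkg ..."   # constructed bytes
    print(scan(sample_download, "public.zip-archive", sigs))
    print("definitions are %.1f days old" % definitions_age_days(SAMPLE_META_PLIST, EXAMPLE_NOW))
```

Matching is gated on the content type as well as the bytes, which is why a pattern hit in a file of a different type (say a text file containing the same bytes) produces no detection; that is also why a variant that only changes its packaging can slip past an unchanged entry.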

ranReloaded
Jun 2, 2011, 09:32 AM
haha, I haven't heard this line in a while since Windows 7 came out. Windows 7 was a huge step in the right direction for MS as evidenced by lots of large IT departments rolling it out pre-SP1. This might have been due to the long and detailed beta test cycle, and fact that XP was over a decade old!

Vista was 7's Beta? :D

ˇalgiris
Jun 2, 2011, 09:35 AM
Vista was 7's Beta? :D

A very long and expensive beta test.

0815
Jun 2, 2011, 09:36 AM
Did they though? Or was it the fact that the user is running as an administrator rather than a standard user?

Yes they did - by installing it in the 'user folder' where the user has the full right to do anything. Even if you are logged in as an Administrator you wouldn't be an administrator on the Unix level and it would prompt for the password if you try to install something (or have to use sudo on the command line).

macnews
Jun 2, 2011, 09:38 AM
This is what amazes me: MacDefender is all over the news - but the password thing is rarely mentioned - I'm not worried since it still requires an installer to get installed, but the scary part is that they found a way around the password - which at least would add some user awareness (even if installed in the user folder) - not sure if that really would help, since people who blindly click to installers that didn't launch will also most likely blindly type their password when prompted.

Not requiring a password is a "feature" for the logged in user. If I understand it correctly, this is a carry over from the early days of Unix where you had more educated computer users (since there weren't many and you had to be a lot more educated just to use a computer) and it was assumed you would want to install software made available just to that non-admin user. It doesn't install for every user thus there is some protection. Still requires user permission to install so think they were thinking this was enough of a protection vs usability factor.

I'm not defending this "feature" just explaining what has been told to me about why it is like it is.

ranReloaded
Jun 2, 2011, 09:39 AM
It's not about the system's inherent security anymore.

If this social engineering/phishing stuff is deceiving the privileged user into doing its bid, there's no way to secure the system short of making it unusable.
(i.e., forbid installs or introduce Vista's pervasive "Cancel or Allow", which ends up annoying the user and ultimately promotes automatically choosing "Allow" each time, without reading the message).

The user has become the vector, there's only so much Apple can do against it.

eagle33199
Jun 2, 2011, 09:39 AM
There's an old joke that I find very apt here... Two people are out walking and come across a Cheetah. As the Cheetah eyes them, one slowly bends down and tightens his shoes. The other says to him "dude, you can't outrun a cheetah!". He replies "I'm not trying to outrun the cheetah."

OSX doesn't have to stay ahead of all the criminals out there trying to penetrate the system. They merely have to stay ahead of their competition, and those criminals will go after the easier, more profitable, prey. OSX will remain relatively free of threats so long as Apple aggressively counterattacks each one quickly and efficiently, taking the profit out of it.

For those moaning that this is the death of OSX... let's do a quick comparison. So far this month (and it's only the second day of the month), OSX has had 1 new variant of malware. Windows, according to McAfee's virus definitions, has had over 30 new viruses discovered today alone. Go take a look yourself: http://home.mcafee.com/VirusInfo/ThreatActivity.aspx

RoboCop001
Jun 2, 2011, 09:39 AM
And so it came to pass, on June 2nd 2011, that OS X did cease to exist. But even then, the malware programmer had no concept of his greater role in events. For this was far more than OS X's end. This day was the day upon which the whole of creation would change forever. This was the day the Time Lords returned!! :eek::eek::eek:

Mak47
Jun 2, 2011, 09:40 AM
The step I'd like to see Apple make is this:

All executables, or packages which may contain executables are 'quarantined' by Safari. They aren't opened, and they don't go in the Downloads folder where someone might accidentally launch them. They appear as "Quarantined" in the Downloads window in Safari and to open them you need to explicitly click a "I trust this download" button - ideally requiring Administrator privileges.

Most inexperienced users wouldn't take that step, so wouldn't be fooled by this trojan.

Still, good for Apple for taking these steps. In only hope this is the end, and not the beginning. Otherwise, (the safety of the) Mac App Store for all apps, here we go.

That's actually a great idea. Still not 100% idiotproof, but probably as close as can be.

ranReloaded
Jun 2, 2011, 09:40 AM
A very long and expensive beta test.

At least Google's betas are always free! :D

KnightWRX
Jun 2, 2011, 09:40 AM
I think he's saying that installation of ANY KIND should require a password, and I would tend to agree.

Why would you lock down a user's home directory though? That goes against the "it just works" mantra.

Installing for a single user shouldn't require a password.

ˇalgiris
Jun 2, 2011, 09:41 AM
Latest version of this scam installs (if you let it) to /Users/[USERNAME]/Applications, because it's not a system level location like /Applications is.

That's why it doesn't ask for a password, because you are free to do what you want in your user folder, unless you want to restrict yourself with parental controls.
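
Because a password-less install can only land in locations the user already owns, those locations are also the ones to sweep when checking a machine. Here is an added example (my code, not from the thread or Apple) that lists recently added items under the per-user paths named above (~/Applications) plus ~/Library/LaunchAgents, the per-user launchd directory. The fake home directory and its contents are constructed in a temporary tree so the script runs anywhere; the directory names themselves are the real macOS ones.

```python
"""Added example: list recently modified entries in the per-user locations
a password-less installer can write to. The demo home tree is constructed."""
import os
import tempfile
import time
from pathlib import Path

# Per-user directories a non-privileged install can populate.
USER_WRITABLE_LOCATIONS = ("Applications", "Library/LaunchAgents")


def recent_items(home, max_age_seconds, now=None):
    """Return sorted [(path relative to home, age in seconds)] for entries
    directly under USER_WRITABLE_LOCATIONS modified within max_age_seconds.
    Directories that don't exist (a fresh account) are skipped silently."""
    now = now if now is not None else time.time()
    home = Path(home)
    found = []
    for rel in USER_WRITABLE_LOCATIONS:
        directory = home / rel
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            age = now - entry.lstat().st_mtime      # lstat: don't follow symlinks
            if age <= max_age_seconds:
                found.append((str(entry.relative_to(home)), age))
    return sorted(found)


def build_demo_home(root):
    """Constructed fixture: a fake home with one 90-day-old app bundle and
    two fresh items, a new app bundle and a new LaunchAgent plist."""
    root = Path(root)
    (root / "Applications" / "OldTool.app").mkdir(parents=True)
    (root / "Applications" / "NewDefender.app").mkdir()
    (root / "Library" / "LaunchAgents").mkdir(parents=True)
    (root / "Library" / "LaunchAgents" / "com.example.agent.plist").write_text("<plist/>")
    old = time.time() - 90 * 86400
    os.utime(root / "Applications" / "OldTool.app", (old, old))
    return root


def demo(max_age_days=7):
    """Build the fixture and return the paths flagged as recent."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_demo_home(tmp)
        return [path for path, _ in recent_items(home, max_age_days * 86400)]


if __name__ == "__main__":
    for path in demo():
        print("recent:", path)
    # On a real Mac, point it at the account's home instead of the fixture:
    # recent_items(Path.home(), 7 * 86400)
```

The LaunchAgents directory is included because it is the per-user persistence path that needs no password either; anything new there deserves the same look as a new bundle in ~/Applications.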

sined13
Jun 2, 2011, 09:43 AM
This is a never ending cat and mouse game. It is no different than on any other OS.

Scarrus
Jun 2, 2011, 09:43 AM
Not requiring a password is a "feature" for the logged in user. If I understand it correctly, this is a carry over from the early days of Unix where you had more educated computer users (since there weren't many and you had to be a lot more educated just to use a computer) and it was assumed you would want to install software made available just to that non-admin user. It doesn't install for every user thus there is some protection. Still requires user permission to install so think they were thinking this was enough of a protection vs usability factor.

I'm not defending this "feature" just explaining what has been told to me about why it is like it is.

I really wonder who thumbs these kind of posts down...

3rd Doctor
Jun 2, 2011, 09:44 AM
Yes they did - by installing it in the 'user folder' where the user has the full right to do anything. Even if you are logged in as an Administrator you wouldn't be an administrator on the Unix level and it will would prompt for the password if you try to install something (or have to use sudo on the command line).

So even if you are logged in as a guest for example, you can still install it without a password?

toxotis70
Jun 2, 2011, 09:44 AM
Can you be more specific ?

You said that the malware installs itself without any password question?

ranReloaded
Jun 2, 2011, 09:45 AM
That's actually a great idea. Still not 100% idiotproof, but probably as close as can be.

I doubt it.

If the website/banner/ad/whatever can convince you that the software is legit (Which it seems to be, otherwise Why would anyone have downloaded it in the first place?), the user will see the exact same process happen as when they download, say, "Photoshop trial". (quarantine -> must install manually and dismiss warning). It will look "just as the real thing".

KnightWRX
Jun 2, 2011, 09:46 AM
So even if you are logged in as a guest for example, you can still install it without a password?

If guest has a home directory (which it does), yes. You install it in Guest's home directory and only Guest has access to it.

That's how home directories work.

People looking for a technical solution to social engineering can only end up making the system less usable. Social engineering is not a technical problem.

If the website/banner/ad/whatever can convince you that the software is legit (Which it seems to be, otherwise Why would anyone have downloaded it in the first place?),

Hum... Javascript can be used to automatically download files. Safari with the "Open Safe files automatically" then automatically runs it since .mpkg is a safe file.

So the only manual step in this vector is actually completing the install. Safari's feature is the huge hole that needs plugging. That option should be removed and the user should have to manually open files he downloads, or Safari should do what other browsers do, prompt the user for action when a download is initiated (Open, Save to download folder, Cancel).
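
Two things a practitioner can check on a box after reading the above: what the download's quarantine attribute says about who fetched it and when, and whether the "Open 'safe' files after downloading" setting is still on. This added example (my code, not Safari's or Apple's) decodes the text form of the com.apple.quarantine extended attribute, flags;hex-timestamp;agent;[uuid], as printed by xattr(1); the sample value is constructed. The preference key com.apple.Safari AutoOpenSafeDownloads is the real one behind that checkbox; where the `defaults` tool is not on PATH (any non-Mac host) the check returns None rather than guessing.

```python
"""Added example: decode a com.apple.quarantine attribute value and read
Safari's auto-open preference. Sample attribute value is constructed."""
import shutil
import subprocess
from datetime import datetime, timezone

# Constructed: what `xattr -p com.apple.quarantine Defender.mpkg` might print.
SAMPLE_QUARANTINE = "0081;4de75ea1;Safari;7A1C3B9E-2F4D-4E4B-9C3A-1D2E3F4A5B6C"


def parse_quarantine(value):
    """Split the attribute into flags (hex), download time (hex seconds since
    the epoch, UTC), the downloading agent, and the optional UUID."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine format: %r" % value)
    flags = int(parts[0], 16)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return {"flags": flags, "downloaded": when, "agent": parts[2], "uuid": uuid}


def safari_auto_opens_safe_files():
    """True/False from the Safari preference, or None when it can't be read
    on this host (no `defaults` tool, or the key has never been written,
    in which case Safari falls back to its built-in default)."""
    defaults = shutil.which("defaults")
    if defaults is None:
        return None
    try:
        out = subprocess.run(
            [defaults, "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
            capture_output=True, text=True, check=True).stdout.strip()
    except subprocess.CalledProcessError:
        return None
    return out in ("1", "true", "YES")


if __name__ == "__main__":
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print("downloaded by %s at %s" % (q["agent"], q["downloaded"].isoformat()))
    print("Safari auto-opens 'safe' files:", safari_auto_opens_safe_files())
```

To switch the option off from a shell rather than the Preferences window: `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`, then restart Safari. The quarantine flags field is left undecoded on purpose; its bit meanings are not documented on this page and I am not asserting them.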

ranReloaded
Jun 2, 2011, 09:49 AM
[...]
For those moaning that this is the death of OSX... lets do a quick comparison. So far this month (and it's only the second day of the month), OSX has had 1 new variant of malware. Windows, according to McAfee's virus definitions, has had over 30 new viruses discovered today alone. go take a look yourself: http://home.mcafee.com/VirusInfo/ThreatActivity.aspx

+30
(pun intended)

0815
Jun 2, 2011, 09:50 AM
So even if you are logged in as a guest for example, you can still install it without a password?

Every user can do whatever they want WITHIN their home directory. It is basically just copying data in the user directory of the current user. This is nothing that installs system wide or uses any security holes to hook it in the system, does not restart automatically when the machine is booted, nothing. (And guest you can anyway setup to wipe everything out after logout)

ranReloaded
Jun 2, 2011, 09:51 AM
[...]
Hum... Javascript can be used to automatically download files. Safari with the "Open Safe files automatically" then automatically runs it since .mpkg is a safe file.

So the only manual step in this vector is actually completing the install. Safari's feature is the huge hole that needs plugging. That option be removed and the user should have to manually open files he downloads or Safari should do what other browsers do, prompt the user for action when a download is initiated (Open, Save to download folder, Cancel).

I agree banning automatic launch of installers IS a huge step forward.

Mak47
Jun 2, 2011, 09:53 AM
I'm glad Apple is taking some steps to prevent this, even though it is more of a user education issue.

This being malware as opposed to a virus, its authors have nothing to gain simply by being a step ahead. If they're not getting credit card info etc. they aren't making any money, which is the entire point of something like this. If Apple issues updates every day like they have been, they won't ever get anything.

What would really stop this stuff however, are real consequences. Right now it's worth the risk for even a small amount of success because nobody tracks these people down. As high profile as this case has been, it would be perfect to make an example out of these guys.

BLACKFRIDAY
Jun 2, 2011, 09:56 AM
There's an old joke that I find very apt here... Two people are out walking and come across a Cheetah. As the Cheetah eyes them, one slowly bends down and tightens his shoes. The other says to him "dude, you can't outrun a cheetah!". He replies "I'm not trying to outrun the cheetah."

OSX doesn't have to stay ahead of all the criminals out there trying to penetrate the system. They merely have to stay ahead of their competition, and those criminals will go after the easier, more profitable, prey. OSX will remain relatively free of threats so long as Apple aggressively counterattacks each one quickly and efficiently, taking the profit out of it.

For those moaning that this is the death of OSX... let's do a quick comparison. So far this month (and it's only the second day of the month), OSX has had 1 new variant of malware. Windows, according to McAfee's virus definitions, has had over 30 new viruses discovered today alone. Go take a look yourself: http://home.mcafee.com/VirusInfo/ThreatActivity.aspx

I need the full cheetah story. :mad:

3rd Doctor
Jun 2, 2011, 10:03 AM
Every user can do whatever they want WITHIN their home directory. It is basically just copying data in the user directory of the current user. This is nothing that installs system wide or uses any security holes to hook it in the system, does not restart automatically when the machine is booted, nothing. (And guest you can anyway setup to wipe everything out after logout)

This must be the first piece of malware with that ability then.

Anything that I install or even update on my mac, because I'm a standard user, always asks for an admin name and password. I presume it's because standard programs are all handled within /Applications which is separate from the home folder. (I realise two of you already explained this, it took me a while to get my feeble mind around it.)

Tastic Bycrom
Jun 2, 2011, 10:05 AM
Yes, and it does have flaws like any other software, but as far as viruses go, it's practically immune as the whole User Interface and System works sandboxed inside Unix.

The thing is, there's this Unix system running underneath, which is basically the kernel and some extensions to it, maybe also drivers, don't know that for sure. And on top of that there's like another system which only has read access to the system files and can in no way be modified otherwise.
Of course you could ******* up the system by going in the console (terminal), logging in as the root user and start messing stuff up, but you would have to interact with the system yourself. For a program or a virus to do this it would have to create an automated task in automator which is also impossible.

I'm quite aware of OSX's UNIX based history, and something as simple as a faulty kext (kernel extension) could do quite a bit of damage. Other sandboxes do provide quite a bit of security, but perfectly immune is not something I would say with confidence.

The upside is that previous security flaws have been patched up fairly quickly and usually before anyone comes up with any meaningful exploits.

AppleHater
Jun 2, 2011, 10:06 AM
I think the damage has been done already as the reputation of virus/malware-free is ruined for the mac platform. Hopefully, we don't see these on iPod/iPad anytime soon.

ˇalgiris
Jun 2, 2011, 10:09 AM
I think the damage has been done already as the reputation of virus/malware-free is ruined for the mac platform.

This is a joke right?

kallisti
Jun 2, 2011, 10:09 AM
Strange game. The only winning move is not to play.

Awesome reference ;)

KnightWRX
Jun 2, 2011, 10:13 AM
I think the damage has been done already as the reputation of virus/malware-free is ruined for the mac platform. Hopefully, we don't see these on iPod/iPad anytime soon.

The damage was done a long time ago. This is not the first piece of malware for OS X.

I'm quite aware of OSX's UNIX based history, and something as simple as a faulty kext (kernel extension) could do quite a bit of damage. Other sandboxes do provide quite a bit of security, but perfectly immune is not something I would say with confidence.

There's really nothing in the Single Unix Specification that provides the level of security the other poster alluded to. So just being UNIX is not going to prevent viruses from propagating in the system.

My HP-UX systems and Linux both use the ELF binary format. Guess what, here's a nice little article about injecting code into a ELF binary :

http://vxheavens.com/lib/vbs00.html

All you need then is a local privilege escalation bug (which all Unix operating systems get at some point or other), have your infector abuse that, get root privileges, and insert itself (the payload parasite is the infector in a virus program) into any other system binaries (ideally, you want to look for ELF binaries on NFS/CIFS network shares or on USB devices/floppy disks so your virus spreads to other systems).
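
The infection pattern sketched above (parasite written into the binary, entry point redirected to it) has a detection-side counterpart that is worth showing in code. This is an added example, my own and not from the post or the linked article: it parses ELF64 headers with struct and flags a file whose entry point does not fall inside an executable, file-backed PT_LOAD segment. Both ELF images are constructed in the script, a minimal clean one and the same image with bytes appended past the segment and e_entry patched to point at them. It is a heuristic only; an infector that also extends the segment's p_filesz to cover its parasite, or that lives in .text padding, would need a section-level comparison this example does not do.

```python
"""Added example: flag an ELF64 whose entry point lies outside every
executable, file-backed PT_LOAD segment. Both sample images are constructed."""
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"    # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"            # Elf64_Phdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56
PT_LOAD, PF_X = 1, 0x1
BASE = 0x400000                   # load address used by the constructed images


def parse_elf64(data):
    """Return (e_entry, [program header tuples]) for a little-endian ELF64."""
    (ident, _e_type, _e_machine, _e_version, e_entry, e_phoff, _e_shoff,
     _e_flags, _e_ehsize, e_phentsize, e_phnum, *_) = struct.unpack_from(EHDR_FMT, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    return e_entry, phdrs


def entry_point_anomaly(data):
    """None if the entry point is inside an executable PT_LOAD's file-backed
    range, otherwise a short reason string."""
    e_entry, phdrs = parse_elf64(data)
    for p_type, p_flags, _off, p_vaddr, _paddr, p_filesz, _memsz, _align in phdrs:
        if p_type != PT_LOAD or not (p_flags & PF_X):
            continue
        if p_vaddr <= e_entry < p_vaddr + p_filesz:
            return None
    return "entry point 0x%x is outside every executable file-backed PT_LOAD" % e_entry


def build_elf(code, entry_offset, extra=b""):
    """Construct a minimal ELF64 image: header, one R+X PT_LOAD covering the
    header and code, then any appended bytes that the segment does not cover."""
    code_off = EHDR_SIZE + PHDR_SIZE
    filesz = code_off + len(code)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3e, 1, BASE + entry_offset,
                       EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, BASE, BASE, filesz, filesz, 0x1000)
    return ehdr + phdr + code + extra


# x86-64: mov eax,60 ; xor edi,edi ; syscall  (exit(0))
CLEAN_CODE = b"\xb8\x3c\x00\x00\x00\x31\xff\x0f\x05"
# Placeholder bytes standing in for appended code; not a real payload.
PARASITE = b"\x90" * 16


def clean_sample():
    return build_elf(CLEAN_CODE, EHDR_SIZE + PHDR_SIZE)


def infected_sample():
    """Same image with bytes appended past the segment and e_entry moved there."""
    return build_elf(CLEAN_CODE, len(clean_sample()), extra=PARASITE)


if __name__ == "__main__":
    print("clean:   ", entry_point_anomaly(clean_sample()))
    print("infected:", entry_point_anomaly(infected_sample()))
```

The same check applies to Mach-O on OS X in spirit (the entry point should sit inside the __TEXT segment's file range), but the header layout differs, which is the point KnightWRX makes about the two formats.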

ˇalgiris
Jun 2, 2011, 10:18 AM
The damage was done a long time ago. This is not the first piece of malware for OS X.



There's really nothing in the Single Unix Specification that provides the level of security the other poster alluded to.

One more time, this is not a virus. It's a package installer (there are many apps that come as installers, though I hate them).

The biggest issue here is that they have compromised many web sites that's all.

Anyone can rig an app - there is no defence against that.

In other words OS X SECURITY WASN'T COMPROMISED TO INSTALL THE APPLICATION.


So just being UNIX is not going to prevent viruses from propagating in the system.

I think you are wrong. OS 9/8/7 had viruses (NOT UNIX) and OS X HAS NO VIRUSES (it's Unix) ergo a logical conclusion can be reached that the Unix structure prevents bad people from finding easy ways (or ways at all) to make a virus that can spread through OS X.

KnightWRX
Jun 2, 2011, 10:22 AM
One more time this is not a virus. It's an package installer ( there are many apps that come as installers though i hate them).

The sub-thread I was participating in alluded that OS X was virus free because it is UNIX.

We weren't discussing MacDefender and your present comment is thus worthless. We're discussing the practical/theoretical possibility of an OS X virus.

I think you are wrong. OS 9/8/7 had viruses (NOT UNIX) and OS X HAS NO VIRUSES (it's Unix) ergo a logical conclusion can be reached that the Unix structure prevents bad people from finding easy ways (or ways at all) to make a virus that can spread trhough OS X.

That's not a logical conclusion. That's just pure speculation. Point me what "Unix structure" prevents bad people from finding easy ways to make a virus. I just pointed out how it can be done in an earlier post using the ELF binary format (which is common in Unix platforms, though OS X uses Mach-O as an executable format).

The fact is, there is nothing about "UNIX" that prevents viruses just by virtue of being Unix.

Now, I get that I'm probably arguing with a Unix layman here, but please, try to understand this simple concept.

ˇalgiris
Jun 2, 2011, 10:26 AM
The sub-thread I was participating in alluded that OS X was virus free because it is UNIX.

We weren't discussing MacDefender and your present comment is thus worthless. We're discussing the practical/theoretical possibility of an OS X virus.



That's not a logical conclusion. That's just pure speculation. Point me what "Unix structure" prevents bad people from finding easy ways to make a virus. I just pointed out how it can be done in an earlier post using the ELF binary format (which is common in Unix platforms, though OS X uses Mach-O as an executable format).

Oh give me a break. I can repeat Mac OS, prior to Mac OS X, had hundreds of viruses (why?) and Mac OS X has NONE (why). Market share of OS 9 was even smaller, so that one goes out of the window.

Of course in theory everything is possible, but so far in practice IT IS NOT.

When you show me a living and breathing Mac OS X virus we can start talking about what Unix can prevent or can't. Whether you see it as speculation or not, no one gives a damn - THE FACT IS Mac OS X viruses are NONE right now and in the past 10 years too.

KnightWRX
Jun 2, 2011, 10:30 AM
Oh give me a break. I can repeat Mac OS prior to Mac OS X had hundreds of viruses (why?) and Mac OS X has NONE (why). Market share of OS 9 was even smaller, so that one goes out of the window.

You can repeat that all you want, it doesn't make it any more true.

Of course in theory everything is possible, but so far in practice IT IS NOT.

No, this is computer science, if it is possible in theory, it is also possible in practice, since practice is pretty much applied theory in computers. The fact that it hasn't been done doesn't mean it can't be done (the fallacy you keep stating).

I provided the facts. Wrap your head around it. It's possible. Nothing in UNIX and the Single Unix Specification as defined by the Open Group prevents viruses.

Go read through it if you don't believe me. There is no Unix structure that prevents viruses from being written.

Rodimus Prime
Jun 2, 2011, 10:33 AM
This is what amazes me: MacDefender is all over the news - but the password thing is rarely mentioned - I'm not worried since it still requires an installer to get installed, but the scary part is that they found a way around the password - which at least would add some user awareness (even if installed in the user folder) - not sure if that really would help, since people who blindly click through installers that they didn't launch will also most likely blindly type their password when prompted.

yep. Personally I always thought the entering the password crap when you were the admin on OSX was rather pointless and stupid since you are the admin.
I like the windows solution if you are an admin you can just click yes at the same question and it will install.
If not an admin then an admin password needs to be entered.
The password entering does not solve the biggest hole in the system which is user stupidity.

ˇalgiris
Jun 2, 2011, 10:37 AM
You can repeat that all you want, it doesn't make it any more true.



No, this is computer science, if it is possible in theory, it is also possible in practice, since practice is pretty much applied theory in computers. The fact that it hasn't been done doesn't mean it can't be done (the fallacy you keep stating).

I provided the facts. Wrap your head around it. It's possible. Nothing in UNIX and the Single Unix Specification as defined by the Open Group prevents viruses.

Go read through it if you don't believe me. There is no Unix structure that prevents viruses from being written.

I said almost everything is possible in theory.

TODAY there are no VIRUSES for Mac OS X - it's a fact TODAY and it was a fact since 2001 every day.

If it can happen - of course. Did it happen - NO, for 10 whole years.

Wake me when it happens (if). 10 years in computer science is a very long time to ignore.

xxBURT0Nxx
Jun 2, 2011, 10:39 AM
yep. Personally I always thought the entering the password crap when you were the admin on OSX was rather pointless and stupid since you are the admin.
I like the windows solution if you are an admin you can just click yes at the same question and it will install.
If not an admin then an admin password needs to be entered.
The password entering does not solve the biggest hole in the system which is user stupidity.
no but it prevents others from installing things on your computer just because it is logged into the admin account.

Hastings101
Jun 2, 2011, 10:46 AM
Well it's nice to know Apple is taking this threat, and hopefully all future ones, seriously.

gnasher729
Jun 2, 2011, 10:49 AM
So even if you are logged in as a guest for example, you can still install it without a password?

The long answer: Let's say you come to my home, want to browse the Internet, I give you my MacBook after switching to a "guest" account. You browse, you download Mac Defender, installer starts. Yes, you can install it in the "guest" account without having a password. Mac Defender will start scaring you and show porn sites and ask for your credit card. If you think that you should pay for anti-virus software to install on _my_ MacBook, and give them your credit card, that's beyond stupid, but they will have your credit card and rip you off. If you think that _I_ should pay for anti-virus software and ask me to type in my credit card number, and I were to type it in, that's beyond stupid as well; they would now have my credit card number and rip me off. On the other hand, if you ignore it, enjoy the web sites that it shows you (some people might find them enjoyable), and after a few hours log out of the "guest" account, the whole account is wiped clean, and Mac Defender disappears without a trace.

If it was different malware that tries to delete all the files on the user's computer, it could only delete files in the guest account. If it was different malware that tries to send out spam emails to thousands of people, it would do that just fine until you log out of the guest account and it would be wiped. If it was different malware that tried to read files with my personal information, there shouldn't be any in the guest account except what you entered in the last hours; it couldn't access anything in _my_ home directory where the real stuff is. To do anything that does harm outside the guest account, you would need to type in the admin password.

asr
Jun 2, 2011, 10:52 AM
One would think that the attackers could make a password-requiring variant of the trojan that replaces or removes the Xprotect.plist file from the operating system.

malexander
Jun 2, 2011, 10:57 AM
@riverfreak

Ah, but you must remember, construction and destruction are both important. You can't have one without the other. Apple wouldn't be concerned with security if threats didn't exist.

Other examples:
- when Steve came back to Apple, he ended many products and brought the iMac.
- Apple has relatively future-proof products, but must end support for certain Macs/iOS devices after a while for top performance, etc.
- Apple not supporting Flash/Java in iOS, opting for apps, HTML5, and JavaScript
- Steve told Nike's CEO: "Nike makes some of the best products in the world. Products that you lust after. But you also make a lot of crap. Just get rid of the crappy stuff and focus on the good stuff."

Among many others. Destruction is absolutely essential, as is construction.

mijail
Jun 2, 2011, 10:57 AM
...something as simple as a faulty kext (kernel extension) could do quite a bit of damage.

Yeah, and something as simple as not-properly-done neurosurgery could do also quite a bit of damage, amirite?

ShiftyPig
Jun 2, 2011, 11:03 AM
Ironic:

http://i52.tinypic.com/29x4hs.jpg

So are these things scams or only scams when it doesn't help this website make money?

mijail
Jun 2, 2011, 11:07 AM
... To do anything that does harm outside the guest account, you would need to type in the admin password.

The thing is not that clear-cut, and in fact security researchers plainly recommend not to use the guest account in OS X (http://www.securityfocus.com/blogs/273) (at least in Leopard, I don't know how the thing evolved in Snow Leopard).

kevinsano
Jun 2, 2011, 11:13 AM
Ironic:

Image (http://i52.tinypic.com/29x4hs.jpg)

So are these things scams or only scams when it doesn't help this website make money?

What makes MacKeeper a scam exactly? Aside from the fact that you can find other (freeware!) 3rd party utilities with the same functionality.

Michaelgtrusa
Jun 2, 2011, 11:16 AM
It will never end.

Rodimus Prime
Jun 2, 2011, 11:17 AM
no but it prevents others from installing things on your computer just because it is logged into the admin account.

while true but then turn it into an option. I know for my personal computer I am the only one using it so that is not really a threat to me.

The long answer: Let's say you come to my home, want to browse the Internet, I give you my MacBook after switching to a "guest" account. You browse, you download Mac Defender, installer starts. Yes, you can install it in the "guest" account without having a password. Mac Defender will start scaring you and show porn sites and ask for your credit card. If you think that you should pay for anti-virus software to install on _my_ MacBook, and give them your credit card, that's beyond stupid, but they will have your credit card and rip you off. If you think that _I_ should pay for anti-virus software and ask me to type in my credit card number, and I were to type it in, that's beyond stupid as well; they would now have my credit card number and rip me off. On the other hand, if you ignore it, enjoy the web sites that it shows you (some people might find them enjoyable), and after a few hours log out of the "guest" account, the whole account is wiped clean, and Mac Defender disappears without a trace.

If it was different malware that tries to delete all the files on the user's computer, it could only delete files in the guest account. If it was different malware that tries to send out spam emails to thousands of people, it would do that just fine until you log out of the guest account and it would be wiped. If it was different malware that tried to read files with my personal information, there shouldn't be any in the guest account except what you entered in the last hours; it couldn't access anything in _my_ home directory where the real stuff is. To do anything that does harm outside the guest account, you would need to type in the admin password.

What I worry about is someone figuring out how, once it is installed, the trojan can make a bigger hole that allows much lower system access, where a lot more damaging things can be done. There are a lot of places for malware of any type to hide once you get access to more root level stuff.

Tastic Bycrom
Jun 2, 2011, 11:18 AM
Yeah, and something as simple as not-properly-done neurosurgery could do also quite a bit of damage, amirite?

Yeah, you're right. Except software engineers aren't neurosurgeons. I know I've written faulty code, and most certainly kernel extension developers have too... certain nVidia drivers on my old linux machines come to mind on that one.

Ger Teunis
Jun 2, 2011, 11:21 AM
This doesn't deserve so much attention.
It's just an app in a pkg installer, it doesn't auto launch after download nor auto install.
Safari just auto-extracts a zip; whoopty****ingdoo.

It... just... scares... people...

There is no security hole; just a crafty combination of scaring and installing normal software. This software scares more and asks for money from the user.

Move along people, nothing to see here.

coolfactor
Jun 2, 2011, 11:29 AM
The fix is AdBlock or NoScript, and Apple can't do that.

I haven't seen this reported anywhere. Is that how these scumbags are hijacking websites? Through rogue ads that detect when the visitor is using a Mac? That would make sense. I wonder if changing the User-Agent in the browser would avoid the problem, too?

joelovesapple
Jun 2, 2011, 11:36 AM
I haven't seen this reported anywhere. Is that how these scumbags are hijacking websites? Through rogue ads that detect when the visitor is using a Mac? That would make sense. I wonder if changing the User-Agent in the browser would avoid the problem, too?

I wondered that too... but then you'd probably get a Windows fake dialogue popup instead asking you for your details...

arkmannj
Jun 2, 2011, 11:42 AM
just bring the Mac App Store as the default way of installing software and problem solved :) I know it's not gonna happen but it works fine on iOS devices - no malware


You can already use parental controls to basically lock users down to the App store, this seems good enough for me. I do not want all of my software to have to come through the App Store.

KnightWRX
Jun 2, 2011, 11:51 AM
TODAY there are no VIRUSES for Mac OS X - it's a fact TODAY and it has been a fact every day since 2001.

A fact I never questioned (though a few would with OSX/Leap-A, a worm that targeted a flaw in iChat), so... why exactly are you arguing with me?

It's just an app in a pkg installer, it doesn't auto launch after download nor auto install.
Safari just auto-extracts a zip; whoopty****ingdoo.

Actually, no, Safari also launches into the installer automatically. You still need to complete the install wizard, but it does auto-launch the installer.

joelovesapple
Jun 2, 2011, 11:51 AM
You can already use parental controls to basically lock users down to the App store, this seems good enough for me. I do not want all of my software to have to come through the App Store.

You can also use Opendns. www.opendns.com

It provides free internet filtering (at its most basic level - paid versions are also available) without any software required.

Ger Teunis
Jun 2, 2011, 11:57 AM
Actually, no, Safari also launches into the installer automatically. You still need to complete the install wizard, but it does auto-launch the installer.

Really, have any valid sources?
Or is it your unarchiver doing that? Does the default unarchiver do this?
That would be an extremely bad decision by apple.

KnightWRX
Jun 2, 2011, 11:58 AM
Really, have any valid sources?
That would be an extremely bad decision by apple.

Hum, go through all the stories posted in the last few days? It's all there.

mijail
Jun 2, 2011, 11:59 AM
Yeah, you're right. Except software engineers aren't neurosurgeons. I know I've written faulty code, and most certainly kernel extension developers have too... certain nVidia drivers on my old linux machines come to mind on that one.

The point was that a kext can do damage, and nothing will save you against that. In the same way that someone reaching into your brain can do damage, and nothing will save you against that. Solution? Don't let some random person reach into your brain nor kernel :P.

Apart from the fact that mixing kext talk with the MacDefender saga is rather absurd, or worse.

mijail
Jun 2, 2011, 12:02 PM
Hum, go through all the stories posted in the last few days ? It's all there.

There are disk images that, when opened, do launch the contained installer (if I remember correctly).
I guess you can chain that to the auto-opening of the disk image by Safari.

But of course NOT all disk images do that; rather I'd say I have found a handful of those in my years using OS X.

Casiotone
Jun 2, 2011, 12:04 PM
One would think that the attackers could make a password-requiring variant of the trojan that replaces or removes the Xprotect.plist file from the operating system.

This doesn't make sense. If a variant can start the installer and ask for your password without a warning, then it's not in the Xprotect.plist file, so why would it need to delete the file?

KnightWRX
Jun 2, 2011, 12:12 PM
There are disk images that, when opened, do launch the contained installer (if I remember correctly).
I guess you can chain that to the auto-opening of the disk image by Safari.

But of course NOT all disk images do that; rather I'd say I have found a handful of those in my years using OS X.

The MacDefender ones are.

kalsta
Jun 2, 2011, 12:31 PM
They are exploiting the same issue. While they are making Apple look stupid, you can bet your house they have found other vulnerabilities in OS X. These guys are pros and will continue to move the goal posts.

They are only making Apple look stupid to those who are completely ignorant of the facts — a group which you have thus identified yourself with.

Apple is not responsible for all the apps a user chooses to download and install on their Mac. Apple could have simply tried to educate users, but they have gone the extra step of providing what is essentially a 'get out of jail free' card for those silly enough to fall for the scam.

I know some of you don't like Apple, but for goodness sakes give them credit where credit is due.

KnightWRX
Jun 2, 2011, 12:38 PM
Apple is not responsible for all the apps a user chooses to download and install on their Mac. Apple could have simply tried to educate users, but they have gone the extra step of providing what is essentially a 'get out of jail free' card for those silly enough to fall for the scam.

Exactly, this isn't some kind of software that uses an exploit to gain access to the system.

Though it could be argued that Safari's "Open Safe files" feature should be disabled by default and maybe just completely removed.

saoir
Jun 2, 2011, 12:38 PM
Impressive response by Apple. So happy not to be a windowz user :D

bearcatrp
Jun 2, 2011, 12:42 PM
Bravo apple. Wish windows would follow apple's lead here. Don't have to pay for a fix either. Anyone know if this affects iOS devices too or just OS X?

Tastic Bycrom
Jun 2, 2011, 12:47 PM
The point was that a kext can do damage, and nothing will save you against that. In the same way that someone reaching into your brain can do damage, and nothing will save you agains that. Solution? Don't let some random person reach into your brain nor kernel :P.

Apart from the fact that mixing kext talk with the MacDefender saga is rather absurd, or worse.

I really wasn't mixing kext talk with MacDefender. Completely separate. It was in response to other posts.

gnasher729
Jun 2, 2011, 12:58 PM
What I worry about is that someone is going to figure out how, once it is installed, the trojan is going to make a bigger hole that allows much lower system access, where a lot more damaging things can be done. There are a lot of places for malware of any type to hide once you get access to more root level stuff.

But now we are talking about something completely different. MacDefender attacks the biggest vulnerability: the one sitting at the other end of the keyboard. What you are talking about is vulnerabilities in the OS itself. Guest accounts _should_ be safe, but letting known malware play around in a guest account and hoping for the best is obviously a stupid move.

However, we can assume that in most cases MacDefender will be installed in a user account with some significant amount of user data. So _if_ MacDefender did something malicious beyond asking for your credit card details, then it _could_ do significant amount of damage. Like deleting or modifying all the files in your user account.

So in summary, voluntarily letting malware run in a guest account is not exactly clever. Voluntarily letting malware run in any normal user account is incredibly stupid.


The thing is not that clear-cut, and in fact security researchers plainly recommend not to use the guest account in OS X (http://www.securityfocus.com/blogs/273) (at least in Leopard, I don't know how the thing evolved in Snow Leopard).

These "security researchers" are actually quite clueless. Yes, giving a malicious person access to a guest account on your Mac is dangerous. But then a malicious person with access to a guest account on my MacBook could just grab the MacBook and run away. Or put the MacBook on the floor and jump on it with both feet. Or remove the hard drive, plug it into another computer, and copy it. Or do any amount of other things that are damaging. You need to keep some perspective on risks. I can hand my MacBook switched to a guest account to the grandchildren, and I know that they won't delete all my files by accident (friend of mine lost significant amounts of music in iTunes to his then three year old granddaughter), or on purpose.

GGJstudios
Jun 2, 2011, 01:08 PM
Wonder if there will be a permanent fix in Lion.
I already have the permanent fix... and it works on any version of Mac OS X. I have this cool little attachment for my Mac that thwarts all Mac OS X malware that exists in the wild ... me! The permanent fix is an informed, prudent user who THINKS before doing anything, especially selecting and installing software. That will eliminate 100% of all existing Mac OS X malware that any user can encounter today.

Does the security update run on its own or do I have to launch it to scan and/or receive the updates?

And is this security software located in the Applications folder or somewhere else? I didn't see where it installed last night, wasn't at the machine.
The initial Software Update activates daily updating of threat definitions. There's nothing you need to do ongoing to make that happen. No, there's nothing in the Applications folder related to the malware protection.
XProtect.plist is gonna get awfully large.
What makes you think so? There is still only a handful of trojans that can affect Mac OS X. It's not a long list.
I hope in Lion they disable opening downloaded files automatically. It's the largest security hole ever in an operating system.
I agree. No files should download or open without deliberate user action.

THERE IS NO VIRUS FOR MAC OSX, NOR WILL THERE EVER BE ONE!
While none exist, that doesn't mean there won't be any in the future.
Yes, and it does have flaws like any other software, but as far as viruses go, it's practically immune
False. No OS, including Mac OS X, is immune to malware or viruses.
Did they though? Or was it the fact that the user is running as an administrator rather than a standard user?
Running as an admin or standard user makes no difference.
And so it came to pass, on June 2nd 2011, that OS X did cease to exist.
Unless your post is sarcasm, do you have any idea how ridiculous it sounds? I would be embarrassed, if I were you.
...Why would anyone have downloaded it in the first place?
The download is automatic, not requiring the user's approval.

This being malware as opposed to a virus, its authors have nothing to gain simply by being a step ahead. If they're not getting credit card info etc., they aren't making any money, which is the entire point of something like this.
Have you been reading these threads? They ARE getting credit card info. Also, malware includes viruses, trojans, worms, etc.

Anything that i install or even update on my mac, because im a standard user it always asks for an admin name and password.
Whether you're a standard or admin user makes no difference. The admin password is required if the app requires privilege escalation. You can run some apps directly from the Downloads folder or your desktop, without requiring any password, even as a standard user.
Oh give me a break. I can repeat: Mac OS, prior to Mac OS X, had hundreds of viruses
No, there were never "hundreds of viruses" for Mac OS 9 and earlier. There were some viruses, but not nearly that many.
no but it prevents others from installing things on your computer just because it is logged into the admin account.
Admin or standard user: it makes no difference.

The fix is AdBlock or NoScript, and Apple can't do that.
That's not the fix. People have encountered MacDefender, even with adblockers. And for the record, Apple can build adblockers into Safari. The "fix" is informed, prudent users who think before they act.
I think the damage has been done already as the reputation of virus/malware-free is ruined for the mac platform
Mac OS X has never been malware-free. No OS is. And Mac OS X is still virus-free.
A fact I never questioned (though a few would with OSX/Leap-A, a worm that targeted a flaw in iChat)
Those that argue that Leap-A was a virus are those that don't understand the difference between a virus, a trojan and a worm.
You can also use Opendns.
That makes no difference. You can still encounter MacDefender with OpenDNS, because it's not a DNS issue.
Really, have any valid sources?
Or is it your unarchiver doing that? Does the default unarchiver do this?
That would be an extremely bad decision by apple.
Unarchiver is irrelevant, because the downloaded file isn't an archive. It's an installer app.

ten-oak-druid
Jun 2, 2011, 01:37 PM
I posted the other day that I wondered whether this malware was related to some of the current malware on Windows. Of course a bunch of Windows fanboys rated that negative as though that wasn't a legitimate consideration.

Turns out MS thinks it is possible.

Microsoft Links Fake Mac AV to Windows Scareware Gang (http://www.pcworld.com/article/228280/microsoft_links_fake_mac_av_to_windows_scareware_gang.html?tk=rel_news)

musio
Jun 2, 2011, 01:40 PM
This is an attack from MS to ruin the news on Monday. Good timing, isn't it suspicious?

Not only WWDC but the announcement of Windows 8 makes this suspicious..

ten-oak-druid
Jun 2, 2011, 01:40 PM
Exactly, this isn't some kind of software that uses an exploit to gain access to the system.

Though it could be argued that Safari's "Open Safe files" feature should be disabled by default and maybe just completely removed.

It is almost as bad as MS having password autofill enabled on IE as a default.

milo
Jun 2, 2011, 01:41 PM
Trojans like this are the equivalent of leaving a gun on the ground with a note that says "Urgent! Point at head and pull trigger!"

There's only so much you can do to protect people from their own stupidity.

faroZ06
Jun 2, 2011, 02:03 PM
Wonder if there will be a permanent fix in Lion.


Well the current fix is to not install this BS in the first place.

Where do you even download it FROM?

Really, have any valid sources?
Or is it your unarchiver doing that? Does the default unarchiver do this?
That would be an extremely bad decision by apple.

Yes, it opens by default if you enable it to do so. I enabled it because I'm not stupid enough to fall for random installers that pop up :)

Source: me using a Mac...

I think the damage has been done already as the reputation of virus/malware-free is ruined for the mac platform. Hopefully, we don't see these on iPod/iPad anytime soon.

There was already malware on pirated versions of iWork. No viruses so far (or anytime in the future).

One would think that the attackers could make a password-requiring variant of the trojan that replaces or removes the Xprotect.plist file from the operating system.

Yeah, but wouldn't the next security update fix it?
Or Apple could have some checksum to prevent tampering with it.
Hopefully not, I want to add "Acrobat" to the list of malware ;)

But if Apple stays only one step behind and closes the holes within 24 hours each time, the attackers will soon learn that there isn't that much to be gained by the effort. They'll have to try another approach.

You know, this relatively benign malware is, on balance, a good thing. This will educate Mac users not to click OK on software they did not choose to install. So that when something really serious shows up, they will know better thanks to this mild version that is merely annoying.

Like Acrobat. I know people who installed Acrobat from eMails with PDFs saying that you need Acrobat to view them. Inexperienced users don't know that Preview and Safari can already read PDFs, so they install it. It installs the updater for Acrobat, which is SUPER glitchy. Then, you can't view PDFs in Safari, they open in Acrobat...

KnightWRX
Jun 2, 2011, 02:11 PM
No viruses so far (or anytime in the future).

You have a DeLorean? Can you bring me back a floating skateboard next time you use it? :p

No one can predict the future.

mac9000
Jun 2, 2011, 02:29 PM
You have a DeLorean? Can you bring me back a floating skateboard next time you use it? :p

No one can predict the future.

Not accurately, but you can. Considering how secure UNIX is, a real virus for Mac seems impossible. Even if someone figured out how to make one, viruses are kinda obsolete anyway. They're just annoying and don't make any cash.

GGJstudios
Jun 2, 2011, 02:33 PM
Not accurately, but you can. Considering how secure UNIX is, a real virus for Mac seems impossible.
It's not impossible at all. No OS is immune, including Unix, Linux, Mac OS X, Windows, etc.
Even if someone figured out how to make one, viruses are kinda obsolete anyway. They're just annoying and don't make any cash.
Viruses are far from obsolete. Where are you getting this nonsense about them not making money?

mijail
Jun 2, 2011, 02:44 PM
These "security researchers" are actually quite clueless.


You must have some nerve to say that about the Matasano (and SecurityFocus) people. But hey, you saying that helps to put the sum of your knowledge in context.

Yes, giving a malicious person access to a guest account on your Mac is dangerous.

Aha, so you know who is malicious and who isn't. That must certainly make things easier. In fact, if you know that, you could argue that you don't really need much security.

I can hand my MacBook switched to a guest account to the grandchildren, and I know that they won't delete all my files by accident (friend of mine lost significant amounts of music in iTunes to his then three year old granddaughter), or on purpose.

Oh, I see. So you were only referring to security like "the children won't be able to delete my files accidentally".
All clear, then.

mac9000
Jun 2, 2011, 02:45 PM
It's not impossible at all. No OS is immune, including Unix, Linux, Mac OS X, Windows, etc.

Viruses are far from obsolete. Where are you getting this nonsense about them not making money?

Everyone on the forum...
Most attacks are trojans now. It's so much easier to trick the user than the system. Viruses just plague your computer, but things like MacDefender get your credit card number and steal your money. Also, the requirement of "sudo" in UNIX for certain commands eliminates automatically installing stuff on your system.

Rodimus Prime
Jun 2, 2011, 02:47 PM
Viruses are far from obsolete. Where are you getting this nonsense about them not making money?

He is right. Viruses in the truest sense are obsolete. Trojans and worms are the 2 biggest things.
Viruses still require some human interaction to spread, by opening up an infected file, and from there they spread to other files on that computer, but they still require human interaction to spread.

Trojans and worms are the big damaging things and the real money makers.

mac9000
Jun 2, 2011, 02:49 PM
He is right. Viruses in the truest sense are obsolete. Trojans and worms are the 2 biggest things.
Viruses still require some human interaction to spread, by opening up an infected file, and from there they spread to other files on that computer, but they still require human interaction to spread.

Trojans and worms are the big damaging things and the real money makers.

Thank you :D

GGJstudios
Jun 2, 2011, 03:07 PM
Most attacks are trojans now. It's so much easier to trick the user than the system
Yes, most attacks are trojans. Most. Not all. There are still viruses in the wild that affect Windows. They are not obsolete, and to assume that Macs are immune to a future virus is irresponsibly naive.
Viruses in the truest sense are obsolete.
As long as Windows systems are being infected by viruses, no matter how few, they are not obsolete. You forget the very large number of XP users who still are plagued by viruses.

Viruses still require some human interaction to spread, by opening up an infected file, and from there they spread to other files on that computer, but they still require human interaction to spread.
If it requires user interaction to spread, it's not a virus. A virus can spread and infect systems without user knowledge or interaction.

Demigod Mac
Jun 2, 2011, 04:43 PM
The social engineering aspect of this really is the biggest threat not just to Macs but also Windows. I have a friend who writes code (he can read machine code, which is just weird and scary sometimes) and his take on this round of malware is this: it isn't that Macs are more vulnerable now or that the sheer number of Macs now makes them more attractive; rather it is the improved security in Windows which has caused virus and malware writers to re-tool. Basically, it is now easier to just trick people into installing your bad software than to trick the OS. Since the tricking relies on the weakest link - humans - the OS really doesn't matter, so you just spread out the con as far as possible.

This.

Operating systems have become extremely difficult to break into ever since OS X and Windows Vista/7. Previously, it was possible to infect computers regardless of what their owners were doing. Social engineering is now malware authors' preferred method of delivering their payloads. Viruses and worms are quickly becoming obsolete because of this. Trojans are the most effective malware delivery method.

As long as users have the ability to install software from 3rd party sources, such malware will always exist. Apple cannot realistically prevent someone from installing a fresh variant of MacDefender any more than they could stop someone from installing Firefox.

bigwig
Jun 2, 2011, 05:37 PM
How do I force an update of the malware definitions? There appears to be no way to do so.

Rodimus Prime
Jun 2, 2011, 05:45 PM
Yes, most attacks are trojans. Most. Not all. There are still viruses in the wild that affect Windows. They are not obsolete, and to assume that Macs are immune to a future virus is irresponsibly naive.

As long as Windows systems are being infected by viruses, no matter how few, they are not obsolete. You forget the very large number of XP users who still are plagued by viruses.

If it requires user interaction to spread, it's not a virus. A virus can spread and infect systems without user knowledge or interaction.


You need to look up the complete definition of a virus
http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp

A computer virus attaches itself to a program or file enabling it to spread from one computer to another, leaving infections as it travels. Like a human virus, a computer virus can range in severity: some may cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it actually cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action, (such as running an infected program) to keep it going. Because a virus is spread by human action people will unknowingly continue the spread of a computer virus by sharing infecting files or sending emails with viruses as attachments in the email.


To sum it up, a virus will be riding on, let's say, a Word file or a picture file. Now those file types are generally good, but open them up and the virus now infects your computer and does its damage, and in theory infects other files like it on the computer. I just chose 2 random file types as an example. Not sure if it can even happen with them.

Worms on the other hand are truly self replicating and can spread with zero human interaction.

A trojan is a program that looks good but is really something else. Completely different from a virus, as they are more self contained.

Viruses are the easiest of the 3 to stop, as most AV programs catch those infected file types pretty quickly. Trojans can slip past them fairly easily and worms are just a pain.

Now the common person puts all 3 under the term "virus", but it is incorrectly used. The correct term is malware and the rest is a breakdown from that.

KnightWRX
Jun 2, 2011, 06:35 PM
Also, the requirement of "sudo" in UNIX for certain commands eliminates automatically installing stuff on your system.

So does runas in Windows? :p

Seriously, again guys, nothing in UNIX (as in the Single Unix Specification) makes OS X more virus resistant than other OSes. No, "sudo" is not it, as a virus would simply bypass that using some kind of privilege escalation bug to gain root privileges instead of relying on the user to "sudo".

ten-oak-druid
Jun 2, 2011, 06:44 PM
Facebook video scam puts malware on Mac and Windows (http://www.computerworld.com/s/article/9217229/Facebook_video_scam_puts_malware_on_Mac_and_Windows)
By Robert McMillan
June 1, 2011 08:02 PM ET

Facebook seems unable to stop scammers from circulating malicious Web links that install fake antivirus software on victims' computers.

The scam was spotted Tuesday by antivirus vendor Sophos. At that time the criminals behind it were luring victims into installing the software by offering links purportedly to a video of disgraced former International Monetary Fund Managing Director Dominique Strauss-Kahn and a hotel maid. On Wednesday the scam switched and the link was supposed to be an X-rated video of celebrities Rihanna and Hayden Panettiere.

In both cases there is no such video. People who click on the link are sent to a website that tries to install the fake antivirus software. The scam is slightly different, depending on whether the victim is using a Mac or a PC. On the PC, the site tells victims that they need to install the latest version of Adobe Flash Player to watch the video. But the software they install is actually the fake antivirus program.

On the Mac, there's a pop-up window that looks like a security warning. When victims click to "fix" the security problems, they end up installing the fake software.

...

xlii
Jun 2, 2011, 06:44 PM
Just checked my plist file and it hasn't been updated. It only shows 7 entries. Entry 8 for the .C file hasn't happened.

ten-oak-druid
Jun 2, 2011, 06:48 PM
It is interesting because while Windows XP has more cases of malware infection currently, it is the only version of Windows with decreasing amounts of malware. Windows 7 cases of infection are increasing. But XP has about 4x the number of infected computers right now. Both have about 1/3 of the market share of windows versions.

Most of the difficulty with Windows comes from a greater number of people looking for pirated software. These people put other Windows users at risk. People looking for pirated software go for the $300 machines, not high end models like Apple sells.

GGJstudios
Jun 2, 2011, 06:49 PM
You need to look up the complete definition of a virus
Thanks, but I'm extremely familiar with all malware definitions. One could argue that if the user turns on their computer, they "took action" to spread a virus, but that's being extreme. The point is, the user can be doing what any informed and reasonably prudent user would do, running the same apps they've been running, like Word, Outlook, Excel, etc., and still be infected by a virus without their knowledge or permission or interaction with the virus. This is not the case with a trojan, where a user must choose to take deliberate action to install the trojan. Viruses give no warning when they infect or spread. Trojans require that the user perform an installation procedure.

A trojan is a program that looks good but is really something else. Completely different from a virus, as they are more self contained.
Being more "self-contained" is not the distinguishing characteristic of a trojan. Go back and read the definitions.

AidenShaw
Jun 2, 2011, 07:01 PM
Most of the difficulty with Windows comes from a greater number of people looking for pirated software.

Since there are 19 times as many Windows users as there are Apple OSX users, it's pretty obvious that even if Apple users were 10 times more likely to be criminals, there would be more criminal Windows users than criminal Apple users.

Don't bother replying, your "Windows users are cheap criminals" argument is unsupportable, and you have not supported it.

ten-oak-druid
Jun 2, 2011, 07:28 PM
Microsoft has stated that the major cause of Windows malware is pirated copies of Windows itself.

Because Apple does not sell $300 laptops, the user base is less likely to be visiting these sites looking for pirated stuff.

The greater number of thieves on Windows is a risk to all. That is why I avoid that OS.

There are certainly many people who are not criminals on Windows. But there is a greater percent of people using Windows who enjoy pirated software.

The irony is that the people I've met who feel upset that anyone would charge money for music or software are the most ardent Windows supporters. Why do they not pay for their beloved OS?

There may be some hope in the future though. Microsoft has added anti piracy software starting with Vista and now 7. That may be why 1/3 of Windows users are still on XP and 1/3 on 7 while Vista is a much lower fraction. It will be interesting to see if the market share of Windows 8 comes mostly from 7 users.

AidenShaw
Jun 2, 2011, 07:38 PM
Microsoft has stated that the major cause of Windows malware is pirated copies of Windows itself.

Because Apple does not sell $300 laptops, the user base is less likely to be visiting these sites looking for pirated stuff.

The greater number of thieves on Windows is a risk to all. That is why I avoid that OS.

There are certainly many people who are not criminals on Windows. But there is a greater percent of people using Windows who enjoy pirated software.

The irony is that the people I've met who feel upset that anyone would charge money for music or software are the most ardent Windows supporters. Why do they not pay for their beloved OS?

Still, no links to support any of those conjectures and anecdotes? Please, do us all a favor and don't reply unless you're able to support your arguments.

ten-oak-druid
Jun 2, 2011, 07:41 PM
There are some people who actually believe people who routinely pirate software would be equally likely to purchase a $1000 computer as a $300 computer. LOL

AidenShaw
Jun 2, 2011, 07:46 PM
There are some people who actually believe people who routinely pirate software would be equally likely to purchase a $1000 computer as a $300 computer. LOL

And there are people who believe that if you make claims that you should be able to support them with links to articles or other information that supports your claim.

If you look at my posts, you'll notice that I use the "url=" tag a lot. Consider that.

This is becoming pointless - I'm not replying again unless you make a significant attempt to defend your position....

ten-oak-druid
Jun 2, 2011, 08:00 PM
LOL

Silly kids think discussing the obvious with regards to software pirate demographics is an attack on Windows users as a group.

There are many Windows users who do not pirate software. But lets face it, the majority of people who believe they are entitled to all software and media for free are tightwads and more likely to buy a $300 computer over a $1000 computer. Apple doesn't make those so they are by default Windows users.

And to lets think about it. If you believe all software should be free then you will want all you can get. And of course there is more software available for windows. Most of it duplicating features of each other but if its free why not get it all?

I guess if you are real sensitive about the Windows community this is disturbing commentary. But it is not meant to be an argument that "Windows users are criminals". It is an argument that software pirates gravitate to cheap computers and those happen to run Windows.

I guess it is equally painful to point out that most people who program viruses and malware are Windows users.

By the way not only does pirated software spread malware, the sales of pirated software (or beneficiary's of identities stolen by it) can be criminals of other sorts:

Drug Cartels Profiting from Malware and Pirated Software (https://www.infosecisland.com/blogview/11584-Drug-Cartels-Profiting-from-Malware-and-Pirated-Software.html)

Now there are those who would have you believe the drug cartels are mac users selling pirated mac software. LOL

Here was a case recently of a drug cartel selling pirated Office 2007:

Mexican Drug Cartel Selling Bootleg Copies of Microsoft Office? (http://www.maximumpc.com/article/%5Bprimary-term%5D/mexican_drug_cartel_selling_bootleg_copies_microsoft_office)

Office 2007: Mac OS or Windows?

wp3gi
Jun 2, 2011, 08:04 PM
To force update the file go to "System Preferences", "Security", Uncheck "Automatically update safe downloads list", and then Re-check "Automatically update safe downloads list". Your list will be re-downloaded when it turns back on.

Item 10 has been added to the list, which is OSX.MacDefender.D

The file's path is: System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

xlii
Jun 2, 2011, 08:47 PM
To force update the file go to "System Preferences", "Security", Uncheck "Automatically update safe downloads list", and then Re-check "Automatically update safe downloads list". Your list will be re-downloaded when it turns back on.

Item 10 has been added to the list, which is OSX.MacDefender.D

The file's path is: System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

Thanks, I just forced the update and it worked. I don't know why it wasn't pushed to me. I was stuck on OSX.MacDefender.B as the latest update since this first came out 2 days ago or so.

CQd44
Jun 2, 2011, 08:49 PM
LOL

Silly kids think discussing the obvious with regards to software pirate demographics is an attack on Windows users as a group.

There are many Windows users who do not pirate software. But let's face it, the majority of people who believe they are entitled to all software and media for free are tightwads and more likely to buy a $300 computer over a $1000 computer. Apple doesn't make those so they are by default Windows users.

And let's think about it. If you believe all software should be free then you will want all you can get. And of course there is more software available for Windows. Most of it duplicating features of each other but if it's free why not get it all?

I guess if you are real sensitive about the Windows community this is disturbing commentary. But it is not meant to be an argument that "Windows users are criminals". It is an argument that software pirates gravitate to cheap computers and those happen to run Windows.

I guess it is equally painful to point out that most people who program viruses and malware are Windows users.

By the way, not only does pirated software spread malware, the sellers of pirated software (or the beneficiaries of identities stolen by it) can be criminals of other sorts:

Drug Cartels Profiting from Malware and Pirated Software (https://www.infosecisland.com/blogview/11584-Drug-Cartels-Profiting-from-Malware-and-Pirated-Software.html)

Now there are those who would have you believe the drug cartels are mac users selling pirated mac software. LOL

Here was a case recently of a drug cartel selling pirated Office 2007:

Mexican Drug Cartel Selling Bootleg Copies of Microsoft Office? (http://www.maximumpc.com/article/%5Bprimary-term%5D/mexican_drug_cartel_selling_bootleg_copies_microsoft_office)

Office 2007: Mac OS or Windows?

So... if I were to find a news article involving OS X users, I can use that as a blanket statement as well? AWESOME.

pcbjr
Jun 2, 2011, 09:21 PM
To force update the file go to "System Preferences", "Security", Uncheck "Automatically update safe downloads list", and then Re-check "Automatically update safe downloads list". Your list will be re-downloaded when it turns back on.

Item 10 has been added to the list, which is OSX.MacDefender.D

The file's path is: System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

Thanks, I just forced the update and it worked. I don't know why it wasn't pushed to me. I was stuck on OSX.MacDefender.B as the latest update since this first came out 2 days ago or so.


I'm real confused - what is Item 10, where is it, how do I view it (please provide some "See Spot run" directions) and how do I know that the new update is actually running this check?

ten-oak-druid
Jun 2, 2011, 09:22 PM
Windows 7 has improved security I understand. But if you use a pirated copy, all bets are off:

32% of Pirated Windows 7 Copies Possess Malicious Code (http://www.spamfighter.com/News-13952-32-of-Pirated-Windows-7-Copies-Possess-Malicious-Code.htm)

"Media Surveillance, a Germany-based anti-piracy solutions firm, lately downloaded above 500 pirated copies of Windows 7 (and Windows activation exploits). The company found that 32% of these pirated copies contained malicious code."

So Windows users, instead of being in denial about the risk of pirated software, make it a point to tell people you know who do this to stop.

CodeBreaker
Jun 3, 2011, 02:56 AM
I think Apple should stop playing this game now. Instead, they can post a 5 min educational video, maybe on their website, or bundle it with the next OS update, so that it plays after restart (just like the welcome video).

The only way to stop people from installing this is to educate users. Tell them what malware is, how it steals your credit card no., and what to do if a mysterious installer is launched without your knowledge.

wesleyh
Jun 3, 2011, 03:55 AM
I got the malware today and the installer package opened just fine, how do I know my xprotect file or whatever plist is up to date? Where can I find it?

Edit: nm, read the previous comments and figured it out. Now the plist contains macdefender A-D.

Anyway, the downloaded package still opens and gives me the installer screen. Is this because I already opened it once and it doesn't recheck?

That plist is gonna grow very long methinks...

Fukui
Jun 3, 2011, 07:19 AM
This doesn't bode well for Lion's release. Even if these threats don't indicate a material problem with OS X, the fact that Apple has been baited into an arms war makes OS X look less secure.
It may make it *look* less secure, but it will hopefully *make* it more secure in the end. I'll take *is* over *looks* any day of the week.

justinfreid
Jun 3, 2011, 10:36 AM
You have to install this yourself.... it is NOT a virus... but malware.

Not sure exactly how OSX is less secure? Malware has been around for years for OSX.... just don't install the damn thing!

I don't see why you quoted me to make this point, millerb7, please see autrefois’s first sentence below.
Further, initially requiring user intervention for infection doesn't make software something less than a virus - this malware isn't a virus, as far as I can tell, because it doesn't reproduce and spread itself to other machines.

The word "virus" was not brought up until you mentioned it...

I agree with justinfreid that this situation is making OS X *LOOK* less secure. It is a threat: even if it is malware that must be user-installed, it is still malware. Mac users are less used to this sort of thing, and this is arguably the most high-profile threat to OS X and it's coming right before a major conference.

I wonder if Steve will address security in his keynote to try to show Apple is being active in protecting against malware (daily automatic updates could be spun to be a positive thing). The fact that they do seem to be on top of this one, unlike other holes that would at times go unpatched for months, makes things at least seem more secure.

What kind of logic is this?

Thanks autrefois, and hope this answers your question angrynstupid.

Since I was posting from my phone and wasn't sure of the exact syntax for italics, I didn't emphasize look, and it was the appearance of a growing flaw that I thought could potentially cause problems, however small, so close to the release of Lion.
Apple's quick reaction and change to daily updates indicates to me that they see this type of infection as a growing problem and not a one off, never to return issue. Being forced to devote resources to another cat and mouse situation, the other being jailbreaking of iOS, is what might sap a lot of the OS X team's resources going forward.
But, I understand how Apple PR could spin this the other way and claim that Lion is in fact more secure and point to how this cat, Lion, can crush any mouse it finds.
I have a lot of confidence in Cupertino, and I'm looking forward to 10.7, but I don't think suggesting that an escalating anti-malware arms race would look bad should be scoffed at (how I interpreted my 30 or so thumbs down for the post): Apple Inc. isn't perfect and the growing popularity of OS X lends itself, at the very least, to it being a more interesting playground for malware authors.

MAC-PRO-DEMON
Jun 3, 2011, 12:01 PM
Slightly annoyingly I got the Malware today as well. I knew what it was immediately, so deleted it as soon as I noticed it. This marks the second machine which it has downloaded onto in my house! What is more disappointing is that Sophos Antivirus didn't notice it, until I pointed it to scan the file, even then it couldn't get rid of it, I had to manually delete it! It seems there are 4 malware files inside the mpkg -->

GGJstudios
Jun 3, 2011, 12:27 PM
What is more disappointing is that Sophos Antivirus didn't notice it,
Sophos is not recommended, as it can actually increase your Mac's vulnerability.

MAC-PRO-DEMON
Jun 3, 2011, 04:55 PM
Sophos is not recommended, as it can actually increase your Mac's vulnerability.

What would you recommend? Intego? I'm only able to go free..

GGJstudios
Jun 3, 2011, 05:12 PM
What would you recommend? Intego? I'm only able to go free..
If you read the Mac Virus/Malware Info (http://forums.macrumors.com/showpost.php?p=9400648&postcount=4), you'll see a recommendation for ClamXav, if you insist on using any antivirus.

Music4Film
Jun 3, 2011, 07:46 PM
I just forced an update to the OSX definitions via turning the automatic refresh off and on again in the system preferences security tab and there seems to be yet another new Defender variant added to the list. OSX.MacDefender.E

AidenShaw
Jun 3, 2011, 08:08 PM
I just forced an update to the OSX definitions via turning the automatic refresh off and on again in the system preferences security tab and there seems to be yet another new Defender variant added to the list. OSX.MacDefender.E

On an earlier MACdefender thread, I posted:

The main value of Norton and other protection programs today isn't virus protection, it's malware protection. And by the way, simplistic signatures like Apple is using for malware are becoming worthless - polymorphic malware (see http://en.wikipedia.org/wiki/Polymorphic_virus) changes its signature constantly. Current top-tier anti-malware suites use behavioural and other heuristics that can stop previously unknown malware - the zero-day problem.

- Proactive Threat Scanning
Proactive threat scanning uses heuristics to detect unknown threats. Heuristic process scanning analyzes the behavior of an application or process to determine if it exhibits characteristics of threats, such as Trojan horses, worms, or keyloggers. This type of protection is sometimes referred to as zero-day protection.

http://www.symantec.com/business/support/index?page=content&id=TECH102401&locale=en_US

Apple's response to this threat seems to be using techniques from a decade ago.

As Margo Channing said, "Fasten your seat belts. It's going to be a bumpy night."

Probably before another week is up the MAC Defender folks will adopt polymorphism, so that every single MAC Defender infection has a unique signature. Apple can't stop that using old-fashioned signature-based methods.
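As an added illustration (not code from the thread or from Apple), the script below parses a constructed XProtect.plist, lists its definitions by position the way wp3gi and pcbjr refer to "Item 10", and then shows the limitation AidenShaw describes: an exact byte-pattern signature stops matching as soon as one byte of the sample differs. The plist layout (a top-level array of dicts with `Description` and a hex `Pattern`) and the pattern values are assumptions modelled on the file's general shape, not the real definitions; only the variant names come from the thread.

```python
"""Parse a constructed XProtect.plist and test byte-pattern signatures.

Added example: the plist structure and hex patterns below are constructed
stand-ins, not Apple's real definitions.
"""
import plistlib

# Constructed sample. The real file lives at
# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><array>
 <dict><key>Description</key><string>OSX.MacDefender.A</string>
  <key>Pattern</key><string>4d6163446566656e646572</string></dict>
 <dict><key>Description</key><string>OSX.MacDefender.D</string>
  <key>Pattern</key><string>4d61634775617264</string></dict>
</array></plist>
"""


def load_definitions(raw: bytes) -> list:
    """Return the array of definition dicts from XProtect.plist bytes."""
    return plistlib.loads(raw)


def numbered_definitions(raw: bytes) -> list:
    """(item number, Description) pairs, 1-based like the thread's 'Item 10'."""
    return [(i, d["Description"])
            for i, d in enumerate(load_definitions(raw), start=1)]


def matches(raw: bytes, data: bytes) -> list:
    """Names of every definition whose hex Pattern occurs verbatim in data.

    This mirrors plain signature matching: the pattern must appear exactly.
    """
    return [d["Description"] for d in load_definitions(raw)
            if bytes.fromhex(d["Pattern"]) in data]


def flip_one_byte(data: bytes, index: int) -> bytes:
    """Return data with a single bit flipped at index (constructed change).

    Used only to show that any byte-level difference defeats an exact
    pattern, which is the weakness of signature-only detection.
    """
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    for number, name in numbered_definitions(SAMPLE_PLIST):
        print(f"Item {number}: {name}")
    sample = b"header " + bytes.fromhex("4d6163446566656e646572") + b" tail"
    print("original matches:", matches(SAMPLE_PLIST, sample))
    print("one byte changed:", matches(SAMPLE_PLIST, flip_one_byte(sample, 7)))
```

Against the real file, `plistlib.load(open(path, "rb"))` gives the same structure; the defensive takeaway is that a new definition has to be shipped for every variant whose bytes differ, which is exactly the cat-and-mouse pace the thread is tracking.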

Tucom
Jun 3, 2011, 11:51 PM
It's honestly, in a way, excellent that the Mac is finally being targeted because, as others have pointed out, it will ultimately make the Mac and OS X *more* secure. How?

A.) Educate the "noob" users to not install random downloads.

B.) Get Apple on the ball and make OS X more secure by patching up new holes.

C.) Give Apple a necessary objective to create even more secure OS's down the road.


Basically this malware, and any more down the road, is like having the malware writers "beta test" OS X's security, and, if Apple responds accordingly, it will ultimately just make OS X that much more secure.

Kinda like with Windows 7: all the more viruses that come out eventually make it safer, and MS has been incredibly on the ball lately. I am typing this from my gaming Windows 7 machine and given the facts lately I'd have no problem storing any very sensitive info on here. I think Win 7 is finally a very secure OS, though still maybe not *quite* up to OS X, but then it could very well be.

Props to Microsoft for finally making Windows a stable, secure OS, and props to Apple for being on the ball about OS X's vulnerabilities that are undeniably going to be there sometimes, at least for now.

DLDHistory
Jun 4, 2011, 12:29 AM
Looking forward to Apple's upcoming version of Patch Tuesday.

...except every week.

This is very funny... us Win7 people get this and we have to laugh or we will cry hehehe. Patch Tuesday is usually followed by headache Wednesday :)

caspersoong
Jun 4, 2011, 02:49 AM
I wonder how much this costs Apple.

MAC-PRO-DEMON
Jun 4, 2011, 10:20 AM
If you read the Mac Virus/Malware Info (http://forums.macrumors.com/showpost.php?p=9400648&postcount=4), you'll see a recommendation for ClamXav, if you insist on using any antivirus.

If it was just me using the computers, then I would not "insist" on using any antivirus. Unfortunately it isn't, and my younger sister managed to download it yesterday "when I was looking for the song" and my older sister managed to download it "when I was googling that shop". We aren't all power users; my parents won't have problems as they don't go anywhere near the sorts of sites that house the virus, but my sisters do, I do. Antivirus is a must, you can't be left in the dark!

GGJstudios
Jun 4, 2011, 10:57 AM
If it was just me using the computers, then I would not "insist" on using any antivirus. Unfortunately it isn't, and my younger sister managed to download it yesterday "when I was looking for the song" and my older sister managed to download it "when I was googling that shop". We aren't all power users; my parents won't have problems as they don't go anywhere near the sorts of sites that house the virus, but my sisters do, I do. Antivirus is a must, you can't be left in the dark!
I understand your concern, but no antivirus can fully protect against a user's deliberate actions. Keeping other users of your Mac informed on threats such as this and teaching them to be cautious when installing anything will help a lot.