Hackers debut Mac OS X adware


MacBytes
Nov 25, 2006, 09:33 AM

Category: Mac OS X
Link: Hackers debut Mac OS X adware (http://www.macbytes.com/link.php?sid=20061125103337)
Description: none

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

Blue Velvet
Nov 25, 2006, 09:39 AM
We recently received a proof-of-concept sample of an adware program. Normally that wouldn't be worth blogging about, but in this case it's for Mac OS X. In theory, this program could be silently installed to your User account and hooked to each application you use… and it doesn't require Administrator rights to do so. We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.

The result: This particular sample successfully launched the Mac's Web browser when we used any of a number of applications.


Err... should I be worried about this? I suspect not.

mkrishnan
Nov 25, 2006, 09:39 AM
Okay, so I read the article and it caught my attention... but... but... googling only reveals a bunch of other articles digging the same article. Where is this proof of concept? I would like to see some actual evidence... and I'd like to see it analyzed by someone other than a "security" consultant.

gloss
Nov 25, 2006, 09:40 AM
Of course you should. It's not major, but it is seriously annoying.

mkrishnan
Nov 25, 2006, 09:47 AM
Of course you should. It's not major, but it is seriously annoying.

Assuming it isn't vaporware... this announcement sounds somewhat suspicious to me. Like how sarcastic the wording is. But I agree, it is concerning. It seems at the moment that the key piece of the problem on Windows (the ability of COM / ActiveX objects in a web page to install applications through Internet Explorer) is still missing on Macs (and for anyone who uses Firefox)... meaning that the real threat level is still close to zero. But I would still like to see more specifics on how this supposed vulnerability works.

cwt1nospam
Nov 25, 2006, 09:50 AM
It isn't a proof of concept, it's a proof of desperation. If they really had a proof of concept they would have verified that it works before posting about it. Think about it! They say they've got the code, but also say:

In theory, this program could be silently installed to your User account and...

No test? Seriously, if this were real, they'd have run it on at least one test machine.

ero87
Nov 25, 2006, 10:06 AM
i'm sick of hearing these reports, they frighten me!

someone tell me when a Mac USER, a real one, has a virus. Then I guess we should all be sincerely concerned.

iJawn108
Nov 25, 2006, 10:17 AM
shut off scripting, problem solved.

mkrishnan
Nov 25, 2006, 10:24 AM
shut off scripting, problem solved.


Where have I heard this solution before? (http://news.com.com/Microsoft+Virus+target+wont+be+in+Vista/2100-1002_3-5820706.html) :D

parenthesis
Nov 25, 2006, 03:29 PM
Of course that article is sarcastic and doesn't have "proof": it's from The Register! They're known for their sarcasm (and decent journalism).

Go to the linked F-Secure (http://www.f-secure.com/weblog/archives/archive-112006.html#00001030) page if you want more details.

"We recently received a proof-of-concept sample of an adware program. Normally that wouldn't be worth blogging about, but in this case it's for Mac OS X. In theory, this program could be silently installed to your User account and hooked to each application you use… and it doesn't require Administrator rights to do so. We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.

The result: This particular sample successfully launched the Mac's Web browser when we used any of a number of applications."

mkrishnan
Nov 25, 2006, 03:32 PM
Of course that article is sarcastic and doesn't have "proof": it's from The Register! They're known for their sarcasm (and decent journalism).

No, I'm sorry, I was talking about the linked F-Secure note, not the Register piece, when I said it sounded sarcastic and fishy. This F-Secure is supposed to be a real industry monitor / consultant / analyst, isn't it? I've never heard of them, but they didn't overtly smell of Onion. And yet... something about this piece strikes me as vaporware. And I'll stick with my statement that I want to see this analyzed by someone with Mac community credibility before I believe it.

WildCowboy
Nov 25, 2006, 03:44 PM
This F-Secure is supposed to be a real industry monitor / consultant / analyst, isn't it? I've never heard of them, but they didn't overtly smell of Onion.

Really? F-Secure has been around for close to 20 years IIRC. That said, they primarily sell antivirus software, so it's in their best interest to make a big deal out of anything that comes along. (Of course, the flip side is that you'd hope the antivirus people would be among the first to recognize and develop defenses against threats.)

Like everything coming out these days, I'll wait until these things appear in the wild before I really worry about them. Until then, I'll let the "experts" worry about them.

mkrishnan
Nov 25, 2006, 03:55 PM
Mmm, okay. But something about that note still just does not ring true to me. Maybe it's because it's a blog and the author felt the liberty to not use business diction and phrasing. Nonetheless...we shall see. I don't care so much about the adware part... this is still a local user exploit. *BUT* if this means that software can write to any part of /system, even if only a new file is being created, without admin privilege and without user intervention... something is seriously amok, and I want Apple to know what. I'm just not convinced it's actually true yet.

SMM
Nov 25, 2006, 05:39 PM
I think we shall see more and more "Fox News" type of anti-Apple reporting. When looking at the thread subject titles, you see many which are barely justified by the actual content. Unfortunately, far too many people do not read beyond that point. My all-time favorite on MR was something like, "New iPod's shoddy construction" (this is just my rendition of the real text, which I do not recall). The actual story was about a guy who fell off his bicycle and landed on the iPod. The case was damaged and the display broken. I have no reason to suspect the user of anything except adding a little humor. Yet, a headline reader would just conclude Apple was having quality issues.

You know it just irritates the h**l out of Redmond, that Apple does not suffer from the virus/malware issues they do. So, if there is any chance to dispel the Apple invincibility myth, or discredit their security, they will pounce on it. A perfect example of this was during the last presidential election. Gee-Dub did not serve in the military and even his national guard service was under scrutiny. Kerry on the other hand served with distinction in Vietnam.

The republican machine could not make George a hero, no matter how badly they wanted to. The only choice was to not let Kerry be one. So, they found a couple of fundamentalist, good-old-boys, to come forth, lie through their teeth and throw enough doubt (greatly fanned by Fox, Murdoch and crew) about Kerry's service. It worked like a charm.

MS has a lot riding on Vista. I think Apple is poised to not only steal their thunder, but to also break through the MS 'mystique'. I have heard many people say (essentially), "the reason Apple has a better OS right now is because MS has been solely focused on developing the ultimate OS". Well, if Redmond cannot deliver, many more people are going to start looking at alternatives.

Analog Kid
Nov 25, 2006, 07:37 PM
"We recently received a proof-of-concept sample of an adware program. Normally that wouldn't be worth blogging about, but in this case it's for Mac OS X. In theory, this program could be silently installed to your User account and hooked to each application you use… and it doesn't require Administrator rights to do so. We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.

The result: This particular sample successfully launched the Mac's Web browser when we used any of a number of applications."
The "in theory" part is that it could theoretically do to you what the proof of concept did to their test machine in practice.

From the description, I'd guess it's using Input Methods as a vector. IM is a feature, but it really should be better protected. Anything placed in IM gets loaded and run by every application launched.

wyatt23
Nov 26, 2006, 02:46 AM
cool. i'll believe this when i have to have Spybot for Mac, Ad-Aware for Mac, and Microsoft Defender for Mac all simultaneously running on my system.

'til then... BOGUS~!

cwedl
Nov 26, 2006, 04:36 AM
What's the point of making stuff like this? On one hand it's good that they have found holes in Mac OS X that hopefully they've notified Apple about, but on the other hand they should get a life.

solvs
Nov 26, 2006, 07:57 AM
Of course that article is sarcastic and doesn't have "proof": it's from The Register! They're known for their sarcasm (and decent journalism).
I'm sorry, but that made me laugh. The Register?

Yeah, you can pretty much ignore this then.

SPUY767
Nov 26, 2006, 09:42 AM
This item could theoretically be installed in the library of a vulnerable Mac if the user were to follow the instructions in the included text file.

0010101
Nov 26, 2006, 11:42 AM
I'm tellin' ya man.. the more popular OSX becomes, the more stuff like this is going to appear.

If you're in a band and going to release an album.. what are you going to put it on? Vinyl? 8 Track? Cassette?

No. You release it on the most common media.

WinTel machines have like what? 70% of the 'consumer' market? MacOS, Linux, Solaris, BeOS, etc make up the other 30%.

As Apples market share grows, things like this will pop up with more and more frequency.

Let's not forget there used to be viruses for MacOS back when they had better market share.. then as that market share slipped into just about nothingness, people just didn't bother writing them anymore.

flir67
Nov 26, 2006, 12:09 PM
LOL, I remember having those on my last PC years ago.... heck, you need it when you have a PC. seriously...



cool. i'll believe this when i have to have Spybot for Mac, Ad-Aware for Mac, and Microsoft Defender for Mac all simultaneously running on my system.

'til then... BOGUS~!

wmmk
Nov 26, 2006, 12:23 PM
What's the point of making stuff like this? On one hand it's good that they have found holes in Mac OS X that hopefully they've notified Apple about, but on the other hand they should get a life.
amen, brother!

This item could theoretically be installed in the library of a vulnerable Mac if the user were to follow the instructions in the included text file.
and i'm sure a lot of people will do this!

I'm tellin' ya man.. the more popular OSX becomes, the more stuff like this is going to appear.

If you're in a band and going to release an album.. what are you going to put it on? Vinyl? 8 Track? Cassette?

No. You release it on the most common media.

WinTel machines have like what? 70% of the 'consumer' market? MacOS, Linux, Solaris, BeOS, etc make up the other 30%.

As Apples market share grows, things like this will pop up with more and more frequency.

Let's not forget there used to be viruses for MacOS back when they had better market share.. then as that market share slipped into just about nothingness, people just didn't bother writing them anymore.
true, but OS X is still more secure than anything based on NT.

0010101
Nov 26, 2006, 01:12 PM
true, but OS X is still more secure than anything based on NT.

I absolutely agree. And OSX will continue to be my primary OS.

When I think back to the nightmares I had during my time running XP.. the hundreds of lost hours spent re-installing, cleaning the registry, downloading virus scan updates, anti-spyware applications and updates, having to buy more RAM just to support all the 'protection' that had to constantly run in the background, plus all the money I pissed away on Norton, McAfee, and a host of other things that were supposed to keep my computer virus and spyware free, but didn't.. well.. let's just say i'd have a whole lot more time and money.

dpaanlka
Nov 26, 2006, 01:41 PM
I call bluff...

someguy
Nov 26, 2006, 01:52 PM
I call bluff...
Yep. It's not a threat until it happens to me. That's my take on it.

Forget all this "theoretically" crap. I don't care what "could" happen "if" a local user were to "follow the directions". Come on... you haxx0rz can do better than that.

Call me when something actually happens. :rolleyes:

Snowy_River
Nov 26, 2006, 05:54 PM
I'm tellin' ya man.. the more popular OSX becomes, the more stuff like this is going to appear.

If you're in a band and going to release an album.. what are you going to put it on? Vinyl? 8 Track? Cassette?

No. You release it on the most common media.

WinTel machines have like what? 70% of the 'consumer' market? MacOS, Linux, Solaris, BeOS, etc make up the other 30%.

As Apples market share grows, things like this will pop up with more and more frequency.

Let's not forget there used to be viruses for MacOS back when they had better market share.. then as that market share slipped into just about nothingness, people just didn't bother writing them anymore.

While obscurity may have something to do with it, the argument really falls short of the mark. There are more attacks in the wild (though it's not hard to get to more than zero, right?) for much more obscure operating systems than OS X. And even if it was strictly a numbers game, OS X currently has about a, what, 6% market share? So why isn't about 6% of malware directed at OS X? Or 0.6%? Or 0.06%?

Sorry, arguing that OS X enjoys security through obscurity just doesn't cut it. OS X is simply a more secure system.

123
Nov 27, 2006, 02:04 AM
There are more attacks in the wild (though it's not hard to get to more than zero, right?) for much more obscure operating systems than OS X.
Which operating systems?


And even if it was strictly a numbers game, OS X currently has about a, what, 6% market share? So why isn't about 6% of malware directed at OS X? Or 0.6%? Or 0.06%?
Why should malware be proportional to market share?

OS X is simply a more secure system.
Evidence?

dpaanlka
Nov 27, 2006, 02:40 AM
I'm tellin' ya man.. the more popular OSX becomes, the more stuff like this is going to appear.

Why should malware be proportional to market share?

Can't you people make up your minds?

cr2sh
Nov 27, 2006, 03:01 AM
Which operating systems?

Linux (http://www.viruslist.com/en/analysis?pubid=184625030#stats). Or better yet.. Linux. (http://www.viruslist.com/en/analysis?pubid=198977709)


Why should malware be proportional to market share?


Malware should be proportional to market share because malware is often designed to gain the creator notoriety or make money. Both of these objectives have a greater likelihood of succeeding when the number of affected users goes up.


Evidence?

I hope someone else has stats... cuz I sure can't provide those numbers. As the second article states "Ultimately, neither Linux, nor OS X, nor any other operating system is inherently any more secure than Windows, and users should be careful to take appropriate precautions, no matter how secure they may feel."

someguy
Nov 27, 2006, 06:04 AM
As the second article states "Ultimately, neither Linux, nor OS X, nor any other operating system is inherently any more secure than Windows..."
Ha!

Hahaha!

:eek:

*reads quoted text again*

AAAAAAAAHAHAHAHA!!!

*ahem*
I'm sorry. That was really funny.

billyboy
Nov 27, 2006, 11:19 AM
I thought the F word in anti-virus was Symantec? There are two now with this F-Secure press release.

benthewraith
Nov 27, 2006, 11:57 AM
When I think back to the nightmares I had during my time running XP.. the hundreds of lost hours spent re-installing, cleaning the registry, downloading virus scan updates, anti-spyware applications and updates, having to buy more RAM just to support all the 'protection' that had to constantly run in the background, plus all the money I pissed away on Norton, McAfee, and a host of other things that were supposed to keep my computer virus and spyware free, but didn't.. well.. let's just say i'd have a whole lot more time and money.

Sometimes I think those programs just compound the issue even worse.

WildCowboy
Nov 27, 2006, 12:27 PM
Malware should be proportional to market share because malware is often designed to gain the creator notoriety or make money. Both of these objectives have a greater likelihood of succeeding when the number of affected users goes up.

I would think that malware would show an exponential relationship to market share because the rewards for the amount of effort are so much greater. It doesn't take 5% as long to write Mac malware as it does Windows malware. If I'm a malware writer, I'm always going to get the biggest bang for my buck. If I'm a virus writer, I'm going to go after the OS that will allow my work to spread the fastest and farthest.

That said, I do agree with the notion that malware writers would occasionally target OS X just because it hasn't really been done, and there is the opportunity for fame there. So I do believe the argument that OS X is in many ways inherently more secure than Windows, but I wouldn't expect a proportional relationship even if they were equally vulnerable.

gekko513
Nov 27, 2006, 12:31 PM
So does this proof of concept install itself silently when you visit a web page, or does it install itself silently when you run a program you downloaded? It's not clear to me.

mkrishnan
Nov 27, 2006, 12:38 PM
So does this proof of concept install itself silently when you visit a web page, or does it install itself silently when you run a program you downloaded? It's not clear to me.

According to the claim, when you run a program locally...there's still no vector to cause this to be executed from a website. That's assuming it even exists and is not vaporware.

gekko513
Nov 27, 2006, 12:48 PM
According to the claim, when you run a program locally...there's still no vector to cause this to be executed from a website. That's assuming it even exists and is not vaporware.
Uhm, but any programmer out there can make adware that starts running when you run a program they've made. :confused:

Analog Kid
Nov 27, 2006, 01:11 PM
Uhm, but any programmer out there can make adware that starts running when you run a program they've made. :confused:
The difference here, as I read it, is that once run it sets itself up to run with any application launched thereafter. That's what makes me think of Input Methods.

Think of how many people pull stuff off VersionTracker or wherever just to see what it does. If the adware only ran when that application was active, it would be relatively easy to remove (remove the offending app), but in this case you'd have to find the installed library and remove that because IMs are loaded with every app. If the adware was written to track changes to the IM folder, it could simply reinstall itself after you delete it which would require a bit more effort to cleanse it.
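The two Analog Kid posts above (the guess that the sample uses a per-user "loaded into every app" folder, and the point that a dropped bundle survives deleting the app that dropped it) describe a check a user can actually run. The per-user mechanism that matches the F-Secure description on Mac OS X 10.4 is Input Managers: any bundle copied into ~/Library/InputManagers is loaded into every Cocoa application at launch, with no admin rights and no prompt, and /Library/InputManagers does the same for every account. (Apple tightened this in 10.5, which ignores the per-user folder and requires root ownership of the system-wide one.) The script below is an added example, not code from the thread, from F-Secure, or from Apple: it lists whatever sits in those folders so the owner can decide what belongs there, and flags system-wide entries a non-admin could tamper with. The folder list, the function names and the "suspect" rules are assumptions for illustration; the folder the actual sample used was never disclosed.

```shell
#!/bin/sh
# Added example, not code from the thread, F-Secure, or Apple. Lists what sits
# in the user-writable Library folders that Mac OS X 10.4 loads into every Cocoa
# application (InputManagers) or every login session (LaunchAgents), plus the
# system-wide folder an admin could use to hit all accounts. The folder list and
# the "suspect" rules are assumptions for illustration; which folder the
# F-Secure sample actually used was never disclosed.

# Per-user folders a non-admin account can populate with a plain file copy.
USER_AUTOLOAD_DIRS="Library/InputManagers Library/LaunchAgents Library/ScriptingAdditions"

# Print every entry under the per-user autoload folders of home directory $1.
# Returns 0 when all folders are empty or absent, 1 when something was found.
# Dotfiles are skipped by the glob, which is fine for bundle directories.
audit_user_autoload() {
    home="$1"
    hits=0
    for rel in $USER_AUTOLOAD_DIRS; do
        dir="$home/$rel"
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue   # glob matched nothing
            printf 'USER-AUTOLOAD %s\n' "$entry"
            hits=$((hits + 1))
        done
    done
    [ "$hits" -eq 0 ]
}

# Check a system-wide autoload folder such as /Library/InputManagers, whose
# contents reach every account. Flag anything world-writable (a non-admin could
# swap the bundle) or not owned by root (a sign it was dropped by a user-level
# installer). Returns 0 when clean or absent, 1 when suspects were printed.
audit_global_autoload() {
    dir="$1"
    [ -d "$dir" ] || return 0
    suspects=$(find "$dir" \( -perm -002 -o ! -user root \) -print)
    [ -n "$suspects" ] || return 0
    printf '%s\n' "$suspects" | sed 's/^/GLOBAL-SUSPECT /'
    return 1
}

# When run directly, audit the current account and the system-wide folder.
# The "|| :" keeps a non-zero audit result from aborting a "set -e" caller.
audit_user_autoload "${HOME:-/nonexistent}" || :
audit_global_autoload /Library/InputManagers || :
```

Anything this prints is not automatically malicious; legitimate plugins use the same folders. The point is that every entry should be something the owner can name, and, as the post above notes, an adware bundle that re-copies itself when the folder changes has to be removed while nothing that loads it is running, so remove the entry, log out, and run the audit again before trusting the account.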

Rotary8
Nov 27, 2006, 01:18 PM
Not sure if you guys have heard of Wibiki (free wifi), but I'm reading it installs all sorts of spy/adware into our browsers.

I almost used it, but after reading so many negative reviews of that free wifi service I'd rather tether my mbp to my phone when i'm on the road.

gekko513
Nov 27, 2006, 01:20 PM
The difference here, as I read it, is that once run it sets itself up to run with any application launched thereafter. That's what makes me think of Input Methods.

Think of how many people pull stuff off VersionTracker or wherever just to see what it does. If the adware only ran when that application was active, it would be relatively easy to remove (remove the offending app), but in this case you'd have to find the installed library and remove that because IMs are loaded with every app. If the adware was written to track changes to the IM folder, it could simply reinstall itself after you delete it which would require a bit more effort to cleanse it.
Ok, I see your point, but there are a number of ways to tuck away files and permanently affect the user environment of the user who runs a program. There simply is no way for an OS to protect a user who runs an unknown application. The best the OS can try to do is protect other users if the one who runs unsafe apps isn't an admin, and also try to protect the system itself even against a user that is an admin.