GUASS VIRUS - Do I need to be concerned??

[Shrink]

First, if I'm in the wrong place, Mods please move this and accept my apologies.

I've been reading about the Gauss Virus and was wondering if there is any necessity to download the Kaspersky anti-virus.
I am aware that there has never been a virus in the wild that has infected an OS X system. I know the recommended steps for malware protection (this is to save GGJ some time! I also know that a virus is only one type of malware...so let's not get into that whole can of worms!).

I'm just wondering if there has been any information suggesting that the Gauss Virus represents any threat to the Mac user who has all the necessary malware protections in place.

[wywern209]

no.it's only affected banks in the middle eastern area.

[Shrink]

Quote:

Originally Posted by wywern209

no.it's only affected banks in the middle eastern area.

I, too, was under the impression that it was focused on institutions. But (according to some stuff on CNET), it's spreading out of the Middle East. Not necessarily down to the individual user level...but that's why I was asking if there was anyone knew any information that it might be shifting to the individual user level.

Thanks for your response...your take, if I'm reading you right, is that it is an "institutional" virus.

[Macman45]

The Guass virus is unlikely to get to you, if you want the real low down on it's abnormal distribution, and what the malware actually does, plenty of info here:

http://www.securelist.com/en/analysi...l_Distribution

[wywern209]

OP the gauss virus was created for the pissing wars between the western gov'ts and the middle eastern ones. The sole purpose of the virus is to gain intelligence on the transactions of those banks in those areas. Unless you have an account with the affected banks, you have nothing to worry about. The NSA has bigger fish to fry.

[Shrink]

Thanks, all, for the responses.

It was not my impression that it represented a risk to individual users, but it's nice to have some reassurance.

Again, thanks for your time.

[DavidB52]

Your anti-virus software should be able to protect you against it anyhow.

I use Kaspersky Internet Security 2012 and I wouldn't have even heard of it if they hadn't proactively sent me an email letting me know they are effectively protecting my computer against it. (Good to know they are on top of it, because I sure wasn't.)

I am sure Norton and the other antivirus vendors are on top of it too.

[Carlanga]

IMO not worth it (yet) to have any type of Antivirus bogging down your OSX system.

[Shrink]

Quote:

Originally Posted by Carlanga

IMO not worth it (yet) to have any type of Antivirus bogging down your OSX system.

That has always been my approach, and since Gauss seems to be a virus directed at big institutions (e.g. banks) I'm not concerned about it.

I do have ClamXav, which is really a malware scanner, not a constantly running anti-virus. I run a scan once a month, otherwise it is dormant, not using any system capacity.

BTW: Every month it finds and quarantines two nastys, both called Heuristic Phishing...

They don't do anything, and are not transmitted to others (have checked with a friend.) I have no idea where they come from, but I just trash them every month and don't worry about them.

No harm, no foul...

[Carlanga]

Quote:

Originally Posted by Shrink

...
BTW: Every month it finds and quarantines two nastys, both called Heuristic Phishing...

That is prob because you are using a mail application. Heuristic ones are phishing emails only AFAIK, so if you don't open the link from the email or reply to it you shouldn't worry. Kinda like emails that get blocked by hotmail by web telling you that the junk email had malware inside. I always run my emails from the web instead of an app, keeps everything more secure.

[munkery]

Quote:

Originally Posted by Shrink

I am aware that there has never been a virus in the wild that has infected an OS X system.

This fact is now debatable depending on how one wants to define replication given the versions of Flashback that installed without user interaction.

To clarify:

Quote:

Originally Posted by munkery

The variants of Flashback that utilized CVE-2012-0507 prior to being patched could install without user interaction but with only ad-click hijacking functionality to generate revenue. The CVE-2012-0507 exploit allows the untrusted Java applet to perform functions outside the Java security sandbox without user interaction. It should be noted that the Java sandbox is self contained and part of the Java implementation; it is not an implementation of the sandboxing used with other client side apps within OS X.

This Java exploit does not utilize memory corruption but instead leverages a logical error in the Java reference array to achieve code execution. The runtime security mitigation in OS X Lion don't prevent these types of exploits that rely on logical errors. This type of vulnerability is rare but does lead to reliable exploits when found.

Infecting Safari occurs in two ways:

1) Safari is infected when the info.plist file contained in its app bundle is modified; this requires password authentication. Specifically, the LSEnvironment entry in the info.plist file is modified. The payloads are loaded into Safari when launched.

2) The ~/.MacOSX/environmental.plist file is modified so that a filtering payload is loaded into every app that then loads the ad-click payload into the browser when the browser is launched. This method does not require password authentication. The modification to environment.plist includes adding DYLD launch variables.

It should be noted the environment variables added to environment.plist don't take affect until the user has logged out and then logged back in. This could be why so many machines reported themselves as infected to the C&C servers despite only 10,000 machines actively having Safari modifying ad-clicks to generate revenue. I do not believe that this limitation occurs with installation method #1, which could be why method #1 is the prioritized installation method.

Given that password authentication is not required to install the ad-click hijacking payload, the request for password authentication in method #1 may also have been intended for functions included in subsequent versions of Flashback. For example, logging keystrokes protected by NSSecureTextField (masked text entry such as passwords and banking credentials) would require password authentication given that Flashback didn't include a privilege escalation exploit within OS X.

Luckily, the ability to load DYLD launch variables from environment.plist has now been removed from Mac OS X as well as the issue with Java being patched.

http://support.apple.com/kb/TS4267

Subsequent patches to Java for Mac are going to be produced by Oracle and will be released along side patches for other operating systems.

This version of Flashback replicates by loading itself into every app launched by the user if infection method #2 is used. Method #2 requires no user interaction. Although, the user having to log out/in could be considered user interaction.

[Shrink]

Quote:

Originally Posted by Carlanga

That is prob because you are using a mail application. Heuristic ones are phishing emails only AFAIK, so if you don't open the link from the email or reply to it you shouldn't worry. Kinda like emails that get blocked by hotmail by web telling you that the junk email had malware inside. I always run my emails from the web instead of an app, keeps everything more secure.

Thanks for the information. Yes, I use Mac Mail, but I have never had any problems with the Heuristic malware, so I just dump them at the end of every month, and not worry.

Quote:

Originally Posted by munkery

This fact is now debatable depending on how one wants to define replication given the versions of Flashback that installed without user interaction.

To clarify:



This version of Flashback replicates by loading itself into every app launched by the user if infection method #2 is used. Method #2 requires no user interaction. Although, the user having to log out/in could be considered user interaction.

Interesting. I'm afraid I was just parroting what I have read so many times regarding viruses in the wild never effecting OS X. I am not sophisticated enough to argue the subtleties of the definition of replication. I'll leave it to someone with more technical knowledge than I (which means pretty much everybody) to debate your point.

However that turns out, thanks for your reply...

[munkery]

Quote:

Originally Posted by Shrink

Interesting. I'm afraid I was just parroting what I have read so many times regarding viruses in the wild never effecting OS X. I am not sophisticated enough to argue the subtleties of the definition of replication. I'll leave it to someone with more technical knowledge than I (which means pretty much everybody) to debate your point.

However that turns out, thanks for your reply...

Despite however such a debate would turn out, it is important to note that Flashback shows that malware that installs without user interaction in OS X has limited efficacy to impact the users of infected machines more directly.

Security frameworks, such as NSSecureTextField, prevent malware from compromising more security sensitive actions performed by users by preventing passwords and data entered into secure forms from being logged by keyloggers or copied by form grabbers.

Compromising such security frameworks requires elevated privileges. Gaining elevated privileges without tricking the user to password authenticate, so via an exploit, is much more difficult in OS X. For example, recent versions of OS X have only contained less than 3 or 4 privilege escalation vulnerabilities (none used in malware; most not inherently useful in malware given certain limitations - locks user out of own system or dependent on non-default software with limited distribution); while, Windows 7 had so far over 60 of these vulnerabilities in just one default process (win32k.sys) with several being exploited in the wild (example = TDL-4).

Also, Keychain provides much better secure storage than the secure storage found in other operating systems. Keychain achieves this by limiting access to the keychain entries on a per application basis using access control lists.

The secure storage in Windows doesn't isolate entries on a per application basis. This is shown via password recovery programs available for Windows that show passwords stored by other applications. Malware often leverages this weakness in the secure storage of Windows.

It should be noted that third party browsers for Mac (Firefox and Chrome) don't utilize keychain for protected storage and have secure storage systems as potentially insecure as that used in Windows.

Hopefully, this information helps you with your concerns about viruses.

[Shrink]

Quote:

Originally Posted by munkery

Despite however such a debate would turn out, it is important to note that Flashback shows that malware that installs without user interaction in OS X has limited efficacy to impact the users of infected machines more directly.

Security frameworks, such as NSSecureTextField, prevent malware from compromising more security sensitive actions performed by users by preventing passwords and data entered into secure forms from being logged by keyloggers or copied by form grabbers.

Compromising such security frameworks requires elevated privileges. Gaining elevated privileges without tricking the user to password authenticate, so via an exploit, is much more difficult in OS X. For example, recent versions of OS X have only contained less than 3 or 4 privilege escalation vulnerabilities (none used in malware; most not inherently useful in malware given certain limitations - locks user out of own system or dependent on non-default software with limited distribution); while, Windows 7 had so far over 60 of these vulnerabilities in just one default process (win32k.sys) with several being exploited in the wild (example = TDL-4).

Also, Keychain provides much better secure storage than the secure storage found in other operating systems. Keychain achieves this by limiting access to the keychain entries on a per application basis using access control lists.

The secure storage in Windows doesn't isolate entries on a per application basis. This is shown via password recovery programs available for Windows that show passwords stored by other applications. Malware often leverages this weakness in the secure storage of Windows.

It should be noted that third party browsers for Mac (Firefox and Chrome) don't utilize keychain for protected storage and have secure storage systems as potentially insecure as that used in Windows.

Hopefully, this information helps you with your concerns about viruses.

Thank you for the very useful information.

I appreciate the time you took to help me understand security a little better. I am extremely concerned about security and try to maintain whatever little privacy still remains.

Again, thanks...

[munkery]

Quote:

Originally Posted by Shrink

BTW: Every month it finds and quarantines two nastys, both called Heuristic Phishing...

Even sophisticated phishing emails require a lot of user intervention to be successful.

These emails only become problematic if you click on links contained within the email and log into the web page reached via the link.

Using the link causes malicious scripts to be injected into the web page so that the interaction between your browser and the web server hosting the web page becomes compromised such that your login credentials become accessible to the attacker.

The easiest way to avoid compromise via phishing emails is the following:

- Check the digital certificate of websites, such as banks and paypal, by clicking the lock icon to see if the certificate belongs to the right organization.

- Always manually navigate to the logins of encrypted security sensitive websites and never login to these websites from links in emails, email attachments, instant messages, & etc even if the certificate appears to be legitimate. This prevents login credentials from being stolen via advanced phishing techniques that use cross-site scripting.

[Shrink]

Quote:

Originally Posted by munkery

Even sophisticated phishing emails require a lot of user intervention to be successful.

These emails only become problematic if you click on links contained within the email and log into the web page reached via the link.

Using the link causes malicious scripts to be injected into the web page so that the interaction between your browser and the web server hosting the web page becomes compromised such that your login credentials become accessible to the attacker.

The easiest way to avoid compromise via phishing emails is the following:

- Check the digital certificate of websites, such as banks and paypal, by clicking the lock icon to see if the certificate belongs to the right organization.

- Always manually navigate to the logins of encrypted security sensitive websites and never login to these websites from links in emails, email attachments, instant messages, & etc even if the certificate appears to be legitimate. This prevents login credentials from being stolen via advanced phishing techniques that use cross-site scripting.

I'm pretty much up on what you have suggested. I've read enough of GGJstudio's posts ( ) to know never to go to a website through a link in an email. But, once again, thank you for taking the time to give me useful information...one can never be reminded often enough of good security behavior.

You information is appreciated...

[OnceYouGoMac]

Quote:

Originally Posted by Carlanga

IMO not worth it (yet) to have any type of Antivirus bogging down your OSX system.

That's debatable. After the Flashback and MacDefender business I decided to install Kaspersky AV 2011 on my MBP and Sophos on my MBA. I got the Kaspersky disk free with the Windows version I bought for my parents' peecees. It probably wasn't necessary but I feel safer using my Macs online with protection

[Carlanga]

Quote:

Originally Posted by OnceYouGoMac

That's debatable. After the Flashback and MacDefender business I decided to install Kaspersky AV 2011 on my MBP and Sophos on my MBA. I got the Kaspersky disk free with the Windows version I bought for my parents' peecees. It probably wasn't necessary but I feel safer using my Macs online with protection

Not debatable since by the time a new malware is out apple will send their own fix around the same time as the 3 parties.