Old Aug 13, 2012, 12:50 PM   #1
Shrink
GAUSS VIRUS - Do I need to be concerned??

First, if I'm in the wrong place, Mods please move this and accept my apologies.

I've been reading about the Gauss Virus and was wondering if there is any necessity to download the Kaspersky anti-virus.
I am aware that there has never been a virus in the wild that has infected an OS X system. I know the recommended steps for malware protection (this is to save GGJ some time! I also know that a virus is only one type of malware...so let's not get into that whole can of worms!).

I'm just wondering if there has been any information suggesting that the Gauss Virus represents any threat to the Mac user who has all the necessary malware protections in place.
Old Aug 13, 2012, 01:23 PM   #2
wywern209
No. It's only affected banks in the Middle Eastern area.
Old Aug 13, 2012, 02:06 PM   #3
Shrink
Quote:
Originally Posted by wywern209
No. It's only affected banks in the Middle Eastern area.
I, too, was under the impression that it was focused on institutions. But (according to some stuff on CNET), it's spreading out of the Middle East. Not necessarily down to the individual user level...but that's why I was asking if anyone knew of any information that it might be shifting to the individual user level.

Thanks for your response...your take, if I'm reading you right, is that it is an "institutional" virus.
Old Aug 13, 2012, 11:22 PM   #4
Macman45
The Gauss virus is unlikely to get to you; if you want the real low down on its abnormal distribution, and what the malware actually does, there's plenty of info here:

http://www.securelist.com/en/analysi...l_Distribution
Old Aug 13, 2012, 11:32 PM   #5
wywern209
OP the gauss virus was created for the pissing wars between the western gov'ts and the middle eastern ones. The sole purpose of the virus is to gain intelligence on the transactions of those banks in those areas. Unless you have an account with the affected banks, you have nothing to worry about. The NSA has bigger fish to fry.
Old Aug 14, 2012, 06:44 AM   #6
Shrink
Thanks, all, for the responses.

It was not my impression that it represented a risk to individual users, but it's nice to have some reassurance.

Again, thanks for your time.
Old Aug 14, 2012, 10:36 PM   #7
DavidB52
Your anti-virus software should be able to protect you against it anyhow.

I use Kaspersky Internet Security 2012 and I wouldn't have even heard of it if they hadn't proactively sent me an email letting me know they are effectively protecting my computer against it. (Good to know they are on top of it, because I sure wasn't.)

I am sure Norton and the other antivirus vendors are on top of it too.
Old Aug 18, 2012, 01:34 PM   #8
Carlanga
IMO not worth it (yet) to have any type of Antivirus bogging down your OSX system.
Old Aug 18, 2012, 01:50 PM   #9
Shrink
Quote:
Originally Posted by Carlanga
IMO not worth it (yet) to have any type of Antivirus bogging down your OSX system.
That has always been my approach, and since Gauss seems to be a virus directed at big institutions (e.g. banks) I'm not concerned about it.

I do have ClamXav, which is really a malware scanner, not a constantly running anti-virus. I run a scan once a month, otherwise it is dormant, not using any system capacity.

BTW: Every month it finds and quarantines two nasties, both called Heuristic Phishing...

They don't do anything, and are not transmitted to others (I have checked with a friend). I have no idea where they come from, but I just trash them every month and don't worry about them.

No harm, no foul...
Old Aug 18, 2012, 02:35 PM   #10
Carlanga
Quote:
Originally Posted by Shrink
...
BTW: Every month it finds and quarantines two nasties, both called Heuristic Phishing...
That is prob because you are using a mail application. Heuristic ones are phishing emails only AFAIK, so if you don't open the link from the email or reply to it you shouldn't worry. Kinda like emails that get blocked by Hotmail on the web, telling you that the junk email had malware inside. I always run my emails from the web instead of an app, which keeps everything more secure.
Old Aug 18, 2012, 04:28 PM   #11
munkery
Quote:
Originally Posted by Shrink
I am aware that there has never been a virus in the wild that has infected an OS X system.
This fact is now debatable depending on how one wants to define replication given the versions of Flashback that installed without user interaction.

To clarify:

Quote:
Originally Posted by munkery
The variants of Flashback that utilized CVE-2012-0507 prior to being patched could install without user interaction but with only ad-click hijacking functionality to generate revenue. The CVE-2012-0507 exploit allows the untrusted Java applet to perform functions outside the Java security sandbox without user interaction. It should be noted that the Java sandbox is self-contained and part of the Java implementation; it is not an implementation of the sandboxing used with other client-side apps within OS X.

This Java exploit does not utilize memory corruption but instead leverages a logical error in the Java reference array to achieve code execution. The runtime security mitigations in OS X Lion don't prevent these types of exploits that rely on logical errors. This type of vulnerability is rare but does lead to reliable exploits when found.

Infecting Safari occurs in two ways:

1) Safari is infected when the Info.plist file contained in its app bundle is modified; this requires password authentication. Specifically, the LSEnvironment entry in the Info.plist file is modified. The payloads are loaded into Safari when launched.

2) The ~/.MacOSX/environment.plist file is modified so that a filtering payload is loaded into every app, which then loads the ad-click payload into the browser when the browser is launched. This method does not require password authentication. The modification to environment.plist includes adding DYLD launch variables.

It should be noted the environment variables added to environment.plist don't take effect until the user has logged out and then logged back in. This could be why so many machines reported themselves as infected to the C&C servers despite only 10,000 machines actively having Safari modifying ad-clicks to generate revenue. I do not believe that this limitation occurs with installation method #1, which could be why method #1 is the prioritized installation method.

Given that password authentication is not required to install the ad-click hijacking payload, the request for password authentication in method #1 may also have been intended for functions included in subsequent versions of Flashback. For example, logging keystrokes protected by NSSecureTextField (masked text entry such as passwords and banking credentials) would require password authentication given that Flashback didn't include a privilege escalation exploit within OS X.

Luckily, the ability to load DYLD launch variables from environment.plist has now been removed from Mac OS X as well as the issue with Java being patched.

http://support.apple.com/kb/TS4267

Subsequent patches to Java for Mac are going to be produced by Oracle and will be released alongside patches for other operating systems.
This version of Flashback replicates by loading itself into every app launched by the user if infection method #2 is used. Method #2 requires no user interaction. Although, the user having to log out/in could be considered user interaction.
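A read-only check for the two persistence locations described in the post above: an LSEnvironment entry in Safari's Info.plist (method #1) and DYLD_* launch variables in ~/.MacOSX/environment.plist (method #2). This is an added example, not code from the thread or from any vendor; the default paths are the locations the post names, plutil is used only where it exists, and any dylib path in sample input is a placeholder.

```shell
#!/bin/sh
# Added example: inspect the two files munkery's post names as Flashback
# persistence points for DYLD_* injection variables. Read-only: it reports
# and never edits the files. Paths can be overridden so copies can be checked.

# Print a plist as text. On macOS plutil handles binary plists; the fallback
# is cat, which still works for grep because a binary plist stores its key
# names and string values as plain ASCII inside the file.
plist_as_text() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1"
    else
        cat "$1"
    fi
}

# Return 0 if the file contains no DYLD_* variable name, 1 if it does.
# A missing file returns 0: nothing there can be loaded.
plist_has_dyld_vars() {
    [ -r "$1" ] || return 0
    if plist_as_text "$1" | grep -q 'DYLD_'; then
        return 1
    fi
    return 0
}

# Return 0 if the Info.plist has no LSEnvironment dictionary, 1 if it does.
# Safari does not ship with one, so its mere presence is worth a look even
# if it carries no DYLD_* key.
plist_has_lsenvironment() {
    [ -r "$1" ] || return 0
    if plist_as_text "$1" | grep -q 'LSEnvironment'; then
        return 1
    fi
    return 0
}

# $1 = Safari Info.plist (method #1), $2 = per-user environment.plist (method #2).
# Returns 0 when both look clean, 1 when either shows an injection indicator.
check_flashback_persistence() {
    safari_plist="${1:-/Applications/Safari.app/Contents/Info.plist}"
    env_plist="${2:-$HOME/.MacOSX/environment.plist}"
    status=0
    if ! plist_has_lsenvironment "$safari_plist"; then
        echo "SUSPICIOUS: LSEnvironment present in $safari_plist"
        status=1
    fi
    if ! plist_has_dyld_vars "$safari_plist"; then
        echo "SUSPICIOUS: DYLD_* variable in $safari_plist"
        status=1
    fi
    if ! plist_has_dyld_vars "$env_plist"; then
        echo "SUSPICIOUS: DYLD_* variable in $env_plist"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "clean: no injection indicators found"
    return "$status"
}
```

Run it with no arguments on a Mac to check the live locations, or pass two paths to check copies taken from another machine.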
Old Aug 18, 2012, 05:40 PM   #12
Shrink
Quote:
Originally Posted by Carlanga
That is prob because you are using a mail application. Heuristic ones are phishing emails only AFAIK, so if you don't open the link from the email or reply to it you shouldn't worry. Kinda like emails that get blocked by Hotmail on the web, telling you that the junk email had malware inside. I always run my emails from the web instead of an app, which keeps everything more secure.
Thanks for the information. Yes, I use Mac Mail, but I have never had any problems with the Heuristic malware, so I just dump them at the end of every month and don't worry.

Quote:
Originally Posted by munkery
This fact is now debatable depending on how one wants to define replication given the versions of Flashback that installed without user interaction.

To clarify:

...

This version of Flashback replicates by loading itself into every app launched by the user if infection method #2 is used. Method #2 requires no user interaction. Although, the user having to log out/in could be considered user interaction.
Interesting. I'm afraid I was just parroting what I have read so many times regarding viruses in the wild never affecting OS X. I am not sophisticated enough to argue the subtleties of the definition of replication. I'll leave it to someone with more technical knowledge than I (which means pretty much everybody) to debate your point.

However that turns out, thanks for your reply...
Old Aug 18, 2012, 06:25 PM   #13
munkery
Quote:
Originally Posted by Shrink
Interesting. I'm afraid I was just parroting what I have read so many times regarding viruses in the wild never affecting OS X. I am not sophisticated enough to argue the subtleties of the definition of replication. I'll leave it to someone with more technical knowledge than I (which means pretty much everybody) to debate your point.

However that turns out, thanks for your reply...
Despite however such a debate would turn out, it is important to note that Flashback shows that malware that installs without user interaction in OS X has limited efficacy to impact the users of infected machines more directly.

Security frameworks, such as NSSecureTextField, prevent malware from compromising more security sensitive actions performed by users by preventing passwords and data entered into secure forms from being logged by keyloggers or copied by form grabbers.

Compromising such security frameworks requires elevated privileges. Gaining elevated privileges without tricking the user into password authenticating, i.e. via an exploit, is much more difficult in OS X. For example, recent versions of OS X have only contained fewer than 3 or 4 privilege escalation vulnerabilities (none used in malware; most not inherently useful in malware given certain limitations - locks the user out of their own system or depends on non-default software with limited distribution); while Windows 7 has so far had over 60 of these vulnerabilities in just one default process (win32k.sys), with several being exploited in the wild (example = TDL-4).

Also, Keychain provides much better secure storage than the secure storage found in other operating systems. Keychain achieves this by limiting access to the keychain entries on a per application basis using access control lists.

The secure storage in Windows doesn't isolate entries on a per application basis. This is shown via password recovery programs available for Windows that show passwords stored by other applications. Malware often leverages this weakness in the secure storage of Windows.

It should be noted that third party browsers for Mac (Firefox and Chrome) don't utilize keychain for protected storage and have secure storage systems as potentially insecure as that used in Windows.

Hopefully, this information helps you with your concerns about viruses.
Old Aug 18, 2012, 08:01 PM   #14
Shrink
Quote:
Originally Posted by munkery
Despite however such a debate would turn out, it is important to note that Flashback shows that malware that installs without user interaction in OS X has limited efficacy to impact the users of infected machines more directly.
...
Thank you for the very useful information.

I appreciate the time you took to help me understand security a little better. I am extremely concerned about security and try to maintain whatever little privacy still remains.

Again, thanks...
Old Aug 19, 2012, 05:00 AM   #15
munkery
Quote:
Originally Posted by Shrink
BTW: Every month it finds and quarantines two nasties, both called Heuristic Phishing...
Even sophisticated phishing emails require a lot of user intervention to be successful.

These emails only become problematic if you click on links contained within the email and log into the web page reached via the link.

Using the link causes malicious scripts to be injected into the web page so that the interaction between your browser and the web server hosting the web page becomes compromised such that your login credentials become accessible to the attacker.

The easiest way to avoid compromise via phishing emails is the following:

- Check the digital certificate of websites, such as banks and PayPal, by clicking the lock icon to see if the certificate belongs to the right organization.

- Always manually navigate to the logins of encrypted security sensitive websites and never log in to these websites from links in emails, email attachments, instant messages, etc., even if the certificate appears to be legitimate. This prevents login credentials from being stolen via advanced phishing techniques that use cross-site scripting.
Old Aug 19, 2012, 06:49 AM   #16
Shrink
Quote:
Originally Posted by munkery
Even sophisticated phishing emails require a lot of user intervention to be successful.
...
I'm pretty much up on what you have suggested. I've read enough of GGJstudio's posts to know never to go to a website through a link in an email. But, once again, thank you for taking the time to give me useful information...one can never be reminded often enough of good security behavior.

Your information is appreciated...
Old Aug 27, 2012, 03:25 PM   #17
OnceYouGoMac
Quote:
Originally Posted by Carlanga
IMO not worth it (yet) to have any type of Antivirus bogging down your OSX system.
That's debatable. After the Flashback and MacDefender business I decided to install Kaspersky AV 2011 on my MBP and Sophos on my MBA. I got the Kaspersky disk free with the Windows version I bought for my parents' peecees. It probably wasn't necessary but I feel safer using my Macs online with protection
Old Aug 27, 2012, 07:15 PM   #18
Carlanga
Quote:
Originally Posted by OnceYouGoMac
That's debatable. After the Flashback and MacDefender business I decided to install Kaspersky AV 2011 on my MBP and Sophos on my MBA. I got the Kaspersky disk free with the Windows version I bought for my parents' peecees. It probably wasn't necessary but I feel safer using my Macs online with protection
Not debatable, since by the time new malware is out Apple will send their own fix around the same time as the third parties.