Apple Quickly Updates Malware Definitions to Detect New SMS Scam Trojan

[asr]

Let's not forget about zero-day exploits, improperly sandboxed applications or plug-ins, users that run as admin, out-of-date operating systems, Adobe Flash Player (which has an auto-update daemon that can write to ''/Library/Internet Plug-Ins/'' at the very least), Java (which anyone with open-source software such as LibreOffice or OpenOffice will typically have installed), etc.

Malware software authors typically don't like to follow the rules that the OS puts in place, and there are many ways around those rules. Privilege escalation is not even close to impossible.

I'm not an Apple hater— quite the opposite, really— but I also won't blindly assume that I'm safe because I have a Mac. Any computer with an internet connection and/or a user is potentially vulnerable.

Quote:

Originally Posted by spyguy10709

Originally Posted by D-a-a-n View Post
Originally Posted by spyguy10709
Again, like I always say, the only virus you can get on OSX is one you install yourself. This just prevents the user from hurting him/herself. This isn't a "virus" like everyone is saying - it's a program that phishes your personal info. It can't escalate itself privelidge-wise like with a Windows virus and become "above" your system to prevent removal or uninstallation. Nothing can do that in OSX due to it's unix base.

Also, great job Apple for staying so on top of this


Could you elaborate more on that?

Sure- to install something in OS X (that does anything without you clicking the icon, like a service or anything like that) requires you to put your password in a box that prevents privilege escalation (basically the OS has complete control over all applications, not the other way around - a virus). If you don't have a password, you just leave the box blank. A program can't put a password into the system, only the user into the system. This prevents programs from replicating (a virus) or taking over the system (like many trojans).

----------

Quote:

Originally Posted by oneMadRssn

As with every system: the best defense is being ready, so having an automatic nightly backup is most important.

Just make sure that backup doesn't erase the previous evening's backup, since often people don't notice infections right away. Also, if your backup drive is connected to your Windows machine with write permissions and you get data-deletion malware on your machine... you're pretty much screwed. Make a Windows 7 Backup System Image to keep on a different hard drive every two weeks or so.

[charlituna]

Quote:

Originally Posted by Simplicated

So did this Trojan manage to bypass Gatekeeper?

Pre mountain on software. Or non App Store software. Remember that you can have both on the computer without jailbreaking it.

----------

Quote:

Originally Posted by ArtOfWarfare

Nicely handled, it would seem.

But really, it seems to me this is an issue phone service providers should handle. Why is the money that they handle handled so insecurely? Shouldn't our provider send us some sort of message for us to confirm that some company is going to start leaching money via our phone bill and shouldn't they block companies that they find frequently commit this kind of fraud?

You signed up for this service so there's no reason for the phone company to question it.

Common sense on the user part is a big factor in this. If you use some you are generally safe. If you don't, oh well.

----------

Quote:

Originally Posted by PowerPCMacMan

. Now Apple is getting viruses and malware. Terrible if u ask me.

Malware sure, if the users are dumb enough to fall for these kind of stunts. But viruses, not really. There's been perhaps 1 Mac ox virus in the wild, the rest were Trojans. And most the same phishing stunt style

[munkery]

This post is a response to posts stating that Windows is not less secure than OS X.

1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.

Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.

Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.

Mac OS X Snow Leopard has contained only 4 elevation of privilege vulnerabilities since it was released; obviously, none of these were used in malware. Lion has contained 2 so far but one of these vulnerabilities doesn't affect all account types because of being due to a permissions error rather than code vulnerability.

The following link shows the number of privilege escalation vulnerabilities in Windows 7 related to just win32k:

http://cve.mitre.org/cgi-bin/cvekey....yword=win32k+7

More information about privilege escalation in Windows 7:

http://www.exploit-db.com/bypassing-...vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

https://media.blackhat.com/bh-dc-11/...nelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

http://mista.nu/research/mandt-win32k-paper.pdf -> more complete documentation about alternative methods to exploit the Windows kernel.

http://threatpost.com/en_us/blogs/td...net-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.

2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.

Also, methods have been found to bypass ASLR in Windows 7.

http://vreugdenhilresearch.nl/Pwn2Ow...tExplorer8.pdf -> article describing bypassing ASLR in Windows 7.

Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.

Using Linux distros with similar runtime security mitigations as Lion for a model, client-side exploitation is incredibly difficult without some pre-established local access. Of course, this is self defeating if the goal of the exploitation is to achieve that local access in the first place.

See the paper linked below about bypassing the runtime security mitigations in Linux for more details.

http://www.blackhat.com/presentation...slr-slides.pdf

The author only manages to do so while already having local access to the OS.

3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.

But, not all software in Windows uses DEP; this includes 64-bit software. See first article linked in #2.

4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.

http://www.blackhat.com/presentation...rman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.

5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SE-Linux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSresponder, netbios...) and many client-side apps (Safari, Preview, TextEdit…) are sandboxed in Lion.

Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.

http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.

http://msdn.microsoft.com/en-us/libr...(v=VS.85).aspx -> MS documentation about MIC.

https://media.blackhat.com/bh-eu-11/...xes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.

6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.

Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.

Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.

As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (http://developer.apple.com/library/m...CServices.html)

7) Security benefits of a UNIX foundation

Not all software vulnerabilities are exploitable. Vulnerabilities that are not exploitable only allow a denial of service condition upon being triggered. Exploitable vulnerabilities allow code execution when triggered.

There are two methods to achieve code execution in relation to buffer overflows:

1) RET overwrite -> control return address of instruction pointer

2) SEH (structured exception handler) overwrite -> control content of handler that will be executed upon an exception

To clarify:

Quote:

While typical stack-based buffer overflows work by overwriting the return address in the stack, SEH overwrites work by overwriting the handler attribute of an exception registration record that has been stored on the stack. Unlike overwriting the return address, where control is gained immediately upon return from the function, an SEH overwrite does not actually gain code execution until after an exception has been generated. The exception is necessary in order to cause the exception dispatcher to call the overwritten handler.

Basically, SEH overwrites provide a second method to exploit a vulnerability in the event that a RET overwrite is unsuccessful or not exploitable. Obviously, more vectors being available to facilitate exploiting a vulnerability increases the number of vulnerabilities that are exploitable. SEH overwrites reduce the number of vulnerabilities that only produce a denial of service condition.

Mitigations have been developed to prevent SEH overwrites. These include SafeSEH and SEHOP. Methods are known that allow bypassing both mitigations.

SafeSEH is bypassed if only one component of the program doesn't implement this mitigation; it is common that not all components implement SafeSEH.

SEHOP is bypassed if ASLR is compromised via a memory disclosure vulnerability.

So, what does this have to do with the security benefits of a UNIX foundation?

UNIX and UNIX-like operating systems, such as Mac OS X and Linux, don't have structured exception handling. So, SEH overwrites, as a vector to increase the number of exploitable vulnerabilities, doesn't exist in these operating systems. The signalling system used in these operating systems isn't liable to this type of manipulation.

SEH overwrites do provide a plausible explanation for more vulnerabilities being exploitable in Windows.

http://www.i-hacked.com/freefiles/Ea...ploit_v1.3.pdf

http://www.sysdream.com/sites/defaul...s/sehop_en.pdf

8) Windows has far more public and/or unpatched vulnerabilities than OS X.

http://m.prnewswire.com/news-release...110606584.html -> article about 18 year old UAC bypass vulnerability.

9) Password handling in OS X is much more secure than Windows.

The default account created in Windows does not require a password. The protected storage API in Windows incorporates the users password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.

In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.

Also, Mac OS X Lion uses a salted SHA512 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used to store passwords in Windows 7.

http://www.windowsecurity.com/articl...ord-Part1.html -> article about Windows password hashing.

10) The new runtime security mitigation improvements to be included in Windows 8 have already been defeated.

http://vulnfactory.org/blog/2011/09/...op-mitigation/

To put this into perspective, methods to bypass the new runtime security mitigations in Mac OS X Lion are not yet available.

11)In regards to recent earlier version of Mac OS X:

The following article relates to varying levels of security mitigations in different Linux distros but it is applicable in revealing that the runtime security mitigations in some earlier versions of Mac OS X prior to Lion were far from inadequate.

http://www.blackhat.com/presentation...slr-slides.pdf

While Mac OS X Leopard/SL lack full ASLR, Windows Vista/7 have stack canaries (aka stack cookies) that are trivial to bypass.

The following link shows the issues with stack canaries in Windows. -> http://www.blackhat.com/presentation...rman-paper.pdf

So:

Windows Vista/7 = NX + ASLR
Mac OS X Leopard/SL = NX + stack cookies

These articles show that NX in combination with stack canaries is more difficult to bypass than a combination of NX and ASLR.

12) Mountain Lion only improves upon the security of Lion.

BTW, Safari on a Mac running Lion was not hacked at the last pwn2own.

[cr2]

Quote:

Originally Posted by spyguy10709

It can... as a matter of fact. That's what a virus is. UAC is useless, it's a ripoff of Unix based control - but it's not 100% accurate. Google windows privilege (whoops, slipped on the keys, so shoot me) escalation - and then get back to me. Thanks!

~Amateur Security Researcher

Sorry, but I came from Windows world. I know Mac is better and has some automatic update to safeguard us. How do I know that I am getting the updated definition (and the update program is not broken). Will really appreciate a response in simple words which I can then forward to everyone in the family. Most of the family moved to iPhone -> iPad -> Macs....

Thanks in advance.

[linuxcooldude]

Quote:

Originally Posted by PowerPCMacMan

In the PowerPC days, viruses and malware in OSX was unheard of. While I agree the move from PPC was a much needed one, the switch to Intel meant trouble ahead for OS X on x86 hardware. Now Apple is getting viruses and malware. Terrible if u ask me.

OS9 & bellow had 40 some odd viruses, trojans. Once Apple went to Mac OSX is virtually went to nil. Most of what Mac users get now is scammed by not knowing what they are doing.

In nearly all cases they have to type in their Administrators password with their own hands and in some cases their own phone numbers or sensitive data.

The operating system is working as it should to protecting the computer. But cannot protect the computer from the owner themselves blatantly typing things in without knowing what their doing or where it came from.

Quote:

Not exactly keeping up to date when they managed to compromise at least 500,000 users data last year with the flashback trojan.

Again by users themselves not knowing what they are doing.

[Tech198]

Quote:

Originally Posted by linuxcooldude

OS9 & bellow had 40 some odd viruses, trojans. Once Apple went to Mac OSX is virtually went to nil. Most of what Mac users get now is scammed by not knowing what they are doing.

In nearly all cases they have to type in their Administrators password with their own hands and in some cases their own phone numbers or sensitive data.

The operating system is working as it should to protecting the computer. But cannot protect the computer from the owner themselves blatantly typing things in without knowing what their doing or where it came from.



Again by users themselves not knowing what they are doing.

The problem also comes from those 'random" people who just go to any website without knowing what it is, or who owns it ...... That one website you opened yesterday, could now be infected and no one would know it.... even legitimate websites could (in theory) be as well, thats why "no script" exists. While not full proof, and nothing ever is, its still up to the user to make their own decision..... I bet you anything half the people who got infected by the flashback tool never took notice of what URL they were going to.

[linuxcooldude]

Quote:

Originally Posted by Tech198

The problem also comes from those 'random" people who just go to any website without knowing what it is, or who owns it ...... That one website you opened yesterday, could now be infected and no one would know it.... even legitimate websites could (in theory) be as well, thats why "no script" exists. While not full proof, and nothing ever is, its still up to the user to make their own decision..... I bet you anything half the people who got infected by the flashback tool never took notice of what URL they were going to.

Yeah, I remember going to some random website, a popup would tell me my windows PC is infected with a virus ( I was Running Linux at the time...lol ) With a cheap java/flash animation.

I think the best protection & security is knowledge. If a popup tells you need to install such and such file to use/view the website would raise a red flag with me.

[GGJstudios]

Quote:

Originally Posted by Sony311

And people always defended OSX for being virus/spyware free... LOL. Welcome to reality. Hopefully Apple can keep up with the variations that are no doubt going to be roaming out in the wild based on this.

No informed person ever claimed OS X to be malware free, only virus-free. A handful of OS X trojans have existed in the wild for some time, but no viruses.

Quote:

Originally Posted by PowerPCMacMan

In the PowerPC days, viruses and malware in OSX was unheard of.

Completely false. There were numerous viruses, trojans and other forms of malware in the wild that affected Mac OS 9 and earlier, far more than exists for OS X.

Quote:

Originally Posted by PowerPCMacMan

Now Apple is getting viruses and malware.

Malware in the form of trojans, yes. Viruses, no.

Quote:

Originally Posted by iGrip

Apple has zero malware.

False. There are Mac OS X trojans in the wild.

Quote:

Originally Posted by charlituna

There's been perhaps 1 Mac ox virus in the wild

Zero, actually.

Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X 10.6 and later versions have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.

Mac Virus/Malware FAQ

1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall
   
   
2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General
   
   
3. Disable Java in your browser (Safari, Chrome, Firefox). This will protect you from malware that exploits Java in your browser, including the recent Flashback trojan. Leave Java disabled until you visit a trusted site that requires it, then re-enable only for the duration of your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)
   
   
4. Change your DNS servers to OpenDNS servers by reading this.
   
   
5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.
   
   
6. If you're running Mountain Lion, check your Gatekeeper settings in System Preferences > Security & Privacy > General > Allow applications downloaded from. For more information on these settings: OS X: About Gatekeeper
   
   
7. Never let someone else have access to install anything on your Mac.
   
   
8. Don't open files that you receive from unknown or untrusted sources.
   
   
9. For added security, make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.
   
   
10. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.

That's all you need to do to keep your Mac completely free of any Mac OS X malware that has ever been released into the wild. While you may elect to use it, 3rd party antivirus software is not required to keep your Mac malware-free.

If you still want to run antivirus for some reason, ClamXav (which is free) is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges.

[MagnusVonMagnum]

Quote:

Originally Posted by RedCroissant

Nope. How did you come to that conclusion from my post?

Because a person who downloads unsigned software is taking an inherent risk. It may be a small risk, but it's still there, none-the-less. All this talk on here about only stupid people falling for this sort of thing needs to stop. It's not only against the rules, but it's inaccurate as well. Less educated people might be more likely to have a problem, statistically, but to even evaluate a problem one has to be aware of it first. Or do you think the first person that ever scanned their credit card at a gas pump that had a 3rd party scam scanner inserted into it (i.e. you're scanning with the scammer's scan reader, not the gas pump's) should have "just known" what to look for the first time one ever appeared? If a web site gets hacked or hijacked and the official software replaced with a perfect look-alike with a backdoor trojan, are you going to be too smart to fall for it and non download it with no visible signs that there's an issue??? Really? Seriously? Yeah, I don't think so. I think too many people on here have a false sense of security based solely on the reasoning that it hasn't happened to them yet. Well, I haven't been hit by lightning yet or won the super lotto, but I'm at least aware it COULD happen.

Quote:

I install all sorts of software from all sorts of sites and am more than capable of determining which sites to visit and which files/applications to download safely. I've been doing that for quite a few years now and have yet to download a virus/Trojan/ or other malware/spyware.

Yeah and I'm more than capable of judging whether a woman has an STD by looking her over carefully.

I see a lot of INSULTS going on in this thread about how STUPID people would have to be to get their computer infected. I've seen similar comments elsewhere about AIDS, etc. as well. These people think condoms never fail, birth control is 100% effective and other naive conclusions just because it hasn't happened to them (yet anyway). I simply think people could be a little less careless with their comments. It's not only against the rules to flame/insult people on here, but it can and will bite you in the hind quarter some day. To quote Bogart, "Maybe not today, maybe not tomorrow, but soon and for the rest of your life."

Quote:

Originally Posted by Max(IT)

And clearly you have no idea of what a Trojan is ... This kind of virus you have to install by yourself .... Is not OS X the problem: it's the user in front of the screen.

Actually, the problem is the criminal trying to trick people with look-alike software that is the real problem. Your logic reminds me of people who blame the woman for getting raped instead of the rapist.

[RedCroissant]

Quote:

Originally Posted by MagnusVonMagnum

Because a person who downloads unsigned software is taking an inherent risk. It may be a small risk, but it's still there, none-the-less. All this talk on here about only stupid people falling for this sort of thing needs to stop. It's not only against the rules, but it's inaccurate as well. Less educated people might be more likely to have a problem, statistically, but to even evaluate a problem one has to be aware of it first. Or do you think the first person that ever scanned their credit card at a gas pump that had a 3rd party scam scanner inserted into it (i.e. you're scanning with the scammer's scan reader, not the gas pump's) should have "just known" what to look for the first time one ever appeared? If a web site gets hacked or hijacked and the official software replaced with a perfect look-alike with a backdoor trojan, are you going to be too smart to fall for it and non download it with no visible signs that there's an issue??? Really? Seriously? Yeah, I don't think so. I think too many people on here have a false sense of security based solely on the reasoning that it hasn't happened to them yet. Well, I haven't been hit by lightning yet or won the super lotto, but I'm at least aware it COULD happen.



Yeah and I'm more than capable of judging whether a woman has an STD by looking her over carefully.

I see a lot of INSULTS going on in this thread about how STUPID people would have to be to get their computer infected. I've seen similar comments elsewhere about AIDS, etc. as well. These people think condoms never fail, birth control is 100% effective and other naive conclusions just because it hasn't happened to them (yet anyway). I simply think people could be a little less careless with their comments. It's not only against the rules to flame/insult people on here, but it can and will bite you in the hind quarter some day. To quote Bogart, "Maybe not today, maybe not tomorrow, but soon and for the rest of your life."



Actually, the problem is the criminal trying to trick people with look-alike software that is the real problem. Your logic reminds me of people who blame the woman for getting raped instead of the rapist.

First of all, I think you need to relax a bit and perhaps try reading my posts properly before responding to me when you really intend to respond to others in that way.

I never called anyone stupid or implied it. You can even check all of my other posts if you feel like and won't see me speaking to anyone in that manner or even implying it. See if you can find where I have insulted anyone on this site.

You initially question whether or not I only only download and install signed software and then make the snide comment that I must then have a limited selection.

I never said that my computer was immune or that I was guaranteed never to download malware/spyware; just that I hadn't yet. When you know what kind of app you are looking for, and are discriminating when looking for the sources; as you said, a "small" risk is involved. Small. Yes, the risk is still there. I haven't denied that, but I also don't download a BUNCH of unsigned software from strange sources or through torrents.

I understand that people can get scammed and that it is not always their fault. But if you have concerns about the nature of a credit card scanner; then don't use it. If you're worried at all that some chick you want has something that you don't; then you probably shouldn't. I know that birth control is not 100% effective and all of these analogies are irrelevant and also reflect why initial bad judgement when something seems a little off makes that action inherently more of a risk than going to trusted stations for a full tank, or trusted and statistically safer areas to empty the other tanks. In those cases, the person that refuses to acknowledge the increased risk must also take some of the blame in their own theft or infection. True, not all the blame, but there is some degree of culpability involved.

You should also consider your wording because even though you don't say people that download malware/spyware are stupid, your phrasing implies that the ignorant ones are statistically more prone to it. Because of this, those that are intelligent and discriminating(based on your own statement) are less likely to be a victim. As such, the more educated and prepared are then even less likely than the mildly educated; and so on and so forth.

And I really wish that they would bring the down-vote back just so I could counteract those that think your post was helpful or appropriate; because it wasn't.

[makitango]

Seems strange to me that no malware/scam programmer understands a thing about imitating a typical OS X installer. The fonts are placed way off, centered in a strange way and badly cascaded, and the background within the installer... ugh!

[munkery]

Quote:

Originally Posted by MagnusVonMagnum

If a web site gets hacked or hijacked and the official software replaced with a perfect look-alike with a backdoor trojan, are you going to be too smart to fall for it and non download it with no visible signs that there's an issue??? Really? Seriously? Yeah, I don't think so.

Apps that are installed via drag and drop that don't require password authentication don't have sufficient privileges to key log protected data entry or expose protected storage. So these apps aren't viable for this type of malware. Also most popular apps use the Sparkle framework for updating.

Apps that install with sufficient privileges to compromise protected data entry and protected data storage are installed via an installer.

Most installers and updaters, such as the Sparkle framework, verify checksums to mitigate the malware attack you describe from occurring.

Also, using the code signing available in OS X L/ML via Gatekeeper mitigates these types of attacks via the same mechanism as installers and updaters.

So the chance of this type of attack successfully targeting OS X users is unlikely.

[MagnusVonMagnum]

Quote:

Originally Posted by munkery

Apps that are installed via drag and drop that don't require password authentication don't have sufficient privileges to key log protected data entry or expose protected storage. So these apps aren't viable for this type of malware. Also most popular apps use the Sparkle framework for updating.

Apps that install with sufficient privileges to compromise protected data entry and protected data storage are installed via an installer.

Most installers and updaters, such as the Sparkle framework, verify checksums to mitigate the malware attack you describe from occurring.

Also, using the code signing available in OS X L/ML via Gatekeeper mitigates these types of attacks via the same mechanism as installers and updaters.

So the chance of this type of attack successfully targeting OS X users is unlikely.

Most installers and updaters? Do you really think a trojan is going to use the official installer or updater or just imitate their appearance?

The real question is whether the user is going to be able to tell the difference. Obviously, bad grammar, odd fonts, etc. could be giveaways, but a good scam isn't going to make those mistakes (and that doesn't stop some for falling for the bad ones either, it seems).

Gatekeeper sounds good in theory, but falls apart in practice if you have a large variety of software to install and you actually want the software rather than just whining why doesn't the author have a certificate on file with Apple. I had to disable it within 20 minutes of starting up my new computer because it refused to let me install any number of programs (many of them older ones that aren't necessarily updated, but are still plenty useful).

As for passwords, there are PLENTY of programs that DO require them (e.g. anything that installs a preference pane like "A Better Finder", Adobe Flash, Flip4Mac, Microsoft's Mouse driver, Perian, to name just a few) all require a password to install. Is the average user going to realize that a trojan version of a given program is asking for password permission and the real program would not ask for it when they don't have the real program? Is the average person aware of the difference? Would the average person even know about any of these things?

My point is that "average" Mac users aren't super knowledgeable about computers in general and are therefore at greater risk for malware like trojans than ones that do, but no one is at zero risk that uses a computer over the Internet. It may be "unlikely" but so is getting hit by lightning and that still happens to over 1000 people each year. I'd dare say malware victims number considerably higher than that (even on the Mac). Are they all "stupid?" A lot of people on here sure think so, but I simply see no need for name-calling (which is all over this thread). It's childish and makes me question the intelligence of the very people calling others stupid.

[munkery]

Quote:

Originally Posted by MagnusVonMagnum

Most installers and updaters? Do you really think a trojan is going to use the official installer or updater or just imitate their appearance? ...

Your post referred to hijacking the download location of apps by hacking developers websites and etc. Your post didn't reference Trojans in general. So I responded to the content of your post.

If an app updates via the Sparkle framework then already installed versions of the app won't be updated to the malicious version due to the checksum verification.

Gatekeeper includes the same type of verification so users that are updating existing installs wouldn't be affected.

Most popular third party apps use the Sparkle framework or are found in the App Store or use a Mac developer digital certificate from Apple.

In reference to fresh installs, developers would realize something was wrong when their own app that they are hosting doesn't match it's own checksum. I doubt such malicious apps would be hosted very long for any popular app still under active development.

Gatekeeper also protects users from Trojans in general because unsigned apps can't run until manually allowed to do so. This prevents Trojans from sneaking into the system.

BTW, Gatekeeper allows users to manually create exceptions for individual apps without completely turning Gatekeeper off so Gatekeeper doesn't need to be disabled to run unsigned apps but the user does have to manually create an exception for unsigned apps to run.

Also, if users only run signed apps by not manually bypassing Gatekeeper for any unsigned apps, then unsigned apps won't be run and the risk of Trojans is mitigated.

[MagnusVonMagnum]

Quote:

Originally Posted by munkery

Your post referred to hijacking the download location of apps by hacking developers websites and etc. Your post didn't reference Trojans in general. So I responded to the content of your post.

Am I living in the Twilight Zone or something? This is the quote of my reply in your own post:

Quote:

MagnusVonmagnum said,:
If a web site gets hacked or hijacked and the official software replaced with a perfect look-alike with a backdoor trojan, are you going to be too smart to fall for it and non download it with no visible signs that there's an issue??? Really? Seriously? Yeah, I don't think so.

I think I said TROJAN quite clearly. It is, after all, the focal point of the thread.

Quote:

Gatekeeper also protects users from Trojans in general because unsigned apps can't run until manually allowed to do so. This prevents Trojans from sneaking into the system.

It doesn't prevent anything because non-signed apps HAVE to be overriddent to install period (legitimate or not, it doesn't matter; you still have to click OK. If you think it's legit and therefore click OK, but it isn't, how does Gatekeeper "help" identify it? Gatekeeper is only useful if you ONLY run signed apps, but as I said way back at the beginning, that limits the software you can run on your machine. I just installed Fan Control by Lobotomo (from 2007). I needed it to automate my fan and make sure my Mac Mini doesn't slowly fry itself when encoding Handbrake content, etc. (SMCFanControl has no such protection; it's purely higher minimums and manual control). If I used Gatekeeper and refused to override for fear of malware, I wouldn't be able to install it period. Gatekeeper is USELESS to me there.

[munkery]

Quote:

Originally Posted by MagnusVonMagnum

Am I living in the Twilight Zone or something? This is the quote of my reply in your own post:
...
I think I said TROJAN quite clearly. It is, after all, the focal point of the thread.

See highlighted portion in the following quote from your post:

Quote:

Originally Posted by MagnusVonMagnum

If a web site gets hacked or hijacked and the official software replaced with a perfect look-alike with a backdoor trojan, are you going to be too smart to fall for it and non download it with no visible signs that there's an issue??? Really? Seriously? Yeah, I don't think so.

The context of your entire post is that knowledgeable users could still get a trojan via this type of attack.

I stated why that type of attack is unlikely to be successful, which is the reason that these attacks rarely occur. I can't recall an incident of this type of attack occurring targeting OS X recently or in the past. This type of attack definitely doesn't have a high incidence rate most likely specifically due to the reasons I provided. More specifically, the reason being checksum verification.

Quote:

Originally Posted by MagnusVonMagnum

It doesn't prevent anything because non-signed apps HAVE to be overriddent to install period (legitimate or not, it doesn't matter; you still have to click OK. If you think it's legit and therefore click OK, but it isn't, how does Gatekeeper "help" identify it?

In combination with XProtect which is included with OS X by default.

Quote:

Originally Posted by MagnusVonMagnum

Gatekeeper is only useful if you ONLY run signed apps, but as I said way back at the beginning, that limits the software you can run on your machine. I just installed Fan Control by Lobotomo (from 2007). I needed it to automate my fan and make sure my Mac Mini doesn't slowly fry itself when encoding Handbrake content, etc. (SMCFanControl has no such protection; it's purely higher minimums and manual control). If I used Gatekeeper and refused to override for fear of malware, I wouldn't be able to install it period. Gatekeeper is USELESS to me there.

Did Fan Control turn out to be malware?

No, so provide that app with an manual exemption and Gatekeeper still works as intended and prevents other unsigned apps from sneaking onto the system.

For example, if a trojan is an app disguised as a PDF, Gatekeeper prevents it from executing when the user tries to open the fake PDF due to the rogue app being unsigned.

It is safer to just create manual exemptions for an unsigned app that the user can vet and keep Gatekeeper enabled to mitigate the attacks I just described.

Am I in the twilight zone? Do you not understand how Gatekeeper can be a benefit in this regard?

BTW, Flip4Mac is now signed with an Apple certificate.

[MagnusVonMagnum]

Quote:

Originally Posted by munkery

See highlighted portion in the following quote from your post:

Yeah, it says TROJAN right in it.

Quote:

The context of your entire post is that knowledgeable users could still get a trojan via this type of attack.

And you COULD get one from an unsigned developer that way. I never said it was "likely" to happen. I said it could happen and being "smart" has NOTHING to do with it. (i.e. post after post on here always say how STUPID people would have to be to get a trojan and yet they seem to have no idea what a trojan is or how it operates).

As your own picture shows, the ONLY thing Gatekeeper does is tell you that you've gotten the program off the Internet and ask you if you're sure you'd like to open this app from an unrecognized developer. How is that helpful if you need/want that program? Your only choices are to either NOT open it (which means you're "safe" but you don't get to use the software you need/want) or TAKE YOUR CHANCES.

Quote:

Did Fan Control turn out to be malware?

No, so provide that app with an manual exemption and Gatekeeper still works as intended and prevents other unsigned apps from sneaking onto the system.

You're missing the point. If it HAD been malware, it would have been too late to do anything about it. Once you give the password to install at a root level, the program is free to trash your hard drive if it wants to. What good would an exception do AFTER the fact? That just lets you keep the Gatekeeper setting on for that site, but you would have already had to verify (and take the associated risk) that the site and program were safe. And with site hijacks, it could potentially be safe one day and not safe the next. No, it doesn't happen very often, especially on OSX. But that doesn't mean it can't happen and those on here telling people they're stupid don't seem to get that.

Quote:

For example, if a trojan is an app disguised as a PDF, Gatekeeper prevents it from executing when the user tries to open the fake PDF due to the rogue app being unsigned.

You do realize Snow Leopard doesn't have Gatekeeper, right? What are those users going to do, especially those that cannot (or don't want to for other reasons like Rosetta being gone) upgrade to Mountain Lion because Apple abandoned their hardware? Go buy a new machine?

Quote:

It is safer to just create manual exemptions for an unsigned app that the user can vet and keep Gatekeeper enabled to mitigate the attacks I just described.

Like I said, that won't help for the exceptions since you won't know they're safe until it's too late. That's the very reason Apple has them denied by default (well some might say AND to encourage you to buy from the App Store and/or paid developers; all of which garners more money for Apple).

And thus the real problem with Gatekeeper is that Apple can and may very well misuse it in the future to block all software that isn't coming from their own App store since they want that 30% take on all software sales from every developer on Earth like they're already getting from iOS developers (well at least the ones that haven't had to go jailbreak because Apple doesn't "like" their software for competition, adult software or other spurious "Big Brother" type reasons). Personally, I don't want that extended to OSX in general and Gatekeeper is a BIG step in that direction.

[munkery]

Quote:

Originally Posted by MagnusVonMagnum

Yeah, it says TROJAN right in it.

And you COULD get one from an unsigned developer that way. I never said it was "likely" to happen. I said it could happen and being "smart" has NOTHING to do with it. (i.e. post after post on here always say how STUPID people would have to be to get a trojan and yet they seem to have no idea what a trojan is or how it operates).

Checksum verification by developer and via Sparkle framework.

Both have nothing to do with signed apps and were around long before code signing.

Quote:

As your own picture shows, the ONLY thing Gatekeeper does is tell you that you've gotten the program off the Internet and ask you if you're sure you'd like to open this app from an unrecognized developer. How is that helpful if you need/want that program? Your only choices are to either NOT open it (which means you're "safe" but you don't get to use the software you need/want) or TAKE YOUR CHANCES.

XProtect

Quote:

[...] And with site hijacks, [...] No, it doesn't happen very often, especially on OSX. [...]

Exactly, thanks!

Quote:

You do realize Snow Leopard doesn't have Gatekeeper, right? What are those users going to do, especially those that cannot (or don't want to for other reasons like Rosetta being gone) upgrade to Mountain Lion because Apple abandoned their hardware? Go buy a new machine?

File Quarantine, included since Leopard, provides the same protection. Gatekeeper is just more effective.

File Quarantine notifies the user if a PDF or other file is actually an executable.

Quote:

Like I said, that won't help for the exceptions since you won't know they're safe until it's too late. That's the very reason Apple has them denied by default (well some might say AND to encourage you to buy from the App Store and/or paid developers; all of which garners more money for Apple).

It's still better than not having those protections available at all.

Quote:

And thus the real problem with Gatekeeper is that Apple can and may very well misuse it in the future to block all software that isn't coming from their own App store since they want that 30% take on all software sales from every developer on Earth like they're already getting from iOS developers (well at least the ones that haven't had to go jailbreak because Apple doesn't "like" their software for competition, adult software or other spurious "Big Brother" type reasons). Personally, I don't want that extended to OSX in general and Gatekeeper is a BIG step in that direction.

Puts on tin foil hat.

[MagnusVonMagnum]

Quote:

Originally Posted by munkery

Checksum verification by developer and via Sparkle framework.

I'll say this one last time and then I'm done. Trojans DO NOT USE Apple's actual installation software. That's why they're trojans....(sigh)

[munkery]

Quote:

Originally Posted by MagnusVonMagnum

I'll say this one last time and then I'm done. Trojans DO NOT USE Apple's actual installation software. That's why they're trojans....(sigh)

Checksum verification by the developer has nothing to do with Apple's actual installation software.

The Sparkle framework is developed by a third party and has nothing to do with Apple's actual
Installation software.

Don't forget that our conversation is referring to the scenario of the website of an app being hacked and hijacked with the actual app being replaced with a malicious counterfeit; different variables apply.