Kaspersky did describe what their OS identification method was by linking to a Wikipedia article on TCP/IP stack fingerprinting. As the wiki article says:

http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting

Yes, I had read it, it's just that although that description is enough to get a rough understanding of the technique, it allows different implementations and the generic concepts don't give a good idea about error margins. It was only for the sake of getting a better picture of what these margins are, not that it makes an essential difference.
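The "error margins" point above is easiest to see in code. The following is an added illustration of the generic passive technique described in the linked article, not Kaspersky's method or code and not any real tool's database: it parses a TCP SYN for the fields a passive observer can read (initial TTL, window size, DF flag, option order), scores it against a small signature table, and reports the gap between the best and second-best match. The signature values and scoring weights are assumptions chosen for this example (loosely modelled on p0f-style entries), and the packets are constructed inline.

```python
import struct
from collections import namedtuple

# What a passive observer can read off a single TCP SYN.
Fingerprint = namedtuple("Fingerprint", "ttl window df options")

# Illustrative signature table (assumed; NOT Kaspersky's or any real tool's
# database). ttl here is the sender's *initial* TTL, window the raw SYN window.
SIGNATURES = {
    "Linux 2.6":     Fingerprint(64, 5840, True, ("mss", "sackok", "ts", "nop", "ws")),
    "Windows XP":    Fingerprint(128, 65535, True, ("mss", "nop", "nop", "sackok")),
    "Mac OS X 10.x": Fingerprint(64, 65535, True, ("mss", "nop", "ws", "nop", "nop", "ts", "sackok")),
}

OPTION_KINDS = {2: "mss", 3: "ws", 4: "sackok", 8: "ts"}
# Encoders used only to construct the sample packets below.
OPTION_BYTES = {
    "mss": bytes([2, 4, 0x05, 0xB4]),       # MSS 1460
    "nop": bytes([1]),
    "ws": bytes([3, 3, 7]),                 # window scale 7
    "sackok": bytes([4, 2]),
    "ts": bytes([8, 10]) + bytes(8),        # timestamps, zeroed
}


def build_syn(ttl, window, df, options):
    """Construct a raw IPv4 + TCP SYN header (no checksums; sample input only)."""
    raw_opts = b"".join(OPTION_BYTES[o] for o in options)
    raw_opts += bytes(-len(raw_opts) % 4)          # EOL padding to 32-bit boundary
    tcp_len = 20 + len(raw_opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      ((tcp_len // 4) << 12) | 0x02,   # data offset + SYN flag
                      window, 0, 0)
    return ip + tcp + raw_opts


def parse_syn(pkt):
    """Extract the passive fingerprint fields from a raw IPv4/TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    ttl = pkt[8]
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, names, i = tcp[20:data_off], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # EOL: stop
            break
        if kind == 1:                 # NOP: single byte, no length
            names.append("nop"); i += 1; continue
        names.append(OPTION_KINDS.get(kind, "opt%d" % kind))
        i += opts[i + 1]              # TLV length covers kind+len+data
    return Fingerprint(ttl, window, df, tuple(names))


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    for cand in (64, 128, 255):
        if observed <= cand:
            return cand
    return 255


def score(fp, sig):
    """Weighted field agreement; option order is the most distinctive field."""
    s = 0
    s += 2 if initial_ttl(fp.ttl) == sig.ttl else 0
    s += 2 if fp.window == sig.window else 0
    s += 1 if fp.df == sig.df else 0
    s += 3 if fp.options == sig.options else 0
    return s


def rank(fp):
    """All candidate OSes ordered by score (ties broken by name)."""
    return sorted(((n, score(fp, s)) for n, s in SIGNATURES.items()),
                  key=lambda t: (-t[1], t[0]))


def margin(ranked):
    """Gap between best and runner-up: a small gap means an unreliable guess."""
    return ranked[0][1] - ranked[1][1]


if __name__ == "__main__":
    clean = parse_syn(build_syn(60, 65535, True, SIGNATURES["Mac OS X 10.x"].options))
    print(rank(clean), "margin", margin(rank(clean)))
    # Mixed traits: TTL and window like one OS, option order like another.
    mixed = parse_syn(build_syn(50, 65535, True, ("mss", "nop", "nop", "sackok")))
    print(rank(mixed), "margin", margin(rank(mixed)))
```

The second sample is the interesting one: its TTL and window agree with the Mac entry while its option order agrees with the Windows entry, so the top two candidates end up one point apart. A real implementation's error margin depends entirely on how it weights those fields and how complete its table is, which is exactly what the generic description leaves open.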


How about my old PowerPC iMac G5 running Leopard? How can I update it? There is no Java update released from Apple. :( :confused: :eek:

Concerning this particular malware, it's my understanding that it doesn't affect PowerPC systems. Concerning the Java security hole, I don't know if it was already present in Leopard, but in any case I think Apple no longer provides security updates nor Java updates for Leopard.
 
It has started! :eek:

But seriously, smart users will just disable Java on their browsers from now on.

Just disable Java in Safari Preferences.

And when malware that exploits a flaw in HTML or CSS rendering appears, will "smart people just disable HTML or CSS"?

How about a flaw in h264 decoding, or in JPEG or PNG display? What about a flaw in the TCP/IP stack?

Taking that argument to its reductio ad absurdum conclusion, "smart people" will never power on their computers. A powered-off Apple is immune to all threats.
 
Most of that is simply computing common sense, such as not pirating software or letting others install software on your computer or using secure passwords. None of those things are OS-specific. In fact, of that list, only the first 3 items are specific to Mac OS X.

Not even the first 3 are specific to Mac OSX since there are Windows equivalents. I know Windows users that just refuse to install security software and just follow the steps you outlined. It's not uncommon and to my knowledge works to a good degree.
 
Not even the first 3 are specific to Mac OSX since there are Windows equivalents. I know Windows users that just refuse to install security software and just follow the steps you outlined. It's not uncommon and to my knowledge works to a good degree.

True, but the recommendation regarding having a complex passphrase doesn't stop malware. I'd also state as a security professional that anyone who relies on 'common sense' will get exploited at some point, why not have multiple layers of protection?
 
And when malware that exploits a flaw in HTML or CSS rendering appears, will "smart people just disable HTML or CSS"? How about a flaw in h264 decoding, or in JPEG or PNG display? What about a flaw in the TCP/IP stack?
Name one example of Mac OS X malware that exists in the wild that functions like that. Also, I didn't suggest that you disable everything; only Java, which isn't needed for most web browsing by most users.
True, but the recommendation regarding having a complex passphrase doesn't stop malware.
It does help prevent networks, computers, online accounts, etc. from being compromised. Not all security threats are malware.
 
Name one example of Mac OS X malware that exists in the wild that functions like that.

A week or so ago Java wouldn't have come up as an "existing in the wild" threat.

Next week, maybe a CSS exploit will show up....


Also, I didn't suggest that you disable everything; only Java, which isn't needed for most web browsing by most users.

But, once you start disabling parts of the web because of security issues - where do you stop? And what if one needs Java?

I'm just pointing out that your argument that one can simply disable any possible vectors for infection is absurd.

Particularly absurd since "FlashBack" relies on Apple's negligence in keeping Java on Apple up-to-date - the next trojan may use a different vector - so that disabling Java will have no impact on the vulnerability to the next major Apple OSX malware infection.


It does help prevent networks, computers, online accounts, etc. from being compromised. Not all security threats are malware.

Indeed, disabling the GbE/WiFi/BT network connections is the best and fastest way to secure your computer.
 
A week or so ago Java wouldn't have come up as "existing in the wild".
False. There was a Java exploit back in October 2010. I've been recommending disabling Java since then.
But, once you start disabling parts of the web because of security issues - where do you stop? And what if one needs Java?
First, disabling Java isn't necessary if the updates are applied. My response you quoted was for a user running Leopard, which doesn't have the updates available. Also, if someone visits a trusted site that requires Java, a simple mouse click enables it for the duration of the visit. There are many other ways to prevent infection by this malware. Disabling Java is a simple fix for most people, and it's not permanent. It can be enabled any time it's needed.
I'm just pointing out that your argument that one can simply disable any possible vectors for infection is absurd.
It's not absurd. Some vectors need to be disabled, such as Safari's "Open "safe" files after downloading", which never should have been enabled in the first place. What do you think antivirus apps do? They disable vectors for infection. No, they don't usually disable functionality entirely in the process, but if you have an "unlocked door" through which malware can enter, common sense is to lock the door. In the absence of Java updates, disabling it until needed is a valid approach, and one that Apple recommends, as well.
Particularly absurd since "FlashBack" relies on Apple's negligence in keeping Java on Apple up-to-date - the next trojan may use a different vector - so that disabling Java will have no impact on the vulnerability to the next major Apple OSX malware infection.
That's quite possible, but since Java has been exploited by two strains of malware in the past 18 months, disabling it until needed is a wise approach.

I assume you have a better solution?
 
It does help prevent networks, computers, online accounts, etc. from being compromised. Not all security threats are malware.

Of course, but why place it within a section related to Malware? I'd challenge that it prevents networks and computers from being compromised in the absolute context you present, as compromise from poor access controls is only part of the equation.

You will also be perfectly aware, as an expert in the field, that there is clear evidence that it's not the complexity, but the length of a passphrase that provides the greatest protection.
 
It amuses me how Apple's lacking approach to security is still defended. Call it what you want, virus or Trojan, it still shouldn't have happened.
 
Of course, but why place it within a section related to Malware?
Why not? Security is security. There is no rule for what can and can't be suggested to keep a Mac secure. Also, I can't count the number of posts I've seen by users swearing they'd been hacked or had a virus, when the only thing that happened was their email account was compromised due to a weak password. So it's perfectly appropriate to mention it while discussing keeping a Mac secure.
I'd challenge that it prevents networks and computers from being compromised in the absolute context you present, as compromise from poor access controls is only part of the equation.
Did you read my post?
It does help prevent networks, computers, online accounts, etc. from being compromised. Not all security threats are malware.
You will also be perfectly aware, as an expert in the field, that there is clear evidence that it's not the complexity, but the length of a passphrase that provides the greatest protection.
While I never claim to be an expert, I do agree that password length is important, as well. Some sites limit the length of the password, and the suggestion isn't intended to be a total answer for all password-related best practices. However, it will hopefully encourage people to put more thought into creating a password, instead of using something like "blue" or "password" or "apple".
It amuses me how Apple's lacking approach to security is still defended.
Perhaps I'm missing such posts. Who is defending Apple? I think it's pretty clear they dropped the ball... again.
 
If and when a virus is released in the wild for Mac OS X or later, the same will be true for Mac users. We're just not there yet, since safe computing practices can still completely protect against all Mac OS X malware in the wild.

Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago.

What about OSX.MachArena.A and OSX/Oomp-A?
 
What about OSX.MachArena.A
Proof-of-concept.... never in the wild.
Macarena was a proof-of-concept virus. It consisted of source code and instructions on compiling it, meaning that the user would have to compile and run it with full knowledge of what they were doing to become infected. It did not actually do anything other than copy itself, as a demonstration that such things were possible on a Mac. It was never seen as an actual virus in the wild.
OSX/Oomp-A?
That's not a virus. A trojan/worm:
The Oompa-Loompa malware, also called OSX/Oomp-A or Leap.A, is an application-infecting, LAN-spreading worm...

The Leap worm is delivered over the iChat instant messaging program as a gzip-compressed tar file called latestpics.tgz. For the worm to take effect, the user must manually invoke it by opening the tar file and then running the disguised executable within.
 
Just disable Java in Safari Preferences.

That's not a real solution. There are way too many GUI elements that rely on Java to implement something like that in wide scale.

Anyway, Apple dropped the ball big time with this one. They had two months to patch it up but instead they only acted after widespread trojan infection among Mac users. Regarding the severity of Flashback, I would say it's probably the last trojan I would like to see on my Macs. Apparently one of the Flashback downloader's goals is to install a payload that steals credit card numbers, bank account log-in information and other similar personal data. Information like that can be used to create large-scale credit card counterfeiting operations etc. Therefore, one can assume that this operation is controlled by an entity with connections to organised crime or at the very least with the intention of selling the data to a group capable of utilising such information. This is very much in line with their approach of totally avoiding Macs that have any programs installed that could inform the user about the existence of the Flashback trojan. With this approach they have managed to access 600,000 Macs. If you consider the financial implications, the author can create massive overall financial damage even with micro-transactions.

All in all I believe this is a turning point regarding the necessity of running additional security software on a Mac. It's clear that Apple is not capable of providing timely security updates to prevent large-scale vulnerability abuse, so end users need to choose another solution, either by disabling features on their systems or by choosing some security software to prevent attacks. Personally I don't see disabling features as an attractive solution. Luckily there are good security solutions available for the Mac. Even those who are confident about Mac security should at least be running something like Little Snitch to inform the user about network traffic. Those who like more peace of mind are most likely happier with something like Sophos for Mac (free antivirus software for Mac), which costs a fortune for business users but so far has been free for home users. Anyway, when the next trojan hits the Mac it's your own fault if you get bitten. You know you can't trust Apple to provide timely security updates, and you can get infected just by visiting web sites, so the vast majority of users are not safe without taking some preventive measures.

That said, I truly hope that Apple spends a couple of those billions and purchases one of the well-established security firms and integrates rock-solid security monitoring into future Mac OS X. Unfortunately this has nothing to do with Apple's walled garden approach, since the threat can be anywhere from a mail attachment to a web banner on a regular site.

Edit: I think it's somewhat funny that out of those 600,000 infected Macs, 274 are in Cupertino. To be fair, it's not said that those 274 are owned or controlled by Apple, but even the possibility of that is somewhat funny. If they are, then at least Apple doesn't need to go far to get a sample... Anyway, MacRumors should contact the Flashback authors to get the latest scoop on Apple since they have their "inside source..."

http://nakedsecurity.sophos.com/2012/04/05/mac-botnets-gaining-traction-using-drive-by-java-exploit/
 
Those who like more peace of mind are most likely happier with something like Sophos for Mac (free antivirus software for Mac), which costs a fortune for business users but so far has been free for home users. Anyway, when the next trojan hits the Mac it's your own fault if you get bitten. You know you can't trust Apple to provide timely security updates, and you can get infected just by visiting web sites, so the vast majority of users are not safe without taking some preventive measures.

Out of curiosity, was Sophos able to prevent infection by this Flashback variant before Java was updated last week?
 
Out of curiosity, was Sophos able to prevent infection by this Flashback variant before Java was updated last week?

Yes, they updated the definitions when Flashback was first seen in the wild. However, even before that, Flashback's Java manipulation activity triggered a warning which prevented the installation of Flashback in the first place. Therefore, now Sophos detects and removes Flashback. Before the definitions of late March, Sophos only detected the malware activity (Flashback in this case) due to the way it manipulated Java but couldn't remove it if the user was already infected.
 
Yes, they updated the definitions when Flashback was first seen in the wild. However, even before that, Flashback's Java manipulation activity triggered a warning which prevented the installation of Flashback in the first place. Therefore, now Sophos detects and removes Flashback. Before the definitions of late March, Sophos only detected the malware activity (Flashback in this case) due to the way it manipulated Java but couldn't remove it if the user was already infected.

Another poster has just reported being infected despite having Sophos installed. I don't think I'm qualified to say whether antivirus software is advisable or not, but I believe many antivirus users have something in common with many Mac users: a certain tendency to feel overconfident about their protection. Besides the need for a faster response to threats, that's where I think that OS and security software vendors have failed: in educating their users about the limited extent of their security and the part of the responsibility that still resides with the user.
 
That's not a real solution. There are way too many GUI elements that rely on Java to implement something like that in wide scale.
That's not true. I've been leaving Java disabled since 2010 and have only encountered a handful of sites where I had to enable it to have the site function properly. Most users will rarely, if ever, notice any change in their surfing if they disable Java in Safari.
Out of curiosity, was Sophos able to prevent infection by this Flashback variant before Java was updated last week?
Sophos should be avoided, as it could actually increase your Mac's vulnerability, as described here and here. Also, Sophos was NOT one of the antivirus apps that the trojan looked for and uninstalled itself upon detection.
Yes, they updated the definitions when Flashback was first seen in wild.
False. None of the antivirus apps updated definitions until the trojan had been in the wild for some time. This is part of the problem in running antivirus apps. They cannot detect malware that did not previously exist, so when a new threat is released in the wild, antivirus apps offer zero protection, where practicing safe computing does offer protection.
 
False. None of the antivirus apps updated definitions until the trojan had been in the wild for some time. This is part of the problem in running antivirus apps. They cannot detect malware that did not previously exist, so when a new threat is released in the wild, antivirus apps offer zero protection, where practicing safe computing does offer protection.

Perhaps you should type "zero day protection" into Bing and see the list of products that do provide protection of unseen threats.

Many anti-malware apps use heuristics to detect anomalous behaviour by apps.

http://www.symantec.com/theme.jsp?themeid=star&tabID=4

Behavior-based protection technology provides an effective and non-invasive protection from previously unseen zero-day computer threats.

The Symantec Online Network for Advanced Response (SONAR) is the main engine of our behavior-based technology and features: a classification engine based in artificial intelligence, human-authored behavioral signatures, and a behavioral policy lockdown engine.

Together these components combine to provide industry-leading security protection against threats that are most often social engineered and targeted attacks.


http://www.symantec.com/theme.jsp?themeid=star&tabID=2

Modern antivirus solutions go beyond simple pattern matching and apply generic and heuristic techniques when looking for threats. In fact, the best antivirus engines provide multiple methods for identifying known and unknown threats. Symantec’s file-based protection is one such technology
 
Perhaps you should type "zero day protection" into Bing and see the list of products that do provide protection of unseen threats.

Many anti-malware apps use heuristics to detect anomalous behaviour by apps.
Heuristics are based on historical information gathered from prior instances of malware, and are quite useful in Windows-based antivirus apps, where there is a wealth of information about prior infections available. Where there is no historical information, as in the case of a Mac OS X virus, since there never has been one in the wild, heuristics are useless.
 
Heuristics are based on historical information gathered from prior instances of malware, and are quite useful in Windows-based antivirus apps, where there is a wealth of information about prior infections available. Where there is no historical information, as in the case of a Mac OS X virus, since there never has been one in the wild, heuristics are useless.

I politely disagree. For example, an app attempting to break into the Keychain is suspicious behaviour.
 
Sophos should be avoided, as it could actually increase your Mac's vulnerability, as described here and here. Also, Sophos was NOT one of the antivirus apps that the trojan looked for and uninstalled itself upon detection.

That's still bad advice, as it's like saying that you shouldn't use flash as it may have an issue in the future. A better comment is to say that in your opinion it should be avoided and then let people make up their own minds. You are being quoted as being an expert on this forum, but the fact is that you're not always right.

Your point about heuristics also misses the point that cybercriminals rarely create Mac malware, they merely adapt existing malware to work on Mac. That Sophos could detect something wrong with Flashback, before it was widely known about, but not delete it proves this point.
 
I politely disagree. For example, an app attempting to break into the Keychain is suspicious behaviour.
You are welcome to disagree all you like. Facts are facts. Blocking a particular access point is not heuristics. It's not even antivirus activity. It's just basic security. That's why the Keychain can be locked with a password.

You can block or restrict certain kinds of activities, such as modifying system files, whether malware is involved or not, and Mac OS X already does this.

Heuristics are used in the anti-malware industry to attempt to identify new malware based on characteristics or patterns displayed by earlier versions or instances of malware, and for Mac OS X, there isn't enough prior history to make the use of heuristics as useful as it is with Windows malware.
That's still bad advice, as it's like saying that you shouldn't use flash as it may have an issue in the future. A better comment is to say that in your opinion it should be avoided and then let people make up their own minds.
It's not bad advice. If you choose to ignore it, that's your choice. It's not just my opinion. It's been documented by others. Nothing I have ever said prevents anyone from making up their own mind.
You are being quoted as being an expert on this forum
Who has ever claimed that I'm an expert? Certainly not me.
but the fact is that you're not always right.
No, I'm not always right, as I've said many times before.
Your point about heuristics also misses the point that cybercriminals rarely create Mac malware, they merely adapt existing malware to work on Mac.
No, it doesn't miss the point. Heuristics are of limited to no value in protecting Mac users from future, not-yet-created malware. That's the point. No antivirus app can protect you from something that hasn't been created yet, especially based on little to no history.
That Sophos could detect something wrong with Flashback, before it was widely known about, but not delete it proves this point.
Sophos didn't detect Flashback when it was first encountered. That's the point. It was useless in providing any protection. At least some other apps provided inadvertent protection.
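The disagreement in the last several posts (whether "heuristics" means patterns learned from prior samples, or whether behaviour such as an app reaching into the Keychain can be flagged on its own) is easier to judge with both detectors side by side. The following is an added example written for this thread, not code from Sophos, Symantec or any product mentioned above: a hash-based signature check next to a small behaviour scorer run over a constructed activity log. The log lines, rule weights, threshold and the list of processes allowed to open a keychain are all assumptions made up for the example, and the log format is invented, not a real Mac OS X log.

```python
import hashlib
from collections import defaultdict

# Signature side: hashes of samples already analysed (constructed for the demo).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"sample-analysed-last-month").hexdigest()}


def signature_verdict(sample_bytes):
    """Hash lookup: only ever catches bytes that have been seen and catalogued."""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_SHA256


# Behaviour side: rules describe what hostile code *does* (persist, reach for
# credentials, launch from scratch space) regardless of any sample's bytes.
# Weights and the keychain exemption list are assumptions for this example.
KEYCHAIN_READERS = {"securityd", "security"}

RULES = [
    ("keychain_open", 4, lambda e: e["action"] == "open"
        and "/Library/Keychains/" in e["target"]
        and e["proc"] not in KEYCHAIN_READERS),
    ("launchagent_write", 3, lambda e: e["action"] == "write"
        and "/Library/LaunchAgents/" in e["target"]),
    ("exec_from_tmp", 3, lambda e: e["action"] == "exec"
        and e["target"].startswith("/tmp/")),
    ("outbound_connect", 1, lambda e: e["action"] == "connect"),
]


def parse_event(line):
    """'<ts> k=v k=v ...' -> dict (constructed log format, not a real OS X log)."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = ts
    return ev


def behavioral_verdicts(log_text, threshold=6):
    """Score each process by the rules it trips; flag those at/over threshold."""
    scores = defaultdict(int)
    fired = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for name, weight, pred in RULES:
            if pred(ev):
                scores[ev["proc"]] += weight
                fired[ev["proc"]].append(name)
    flagged = {p for p, s in scores.items() if s >= threshold}
    return dict(scores), dict(fired), flagged


# Constructed sample activity log (not captured from any real incident).
SAMPLE_LOG = """
2012-04-10T10:00:01 pid=501 proc=Safari action=open target=/Users/alice/Library/Safari/History.plist
2012-04-10T10:00:02 pid=777 proc=java action=write target=/tmp/.updater
2012-04-10T10:00:03 pid=777 proc=java action=exec target=/tmp/.updater
2012-04-10T10:00:04 pid=778 proc=.updater action=open target=/Users/alice/Library/Keychains/login.keychain
2012-04-10T10:00:05 pid=778 proc=.updater action=write target=/Users/alice/Library/LaunchAgents/com.updater.plist
2012-04-10T10:00:06 pid=778 proc=.updater action=connect target=203.0.113.7:443
2012-04-10T10:00:07 pid=900 proc=installer action=write target=/Users/alice/Library/LaunchAgents/com.vendor.agent.plist
2012-04-10T10:00:08 pid=901 proc=securityd action=open target=/Users/alice/Library/Keychains/login.keychain
"""

if __name__ == "__main__":
    print("signature hit on unseen sample:", signature_verdict(b"brand-new-variant"))
    scores, fired, flagged = behavioral_verdicts(SAMPLE_LOG)
    for proc in sorted(scores):
        print(proc, scores[proc], fired[proc], "FLAGGED" if proc in flagged else "")
```

Both sides of the argument show up in the output. The hash check returns nothing for a sample it has never catalogued, which is the "zero protection on day one" point. The behaviour scorer flags the never-seen process on first sight because the rules encode tradecraft rather than bytes, which is the "reaching into the Keychain is suspicious" point; but the legitimate installer also trips a rule and only stays under the threshold because of the weights chosen, and code that avoids these particular behaviours scores nothing at all, which is why behaviour rules are a layer and not a guarantee.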
 
That's not true. I've been leaving Java disabled since 2010 and have only encountered a handful of sites where I had to enable it to have the site function properly. Most users will rarely, if ever, notice any change in their surfing if they disable Java in Safari.

Sorry mate but you are wrong. It seems you lack objectivity in your approach. What works for you will certainly not work for everyone. Many if not most enterprise-level management solutions rely on Java. It's really nice for you if you have survived without using Java on your Mac, but in an enterprise environment Java is needed. Anyway, Java is one of the most used programming languages in the world. Throwing it out of the window is not an option for all.

Sophos should be avoided, as it could actually increase your Mac's vulnerability, as described here and here. Also, Sophos was NOT one of the antivirus apps that the trojan looked for and uninstalled itself upon detection.

Sorry mate but that post about Sophos is lots of talk with no real actual facts applicable to the real-life situation. Take a look at Activity Monitor and see how many processes are run as "root". Any of those could be a vector if someone screws it up. Anyway, "root" is used so that on-access scanning and full system scanning in the background are possible. Both of these features are important in order to prevent accidental infection. Regarding the files the Flashback downloader was searching for, there were a bunch of them that had nothing to do with antivirus, such as MS Office, Little Snitch etc. I understand they wanted to avoid Snitch since it would have exposed the downloader, but I have no clue why they left your Mac alone if you had MS Office installed. It's even more strange that they included Virus Barrier X, which actually didn't pick up Flashback in a heuristic scan. Anyway, I think they generally wanted to avoid all detection. However, it still doesn't explain MS Office...


False. None of the antivirus apps updated definitions until the trojan had been in the wild for some time. This is part of the problem in running antivirus apps. They cannot detect malware that did not previously exist, so when a new threat is released in the wild, antivirus apps offer zero protection, where practicing safe computing does offer protection.

You like saying false, don't you...:cool: However, unfortunately you are wrong regarding the heuristic scanning. According to Sophos they were able to prevent infection before the actual definition files for Flashback due to heuristic scanning. Heuristic scanning is not just based on old viruses and malware but also on evaluation of program activity. Anyway, even if the heuristic scan doesn't pick up the malware you will most likely receive a virus definition update before you get infected, or at least you have a better chance of getting away unharmed than relying on Apple to provide a fix.
 
It seems you lack objectivity in your approach. What works for you will certainly not work for everyone.
First, it's not only my approach. It's the same approach recommended by Apple. You don't have to leave it disabled. As I've said many times, you can enable it whenever you visit a trusted site that requires it, so it doesn't prevent any functionality for those who require it. It's just a mouse click.
It's really nice for you if you have survived without using Java on your Mac, but in an enterprise environment Java is needed.
I have Java on my Mac and it is enabled. I've only recommended disabling Java in Safari Preferences, not on the whole computer.
Throwing it out of the window is not an option for all.
Not once have I suggested "throwing it out the window". Please try to read and comprehend my posts before you attack them. I have never recommended uninstalling Java or disabling it in Java preferences. I have only recommended unchecking "Enable Java" in Safari Preferences. That has zero effect on other apps that require Java, and can be re-enabled whenever required in Safari.
Sorry mate but that post about Sophos is lots of talk with no real actual facts applicable to the real-life situation. Take a look at Activity Monitor and see how many processes are run as "root". Any of those could be a vector if someone screws it up. Anyway, "root" is used so that on-access scanning and full system scanning in the background are possible.
It's not required for that, as ClamXav and others do the same without running with root privileges.
Both of these features are important in order to prevent accidental infection.
And yet they didn't prevent infection by Flashback, since no antivirus app detected it when it was first encountered.
Regarding the files Flashback downloader was searching there were bunch of them that had nothing to do with antivirus such as MS Office, Little Snitch etc. I understand they wanted to avoid Snitch since it would have exposed the downloader but I have no clue why they left your Mac alone if you had MS Office installed. It's even more strange they included Virus Barrier X which actually didn't pick up Flashback in heuristic scan. Anyway, I think they generally wanted to avoid all detection. However, it still doesn't explain MS Office...
I don't see any reason for the MS Office or Skype restriction, either, but my point is that in this case, MS Office and Skype offered more protection than Sophos did, which was none.
According to Sophos they were able to prevent infection before the actual definition files for Flashback due to heuristic scanning.
Link please.
Anyway, even if the heuristic scan doesn't pick up the malware you will most likely receive a virus definition update before you get infected
In the same way, you will likely hear about the threat and take whatever safe computing measures are necessary to avoid it, without relying on some antivirus firm to create or update definitions. This has worked successfully, without requiring any 3rd party antivirus app, for as long as Mac OS X has been around.
at least you have a better chance of getting away unharmed than relying on Apple to provide a fix.
I never recommended relying on Apple to provide a fix. In the same way, I don't rely on Apple for the security of my Mac.
 