Another poster has just reported being infected despite having Sophos installed. I don't think I'm qualified to say whether antivirus software is advisable or not, but I believe many antivirus users have something in common with many Mac users: a certain tendency to feel overconfident about their protection. Besides the need for a faster response to threats, that's where I think that OS and security software vendors have failed: in educating their users about the limited extent of their security and the part of the responsibility that still resides with the user.

Regarding the linked post, that situation is very strange since F-Secure says he is not infected and in a manual check he doesn't have files related to Flashback, but Kaspersky seems to have his UUID. It's most likely a false positive since he doesn't have the Flashback files. Anyway, the Kaspersky app was pulled due to problems, so I'm betting it's a false positive on their part.

Regarding the need to run antivirus software, I don't think there is one right solution. It depends on user requirements. One might be safe without any monitoring or protection, while another might be asking for trouble even with full virus protection and outgoing traffic monitoring.
 
First, it's not only my approach. It's the same approach recommended by Apple. You don't have to leave it disabled. As I've said many times, you can enable it whenever you visit a trusted site that requires it, so it doesn't prevent any functionality for those who require it. It's just a mouse click.

I have Java on my Mac and it is enabled. I've only recommended disabling Java in Safari Preferences, not on the whole computer.

Not once have I suggested "throwing it out the window". Please try to read and comprehend my posts before you attack them. I have never recommended uninstalling Java or disabling it in Java preferences. I have only recommended unchecking "Enable Java" in Safari Preferences. That has zero effect on other apps that require Java, and can be re-enabled whenever required in Safari.

Ok, for example many of the apps you run in an enterprise environment are in the cloud, which is accessed via browser. Therefore disabling it is not an option. As I said before, something that works for you certainly doesn't work for everyone. Switching Java on and off is just not practical for all.

It's not required for that, as ClamXav and others do the same without running with root privileges.

Sorry mate, but every single app that wants to have full file access needs to run as "root". For example, Time Machine and Spotlight use root in order to access all the files. There is no way you can have a full background scan without running as root. It's very likely that the apps that scan without root are not scanning all the files, or prompt you for root when they do so.

And yet they didn't prevent infection by Flashback, since no antivirus app detected it when it was first encountered.

I don't see any reason for the MS Office or Skype restriction, either, but my point is that in this case, MS Office and Skype offered more protection than Sophos did, which was none.

OK, this is getting a bit silly. My information about the Sophos heuristic scan is based on their security blog, so if they say they can spot it I tend to give it some merit.


In the same way, you will likely hear about the threat and take whatever safe computing measures are necessary to avoid it, without relying on some antivirus firm to create or update definitions. This has worked successfully, without requiring any 3rd party antivirus app, for as long as Mac OS X has been around.

I never recommended relying on Apple to provide a fix. In the same way, I don't rely on Apple for the security of my Mac.

As said before, there is not one option suitable for all. One user can be fine without any security and another might require antivirus software and outgoing traffic monitoring. Regarding modern security requirements, I think it's clear that the times have changed. This creates a situation with even greater demand for differing security solutions.
 
Ok, for example many of the apps you run in an enterprise environment are in the cloud, which is accessed via browser.
If you're referring to iCloud, that means you're running Lion, so you can install the Java updates and leave it enabled. For those on Leopard and earlier, they don't have access to iCloud anyway, so it's no issue.
As I said before, something that works for you certainly doesn't work for everyone. Switching Java on and off is just not practical for all.
It may not be convenient, but it's certainly practical for those who don't have access to the Java updates.
OK, this is getting a bit silly. My information about the Sophos heuristic scan is based on their security blog, so if they say they can spot it I tend to give it some merit.
That's hardly proof of anything. Of course they're going to claim whatever makes people buy their app. If it comes from Sophos or any antivirus company, I'm immediately skeptical, until information is corroborated by other sources. I'm sure their advertisers would love to have more people who tend to give merit to whatever they say.
One user can be fine without any security and another might require antivirus software and outgoing traffic monitoring.
A more accurate statement is: "Any user can be fine without any 3rd party antivirus as long as they practice safe computing, and others might prefer antivirus software and outgoing traffic monitoring, even though it's not required to keep a Mac malware-free."

If someone is aware and wants to run antivirus, I don't have any problem with that. What I do have a problem with is users being misled into believing it's required to keep a Mac secure from malware, or that their Mac is completely protected, simply by running a 3rd party antivirus app.
 
No, it doesn't miss the point. Heuristics are of limited to no value in protecting Mac users from future, not-yet-created malware. That's the point. No antivirus app can protect you from something that hasn't been created yet, especially based on little to no history.

So you believe that all malware is unique, without using what others have used in the past? The amount of malware that is truly unique in terms of components is very few and far between. All you have to do is modify the payload and exploit enough to get past the current AV signatures. Try infecting your Windows systems with malware that's a couple of years old and I'll bet it doesn't always detect it any more; that's because the companies work on the law of probabilities. Even the virus PoC you refer to will be used in the wild at this moment in time; that's what APT and AET refer to (even though there are few advanced techniques in play). The fact is that signature-based malware detection only detects directly when there is a large amount of activity.
 
No, I don't believe all malware is unique, but there has been very little malware in the wild for Mac OS X. Windows has had at least hundreds of thousands, if not millions of malware infections upon which to base heuristics. Mac OS X has had maybe a dozen or so trojans since it was introduced over 10 years ago. That's not much to build on.
 

You are ignoring obvious suspicious behaviours, which can be part of the heuristics even without "history". Besides the keychain attack being an obvious example, any app that port scans the local subnet is *very* suspicious.

I have a port scanner that I wrote in C++ (so obviously "zero-day", since I'm the only one who has it) to check my lab systems for availability. Because the lab systems are dynamic, I do a port scan on the entire 20-bit lab network.

When the heuristics-based Symantec corporate anti-virus rolled out, my scanner would be blocked in a fraction of a second. I had to "white-list" the scanner to keep it running (and re-white-list it each time I recompiled, since the white-list is based on the filename plus its SHA1 signature).

There are also some suspicious domain names, for example http://www.google.ng/:

(see attachment)

I think that you're damaging any credibility you might have once had by claiming that using heuristics is useless for anti-malware software on Apple OSX.
 


The flaw in your argument is that most of the attack vectors work with universal software (Flash, Adobe Reader, Java, etc.). OS X uses standard comms protocols as well; there is simply no way that malware will exist just for Mac; the common components will be reused where possible.
 
All the more reason why using historical information about Mac OS X malware won't be as helpful on Mac as it is on Windows.
 

Explain your logic that heuristics on a Mac that use current techniques on Windows exploits that will be reused on OS X aren't valid?
 
As Windows and Mac OS X have very different architectures, malware is not going to function in the same way on both. As one simple example, Mac OS X does not have a registry that can be tampered with, like Windows. Apples and oranges.
 

Apple OSX has plist files - just as easy to target as the registry. When porting the malware to Apple OSX, you simply change it to modify the plist files instead of the registry.

Actually, plist files are probably less secure - if you can modify the plist file you can change any and all name-value pairs. The Windows registry supports full hierarchical Access Control List security on each individual name-value pair and each node in the path to the name-value pair - an installer can lock down certain registry entries (or sub-trees of entries), but allow write access to others. For example, the list of DLLs and plugins can be locked, but things like window size and position can be writable.

And obviously the anti-malware vendors will do a minor tweak to the heuristics to look for apps doing strange things with plist files - especially plists not associated with the app.

Applications on both Windows and Apple OSX have a persistent database of name-value pairs for configuration data. I don't see any fundamental difference in architecture here. There are some minor differences in how the name-value pairs are maintained, but that's all.
 
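As an added illustration of the behaviour-based heuristics argued for in the posts above (the subnet-scan example and "apps doing strange things with plist files, especially plists not associated with the app"), here is example code that is not from this thread or any vendor's product. The process names, paths and the rule that a plist file is named after its owner's bundle id are constructed assumptions for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: float     # seconds
    proc: str     # bundle id of the acting process (constructed values)
    kind: str     # "connect" or "plist_write"
    target: str   # "host:port" for connect, a file path for plist_write

def flag_subnet_scans(events, window=2.0, min_hosts=16):
    """Processes reaching many distinct hosts in a short window; no signature needed."""
    by_proc = defaultdict(list)
    for e in events:
        if e.kind == "connect":
            by_proc[e.proc].append((e.ts, e.target.rsplit(":", 1)[0]))
    flagged = set()
    for proc, conns in by_proc.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            hosts = {h for t, h in conns[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged.add(proc)
                break
    return flagged

def flag_foreign_plist_writes(events):
    """Writes to another domain's Preferences plist, or to a LaunchAgents/LaunchDaemons
    (persistence) plist not named after the writer. Assumes file name == bundle id."""
    flagged = set()
    for e in events:
        if e.kind != "plist_write" or not e.target.endswith(".plist"):
            continue
        domain = e.target.rsplit("/", 1)[-1][:-len(".plist")]
        persistent = "/LaunchAgents/" in e.target or "/LaunchDaemons/" in e.target
        if domain != e.proc and (persistent or "/Preferences/" in e.target):
            flagged.add((e.proc, e.target))
    return flagged

# Constructed sample telemetry: a 20-host sweep, normal browsing, an own-domain
# preference write, and an unrelated process dropping a persistence plist.
SAMPLE = (
    [Event(0.05 * i, "org.lab.scanner", "connect", f"10.16.0.{i}:22") for i in range(20)]
    + [Event(5.0 + i, "com.apple.Safari", "connect", f"203.0.113.{i}:443") for i in range(3)]
    + [Event(9.0, "com.example.app", "plist_write",
             "/Users/u/Library/Preferences/com.example.app.plist"),
       Event(9.5, "com.example.downloader", "plist_write",
             "/Users/u/Library/LaunchAgents/com.apple.update.plist")]
)
```

Run `flag_subnet_scans(SAMPLE)` and `flag_foreign_plist_writes(SAMPLE)`; only the scanner and the foreign LaunchAgents write are flagged, the browser and the app's own preference file are not.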

But surely you have to understand that facts don't matter here, only reputation and perception! ;) :lol:
 
Not mad Eduardo. Just laughing at people like you that follow the dumb-masses. :D

Sorry to interrupt your laughter, but I don't follow the dumb-masses. You misunderstood my point completely.

I actually agree with the idea on your original post but not with the way you complained about it. Re-read it and tell me it doesn't sound like you're angry, which was my point. Why get angry about such things? :p

If I don't get angry about it, does it mean I'm "following the masses"? Nope.
 
While I'm happy the Mac community has grown exponentially in the past 10 years, it's sad to see that this growth has caused malware developers to start attacking Mac computers. :(
 
They haven't just started. There has been Mac OS X malware pretty much since it came out, and there was a lot more malware in the wild with Mac OS 9 and earlier. The amount of malware in the wild is much less now than it was when Macs had a much smaller market share.
 