Apple Investigating 'MACDefender' Malware, Support Staff Barred From Assisting Customers

[GGJstudios]

If that were true - then there wouldn't be a huge increase in "infections."

That's true. Although the advice is simple, that doesn't offer any guarantee that people will follow it. The point, however, is that defending a Mac from malware only requires that the user does that one thing. Software isn't required as a defense.

I completely agree that people should be better informed and, therefore, less vulnerable with regard to cars, printers, computers, etc. The fact is, they're not. We can only hope that those who show enough initiative and awareness to visit a Mac forum such as this will also be able to digest a simple directive: be careful what you install.

It really goes back to the truthful response among Harley riders when people say they should wear helmets, "The best protection is what you have IN your head, not ON it!"

 

[munkery]

There hasnt been much to them. "New unknown threats better thrwarted by user knowledge" - correct??

Go back and read the content concerning privilege escalation. Malware is ineffective without achieving privilege escalation via exploitation or social engineering.

Mac OS X does not have an incident of privilege escalation via exploitation in malware. This is due to an very low incidence rate of privilege escalation vulnerabilities due to being open source and having a better implementation of DAC due to not having a system like the Windows registry to store settings for kernel space elements of the OS.

User knowledge is the most effective method to protect against social engineering.

Nothing, including AV software, provides protection from threats that include privilege escalation other than a vendor patch given all the techniques available to obfuscate code to allow known malware to bypass AV scanners.

Yes, they were all patched.

Did you notice how long many of them remained unpatched despite being a commonly known vector for privilege escalation? Did you notice the same kernel-mode drivers are repeatedly vulnerable despite being patched?

 

[GGJstudios]

For what I deemed high risk of doing it again I installed Sophos, set any user accounts that had no passwords to have one

Sophos is not recommended, as it can actually increase your Mac's vulnerability.
For more info, read this: Mac Virus/Malware Info

 

[John Dillinger]

@ GGJ

Link to proof of this?

Well its 2nd/3rd/4th hand, but Ars quoted some Apple store Genius (near bottom of page): "This is difficult, as the store sells several antivirus products implying that Apple supports the idea, but as many customers point out, the sales guys aren't shy in making the claims for Mac OS X's security. Internally, Apple's [IT] department mandates the use of Norton Antivirus on company machines."

It hasn't been out for months. It was announced May 2nd.

I was being hypothetical... but lets run with it:

It was announced May 2nd.

Meaning it very well could have been in the wild for months.. it was only announced ie reported (not even necessarily when it was detected)May 2nd. Its not like the crafters of the malware made a press release.

You're new to this arent you?

That's exactly what happens to many Windows users who don't run antivirus and keep their virus definitions up to date. But that's not required to protect a Mac.

Looking at the present situation.. genius store reports/ apple support threads/ anonymous accounts from supposed Apple retail staff... and leaked Apple memos.. maybe they do?

They don't need to be up-to-date on the latest developments. The same advice has worked for the past 10 years of Mac OS X. Be careful what you install. Period. It's not hard to remember. Even a cave man could do it!

......evidently NOT

No it won't, if the software doesn't know what to look for.

If its been identified for a month... by now Norton would know what to look for

 

[gnasher729]

I agree that users who are victimized by MacDefender are not necessarily stupid, but either uninformed, careless or knowingly foolish.

If that were true, they would disbelieve a pop-up that claimed they were infected with a virus, because their "Apple programming" would tell them that's not possible. If anything, such a belief would prevent them from installing the app.

We had Macintosh users posting here in the past who were afraid that they were infected by a various, and it turned out they had gone to a site that tried to sell Windows scareware which clearly showed Windows-style windows with messages that their PC running Windows XP was infected. And some were hard to convince that this website would show exactly the same dire warning, whether the had an infected PC, a clean PC, a Mac, Linux, or an iPhone.

But what you should also tell everyone: A website has no way whatsoever to find out if your computer is infected by anything. Forget about whether Macs could get viruses or catch malware or not, or the same for Windows or Linux. Fact is that no website can possibly detect it. If a website claims that your computer is infected by a virus, then that website is lying. Any website that claims your computer is infected is a scam. Simple as that. Applies to Mac users just as it applies to Windows users.

By the way, if you get a phone call from some company claiming that your computer has problems, that's a scam as well (google for Virtual PC Doctor).

 

[76ShovelHead]

Whats sad is Mac's aren't supposed to be threatened by this type of stuff. I suppose if it's just a fake program that doesn't mess with and infect your computer its okay, all you need is AppCleaner installed and drag it to the trash as AppCleaner will delete all associated content.

 

[munkery]

Safari's Safe Browsing (old API) protects against phishing and bad websites...

Googles updated Safe Browsing 2.0 API screens against malicious file downloads. >>>> Apple should implement this into Safari.

XProtect in conjunction with the file quarantine feature already accomplishes this effect. Again, not 100% effective because relies on a database.

Apple should also implement SafeBrowsing API into the Mac OS X system itself to screen all files (no matter where the user gets it from).

XProtect does this for Safari, Mail, iChat, etc.

Windows 8 will do this.

Are you sure? When Windows tried to include MSE by default, AV vendors threatened to sue because of pre-established licensing agreements and MS backed down.

Getting back on track, IE 8 (and Windows 8) has SmartScreen Filter (as Chrome has Safe Browsing API 2) to scan a file download request against a blacklist before downloading.

Apple should do the same in Safari AND Mac OS X. And this database of blacklist is free, open and maintained by Google. (Apple already uses it partially).

Again, XProtect. Again, not 100% effective.

Second, you're right when you say no basic malware protection is 100% effective.

But honestly, this is not relevant. Yes this blacklist cannot predict future malware, but it can be 100% effective in blocking this/these malware already in the wild.

Relying on software leads to complacency. This is dangerous because software solutions based on database systems will never be 100% effective.

There's only like 3 for the Mac... so it would be easy to add these to a block list.

Why wouldn't Apple do this???

XProtect.

 

[layte]

Did you notice how long many of them remained unpatched despite being a commonly known vector for privilege escalation? Did you notice the same kernel-mode drivers are repeatedly vulnerable despite being patched?

Worst case seemed to be a month from Microsoft being notified to a patch being released (certainly faster than Apple have respond to non iOS vulnerabilities in the past), I'd be genuinely interested in reading about in the wild attacks made during that time window, and then nothing since early March. It would seem that a bunch of similar vulnerabilities were discovered and patched, here we are nearly two months on and nothing (yet). Anyway, we continue to take this thread away from the topic at hand, which is the latest piece of Mac malware.

 

[Gav Mack]

Sophos is not recommended, as it can actually increase your Mac's vulnerability.
For more info, read this: Mac Virus/Malware Info

Just because Sophos runs as root? I want my AV software to run that way - the malware coders will start to use zero day exploits on OSX giving them root as soon as there's enough Mac users out there to make money out of them becoming bots. The hackers are already starting to create and sell toolkits to those that want to setup a botnet for the Mac. The days of apple being lazy patching vulnerabilities are now over, they've already handed java back to oracle to update for the next Java JRE release so I'm guessing they will have more resources to keep their own house locked down. There has been so many cry wolfs predicting malware on the mac but for the first time in over 10 years I'm listening.

iantivirus on the other hand is totally useless.

 

[GGJstudios]

Link to proof of this?

Well its 2nd/3rd/4th hand, but Ars quoted some Apple store Genius

Well, that's certainly authoritative enough! Actually, I asked for proof, not innuendo from hearsay from a passing comment by an unnamed untrustworthy source.

It was announced May 2nd.

Meaning it very well could have been in the wild for months.. it was only announced ie reported (not even necessarily when it was detected)May 2nd. Its not like the crafters of the malware made a press release.

No, it was announced by one of those antivirus firms that are motivated to report such things as quickly as possible, so as to sucker people into buying their software.

You're new to this arent you?

You're welcome to look at my posting history and then see if you think I'm new to this.

That's exactly what happens to many Windows users who don't run antivirus and keep their virus definitions up to date. But that's not required to protect a Mac.

Looking at the present situation.. genius store reports/ apple support threads/ anonymous accounts from supposed Apple retail staff... and leaked Apple memos.. maybe they do?

If users were simply careful about what they install, as we always recommend, you wouldn't be getting those reports.

They don't need to be up-to-date on the latest developments. The same advice has worked for the past 10 years of Mac OS X. Be careful what you install. Period. It's not hard to remember. Even a cave man could do it!

......evidently NOT

As already said, the advice works. Whether people follow it or not is up to them.

No it won't, if the software doesn't know what to look for.

If its been identified for a month... by now Norton would know what to look for

No, it hasn't been identified for a month. And Norton didn't know what to look for when it was released.

But what you should also tell everyone: A website has no way whatsoever to find out if your computer is infected by anything. Forget about whether Macs could get viruses or catch malware or not, or the same for Windows or Linux. Fact is that no website can possibly detect it. If a website claims that your computer is infected by a virus, then that website is lying. Any website that claims your computer is infected is a scam. Simple as that. Applies to Mac users just as it applies to Windows users.

You're absolutely correct. Actually, I do address that very thing in the Mac Virus/Malware Info link that I keep posting and people keep not reading.

Whats sad is Mac's aren't supposed to be threatened by this type of stuff.

Macs are still vulnerable to the same threat they've always been vulnerable to: the user.

all you need is AppCleaner installed and drag it to the trash as AppCleaner will delete all associated content.

AppCleaner and other app removal software doesn't do a thorough job. Read this

 

[Michaelgtrusa]

You NEED to install it!

 

[munkery]

Also, 'requires local access'. So the hacker either needs to have physical access to the machine, or trick the user into running the code themselves.

FYI, locals can be linked with remote exploits to create a multi-stage remote root exploit that does not require user intervention. So, physical access to the machine or tricking the user is not required.

http://www.sans.org/top-cyber-security-risks/tutorial.php

Being swiss cheese in relation to privilege escalation vulnerabilities, as is the case with Windows, means that users are far more likely to be infected by malware without user intervention.

https://forums.macrumors.com/posts/12599703/

 

[John Dillinger]

Well, that's certainly authoritative enough! Actually, I asked for proof, not innuendo from hearsay from a passing comment by an unnamed untrustworthy source.

Ha what an exaggeration!! You're not female per chance?

What kind of conclusive proof did you expect via the requested internet link? Even if it was audio of steve jobs himself you would say "can be spoofed". If video.. "overdub".

But hey, if if the multibillion dollar corp with a chance of losing face comes out and denies it.. gotta be telling the truth right? Its not just marketing to keep posting record breaking quarters, trust

No, it was announced by one of those antivirus firms that are motivated to report such things as quickly as possible, so as to sucker people into buying their software.

Yeah report as soon as they identify it . Which, again, does not equal to the date it was in the wild. Who knows how long Intego were sleeping? Not every security firm is created equal- heard of HBGary.. or the guys who (re)set up PSN security?

No, it hasn't been identified for a month. And Norton didn't know what to look for when it was released.

Common seriously, reading comprehension. Norton knows NOW.. not when released. I never said a reputation score.. could stop a zero day threat.

Macs are still vulnerable to the same threat they've always been vulnerable to: the user.

Intego claims there are new threats. They are the subject of this article

 

[layte]

FYI, locals can be linked with remote exploits to create a multi-stage remote root exploit that does not require user intervention. So, physical access to the machine or tricking the user is not required.

http://www.sans.org/top-cyber-security-risks/tutorial.php

Being swiss cheese in relation to privilege escalation vulnerabilities, as is the case with Windows, means that users are far more likely to be infected by malware without user intervention.

Interesting, a lot of ifs, buts and slack security practices required for it to be viable. Has such an attack been used with the vulnerabilities you listed? As I said, I would be genuinely interested in reading about some real world cases rather than what could potentially happen.

Well, in the morning anyway, time for bed.

Oh go on then, just a quick one as I saw your cheeky link you added in..
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Apple+gain+privileges
leads on to: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0182 which was reported on the 23rd December 2010 and fixed by apple late March 2011. /tips hat and rides off into the sunset.

 

[GGJstudios]

What kind of conclusive proof did you expect via the requested internet link?

I didn't expect any proof, which is exactly my point. You don't have any proof that Apple requires the use of Norton. The word of an Apple Genius isn't a trustworthy source; even more so if they're quoted 2nd, 3rd or 4th hand. This forum is filled with evidence that many Apple "Geniuses" have no idea what they're talking about.

Intego claims there are new threats. They are the subject of this article

Intego can claim all it wants. It's biased and motivated to sell you antivirus software. It's not a new threat. It's the same old threat wearing a different colored necktie. It's still a trojan, which can't harm a Mac in any way, unless the user specifically and actively gives it permission to do so. It's no different than the handful of Mac OS X trojans that came before over the past 10 years.

 

[marksman]

It is windows fault anyone who owns a mac would try to install anti-virus software...

This is kind of funny in an ironic way, but perhaps anyone who was dumb enough to install anti-virus software on their mac deserves to be punished for it.

 

[fmaxwell]

Um - I didn't BLAME Apple.

To me, this, especially taken in concert with your other comments, sounds like blame to me:

"One of the "problems" is that Apple's marketing is constantly telling its customers that it can't get viruses."

On the flip side - you don't seem to want to concede that Apple's marketing does everything it can pretty much to convince someone that their computers don't have such issues.

Apple tries to convince people that Macs don't have the same problem with viruses that PCs do, not that Macs have some magical way of knowing that software that the user chooses to install, using their user name and password, is "bad." Let's not mix up viruses and trojans. Susceptibility to the former is a sign of an OS security issue, while the latter (trojans) rely on IO errors (Ignorant Operator errors).

I'm all too happy to concede that so many infections can be prevented by people understanding what and what they are not doing online and with files.

Good. And, specifically, I assume that applies to the topic of this thread: MacDefender. But faulting Apple for correctly representing that Macs have proven to be very resistant to viruses seems unfair. Yes, some small percentage of users takes that to mean that they are invulnerable and can install anything -- just as some small percentage of Volvo drivers believe that they are invincible due to ads touting Volvo's enviable safety record. It's not a fault of Apple, or Volvo, when ignorant consumers misinterpret factual statements. Nor is it the legal or ethical responsibility of either company to assure that each customer leaves their showroom fully cognizant of the risks associated with misuse of the products.

 

[MacMan86]

It is windows fault anyone who owns a mac would try to install anti-virus software...

This is kind of funny in an ironic way, but perhaps anyone who was dumb enough to install anti-virus software on their mac deserves to be punished for it.

No one deserves to be punished for anything in this respect. It's a computer.

If you have genuine, reputable anti-virus software on your Mac then it's not going to do anyone any harm. Many people think it's a matter of when and not if when it comes to Mac viruses - if those people want to be prepared then let them be. Apple themselves have anti-virus software running on their 'back of house' Macs in retail stores, are you calling them dumb as well?

 

[AidenShaw]

We're in the "post-virus" era

What happened to the average Mac user being educated?

I agree, unfortunately the rash of 'switchers' has lowered the average tech IQ of the userbase.

I think that the decline in competence is correlated to the rise of the Itoys.

It is windows fault anyone who owns a mac would try to install anti-virus software...

Apple tries to convince people that Macs don't have the same problem with viruses that PCs do

If you have genuine, reputable anti-virus software on your Mac then it's not going to do anyone any harm. Many people think it's a matter of when and not if when it comes to Mac viruses - if those people want to be prepared then let them be.

Apple and Apple fans need to stop using the word "virus", and use the broader term "malware".

Out-of-the-box, Windows Vista, Windows 7 and Apple OSX are pretty much immune to the classical self-spreading viruses. So immune that the number of viruses in the wild has plummeted. We're in the post-virus era.

The evil ones know this, and know that it's hard to write a successful virus for any current operating system. Instead, malware is now most often trojans that are either "drive-by" (exploit browser or OS holes to download silently when a website or application is run) or "social" (like MacDefender) which try to trick the user into authorizing them.

As MacDefender clearly shows, malware can be a problem for Apple OSX. It won't be too long before running anti-malware software on an Apple is standard. (Actually, it's standard already, but Apple OSX apparently doesn't have very good anti-malware software builtin.)

 

[Mebsat]

Apple has had it both ways for years...they emphasize being impervious to viruses and count the PC viruses in ads.

What really matters is the payload. This is about global credit card theft. The real impact of viruses on the PC community is not what it once was. The bad guys are much more pragmatic now. It's not really about deleting your pictures.

Social engineering can't be beat for collecting CC numbers. Are you really going to write something to collect the info better than having the user enter their current data for you? This means trojans.

If Apple users (with growing number of PC converts, too) will simply authenticate anything that pops up, it doesn't really matter what computer they use.

Are the numerous defects on Windows are really behind the most lucrative exploits anyway? It would be interesting to see how much identity theft comes from "drive-by" installation and how much is authenticated.

 

[samcraig]

Good. And, specifically, I assume that applies to the topic of this thread: MacDefender. But faulting Apple for correctly representing that Macs have proven to be very resistant to viruses seems unfair. Yes, some small percentage of users takes that to mean that they are invulnerable and can install anything -- just as some small percentage of Volvo drivers believe that they are invincible due to ads touting Volvo's enviable safety record.

You come off as smug. "Good" - really? I guess calling me a microsoft shill and being shown how wrong you are made you want to try and school me? Whatever.

Neither you or I have any actual statistics on how many think or do not think Mac's can get viruses/etc based on Apple's marketing. So your smugness is unfounded.

If you think by me saying ONE of the problems is Apple's marketing means I solely blame Apple as you're trying to imply - then you need some reading comprehension skills.

And if you think Apple doesn't try to present their systems as being impervious to threats, then you aren't paying attention.

I'm off to dinner.. have a nice day.

 

[Gutwrench]

Look - we can go around in circles all day. I'm in marketing and PR - so I think I'm due a little credit here when I say that if you perpetuate information in 90 percent of your marketing, advertising and PR and in 10 percent offer the "real story" - you're being a bit deceptive. I'm not saying Apple is evil or doing anything that other companies are not. But we're not talking about other issues. We're talking about MacDefender and how some posters on here want to blame the end user for being "stupid"

My point is - the average user isn't necc. stupid. The average user was led to believe that they were "safe." based on Apple's messaging. Right or wrong - it really would be hard to argue that the average user would think otherwise.

So you're in marketing? Is it true that those in business college who can't cut accounting switch to economics, and those who can't cut Econ switch to marketing? Ah, I'm just busting on you for levity sake.

 

[chrono1081]

@ GGJ
If its been identified for a month... by now Norton would know what to look for

Have you ever used Norton or Symantec? Even if they know what to look for they probably won't find it. If they do you'll get a message saying that quarantine failed and removal failed because the file is locked.

I've been begging my workplace to get rid of that trash software for a long time (and so has the rest of the IT department).

I'm not trying to argue against any of your posts I just wanted to state that because Norton says it knows about it doesn't mean it can protect against it.

 

[munkery]

Interesting, a lot of ifs, buts and slack security practices required for it to be viable. Has such an attack been used with the vulnerabilities you listed? As I said, I would be genuinely interested in reading about some real world cases rather than what could potentially happen.

Stuxnet. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=stuxnet

Oh go on then, just a quick one as I saw your cheeky link you added in..
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Apple+gain+privileges

By using Apple in your search terms rather than Mac OS X, you have inflated the results.

Mac OS X = http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Mac+OS+X+gain+privileges = 83

Not all privilege escalation exploits allow system level access. There are lateralization and elevation of privileges included in the privilege escalation category. Only, privilege elevation allows modification of the system level of the OS. Many, if not most, of those vulnerabilities do not provide system level access so, therefore, can not facilitate rootkit install.

Also, many are not reliable exploitation vectors. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mac+os+x+gain+privileges+2011 -> This system call was completely removed from the OS as it was no longer needed given that it was no longer being used by any 32 bit process that could make that system call; this system call's lack of use in any process limits its use in exploits.

It is rare for any of these vulnerabilities to be publicly known prior to being patched. If you look at Apple's security releases, 2/3 of the privilege escalation vulnerabilities are found and disclosed by Apple rather than an external researcher.

Windows = http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=windows+gain+privileges = 295

The fact that Windows XP admin accounts do not require privilege escalation to allow system level access as this account does not use DAC also has to be taken into consideration. It is common for Windows XP users to use admin accounts for day to day computing. Without DAC the number of privilege escalation exploits must include all remote exploits as well.

So, Windows XP = http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=windows+xp = 612

That number for Windows XP is artificially low given that it does not include every applicable remote vulnerability in IE (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=internet+explorer) or MS Office (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ms+office). Also, this does not include all remote vulnerabilities introduced via third party software vendors, such as Adobe (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=adobe).

This is valid given that Windows XP still has the greatest market share of any OS including other versions of Windows and many use admin accounts in Windows XP for day to day computing.

The previous link I provided for Windows (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k.sys) only focused on privilege escalation vulnerabilities concerning an attack vector that has been used in the wild. This vector is well documented (http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/) and well known via being used in Stuxnet.

Many exploits related to win32k.sys have been released to the public before being patched. For example, http://www.exploit-db.com/exploits/15609/ was public on November 24, 2010 but was not patched until February 8, 2011. During that time, any malware developer could have used that exploit in malware in the wild if they became aware of the public and unpatched exploit via http://www.exploit-db.com/.

There has not been an incidence of privilege escalation exploitation being used in malware in the wild in OS X. This is because linking together remote and local exploits is difficult on any OS. Not only does Windows have a higher incidence rate of these vulnerabilities that provide system level access despite the versions of Windows in use, but Windows provides a more accessible vector to link exploits together via the Windows registry (http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/).

leads on to: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0182 which was reported on the 23rd December 2010 and fixed by apple late March 2011. /tips hat and rides off into the sunset.

This vulnerability was not publicly disclosed before being patched.

Here is a list of public zeroday vulnerabilities. http://www.vupen.com/english/zerodays/ Some of the items in this list for Windows are still unpatched since 2007.

 

[iMacx]

im fairly sure that ive seen this program advertised on the site.