MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,150
15,956
https://www.macrumors.com/images/macrumorsthreadlogodarkd.png


124536-xprotect_hellrts.jpg


With the release of Mac OS X Snow Leopard last August, Apple rolled out a rudimentary antimalware feature which allows the operating system to detect specific malware threats in downloads and warn users accordingly. Far from offering true antivirus functionality, however, the feature requires that Apple manually update a property list file in OS X if it wishes to add entries to its watch list.

Security firm Sophos today notes that Apple has finally offered an update to the antimalware features watch list with Mac OS X 10.6.4, expanding for the first time beyond the two threats included at Snow Leopard's launch. The addition includes multiple entries for identifying what Apple calls "OSX.HellRTS".
HellRTS, which Sophos products have been detecting as OSX/Pinhead-B since April, has been distributed by malicious hackers disguised as iPhoto, the photo application which ships on modern Mac computers.

If you did get infected by this malware then hackers would be able to send spam email from your Mac, take screenshots of what you are doing, access your files and clipboard and much more.
As a firm that writes and sells antivirus software, Sophos unsurprisingly takes the position that Apple's antimalware feature, while welcome, is insufficient for proper protection against threats. In fact, the blog post from Sophos notes that nowhere in the Mac OS X 10.6.4 documentation does Apple announce this antimalware, leading to speculation by Sophos that Apple is simply trying to downplay security threats for marketing purposes and thus providing users with a false sense of security.

Article Link: Apple Quietly Updates Antimalware Protection in Mac OS X 10.6.4
 

bigcat318

macrumors 6502
Dec 25, 2007
357
83
Where would I be downloading iPhoto from that this would be a problem? Is it common to download something that comes pre-installed on your Mac :confused:
 
Comment

jmpage2

macrumors 68040
Sep 14, 2007
3,085
439
So, let me see if I've got this right.

If I download pirated/illegal/illicit software from the interwebs and proceed to install it and give my root password, something bad may happenz?

I can haz malware?

People are morons. Stop downloading and installing pirated/hacked free copies of paid for software and you won't have these problems. Idiots.
 
Comment

Nuvi

macrumors 65816
Feb 7, 2008
1,078
752
So, let me see if I've got this right.

If I download pirated/illegal/illicit software from the interwebs and proceed to install it and give my root password, something bad may happenz?

I can haz malware?

People are morons. Stop downloading and installing pirated/hacked free copies of paid for software and you won't have these problems. Idiots.

Get your facts straight. Just few weeks ago there was an report about malware included on a screen saver packages promoted by Verisontracker, Macupdate etc.
 
Comment

res1233

macrumors 65816
Dec 8, 2008
1,127
0
Brooklyn, NY
This is how Apple does it, they introduce a feature subtly, make improvements, then once they feel it's ready, they announce it. I expect that this feature will be an advertised part of OS X 10.7. Just like how they recompiled most of Snow Leopard 64-bit, while Leopard was already 64-bit compatible. Leopard was, in my opinion, partly a preparation to get ready for recompiling everything 64-bit.
 
Comment

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Does Pinhead-B spread itself over the Internet?

Macs have always had trojans and always will. A Trojan is simply a lie, and if you can make someone believe a lie, you can get them to do anything. That doesn’t mean victims are “morons,” since nobody is perfect. So it’s good to defend against Trojans by methods other than just common sense.

But something that spreads itself (properly called a worm, though most people say virus) over the Internet has never been successfully achieved on OS X. (But about once a year, tech sites post a false alarm, which then never gets retracted when the facts emerge. Example: The iChat/Oomp-A thing, which wasn’t at all what sites first reported it to be.) Unless, of course, this is the first! I think it would have been a big headline in April if so.
 
Comment

ChrisA

macrumors G4
Jan 5, 2006
11,836
623
Redondo Beach, California
This is a good first step. I just hope apple keeps this up into the future.

No, This approach can't work. You can't just compare a file to a short list of bad files. Malware is so easy to write. For example I could make a three line shell script and call it "free-porn-for-life" and then inside the scrip is a line to enable remote logins. It's nearly trivial to do and does not require any sophisticated "hacking". This trick is so old that Virgil wrote about it 2,000 years ago The idea is to give someone a gift but the gift is not what it appears to be.

The only way to defend against these is to do what the people of Troy should have done with that big horse, quarantine it and observe what what it does and examine it before trusting it. Comparing it to a short list will not work. Maybe that's what the Trojans did. Maybe they had a list and knew not to accept a giant wooden pigs or giant cows, but "horse" was not on the list so they took it.

In the article, someone wrote some malware but he tells people it is a pirated version of iPhoto. The fools think "man I can save $79!" and download it. Surprizing that Apple would bother to protect people from this.
 
Comment

BC2009

macrumors 68020
Jul 1, 2009
2,009
462
Let's face it, nobody can stop you from downloading and installing malicious software except by enforcing something like the "App Store" for all installations. In which case all applications can be reviewed before being made available.

Macs are just as susceptible to malware as PCs now that Microsoft has been kind enough to add the warning before blindly executing something downloaded from the internet (how dumb of them was that back in the day?).

At least my Mac warns me before running any executable I downloaded that is not digitally signed by a trusted authority. And yes, when I get that warning I try to make sure I downloaded from a good and trusted site (especially when dealing with open source downloads).

And while any computer can be vulnerable to virus and unwanted intrusions via a simple buffer overflow, overall Macs have seemed to have less exposure to this. But yet we still see security patches to every version of every operating system ever produced (including OSX).

The best you can do is design an OS to isolate "root/admin" activities from user activities, force the user to specifically authorize actions that require "root/admin" access and warn them, and do your best to minimize bugs that can be exploited. If anybody thinks they are perfectly safe because they are running a specific OS, they are wrong. A while back Sun produced "Trusted Solaris" for government customers that were big on security, and YES they still issued security patches to this.

Apple's move here is a great step in the right direction to warn users who are not knowledgeable when they have just been social-engineered into downloading crap. I think they should expand the feature and advertise it -- tell folks "hey we are going to warn you when you've downloaded something known to be dangerous and we are going to periodically update the list of known dangerous downloads". If you don't want to wait around for Apple to do that then you can go purchase commercial software to do the same. If you are careful about your downloads then you probably don't need the commercial software.
 
Comment

gr8whtd0pe

macrumors 6502a
Feb 21, 2008
520
16
Belle, WV
I am shocked that someone that writes and sells antivirus software would say this isn't enough to protect your system. Amazing.

</scarsam>
 
Comment

Small White Car

macrumors G4
Aug 29, 2006
10,938
1,273
Washington DC
Ever heard of a "new version" ? Honestly, this is kind of a dense comment.

The question still stands. Why, when seeing "new software update" appear in OS X, would someone ignore that pop-up from Apple and instead go out and find iPhoto on the internet?

That makes no sense to me. But the person questioning it is "dense?" Then I must be dense too. Please explain it to me because I don't get it.
 
Comment

ValSalva

macrumors 68040
Jun 26, 2009
3,756
209
Burpelson AFB
As a firm that writes and sells antivirus software, Sophos unsurprisingly takes the position that Apple's antimalware feature, while welcome, is insufficient for proper protection against threats. In fact, the blog post from Sophos notes that nowhere in the Mac OS X 10.6.4 documentation does Apple announce this antimalware, leading to speculation by Sophos that Apple is simply trying to downplay security threats for marketing purposes and thus providing users with a false sense of security.

Just the kind of comment you'd expect from a company who wants to sell you their own antivirus crap.
 
Comment

res1233

macrumors 65816
Dec 8, 2008
1,127
0
Brooklyn, NY
The question still stands. Why, when seeing "new software update" appear in OS X, would someone ignore that pop-up from Apple and instead go out and find iPhoto on the internet?

That makes no sense to me. But the person questioning it is "dense?" Then I must be dense too. Please explain it to me because I don't get it.

I'm pretty sure it's when people try to download free versions of an upgrade to iPhoto that they would have to pay for normally, usually via torrenting. Don't even ask me how I know that. THX!
 
Comment

AlanShutko

macrumors 6502a
Jun 2, 2008
794
206
The question still stands. Why, when seeing "new software update" appear in OS X, would someone ignore that pop-up from Apple and instead go out and find iPhoto on the internet?

That makes no sense to me. But the person questioning it is "dense?" Then I must be dense too. Please explain it to me because I don't get it.

iLife, including iPhoto, doesn't get free updates through Software Update, except for minor bug fixes. If iLife 08 came with your computer, and you wanted the new features in iPhoto 09 like face recognition, you could buy iLife 09 for $79, or you might choose to pirate it.
 
Comment

Small White Car

macrumors G4
Aug 29, 2006
10,938
1,273
Washington DC
I'm pretty sure it's when people try to download free versions of an upgrade to iPhoto that they would have to pay for normally, usually via torrenting. Don't even ask me how I know that. THX!

Ha ha...deal.

So like with most of these things, it seems like it mostly affects pirates.
 
Comment

Ziggie

macrumors newbie
May 27, 2010
10
0
The question still stands. Why, when seeing "new software update" appear in OS X, would someone ignore that pop-up from Apple and instead go out and find iPhoto on the internet?

That makes no sense to me. But the person questioning it is "dense?" Then I must be dense too. Please explain it to me because I don't get it.

You don't get new updates to the iLife suite when a new version appears. So people have a choice to either buy it, or pirate it. Those that fall in the second category risk being infected with malware.

Too slow, that'll teach me to do other things before submitting..
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.