Thank you! I wish people would realize this. "virus infested Windows" is not really true at all anymore.

"Trojan attacked Windows" may be, but that's the case for any OS.

Macs are being infected more because of all those stupid Windoze users who switched because of the "Mac vs PC" ads. Doh!
 
This article is pretty useless; it doesn't tell you how to avoid this particular malware.
If you get a PDF from someone and, when you double-click on it, the OS informs you that an application you just downloaded wants to run ... don't let it run.

Also, once your system picks up the malware update (assuming you are on 10.6 or 10.7), the OS will be even more upfront about it.
 
It's good to see that Apple actually updates their OS to stop this trojan threat. If only Windows were as reliable...

Ahh, good to see you're still clinging to the 10-year-old idea of Windows and Microsoft.


Macs are being infected more because of all those stupid Windoze users who switched because of the "Mac vs PC" ads. Doh!


I do hope that was sarcasm; please say it was. If it wasn't, I feel compelled to point out how wrong you are: Mac users are not smarter than PC users, nor are PC users smarter than Mac users. They are just computer users, no different from each other.
 
Apple does a better job than Windows in some respects, but Win 7 is remarkably better in that regard.

Obligatory counterargument:

The new runtime security mitigation improvements to be included in Windows 8 have already been defeated.

http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/

To put this into perspective, methods to bypass the new runtime security mitigations in Mac OS X Lion are not yet available.

In terms of root access (aka privilege escalation and elevation of privilege), Mac OS X Snow Leopard has contained only 2 elevation of privilege vulnerabilities since it was released; obviously, neither of these were used in malware. Lion has contained 1 so far, but this vulnerability doesn't affect all account types because it is due to a permissions error rather than a code vulnerability.

The following link shows the number of privilege escalation vulnerabilities in Windows 7 related to just win32k:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+7

Also, MS now provides free AV protection as well, cleaning up their own mess, so to speak...

So does Apple but with one difference. Apple's anti-malware protection is included by default.
 
I was just thinking that. Funny how all the malware is always disguised under Flash. Here I thought Flash couldn't get any worse :p

Strange to cloak it under Flash, because a lot of people choose not to have Flash, so they wouldn't jump at this malware, smart or not so smart.

EDIT: Good to see Apple jumping on the issue almost instantly as usual. No safer OS
Also, it seems that the devils didn't finish writing it before Apple killed it, lol.

LOL is right. How misinformed can you get?

Apple has traditionally been slow to deal with security issues, basically ignoring them until they get outed in the mainstream press -- and most do NOT involve Flash. Maybe take a look at a few OS security articles before making silly statements. See, for example Mac OS X Java fiasco: Apple still doesn't get security.

As to the current state of affairs, Apple seems to be instructing its support employees to HIDE security issues from customers who call for advice: Apple to support reps: "Do not attempt to remove malware"

"A confidential internal Apple document tells the company’s front-line support people how to handle customers who call about malware infections: Don’t confirm or deny that an infection exists, and whatever you do, don’t try to remove it."
 
If you get a PDF from someone and, when you double-click on it, the OS informs you that an application you just downloaded wants to run ... don't let it run.

Also, once your system picks up the malware update (assuming you are on 10.6 or 10.7), the OS will be even more upfront about it.

Well, the problem with Mac OS X is that for a PDF file it will open it automatically by default in Safari when you follow a link, and will often display it automatically if you receive it by email (which uses the same renderer as Preview and as such will infect your Mac automatically if it's vulnerable).

It's not very clear on the F-Secure site if it's an OS X executable looking like a PDF file or a PDF file using an exploit of the OS X PDF renderer.

If it's the latter, I'd like to know which versions of Mac OS X are vulnerable to this, as the Lion PDF renderer is supposed to be far more secure, with a PDF parsing thread with almost zero rights.
 
LOL is right. How misinformed can you get?

Apple has traditionally been slow to deal with security issues, basically ignoring them until they get outed in the mainstream press -- and most do NOT involve Flash. Maybe take a look at a few OS security articles before making silly statements. See, for example Mac OS X Java fiasco: Apple still doesn't get security.

As to the current state of affairs, Apple seems to be instructing its support employees to HIDE security issues from customers who call for advice: Apple to support reps: "Do not attempt to remove malware"

Obligatory counterarguments:

1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.

Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.

Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.

Mac OS X Snow Leopard has contained only 2 elevation of privilege vulnerabilities since it was released; obviously, neither of these were used in malware. Lion has contained 1 so far, but this vulnerability doesn't affect all account types because it is due to a permissions error rather than a code vulnerability.

The following link shows the number of privilege escalation vulnerabilities in Windows 7 related to just win32k:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+7

More information about privilege escalation in Windows 7:

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

http://mista.nu/research/mandt-win32k-paper.pdf -> more complete documentation about alternative methods to exploit the Windows kernel.

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.

2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.

Also, methods have been found to bypass ASLR in Windows 7.

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> article describing bypassing ASLR in Windows 7.

Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.

Using Linux distros with similar runtime security mitigations as Lion for a model, client-side exploitation is incredibly difficult without some pre-established local access. Of course, this is self defeating if the goal of the exploitation is to achieve that local access in the first place.

See the paper linked below about bypassing the runtime security mitigations in Linux for more details.

http://www.blackhat.com/presentatio...Europe-2009-Fritsch-Bypassing-aslr-slides.pdf

The author only manages to do so while already having local access to the OS.

3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.

But, not all software in Windows uses DEP; this includes 64-bit software. See first article linked in #2.

4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.

http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.

5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SELinux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSResponder, NetBIOS...) and many client-side apps (Safari, Preview, TextEdit…) are sandboxed in Lion.

Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.

http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.

http://msdn.microsoft.com/en-us/library/bb648648(v=VS.85).aspx -> MS documentation about MIC.

https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.

6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.

Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.

Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.

As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (http://developer.apple.com/library/...stemStartup/Chapters/CreatingXPCServices.html)

7) Windows has far more public and/or unpatched vulnerabilities than OS X.

http://www.vupen.com/english/zerodays/ -> list of public 0days.

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker -> another list of public 0days.

http://m.prnewswire.com/news-releas...-vulnerability-in-microsoft-os-110606584.html -> article about 18 year old UAC bypass vulnerability.

8) Password handling in OS X is much more secure than Windows.

The default account created in Windows does not require a password. The protected storage API in Windows incorporates the user's password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.

In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.

Also, Mac OS X Lion uses a salted SHA512 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used to store passwords in Windows 7.

http://www.windowsecurity.com/articles/How-Cracked-Windows-Password-Part1.html -> article about Windows password hashing.

9) The new runtime security mitigation improvements to be included in Windows 8 have already been defeated.

http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/

To put this into perspective, methods to bypass the new runtime security mitigations in Mac OS X Lion are not yet available.


----------

It's not very clear on the F-Secure site if it's an OS X executable looking like a PDF file or a PDF file using an exploit of the OS X PDF renderer.

If it's the latter, I'd like to know which versions of Mac OS X are vulnerable to this, as the Lion PDF renderer is supposed to be far more secure, with a PDF parsing thread with almost zero rights.

I highly doubt this malware exploits the PDF renderer (unless it doesn't affect Lion) for two reasons:

1) Preview is now sandboxed.

2) Using Linux distros with similar runtime security mitigations as Lion for a model, client-side exploitation is incredibly difficult without some pre-established local access. Of course, this is self defeating if the goal of the exploitation is to achieve that local access in the first place.

See the paper linked below about bypassing the runtime security mitigations in Linux for more details.

http://www.blackhat.com/presentatio...Europe-2009-Fritsch-Bypassing-aslr-slides.pdf

The author only manages to do so while already having local access to the OS.

Regardless, the malware would still require stringing together multiple exploits to achieve system level access even if it exploits the PDF renderer in older versions of OS X.
 
True, but people don't care for the technical difference - both species are equally disastrous.

No, they are not equally disastrous. A virus/worm infects your system without any special user action. A Trojan requires the users to actively install and provide their password for elevated privileges. It's ridiculous to suggest that these are even remotely comparable in severity.
 
If past history is any indication, Apple should quickly update its malware definitions to help recognize the new threat, alerting users to the known malicious nature of the package should they attempt to download and install it.

If PAST HISTORY is any indication? Hmm...I wonder about future or present history!
 
I installed a Flash update yesterday, and after reading this article, it got me worried. So I checked the CNET article and they have screenshots of the fake and real Flash installers. My Mac is good... for now. :)

Fake:
Image

Real:
Image
Thank you so much for this link. Firefox prompted me to update Flash yesterday and these posts got me worried that I had let a Trojan in... Thanks to the linked article, I know that I just installed a regular Flash update.
 
The payload of this malware doesn't include privilege escalation.

This is shown by its install location.

Upon execution, the backdoor drops a copy of itself to the following location:

/users/%user%/library/LaunchAgents/checkvir

http://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml

This threat also targets Lion, which further supports that the malware doesn't include privilege escalation.

http://reviews.cnet.com/8301-13727_...se-sends-screenshots-files-to-remote-servers/

Without privilege escalation, this malware is unable to log protected data entry, such as masked passwords.

The user's files could be exposed but this is largely mitigated by the anti-malware solution in SL and Lion.

Users of Leopard and earlier can install ClamXav to match the anti-malware protection provided in SL and Lion.

For those wanting extra security, details to secure user files containing sensitive information are provided in the "Mac Security Suggestions" link in my sig.
 
Serves Apple right!!

For going with Intel! Now, OS X is open to all sorts of viruses and trojans.. Thanks a lot, Steve! You opened us to all sorts of problems for the future so long as we have to stay on Intel processors.

PowerPC was much better at least in terms of no viruses or trojans.
 
Obligatory counterarguments:

....

Counterarguments to what, though?

My post was about the fact that:

1. Apple has traditionally been slow to deal with known security threats, and that

2. Apple's policy seems to be to hide information about known security threats.

This is a completely different issue from the relative vulnerability of different operating systems.
 
I installed a Flash update yesterday, and after reading this article, it got me worried. So I checked the CNET article and they have screenshots of the fake and real Flash installers. My Mac is good... for now. :)

Fake:
Image

Real:
Image

Thanks for posting this. I hesitated when I got a pop-up yesterday, even tried to check on the Adobe website to see if the update was legit and finally went ahead and installed the update. Then I got worried. According to your post I am okay.
 
Counterarguments to what, though?

My post was about the fact that:

1. Apple has traditionally been slow to deal with known security threats, and that

Compare the incidence rate and duration since discovery between the un-patched zero days affecting Windows and Mac OS X in the following links:

7) Windows has far more public and/or unpatched vulnerabilities than OS X.

http://www.vupen.com/english/zerodays/ -> list of public 0days.

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker -> another list of public 0days.

Windows has far more un-patched zero days than Mac OS X. The vulnerabilities affecting Windows have remained un-patched for far longer.

2. Apple's policy seems to be to hide information about known security threats.

This is a completely different issue from the relative vulnerability of different operating systems.

Windows policy is to just not bother fixing them at all even though the vulnerabilities have been publicly disclosed.

Many have been publicly disclosed for several years, such as DLL hijacking.

Some have been exploited in the wild after being publicly disclosed for several months.

Look at how fast Apple responded to Jailbreakme which was not being exploited maliciously in the wild (about a week) -> https://forums.macrumors.com/posts/12946208/

Look at how fast MS responded to a vulnerability that was used in two different incidences of malware in the wild:

The vulnerability that was exploited by TDL-4 remained unpatched for many months from the time it was discovered via Stuxnet in July 2010 until it was patched on Dec. 14, 2010 (http://www.microsoft.com/technet/security/bulletin/MS10-092.mspx).

This task scheduler bug was being used in the wild in TDL-4 during some of that time frame. This is shown via press releases about TDL-4 using the task scheduler bug prior to the vulnerability being patched.

Dec. 7, 2010 -> http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710
 
Dang it... that Apple specialist in the store told me Mac is virus free when I was purchasing my MBP... wth...
It still is virus free. As stated many times in this thread and others, this isn't a virus. No Mac OS X viruses exist in the wild. Trojans, however, do exist, so it's best to practice safe computing.
Where is the update? I don't even see it..
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
It has the "OSX/Revir.A" definition already added, if you're on Snow Leopard or Lion.
Haha! I thought Macs were impervious to viruses & trojans! Haha!!!!
No informed person ever said they're impervious or immune to malware; only that no Mac OS X viruses exist in the wild, which is still true. No OS is impervious or immune to foolish user actions.
PowerPC was much better at least in terms of no viruses or trojans.
Not quite. There were many more viruses and trojans in the wild that affected PowerPC Macs. There have been zero viruses and a small number of trojans since the move to Intel and Mac OS X.

Mac Virus/Malware Info
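Added example (not from the thread, and not Apple's code): a small Python script, written from the defender's side, that parses an XProtect.plist-style definition list for the "OSX/Revir.A" entry mentioned above, checks a file against a definition's byte pattern, and looks for the checkvir dropper in a LaunchAgents directory, as described in the earlier F-Secure-based post. The plist layout is assumed to be the 2011-era format (an array of dicts with Description, Matches, MatchType and Pattern keys); the pattern and file contents below are constructed placeholders, not real signatures.

```python
"""Defender-side checks for the OSX/Revir.A discussion in this thread.

Assumptions (not from the thread): SAMPLE_XPROTECT mirrors the 2011-era
XProtect.plist layout as I recall it; its hex Pattern and the sample file
contents are constructed placeholders, not real signatures.
"""
import os
import plistlib
import tempfile
from typing import Iterable, List

# Path quoted in the thread; kept as a default only, never read by the demo.
XPROTECT_PATH = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.plist")

# Constructed sample in the XProtect.plist layout. Pattern is a hex string
# of the bytes XProtect looks for; here it is simply hex("checkvir").
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX/Revir.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>636865636B766972</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def load_definitions(plist_bytes: bytes) -> List[dict]:
    """Parse XProtect.plist bytes into its top-level list of definition dicts."""
    defs = plistlib.loads(plist_bytes)
    if not isinstance(defs, list):
        raise ValueError("unexpected XProtect.plist layout: top level is not an array")
    return defs


def definition_names(plist_bytes: bytes) -> List[str]:
    """Return the Description (signature name) of every definition."""
    return [d.get("Description", "") for d in load_definitions(plist_bytes)]


def has_definition(plist_bytes: bytes, name: str) -> bool:
    """True if a definition with exactly this name is present (e.g. OSX/Revir.A)."""
    return name in definition_names(plist_bytes)


def matching_definitions(plist_bytes: bytes, data: bytes) -> List[str]:
    """Names of definitions whose 'Match' byte patterns all occur in data."""
    hits = []
    for d in load_definitions(plist_bytes):
        matches = d.get("Matches", [])
        if not matches:
            continue
        try:
            needles = [bytes.fromhex(m["Pattern"]) for m in matches
                       if m.get("MatchType") == "Match"]
        except (KeyError, ValueError):
            continue  # malformed entry: skip rather than silently match
        if needles and len(needles) == len(matches) and all(n in data for n in needles):
            hits.append(d.get("Description", ""))
    return hits


def find_launch_agent_droppers(launch_agents_dir: str,
                               names: Iterable[str] = ("checkvir",)) -> List[str]:
    """Entries in a LaunchAgents directory whose name matches a known dropper name."""
    wanted = {n.lower() for n in names}
    if not os.path.isdir(launch_agents_dir):
        return []
    return sorted(p for p in os.listdir(launch_agents_dir) if p.lower() in wanted)


def demo() -> dict:
    """Run every check against a constructed LaunchAgents dir; touches no system files."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = os.path.join(tmp, "LaunchAgents")
        os.makedirs(agents)
        dropper = os.path.join(agents, "checkvir")
        with open(dropper, "wb") as fh:
            fh.write(b"placeholder-binary checkvir-payload")  # constructed, not real
        with open(dropper, "rb") as fh:
            hits = matching_definitions(SAMPLE_XPROTECT, fh.read())
        droppers = find_launch_agent_droppers(agents)
    return {"definitions": definition_names(SAMPLE_XPROTECT),
            "revir_known": has_definition(SAMPLE_XPROTECT, "OSX/Revir.A"),
            "droppers": droppers, "hits": hits}


if __name__ == "__main__":
    print(demo())
```

On a real Mac the same functions take the bytes of XPROTECT_PATH and the path ~/Library/LaunchAgents; the demo deliberately uses a temporary directory instead.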
 
Well, the problem with Mac OS X is that for a PDF file it will open it automatically by default in Safari when you follow a link, and will often display it automatically if you receive it by email (which uses the same renderer as Preview and as such will infect your Mac automatically if it's vulnerable).

It's not very clear on the F-Secure site if it's an OS X executable looking like a PDF file or a PDF file using an exploit of the OS X PDF renderer.

If it's the latter, I'd like to know which versions of Mac OS X are vulnerable to this, as the Lion PDF renderer is supposed to be far more secure, with a PDF parsing thread with almost zero rights.
This is an application with a PDF icon. The OS will ask permission to run this application, as I stated. It IS not exploiting any vulnerability, just trying to trick them into running the malware.

----------

My post was about the fact that:

1. Apple has traditionally been slow to deal with known security threats, and that

2. Apple's policy seems to be to hide information about known security threats.

...and both of those are incorrect generalizations.
 
Apple released the fix on Friday.

And 2 days later the fix is already worked around.

Like it or not, it's starting to look like malware development for Apple is starting to grow at a much faster pace, and that growth is going to be exponential. Less than a year ago it was once every few years. Now it seems it has been reduced down to weeks. Still well within reason for Apple to keep it under control with a fix, but it is going to hit critical mass of usable base code at some point, and that point is getting closer by the day.
 
And 2 days later the fix is already worked around.

Link to the source for this information?

Also,

Screen Shot 2011-09-26 at 3.22.50 PM.png
 
Link to the source for this information?

Sorry that you could not see the sarcasm part. It was mostly pointing out that the fixes that Apple (or MS on its OS) make are generally worked around fairly quickly. The base code of these things does not change so much. Mostly it is just a little work to exploit the fix.

Chances are really high that it was worked around really quickly. Look at the rate MacDefender was getting around Apple updates. It was measured sometimes in hours. Rarely more than a few days, until the company got shut down completely. The base code for that malware is still out there and chances are it is being actively worked on by several groups for their own ends.

And all your little picture of Windows proves is to help show the exponential growth. OS X is getting closer and closer to critical mass. The time between new malware is shrinking every day. It has gone from years down to weeks. I would not be surprised if in 5 years we are seeing a new one every day.

Base code on malware is recycled time and time again. The MS Blaster virus had the base of the code changed and used for months.
 
Mostly it is just a little work to exploit the fix.

It's a trojan that doesn't exploit any vulnerability in OS X's code.

But, you are right in that it doesn't require much work to modify a trojan to avoid detection by anti-malware software.

This is even more relevant to Windows given the much greater volume of malware targeting that OS.

It should also be noted that anti-malware software should not be a user's only line of defence from malware on any OS.
 
This is funny. They claimed that Macs don't have viruses or similar in ads. But how about now, huh? Do you think that Mac is safe? It will be at a similar level to Windows OS in the next couple of years. I guarantee it. Otherwise there is no way they'd update like this. When I posted something about this just one year ago, people blamed me. But seriously, you can't deny the reality.
 
Alternatively, look at the rate Apple was shutting down MacDefender variants. It was measured sometime in hours. Who won?

That is not the point. It just shows you how quickly it was being worked around. Apple was putting out an update every day for a while, which tells me that it took them a long time to fix the fundamental hole that was being exploited.

MacDefender put some huge cracks in Apple's "does not get viruses" armor.

What it points out is how quickly it was being worked around. Right now the malware on Apple is still fairly easy for Apple to manage, but that is not going to be the case forever. I am glad Apple is taking an active role in keeping things under control and hope they keep doing it as long as possible.

It is a war Apple cannot win. They can win battles, but in the end they will lose the war. That much is a fact.
It's a trojan that doesn't exploit any vulnerability in OS X's code.

But, you are right in that it doesn't require much work to modify a trojan to avoid detection by anti-malware software.

This is even more relevant to Windows given the much greater volume of malware targeting that OS.

It should also be noted that anti-malware software should not be a user's only line of defence from malware on any OS.
It was using exploits to install without telling the user or without needing admin privileges when piggybacking on something else.
Remember, even for Windows, 95%+ of all malware is trojans because it exploits the single biggest security hole (the user).
 