Okay. Just to be clear here, this is not a virus? A virus is something that can manipulate/alter specific programs and spread itself, whereas a worm can do the same but is not limited to specific software? So that makes this just another Trojan, and by Trojan I mean malware that was somehow authenticated by the user and will collect sensitive information.
And a virus that injects a Word file and sends it out to other people is then a Trojan horse by whoever is receiving the Word file? Let me try to define those terms:
Virus: injects files or applications, can replicate on its own (I think local replication would suffice)
Trojan horse: tricks user into doing something with something sent or downloaded
Worm: can spread from machine to machine without user intervention (on either side)

By this definition a worm could also be a virus, just a very effective one. But if not hiding inside a file or application during transit it would not be a virus. And most viruses might install malware on top of replicating themselves.

----------

But you don't just try to install pirated software. When you install it, MacOS X will tell you that you are installing software by an unknown developer. If that pirated software was _original_ Adobe or Microsoft software, it would just install, you wouldn't get a warning. (Surely Adobe and Microsoft are not "unknown developers" to Apple, right? ) If you proceed at that step, you don't only try to install pirated software, which means you are a criminal, you are also trying to install software that you should know has been manipulated, making you criminally stupid.
Isn't the point of pirated software to be modified such that it launches without requiring a serial number (or online activation)? These days almost all software can be downloaded from the developer directly and just needs a serial number to work fully.

----------

However, there's a thing that really annoys me when installing software: allowing administrator rights. OK, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why doesn't OS X give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?

Because an installer has to be allowed to do essentially anything and the OS only learns about what the installer wants to do as the installer is doing it. For things to be meaningful to the user, one would need to define new levels of security as in admin access light (access to part of the OS) and admin access heavy (access to everything) which means in UNIX terms a new user group as in adminlight.

----------

I'm not arguing for pirated software, but what you just said is beyond absurd and applies to all software that isn't a registered developer with Apple (i.e. much shareware, etc.). How do I know if Handbrake or XBMC is "safe" to install? I didn't get them from the App store... OMG! It simply MUST be malware! :eek:

In other words, using Apple's registered developer checks as a substitute for a malware checker isn't the best idea.

It's a good idea for those that are not very computer savvy.
 
Plus you need to pay monthly for Photoshop now, right (it's not a one-time purchase)?

$10 a month in their Photoshop Photography Program.

Looks like this trojan needs to go through several hoops to hook its claws into any Mac, user authentication and all. Not like accidentally visiting an infected webpage loaded with a drive-by download exploit you'd expect to find on a Windows PC.
 
Happen how? I can't understand what you're trying to say. You don't expect to ever find a trojan or you can't believe they covered the story?

Sorry, badly worded.

I meant to say something more along the lines of "I usually don't expect to find botnets coordinated by social media posts."

I realize this is a signature, but it makes zero sense. It's like asking if anyone uses a browser cache directory. It's not for you to use, it's for the program to use, in this case for iTunes to store smaller resolution versions of pictures for a device that can only display so much resolution and has limited storage capacity (e.g. an iPod Touch). A better question might be why Apple puts a cache directory in the middle of photo directories where it's in the way if you store photos by directory, but then they don't expect you to do that either. They expect you to let it compact everything into one database file for iPhoto, which is stupid, IMO, since a single file corruption could destroy them all, but then not everything Apple does makes sense.

This is exactly what I meant. Another way to put it could be "After years and years, why does it still get put here and not in the main cache folder" but I couldn't get it to work well for a short signature. Perhaps I could add a bit speculating about a former Microsoft programmer making that decision, but I haven't thought about it much yet.

Anyways, it seemed to fulfill its purpose considering I just wanted to encourage discussion about it.
 
It takes more than just an Internet connection for the update to happen automatically. The Mac's system preferences also need to be properly configured to permit the download. That preference is on by default, but if somebody turned it off for some reason and never turned it back on, they won't be getting the Xprotect update.

For Mavericks, the setting is in the App Store preference pane, while under earlier versions of OSX it's under the Security & Privacy pane.

http://support.apple.com/kb/HT3662?viewlocale=en_US&locale=en_US

Thank you! I had forgotten that this was disabled on one of my systems.
 
I have a GeekTool script that tells me when it was updated. My update finally didn't kick in till the 5th at 3 am.
 
So tired of the "it's not actually a virus because of -------, OS X doesn't get viruses!" gibberish.

Macs are great. But they sure aren't perfect. Take it as a compliment that more malware is targeting Macs; this wouldn't happen if their popularity/use was decreasing.
 
So tired of the "it's not actually a virus because of -------, OS X doesn't get viruses!" gibberish.

Macs are great. But they sure aren't perfect. Take it as a compliment that more malware is targeting Macs; this wouldn't happen if their popularity/use was decreasing.
There still aren't any viruses for Mac. Popularity has nothing to do with it ... Macs are everywhere and Apple is one of the most valuable companies on the planet now. Infections still generally require user intervention, so they have to be disguised in a way that gets people to enter their login info ... which is difficult to do if the person has any clue what they're doing. Most of these also come from pirated software. Any malware OS X has had has been blown wildly out of proportion. You're right though, Macs aren't perfect, but they are still quite secure.
 
Isn't the point of pirated software to be modified such that it launches without requiring a serial number (or online activation)? These days almost all software can be downloaded from the developer directly and just needs a serial number to work fully.

So all you are saying is that trying to pirate software is inherently dangerous, right? Can we add that it is even more dangerous, because you know that you are going to a site run by criminals?

----------

So tired of the "it's not actually a virus because of -------, OS X doesn't get viruses!" gibberish.

Macs are great. But they sure aren't perfect. Take it as a compliment that more malware is targeting Macs; this wouldn't happen if their popularity/use was decreasing.

You are posting nonsense here. The people affected by this have _deliberately_ gone to a piracy site to download pirated software. So from the outset they know that the site is run by criminals. They then deliberately downloaded software from that site. And they deliberately ignored warnings.

----------

I'm not arguing for pirated software, but what you just said is beyond absurd and applies to all software that isn't a registered developer with Apple (i.e. much shareware, etc.). How do I know if Handbrake or XBMC is "safe" to install? I didn't get them from the App store... OMG! It simply MUST be malware! :eek:

Aren't you just slightly exaggerating here? There is a big difference between Handbrake and pirated software: With Handbrake, you can go to their official website and have a good expectation that the software is written by someone who didn't mean you any harm. If you go to a piracy site, you know from the outset that the site is run by criminals. If you downloaded Handbrake from that same piracy site, you could expect trouble as well.
 
One note: This update doesn't protect you from a "botnet threat". The botnet is tiny, 17,000 computers, it's no threat to anyone - there are much, much bigger botnets around, and mostly they just send annoying spam, _and_ this update doesn't try to protect you from that botnet.

What it protects you from is from having software on your Mac that makes you part of the botnet. First, because you don't want your Mac to be part of a botnet, and second because someone has control over your computer and could do things to it that are much worse for you than participating in a botnet.

http://threatpost.com/how-much-does-botnet-cost-022813/77573

has a nice link about the cost of _buying_ a botnet. A botnet with 17,000 machines doesn't exactly make much money, we'll see what happens to it after this update, so I'd say the malware creators probably lost money with this operation. (The article is from early 2013; prices will tend to drop. For example, the market for stolen credit card numbers is completely swamped and prices have dropped to the bottom).
 
No offence, but is the file safe? Not to be rude, but this thread is about downloading files from unknown sources and just installing them.
Then maybe, just maybe, you should consider the possibility that even if the original poster says "it's safe" it may in fact not be...
/sarcasm

I really hope you were joking...
 
it's not really a worm but regardless, you get it by downloading and installing pirated software from a shady website or torrent. for more details see here:
http://www.thesafemac.com/iworm-method-of-infection-found/

if you don't willfully engage in such activities you are quite safe. by now you are safe in any case because xprotect will kill it anyway, even if you do try to install some pirated software that carries it.

You go to a website with pirated software, thinking you can steal for example Photoshop. But instead of installing Photoshop, you install this malware. It's you doing it. Intentionally. With MacOS X telling you not to trust the software.

i meant the part where it connects to reddit to get some lists somebody puts there
 
Well here's the joke.

If you think the file I linked to from apple's server before isn't safe, then don't download anything ever again from apple.

After all, it might not be safe, right?

/sarcasm.

Something something 7.0.1

/hue
 
What it really sums up, is stupidity and ignorance of the common Apple user.

incorrect. reddit pirate users are anything but the common apple user.

nice attempt at making yourself feel smarter than the average bear, tho.
 
i meant the part where it connects to reddit to get some lists somebody puts there

Well, that's just normal programming. Remember, this "malware" is just an ordinary application, except that it does things that you don't want it to do.

Many websites have published an interface for software developers to use; for example an application can ask you for your Facebook login data and then can contact the Facebook servers and ask them for information that you would be allowed to see, and the same for Reddit. For example, the software might be able to ask Reddit for all public messages made by Joe Smith (because they are public), with an interface that Reddit has created for just that purpose, and instead they ask for all public messages by Joe Evil Hacker (probably using a more innocent looking name), and all Joe Evil Hacker has to do is post public messages. They could even build Joe Evil Hacker's password into the malware, so the malware could access non-public data that Joe Evil Hacker puts on Reddit.

Just as an example, this link https://forums.macrumors.com/showthread.php?p=20022987&posted=1#post20022987 links directly to the page on MacRumors containing your and my post. It's quite easy for a program to read data from this link and read our two posts. And it would be easy to write a program that goes to this link, finds all posts that quote a message by Rossatron, looks for all uppercase letters following two stars, takes them as commands, and performs the command - so this post could make that malware delete all files! And all I'd need to do if I was the evil hacker would be to modify this post by adding **DELETE ALL FILES somewhere, the malware on your Mac would read it and do what the message says. It's really like hiding a letter somewhere where a spy picks it up and follows the orders in that letter.

MacRumors admins would probably spot if 17,000 computers downloaded this one page all the time and might be clever enough to figure out what happens.

----------

incorrect. reddit pirate users are anything but the common apple user.

Reddit users don't seem to be involved in this matter at all. Or only one Reddit user account, created to post messages that the malware can access.
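The "dead drop" scheme described in the post above (a bot that fetches a public page, keeps only posts quoting one account, and reads `**WORD` markers as orders) and the admin-side observation at the end of it (thousands of hosts pulling the same page on a timer), as an added example that is not part of the original thread, the iWorm sample, or any MacRumors/Reddit code. The post format, the command words, the benign handlers and the access-log lines are all constructed for illustration; real bots hide the marker better and use real APIs rather than scraping.

```python
"""Dead-drop command channel as described in the post, plus a log-side detector.

Added example, not code from the thread or from any real malware. The post
records, the command marker, the handlers and the web server log below are
constructed; only the idea (commands hidden in public posts) comes from the post.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# --- the channel ----------------------------------------------------------
# Marker from the post: two stars followed by an uppercase word.
COMMAND_RE = re.compile(r"\*\*([A-Z][A-Z_]*)")

# Constructed forum posts: who wrote it, whom it quotes, and the body text.
SAMPLE_POSTS = [
    {"author": "alice",   "quotes": "Rossatron", "body": "Agreed. **REPORT then **SLEEP 60"},
    {"author": "bob",     "quotes": "gnasher",   "body": "**WIPE would be ignored, wrong quote"},
    {"author": "mallory", "quotes": "Rossatron", "body": "lol **UPDATE **BEACON"},
]

# Harmless stand-ins for whatever a real bot would do. Unknown words are
# dropped so a stray "**LOL" in an unrelated post does nothing.
HANDLERS: Dict[str, object] = {
    "REPORT": lambda: "sent host report",
    "SLEEP":  lambda: "sleeping",
    "UPDATE": lambda: "fetched update",
    "BEACON": lambda: "beaconed",
}


def extract_commands(posts: Iterable[dict], quoted_author: str) -> List[str]:
    """Commands hidden in posts that quote the operator's account, in page order."""
    cmds: List[str] = []
    for post in posts:
        if post["quotes"] != quoted_author:      # the quote is the authentication
            continue
        cmds.extend(COMMAND_RE.findall(post["body"]))
    return cmds


def dispatch(commands: Iterable[str]) -> List[str]:
    """Run the known handlers; return what each did."""
    return [HANDLERS[c]() for c in commands if c in HANDLERS]


# --- the detector ---------------------------------------------------------
# Constructed Apache-style access log: four hosts re-fetch one thread every ten
# minutes with no referrer; one ordinary reader arrives from the forum index.
SAMPLE_LOG = """\
10.0.0.11 - - [05/Oct/2014:03:00:02 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.12 - - [05/Oct/2014:03:00:05 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.13 - - [05/Oct/2014:03:00:09 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.14 - - [05/Oct/2014:03:00:11 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.7 - - [05/Oct/2014:03:04:40 +0000] "GET /forums/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.7 - - [05/Oct/2014:03:05:13 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "http://forums.example/forums/" "Mozilla/5.0"
10.0.0.11 - - [05/Oct/2014:03:10:02 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.12 - - [05/Oct/2014:03:10:04 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.13 - - [05/Oct/2014:03:10:10 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.14 - - [05/Oct/2014:03:10:12 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.11 - - [05/Oct/2014:03:20:01 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.12 - - [05/Oct/2014:03:20:06 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.13 - - [05/Oct/2014:03:20:08 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.14 - - [05/Oct/2014:03:20:13 +0000] "GET /showthread.php?p=20022987 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')


def dead_drop_candidates(lines: Iterable[str], min_clients: int = 3,
                         min_hits: int = 3) -> List[str]:
    """URLs that many distinct clients each fetch repeatedly without a referrer.

    Heuristic only: humans usually reach a post page via a link (referrer set)
    and rarely reload the same page on a schedule, whereas a polling bot does
    exactly that. Tune the thresholds to the site's normal traffic.
    """
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, url, referer = m.groups()
        if referer not in ("", "-"):
            continue
        hits[url][ip] += 1
    return sorted(url for url, per_ip in hits.items()
                  if sum(1 for n in per_ip.values() if n >= min_hits) >= min_clients)


if __name__ == "__main__":
    orders = extract_commands(SAMPLE_POSTS, "Rossatron")
    print("orders:", orders, "->", dispatch(orders))
    print("suspect dead drops:", dead_drop_candidates(SAMPLE_LOG.splitlines()))
```

The two halves are deliberately symmetric: the channel works because the page is public and the quote acts as the bot's only "authentication", and it is detectable for the same reason, since every bot must fetch the same public URL on a timer.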
 
Well here's the joke.

If you think the file I linked to from apple's server before isn't safe, then don't download anything ever again from apple.

After all, it might not be safe, right?

/sarcasm.

Didn't mean to offend you or judge the safety of the posted link.

I was just commenting that asking on any open and basically anonymous internet forum if a link is safe... well... does not make much sense, does it?
(Appeal to common sense: if the link is to the company's own download site, most likely it is safe; if hosted anywhere else, you'd better know what you are doing and who you are dealing with.)
 
Anyone else not received the update automatically?

I've checked the folder and my files are still not showing any updates since May. (Xprotect.meta.plist, Xprotect.plist) :(

I have the option 'Install system files and security updates' checked in the System->Prefs->App Store settings. :confused:
 
I've checked the folder and my files are still not showing any updates since May. (Xprotect.meta.plist, Xprotect.plist) :(

I have the option 'Install system files and security updates' checked in the System->Prefs->App Store settings. :confused:
I am having a similar issue. Isn't XProtect supposed to update on its own? Are we supposed to be doing these updates manually?
 
I've checked the folder and my files are still not showing any updates since May. (Xprotect.meta.plist, Xprotect.plist) :(

I have the option 'Install system files and security updates' checked in the System->Prefs->App Store settings. :confused:

Whoopee!!! OK, mine just updated. Cheers! :)
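For the posts above about checking whether the XProtect definitions actually came down (the App Store/Security preference, the "no updates since May" files, and the GeekTool script that reports when it was updated), here is an added example that is not from the thread or from Apple. It parses XProtect.meta.plist with the standard library and prints a one-line status a GeekTool geeklet or a shell prompt can show, flagging definitions that are older than a threshold or below a version you know was published. The file path is the one used on OS X 10.9 (Mavericks) and the key names `Version` and `LastModification` are assumptions about the file's layout; check them against your own copy before relying on the script. The embedded plist is a constructed sample, not a real XProtect update.

```python
"""Report the installed XProtect definition version and its age.

Added example (not from the thread or from Apple). Reads XProtect.meta.plist
and prints a one-line status for a GeekTool geeklet, marking definitions
that are stale by age or below a known minimum version.
"""
import plistlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumed location on OS X 10.9; verify the path on your release.
XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.meta.plist")

# Constructed sample in the shape of XProtect.meta.plist. The key names
# "Version" and "LastModification" are assumptions about the real file.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Sun, 05 Oct 2014 03:00:00 +0000</string>
    <key>Version</key>
    <integer>2050</integer>
</dict>
</plist>
"""


def parse_meta(data: bytes) -> dict:
    """Return {"version": int, "modified": tz-aware datetime} from plist bytes."""
    meta = plistlib.loads(data)
    modified = parsedate_to_datetime(meta["LastModification"])
    if modified.tzinfo is None:            # an RFC 2822 "-0000" parses as naive
        modified = modified.replace(tzinfo=timezone.utc)
    return {"version": int(meta["Version"]), "modified": modified}


def xprotect_status(data: bytes, now: datetime, max_age_days: int = 30,
                    min_version: Optional[int] = None) -> dict:
    """Classify the definitions as current or stale.

    Stale means older than max_age_days or, when min_version is given (the
    version published for a specific update), below that version.
    """
    info = parse_meta(data)
    age = now - info["modified"]
    stale = age > timedelta(days=max_age_days)
    if min_version is not None and info["version"] < min_version:
        stale = True
    return {**info, "age_days": age.days, "stale": stale}


def status_line(status: dict) -> str:
    """One-line summary suitable for a GeekTool shell geeklet."""
    flag = "STALE" if status["stale"] else "ok"
    return (f"XProtect v{status['version']} updated "
            f"{status['modified']:%Y-%m-%d %H:%M %Z} "
            f"({status['age_days']}d ago) [{flag}]")


def check_sample(now_iso: str = "2014-10-06T12:00:00+00:00", **kwargs) -> dict:
    """Run the check against the constructed sample at a fixed 'now'."""
    status = xprotect_status(SAMPLE_META, datetime.fromisoformat(now_iso), **kwargs)
    status["line"] = status_line(status)
    return status


def main(path: str = XPROTECT_META) -> None:
    with open(path, "rb") as f:
        data = f.read()
    print(status_line(xprotect_status(data, datetime.now(timezone.utc))))


if __name__ == "__main__":
    main()
```

Pointing a geeklet at this script gives the same "when did it last update" answer as the GeekTool approach mentioned above, with the added benefit that a version number lets you compare against the one an update announcement names rather than only against the date.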
 
Well, that's just normal programming. Remember, this "malware" is just an ordinary application, except that it does things that you don't want it to do.

Many websites have published an interface for software developers to use; for example an application can ask you for your Facebook login data and then can contact the Facebook servers and ask them for information that you would be allowed to see, and the same for Reddit. For example, the software might be able to ask Reddit for all public messages made by Joe Smith (because they are public), with an interface that Reddit has created for just that purpose, and instead they ask for all public messages by Joe Evil Hacker (probably using a more innocent looking name), and all Joe Evil Hacker has to do is post public messages. They could even build Joe Evil Hacker's password into the malware, so the malware could access non-public data that Joe Evil Hacker puts on Reddit.

Just as an example, this link https://forums.macrumors.com/showthread.php?p=20022987&posted=1#post20022987 links directly to the page on MacRumors containing your and my post. It's quite easy for a program to read data from this link and read our two posts. And it would be easy to write a program that goes to this link, finds all posts that quote a message by Rossatron, looks for all uppercase letters following two stars, takes them as commands, and performs the command - so this post could make that malware delete all files! And all I'd need to do if I was the evil hacker would be to modify this post by adding **DELETE ALL FILES somewhere, the malware on your Mac would read it and do what the message says. It's really like hiding a letter somewhere where a spy picks it up and follows the orders in that letter.

MacRumors admins would probably spot if 17,000 computers downloaded this one page all the time and might be clever enough to figure out what happens.

----------

Reddit users don't seem to be involved in this matter at all. Or only one Reddit user account, created to post messages that the malware can access.

Thank you for that explanation!
 
There still aren't any viruses for Mac. Popularity has nothing to do with it ... Macs are everywhere and Apple is one of the most valuable companies on the planet now. Infections still generally require user intervention, so they have to be disguised in a way that gets people to enter their login info ... which is difficult to do if the person has any clue what they're doing. Most of these also come from pirated software. Any malware OS X has had has been blown wildly out of proportion. You're right though, Macs aren't perfect, but they are still quite secure.

It's funny because I don't remember ever seeing a windows machine infected with Malware that couldn't have been blamed on the luser too. Some idiot Windows user clicks the annakornikovanudes.js file in their email and we have no problem blaming MS and/or Windows, but when the same behavior infects OSX it's "Nothing to see here, move along...."
 
It's funny because I don't remember ever seeing a windows machine infected with Malware that couldn't have been blamed on the luser too. Some idiot Windows user clicks the annakornikovanudes.js file in their email and we have no problem blaming MS and/or Windows, but when the same behavior infects OSX it's "Nothing to see here, move along...."
Malware can install itself on Windows without any user intervention whatsoever, regardless of what the user was doing. That was my point. Whether the user or the OS is to blame doesn't take away from that fact.
 
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/

I'm always puzzled by these posts and by the upvotes they get.

As someone who's been downloading Photoshop since well before he was out of college and able to afford anything (or high school, or even middle school, for that matter, back to PS7 on LimeWire 1.5) since Mac OS 8, and has done so on both Classic Mac OS, Mac OS X, and Windows, for every single version of Photoshop save CS5 from Photoshop 7 through CS6, and also as someone who has never gotten a virus from PS, or any of the other I'm going to go with hundreds of programs, I'm always baffled by folk who either imply (and I can't quite tell which) that people who pirate are either stupid, or that all cracked programs/keygens MUST have viruses.

I can definitely understand someone's readiness to let their Mac use anything, especially if one is a long-time Mac user, as Macs are notoriously virus-free, and prior to OS X, there really WERE no viruses for Mac, save maybe, like, one for OS 9 that had no circulation.

Ironically, the only spyware I got on any Mac was very recently from a freeware program (UnRarX) which I was in a hurry to reinstall after having to replace the corrupted HDD in my MBP with a new one, which I luckily already had lying around.

I knew something was wrong, but I was tired, in a hurry, and impatient, and foolishly downloaded UnRarX (a harmless program, in and of itself, widely used for .rars) from Softonic because it came up first when I googled the program.

Anyway, *shrug* usually these things are harmless, as long as you're not trying to download The Complete Adobe Works from 1986-2026 at 23KB.

----------

Does that make it safe? Unless you ask an iPhone 6 or 6+ user with iOS 8.0.1 (not to be rude) I'd say yes..

If anyone's on their iPhone 6 w/8.0.1 they won't be around to be offended by this comment :D
 