How does a computer get infected? Is it just by visiting a website that is running the malware? Or is there more to it like installing software from that site?

If it's possible to get infected just by visiting a website, that is a big problem. Are there browser settings that might help prevent that?
 
I'll just place this in the 'iOS should remain a closed ecosystem' folder because it would be a lot easier to manage this if it only had one point of entry.
 
A comprehensive collection of macOS malware can be found at https://objective-see.com/malware.html. Caution -- these are live samples, so handle with care. Notable examples include a crypto miner from North Korea, and a RAT (Remote Access Trojan) from a Russian threat actor.

You can scan for suspicious processes, plugins, libraries, scripts, and scheduled tasks using https://objective-see.com/products/knockknock.html . BlockBlock (https://objective-see.com/products/blockblock.html) alerts on attempts to establish persistence on a Mac, which is a necessary step for attackers to gain a foothold on your machine.

The malware repository and tools are created by Patrick Wardle, a former NSA analyst and one of the best macOS malware researchers on the planet. I've used his tools and intel personally and in my day job as a cybersecurity incident responder.
 
But lots of folks in the USA spend thousands buying themselves into an operating system prison just like that, literally allowing Apple to do everything on their devices.
That's ok. It's no worse than allowing your power company to remote control your AC or washing machine. They have already proved better at managing these devices than the average person.
 
Oh Macrumors, how I love to hate you. Why would you bother telling people there is a way to check this, without describing the process? You casually mention it as if most people would be like "oh yeah, I know about that and how to do it..." I'm sure my comment will be deleted.
 
Found something at 9to5mac

1. Go to /Users/[username]/Library/LaunchAgents directory
2. Check for suspicious filenames in this directory (example below is a random name)

/Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist

If there is a file named like the one above, it's very likely you have been infected.
Two other directories to watch:
1. System-wide LaunchAgents are found in /Library/LaunchAgents.
2. LaunchDaemons (LaunchAgents without windows) can be found at /Library/LaunchDaemons.
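The check described in this post can be scripted. The following is an added example (not from 9to5mac, MacRumors, or any of the posters) that walks the three launchd directories named above and flags plist names that look machine-generated, generalising the one random-name example in the post into a simple heuristic: any dot-separated component of the label that is eight or more characters and mixes upper-case, lower-case and digits. The demo directory and file names it creates are constructed for illustration; `classify_label` and `scan_launch_dir` are names chosen here.

```shell
#!/bin/sh
# Added example: heuristic scan of launchd plist names for random-looking labels.
# Nothing here is taken from the thread's source article; names are assumptions.

# Prints "suspicious" if any dot-separated component of the plist label is
# 8+ characters long and mixes upper-case, lower-case and digits
# (e.g. com.wznlVRt83Jsd.HPyT0b4Hwxh.plist), otherwise prints "ok".
classify_label() {
    label="${1%.plist}"
    verdict=ok
    oldifs="$IFS"
    IFS=.
    for part in $label; do
        if [ "${#part}" -ge 8 ] \
           && printf '%s' "$part" | grep -q '[[:upper:]]' \
           && printf '%s' "$part" | grep -q '[[:lower:]]' \
           && printf '%s' "$part" | grep -q '[[:digit:]]'; then
            verdict=suspicious
        fi
    done
    IFS="$oldifs"
    echo "$verdict"
}

# Prints the path of every *.plist in DIR whose name classifies as suspicious.
# A missing directory is reported on stderr but is not an error (see the later
# posts in this thread about the folders not always existing).
scan_launch_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 0; }
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ "$(classify_label "$name")" = suspicious ]; then
            echo "$f"
        fi
    done
}

# Constructed demo: a throwaway directory with one benign-looking and one
# random-looking launch agent name, so the script runs on any Unix-like box.
demo_dir=$(mktemp -d)
touch "$demo_dir/com.google.keystone.agent.plist" \
      "$demo_dir/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist"
echo "Suspicious entries in constructed demo directory $demo_dir:"
scan_launch_dir "$demo_dir"
rm -rf "$demo_dir"

# Real use on a Mac (the three directories named in this thread):
#   for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
#       scan_launch_dir "$d"
#   done
```

The name heuristic is only a first filter: malware can just as easily pick a plausible label such as `com.apple.something`, and some legitimate vendors use odd names. For anything the scan lists, open the plist and look at its `Program` or `ProgramArguments` key to see what binary it actually starts, and check that binary's location and signature before deleting anything.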
 
Brilliant. So we better hand the world over on a silver platter and let robots control every single aspect of our lives. :rolleyes:
I get the Rick and Morty reference, but I wouldn’t assume most people understand you’re joking.
 
Found something at 9to5mac

1. Go to /Users/[username]/Library/LaunchAgents directory
2. Check for suspicious filenames in this directory (example below is a random name)

/Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist

If there is a file named like the one above, it's very likely you have been infected.
Thanks for the additional info. The article was horribly light on what to look for, how this is actually spread, and if there's any anti-malware software that sniffs it out.
 
Infection path would be good information.

Also, I generally find Little Snitch to be a great defense against this kind of thing (as long as the virus doesn't disable it). It may still exist, but you can identify it by network access.
The headline should be, “Security Researcher realizes that stating the obvious about macOS will spread their name throughout the internet.” LOL

“While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous” - Security Researcher

Yes, the gap between MASSIVE amounts of malware on Windows and the tiny amounts of malware on macOS is slooooooowly closing. I mean, just this report closes the gap by an amazingly impressive 1 MORE!
 
A virus may be a form of malware, but it feels like it's used by security companies interchangeably to get you to buy their software on your Mac.

I remember viruses from the early '90s, and the key thing was their ability to run an executable without you knowing. So they would just run in the background and duplicate themselves or attach themselves to files which you may send to someone else, and it would run on that person's computer, etc.

The key thing is Mac OS X is based on Unix, which has a low-level permissions structure on every file. So without explicitly saying "run this file" or allowing a file to be duplicated, etc., an actual computer virus can't run or do much.

Whereas Windows never had that level of permissions initially. (I think they introduced UAC in Vista, but it annoyed everyone.) Not sure where Windows is now in terms of low-level security. But it's Windows' historical "Swiss cheese" architecture that literally built a whole antivirus industry with companies like Norton and McAfee.

Malware that Mac users can get will mean you were tricked into running something, vs. a virus that you would have no idea is running.

It's an important distinction in my opinion. I've never had any Mac antivirus software running on my machine. But Windows has been like the Wild West for decades. I think the latest versions have Defender on by default, so that's better, but it's nothing like macOS.

So it's not just through obscurity that the Mac was protected. It's also through design.
 
Thanks for the additional info. The article was horribly light on what to look for, how this is actually spread, and if there's any anti-malware software that sniffs it out.
The original article was as well. I'd imagine the actual attack vector requires intervention from the user (download, intentionally execute, close the error message, open System Preferences, intentionally enable editing of the Gatekeeper sheet, intentionally disable Gatekeeper, intentionally execute the download AGAIN…). Yeah, if the security research had included all THAT information, the news wouldn't have spread quite as broadly.
 
Any networked device, in any way, can be hacked. Just as even with more than a million years of evolution the human body gets viruses, cancers, bacterial infections. We get hacked too. It's a matter of what you do to prevent the malady from taking hold, the precautions you take, but nothing is 100%. EXCEPT life in a bubble, in this case a non-networked device. But that doesn't do you much good!
 
I do this regularly anyway (plus /Library/LaunchDaemons and /Library/LaunchAgents). A lot of "legitimate" companies load crap in there as well - much of it pointless, yet still slowing down your computer.
Looking at the Monterey beta 3 hierarchy on an M1 Mac, there is no such launch-anything hierarchy.

Comparably, an x86 Mac using Catalina 10.15.7 has a LaunchAgents folder; it's empty when checked.

Is that hierarchy path still used at all for M1 Macs?
 
How does a computer get infected? Is it just by visiting a website that is running the malware? Or is there more to it like installing software from that site?

If it's possible to get infected just by visiting a website, that is a big problem. Are there browser settings that might help prevent that?
(sorry for the wall of text)
Various intrusion methods. Yes and yes. It's part vigilance by the user to make sure they are visiting a legitimate website, maintaining up-to-date anti-malware definitions, updated browsers, not clicking every single pop-up, and then there are additional steps which can add a degree of security. Using SOME browser extensions like uBlock Origin (caveat: there are many extensions, I in no way endorse just this one, it's purely an example) with filters (there are many) applied to further weed out nefarious scripts and sites. You could install a third-party anti-malware service or make sure the proprietary one is turned on and updated. Use a good browser like Firefox. Just don't go to shady websites, check the link before clicking it (hovering over it sometimes reveals its true path) in whatever social media site you use, or just do a search for what the party is trying to get you to click in a different tab, and stay away from torrents. It may seem overly complicated, but developing some of the above practices/habits can save a lot of frustration down the road, and it becomes second nature rather quickly.
That's ok. It's no worse than allowing your power company to remote control your AC or washing machine. They have already proved better at managing these devices than the average person.

Brilliant. So we better hand the world over on a silver platter and let robots control every single aspect of our lives. :rolleyes:
Yes and no. An eight-speed dual-clutch automatic transmission system blows away most manual drivers, a smart thermostat with the proper settings for your region will greatly reduce your energy consumption versus the old analog thermostat, and having your washing machine only on during non-peak hours (these are region- and energy-company-specific) will also save you lots of money. While I agree turning over full control to someone outside your comfort bubble is not the 100% solution, it does have its merits to a degree.
 
The original article was as well. I'd imagine the actual attack vector requires intervention from the user (download, intentionally execute, close the error message, open System Preferences, intentionally enable editing of the Gatekeeper sheet, intentionally disable Gatekeeper, intentionally execute the download AGAIN…). Yeah, if the security research had included all THAT information, the news wouldn't have spread quite as broadly.
Yeah but the dialog said I had to do all that to get my pirated free version of Photoshop!
 
Looking at the Monterey beta 3 hierarchy on an M1 Mac, there is no such launch-anything hierarchy.

Comparably, an x86 Mac using Catalina 10.15.7 has a LaunchAgents folder; it's empty when checked.

Is that hierarchy path still used at all for M1 Macs?

All three directories do exist on my M1 MacBook Air running Big Sur (just checked).

It's possible Monterey does something different. It's also possible the directories aren't created until an app "needs" to deposit a launcher in there.
 
No matter what, these Macs are protected. Let's be real here.

When was the last time your Mac got a virus?
For OS X/macOS... NEVER; there are no viruses for these OSes.

Most people don't even know what a virus is, maybe check out what a virus is.


I also think this is again scaremongering, it is by no means as bad as on the Windows side and won't be for a long time.
 
For OS X/macOS... NEVER; there are no viruses for these OSes.

Most people don't even know what a virus is, maybe check out what a virus is.


I also think this is again scaremongering, it is by no means as bad as on the Windows side and won't be for a long time.
I don't see the word virus in the article, do you? Learn the difference
 
I know we should all know this, but for everyone in the room, Macs have always been able to get a virus. They were such a small subset of the computing world the payoff wasn't huge. Things have changed with the more mainstream adoption of Macs, and now it's open season for the bad guys.
This is actually not true.
Classic Mac OS 9 and earlier... with a WAY smaller market share, had tons of malware.
Come Mac OS X... this changed due to a different architecture.

And Macs are still as safe, if not safer... than 10 years ago.
It doesn't say it anywhere in these articles... but this malware, like any other of this kind, will need both your admin password AND access to e.g. "full keyboard access", etc.
This is a complete non-issue.
 
To get to that launch agents folder, click your Desktop to bring focus to the Finder. Then hit the shift-command-G keys (all three at once) and you will get the popup window below. Paste in ~/Library/LaunchAgents/ and hit return, and you'll be taken to the user's launch agents folder.

I have found my launch agents folder using your method as well as the method described in another post (Users and Groups - Login Items - "these items will open automatically when you log in" = none)... there is nothing in it at all... is that in of itself unusual and/or does it mean I'm clean?
 