
JabbaII

macrumors regular
Original poster
With the emergence of the MacDefender malware, I would like to ask the forum about the security mechanisms in Mac OS.

Does OS X have safeguards against this type of hack?

- A hacker posts a link in some forum, and the user clicks the link to open the site
- The opened site does a drive-by download or pops a dialog box (not a pop-up window)
- Mac OS auto-opens the downloaded dmg by default
- The opened application has the same exact look and feel as Flash (so the user does not distinguish)
- A "fake" password prompt dialog box comes up
- When you enter the password to install, the malware sends the password out to the hacker
- The malware finally hides itself in your system after establishing a connection with the hacker
 
It reads suspiciously like you are asking for help in developing a MacOS X trojan.

To your first question, however, the answer is "Yes." MacOS X has had malware defense for some time. However, MacDefender is its first real test. MacOS X's detection signatures are updated daily.
 
Not quite.

The usual comment in the forums for malware was: "you should not install suspicious software".

It is not rocket science to figure out it is easier to fool the user if the application looks exactly the same as the legit one.

There have been numerous examples (software and non-software), and each one gets closer to the real stuff. We don't need Mac OS malware updates, we need a security structure that makes it impossible.
e.g.:
- the fake Adobe email offering discounts
- MacDefender (later versions would just auto-launch)
(on a side note)
- I don't remember if this was true, but fake physical ATMs


What I would like to understand is whether Mac OS has protection against these.

i.e. are there protected parts of the kernel / architecture that do not allow hackers to create an application mimicking Mac OS prompts?

One recent example is that I received an update notification (dialog box) from Adobe as I booted up my Mac. How do I know if I can trust my own Mac, if you know what I mean? (Do I enter my password to allow the update or not?)

What happens if there is someone who can clone that process? ... scary

One way is to have a digital signature confirming the source of the application before I press to proceed.
(I am not familiar with Windows, but I believe it has something like that.)

The other mechanism I can think of is to disable drive-by downloads. (Is there a way in Safari?)
 
OS X has few safeguards against malware. As you posted, the only sure protection is not to install it. Apple does release security fixes like the one for MacDefender, but they're usually a little late to release, and the malware authors have already got around those fixes.
 
Does OS X have safeguards against this type of hack?

- A hacker posts a link in some forum, and the user clicks the link to open the site
Yes, the safeguard is a reasonably informed and prudent user. The first mistake here is that the user clicks the link posted by a hacker.
- The opened site does a drive-by download or pops a dialog box (not a pop-up window)
Again, if the user is reasonably cautious, they would immediately delete any file that they didn't intentionally download.
- The opened application has the same exact look and feel as Flash (so the user does not distinguish)
- A "fake" password prompt dialog box comes up
If the user is surfing, they're not expecting an application to launch or a password dialog box to pop up. The fact that it does should be a warning. It doesn't matter if the app is disguised to look like MS Word or iTunes or iPhoto... if I didn't intentionally launch such an app, I would be suspicious that it launched on its own. I certainly wouldn't respond to the app, but would kill it in Activity Monitor.
- When you enter the password to install, the malware sends the password out to the hacker
- The malware finally hides itself in your system after establishing a connection with the hacker
Again, why would any informed and careful user enter their admin password for an app that they didn't launch? There's no protection on any OS against user stupidity or carelessness.
The usual comment in the forums for malware was: "you should not install suspicious software".
That includes software that you didn't intentionally download and software that you didn't get from a reputable, trusted site.
It is not rocket science to figure out it is easier to fool the user if the application looks exactly the same as the legit one.
It doesn't matter if it looks the same. You're not going to get that malware-infected app in the Mac App Store or on CNET or other reputable sites. If I'm surfing and not expecting to install software of any kind, and an app installation dialog pops up, something is wrong! It doesn't matter if the app looks perfectly legit. The fact remains, I had no intention to install MacDefender or Office for Mac or Final Cut Pro, etc. So why on earth would I proceed with such an installation?
- the fake Adobe email offering discounts
- MacDefender (later versions would just auto-launch)
It would auto-launch, but not auto-install. Such phishing attempts are numerous and easily thwarted by a careful user. No OS has protection against the user deciding to install something that they shouldn't or offering their personal information on a website that they shouldn't.
i.e. are there protected parts of the kernel / architecture that do not allow hackers to create an application mimicking Mac OS prompts?
No, because any app (even legit apps) can create a prompt, formatted any way the developer chooses. A prompt is not a sign of malware.
One recent example is that I received an update notification (dialog box) from Adobe as I booted up my Mac. How do I know if I can trust my own Mac, if you know what I mean? (Do I enter my password to allow the update or not?)
If you have Adobe installed on your Mac and you have auto-updates turned on, then such a prompt is expected and safe. If, however, you don't have any Adobe products installed on your Mac and you get a prompt to update Adobe, you should immediately suspect something is amiss. If you're careful what you install on your Mac, you don't need to fear its normal operation, including normal prompts for your password. However, you should always ask yourself, "What app is asking for my password, and why?" If you can answer that to your satisfaction, proceed. If not, don't enter it, even if you have to take a screen capture and post it here, asking what it's for.
The other mechanism I can think of is to disable drive-by downloads. (Is there a way in Safari?)
At this point, there isn't, but it's a simple process to delete anything that downloads that you didn't initiate.
 