Let's see how much press this gets vs. "HummingBad" malware that's infected millions of Android handsets.

It's been getting a bunch of press. That being said, it's irrelevant to this thread except to just take a shot at Android. Clearly this issue is much smaller in scope unless you count the ones infected and the scary possibilities that can arise from access.
 
Sooooo... don't download stuff that isn't from the App Store. Check and check.

The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unknown apps from unidentified developers is almost always a security risk.

Downloading apps from outside Apple's App Store is fine, provided you're downloading directly from well known, trusted developers. Less computer savvy users may be better off sticking with the App Store, but that should not be considered a general requirement for keeping a Mac secure.
 
Sooooo... don't download Firefox, LibreOffice, or any other open-source applications that aren't allowed on the MAS for licensing reasons?

LibreOffice can be downloaded from the MAS.
This article is confusing: does it affect macOS or OS X?

MR has apparently decided to call OS X macOS even before Apple releases a version with this new name.
 
We're supposed to delegate the trusting to Apple's developer signing. Problem is there are so many perfectly legitimate apps that aren't signed. I used to have Gatekeeper enabled, but it was causing way too many problems with legitimate and unsigned software. So now, I just have to trust people, as you said.

You always need to trust people, because they are people too at Apple or anywhere else.

What Apple could do is to enable a sandboxed mode for unsigned apps, unless the user specifies the contrary.
 
That's my point.
Assume responsibility and educate yourself.
Know about your options. Better than this spoon-feeding Apple tries to instill and their going out of their way to make things harder for those who know a thing or two.

There are so many dumb and ignorant Mac users out there, who will just click on anything that comes up.
Obviously the Apple approach to protect users from themselves has been working just fine for them.

The inconveniences for pro-users are minute compared to the bad press Apple would get if they opened up that protection.

Even I, as a user since 1984, fell for a FLASH update a few months ago from a safe site, which I order from all the time, which installed adware. I did get suspicious when it was asking for "4Jw (or so) wants to make changes" and wouldn't let it happen.

I use VPN to be able to see movies from Germany or streaming German TV, which otherwise are not accessible.

Since then, when I get that FLASH notice I quit my browser(s) and go to Adobe for the latest download of Flash and ignore every other pop up.
Same for links in e-mails. Read e-mail, quit and go to that website directly.

Again, yes, people should educate themselves, but they don't.

Whining when it's too late and blaming Apple is just easier!
 
Sooooo... don't download stuff that isn't from the App Store. Check and check.

Uh oh, this will stir up the 30% crowd. MAS is a good measure as applications there are less likely to cause harm. I think general awareness and due diligence is more important overall though. Signed applications from trusted developers outside of MAS are certainly fine in my book. I also run a few unsigned apps when I feel highly confident about the group behind them. Grabbing a completely unknown product from MacUpdate is just asking for trouble. The people doing so must have done zero research given that the tool doesn't even accomplish its stated purpose.

tl;dr be intelligent about what you install regardless of system.
 
Another benefit is that the dev gets all the revenue versus Apple getting a cut.

What does Apple do with their "cut?" Pay for the server that stores a copy of the program, look through the program to make sure it doesn't contain malware, process the payment, provide access to a captive audience...

Why, when people mention this, do they make it sound like the mob "protecting" your business?
At this point I really think Apple is making more money than they deserve

How did you determine how much money someone deserves?
 
Does the software request/require an administrator password, to install the nefarious startup script?

If not, that is quite scary.
If so, never give your admin password to unknown software unless you know exactly what it's doing. Giving it your password is giving it a license to set up and/or do anything it wants with your system.
 
MacUpdate being used to distribute malware yet again... People need to stick with the App Store. I think at this point we should assume anything downloaded from MacUpdate probably has malware of some sort.

The fact that MacUpdate sends you their updater app, NOT the file you asked for, killed MacUpdate for me.
ANY system that does this is a malware site and can no longer be trusted.

If you are forced to use MacUpdate, ALWAYS click the link to download from the developer's site so MacUpdate cannot try to install their software.
 
There are so many dumb and ignorant Mac users out there, who will just click on anything that comes up.
Obviously the Apple approach to protect users from themselves has been working just fine for them.

The inconveniences for pro-users are minute compared to the bad press Apple would get if they opened up that protection.

Even I, as a user since 1984, fell for a FLASH update a few months ago from a safe site, which I order from all the time, which installed adware. I did get suspicious when it was asking for "4Jw (or so) wants to make changes" and wouldn't let it happen.

I use VPN to be able to see movies from Germany or streaming German TV, which otherwise are not accessible.

Since then, when I get that FLASH notice I quit my browser(s) and go to Adobe for the latest download of Flash and ignore every other pop up.
Same for links in e-mails. Read e-mail, quit and go to that website directly.

Again, yes, people should educate themselves, but they don't.

Whining when it's too late and blaming Apple is just easier!
True, but Apple used to strike a great balance with how OS X had been.
They are slowly getting into monkey territory.

The less mundane and less crucial tasks you leave to a user, the less they will experience the need to act PROACTIVELY and cautiously.

Meanwhile Apple tries to raise a generation of coders, akin to Facebook, Google and Microsoft who all try to push kids into coding, no matter their later career and I think that's great.
I wish that was their more general stance towards tech literacy.

Again: I'm not saying open all gates with a flick of a switch, but macOS and ESPECIALLY iOS need to stay/become (more) open to the savvy user.
Also, please don't overthrow UNIX/POSIX standards replacing them with your own ones when the benefit is marginal...
I know cron is still a thing on macOS, but oh well...

Unless they have a bigger plan for all of this and things will eventually fall into place nicely.
Could be, still would love to keep the POSIX compatibility, it's one of the nicest things about macOS.

What does Apple do with their "cut?" Pay for the server that stores a copy of the program, look through the program to make sure it doesn't contain malware, process the payment, provide access to a captive audience...

Why, when people mention this, do they make it sound like the mob "protecting" your business?
How did you determine how much money someone deserves?
It's personal judgement that I don't expect anyone to adopt, so it's really just for my personal sake.

 
Some routers (including AirPort) support a standard protocol for setting up temporary port mappings from a PC without authentication. Also, if there's a server they can connect to, they don't even need that. I'm guessing it connects to servers in the Tor network.

yes.

HIGHLY recommended that the first thing anyone does when they get a new router is go into the configuration and disable the router's UPnP capability.

UPnP, which allows the router to dynamically / smartly forward ports to media devices, has regularly been used as a point of attack and abused by botnets and DDoS attacks, and can be used to maliciously take control over your network-attached PCs.

The best, albeit not the most user-friendly, setup is to lock down all ports inbound, and only manually set up your own port forwarding rules if you require access to internal network resources from the internet.
Uh oh, this will stir up the 30% crowd. MAS is a good measure as applications there are less likely to cause harm. I think general awareness and due diligence is more important overall though. Signed applications from trusted developers outside of MAS are certainly fine in my book. I also run a few unsigned apps when I feel highly confident about the group behind them. Grabbing a completely unknown product from MacUpdate is just asking for trouble. The people doing so must have done zero research given that the tool doesn't even accomplish its stated purpose.

tl;dr be intelligent about what you install regardless of system.

nahhh, won't stir up us 30%ers! (not really one but felt like playing along)

MAS, while following the 30%, doesn't force developers to use it, so it's not really even a comparable thing and bringing it up really is a red herring.

On that note: yes, a curated application service like the Apple Store should be safer. It usually is. But it's not 100%, and unfortunately on OS X the MAS is woefully lacking in many of the programs a lot of people use. But it's a good place for the tech illiterate to go.
True, but Apple used to strike a great balance with how OS X had been.
They are slowly getting into monkey territory.

The less mundane and less crucial tasks you leave to a user, the less they will experience the need to act PROACTIVELY and cautiously.

Meanwhile Apple tries to raise a generation of coders, akin to Facebook, Google and Microsoft who all try to push kids into coding, no matter their later career and I think that's great.
I wish that was their more general stance towards tech literacy.

Again: I'm not saying open all gates with a flick of a switch, but macOS and ESPECIALLY iOS need to stay/become (more) open to the savvy user.
Also, please don't overthrow UNIX/POSIX standards replacing them with your own ones when the benefit is marginal...
I know cron is still a thing on macOS, but oh well...

This was bound to need to happen as Apple's popularity increased over the years.

When they were a whopping 2% of the world's computer users, the risk was much lower. The users who were there knew what they were getting into, and knew the systems well enough. Plus being so obscure in the world meant that there really wasn't anything to gain by targeting 2% of the user base. Apple could keep the OS extremely locked down because the scope of what people were doing on Macs at the time was sufficiently smaller and different than Microsoft and even Apple today.

Fast forward to now, where Apple is no longer 2% but roughly 10-15%. (I think OS X usage is still < 10%, but the whole industry has grown since Apple was the 2%.) This is now not just a few million but dozens of millions. It's suddenly a larger target that starts to look attractive to attackers.

Couple this with those new millions of users, who have a far larger scope of usage patterns, and Apple really doesn't have a choice but to start opening up the APIs and platform, or risk there being insufficient development to keep the grown user base.

This is something Microsoft dealt with for years. As you have billions of users, you have to allow those billions of users enough applications and programs that have capability and access to APIs and other OS-level resources. Thus, further exposing OS X (macOS) to becoming a target.

AND THEN you have to factor in that many of those users, who used to buy PCs, are also now buying Macs. Buying a Mac didn't suddenly teach them about computers and make them smart. They still have the same bad behaviours as before. And fundamentally, if a user is the weakest link in the security chain, there's little you can do to prevent them from causing harm. It won't matter if they're on Windows or OS X; a stupid user who clicks stupid things will still be a stupid user who clicks stupid things.
 
Please note this IS NOT an Apple App Store versus developer direct sale issue. There is no reason why a developer can't distribute a signed "Gatekeeper" aware and compatible app. For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. No problem! Easy!

Any developer not doing this is, in my mind, irresponsible, and doing their users a disservice by getting them to bypass as a norm rather than the exception. Reducing security for all.

Oh... and those here taking Apple to task for App Store rules or cut of revenue are missing the mark and would be better served contacting the developers of any non-signed apps they use and demanding they support Gatekeeper unless required to bypass, as some OS-level background utilities do. These should be considered rare exceptions.

BTW: Perhaps to encourage this, the current macOS beta no longer has a UI option to allow non-signed apps to run. You can re-enable this through the command line, but chances are if you can't do that you don't know enough to bypass either.

If I may be so bold.
 
When you open the app, does it ask for administrator password?

Seems like a well designed malware.
You have to enter the password to install any app on a Mac. So the only way nearly all malware gets into a Mac is through fake software that the user willingly installs.

Internet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

Which Macs are affected?

MacUpdate listed EasyDoc Converter's system requirements as Intel-based Macs running OS X 10.6 (Snow Leopard) or later. OS X Snow Leopard is compatible with Macs that have at least 1 GB of RAM and 5GB of free disk space.

Backdoor.MAC.Eleanor is thereby capable of infecting mid 2007 or newer MacBook models, all MacBook Air and MacBook Pro models, mid 2007 or newer Mac mini and iMac models, and all Mac Pro models.

Minor correction: Snow Leopard can run on any Intel Mac released in "early 2011" or earlier. Snow Leopard is the *last* OS that can run on the first generation of 32-bit-only Intel Macs. My ordered-the-day-of-the-Intel-switch 2006 MacBook Pro is happily running Snow Leopard to this day.

Therefore, this can impact *ANY* Intel Mac, running Snow Leopard or later.
 
You have to enter the password to install any app on a Mac. So the only way nearly all malware gets into a Mac is through fake software that the user willingly installs.

That is definitely not true. If you are installing an app just for the current user and that app only accesses files in your home folder then it absolutely does not need to ask for a password to install. If you see a Mac app asking for your admin password then you should definitely pause and think about if you really trust that app, because obviously once you type that password it has a ton more privileges.
 
nahhh, won't stir up us 30%ers! (not really one but felt like playing along)

MAS, while following the 30%, doesn't force developers to use it, so it's not really even a comparable thing and bringing it up really is a red herring.

On that note: yes, a curated application service like the Apple Store should be safer. It usually is. But it's not 100%, and unfortunately on OS X the MAS is woefully lacking in many of the programs a lot of people use. But it's a good place for the tech illiterate to go.

Yep, I like the convenience of it and use it when an application is available there, but a lot of what I use regularly is not on MAS, so I download direct from those developers' sites. Occasionally I even get something that isn't signed and have to go into settings to allow it. That's very rare for me though, and I'm quite careful to vet those programs first.

As someone fairly comfortable with computing I like MAS as a method of discovery for small utility apps too. For something like Parallels, the Omni products, or Sublime Text I know what I want, as they are obvious market leaders with a great following. If I want an app to track deliveries or uncompress files though, it's very convenient to discover and read reviews and comments right in MAS rather than investing a lot of time for a simple utility; and again the vetting process provides a bit of a safety net with something small like that (not infallible, but better than relying on a small dev with a minor utility app outside of MAS). I also like the centralized updates of the MAS (and have always loathed applications that have their own perpetual update service; I'm looking at you, Flash, even though I've stripped you from my system forever).

edit: and then there's Quicken, which as terrible as it is doesn't have any real competition with direct access to the financial service companies' data (without putting my credentials online) so I purposely buy via MAS just to cut into Intuit's take.
 
How can one be 100% sure about what exactly the software will do, before even having used it? The best thing to do is research, read about it, ask people, but that's never foolproof. If I need to convert some weird file to some other weird file format and all I can find is one little-known app online, then chances are I kind of have to try it out if I don't want to give up on whatever I'm trying to get done. It's risky but the risk can't really be avoided, unless we just refuse to do anything that we're not 100% sure about, which can be anything.

The problem is that Gatekeeper is supposed to fix this, except it blocks totally legitimate apps such as VLC, Firefox, and hundreds of other useful apps that are trusted, clean, and necessary if you happen to need them (I can't imagine using a computer without VLC on it, for example). So a system like Gatekeeper that gives so many false positives is not a system that can be trusted, so it's just a useless nuisance, just like its Windows counterpart that pops up with a scary message every time you double-click something.

Basically Gatekeeper and the similar warnings on Windows should really say: "Warning, anything you do may have any kind of consequences. Not that this message has any idea of whether that's likely or not in this particular case. Just so you know, you can't know anything. Good luck!"

It's like getting into your car and hearing "Warning! You could die today!" every single time. It would just be a nuisance, it would be useless and unhelpful.

Maybe a built-in, up-to-date virus scanner in Gatekeeper would actually make it useful. It would only alert you if it finds a virus. Otherwise, it has no clue anyway.
 
You have to enter the password to install any app on a Mac.

That is patently false. There is no such thing as an ‘install’, programs are simply executed. Any executable can be launched by a user, at which point it inherits the same access rights. It is only when that executable needs access to restricted areas or interfaces, that the user has no access to, that a password will be required. User accounts can run code independently and they can do a lot even without ever touching non-user files.

But it must have root privileges to modify kernel files and/or invoke kernel services. After all, it installs as a startup service (with setuid root) -- and that requires root privileges. Those privileges are escalated at the time of install, when the user unwittingly allows the install to take place. Please correct me if I got it wrong.

Where did you read that it modifies kernel files or invokes kernel services? It seems to me that this piece of malware operates completely within the user domain.

Startup services do not require root privileges, this solely depends on the kind of launch service and the target user. Launch agents, which is what this program is using, can be configured by the user themselves and, due to the POSIX scheme, a password is also not required, given that this is an action the current user is authorised to execute. This malware seems to be pretty clever. Once you get access to a user account, you can do quite a bit even without ever entering a password. This access persists across reboots, because of the launch agent. As long as the user never exposes their password, the damage will be contained to what the account can do.

The interesting lesson is perhaps that it pays off to use a standard user account for daily usage instead of an administrator account. I switched to a standard user account a while ago and use my administrator account exclusively for tasks that cannot be achieved by a normal user. You can even install applications in your user directory, so you never need access to /Applications either.
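As an added example (not from this thread or from Bitdefender's report), a small audit script for the per-user persistence the post describes: it parses the plists in ~/Library/LaunchAgents, a folder a user-level installer can write to without any admin password, and flags jobs whose program lives in a hidden home folder or a temporary location, or that run at login and are kept alive. The sample plist, its label and its payload path are constructed for the example; the list of suspicious prefixes is my own choice.

```python
from __future__ import annotations

import os
import plistlib

# Locations a legitimate per-user agent rarely runs from, all writable
# without an admin password (prefix list chosen for this example).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def program_of(agent: dict) -> str | None:
    """Return the executable launchd would run for this job, or None."""
    args = agent.get("ProgramArguments")
    if args:
        return str(args[0])
    return agent.get("Program")


def audit_agent(plist_bytes: bytes, home: str) -> list[str]:
    """Return human-readable findings for one LaunchAgent plist (empty = nothing odd)."""
    agent = plistlib.loads(plist_bytes)
    findings: list[str] = []
    prog = program_of(agent)
    if prog is None:
        return ["no Program/ProgramArguments key (malformed job)"]
    prog = os.path.expanduser(prog)
    home_prefix = home.rstrip("/") + "/"
    # A payload tucked into a dot-directory under the home folder is the
    # classic per-user persistence layout: no /Applications, no password.
    if prog.startswith(home_prefix):
        parts = prog[len(home_prefix):].split("/")
        if any(p.startswith(".") for p in parts):
            findings.append(f"program in hidden home directory: {prog}")
    if prog.startswith(SUSPICIOUS_PREFIXES):
        findings.append(f"program in temporary/shared location: {prog}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("runs at login and is kept alive (restarts if killed)")
    if "/" not in prog:
        findings.append(f"bare command name resolved via PATH: {prog}")
    return findings


def scan_launch_agents(home: str) -> dict[str, list[str]]:
    """Audit every plist in <home>/Library/LaunchAgents; returns {path: findings}."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    report: dict[str, list[str]] = {}
    if not os.path.isdir(agents_dir):
        return report
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        with open(path, "rb") as fh:
            try:
                report[path] = audit_agent(fh.read(), home)
            except plistlib.InvalidFileException:
                report[path] = ["unparseable plist"]
    return report


# Constructed sample: a job of the kind the post describes, with an invented
# label and a payload path in a hidden folder under the user's home.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.hiddenjob</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.hidden/agent.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
```

On a Mac, `scan_launch_agents(os.path.expanduser("~"))` reports every agent in the current user's folder; an empty findings list means nothing unusual, not that the job is safe.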
 
This article is confusing: does it affect macOS or OS X?
Well, it obviously affects OS X El Capitan, but for all we know it probably also runs on macOS Sierra.
How can one be 100% sure about what exactly the software will do, before even having used it? The best thing to do is research, read about it, ask people, but that's never foolproof. If I need to convert some weird file to some other weird file format and all I can find is one little-known app online, then chances are I kind of have to try it out if I don't want to give up on whatever I'm trying to get done. It's risky but the risk can't really be avoided, unless we just refuse to do anything that we're not 100% sure about, which can be anything.

The problem is that Gatekeeper is supposed to fix this, except it blocks totally legitimate apps such as VLC, Firefox, and hundreds of other useful apps that are trusted, clean, and necessary if you happen to need them (I can't imagine using a computer without VLC on it, for example).
Maybe a good rule of thumb is that when you install/run an app that you have never heard of before and Gatekeeper complains, you first go back to the drawing board and look for an alternative app or check for other users recommending the app.

Maybe a built-in, up-to-date virus scanner in Gatekeeper would actually make it useful. It would only alert you if it finds a virus.
XProtect is a built-in, auto-updating malware scanner that is part of OS X.
 
And Malwarebytes is not available in the App Store...
So, on one hand, we are saying downloading apps from outside is not good; but on the other hand, we download this...?
 