Apple Quietly Goes After Mac Trojan With Update 321
Th'Inquisitor was one of several readers to point out coverage of Apple's stealth security fix, included along with the recent Snow Leopard 10.6.4 update. Graham Cluley of Sophos first noticed the update to protect Mac computers from a Trojan, and the fact that Apple didn't mention it in the release notes. The malware opens a back door to a Mac that can allow attackers to gain control of the machine and snoop about on it or turn it into a zombie. "You have to wonder," writes Cluley, "whether their keeping quiet about an anti-malware security update like this was for marketing reasons." While he certainly has a point that Apple benefits by its users' belief that the platform is secure, you also have to wonder whether any such publicity from a security company has a marketing subtext, as well.
Re:Trojan for Mac had to appear some day... (Score:0, Informative)
Can you read?
Re:Trojan for Mac had to appear some day... (Score:1, Informative)
OSX is based on UNIX (and is a certified UNIX OS)
Linux is Not UNIX and although compatible is quite different to OSX
Re:You have to wonder? (Score:5, Informative)
Re:You have to wonder? (Score:1, Informative)
Trojans aren't viruses.
Please list off all the viruses that will run on Snow Leopard.
Re:Trojan for Mac had to appear some day... (Score:2, Informative)
Re:If they're trying to keep it secret (Score:1, Informative)
Why is the information publicly available? Why would most generic Mac users care to seek it on their own? Should Apple shove it in their face?
If you RTFA you will see that it is only publically available thanks to security software maker Sophos, who dissected the update and found the code. This is not coming from Apple in any way, as you seem to imply, they won't even confirm or comment on it.
From TFA:
Sophos senior technology consultant Graham Cluley, in a Friday blog post, asserts that Apple quietly patched the Mac's malware protection to thwart a backdoor Trojan horse that could allow hackers to control an iMac or MacBook remotely. Apple's OS X 10.6.4 upgrade secretly patched XProtect.plist, a file that contains "elementary signatures of a handful of Mac threats - to detect what they call HellRTS," Cluley writes. Malicious hackers have been disguising HellRTS as iPhoto, the Mac's photo-editing program.
Re:Trojan for Mac had to appear some day... (Score:3, Informative)
I think you don't know what a trojan is. A trojan is a simple program that pretends to be something that it isn't. Any OS is vulnerable to such program because OSes are designed to, guess what, run programs, no OS is that smart to identify if a program is not doing what is claiming to do. (not getting into details, there are way to limit the damage and heuristics, but the main idea is that a trojan is a program that the user is running because he/she doesn't know any better).
Actually the big part of the problem is running programs from random sites on the internet, Linux for example has the advantage that most of the programs come from well vetted sources not from random sites that can be also be subject to phishing.
this is anything but new (Score:5, Informative)
There's been malware out for mac for well over a year. The big one I run into is a self-decoding shell script that installs a root cronjob to redirect your dns servers. The machines get brought into me because their web browsing has gotten slower, due to the malware dns server the machine is now using being a lot slower than their ISP's.
I've actually ran into ONE example of a mac that was back-door'd, but thought it was an isolated targeted attack. (the victim was "high profile") But maybe it was just an early version of what's discussed in this thread.
BUT, tossing my hat into the ring as to whether or not Apple should be "hiding" the fix... check out the latest security update from Apple. HUGE list of security patches. (over 40?) All with accreditation to the people that brought the issues to Apple. It's not like they don't have issues, and it's not like they systematically hide them. They just tend to fix them very quickly, and have very few (relatively speaking) to fix in the first place. Apple is well-known to include security updates and fixes in their OS updates, they don't all land in security updates. That's all this one was. It's very likely there were a dozen other security-related fixes made in the 10.6.4 update. This one they just happened to notice. Apple just doesn't usually put a security-fix accreditation readme in with their OS updates. Is that the real issue here I wonder?
Re:Let's get this out of the way, shall we? (Score:1, Informative)
Re:Trojan for Mac had to appear some day... (Score:5, Informative)
Part of writing serious malware, the sort that uses shellcodes and relies upon particular calling conventions and memory layouts, is very platform-specific. That kind of thing has to be learned anew for every platform one wants to target, often including different architectures of a given OS.
Trojans, on the other hand, are literally nothing other than programs that the user doesn't realize he is installing. They may attempt to hide themselves using platform-specific tricks, but at the end of the day, it's a program written like any other. OS X may emphasize Objective-C and de-emphasize its UNIX underpinnings for many things, but at the end of the day it uses a POSIX API very similar to the one found in Linux.
Hell, I've written software for the POSIX subsystem of NT on x86, and successfully ported it to Linux on ARM, with fewer than one #ifdef per KLOC. I strongly suspect that OS X is a lot closer to Linux than SUA (Microsoft's NT Subsystem for UNIX Applications) is to Linux, yet it wasn't hard at all. It wasn't malware, but if I'd wanted to I could have invisibly slipped it into an installer for some other program and then it would have been a trojan.
Re:Trojan for Mac had to appear some day... (Score:5, Informative)
Re:You have to wonder? (Score:2, Informative)
The kind of person who would buy a mac because they "don't get viruses" would be very pissed after stumbling upon this article and especially this condescending, duplicitous thread.
People from the Windows world know this - the average user dosen't give a shit about the differences between viruses and trojans. If it makes their AV software blink red, it's bad.
Re:You have to wonder? (Score:5, Informative)
The kind of user that buys a Mac probably doesn't care about "details".
A virus is called a virus for a reason. It's called a virus because it
shares an important characteristic with biological organisms.
It can replicate itself.
A Trojan is just a stupid program that doesn't do what it says.
Similarly, a Trojan is called that for a reason. You have to go outside
the city walls and drag it back inside your perimeter before it does you
any damage.
Yes, these little "details" like words and terms that have actual specific meaning are important.
Re:You have to wonder? (Score:2, Informative)
Only problem being, by that definition, Windows nowdays doesn't have viruses either. They just have spyware, adware, and trojans.
Oh really? You mean these aren't viruses?
These all fit the definition of a virus and there are tons more in the McAfee Threat Center.
Re:Let's get this out of the way, shall we? (Score:5, Informative)
A virus attaches it's code to programs and spreads itself to others when you run an infected execuable on a system. Viruses are pretty much old school and are easy to detect because they modify the code of executables. They also can't infect programs outside of the priviledge level of the infected software and also cannot do a lot of crazy things outside of the user's access level. They are pretty much old school and are not very profitable, just destructive or annoying.
Malware spreads through an exploit vector or social engineering. It installs software and drivers to the system which it attempts to hide through various tricks and obscure OS functionality. Malware can often have a rootkit driver which make them invisible or impossible to remove when booted normally. Malware is designed to make a profit too (like making your machine send spam, logging passwords or other info, popping up ads...).
The reason for the two different levels of software is because malware initially was difficult for vendors to define. Some software for example, presents it's negative aspects in the EULA and it's assumed to be valid software if you install it. Who's to say that WGA isn't spyware or any software that reports activities back to a central server? Malware is also hard to detect heuristically and antimalware apps instead rely on lists of file/registry locations and hashes.
But the two AV programs shouldn't be an issue because they do their blocking and checking at different points. Antivirus needs filter drivers so it can scan files for attached virus code or activity. Antimalware just needs to periodically scan a set of locations and ensure no malware is there. But yeah, most of them can be integrated pretty easily and it makes sense.
Re:When will we get automatic patching? (Score:5, Informative)
"man softwareupdate" for info on one way to auto install updates.
And OS X out of the box has ran software update at first boot since 10.0. Yes, a user has to click install now, and they may just ignore it. But it will come back and prompt again later.
Re:Let's get this out of the way, shall we? (Score:3, Informative)
Golly, other companies have done this before so it must be ok for apple to do it too, and anyone that criticises them must just be a hater. tee hee hee
You're a tool.
Re:iPhoto? (Score:4, Informative)
Whatever the current version of iPhoto is comes with your Mac. To upgrade you have to buy the latest version of iLife.
Comment removed (Score:5, Informative)
Re:Security as it should be (Score:5, Informative)
So what are the architectural differences in OSX or Linux that would protect everyone from malware if they were the dominant platforms?
While the previous poster may be a bit vague on the details, this is not a point without merit. OS X and most desktop Linux variants do, indeed, have some significant security as a result of architectural choices. In other areas Windows has the upper hand, such as how much access control is applied in userland. Services, are a good example. Windows tends to have more open services and because of the proprietary nature of those closed services, more redundant services. A good example is Autodetection of local network services. It's a good type of service to exploit and a common target for malware on all platforms. Microsoft implements UPnP and exposes it by default, but by most accounts does not adequately sandbox it. Further, because it is proprietary, all cross-platform software has to either forgo the ability to link up with other versions of their own software running on other platforms, or they have to implement a different service. The upshot is, if you're running Adobe CS suite or any one of many other software packages on Windows you're running two services (UPnP and Zeroconf) that do the same thing, both of which have to exposed to hackers and neither of which is as sandboxed as it should be. If you're doing the same on OS X you have only one version (Zeroconf) and it is happily sandboxed so an attacker has to exploit not only the service, but also break the sandbox somehow... a very difficult task. This is all the result of how Windows handles services in comparison to OS X or Linux. On Windows more are exposed by default, they're easier to exploit, and they are usually proprietary; all of which leads to less security regardless of market share.
Re:If they're trying to keep it secret (Score:3, Informative)
I've never seen an update break anything.
iTunes 2.0 erased partitions [xlr8yourmac.com] due to a nasty directory expansion bug. I wasn't bit by this, but I would have been if I downloaded the update right away. Since then, I've been happy to wait 2 weeks for folks like you to be my guinea pig. Please keep posting your reaction to updates, I need to know if it's safe for me to dl! kthxbai.
Re:One does not have to wonder (Score:4, Informative)
Re:Let's get this out of the way, shall we? (Score:3, Informative)
Re:If they're trying to keep it secret (Score:3, Informative)
Yes, I begin to understand. Mostly, I understand that:
* the driver mess on windos can cause your system to fail if you upgrade it, because... well, because the library management system is so stupid, there are no proper words to describe it
* Microsoft is at the same time totally lost and bound in their needs for backwards compatability and can't move forward because of it, and then on the other hand breaks it with minor updates
* even if you don't touch the drivers, different hardware can mean your non-driver update breaks. In other words: The hardware abstraction layer doesn't really abstract the hardware
Yes, I agree installing the update on one machine first, checking if it works, and then installing it everywhere is the right thing to do. That wasn't what I'm talking about. I was talking about week-long testing cycles for a minor OS update. Really, if you have to do that, you should ask yourself if you're using the right OS.
To use a car analogy: If every time you fill up you get this urge to run a full maintainance cycle, just to make sure nothing broke, something is wrong with either your head or your car.