
Apple Quietly Goes After Mac Trojan With Update

Posted by kdawson
from the nothing-to-see-here dept.
Th'Inquisitor was one of several readers to point out coverage of Apple's stealth security fix, included along with the recent Snow Leopard 10.6.4 update. Graham Cluley of Sophos first noticed the update to protect Mac computers from a Trojan, and the fact that Apple didn't mention it in the release notes. The change is a new entry in XProtect.plist, the file of elementary malware signatures that Mac OS X checks downloaded files against, covering the HellRTS backdoor, which has been circulating disguised as iPhoto. The malware opens a back door on a Mac that can let attackers take control of the machine, snoop around on it, or turn it into a zombie. "You have to wonder," writes Cluley, "whether their keeping quiet about an anti-malware security update like this was for marketing reasons." While he certainly has a point that Apple benefits from its users' belief that the platform is secure, you also have to wonder whether publicity like this from a security company has a marketing subtext as well.
  • by Anonymous Coward on Saturday June 19, 2010 @04:55PM (#32627576)

    Can you read?

  • by Anonymous Coward on Saturday June 19, 2010 @05:00PM (#32627622)

    OSX is based on UNIX (and is a certified UNIX OS)
    Linux is Not UNIX and although compatible is quite different to OSX

  • by grapes911 (646574) on Saturday June 19, 2010 @05:05PM (#32627640)
    trojan != virus
  • by topham (32406) on Saturday June 19, 2010 @05:05PM (#32627646) Homepage

    Trojans aren't viruses.

    Please list off all the viruses that will run on Snow Leopard.

  • by OrwellianLurker (1739950) on Saturday June 19, 2010 @05:07PM (#32627660)
    Apparently the mods cannot read either.
  • by Anonymous Coward on Saturday June 19, 2010 @05:09PM (#32627670)

    Why is the information publicly available? Why would most generic Mac users care to seek it on their own? Should Apple shove it in their face?

    If you RTFA you will see that it is only publicly available thanks to security software maker Sophos, who dissected the update and found the code. This is not coming from Apple in any way, as you seem to imply; they won't even confirm or comment on it.

    From TFA:

    Sophos senior technology consultant Graham Cluley, in a Friday blog post, asserts that Apple quietly patched the Mac's malware protection to thwart a backdoor Trojan horse that could allow hackers to control an iMac or MacBook remotely. Apple's OS X 10.6.4 upgrade secretly patched XProtect.plist, a file that contains "elementary signatures of a handful of Mac threats - to detect what they call HellRTS," Cluley writes. Malicious hackers have been disguising HellRTS as iPhoto, the Mac's photo-editing program.
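
The quoted paragraph describes the mechanism in one line: 10.6.4 added an entry to XProtect.plist, a list of elementary byte-pattern signatures. The following is an added example (not Apple's code, not Sophos's, and not from the article) showing how a practitioner can do what Cluley did: fingerprint the file before and after an update, diff the threat names it lists, and run a file body against the patterns. The path of the real file on Snow Leopard is as given; the key layout (Description / LaunchServices / Matches / Pattern) is an assumption that mirrors the general shape of that file, and the threat names, UTIs and hex patterns in the samples are constructed placeholders, not real signatures.

```python
"""Inspect an XProtect.plist-style signature list: what an update added,
and whether a file body contains the byte patterns it lists.
Added example; key names are an assumption, samples are constructed."""
import hashlib
import os
import plistlib

# Location of the real file on Mac OS X 10.6 (path known; contents below are stand-ins).
XPROTECT_PATH = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.plist")


def make_xprotect(entries):
    """Serialise (description, LaunchServices UTI, [hex patterns]) tuples as an
    XProtect-style plist. Key names follow the general layout of the real file;
    treat them as an assumption, not a specification."""
    array = []
    for desc, uti, hex_patterns in entries:
        array.append({
            "Description": desc,
            "LaunchServices": {"LSItemContentType": uti},
            "Matches": [
                {"MatchFile": {"NSURLTypeIdentifierKey": "public.unix-executable"},
                 "MatchType": "Match",
                 "Pattern": hp}
                for hp in hex_patterns
            ],
        })
    return plistlib.dumps(array)


# Constructed samples: a pre-update list with one made-up threat, and a
# post-update list that quietly gains a second one. The patterns are the
# ASCII strings EXAMPLE-MARKER-1 / EXAMPLE-MARKER-2, not real signatures.
SAMPLE_BEFORE = make_xprotect([
    ("OSX.Example.A", "com.apple.application-bundle",
     ["4558414D504C452D4D41524B45522D31"]),
])
SAMPLE_AFTER = make_xprotect([
    ("OSX.Example.A", "com.apple.application-bundle",
     ["4558414D504C452D4D41524B45522D31"]),
    ("OSX.Example.B", "com.apple.installer-package",
     ["4558414D504C452D4D41524B45522D32"]),
])


def load_signatures(plist_bytes):
    """Return [(description, uti, [pattern bytes, ...]), ...]."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        uti = entry.get("LaunchServices", {}).get("LSItemContentType")
        patterns = [bytes.fromhex(m["Pattern"])
                    for m in entry.get("Matches", [])
                    if m.get("MatchType") == "Match" and "Pattern" in m]
        sigs.append((entry.get("Description", "?"), uti, patterns))
    return sigs


def signature_names(plist_bytes):
    """Sorted threat names the list knows about."""
    return sorted(desc for desc, _, _ in load_signatures(plist_bytes))


def fingerprint(plist_bytes):
    """SHA-256 of the file: record it before an OS update, compare after."""
    return hashlib.sha256(plist_bytes).hexdigest()


def new_signatures(before_bytes, after_bytes):
    """Threat names an update added without saying so in its release notes."""
    return sorted(set(signature_names(after_bytes)) - set(signature_names(before_bytes)))


def scan_bytes(data, sigs):
    """Descriptions whose patterns all occur in data. A plain substring match,
    which is about the level that "elementary signatures" implies."""
    return [desc for desc, _, patterns in sigs
            if patterns and all(p in data for p in patterns)]


if __name__ == "__main__":
    # On a real Mac, read the installed file; elsewhere fall back to the sample.
    if os.path.exists(XPROTECT_PATH):
        with open(XPROTECT_PATH, "rb") as fh:
            source = fh.read()
    else:
        source = SAMPLE_AFTER
    print(fingerprint(source))
    for name in signature_names(source):
        print(name)
```

Run it once before applying an OS update and once after; a changed fingerprint with new names in the diff is exactly the kind of unannounced change the article is about. Note that a substring signature of this sort is trivially evaded by repacking the Trojan, which is why it only catches the sample that was submitted.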

  • by at_slashdot (674436) on Saturday June 19, 2010 @05:13PM (#32627708)

    I think you don't know what a trojan is. A trojan is a simple program that pretends to be something that it isn't. Any OS is vulnerable to such a program because OSes are designed to, guess what, run programs; no OS is that smart to identify if a program is not doing what it claims to do. (Not getting into details, there are ways to limit the damage and heuristics, but the main idea is that a trojan is a program that the user is running because he/she doesn't know any better.)

    Actually the big part of the problem is running programs from random sites on the internet. Linux, for example, has the advantage that most of the programs come from well-vetted sources, not from random sites that can also be subject to phishing.

  • by v1 (525388) on Saturday June 19, 2010 @05:17PM (#32627754) Homepage Journal

    There's been malware out for mac for well over a year. The big one I run into is a self-decoding shell script that installs a root cronjob to redirect your dns servers. The machines get brought into me because their web browsing has gotten slower, due to the malware dns server the machine is now using being a lot slower than their ISP's.

    I've actually run into ONE example of a mac that was back-door'd, but thought it was an isolated targeted attack. (the victim was "high profile") But maybe it was just an early version of what's discussed in this thread.

    BUT, tossing my hat into the ring as to whether or not Apple should be "hiding" the fix... check out the latest security update from Apple. HUGE list of security patches. (over 40?) All with accreditation to the people that brought the issues to Apple. It's not like they don't have issues, and it's not like they systematically hide them. They just tend to fix them very quickly, and have very few (relatively speaking) to fix in the first place. Apple is well-known to include security updates and fixes in their OS updates, they don't all land in security updates. That's all this one was. It's very likely there were a dozen other security-related fixes made in the 10.6.4 update. This one they just happened to notice. Apple just doesn't usually put a security-fix accreditation readme in with their OS updates. Is that the real issue here I wonder?

  • by logjon (1411219) on Saturday June 19, 2010 @05:17PM (#32627756)
    My Windows box is perfectly safe because I'm not a moron.
  • Part of writing serious malware, the sort that uses shellcodes and relies upon particular calling conventions and memory layouts, is very platform-specific. That kind of thing has to be learned anew for every platform one wants to target, often including different architectures of a given OS.

    Trojans, on the other hand, are literally nothing other than programs that the user doesn't realize he is installing. They may attempt to hide themselves using platform-specific tricks, but at the end of the day, it's a program written like any other. OS X may emphasize Objective-C and de-emphasize its UNIX underpinnings for many things, but at the end of the day it uses a POSIX API very similar to the one found in Linux.

    Hell, I've written software for the POSIX subsystem of NT on x86, and successfully ported it to Linux on ARM, with fewer than one #ifdef per KLOC. I strongly suspect that OS X is a lot closer to Linux than SUA (Microsoft's NT Subsystem for UNIX Applications) is to Linux, yet it wasn't hard at all. It wasn't malware, but if I'd wanted to I could have invisibly slipped it into an installer for some other program and then it would have been a trojan.

  • by Low Ranked Craig (1327799) on Saturday June 19, 2010 @05:21PM (#32627788)
    Trojans for Macs are really no different than on any other OS. It just takes a bit of social engineering or something like that, because a trojan, unlike a virus, requires the user to install it. When you install something on a Mac (and Windows, depending on your settings) you need to type in a password and specifically give permission to do so. Mac trojans and assorted malware have been around for a while. What I'm not aware of are any successful Mac OS viruses in the wild, i.e. a "drive-by" infection: getting infected simply by opening an e-mail or a web page.
  • by Ethanol-fueled (1125189) * on Saturday June 19, 2010 @05:37PM (#32627892) Homepage Journal
    Every pedant in this thread likes to say that trojans are technically different than viruses.

    The kind of person who would buy a mac because they "don't get viruses" would be very pissed after stumbling upon this article and especially this condescending, duplicitous thread.

    People from the Windows world know this - the average user doesn't give a shit about the differences between viruses and trojans. If it makes their AV software blink red, it's bad.
  • by jedidiah (1196) on Saturday June 19, 2010 @05:52PM (#32628022) Homepage

    The kind of user that buys a Mac probably doesn't care about "details".

    A virus is called a virus for a reason. It's called a virus because it
    shares an important characteristic with biological organisms.

    It can replicate itself.

    A Trojan is just a stupid program that doesn't do what it says.

    Similarly, a Trojan is called that for a reason. You have to go outside
    the city walls and drag it back inside your perimeter before it does you
    any damage.

    Yes, these little "details" like words and terms that have actual specific meaning are important.

  • by Graff (532189) on Saturday June 19, 2010 @06:22PM (#32628238)

    Only problem being, by that definition, Windows nowadays doesn't have viruses either. They just have spyware, adware, and trojans.

    Oh really? You mean these aren't viruses?

    These all fit the definition of a virus and there are tons more in the McAfee Threat Center.

  • by Bungie (192858) on Saturday June 19, 2010 @06:55PM (#32628434)

    Can anyone explain why there is a significant difference between virus and malware,

    A virus attaches its code to programs and spreads itself to others when you run an infected executable on a system. Viruses are pretty much old school and are easy to detect because they modify the code of executables. They also can't infect programs outside of the privilege level of the infected software and also cannot do a lot of crazy things outside of the user's access level. They are pretty much old school and are not very profitable, just destructive or annoying.

    Malware spreads through an exploit vector or social engineering. It installs software and drivers to the system which it attempts to hide through various tricks and obscure OS functionality. Malware can often have a rootkit driver which make them invisible or impossible to remove when booted normally. Malware is designed to make a profit too (like making your machine send spam, logging passwords or other info, popping up ads...).

    The reason for the two different levels of software is because malware initially was difficult for vendors to define. Some software, for example, presents its negative aspects in the EULA and it's assumed to be valid software if you install it. Who's to say that WGA isn't spyware, or any software that reports activities back to a central server? Malware is also hard to detect heuristically and antimalware apps instead rely on lists of file/registry locations and hashes.

    But the two AV programs shouldn't be an issue because they do their blocking and checking at different points. Antivirus needs filter drivers so it can scan files for attached virus code or activity. Antimalware just needs to periodically scan a set of locations and ensure no malware is there. But yeah, most of them can be integrated pretty easily and it makes sense.

  • "man softwareupdate" for info on one way to auto install updates.

    And OS X out of the box has run software update at first boot since 10.0. Yes, a user has to click install now, and they may just ignore it. But it will come back and prompt again later.

  • by Nursie (632944) on Saturday June 19, 2010 @08:29PM (#32628900)

    Golly, other companies have done this before so it must be ok for apple to do it too, and anyone that criticises them must just be a hater. tee hee hee

    You're a tool.

  • Re:iPhoto? (Score:4, Informative)

    by dancingmad (128588) on Saturday June 19, 2010 @08:47PM (#32628990)

    Whatever the current version of iPhoto is comes with your Mac. To upgrade you have to buy the latest version of iLife.

  • by Ash-Fox (726320) on Saturday June 19, 2010 @09:03PM (#32629090)

    I've never seen an update break anything.

    You obviously haven't used many Macs for a long period of time - I can recall numerous events where java updates broke things with a simple scorch game [quickfox.org] on OS X - to the point I had to put stupid warnings on the site. I can recall when my network UPnP was borked by a security update from Apple; I can recall the numerous daemons being broken in various OS X server updates too.

    My anecdotal 'evidence' is based on years of experience over a wide variety and vast amount of Macs.

    I shake my head when I hear the windos admins at the company test a bugfix update.

    Because making sure things don't break is obviously stupid of IT.

    Isn't that what the vendor is supposed to do before sending it out?

    The vendor didn't test the fix in your environment, they tested it in theirs.

  • by 99BottlesOfBeerInMyF (813746) on Saturday June 19, 2010 @09:35PM (#32629266)

    So what are the architectural differences in OSX or Linux that would protect everyone from malware if they were the dominant platforms?

    While the previous poster may be a bit vague on the details, this is not a point without merit. OS X and most desktop Linux variants do, indeed, have some significant security as a result of architectural choices. In other areas Windows has the upper hand, such as how much access control is applied in userland. Services are a good example. Windows tends to have more open services and, because of the proprietary nature of those closed services, more redundant services. A good example is autodetection of local network services. It's a good type of service to exploit and a common target for malware on all platforms. Microsoft implements UPnP and exposes it by default, but by most accounts does not adequately sandbox it. Further, because it is proprietary, all cross-platform software has to either forgo the ability to link up with other versions of their own software running on other platforms, or they have to implement a different service. The upshot is, if you're running Adobe CS suite or any one of many other software packages on Windows, you're running two services (UPnP and Zeroconf) that do the same thing, both of which have to be exposed to hackers and neither of which is as sandboxed as it should be. If you're doing the same on OS X you have only one version (Zeroconf) and it is happily sandboxed, so an attacker has to exploit not only the service, but also break the sandbox somehow... a very difficult task. This is all the result of how Windows handles services in comparison to OS X or Linux. On Windows more are exposed by default, they're easier to exploit, and they are usually proprietary; all of which leads to less security regardless of market share.


  • I've never seen an update break anything.

    iTunes 2.0 erased partitions [xlr8yourmac.com] due to a nasty directory expansion bug. I wasn't bit by this, but I would have been if I downloaded the update right away. Since then, I've been happy to wait 2 weeks for folks like you to be my guinea pig. Please keep posting your reaction to updates, I need to know if it's safe for me to dl! kthxbai.
  • by uglyduckling (103926) on Sunday June 20, 2010 @04:12AM (#32630594) Homepage
    This isn't iPhoto, it's malware disguised as iPhoto; if it were disguised as office2008.dmg would you call it a hole in Microsoft's software? In fact, it's not _any_ kind of security hole. It's practically impossible to prospectively guard against trojans because they're software installed by the user that claims to do one thing but actually does something else. The only real way to do that comprehensively is a closed app-store model, which is the main thing Apple are bashed for on Slashdot.
  • by uglyduckling (103926) on Sunday June 20, 2010 @04:23AM (#32630634) Homepage
    Apple Menu -> System Preferences -> Software Updates -> Uncheck "check for updates" box. BTW, Software Updates are _never_ pushed on OSX, there isn't even an auto install option, unlike Windows.
  • by Tom (822) on Sunday June 20, 2010 @06:38AM (#32631028) Homepage Journal

    Yes, I begin to understand. Mostly, I understand that:

    * the driver mess on windos can cause your system to fail if you upgrade it, because... well, because the library management system is so stupid, there are no proper words to describe it
    * Microsoft is at the same time totally lost and bound in their needs for backwards compatibility and can't move forward because of it, and then on the other hand breaks it with minor updates
    * even if you don't touch the drivers, different hardware can mean your non-driver update breaks. In other words: The hardware abstraction layer doesn't really abstract the hardware

    Yes, I agree installing the update on one machine first, checking if it works, and then installing it everywhere is the right thing to do. That wasn't what I'm talking about. I was talking about week-long testing cycles for a minor OS update. Really, if you have to do that, you should ask yourself if you're using the right OS.

    To use a car analogy: If every time you fill up you get this urge to run a full maintenance cycle, just to make sure nothing broke, something is wrong with either your head or your car.
