
OS X Crimeware Kit Emerges

Posted by Soulskill
from the probably-just-holding-it-wrong dept.
Trailrunner7 writes "Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple's Mac OS X operating system has appeared. The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that's quite similar to the Zeus construction and has the ability to steal forms from Firefox." Mac users are also being targeted by a new piece of scareware called MAC Defender.
  • by Anonymous Coward on Monday May 02, 2011 @06:28PM (#36005206)

    MACDefender requires that you agree to install it. It's not able to infect your Mac without your knowledge and consent.
    AND : Just drop it in the trash bin to get rid of it. Hassle free. Click and drag. That's it.

    BTW: The Kit has not yet proven its functionality and works (if it does) currently only with Firefox.

    Still too early for iHate, schadenfreude or panic.
    There is still no single widespread, dangerous and working malware for OS X out there. Period.

  • by Gohtar (1829140) on Monday May 02, 2011 @06:34PM (#36005260)
    I submit they are more so, since they have a falsely inflated sense of security.
  • Re:Masses reaction (Score:5, Insightful)

    by bmo (77928) on Monday May 02, 2011 @06:39PM (#36005316)

    Nobody with a brain has ever claimed that OSX is impervious. And nobody with a brain has ever claimed that OSX is impervious to PEBCAK.

    What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

    Compare and contrast this to the Windows world where the execute bit is tied to 3 letters in the file name and Windows will duly execute the file as soon as it's double-clicked. Malware in this system goes from machine to machine because Windows assumes that a file is permitted to execute if it whispers the correct shibboleth of "exe, com, scr" or what have you.

    While OSX's advantage of using the Unix model of tossing permissions does not cover warez, the equivalent of purple gorillas on OSX or braindead users, even the small amounts of protection that OSX gives goes a long way in preventing network effects on the spread of malware.

    --
    BMO
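
An added illustration of the point made in this comment (example code written for this page, not from the thread or any project): on a Unix-like system "can this file run?" is a permission bit, not a filename suffix, so a downloaded `cute.jpg.sh` sits inert until someone runs `chmod +x`. The script turns that into a small audit of a downloads folder; the directory layout and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread. Demonstrates that on Unix the
# execute bit, not the name, decides whether a file can run, and audits a
# downloads directory for files that either can run or carry a deceptive
# double extension. All file names used are constructed for this demo.

# is_executable FILE -> succeeds when FILE is a regular file with the execute
# bit set. A browser download normally arrives without this bit, so it cannot
# simply be double-clicked into running.
is_executable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# has_deceptive_name FILE -> succeeds when the name hides an executable-looking
# suffix behind a media-looking one (photo.jpg.exe, video.mp4.sh, ...).
has_deceptive_name() {
    case "$(basename "$1")" in
        *.jpg.exe|*.jpeg.exe|*.png.exe|*.mp4.exe|*.jpg.scr|*.png.scr) return 0 ;;
        *.jpg.sh|*.jpeg.sh|*.png.sh|*.mp4.sh)                          return 0 ;;
        *)                                                              return 1 ;;
    esac
}

# audit_downloads DIR -> prints one line per suspicious regular file:
#   "EXEC <path>"  the execute bit is set (unpacked from an archive or chmod +x'd)
#   "NAME <path>"  the name looks like the "jpg.exe" trick, even though the file
#                  cannot run yet without the execute bit
audit_downloads() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_executable "$f"; then
            echo "EXEC $f"
        elif has_deceptive_name "$f"; then
            echo "NAME $f"
        fi
    done
}
```

Run it as `audit_downloads ~/Downloads` (the EXEC lines are the ones worth a second look, since a fresh download should never have the bit set).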

  • by Skuld-Chan (302449) on Monday May 02, 2011 @06:45PM (#36005376)

    You're assuming they get this malware from installing an app - more likely they get this while browsing the net.

    Anyhow, who's too stupid not to know how apps work or are installed won't know not to click on a dialogue that pops up while doing something: "you need to update your mac - click here!".

  • by jo_ham (604554) on Monday May 02, 2011 @06:47PM (#36005398)

    Well, the answer will be "yes" - if you are stupid (which is harsh - let's say uninformed) enough to be fooled by the sorts of things that malware gets up to (like "click here for a free system check!" or "check it out, so sexy!!! - natalie-portmans-hot-grits.jpg.exe" then the penetration rate per-platform is going to be broadly similar. You're going to have a portion of your userbase who are susceptible to this, along with another portion who set blanket passwords for all of their activities and set it to "password1".

    Windows has the problem that not only does it have to contend with this user problem (which is common to both platforms [win and OS X], and less common on Linux/non-Mac-BSD), but it has also faced the "swiss cheese operating system" problem that they have been trying to fix since malware first came about. OS X at least has the benefit of starting from a better platform (BSD core) than Windows' legacy issues. That's not to say it's immune to threats - the fact that there are security updates for OS X disproves that.

    I'm surprised that there hasn't been a more high profile virus or malware outbreak on OS X before now, since even with the smaller marketshare (1 in 5 new computers sold in the US is a Mac, but total install base is still nearer 10%), the "kudos" for "sticking their nose in it" is high.

  • Re:Masses reaction (Score:2, Insightful)

    by mysidia (191772) * on Monday May 02, 2011 @06:53PM (#36005458)

    Not to worry, my faithful, mandatory binary signing will be here soon enough.

    Yes, worry. The "malware" binary will be validly signed; and in some way, not technically malware -- the malware will be part of the unsigned data payload loaded by the benign binary. The benign binary will be something like /usr/bin/python, and may be shipped with the OS itself... (how much higher a level of trust can you get for a binary?)

  • Re:Masses reaction (Score:1, Insightful)

    by mysidia (191772) * on Monday May 02, 2011 @06:56PM (#36005494)

    What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

    Or you can just distribute through a .dmg with a script that executes as soon as the user mounts the .dmg file by downloading it in Safari, or double clicking it in Firefox. The scripted portion runs as soon as the .dmg is mounted, so the malware can be deployed without further user intervention.

    By the way, downloading a .dmg file, mounting, and copying its contents to /Applications is the de-facto standard practice for software deployment on MacOS.

  • Re:Masses reaction (Score:5, Insightful)

    by cybermage (112274) on Monday May 02, 2011 @07:34PM (#36005878)

    Of course, Faust's deal with the devil was signed too.

  • Re:Masses reaction (Score:5, Insightful)

    by hairyfeet (841228) on Monday May 02, 2011 @08:46PM (#36006414)

    Actually, and I'll probably get flamed for saying this, you'd be surprised how many have bought the "you just can't infect a Mac!" meme. I got called into an SMB a few years back, where the guy instead of listening to me and paying me to set up a sensible top to bottom least permission approach bought into the "can't infect a Mac!" meme and then was shocked! shocked I tell you, when he found out he got pwned thanks to one of his kids wanting to watch a naughty video and getting the DNS changer bug.

    You see the problem is something we that have been in the trenches for quite a while (I started with Win 3.x, what was that? 20 years ago?) sadly run into far too often; it is what I like to call "magical thinking". It is the "If I use product X I won't have to change my habits or anything, and I'll be unhackable" bullshit. Hell, I remember when firewall resellers were pushing the "if you have a firewall you are invisible and untouchable!" and it was bullshit then and it is bullshit now.

    NEWS FLASH... ALL OSes can be hacked, full stop. ALL OSes are extremely complex pieces of code, with interactions on top of interactions with third party code thrown in the mix just for shits and giggles. There is NO perfectly unhackable OS and if there was one that person could hire Bill Gates to shine his shoes. The last real legitimate gripe about Windows, the brain dead "hey let's run everyone as admin!", finally died hard with Vista, so frankly all OSes are on about the same footing; as in TFA it all comes down to what the malware writer thinks is profitable.

    Think OSX is immune? Read TFA. Think Linux can't be pwned? Look at the Android malware or the KDE screensaver malware that spread a while back or even this handy how to guide [geekzone.co.nz] on writing Linux malware.

    The ONLY solution is a top to bottom least permissions approach, not magical thinking. Least permissions and users not being so brain dead they actively help the malware writer [msdn.com] is the ONLY solution.

    As a final note let me give a recent example. I set up a box, had it locked down nicely, required password for admin, least permissions, yet it got pwned in under 45 days. Did I miss something? Nope, the user decided he just had to have Limewire, even though I told him not to, so he disabled the antivirus because it wouldn't in his words "shut up" and then promptly gave permissions to Limewire to do whatever it wanted. And boy did it, 60+ pieces of malware.

    So in the end it doesn't matter what the OS, it doesn't matter what kind of permissions model you set up, if you have someone with admin rights that says "I want my emails from Melissa [wikipedia.org] and you WILL let me have them!" then no matter what OS, you're screwed. An OS is only as good as the PEBKAC sitting in front of it.

  • by mysidia (191772) * on Monday May 02, 2011 @10:01PM (#36006830)

    You can? I don't think DMGs have anything like windows Autoplay, there's no ability to automatically run a script.

    The DMG flag is called internet-enable.

    When the file is mounted MacOS will automatically copy the files to the desktop, and execute the installer inside the DMG.

  • Re:Masses reaction (Score:2, Insightful)

    by Anonymous Coward on Tuesday May 03, 2011 @03:57AM (#36008004)

    Interestingly, does this count as the 44th malware threat on OS X (based on a cited post from the AV thread yesterday that said there are 43 threats over the life of OS X)?

    43 confirmed viruses for OSX. Virus is only one VERY specific type of malware, and in fact viruses are seldom seen on any platform these days.

    When was the last time Apple actually claimed to be immune or secure from viruses? They don't. They make vague claims of being "more secure", and run ads which seem to imply they don't get infections although they don't actually ever say it. Instead, they just make vague comments about how "vulnerable" the "PC's" are (as if a Mac isn't a personal computer or something), and then let their hordes of rabid fanboys run around shouting about how Macs are immune to blah blah blah.

    Go ask the guys who keep hacking Macs at the annual pwn2own contest how safe those boxes are. They'll laugh at you.
