OS X Crimeware Kit Emerges

Trailrunner7 writes "Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple's Mac OS X operating system has appeared. The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that's quite similar to the Zeus construction and has the ability to steal forms from Firefox." Mac users are also being targeted by a new piece of scareware called MAC Defender.
  • by Anonymous Coward on Monday May 02, 2011 @06:28PM (#36005206)

    MACDefender requires that you agree to install it. It's not able to infect your Mac without your knowledge and consent.
    AND: Just drop it in the trash bin to get rid of it. Hassle free. Click and drag. That's it.

    BTW: The kit has not yet proven its functionality and works (if it does) currently only with Firefox.

    Still too early for iHate, schadenfreude or panic.
    There is still no single widespread, dangerous and working malware for OS X out there. Period.

  • by Gohtar ( 1829140 ) on Monday May 02, 2011 @06:34PM (#36005260)
    I submit they are more so, since they have a falsely inflated sense of security.
  • Re:Masses reaction (Score:5, Insightful)

    by bmo ( 77928 ) on Monday May 02, 2011 @06:39PM (#36005316)

    Nobody with a brain has ever claimed that OSX is impervious. And nobody with a brain has ever claimed that OSX is impervious to PEBCAK.

    What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

    Compare and contrast this to the Windows world where the execute bit is tied to 3 letters in the file name and Windows will duly execute the file as soon as it's double-clicked. Malware in this system goes from machine to machine because Windows assumes that a file is permitted to execute if it whispers the correct shibboleth of "exe, com, scr" or what have you.

    While OSX's advantage of using the Unix model of tossing permissions does not cover warez, the equivalent of purple gorillas on OSX, or braindead users, even the small amount of protection that OSX gives goes a long way in preventing network effects on the spread of malware.

    --
    BMO
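The mechanism bmo describes, as an added shell example that is not part of the thread: a plain byte-for-byte transfer (what a browser download does) drops the execute bit, while a container such as a tar archive carries the mode bits with it, which is exactly the "unless you pack the evil in a container" caveat. The sample script and directory names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: contrast a raw transfer with a
# container transfer and report whether the received file is executable.
set -eu

# exec_state FILE -> prints "executable" or "not-executable" for the current user
exec_state() {
    if [ -x "$1" ]; then echo executable; else echo not-executable; fi
}

# Raw transfer: only the bytes arrive, the sender's mode bits do not.
# This is what a browser download or `curl -o` gives you on a Unix-like OS.
transfer_bytes() {
    cat "$1" > "$2"
    exec_state "$2"
}

# Container transfer: tar records the mode bits inside the archive, so the
# extracted file already has +x and runs on a double-click or ./name.
transfer_tar() {
    src=$1; dstdir=$2
    srcdir=$(dirname "$src"); name=$(basename "$src")
    tar -C "$srcdir" -cf "$dstdir/bundle.tar" "$name"
    tar -C "$dstdir" -xf "$dstdir/bundle.tar"
    exec_state "$dstdir/$name"
}

# demo -> "plain:<state> tar:<state>"
demo() {
    work=$(mktemp -d)
    mkdir "$work/src" "$work/dl" "$work/pkg"
    # Constructed, harmless sample "payload" that the sender marked +x.
    # Naming it .exe would change nothing: Unix looks at mode bits, not extensions.
    printf '#!/bin/sh\necho hello\n' > "$work/src/tool.sh"
    chmod 755 "$work/src/tool.sh"
    a=$(transfer_bytes "$work/src/tool.sh" "$work/dl/tool.sh")
    b=$(transfer_tar "$work/src/tool.sh" "$work/pkg")
    rm -rf "$work"
    echo "plain:$a tar:$b"
}
```

Run `demo` to see the two outcomes side by side; a defender who wants downloads to stay inert therefore has to watch archive extraction, not just the download itself.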

  • by Skuld-Chan ( 302449 ) on Monday May 02, 2011 @06:45PM (#36005376)

    You're assuming they get this malware from installing an app - more likely they get this while browsing the net.

    Anyone who's too stupid to know how apps work or are installed won't know not to click on a dialogue that pops up while doing something, saying "you need to update your mac - click here!".

  • by jo_ham ( 604554 ) <joham999@noSpaM.gmail.com> on Monday May 02, 2011 @06:47PM (#36005398)

    Well, the answer will be "yes" - if you are stupid (which is harsh - let's say uninformed) enough to be fooled by the sorts of things that malware gets up to (like "click here for a free system check!" or "check it out, so sexy!!! - natalie-portmans-hot-grits.jpg.exe" then the penetration rate per-platform is going to be broadly similar. You're going to have a portion of your userbase who are susceptible to this, along with another portion who set blanket passwords for all of their activities and set it to "password1".

    Windows has the problem that not only does it have to contend with this user problem (which is common to both platforms [win and OS X], and less common on Linux/non-Mac-BSD), but it has also faced the "Swiss cheese operating system" problem that they have been trying to fix since malware first came about. OS X at least has the benefit of starting from a better platform (BSD core) than Windows' legacy issues. That's not to say it's immune to threats - the fact that there are security updates for OS X disproves that.

    I'm surprised that there hasn't been a more high profile virus or malware outbreak on OS X before now, since even with the smaller marketshare (1 in 5 new computers sold in the US is a Mac, but total install base is still nearer 10%), the "kudos" for "sticking their nose in it" is high.

  • Re:Masses reaction (Score:2, Insightful)

    by mysidia ( 191772 ) * on Monday May 02, 2011 @06:53PM (#36005458)

    Not to worry, my faithful, mandatory binary signing will be here soon enough.

    Yes, worry. The "malware" binary will be validly signed; and in some way, not technically malware -- the malware will be part of the unsigned data payload loaded by the benign binary. The benign binary will be something like /usr/bin/python, and may be shipped with the OS itself... (how much higher a level of trust can you get for a binary?)

  • Re:Masses reaction (Score:1, Insightful)

    by mysidia ( 191772 ) * on Monday May 02, 2011 @06:56PM (#36005494)

    What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

    Or you can just distribute through a .dmg with a script that executes as soon as the user mounts the .dmg file by downloading it in Safari, or double clicking it in Firefox. The scripted portion runs as soon as the .dmg is mounted, so the malware can be deployed without further user intervention.

    By the way, downloading a .dmg file, mounting it, and copying its contents to /Applications is the de facto standard practice for software deployment on MacOS.

  • Re:Masses reaction (Score:5, Insightful)

    by cybermage ( 112274 ) on Monday May 02, 2011 @07:34PM (#36005878) Homepage Journal

    Of course, Faust's deal with the devil was signed too.

  • by mysidia ( 191772 ) * on Monday May 02, 2011 @10:01PM (#36006830)

    You can? I don't think DMGs have anything like windows Autoplay, there's no ability to automatically run a script.

    The DMG flag is called internet-enable.

    When the file is mounted MacOS will automatically copy the files to the desktop, and execute the installer inside the DMG.

  • Re:Masses reaction (Score:2, Insightful)

    by Anonymous Coward on Tuesday May 03, 2011 @03:57AM (#36008004)

    Interestingly, does this count as the 44th malware threat on OS X (based on a cited post from the AV thread yesterday that said there are 43 threats over the life of OS X)

    43 confirmed viruses for OSX. Virus is only one VERY specific type of malware, and in fact viruses are seldom seen on any platform these days.

    When was the last time Apple actually claimed to be immune or secure from viruses? They don't. They make vague claims of being "more secure", and run ads which seem to imply they don't get infections although they don't actually ever say it. Instead, they just make vague comments about how "vulnerable" the "PC's" are (as if a Mac isn't a personal computer or something), and then let their hordes of rabid fanboys run around shouting about how Macs are immune to blah blah blah.

    Go ask the guys who keep hacking Macs at the annual pwn2own contest how safe those boxes are. They'll laugh at you.
