OS X Crimeware Kit Emerges

Trailrunner7 writes "Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple's Mac OS X operating system has appeared. The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that's quite similar to the Zeus construction and has the ability to steal forms from Firefox." Mac users are also being targeted by a new piece of scareware called MAC Defender.

Re:Masses reaction

[jo_ham]

Not wanting to go for a cheap "FTFY", I'll just say that the reaction of everyone imitating a Mac user's reaction will be yours.

The rest of us actual Mac users carry on as normal, just like the Linux users.

Interestingly, does this count as the 44th malware threat on OS X (based on a cited post from the AV thread yesterday that said there are 43 threats over the life of OS X), or does it count as more than one, since it's a tool kit. Is a swiss army knife one tool or several? :p

Idiotware?

[Hamsterdan]

Since you have to enter the admin password for it to install, what's different from NT,*NIX and other OSes?

*ANY* OS can and will be compromised if the user sitting at the keyboard grants root access...

We're not talking about malware hidden inside freepr0n.wmv that will install via Windows Media Player or via an ActiveX control, or by itself on a pre-SP2 WinXP...

Re:Can someone tell me how "form stealing" works?

[Lord_Jeremy]

Assuming that this software is actually intended to be running on the "compromised" system (which I find no indication of in either TFA, the article it links to, or google results), then what it does is exploit FireFox to "hijack" cgi webscripts on websites and use them to send spam email. Pretty much it would send data through a web request to a page that's intended to send email (like forum registration perhaps) that would essentially make the email handler crash or open a backdoor and then inject spam email into the form that would get sent by the website's server. It's a clever way of getting around spam filters blocking known spam email carriers - if your spam is being sent from multitudes of legitimate websites that just have poor software security it's much harder to identify and block.

My big question is how this is supposed to get on the target system. To date, the only Mac OS X malware discovered in the wild has been virtually harmless, since it all comes in the form of a trojan. Some not very nice person disguises their malware in a piece of pirated software and upload it to torrent sites or whatnot. Some people download it and get infected because they don't realize the danger of such an occurrence. From what I've read, the security firms typically classify these trojans as extremely low-risk, with something like fewer than 50 confirmed infections. The point is, there are as yet no "drive by" or otherwise spontaneous infections you can get on a Mac. Any bad things that could happen rely on some form of social engineering or deception. The way OSes work, if you can convince an Administrator (of any system) to run something then you generally can do whatever you want. The Mac OS X security model is in many ways stronger than the Windows security model, but it's certainly not infallible. Macs are immune to the type of autorun viruses that are spread by removable media because they don't support automatic execution of programs on removable media (I can't for the life of me understand why the hell anyone would want autorun enabled on their system). On the other hand, the default OS X user/first one created is an Administrator. They aren't a superuser but things like global-scope installers have the permission to use the equivalent of 'sudo' if an Administrator enters their password. It's like UAC on Vista/7 - a large majority of people don't think twice about clicking "Yes" to whatever comes up on their screen (the other day my fiancé unwitting installed a browser toolbar and changed her home page on her PC because she didn't uncheck a few boxes in the installer for some freeware). I'd like to think that by being asked to enter a password a user is more likely to consider what they're authorizing but in most cases, the user is the weakest link.

Re:Masses reaction

[melikamp]

The funny thing about signing binaries, it only helps to authenticate the author and to defend against the random memory corruption. It does nothing at all for defending from things like local and remote exploits, which corrupt the memory intentionally by using bugs already present in the signed binaries.

Re:Masses reaction

[mrnobo1024]

This might have been a good point in 1987, but today most serious malware spreads by exploiting bugs in legitimate software. Why rely on the user to run your evil program manually when buffer overflows and such are so abundant?

Having an "execute bit" doesn't do anything to stop that (unless you mark all your programs non-executable, of course; that'll make sure you're secure ;))

Re:Masses reaction

[errandum]

You miss the point, I think.

Whoever double clicks something to install assuming it is legit will also gladly insert their username/password.

In terms of security windows is actually more robust from a security standpoint than mac os, but it's also targeted a lot more. And I don't mean file permissions, I mean actual design flaws.

You're safer while using a mac, no doubt about it. But the OS with the most security features IS windows.

And if you don't believe me, I'll quote:

"Paul Kocher, president and chief scientist at Cryptography Research: "The fair answer is that with the latest versions of each operating system there isn't a compelling security reason to pick one or the other. It used to be that Apple was doing a better job, but with Windows 7 Microsoft has caught up. There are some differences; Windows has a better security ecosystem. On the other hand, Apple tends to have more expensive hardware and has a smaller market share, so it attracts fewer malware writers. Both have security bugs. Both need patches. Both can be broken if someone finds a zero-day exploit."

or

"Charlie Miller, a principal analyst at consultancy Independent Security Evaluators: "Technologically speaking, PCs are a little more secure than Macs. Macs have a larger attack surface out of the box (Flash, Java, support for a million file formats, etc.) and lack some anti-exploitation technologies found in PCs like full ASLR [Address Space Layout Randomization]. This means Macs have more vulnerabilities and it's easier to turn a vulnerability into an exploit on the platform. Despite the fact it is less secure, paradoxically, Macs are actually safer to use for most people. This is because there simply isn't much risk of being exploited or installing malware."

or even

"Rich Mogull, CEO at Securosis: "It depends on which version of Windows we're talking about. Clearly there are major differences between Windows XP and Windows 7. Second is, are we talking about safety versus security? Microsoft has done more in terms of its inherent security features than Apple has in the operating system. All of that said, Microsoft gets attacked a lot more than Apple does. Right now your odds of being infected as a Mac user by malicious software are quite a bit lower than a Windows user, unless you do stupid things, such as download free versions of commercial software. And some of the pornography sites on the Internet, the dark corners of the Internet have stuff that will hurt a Mac."

It's not my opinion. It's the expert's opinion.

Re:Masses reaction

[rsborg]

"Charlie Miller, a principal analyst at consultancy Independent Security Evaluators: "Technologically speaking, PCs are a little more secure than Macs. Macs have a larger attack surface out of the box (Flash, Java, support for a million file formats, etc.) and lack some anti-exploitation technologies found in PCs like full ASLR [Address Space Layout Randomization]...."

Your quote from Mr. Miller is way out of date. Apple now doesn't include Flash or Java by default, and does implement (although weakly) ASLR.

Re:Idiotware?

[joh]

The difference is that only very few Mac apps require an admin password since most are just bundles you throw into your Applications folder (or where you want them to be) without actually "installing" (= spraying files and data all over the system) anything.

Maybe not a really huge difference, but most people are not really used to that and any app running an actual installer is eyed with suspicion.

It would help a lot if apps like Adobe Reader wouldn't needlessly come with such an installer. But then it's very nearly malware anyway.