Apple Support Forums Suggest Malware Explosion
dotwhynot writes "According to ZDNet, the volume of in-the-wild malware reports on discussions.apple.com is truly exceptional. With the launch of the first malware DIY kit for OS X earlier this month, and now this, has the malware industry threat finally caught up with the growth of Apple, and what do Mac users need to do?"
Protect users from themselves? (Score:5, Informative)
Is it possible to protect a user from themselves? If a user chooses to install some software and it turns out to be rogue then that's not the fault of the OS, it is the naivety of the user.
If Apple made the installation of non-App Store software on the Mac possible then it would stop a lot of rogue applications. But then people would complain about lack of freedom.
The security model of OS X is fairly proven; Windows struggles due to backward compatibility at times.
Re:If they keep taking 8 months to fix security bu (Score:5, Informative)
This isn't exploiting privileges.
"Your computer has been infected. Please install this program to clean it."
It's social engineering, and you can't protect against that. The installer needs admin rights to install, so people have to enter their password - and they do.
Seriously - how are you supposed to protect against that?
it's a fairly harmless trojan (Score:5, Informative)
I have seen this "malware" in the wild. My elderly mother called me, last week, about this. She reported "something came up on my screen, telling me that my computer is infected and that I should click to remove them". I had her take a screenshot and send it to me:
http://imagebin.org/153902 [imagebin.org]
She is almost as computer illiterate as one could be, but even she had a suspicion that this wasn't legitimate.
Out of curiosity, I went to the URL (which inspects the user-agent, to avoid showing this scareware screen to non-Mac users), clicked "remove all", downloaded/unzipped the file, _manually ran the installer_, and clicked through several install steps.
This is not drive-by malware; it doesn't use an exploit in a vulnerable browser plugin, etc. It's a fairly harmless trojan that is easily removed. A Google search for "remove mac protector" will yield detailed instructions, e.g.:
http://www.bleepingcomputer.com/virus-removal/remove-mac-protector [bleepingcomputer.com]
I have saved the installer, if anyone would like a copy of it for analysis. It contains some remnants of Russian language settings from Xcode, among other interesting tidbits.
I can see why this has happened (Score:5, Informative)
I can see exactly why this has happened. The offending malware is a trojan that is installed via social engineering.
I have seen a couple of hits lately on Google image search, where clicking on one of the images takes you to a remote server where you get the familiar-to-Windows-users "this is your hard drive" trick: the browser shows a reasonable approximation of a Finder window and a "scanning for viruses" progress bar, followed by an inevitable "your computer is at risk! click here to fix the problem!". I assume the link takes you to a site that downloads the "MacProtector" trojan, which is what many people have been complaining about - essentially a simple program with no close button or quit option that nags you to pay for removal software. The website clearly uses browser detection and just serves up the appropriate Windows/OS X version of the con page.
You can kill it using the terminal, or using command+option+escape, or from the Activity Monitor (and it's not sophisticated enough to be able to stop you if you know how to terminate processes, unlike some of the nastier malware on Windows that disables the Task Manager, etc.). I suspect that it's only a matter of time before it gets more difficult to remove.
However, the term "malware explosion" seems very sensationalist - it's *a* piece of malware that has hit a lot of clueless users all of a sudden, who are not used to dealing with this sort of thing due to the generally low level of malware on OS X to date.
Mac OS X users need to be aware of social engineering scams like this and to be careful about what they install (this is not a virus or drive-by install) - it's no different to the trojan that was being distributed in the warez copy of Office for Mac that deleted files etc., just that the delivery method can now target people who are simply browsing Google image search.
As always with security-related stories: no, Mac users don't think our platform is immune to threats. It seems the only people making those sorts of wild claims are the anti-Mac people who crow that it's what they think we would say (wow, awkward sentence). There are no "immune" systems, merely "safer" vs "less safe".
When it comes to trojans though, every OS is equally vulnerable, although this is skewed by the userbase somewhat (for example, far fewer 'normal' computer users on Linux distros who would be taken in by the social engineering). If we assume the Mac and Windows user bases are broadly the same in terms of distribution (i.e., from clueless all the way up to power users) then it is only a matter of time before a "big" trojan comes along for OS X - and here it is.
Calling it a "malware explosion" is just inaccurate though.
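The "kill it using the terminal" route mentioned in the comment above, written out as a small sh script. This is an added example, not code from the thread or from any of its commenters: it assumes the trojan's process is named "MacProtector" (the name used in the thread), that the live process table comes from `ps -axo pid,comm` (macOS/BSD ps, one header line, full path in the comm column), and the helper names are mine. The sample process listing embedded in the script is constructed so the matching logic can be exercised without a live infection.

```shell
#!/bin/sh
# Added example, not code from the thread: find the trojan's process by
# name and terminate it from the terminal. Assumptions: the process is
# named "MacProtector" (the name used in the thread); the live listing
# comes from `ps -axo pid,comm` (macOS/BSD ps, one header line, full
# path in the comm column); helper names are mine.

# Constructed sample listing (NOT real ps output) so the matching logic
# can be exercised without a live infection.
SAMPLE_LISTING='  PID COMM
    1 /sbin/launchd
  412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  913 /Users/demo/Applications/MacProtector.app/Contents/MacOS/MacProtector
  920 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'

# pids_matching NAME  < listing
# Reads a "PID COMM" listing on stdin, skips the header line, compares
# the basename of the command path to NAME (case-insensitive) and prints
# each matching PID on its own line. Matching on the basename means a
# bundle living in ~/Applications is found as easily as one in /Applications.
pids_matching() {
    awk -v want="$1" '
        NR > 1 {
            n = split($2, parts, "/")
            if (tolower(parts[n]) == tolower(want)) print $1
        }'
}

# live_listing: the real process table in the same "PID COMM" shape.
live_listing() {
    ps -axo pid,comm
}

# terminate_by_name NAME [SIGNAL]
# Sends SIGNAL (default TERM) to every live process whose command
# basename is NAME. Returns 0 if at least one process was signalled,
# 1 if nothing matched. Pass KILL as the second argument only if the
# program ignores TERM, since KILL gives it no chance to exit cleanly.
terminate_by_name() {
    _name="$1"
    _sig="${2:-TERM}"
    _found=1
    for _pid in $(live_listing | pids_matching "$_name"); do
        printf 'sending SIG%s to %s (pid %s)\n' "$_sig" "$_name" "$_pid"
        kill -s "$_sig" "$_pid" && _found=0
    done
    return $_found
}

# Demo against the constructed listing only; nothing is killed here.
# Prints the PID of the sample MacProtector entry (913).
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | pids_matching MacProtector
}

demo
```

On a real machine the call would be `terminate_by_name MacProtector`, followed by deleting the app bundle as described in the removal guide linked earlier in the thread; killing the process alone only stops the nag window until the program is launched again. The basename comparison is deliberate: a process name alone is a weak indicator, so anything this finds is worth confirming in Activity Monitor before signalling it.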
Re:it's a fairly harmless trojan (Score:2, Informative)
A few other points:
- The initial can-we-get-you-to-click-on-this? page is pretty slick, other than the grammar in the dialog box; you can drag that box around in the browser window, it has drop shadows, etc.
- The source of that page is one giant, obfuscated javascript chunk (I have it saved, too, somewhere)
- Removing it takes about 45 seconds, once you know how to do it, unlike trying to deal with an infected Windows box where you can't browse to antivirus sites, run regedit, run Task Manager, open your AV software, or update the definitions, and end up wiping and reinstalling the entire OS, or wasting hours trying to boot safe mode and run AV scans...
Re:Hardly surprising (Score:5, Informative)
I would expect as Apple becomes more popular it will become more of a target for malware. This is not very surprising. I just hope Linux never becomes popular!
Well, if we do a quick calculation, perhaps we can get a ballpark idea of just how big this threat is:
Number of distinct threats: 1
Number of distinct reports: 42
Now, let's be generous and assume that for each of those 42 threads, there were about 1000 other people who experienced the same problem. That makes about 42,000 people who inadvertently installed and ran a Mac trojan. I'm not certain about the size of the Mac desktop/laptop installed base, but I suspect that a reasonable estimate is in the tens of millions.
Now, compare this with Microsoft's admission [slashdot.org] that 1 in 14 downloads on Windows is malicious, and I think it's safe to say we have two problems of distinctly different scope.
The article's author, Ed Bott, asks whether we should be crying wolf about this latest surge in Mac malware. Near as I can tell, there is a threat, but it's more akin to an excited chihuahua trying to hump your ankle than a ravening wolf.
Once again, those who claim to see direct parallels between Windows security and Mac/Linux security are guilty of false equivalence [imagicity.com].