
Mac OS Update Detects, Kills MacDefender Scareware 277

Posted by timothy
from the end-of-the-beginning dept.
CWmike writes "Apple released an update for Snow Leopard on Tuesday that warns users that they've downloaded fake Mac security software and scrubs already-infected machines. Chet Wisniewski, a security researcher with Sophos, confirmed that the update alerts users when they try to download any of the bogus MacDefender antivirus software. Wisniewski had not yet tested the malware cleaning functionality of the update, but was confident that it would work. 'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.' The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6, aka Snow Leopard, and also increases the frequency with which the operating system checks for new definitions to daily."
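The summary says the update "adds a new definition" to the OS's detection engine and that detection happens at download time. The following is an added illustration of what such a definition amounts to, written for this page; it is not Apple's code, and the definition format, the names `Example.HashMatch` / `Example.PatternMatch`, and the sample file contents are all constructed. Each definition is either a whole-file SHA-256 or a byte pattern; the third sample shows why a hash-only definition is brittle (one appended byte defeats it) while a pattern still matches.

```python
import hashlib
import os
import tempfile

# Constructed sample contents standing in for a downloaded installer.
# Neither is real malware; the marker string is a placeholder.
SAMPLE_FLAGGED = b"#!/bin/sh\n# constructed sample\necho FAKE-AV-PLACEHOLDER-MARKER\n"
SAMPLE_CLEAN = b"#!/bin/sh\necho hello\n"

# Constructed definitions. A real engine's definition file is more elaborate,
# but each entry boils down to a name plus something to match: here either a
# whole-file SHA-256 or a byte pattern expected somewhere in the file.
DEFINITIONS = [
    {"name": "Example.HashMatch",
     "sha256": hashlib.sha256(SAMPLE_FLAGGED).hexdigest(),
     "pattern": None},
    {"name": "Example.PatternMatch",
     "sha256": None,
     "pattern": b"FAKE-AV-PLACEHOLDER-MARKER"},
]


def scan_bytes(data):
    """Return the names of every definition that matches the given file content."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for definition in DEFINITIONS:
        if definition["sha256"] is not None and definition["sha256"] == digest:
            hits.append(definition["name"])
        elif definition["pattern"] is not None and definition["pattern"] in data:
            hits.append(definition["name"])
    return hits


def scan_path(path):
    """Scan one file on disk; this is what a download-time hook would call."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def demo():
    """Write the constructed samples to a temp dir and scan them, returning
    {filename: [matching definition names]}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("flagged.sh", SAMPLE_FLAGGED),
                              ("clean.sh", SAMPLE_CLEAN),
                              # one trailing byte appended: defeats the hash
                              # definition but not the pattern definition
                              ("flagged-repacked.sh", SAMPLE_FLAGGED + b"\n")):
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(content)
            results[name] = scan_path(path)
    return results


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'clean' if not hits else ', '.join(hits)}")
```

The daily definition refresh mentioned in the summary matters precisely because of the third case: a scareware author who repackages the installer invalidates every hash-based definition, so the engine is only as current as its last definition pull.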
  • by CSFFlame (761318) on Tuesday May 31, 2011 @09:30PM (#36303790) Homepage
    The Nuclear Option
  • by Flyerman (1728812) on Tuesday May 31, 2011 @09:32PM (#36303802) Journal

    So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.

    'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'

    Pity it won't always be that way, survival of the fittest applies to viruses too.

    • So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.

      Not really any different than Microsoft's monthly "Malicious Software Removal" update that's pushed for Windows.

      • Microsoft Security Essentials. It is not included in Windows, due to anti-trust restrictions (so that may change with Windows 8 since those restrictions are going away) but it is a free download. Updates itself automatically like all AV scanners, will also update via Windows Update if there's a problem.

        • by hairyfeet (841228) <bassbeast1968&gmail,com> on Wednesday June 01, 2011 @12:46AM (#36305002) Journal

          Frankly if you are gonna give someone a free AV I'd recommend Avast over MSE any day of the week. MSE is great for someone who is ONLY going to relatively safe sites and preferably has ABP to keep malicious JavaScript at bay, because frankly I have seen XSS attacks get through MSE, such as a nasty one going around the Youporn sites that will spam everyone in the person's Yahoo address book.

          Avast sandboxes the browser and scans the page BEFORE it loads and seems to kill that and other JavaScript bugs dead, it also has the optional messenger shield and P2P shield if they use those programs and it seems (at least in my experience) to use less RAM and CPU overall than MSE.

          So while I would personally not mind if MSFT gave some sort of AV as a pack in just to help cut down on the bugs, actually seeing it in action I just don't think very highly of it compared to Avast or Comodo. As for TFA allow me to say...Welcome to the club Apple users! Meetings are on Tuesdays and Thursdays, coffee and donuts are in the back.

          Seriously now that there is blood in the water the sharks will come, and it will only get worse. They saw they were able to get some good numbers with MacDefender and now MacGuard, and thanks to Hackintosh they don't even need to buy an Apple to test their code on! The first Windows bugs were pretty primitive and easy to kill too. I remember when a simple booting into safe mode and tossing the files would kill a great number of bugs. Mark my words this is just the beginning, within 6 months I predict we'll be seeing our first really nasty deep buried Apple malware. Who knows, we may even see an Apple Code Red style mass infection!

          Either way it will be quite interesting to see how Apple handles it. Their "don't say the M word" attitude at the beginning doesn't fill me with confidence, Apple seems to care about its image too much when weighed against helping their customers. How long did it take them to cook up a tool for this "simple to remove" bug? How are they gonna handle getting a real deep Windows style nasty? Should be quite interesting to watch and see.

          • The first Windows bugs were pretty primitive and easy to kill too. I remember when a simple booting into safe mode and tossing the files would kill a great number of bugs.

            You don't even know the difference between malware and bugs.

          • by macs4all (973270) on Wednesday June 01, 2011 @02:36AM (#36305526)

            Seriously now that there is blood in the water the sharks will come, and it will only get worse. they saw they were able to get some good numbers with MacDefender and now MacGuard, and thanks to Hackentosh they don't even need to buy an Apple to test their code on! The first Windows bugs were pretty primitive and easy to kill too. I remember when a simple booting into safe mode and tossing the files would kill a great number of bugs. Mark my words this is just the beginning, within 6 months I predict we'll be seeing our first really nasty deep buried Apple malware. Who knows, we may even see an Apple Code Red style mass infection!

            Yeah, their "Pretty Good Numbers" were measured in maybe a few hundred Macs, worldwide. Yeah, that's some epidemic. And the ONLY reason it got as far as it did, was because of all the lame-ass website admins who got infected by the fake banner ad, and then the genius move of then poisoning several Search Engines' Page Rank systems [abc3340.com], so those sites came up high in search results. So, the REAL SUCCESSFUL "attack" was on those websites. And I would bet my bottom dollar that the vast majority of infections were of gullible Windows-Switchers, who cannot fathom a computer platform that DOESN'T regularly need "Virus Scans". The veteran Mac users KNOW better! (Yes, I'm being smug).

            Oh, and one of the reasons this will NEVER get to the level of a Windows problem is simple: Macs don't have a "Registry", in the sense that Windows does. Without that idiotic, centralized database of thousands of system and application settings, it is literally impossible to create malware that can survive simple file-replacement techniques. The problem is that there is literally NO reliable mechanism to "rebuild" a seriously damaged Registry. Microsoft can't do it, Third Parties can't do it, and users DAMN sure can't do it!

            This is why SO many problems with Windows end with the tried-and-true mantra of "Wipe and Reload" (a/k/a the "back off and nuke it from orbit" method). Because, quite literally, it is often the ONLY way to be sure.

            But, since Apple uses .plist files, and since the rule is that they can be REBUILT if deleted, it's gonna be pretty damned hard for something to really scrog an OS X system. At least in a way that cannot be relatively easily "rebuilt".

            And that tune you've been singing has been sung for over ELEVEN years now, and what? Heck, even Linux has much, much more "malware" than OS X. In fact, over 250 times as much.

            • by jimicus (737525) on Wednesday June 01, 2011 @04:25AM (#36305966)

              Complete balderdash.

              You can't trust a machine that's running malware to tell the truth when it tells you that it is now clean - because for all you know, the malware has hooked into the very API routines your anti-malware product depends upon. Anyone who's spent any serious length of time trying to clean up a heavily infested Windows PC will attest to that.

              There's booting from a CD - which is much more sensible but only 100% workable if you have a whacking great database of checksums for every valid executable, every DLL, everything that may contain runnable code on the planet and you can somehow use the CD to patch all known vulnerabilities on a system - including local exploits that may take advantage of something the user's already downloaded.

              A heuristic algorithm is never going to be 100% reliable because you're essentially only one step away from trying to solve the halting problem - the only real difference is instead of saying "Will the computer halt?" you're saying "Will the computer do something undesirable?". The best you can hope for is to say it probably won't.

      • Re: (Score:3, Interesting)

        by Nerdfest (867930)

        Not really any different than Microsoft's monthly "Malicious Software Removal" update that's pushed for Windows.

        Exactly. Sad to say, but exactly.

      • by Ixokai (443555)

        It's basically the same, yeah. Unless you happen to get stupid the day after the last update on Windows, you may not notice you've been infected for ~29 days, as opposed to like, ~1.

        ~1 is a lot better than ~29, isn't it?

      • It WASN'T that different, except now it is updating definitions. Before it was updated only through the Software Update system, just like the Malicious Software Removal Tool. Now it is more like Security Essentials, except without the behavioral detection.

    • by Anonymous Coward on Tuesday May 31, 2011 @09:42PM (#36303874)

      More reason to use Windows - you get a more sophisticated malware for your money.

    • by DJRumpy (1345787)

      The Mac scanner only scans for Trojans at this point (3 of them including MacDefender), not viruses. Apple has typically left virus scanning up to 3rd parties, while taking a more active role in alerting users about phishing and malware up front.

      • by ninetyninebottles (2174630) on Tuesday May 31, 2011 @10:30PM (#36304258)

        The Mac scanner only scans for Trojans at this point (3 of them including MacDefender), not viruses. Apple has typically left virus scanning up to 3rd parties, while taking a more active role in alerting users about phishing and malware up front.

        Ummm, what viruses would it be looking for? There aren't any real, in the wild Mac viruses unless you count Mac Guard, which barely qualifies and is only delivered via trojan that happens to spawn a separate app at run time.

    • by at_slashdot (674436) on Tuesday May 31, 2011 @10:04PM (#36304060)

      That reminds me of people who were commenting here on slashdot about the fact that it doesn't matter that the malware installs without using root access, see, it does matter.

      • The only thing root access gives malware authors is rootkit installation and removal hardening. They can still read and write user files, which could lead to either ID theft, or ransomware by proprietary file encryption.

      • by TubeSteak (669689)

        That reminds me of people who were commenting here on slashdot about the fact that it doesn't matter that the malware installs without using root access, see, it does matter.

        I'm not sure you understand the people who say "root doesn't matter".
        Malware doesn't have to stick around very long to be profitable, it only has to spread widely.

        So while, yes, root matters for the cleanup...
        No, it doesn't matter when it comes to logging your keystrokes and obtaining your credit card numbers/banking info/passwords.

        Either way, you've gotten screwed and the malware distributors have made some money.

        • by dgatwood (11270) on Wednesday June 01, 2011 @12:18AM (#36304858) Journal

          No, it doesn't matter when it comes to logging your keystrokes and obtaining your credit card numbers/banking info/passwords.

          Actually, on Mac OS X, it does matter.

          • If the app is written properly and uses EnableSecureEventInput while the user is entering passwords (as recommended in TN2150), then event taps won't get you passwords.
          • Only processes running as root can seize keyboards as of 10.5, preventing password capture down at the device access level as well.
          • Only processes running as root can load kernel extensions, preventing it at the driver level.

          Thus, to my knowledge, unless you exploit a bug in the OS, it should not be possible to sniff passwords in Mac OS X unless an app is running as root.

          That's not to say that it can't steal passwords in other ways—spoofing password dialogs, stealing your Safari cookie files, reading your Safari bookmarks and pretending to be Safari while it displays your bank's website, etc.—but it should not be able to capture passwords that you enter in other applications. Thus, root matters. A lot.

      • by PitaBred (632671)

        Being that it's not installed with root permissions means it's easy to remove. When it can keep you from seeing it when you're looking for it (aka, root permissions), you're hosed. It's the difference between fully installing the system again along with all your programs and such and then restoring from backup, and just possibly restoring from backup if something gets hosed. You do back up, right?

    • Pity it won't always be that way, survival of the fittest applies to viruses too.

      True. Also worth noting is that some environments are more hospitable to them than others. If OS X continues to grow in market share it becomes a more alluring target for virus creators, but if the system itself is very secure then you still won't see more than a trickle. Look at the difference between Apache on Linux and IIS on Windows for example. Relative security levels play a huge role.

    • by node 3 (115640)

      So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.

      'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'

      Pity it won't always be that way, survival of the fittest applies to viruses too.

      Actually, the way Mac OS X works, it's very difficult to construct a program that "buries" itself in the system. It's even somewhat more difficult to do than it is in Linux. On Mac OS X, every single program can be found by dropping to a bash shell. The places that get called on startup are few and easily managed.

      That's not to say it's impossible or anything, but these sort of pithy responses that amount to "well, on Windows it does this, so it's only a matter of time until this happens on OS X, too" genera
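The comment above says the places that get called on startup are "few and easily managed". As an added example (written for this page, not code from Apple or from any commenter), here is a check of the launchd job directories a defender would enumerate on a volume: the system-wide `Library/LaunchAgents` and `Library/LaunchDaemons`, plus each user's `Library/LaunchAgents`. Jobs whose program lives outside a set of trusted prefixes get flagged, since a home directory or `/Users/Shared` is exactly where software installed without root can write. The trusted-prefix list and the sample volume tree are constructed assumptions for the demo.

```python
import os
import plistlib
import tempfile

# System-wide launchd job directories, relative to the volume root (real macOS
# paths). Per-user agents live under each home's Library/LaunchAgents.
SYSTEM_LAUNCH_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")

# Executables under these prefixes are treated as vendor-provided for this
# example (an assumption); a real baseline would come from a known-good install.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")


def _read_jobs(directory):
    """Parse every .plist in one launchd directory into (path, label, argv)."""
    jobs = []
    if not os.path.isdir(directory):
        return jobs
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as f:
                data = plistlib.load(f)
        except Exception as exc:  # a job file that will not parse is itself worth flagging
            jobs.append((path, None, ["<unparseable: %s>" % exc]))
            continue
        argv = data.get("ProgramArguments") or [data.get("Program")]
        jobs.append((path, data.get("Label"), argv))
    return jobs


def list_launch_jobs(root):
    """List launchd jobs under a volume root: system dirs first, then each
    user's LaunchAgents. Use "/" for the running system or the mount point
    of an offline volume."""
    jobs = []
    for rel in SYSTEM_LAUNCH_DIRS:
        jobs.extend(_read_jobs(os.path.join(root, rel)))
    users_dir = os.path.join(root, "Users")
    if os.path.isdir(users_dir):
        for user in sorted(os.listdir(users_dir)):
            jobs.extend(_read_jobs(os.path.join(users_dir, user, "Library", "LaunchAgents")))
    return jobs


def flag_untrusted(jobs):
    """Return (label, executable) for jobs whose program is not under a
    trusted prefix, or whose plist could not be parsed at all."""
    flagged = []
    for _path, label, argv in jobs:
        exe = argv[0] if argv else None
        if exe is None or not exe.startswith(TRUSTED_PREFIXES):
            flagged.append((label, exe))
    return flagged


def build_sample_root():
    """Constructed stand-in for a volume: one vendor-style daemon and one
    user agent pointing into a hidden folder in the user's home."""
    root = tempfile.mkdtemp()
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    agents = os.path.join(root, "Users", "alice", "Library", "LaunchAgents")
    os.makedirs(daemons)
    os.makedirs(agents)
    with open(os.path.join(daemons, "com.example.daemon.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.daemon",
                       "ProgramArguments": ["/usr/libexec/example-daemon"]}, f)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Users/alice/Library/Application Support/.hidden/updater", "--quiet"],
                       "RunAtLoad": True}, f)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for label, exe in flag_untrusted(list_launch_jobs(sample)):
        print("untrusted startup job:", label, "->", exe)
```

Pointing `list_launch_jobs` at a mounted volume rather than `/` is the point of the design: the listing then does not depend on anything the suspect system's own `launchctl` reports.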

    • by mwvdlee (775178)

      ...As long as you bought the very latest version of OSX. At least that's what TFS claims.

  • The summary mentions:

    the rudimentary antivirus detection engine

    Wouldn't we be better off detecting the viruses, not the antivirus?

    • by OzPeter (195038) on Tuesday May 31, 2011 @09:55PM (#36303968)

      The summary mentions:

      the rudimentary antivirus detection engine

      Wouldn't we be better off detecting the viruses, not the antivirus?

      No .. its customary to look for signs of an infection even if you can't see the infection itself. So that by detecting anti-virii (and spelling nazis be damned) you prove that the system has come into contact in the past with a genuine virus. Unfortunately as time goes on you find that more and more systems develop anti-virii until the entire population has developed them, thus leading you to posit that the original virus was very very wide spread. However by now, due to the universality of the anti-virii, all systems are now safe from the original virus. Which is all well and good until something to do with an unclean telephone occurs. Hmm does that make Apple one of the telephone sanitizers????

      • So you use an incorrect form and you know it and you are proud of that? I'm pretty sure that stupidity is worse than ignorance.

    • by Jeremi (14640) on Tuesday May 31, 2011 @10:18PM (#36304176) Homepage

      Wouldn't we be better off detecting the viruses, not the antivirus?

      The distinction between those two categories grows hazier every year...

      • The distinction between those two categories grows hazier every year...

        This is easy - the one that screws up all your network connections is the ... ah, hell.

    • by node 3 (115640)

      The summary mentions:

      the rudimentary antivirus detection engine

      Wouldn't we be better off detecting the viruses, not the antivirus?

      Well, if Norton on the Mac is anything like on Windows, removing it would probably provide a greater overall benefit than detecting and removing actual malware.

  • 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'

    at least, we hope not (yet).

    • at least, we hope not (yet).

      Wouldn't it be pretty trivial to do a byte-by-byte comparison of a machine that's infected and one that isn't?
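The comment just above asks about a byte-by-byte comparison of an infected machine against a clean one, and jimicus's comment earlier in the thread makes the two points that decide how such a comparison must be done: a running infected system cannot be trusted to report on itself, and the comparison needs a database of checksums for every legitimate file. The following is an added example written for this page (not code from any commenter, Apple or Sophos): it hashes a file tree into a manifest and diffs a known-good manifest against a suspect volume, reporting added, missing and modified paths. The two trees and their contents are constructed placeholders; in practice the baseline is built from trusted media and stored off the machine, and the suspect tree is a volume mounted from clean boot media.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256. Symlinks are recorded by target instead of being followed,
    so a planted link cannot steer the walk outside the tree."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report what differs between a known-good manifest and the suspect volume."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write_tree(root, files):
    """Materialise {relative_path: bytes} under root."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo():
    """Build a constructed clean tree and a constructed tampered copy of it,
    then diff them. Contents are placeholders, not real system files."""
    clean = {
        "bin/ls": b"clean ls binary placeholder",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "usr/lib/libexample.dylib": b"clean library placeholder",
    }
    tampered = dict(clean)
    tampered["usr/lib/libexample.dylib"] += b" + injected bytes"               # modified
    tampered["Library/LaunchAgents/com.example.agent.plist"] = b"<plist/>"  # added
    del tampered["etc/hosts"]                                                 # missing
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        _write_tree(good, clean)
        _write_tree(suspect, tampered)
        baseline = hash_tree(good)  # in practice: built from trusted media, stored off-box
        return diff_manifests(baseline, hash_tree(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest only answers "which files changed"; as jimicus notes, it says nothing about whether an unchanged file is itself exploitable, so a clean diff is a statement about integrity, not about vulnerability.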

    • by PopeRatzo (965947) *

      'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'

      That's what's known as "whistling past the graveyard."

      "I've got some little cold sores, but it's nothing like herpes or anything..."

  • For years I have understood that Unix systems were less prone to security threats posed by malware/viruses/hackers due to the basic security model of unix. When naysayers said Mac was less prone because of marketshare, the argument against this is the large number of Linux servers which have never been successfully targeted by any major security threat. While this malware attack is a trojan (and more social engineering), are the naysayers actually correct that Mac is not been successfully attacked because o
    • by catmistake (814204) on Tuesday May 31, 2011 @10:20PM (#36304192) Journal
      Depends on who you ask. If you ask a security expert that, due to the fact that they are a security expert, they of course spent most of their time buried in Windows fixing the broken, they will tell you all computer operating systems are equally susceptible. However, if you ask a long toothed grey beard UNIX systems administrator, he will tell you all computer operating systems are equally susceptible, but he's never seen a virus because he has spent most of his time buried in UNIX.
    • Re: (Score:3, Interesting)

      A few things:
      • The simple Unix security model is better than the (largely historic) Windows model because users do not have the ability to make systemwide changes. This ensures that even if malware infects a user's machine, it is always possible for the root user -- what Windows refers to as an "Administrator" -- to remove the infection, and the worst case is that the user's files are all gone.
      • A Windows system can be set up to have the same security model as a Unix system, and this has been recommended by M
      • by ninetyninebottles (2174630) on Tuesday May 31, 2011 @10:47PM (#36304366)

        This is possible to set up in Windows, GNU/Linux (using SELinux; you can also simplify things and run your web browser in the SELinux sandbox, which confines downloaded programs to the same sandbox, and by default deletes those programs when the sandbox is closed), FreeBSD (with TrustedBSD), TrustedSolaris (if anyone still cares about Solaris), AIX, etc...but I am not sure that this is something that is officially supported in Mac OS X. That being said, Mac OS X does have mandatory access control built into its kernel, and as far as I know that is what is used to implement "parental controls."

        OS X's Mandatory Access Controls are a port of TrustedBSD. They are used to sandbox selected services in OS X to improve security, but not widely deployed yet for userspace software. You can configure them yourself using the CLI or using a third party application like "Sandbox".

        • That is good to hear; when I last looked into it, I was given the impression that manually fiddling with the mandatory access controls was not officially sanctioned/supported by Apple.
        • A Windows system can be set up to have the same security model as a Unix system, and this has been recommended by Microsoft for years. However, so many legacy applications expect "administrator" privileges in Windows that this is not the easiest thing to do.

          OS X's Mandatory Access Controls are a port of TrustedBSD. They are used to sandbox selected services in OS X to improve security, but not widely deployed yet for userspace software. You can configure them yourself using the CLI or using a third party application like "Sandbox".

          MS cannot be secured to the same degree -- a simple .reg file can disable UAC without warning, disable 64bit driver signing, and install a root Certificate Authority. This Java Applet exploit [securelist.com] (A variant of which I've found on US machines attacking US bank accounts) shows windows security for what it is -- an afterthought, easily disabled.

          Both OSX and Linux security are far superior IMO than Windows, but I do have working "root" level proof of concept exploits for all 3 -- reported, and unpatched (excep

      • Re: (Score:2, Troll)

        by Kitkoan (1719118)

        As a final note, Mac OS X is routinely the first system to be defeated at pwn2own; some say this is because it is less secure, others say it is because the participants want Mac OS X systems more than Windows systems.

        OSX is the first system to be defeated at pwn2own because it's less secure, not because the OSX system is a more wanted prize. Charles Miller (the man who takes down OSX at pwn2own) has answered this before in an interview. [threatpost.com]

        Many pundits have made a lot of the fact that the Mac was the first to be exploited in the Pwn2Own contest. Was the choice of the Mac as the first target because the hardware/operating system combo was more desirable as a prize than the commodity Windows laptops of the other competitors? Or was it just because Macintosh exploits occur with much less frequency than Windows exploits and would therefore be more newsworthy?

        So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so it's no longer trivial to exploit. In fact, I have lots of bugs in Safari that I easily could have exploited on Leopard but will be very difficult on Snow Leopard. So it used to be that it was much worse, but now it's mostly comparable (although still slightly behind)

      • The guy who won said it was because Apple does not secure as well as MS. http://threatpost.com/en_us/blogs/transcript-charlie-miller-mac-os-x-pwn2own-and-writing-exploits-031810 [threatpost.com]
        • errr...?

          So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so it's no longer trivial to exploit. In fact, I have lots of bugs in Safari that I easily could have exploited on Leopard but will be very difficult on Snow Leopard. So it used to be that it was much worse, but now it's mostly comparable (although still slightly behind)

          bold mine.

          Also.

          Another question from the Twittersphere: What OS/browser pairing to you use? Do you do anything special (beyond default settings) to secure yourself while browsing?

          You're not trying to pwn me are you??? Have you ever heard the saying about the cobbler's kids not having shoes? That's me, I'm afraid. I use Safari on OSX with no special settings. This isn't the most secure combination, by any stretch of the imagination, but I like it. It's designed by Apple engineers to be easy to use and 'just work' and it does. The risk of malware is low, and hey, I'm a security expert right :) The risk of a targeted attack is real, except I don't think I'm important enough to be targeted! So I rely on security by obscurity, I guess

          That same guy also says he feels perfectly safe browsing on Safari on top of OSX.

          So?

      • by http (589131)
        I care about Solaris. I hates its forever.
    • To this date there have not been any viruses (i.e. self propagating code that infects machines without user intervention) for Mac OS X and I'm pretty sure Linux as well.

      The malware that relies on social engineering techniques (like the one mentioned in this discussion) is very hard to protect against. Basically, a user with some kind of system privileges to install software is lured to download the software, attempt to install it, provide their password when asked by the OS/installer. If you have a user w
      • To this date there have not been any viruses (i.e. self propagating code that infects machines without user intervention) for Mac OS X and I'm pretty sure Linux as well.

        You should at least try using a search engine before making a remark like that:

        https://help.ubuntu.com/community/Linuxvirus [ubuntu.com]

        I say this as someone who has used nothing except GNU/Linux for many years now: there are viruses out there that will infect a vulnerable GNU/Linux system. Do not be fooled, these things are out there. As an exercise, you can try to write a very basic virus that targets the vi text editor and inserts itself into any C program a user creates (if you want bonus points, have th

        • The point is that people who opt to use some kind of UNIX as their primary machine are usually not technically clueless. The second point is that most UNIX distros (including OS X) come with hundreds of tools to monitor the system, inspect binaries etc. Also, a good chunk of software is downloaded as source and compiled on the localhost. This also gives you a chance to look at code directly.
          • point is that people who opt to use some kind of UNIX as their primary machine are usually not technically clueless

            That has not been my observation; the majority of Mac OS X users I know of do not know a lot about their computers, nor are they interested in learning. They purchased a system with Mac OS X because they heard that it was easy to use and would give them fewer headaches than a Windows system.

            The second point is that most UNIX distros (including OS X) come with hundreds of tools to monitor the system, inspect binaries etc.

            Tools which only the most experienced users can use to detect malware; even technically literate people may not be able to spot suspicious behavior.

            Also, a good chunk of software is downloaded as source and compiled on the localhost. This also gives you a chance to look at code directly.

            Allow me to introduce you to my favorite programming contest:

            h [xcott.com]

    • by Billly Gates (198444) on Tuesday May 31, 2011 @10:56PM (#36304420) Journal

      Windows was more insecure because Microsoft designed it to be scriptable with com/dcom objects that apps can use to integrate into one another for app embedding. ActiveX are just objects that are designed from the ground up to be mix win32 applets inside IE. The whole object model is based upon using proprietary win32 code and APIs so the programmers do not have to code as much. This was designed for lock in and accessibility everywhere with no security in mind. Unfortunately, this meant I can write some VB 6 app to call win32 functions to wipe your hard drive and I can just copy the dll over as an activeX object in IE. If you have IE 5 or earlier all you would have to do is visit my webpage and it would run automatically on your computer and it would be trash. The iloveyou worm that hit it big in Outlook was a simple VBA script that copied the string and did a simple call to the user's address book. Most of the win32 api was designed for Windows95 built on Dos which had no concept of user rights. Only the security API for Windows NT had that modern concept. These APIs were ported over to WindowsXP.

      Buffer overflows are something else and poor memory management of Windows causes GP faults which everyone and their brother received back in the Win 9x days. Microsoft had trouble enforcing this because Dos and Windows 3.1 apps just took random memory addresses mostly and one would just take an address of something else and bluescreen and take down your system. So if you are a hacker and know when a ram address ends with a certain DLL (thanks to a debugger) you can put some code in that address and WHAM instant execution. Windows also has no concept of data for execution vs data for storage. This is a flaw of x86 actually but you could put executable code in just a cookie or a temp file and it would not be hard to trick Windows when it is done executing a DLL to go to your program and it will totally bypass security. You can do this in Unix as well but this is very uncommon today as you need to be root and was a hack of the early 80s when coders wrote in assembly to gain performance tricks. This is frowned upon in the Unix world as there are excellent libraries that can obtain speeds close to assembly. Not to mention users do not want to log in as root. These same assembly calls stayed in Windows due to backwards compatibility as WindowsXP has the default user as an administrator. Doh

      Anyway, this was why Windows was less secure and why MS wants you to switch to .NET. Less to do with marketshare but more to do with poor design decisions and the requirements to be backwards compatible. I am so sick of those saying Windows is great and it is marketshare or something else stupid.

      • by radish (98371)

        ActiveX in IE 5 was a mess. Luckily it was EOL 10 years ago, try running 10 year old versions of Mac or Linux OSs and see how secure they are. Current versions of IE are better, and of course, if you don't run IE at all you're immune from ActiveX attacks as no other major browsers support it (and the other occasional vector, Outlook, is crazy paranoid these days).

        The full user account ACL/permissions stuff has been in mainstream Windows since XP (again - many years ago).

        Windows also has no concept of data f

      • by spongman (182339)

        Only the security API for Windows NT had that modern concept. These api's were ported over to WindowsXP

        no NT APIs were 'ported' to XP. XP was NT (version 5.1 build 2600 to be precise).

      • Windows was more insecure because Microsoft designed it to be be scriptable with com/dcom objects that apps can use to integrate into one another for app embedding. ActiveX are just objects that are designed from the ground up to be mix win32 applets inside IE.

        COM/DCOM is a binary object model for creating object oriented API. A COM API is just an API following some specific conventions. The convention describes how an "object" must point to a type which must have a jump table. Nothing is more or less secure about it.

        It is correct that ActiveX is a COM model for extending the browser (and other types of applications). As such you can compare it to extension APIs such as NSAPI in other browsers. Nothing inherently more secure or insecure about that. Now, MS *also*

    • For years I have understood that Unix systems were less prone to security threats posed by malware/viruses/hackers due to the basic security model of unix. When naysayers said Mac was less prone because of marketshare, the argument against this is the large number of Linux servers which have never been successfully targeted by any major security threat. While this malware attack is a trojan (and more social engineering), are the naysayers actually correct that Mac is not been successfully attacked because of marketshare? If so, are unix systems not inherently more secure due to their design than other OSes?

      Thanks!

      When given equal incentives ($10k and/or a free laptop) to compromise an OS, OSX has always gone down first and most easily in the annual pwn2own contest. That's been a pretty clear indication that security by obscurity is Apple's main defense. "Unix systems" can be incredibly secure, but OSX is a rather flimsy incarnation of one.

    • by devent (1627873)

      Here is a very good article on security of Microsoft IIS vs. Apache on a Linux system:
      http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/ [theregister.co.uk]
      Have fun reading.

      • From that ancient (2004) article:

        This reasoning backfires when one considers that Apache is by far the most popular web server software on the Internet. According to the September 2004 Netcraft web site survey, [1] 68% of web sites run the Apache web server. Only 21% of web sites run Microsoft IIS. If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS.

        Ugh. Which operating system are the most compromised (2010): http://www.zone-h.org/news/id/4737 [zone-h.org]

        Linux 1.126.987
        Windows 2003 197.822
        FreeBSD 46.992
        Win 2008 15.083
        F5 Big-IP* 14.000
        Unknown 7.840
        Win 2000 6.097

        Which servers?

        Apache 1.095.982
        IIS/6.0 195.154
        nginx 40.640
        LiteSpeed 37.795
        Zeus 14.111

        Seems reality caught up with that conjecture.

  • by kervin (64171)

    I haven't heard that name since I stopped reading "Hardy Boys" as a kid.

  • by bmo (77928) on Tuesday May 31, 2011 @10:06PM (#36304078)

    Userspace malware is nothing different than Purple Gorilla Bonzi-Buddy shit.

    There is no OS or kernel patch that protects against stupid.

    I can install the SELinux scripts, and there is nothing preventing me from utterly hosing the system as administrator or my own account with my own permissions. You would have to make a read-only system, maintained by someone not-me. This is what corporate IT does.

    I see a market for itinerant bonded neighborhood sysadmins should people get over themselves and admit that joe-user can't handle his own computer at home.

    --
    BMO

    • by Ixokai (443555)

      There's no complete cure, no; but there's stuff that you can do to make it better. Apple updating the security mechanism to get its malware definitions on a daily basis, instead of as part of the normal Software Update cycle, is a very good move. It won't completely fix things, though, of course. You're absolutely right, you can't stop stupid.

      But you can certainly make stupid _worse_: and Safari's "open safe files" feature (especially defaulting to yes), which includes dmgs (think, isos kinda for non-Mac fo

    • by Culture20 (968837)

      Userspace malware is nothing different than Purple Gorilla Bonzi-Buddy shit.

      Purple Gorilla Bonzi-Buddies that quietly wait in the background downloading exploit code for the privilege escalation du jour. Once there's userspace malware, user-intervention isn't required; sometimes not even a login since it can use the system's scheduling (cron/schtasks.exe) to download when the user is logged out, and schedule a new exploit attempt immediately after download.

    • My mom refuses to ditch Windows despite nearly everyone else in my family (including grandparents) using Linux...

      She's the only one that still gets malware -- the answer was simple: Windows Steady State [wikipedia.org] -- Restores the state of the machine each boot!

      ...but, MS discontinued it. So, now the answer is simple: Run it in a VM. When a virus/malware/spyware "event" occurs ("I don't know how it happened, I didn't install ANYTHING" -- Yes you did Mom...), I pull the data into a duplicate of a known clean VM

    • If Apple does get their future, where everything is part of the Apple walled garden and all apps, media, etc have to come from Apple then it would be possible to stop user infections. If the screening process was thorough enough, you could make sure nothing malicious ever made it through. Of course that is a big if, people could get creative to get around it. There's also the fact that many of us are not thrilled with the idea of one company being the gatekeeper of everything.

      Short of that, nothing you can d

  • I hope Apple takes this incident to heart and makes one minor, but very significant, change to how their OS (or more specifically, their OS setup process) works: namely that the default user should not have admin privileges! Currently an out of the box Mac will prompt the user to set up an account, and that account will have admin privileges. To actually set up another account the user has to know enough to go into sy

    Hopefully in Lion they will, at the very least, explain to users that they should set up a non-admin account to do their everyday computing and only use the admin account when they need to do admin things.....

    • Almost completely irrelevant.

      When the 'admin' user attempts to do anything requiring root privileges, the system prompts for a password. If you are running as a non-admin user, you just have to fill in a different username in the password box that pops up (that of an admin account). If you don't know the admin account password, then you are obviously not managing your computer, and if you do... Then you have to type in an entire extra word to get root privileges! Wow!

    • To get admin privs, you should have to call Apple support. They, upon sufficient justification, shall issue a one-time sudo password. If they deem it unnecessary for you to have admin privs at this time, you don't get them.

      That would solve a lot of problems.

    • by Ixokai (443555) on Wednesday June 01, 2011 @04:35AM (#36305998)

      Not exactly.

      That user doesn't have admin privileges; that user is, in effect, in the sudoers file. They can authorize admin privileged actions. The default user can't modify or tweak anything in /System. But they can be prompted to allow elevated access to allow things to write into important parts of the system.

      And frankly, that SHOULD be the default. It doesn't make any sense at all to be more restrictive than that. Yes, you should not run as root, or administrator on windows, in your day to day stuff. But in your regular, day to day stuff, on your machine-- you will in the normal course of events need to authorize programs to install globally or tweak system prefs or whatever else on occasion.

      No one will EVER learn the "lesson" you want them to be taught. In a secure environment, you may have your regular user, who can't even possibly access (even via sudo) admin power, and an entirely separate account you use to do the system configuration and application install tasks that need higher authority. That will NEVER happen on user-focused machines. It's a frankly absurd notion.

      Yes, that means machines will always be susceptible to stupid people running crap that they don't mean to download or are tricked to downloading, and that means there is no /solution/ to the problem of malware. In truth, even with such a system, you wouldn't solve the stupid. You can't solve the stupid.

      The default user that people operate on, and which programs they naturally, passively run under -- should not have admin access. Of course not. Even Microsoft gets that, though their implementation of the escalation process is less than ideal. But if you expect someone to sit down on their desktop machine and ever have more than a single account, you're -- out of touch. That account should not have direct system-level access, no: but no one but a tiny minority of power users will ever accept having to set up some entirely separate account that can escalate privileges.

      It's not that people are stupid, or careless. It's that your expectations are absurd. Security and ease-of-use are opposing concerns. Everyone with any sense knows this: in some situations the demands of security are such that we force the pain on usage, in others we try to find a balance which isn't as difficult.

      There will never be a world where people will have two separate accounts on their home machine and that they need to decide to go from one account to another to make changes or operate said machine. People will simply use the tool given them, as they understand it is to be used.

      Even on linux, more is rarely expected outside of highly secure environs. Sudo is the norm. Yeah, your account can't do much, but you can explicitly invoke its elevation with your own same password -- and that's fine. Home machines will never, ever, be bastions of secure practice.

      It's just not worth the pain in the ass to regular people doing regular things. Is it as good as it can be, as secure as it can be? Not yet, but they are working on it. Windows has its UAC method of privilege escalation that is overly in your face so it's too easy to hit 'yes' without thinking; linux has its explicit 'sudo' which is fine (and with GUI helpers in certain environments), and Mac has its own escalation prompt. Is this paradigm of the default user being a sudoer ideal? Maybe not. But it's usable, and better than the situations where everything runs as root/administrator.

      Usability frankly trumps security. You can not honestly expect users to give up much on their home systems, usability wise; or you're just out of touch with reality.
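The exchange above turns on one concrete fact: a default Mac account is not root, it is a member of the `admin` group, and the stock sudoers line `%admin ALL=(ALL) ALL` is what lets it elevate with its own password. As an added example (not code from Apple or from any poster in this thread), here is a small audit script that parses a simplified sudoers grammar and combines it with local group membership to report which accounts can reach root and whether a password is required. The sudoers text and the group map are constructed to resemble that macOS default; the `deploy` entry is a constructed passwordless rule included so the audit has something to flag.

```python
"""Audit which local accounts can elevate to root through sudo.

Added example for this thread, not code from Apple or any commenter. It
handles a simplified sudoers grammar (who  host=(runas) [NOPASSWD:] commands)
plus '%group' entries, and resolves group membership from a dict. Both the
sudoers text and the group map below are constructed sample data.
"""
from dataclasses import dataclass
import re

SAMPLE_SUDOERS = """\
# Constructed sample resembling a default macOS /etc/sudoers
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# Constructed footgun for the audit to flag: passwordless elevation
deploy  ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

# Constructed group membership (what `dscl . -read /Groups/admin` would show on a Mac)
SAMPLE_GROUPS = {
    "admin": {"alice"},
    "staff": {"alice", "bob", "deploy"},
}

# who  host = (runas) commands   -- runas part is optional
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass(frozen=True)
class Rule:
    who: str          # a user name such as "alice" or a group such as "%admin"
    host: str
    runas: str
    nopasswd: bool
    commands: tuple


def parse_sudoers(text):
    """Return the user/group rules in `text`; aliases and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                              # alias lines etc. are out of scope
        cmds = m.group("cmds").strip()
        nopasswd = False
        if cmds.upper().startswith("NOPASSWD:"):
            nopasswd = True
            cmds = cmds.split(":", 1)[1].strip()
        rules.append(Rule(
            who=m.group("who"),
            host=m.group("host"),
            runas=(m.group("runas") or "root").strip(),
            nopasswd=nopasswd,
            commands=tuple(c.strip() for c in cmds.split(",")),
        ))
    return rules


def rules_for(user, groups, rules):
    """Rules that apply to `user`, either directly or through a %group entry."""
    applicable = []
    for r in rules:
        if r.who == user:
            applicable.append(r)
        elif r.who.startswith("%") and user in groups.get(r.who[1:], set()):
            applicable.append(r)
    return applicable


def elevation_summary(user, groups, rules):
    """Classify a user's path to root: 'none', 'password' or 'nopasswd'."""
    applicable = rules_for(user, groups, rules)
    if not applicable:
        return "none"
    if any(r.nopasswd for r in applicable):
        return "nopasswd"
    return "password"


def audit(users, groups, sudoers_text):
    """Map each user name to its elevation classification."""
    rules = parse_sudoers(sudoers_text)
    return {u: elevation_summary(u, groups, rules) for u in users}


if __name__ == "__main__":
    report = audit(["alice", "bob", "deploy", "root"], SAMPLE_GROUPS, SAMPLE_SUDOERS)
    for user, path in report.items():
        print(f"{user:8} {path}")
```

On the constructed data, `alice` is classed as `password` purely through `%admin`, `bob` as `none` because `staff` membership carries no sudo rule, and `deploy` as `nopasswd`; that last class is the one worth alerting on, since it is the configuration under which a piece of userspace malware running as that account needs no prompt at all. On a real Mac the group map would come from `dscl` and the rules from `/etc/sudoers` plus `/etc/sudoers.d`; the parser here deliberately ignores aliases and include directives, so it understates rather than overstates what a full sudoers grammar can express.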
