MacScan Detects Spyware
limpymac writes "MacScan public beta was announced to the public a few short minutes ago. MacScan will detect, isolate and remove spyware on the Macintosh. Currently it will detect trojan horses and keystroke loggers without a hitch. The application is for Mac OS and Mac OS X and is created by the folks at SecureMac.com. I found a keystroke recorder on my Macintosh that I installed a year ago and forgot to remove; hah, I have a year's worth of logs!"
Actually it was more than a few minutes ago. (Score:3, Insightful)
posted by AcaBen on Friday December 13, @07:40AM
from the undoubtedly-more-coming-for-x dept.
On MacSlash [macslash.com]
Ummm....spyware & Macintosh.... (Score:5, Funny)
Re:Ummm....spyware & Macintosh.... (Score:1)
Re:Ummm....spyware & Macintosh.... (Score:1)
In other news... (Score:5, Funny)
-psy
Re:In other news... (Score:2, Informative)
Re:In other news... (Score:2)
-psy
Re: (Score:1)
Re: (Score:1)
Now all we need (Score:5, Funny)
Re:Now all we need (Score:5, Interesting)
It is not as funny as it may sound. This is exactly the attitude I had when I installed the Debian stable release a few years ago and never bothered checking security updates. I laughed at my Windows-using friends every time there was a new worm or virus, telling them that it wasn't fair that GNU/Linux isn't supported by all of this malware, until someone exploited my old BIND buffer overflow and installed a kernel-level rootkit.
Remember that Darwin, the base of Mac OS X, is based on FreeBSD. chkrootkit [chkrootkit.org], a tool to locally check for signs of a rootkit, is constantly tested on FreeBSD 2.2.x, 3.x and 4.x, not without reason.
Read the paper Attacking FreeBSD with Kernel Modules: The System Call Approach [packetstormsecurity.org], written by pragmatic/THC in June 1999, to get some idea of how well those issues were understood three and a half years ago. This is only one paper, the first thing about FreeBSD rootkits I found.
So, of course what you said is funny, and of course your Mac is indeed much more secure than the average Wintel box out there, but that doesn't mean there's no spyware. Your Mac is not a toy, it's a powerful Unix box under the hood, which may mean that it's harder to exploit than a Windows box, but it also means that when it is exploited, it's probably easier to write and install spyware there (like a simple kernel module which intercepts the read syscall, for example). Never forget that.
Re:about chkroot (Score:1)
I don't have access to any OS X system; however, according to the FAQ: 'chkrootkit looks for known "signatures" in trojaned system binaries. For example, some trojaned versions of ps have "/dev/ptyp" inside them.'
Try running "chkrootkit -x passwd" to run only the passwd test in expert mode. It will show any text strings inside your /usr/bin/passwd binary.
(It may be a lot of text, so you'll probably need to run "chkrootkit -x passwd | less" or "chkrootkit -x passwd | more" or "chkrootkit -x passwd > some_file.txt".)
"chkrootkit -x passwd | grep ^/" will show you the files which are hardcoded into your passwd binary. This is what I got on my Debian GNU/Linux box:
/lib/ld-linux.so.2
/usr/share/locale
/var/run/nscd.pid
/etc/passwd
/etc/shadow
(grep / instead of ^/ will show every line including a slash, not only those beginning with a slash; it may show more files, but it'll also show other text besides file paths.)
If you see something suspicious there then---OK, forget about it. I see lots of suspicious strings inside my own passwd binary, like "adlqr:uSekn:x:i:w:", which could be a backdoor password or something. Besides, I have to tell you that I (and I'm not experienced in something like that) could manually trojan your /usr/bin/passwd in a way which wouldn't be detected by chkrootkit (until they add my trojan binary, which is unlikely if I do it manually, every time in a different way), and it won't show anything suspicious when looking for strings in the binary.
So just check if your /usr/bin/passwd is the same as some version you know is original (like on the CD, or on a freshly installed system, etc.).
The best you can do is probably to check the md5 hash (run "md5sum /usr/bin/passwd" or "md5 /usr/bin/passwd" -- I don't know what the command is on Mac OS X) and compare it with the md5 hash of a /usr/bin/passwd you know is clean.
But in the situation I described [slashdot.org] my /usr/bin/passwd was changed, but so was my /usr/bin/md5sum! So I couldn't trust anything.
You have to boot from read-only media (like a CD-ROM, or a floppy which has been write-protected after it has been prepared using a clean system) and check your hard drive using only software on the CD. This is the only way you'll know that at least your md5sum or ls don't lie to you (because when you find out that your passwd, md5sum, ls, ps, who, netstat and everything important has been changed by someone, it's not a nice feeling, trust me).
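The procedure in the comment above (hash the binaries, compare against a copy you know is clean, and do it only with tools you trust), written out as an added example that is not part of the original post and is not chkrootkit's code. It assumes POSIX sh, a hashing tool on the boot medium (it prefers SHA-256 and keeps md5sum/md5 only as fallbacks because that is what the thread mentions; MD5 is no longer collision-resistant, so do not build a new manifest on it), and a manifest in "digest  path" format that was generated on a clean system and stored on write-protected media. The hardcoded_paths function reproduces what "chkrootkit -x passwd | grep ^/" shows, using tr instead of chkrootkit. The files it runs on at the bottom are constructed stand-ins, not real system binaries.

```shell
#!/bin/sh
# Added example (not the poster's code, not chkrootkit): integrity-check a set of
# binaries against a manifest built on a clean system. Run this script, the
# manifest and the hashing tool from read-only media, never from the suspect disk.

# Print the bare digest of one file. Prefers SHA-256; md5sum/md5 are kept only as
# fallbacks because the thread talks about md5 (MD5 is no longer collision-resistant).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1      # macOS / BSD
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"                              # BSD md5(1)
    fi
}

# Build a manifest ("digest  path" per line) from the files given as arguments.
# Do this on a system you know is clean and copy the result to write-protected media.
make_manifest() {
    for f in "$@"; do
        printf '%s  %s\n' "$(file_digest "$f")" "$f"
    done
}

# Verify every manifest entry. Prints one line per problem and returns 0 only when
# every listed file exists and hashes to the recorded value.
verify_manifest() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            status=1
        elif [ "$(file_digest "$path")" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Absolute paths embedded as strings in a binary, like "chkrootkit -x passwd | grep ^/",
# implemented with tr so it does not depend on strings(1) from binutils.
hardcoded_paths() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^/[^[:space:]]+' | sort -u
}

# Demonstration on constructed stand-in files (not real system binaries).
demo_dir=$(mktemp -d)
printf 'fake passwd\000/etc/passwd\000/etc/shadow\000' > "$demo_dir/passwd"
make_manifest "$demo_dir/passwd" > "$demo_dir/manifest"     # taken on the clean system
printf 'backdoor' >> "$demo_dir/passwd"                      # someone trojans the binary
verify_manifest "$demo_dir/manifest" || echo "integrity check FAILED (expected in this demo)"
hardcoded_paths "$demo_dir/passwd"
rm -rf "$demo_dir"
```

The commenter's point still holds for this script: it proves nothing if sh, the hashing tool, tr and the manifest come from the disk being checked, because a rootkit that replaced md5sum (or hooks the read syscall underneath it, as the earlier comment describes) will report a clean digest for its own trojaned binary. Boot from the CD, then run it with every path pointing into the CD.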
Re:about chkroot (Score:2)
May I suggest... (Score:5, Funny)
They may not actually be as interesting / immersive as the year of typing itself.
Is it just me... (Score:5, Informative)
Triv
The Spy Who Loved Me (Score:3, Funny)
Re:The Spy Who Loved Me (Score:4, Funny)
(or should that read self-delusion)
hey I know that name (Score:2, Interesting)
It comes from Macdonald and Scanlon.
PC World desperately needs this (Score:1)
The Wintel world (Win9x) needs something that can get Gator and friends out the door. I've had Gator, Netdotdomains, and a horde of other spyware install itself, take the free system resources from 95% to 65%, and not get out. Antivirus software just cannot detect it.
Re:PC World desperately needs this (Score:5, Informative)
Re:PC World desperately needs this (Score:5, Informative)
That's because you gave permission to install it via some sneaky click-wrap license. You know, those ones you never read? AV companies have the technology, but they would probably get their pants sued off if they called another company's product malicious when it was merely annoying or nosy--and when the user supposedly consented to it being there.
The wintel world (win9x) needs something that can get Gator and friends out the door.
There are plenty of them already, like Pest Patrol [pestpatrol.com], Spybot S&D [kolla.de], and Ad Aware [lavasoftusa.com].
There's a lot of good information on spyware at Doxdesk [doxdesk.com] and Spyware Info [spywareinfo.com].
Blast from the past (Score:5, Interesting)
Re:Blast from the past (Score:1)
Re:Blast from the past (Score:2, Informative)
Re:REALbasic & Security Experts (Score:1)
Looks interesting ... (Score:4, Funny)
Re:Looks interesting ... (Score:1, Funny)
Just a thought.
you trojaned your own computer? (Score:3, Funny)
The last thing she ever heard (Score:4, Funny)
"George, I told you to put that stuff away. What's that, the third model we've killed? Well, see if we at least snapped the photo in time."
Crashes (Score:5, Informative)
Re:Crashes (Score:2)
I wouldn't even call it beta. More like pre-alpha
MacScan b2 Available (Score:1, Informative)