Mac OS Update Detects, Kills MacDefender Scareware 277
CWmike writes "Apple released an update for Snow Leopard on Tuesday that warns users that they've downloaded fake Mac security software and scrubs already-infected machines. Chet Wisniewski, a security researcher with Sophos, confirmed that the update alerts users when they try to download any of the bogus MacDefender antivirus software. Wisniewski had not yet tested the malware cleaning functionality of the update, but was confident that it would work. 'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of some of the crap that we see on Windows.' The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6, aka Snow Leopard, and also increases the frequency with which the operating system checks for new definitions to daily."
So Mac Users should expect this? (Score:5, Insightful)
So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.
'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of some of the crap that we see on Windows.'
Pity it won't always be that way, survival of the fittest applies to viruses too.
Re:So Mac Users should expect this? (Score:5, Insightful)
So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.
Not really any different than Microsoft's monthly "Malicious Software Removal" update that's pushed for Windows.
And so it begins... (Score:0, Insightful)
The slow, but inevitable slide to Mac OS X being locked down in the exact same way that iOS is.
First they block apps in the name of protecting users from themselves... Then they just slowly increase the definition of "harmful apps."
Or for more comprehensive scanning (Score:3, Insightful)
Microsoft Security Essentials. It is not included in Windows, due to anti-trust restrictions (so that may change with Windows 8 since those restrictions are going away) but it is a free download. Updates itself automatically like all AV scanners, will also update via Windows Update if there's a problem.
Re:What are we detecting? (Score:4, Insightful)
The summary mentions:
the rudimentary antivirus detection engine
Wouldn't we be better off detecting the viruses, not the antivirus?
No .. its customary to look for signs of an infection even if you can't see the infection itself. So that by detecting anti-virii (and spelling nazis be damned) you prove that the system has come into contact in the past with a genuine virus. Unfortunately as time goes on you find the that more and more systems develop anti-virii until the entire population has developed them, thus leading you to posit that the original virus was very very wide spread. However by now, due to the universality of the anti-virii, all systems are now safe from the original virus. Which is all well and good until something to do with an unclean telephone occurs. Hmm does that make Apple one of the telephone santizers????
Re:And so it begins... (Score:5, Insightful)
The slow, but inevitable slide to Mac OS X being locked down in the exact same way that iOS is.
First they block apps in the name of protecting users from themselves... Then they just slowly increase the definition of "harmful apps."
If by "first they block apps..." you mean "first they warn you that an app might be harmful, suggesting that you drag it to the trash, and providing a one-click option to do that from the warning dialog...", yeah.
There really isn't a cure for this kind of thing. (Score:4, Insightful)
Userspace malware is nothing different than Purple Gorilla Bonzi-Buddy shit.
There is no OS or kernel patch that protects against stupid.
I can install the SELinux scripts, and there is nothing preventing me from utterly hosing the system as administrator or my own account with my own permissions. You would have to make a read-only system, maintained by someone not-me. This is what corporate IT does.
I see a market for itinerant bonded neighborhood sysadmins should people get over themselves and admit that joe-user can't handle his own computer at home.
--
BMO
Re:What are we detecting? (Score:5, Insightful)
Wouldn't we be better off detecting the viruses, not the antivirus?
The distinction between those two categories grows hazier every year...
Re:Or for more comprehensive scanning (Score:5, Insightful)
Also, Microsoft includes an extra set of license checks with MSE - it's supposedly quite difficult to get it working on pirated copies of Windows. So it serves as an incentive for people to buy their OS (rather than pirate). Thus how MS sees it as a profit-making product.
Re:Or for more comprehensive scanning (Score:2, Insightful)
...what?
Re:Honest question about security of unix systems (Score:5, Insightful)
Windows was more insecure because Microsoft designed it to be be scriptable with com/dcom objects that apps can use to integrate into one another for app embedding. ActiveX are just objects that are designed from the ground up to be mix win32 applets inside IE. The whole object model is based upon using proprietary win32 code and api's so the programmers do not have to code as much. This was designed for lock in and accessibility everywhere with no security in mind.. Unfortunately, this meant I can write some VB 6 app to call win32 functions to wipe your hard drive and I can just copy the dll over as an activeX object in IE. If you have IE 5 or earlier all you would have to do is visit my webpage and it would run automatically on your computer and it would be trash. The iloveyou worm that hit it big in Outlook was a simple VBA script that copied the string and did a simply call to the user's address book. Most of the win32 api was designed for Windows95 built on Dos which had no concept of user rights. Only the security API for Windows NT had that modern concept. These api's were ported over to WindowsXP.
Buffer overflows are something else and poor memory management of Windows causes GP faults which everyone and their brother received back in the Win 9x days. Microsoft had trouble enforcing this because Dos and Windows 3.1 apps just took random memory addresses mostly and one would just take an address of something else and bluescreen and take down your system. So if you are a hacker and know when a ram address ends with a certain DLL (thanks to a debugger) you can put some code in that adress and WHAM instant execution. Windows also has no concept of data for execution vs data for storage. This is a flaw of x86 actually but you could put executable code in just a cookie or a temp file and it would not be hard to trick Windows when it is done executing a DLL to go to your program and it will totally bypass security. You can do this in Unix as well but this is very uncommon today as you need to be root and was a hack of the early 80s when coders wrote in assembly to gain performance tricks. This is frowned upon in the Unix world as there are excellent libraries that can obtain speeds close to assembly. Not to mention users do not want to log in as root. This same assembly calls stayed in Windows due to backwards compatibility as WindowsXP has the default user as an administrator. Doh
Anyway, this was why Windows was less secure and why MS wants you to switch to .NET. Less to do with marketshare but more to do with poor design decisions and the requirements to be backwards compatible. I am so sick of those saying Windows is great and it is marketshare or something else stupid.
Re:Or for more comprehensive scanning (Score:4, Insightful)
Seriously now that there is blood in the water the sharks will come, and it will only get worse. they saw they were able to get some good numbers with MacDefender and now MacGuard, and thanks to Hackentosh they don't even need to buy an Apple to test their code on! The first Windows bugs were pretty primitive and easy to kill too. I remember when a simple booting into safe mode and tossing the files would kill a great number of bugs. Mark my words this is just the beginning, within 6 months I predict we'll be seeing our first really nasty deep buried Apple malware. Who knows, we may even see an Apple Code Red style mass infection!
Yeah, their "Pretty Good Numbers" were measured in maybe a few hundred Macs, worldwide. Yeah, that's some epidemic. And the ONLY reason it got as far as it did, was because of all the lame-ass website admins. who got infected by the fake banner ad, and then the genius move of then poisoning several Search Engines' Page Rank systems [abc3340.com], so those sites came up high in search results. So, the REAL SUCCESSFUL "attack" was on those websites. And I would bet my bottom dollar that the vast majority of infections were of gullible Windows-Switchers, who cannot fathom a computer platform that DOESN'T regularly need "Virus Scans". The veteran Mac users KNOW better! (Yes, I'm being smug).
.plist files, and since the rule is that they can be REBUILT if deleted, it's gonna be pretty damned hard for something to really scrog an OS X system. At least in a way that cannot be relatively easily "rebuilt".
Oh, and one of the reasons this will NEVER get to the level of a Windows problem is simple: Macs don't have a "Registry", in the sense that Windows does. Without that idiotic, centralized database of thousands of system and application settings, it is literally impossible to create malware that can survive simple file-replacement techniques. The problem is that there is literally NO reliable mechanism to "rebuild" a seriously damaged Registry. Microsoft can't do it, Third Parties can't do it, and users DAMN sure can't do it!
This is why SO many problems with Windows end with the tried-and-true mantra of "Wipe and Reload" (a/k/a the "back off and nuke it from orbit" method). Because, quite literally, it is often the ONLY way to be sure.
But, since Apple uses
And that tune you've been singing has been sung for over ELEVEN years now, and what? Heck, even Linux has much, much more "malware" that OS X. In fact, over 250 times as much.
Re:Or for more comprehensive scanning (Score:5, Insightful)
Complete balderdash.
You can't trust a machine that's running malware to tell the truth when it tells you that it is now clean - because for all you know, the malware has hooked into the very API routines your anti-malware product depends upon. Anyone who's spent any serious length of time trying to clean up a heavily infested Windows PC will attest to that.
There's booting from a CD - which is much more sensible but only 100% workable if you have a whacking great database of checksums for every valid executable, every DLL, everything that may contain runnable code on the planet and you can somehow use the CD to patch all known vulnerabilities on a system - including local exploits that may take advantage of something the user's already downloaded.
A heuristic algorithm is never going to be 100% reliable because you're essentially only one step away from trying to solve the halting problem - the only real difference is instead of saying "Will the computer halt?" you're saying "Will the computer do something undesirable?". The best you can hope for is to say it probably won't.
Re:I hope Apple has learned a lesson from all of t (Score:5, Insightful)
Not exactly.
That user doesn't have admin privileges; that user is in effect, in the sudoers file. They can authorize admin privileged actions. The default user can't modify or tweak anything in /System. But they can be prompted to allow elevated access to allow things to write into important parts of the system.
And frankly, that SHOULD be the default. It doesn't make any sense at all to be more restrictive then that. Yes, you should not run as root, or administrator on windows, in your day to day stuff. But in your regular, day to day stuff, on your machine-- you will in the normal course of events need to authorize programs to install globally or tweak system prefs or whatever else on occasion.
No one will EVER learn the "lesson" you want them to be taught. In a secure environment, you may have your regular user, who can't even possibly access (even via sudo) admin power, and an entirely separate account you use to do the system configuration and application install tasks that need higher authority. That will NEVER happen on user-focused machines. Its a frankly absurd notion.
Yes, that means machines will always be susceptible to stupid people running crap that they don't mean to download or are tricked to downloading, and that means there is no /solution/ to the problem of malware. In truth, even with such a system, you wouldn't solve the stupid. You can't solve the stupid.
The default user that people operate on, and which programs they naturally, passively run under -- should not have admin access. Of course not. Even Microsoft gets that, though their implementation of the escalation process is less then ideal. But if you expect someone to sit down on their desktop machine and ever have more then a single account, you're -- out of touch. That account should not have direct system-level access, no: but no one but a tiny minority of power users will ever accept having to set up some entirely separate account that can escalate privileges.
Its not that people are stupid, or careless. Its that you're expectations are absurd. Security and ease-of-use are opposing concerns. Everyone with any sense knows this: in some situations the demands of security are such that we force the pain on usage, in others we try to find a balance which isn't as difficult.
There will never be a world where people will have two separate accounts on their home machine and that they need to decide to go from one account to another to make changes or operate said machine. People will simply use the tool given them, as they understand it is to be used.
Even on linux, more is rarely expected outside of highly secure environs. Sudo is the norm. Yeah, your account can't do much, but you can explicitly invoke its elevation with your own same password -- and that's fine. Home machines will never, ever, be bastions of secure practice.
Its just not worth the pain in the ass to regular people doing regular things. Is it as good as it can be, as secure as it can be? Not yet, but they are working on it. Windows has its UAV method of privilege escalation that is overly in your face so its too easy to hit 'yes' without thinking; linux has its explicit 'sudo' which is fine (and with GUI helpers in certain environments), and Mac has its own escalation prompt. Is this paradigm of the default user being a sudoer ideal? Maybe not. But its usable, and better then the situations where everything runs as root/administrator.
Usability frankly trumps security. You can not honestly expect users to give up much on their home systems, usability wise; or you're just out of touch with reality.