Apple Snubs Security Firm That Spotted Mac Botnet

Sparrowvsrevolution writes "Now that it's being increasingly targeted by botnet herders, Apple has a thing or two to learn about cooperating with friendly security researchers. Boris Sharov, the CEO of Dr. Web, the Russian security company that first reported more than half a million Macs were infected with Flashback malware last week, says when his company alerted Apple to the botnet, it never responded to him. Worse yet, on Monday Apple asked a Russian registrar to take down a domain it said was being used to host a command and control server for Flashback, but in fact was a 'sinkhole' that Dr. Web had set up to observe and analyze the botnet. Sharov describes the lack of communication and cooperation as a symptom of a company that has never before had to work closely with the security industry. 'For Microsoft, we have all the security response team's addresses,' he says. 'We don't know the antivirus group inside Apple.'"

Re:there is no Apple AV group

[HarrySquatter]

Flashback isn't a virus...

'We don't know the antivirus group inside Apple.'

[Anonymous Coward]

Because there isn't one?

*rimshot*

Blaming the messenger

[cpu6502]

"I found a security hole in your OS....."

"It's your fault scumbag. Keep quiet!" - Apple. Other companies have tried the same tactic, trying to silence/punish security people from publishing known holes. Like Microsoft. Sony. Nintendo. The Bluray Cartel.

'We don't know the antivirus group inside Apple.'"

[Anonymous Coward]

Because there aren't any, I worked for them and customers that called in were routinely told there is nothing to worry about when it comes to malware.
On their corporate side you would be amazed at who states exactly the same thing when they should know better.

Just a taste:
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=OS+X&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve= [exploit-db.com]

"We don't know the antivirus group inside Apple"?

[MartinSchou]

Sharov describes the lack of communication and cooperation as a symptom of a company that has never before had to work closely with the security industry. 'For Microsoft, we have all the security response team's addresses,' he says. 'We don't know the antivirus group inside Apple.'"

Seriously? Is it really that difficult for a security company to search for "security" on apple's website and find this page?

https://ssl.apple.com/support/security/ [apple.com]

Re:there is no Apple AV group

[tacarat]

The current version downloads and installs itself. No human interaction required besides viewing an infected webpage. Don't confuse the "viruses are impossible to get on a Mac" crowd more by trying to make them learn the subcategories of malicious software. The fact it was originally a trojan that required the admin password to install versus the drive by installer requiring none is something more for the academics quibble about, not the end users.


Granted, this is /., so it's academics and fanboys anyhow >.>

Re:Mac's don't get malware

[jesseck]

Can you please provide any links to folks that have claimed that Macs dont' get malware?

Here you go:

Mac Commercial (produced by Apple) [youtube.com] and Apple's own webpage [apple.com]

And yes, "viruses" are not the only kind of malware out there- most people on /. know that. But no one else in my family does, and neither do the vast majority of people those two examples target for marketing. Apple's claim that Mac's don't get "viruses", in my mom's mind, equate to "Apple's don't have malware".

No overwhelmingly surprising

[gubers33]

Apple has had the benefit of so many years of being such a small market share that it did not make sense for people to create Trojans that targeted them. However, Microsoft has had to respond to threats over the years and had the time to develop processes to assess threats and work with security researchers. Apple has ended up behind the curve in this spectrum because of how long they had a small market share. If Apple is able to suck up their pride and work with the researchers they could end up being able to deal with such threats appropriately, but right now their pride is getting the best of them.

Re:Mac's don't get malware

[Anonymous Coward]

http://www.apple.com/why-mac/better-os/#viruses [apple.com]

Safeguard your data. By doing nothing. With virtually no effort on your part, OS X defends against viruses and other malicious applications, or malware. For example, it thwarts hackers through a technique called “sandboxing” — restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch. With FileVault 2, your data is safe and secure — even if it falls into the wrong hands. FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AESW 128 encryption. Initial encryption is fast and unobtrusive. It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease. Other automatic security features include Library Randomization, which prevents malicious commands from finding their targets, and Execute Disable, which protects the memory in your Mac from attacks. Download with peace of mind. Innocent-looking files downloaded over the Internet may contain dangerous malware in disguise. That’s why files you download using Safari, Mail, and iChat are screened to determine if they contain applications. If they do, OS X alerts you, then warns you the first time you open one.

Re:Blaming the messenger

[ray_nicov]

Dr. Web is one of the leading security companies (at least in Russia) and they've been around since 1992. They are by no means 'nagware' or 'junk scanner' - they tools are legitimate, powerful and useful

Re:"We don't know the antivirus group inside Apple

[neonv]

'We don't know the antivirus group inside Apple.' means they haven't been to able to talk to them and get to know them. I saw the website, and I feel safe saying I don't know the Apple AV group. I'm sure Sharov found the website. As they said in the article, they just get no response from Apple.

Re:there is no Apple AV group

[tacarat]

http://en.wikipedia.org/wiki/Malware#Trojan_horses [wikipedia.org]

Apparently I still go by the traditional definition. What do you think I'm missing?

Re:Mac's don't get malware

[Lumpy]

Sorry but that says ,"Macs dont get PC viruses" which is 100% correct. It's just like Microsoft saying "everyone loves windows" IT's true just out of context and misleading.

Re:Not a virus, numbnuts

[LanMan04]

I think we might as well get over having lost this battle. All of the major media outlets (and thus the vast majority of Mindless Media consumers) are calling it a 'virus'.

You don't get a trojan from just surfing the web. Installing kracked software from TBP and then authenticating with your admin password is a loooooong way from random innocent people getting clobbered by drive-by malware.

Re:Mac's don't get malware

[bhcompy]

Macs are PCs. Don't tell me they're mainframes.

Re:Mac's don't get malware

[synapse7]

Apple clearly states at http://www.apple.com/why-mac/ [apple.com] that Macs do not get "PC" viruses, they didn't say anything about Mac viruses.

Re:there is no Apple AV group

[Yaztromo]

It sounds to me like it's exploiting a Java vulnerability using an applet that does not disguise itself as something useful, it is specifically to install the payload. That sounds like a traditional virus.

A virus is self-propagating. AFAIK, while this does propagate over networks, it isn't self-propagating (i.e.: infected nodes don't go around infecting other nodes). Hence, not a virus.

That's not to diminish its threat; simply that correct taxonomy aids in discourse towards finding a solution, and preventing similar malware in the future.

Yaz

Re:Mac's don't get malware

[pulski]

You're right how dare they, "get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit."?

"According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com."

Source: http://news.drweb.com/?i=2341&c=5&lng=en&p=0 [drweb.com]

Gotta be careful downloading all of that "kracked shit" from manufacturer's own websites.

Re:Mac's don't get malware

[forkfail]

Also:

As PCMag's Security Watch noted yesterday, Mac users did not have to download or even interact with the malware to become infected. Websites exploited a Java flaw that let Flashback.K download itself onto Macs without warning. It then asked users to supply an administrative password, but even without that password, the malware was already installed.

From here:

http://www.pcmag.com/article2/0,2817,2402641,00.asp [pcmag.com]

So - yes, it required a trojan-esque password entry to fully activate, but it installed and was active even without it. Which means that it was probably ready and waiting for the next legitimate use of a password entry.

Your walled garden has been breached, and instead of putting your head in the sand, perhaps you'd better wake up to the fact that yes, security really is, at the end of the day, the user/owner's responsibility.

Re:And the users are blaming Java, not Apple

[Anonymous Coward]

Have already seen numerous comments from fanboi's that it's "Java's fault" and "Apple is stuck fixing someone else's problem". So Apple is going to get a pass on this one at least from their users.

Actually, when it comes to java, it IS Apple's fault.

Apple made a deal with Sun/Oracle that Sun/Oracle would no longer release java for the mac. Sun/Oracle passes along the code to Apple, then Apple distributes it after modification.

As a result, when serious flaws are discovered/announced in java, it takes many months for patched versions of java to be available for the mac. Until then, macs have a well-documented security flaw that is easy to exploit with a simple web page.

Re:there is no Apple AV group

[Anonymous Coward]

A virus is self-propagating. AFAIK, while this does propagate over networks, it isn't self-propagating (i.e.: infected nodes don't go around infecting other nodes). Hence, not a virus.

No, a "virus" propagates when you boot your computer from a floppy disk that you got from your friend. A "worm" is the one that goes out on its own over the network.

Re:there is no Apple AV group

[tlhIngan]

When was the last time ANY computer got a "virus"? A self replicating piece of code that spread from that PC via contact with storage media, etc.?

"Viruses" are long dead. They are now worms, trojans, spyware, etc. etc. They do not spread the way a real virus spreads. Its an antiquated term than people just use to mean "malware" these days.

So apple can certainly claim they do not get "viruses". Neither do PC's.

I can think of several in recent memory. Hell, Stuxnet (remember that?) used at least 3 different methods to ensure it gets installed by USB drive. And viruses do exist, because otherwise airgapped networks would be perfectly safe from them.

The big one was an exploit using Windows Explorer's auto-thumbnail processing. And Stuxnet was also a worm because it tried to find vulnerable hosts once introduced inadvertently to the secure network.

And given the poor security of SCADA systems out there and everyone saying they should be airgapped, well, Stuxnet proves you don't need an internet connection to still be vulnerable.

Oh, hell, didn't the USAF get infected with a virus? Apparently they brought USB drives containing map updates to the Predator control computers and those got infected. Sure they couldn't do much (yet...), but it goes to show.

Nevermind those infected iPods, LCD photoframes, hard drives and other stuff that came out of the factory with viruses on them that infected the user's PC. Older, but probably still relevant.

Re:Mac's don't get malware

[fuzzyfuzzyfungus]

Pre OSX MacOS, while it may have gotten raves for friendliness, and was somewhat less bug riddled, was architecturally more or less a toy OS compared to almost anything contemporary. The ecosystem wasn't as large, and the distribution vectors markedly less efficient; but the Mac malware was out there.

Re:Mac's don't get malware

[Bill, Shooter of Bul]

Apple does believe macs are PCs.

http://technologizer.com/2010/12/16/apples-mac-store-is-a-go-and-the-mac-is-a-pc/ [technologizer.com]

Re:Mac's don't get malware

[mcgrew]

A four legged animal isn't necessarily a horse. Windows is the only platform that can get a virus, but any platform can get a trojan. Both are malware, just different kinds of malware.

Re:there is no Apple AV group

[Anonymous Coward]

Woo pedantic! Here are the given definitions, as I understand them:

Virus = self-propagating, but does not run on its own. Requires some legitimate program which it exploits and modifies saved data to maintain itself. For example: a virus would enter a system as an infected word document, which would add macros into your copy of word infecting all of the word documents you edit after becoming infected. In general, the virus itself is not very useful, but frequently they're used as a piggy-back which downloads a...

Trojan-horse = program which gives a malicious user control over a system remotely. This is frequently done via IRC, but newer programs have become far more sophisticated using P2P protocols of their own design or hiding it as fake HTTP requests making traffic analysis more difficult. The trojan horse itself is NOT self-propagating, but it will put a ton of hooks around the system to re-download/re-deploy itself if it gets shut off. In general its only goal is to just keep running and allowing the malicious user to abuse the machine. Now frequently the malicious user will use the trojan horse to send out fake emails or other things which leads to propagation, but the program itself doesn't necessarily do it.

Worm = program which attempts to spread itself. It gets on a host machine and does something (normally immediately, sometimes with an incubation period, frequently involving email, sometimes 0-day exploits to networked computers) to try and get to more machines. After it has attempted to spread itself around, it will frequently follow-up by downloading a trojan horse, or sometimes it will contain the trojan horse functionality itself.

Straight up worms have kind of fallen out of style these days though. They're a bit too obvious and their repeated, predictable behaviour leads to them being spotted and blocked after not very much time out in the wild. And without some sort of trojan horse functionality there's not much point. Trojan horse functionality allows a central command to update the code and makes the worm a more useful product, eventually getting it on more computers and keeping security researchers guessing longer.

Anyway, hope this actually gets modded up by someone and people use these and or tell me I'm an idiot.

Re:Mac's don't get malware

[Angostura]

Cast your mind back to the early 1980s, the era of the Commodore PET, the ZX81, the TRS 80. They were all personal computers, known as PCs. Then in 1981 IBM launched the IBM PC and swiftly manufacturers sprung up selling IBM PC compatibles. Within a year the letters PC had developed dual connotations - personal computer and PC compatible - compatible with the IBM PC. This duality of meaning has survived to today, so while you can (correctly) fulminate that the Mac is a PC, others will (correctly) fulminate that it isn't. You'll have to get used to that, I'm afraid.

Re:Mac's don't get malware

[Fjandr]

Just for kicks:

"The App Store revolutionized mobile apps. We hope to do the same for PC apps with the Mac App Store by making finding and buying PC apps easy and fun. We can’t wait to get started on January 6."
--Steve Jobs