Apple Snubs Security Firm That Spotted Mac Botnet

Sparrowvsrevolution writes "Now that it's being increasingly targeted by botnet herders, Apple has a thing or two to learn about cooperating with friendly security researchers. Boris Sharov, the CEO of Dr. Web, the Russian security company that first reported more than half a million Macs were infected with Flashback malware last week, says when his company alerted Apple to the botnet, it never responded to him. Worse yet, on Monday Apple asked a Russian registrar to take down a domain it said was being used to host a command and control server for Flashback, but in fact was a 'sinkhole' that Dr. Web had set up to observe and analyze the botnet. Sharov describes the lack of communication and cooperation as a symptom of a company that has never before had to work closely with the security industry. 'For Microsoft, we have all the security response team's addresses,' he says. 'We don't know the antivirus group inside Apple.'"

Why do we support liers?

[VernorVinge]

Apple products are overpriced, insecure, not upgradable, developed by a CEO who believed integrity is optional, and makes it's outsized profits on breaking labor laws in developing countries. Why do the supposed 'creative' class continue to support this pile of dung?

Russian altruism? Suuuuure...

[KrazyDave]

Boris is trying to spin Apple's response (or lack thereof) as a sign of arrogance or unpreparedness, I don't think it it's either. I think it's Boris' attempt to publicize himself and Dr. Web and might even be behind the engineering of the threat now that Mac saturation is broad enough to make A.V. for Macs a profitable market. I don't trust the Russians or the Chinese in any regard.

Re:there is no Apple AV group

[Anonymous Coward]

When was the last time ANY computer got a "virus"? A self replicating piece of code that spread from that PC via contact with storage media, etc.?

"Viruses" are long dead. They are now worms, trojans, spyware, etc. etc. They do not spread the way a real virus spreads. Its an antiquated term than people just use to mean "malware" these days.

So apple can certainly claim they do not get "viruses". Neither do PC's.

Re:Blaming the messenger

[Anonymous Coward]

How do you manage to breathe with your tongue so far up the asshole of a cancer-riddled corpse?

Corroboration?

[CyberLife]

As with any other claimed discovery, I'd like to see independent corroboration. I'm not saying it doesn't exist, just that I personally haven't seen it. Everything I've read credits Dr.Web as the source. Has nobody else confirmed their findings?

Re:No overwhelmingly surprising

[IamTheRealMike]

Bingo. Getting root is useful but not required for viruses, and Windows has had very similar setups for a long time already. It's perfectly possible to make a program that hides itself, resists deletion, spams, steals passwords, logs keys etc all without having root and there are quite a few such viruses out there. MacOS isn't any better defended than Windows against malware, in fact it's significantly worse because so many users don't even have AV software installed (my Mac does, btw).

In my experience...

[blueg3]

Not surprisingly, the summary is not as accurate as the article.

Sharov may describe this as "a symptom of a company that has never before had to work closely with the security industry", but the article correctly points out that it's more a symptom of having "little experience working with the community of security researchers who aim to dissect and shut down botnets." The botnet security community is different from the general security community. As far as I know, Apple has a decent working relationship with the latter. It's no real surprise they have limited experience working with the anti-botnet community, since until now they haven't really had botnet problems.

The article also notes that Dr. Web is relatively unknown and that in the opinion of Kaspersky (which is at least more well-known), Apple is taking the usual appropriate steps.

As far as them not getting a contact back, that disagrees with my experience in reporting a security vulnerability to Apple. You send a message to their easily-found, catch-all "security" address. In relatively short order, a security engineer gets in touch with you, and you communicate with that person from that point on. It seemed to work just fine, unless, I suppose, you're egotistical enough to think that you should be able to pick up the phone and talk to someone at Apple immediately -- which is a common-enough problem in security.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:"We don't know the antivirus group inside Apple

[blueg3]

I e-mailed that address and got a response from a security engineer. Perhaps Dr. Web is holding it wrong.

Re:Mac's don't get malware

[Bobfrankly1]

Macs are PCs. Don't tell me they're mainframes.

Ever seen the ads that begin with: "I'm a Mac" "I'm a PC"

Apple seems to think that Macs are not PCs

Yes, but the Reality Distortion Field has been decreasing in strength as of late. Apple's own moderation of Java updates allowed this one to flourish, the Apple devout can't pass the buck onto another vendor this time. It's foolish to presume that a large installed base of users unconcerned with security would go ignored forever.

Re:Mac's don't get malware

[517714]

Unless you happen to be one of the million or more who clicked on a bogus/rigged link on a spoofed site and got this Flashback Trojan installed.

FTFY

The majority of Macs have one of the cheap/free pieces of software that prevented this trojan from installing - Little Snitch, Xcode, VirusBarrier X6, iAntiVirus, avast!, ClamXav, HTTPScoop, Packet Peeper. I said have rather than run as it is sufficient that the path to the application existed, and the application did not need to be running.

Re:Mac's don't get malware

[Anonymous Coward]

A mac is a PC. personal Computer. Jesus H Christ.

Re:"We don't know the antivirus group inside Apple

[gstrickler]

As someone who has found and reported a (now) patched security vulnerability [nist.gov] to that email address, I can say that I agree with Boris Sharov's complaint. You do get an automated response with a case #, that includes the text

We do not automatically provide status updates on issues as we work on them, but please feel free to request one if needed by replying to this message.

However, I received no replies to when I did request status updates (and supplied additional information about the affected systems with explicit instructions about what needed to be done to fix existing systems). Even when I contacted other sources (Secunia, who confirmed the problem, and US-CERT), I received nothing from Apple. Nor was the problem addressed in two releases of QuickTime in the year following my report.

How I finally got a reply from Apple was sending an email to sjobs@apple.com on Sept 4, 2010 with a copy of the now year old security report, and my statement that I was taking it to the full-disclosure list if I didn't hear back from Apple by Sept 15th. Fewer than 6 hours later (on a Saturday), I had a status update from Apple. Here's the meat of that reply:

Just wanted to let you know that a fix for this issue has been identified, and we are targeting an upcoming release of QuickTime to address it.

We provide status updates upon request.

Subsequent emails always got a reply, but before I sent my email to sjobs, it was like talking to a wall. Also, despite assurances that they understood the extent of the problem and my explicit instructions about needed remediation for affected systems, when they finally released the fix 3 months later, it only corrected the problem and did not provide remediation for the permissions on already affected systems, nor did it even mention that there were permissions to be fixed.

When it became clear that no remediation fix, nor an acknowledgement of the problem was coming from Apple, and ample time had passed for users to have installed the updated version of QT, I submitted my own fix to the Full Disclosure [seclists.org] mailing list.

In total, it was 15 months for Apple to release a fix, a fix that in all likelihood involved altering or removing two lines of code that were granting excessive privileges to specific directories. Even then, they did not correct the permissions on machines that were already affected.

So, in my opinion, Apple has a long way to go in developing and maintaining communications with those who report security vulnerabilities. And in acting upon those reports in a timely and responsible way.

Re:Mac's don't get malware

[VGPowerlord]

I guess you don't use Windows Calculator?

No, because I prefer that the (square root of 4) minus 2 to equal 0, not -8.1648465955514287168521180122928e-39

Re:Of course not.

[CAIMLAS]

Judging by the actual support and bugfixes most Apple software seems to get (ie, none - they're worse than Microsoft in this regard, by a long shot),

Apple's MO is as follows:

* ignore the claims
* deny the claims
* blame the users when popular appeal brings large media attention (it rarely gets this far)
* offer a weak consolation, still blaming the user.

Re:Mac's don't get malware

[marcosdumay]

So, it acts like a scientific calculator and doesn't do rounding. What do you expect it to do, your computer returns that same value if you code that in C.