Feeds

back to article Mac trojan evades Apple's brand new security fix

Just hours after Apple issued a security update to protect Mac users against a rash of scareware attacks, a new variant began circulating that completely bypasses the malware-blocking measure. The trojan arrives in a file called mdinstall.pkg and installs MacGuard, a malicious application that masquerades as security software …

COMMENTS

This topic is closed for new posts.

Page:

Meh

Blah!

Ah well, we knew this would start happening eventually!

10
2
Holmes

Ah - had to happen?

Where the market goes the data thieves follow swiftly after?

6
0
Silver badge
Boffin

Was bound to happen sooner or later

Canonical better prepare, I dare say its users will be the next target of this scam.

I'll love to see them try and tackle Linux From Scratch though. This kind of malware largely relies on being able to pull the wool over a user's eyes as to what's really happening. Those who are in to the DIY OS might be a bit harder to hoodwink.

1
1
Bronze badge

The next version....

"Now that Macs by default will update a list of known malicious applications every 24 hours...."

So the next version of the virus will disable the auto-update feature as soon as possible. Seems obvious, surely?

13
4

Easier said than done

Despite the noise this is a very basic trojan, it doesn't do anything really clever, just relies upon the Safari default "Open safe files after downloading" (this was always asking for trouble), to install an app into the apps folder and add it to the users login items, It throws dodgy porn urls at safari and asks for credit card details but basically it runs in userspace.

Shocking how well they've done for what it is though.

6
2
a53
WTF?

Sorry.

It's NOT a virus!

5
15
Anonymous Coward

Needs admin password for that

Not sure how easy it would be be, but in any case it would need to ask for the admin password for that.

1
4
FAIL

Haven't seen it called a VIRUS

So what is your point?

MacFan? or just dense?

12
3
Headmaster

It's NOT a virus!

You appear to be suffering from the delusion that the meanings of words are decided by some ultimate authority which you can influence by loud assertions.

I know precisely what you mean (I think). This piece of malware doesn't (from the article) appear to replicate itself in any way, which was the analogy that gave rise to the term "computer virus". It therefore isn't a virus as we techies understand it, it's a trojan (a program that attempts to trick the user into believing that it's something else). However, the term "computer virus" long ago entered the public conciousness, and has (in my experience) come to have the meaning "malware" in the ears of the great unwashed.

If you're fond of analogies, you might try asking people whether a fish, or a bird, is an animal.

12
5
a53

It's NOT a virus!

(nyelvmark) "You appear to be suffering from the delusion that the meanings of words are decided by some ultimate authority which you can influence by loud assertions."

No, just fed up with people calling things by the wrong names. Words are important, allowing them to be used wrongly causes misunderstandings. If we called birds fish, we'd get no-where. We have to stick to one name or the other. I get your bird/fish analogy, but if I didn't know the answer I'd look it up rather than make blind assumptions or wild guesses.

It isn't by the way just this article, it's almost every article on the subject. If techies allow those with less knowledge to remain in that state they do them a disservice.

2
10
Silver badge
Facepalm

@Haven't seen it called a VIRUS

You haven't read the comment being replied to then.

2
1
Silver badge

VIRUS -or not?

If I can get my 2 cents in there, I'd like to point that most malware targetting Windows -or MacOS-machines these days are not self-replicating viruses. Most if not all do indeed require user interaction, regardless of the platform, and the ones that don't usually rely on 3rd-party software vulnerabilities, for which there are holes in ALL platforms, especially MacOS, as demonstrated by the last few Pwn2own contests. The "it's no virus" defense favored by some Mac fanbois is completely irrelevant: your credit info was stolen, but it's not a virus, so it's fine. Your life is ruined, but at least it wasn't a virus.

Of course there is also the bizarre reality distortion field that says: "every non-Mac box connected to the internet is pwnd within minutes, no user interaction needed"

Bullshit. User interaction is needed for Windows malware at least as much as for MacOS malware. PEBCAC, and the more you rely on a "jus works, no training required" doctrine the more vulnerable to cons you are.

5
2

Re: Haven't seen it called a VIRUS

"So what is your point?

MacFan? or just dense?"

Is there a difference? Well, perhaps the nucleus accumbens fires up a lot more in the fans.

1
0
FAIL

Correct

It is a trojan.....

0
0
Thumb Down

a53 is correct.

It is not a virus. It is malware. There is a distinction, you know.

0
1
Thumb Down

It has nothing to do with "it's no virus" defense

It is malware. Even the Windows version of this crap is not called a virus.

Stop blaming 'fanboi' attitude, I very much doubt that a53 is a I'll-follow-Apple-into-the-abyss fanboi. He/she is simply fed up with something that's not a virus being called just that, a virus.

Use a generic term (like endpoint security vendors have for the last few years) that generally describes what viruses, worms, trojans, bots, etc are - malware.

0
0
Terminator

It's not a brain tuma

Either.

Just thought I'd throw some silly shit in.

2
0
Anonymous Coward

Oh go fly

a fish!

0
0
Silver badge

@SP

"It is malware. Even the Windows version of this crap is not called a virus."

Right.

"He/she is simply fed up with something that's not a virus being called just that, a virus."

Right again.

So you are ready to admit that there is no widespread Windows virus then, contrarily to Apple's claims? Or is the "fed up" thing one-way-only?

Disclaimer: I am no windows luser. Nor am I MacOS luser. I am the one in charge of the cattleprod. KZZZZZERRT!

0
0
Rob
Bronze badge
Holmes

It's also not a...

... Bulgarian traffic warden in a panda suit.

Thought I'd better make that point as well so everyone knows.

1
0
Anonymous Coward

Pass me that 'phone

I'm going to order in pizza, the popcorn and 24oz coke isn't going to last long enough to see this one out.

13
0
Meh

How long before

Macs go full walled-garden mode, where you can only install stuff in that new Mac app store thing.

7
3
Boffin

Chrome OS

.... otherwise known as Google's Chrome OS then?

1
0

soon, with lion

i guess, app store fully integrated and from the rumors will be preferred way of installing apps - i wouldn't mind that move at all

0
0
Silver badge
Gimp

That one needs to be installed, right?

I suppose the users need to click on "OK" after the message "this application has been downloaded from the internet, do you want to proceed?"

Mac users will have to learn to read, then...

13
2
Gold badge

Re: Mac users will have to learn to read, then

Yup! 'Fraid so.

Windows has been trying to teach its users to read error messages for several decades now. It doesn't work.

12
0
Facepalm

Define an error message

Do you mean error messages like:-

An error has occurred, if this error persists, please contact your network administrator.

.... on a stand alone PC??????!!!!!

0
0
Coat

Or even worse...

When you get those 'contact your network Administrator' messages, you look up the error message in the NT/W2K/2K3/Whatever Resource Kit, and it just says 'Contact your network administrator'...

Exactly who do they think shell out for those kits, really?

Mine's the one with a few scratched up Technet CDs and a Knoppic LiveCD in the pocket...

0
0
Facepalm

@ratfox

Well going by the fact that they have asked for it to be downloaded, they would be even more thick to go, "no actually don't run it, I'll just fill up my harddrive with programme set up files I never actually install."

0
0
Silver badge
Unhappy

A lost battle

Trying to detect bad applications seems to me to be a wasted cause - just how effective is AV really? Most Windows boxes I have seen were taken by stuff that either (A) evaded the AV, or (B) convinced the meaty one that they really wanted/needed to install it.

Given the near infinite options for black hats to adjust their product to evade detection (a trojan need not keep a specific exploit trick that a virus needs, after all), and the time lag in AV catching up, it appears a lost cause. But lucrative to the AV snake^b salesmen of course...

So Mac is now targeted and failing, it seems partly due to "ease of use" installs that Windows foisted on the world so that uneducated masses could use computers more easily.

Linux would/will as well, given the behaviour observed on the machines I have set up for family/friends (dubious .exe files on the users desktop, WTF?)

The only viable defence against Trojans is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to run/install arbitrary software.

Ideally (C) do both.

8
1

If battle goes badly, change the rules

Actually the best way to defend your system against this kind of crap is to prevent it from getting into the system in the first place.

And thats where web blockers and exploit guard components come to play, if user cannot get to the hostile page, or the hostile advertisement cannot load user is safe.

Traditional AV is the last line of defense when more modern techniques fail

3
0
Thumb Down

@Paul Crawford

While we know that new malware has the potential to get past AV software, there is no point in punting it completely; it can block most malware that already exists. It will not stop a dedicated attempt to break into your computer, but it can protect against moments when you let your guard down, accidentally click a link, etc.

3
0
Thumb Up

I like this reasoning...

...and would like to apply it to the world of motor transport:

The only viable defence against fatal road accidents is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to drive cars.

Ideally (C) do both.

Since none of A, B or C are practical, however, I take the bus.

3
0
Silver badge

@I like this reasoning...

"The only viable defence against fatal road accidents is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to drive cars."

Yes, like a driving test perhaps?

And jail time and/or losing one's license for doing really stupid things on the road?

We are used to the concept of education and control where there are obvious physical consequences from our actions, which is why we limit the freedom to do certain things until one has demonstrated some degree of relevant skill and responsibility.

Computers on the other hand don't seem to be covered as there are no 'real' consequences from users' ignorance (or sometimes utter stupidity). Other than fraud of course. And blackmail. Oh yes, and extortion via DDoS attacks...

0
0
Silver badge
WTF?

test?

Nope, it's existing users - not new ones.

People get a license and belive that's all the need, they are now expert drivers and can drink as much as they like, ignore warning signs and generally not give a toss.

Legislation is generally to be ignored, insurance, tax, MOT are something for other mugs to pay out for. There is no need to learn how to go round corners, just find out how hard the right-hand pedal can be pressed.

You can't take a license away from someone who's never had one. Ban from driving? only if they are locked up. Points on what license?

Stupid is as stupid does and doesn't need a bit of paper or three to do it.

0
0
Joke

Actually

I prefer it that way, I'd rather there was no tossing going on when people drive!!

0
0

@ Paul

"So Mac is now targeted and failing, it seems partly due to "ease of use" installs that Windows foisted on the world so that uneducated masses could use computers more easily."

Ummmm.. so you're saying that a Mac is harder to use? That they have been known for years and years to be really hard to use... Ahhhhh no... Apple has always had the claim to fame that it was easy to use.

Ease of use has nothing to do with this! Social Engineering and gullibility are what this piece of malware tripe spreads by.

0
0

Isn't this a user problem though?

I've not used a Mac for more than a couple of minutes, but surely if the user had seperate admin and login accounts this wouldn't work?

I know my Linux box is infullible*, but the fact MUST enter an admin password to install anything is a pretty damn good protection as long as my wetware is in order -- the same ought to be true for Apple machines.

*pretty close to infallible

3
0

No admin password is needed for Linux

Unless you are using some distro which has ultra paranoid security, you don't need admin access to install stuff that can access users stuff.

Just install attack component as Gnome or KDE applet and you get both autostart and access to all user data. No root password needed.

2
5
Headmaster

Pedantry Power!

No, you don't need an "admin password" in Linux, (or Mac or Windows for that matter) to run malware. But without one, or some sort of privilege escalation exploit, then the "virus" runs in user space. That means you're only a process kill and delete command away from cleanup.

2
0
Silver badge

@Anon999

To compromise the user's own account in virtually all cases needs no password, but to take over the machine is a problem needing sudo rights.

Given most home PCs are used in "single account" mentality, that is not a whole lot of protection :(

Back to meaty eduction for all I'm afraid.

1
0

@Paul Crawford

Why would attacker need to take over the machine?

Everything that is interesting for attacker is under users own account.

Tell me one, just one thing that would be of interest for attacker and could not be gained with user privileges.

1
1
Unhappy

Userspace

But running in userspace isn't much of a deterrent. A userspace trojan can still empty a user's home directory, encrypt the user's files ransomware-style, steal banking details, etc...

1
0
Silver badge

@Anon999

"Tell me one, just one thing that would be of interest for attacker and could not be gained with user privileges."

The ability to key-log other user's accounts.

You know, like a child doing something silly like trying to install a game, and then the parents bank account being accessed?

On a multi-user machine that is a big deal, but as I already said, most home PCs do not enforce any real concept of user roles.

On a typical Linux box (e.g. Ubuntu that I use) by default I can read other's documents, but not modify them (so no encrypted file blackmail), nor can I install any system-wide changes (change programs, alter web browser settings, redirect DNS, etc).

0
0
FAIL

Who bothers with multi user accounts?

Most home PCs don't enforce multi user roles because it is way too much hassle.

I use Ubuntu at home and we have single account for entire family because switching from one account to another is too much to bother. And I would guess that mine is the typical use case.

Also malware authors don't care if they get _all_ accounts they are content to steal just from the user they manage to catch.

Also good part of boxes have only one user, so no need to multi user accounts there either.

0
4
Anonymous Coward

some distro which has ultra paranoid security

So why not install such a distro ?

Using OpenSUSE Firefox won't even download an executable let alone run it.

And as for "Everything that is interesting for attacker is under users own account." USE more than one account. Do your banking in a separate account from your more general browsing - it's not difficult indeed under Linux it's very easy to switch sessions.

1
0
Silver badge
Paris Hilton

@Who bothers with multi user accounts?

Answer: Those who care about their security and privacy.

It is not hard to have multiple accounts and switch users, after all only one person can physically use the keyboard/monitor at a time.

I have found most families rapidly get used to the idea and actually LIKE IT! Each can customise their own desktop, bookmarks, etc, and the parents are happier that the little ones have Google's safe search enabled, have their pr0n browsing kept out of the browser history, etc.

As already pointed out, even a single user PC can benefit from having more than one account. Yes it is hassle to switch often so you would not do this for minor things, but for most people the banking type activity is an occasional one, so switching account for that is no big deal.

So good idea for every OS type is to have something like:

1) An admin account, just for installing stuff (how often do you REALLY need to do that?)

2) Your normal user account.

3) Your banking account.

4) A guest account (for those cases when someone wants to use your PC but you would rather they did not mess with important stuff).

Paris, as you might want to add a pr0n account as well...

1
0
Linux

Wow

Wow, you just described Qubes.

I really want http://qubes-os.org/ to gain some traction, because it's designed to offer very tight security between apps, even within the same login. Win win winy win win.

0
0
Silver badge
Linux

How do you get the horse into town?

> switching from one account to another is too much to bother.

There is your Trojan attack vector right there... the "can't be bothered" sort of user.

Yeah. Hitting that logout button and entering your own password is such a bother.

With that kind of attitude it's little wonder that so many problems happen in computing and even in other areas. Just apply that mindset to driving. I am sure all of you can think of suitable examples.

0
0
Silver badge

Don't even have to log out.

Certainly on my OpenSUSE machines it's just switch user and then Ctrl-Alt-F7 or 8 ... to get back to the previous session

0
0

Page:

This topic is closed for new posts.