New Mac scareware variant installs without password

Scammers have developed a strain of Mac scareware that avoids the need to trick a mark into entering an administrative password. Earlier rogue anti-virus strains, such as MacDefender, need permission to run, a hurdle MacGuard neatly sidesteps. MacGuard works on the premise that home users have administrator rights, meaning …

COMMENTS

This topic is closed for new posts.


    1. Maxson
      IT Angle

      Unless...

      The files are included in torrents, or e-mailed to a user? You seem to be expecting Google to administer the whole internet, which is not their job; they offer some tools to warn you about potentially malicious sites, but end users will frequently click through the warning, or, for the obvious reason, Google won't have a warning in place for that particular site.

      (Hint: The obvious reason is that it's impossible to make a system 100% impervious without dedicating a disproportionate amount of staff to it, and having that staff never make mistakes. Google's system, I believe, is automated, and needs to be updated to deal with emergent threats; they can't make it too automatically strict, as it will make lots of false positives.)

      1. Anonymous Coward
        Anonymous Coward

        @Maxson

        You're missing the main thing here: this particular trojan has to convince users to install it by posing as an antivirus. It can only work (and barely) on the web.

        E-mail has no way of knowing the OS; the people behind the malware would have to pick either the Windows or Mac UI in advance. Plus people are much more into e-mail scams, I doubt anyone would believe an e-mail saying they have viruses, it's ridiculous.

        1. Anonymous Coward
          FAIL

          @A/C @Maxon

          Right, you do understand what spam is?

          I will enlighten you, so you don't get caught.

          <Snip>

          Congrats, you may have won 1,000,000 English dollars. Click link to claim

          http://nationallottery.com (link actually directs to dodgy site in nowherestan)

          <snip>

          Click link

          Land on page, detect OS (VERY easy to do), redirect to correct page.

          Install....

          1. Anonymous Coward
            Anonymous Coward

            @AC 12:14

            So you click on that dodgy site link, it opens the web browser, which should then check the link against Google's Safe Browsing list, right?

            I don't see how that changes my original comment.

            There is an anti-malware layer in most browsers these days even before you get into the operating system, be it OS X, Windows, or Linux. That layer IS NOT WORKING, although it is advertised as doing so.

            That layer is also operated by Google. Why is no one seeing this?

            Forget your Windows or Mac preferences and look at what's going on.

            1. Wensleydale Cheese

              @Anonymous Coward 12:43

              "So you click on that dodgy site link, it opens the web browser, which should then check the link against Google's Safe Browsing list, right?"

              The "dodgy site" in both cases that my browser got redirected to this malware was Google Images.

              Google images is notable for its non-functionality if you have Javascript enabled, so even that safeguard is denied. I think you have a point.

              images.google.com 127.0.0.1 added to my hosts file

              And yes, I do all my work on OS X in a non-admin account, Just like I have always done on any other OS.

            2. Anonymous Coward
              Anonymous Coward

              Re

              So when the malware makers design a new site they have an EDI feed and send that data over to Google?

              Do you even know what a zero day exploit is?

              Can humanity really be this stupid?

              1. Anonymous Coward
                Anonymous Coward

                @Bullseyed

                You know what a zero day exploit is, really? How 1337, lulz. Loved the EDI bit, says a lot.

                This original trojan has been around for over 21 days with only 3 variants, the MD5 checksums and even the javascript download code are all well known.

                Google Images was one of the main sources of the malware:

                http://thenextweb.com/apple/2011/05/02/bogus-macdefender-malware-campaign-targets-mac-users-using-google-images/

                Can Google really be this stupid and not remove these from search results or flag them on the Safe Browsing list for so long?

        2. Anonymous Coward
          Anonymous Coward

          "I doubt anyone would believe an e-mail saying they have viruses, it's ridiculous."

          It might be ridiculous but that wouldn't stop people from believing it.

          1. Anonymous Coward
            Anonymous Coward

            @AC 12:46

            Fair enough, they would believe it, but they would still need to go to a webpage to install it.

            There's no way the e-mail would include Windows and Mac executables of the "anti-virus" and still get through the e-mail AV scanners (fortunately those tend to work better than Google's Safe Browsing crap)

            End of the day, no matter the entry point, users still need to go to a webpage for an attack like this, and the primary provider of webpage malware scanning (Google) is not only not doing their job properly but also providing the original malware links as highly ranked search results in the first place.

            They also are beginning to sell ChromeOS, where the inability to install malware like this (or any actual software, for that matter) is one of the main selling points. There is a clear conflict of interest here.

            1. Anonymous Coward
              FAIL

              Re

              "There's no way the e-mail would include Windows and Mac executables of the "anti-virus" and still get through the e-mail AV scanners"

              Fortunately Apple advertises worldwide that Macs "don't get viruses", so AV software is unnecessary. Without AV software the kit appears to run faster, so they can lie about being a better OS than Windows, while having no security!

    2. Anonymous Coward
      FAIL

      Soooo....

      ...if I use Bing or Yahoo I'm safe.

      Phew. Thankyou for letting me know.

    3. Anonymous Coward
      Facepalm

      Stop thinking right now

      It is not working for you and may cause further damage.

  1. Anonymous Coward
    Anonymous Coward

    Nice.

    *sits back, reaches for popcorn and 24oz Coke*

    1. Anonymous Coward
      Joke

      24oz coke

      Crikey...you planning to drink that, or go swimming in it?

      1. Anonymous Coward
        Happy

        24oz coke

        What he meant to write was - "24oz of coke"

      2. Aaron Em
        Pint

        Only a pint and a half

        I thought you lot *liked* things that came in pints...

        1. Havin_it
          Coat

          RE: Only a pint and a half

          >I thought you lot *liked* things that came in pints...

          Well, sure, doesn't everyone like elephants?

          1. Anonymous Coward
            Angel

            PMSL

            I just LOL'ed in the middle of the office you b@stard!!! PMSL....

  2. Magnus_Pym

    Eh!

    As an attack vector does 'Downloading to a different folder' seem a bit easy not to have been used before?

    1. Tony Barnes
      Thumb Up

      Does seem a bit obvious..

      ..doesn't it? Who needs complicated exploits when you can just alter the save path!

    2. Maxson

      Much of the reason for that...

      Is likely because Macs are only now becoming popular enough to be an obvious target... likely the issue isn't patched because Mac users always thought they were too big to fall, too.

    3. ThomH

      As above, my guess is...

      ... downloading to another folder is achieved by supplying an archive with an absolute path, and one of the built-in extractors failing to validate that properly. bsdtar is safe, so I'll guess it's a zip problem. The default set up also doesn't allow users to write to absolutely anywhere on the system, but it does allow them to write to /Applications, so whatever they're doing probably doesn't allow a write to anywhere.

      Yes, though, it's a big gaping hole.
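ThomH's guess above is about an archive whose member names carry an absolute path or `..` components, which an extractor that does not validate names would write outside the folder the user chose. The following is an added example, not code from the thread and not a claim about how MacGuard actually arrived; it shows the check an extractor or a download gateway should make, using a constructed in-memory zip whose member names (`FakeAV.app`, the `LaunchAgents` plist) are invented for this illustration:

```python
import io
import posixpath
import zipfile


def is_unsafe_member(name: str) -> bool:
    """True if an archive member name would land outside the extraction root.

    Covers absolute POSIX paths, Windows drive letters and backslashes, and
    relative paths that climb out via '..' once normalised ('a/../../b').
    """
    path = name.replace("\\", "/")
    if path.startswith("/"):
        return True
    if len(path) >= 2 and path[0].isalpha() and path[1] == ":":
        return True  # e.g. C:/Windows/...
    normalised = posixpath.normpath(path)
    return normalised == ".." or normalised.startswith("../")


def unsafe_members(zip_bytes: bytes) -> list[str]:
    """Return the member names in a zip that a safe extractor must refuse.

    Only the central directory is read; nothing is written to disk.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_member(n)]


def build_sample_archive() -> bytes:
    """Constructed sample: one well-formed entry and two hostile ones.

    The paths are invented for this example and are not taken from any
    real sample. writestr() stores the names exactly as given, so the
    hostile entries survive into the archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FakeAV.app/Contents/Info.plist", "<plist/>")
        zf.writestr("/Applications/FakeAV.app/Contents/MacOS/fakeav",
                    b"\xcf\xfa\xed\xfe")  # Mach-O magic, nothing more
        zf.writestr("../../Library/LaunchAgents/com.example.fakeav.plist",
                    "<plist/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("refuse:", name)
```

Modern Python's own `ZipFile.extractall()` strips leading slashes and `..` components before writing, and bsdtar and GNU tar drop a leading `/` from member names by default, which is why ThomH points at a different extractor as the likely culprit; the check above is what any of them has to do internally, and it is the one to run at a gateway before an archive reaches a user at all.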

  3. MCG
    Jobs Halo

    Question!

    Am I right in thinking that it's mainly users of the execrable Safari who are affected, since Safari has the option to open 'safe' files after downloading checked by default?

    1. Semihere
      FAIL

      Re: Question

      Safari doesn't open safe files by default anymore. It stopped doing that about 3 years ago.

  4. Anonymous Coward
    WTF?

    Apple screws up *nix...

    What the heck has Apple done to the *nix security model in OS X? They must have done something bone-headed, because there is no-way no-how that software can install on a *nix box without being a sudoer AND having to enter your password; it's the only way to make sure it's a person doing the install and not some piece of bovine-excrement software. If they of the pomaceous fruit changed the security model to allow this kind of thing then I would stay away from the whole Mac family. Use FreeBSD or Linux.. avoid Windows and Mac.

    1. Anonymous Coward
      WTF?

      What?

      I can install any software that doesn't need to change things like /etc or /var on Linux or any Unix under my own user, without sudo.

      Even run crontabs to start them again after system reboot.

    2. Rob Carriere

      That turns out not to be the case

      You can easily install software on any brand of *nix box without ever entering a password. You cannot install the software to one of the system directories, but stuff in your private ~/bin will execute just as well as the stuff in /usr/bin. The system directories are only interesting if you want to infect everybody on the machine (likely irrelevant on a PC-class box) or if you need SUID/SGID privileges. Unless you're trying to install a root kit or do vandalism along the famous "cd /; rm -rf *" lines, you don't.

      It is possible to remove this option, but that's hardly the standard "*nix security model".

    3. jeffo

      Re: Apple screws up *nix...

      I think you're confusing Admin OS X user with the Unix root user here. You have to enable root access in OS X, if you want it. This is never turned on by default.

    4. Ilgaz

      No, it is UNIX model

      Under UNIX, a user is free to do whatever they like in their home directory, except installing "servers", especially stuff serving on ports 1-1024.

      I use my system as a completely non-privileged user thanks to that model, as I install my usual software to ~/Applications in my home directory...

    5. Anonymous Coward
      Anonymous Coward

      Yes they did, indeed

      Apple did do a hamstring job on the underlying BSD security model. They bypassed it.

      No doubt, I'm sure they thought they knew best.

      Its a sad mistake oft repeated.

      1. Peter Gathercole Silver badge

        @Craiggy

        It's still the UNIX security model, it's just that the default user almost certainly has a particular group in their groupset, and the directory in question has group read-write-execute on it.

        It's been possible to do such things as this since the year dot, or at least UNIX V7 circa 1978.
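Peter Gathercole's point is the whole mechanism: the default user is in the group that owns /Applications, and that directory is group-writable, so no password is needed to drop an app there. As an added example (not the commenter's code), the following models the classic UNIX permission decision offline against constructed inodes, so it runs anywhere. The numeric ids are assumptions chosen to match typical OS X values of the period (root 0, staff 20, admin 80, first user 501); on a live Mac `ls -ld /Applications` and `id -G` would supply the real ones, and `os.access(path, os.W_OK | os.X_OK)` would give the kernel's answer.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Only the fields the permission check needs (constructed, not read from disk)."""
    path: str
    mode: int   # full st_mode, as os.stat() would report it
    uid: int
    gid: int


def can_create_in(dir_inode: Inode, uid: int, groups: frozenset[int]) -> tuple[bool, str]:
    """Decide whether a user may create an entry in a directory, and say why.

    Classic UNIX rule: exactly one class of mode bits applies, chosen in the
    order owner, then group, then other; a user is never "promoted" to a
    later class if the earlier one denies. Creating an entry needs both write
    and search (execute) on the directory. uid 0 bypasses the bits. ACLs,
    sandboxing and the sticky bit are not modelled.
    """
    perm = stat.S_IMODE(dir_inode.mode)
    if uid == 0:
        return True, "uid 0 bypasses mode bits"
    if uid == dir_inode.uid:
        bits, why = stat.S_IWUSR | stat.S_IXUSR, "owner bits"
    elif dir_inode.gid in groups:
        bits, why = stat.S_IWGRP | stat.S_IXGRP, f"group bits (gid {dir_inode.gid} is in the user's groupset)"
    else:
        bits, why = stat.S_IWOTH | stat.S_IXOTH, "other bits"
    return (perm & bits) == bits, why


def writable_dirs(dirs, uid, groups):
    """Paths the user could write into, each with the rule that allowed it."""
    out = []
    for d in dirs:
        ok, why = can_create_in(d, uid, groups)
        if ok:
            out.append((d.path, why))
    return out


ROOT, STAFF, ADMIN = 0, 20, 80   # assumed gids: wheel/root, staff, admin
ALICE = 501                      # assumed uid of the first user Setup Assistant creates

# constructed directory entries modelled on a default install of the time
SAMPLE_DIRS = [
    Inode("/usr/bin",                  stat.S_IFDIR | 0o755, ROOT,  ROOT),
    Inode("/Applications",             stat.S_IFDIR | 0o775, ROOT,  ADMIN),
    Inode("/Users/alice/Applications", stat.S_IFDIR | 0o755, ALICE, STAFF),
]


def compare_admin_vs_standard() -> dict:
    """Same uid, two groupsets: with and without the admin group."""
    admin_user = frozenset({STAFF, ADMIN})
    standard_user = frozenset({STAFF})
    return {
        "admin": [p for p, _ in writable_dirs(SAMPLE_DIRS, ALICE, admin_user)],
        "standard": [p for p, _ in writable_dirs(SAMPLE_DIRS, ALICE, standard_user)],
    }


if __name__ == "__main__":
    for kind, paths in compare_admin_vs_standard().items():
        print(f"{kind:8s} can create in: {paths}")
```

The only difference between the two users is membership of gid 80; that single group bit is what lets an installer drop a bundle into /Applications with no authentication dialog, and it is exactly what demoting the everyday account to a standard user (as Wulff suggests further down) takes away.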

  5. Thomas 4
    Dead Vulture

    There's an error in the article

    It states that a Mac was infected by malware, which is clearly a mistake. Only PCs suffer from malware.

  6. Annihilator
    Coat

    Sits back

    I'm just wondering what the come-back will be... *watches with interest...*

  7. jeffo
    Thumb Down

    Wrong!

    If you read the blog you linked to: http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ it DOES NOT download to the Applications folder, but to the downloads folder. The user still has to go through the installation process, just will not be prompted for a password.

    I don't think there's any way on Mac or Windows for a file to decide where it downloads to, other than the default or selected download folder. Also, if it did download to the Applications folder, it would just sit there, as it would never run without an installation script adding it to the start up items.

    But hell, why spoil a good story!

    1. Dan 55 Silver badge

      "it would never run"

      It doesn't matter where it downloads, Safari's default action is to run installer packages as they're considered 'safe', and installer packages can install an app somewhere in the user's home directory and add it to the startup list on login without asking for a password. This is not a good thing.

      The automatically open safe files option is an accident waiting to happen, it shouldn't have made it into V1 of Safari let alone survive up to V5.
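Dan 55 describes the per-user persistence route: an installer that never asks for a password can still write a program under the user's home directory and register it to start at login. On OS X the login-time registration a package can make without authentication is a LaunchAgent plist in ~/Library/LaunchAgents. As an added example (not the commenter's code), here is the triage a responder would run over those plists; the two plists are constructed inline, and their labels and paths are invented for the illustration, not taken from any real sample.

```python
import plistlib


def program_path(agent: dict):
    """First executable launchd would run, from Program or ProgramArguments."""
    if "Program" in agent:
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else None


def assess_launch_agent(plist_bytes: bytes, home: str) -> list[str]:
    """Return the reasons a per-user LaunchAgent deserves a closer look.

    An empty list means nothing here was flagged, not that the agent is clean.
    """
    agent = plistlib.loads(plist_bytes)
    reasons = []
    label = agent.get("Label", "")
    if label.startswith("com.apple."):
        reasons.append(f"label {label!r} impersonates Apple; Apple's agents live in "
                       "/System/Library/LaunchAgents, not in a user's folder")
    prog = program_path(agent)
    if prog is None:
        reasons.append("no Program or ProgramArguments")
    else:
        if prog.startswith("~/"):
            prog = home + prog[1:]
        # locations any user can write to with no password prompt
        password_free_roots = (home + "/", "/tmp/", "/private/tmp/", "/Users/Shared/")
        if prog.startswith(password_free_roots):
            reasons.append(f"executable {prog!r} sits where the user can write without a password")
    if agent.get("RunAtLoad"):
        reasons.append("RunAtLoad: starts at every login")
    if agent.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched if the user kills it")
    return reasons


def triage(samples: dict, home: str) -> dict:
    """Run the assessment over a name -> plist-bytes mapping."""
    return {name: assess_launch_agent(data, home) for name, data in samples.items()}


# constructed samples for this example (labels and paths are invented)
SUSPECT = plistlib.dumps({
    "Label": "com.apple.SecurityUpdateHelper",
    "ProgramArguments": ["/Users/alice/Library/Application Support/.helper/avscan", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.backup-agent",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup-agent"],
    "StartInterval": 3600,
})


if __name__ == "__main__":
    for name, reasons in triage({"suspect": SUSPECT, "benign": BENIGN}, "/Users/alice").items():
        print(name, "->", reasons or ["nothing flagged"])
```

On a live machine the inputs are the files listed by `ls ~/Library/LaunchAgents` (and `launchctl list` for what is actually loaded). /Applications is deliberately not treated as a password-free root here even though, as the thread establishes, an admin user can write to it without a prompt: every legitimately installed application lives there too, so flagging it would bury the signal. The Login Items list in the Accounts preference pane is a second user-level persistence route this check does not read.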

  8. MrCheese
    Boffin

    This is only the beginning

    Now Apple have got salesmen, managers and executives up and down the country braying for the latest fruity status symbol regardless of the technical ramifications, we're only going to see more of this kind of thing.

    Think about it, anyone in a business organisation with an i-device is probably fairly high up the org chart and as such it's making the marks easier to identify; just target the iOS/OSX platform and you've already separated much of the wheat from the chaff in any company.

    All that remains to be seen is how Apple respond to the threat, in theory having a linux-derived OS should make it easier but how much are they willing to break the seamless UX in the name of safety and security and mundane things like that (mundane to the marketing wonks that is).

    1. Paul_Murphy
      Coat

      ooh - fighting talk

      >having a linux-derived OS

      I'm sure someone will have something to say about this (when they have calmed down and stopped frothing at the mouth).

      he he

      ttfn

      1. ThomH

        @Paul_Murphy

        Allow me: OS X contains a BSD layer, derived from BSD. Because it has a terminal, it also contains a bunch of open source components that you commonly see included in Linux distributions. WebKit is notably a fork from KHTML and KDE is generally closely associated with Linux distributions. There's even a rootless X11 manager if you want to use it (though I don't think it's a default install).

        So, fine, technically it's not Linux-derived because its original development predates that of Linux and Linux is just a kernel, whereas OS X explicitly uses a completely distinct kernel. But it's quite accurate to say that it shares a large code footprint with what people idiomatically call 'Linux' and that at least some components were part of idiomatic Linux before they were part of OS X.

        I'm sure that you could find a bunch of BSD, Linux or OS X people that would be angered by the statement, but hopefully not at as irreverent a site as this.

  9. Desktop Mobile
    Jobs Halo

    Steve's got it covered

    I can guess Steve's FaceTiming the board now!

    Based upon the theory that people only spend time writing malware for an OS with enough market share to make it worthwhile, just treble the price!

    Returns will increase even though market share falls (some people, like designers, will buy a Mac whatever the cost) and the malware problem will go away as the "developers" concentrate on erm... Windows

  10. Anonymous Coward
    Thumb Up

    and now

    the game is on.

  11. Steve Todd
    Stop

    Sounds like BS to me

    For two reasons.

    Firstly, Safari doesn't give you any options as to where it's going to download files. Everything goes to Downloads. How does this code manage that trick?

    Secondly, even after you copy a downloaded app to the Applications folder the system will warn you that it is a download and ask whether you really want to run it.

    1. Velv
      Pirate

      Platform Independent - Education

      User gets message - "We've detected a virus on your computer"

      "oh dear" says user.

      Message says - "We've got a free fix for your problem - just click here and follow our instructions"

      User thinks - "ooo, this is a dangerous situation, but they've got a free fix, so I'll click it to fix it"

      System asks - "you're trying to run some really dangerous shit here, are you sure you want to run it" (or it says "Are you sure?")

      User thinks - "of course I want to run it, I've got an infection I need to clean up"

      Click, BOOM!

      1. Thomas 4

        The OS for the masses

        System asks - "you're trying to run some really dangerous shit here, are you sure you want to run it" (or it says "Are you sure?")

        This is the sort of message an operating system needs to give people, along with such favourites as "Stop clicking that fucking mouse button a billion times, I know you want to open up Internet Explorer to look at porn, I'm working on it. It's not my fault you didn't bother to give me a decent processor or RAM."

    2. Anonymous Coward
      Thumb Down

      Safari

      Preferences, General, eighth item down, combo; there you can change the download directory from Downloads to Other

    3. Anonymous Coward
      Anonymous Coward

      Wrong

      "Firstly Safari doesn't give you any options as to where it's going to download files. Everything goes to downloads"

      No. It doesn't. You *can* specify where your downloads go. Its been a user preference for a while.

  12. Wulff

    Admin password

    The attack is trivially avoided by not letting your main user account have administrator privileges. Fair enough, Apple should perhaps insist on the creation of a separate admin user when first running the setup assistant, but manually adding an admin & demoting the first user account to "regular" user is the work of moments.

    1. TuckerJJ

      pre UAC windows admin perms != OS X admin perms

      This isn't entirely correct as it implies that a user with admin permissions has total and unfettered access to the system - this was always a big gaping hole in Windows security until UAC, but with OS X an administrator account has always needed the user to enter a password for access to system files, prefs and other sensitive areas.

      The malware is using the equivalent of the Windows "install for current user" (as opposed to "all users") to avoid the need for an admin password. This does mean that even when installed it could only wreak havoc within the user's account, not the whole system.

      I'm splitting hairs as this is still pretty shitty from the users point of view.

  13. clanger9
    WTF?

    So it still needs user confirmation to install then?

    What seems to happen is that an installer will pop up unexpectedly while you are surfing, yes?

    You would still need to click on "Continue" to proceed with the install.

    Wouldn't the sudden (unexpected) appearance of a "SoopahVirusCheckerOhYes Installer" window give the game away to most users?

    1. Spartacus
      Alert

      give the game away to most users?

      There's an old adage somewhere about underestimating stupid.

      For any mac'er who thinks he is safe because he has NOT entered his password, this is D-day..

    2. sparky66
      Thumb Up

      Correct

      You still have to confirm you want to install it, it just no longer requires a password. I can see my daughter panicking after clicking on a bad Bieber image and following the instructions out of fear she's going to get in trouble for wrecking the computer. The password part would have stopped her.
