Knock Knock tool makes a joke of Mac AV

Security research and development bod Patrick Wardle has released a tool to reveal executables that automatically start at boot on Mac OS X. The Knock Knock tool is open source and built on an extensible framework to encourage the community to evolve the platform. Wardle, of consultancy Synack, said he designed the tool because he …

  1. Henry Wertz 1 Gold badge

    Clever

    This is clever, and should be pretty effective. After all (this is true in Windows and Linux as well), if there's some "naughty" executable on there, but it never actually gets executed... it's basically a bit of data taking up space. Knowing about what gets loaded up on boot is the first line of defense against malware on any system.

  2. Shane8

    hmmmm

    What about this MacOS that keeps loading up automatically, will it get rid of this and replace with my favourite Linux distro?

    1. Frankee Llonnygog

      Re: your favourite distro?

      LinuxKidX?

    2. AMBxx Silver badge

      Re: hmmmm

      No Linux or MacOS here, but have an upvote to take away the pain of all those down votes.

      People get so worked up about their Apple toys.

      1. Cliff

        @AMBxx

        Likewise, have an upvote to take away the pain.

        They really do, don't they? Even you being meta and impartial gets a downvote lobby also. In fact I'll bet this post, several removed gets downvotes for agreeing that people downvote oversensitively, simultaneously vanishing into a recursive loop and proving your point...

        1. Frankee Llonnygog

          Re: @AMBxx

          "Apple toys" counts as impartial?

        2. sabroni Silver badge

          @Cliff: They really do, don't they?

          Not me. What gets up my goat is the constant posting by some on here that you can make any device better by wiping it and putting your favourite Linux distro on it.

          We get it! A load of people on here like Linux. Now change the fucking record.....

    3. sabroni Silver badge

      FTFY

      Can I wipe it and put a PROPER Linux on there?

      1. Pookietoo

        Re: FTFY

        It's not Linux, it's BSD.

      2. Wzrd1 Silver badge

        Re: FTFY

        Sorry, as one that uses Linux to death, Windows when forced and all...

        I'll stick with my MacBook Pro, due to its hardware capabilities.

        *Each* OS has its strengths and weaknesses, depending upon usage.

        Windows is, essentially, king, due to ease of use/misuse by the average village idiot and regrettably, all too often maintained by other village idiots.

        *BSD is nice, but it is a lot stodgy in admitting to new interfaces/technology. As in taking two years to admit a beta USB system and three years to get the damned thing to actually work properly.

        Linux is nice, if you like rough edges. I use it daily at home and frequently at work.

        Linux is nice, but it's unpolished in many areas, when compared on a desktop level with Windows or OS X.

        From that standpoint, I've eliminated all Windows desktops at home. I still maintain a Windows server, due to certain commonalities issues.

        All desktops are Linux, my singular exception is this MacBook Pro, where I am typing from now.

        Now, from a security standpoint, I condemn all.

        Linux for partially adopting SELinux, *BSD for not bothering to seek NSA input in a far more merciful time, Microsoft was totally out of that program. Said program was to teach how to build a Trusted Operating System.

        Still leaving Solaris, in certain special configurations, as the *only* trusted operating system for the US.

    4. gnasher729 Silver badge

      Re: hmmmm

      If you own a Mac, feel free to install Linux on it if you like. Nobody is stopping you.

  3. Dan 55 Silver badge

    It works, I used it and I found some malware

    It was the Google Updater. I don't know how it got on the computer but I've wiped it.

    1. Anonymous Coward

      Re: It works, I used it and I found some malware

      The Google updater comes in with various products. Ironically, the most nefarious hookup was a supposedly secure chrome based browser which installed a covertly mounted drive which only showed up in disk utility and which set up various services to re-install itself from there.

      It got in because I just upgraded hardware as well as OS, and the "Hands Off!" license didn't work in the new machine (HO does not just firewall code from the network, it can also bar access to the hard disk). Grr.

      There are advantages coming from the world of Windows - I don't trust anything. So far, it's certainly less work to keep things safe on a Mac, but it still requires paying attention.

  4. Unicornpiss

    Malware detection

    I have to admit I've found and cleaned more malware (on Windows) with Sysinternals Autoruns than with any anti-malware scanning product. I'm surprised nothing like this existed for Macs before.

    1. Anonymous Coward

      Re: Malware detection

      sssshhhhhh don't tell everyone :o)


  5. bytejunkie

    good idea

    I have two Macs, I'll be running this.

    Another point: I have a problem currently with an email client that isn't configurable for what folders it can download. It's downloading a bunch of JavaScript malware that on Windows would be an issue but on a Mac is just flagged by Avast (but not Sophos - beware, Sophos Mac users).

    That's bad design of software.

    1. sabroni Silver badge

      Re: its downloading a bunch of javascript malware that on windows would be an issue

      Why? What's going to execute them on Windows? Isn't your email client the thing that'll parse these scripts? Doesn't the mac client have the same capabilities? (Genuine technical question everyone, so can we skip the OS flames if at all possible? When I double click a .js file in windows it opens in notepad...)

      1. bytejunkie

        Re: its downloading a bunch of javascript malware that on windows would be an issue

        interesting point.

        The way I was thinking about it was, it's only executed if I go into junk and ask it to display that message. Then the JS file will be opened and run, since it's an HTML-capable email client. And I never go into junk. So not a massive issue. I think my Windows VMs are sufficiently ringfenced.

        But the big issue is usability. My screen is filled with warnings. I'm not sure it's a good idea to store malware even if you can't execute it. And do I really want to be backing up malware onto the Time Machine backups on my NAS only for the AV on my NAS to find them as virus infections? Not really.

        The small issue is why Avast is detecting JS malware when Gmail isn't.

    2. AMBxx Silver badge

      Re: good idea

      If your email client is running JavaScript attachments, you're doing something wrong.

      Surely not happened in 15 years?

    3. Anonymous Coward

      Re: good idea

      i have two macs, i'll be running this.

      I'm going to wait. 50% of so-called "security" tools (especially the free ones) are in reality anything but. That's not to say this is not kosher, but I tend to do a lot more checking before I install anything.

      1. Steven Raith

        Re: good idea

        50% of the security tools don't come with a half hour explanation of why they were built, and how they work.

        Good grief, I'm not sure if you're being deliberately obtuse or you're just a bit dim.

        Steven R

        1. Anonymous Coward

          Re: good idea

          50% of the security tools don't come with a half hour explanation of why they were built, and how they work.

          Good grief, I'm not sure if you're being deliberately obtuse or you're just a bit dim.

          My background is in the more "interesting" sides of security. If you consider a half hour plausible explanation sufficient validation to consider something safe you will probably also happily answer those spams that tell you there is a problem with your bank account as it all looks kosher - ditto for the other downvoters.

          By way of illustration, see Whitehatsec aviator. That thing (or something that somehow managed to replace what was supposed to be there) manages to create a hidden, persistent mount which only shows up in Disk Utility, and which throws all sorts of hooks into the OS to re-install itself if you delete parts of it, it takes quite a bit of work to eradicate it (and there's hoping it hasn't dragged anything else in while it kept the cat flap open). That was reviewed in Tom's Hardware as an excellent product, but it turned out to be malware.

          Macs are reasonably easy to keep clean, provided you avoid installing stuff you haven't checked out from all possible angles. A fancy and plausible explanation may seem like a recommendation, but there are enough people who can cook up a plausible text but for less benign purposes. All a trojan needs is for you to run it, and Macs too seem to have this weird need to install everything at system level, which gets people far too used to granting admin rights.

  6. cd

    AC, good idea to be cautious. Also, if you want a GUI, EtreCheck will make you a nice list as well. Not sure if it gets the same things, but I have found some mouldering daemons with it.

  7. Anonymous Coward

    Knock Knock!

    Who's there?

    Tim

    Tim who?

  8. Anonymous Coward

    What's the definition of "malware?"

    He seems to be assuming anything that autoruns at startup but wasn't signed by Apple is malware. I'm sure a lot of applications install their own stuff, and I even have some of it on my Linux desktop - VMware starts up several processes automatically!

    What if you install Photoshop and there's an Adobe process that runs on OS X at startup (I don't know if there is, just using it as an example). If it just checks for updates, is it OK? What if it downloads the updates without asking, possibly taking up all your drive space if you were short? What if it has a bug in it where it deletes a failed download and re-downloads it over and over again so when you have a full drive it soaks your network bandwidth? What if it has a bug where it hits a spin loop and consumes 100% CPU? What if it uploads the MAC address of your computer back to Adobe? What if it records keystrokes while you're running Photoshop, to help engineers fix bugs and improve the GUI? What if it has a bug where it keeps recording keystrokes after you're done, and uploads passwords to Adobe? What if that isn't a bug, but a backdoor some engineer put in on his last week of work hoping to tank the company when it became public?

    Everyone has a different point in the above where they'd say it crosses the line into malware, but claiming anything related to something a user knowingly installed is "malware" conflates it with true malware, which is something you never intended to install or didn't install but it happened through a remote/web exploit.

    1. Keven E.

      Define the definition of is.

      "...true malware, which is something you never intended to install or didn't install but it happened through a remote/web exploit."

      Don't we need a coupla two tree more parameters for this definition, cuz with just *those it seems quite equatable to a "virus"?

      I challenge that the *only difference is that a virus just spreads without you/your machine *doing anything...

      ... like I just did by opening Pandora's box (snicker).

      1. ashdav

        Re: Define the definition of is.

        @ Keven E.

        Please learn to spell and use punctuation correctly.

        1. Keven E.

          I'll order a round for the bar

          It's all about pronunciation.

          How is one s'posed to spell punctuation, ashdav?

      2. sabroni Silver badge
        Happy

        Re: Don't we need a coupla two tree more parameters for this definition

        I'd rather see that than 'No overload for method takes 1 argument'....
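Both the first comment (knowing what gets loaded at boot is the first line of defence) and the "What's the definition of malware?" post above come down to the same mechanics: enumerate launchd's persistence points, pull the executable out of each job, and decide which ones deserve a second look. The block below is an added example of that enumeration in Python; it is not KnockKnock's code, nor Wardle's or The Register's. The sample plists are constructed for the example, the LAUNCH_DIRS table and the path-based "Apple or not" heuristic are assumptions, and the actual "signed by Apple" check (codesign on the Mac itself) is only named, not performed, so that the block runs offline.

```python
"""Autoruns-style enumeration of launchd persistence items (added example).
The sample plists are constructed; on a real Mac you would read the files
from the directories listed in LAUNCH_DIRS instead of this dict."""
import plistlib
from dataclasses import dataclass
from typing import Dict, List

# Directories launchd loads jobs from, and what finding a job there implies
# (assumption: an autoruns-style tool walks at least these, plus per-user dirs).
LAUNCH_DIRS = {
    "/System/Library/LaunchDaemons/": "apple-system",
    "/System/Library/LaunchAgents/": "apple-system",
    "/Library/LaunchDaemons/": "third-party, all users, runs as root",
    "/Library/LaunchAgents/": "third-party, all users",
}

# Constructed sample data: plist path -> XML contents. Not from any real machine.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/System/Library/LaunchDaemons/sample.system.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>sample.system.helper</string>
  <key>Program</key><string>/usr/libexec/sample_helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/sample.thirdparty.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>sample.thirdparty.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/Example/updater</string><string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/sample.user.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>sample.user.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.cache/agent</string><string>-q</string>
  </array>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/sample.ondemand.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>sample.ondemand.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>KeepAlive</key><false/>
</dict></plist>""",
}


@dataclass
class LaunchItem:
    plist_path: str
    label: str
    program: str
    arguments: List[str]
    scope: str
    autostart: bool
    flags: List[str]


def _scope_for(plist_path: str) -> str:
    for prefix, scope in LAUNCH_DIRS.items():
        if plist_path.startswith(prefix):
            return scope
    parts = plist_path.split("/")  # /Users/<name>/Library/LaunchAgents/x.plist
    if len(parts) > 5 and parts[1] == "Users" and parts[3:5] == ["Library", "LaunchAgents"]:
        return f"per-user ({parts[2]})"
    return "unknown location"


def parse_launch_item(plist_path: str, data: bytes) -> LaunchItem:
    job = plistlib.loads(data)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    program = str(job.get("Program") or (args[0] if args else ""))
    # RunAtLoad starts the job at boot/login; KeepAlive (a bool or a dict of
    # conditions) makes launchd respawn it. Either one is a persistence signal.
    autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    flags: List[str] = []
    # Heuristic only (assumption): Apple's own binaries live under /System and
    # /usr, but not /usr/local. The real test is signature verification, i.e.
    # `codesign -dvv <program>` on the Mac itself, which cannot run offline here.
    apple_path = program.startswith(("/System/", "/usr/")) and not program.startswith("/usr/local/")
    if autostart and not apple_path:
        flags.append("autostarts from a non-Apple path; verify its signature")
    if any(part.startswith(".") for part in program.split("/") if part):
        flags.append("hidden path component")
    if not program:
        flags.append("no Program or ProgramArguments")
    return LaunchItem(plist_path, str(job.get("Label", "?")), program, args,
                      _scope_for(plist_path), autostart, flags)


def enumerate_items(plists: Dict[str, bytes]) -> List[LaunchItem]:
    """Parse every plist; items that start automatically are listed first."""
    items = [parse_launch_item(p, d) for p, d in plists.items()]
    return sorted(items, key=lambda i: (not i.autostart, i.plist_path))


def report(items: List[LaunchItem]) -> None:
    for item in items:
        mode = "AUTOSTART" if item.autostart else "on-demand"
        print(f"[{mode:9}] {item.label:28} {item.program}  ({item.scope})")
        for flag in item.flags:
            print(f"            ! {flag}")


if __name__ == "__main__":
    report(enumerate_items(SAMPLE_PLISTS))
```

Run as-is it lists the two autostarting third-party jobs first and flags the per-user agent twice (non-Apple path and a dot-directory in the path), while the Apple-located daemon and the on-demand helper come out clean. That is exactly the line the AC is asking about: the tool can only tell you what persists and where it came from; whether the Adobe-style updater is "malware" is still a judgement the reader makes after the signature check.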

  9. RegKees
    Facepalm

    X

    Interesting stuff. Although if all true, you have to wonder why this isn't being abused more, given how prevalent Macs have become, and how many people love to be hating on them. Anyway, if he creates a slick gui for this he'll be able to sell it, I'm sure. Hype it up, say it elevates Macs to insane levels of security. Should work, though he might have trouble getting it approved at the app store...

    Somebody does need to tell this guy the OS is actually called '10' though (you know, the roman number, not x)

    Slightly embarrassing, to not get the name of your topic right ;-)
