Wednesday, June 1, 2011

Welcome to the malware world, Mac users

It's a trifecta, and the only thing surprising is just how fast this is evolving.

First up, Mac malware can now install without prompting you for a password:

Earlier rogue anti-virus strains, such as MacDefender, need permission to run, a hurdle MacGuard neatly sidesteps. MacGuard works on the premise that home users have administrator rights, meaning they don't need to enter the administrator password to install software in the Applications folder.

MacGuard downloads itself into this folder rather than the default download folder. This downloader connects to malicious IP addresses hidden in its own resources folder. The appearance of the malware means that advice to treat all unexpected requests for the administrator password with suspicion becomes moot.
This is exceptionally bad juju - silent "drive by" downloads have been one of the worst aspects of the Windows security environment for years, because even security savvy users are vulnerable.  Welcome to the party, Mac fanboys!

Second, Apple has finally admitted that malware is a big problem, and has released a malware cleaner:

Apple has updated its Mac operating system to protect against a malicious application that has been hoodwinked untold numbers of users by masquerading as legitimate security software that warns they have serious infections on their machines.

Apple issued Security Update 2011-003 on Tuesday to update Mac OS X to detect for MacDefender, one of several trojans that gets installed through an elaborate ruse that's become almost a rite of passage for owners of machines running Microsoft Windows. Those behind the scareware hook their victims by presenting them with web images that depict an antivirus scan taking place on their machines. The images falsely claim users have serious malware infections and urge them to download and install the antivirus package. Those who fall for the scam are then infected.
If you're running OS X run, do not walk to get the update. 

Third, it's not at all clear that this will solve the problem:
Just hours after Apple updated a security update to protect Mac users against a rash of scareware attacks, a new variant began circulating that completely bypasses the malware-blocking measure.

The trojan arrives in a file called mdinstall.pkg and installs MacGuard, a malicious application that masquerades as security software the user needs to clean a Mac of some nasty infections said to be discovered during a recent hard drive scan. As reported repeatedly during recent days, a series of clever social engineering attacks on Google, Facebook and elsewhere have been besieging Mac users and tricking a fair percentage of them into installing the rogue antivirus packages.
 The "security is better on Mac" meme is pretty well dead in the water now.  We see all of the behavior on OS X that we see on Windows - rapidly mutating and evolving malware that bypasses current security controls.

About all I have to add is that if Linux hits 7-8% of the desktop market, it will go through precisely the same thing.

And for a touch of black humor, this has to be shown:



That's OK - I'll be fine.  Oooooh kaaaay, then.

10 comments:

BS Footprint said...

You can afford be arrogant when your chosen computer OS is relatively obscure. Malware writers usually don't bother with the 15%, it's much more appealing to hit the 85%.

It's inevitable that smug Mac users will be hit with a growing number of attacks. Surprised it took so long to happen.

GuardDuck said...

What surprises me is how long it has taken.

As we see, they are not immune. The market share meme may have been the reason they haven't been targeted. But the whole 'I have a Mac and they don't have viruses' idea has created a whole culture of users who are actively security unconscious.

That level of at risk users within the admittedly smaller user base leaves a still a pretty significant number of easy targets.

Now add in the single source of defense they will have to respond to multiple source attacks and you're looking at some rough road ahead.

GuardDuck said...

Oh, and Apple themselves pushing the 'we don't have viruses' idea is going to bite them in the ass.

bluesun said...

Do you know how much virus crossover could happen between all the different versions of Linux? Would a particular distro have to get up to some sizable market share, not just Linus as a whole?

bluesun said...

LINUX! Dagnabbit, I hate it when that happens.

Dave said...

Doesn't matter what OS you run. If there's a promt that asks "Do you wish to install?" and you answer yes, well you get what you deserve. Might as well send all your personal info to that princess in whatever coutry she's in this week. :-)

Andy said...

The desire to laugh at the Mac hipsters is intense here. But this isn't like the days of CodeRed and ILOVEYOU, where out-and-out shoddy programming on Microsoft's part led to millions of infected computers just for being on the Internet. As Dave noted, this is about users hitting "continue" no matter the text of the security dialog. That's not a platform issue, that's a grey-matter density issue.

However, I wouldn't be surprized if Apple made the default setup in the upcoming Lion release to only allow software installed via the Mac App Store. Yes, the Geekerati will be up in arms over it, but such a thing won't matter so much to those wilfully ignoring other computing issues so that they can live their lives.

And btw, MacGuard has been around for at least 3 years. It isn't news.

Borepatch said...

Andy, the biggest concern here is the silent download. This hits even users with a brain. It's pretty easy to serve this sort of thing up via Cross Site Scripting or Cross Site Request Forgery.

Your point on the App store is interesting, although I suspect it would be more motivated by the desire on Apple's part to take a cut of the software revenue.

And I've been following MacGuard from the beginning, and have a post here from way back about it. I was pretty skeptical as to its usefulness then. I'm skeptical now, but for the traditional reason to be skeptical about any antivirus - mutating maleare means you're always looking for last week's problem, not this week's.

Andy said...

Even with new fangled File APIs in Javascript and Chrome, yes I said Chrome, downloading things it shouldn't without telling you, launching a program on a Mac that came from the tubes still requires the user to acknowledge such the first time the program is run.

This, in my opinion, is in the same category as phishing attacks. Users shouldn't go randomly clicking on things without thinking.

GuardDuck said...

Which leads back to: if apple says macs don't have virusii, why would Mac users need to think before they click?