Linked by Kroc Camen on Thu 22nd Jan 2009 17:52 UTC
Privacy, Security, Encryption "Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple's iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The versions of iWork 09, Apple's productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg." Update: A new variant has been discovered in a pirated version of Adobe Photoshop CS4, and there is also information about one target of a DDoS attack coming from the trojan.
libray
Member since:
2005-08-27

The method used here is pretty similar to the way some malware gets onto Windows systems. There are so many third party apps for Windows that it's unwieldy to have signed, known software that people trust. Someone searching for iWork on the torrent sites should be ashamed anyway, but this is just the beginning.

In the name of getting something for nothing, you open your system to being rooted.

Reply Score: 5

thecwin Member since:
2006-01-04

The Mac will probably have more social malware in the near future. Exploit-based malware still remains to be seen, but seems likely given that Apple don't exactly have a perfect security record.

The idea that there's no malware for anything other than Windows is a very misleading myth, and provides a false sense of security. I can't say much for OS X since I've not looked into it. I *do* know, however, that stuff exists for Linux. I had a viral infection on Gentoo Linux when someone set a password the same as their username on my box, and I (stupidly) had SSH visible on the default port to the world.

It didn't root me, and only managed to clog up my mailserver, but rootkit checkers don't exist on Linux for the fun of it.

Linux and Windows are both currently very attractive targets due to their deployment in the server and server-client spaces respectively. Hacked Linux servers are often used to distribute Windows malware, as well as hack other Linux servers. Thankfully, Linux tends to have fewer remote exploits due to usually having a more minimal default installation with far fewer attack vectors (no RPC, management interfaces, etc.).

Reply Score: 8

gustl Member since:
2006-01-19

Let me put it like this:

The typical cracked Linux machine is a Server, and it is usually manually cracked.

The typical cracked Windows machine is a desktop, and it is usually cracked by a self-spreading worm, virus, whatever.

Therefore I would conclude that the pure technical security of Linux is higher than for Windows; the Linux server targets, however, are very attractive because they provide access to high speed connections.

Administrator's stupidity (as mentioned previously) still allows crackers to get into a Linux system, at least to lower privilege accounts. Intrusion detection systems would be a good idea for Linux systems, especially ones which listen to the internet at some ports.

Reply Score: 1

thecwin Member since:
2006-01-04

"The typical cracked Linux machine is a Server, and it is usually manually cracked. "


Really? Then there's a hell of a lot of people devoting their life to ssh dictionary attacks on my subnet ;) . You'd be surprised about how often Linux machines are brute-forced by automated daemons in order to distribute spam and Windows malware. Linux is almost never the end-goal, but rather a way of getting to the Windows machines.

I hate Windows and love Linux, but still, I accept there is automated malware for Linux too; it just tends to not be categorised and hunted in the same way as Windows malware. After all, most Linux boxes have a very good intrusion detection system: a vigilant administrator.

I do think, however, that the OS X/Linux security model itself is more secure than Windows, and helps prevent against serious attacks.

Reply Score: 4

sakeniwefu Member since:
2008-02-26

People, I think that's what he meant. You took it too literally.

Remote vulnerabilities are rare in most OSes including current Windows versions, and in Linux you don't often download and run nakit15yo.jpg.exe files, so the best approach is to brute force dumb passwords for services such as SSH that are left open by default by many admins and some distributions.

If you leave OpenSSH open, you must make sure that either password authentication or remote login to weak accounts is disabled. Non-default ports do work, but it isn't really safe.

Once a non-admin user is compromised the hacker has a lot of locally exploitable bugs to choose from.

He doesn't even need to do that as he can run a distributed spam botnet from non-root users all the same.

Edited 2009-01-23 22:56 UTC

Reply Score: 2
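The advice above about leaving OpenSSH reachable (turn off password authentication, don't let weak accounts log in) comes down to two sshd_config directives. The following is an added example, not code from the thread or from OpenSSH: a small POSIX sh audit that reads a config file the way sshd does (first occurrence of a directive wins, comments ignored) and flags the weak settings. The sample configs it writes to a temp file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# settings that stop password-guessing bots. The config snippets and file
# names below are constructed for illustration.

# Print the effective value of a directive in an sshd_config file. sshd honours
# the FIRST occurrence of a directive and ignores commented lines, so we do too.
sshd_directive() {
    awk -v key="$2" '
        substr($1, 1, 1) != "#" && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit 0 if the file disables password authentication and root password login,
# otherwise print one line per weak setting and exit 1. An absent
# PasswordAuthentication falls back to the OpenSSH default (yes). An absent
# PermitRootLogin is flagged too: old releases defaulted to "yes", and the safe
# values are cheap to state explicitly.
check_sshd_config() {
    cfg=$1
    weak=0
    pa=$(sshd_directive "$cfg" PasswordAuthentication)
    prl=$(sshd_directive "$cfg" PermitRootLogin)
    case "${pa:-yes}" in
        no) ;;
        *)  echo "weak: PasswordAuthentication=${pa:-unset (defaults to yes)}"; weak=1 ;;
    esac
    case "$prl" in
        no|prohibit-password|without-password) ;;
        *)  echo "weak: PermitRootLogin=${prl:-unset}"; weak=1 ;;
    esac
    return "$weak"
}

# Demo on two constructed configs: the first is what a default-ish install with
# a commented-out hardening line looks like, the second is the hardened form.
demo_sshd_audit() {
    tmp=$(mktemp)
    printf '%s\n' 'Port 22' '#PasswordAuthentication no' \
        'PasswordAuthentication yes' 'PermitRootLogin yes' > "$tmp"
    echo "== weak config =="
    check_sshd_config "$tmp" || echo "result: FAIL"
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' \
        'PermitRootLogin prohibit-password' 'PubkeyAuthentication yes' > "$tmp"
    echo "== hardened config =="
    check_sshd_config "$tmp" && echo "result: OK"
    rm -f "$tmp"
}

demo_sshd_audit
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config`; a commented-out `#PasswordAuthentication no` is the classic false sense of security, which is why the parser skips comment lines rather than grepping for the string.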

steogede2 Member since:
2007-08-17

Let me put it like this:

The typical cracked Linux machine is a Server, and it is usually manually cracked.

The typical cracked Windows machine is a desktop, and it is usually cracked by a self-spreading worm, virus, whatever.


Not really. My SSH* and ModSecurity logs show lots of attempts at automated hacking, and I know that lots of Linux servers don't have application firewalls like ModSecurity (I didn't till my server was cracked) and don't have any measures in place to thwart dictionary attacks on SSH.

*note to self, must configure my firewall better so that these attacks don't even get as far as SSH.


In reference to the article :
> It's merely a matter of those with malicious intent
> measuring the profit that can be made (monetary or
> otherwise) from their exploits.

Admittedly there are many more Windows and Mac OS desktops out there, but that doesn't mean that Linux exploits aren't "profitable". Your typical Windows or Mac desktop will be on a connection with between 0.25 and 1Mb upstream; a Linux server might be on a 100Mb connection. When mine was compromised (a flaw in Mambo) a few years ago, the trojan used about half a terabyte of "bandwidth" in a couple of days (at £1 a Gigabyte).

Reply Score: 1
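The two things the poster above wants, a view of who is dictionary-attacking SSH and firewall rules that stop them before sshd answers, fit in one script. This is an added example, not code from the thread: it counts `Failed password` events per source address in sshd syslog lines, lists the addresses over a threshold, and prints (rather than applies) the iptables rules for a per-host block and a generic connection rate limit using the `recent` match. The log lines, hostnames and addresses are constructed.

```sh
#!/bin/sh
# Added example (not from the original thread): count "Failed password"
# events per source address in sshd log lines, list the sources that crossed
# a threshold, and emit the iptables rules that would stop them before sshd
# sees the next attempt. The log lines and addresses are constructed.

# Usage: brute_force_sources LOGFILE THRESHOLD
# Prints one source IP per line, most attempts first, for every address with at
# least THRESHOLD failed password attempts. Only sshd "Failed password" lines
# count; "Accepted" lines and other daemons are ignored.
brute_force_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) print fails[ip], ip
        }
    ' "$1" | sort -rn | cut -d" " -f2
}

# Usage: iptables_block_rules IP...
# Prints (does not run) one DROP rule per offending address, so a human can
# review the list before piping it to sh as root.
iptables_block_rules() {
    for ip in "$@"; do
        printf 'iptables -A INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Usage: iptables_ratelimit_rules
# Prints a generic rate limit: the 5th new SSH connection from one address
# within 60 seconds is dropped, using the "recent" match. This is the
# "don't even let it reach SSH" layer; the two rules go in this order.
iptables_ratelimit_rules() {
    printf '%s\n' \
      'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH' \
      'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP'
}

# Demo on constructed log lines (syslog format as written by OpenSSH).
demo_bruteforce() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Jan 23 14:01:02 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 23 14:01:03 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 23 14:01:05 web1 sshd[1240]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jan 23 14:01:09 web1 sshd[1241]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 23 14:02:00 web1 sshd[1250]: Failed password for bob from 192.0.2.33 port 40010 ssh2
Jan 23 14:02:07 web1 sshd[1252]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
EOF
    offenders=$(brute_force_sources "$log" 3)
    echo "sources with >= 3 failures: $offenders"
    iptables_ratelimit_rules
    iptables_block_rules $offenders
    rm -f "$log"
}

demo_bruteforce
```

Run it over the real log with `brute_force_sources /var/log/auth.log 10` (the file is `/var/log/secure` on Red Hat style systems). Blocking by address is a blunt tool against a botnet that rotates sources, which is why the rate limit and the sshd hardening (no password auth) matter more than the block list.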

kaiwai Member since:
2005-07-06

You're right; let's also remember that this is malware deliberately installed by the user, hence the reason I'd prefer it if people stopped beating up Microsoft over the fact that there are idiots who download software, install said software - and then complain because it is malware. If you download and install something - you have consciously made the choice to install something.

Back on-topic, the same explanation goes for this iWork malware: people know the risks of downloading pirated software, they know what they're doing is risky - and they still do it. The people who download and install pirated software and complain about the negative effects - I have the same sympathy for them as for those who have bareback sex and complain afterwards that they've contracted an STD. They knew the risks but went ahead and did it anyway.

Oh, and let's be honest, iWork is hardly an expensive piece of software - for goodness sake, just buy the damn thing; really, NZ$179 and even cheaper if you're a student.

Reply Score: 3

protagonist Member since:
2005-07-06

A PC columnist once wrote a few years ago that "I could send an email with an attachment named this is a virus.exe and people would open it". This statement holds true no matter what OS is being used. Idiots are OS agnostic. I also recall getting severely flamed a few years ago on a Mac forum for suggesting that people should pay more attention to security on a Mac. But then I have been called paranoid in the past. :-)

Reply Score: 2

kaiwai Member since:
2005-07-06

A PC columnist once wrote a few years ago that "I could send an email with an attachment named this is a virus.exe and people would open it". This statement holds true no matter what OS is being used. Idiots are OS agnostic. I also recall getting severely flamed a few years ago on a Mac forum for suggesting that people should pay more attention to security on a Mac. But then I have been called paranoid in the past. :-)


It is unfortunate that when most people think of security they automatically think of security holes in their software, when in reality most of the security flaws that exist are due to social engineering. Kevin Mitnick showed just how easy it was to get access to a company's network just through some basic social engineering.

Reply Score: 2

MysterMask Member since:
2005-07-12

1. I think people in these discussions far too often mix admin privileges with root. They are not the same under MacOSX.

2. People should get used to using sandboxing if they want to restrict apps they don't trust. See e.g. http://www.macpronews.com/macpronews-30-20080116MacSandboxWrapper.h... (Mac Sandbox Wrapper)
or use a GUI-Tool like
http://www.macupdate.com/info.php/id/19025 (Sandbox)

Reply Score: 2

aliquis Member since:
2005-07-23

"Someone searching for iWork on the torrent sites should be ashamed anyway, but this is just the beginning."


Uhm..
"Yeah, why not just download the trial and fill in a serial?!"
Though the retail torrent is probably safer since it doesn't even use a serial...

Good luck being politically correct. Personally I can't understand when I would have a use for iWork to begin with.

Reply Score: 2

Not discovered by Intego
by mckill on Thu 22nd Jan 2009 18:22 UTC
mckill
Member since:
2007-06-12

This wasn't discovered by them, it was discovered by this guy a few days after he found something running on his system; his story and details of it are here:

http://notahat.com/posts/28

The installer for iWork09 that was used was from a random torrent tracker and had a modified installer package to install something extra.

Reply Score: 3

RE: Not discovered by Intego
by steogede2 on Fri 23rd Jan 2009 14:58 UTC in reply to "Not discovered by Intego"
steogede2 Member since:
2007-08-17

This wasn't discovered by them, it was discovered by this guy a few days after he found something running on his system; his story and details of it are here


He took out the URL that was being DDoSed - almost makes me want to download it just to find out (I wonder if it was OcUK, and if there's any chance of getting some of the bounty they're offering?).

Reply Score: 1

Slow news day
by evangs on Thu 22nd Jan 2009 18:35 UTC
evangs
Member since:
2005-07-07

Why is this even news? You install software from sources you cannot verify. No OS is secure from stupid users.

Reply Score: 11

RE: Slow news day
by Kroc on Thu 22nd Jan 2009 19:06 UTC in reply to "Slow news day"
Kroc Member since:
2005-11-10

It's news to 20'000+ people. ;)

Reply Score: 6

RE: Slow news day
by WorknMan on Thu 22nd Jan 2009 20:26 UTC in reply to "Slow news day"
WorknMan Member since:
2005-11-13

Why is this even news? You install software from sources you cannot verify. No OS is secure from stupid users.


You know, I was having a debate with someone about this recently. The guy posted a Youtube video trying to debunk the notion that as OSX/Linux gets more marketshare, you would see more viruses/malware for them. He tried to argue this wouldn't happen because of how much more secure the operating systems were than Windows to outside attacks, and also included the old 'IIS vs Apache' argument.

But as I explained to him, it doesn't matter how secure it is when you have more and more users migrating over who will run anything that promises them nude pics of Angelina Jolie. And you know that Apache server admins won't do that. Well, at least most of them won't anyway ;)

Even if you can't affect the system as much as you might be able to on Windows, malware doesn't need a whole lot of access to do what it is designed to do these days. Once it installs and puts itself in a startup group, it's pretty much game over. Now you can annoy the user with popup ads, use the computer as part of a botnet, or whatever.

Having said all that, now I will answer your question ;) The reason why this is important is, because of guys like the one I mentioned above, there are probably a lot of Linux/Mac users out there who have this belief that, "Well, I can run whatever I want and don't have to worry about viruses/spyware because I'm not a Windows user", so we really need to get the word out to these people.

As for Windows (especially Vista), as long as you have the latest updates installed, there's really not a lot of exploits out there any more that can simply install themselves remotely without requiring the user to do something specific. The way malware is getting onto Windows is the same way it'll get on to other operating systems.

Edited 2009-01-22 20:40 UTC

Reply Score: 11

RE[2]: Slow news day
by DrillSgt on Thu 22nd Jan 2009 20:53 UTC in reply to "RE: Slow news day"
DrillSgt Member since:
2005-12-02

"But as I explained to him, it doesn't matter how secure it is when you have more and more users migrating over who will run anything that promises them nude pics of Angelina Jolie. And you know that Apache server admins won't do that. Well, at least most of them won't anyway ;) "

No, they will write down the name of the file and run it when they get home ;)

Reply Score: 2

RE[2]: Slow news day
by evangs on Thu 22nd Jan 2009 21:44 UTC in reply to "RE: Slow news day"
evangs Member since:
2005-07-07

The reason why this is important is, because of guys like the one I mentioned above, there are probably a lot of Linux/Mac users out there who have this belief that, "Well, I can run whatever I want and don't have to worry about viruses/spyware because I'm not a Windows user",


That's equivalent to saying that because I wear a rubber I get to stick my gadget wherever I please. You might be safer, but you're not _that_ safe ...

Reply Score: 3

RE[2]: Slow news day
by John.Gustafsson on Thu 22nd Jan 2009 23:21 UTC in reply to "RE: Slow news day"
John.Gustafsson Member since:
2005-08-08

But as I explained to him, it doesn't matter how secure it is when you have more and more users migrating over who will run anything that promises them nude pics of Angelina Jolie. And you know that Apache server admins won't do that. Well, at least most of them won't anyway ;)


Nude pictures? Where? Where? Where?

*waiting for the nude pictures*

Doing improper stuff on your computer is bad. Doing improper stuff on a Linux or XP installation in VMWare is also bad, but in a different way :)

Reply Score: 2

RE[2]: Slow news day
by PortResi on Sat 24th Jan 2009 15:02 UTC in reply to "RE: Slow news day"
PortResi Member since:
2008-10-06

You install software from sources you cannot verify. No OS is secure from stupid users.


These are the same people who respond to phishing and place coffee cups on the DVD tray.

As for Windows (especially Vista), as long as you have the latest updates installed, there's really not a lot of exploits out there anymore than can simply install themselves remotely without requiring the user to do something specific.


I am still getting the same amount of repair work from Vista that I am getting from XP users. So, there must be quite a few stupid windows users.

Edited 2009-01-24 15:03 UTC

Reply Score: 1

RE: Slow news day
by polaris20 on Thu 22nd Jan 2009 21:43 UTC in reply to "Slow news day"
polaris20 Member since:
2005-07-06

Never have truer words been spoken.

Reply Score: 2

Uh, really?
by Soulbender on Thu 22nd Jan 2009 18:45 UTC
Soulbender
Member since:
2005-08-18

Virus and malware in pirated software?
How could this possibly be news to anyone, anywhere?
If that qualifies as news and gets headlines I'll be over where the pirated software is for sale (aka the street outside), gearing up to be famous.

Reply Score: 6

RE: Uh, really?
by slight on Thu 22nd Jan 2009 18:58 UTC in reply to "Uh, really?"
slight Member since:
2006-09-10

I guess because OSX has relatively little malware in the wild, for the time being, so new finds are still newsworthy.

Reply Score: 5

That's karma for you...
by orestes on Thu 22nd Jan 2009 19:02 UTC
orestes
Member since:
2005-07-06

Pity it wasn't something of a more CIH like bent.

Reply Score: 2

Comment by Dirge
by Dirge on Thu 22nd Jan 2009 19:05 UTC
Dirge
Member since:
2005-07-14

It seems to me it wouldn't take much to modify more legitimate software with this trojan. I'm not sure why everyone writes this threat off so quickly.

Reply Score: 2

RE: Comment by Dirge
by Volt on Fri 23rd Jan 2009 00:45 UTC in reply to "Comment by Dirge"
Volt Member since:
2006-06-23

There isn't even any reason to download iWork from a pirate site. You can simply punch in any serial into Apple's trial version (no, I didn't pirate it). I'm actually surprised that it took this long for trojans to really take advantage of the installer. Or maybe this is just the first case of widespread infection.

Reply Score: 1

RE: Comment by Dirge
by Soulbender on Fri 23rd Jan 2009 10:00 UTC in reply to "Comment by Dirge"
Soulbender Member since:
2005-08-18

It seems to me it wouldn't take much to modify more legitimate software with this trojan.


True, but how would you get it into the production chain?

Reply Score: 2

After some debugging ...
by inetman on Thu 22nd Jan 2009 21:34 UTC
inetman
Member since:
2006-05-30

I found something interesting, nobody mentioned yet.

This Trojan comes along with a built-in Lua interpreter, and (as mentioned on some security sites) with a small p2p client.

AFAIK it is relatively new that trojans bring their own scripting interpreters with them... Cool stuff somehow, but OS X trojans(/malware) are still way behind their W32 counterparts; this one for example doesn't even try to hide itself (no lib or kernel hooks) ...

Anyways you should be careful with this one since it is able to update itself.

Regards ;-)

Reply Score: 1

I blame Apple
by whartung on Thu 22nd Jan 2009 21:36 UTC
whartung
Member since:
2005-07-06

The single best security measure of OS X is that it is, and always has been, "secure by default".

What I mean by this is that, in contrast to Windows, prompting for the Superuser password for an application installation on the Mac is by far the exception, not the norm. Macs are famous for "drag and drop" software installation.

On Windows, you routinely either simply "ran under Administrator", or granted every trivial bit of software Admin privilege just so it could be installed. Thus, handing over these "keys to the kingdom" simply became second nature to a Windows user. It's just a harsh reality there.

On the Mac, when an app asks for Superuser, I as a consumer really want to know "why". What is so special and important for this application that it needs such privileges.

I don't know what the new iWork services are, but it's really a shame that it must run "under root", or at least need root privileges to be installed.

If iWork didn't require this, perhaps someone would have noticed that the pirate version "installs different" than the original version, and potentially this warning would have gone up sooner.

Unfortunately, when I update my Ubuntu box, it seems to always want root, and I grudgingly give it.

But, as a rule, it's simply a bad habit, and should be discouraged.

It would be interesting to know if Apple could have worked around the need for iWork to have root access during install through some other mechanism.

Folks complain about the nasty cert error that Firefox pops up with unrecognized certs. I think asking for Superuser should have an equally aggressive error message, and perhaps have other means to which folks can get some access to some root privileges without giving them the whole kit.

Reply Score: 2

RE: I blame Apple
by spikeb on Thu 22nd Jan 2009 23:06 UTC in reply to "I blame Apple"
spikeb Member since:
2006-01-18

what you are thinking of is slowly being integrated (at least in fedora) with policykit

Reply Score: 2

RE: I blame Apple
by apoclypse on Thu 22nd Jan 2009 23:06 UTC in reply to "I blame Apple"
apoclypse Member since:
2007-02-17

Apple almost always asks for admin privileges when installing software, mostly because the apps installed are system wide as opposed to just for one user. So if you get a new version of Garageband you should be able to run it as a different user. I very rarely see Apple itself use the drag and drop installer; they usually use .pkg and an installer. However even in Ubuntu you are supposed to trust the software that comes from Canonical; not saying you have to, but if you don't trust Canonical's repos then you shouldn't have installed Ubuntu in the first place since you will never update it otherwise; otherwise it's borderline paranoia. This case is different because the software was pirated and frankly anyone who got caught gets what they deserve, imo.

I haven't pirated software/music/whatever since I was in college, and I did that because I couldn't actually afford the applications I wanted to use (mostly CG stuff like Maya and XSI, which cost about $7K and up). This application is $79, it's practically free; why would you want to pirate it? Apple makes it fairly useless to pirate their applications with their prices. Logic, which is only $500, would cost $2k anywhere else. FCP, which is fairly expensive, is still a bargain compared to what Avid used to charge (and still does) for their stuff. Not only that, but Apple also gives you cut down bare essentials versions which are basically the application itself without all the cruft for chump change. I see no reason why people would need to steal iWork of all things. If you can afford a Mac you can afford iWork. If you have a hackintosh then you can afford iWork since you supposedly save money on a Mac.

Reply Score: 2

RE: I blame Apple
by pcunite on Thu 22nd Jan 2009 23:10 UTC in reply to "I blame Apple"
pcunite Member since:
2008-08-26

Unfortunately, when I update my Ubuntu box, it seems to always want root, and I grudgingly give it. But, as a rule, it's simply a bad habit, and should be discouraged. It would be interesting to know if Apple could have worked around the need for iWork to have root access during install through some other mechanism.


Your thinking is close but needs just a little bit of clarification. The reason installs require root is because AFTER the install is complete it is the only way to harden a system. Most people don't run hardened systems but for those of us who do, consider:

1. An executable can write to a directory. That same directory can not be executed from.

2. A directory that can be written to must not ever allow executions from.

To achieve those two points the software must be run under a limited account. The exe can run from C:\Progs but only write to C:\user\desktop. C:\Progs can never be written to by the user. The user can write a file to their desktop using notepad.exe. An exploit to the web browser would not allow a virus to live on the system.

Thus an installer must be run as root because not only must it execute, it must write to a directory that will later be executed from.

I did not explain this the best way but hopefully you got it!

Reply Score: 3
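The two rules above (a directory a program can write to must never be executable from, and vice versa) are easy to state and easy to drift away from as software gets installed. The following is an added example, not code from the thread: a POSIX sh audit using `find` with octal `-perm -MODE` tests (portable to GNU and BSD find) that lists files which are group- or world-writable and executable at the same time, plus world-writable directories without the sticky bit. The demo tree it builds under a temp directory is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): find the files that break the
# "writable or executable, never both" rule described above, i.e. files that
# are group- or world-writable AND carry an execute bit, plus world-writable
# directories that lack the sticky bit. Paths and the demo tree are constructed.

# Usage: find_writable_exec DIR
# Lists regular files under DIR writable by group (020) or others (002) that
# are executable by anyone (100, 010 or 001). Octal -perm -MODE means "all of
# these bits set", which is POSIX and works on GNU and BSD find.
find_writable_exec() {
    find "$1" -type f \( -perm -002 -o -perm -020 \) \
         \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# Usage: find_open_dirs DIR
# Lists directories under DIR anyone can write to that are not sticky (1000);
# in a sticky dir users can only delete their own files, which is the usual
# /tmp arrangement and the minimum for a shared drop area.
find_open_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 -print | sort
}

# Build a small constructed tree and audit it: a 0755 binary (fine), a 0644
# data file (fine), a 0777 script (bad) and an open directory (bad).
demo_wx_audit() {
    root=$(mktemp -d)
    mkdir "$root/bin" "$root/dropbox"
    printf '#!/bin/sh\necho ok\n'  > "$root/bin/tool";   chmod 0755 "$root/bin/tool"
    printf 'data\n'                > "$root/notes.txt";  chmod 0644 "$root/notes.txt"
    printf '#!/bin/sh\necho pwn\n' > "$root/dropbox/up"; chmod 0777 "$root/dropbox/up"
    chmod 0777 "$root/dropbox"
    echo "== writable and executable files under $root =="
    find_writable_exec "$root"
    echo "== world-writable, non-sticky directories =="
    find_open_dirs "$root"
    rm -rf "$root"
}

demo_wx_audit
```

On a real system run `find_writable_exec /` as root and expect a short list; anything under a user's home or a web root that shows up is exactly the drop-and-run location the trojan discussed here needs. The audit reports; enforcement is mounting such directories `noexec` (and `nosuid`, `nodev`) so the execute bit stops mattering.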

RE[2]: I blame Apple
by whartung on Thu 22nd Jan 2009 23:42 UTC in reply to "RE: I blame Apple"
whartung Member since:
2005-07-06


1. An executable can write to a directory. That same directory can not be executed from.

2. A directory that can be written to must not ever allow executions from.

To achieve those two points the software must be run under a limited account. The exe can run from C:\Progs but only write to C:\user\desktop. C:\Progs can never be written to by the user. The user can write a file to their desktop using notepad.exe. An exploit to the web browser would not allow a virus to live on the system.

Thus an installer must be run as root because not only must it execute, it must write to a directory that will later be executed from.


That's all well and good. And as long as that process is provided by the "system", i.e. a "trusted agent", rather than "joe random installer that I just authorized", then that could mitigate the problem nicely. The system process can ensure that the privileges of the newly installed exe won't get inadvertently promoted to super user.

In this trojan's specific case, the major problem was that this exe got installed with SU privileges. If it was installed with my "generic user" privileges, it's no less a potential breach (it could be "loaded automatically", send sensitive documents to an outside party, etc.), but its capability to continue to do harm is limited by my weaker privilege set. (i.e. it can't download a new kernel module that roots my system even more).

Reply Score: 2

RE[3]: I blame Apple
by pcunite on Fri 23rd Jan 2009 03:57 UTC in reply to "RE[2]: I blame Apple"
pcunite Member since:
2008-08-26

"That's all well and good. And as long as that process is provided by the "system", i.e. a "trusted agent", rather than "joe random installer that I just authorized", then that could mitigate the problem nicely."

You are correct. We have to know we can trust the software. That is why I am very careful of what I install. At some point there is initial risk.

Reply Score: 1

RE[3]: I blame Apple
by lemur2 on Fri 23rd Jan 2009 04:03 UTC in reply to "RE[2]: I blame Apple"
lemur2 Member since:
2007-02-17

That's all well and good. And as long as that process is provided by the "system", i.e. a "trusted agent", rather than "joe random installer that I just authorized", then that could mitigate the problem nicely. The system process can ensure that the privileges of the newly installed exe won't get inadvertently promoted to super user.

In this trojan's specific case, the major problem was that this exe got installed with SU privileges. If it was installed with my "generic user" privileges, it's no less a potential breach (it could be "loaded automatically", send sensitive documents to an outside party, etc.), but its capability to continue to do harm is limited by my weaker privilege set. (i.e. it can't download a new kernel module that roots my system even more).


I think you may have the wrong end of the stick here.

On Windows and, to a lesser extent, Mac OSX, the end users are accustomed to installing stuff for which they have no possible way to vet it. One gets a binary (somehow), and apart from the blurbs (which are written after all by the author of the software) one has no objective way to assess what is in the software and what it will do.

Asking for the root password on installation does nothing really with such a paradigm. End users will just be accustomed to giving it when they want to install anything. All that giving the root password does is identify that the person doing the installation is probably authorised to do so for that machine.

The only real way to ensure that the software one is about to install is not malware is to have everyone who uses the software able to inspect the source code at will. There will be enough people in the userbase who can audit the code functionality, and compile the software for themselves to verify that the distributed binary matches the source, that all people in the userbase can be assured that it is not malware.

Anything else ... involving customarily installing closed-source binary-only software ... will lead to the possibility of being compromised via trojan horses.

Edited 2009-01-23 04:05 UTC

Reply Score: 2

RE[4]: I blame Apple
by Brendan on Fri 23rd Jan 2009 10:30 UTC in reply to "RE[3]: I blame Apple"
Brendan Member since:
2005-11-16

Hi,

The only real way to ensure that the software one is about to install is not malware is to have everyone who uses the software able to inspect the source code at will.


That sounds great in theory, but in practice it's an empty promise that does nothing except provide a false sense of security.

For an example, I spend a lot of time programming in assembly and C and know enough to be able to read most languages. I run Gentoo and almost all the source code for everything I use is available (the only exception here is the NVidia driver). It's probably over 1 billion lines of code once you add in X, KDE, GCC, etc. Guess how many lines of code I've checked for malicious code? If you guessed "none" you're very close (I've played with the source code for Bochs a little).

If I did want to check the source code myself, there's no way I'd be able to keep up - there's more new code than I could possibly check and I'd never be able to keep up.

Normal users (e.g. people that have never seen source code in their life) would be less likely to check the code they use.

In the end we trust the suppliers, regardless of whether the suppliers are providing source code or not, because we have no sane alternative.

Note: AFAIK Gentoo's repository is extremely trustworthy, but there's many mirrors and I don't know of a way that I can make sure that the mirror I'm using is an untainted clone of the master repository. Maybe I'm wrong (hopefully I'm wrong)...

-Brendan

Reply Score: 3

RE[5]: I blame Apple
by lemur2 on Fri 23rd Jan 2009 14:14 UTC in reply to "RE[4]: I blame Apple"
lemur2 Member since:
2007-02-17

Hi,

" The only real way to ensure that the software one is about to install is not malware is to have everyone who uses the software able to inspect the source code at will.


That sounds great in theory, but in practice it's an empty promise that does nothing except provide a false sense of security.

For an example, I spend a lot of time programming in assembly and C and know enough to be able to read most languages. I run Gentoo and almost all the source code for everything I use is available (the only exception here is the NVidia driver). It's probably over 1 billion lines of code once you add in X, KDE, GCC, etc. Guess how many lines of code I've checked for malicious code? If you guessed "none" you're very close (I've played with the source code for Bochs a little).

If I did want to check the source code myself, there's no way I'd be able to keep up - there's more new code than I could possibly check and I'd never be able to keep up.

Normal users (e.g. people that have never seen source code in their life) would be less likely to check the code they use.

In the end we trust the suppliers, regardless of whether the suppliers are providing source code or not, because we have no sane alternative.

Note: AFAIK Gentoo's repository is extremely trustworthy, but there's many mirrors and I don't know of a way that I can make sure that the mirror I'm using is an untainted clone of the master repository. Maybe I'm wrong (hopefully I'm wrong)...

-Brendan
"

It doesn't work like that. One doesn't have to check the source code oneself to gain assurance as to its trustworthiness.

All that you need to know is that anyone can check it, and that it is vetted by package maintainers. Package maintainers (such as those at Debian, and hence indirectly Ubuntu) have a meritocracy ... there must be a reason for change (an open bug normally, or a new feature request), and the new code being proposed for acceptance must be vetted and agreed as the best solution.

As soon as anyone sees bulk changes (intended to introduce malware, but "disguised" somehow) ... there will be a question as to why such extensive changes for a simple bug. What do all these changes do? We will choose this other proposal from someone else instead, because it is far simpler to follow and less of a change, so it is far more elegant.

And so on. Read about it here:

http://www.debian.org/distrib/packages

Read about trying to get code into the repositories here:
http://www.debian.org/devel/
and here:
http://www.debian.org/doc/debian-policy/

Put it this way ... since the first implementation of repositories, and the open source change control methods behind them ... AFAIK there has never once (in many years of operation, over many different distributions, for millions of users) been malware introduced on to a user's Linux system via installing packages from the repositories.

As far as anyone getting a tainted copy different from that in the repository ... when you install a Linux distribution, the install CD includes a copy of the public key of each repository. Binary packages placed in the repositories are digitally signed with the corresponding private key. Package managers won't install software that has an incorrect signature. If you installed any Linux (even Gentoo) from a valid CD, then you won't be getting any corrupt packages installed. If your original install CD was compromised ... then you are already compromised anyway.

The proof is in the pudding, as they say. It is anything but an empty promise. In fact the track record of the package management systems for Linux is (so far at least) impeccable.

In comparison ... how many malware infections per million downloads of Windows software packages would you estimate? Perhaps a few thousand? I'd suggest that that is a conservative estimate.

Edited 2009-01-23 14:32 UTC

Reply Score: 2
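The signed-repository scheme the post above describes (public key shipped on the install media, packages signed with the repository's private key, the package manager refusing anything that does not verify) as a worked model. This is an added example and not code from the post or from any distribution's package manager; it uses Go's standard crypto/ed25519, and the Package layout, the names and the mirror-tampering scenarios are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what a mirror serves: a name, the binary payload and a detached
// signature made with the repository's private key. Constructed model, not
// the apt/dpkg or Portage on-disk format.
type Package struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Repository owns the signing key. Only the public half ever leaves it
// (on the install CD, in the post's terms).
type Repository struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewRepository generates a fresh Ed25519 signing key pair.
func NewRepository() (*Repository, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Repository{pub: pub, priv: priv}, nil
}

// PublicKey is the value that would be placed on the install media.
func (r *Repository) PublicKey() ed25519.PublicKey { return r.pub }

// packageDigest binds the payload to its package name, so a mirror cannot
// re-serve a validly signed payload under a different package name.
func packageDigest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name and payload cannot bleed into each other
	h.Write(payload)
	return h.Sum(nil)
}

// Publish signs a package; this is the only step that needs the private key.
func (r *Repository) Publish(name string, payload []byte) Package {
	return Package{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(r.priv, packageDigest(name, payload)),
	}
}

// Installer is the client side. It trusts exactly the keys that came with
// the installation media and nothing a mirror tells it.
type Installer struct {
	trusted []ed25519.PublicKey
}

// NewInstaller builds an installer with the given trust anchors.
func NewInstaller(keys ...ed25519.PublicKey) *Installer {
	return &Installer{trusted: keys}
}

// ErrUntrusted is returned for any package whose signature does not verify
// under a trusted key: tampered payload, swapped name, or a rogue signer.
var ErrUntrusted = errors.New("package signature does not verify against any trusted repository key")

// Install checks the signature before anything would be unpacked.
func (i *Installer) Install(p Package) error {
	digest := packageDigest(p.Name, p.Payload)
	for _, key := range i.trusted {
		if ed25519.Verify(key, digest, p.Signature) {
			return nil
		}
	}
	return ErrUntrusted
}

// Tamper returns a copy of p with one payload byte flipped, modelling a
// mirror that alters the binary but keeps the original signature.
func Tamper(p Package) Package {
	payload := append([]byte(nil), p.Payload...)
	if len(payload) > 0 {
		payload[0] ^= 0x01
	}
	return Package{Name: p.Name, Payload: payload, Signature: p.Signature}
}

func main() {
	repo, err := NewRepository()
	if err != nil {
		panic(err)
	}
	installer := NewInstaller(repo.PublicKey())

	editor := repo.Publish("editor", []byte("constructed editor binary"))
	fmt.Println("genuine package:", installer.Install(editor))
	fmt.Println("tampered payload:", installer.Install(Tamper(editor)))

	// The same signed payload served under another package's name.
	swapped := Package{Name: "shell", Payload: editor.Payload, Signature: editor.Signature}
	fmt.Println("renamed package:", installer.Install(swapped))

	// A mirror operator with their own key cannot sign for the repository.
	rogue, _ := NewRepository()
	fmt.Println("rogue signer:", installer.Install(rogue.Publish("editor", editor.Payload)))
}
```

The point the model makes is that the mirror is untrusted by design: only the first scenario succeeds, and nothing the mirror can do to a package (change bytes, rename it, or sign it with its own key) gets past an installer whose only trust anchors came with the install media.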

RE[2]: I blame Apple
by Havin_it on Fri 23rd Jan 2009 18:57 UTC in reply to "RE: I blame Apple"
Havin_it Member since:
2006-03-10

I think you nailed it*. I have tried to follow this philosophy on my various Windows installs, by revoking execution perms from a Limited User's writeable folderspace. It does cause problems with many benign but lazily-designed apps, though. A large part of this is probably because Windows (NTFS) permissions instantiate this permission not on its own, but as the "execute files / traverse directory" permission, which means the revoked user can't, for example, DIR or CHDIR in these folders. I've never heard a reasonable explanation of why these two disparate permissions are fused together in Windows; if anyone has, I'd love to hear it.

*Of course, we have to trust the installer itself not to do anything naughty. It would be nice if Windows was tooled to enforce their behaviour to stick to the above, but I can't see that ever happening when they can't even set sensible default permission-layout ;)

Reply Score: 2

RE: I blame Apple
by Gone fishing on Fri 23rd Jan 2009 08:22 UTC in reply to "I blame Apple"
Gone fishing Member since:
2006-02-22


" On the Mac, when an app asks for Superuser, I as a consumer really want to know "why". What is so special and important for this application that it needs such privileges.
"

I'm not a Mac user, but this doesn't make sense to me. If you can install by just dragging and dropping (that does sound nice) without super user privileges, doesn't that mean the app will only be available to the user who installed it? That sounds like a pain in the arse.

Also, that means the app can do whatever it likes to the user's environment, and that's where the real damage is done. If I lose my OS I can always reinstall in an hour or two; if I lose all my email and my thesis, that's a disaster.

When I click something and it installs, I want to be superuser; I want to have to put in my password, etc.

Reply Score: 4

RE[2]: I blame Apple
by evangs on Fri 23rd Jan 2009 10:22 UTC in reply to "RE: I blame Apple"
evangs Member since:
2005-07-07

Mac applications are self-contained bundles. All the libraries that they need are either statically linked or bundled together with the app. That's essentially what the .app bundles are. This is also why installing applications does not require root privileges, since they are not modifying any system directories.

Reply Score: 2

RE[3]: I blame Apple
by pcunite on Sat 24th Jan 2009 03:20 UTC in reply to "RE[2]: I blame Apple"
pcunite Member since:
2008-08-26

" Mac applications are self-contained bundles. All the libraries that they need are either statically linked or bundled together with the app. That's essentially what the .app bundles are. This is also why installing applications does not require root privileges, since they are not modifying any system directories.
"

This is very dangerous then. I have my Windows XP system configured in such a way that an executable cannot both read and write from the same directories. In other words, email me a virus and it won't execute. Viruses simply do not run under my username. NO exe can run under any directory that I can write to. When folks and PC bloggers figure out SRS policy you will realize how safe Windows XP has been since Service Pack 2.

Edited 2009-01-24 03:23 UTC

Reply Score: 1
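The "no executable may run from a directory I can write to" policy the post above describes, as a worked model of a default-deny path policy. This is an added example, not the poster's configuration and not Windows Software Restriction Policies code; it models the evaluation logic only (default deny, the most specific matching path rule wins, paths normalised before matching), with constructed rules and file paths.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is one path rule: executables at or below Prefix are allowed or denied.
type Rule struct {
	Prefix string
	Allow  bool
}

// Policy is a default-deny execution policy. Among the rules that match a
// path, the most specific (longest prefix) decides. Constructed model.
type Policy struct {
	rules []Rule
}

// NewPolicy stores every rule prefix in normalised form.
func NewPolicy(rules ...Rule) *Policy {
	p := &Policy{}
	for _, r := range rules {
		p.rules = append(p.rules, Rule{Prefix: normalise(r.Prefix), Allow: r.Allow})
	}
	return p
}

// normalise folds case, converts backslashes and resolves "." and "..", so
// C:\Program Files\..\Users\bob\evil.exe is judged by where the file really
// lives rather than by the text of the path it was launched with.
func normalise(p string) string {
	p = strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
	return path.Clean(p)
}

// under reports whether file sits at or below dir, without letting
// "c:/program filesx" satisfy a rule written for "c:/program files".
func under(file, dir string) bool {
	return file == dir || strings.HasPrefix(file, dir+"/")
}

// Allowed decides whether an executable at exe may run.
func (p *Policy) Allowed(exe string) bool {
	file := normalise(exe)
	best := -1
	allow := false // default deny: no matching rule means no execution
	for _, r := range p.rules {
		if under(file, r.Prefix) && len(r.Prefix) > best {
			best = len(r.Prefix)
			allow = r.Allow
		}
	}
	return allow
}

// SamplePolicy approximates the layout the post describes: system and
// program directories may execute, user-writable locations may not. The
// directory names are constructed examples.
func SamplePolicy() *Policy {
	return NewPolicy(
		Rule{Prefix: `C:\Windows`, Allow: true},
		Rule{Prefix: `C:\Program Files`, Allow: true},
		Rule{Prefix: `C:\Windows\Temp`, Allow: false}, // user-writable, so the more specific deny wins
		Rule{Prefix: `C:\Users`, Allow: false},
	)
}

func main() {
	pol := SamplePolicy()
	for _, exe := range []string{
		`C:\Program Files\Editor\editor.exe`,
		`C:\Windows\System32\notepad.exe`,
		`C:\Users\bob\Downloads\invoice.exe`,
		`C:\Windows\Temp\dropper.exe`,
		`C:\Program Files\..\Users\bob\evil.exe`,
		`C:\Program FilesX\evil.exe`,
	} {
		fmt.Printf("%-45s allowed=%v\n", exe, pol.Allowed(exe))
	}
}
```

Two details carry the security value: the default is deny, so a file in an unlisted location (a mounted drive, a mail attachment folder) never runs, and matching happens on the normalised path, so neither a `..` segment nor a look-alike directory name turns a denied location into an allowed one.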

RE[4]: I blame Apple
by MysterMask on Sat 24th Jan 2009 08:25 UTC in reply to "RE[3]: I blame Apple"
MysterMask Member since:
2005-07-12


" This is very dangerous then.
"
No it isn't. launchd is in control.


" how safe Windows XP has been since Service Pack 2.
"
No, it isn't either. Several security holes demonstrated that this is not true.

Reply Score: 2

RE[5]: I blame Apple
by pcunite on Mon 26th Jan 2009 17:05 UTC in reply to "RE[4]: I blame Apple"
pcunite Member since:
2008-08-26

" This is very dangerous then.
No it isn't. launchd is in control.
how safe Windows XP has been since Service Pack 2.
No, it isn't either. Several security holes demonstrated that this is not true.
"

The premise of SRS is SECURE, whether you say it is or not. The fact that bugs have been found and fixed does not make the blind faith in the Mac's implementation of security any better.

Reply Score: 1

RE[4]: I blame Apple
by BallmerKnowsBest on Sat 24th Jan 2009 15:57 UTC in reply to "RE[3]: I blame Apple"
BallmerKnowsBest Member since:
2008-06-02

" When folks and PC bloggers figure out SRS policy you will realize how safe Windows XP has been since Service Pack 2.
"

That would certainly be nice, although I won't be holding my breath expecting it. Even as far back as Win2k, you could have a reasonably secure system just by running it with a normal user-level account - but from experience, even that is more hassle than most non-technical home users are willing to put up with.

Reply Score: 1

RE: I blame Apple
by 3rdalbum on Fri 23rd Jan 2009 10:30 UTC in reply to "I blame Apple"
3rdalbum Member since:
2008-05-26

Apple honestly doesn't care what runs as root.

Reply Score: 0

RE: I blame Apple
by Soulbender on Fri 23rd Jan 2009 13:58 UTC in reply to "I blame Apple"
Soulbender Member since:
2005-08-18

" If iWork didn't require this, perhaps someone would have noticed that the pirate version "installs different" than the original version, and potentially this warning would have gone up sooner.
"

Wait, hold on. So you're saying if it had installed silently without prompting it would have been easier to spot?

" Unfortunately, when I update my Ubuntu box, it seems to always want root, and I grudgingly give it.
"

Uh, so you think that it is MORE secure to let any user or process perform an upgrade and overwrite system files than actually prompt the user before doing so?
Wow, truly awesome.

Your reasoning is so backwards it is hilarious, and you simply have no idea what secure by default really means.

The funny thing is that nothing this trojan is doing really needs root access. All it does is add an application that autostarts and connects to a remote computer.

Reply Score: 1

RE[2]: I blame Apple
by whartung on Fri 23rd Jan 2009 19:15 UTC in reply to "RE: I blame Apple"
whartung Member since:
2005-07-06

*sigh*


" Wait, hold on. So you're saying if it had installed silently without prompting it would have been easier to spot?
"

Um, it DID install silently. The install process of the trojan software was identical, at least from a user-experience point of view, to the original software.

From an installation view, there is nothing amiss in the trojaned version.

Now, if the infiltrators had actually changed the installer to require root access, whereas the original did not, then someone may have noticed that discrepancy, and that might have prompted more initial investigation as to why the torrent version was different from the boxed version.


" Uh, so you think that it is MORE secure to let any user or process perform an upgrade and overwrite system files than actually prompt the user before doing so?
"

No, I think it's unfortunate that granting root to foreign systems for updates is considered "routine" rather than the exception.

I think users should "think twice" about granting such access.

Did you actually read any of the rest of the post?

" The funny thing is that nothing this trojan is doing really needs root access. All it does is add an application that autostarts and connects to a remote computer.
"

In terms of accessing user files, no, of course not. All software is dangerous in this regard, and anything downloaded can pump your deepest secrets to a waiting server.

Save using sandboxed software (e.g. unsigned Java Applets, say), all of our personal data is wide open to attack, publishing, and destruction by untoward software.

But, software with Admin or root privileges is necessary to truly "infect" a machine. These privileges are used to hide the software, corrupt other software, and generally get free rein on your machine.

While the Mac and Linux are not impenetrable, clearly the difficulty of getting root privileges, and the habitual use of normal operations while not having these privileges, has been frustrating malware creators; otherwise we would likely see even more malware and such on these machines.

We can raise the "market share" issue all we want about why there is little malware on the Mac and Linux, but truth be told, if it was easy to get malware on these platforms, we'd have it up to our eyeballs.

The systems are vulnerable, but the market share isn't high enough to make writing it worth the time and effort. If the effort were lower, we'd likely be seeing it by now.

Reply Score: 3

Well wadayah know?!
by factotum218 on Fri 23rd Jan 2009 04:54 UTC
factotum218
Member since:
2007-03-20

In other news grandma opened an email attachment that turned out not to be a recipe for pie crust. Just how badly did this flaky user get burned? Find out at 10....

And somehow people never seemed to believe that I could avoid a system wide crash by not downloading and installing from unknown sources.

Seriously though, pirate ships most often get sunk at some point.

Edited 2009-01-23 04:58 UTC

Reply Score: 2

buzievagy
Member since:
2009-01-23

The fact that the iWork trial is freely available as a 30 day trial version from Apple's site, and that the trial version can be transformed into the real 'retail' version given the proper serial number, only makes this story even worse.

I never understood why people put freely available stuff on torrent sites - it just makes no sense (maybe the virusbarrier guys did it? who knows) - and I also never understood why anyone would download shit from the slow torrents if the same is available from the original publisher. No, it's not faster.

Again, this is pure human greed, nothing more. Shelling out that $79 if you really use their software is not a big deal. I also used iWork '08, and will be checking '09 as well, but to me openoffice (neooffice) is much much better and suitable. Enough for what I need. And it's also free.

Lots of Mac software is in fact quite cheap, and while you can't buy everything, at least you could buy those apps that you use on a regular basis. For example: ForkLift is a wonderful file manager that I used for a while in its 'pirated' version, but since I really rely on it (ftp, uninstalling stuff, batch rename, etc.) I decided to support its developers and give them the $30 or $40 they wanted. Never regretted it. Then for instance Liquid CD, which is donationware, and much better than that stupidly huge Toast. After I had been using it for half a year or so, and was absolutely satisfied with it, I 'donated' a few bucks - and was given a proper serial. No biggie. And the list could go on. SuperDuper in the Tiger era for backing up stuff for $25..., etc.

Really, I just don't understand the pointless torrent sharing and downloading at times.

Reply Score: 2

Wherewithal
by Havin_it on Fri 23rd Jan 2009 18:30 UTC
Havin_it
Member since:
2006-03-10

It's just one word, Kroc.

</GrammarNazi>

Great article, though. We don't think much about the Mac warez scene, and this whole situation reminds us that piracy both exists, and can have the same ramifications for the idiot pirate, on Macs as on Windows (or any other platform where software isn't sourced from a central repository).

And I wholeheartedly echo the hope for Mac users to be spared the lascivious attentions of Symantec & co. Nobody deserves that!

Reply Score: 2

Bound to happen, still, a wake up call
by siraf72 on Fri 23rd Jan 2009 19:44 UTC
siraf72
Member since:
2006-02-22

On mac OS x, when I download a shareware/freeware app from the internet that requires root privileges to install, I deny and delete. There might be a couple of exceptions but I can't think of any.

The fact is ANY application that asks for root on a mac should be questioned. As was mentioned before though one tends to trust big name apps (alas often pirated versions as well).

As a mac user this most definitely IS news. I'm not into pirating, but have in the past hacked-and-try before buy. That behavior even for an experienced user can be dangerous.

Good article.

Reply Score: 1

DollarCardMarketing
Member since:
2009-01-24

What the brief article did NOT mention, and many of the commenters may not be aware of, is that this vulnerability not only puts the Mac user that downloaded the pirated software at risk, but the trojan itself is designed to set up a botnet to use those computers as slaves to the master's whim. I'm ALL for wagging my finger and saying "shame shame... " to those who download pirated software when there's a perfectly good trial version available for 30 days from the source. And if something bad should happen to their system as a result of their thievery, then so be it. However, this was used as a weapon against an innocent third party. Whoever did this can launch instructions to those 20,000 computers to execute some other dastardly deed against someone (or some people) who have nothing to do with their software or P2P networks, etc...

How do I know this? I was actually the victim of a DDOS attack from those 20,000+ computers that nearly put an end to my business by crippling our host's servers and pushing our bandwidth over 600Gb within a week's time and sending millions of bot "visits" to our DollarCardMarketing.com site. We have no way of knowing whether the coder had something against us, or we were just a randomly picked "test" site, or if someone hired them to write and distribute it. A more comprehensive article was written and is being followed up on at the Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_...

Be safe!

Best Regards,

John

Reply Score: 3