Linked by HAL2001 on Thu 19th May 2011 12:10 UTC
Privacy, Security, Encryption "A little over two weeks have passed since the appearance of MAC Defender, the fake AV solution targeting Mac users. And seeing that the approach had considerable success, it can hardly come as a surprise that attackers chose to replicate it. This time, the name of the rogue AV is Mac Protector, and the downloaded Trojan contains two additional packages. As with MAC Defender, the application requires root privileges to get installed, so the user is asked to enter the password."
We told you so
by sparkyERTW on Thu 19th May 2011 12:50 UTC
sparkyERTW
Member since:
2010-06-09

See, this is exactly why every Mac user that brags about the fact that "they don't have to worry about viruses" makes me want to reach out and give them a hard slap in the face.

(Note that I'm not saying ALL Mac users; I'm sure there are a substantial portion that have a healthy and informed knowledge of computer security)

The ONLY thing that makes OS X less prone to attack is disinterest from malware creators. Looks like that era might be fading.

Reply Score: 1

RE: We told you so
by gfolkert on Thu 19th May 2011 13:57 UTC in reply to "We told you so"
gfolkert Member since:
2008-12-15

Not particularly.

These equivalent programs get installed in Windows without the "root" privileges.

This means that privilege separation in Windows is just Palin broken and has been since they broke Ring 0.

If these users automatically put in the password when they don't know what in hell they are installing in the first place... then this is not a real problem with the OS design, but with the person operating the machine.

Someone installing a program outright in OSX regardless of its supposed or real intent does not constitute an OS design flaw.

Reply Score: 3

RE[2]: We told you so
by fretinator on Thu 19th May 2011 14:11 UTC in reply to "RE: We told you so"
fretinator Member since:
2005-07-06

This means that privilege separation in Windows is just Palin broken

That's really broken. I guess the only thing worse is Sony broken.

Reply Score: 4

RE[2]: We told you so
by pantheraleo on Thu 19th May 2011 15:07 UTC in reply to "RE: We told you so"
pantheraleo Member since:
2007-03-07

Actually, according to most security researchers, from a technical standpoint, Macs are more vulnerable than Windows. Apple has been pretty lax on security. Safari, for example, has more security issues than IE does. It's easier to root a Mac than it is to root Windows. The first commenter is correct. The only reason we don't see more widespread Mac infections is because it's not a high profile enough target.

Reply Score: 5

RE[3]: We told you so
by Kivada on Thu 19th May 2011 15:47 UTC in reply to "RE[2]: We told you so"
Kivada Member since:
2010-07-07

And yet most of the holes aren't related to Apple software, but Adobe's piles of crap that are forced upon the computing world.

Size of target has nothing to do with value of target.

And before you cite the pwn2own contests, look again at what hoops they make them go through on the Mac to open up an attack vector and that the Mac has a far higher resale value than the generic PCs they put up. Maybe if they offered something of value, like a decent Toughbook or maybe something from Sager/Clevo or BoxxTech you'd see a change in what was targeted first.

Reply Score: 0

RE[4]: We told you so
by pantheraleo on Thu 19th May 2011 18:26 UTC in reply to "RE[3]: We told you so"
pantheraleo Member since:
2007-03-07

and that the Mac has a far higher resale value than the generic PCs they put up. Maybe if they offered something of value, like a decent Toughbook or maybe something from Sager/Clevo or BoxxTech you'd see a change in what was targeted first.


eh... That's not how it works. The first person to root any of the systems get to pick whatever system they want to keep. So no, resale value has nothing to do with which one gets targeted first.

Reply Score: 3

RE[2]: We told you so
by moondevil on Fri 20th May 2011 16:56 UTC in reply to "RE: We told you so"
moondevil Member since:
2005-07-08

Not particularly.

These equivalent programs get installed in Windows without the "root" privileges.


Only if running as administrator.

Show me a Windows machine properly up to date, with a user running with a limited account, where he can install such applications?

Reply Score: 2

RE[2]: We told you so
by BluenoseJake on Sat 21st May 2011 15:49 UTC in reply to "RE: We told you so"
BluenoseJake Member since:
2005-08-11

They get installed as the current user if you are not an administrator, just delete the account, and you are good to go, just like in Unix.

It's only when you are running as admin do they get access to the entire machine.

Reply Score: 2

RE: We told you so
by HackDefendr on Thu 19th May 2011 16:01 UTC in reply to "We told you so"
HackDefendr Member since:
2010-05-21

Visualize this: I'm playing a tiny violin for you M$ devoted folks.

As mentioned by others...this virus still relies on the Mac owner to be running Safari with auto-open safe files enabled.

Guess what...in Chrome for Mac, the file just downloads. Which means now I have the source for this wanna be virus. And now, because I have forwarded that downloaded zip file, all of the anti-virus companies and researchers also have it.

So... until the hackers can figure out how to trick Mac users beyond a simple download and hope that the user will not only open the file, but run it, and give admin privileges - Mac virus impacts are still a long way off in comparison. Oh, I am sure there will be at least one, but comparatively, Mac users are more savvy and don't tend to get caught up in dumb phishing or fake av traps.

On a side note...closing what ever browser you are running stops the Fake AV from running and moving to the download phase.

Jeff

Reply Score: 0

RE[2]: We told you so
by pantheraleo on Thu 19th May 2011 18:32 UTC in reply to "RE: We told you so"
pantheraleo Member since:
2007-03-07

As mentioned by others...this virus still relies on the Mac owner to be running Safari with auto-open safe files enabled.


Until about two years ago, it was possible to use DNS cache poisoning to trick a Mac into downloading malicious software updates from a bogus update server. Apple's update mechanism didn't properly verify the authenticity of the server it contacted for updates. Apple knew about this vulnerability for years, and did nothing to fix it until it was widely publicized and became very easy to do using a plugin for metasploit.

Also, a couple of years ago, there was a critical vulnerability in Java that allowed applets to break out of the sandbox. Apple didn't patch this vulnerability in their JVM until 8 months after Sun had announced it and patched their own JVM.

So there have been at least two cases in the past that I know of just off the top of my head where it has been possible to target Macs without tricking the user into running an application. One vulnerability was left open for years after it should have been closed. The other was left open for 8 months longer than it should have been.

Reply Score: 4

RE[2]: We told you so
by sparkyERTW on Fri 20th May 2011 12:33 UTC in reply to "RE: We told you so"
sparkyERTW Member since:
2010-06-09

Mac users are more savvy and don't tend to get caught up in dumb phishing or fake av traps.


Are they, now? Hmph, I had no idea, must've missed that memo.

Please pass along the study or studies this information was uncovered, as I would greatly enjoy reading them. Hopefully my tiny pea-brain of a non-Mac user will be able to comprehend it. If I'm lucky, they'll have pretty, colorful pie charts of "savviness".

Reply Score: 1

RE[2]: We told you so
by pantheraleo on Fri 20th May 2011 14:06 UTC in reply to "RE: We told you so"
pantheraleo Member since:
2007-03-07

Mac users are more savvy and don't tend to get caught up in dumb phishing or fake av traps.


Actually, according to more than one security research firm, Mac users are MORE likely to fall for phishing traps than Windows users are. The reason is because Windows users are well aware of these threats and that they need to watch out for them. Mac users, on the other hand, have largely bought into the Apple propaganda and such that their systems are immune from vulnerabilities. And the average Mac user lumps phishing traps right in with viruses and malware, believing their Macs to be immune to phishing traps.

So basically, the average Mac user is more likely to fall for a phishing trap because the average Mac user doesn't even know what a phishing trap is. Hardly what I would call more technically savvy than Windows users.

It also doesn't help that Safari and Apple's Mail.app are about the worst on the market when it comes to detecting phishing traps and providing the users with any kind of warning if something looks suspicious. So Mac users just go along fat, dumb, and happy, unaware of the threats to their systems. And because of that, they are more likely to fall for those threats.

Edited 2011-05-20 14:10 UTC

Reply Score: 2

Discount Viagra
by brewmastre on Thu 19th May 2011 13:19 UTC
brewmastre
Member since:
2006-08-01

Sent from my iPad

EDIT: Dammit! Where can I download Mac Defender, I think I'm infected?

Reply Score: 9

Can't get excited
by fretinator on Thu 19th May 2011 13:36 UTC
fretinator
Member since:
2005-07-06

I can't get excited about a "virus" that requires you to enter the administrator password to install. If you download stuff from web pages, and enter the root/administrator password when it wants to install, there is no good protection for you. And that is true on Windows, Linux, Mac, BSD, etc.

As Forest's momma used to say, "Stupid is as stupid does."

Reply Score: 5

RE: Can't get excited
by Neolander on Thu 19th May 2011 13:53 UTC in reply to "Can't get excited"
Neolander Member since:
2010-03-08

At the risk of getting annoying with my sandbox advocacy... How exactly are you supposed to know *why* some piece of software requires admin rights before installing and running it, on nowadays' desktop OSs?

Reply Score: 2

RE[2]: Can't get excited
by gfolkert on Thu 19th May 2011 13:59 UTC in reply to "RE: Can't get excited"
gfolkert Member since:
2008-12-15

In my book: If the program does not tell you why... it doesn't get installed.

Then, if you don't understand what you are granting, you shouldn’t be allowing anyway.

Social engineering in these problems is the largest problem.

Reply Score: 1

RE[2]: Can't get excited
by fretinator on Thu 19th May 2011 14:10 UTC in reply to "RE: Can't get excited"
fretinator Member since:
2005-07-06

The key is - did I download something on purpose and CHOOSE to install. Then I will grant it privilege. If you don't know why something is asking for your password, just say no. If you are unsure, say no. Only say yes when YOU have chosen to install something. Even with Windows update, I have it set to notify me when updates are ready, I review the updates, and only then do I CHOOSE to install them. When it asks for my permission, I know why.

The bottom line is, when you don't know why something is asking for permission, just say no. It was good enough for Nancy, it's good enough for me.

Reply Score: 3

RE[2]: Can't get excited
by WereCatf on Thu 19th May 2011 14:56 UTC in reply to "RE: Can't get excited"
WereCatf Member since:
2006-02-15

At the risk of getting annoying with my sandbox advocacy... How exactly are you supposed to know *why* some piece of software requires admin rights before installing and running it, on nowadays' desktop OSs?


On current OSes it's not easy, I admit that, but if someone wrote a completely new OS they could separate every API in use to two categories: privileged and non-privileged. Even file system access would have to be separated for it to be effective, and so if your application used e.g. PrivFileOpen("somefile.txt") instead of FileOpen("somefile.txt") the system would immediately notify about it and halt execution.

Similarly, executables would have to list in the executable file every function call they use (excluding parameters though) so that if the application tries to use a function call not specified it would again get halted.

Then at installation time the OS would present the user with what permissions the application is asking for, i.e. what privileged functionality or data it wants access to, and a short explanation of what each item might entail and possibly a warning based on heuristics on the permissions being asked.

Sure, it would require a helluva lot of work and careful design from the OS developer(s), but it should still help at least a little. Of course there are still those luddites who just click away, but clear-text explanations for items should again help with at least some of them; people often just click "Ok" or "next" because they don't understand what's presented to them, not because they don't care.

Reply Score: 1

RE[3]: Can't get excited
by Neolander on Thu 19th May 2011 15:12 UTC in reply to "RE[2]: Can't get excited"
Neolander Member since:
2010-03-08

Happy to see that I'm not alone wanting OSs to work that way ;)

Though I would rather not incorporate the privileged/nonprivileged status of API calls at the function name level on my side. There would just be a set of default privileges, like "Accessing ~/.%APPNAME%" on an unice, that would be granted to everyone and would be well-documented in the API doc.

This would in turn allow new backwards-incompatible releases to change the set of default privileges, if experience shows that there was a mistake in it somewhere.

Edited 2011-05-19 15:14 UTC

Reply Score: 1

RE[4]: Can't get excited
by WereCatf on Thu 19th May 2011 16:43 UTC in reply to "RE[3]: Can't get excited"
WereCatf Member since:
2006-02-15

Happy to see that I'm not alone wanting OSs to work that way ;)


I've been thinking for years of how I would write my own OS if I ever did one, and strong security from bottom up is one of those features I'd like to implement ;) I've got lots of ideas, both security-related and non-security-related, but even writing down all the aforementioned ones would be way too much to fit inside an OSNews comment form :/

Though I would rather not incorporate the privileged/nonprivileged status of API calls at the function name level on my side. There would just be a set of default privileges, like "Accessing ~/.%APPNAME%" on an unice, that would be granted to everyone and would be well-documented in the API doc.


The reason why I'd separate them is exactly because of this thing you mentioned: non-privileged calls would only have access to your files, i.e. ~/*, and trying to open anything outside of your files would immediately generate a warning and you'd need to use privileged calls for that. It would allow for slightly more fine-grained control, plus it would allow for more fine-grained status messages, both to the system and to the user. And it would force developers to pay a little bit more attention to what they're doing themselves, which is only a good thing; just get a handful of Windows apps and there's bound to be some examples of what I mean.

Edited 2011-05-19 17:01 UTC

Reply Score: 2

RE[5]: Can't get excited
by Neolander on Thu 19th May 2011 19:28 UTC in reply to "RE[4]: Can't get excited"
Neolander Member since:
2010-03-08

The reason why I'd separate them is exactly because of this thing you mentioned: non-privileged calls would only have access to your files, i.e. ~/*, and trying to open anything outside of your files would immediately generate a warning and you'd need to use privileged calls for that.

Myself, I aim at something a bit more restrictive as a default setting: software only has access to its own files and to files which you explicitly give it access to, either via command line parameters or via "Open/Save file" dialogs in a GUI.

Normal utility software has no business peeking at your files without asking for permission first. User files are his/her private property, at least in my opinion ;)

It would allow for slightly more fine-grained control,

Why does separating privileged and non-privileged code at the API call level allow for more fine-grained control? Can't the implementation of SomeFunction() itself check if the instruction is privileged or not, and if it is, issue a warning or halt the program, all that being done through a standard API for optimal user experience/security/whatever?

plus it would allow for more fine-grained status messages, both to the system and to user.

Again, to me it sounds like a benefit of a fine-grained privileged model as a whole, not of your solution in particular ;)

And it would force developers to pay a little bit more attention to what they're doing themselves, which is only a good thing; just get a handful of Windows apps and there's bound to be some examples of what I mean.

What you said ;)

Edited 2011-05-19 19:29 UTC

Reply Score: 1
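A toy model of the scheme the two posts above sketch, added here as an illustration and not code from either commenter: WereCatf's FileOpen/PrivFileOpen split, a per-executable list of declared calls that halts anything undeclared, and an install-time prompt explaining each requested privilege, combined with Neolander's default of access to the app's own directory plus files the user explicitly hands over via a dialog or command line. The names Manifest, Sandbox, fs.all, net.connect and the explanation strings are assumptions.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

class PolicyViolation(Exception):
    """Raised when a program steps outside what its manifest declared; the OS would halt it."""

@dataclass(frozen=True)
class Manifest:
    """Hypothetical per-executable manifest: every function it may call, plus privileges requested."""
    app: str
    declared_calls: frozenset
    privileges: frozenset = frozenset()

# Install-time text shown next to each requested privilege (constructed wording).
EXPLANATIONS = {
    "fs.all": "read or write any file on the system, including other users' data",
    "net.connect": "open outbound network connections",
}

def install_prompt(m: Manifest) -> list:
    """What the installer would present: one line per requested privilege, plus a heuristic warning."""
    lines = [f"{p}: {EXPLANATIONS.get(p, 'no description available')}" for p in sorted(m.privileges)]
    if "fs.all" in m.privileges and "net.connect" in m.privileges:
        lines.append("warning: full file access combined with network access can send your data off the machine")
    return lines

@dataclass
class Sandbox:
    """Mediates calls for one running program; default file access is the app's own directory only."""
    manifest: Manifest
    home: str
    grants: set = field(default_factory=set)   # paths the user explicitly handed over

    def _check_call(self, name: str) -> None:
        if name not in self.manifest.declared_calls:
            raise PolicyViolation(f"{self.manifest.app} called undeclared {name}; halting")

    def grant(self, path: str) -> None:
        """Models an Open/Save dialog choice or a command-line argument naming a file."""
        self.grants.add(PurePosixPath(path))

    def file_open(self, path: str) -> bool:
        """Non-privileged open: allowed inside ~/.APP or for explicitly granted files, else denied."""
        self._check_call("FileOpen")
        p = PurePosixPath(path)
        own = PurePosixPath(self.home) / f".{self.manifest.app}"
        return p in self.grants or own in p.parents

    def priv_file_open(self, path: str) -> bool:
        """Privileged open: only if the manifest declared the call AND requested fs.all."""
        self._check_call("PrivFileOpen")
        if "fs.all" not in self.manifest.privileges:
            raise PolicyViolation(f"{self.manifest.app} used PrivFileOpen without fs.all; halting")
        return True
```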

RE[4]: Can't get excited
by moondevil on Fri 20th May 2011 14:45 UTC in reply to "RE[3]: Can't get excited"
moondevil Member since:
2005-07-08

This is a bit like how Symbian works.

Your application needs to have specific certificates depending on which APIs it calls.

Reply Score: 2

RE[5]: Can't get excited
by Neolander on Fri 20th May 2011 22:38 UTC in reply to "RE[4]: Can't get excited"
Neolander Member since:
2010-03-08

Yeah. I think Android also works this way. For once, mobile OS' low-level layers prove to be better-suited to their job than desktop ones ;)

Edited 2011-05-20 22:54 UTC

Reply Score: 1

No offense but..
by hussam on Fri 20th May 2011 00:35 UTC
hussam
Member since:
2006-08-17

It sucks that some folks are allowed to use computers. It's not that hard to protect yourself from virus infections without "sacrificing computing experience" or whatever it is called in English.

Reply Score: 0

**Yawn**
by jamiepedder on Fri 20th May 2011 01:33 UTC
jamiepedder
Member since:
2010-07-29

These Mac vs. Windows comments some have made are getting a little boring. Both operating systems are great, and I understand that some will prefer one over another, but please really?

It is a fact that as Mac gets more popular, it will become a more attractive target for crapware/malware creators. There is now some decent security software available for Mac, and along with Windows users we should all have some form of security software installed.

If you are a tech savvy user, then you will know the risks of not doing so.

Reply Score: 1