
Mac malware evolves to no longer require users to enter their password  - zgorgonola
http://nakedsecurity.sophos.com/2011/05/26/apple-malware-evolved-no-password-required/
======
rickmb
In other words: it still falls into the "you have to be stupid enough to allow
total strangers behind the wheel of your car" category, they just don't need
you to hand over the keys anymore. Got it.

Stupidity is not a problem that can be solved through technology.

At least Apple now has a service to protect stupid people against themselves,
it's called the "App Store". You know, with the kind of approval system we've
all been bitching about.

As far as I'm concerned, self-inflicted malware is about as big a security
issue as running with scissors. To treat it as some external force that needs
to be dealt with by manufacturers, OS-makers, anti-virus producers or even
legislators just perpetuates the real problem, turning it into a perpetual
arms race that can not possibly be won, but at some point may cost us the
freedom to install anything we want on _our_ computers.

~~~
mahrain
Exactly, Mac users have so far been very safe from actual viruses and worms,
and other malicious stuff sneaking onto your computer through security holes,
however, this type is something you can't do anything against. It's the user
consciously downloading and running a program.

For this type of inexperienced users Symantec and McAfee make Mac products.

~~~
derefr
Just as a thought: if there was an "Only run Mac App Store-distributed
applications" switch somewhere in OSX's System Preferences, off by default, I
know several people for whom I (as their tech-guy-cum-sysadmin) would flip it
on in a heartbeat, and then never likely hear about this particular flavor of
PEBKAC again.

~~~
wesley
System preferences > accounts > parental controls > limit programs > allow
app-store programs > all

Deny all the rest.

------
jasonlotito
* Requires user interaction, so it doesn't count.

* Doesn't work if you aren't an admin.

* The OS is just installing what the user agreed to install.

Seems like Mac users are regurgitating Windows users' excuses from years ago.

It's a problem. Rather than make excuses, we should be expecting Apple and
others to be actively working toward a solution.

~~~
mahrain
If I trick a GNU/Linux or UNIX user into running a "sudo rm -rf /" command and
entering a password, did I create malware?

~~~
tincholio
No, modern rm implementations disallow that by default. You need to override
it with a switch.

------
hobolobo
Without wanting to sound condescending, I'm not sure that the average Mac user
is sophisticated enough (in terms of technical expertise) to detect
interaction that has been initiated by malware.

So many years of being told that there's no such thing as malware for OSX (and
so no need for anti-malware) may have produced fertile ground for it. Of all
the people with Macs I know, just one has an anti-virus installed.

------
caf
In the final screenshot, I wonder how Sophos think that the unsophisticated
user is supposed to figure out which of the two scare boxes claiming to have
detected malware is lying, and which is telling the truth?

------
ralfd
There are only two long-term solutions:

- an anti-virus scanner which constantly monitors all your files, hogs
resources and plays the game of cat & mouse

- prevent users from installing software that wasn't from the Mac App Store,
just like on iOS.

The last is a nuclear option and not practicable for a professional desktop
system. But I would like this as a configurable option for my parents.
(Withholding the admin password from them is another possibility, but, well,
see the article)

~~~
wesley
Don't the parental controls in mac os x allow this? Haven't tried, but you can
limit the apps that the user can run to your own selection. Or even limit to
just app store apps.

------
raffaelc
Just to be clear, the article is written by someone associated with Sophos, a
commercial anti-malware firm. ClamXav for Mac OS X is free, the engine is open
source, it has regular malware definition updates, and monitors any directory
or directories the user specifies. Well written, powerful, open source, free
software. www.clamxav.com

------
credo
from
http://www.macworld.com/article/160098/2011/05/macdefender.html

 _"Windows 7 is actually more secure than OS X, but the gap narrows every
year. And there simply isn’t the same attack ecosystem for Macs, nor are we
likely to see one develop.

So while Mac users will likely see more malware, it’s highly improbable we (or
Windows 7 users) will ever experience what those who are still running Windows
XP battle today.

But two other factors are changing the Mac security landscape. First, Apple
products are growing rapidly in popularity. At the same time, the overall
Internet security environment is more hostile than a cantina on Tatooine."_

~~~
wesley
How is Windows 7 more secure? I can install a malicious app if I want to on
any system.

The only "problem" here is that Safari automatically opens safe files. They
should also get a SmartScreen filter like IE9 has. Safari has something like
this already (Google safefilter) but it doesn't seem to be as effective.

Mac OS X as a whole has XProtect, but that is a very simplistic defense to
look for some known malware signatures.

~~~
generalk
I'm no security expert, but I do try to keep up. Someone please correct me if
my facts are off. _Ahem_ :

Windows 7 does a lot more randomization of memory layout than Mac OS X does,
making it more difficult to exploit executables and libraries shipped with the
system. It's actually easier to exploit a Mac OS X machine than it is a
Windows 7 machine -- see the results of pretty much every Pwn2Own [1] contest.

That said, the vast majority of spyware is targeted at Windows and doesn't
need low-level exploits to do its job. It's the difference between safety and
security; you're probably more safe on a Mac, even though they're technically
less secure.

[1]: <http://en.wikipedia.org/wiki/Pwn2Own>

~~~
wesley
True, but it is my understanding that the randomization will finally be
addressed in Lion (Address Space Layout Randomization)

http://www.appleinsider.com/articles/11/02/25/apple_exposing_mac_os_x_lion_to_security_experts_for_review.html

------
rbanffy
I believe only a recent Windows emigrant would fall for the "your computer is
infected" trick.

Oh, and wow! It evolved and now installs in a part of the system that makes
the malware easily detectable and removable.

I wonder what Sophos is trying to sell... Oh yes! Anti-malware for a platform
that really doesn't need it nearly as badly as that other competing platform.

Flagged because it's actually an ad.

------
TheNewAndy
Someone who knows how OSX works - how is the malware getting execute
permissions?

~~~
darren_
It's not. For whatever reason, OS X installer pkg files are deemed 'safe
files' by Safari, which has an option to open such "safe" files automatically.
So the thing that actually launches is a standard Installer.app from Apple,
but running a pkg script provided by the 'bad guys'. Fortunately Installer.app
requires user interaction before it does anything, but it's still
disconcerting.

------
joshzayin
As I understand it, this relies on the admin account's ability to write to the
/Applications folder without a password. So, if you just run in a non-admin
account, you should be fine.

~~~
wesley
Won't the non-admin account just ask for the admin password? Since people are
used to doing this when installing apps, it comes as second nature.

If people are willing to click through several steps of an installer app,
they'll also type in the admin password if requested.

This is only useful for other family members that you do not trust for safety
reasons.

~~~
joshzayin
Right, but the _point_ of this article is that it no longer needs the admin
password. If you're running in a non-admin account (like I am), it'll still
need the password, and thus user interaction, so it'll be trivial to stop.

~~~
wesley
Even without the password you still need user interaction, the user has to
click next multiple times during install.

~~~
joshzayin
True. Somewhere I thought I read that the installer ran without user
interaction in this variant, but thinking about it, that doesn't make much
sense.

Though, if you're concerned about having to give an admin password (as
evidently some people are), running in a non-admin account would solve that.
(Also, if you have write privileges to /Applications, it's possible to write a
script overwriting the contents of a trusted executable with malicious code,
but that isn't how this works so it's slightly irrelevant.)

------
gilesc
Interesting that the author of the fake in-browser Finder apparently uses
Dropbox.

------
apinstein
Does anyone know how this malware gets past the com.apple.quarantine
attribute? That is a little concerning, though in general this is just your
standard trojan attack.

~~~
wesley
Are you talking about the dialog warning you about opening software from the
web?

Might it be because the zip file is extracted automatically? (open safe files
in safari)

Or is an installer not considered an application in Apple's eyes?

Edit: well, I just checked without open safe files (I just found it today on a
Google image search, Google plays a big part in the distribution of this). And
there still is no warning when opening the zip. I assume once extracted it
doesn't know it was downloaded from the web. Is it that easy to circumvent?
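
The quarantine question raised above (apinstein and wesley), together with darren_'s point earlier in the thread that Safari hands an auto-opened .pkg straight to Installer.app, is easiest to reason about by looking at the attribute itself. The following is an added example, not code from the thread, from Sophos or from Apple: it parses a com.apple.quarantine value (assuming the four-field layout Safari writes: hex flags, hex Unix timestamp, agent name, event UUID; flag bit meanings are left uninterpreted), reads the attribute on a Mac via the stock `xattr -p` tool, and performs wesley's check of whether files extracted from a quarantined archive kept the attribute. The sample values and file names are constructed.

```python
"""Inspect macOS com.apple.quarantine values (added example, not from the thread).

Assumed attribute layout (what Safari and other quarantine-aware apps write):
    <flags hex>;<download time, hex Unix seconds>;<agent name>;<event UUID>
The UUID keys the LaunchServices quarantine-event database. Flag bit meanings
are deliberately not interpreted here.
"""
import datetime
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample values, not captured from real downloads.
SAMPLE_SAFARI = "0081;4ddd0b3c;Safari;1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6D"
SAMPLE_NO_UUID = "0002;4ddd0b3c;Safari;"  # minimal form with an empty UUID field


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime.datetime
    agent: str
    event_uuid: str


def parse_quarantine(value: str) -> Quarantine:
    """Split a raw attribute value into its four fields.

    Raises ValueError for anything that is not the four-field form, so a
    caller never mistakes garbage for a real quarantine record.
    """
    parts = value.strip().split(";")
    if len(parts) != 4:
        raise ValueError(f"expected 4 ';'-separated fields, got {len(parts)}: {value!r}")
    flags_hex, ts_hex, agent, event_uuid = parts
    downloaded_at = datetime.datetime.fromtimestamp(
        int(ts_hex, 16), tz=datetime.timezone.utc
    )
    return Quarantine(int(flags_hex, 16), downloaded_at, agent, event_uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute value for `path`, or None when it is absent.

    Uses the stock `xattr -p` tool on macOS (Python's os.getxattr is
    Linux-only). On other platforms there is nothing to read, so None.
    """
    if sys.platform != "darwin":
        return None
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def unquarantined_extracted(archive_value: Optional[str],
                            extracted: Dict[str, Optional[str]]) -> List[str]:
    """Names of extracted files that lack the attribute although the archive had it.

    This is the check wesley's experiment calls for: if the downloaded zip
    carried the attribute but the extractor did not propagate it, the unpacked
    .pkg (and whatever Installer.app runs from it) gets no
    'downloaded from the web' warning.
    """
    if archive_value is None:
        return []  # the archive itself was never quarantined; nothing to compare
    parse_quarantine(archive_value)  # validate the archive's record first
    return sorted(name for name, value in extracted.items() if value is None)


if __name__ == "__main__":
    record = parse_quarantine(SAMPLE_SAFARI)
    print(f"agent={record.agent} flags=0x{record.flags:04x} "
          f"downloaded={record.downloaded_at:%Y-%m-%d %H:%M:%S} UTC")
    # Constructed extraction result: the zip was quarantined, one member was not.
    members = {"installer.pkg": None, "README.txt": SAMPLE_SAFARI}
    print("lost quarantine on extraction:",
          unquarantined_extracted(SAMPLE_SAFARI, members))
    if len(sys.argv) > 1:  # real check on macOS: pass a downloaded file's path
        print(sys.argv[1], "->", read_quarantine(sys.argv[1]))
```

On a Mac, run the script with the path of a downloaded zip, then with the paths of the files your archive tool extracted from it; a None for the extracted .pkg where the zip had a record is exactly the "it doesn't know it was downloaded from the web" case. Off macOS the reader only gets the constructed sample, since `xattr` and the attribute itself are not there.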

------
napierzaza
I like how they make it look like a passive process, except for the fact that
at every screen shot you would have to run the application or click "next".
This is social engineering. You were tricked into installing it. There's no
way to stop that if it's an open system.

------
hackermom
Some nice sensationalism and FUD there by Sophos. Great product marketing,
guys.

