

Apple to support reps: 'Don't confirm Mac infections' - foob
http://www.theregister.co.uk/2011/05/20/apple_malware_attacks/

======
learc83
I worked in Geek Squad for 5 years (finally started making enough money
doing freelance development to quit this past December).

I've done malware removal on 5-10 computers a day, 5 days a week for most of
that time. So I've seen thousands of malware infections on the average
consumer's computer. I've seen more different malware infections than just
about anyone outside of an antivirus research lab.

When I first started, most malware came from users downloading files from
P2P sites. However, for the last 2 years nearly all the malware I found was
installed via a drive-by download that happened without user input.

You can talk all you like about avoiding porn sites and installing AV
software, but it's not that simple. The majority of the computers I worked on
had current AV programs--they weren't able to prevent the infections. The
situation with malware and Windows is absolutely terrible, and it doesn't only
happen to idiots who stuff their drives with porn.

Macs have security flaws--they aren't perfect, but when compared to the
malware ghetto I've dealt with over the years, calling this Mac malware
problem an "explosion" is just ridiculous.

~~~
josephcooney
Selection bias? Your conclusion that Windows is a malware ghetto based on your
experience at the Geek Squad is like a doctor saying 'everyone is sick,
because all I see every day are sick people'.

~~~
powrtoch
I think the meaning was that Windows is a malware ghetto compared to Mac. More
akin to a doctor noticing that 95% of his patients are blondes and declaring
that blondes tend to get sick more.

The significance of this is offset by the base rate though: unlike Windows
PCs, blondes don't constitute 90% of the sample group.

------
maqr
The users who are most likely to be infected by this stuff are the same users
that Apple caters to in person in their stores. Many Apple customers (at least
the ones that I know) have become used to in-store "geniuses" fixing their
difficult computer problems -- setting up their email, installing software,
that kind of thing. This is going to be very difficult for Apple stores to
handle.

~~~
furyg3
It's not really that hard; Windows support guys have been doing it forever.
And, like almost everything else, it's easier on a Mac (my mom got this
malware... on Mother's Day).

The problem is: naive user + attack vector (bad default Safari options) +
malicious attacker (advertising network).

The solution is:

* Cleanup - Kill process from Activity Monitor, delete app from Applications, and installers from Downloads folder (kinda shocked that there isn't more to it).

* Inform - Teach user about basic practices.

* Close vector - Safari's _Automatically open safe files after download_ checkbox.

* Block attacker - Install AdBlock for Safari (Bonus points).

All of the above, except the 'informing' part, takes all of two minutes to do,
so I think the "Geniuses" at the Apple Stores can manage.

To those entrepreneurs whose business model is based on ads... sorry, but
Adblock is the new Antivirus. I install it alongside any software updates or
antivirus software (even on Macs, now).

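furyg3's four steps above, scripted as an added example (this is not the commenter's code, nor anything from Apple). It assumes the rogue app installs as a bundle named NAME.app in /Applications with a process of the same name, and that its installers sit in ~/Downloads as NAME*; "Mac Defender" and "Mac Protector" are the names mentioned in this thread, so use whatever bundle name you actually see in Finder. The Safari preference key is the one behind the "Open 'safe' files after downloading" checkbox. The file-deletion step takes explicit directory arguments so it can be exercised against a scratch tree before being pointed at the live disk.

```shell
#!/bin/sh
# Added example, not from the thread: furyg3's cleanup / close-vector steps.
# Assumptions: rogue app = /Applications/NAME.app, process name = NAME,
# installers = ~/Downloads/NAME*.  Adjust NAME to the bundle you actually see.

# Step 1: kill the running process (what Force Quit in Activity Monitor does).
# -x matches the exact process name, so the shell running this script is not
# matched even though NAME appears on its own command line (pkill -f would).
kill_rogue_process() {
    command -v pkill >/dev/null 2>&1 || return 0
    pkill -x "$1" 2>/dev/null || true   # no such process is not an error
}

# Steps 2 and 3: delete the app bundle and any downloaded installers.
# remove_rogue_files APPS_DIR DOWNLOADS_DIR NAME -> 0 only if nothing is left.
remove_rogue_files() {
    apps=$1; dl=$2; name=$3
    rm -rf "$apps/$name.app"
    for f in "$dl/$name"*; do
        if [ -e "$f" ]; then rm -rf "$f"; fi
    done
    # Verify rather than trust rm: a file still present means the cleanup failed.
    [ ! -e "$apps/$name.app" ] || return 1
    for f in "$dl/$name"*; do
        if [ -e "$f" ]; then return 1; fi
    done
    return 0
}

# Step 4: close the vector.  Safari's "Open 'safe' files after downloading"
# checkbox is the AutoOpenSafeDownloads key in com.apple.Safari; with it off a
# downloaded .zip is no longer unpacked (and a .pkg/.dmg no longer opened)
# without the user doing anything.  Restart Safari afterwards.
close_safari_auto_open() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; not on macOS, Safari setting left alone" >&2
        return 1
    fi
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    # Check it took: a false boolean reads back as 0.
    [ "$(defaults read com.apple.Safari AutoOpenSafeDownloads)" = "0" ]
}

# Whole procedure against the live system.
cleanup_rogue_av() {
    kill_rogue_process "$1"
    remove_rogue_files /Applications "$HOME/Downloads" "$1"
    close_safari_auto_open
}

# Only touches the live Mac when asked explicitly, e.g.:
#   sh cleanup.sh --apply "MacDefender"
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    cleanup_rogue_av "$2"
fi
```

This covers exactly the steps the comment lists, which is the "first generation" case beaumartinez describes further down: anything that also persists elsewhere (a login item, a launchd agent) needs more than this, and the AdBlock step has no command-line equivalent.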
~~~
beaumartinez
> _Cleanup [...] kinda shocked that there isn't more to it._

Perhaps not with this "first generation" of OS X malware.

On Windows, some malware replicates to files and has other self-preservation
quirks, making anti-malware software necessary.

> _I think the "Geniuses" at the Apple Stores can manage._

Against simple malware, yes. When crackers start investing time and effort
into their malware (like on Windows), it'll be a different case altogether.

------
morganpyne
To be honest, I'm just curious why we haven't seen much _real_ malware yet.
The Mac Defender stuff is a joke, but there's no reason why somebody couldn't
be exploiting the recent Skype bug
(<http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking>),
or the Chrome/Flash bug (<http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php>),
the bugs found at pwn2own or the myriad other holes which are closed regularly
via updates.

~~~
orijing
The reason is scale and alternative options: If you're a hacker, why focus on
the Mac when you can target 10x as many people on Windows?

~~~
morganpyne
I have often seen this mantra repeated, but I can't believe that this is
enough to dissuade _every single hacker_. With Macs approaching 10% of the
market this has got to be worth somebody's time to have a go. And yet, I know
a lot of folks with Macs and not a single one has ever had malware issues.
Either nobody is getting hit, or they are getting hit with stuff so good and
stealthy that they just don't know it :-) I'm certainly not arguing that Macs
are invulnerable (far from it), I'm just genuinely curious why somebody
somewhere isn't stepping in to fill the malware niche.

~~~
orijing
Yeah, I'm surprised if no hacker just wants to penetrate the Mac to be able to
claim victory, like "Steve Jobs, you thought macs couldn't get viruses. Let me
prove you wrong"... or something like that?

~~~
sid0
Don't people like Charlie Miller do just that?

Of course, they aren't in it for the profit, where the only rational thing to
do is to target Windows.

------
illumen
Yesterday I saw some mac osx malware being served up from a website listed in
google image search results.

The search was Flamenco or something like that. My girlfriend pulled me over
to show me that this website was saying it was from apple security and that I
needed to download a tool to remove the Trojan.

Having just come back from a visit to Turkey, we found the Trojan reference
funny.

I think if she had been surfing with Safari the .zip file would have extracted
automatically, which I think would have caused many people to run whatever
evil was stored inside.

~~~
tjogin
That definitely is a stupid default setting.

------
nchlswu
As far as I'm concerned, when I read this I had no problems with what Apple is
doing. They got a memo stating that Apple is looking into it, and don't
confirm/deny malware.

That's what they're supposed to do, no? This is hardly a cover up. Apple is
simply reminding their support staff to not make promises they can't keep.
This is a holdover till they have a solution. If their permanent solution is a
cover up, that's a whole other story.

~~~
Niten
I agree... although it would be nice if they would step up for their customers
in this regard, I just don't see a scandal here. (That's just The Register's
style of reporting I guess, not to diss them or anything.)

However, the letter itself is interesting in that it confirms Mac malware is
becoming a real issue.

------
Groxx
More abuse of the term "infection":

> _The con artists behind Mac Defender hook their victims by presenting Mac-
> using web surfers with images that depict an antivirus scan taking place on
> their machines. The images falsely claim users are infected with serious
> malware and urge them to download and install the antivirus package. Those
> who fall for the ruse are then infected._

Yes. It's _malware_. It has _infected_ the computer. Because they _downloaded
and installed it willingly_. But "infection" implies "virus" to most people,
and this is nothing of the sort.

------
augustl
I hope Apple solve this by creating a consumer version or mode of OS X with a
sandbox similar to iOS. I'd love if my mom had no way of installing software
that could break the computer, without doing scary sounding stuff like
"jailbreaking" or "enable developer mode".

~~~
fuzionmonkey
Chrome OS is the epitome of this. The whole operating system is just a
browser. Nothing to configure, install or break.

------
sliverstorm
The real news is not that Apple won't remove malware, it's that Apple is
apparently actively working to conceal the truth and perpetuate the Mac-
selling legend that Macs cannot get viruses.

~~~
wisty
It's not a virus. It's malware. Users install it, and it sends them to porn
sites.

If you run "sudo rm -rld /*" on a Mac, it may not run so well either.

Of course, it may be a sign that more sophisticated malware (i.e. real
viruses, and other stuff that actually exploits the Mac's vulnerabilities)
will be on the way.

~~~
daeken
> Of course, it may be a sign that more sophisticated malware (i.e. real
> viruses, and other stuff that actually exploits the Mac's vulnerabilities)
> will be on the way.

Once an OS has the attention of malware writers (even user-installed malware
like this), real malware won't be far behind. Especially when you consider how
much easier exploitation is on OS X than, say, Windows or Linux. It's 2011,
but OS X still doesn't have useful ASLR -- supposed to be coming in 10.7, but
it was also supposed to come in 10.6, so we'll see how that goes.

~~~
danssig
> when you consider how much easier exploitation is on OS X than, say, Windows
> or Linux.

[citation needed]

It wasn't until Windows 7 that Windows finally got a reasonable security
approach. I don't know what install bases look like these days, but most PCs I
interact with are still on XP, which is obviously not harder to exploit than OS
X.

~~~
blub
That is not correct, most of the security improvements were already
implemented in Vista, which was released in 2007.

~~~
adamc
Yes, but Microsoft has acknowledged that there were weaknesses in its 32-bit
ASLR implementation for Vista; see
[http://en.wikipedia.org/wiki/Address_space_layout_randomizat...](http://en.wikipedia.org/wiki/Address_space_layout_randomization)

~~~
sid0
32-bit ASLR is going to be weak by definition. It's unavoidable.

------
progolferyo
As a PC turned Mac user for the last 3 years, this is truly the best thing
about working on the Mac platform. My girlfriend is still on her shitty HP
laptop and it is so incredibly painful to watch her worry about viruses and
malware on a daily basis.

I hope Apple's policy around this is not going to be sweep it under the rug
because it could get out of control as Apple market share grows and more
effort is dedicated towards hacking the Mac.

As stupid as this story is, it is still something that Apple is gonna have to
probably start paying more and more attention to, given the trajectory of
Apple market share in the future and the increased effort that will be taken
towards the Mac platform.

I think

~~~
kenjackson
_My girlfriend is still on her shitty HP laptop and it is so incredibly
painful to watch her worry about viruses and malware on a daily basis._

WTF is your gf doing on a daily basis? Does she do reviews of shady porn
sites? Install MSE (it's free) on your gf's computer and tell her not to
install programs sent in email from people. Then tell her to stop worrying.

And if she does do reviews of shady porn sites, tell her to use a VM.

~~~
cosgroveb
This blame-the-user bullshit has to end. My own girlfriend got a virus (it was
hostage-ware to be precise) last year and doesn't visit porn sites, runs up-
to-date anti-virus, and keeps Windows up-to-date and patched. She knows better
than to run random shit sent to her via email. She's very defensive and doesn't
even open an email that looks shady. It was probably a drive-by download,
Flash, PDF, or Java, I don't know. Running combofix, anti-spyware scanners,
and everything I could find on forums didn't help. She wasn't happy that I had
to wipe her HDD.

It is painful to watch her worry about viruses.

~~~
smackfu
All it takes is one or two mistakes. Typo in URL, click a link, blindly click
past a prompt that you should be reading, and you have malware and you
probably didn't even notice it, no matter how smart your girlfriend is.

~~~
isleyaardvark
Ad networks. Or just a reputable site screwing up. People often mention porn
sites or incorrect urls, but it's worth repeating that the user doesn't
necessarily have to do _anything_ wrong.

------
yuhong
Personally I feel that top-down control of customer support agents is
fundamentally flawed these days, but that is a different matter.

------
Caballera
Mac Protector (another name for Mac Defender) tried to install on my wife's
new MacBook Pro the other day when she went to live.com to get the last of her
contacts and some emails. She knew not to give it permission to
install, and panic and disaster were averted.

Mac Defender does look pretty real though, and I could see how the uninformed
or people that easily panic would give it permission to install. One second
you're on the web, then a 'window' pops up saying you're infected with a virus
and to get the latest downloads etc., and it all looks convincingly real.

I don't regret switching to Mac myself, as my Mac runs so much smoother than
any Windows PC, plus installation of software is a breeze, my MacBook Pro
starts up in 15 seconds and it just works right out of the box. There was no
crapware pre-installed like on my old HP laptop.

Additionally, when I was researching purchasing my MacBook Pro I saw
that Apple does recommend using anti-virus software, and I do have it
installed, with no issues, and it doesn't slow my MacBook Pro down a bit.

------
Garbage
Original post - <http://news.ycombinator.com/item?id=2564429>

------
patrickk
Here's an article comparing some decent Mac antivirus applications for those
who are concerned:

<http://lifehacker.com/5800267/the-non+alarmists-guide-to-mac-malware-protection>

------
primeMover2010
Awesome. Even malware has higher usability on Mac than it has on other
platforms. And if you pay for the snake oil... errrr... remedy, the virus is
gone. The virus writers are pretty awesome social engineers.

------
wesley
OSX Lion better have an outgoing firewall.. Anyone know?

~~~
ericd
Little Snitch can do this currently, if you're looking. Outbound firewalls are
somewhat annoying, though, as you have to authorize every single program at
least once, which makes me think that Apple is unlikely to add one that runs
by default.

~~~
wesley
Just wondering, could a trojan somehow control Safari (or other approved apps)
via a script, and then upload files to the hacker's server, circumventing
Little Snitch and other outgoing firewalls?

~~~
podperson
A trojan can do anything a user can do, so yes.

The one thing Lion has going for it here is that apps can declare their
intention to do certain things and then be prohibited from doing anything
else. So, for example, a non networked app can tell the OS it has no interest
in using network APIs and will then be sandboxed from them (so if its code is
violated it won't be able to suddenly start phoning home). But, of course,
this requires effort on developers' parts to support the feature. The key
thing is that Apple's own apps are likely to use this feature.

But if you download some random piece of software and then run it and the OS
says "are you sure?" and you answer yes then you're boned.

And again, if you already said "yeah" to "run this bizarro app from
disreputable source", are you going to say "omfg no" when asked if it can use
the network?

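The Lion mechanism podperson describes above (an app declares what it needs and is denied the rest) is visible in a signed bundle's entitlements, and that is worth checking before assuming an app is cut off from the network. The following is an added example, not code from the thread or from Apple: the key names are Apple's App Sandbox entitlement keys, the two plists are constructed for illustration, and the `codesign -d --entitlements :-` invocation used to dump a real bundle's entitlements is an assumption about the tool rather than something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread.  Reads an entitlements plist and reports
# whether the app opted into the App Sandbox and whether it asked for network
# access.  Keys are Apple's App Sandbox entitlement names; the plists below are
# constructed samples.

# A sandboxed app that never declared a network entitlement: podperson's
# "no interest in network APIs" case.
SAMPLE_NO_NET='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>'

# The same app, but allowed to open outbound connections.
SAMPLE_NET='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>'

# has_true_key KEY < plist  -> 0 if KEY is present and set to <true/>.
# Whitespace is stripped first so key and value can be matched as one string;
# -F keeps the dots in the key name literal.
has_true_key() {
    tr -d ' \t\n' | grep -qF "<key>$1</key><true/>"
}

# classify_entitlements FILE -> prints one of:
#   unsandboxed           no app-sandbox key: the app can do anything the user can
#   sandboxed-network     sandboxed, but may talk to the network
#   sandboxed-no-network  sandboxed and cut off from network APIs
classify_entitlements() {
    if ! has_true_key com.apple.security.app-sandbox < "$1"; then
        echo unsandboxed
    elif has_true_key com.apple.security.network.client < "$1" \
      || has_true_key com.apple.security.network.server < "$1"; then
        echo sandboxed-network
    else
        echo sandboxed-no-network
    fi
}

# classify_app /Applications/Foo.app: on a Mac, dump the signed bundle's
# entitlements with codesign and classify them (assumed invocation).  An
# unsigned bundle has no entitlements to read, so codesign fails and we say so.
classify_app() {
    tmp=$(mktemp)
    if codesign -d --entitlements :- "$1" > "$tmp" 2>/dev/null; then
        classify_entitlements "$tmp"
    else
        echo unsigned-or-unreadable
    fi
    rm -f "$tmp"
}
```

The check only says anything about apps that opted in. A random installer the user approved, which is the case the comment ends on, is simply "unsandboxed" here and keeps the whole of the user's privileges, network included; and as the thread notes, an unsandboxed process can drive a sandboxed or firewall-approved one anyway.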
------
bonch
It says right in the article that AppleCare doesn't cover what users do to
their machines. Microsoft doesn't remove malware that Windows users install
either.

This thing is coming from Ed Bott's Microsoft column on ZDNet, where he's been
hitting this hard for the second day in a row based on an "investigation" that
involved him scouring the Apple discussion forums for a couple of hours. Two
hundred clueless posts on a web forum out of a userbase of millions doesn't
mean there's a "malware explosion," as he described it. Why are people falling
for this flamebait?

~~~
illumin8
The Mac Defender malware is pretty harmless. It downloads as a zip file, and
users must manually click through the entire installer just to get it
installed. How many Windows viruses are delivered as a setup.exe where you
have to click next about 3 times and enter your admin password just to install
it?

As usual anti-Mac trolls love to jump on the bandwagon and bash the platform
with one of the best security track records running.

~~~
Niten
Most Windows viruses these days have the exact same attack vector, simply
tricking the user into installing them. All we're seeing here is that: (1)
Despite the marketing, the Mac is not magically immune to these things any
more than Windows is, and (2) now that OS X has obtained a reasonable market
share it's finally become worth attacking.

Neither of these things should be surprising to anyone, and hopefully the
antimalware situation on OS X will improve before progressively more insidious
Mac viruses are released.

~~~
podperson
By definition a "virus" does not have this "attack vector". A virus spreads
with no conscious user intervention. This is a "trojan" -- something the user
inflicts on themselves, and neither the Mac nor Windows have any real
protection against trojans.

Mac OS X 10.6 has virus detection built into the OS. Only a couple of viruses
are detected because, oddly enough, that's all that have been found. Again,
"viruses" not "trojans".

Most "anti-virus" software is worse than malware on its own -- it slows down
the computer it's used on. Microsoft Windows, out of the box, will shut down
your computer without asking you, quitting out of applications on the way.
This, again, is exactly the kind of thing malware does.

~~~
skymt
Well if you want to get pedantic, a "virus" spreads by infecting legitimate
executables, a technique that hasn't been viable since the days of "Don't Copy
That Floppy". In everyday use, the word "virus" is synonymous with "malware"
and almost always refers to a trojan or drive-by.

~~~
podperson
The difference between a virus and a worm has become blurred, since both
spread without user intervention. But there's no such blurring with trojans.

------
innes
As the OS gets more popular, Apple will need to add the kind of protective
features present in Windows to deal with this sort of problem. Dismissing it
isn't gonna work - this kind of malware is the problem these days rather than
viruses. As a savvy user, I've never found the need to run antivirus software
on Windows, but it would be the height of arrogance for me to scoff at the
problems others do have and blame it on their stupidity.

As is the way with these things, Apple will stonewall, but I expect they'll
eventually handle the issue. In the meantime some of the congregation will snort
in derision and deny there's a problem.

~~~
Steko
Apple is not going to solve the problem of gullible people typing their credit
card info into a scammer's form, any Mac based solution (of which the obvious
will be to lock down installation to the Mac App Store) is just going to push
scammers back on the web.

~~~
innes
No, but they can help solve the problem of gullible people downloading and
running installers for known malware.

Honestly, listening to some Mac user responses to this problem, it's like
entering a timewarp back to when all the measures implemented on Windows/IE to
deal with this stuff hadn't even been thought up.

Possibly a quick fix, until it's addressed, is for folk on OSX to do their web
surfing in a Windows VM, using a security-focussed browser designed for non-
technical people, such as IE9. ;-)

~~~
danssig
>Honestly, listening to some Mac user responses to this problem, it's like
entering a timewarp back to when all the measures implemented on Windows/IE to
deal with this stuff hadn't even been thought up.

That's because many of the measures implemented on Windows are fundamentally
flawed. Virus/malware scanners? Really? So we want to turn infecting people's
computers into a business?

The MS approach has always been to make money on working around defects. I
really, really hope Apple doesn't decide to go down this route.

~~~
innes
> The MS approach has always been to make money on working around defects.

Internet Explorer and Windows Defender are both free.

Also, the _defect_ in this instance is allowing users to install software on
their PCs and not helping them avoid installing malware. As this story shows,
this is a defect that is shared and arguably worse on OSX.

~~~
danssig
Well, millions or billions _have_ been made on anti-virus software. The
overhead to have every file or network operation read by some scanning program
is too much. This needs to be avoided at all costs. Especially since there are
better ways.

Again, the proper solution for the kind of people who would actually install a
virus manually is to simply point them at the App store.

------
lotusleaf1987
Woof: <http://daringfireball.net/2011/05/wolf>

"According to a third article penned by Bott, AppleCare reps are seeing a
four- to five-fold increase in the number of calls requesting support for
rogue antivirus scams targeting the Mac"

So now a handful of incidents is cause for uproar?

"Porn sites just started popping up on my MacBook Pro," one user wrote. "Is
this a virus? I have never had a virus on a Mac before and I have been using
Macs for years. Please help!"

So it's just adware then? Oh no!

------
burn-a-mac
Hopefully this will make people think twice before buying crap produced by
Apple.

