
Apple support forums confirm malware explosion - ssclafani
http://www.zdnet.com/blog/bott/crying-wolf-apple-support-forums-confirm-malware-explosion/3351
======
teilo
I run a mac-heavy shop. About 40 of them at present.

The naysayers who want to downplay this as business as usual are wrong.

I have had three cases of this within two weeks at my company. Prior to that
time, I have not had a single piece of Mac malware infect my machines over a
period of 8 years.

This is not business as usual. I expect to find a whole lot more of this in
the near future, and for the first time since I've managed IT at this company,
I'm researching anti-malware solutions for Mac.

~~~
rbanffy
> I'm researching anti-malware solutions for Mac.

I'd advise you to educate your users (so as not to enter their passwords every
time the computer asks them for no apparent reason), run proper backups and
check Safari (and other browser) defaults.

~~~
teilo
As an alternative to anti-malware? You're kidding, right?

Do you really think that Mac users are inherently less gullible than Windows
users?

I have been in this business long enough to know that there are always certain
users who will click anything that pops up on their screen, no matter how
clearly you try to convince them otherwise. If education solves _your_ future
Mac virus problem, then more power to you. But that's just not the real world.

~~~
cosgroveb
Gullibility isn't even necessary to have machines get infected by malware.
There have been cases in the past of ad networks serving ads infected by flash
zero days. You don't have to run a downloaded executable to get an infected
machine.

~~~
27182818284
Exactly. I'm not worried about downloading an email; most of the non-savvy
users I know understand not to do that anymore. I'm worried about something
like Flash being the vector of the virus.

------
thaumaturgy
Our small shop had to clean up one of these yesterday. It's not hard, for now,
but there are all sorts of really neat hidey-holes in MacOS for these kinds of
things, and so far this piece of malware has been evolving pretty fast. It's
changed names three times, and it first started propagating as a fake
JavaScript alert on sites that looked like a Windows screen; now there's a
pretty reasonable Finder mock-up doing the dirty deed instead.

It doesn't help that there's a setting in Safari to automatically run "safe"
downloads.

I'm intensely curious about how far this thing goes. If it were to, say, start
hooking into launchctl ... well, that would be interesting indeed.

~~~
cbf
_It doesn't help that there's a setting in Safari to automatically run "safe"
downloads._

This feature has always struck me as a cordial invitation from Apple to trick
their users via some means or other.

~~~
flomo
It used to be worse. Early versions of Safari would automatically execute a
shell script as part of a "safe" download. They 'fixed' it by changing the
disk image spec rather than the Safari feature. This type of exploit probably
reflects how much thought was put into the feature.

The "safe download" social engineering attack was outlined years ago, so it's
somewhat surprising it took this long to be widely exploited.

~~~
kennywinker
>They 'fixed' it by changing the disk image spec rather than the Safari
feature.

Which was the right thing to do, by the way. I don't want disk images running
shell scripts when they are mounted manually OR automatically.

------
rb2k_
Isn't it still programs that the user explicitly has to install?

If normal users keep their random application installing limited to the app
store they should be fine. If you DO install "video players" from porn sites
or download stuff off the pirate bay, you might end up with malware...

~~~
podperson
Exactly. Nothing will protect you from stupidity.

~~~
Vivtek
You must not have parents with computers. It's not _stupidity_ - it's the
assumption that what you see on the screen isn't actively lying to you. For
somebody accustomed to being told that the computer is always right, this is a
hard thing to grasp, and attitudes like yours really don't help.

~~~
nickolai
Telling anyone that "the computer is always right" is the problem. The Mac
attitude saying "relax, the software knows what to do" is really putting the
users at risk in this case. They just don't have the dismissive reflex Windows
users have acquired for such situations.

EDIT: Disclaimer: I'm mostly a Linux user.

------
Tichy
Just in time to pave the way for App Store only installs on OS X.

~~~
cookiecaper
It's kind of disappointing overall, because package management has always been
the solution to this kind of problem. You tell users "never install anything
you don't find in the repo", but now it seems somehow tainted. I guess maybe
it's that nobody cares about it until Apple can make 30% of your software's
retail price through it.

I'm glad that systems are finally getting the same kind of package management
that we have enjoyed on Linux for well over a decade, but it's a serious
bummer that it has to come with such scammy-feeling commercialistic trappings
before it can be brought to the masses. It's hard to put my finger on the
feeling exactly.

~~~
blantonl
You advocated _and_ disparaged the App Store concept, and then you railed
against capitalism. Regardless of how you perceive the App Store concept, you
cannot deny that it works, and it works well.

Frankly, what's wrong with a package management system that charges consumers
and pays commissions to the host?

~~~
drivebyacct2
You're missing the point. The App Store is not a package management system.

In Ubuntu, I never, ever install one-off DEBs. Every single piece of software
is installed through a repo. I'm able to trust that software and I don't let
other apps get root privileges unless I grant them and know what's going on.

The Apple App Store is not a package management system. It's a store.
Developers have to relinquish control and money to have their apps listed
there. Thus, many apps must still be installed manually. It's not an open
ecosystem and it's not really fair to compare them.

Synaptic and trusted repositories save me from malware because there is no
reason not to use them. There are many reasons not to use Apple's.

------
ceejayoz
The really terrifying thing about this is how easily malware writers are able
to slip their downloads into major web sites. I got the MacDefender alerts on
MSNBC.com.

~~~
nkassis
Ad networks will doom us all.

~~~
RexRollman
Agreed. And this kind of thing is why I install NoScript on Firefox these
days.

------
bdittmer
Explosion? From this article it looks like it's a single piece of malware that
people are having trouble with. Hardly an explosion.

~~~
sjs
Pretty typical from zdnet. That site is mostly garbage.

Just as Gruber doesn't say nice things about Microsoft and/or Windows, neither
do Ed Bott and Mary Jo Foley say nice things about Apple and/or OS X.

Ed Bott's Windows Expertise: <http://www.edbott.com/weblog/>

Ed Bott's Microsoft Report: <http://www.zdnet.com/blog/bott>

Mary Jo Foley's All About Microsoft: <http://www.zdnet.com/blog/microsoft>

You can safely ignore 95% of everything these guys say about what they
perceive to be the opposition. They make Gruber's bias look like child's play.

------
jdq
The piece reads more like he is trying to defend himself after being called
out by Gruber.

------
passingbyhi
> I'm researching anti-malware solutions for Mac.

Sophos free for Mac: <http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx>

Avast (beta) free for Mac: <http://forum.avast.com/index.php?topic=78646.0>

ClamXav (free) for Mac: <http://www.clamxav.com/>

------
watmough
Heh, I just got an email that did a remarkable job of appearing exactly like a
typical Apple Store email.

Be careful out there folks. You don't know what's on the other end of that
link.

------
dkl
Anyone know if it is just Safari that allows infection? What about Chrome?

~~~
bradleyland
The infection doesn't actually occur within Safari. When you click a link,
your browser is redirected to a file download. The default behavior in Safari
is to unpack and run "safe" downloads. So, what happens is:

1. You click a link in Safari

2. The installer package is downloaded

3. Safari unpacks it and executes the installer

Note: you are not infected yet

4. The user completes the installer wizard, entering their password along the
way

5. The computer is "infected"

This sucks, but it's not a drive-by infection. Yet.

Chrome does not unpack and run downloads, so you'd have to execute the
downloaded package yourself.
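Added example, not code from the thread or from any commenter: a POSIX shell audit of the Safari "open safe files after downloading" preference that thaumaturgy, cbf and flomo complain about and that steps 2 and 3 above depend on. It assumes macOS's `defaults` tool and the real preference domain `com.apple.Safari` with key `AutoOpenSafeDownloads`; on a machine without `defaults` it reports the key as absent, which Safari treats as "on".

```shell
#!/bin/sh
# Audit (and optionally disable) Safari's automatic opening of "safe"
# downloads, the hand-off from download to running installer described above.
# Assumes macOS `defaults`; domain com.apple.Safari, key AutoOpenSafeDownloads.

# Pure helper: map the raw preference value to a verdict.
# `defaults read` prints 1 or 0; an absent key ("") means Safari's default, on.
classify_autoopen() {
    case "$1" in
        0|false|FALSE)  echo "hardened" ;;
        1|true|TRUE|"") echo "weak" ;;
        *)              echo "unknown" ;;
    esac
}

# Read the live value; empty when the key is unset or `defaults` is unavailable.
read_autoopen() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo ""
    else
        echo ""
    fi
}

# Turn the setting off for the current user; Safari must be restarted to pick it up.
disable_autoopen() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Report the verdict; with --fix, also disable the setting when it is weak.
audit_autoopen() {
    verdict=$(classify_autoopen "$(read_autoopen)")
    printf 'Safari AutoOpenSafeDownloads: %s\n' "$verdict"
    if [ "$verdict" = "weak" ] && [ "${1:-}" = "--fix" ]; then
        disable_autoopen && echo "disabled; restart Safari to apply"
    fi
}

audit_autoopen "$@"
```

Run it with `--fix` on each managed Mac to apply the change; on a fleet like teilo's this is the sort of check worth scripting before looking at anti-malware products.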

------
miniklop
I've used this firewall www.protemac.com/netmine for a few months, no problems
or attacks!

------
noelchurchill
Ugh it's finally happened.

~~~
jarin
If I remember correctly, this isn't the first OS X trojan by any means.

~~~
noelchurchill
_Yesterday I spent several hours going through discussions.apple.com and
collecting requests for help from Mac users who have been affected by this
issue. I found more than 200 separate discussion threads, many of them from
people who have been tricked into installing this software and are desperately
trying to remove it. It started with four posts on April 30; this past weekend
there were 42 unique, new discussion threads on this subject._

_I am not unfamiliar with Apple’s forums. I’ve done similar searches in the
past, especially after reading some of those same posts that Gruber called out
from 2008. I have never found more than one or two in-the-wild reports. This
time, the volume is truly exceptional._

This appears to be the first widespread malware attack.

