
Apple Snubs Firm That Discovered Mac Botnet - VuongN
http://www.forbes.com/sites/andygreenberg/2012/04/09/apple-snubs-firm-who-discovered-mac-botnet-tries-to-cut-off-its-server-monitoring-infections/
======
huxley
Good job to Dr. Web for finding this and trying to do the right thing, but these
quotes give a different context than you'd get from the article title and
lede:

"Sharov believes that Apple’s attempt to shut down its monitoring server was
an honest mistake."

"In Apple’s defense, it may not have recognized Dr. Web as a credible security
firm when the company contacted Apple earlier this month–I hadn’t heard of the
firm either until its discovery and analysis of the Flashback botnet."

It looks like Apple wasn't the only one surprised by this:

"But the better-known security firm Kaspersky confirmed Dr. Web’s findings on
Friday. A Kaspersky representative said it hadn’t contacted Apple with its
findings and hadn’t had any direct communication with the company, and
Kaspersky researcher Kurt Baumgartner wrote in a statement that 'from what
we’ve seen, Apple is taking appropriate action by working with the larger
internet security community to shut down the Flashfake [also known as
Flashback] C2 domains. Apple works vigorously to protect its brand and wants
to rectify this.'"

~~~
mindstab
That kind of "we didn't know" will only get you so far in this day and age,
where 1 second on Google will get you a Wikipedia page on Dr. Web saying
they've been around since 1992.

The world is bigger than firms who are big in America, and that kind of
American-centric thinking also won't go down well on the web.

~~~
lawnchair_larry
American centric? You realize Kaspersky is Russian as well?

~~~
guard-of-terra
Everybody at Kaspersky knows who Dr. Web is. It's a household name in Russia.

So it's probably the article's honest mistake if you infer otherwise from it.

------
mrich
How long will it take to change the mindset at Apple to think about security
before shipping? Microsoft did their job years ago, now Apple has to follow.

How long will it take for Mac users to learn that viruses are indeed a threat
on all kinds of computers, not just PCs? I can only hope Apple will take a
more active role in educating them.

~~~
dguido
... they have. They don't ship OS X with Java anymore. The only exploit this
attack campaign is using is a Java exploit. They install Java when the user
attempts to run something that needs it.

The next best thing they'll have to do is, when they install it, disable the
web plugin in Safari by default or add an interstitial that prompts the user
for it to run.

One 500k node botnet really is not that large in the grand scheme of things.

~~~
justinschuh
I think "they have" is a bit overstated, unless you just mean they've shown
improvement in the last few years. Things like functional ASLR and more use of
seatbelt in Lion are definitely headed in the right direction; however, there
seem to be major gaps in testing and validating security--even basic stuff like
continuous fuzzing and automated security testing. Also, their response and
turnaround time is generally worse than Microsoft's (close to a year has not
been uncommon). I can understand Microsoft's slowness due to their massive
compatibility matrix and enterprise customer base--but Apple doesn't have that
excuse. Apple has also been historically ignored as a mass malware target, so
maybe a 500k node botnet is a helpful wakeup call.

And just to be clear, I'll admit that I'm not a disinterested party here. The
Chrome security team carries the bulk of the WebKit security workload
(fuzzing, auditing, fixing, etc.). That consumes a tremendous amount of my
team's time, and prevents us from focusing more on Chrome. So, I'd definitely
appreciate it if Apple were significantly more proactive about security.

~~~
dguido
Why does Apple need to fix security bugs in Webkit? Are they being exploited
somewhere by attackers I'm not familiar with? It doesn't seem like there is a
problem to solve.

I'd venture to say that Apple is more proactive than most other vendors about
security because they look at the forest and not just the individual trees.

~~~
justinschuh
I talked to Alex briefly at CanSec about your strategy. I appreciate the idea
of setting a minimum bar, but it can start to sound like selling feel-good
security. It's easy to say in hindsight "all you had to fix was these ten bugs
and ignore the rest." The truth, however, is that you can't reliably predict
that in advance. History has shown that even the low-end mass malware moves to
more advanced techniques as targets become harder. And, of course, the
strategy you're proposing does nothing for those at risk from targeted attacks
(which is something I'm professionally seeing more and more of).

~~~
dguido
Actually, history does not show that low-end mass malware moves to more
advanced techniques and you CAN predict the vulns they'll target in advance,
as long as you're familiar with their motivations, capabilities, and
incentives. <http://www.trailofbits.com/research/#eip>

Again, show me an actual attack that has exploited Safari. Ever. Targeted,
mass malware, I don't care. Apple has better shit to worry about and their
investment in Seatbelt was worth 1000x more than individually fixing the
limitless supply of bugs in Webkit. Problem solved, move to next actual issue.

~~~
justinschuh
You can scope the discussion to mass malware on desktop Safari, but that's
just reductio ad absurdum. Any fortune 500 or government has to be concerned
with real attacks, not just tamping down the noise floor. And as for Apple,
they've historically been more interested in protecting their manufacturer
subsidy by stopping iPhone jailbreaks--in which WebKit exploits against Safari
have played a key role.

------
pooriaazimi
This 'discovery' did certainly boost Dr. Web's market share though! 'Dr. Web
Light' is now the number 2 most downloaded free app on the Mac App Store:
<http://cl.ly/1z0Z1F0P29221K1y3X01>

------
revelation
There is obviously no point in reiterating how Apple is removing Java, how
they are adding VMs, code signing - etc.

The only way for them to improve security is to take it seriously, because the
amount of code shipped with each release will only go up, never down. The
attitude needs to change.

There is, of course, lots of data to support this argument. Just do a quick Ctrl+F
through <http://support.apple.com/kb/HT5130> for 'arbitrary code execution'.
21 hits, and many of them in core apple components. These are almost extinct
on Windows by now.

~~~
runjake
_because the amount of code shipped with each release will only go up, never
down._

Actually, it went down with the Mac OS X 10.6 Snow Leopard release. Up to 7 GB
less. [1]

1. http://en.wikipedia.org/wiki/Mac_OS_X_Snow_Leopard#New_or_changed_features

~~~
klez
I'm nitpicking, but 7GB in binary doesn't necessarily mean 7GB in source code.

------
RyanMcGreal
One interesting sidenote in this story is the fact that Mac OSX now has enough
market share that it no longer enjoys security-by-obscurity from targeted
malware, let alone herd immunity.

~~~
nirvana
It never did. It has simply been much more secure. The "security by obscurity"
claim was a rationalization of windows fans to justify why the mac was so much
more secure.

Anyone who genuinely understands security understands that obscurity is not a
form of security. There are many incidents of high profile targeted attacks
against owners of macs that could have occurred in the past two decades if
Apple hadn't been taking security more seriously.

------
ravivyas
The biggest problem is as long as people think Macs are secure... they will
never be.

~~~
nirvana
Which is why there are botnets of millions upon millions of Macs out there
infected by viruses, while it's really big news that a Trojan manages to get
600,000 infections on Windows.

Oh, no, wait, it's the reverse!

~~~
ravivyas
:) Typical. I never mentioned anything about Windows. All I said was that, w.r.t.
computer security, you are most vulnerable when you don't have the fear of bad
things happening to you.

~~~
SeanLuke
You made an either-or proposition. Either you're secure or you're not. The
responder nailed it correctly: the issue is not "secure/insecure". His example
showed that it's a measure of utility. How much effort expended by Apple and
its users is worth the probable reduction in botnets on that platform and
their consequent damage? Because botnets are historically so rare on MacOS (9
or X), the utility equation has always been very much in the
don't-worry-about-it category. Not so for, for example, Windows.

Will this equation change significantly with the new botnet? I think it's
unlikely, but I dunno. Regardless, all-or-nothing seems to be the _wrong_
perspective from which to examine this problem.

~~~
ravivyas
I never mentioned Macs are more/less secure. All I am trying to say is that, w.r.t.
computer security, the sense of being secure and letting your guard down is the
most insecure thing. It's not just about viruses, Trojans, worms, etc.; it's also
about social engineering. I tell my mom not to open random links. I don't
mention whether it's in email or on a webpage, or whether it's on Windows or her
Android phone.

------
stuartd
Annoyingly, the Java 2012 update REMOVED the -uninstall option from Java, so
you have to rm it and clean up the installhistory plist manually if you want
to uninstall Java from Lion

------
drieddust
So Apple first ignores Oracle's warning and fails to issue the patch. Later it
reacts by removing Java and tries to shut down the security firm's domain.

How responsible :)

~~~
Zr40
No, Java wasn't removed. Java was _updated_ on systems where it had been
installed.

------
Havoc
>“We don’t know the antivirus group inside Apple.”

What antivirus group...

------
recoiledsnake
>“For Microsoft, we have all the security response team’s addresses,” he says.
“We don’t know the antivirus group inside Apple.”

Does Apple even have an antivirus group?

~~~
coob
They definitely have people working on OS X's malware protection (XProtect).
The definitions file can be found at
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
(Flashback A/B/C are in there for me).
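As an added illustration of what a definitions file like the one coob points at actually does (example code, not from the thread, from Apple, or from Dr. Web): the script below parses an XProtect-style plist and applies its byte-pattern signatures to a file. The plist it reads is constructed for this example, the key layout (Description / LaunchServices / Matches / MatchType / Pattern) is an assumption about how XProtect.plist is organised rather than a documented format, the hex patterns are dummies and not real Flashback signatures, and requiring every pattern of an entry to match is likewise an assumption about XProtect's semantics.

```python
"""Parse an XProtect-style definition list and apply its byte-pattern
signatures to a file.

Added example, not code from the thread or from Apple. SAMPLE_PLIST is a
CONSTRUCTED plist: its key layout (Description / LaunchServices /
Matches / MatchType / Pattern) is an assumption about how XProtect.plist
is organised, and the hex patterns are dummies, not real Flashback
signatures. Requiring every pattern of an entry to match is also an
assumption about XProtect's semantics."""
import plistlib

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.FlashBack.A</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.installer-package-archive</string>
    </dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>464C41534842414B</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.FlashBack.B</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.installer-package-archive</string>
    </dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>DEADBEEF</string>
      </dict>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>CAFEBABE</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Constructed sample "installer package": it carries the FlashBack.A marker
# ("FLASHBAK" = 46 4C 41 53 48 42 41 4B) and only one of the two
# FlashBack.B markers, so B must not fire on it.
SAMPLE_PKG = b"\x00" * 16 + b"FLASHBAK" + bytes.fromhex("DEADBEEF") + b"\x00" * 8


def load_signatures(plist_bytes):
    """Return a list of (description, content_type, [pattern bytes, ...])."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        patterns = [bytes.fromhex(m["Pattern"])
                    for m in entry.get("Matches", [])
                    if m.get("MatchType") == "Match"]
        ctype = entry.get("LaunchServices", {}).get("LSItemContentType")
        sigs.append((entry["Description"], ctype, patterns))
    return sigs


def scan(data, sigs, content_type=None):
    """Return the descriptions of every signature that matches `data`.

    A signature is skipped when its LSItemContentType disagrees with the
    content_type the caller supplies (type gating, as quarantine does for
    downloads), and it fires only when every one of its byte patterns
    occurs somewhere in `data`."""
    hits = []
    for desc, ctype, patterns in sigs:
        if content_type is not None and ctype is not None and ctype != content_type:
            continue
        if patterns and all(p in data for p in patterns):
            hits.append(desc)
    return hits


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_PLIST)
    print("loaded:", [s[0] for s in sigs])
    print("hits:", scan(SAMPLE_PKG, sigs, "com.apple.installer-package-archive"))
```

On a Lion machine you could feed the real file into `load_signatures` by reading /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist as bytes; if Apple's key names differ from the assumed ones above, the dictionary lookups in `load_signatures` are the only lines that need adjusting.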

