
Mac OS X Isn’t Safe Anymore: The Crapware / Malware Epidemic Has Begun - nithinr6
http://www.howtogeek.com/210589/mac-os-x-isn%E2%80%99t-safe-anymore-the-crapware-malware-epidemic-has-begun/
======
Someone1234
As an aside: Everyone who read this article, please keep in mind that the
process injection model used by these pieces of adware is exactly what your
typical "keylogger" uses also.

No malware literally logs keys typed anymore. I cannot stress that point
enough. Instead they log form submissions (e.g. POST requests) which give the
malware author much more useful information they can data mine in an automated
way (e.g. URL, named parameters, etc). This works even on a "secure" page
(e.g. HTTPS with extended certificate).

I'm super tired of supposed power users or "geeks" telling others to
copy/paste in their username/passwords to improve security. That's not how
this works, it isn't how any of this works. Nobody reads raw key-streams,
they're completely useless because they fail to contain CONTEXT (i.e. where
you typed what).

Sorry, just a pet peeve of mine. The term "keylogger" is largely a misnomer. A
more accurate name would be "credential hijacking" or "form submission theft."
A lot of malware actually use standard injected JavaScript to add event hooks
to a page, to fire the data back to an evil browser extension.

~~~
bhayden
Don't a lot of login forms hash passwords with JS before sending it over the
internet? Wouldn't it then be useless to anyone listening?

~~~
Someone1234
I cannot think of a popular site which does this.

Whether that provides security really depends on what the "bad guys" are hooking.
If they're placing event triggers straight onto text box/button/form elements
themselves (either through JavaScript or grabbing something akin to Win32
messages) then that wouldn't do anything at all.

Even if they did grab the raw POST request (which is somewhat common) a hash
would only provide security if it was merged with an anti-forgery token sent
from the server, otherwise the "bad guy" could just re-post the exact same
hash and login anyway.

I think it really boils down to how popular your site is. If for example
Facebook did that, because it is popular enough with the "bad guys" they're
going to spend the time circumventing any JavaScript-based security you could
implement.
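
The replay point made above, as an added example that is not part of the thread and not any site's login code: a client-side hash posted on its own is a fixed credential that an observer of the POST can re-post, while a proof bound to a server-issued single-use nonce (the "anti-forgery token") fails on replay. Names such as `Server`, `client_hash` and `client_proof` are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the replay argument in the thread. The class and
# function names are this example's own, not any real site's API.


def _stretch(password: str, salt: bytes) -> bytes:
    # Both sides derive the same value from the password and the public salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    """Holds one user's salted, stretched password verifier and the live nonces."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt = secrets.token_bytes(16)  # public; sent to the client
        self.verifier = _stretch(password, self.salt)
        self.live_nonces = set()

    def issue_nonce(self) -> str:
        """Anti-forgery token: random, single-use, tied to one login attempt."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def login_static_hash(self, username: str, client_hash: bytes) -> bool:
        """Scheme 1: the client posts H(salt, password) by itself.
        The hash is a fixed credential, so a captured POST replays forever."""
        return username == self.username and hmac.compare_digest(client_hash, self.verifier)

    def login_nonce_bound(self, username: str, nonce: str, proof: bytes) -> bool:
        """Scheme 2: the client posts HMAC(H(salt, password), nonce).
        The nonce is spent on first use, so the same proof cannot be replayed."""
        if nonce not in self.live_nonces:
            return False
        self.live_nonces.discard(nonce)  # single use, even when the proof is wrong
        expected = hmac.new(self.verifier, nonce.encode(), "sha256").digest()
        return username == self.username and hmac.compare_digest(proof, expected)


def client_hash(password: str, salt: bytes) -> bytes:
    return _stretch(password, salt)


def client_proof(password: str, salt: bytes, nonce: str) -> bytes:
    return hmac.new(client_hash(password, salt), nonce.encode(), "sha256").digest()


def demo() -> tuple:
    """Returns (static ok, static replay ok, nonce-bound ok, nonce-bound replay ok)."""
    server = Server("alice", "correct horse battery staple")
    salt = server.salt

    # Scheme 1: whoever captured `h` from the form submission can re-post it.
    h = client_hash("correct horse battery staple", salt)
    static_ok = server.login_static_hash("alice", h)
    static_replay_ok = server.login_static_hash("alice", h)

    # Scheme 2: the captured proof is bound to a nonce the server has already spent.
    nonce = server.issue_nonce()
    proof = client_proof("correct horse battery staple", salt, nonce)
    bound_ok = server.login_nonce_bound("alice", nonce, proof)
    bound_replay_ok = server.login_nonce_bound("alice", nonce, proof)

    return static_ok, static_replay_ok, bound_ok, bound_replay_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Two limits of this sketch match the thread's own caveats: the stored verifier is password-equivalent (anyone holding the database can compute proofs), and malware hooking the text box itself sees the plaintext before any hashing runs, so none of this replaces TLS plus server-side hashing.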

~~~
csixty4
> I cannot think of a popular site which does this.

LiveJournal used to do it. No idea if they still do. I don't think it ever
caught on.

------
coldtea
> _Mac OS X Isn’t Safe Anymore: The Crapware / Malware Epidemic Has Begun_

Yeah, not really. Like it hadn't begun all the other times in those last 14
years that such articles appeared.

I've used Windows for decades (still do occasionally), and had lost count of
malware, adware and viruses I had to battle. So, don't tell me about "malware
epidemic" on OS X with a straight face...

~~~
dublinben
> adware and viruses I had to battle

This is largely a user problem now. I haven't caught a single problematic
download on my Windows 7 box.

~~~
josephlord
See recent Lenovo issue. It isn't a user problem but an ecosystem problem
starting with the OEMs and the general discovery and distribution of software.

------
smackfu
Part of the problem is that a lot of legitimate freeware / open source
software is not signed. I assume because people don't want to pay the $100 a
year just to support OS X. So people get used to installing unsigned software,
and then end up installing malware.

~~~
3JPLW
CNet's downloader app looks like it's signed. It warns that it was downloaded
from a website (which it was), but you don't have to do the right-click-open
song and dance.

~~~
comex
I'd love to see Apple take a stand and revoke their certificate. Usually I
strongly support developer freedom / openness, but these apps are straight-up
malware. Having a decline option somewhere doesn't matter if essentially all
users who accept do so unintentionally.

------
abrowne
I've seen a lot of Mac users with adware in the last few months. I've found
Adware Medic[1] to remove nearly all of it pretty easily.

[1]:[http://www.adwaremedic.com/](http://www.adwaremedic.com/)

~~~
corv
Seconded, AdwareMedic is quick and painless.

Power users might also appreciate Little Snitch[1] to see what their Mac is
connecting to.

[1]: [http://www.obdev.at/products/littlesnitch/index.html](http://www.obdev.at/products/littlesnitch/index.html)

~~~
abrowne
I forgot to mention, after running AdwareMedic, make sure to check browsers'
search engine and homepage settings.

------
joncameron
How about a non-Apple App Store: something like homebrew with a friendly GUI
that's easy to navigate? I started using Homebrew Cask recently, and it seems
like a perfect workflow for the average user who just wants to download VLC or
whatever.

I'm imagining Grandma pulling up the "Application Warehouse", let's say, and
clicking a download button under a VLC icon. It gets downloaded from a trusted
source over HTTPS, gets checked against a hash, symlinked and Gran's ready to
go, all without the hassle of shady installers from the search engine
shitpile.

~~~
astrodust
Microsoft really should consider making something like Ninite
([https://ninite.com](https://ninite.com)) a native component of Windows 10.

It skips all the garbage and installs the application.

~~~
Someone1234
They are/have. In Windows 10 it is called "OneGet." It is a Linux-like package
manager to complement their Windows Store (app store) which isn't going away.

------
amalag
I cleaned some crapware off an acquaintance's computer. She is around 70 and
didn't know why the computer was not behaving correctly. It was really easy
compared to Windows crapware. When my dad's Windows computer had malware I had
to reformat. But with OSX I deleted a plist or two and it was done.

~~~
mrks_
I have to disagree with this. At my current job I deal with a lot of Mac
malware/adware, and fully removing it is a complicated process. After clearing
the applications folder and removing browser extensions, you have to check a
lot of folders, and you kind of have to know what you're looking for. In
/Library/ for example, you have to check Application Support, Extensions,
Frameworks, LaunchAgents, LaunchDaemons, PreferencePanes, and StartupItems. I
like OSX, but it definitely needs a MalwareBytes equivalent.
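
As an added example, not from the thread or from any tool named in it, a Python script that inventories the /Library folders listed above and summarizes the launchd plists in LaunchAgents and LaunchDaemons (label, program, RunAtLoad, KeepAlive), which is the information you need to decide whether an entry belongs. It builds a constructed sample tree with a hypothetical agent `com.example.helper` so it runs anywhere; on a real Mac, call it on "/" and on the home directory, which has the same per-user Library subfolders.

```python
import os
import plistlib
import tempfile

# The persistence locations named in the comment above, relative to a root
# ("/" for the system copy, the user's home directory for the per-user copy).
PERSISTENCE_DIRS = [
    "Library/Application Support",
    "Library/Extensions",
    "Library/Frameworks",
    "Library/LaunchAgents",
    "Library/LaunchDaemons",
    "Library/PreferencePanes",
    "Library/StartupItems",
]


def inventory(root: str) -> dict:
    """Map each persistence directory that exists under root to its sorted entries."""
    found = {}
    for rel in PERSISTENCE_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            found[rel] = sorted(os.listdir(path))
    return found


def launch_items(root: str) -> list:
    """Parse launchd plists under LaunchAgents/LaunchDaemons and report what they run."""
    items = []
    for rel in ("Library/LaunchAgents", "Library/LaunchDaemons"):
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception as exc:  # unreadable or non-plist file is itself worth noting
                items.append({"file": path, "error": str(exc)})
                continue
            args = data.get("ProgramArguments") or []
            items.append({
                "file": path,
                "label": data.get("Label"),
                "program": data.get("Program") or (args[0] if args else None),
                "arguments": list(args),
                "run_at_load": bool(data.get("RunAtLoad", False)),
                "keep_alive": bool(data.get("KeepAlive", False)),  # may be a dict; truthy either way
            })
    return items


def build_sample_tree() -> str:
    """Constructed sample root: one hypothetical launch agent plus its support folder."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Library", "LaunchAgents"))
    os.makedirs(os.path.join(root, "Library", "Application Support", "ExampleHelper"))
    agent = {
        "Label": "com.example.helper",  # hypothetical label, not a real product
        "ProgramArguments": ["/Library/Application Support/ExampleHelper/helper", "--daemon"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with open(os.path.join(root, "Library", "LaunchAgents", "com.example.helper.plist"), "wb") as fh:
        plistlib.dump(agent, fh)
    return root


if __name__ == "__main__":
    # Replace with "/" and os.path.expanduser("~") to inspect a real machine.
    sample_root = build_sample_tree()
    for rel, entries in inventory(sample_root).items():
        print(rel, entries)
    for item in launch_items(sample_root):
        print(item)
```

The per-item summary is what makes the list actionable: an agent whose program lives in an unfamiliar Application Support folder and has both RunAtLoad and KeepAlive set is exactly the kind of entry the comment says you have to know to look for.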

~~~
mzs
[http://www.thesafemac.com/arg/](http://www.thesafemac.com/arg/)

~~~
mrks_
Yeah, that site has been really useful. That's where I discovered the large
number of folders in which malware can hide.

------
protomyth
"Examining further comes up with something curious… the person who wrote this
malware wanted to give special thanks to his mom."

That's the old default Credits.rtf.

------
JohnTHaller
Now that Mac OS X has hit about 7% of internet users, it's profitable enough
for adware/malware folks to target.

Most of the infections on Windows aren't due to some huge security issue on
Windows that Macs are magically immune to. They are due to the users
themselves installing adware or malware-infected software from sites online.
Now that there are more Macs out there, the reward is greater. So, there is
more revenue to be made from adware-laden software and a better return for the
time investment/risk of creating malware for Macs (to send out spam, be used
in DDoS attacks, sniff for and steal financial info and passwords, etc).

~~~
nkozyra
This is a common (and tired) response but it's really not entirely true -
Windows does in fact have a lot of potentially catastrophic holes that are
innately tied to higher privileges for users.

Most of what Windows has implemented since 7 with UAC, MSSE and now integrated
with Defender is a layer on top that introduces some failsafes. I won't argue
that it's been a massive and much-needed improvement to Windows, but Java and
Flash still provide viable vectors to bypass it and infect a Windows machine.

Designing actual viruses - stuff that has the ability to read and modify the
filesystem - is still harder to pull off undetected on OSX. This article
intimates as much. Most of what's included here is either bundled applications
you don't want - but you still have to actively find and then agree to - or
browser modifications. Neither of those is within 500 sqmi of, say,
CryptoLocker.

~~~
JohnTHaller
I never claimed that Windows or Mac OS X are more or less secure than the
other. I very specifically said the following:

"Most of the infections on Windows aren't due to some huge security issue on
Windows that Macs are magically immune to. They are due to the users
themselves installing adware or malware-infected software from sites online."

This is 100% accurate and what most home users have to deal with in terms of
issues on Windows. The vast majority of Windows issues that end users
experience and get frustrated over have nothing to do with Java or Flash flaws
or needing to compromise a system. The users themselves give the apps
permission to install and do their thing.

It's also worth noting that Java and Flash don't provide much of an attack
vector for the majority of Windows users you and I know anymore either.
Firefox won't permit outdated versions of the Java or Flash plugins with
security issues to run and will direct you to update. Chrome has its own
version of Flash built in and automatically updated with the browser and
disables Java by default. Even Internet Explorer blocks outdated ActiveX
plugins like old and insecure versions of Flash and Java these days.

~~~
nkozyra
I still don't think that's true - visiting a malicious site without any action
still provides far more of a risk on Windows than it does on OSX.

Are there improvements on the browser and OS side that are helping? Sure. Do
those impact the vast majority of Windows users? Probably not. Look at browser
& OS version usage and you'll see that the "users you and I know" are probably
not indicative of the majority of users in general. At least not yet.

~~~
JohnTHaller
All major browsers on Windows block outdated Flash and Java by default. All
major browsers on Windows are automatically updated to the latest version by
default. So, for the vast majority of Windows users, the attack vectors you're
mentioning simply don't apply anymore. That means users you and I know and
most users we don't.

What I'd meant by that line was that this doesn't apply to users in other
countries where the majority of users are still using hacked (and completely
insecure) versions of Windows XP. Sadly, Windows XP still represents about 19%
of online users. Thankfully, most of those users are using a 3rd party browser
as IE 6 is down around 1%.

------
tedunangst
> It wasn’t that long ago that you could install almost anything for OS X from
> almost any website, and you didn’t really have to worry about what you
> clicked on.

Full stop. That's a ridiculous statement to make. Are we really pining for a
return to such an oblivious mentality? Good riddance.

~~~
smackfu
It's a true statement though. OS X users avoided malware by there not being
malware, not by being smarter or being protected.

~~~
tedunangst
It's along the lines of "Not long ago I could back out of my driveway without
even looking, but now my new neighbor's kids play in the street."

I will stipulate it's a true statement. Still foolish.

------
stephenr
Breaking news: Free download sites like Download.com are shit. More at 11.

------
JamesBaxter
"We’d love to see Apple fix some of the App Store issues and make everybody
use it."

I agree with the first part of this but not the second.

------
MBlume
That's a really damning Yahoo screenshot and it matches my experience pretty
well. Yahoo is not an acceptable search platform and I'm really confused about
why Mozilla thinks otherwise.

~~~
pix64
Money

------
raverbashing
I click on all MacKeeper ads I see, repeatedly

Let the fuckers pay for that

~~~
spacehome
You see ads?

~~~
raverbashing
Sometimes when I run without Ad blockers...

------
coldcode
I've been a Mac developer since 1984 and the last time I ever saw a virus was
1988 I think. It's not impossible to get irritation-ware if you download
random crap from these download sites but genuine malware is extremely
difficult to produce. Saying "Mac OS X Isn’t Safe Anymore: The Crapware /
Malware Epidemic Has Begun" is beyond stupid.

~~~
lawnchair_larry
By "difficult to produce", do you mean difficult to find? If you mean
difficult to develop, it's actually very straightforward, and no different
from Windows.

------
trebor
As a Mac user who migrated from Windows, I had no doubt that it was only a
matter of time before Macs became more lucrative targets. Anyone who thinks
that their OS of choice is unassailable is fooling themselves.

------
geoelectric
"If you do stick to the App Store, you have nothing to worry about. We’d love
to see Apple fix some of the App Store issues and make everybody use it."

Yeah, that'd be just awesome.

~~~
Someone1234
Devil's advocate here:

That could just be the default, and the user could disable it. On Windows
8/8.1 the default is for the "SmartScreen Filter" to block "unrecognised"
applications from being run or installed. See their FAQ [0]. It can be
disabled however.

If someone is smart enough to be installing applications from third party
sources themselves, then they're smart enough to flip a switch in a
Preferences panel to enable it.

However this does protect the lowest common denominator who these malware are
actually targeting (i.e. computer illiterate individuals who will click ads in
search results).

[0] [http://windows.microsoft.com/en-us/windows7/smartscreen-filt...](http://windows.microsoft.com/en-us/windows7/smartscreen-filter-frequently-asked-questions-ie9)

~~~
geoelectric
If it can be disabled, I'm less bugged by it. It's still a lot of friction for
the acceptance of open source apps and other "not really appstore-compatible"
projects, though.

------
ocdtrekkie
Apple was never good at security, they just weren't a big target. Now they're
both bad at security AND a big target.

------
jkot
OSX will become walled garden just as IOS. I am personally happy for that,
many developers will return to Linux.

~~~
bluthru
Apple knows that their computers are a favorite amongst developers. No way
would they do that.

Apple already made their move and it was a nice compromise called Gatekeeper.

------
goblin89
Recently was surprised to discover that the official uTorrent distribution,
downloaded straight from utorrent.com, has some Spigot stuff in it. Was I
tricked somehow or pre-hijacked already into downloading a non-authentic
installer, or do they make money that way now—not yet completely sure.

------
cmurf
Pretty sure the "Allow apps downloaded from:" has been set to "Mac App Store
and identified developers" since 10.8? Maybe 10.7?

------
stcredzero
This is a big problem. Are there browser extensions that can block crapware?

