
Evidence suggests first zombie Mac botnet is active - tvon
http://arstechnica.com/apple/news/2009/04/evidence-suggests-first-zombie-mac-botnet-is-active.ars
======
ZeroGravitas
I don't want to sound paranoid but security researchers working for anti-virus
vendors have a vested interest in blowing these things out of proportion.

I don't know the details of this particular story but I have seen blatant
scaremongering and misinformation in the past when it comes to Macs.

~~~
josefresco
"I have seen blatant scaremongering and misinformation in the past when it
comes to Macs"

Not just Macs, anti-virus and security professionals are experts in all
computer FUD (regardless of platform)

~~~
tvon
True, but Macs I think get some special attention because they already have
the Windows world pretty knotted up. Mac users are still largely unconverted.

------
ashleyw
Considering users were actively trying to install software which they thought
was trusted (so would have entered passwords when prompted), I don't find this
surprising — is there even much you can do to prevent this kind of thing,
apart from taking control away from the user?

~~~
derefr
Compartmentalization of power: require the application to ask separately for
each thing it wants to be able to do (e.g. Install a driver, bind a port, save
to a write-protected folder), and then "profile" the set of powers it has
requested to determine what kind of app it is when explaining to the user
whether he should enter his password. A screensaver shouldn't ask to rewrite
the page table, and the OS can know that and help the user avoid it.

~~~
alexitosrv
That sounds awfully similar to Windows UAC.

"There's a much, much bigger hole than any programmer could possibly exploit:
The annoyance factor." Source:
http://it.slashdot.org/comments.pl?sid=222252&cid=18003076

~~~
derefr
No, no: you don't ask _the user_ separately for each thing the program wants
to do; the program asks for several tokens from the keychain, and then the
keychain asks for a single password entry, telling the user all the things the
program wants to do with it.

~~~
uuilly
My mom, dad, sister and brother have all separately asked me what the keychain
was. I would get many more calls if it was more complicated.

~~~
derefr
And what I'm suggesting here is to _simplify_ the keychain process by _adding_
information. I know that sounds strange, but imagine, instead of a vague
window saying "Please unlock keychain blah blah password," you get one that
says "Fluffy Bunnies Screensaver is requesting your permission to do things
that may harm your computer. Fluffy Bunnies Screensaver is likely to be
infected with a virus. [More information dropdown arrow]

[Quarantine Fluffy Bunnies] [Continue running Fluffy Bunnies without granting
additional permissions] [Grant additional permission]"

[more information dropdown] = "Fluffy Bunnies Screensaver has asked for
permission to open your computer to connections from other Internet users, run
programs downloaded from the Internet without informing you, and install a
program that loads when the computer starts. These actions together fit the
pattern of behavior displayed by many viruses.

This does not necessarily mean that Fluffy Bunnies Screensaver is a virus, but
if you don't understand why Fluffy Bunnies Screensaver is requesting to do
these things, please try to run the program without giving it these additional
permissions; the permissions Fluffy Bunnies Screensaver has requested may not
be necessary for it to work properly."

Only if you click "Grant additional permissions" does the password input field
appear/enable. Additionally, below the password box, a listbox also appears
with (by-default-checked) checkboxes for each right that the program has
requested. If you wish, before confirming your password, you may disable some
of the rights, without disabling others. This may, theoretically, allow you to
run an infected Installer program (that requires elevation either way) without
actually being infected by a virus _attached to it_. (You might still be
infected if the Installer _installs_ the virus.)
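As an added illustration of the idea described in this comment (example code, not anything from the article, from Mac OS X, or from the commenter): a toy "profile the requested rights" check. A program requests a batch of rights at once, the batch is compared against what its declared category is expected to need and against combinations that look like bot behaviour, and the user can grant a subset of the batch. Every capability name, category table and suspicious pattern here is an assumption made up for the example.

```python
"""Added example, not code from the article or from Mac OS X: a toy version of
the "profile the requested powers" idea. Every capability name, category and
pattern below is an assumption for illustration."""
from dataclasses import dataclass

# Rights a program can ask for, as tokens it would request in one batch.
LISTEN_NETWORK = "listen_network"          # accept connections from the Internet
RUN_DOWNLOADED = "run_downloaded_code"     # execute code fetched without telling the user
INSTALL_STARTUP = "install_startup_item"   # load a program when the computer starts
WRITE_PROTECTED = "write_protected_folder"
INSTALL_DRIVER = "install_driver"

# What each self-declared kind of program is expected to need (assumed table).
EXPECTED = {
    "screensaver": set(),
    "installer": {WRITE_PROTECTED, INSTALL_STARTUP},
    "server": {LISTEN_NETWORK},
}

# Combinations that, taken together, look like bot or rootkit behaviour (assumed).
SUSPICIOUS_PATTERNS = (
    frozenset({LISTEN_NETWORK, RUN_DOWNLOADED, INSTALL_STARTUP}),
    frozenset({INSTALL_DRIVER, INSTALL_STARTUP}),
)


@dataclass
class Verdict:
    unexpected: frozenset        # rights outside the category's expected set
    matched_patterns: tuple      # suspicious combinations fully present in the request

    @property
    def warn(self) -> bool:
        # Warn on anything unexpected, or on a complete suspicious pattern.
        return bool(self.unexpected) or bool(self.matched_patterns)


def profile_request(category: str, requested) -> Verdict:
    """Classify one batched request (all rights asked for at once).
    An unknown category gets no expected rights, so everything is unexpected."""
    requested = frozenset(requested)
    unexpected = requested - EXPECTED.get(category, set())
    matched = tuple(p for p in SUSPICIOUS_PATTERNS if p <= requested)
    return Verdict(unexpected, matched)


def grant(requested, approved) -> dict:
    """Hand out exactly the rights the user left checked; everything else is denied.
    Rejects an 'approved' set containing rights the program never asked for."""
    requested, approved = frozenset(requested), frozenset(approved)
    if not approved <= requested:
        raise ValueError(f"not requested: {sorted(approved - requested)}")
    return {right: right in approved for right in requested}


if __name__ == "__main__":
    v = profile_request("screensaver", {LISTEN_NETWORK, RUN_DOWNLOADED, INSTALL_STARTUP})
    print("warn:", v.warn, "unexpected:", sorted(v.unexpected))
    # An installer that also wants bot-like rights: grant only the installer part.
    asked = {WRITE_PROTECTED, INSTALL_STARTUP, LISTEN_NETWORK, RUN_DOWNLOADED}
    print(grant(asked, {WRITE_PROTECTED, INSTALL_STARTUP}))
```

The second call in the `__main__` block is the "infected installer" case from the comment: the installer's own rights are granted, the extra network and persistence rights are refused, and `grant` refuses to hand out anything that was not in the original request.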

~~~
ams6110
Sadly, the fact remains that users don't read dialog boxes[1]. If you want to
make a computing "appliance" that is not going to be subject to attack, you'll
have to disallow owner-administrators and software installations altogether.

[1] <http://www.joelonsoftware.com/uibook/fog0000000249.html>

~~~
derefr
I think dialog boxes are simply mismatched to the WIMP paradigm: the user
expects to be able to click, navigate, and _explore_ a problem space, when
suddenly you're confronting them with a decision that, once made, disappears
and cannot be re-made a different way: the antithesis of explorability.

If, instead of individual windows, there were some central "conversation window"
where the computer would ask you questions, then leave both the question and
answer available for viewing and correction, things might improve. In fact,
more things could be presented to the user as "beneficial, but not necessary"
decisions to make (changing preferences from their defaults, etc.) This scheme
reminds me of SimCity's Advisors window, oddly enough, and also bears a
similarity to Windows 7's Action Center.

The biggest difference is that every decision would now need a "safe
postponement default", in case you don't "check your messages." In the
elevation case, programs would have to be rewritten to not expect to be
elevated as soon as they ask for it, but rather try to do whatever possible
with the privileges they have, and then queue up a list of things to do
if/when they get elevated (which may never happen). For instance, under this
scheme, Installers would always install to a user-writable location, then
queue a move operation for post-elevation.

The 20% that takes 80% of the work, in this case, is figuring out what to do
when the user works outside of the elevation framework: what to do when you
move the folder the program was waiting to move, or what to display in the
conversation transcript when you change a preference in the Preferences window
that you originally chose in the context of a Conversation.

------
donaq
It was bound to happen, I suppose. I wonder if it will happen to Linux too,
although I think it would be hard for malware writers to target Linux using
conventional methods if users stick to using only open source software.

~~~
windsurfer
Most of the users I know only get their software through their distro's package
manager. I think it would be quite tough to get malware in there, especially
since most distros accept only free software.

~~~
vorador
Well, not necessarily. I mean, a repo could be hacked. Fortunately, apt uses
signed packets.

~~~
vizard
Fedora servers were indeed hacked if I remember correctly and malicious
packets were uploaded but it was detected before they reached the users.

Repo security is certainly very important. But well, ultimately you have to
trust _someone_?

~~~
vorador
The canonical example is <http://cm.bell-labs.com/who/ken/trust.html>

But I guess that there are two ways to feel really secure: either use
openbsd, or just don't use the internet.

------
CalmQuiet
If you are into "installing the pirated versions of iWork or Photoshop CS4"
(whether on Mac or PC)

...you may _already_ be a zombie.

Just don't even go there.

------
FiveFiftyOne
It was bound to happen eventually. The most troubling thing is that it's
distributed in pirated software. Don't pirate, run your tests against
checksums and keys when you download legitimate software. Of course, this
won't cross the mind of many users. An interesting feature would be to combine
a checksum with your downloads, which the Mac installer could then verify off
of your download page. Invalid checksum = big warning and flashing lights.

~~~
arvidj
If a malicious hacker can intercept and manipulate a download, why can't he
manipulate the checksum? Just asking :)

~~~
tvon
There is no interception and manipulation of a download going on, at least
regarding the botnet the article suggests; it came from knowingly downloading
and installing pirated software. The checksum idea is to get the checksum from
the official source and to apply it to the pirated download, but then the
pirated download is surely modified anyway, so this wouldn't work.
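An added example (not code from the article, from any commenter, or from any real installer) covering the checksum discussion in this subthread and the earlier point about signed apt repositories: it parses a `sha256sum`-style manifest, checks a download against it, and then walks through the three cases argued above with constructed sample bytes. A trojaned copy fails against the vendor's manifest (tvon's point); a trojaned copy checked against a manifest republished by whoever controls the download site passes (arvidj's point), which is exactly why distributions sign the manifest with a key the user obtained through a separate channel rather than relying on a bare hash. The signature step itself is not implemented here; the file name, contents and manifest are all constructed for the example.

```python
"""Added example, not from the article or any commenter: checking a download
against a sha256sum-style manifest, and why that only helps when the manifest
comes from a channel the attacker does not control. All sample data is constructed."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse lines of the form '<64 hex chars>  <filename>' (sha256sum output).
    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (sha256sum's binary-mode marker) is dropped. Malformed lines are an error
    rather than silently ignored, so a truncated manifest cannot pass as valid."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"non-hex digest on manifest line {lineno}") from None
        entries[name] = digest
    return entries


def verify(name: str, data: bytes, manifest_text: str) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file.
    compare_digest is used out of habit; timing is not a concern for a local check."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(expected, sha256_hex(data)) else "mismatch"


def make_manifest(files: dict) -> str:
    """Produce sha256sum-style output for a {filename: bytes} mapping."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def demo() -> dict:
    """The three situations argued in the thread, on constructed sample bytes."""
    # Stand-in for a vendor's installer image and the manifest on the vendor's site.
    official = b"dmg-payload: vendor installer v1.0\n" + bytes(range(256))
    vendor_manifest = make_manifest({"vendor-installer.dmg": official})

    # A "pirated" copy with a dropper appended (constructed, not real malware).
    trojaned = official + b"#!/bin/sh\n# constructed bot dropper stand-in\n"

    # The attacker also controls the site the victim downloads from, so they
    # publish a manifest that matches the trojaned file.
    attacker_manifest = make_manifest({"vendor-installer.dmg": trojaned})

    return {
        "genuine_vs_vendor_manifest": verify("vendor-installer.dmg", official, vendor_manifest),
        "trojaned_vs_vendor_manifest": verify("vendor-installer.dmg", trojaned, vendor_manifest),
        # Same trojaned bytes, but the hash came down the same pipe as the file.
        "trojaned_vs_attacker_manifest": verify("vendor-installer.dmg", trojaned, attacker_manifest),
        "file_not_in_manifest": verify("other-tool.dmg", official, vendor_manifest),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32s} {result}")
```

The `trojaned_vs_attacker_manifest` case is the one a bare checksum cannot catch: a hash only ties the file to whatever published the hash. Closing that gap means authenticating the manifest, which is what a signed repository does (apt verifies a signature over the release metadata with a key installed ahead of time), and the trust then rests on how that key was obtained, which is the "you have to trust someone" point made upthread.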

------
rs
Rule of thumb: don't trust pirated software! If you need to get some
application, buy it, or use a Free version

------
allenbrunson
if true, this is a definite rite of passage for our beloved platform. maybe
mac users will have to install antivirus software soon?

~~~
chaosmachine
Antivirus software doesn't seem to help PCs much.

~~~
tom_rath
That's like saying a seatbelt doesn't help crash victims much.

The trick for both is using it.

~~~
old-gregg
Antivirus software is usually more harmful than most viruses.

~~~
tom_rath
If that's the case, "You're doing it wrong".

~~~
windsurfer
http://www.thepcspy.com/read/what_really_slows_windows_down/5

Apparently not.

~~~
tom_rath
"You're doing it wrong" personified right there. If you're using McAfee or
Norton, that's like wrapping a seatbelt around your neck (as those numbers
show).

If you're working without at least common-sense anti-virus protection, you're
going to deserve what you'll eventually get.

~~~
slater
I just kicked Norton off my wife's Vista PC, thanks to Norton's own "Norton
Removal Tool".

I'd like to know what your definition of "common-sense anti-virus protection"
is, though. Apart from "don't download/install anything from untrusted
places".

------
Create
as someone put it:

after a dmg comes an OMG ;)

