Wolf! [Apple malware scares]

daring fireball ^

[Gomez]

Ed Bott, ZDNet, three days ago: “Coming Soon to a Mac Near You: Serious Malware”:

Now I am seeing evidence that the next target is OS X. That’s potentially very bad news for Mac owners who have abandoned their PCs in the belief that switching to a Mac somehow immunizes them from malware.

Security experts know, of course, that there’s nothing magical about Macs when it comes to security. They just haven’t been targeted because Windows has been such a big juicy target for so long.

But now that Macs have achieved a critical mass of success in the marketplace, they’ve attracted the attention of malware authors. According to a report from a Danish IT security company, an underground group has completed work on a fully operational kit specifically designed to build malware aimed at the Mac OS platform.

Tony Bradley, PCWorld, December 2010: “Apple No Longer Flying Under the Security Radar”:

The McAfee report explains, “McAfee Labs saw malware of increasing sophistication that targets Mac this year; we expect this trend to increase in 2011. The popularity of iPads and iPhones in business environments and the easy portability of malicious code between them could put many users and businesses at risk next year and beyond,” adding “We anticipate threats of data and identity exposure will become more pronounced.” […]

If McAfee is right, 2011 could be a bittersweet year for Apple and Apple fans.

Nick Farrell, The Inquirer, September 2009: “Hackers Target Macs”:

A bunch of Russian hackers are offering 43 cents for each Mac that their partners in crime can infect with bogus video software. The move has been cited by insecurity experts at Sophos as a sign that Mac users’ security by obscurity days are coming to an end. […]

This is because most Mac users believe that faith in Steve Jobs protects them from all malware. To them, malware is only for Windows users because OS X is perfect and totally secure. The fact that Mac OS X’s security is the stuff of jokes at security experts’ parties does not matter to the Apple faithful.

Roger L. Kay, Businessweek, March 2008: “Apple’s Icarus Effect”:

Just as those living in shiny houses of self-righteous glass often end up surrounded by shards of their former sanctimony, so Apple Inc. now finds itself the increasingly appealing target of software hackers.

Bernhard Warner, The Sunday Times, July 2008: “Hackers Start to Target Apple Macs”:

The company [Sophos] reports today that two new Mac-ware Trojans that emerged in February and June ought to shake Mac users of their misconceptions that their computers (and, eventually, iPods and iPhones) are impenetrable. To put this in perspective, the first really pernicious piece of Mac malware emerged only in October, 2007, Mr Cluley adds, suggesting that a worrisome trend is about to get worse.

Kevin Allison, GNT, December 2007: “Apple’s Rising Popularity Lures Hackers”:

“Over the past two years, we had found one or two pieces of malware targeting Macs,” said Patrik Runald, an F-Secure security researcher. “Since October, we’ve found 100-150 variants.”

The rising security threat could present a challenge to Apple, which has long touted the security advantages of its platform over those of Microsoft, whose software is a perennial target for hackers.

“As Apple’s platform becomes more visible, it will increasingly come under the gun,” said Roger Kay, an analyst at Endpoint Technologies.

Bill Snyder, Infoworld, December 2008: “Hackers Take Aim at Mac OS X”:

It’s not often that an analyst covering computer security issues tells you that he doesn’t do much to protect his systems. But one reputable analyst I know said just that as we talked about the rising threat of malware aimed at Apple’s hardware. I won’t mention his name, but the gentleman is dead wrong. The days when you can assume that Apple’s products are exempt from harm are over.

Ryan Singel, Wired, November 2007: “New Apple Trojan Means Mac Hunting Season Is Open”:

Evron sees more problems for Apple users than just new Trojans that try to trick users. Hackers will find it profitable and all too easy to find holes in Apple software, because the company hasn’t paid sufficient attention to security, said Evron. He predicts Apple will experience a full-range of attacks, just as Microsoft did a decade ago when Windows machines and the internet first met.

“It’s Mac season. The next two years will be interesting.”

Kim Zetter, Wired, October 2007: “iPhone’s Security Rivals Windows 95 (No, That’s Not Good)”:

With Apple’s announcement Monday that it shipped 1.12 million iPhones in the three months after its launch, the gadget’s apparent popularity rivals some PCs. That has security experts warning of trouble, following revelations that Apple built the iPhone’s firmware on the same flawed security model that took rival Microsoft a decade to eliminate from Windows.

“It really is an example of ‘those who don’t learn from history are condemned to repeat it’,” says Dan Geer, vice president and chief scientist at security firm Verdasys.

Steve Hargreaves, “special” to CNN, October 2006: “Hackers Look to Crack the Mac”:

Apple computers have long been prized for being virus-free. But as more people use Apple products, experts say the company is increasingly becoming a target for cyber pranksters and criminals writing viruses and other forms of malware.

John McCormick, TechRepublic, May 2006: “X Marks the Spot: Hackers Turn Attention to Apple’s OS”:

But that may all be about to change. The number of newly discovered Mac OS X vulnerabilities has surged by more than 220 percent (annualized) from 2003 to 2005. Compare that to an 80 percent increase in the number of Windows vulnerabilities.

Of course, McAfee is in the business of selling antivirus software, so it’s important to take its reports with a grain of salt (as with any antivirus vendor).

Bob Johnson, CNet, May 2006: “Say Good-Bye to Apple Security?”:

While Microsoft’s vulnerabilities might let intruders into the castle, Apple is giving them the keys to the kingdom and rolling out the welcome mat.

Apple also happens to make the world’s most popular music devices: iPods. Essentially large hard drives, they also have the potential to deliver all kinds of security threats into any environment, even Windows. Once a virus infiltrates the iPod, plug and play becomes plug and plague. Did anyone really believe the security nirvana for Apple would last? It’s now more vulnerable than ever, and things can only get worse.

Munir Kotadia, Silcon.com, March 2005: “Symantec: Mac OS X a Hacker Target”:

Symantec’s concerns were echoed by James Turner, security analyst at Frost & Sullivan Australia, who said many of the people who bought Apple products were not concerned about security, which left them wide open to attack.

“The iPod, PowerBooks and mini Macs are cool products,” Turner said. “The by-product is that people are buying these products for form over function. They say it looks pretty and then buy it but don’t secure it. As Apple increases its market share, it will be a legitimate target”.

Eric Hellweg, MIT Technology Review, October 2004: “Hackers Target Apple? Congratulations!”:

The Apple community has, since its inception, been largely immune to nefarious hackers bent on spreading harm. If you are a Windows user, as I am, you know the routine. You complain about the latest spyware or virus attack, and Apple devotees respond with good-natured teasing — they don’t have worry about such nonsense. Well, now they do.

Predictably, posts on various Apple-related message boards have been offering varying levels of concern, ranging from mild disappointment to utter gloom. I think this reaction is fundamentally misguided. MAC users should not be upset about this malware news; they should rejoice.

[Gomez]

ping

[Wayne07]

The difference in the stories is that most recent is actually reporting on something real, where the others are just FUD. As you allude to in your title, it really is like the boy who cried wolf. This is now something to take seriously, but will people after all the false alarms?

[PGR88]

damn. I just bought an Apple MAC with OS X.

I never believed the apple store’s saleman’s blanket statements about “never having to worry about viruses” but didn’t think it would come this quickly!

[proxy_user]

Yes, but they have to trick you into voluntarily installing the software and typing in your administrative password, don’t they? No one with any knowledge of security would do such a thing.

[Swordmaker]

Are we Mac users quaking in our boots yet? Nope! PING!

The "kit" that the underground group is completing is just a collection of tools that have been around for the last few years... it's nothing new, nothing earth shaking, nothing that is going to make something suddenly magically work that didn't work before. It just collects all the things that have been tried and failed and makes them available in one place for script kiddies to buy and to try again and fail again. At worst, we will see a few MORE Trojan Horse programs for OSX to warn us about... and to prevent them downloading... because this kit has the known families of Trojan horse engines in it. Whoopee-do. The door is closed on those.

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE, IGNORE THEM!!!

Apple Security Scare (YAWN) again Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Swordmaker]

The difference in the stories is that most recent is actually reporting on something real, where the others are just FUD. As you allude to in your title, it really is like the boy who cried wolf. This is now something to take seriously, but will people after all the false alarms?

Nope, this news is no different than the "real" stories that were reported in 2010, 09, 08, 07, 06, 05 ... 0X ad nauseum... Until the crackers find a viable VECTOR to spread their viruses and worms that does NOT involve the willing and active participation of the USER with an administrator's name and password, there's not much to worry about. OSX identifies and warns users if and when you are attempting to download, install, or run a Trojan. There are, at last count only 18 known trojans in five distinct and easily identifiable families of Trojans... and each of the are easy to avoid.

The "security by obscurity" canard has been shot down so many times and proven wrong it is ludicrous. There are better than 55 MILLION OSX Macs in the wild and the number of OSX viruses, worms, and involuntary spam bots is still ZERO. . . after TEN YEARS OF TRYING. That is NOT because it is obscure, MrShoop. Crackers have written viruses and worms that have infected installed bases of fewer than 12 THOUSAND vulnerable machines because it was economically worth doing. You cannot say that a target of 55 MILLION sitting ducks with no anti-virus protection is not an economically desirable target with that kind of evidence slapping you in the face. The simple fact is, contrary to all the screaming the Windows' fanatics do, that it is REALISTICALLY that much harder to do. If it were not, it would have been done and there would be thousands of Mac Spam bots out there. There are not. Prima Facie evidence that it has not happened.

[Wayne07]

OSX is harder to attack (i have an iMac, BTW), but not impossible. You are wrong that there are zero instances of worms/malware/spambots. In fact there were recently numbers released that macs made up 16% of the infected computers in the Jnanabot network. Apple has been recommending anti-virus software for 3 years now. Your attitude is going to make it worse for mac owners because you are discouraging caution which is clearly warranted.

http://www.symantec.com/connect/blogs/exploiting-jnanabot-fun-and-profit

[Wayne07]

Some infection numbers from Sophos from people who run their software. http://nakedsecurity.sophos.com/2010/11/18/free-anti-virus-for-mac-150000-active-users-and-plenty-of-malware-found/

[PA Engineer]

There is actually one very bad malware in the wild that is attacking many Apple computers, slowing them down, overloading computer resources and crashing applications..... Flash Player! ;-)

[Mind-numbed Robot]

I suspect that the chart reflects the activity of Sophos software installed on Macs. (Yes, some people can be conned into buying av for Macs.) It says that is what Sophos saw and intercepted. What it does not say is that had there been no Sophos software that the Mac OS would have also intercepted those things and warned the users not to install them, or they simply fell harmlessly to the side with no affect on the Mac.

[Gomez]

I checked the top three infections and according to Sophos they are Windows malware. It doesn't look like they would run on a Mac even if someone with admin privileges wanted to install them. Mal/ASFDldr-A
Troj/JavaDl-V
Mal/JavaKC-E

[Mind-numbed Robot]

Thanks. I forgot about that. In the past I ran an av application on my Mac and that was the case with it, too. I would get an alert that it had caught a malware attempt and it was always an MS virus instead of some attempt to infect my computer.

[ReignOfError]

OSX is harder to attack (i have an iMac, BTW), but not impossible. You are wrong that there are zero instances of worms/malware/spambots. In fact there were recently numbers released that macs made up 16% of the infected computers in the Jnanabot network.

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

16% of 0-49 infections = a maximum of eight Macs. My hypothesis is that those infected Macs were running Windows in boot camp. As described in the technical details on the Symantec site, Jnanabot only affects Windows; it infects a system by writing to the registry and downloading and installing several .exe files. The numbers in that pie chart are "from artifacts of the file system."

[TheBattman]

There is some truth to this statement - but not the way the author intended:

The "big" part refers to market share - and while one can see that as a significant reason Windows has been the primary focus of malware pushers, the second part - the "juicy"- is the real open door. Malware pushers are like any other criminal - they look for lucrative - and they look for easy targets. Windows, for a variety of reasons I won't waste time rehashing here, has long been filled with countless back doors, faults, and gaping holes. Microsoft has slowly tightened things up - but some of the insecurities are related to factors that are not so easy to just "close" - including legacy support and the open handles that are necessary for Windows to run on any cobbled together hardware one can assemble (one of the good/but bad facts of the more "open" hardware that Windows runs on... to be able to do that requires lots of access and "open doors"). Microsoft has tightened the screws down somewhat - but the evidence is - there are still vulnerabilities that can cause real problems.

Then we turn to the Apple OS (a UNIX implementation). The whole concept - even if a malware writer were to come up with a "working" model - because of the separation and delineation between portions of the Kernel, serious breeches of security and/or operating system are not likely. I didn't say impossible - but it does require a great deal more effort, and a willing user with administrative permissions. There have been a handful of "proof on concept" bugs demonstrated that can affect the Mac OS. Yet how many have actually appeared "in the wild", causing data loss, security breaches, or hardware hijacking? I have yet to find a credible report of such. Why? The installed user base of OS X computers connected to the 'net is in the hundreds of millions. Is that not a large enough target to draw lots of attention, especially if these were "easy targets" as these writers would like to imply? Remember - criminal-types LOVE easy targets. Most crooks will target the unarmed little-old-lady with $20 in her purse over the dude packing a .45 on his waist, but carrying $50. Its about easy targets. I am sure, as Apple's market share continues to increase, that there will be more attempts. A publication I read monthly has a section of stories where crooks try to rip off/attack armed citizens... and the outcome (not so good for the criminal). And I wouldn't even be surprise if some day, some wise-jerk develops a real, and functioning bit of malware that can really hose a Mac. It is technically possible. I figure it is more likely to be someone with a grudge or a name to make than someone who is actually trying to steal data. But whatever -

Kind of like choosing where to live. You can live in a city with a serious drug/high crime problem, or you can choose to live in a city that has very low crime statistics. Maybe the high-crime city is bigger. Maybe it has a few more stores or restaurants. But which one is going to feel (and be, statistically) safer?

[TheBattman]

OF course - that is, and always has been, the weak point of computers: Users.

Long before “administrator passwords”, computer users were downloading pirated software and music, pron, and other commonly identified sources of infection... all with the well-documented danger. So it isn’t really much of a step for folks to blindly type in passwords to every box that pops up...

That being said - There are viruses/malware for Windows that STILL can infect/cause trouble without ever seeing a warning or opportunity to NOT give permission.

[TheBattman]

“infection numbers” is a truly deceiving name - considering how many in the list are even CAPABLE of “infecting” an OS X machine....

A more accurate naming would be “malware detected”... because this would include such that were in downloaded files, in emails, etc. This does NOT mean these machines were actually “infected”.

A Mac can be a carrier, just as that thumb drive you carried files to work on. But that thumb drive isn’t necessarily “infected”... just has a malware file stored on it.

[Wayne07]

At the time of the article (~5 months old), the folks at Symantec said the number of Jnanabot infections so far is “measured in the thousands.”. What you are looking at is the state of trojan 5 months later, after it has been detected and removed from many systems.

[ReignOfError]

Whatever the peak numbers were, I stand by my hypothesis that the Macs were running Boot Camp. The technical info on Symantec’s site (http://www.symantec.com/security_response/writeup.jsp?docid=2010-102616-4246-99&tabid=2) lists only Windows as vulnerable, and describes the mechanism of placing entries in the Registry and downloading .exe files, neither of which affects Macs.

The pie chart was based on “artifacts of the file system.” A Mac running Boot Camp does mount the Mac OS volume, so that file system would be visible. The blog post does not describe how, or whether, they account for systems with more than one OS present.

[Wayne07]

Also, you can see Jnanabot has code specific to the Mac to allow it to run. It is definitely not windows only..

http://www.symantec.com/connect/blogs/trojanjnanabot-trojanaffecting-multiple-platforms

This particular Trojan (that Symantec detects as Trojan.Jnanabot) is one such attempt to target multiple platforms. Jnanabot has numerous functionalities that include key logging, connection to IRC servers, and posting malicious links on social networking sites, affecting users on Windows, Mac OSX, and Linux platforms.

The threat is composed of multiple files. I will address them as components throughout this blog. Each component is meant for a specific task. Some components are compiled Java files whereas others are platform specific executable files.

1. Library component:  Contains Library files needed to run the threat on various platforms namely: Mac OSX, Linux with AMD 64 machines, Linux with x86 machines, Windows with x86 machines
2. Main component: The main .jar file that controls execution of all the components.
3. Install/update component: Installs and updates the threat.
4. IRC component:Connects to remote IRCs and waits for further commands from the master.
5. Key logging component.
6. Crypt component: Windows and Mac executable files to decrypt the packaged files.
7. Facebook component: We are currently analyzing this component. From our brief analysis it seems as if the threat can read cookies of logged on user and may post malicious links on the social networking site.