Mac Virus - One for Blister

UKworkshop.co.uk

Help Support UKworkshop.co.uk:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
Usual scare. This is an email I sent to one of our Google groups after one of the members posted this 'news' story today.


As ever, these announcements are made by the makers of anti-virus software. The old cynic in me rather suspects their motives. When said maker is also from Russia which is also the source of many viruses, trojan horses and botnets etc, I become doubley suspicious.

I would not deny the possibility of Mac malware, its just very rare indeed and likely to remain so until the Mac takes over the market which isn't going to happen. The bad guys are interested in the maximum return for their investment and that means Windoze machines.

However, there is no reason to be blase about it. If anyone is worried, I would suggest they download Sophos Home edition and run the scan and keep their Mac protected. As ever, scanning my Macs bought a blank response as it always has.

http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
 
gus3049":2ta44ull said:
Usual scare. This is an email I sent to one of our Google groups after one of the members posted this 'news' story today.


As ever, these announcements are made by the makers of anti-virus software. The old cynic in me rather suspects their motives. When said maker is also from Russia which is also the source of many viruses, trojan horses and botnets etc, I become doubley suspicious.

I would not deny the possibility of Mac malware, its just very rare indeed and likely to remain so until the Mac takes over the market which isn't going to happen. The bad guys are interested in the maximum return for their investment and that means Windoze machines.

However, there is no reason to be blase about it. If anyone is worried, I would suggest they download Sophos Home edition and run the scan and keep their Mac protected. As ever, scanning my Macs bought a blank response as it always has.

http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

I read Gorden's post :!: :!:

All I can say now is


I LOVE MY MAC EVEN MORE

:mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen:
 
Hi, Blister

Do you have a virus scanner on your mac? and is it up to date?

Scanners rely on the company finding out how the virus changes the files on your computer and scanning for those changes, you can't scan for a virus directly, so you can be infected by a virus before your scanner in updated to include the latest virus discriptions. This has happened a couple of times at work, we have a scanner on ALL machines, pc and mac.

I would be very wary about those reports about saying "usual scare stories" They are making cross platform viruses that infect pc and mac.

So don't think it will never happen to me.

Pete
 
Pete Maddex":3cv0klhp said:
Hi, Blister

Do you have a virus scanner on your mac? and is it up to date?

Scanners rely on the company finding out how the virus changes the files on your computer and scanning for those changes, you can't scan for a virus directly, so you can be infected by a virus before your scanner in updated to include the latest virus discriptions. This has happened a couple of times at work, we have a scanner on ALL machines, pc and mac.

I would be very wary about those reports about saying "usual scare stories" They are making cross platform viruses that infect pc and mac.

So don't think it will never happen to me.

Pete

Hi Pete,

I did suggest that Mac owners download the FREE Sophos scan software just in case the very unlikely happens.
 
gus3049":18sh9rqy said:
Usual scare. . ...... .. . . .I've not read the full article etc etc


I think your guilty of reading only the start of the news story. Apple itself and Java have issued a patch against it.



Just to be clear, this still isn't a downer on the apple macs, just a friendly reminder to be aware that mac = no virus is a myth and to still be carefully online. Mac has a long way to go before it reaches the depths of some of the windows viruses, I can't remember the name but a few years back there was that prolific virus that turned off your computer, everyone I knew got that one, some more than once.
 
Chems":2wegpxun said:
gus3049":2wegpxun said:
Usual scare. . ...... .. . . .I've not read the full article etc etc


I think your guilty of reading only the start of the news story. Apple itself and Java have issued a patch against it.



Just to be clear, this still isn't a downer on the apple macs, just a friendly reminder to be aware that mac = no virus is a myth and to still be carefully online. Mac has a long way to go before it reaches the depths of some of the windows viruses, I can't remember the name but a few years back there was that prolific virus that turned off your computer, everyone I knew got that one, some more than once.

Not true, I read the whole article in ALL the papers and on the MacUser website. Further reading revealed that this 'scare' is unconfirmed by anyone else, although I admit that Apple have issued a Java patch just in case.
 
It'd be interesting if it was true and it was down to a java problem because Apple's argument against flash was that it exposed the system and is the reason apple mobile devices don't support it. They are all for HTML5. I couldn't see how they could replace Java though.

I think the pair of patches from Apple and Oracle confirm something's out to be worried about.
 
gus3049":35sf2678 said:
Further reading revealed that this 'scare' is unconfirmed by anyone else, although I admit that Apple have issued a Java patch just in case.

F-Secure is mentioned in the BBC article Chems linked to - and last time I checked, they were a perfectly credible, non-Russian security company! It's just not worth it for big security companies to completely fabricate threats, they'd lose their credibility and then nobody would give them any money any more.


The bottom line is that it is inevitable that something like this would happen sooner or later. I love my Mac and OSX and all that, but the way the company has been continually happy to play on the cultish devotion often shown by Mac fans and cheerfully spread around dangerous lies like this "Macs can't get viruses" rubbish in order to grab sales is nothing short of disgusting. :/

It's true that there are more Windows machines around than anything, but a larger and larger proportion of users are running anti-virus and anti-malware protection these days; MS have made great leaps in offering a built-in solution so the majority of users have something out of the box. Apple hardware continues to be largely completely unprotected, and sooner or later it's going to get to the point where it's easier to target Macs not because they're more prevalent, but because less effort is involved. Especially when known security fixes in mainstream software like Java go completely unpatched for weeks!
 
Chems":3j2aayjn said:
I can't remember the name but a few years back there was that prolific virus that turned off your computer, everyone I knew got that one, some more than once.

The 2 viruses I remember getting whacked by were Blaster and Sasser. Most people I know got caught by one or both. A warning appeared on screen telling you your machine would shut down in 60 seconds and no matter what you did you couldn't stop it or save any unsaved work.(or something like that). Symantic released a free removal tool very quickly and the world returned to normal. That was back when many didn't take the threat of viruses seriously enough. Never been hit since as free anti-virus is more than adequate to keep my machine clean as a whistle.

When there's sufficient numbers of Mac users to warrant some attention from the virus makers the oh-so-holier-than-thou brigade had better hope Symantic are in a generous mood.

Roy
 
That's the one Roy, 60 seconds to shutdown. I found that if you actually clicked shutdown it reversed the process and you could quickly remove it from the system whilst clicking shutdown each time the process started again. Fun times.
 
Apple's biggest technical weakness was caused by their marketing team: going over to Intel (essentially x86-based) chipsets for the hardware. Previously the G-x series chips had different instruction sets from Intel, and were an order of magnitude harder to write effective viruses for. OS X, initially, at least, was very secure - the hardware wasn't like Intel, and the Unix-derived operating system could be locked-down properly. But the public demanded "Windows compatibility", and the cheapest way to provide that was Intel hardware (even though there were software emulators out there at the time).

Now there is a set of instructions common to processors on Windows and OSX machines. This means that life is FAR easier for virus writers, because they're in known territory.

Because of the Unix ancestry of OSX, you can still lock it down quite securely. Setting up a user account without root equivalence and using that for normal day-to-day activities, makes many types of virus attack impossible. You can do the same on a Windows machine, to an extent, although the Windows' security model is quite flawed, IMHO (you have to explicitly restrict rights rather than grant them, for a start, and different types of 'rules' interact with each other in complex ways).

Nothing is perfect however, and anyone who thinks either, "I have a Mac: I'm invulnerable!" or, "I have anti-virus software: I"m protected!" will eventually have a nasty shock.

A controversial thought: there is a massive logical flaw in the concept of Anti-virus software. It can only detect what it can detect. By definition, the moment a virus-writer comes up with a truly novel method of attack, it blindsides the AV software, and can propagate very fast indeed. There are many examples of this happening down the years - two decades ago, I was given a disk with a virus on it by the (unaware) R+D lab of a Fortune 100 company!

By far the best approach is an educated user base. If people know what actions and activities are dangerous, and understand the risks in doing them (and the costs if they collect malicious code in the process!), they are far less likely to take risks.

I don't (and won't) run AV software in the background. I do run occasional scans though, more frequently when I'm doing risky things.

I don't use any popular email software - any virus would fail, trying to access my address book, for example. I delete unsolicited email unopened.

I run Firefox with NoScript, because it can warn me of dodgy web pages, and I shun both Chrome and Internet Explorer, because of the former's ability to snoop on me and the latter's poor track record.

My machines are connected to the Internet 24x7. So far, I haven't had an active virus on any machine on the system since that incident years ago. I must have been sent thousands though.

Incidentally, my kids have grown up using Macs and Wintel PCs in equal measure - they've always had Macs at home, but been forced to use Wintel at school. The eldest used to do "IT-monitor" duties, helping peers use the IT suites, because he had better understanding than Wintel-only brethren. They are all pragmatic about it - they prefer Macs as users, but realise it's still a Wintel world out there. They never had any problems with software incompatibility or electronic assignments. That issue died over a decade ago.

Oh, and we're finally having to replace my wife's Mac this year. We worked out it's over 13 years old now. In the same time, I've been forced to replace my own PC three times and laptop twice. You decide if Macs are cost-effective or an expensive gimmic.

Happy Easter everyone.

E.
 
Eric The Viking":7iypooyh said:
Apple's biggest technical weakness was caused by their marketing team: going over to Intel (essentially x86-based) chipsets for the hardware. Previously the G-x series chips had different instruction sets from Intel, and were an order of magnitude harder to write effective viruses for. OS X, initially, at least, was very secure - the hardware wasn't like Intel, and the Unix-derived operating system could be locked-down properly. But the public demanded "Windows compatibility", and the cheapest way to provide that was Intel hardware (even though there were software emulators out there at the time).

Now there is a set of instructions common to processors on Windows and OSX machines. This means that life is FAR easier for virus writers, because they're in known territory.

Because of the Unix ancestry of OSX, you can still lock it down quite securely. Setting up a user account without root equivalence and using that for normal day-to-day activities, makes many types of virus attack impossible. You can do the same on a Windows machine, to an extent, although the Windows' security model is quite flawed, IMHO (you have to explicitly restrict rights rather than grant them, for a start, and different types of 'rules' interact with each other in complex ways).

Nothing is perfect however, and anyone who thinks either, "I have a Mac: I'm invulnerable!" or, "I have anti-virus software: I"m protected!" will eventually have a nasty shock.

A controversial thought: there is a massive logical flaw in the concept of Anti-virus software. It can only detect what it can detect. By definition, the moment a virus-writer comes up with a truly novel method of attack, it blindsides the AV software, and can propagate very fast indeed. There are many examples of this happening down the years - two decades ago, I was given a disk with a virus on it by the (unaware) R+D lab of a Fortune 100 company!

By far the best approach is an educated user base. If people know what actions and activities are dangerous, and understand the risks in doing them (and the costs if they collect malicious code in the process!), they are far less likely to take risks.

I don't (and won't) run AV software in the background. I do run occasional scans though, more frequently when I'm doing risky things.

I don't use any popular email software - any virus would fail, trying to access my address book, for example. I delete unsolicited email unopened.

I run Firefox with NoScript, because it can warn me of dodgy web pages, and I shun both Chrome and Internet Explorer, because of the former's ability to snoop on me and the latter's poor track record.

My machines are connected to the Internet 24x7. So far, I haven't had an active virus on any machine on the system since that incident years ago. I must have been sent thousands though.

Incidentally, my kids have grown up using Macs and Wintel PCs in equal measure - they've always had Macs at home, but been forced to use Wintel at school. The eldest used to do "IT-monitor" duties, helping peers use the IT suites, because he had better understanding than Wintel-only brethren. They are all pragmatic about it - they prefer Macs as users, but realise it's still a Wintel world out there. They never had any problems with software incompatibility or electronic assignments. That issue died over a decade ago.

Oh, and we're finally having to replace my wife's Mac this year. We worked out it's over 13 years old now. In the same time, I've been forced to replace my own PC three times and laptop twice. You decide if Macs are cost-effective or an expensive gimmic.

Happy Easter everyone.

E.
Can't argue with any of that!!

We only have one Intel Mac but that's the wife's so it don't matter do it? (We also have various old Macs still running system 9 and one actually still on 8, perhaps I should use them for the net!! AND of course, they are still going strong after all these years - value indeed)

It seems most of it is just being careful and trying to make sure you actually know what you are doing. Trouble is of course that PCs are now just white goods and used accordingly - mostly.
 
Eric The Viking":1jubsf5l said:
Apple's biggest technical weakness was caused by their marketing team: going over to Intel (essentially x86-based) chipsets for the hardware. Previously the G-x series chips had different instruction sets from Intel, and were an order of magnitude harder to write effective viruses for. OS X, initially, at least, was very secure - the hardware wasn't like Intel, and the Unix-derived operating system could be locked-down properly. But the public demanded "Windows compatibility", and the cheapest way to provide that was Intel hardware (even though there were software emulators out there at the time).

Honestly, I'm pretty sure Apple moved to Intel CPUs becaue the PowerPC range just wasn't keeping up performance-wise - new Windows machines were beginning to look notably faster than new Macs in comparison - and they had problems fitting the faster PowerPC chips in laptops without them overheating. The last G4 Powerbook I had I found pretty underwhelming compared to the XP desktop I had at the same time.

I'm pretty doubtful that having a common instruction set makes any difference to virus-writers, because basically nobody ever writes code using those instructions directly, these days. The majority of viruses exploit either problems in operating-system code, driver code or the code of applications with elevated permissions (which can be addressed using a high-level language which is completely removed from the chip instruction set) or - just as commonly - tricking users into giving the malware more permissions than they should.

Eric The Viking":1jubsf5l said:
You can do the same on a Windows machine, to an extent, although the Windows' security model is quite flawed, IMHO (you have to explicitly restrict rights rather than grant them, for a start, and different types of 'rules' interact with each other in complex ways).

I wouldn't call the Windows model flawed: it's in some ways more flexible. I think that the main problem is more that the average user doesn't have a clue what it all means anyway, and MS have never done a good job of educating people in that regard, so it's easy for people to cock it up. Which is then exacerbated by idiot third-party vendors who don't know how to write well-behaved software and just fall back on telling their customers to switch off their anti-virus or launch software in administrator mode, or whatever.

Eric The Viking":1jubsf5l said:
By far the best approach is an educated user base. If people know what actions and activities are dangerous, and understand the risks in doing them (and the costs if they collect malicious code in the process!), they are far less likely to take risks.

This, on the other hand, I absolutely agree with. It's not sufficient on its own, since there have been far too many instances of viruses which propagate without user intervention, but it's probably the single most important part of a secure computer.
 
Eric The Viking":2xjbxnuo said:
.....

Oh, and we're finally having to replace my wife's Mac this year. We worked out it's over 13 years old now. In the same time, I've been forced to replace my own PC three times and laptop twice. You decide if Macs are cost-effective or an expensive gimmick

E.

Well said.
 
I have just dumped the latest update for my MacBook, so I hope that it will delay the obvious. I also have a virus checker running on both here and our iMac. The iMac will be done tomorrow!

With the morons in this world that are determined to screw up other people for the sake of a laugh for themselves the only safe system is either a PC totally disconnected from the internet or an isolated mainframe with coax or twinax connected users.

My experience with twinax was with IBM on their lovely small mainframe systems, comme ça http://en.wikipedia.org/wiki/Twinaxial_cabling
 
OK for Blister and any other Mac users out there that are still concerned, here is some advice from MacUser. It seems I have been a little guilty of poo pooing the threat but then I can't afford the latest er... 'flash' Macs. I have installed a virus checker and disabled Java just in case. I always have click to flash installed and very rarely run anything with flash anyway. I'll still sleep easy I suspect.


What you need to know about the Flashback trojan
We’ve entered a new era in Mac security, but there’s no need to panic

by Rich Mogull, Macworld.com Apr 6, 2012 9:50 pm


On April 4, Russian antivirus vendor Dr. Web published strong evidence that more than 500,000 Macs have been infected by the latest variant of the Flashback trojan. As Mikko Hypponen, Chief Researcher at F-Secure pointed out via Twitter, if there are roughly 45 million Macs out there, Flashback would now have infected more than 1 percent of them, making Flashback roughly as common for Mac as Conficker was for Windows. Flashback appears to be the most widespread Mac malware we’ve seen since the days when viruses were spread on infected floppy disks; it could be the single most significant malware infection to ever hit the Mac community.

Here’s what you need to know about Flashback, what you can do about it, and what it means for the future of Mac security.

What is Flashback?
Flashback is the name for a malicious software program discovered in September 2011 that tried to trick users into installing it by masquerading as an installer for Adobe Flash. (Antivirus vendor Intego believes Flashback was created by the same people behind the MacDefender attack that hit last year.) While the original version of Flashback and its initial variants relied on users to install them, this new form is what’s called in the security business a drive-by download: Rather than needing a user to install it, Flashback uses an unpatched Java vulnerability to install itself.

If you visit a malicious (or unwillingly infected) website hosting Flashback, the program attempts to display a specially crafted Java applet. (We don’t yet know how many websites host Flashback.) If you have a vulnerable version of Java installed and enabled in your Web browser, the malicious code will infect your system and then install a series of components. Since Apple did not release an update for that vulnerable version of Java until April 3rd, many users were and are still susceptible.

After initial infection, Flashback pops open a Software Update window to try and obtain your administrative password, but it does so only to embed itself more deeply into your Mac. Even if you aren’t fooled at this point, you are still infected.

Once it succeeds in infecting your Mac, Flashback inserts itself into Safari and (according to F-Secure) appears to harvest information from your Web browsing activities, including usernames and passwords. It then sends this information to command-and-control servers on the Internet.

The significant thing is that, unlike almost all other Mac malware we’ve seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything.

Am I at risk?
You are at risk if you meet four criteria:

1. You have Java installed on your Mac. One way to find out: Open Terminal and type java -version at the prompt. If you do have Java installed, you'll get a version number. It is installed by default on OS X 10.6 Snow Leopard, but not by OS X 10.7 Lion. (But is installed the first time you need to run it, which means most Macs likely have it).

2. You do not have the Java for OS X Lion 2012-001 (if you're running OS X Lion) or Java for Mac OS X 10.6 Update 7 installed (if you're running Snow Leopard) or you were infected before either of them was installed. Both of those updates install Java version 1.6.0_31; running that java -version command above will tell you if that's what you've got.

3. You allow Java applets to display in your browser. In Safari, go to Preferences > Security > Web Content and see if the Enable Java option is checked. You can turn that option off by unchecking it.

4. You do not have certain security tools installed on your Mac that Flashback checks for, including Little Snitch, Xcode, and a few anti-malware tools.

Antivirus vendors do not appear to have detected this particular version of Flashback for a few days after it appeared in the wild, though some vendors—including Intego—protected users with updates in late March. Malware often shares bits of code from earlier versions that may be detectable by antivirus products before those products have been specifically updated to catch newer versions, but such protection is hit-or-miss.

How can I tell if I’m infected?
F-Secure posted instructions for checking your Mac, which require running a few commands in Terminal. All antivirus products should also be detecting it at this point if you have the latest signatures installed. (Usually, you can do so manually in your security app’s preferences, but this varies from product to product; most automatically update).

How can I protect myself?
The first thing to do is run Software Update and make sure you have the latest patches. This will prevent any infections that exploit the current vulnerability; there aren’t any other known infection vectors (other than tricking you into installing it, which won’t go away anytime soon and doesn’t rely on Java).

There are a few other things I’d recommend you do to reduce the chances of future drive-by malware infections:

Disable Java in Safari and other Web browsers. Unlike Flash, you rarely need it these days. Again, in Safari, go to Preferences -> Security -> Web Content and uncheck Enable Java. The folks at TidBITS posted instructions and screenshots for doing the same in Chrome and Firefox.

Uninstall Flash and use Google Chrome as your browser. Google Chrome includes an embedded, sandboxed version of Flash that reduces the chances an attacker can infect your system. Download the Flash uninstaller, then install Google Chrome.

If you don’t need Java at all, disable it. The Java Preferences utility is in /Applications/Utilities; uncheck the boxes next to the versions listed in the General tab. Be careful, though: Some programs such as CrashPlan (which I use) require it. But there aren’t many apps like that on the Mac market anymore.

I still use Safari, but when I need Flash I switch to Google Chrome. I haven’t allowed Java to run in my browser for some years now, due to my fear of this kind of attack. Mac antivirus tools may help, but they still don’t catch everything. That said, the current programs are far less intrusive and performance-impairing than they used to be; some of them (including Sophos and ClamXav) offer free versions. Remember, antivirus tools aren’t perfect, and you can still be infected by new malware if those tools don’t specifically protect against it. Many Windows users learn this lesson the hard way on a daily basis.

Are there really more than half a million infected Macs?
Yes, it really looks that way.

While we don’t have independent validation, the techniques described by Dr. Web to measure the infection are plausible: Using one called sinkholing, Dr. Web redirected command-and-control traffic to its own analysis server. Since each infected Mac provides its unique device ID when connecting to the server, this allows Dr. Web to count infections on a per-machine basis; that’s more accurate than counting connections based on IP addresses (which might be shared by multiple Macs).

We also have anecdotal evidence supporting the claim. In linking to a report on Ars Technica about Flashback, John Gruber asked his readers at Daring Fireball to check their Macs and let him know if they were infected. Over the course of six hours, John received positive reports from about a dozen of his readers—who are generally experienced Mac users.

Is this different from previous Mac malware?
Flashback is the first widespread drive-by malware to attack Macs. This is one of the most pernicious attack techniques, which has long troubled Windows users, and it does represent a major advance.

Most Mac malware hides itself inside software programs—such as pirated software, obscure games, or non-standard video players—that the average users is unlikely to install. Because it can infect a vulnerable computer without user interaction, Flashback is far more serious. As we’ve seen in the Windows world, this is an extremely effective technique.

Intego says it has detected dozens of new variants in the past few days, which means the malware authors are working hard to extend the life of the infection.

Is Apple responsible?
The vulnerability in Java that Flashback exploits was patched in February by Oracle (which inherited Java as part of its acquisition of Sun Microsystems). But Apple waited nearly two months to update OS X with that patched version.

This is the single biggest security issue for Macs. OS X includes a number of software components from third-party vendors and the Open Source software community, and Apple has a terrible track record in updating those components. When a vulnerability becomes publicly known because it’s been patched on another platform, but it isn’t patched on another, the bad guys have a straight-line roadmap to compromising that unpatched system.

Apple may believe that not including Flash or Java in current versions of OS X prevents these kinds of attacks, but too many users still install these tools. Apple has made incredible strides in improving the security of its products, but its delayed patching of known vulnerabilities is still a problem.

What does this mean for the future of malware on Macs?
Flashback doesn’t necessarily mean that Macs will soon be as laden with malware as Windows computers. But the future of the platform’s security depends a lot on Apple and good old fashioned luck.

Drive-by attacks rely on vulnerabilities in Web browsers and other software—such as email and RSS readers—that view webpages. It’s not enough to run vulnerable software; that software needs to be exploitable, meaning it allows an attack to extend its tendrils into your system. Apple has been introducing a series of technologies—tools like Address Space Layout Randomization (ASLR), sandboxing, and DEP—to reduce the chances of exploitation even when a Mac is vulnerable and to limit the potential damage of an attack. But these technologies aren’t perfect, especially when complex programs that run Web content like Java or Adobe Flash are involved.

Apple clearly needs to start patching software that’s known to be vulnerable more quickly. After the success of Flashback, we can only assume the bad guys will move more quickly the next time they are given this window of opportunity. Cupertino should consider further sandboxing Safari. It should also explore the possibility of sandboxing Flash and Java independently; if the latter isn’t technically feasible, the company should work more directly with the vendors of those technologies to develop sandboxed Mac versions. Adobe recently added more-extensive sandboxing to Acrobat on Windows, and that has reduced the effectiveness of attacks.

Gatekeeper will significantly change the game for manually installed trojans when it’s released later this year; it will make that form of attack much less profitable (and thus less likely).

The bad guys clearly care more about Macs now. But we need to keep our perspective: We still see far less malware for Macs than we do for, say, Android phones. Yet there's no doubt that Flashback is a significant development. I believe it shows we will see more malware on Macs. I’m also convinced these will be infrequent events and not the ongoing onslaught of epidemics that some observers are predicting—as long as we all take precautions and stay vigilant.
 
Back
Top