Educause Security Discussion mailing list archives
Re: Adware/Spyware on Mac/OS X
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 7 May 2009 18:39:59 +1200
On 5/05/2009, at 5:38 AM, Gene Spafford wrote:
But what software is involved? Are those machines also running Windows in a VMware type environment? I have been monitoring various news outlets and samples, and have yet to see a real threat running in the wild. (Leaving out the attack that is included in pirated software that leads to the botnet.)
We have seen generic Unix (Perl) bots on Macs; the normal vector for compromise is a poor password on an account with SSH enabled. I have been told by folk who study botnets that Linux and Macs are in demand as bot controllers as they are far more flexible than Windows systems (surprise!).

I have also seen spyware user agent strings generated by Macs. Most of these are 'free' user-installed programs that perform some vaguely useful function and monitor/report your web usage. Some are written in Java and are cross-platform. We have also seen fake codecs aimed at Macs. Not a huge amount of any of this, but bad stuff for Macs is out there in the wild.

We have purchased a license for Sophos AV (not enough to cover all our Macs) and we run it on a modest number of machines. The rationale being that, although the risk is small now, that could change fairly quickly and we want to be in a position where we have the infrastructure in place to deploy Mac AV quickly if we have to. I.e. we have local servers set up and we have a product that we know -- all we need to do is call the vendor and wave $s. I would be running it on my MacBook if I could convince it to coexist with FileVault. :( Sophos claim it is a bug in Mac OS...

The basic Mac security model is still superior to Windows, but this is not much help when many of the attacks now rely on social engineering. If you can convince the user to install your malware for you, the game is over as far as the OS is concerned.

All that said, our experience in the Windows world over the last 6 months strongly suggests that the bad guys are winning the arms race. I am now regularly uploading malware to VirusTotal and getting detection rates < 20% :( Signature-based antivirus is reaching its use-by date :(

I would like to see Apple extend their tagging of files downloaded from the net to include first execution in a sandbox with more sophisticated monitoring for suspicious behaviour (rather than just the "app xxx wants to open ports...").

Russell