Educause Security Discussion mailing list archives

Re: Adware/Spyware on Mac/OS X


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 7 May 2009 18:39:59 +1200

On 5/05/2009, at 5:38 AM, Gene Spafford wrote:

But what software is involved?  Are those machines also running
Windows in a VMware-type environment?   I have been monitoring various
news outlets and samples, and have yet to see a real threat running in
the wild.  (Leaving out the attack that is included in pirated
software that leads to the botnet.)

We have seen generic Unix (Perl) bots on Macs; the normal vector for
compromise is a poor password on an account with SSH enabled.

I have been told by folk who study botnets that Linux and Macs are in
demand as bot controllers as they are far more flexible than Windows
systems (surprise!).

I have also seen spyware user agent strings generated by Macs.   Most
of these are 'free' user-installed programs that perform some vaguely
useful function and monitor/report your web usage.  Some are written
in Java and are cross-platform.

We have also seen fake codecs aimed at Macs.

Not a huge amount of any of this, but bad stuff for Macs is out there
in the wild.

We have purchased a license for Sophos AV (not enough to cover all our
Macs) and we run it on a modest number of machines.  The rationale
being that, although the risk is small now, that could change fairly
quickly and we want to be in a position where we have the
infrastructure in place to deploy Mac AV quickly if we have to.  I.e.
we have local servers set up and we have a product that we know -- all
we need to do is call the vendor and wave $s.

I would be running it on my MacBook if I could convince it to coexist
with FileVault. :(  Sophos claim it is a bug in Mac OS X...

The basic Mac security model is still superior to Windows, but this is
not much help when many of the attacks now rely on social
engineering.  If you can convince the user to install your malware for
you, the game is over as far as the OS is concerned.

All that said, our experience in the Windows world over the last 6
months strongly suggests that the bad guys are winning the arms race.
I am now regularly uploading malware to VirusTotal and getting
detection rates < 20% :(

Signature-based antivirus is reaching its use-by date :(

I would like to see Apple extend their tagging of files downloaded
from the net to include first execution in a sandbox with more
sophisticated monitoring for suspicious behaviour (rather than just
the "app xxx wants to open ports...").

Russell
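The post names SSH password guessing against weak accounts as the usual way the Perl bots get onto Macs. As an added example (not part of the original message or of any product mentioned in it), the script below runs a simple detection over constructed sshd log lines in the style of a Mac OS X secure.log: it flags a successful password login from a source address that had already produced several failures, which is the pattern that compromise leaves behind. Host name, user names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a 2009-era Mac OS X /var/log/secure.log.
# The host name, user names and addresses are invented for this example.
SAMPLE_LOG = """\
May  7 18:01:02 macbox sshd[4410]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2
May  7 18:01:05 macbox sshd[4412]: Failed password for invalid user oracle from 192.0.2.10 port 50131 ssh2
May  7 18:01:09 macbox sshd[4415]: Failed password for test from 192.0.2.10 port 50140 ssh2
May  7 18:01:14 macbox sshd[4418]: Failed password for test from 192.0.2.10 port 50151 ssh2
May  7 18:01:20 macbox sshd[4421]: Failed password for test from 192.0.2.10 port 50162 ssh2
May  7 18:01:27 macbox sshd[4424]: Accepted password for test from 192.0.2.10 port 50170 ssh2
May  7 18:05:00 macbox sshd[4501]: Accepted publickey for russell from 198.51.100.7 port 40000 ssh2
May  7 18:06:00 macbox sshd[4510]: Failed password for russell from 198.51.100.7 port 40010 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_suspicious_logins(log_text, threshold=3):
    """Return (src, user, failures_before) for each password login that
    succeeded after at least `threshold` failed attempts from the same
    source address. Lines are read in order, so only failures seen
    before the success are counted; key-based logins are never flagged."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication line
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] += 1
        elif m.group("method") == "password" and failures[src] >= threshold:
            hits.append((src, m.group("user"), failures[src]))
    return hits


if __name__ == "__main__":
    for src, user, n in find_suspicious_logins(SAMPLE_LOG):
        print(f"{src}: password login as {user} after {n} failures")
```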