Re: mac trojan in-the-wild

[David Farber <dave () farber net>]

Begin forwarded message:

From: "Peter Sahlstrom" <peter () stormlash net>
Date: November 1, 2007 10:16:16 AM EDT
To: dave () farber net
Cc: ip () v2 listbox com
Subject: Re: [IP] Re: mac trojan in-the-wild

Dave,

I'm waiting for "the big one" as much as anyone, but I think this
report is a bit premature.  I know that there is a lot of frustration
at Apple's somewhat arrogant stance on security (if not at Apple
itself, at least at the archetypal "Mac user"), but this trojan is
just another in a long line of purported watershed moments in OS X
security.  Some examples:

The "opener" rootkit for OS X, announced in 2004:
http://lists.apple.com/archives/macos-x-server/2004/Oct/msg01502.html
OSX/Leap-A, "The first OS X Virus", from February 2006:
http://www.macrumors.com/2006/02/16/the-first-mac-os-x-virus-a-new-os-x-trojan/
The "OSX.Macerena" virus, released November 2006:
http://www.macworld.com/news/2006/11/03/macarena/index.php

I think there's one thing especially worth noting about this latest
trojan report that also applied to the three listed above: the user
still has to manually execute a file they have downloaded before the
virus can install itself.  In this latest trojan, even if you have
"Automatically open safe files after downleading" checked, this will
only mount the drive image containing the virus; the user must still
manually execute the application and type in an administrator password
before the trojan can install itself.

As Victor Marks mentioned earlier, operating system designers are
still trying to figure out how to help users recognize the risk in
running programs they have downloaded, just as society at large tries
to figure out how to keep users from using products they have
purchased in harmful ways.  Mac OS 10.5 has some interesting ideas
(tagging of downloaded files as potentially dangerous, giving
developers the option of signing their binaries), but the fundamental
issue is the same: how far should an operating system go in protecting
users from themselves?

-Peter Sahlstrom
peter () stormlash net

On 11/1/07, David Farber <dave () farber net> wrote:
> Begin forwarded message:
>
> From: "Victor Marks" <vxm () miglia com>
> Date: October 31, 2007 10:04:55 PM EDT
> To: dave () farber net
> Cc: ip () v2 listbox com
> Subject: Re: [IP] mac trojan in-the-wild
>
> For IP if you wish Dave,
>
> Gadi,
>
> It just means that OS X is the new Linux, having joined Linux in
> possessing vulnerabilities and smug users who like to make fun of
> Windows.
>
> http://www.google.com/search?q=linux+worm&hl=en&client=safari&rls=en&start=30&sa=N
>
> Apple is using some of the same GNU and BSD licensed software and has
> some of the same vulnerabilities. http://apple.com/opensource
>
> Apple regularly issues security updates, although some security
> researchers have expressed disappointment with Apple in the past.
>
> In other cases, Apple has chosen to strike a balance between security
> and annoying the user. Microsoft chose a different balance with
> Vista's User Access Control (confirm, deny). Now apple will likely
> re-evaluate the whole safe auto-opening business, but in the end of
> the day:
>
> 1) users will still want to download items to their computers
> 2) they may be tempted by social engineering (want porn? get shiny new
> codec-trojan!)
>
> How far should the operating system makers go to prevent users (owners
> of their systems) from installing third-party software? Should they
> make it hard to download and install software? (Apple already requires
> an administrator password to install software that touches beyond the
> reach of the user's files.) Should they attempt to determine malware
> and prevent its installation for the user?
>
> If they should somehow attempt to determine between good software and
> bad software for the user, what's to say that doesn't open a whole can
> of worms for operating system makers and using such a thing against
> competition?
>
> IP readers here are some general questions that can be answered
> regardless of your favorite operating system distribution:
> what do you think the right way forward is?
>
> protecting users from themselves in some fashion (please elaborate) ?
>
> leaving users to their own devices and just more strongly encouraging
> not running as an administrative (non-root) user?
>
> encouraging operating system makers to take security more seriously
> (how?)
>
> Other?
>
> Regards,
> Victor Marks
>
> On 10/31/07, David Farber <dave () farber net> wrote:
> > Begin forwarded message:
> >
> > From: Gadi Evron <ge () linuxbox org>
> > Date: October 31, 2007 7:23:55 PM EDT
> > To: dave () farber net
> > Subject: mac trojan in-the-wild
> >
> > For whoever didn't hear, there is a Macintosh trojan in-the-wild  
> > being
> > dropped, infecting mac users.
> > Yes, it is being done by a regular online gang--itw--it is not yet
> > another proof of concept. The same gang infects Windows machines as
> > well, just that now they also target macs.
> >
> > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
> >
> > This means one thing: Apple's day has finally come and Apple users  
> > are
> > going to get hit hard. All those unpatched vulnerabilities from years
> > past are going to bite them in the behind.
> >
> > I can sum it up in one sentence: OS X is the new Windows 98.  
> > Investing
> > in
> > security ONLY as a last resort losses money, but everyone has to  
> > learn
> > it for themselves.
> >
> > Gadi Evron.
> >
> >
> > -------------------------------------------
> > Archives: http://v2.listbox.com/member/archive/247/=now
> > RSS Feed: http://v2.listbox.com/member/archive/rss/247/
> > Powered by Listbox: http://www.listbox.com
>
>
> -------------------------------------------
> Archives: http://v2.listbox.com/member/archive/247/=now
> RSS Feed: http://v2.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com


--
Peter Sahlstrom
peter () stormlash net
http://peter.stormlash.net


-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com