Friday, January 30, 2009

Re: "The Mac Malware Myth"

I'm a Daniel Eran Dilger fan. I've enjoyed bantering with him in the past over at ye olde Mac Advocacy Usenet newsgroup for many years. He writes one of my favorite blogs called RoughlyDrafted Magazine.

Yesterday Dan posted a great article called "The Mac Malware Myth". Being my notorious self, I posted a few replies to the article. Seeing as the replies are directly applicable to Mac Security, I decided to toss them here as well. My replies are a bit redundant of previous stuff I have written, but I also find them to be nice little summaries of useful information. So here goes:

Reply #1:

HISTORY: ‘The Sky Is Falling’ FUD started in August of 2005. The first perpetrator was our old pal Symantec. Who else. McAfee fell in line by the end of the year. But oddly, the CEO of McAfee was then quoted as saying the single best way to avoid malware on computers was to, you guessed it, use a Mac.

In the following three years there was an actually wonderful event: The FUD got to Apple and they got seriously serious about Mac OS X security. Believe me, Apple had NOT been serious about it previously. As a result there was an exponential increase in Apple Security updates. There was also one enormous revelation: Apple QuickTime was a massive security hole. If you review the security improvements in QuickTime over the last year you’ll realize this is a fact. The problems first became obvious in December 2006 when one of its vulnerabilities was exploited by hackers at MySpace who managed to use a cross-site scripting hole in QuickTime to hack thousands of MySpace pages. Apple rapidly provided a fix and got to work cleaning up the rest of their messed up code.

In October 2007, the very very very first Mac OS X malware in-the-wild showed up in the form of a porn site Trojan horse masquerading as a Quicktime component you were supposed to install in order to watch a website porn video. That was over TWO YEARS after ‘The Sky Is Falling’ FUD began. Then over the last year a horrifying TRICKLE happened. While Windows was flooded with thousands of new malware, including real life viruses, Mac OS X was made slightly damp with another seven Trojan horses. Did I feel a drop?

Reply #2:

“Security By Obscurity”
… Is a joke, always was, and I suspect always will be. I wrote a shocking article, over at my Mac-Security blog, about how to prove it is a joke to all but the most dimwitted among us. It uses mathematics, which apparently confuses dunderheads and trolls.

Why is there no such thing as ‘Security By Obscurity’ for Mac OS X?

Because Mac OS X is UNIX. It’s certified! Look it up! UNIX was built from day one to be profoundly secure. Windows never was. That’s why Microsoft, to this day, have the single least secure operating system commercially available. Very sad. Very true.

Do not ever expect Mac OS X, even if it becomes as popular as Windows, to have any amount of malware as massive as Windows. Mac OS X is, here’s that word again, PROFOUNDLY more secure than Windows. There is no such thing as perfect security. Mac users have no excuse for not paying attention to security. But never let any joker, dimwit or troll fool you that there is such a thing as ‘Security By Obscurity.’ What really exists is solid state Mac OS X security that prevents hacking and cracking far better than anything Microsoft will ever come up with. That is literally why they have 99.99999999% of the malware and Mac OS X users statistically have next to nothing. And yes, they’ll hate you for telling them the truth. Just smile back.


Reply #3:

OK, so you want to be a responsible Mac OS X user, and want to be prepared for any Mac malware lingering out there in the wild. What do you do?

1) Never install anything that you have not verified as 100% legitimate software. That means specifically two things:

A) Never believe any notice anywhere that says you must install something being offered to you. Go check it out and download it from a reputable site that checks out software and provides user reviews. These include VersionTracker, MacUpdate, TuCows, etc.

B) Never install pirated software. The most recent Trojan for Mac OS X specifically hides inside pirated software installers, pretending to be an installer package, installed right alongside the legitimate installer packages.

2) Go get a decent free anti-malware program. (The term ‘anti-virus’ is out of date). My only recommendation for a FREE program is ‘iAntiVirus’ free edition from PC Tools. It is up to date. Do NOT bother with ClamXav. It is well over a year out of date regarding Mac malware. (I have personally attempted to improve this situation but found it fruitless).

Of the commercial/shareware anti-malware programs, the only one I recommend is Intego’s VirusBarrier. It works great. I own it. Got a nice deal on it too. Downside: You have to pay every year for updated malware definitions. Not worth it! See #1 above. Go get iAntiVirus.

3) Keep up with security updates. Always install Apple Security Updates when they are provided via Software Update for your Mac. Always install updates to applications and plugins. Quicktime has security holes. Adobe Flash has security holes. RealPlayer has security holes. Etc.

4) Use security tools and techniques. This includes working as a ‘Standard User’ on any network, not as an Administrator. You can also encrypt your account using Apple’s provided FileVault. You can also lock down your Mac using a Firmware password. There are loads of other security utilities on the net. Three I like are 1Password, Little Snitch and GNU Privacy Guard (which is free!).

5) The #1 Rule of Computing, repeat after me:


If you don’t, you get what you deserve. Cruel. Reality.

That’s my list!

The end.

Friday, January 23, 2009

Mac Malware #8: OSX.Trojan.iServices.A

Intego, makers of VirusBarrier, posted an alert on Thursday 2009-01-22 regarding a newly discovered Trojan horse specific to Mac OS X. They have designated it "OSX.Trojan.iServices.A". It was found in torrented/pirated copies of Apple's iWork 09 installer.

Conclusion: If you have torrented, downloaded or been given any pirated copy of iWork 09, do not install it! Throw it away!

Cures: Intego of course has provided a removal method in the latest malware definitions file for VirusBarrier. The folks at MacScan have also provided a FREE removal tool here.

A MacRumors article about the Trojan can be found here.

How does it work?

1) Included with the iWork 09 package is an added bogus Trojan package entitled "iWorkServices.pkg". When you install iWork 09, the Trojan is installed along with the legitimate program packages. It is specifically installed as a startup item within your system.

2) According to Intego: "The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac."

Essentially, you've been zombied. The cracker controlling the program can do anything with your computer. Examples include money making schemes such as stealing your identity, spamming the net or using your machine in a denial of service attack.

For Mac users, this method of infection is entirely new. It can also be used in any other similarly pirated program installer, not just iWork 09. The only things specific to iWork 09 about this Trojan are the name of the package used and its placement alongside all the other installer packages for iWork 09.

In other words, pirated Mac program installers are now all suspect. Pirates beware.
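Since the Trojan rides along as one extra sub-package among the legitimate ones, a simple defensive habit is to list the sub-packages of a metapackage before installing it and compare them against the names the vendor actually ships. The script below is an added example, not code from the original post or from Intego; it assumes the bundle-style layout `<name>.mpkg/Contents/Packages/*.pkg`, and the fixture and allowlist names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sub-packages inside a Mac OS X metapackage that are
# not on a known-good list, so a bogus "iWorkServices.pkg" stands out.
# Assumes the layout <name>.mpkg/Contents/Packages/*.pkg (an assumption).

# Print every sub-package in BUNDLE that is not in the space-separated
# EXPECTED list. Returns 1 if any unexpected package was found, else 0.
find_unexpected_packages() {
    bundle="$1"; expected="$2"; found=0
    for pkg in "$bundle"/Contents/Packages/*.pkg; do
        [ -e "$pkg" ] || continue            # glob matched nothing
        name=$(basename "$pkg")
        case " $expected " in
            *" $name "*) ;;                  # on the allowlist, ignore
            *) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# Constructed fixture: a fake iWork '09 metapackage carrying three
# application packages plus the bogus Trojan package named on the page.
# Prints the bundle path; the caller removes its parent temp dir.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/iWork09.mpkg/Contents/Packages"
    for p in Pages.pkg Numbers.pkg Keynote.pkg iWorkServices.pkg; do
        mkdir "$dir/iWork09.mpkg/Contents/Packages/$p"
    done
    echo "$dir/iWork09.mpkg"
}

# The allowlist would come from the vendor's published package list; these
# names are assumed for the fixture, not taken from Apple's real installer.
EXPECTED="Pages.pkg Numbers.pkg Keynote.pkg"

BUNDLE=$(make_fixture)
if unexpected=$(find_unexpected_packages "$BUNDLE" "$EXPECTED"); then
    echo "all sub-packages are on the allowlist"
else
    printf 'unexpected sub-package(s), do not install:\n%s\n' "$unexpected"
fi
rm -rf "$(dirname "$BUNDLE")"
```

The same check applies to any other pirated installer: anything not on the vendor's own package list is a reason to throw the whole download away.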