
Thursday, May 5, 2011

"Mac Security" Scamware:
Variations on a Fake

How I love the hunt!

Today's prey is an Internet rat known as species 'Scamware stupidicus'.

The rats who brought you the scamware (rogueware) "MAC Defender" (see my previous blog post) have now tweaked their code slightly and renamed the thing "Mac Security" with an installer entitled "BestMacAntivirus2011.mpkg.zip" which expands to the installer file "MacSecurity.mpkg". Expect there to be other name variations.

Good old Intego discovered this new variation, posting an article and a "How It Works" video here:

Intego Discovers New Variants of Mac Defender Fake Antivirus

You can directly watch the video on YouTube HERE.


Intego have updated their Virus Barrier malware signatures to detect this new rodent excrement.

What is hilarious about this scamware is the LAZINESS of the hacker rats who wrote it. The interface for the scamware is that of Microsoft WINDOWS!!! Hardy har. If you've used Windows in the last decade, you'll spot it immediately as BOGUS.


At this time the dangers are:

A) You fork out $money$ to buy useless garbage.

B) You give away your CREDIT CARD to criminals. It's as good as posting your card publicly on the Internet.

C) You give away your computer's PASSWORD. (This is now clearly evident from Intego's provided video). Consider yourself as good as PWNed (i.e. botted, i.e. zombied, i.e. no longer in control of your computer). So far the Trojan horse software is 'empty', containing nothing dangerous. But it could! Most likely, future variations will.

As with all current Mac malware, this POS relies upon social engineering, aka LUSER behavior, to entice the user to install it. Don't do that!

To keep ourselves safe, let's chant the mantra of...

The Top Two Rules Of Computing:

I) Make A Backup.

II) Verify All Software Before Installing It Or Running It.

(I'm considering using the following as Rule III:
III) Verify all links before clicking them).

Happy shooting!
--

Wednesday, May 13, 2009

May 12: Massive Mac Update Day

--
Macintosh updates on the second Tuesday of the month?!
Déjà vu, man. Is Apple syncing updates with Microsoft? Is this to make Enterprise IT folks happy? I strongly suspect so.

I prefer the ASAP approach. Waiting around for the second-Tuesday-of-the-month is a dim idea from my POV. Hmph. What happens in the Microsoft world is that hackers get geared up for THE DAY and pounce on all the announced security holes via new malware. This works very well because only a small percentage of people update their Microsoft software on THE DAY. This allows hackers a window of opportunity to get into user machines while the getting is good. Alternatively, the ASAP approach provides no expectation time for hackers. It also gets security patches out in the field immediately rather than waiting around for potentially weeks, during which time each security hole sits out there ripe for the hacking.

Therefore, I hope this second-Tuesday-of-the-month security update is merely coincidence. Sorry Enterprise IT folks! Having THE DAY each month for security patches may be convenient, but it is BAD security protocol. Security wins in this business.


Rules for System Update Preparation:

1) You know what I'm going to say: Make A Backup! Expect updates to go wrong. They often do.

2) Repair your boot system! It is amazing how many system updates go bad simply because the boot system was corrupt. What else would you expect? Boot from your system installation disk and run the repairs inside Disk Utility.

3) Repair your boot system permissions! Despite the myths, bad file permissions are also a prominent reason why system updates go bad. Again, what else would you expect? Note: You also need to repair your permissions AFTER the update. Adobe always leave behind a mess. Even Apple make slip-ups! Apple left behind bad permission settings after Leopard Server Update 10.5.6! Expect it to happen. Use Disk Utility.

4) Don't forget to update! Keeping up with system updates is very important! Check this out:
An example of how few computer users actually apply updates: The Microsoft Windows security hole exploited by the Conficker worm was patched way back in October, 2008. And yet, the Conficker worm zombied an estimated 15 MILLION+ Windows boxes after Microsoft provided the patch. Incredible.

The Update List:


Your Mac's System Update app will tell you what updates are necessary for your particular setup. The list of updates from 5/12 is long. All the links below are for each update's general description and download page. Each page has a further link to its detailed information page. If you would like to go directly to the security improvements list for each update, please go HERE.

Safari v3.2.3 for Windows, 19.69 MB

Safari v3.2.3 for Tiger, 26.29 MB

Safari v3.2.3 for Leopard, 40 MB

Safari v4.0 Public Beta Security Update for Tiger, Leopard, Windows XP and Windows Vista

Security Update 2009-002 for Tiger PPC, 75 MB

Security Update 2009-002 for Tiger Intel, 165 MB

Security Update 2009-002 for Tiger Server PPC, 130 MB

Security Update 2009-002 for Tiger and Leopard Server, Universal, 203 MB

Mac OS X Combo Update 10.5.7 Leopard, including 2009-002, 729 MB

Mac OS X Server Combo Update 10.5.7 Leopard, including 2009-002, 951 MB

Mac OS X Update 10.5.7 Leopard, including 2009-002, 442 MB

Mac OS X Server Update 10.5.7 Leopard, including 2009-002, 452 MB

Coming up will be my summary and analysis of the security improvements provided by these updates.
--

Monday, March 23, 2009

Before: My current POV on Mac security

--
Before what? Before I read this article on Mac security:

Mac OS Xploitation
by Dino A. Dai Zovi

When (more likely than 'if') I have changed my POV after reading it, I'll post an 'After'. I find this sort of thing amusing. Consider me eccentric.

One of the places I hang out on the net is the MacEnterprise list. It is run by the Mac OS X Enterprise Deployment Project. I've cross-posted between here and there previously. Here is my post this evening to the list:

On Mar 16, 2009, at 2:12 PM, Allan Marcus wrote:

This paper is from the author of the Mac Hacker's Handbook. It's rather scary and concludes . . .

The conclusions were fairly standard "Mac OS X is scary insecure!" stuff. Before reading the article, here was my reply:

I'm going to give it a read through as I am interested in Mac security.

But I have to give a few bits of perspective from my current POV. I know I'll get contentious arguments to the contrary, but here goes anyway:

1) This sort of article, in part, amounts to FUD (Fear, Uncertainty and Doubt). It is extremely rare to find articles with a full explorative comparison between UNIX (which is what Mac OS X actually is, legally, officially, etc), Mac OS X (meaning the other stuff Apple put on top of UNIX), Linux and Windows. Empirically, Windows is the single least secure commercially available operating system on the planet. There are plenty of people who have a stake in its success, despite this blatant problem. Therefore, it is extremely popular among them and the people who believe their con-job to FUD every other OS at every opportunity. The result is chaotic disinformation leading to stagnation, aka the status quo. I don't believe you have to take a 'political' or 'religious' stance to understand that this is the case.

2) And yet the seemingly endless barrage of FUD, initiated in August 2005 by none other than Symantec, has done nothing but *GOOD* for Mac OS X. All the FUD mongers and earnest, honest security experts out in the field have driven Apple out of their security slumber. Apple's resulting attention to Mac OS X security has increased exponentially. This is one reason I value competition in the marketplace. It keeps the competitors awake and innovative. Does this mean Apple is in high gear to make Mac OS X security impenetrable? I don't think so. But I do believe they are now serious and alert.

3) Apple's most insecure program is QuickTime. Mac OS X has its problems, but QuickTime has been Apple's security bane. If you go through the list of security fixes since December 2006, when this problem became blatantly clear over at MySpace, you'll find this assertion to be correct. Microsoft has gotten slammed for its poor multimedia code. But QuickTime has had its share of very similar problems, without getting nearly as much attention.

4) I don't care what OS you talk about. Buffer overrun problems are consistently the horror of programming to this day. I like to slam Microsoft for still using ye olde DOS memory management under the hood. But programmed memory management messes are just as prevalent everywhere else. From my limited coding education, I have to point to the now antiquated programming languages we have to use. Remember how Java was supposed to have solid memory management, among other miraculous safety features? Forget it.

5) Despite what gets thrown about in the FUD mongering chronicles, the fact remains that Microsoft have perpetrated some outrageously insecure code. Examples: JScript remains one big reason 'JavaScript' is insecure these days. ActiveX scripting is another Microsoft 'Welcome Hackers!' security hole made for the Internet. Vista is not entirely immune to either of these lousy technologies.

6) There never was such a thing as 'Security By Obscurity' for Mac. It's a total myth, and no one foisting the myth has ever presented a sane argument in their favor. Anyone can do the math. We currently have eight (8) Mac OS X Trojan horses. That is the full extent of Mac OS X malware in the wild at this moment. We have a market share that is maybe 1/10th that of Windows. So how come Windows has a massively disproportionate number of malware in the hundreds of thousands, with thousands more every year? There is something more going on here than Macs having 1/10th or less market share. That's a big 'DUH' in my estimation.


So I say, Bring On The FUD!

Despite the fact that every single piece of current Mac OS X malware requires social engineering methods to break into a Mac, that does not mean other methods are not possible. There is plenty of evidence to the contrary. There is no harm to the Mac platform whatsoever in striking fear of security breaches into the hearts of its users. It just makes the platform that much stronger. Just don't go out and buy rubbish anti-malware programs from the FUD meisters. Equally, don't count on the freeware to cover your butt. For example, I've totally given up on Clam providing any relevant protection for Mac OS X. It's not happening. Instead we currently have to train users to not fall for social engineering tricks, while keeping up with security updates and watching Mac OS X relevant security news. If a time comes to use anti-malware programs for particular situations, so be it. Right now I'd turn to Sophos and Intego for the best quality solutions.

Please remember, this is just my personal limited POV. Obviously, gather in many more perspectives and make the best educated security decisions you can for your situation.

Thank you for reading my blether-fest,

:-Derek

--