
Friday, March 19, 2010

Another Scathing MacScan Review

--
If you read my stuff, you know I despise ripoffs. This week MacScan is being sold as part of the MacUpdate promo bundle, advertised as a 'security' program. Not much of one IYAM. Today I posted an updated review of MacScan at VersionTracker.com. I decided to provide it here as well:

Just to keep this issue hot on the burner:

Much as I very much like the idea of what MacScan is 'supposed' to do, it FAILs.

1) If you want to detect all the 'malware' on your Mac, you have to run the thing OVER and OVER and OVER. One run is never enough. That's crap programming. And yes folks: I personally have been telling them this for YEARS and YEARS and YEARS. Then they do nothing to improve their detection engine. Instead they post friendly little notes asking for more feedback. Right.

2) Their list of Trojan horses has NEVER been adequate. Right now there are 4 types of Mac OS X Trojans with a total of 22 different strains. MacScan does NOT detect all of them. So what's the point?

3) It claims to find 'spyware', but there is NO illicit spyware for Mac OS X. Not a one. Everything MacScan detects is 'legal' spyware that is freely sold commercially or as shareware to be used by employers or owners of computers in order to keep track of where their users are going and what they are doing with their computers, particularly useful for parents who care about their children. Detecting such stuff can be very useful if someone has secretly installed one of these things on your Mac for nefarious purposes. But this stuff is NOT malware.

4) It is debatable whether tracker cookies are malware. At worst they are a violation of your personal privacy. So turn on the setting in your browser that prevents downloading 3rd party cookies and turn off the setting in Flash that allows any site to put cached data on your computer. You're done. That's for free. It doesn't require MacScan.

I seriously hope MacScan can actually, factually improve and become a useful product that does what it says. But for now it is junkware, not worth paying for, well worth ignoring in favor of real anti-malware applications like VirusBarrier, ClamXav, and iAntiVirus.
--

Monday, July 6, 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order to get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.
II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*
Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L

I'm testing iAntiVirus (which runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
--

Saturday, September 1, 2012

'Legal' Spyware Abuse In World Dictatorships.
And Elsewhere? -> The FinFisher Spyware

--

While I catch my breath from the Java scandals and we wait for me to finish my yearly Mac malware review...

This was too good to pass up:

Google engineer finds British spyware on PCs and smartphones
FinSpy turning up in dictatorships across the world
By Iain Thomson in San Francisco • 31st August 2012 23:30 GMT • The Register
Two security researchers have found new evidence that legitimate spyware sold by British firm Gamma International appears to be being used by some of the most repressive regimes in the world. 
Google security engineer Morgan Marquis-Boire and Berkeley student Bill Marczak were investigating spyware found in email attachments to several Bahraini activists. In their analysis they identified the spyware infecting not only PCs but a broad range of smartphones, including iOS, Android, RIM, Symbian, and Windows Phone 7 handsets...
Parallel research by computer investigators at Rapid7 found command and control software servers for the FinSpy code running in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, and the United Arab Emirates, with another server in the US running on Amazon's EC2 cloud systems. Less than 24 hours after the research was published, the team noted that several of these servers were shut down.
The gritty code details can be found here:

August 29, 2012 • The Citizen Lab
iOS 
It was developed for Arm7, built against iOS SDK 5.1 on OSX 10.7.3 and it appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up... 
This application appears to provide functionality for call logging...
And here:

Analysis of the FinFisher Lawful Interception Malware
Posted by Claudio Guarnieri, Aug 8, 2012 6:31:35 AM • Security Street, RAPID7
It's all over the news once again: lawful interception malware discovered in the wild being used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan being used by the federal government in Germany, WikiLeaks released a collection of related documents in the Spy Files, we read about an alleged offer from Gamma Group to provide the toolkit FinFisher to the Egyptian government, and we are reading once again now with the same one being delivered to human rights activists in Bahrain along with some spearphishing attacks. 
We all are very aware of a rising market of Western companies developing and selling malware for the use of government organizations all around the world, but whenever one of these products is found in other geographical areas, the potential political and ethical implications tend to generate interest...
Uh oh.

The method of infecting devices/computers with this 'legal' spyware is not clear. In theory it has to be installed onto the device directly, either by hand or over a network by someone with administrative access. But in practice it has also been delivered via a Trojan horse.

We've seen FinFisher before on the OS X platform. In the past, FinFisher infected OS X machines via a security hole in the iTunes updater that allowed FinFisher to fake itself as a Trojan horse iTunes Update. That security hole existed for YEARS in iTunes before Apple patched it at the end of 2011. Not Apple's finest security hour.

I've written about 'legal' spyware previously. The one application dedicated to detecting and removing spyware on the Mac platform is MacScan. Unfortunately, MacScan does NOT at this point in time, detect FinFisher. I suspect this will be corrected ASAP, because I will be pestering them. ;-) The MacScan/SecureMac folks have a spyware list and discussion available HERE. I'm no big fan of MacScan as it requires repeated scans in order to catch everything on your system. But for detecting spyware, this is THE application. They provide a free demo version. The program is easy to use.

Some other anti-malware apps are also capable of finding and removing spyware. Check the developer's website for details. I know that Intego's OS X and iOS anti-malware apps scan for and remove related spyware. Because of this iOS spyware revelation, I'm going to begin testing Intego's VirusBarrier iOS for review. Apparently, Intego's VirusBarrier for iOS has not yet been optimized to detect actual spyware FOR iOS. I'll be chatting with Intego about this situation, now that we know about the abuse of the FinFisher spyware.

No doubt there will be further revelations about the abuse of FinFisher and other 'legal' spyware applications. I'll post when something directly relevant to all OS X and iOS users appears.

C U soon with the other half of my 2012 malware summary. Fur shur. No doubt. Not kidding. Count on it. Be seeing you.

--

Monday, December 17, 2007

Mac-Security Column for December 2007


[NOTE: This is an article I published in the Syracuse Macintosh User Group (SMUG) monthly newsletter, AppleTree. Anyone is welcome to further publish it wherever they wish as long as the article is not further edited while my name as author and my copyright remain intact. Breaka da rulez and I breaka you head].


Mac Security column
2007-12-16
© Derek Currie

Last month I made a quick mention of Clam as a cross platform freeware anti-malware application. For Mac OS X you can obtain and use it in the form of ClamXav or Leopard Cache Cleaner (which runs on Jaguar, Panther and Tiger as well). This month I wanted to point out a couple more shareware anti-malware programs that may or may not be of interest.

But first let's take a tour through the many security enhancements Apple have provided in the past month:

November 12th Apple released the iPhone and iPod Touch version 1.1.2 update. It addressed an all too familiar problem: maliciously crafted images being able to terminate a running program or run arbitrary code, also known as the infamous buffer overflow. This happens when data written into the memory space designated for an application exceeds that space and spills into the adjacent memory. The spilled data can crash whatever program is using the affected memory, or, if it has been carefully designed, it could potentially take over your computer.

November 14 Apple released the Mac OS X 10.4.11 update as well as Security Update 2007-008 which is applicable to Mac OS X 10.3.9. Both cover the same security issues. Security repairs were provided for the following parts of Mac OS X:

• AppleRAID
• BIND
• CFFTP
• CFNetwork
• CoreFoundation
• CoreText
• Kerberos
• Kernel (6 fixes)
• Networking (5 fixes)
• NFS
• NSURL
• remote_cmds
• Safari (2 fixes)
• SecurityAgent
• WebCore (9 fixes)
• WebKit (3 fixes)

This update also provides a new security fix version of the Flash Plug-in.

November 14 Apple also released Safari 3 Beta version 3.0.4 for Windows. It patches two vulnerabilities in Safari itself, three vulnerabilities in WebCore and three vulnerabilities in WebKit. The most numerous patches it provides are related to cross-site scripting.

November 15 Apple released the Mac OS X 10.5.1 update, which included three security updates to its firewall. The Leopard firewall has been met with skepticism and disdain. These patches address the most noted problems.

December 13 Apple released QuickTime version 7.3.1 which includes three security updates. Earlier in the month Apple had been slammed by the likes of Secunia and SANS Institute for the continuation of a seemingly unending string of QuickTime security flaws. This update addresses a few of the problems specifically related to maliciously crafted RTSP movie files, QTL files and the QT Flash media handler. This update is for Mac OS X 10.3.9 on up as well as Windows XP SP2 and Vista.

December 14 Apple released Java 6 for Mac OS X 10.4. Does anyone remember when we were all fed the marketing spin that Java was supposed to be the 'safe' programming language that couldn't harm your operating system and hardware? Yeah right, we wish. Surprise! This update covers thirty security flaws in Java for Mac OS X. The fixes prevent a malicious web page from raiding or adding to your Keychain (which is an outrageous security flaw), as well as the usual arbitrary code execution and privilege escalation.

In all, these security updates are crucial, many of them patching vulnerabilities that could potentially lead to a hacker taking over your computer. Therefore, as usual, be sure you keep your Mac OS X security updates up-to-date! You can read about all these security updates in detail at:

http://docs.info.apple.com/article.html?artnum=61798


CONCLUSION: Software coding remains a mysterious art that is constantly full of flaws. Microsoft may be the masters at security blunders, but like it or not there are blunders using even the most deliberately secure of contemporary coding methods. In other words, expect more Mac security flaws and perhaps more Mac malware in the future. But also feel secure that Apple are on their toes these days cleaning up Mac OS X security problems.


Now on to a couple more anti-malware programs for Mac OS X. The first is called MacScan, which claims to identify and isolate Mac OS X Trojans, spyware and Tracking cookies. It is a shareware program that costs around $25. When it is downloaded you are provided with a 30 day demo period. The second program is freeware called Zebra Scanner, which claims to identify disguised Trojans. It has not been updated since 2005.

Let's save some time and let me share my conclusion that both of these programs are useless and unnecessary. However, there are a couple caveats to that statement I will provide below if you care to keep reading:

MacScan has been known in the shareware world as 'MacScam' because of the rather high price for its ability to do next to nothing. Example: I used it to scan for the demo Trojan that Zebra Scanner provides. It couldn't find it. I used it to find Tracker Cookies. It found false positives, it failed to find others until I ran it a second time, and when I asked it to remove those it found it did absolutely nothing. I had to remove the Tracker Cookies by hand. And I'm supposed to pay for this privilege?

The one useful thing MacScan does provide is a list of known 'LEGAL' spyware programs for Mac OS X. You can find this list on their website as well. Legal spyware includes keystroke loggers, VNC and remote administration programs that are openly provided to the Mac market. They are typically used in professional network situations where the network administrator or the boss want to keep track of the work being done by their computer clients or employees. You can find a slew of them available for download by searching with the term 'spyware' at VersionTracker.com.

Meanwhile, I tried to find the blacklist MacScan is supposedly using to identify Tracking Cookies, but I failed. Something tells me I can find one on the Internet, so I will be in search of it this coming month and will share it when I find it.

What are Tracking Cookies? They technically are a mini-version of spyware under the guise of website cookies. They watch where you go on the web, store that information, then feed it back to their home site the next time you visit. It is supposed to be a marketing tool that a website can use for choosing what products to advertise to you. Personally, I consider it privacy intrusion. So I enjoy removing tracking cookies and blocking them from being allowed by my browsers.


Last and least we come to Zebra Scanner. Back when it was written there was a scare that hackers were going to attack the Mac with Trojans that were disguised as such benign things as JPEG files and text messages. But a security fix in Mac OS X 10.4 ended that possibility. Therefore, Zebra Scanner became useless. But there is one small possibility you could still get fooled by a malware application in disguise. That would be if you have your Finder set to NOT show file extensions. I am someone who was rather angry that Apple chose to go with file extensions to identify Mac OS X file types as opposed to the file types being embedded in the file's headers. Those stupid 'dot three' extensions on files are so Windows, so Luddite, so retro, so ugly. Apple actually compromised on the issue and still allows header file type identification, but for the purposes of avoiding Trojans, the dopey file extensions actually come in handy. Here is the example Zebra Scanner provides:



Suppose you are sent something that has a folder icon and has the title 'Christmas Icons'. Great, you figure it has nifty Christmas icons inside the folder. But darn, you have the Finder set to NOT show file extensions. So you have no idea that this bogus folder is actually an application with a fake folder icon pasted on top. So you 'open the folder' but actually find you are infecting yourself with the Trojan.


If you think you could be subject to that infection method, then you should use Zebra Scanner. If however you leave your file extensions left ON, then you can't be fooled. That fake folder's name has '.app' as an extension at the end.


So what if some goon physically removes the '.app' extension? It is very easy to do in Mac OS X. Then what you can do is a Get Info on the file before you do anything with it. The operating system will STILL tell you that it is an application. Therefore, don't run it.

Don't bother trying to come up with other crafty ways to fool the operating system. If you fake an application to be a .txt file the OS will attempt to open it ONLY as a .txt file. It will NOT run it as an application. You are safe. What you will get is an error message saying that the text file is unreadable, which makes sense since it is actually an application. This same routine follows if you change the application to any other extension as well.


CONCLUSION: Be wary of anything at all you receive out of the blue and don't absolutely know to be safe. Expect it to be bad news. (1) Have your extensions turned on in the Finder. (2) Always do a Get Info on anything suspicious. (3) To be extra-super-safe, only use your Mac inside a standard account, not an administrator's account. This will help prevent Trojans from doing nasty stuff on an administrative level. Only your current standard user account can be hurt.
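The Get Info check above can also be scripted. The shell script below is an added example written for this column, not a tool from Zebra Scanner or code from the original article. It relies on the same fact Get Info does: a Mac OS X application is a folder whose Contents/Info.plist declares CFBundlePackageType APPL, and that structure survives renaming the bundle or deleting the '.app' from its name. The script assumes only a POSIX shell, `find`, `tr` and `grep`, and builds its own constructed demo folder (the 'TextEdit.app', 'Photos' and 'Christmas Icons' entries are made up for the demo) so it runs without a real Mac.

```shell
#!/bin/sh
# Added example: flag application bundles hiding behind folder-like names.
# Not code from the original column or from Zebra Scanner.

# Print every application bundle below directory $1, one per line.
# Bundles whose name lacks the .app extension get a "(name hides .app)" tag.
find_disguised_apps() {
    find "$1" -type f -path '*/Contents/Info.plist' 2>/dev/null |
    while IFS= read -r plist; do
        bundle=$(dirname "$(dirname "$plist")")
        # XML plists put key and value on separate lines; strip whitespace
        # so one pattern matches the key/value pair.
        if tr -d ' \t\r\n' < "$plist" |
           grep -q 'CFBundlePackageType</key><string>APPL</string>'; then
            case "$bundle" in
                *.app) printf '%s\n' "$bundle" ;;
                *)     printf '%s  (name hides .app)\n' "$bundle" ;;
            esac
        fi
    done
}

# Number of bundles below $1 whose name does not end in .app.
count_disguised_apps() {
    find_disguised_apps "$1" | grep -c 'name hides .app' || true
}

# Write a minimal Info.plist for a constructed bundle at $1.
write_app_bundle() {
    mkdir -p "$1/Contents/MacOS"
    cat > "$1/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
</dict>
</plist>
EOF
}

# Build a constructed sample tree: one honest app, one real folder, and one
# app named like a folder (the "Christmas Icons" trick). Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    write_app_bundle "$root/TextEdit.app"
    mkdir -p "$root/Photos" && : > "$root/Photos/holiday.jpg"
    write_app_bundle "$root/Christmas Icons"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
find_disguised_apps "$demo"     # lists TextEdit.app and flags "Christmas Icons"
rm -rf "$demo"
```

On a real Mac the same question can be put to Spotlight's metadata with `mdls -name kMDItemContentType "<path>"`, which reports com.apple.application-bundle for an application however it is named; the script above is the portable, extension-independent version of that check.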

Next month I will hopefully have a source for a Tracking Cookie blacklist. So stay tuned if you are interested. In the meantime you can keep track of my ongoing Mac security news here at:

http://mac-security.blogspot.com

Share and Enjoy,

:-Derek

Monday, September 29, 2014

Ongoing Crazy Security Issues:
Nothing Much And Too Much To Say

--

INTRODUCTION

There are a great many computer security issues going on these days. The increase in ongoing security issues over this past spring and summer could be called an ongoing explosion of mushroom cloud proportions. The number of ongoing issues is quite literally overwhelming. As a computer security watcher, researcher, analyzer, commentator and teacher, I'm intimidated by having so much to comprehend.

Should I be writing about all of this within the context of this my Macintosh Security blog?

Because of my manifesto for this blog, my answer is no. I wish to write here only about issues that are directly dangerous to Apple computer users. I also wish to write articles that provide useful information, summaries and instruction for Apple computer users. I have no interest in being redundant to other people's blog work on the Internet, except in an effort to bring their work to the attention of others. I also focus what I write here on average Apple computer users. My goal is to take the complicated and translate it into information that can be both comprehended and used by average Apple computer users. Let folks like me comb through the, frankly chaotic, world of geek level information and summarize it down into something readable by mere humans.


WHAT TO SAY WHEN THERE'S NOTHING MUCH AND TOO MUCH TO SAY

Without directly helpful information to share, despite the exploding mushroom cloud of ongoing computer security issues, I say nothing. I do this because I despise FUD! Needless FEAR, UNCERTAINTY and DOUBT are worthless. They're used as methods of manipulation and propaganda. These nasty tools are used to drive us humans into a state of despair and desperation, what I call 'Desperation Mode', whereby we blunder our way into actions that suit the manifestos of the scum humans who are manipulating us. I have zero interest in playing these self-destructive, disrespectful games.

Therefore, when the only effect of my writing would be to create FUD, I don't write. I'm very happy to rip the mask off FUD! I'm pleased when I can point out and satirize FUD. But I never see a point in messing up others by making my own FUD.

However, I believe it is useful to at least point out what's going on in the background while I wait for something useful to provide here in the blog. There's nothing much to say, but here's what's cooking:


WHAT'S COOKING ON THE APPLE COMPUTER SECURITY STOVE?

It's difficult to create a priority list regarding these subjects. What's more important? What's a more imminent problem? So I'm not going to bother. I'm simply going to list them as I see fit in the moment.


Oracle's Internet Browser Java Plug-in:

Java remains the single most dangerous software you can run via the Internet. If you don't need to, then don't. Uninstall the Java Plug-in. Only install the Java plug-in if you run into a website that requires you to use it. Even then, use the Java security features in your web browsers as well as Java security add-ons. Apple has made the most recent versions of Safari extremely safe against abusive Java code. It's not perfect. Using the features can be intimidating and dysfunctional. But they are entirely worth using. I strongly suggest reading up on Safari's new Java control preference features as well as similar features in other browsers. I may provide my own write up about these settings in the future.

One good change I can point to is Oracle's ongoing effort to babysit Java by informing users when their installed version of the Java Plug-in is out-of-date. This is no substitute for the sandboxing of Java, as was originally intended by Java's creators Sun Microsystems. But it's better than letting nasty little brat Java run around without a nanny to swat it when it's being naughty.


Adobe's Reader, Flash, AIR and Shockwave software:

Adobe's Internet freeware remains the second most dangerous software you can run on the Internet. If you don't need to use it, then don't. Instead, uninstall it. Only install Adobe's freeware if you run into a website that requires you to use it. Even then, use the Adobe plug-in security features in your web browsers as well as Adobe plug-in security add-ons. At this point, these features are no longer intimidating or dysfunctional. In general, they work quite well and are entirely worth using! Read up on the Adobe plug-in control preference features available within web browsers if you have questions about what they're doing.

I personally cannot stand the invasiveness of Adobe's update notification and installation features. Instead, as an advanced Mac user, I keep up with available updates on my own. Doing the same is a lot to ask of average Mac users. Therefore, it may well be best to allow Adobe's root level Launch Agent to run on your system so it can help keep you up-to-date. It's up to the user to choose what to do. Adobe's update notification is available in their installers if you'd like to use it.


Heartbleed Bug:

I've written up a couple articles about the dangerous and ongoing problems with old implementations of OpenSSL. This problem is going to live on for years, not kidding. It's entirely curable! However, oblivious, careless and lazy server administrators aren't bothering. Therefore, this problem periodically does damage. There are now convenient hacker tools to take advantage of Heartbleed. They are scripted. You get them running, walk away, come back later and analyze the successfully harvested data. There are also analysis tools to help hackers patch together the 64-bit chunks of harvested data into a completed puzzle. If that puzzle contains exploitable user data, it is either exploited by the hacker or posted online for sale to crooks. The exploitable data can include anything from your mother's maiden name to a victim's card numbers and PIN.

Every single Internet server containing the Heartbleed Bug has now been documented. If an Internet server administrator does not know if their server is exploitable, they should be fired or sued in civil court. I strongly expect such lawsuits to begin appearing this coming year. It's all about responsibility.


Bash Shell 'ShellShock' Bugfest:

This is, for the moment, a dangerous problem for those running OS X servers that are directly exposed to the Internet. If you're behind a router, you are probably safe in the short term. I know full well that eventually there will be PWNing ('owning', taking over or zombieing) of routers and OS X client users. I'll address those exploits if or when they become evident. For now, only OS X Internet servers are at risk.

Describing this problem is a challenge because in and of itself it is turning into a mushroom cloud of security flaws. I'll simply say that Bash (Bourne-again shell) is a UNIX shell used by OS X, OS X applications and OS X users to access CLI (command line interface) applications that are installed in the OS X system. It is old, poorly vetted, incredibly insecure software. Oddly, its numerous security flaws were unknown, at least in public, for many years. Over the past few days, the report of one single security bug in Bash has led to the revelation that Bash has an undetermined plethora of security bugs. So far, I know of two security updates for Bash that have been made available over the past few days. But they do NOT solve the ongoing revelations of further security flaws.

The result is that Bash itself is not fit for use on servers exposed to the Internet. The result, at the moment, is a debate and study of either:

1) Playing 'whack-a-mole' by daily patching Bash as each new security flaw is discovered.
OR
2) Using an adequate replacement of the Bash shell.
OR
3) Taking affected servers OFF the Internet until a full and final solution is developed.

Meanwhile: Bash Internet exploit tools have already been made available to hackers, and they're being used.

Replacing Apple's installed version of the Bash shell is a huge PITA unless you understand exactly why and what you're doing. I cannot recommend bothering with it unless you're an advanced user who knows how to use the CLI to run their Mac. It is such a huge PITA that I have consistently run into Mac computer geeks who have posted WRONG and INCOMPLETE instructions for replacing Apple's Bash shell. When the geeks can't get it right, no way should average Mac users touch it.

Thankfully, as I indicated above, no average Mac users need bother to worry about the Bash shell security flaws affecting their computer. Only OS X server administrators need worry about it, for now. This may well change! If the Bash problems aren't solved in a hurry, there will no doubt be related attacks on average users' routers and Trojan horses to abuse their Macs, if not outright PWN them. That's a worry for another day, if it happens at all. Meanwhile, we sit and wait for the experts to thrash through the Bash source code and clean up the potentially catastrophic mess buried therein.

There are piles of ongoing, constantly going out-of-date articles about the Bash ShellShock bugs. Keeping up will drive you nuts. If you're that kind of person, be sure to read only the most up-to-date articles AND be sure to read from a variety of sources. That's the only way to know what's actually going on at-the-moment. Bash analysis is constantly revealing new problems. New exploits are constantly showing up on the net.

Here's one very good overview, for today anyway, of the Bash ShellShock bugfest, posted by Intego:

http://www.intego.com/mac-security-blog/shellshock-vulnerability-what-mac-os-x-users-need-to-know/
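For server administrators who want to know whether the bash on a given machine still mishandles exported functions, here is an added self-check. It is not from the original post or from Intego; it assumes a POSIX /bin/sh to run the function and takes the path of the bash to probe as an optional argument (the default is the first bash in PATH). It exports an environment variable shaped like a bash function definition with a harmless `echo` appended and reports `vulnerable` only if that trailing echo actually runs, which is the behaviour the initial ShellShock patches removed.

```shell
#!/bin/sh
# Added example: local self-test for the bash function-import flaw ("ShellShock").
# Not code from the original post or from Intego.

# Usage: shellshock_check [path-to-bash]
# Prints "vulnerable", "patched", or "no-bash" (interpreter not found).
shellshock_check() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The variable looks like an exported function: "() { :;}". A flawed bash
    # keeps parsing past the closing brace and runs the "echo VULNERABLE" that
    # follows while importing its environment. A fixed bash imports only the
    # function body and prints just "probe".
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Convenience wrapper: exit status 0 when the tested bash is patched, 1 otherwise,
# so the check can be dropped into a fleet audit script.
shellshock_ok() {
    [ "$(shellshock_check "$1")" = "patched" ]
}

printf 'bash in PATH: %s\n' "$(shellshock_check)"
```

A `patched` result only says the original function-import bug is closed. As the post notes, further bugs in the same parser needed further updates, so treat this as a quick triage check, not a clean bill of health, and keep applying the vendor's bash updates as they appear.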


Retail POS POS Device Malware:

"POS" has two meanings relevant to this problem. The first meaning is 'Point Of Sale' regarding devices that are used to collect customer payment data, be they Chip and PIN card readers or magnetic strip card readers. (To be clear, if a POS device has this problem, using Chip and PIN solves nothing-at-all. Don't be fooled by claims to the contrary). The second meaning is a deliberate punning obscenity which I'll leave you to translate. I use this obscenity because these devices are an obscenity of bad technology.

This is another curable security problem that lazy, stupid, cheap retailers are NOT patching. The stupidity involved is stunning and beyond comprehension. From my point of view, this catastrophe fits perfectly into my concepts of 'bad biznizz'. These are companies who literally don't give a rat's about their customers, to say the least, to state the obvious. They don't know how to run their businesses. They are distinctly anti-capitalist in their attitudes and their obliviousness. I'd like to be kind and say that these companies may only, innocently, be ignorant of the technology they're using to enable their businesses. But that is NOT the case. They know exactly what technology they're using and they are making the choice to IGNORE the requirements of owning and using that technology.

I've previously written about the source of this problem. My quick summary is this:
1) These devices use Windows XP Embedded as their operating system.
2) Windows XP exposes all collected data in-the-clear (having no encryption) in RAM on these machines.
3) Hackers on the Internet search for and find routes by which they are able to BOT (aka PWN) all the POS devices networked within the victim company. They also BOT at least one node server computer within the same network.
4) The malware installed on these machines sits in wait, watching all the data revealed in RAM, then sends that data off to a server node within the network of the infected company. The collected data is then sent over the Internet to the hacker bot wranglers out on the Internet.
5) The collected data is then analyzed. Personal data is extracted. This data includes everything read into the retail POS devices, including card numbers and PIN numbers. (Yes, this includes Chip and PIN card data).
6) This personal data is then either used or sold on the Internet to crooks.
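Steps 3 and 4 are where a retailer can actually see this happening: a POS terminal has no business talking to another terminal, to a random internal host, or to anything on the Internet other than its payment gateway, so the scraper's staging hop and the bulk upload both stand out in ordinary firewall logs. Below is an added example of that detection logic (mine, not the post's and not any vendor's product) run over constructed sample log lines; the log format, the 10.10.20.0/24 POS subnet, the allow-listed gateway and management addresses, and the size threshold are all assumptions made up for the example.

```python
"""Egress monitoring for a POS network segment, as a detection example.

Added example, not part of the blog post. Topology, allow-list, log format
and the sample log lines are constructed for illustration.
"""
import ipaddress
import re

# Constructed topology: POS terminals live in 10.10.20.0/24 inside a
# 10.0.0.0/8 corporate network. The only destinations a terminal should
# reach are the processor's gateway and the store management server.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
POS_SUBNET = ipaddress.ip_network("10.10.20.0/24")
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("203.0.113.40"),   # payment processor gateway (constructed)
    ipaddress.ip_address("10.10.1.5"),      # store management server (constructed)
}
LARGE_BYTES = 1_000_000   # an outbound flow this big from any internal host is worth a look

# Constructed firewall log format: timestamp followed by key=value pairs.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m.group("ts"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
            "dport": int(m.group("dport")),
            "bytes": int(m.group("bytes")),
        }
    except ValueError:
        return None


def classify(rec):
    """Return an alert label for one flow, or None if it looks benign."""
    if rec["src"] not in INTERNAL:
        return None
    if rec["dst"] not in INTERNAL and rec["bytes"] > LARGE_BYTES:
        return "bulk-egress"            # staging node shipping the haul out (step 4)
    if rec["src"] not in POS_SUBNET:
        return None                     # only terminal-originated flows judged below
    if rec["dst"] in POS_SUBNET:
        return "lateral"                # terminal talking to another terminal (step 3)
    if rec["dst"] not in ALLOWED_DESTINATIONS:
        return "unexpected-egress"      # terminal talking to a non-allow-listed host
    return None


def scan(lines):
    """Return (ts, src, dst, dport, label) for every flow that deserves attention."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            alerts.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"], label))
    return alerts


# Constructed sample: one normal authorization, one terminal-to-terminal
# connection, one terminal posting to an internal staging host, and that
# staging host pushing a large blob out to the Internet.
SAMPLE_LOG = """
2014-09-20T12:01:05Z src=10.10.20.15 dst=203.0.113.40 dport=443 bytes=2310
2014-09-20T12:01:09Z src=10.10.20.15 dst=10.10.20.16 dport=445 bytes=8120
2014-09-20T12:02:41Z src=10.10.20.16 dst=10.10.30.9 dport=80 bytes=412000
2014-09-20T12:05:00Z src=10.10.30.9 dst=198.51.100.77 dport=21 bytes=9300000
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The point of the allow-list approach is that it needs no malware signature at all: it catches the network behaviour the scraper cannot avoid, which is why it keeps working when the RAM scraper itself is a variant no anti-malware update has seen yet. It is still a stopgap; only encrypting card data before it ever reaches the terminal's RAM removes the thing being stolen.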

After the initial catastrophic revelations of this problem, (thank you Target, Neiman Marcus, ad nauseam), security updates were provided by Microsoft to update these archaic Windows XP Embedded devices. The updates did NOT solve the problem of in-the-clear exposure of personal data in RAM. They won't be able to solve that problem! But these patches have at least been swatting at each specific variant of malware being used to PWN these POS devices.

Except, a great many companies are NOT updating their POS devices. This is inexcusable. This is irresponsible. This constitutes customer abuse, as future court cases will no doubt prove. And of course, this is bad biznizz. The biggest recent new revelation of PWNed POS devices and the subsequent sales of customer personal data over the Internet, has come from the willfully stupid company Home Depot. The latest figure I have read is that Home Depot literally gave away 56 MILLION customer card accounts. Unforgivable.

New revelations of retail POS POS device PWNing are happening at an incredible rate. These revelations are not stopping. The number of worthless companies who are ignoring this problem is incomprehensible. Everyone loses, from the companies to the banks to the disrespected customers. The only winners are the hacker crooks. And yet this problem is NOT abating.

Obviously, this problem has no direct impact on Apple computer users. It does impact every credit and debit card user, many of whom are Apple computer users. Therefore, it's relevant here at this blog. Expect more of this curable security nightmare well on into the future.

The ultimate solution to in-the-clear data in RAM is end-to-end encryption. We're going to be hearing references to this concept also well on into the future until such time as it becomes the DEFAULT in the retail industry. And again: Chip and PIN cards do NOT solve this problem. They have nothing to do with it. Magnetic stripe cards have nothing to do with it. Insecure POS devices and bad biznizziz are the problem.


And so forth...

The above are the big ongoing problems. There are smaller problems as well, the most prominent of which is:

ADWARE. My colleague Thomas Reed is brilliantly covering the adware problem and has created a detection and removal tool AdwareMedic which I highly recommend! I've been a beta-tester for Thomas's adware tool and have been thoroughly impressed. If you've been the victim of adware, head over to Thomas' The Safe Mac website for both documentation and the solution. Bravo Thomas!

Thomas's The Safe Mac website covers many Apple computer security issues that I don't. I'd check out Thomas's site side-by-side with mine. Thomas maintains what we both consider the definitive list of both old and new Mac malware. Because Thomas and I belong to a great group of malware researchers and writers created by Mark Allen, the creator of the terrific ClamXav anti-malware, many of us on the Internet are coordinating our work and publications. You'll find all of these colleagues listed on the right side of this page under 'Friends of Mac-Security'. I recommend the work of all of them.

For malware detection and removal I recommend that all Mac users check out and support ClamXav. It's donationware, free to download and use, and well worth installing on every Mac. It finds and removes the vast majority of not only Mac malware, but also Windows and Linux malware. It's a gem of the Mac community. ClamXav is available from the Apple App Store. I strongly suggest instead downloading it directly from Mark's ClamXav website as that version includes efficient, non-invasive real-time malware scanning. This feature means you can automatically scan every file you download from the Internet. If you wish, you can aim ClamXav's real-time scanning specifically at your Downloads folder, a terrific way to catch Trojan horses and break social engineering by malware rats. (Unfortunately, at this time Apple does not allow real-time scanning in apps offered at the App Store).

There are a number of excellent commercial anti-malware programs. My personal favorites are from Intego and Sophos. Many people prefer anti-malware from F-Secure and Avast. (I would have put Kaspersky AV in this list. But Eugene Kaspersky's outrageous Mac security FUD mongering on his blog this week killed my enthusiasm dead. What a shill! What a Symantec-clone!)

[Update 2014-10-28: I added Avast to the preferred list above. My apologies for not putting it there in the first place. A good friend of mine considers Avast to have the best free anti-malware application available. My blunder: Confusing it with another free anti-malware app that was infesting victims with adware.]

There are also some awful anti-malware programs. I personally suggest staying away from Symantec's Norton™ AntiVirus, PCTools iAntiVirus, and MacKeeper. I've found these applications to generally be inadequate, buggy, out-of-date or outright abusive to users.

For detecting both legal and illegal spyware, any of the recommended commercial anti-malware programs can be useful. The MacScan shareware application specifically targets spyware. However, I have never been impressed by the thoroughness of its scans. Therefore, if you believe it might be useful, be sure to test it before buying it.

As usual, the very best overall advice I can offer is to:

1) Make A Backup! It's the #1 Rule of Computing. If you don't backup, you deserve what you get.
2) Keep Up-To-Date! This is particularly important for Apple software.
3) Before You Update OS X, be sure to:

  • Repair your boot volume.
  • Repair your boot volume's permissions.

(Yes, repair your permissions. It's not crucial, but it can be extremely useful).


Thus ends today's mind dump.

I hope you find this useful, versus merely mind-numbing.

:-Derek


Friday, July 8, 2011

Current Mac Malware, 2011-07:
Introduction

In order to help Mac users understand the current state of malware on the platform, I am providing a review of each current form. This will not be an exhaustive review, but should help relieve much misunderstanding and concern about the ongoing, many years old, anti-Apple security FUD Fest.

I will be going through the malware in reverse chronological order, featuring the most current concerns first and the oldies but gnarlies last.

The first thing to know is that technically, ALL currently active Mac malware are Trojan horses. That means that they are entirely inert until such time as a user (or 'LUSER', in cynical terminology) inadvertently installs them.

I am NOT including any hacker tools or 'legal' spyware in my detailed articles. These require a third party to be able to physically access your computer and directly install them for their nefarious purposes. You won't personally be in any danger of installing them unless a hacker or IT administrator directs you to do so. They require hackers or administrators to access your computer in order for them to do any harm. I may address these forms of software at another time. I am more concerned about what YOU might mistakenly install.

THE LIST:

1) Trojan.OSX.MACDefender.A - O [15 strains]

2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]

3) Trojan.OSX.Boonana.A

4) Trojan.OSX.OpinionSpy.A - B [2 strains]

5) Trojan.OSX.iServices.A - C [3 strains]

6) Trojan.OSX.PokerStealer.A

7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species is 7.
The total number of Mac malware strains is 42.


The 'Malware' Hacker Tools I Am Leaving Out:

'Trojan'.OSX.Lamzev.A

'Trojan'.OSX.Hellraiser.A - D [4 strains]

There are a number of inert malware as well as 'Proof of Concept' malware of no concern which I have also left out of my list. You may find them on other lists but you won't find them infecting anyone with up-to-date computers, apart from test computers in a lab. (A famous example of 'Proof of Concept' malware is Trojan.OSX.Oomp.A, aka Trojan.OSX.Leap.A. It is of no consequence or importance).

If you'd like a list of current 'legal' spyware, I suggest the list kindly provided at the MacScan/SecureMac site.

Note that, due to the lack of adherence to standards within the anti-malware community, there are a lot of name variations for the exact same malware. In the case of the MAC Defender Trojan I discovered 15 different names. I am not including them here in my list as these alternative names are irrelevant and needlessly confusing. What I have listed here are the 'official' names from my point of view as well as those whom I consider to be professional experts and original malware discoverers in the field. However, I will be listing a number of the alternative names in my subsequent articles that provide details about each of the current malware species.

As ever, I request corrections to my information. If I have missed a malware species or strain, please let me know asap. Much appreciated!

Tuesday, May 10, 2011

Removing Scamware:
Generic Instructions

With the ongoing FAKE anti-virus scamware (rogueware/scareware) rat attack, I thought it would be useful to provide a generic set of instructions for removing these annoying and illegal programs. Clearly the rats perpetrating this garbage are persistent. As of May 8th there are three versions of this scam. Therefore, keeping these instructions generic is all the more useful. If you have any questions, please comment below and I'll do my best to update these instructions to provide better clarity.

BTW: Thanks to the folks at MacScan for getting the ball rolling with their instructions for removing the MAC Defender scamware.
How To Remove Scamware (v1.0.0):

Introduction: There are three concerns when removing scamware. The first is stopping the currently running scamware process. The second is removing the application. The third is removing any reference to application in your startup process files. You will see these three concerns addressed below. (Note that this removal procedure does NOT apply to rootkit infections, which require a more complicated removal procedure).

Stomping Steps:

1) Note the name of the scamware (rogueware) you have inadvertently installed.

2) Run the Activity Monitor program, located in your Applications/Utilities folder. Be certain that the pop-up menu at the top of the app's window is set to "All Processes".


3) Filter or scan down the list of active processes for the name of the scamware. In the case of "MAC Defender", the process is named 'MacDefender'. Similar process names most likely will apply to other scamware. (Note: It is easier to scan the list of processes if you click the "Process Name" column header in order to sort the process names alphabetically).

4) Click on the name of the scamware process to highlight it.

5) At the top left of the app window, click on the "Quit Process" button. It looks like a red stop sign.

6) In the resulting drop-down box, click on "Force Quit". That stops the scamware process from running in your computer, for the moment. You can Quit Activity Monitor at this point.

7) Navigate using the Finder to the Applications folder. It is likely that somewhere in this folder will be the application file for the scamware. Either Search for it or scan down the list of applications (including inside the Utilities folder) to find it.

8) Click on the name of the scamware. Drag it to your Trash. Empty your trash. (Note that if you attempt to empty the trash while the scamware is still running, the system will stop you. Quit the scamware process first via Activity Monitor).

9) Remove any reference to the scamware from your startup process list: You can do this by opening your System Preferences, then opening the 'Accounts' preferences pane. Along the top of the pane you will see two tab buttons. Click on 'Login Items'.


10) Scan down the list of Login Items until you see the name of the scamware. Click on the name to highlight it.

11) Click on the minus sign (-) below the list in order to remove the scamware from your Login Items. You're done.
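For anyone who has to clean more than one Mac, here are the same eleven steps as a script. This is an added example of my own, not from the post and not a MacScan or Apple tool: it finds the running process by name, force-quits it (the Activity Monitor step, which must come before deleting the bundle or the Trash refuses), locates the .app bundle under /Applications including the Utilities folder, deletes it, and removes the matching Login Item through System Events. The process-list and bundle searches take their input as arguments so the script can be exercised on a clean machine; the constructed `ps` text in the test and the `dry_run` default are mine. Only the Login Item step is macOS-specific.

```python
"""Scripted version of the generic scamware removal steps (added example).

Not from the blog post. Pass dry_run=False to actually kill, delete and
remove the Login Item; by default it only reports what it found.
"""
import os
import platform
import shutil
import signal
import subprocess

APP_ROOTS = ["/Applications", os.path.expanduser("~/Applications")]


def matching_pids(ps_output, name):
    """PIDs whose command name equals `name`, from `ps -axo pid=,comm=` text."""
    pids = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        # On OS X the comm column is the executable's full path, so compare its basename.
        if len(parts) == 2 and os.path.basename(parts[1]) == name:
            pids.append(int(parts[0]))
    return pids


def find_bundles(roots, name):
    """Paths of `<name>.app` bundles under the given roots (Utilities included)."""
    target = name + ".app"
    found = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            if target in dirnames:
                found.append(os.path.join(dirpath, target))
                dirnames.remove(target)   # no need to descend into the bundle itself
    return found


def force_quit(pids):
    """Equivalent of Activity Monitor's Force Quit (step 6)."""
    for pid in pids:
        os.kill(pid, signal.SIGKILL)


def remove_login_item(name):
    """Delete the Login Item via System Events (steps 9-11); no-op off macOS."""
    if platform.system() != "Darwin":
        return False
    safe = name.replace("\\", "\\\\").replace('"', '\\"')
    script = 'tell application "System Events" to delete login item "%s"' % safe
    return subprocess.run(["osascript", "-e", script], capture_output=True).returncode == 0


def remove_scamware(name, ps_output=None, roots=APP_ROOTS, dry_run=True):
    """Run the whole procedure and return what was (or would be) acted on."""
    if ps_output is None:
        ps_output = subprocess.run(
            ["ps", "-axo", "pid=,comm="], capture_output=True, text=True
        ).stdout
    pids = matching_pids(ps_output, name)          # steps 1-4
    bundles = find_bundles(roots, name)            # step 7
    if not dry_run:
        force_quit(pids)                           # steps 5-6, before deleting
        for bundle in bundles:
            shutil.rmtree(bundle)                  # step 8
        remove_login_item(name)                    # steps 9-11
    return {"pids": pids, "bundles": bundles}


if __name__ == "__main__":
    # Dry run against the process name the post gives for MAC Defender.
    print(remove_scamware("MacDefender"))
```

As the closing paragraph of the post says, this only covers the three places the current scamware lives; it does nothing about a rootkit or about launch agents and daemons, which the manual steps do not cover either.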

That may be all you need to do to get rid of the thing. There are other ways for malware in general to insert themselves into your system. If further search and navigation methods are required to remove further traces of the scamware, I will add them to the instructions above and progress the version number of these instructions another iteration.

Hope that helps!

:-Derek

Wednesday, June 2, 2010

OSX/OpinionSpy:
Mac's First Illegal Spyware
Part I

--
RISK: HIGH
--


Introduction:

Up to this point in time, Mac OS X has only had 'legal', publicly available 'spyware'. The most common kind has been keyloggers installed by Mac network administrators into client accounts to keep track of what the client user is doing on the computer and on the Internet. You can grab a list of known 'legal' spyware over at the MacScan website. You can also search for them (using the terms 'spyware' and 'keylogger') at any of the shareware sites, such as VersionTracker.com and MacUpdate.com.

Ten years into the life of Mac OS X we now have our very first actual malware version of spyware. And it's a nasty one.

OSX/OpinionSpy:

I seriously doubt OSX/OpinionSpy is going to be the official name of this spyware. Using the current malware naming standard, my best guess is that it will end up being called Trojan.OSX.OpinionSpy.A. But don't quote me. I am calling it a Trojan horse form of spyware because of its method of infection. It requires you, the user, to install it by providing it with your administrator password. Once it has the admin password it can do what it likes, as is typical with the current crop of Mac Trojans. For now, I will stick with the name Intego have given it.

Thanks to Intego's vigilance in detecting and studying malware for the Mac, we now have some reasonable details about this spyware. We know what it does and we know a lot about where it comes from. At the time of this posting, Intego have two articles in their series on OSX/OpinionSpy:

Intego Security Alert: OSX/OpinionSpy Spyware Installed by Freely Distributed Mac Applications

Further Information about the OSX/OpinionSpy Spyware

NetworkWorld has joined in the research efforts and has come up with a preliminary list of applications that include OSX/OpinionSpy with their installation:

Intego updates Mac users on OSX/OpinionSpy Spyware threat

It might be useful to repeatedly check the article above for further additions to the list. I will also be publishing a continually updating list here in Part II of my own blog series on this malware.


What OSX/OpinionSpy Does:

Read the Intego articles for full details. Below is a very brief summary of what they have discovered:

1) At this time, the infected installers are downloadable from any of the shareware sites as well as from the source developer sites.

2) The download website or the installer may or may not tell you that the spyware, calling itself a 'market research' program, is included in the installer. If you are warned, obviously don't install the software. I personally cannot abide any form of marketing research data collection on my computers. Sadly, the field of marketing is too full of parasites, aka what I call Marketing Morons (versus beneficial Marketing Mavens) to ever trust your data with anyone.

3) Once the Trojan horse is installed, it takes over your computer with full Root access. At that point it can do anything-at-all to your computer.

4) The basic behavior of OSX/OpinionSpy is that of most spyware applications. It collects masses of data about your computer and sends it off to a collection hub for evaluation and potential distribution to others. This can include all your account IDs and passwords, all your web surfing history, bookmarks, address book data, email addresses, literally everything about you that exists on your computer and on your local network. This is a very thorough method of Phishing you, aka stealing your identity. Plenty of criminals would gladly put your identity to work for nefarious purposes.

HOWEVER, that is not where this spyware stops.

5) It is capable of restarting itself if its process is stopped on your Mac. It is also capable of reinfecting your Mac despite you having deleted any one of the applications it has infected.

6) It opens an HTTP backdoor into your Mac using port 8254.

7) It upgrades itself with new variants of itself, or any other malware it chooses to install. So far one new variant called 'PremierOpinion' has already been discovered.

8) It eats your CPU cycles while it scans your computer files and sends out files and data to the 'bot wrangler' hub. (Typically these hubs are anonymous IRC rooms setup by the bot wrangler).

9) It intercepts and analyzes all data packets coming into and going out of your Mac.

10) It injects code into (infects) the RAM space used by running applications. It also gathers data from application memory space, such as IDs, passwords, credit card numbers, PINs, etc.

11) It occasionally provides an interface for asking users for information it would like to learn, essentially Phishing for your identity via bogus surveys.

12) It is capable of crashing or stopping Macs it has infected, requiring the user to Force-Reboot their computer. Potentially it has corrupted your boot drive.

No doubt, further details about its behavior will be discovered. Considering that this spyware runs with Root authority, you might as well describe it as having botted, zombied or pwned your Mac. This is the worst possible infection situation.


Detection And Prevention:

Intego today provided a 'threat filter' (aka malware signature) update for active versions of VirusBarrier versions 10.5 and 10.6.

As with any Trojan horse, only install software on your Mac that you have verified to be legitimate and malware free. Intego recommend having 'real time scanning' running in their anti-malware application. Another option is to individually scan all application installers you download before you install them. If you fail to use either of these precautions, you should perform a full scan of your Mac.

Using a reverse firewall is also extremely helpful. I use Little Snitch. Intego also include a reverse firewall in VirusBarrier v10.6. In particular, keep an eye out for any application accessing ports 80, 443 and 8254. Personally, I set up a denial rule for 'All Applications' attempting to send data out of port 8254. This is unlikely to entirely block the actions of the spyware, but it can't hurt. This port is very rarely used.

Reverse firewalls also make it easy to scan down a list of applications with rules you have set for accessing your network or the Internet. This can help you identify whether you have some odd or foreign application making connections. If you find one, it is likely useful for you to scan your Mac for all instances of the spyware.

It is also useful to delete mysterious applications from your reverse firewall rules list in order to keep an eye on their further requests for network and Internet access.
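The reverse-firewall advice above answers the question "who is using port 8254?" from the network side; the host itself can answer the same question with `lsof`. Here is an added example of my own (not from the post, not from Intego or Little Snitch) that parses `lsof -i -n -P` output, either captured or run live, and lists every process listening on or connected to the backdoor port. The sample lsof output is constructed; the process name in it is the 'PremierOpinion' variant mentioned above, truncated to nine characters the way lsof truncates the COMMAND column.

```python
"""Find processes bound to or talking over port 8254 from lsof output.

Added example, not part of the blog post. The sample lsof text below is
constructed for illustration.
"""
import shutil
import subprocess

SUSPECT_PORT = 8254   # the backdoor port reported by Intego for OSX/OpinionSpy


def ports_in_name(name_field):
    """All port numbers in an lsof NAME field such as
    "*:8254 (LISTEN)" or "192.168.1.5:50123->203.0.113.7:8254 (ESTABLISHED)"."""
    ports = []
    endpoints = name_field.split(" ")[0].split("->")   # drop the "(STATE)" suffix first
    for endpoint in endpoints:
        _host, _sep, port = endpoint.rpartition(":")   # rpartition also copes with [::1]:8254
        if port.isdigit():
            ports.append(int(port))
    return ports


def find_port_users(lsof_output, port=SUSPECT_PORT):
    """Return (command, pid, name) for each lsof line that involves `port`."""
    hits = []
    for line in lsof_output.splitlines():
        # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME may contain spaces.
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        command, pid, name = parts[0], parts[1], parts[8]
        if port in ports_in_name(name):
            hits.append((command, int(pid), name))
    return hits


def live_check(port=SUSPECT_PORT):
    """Run lsof on this host; returns [] if lsof is not installed."""
    if not shutil.which("lsof"):
        return []
    out = subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True, text=True).stdout
    return find_port_users(out, port)


# Constructed sample output: sshd and Safari doing normal things, plus a
# process both listening on 8254 and connected out over it.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1  root   10u  IPv4 0x1234      0t0  TCP *:22 (LISTEN)
Safari      412 derek   23u  IPv4 0x2345      0t0  TCP 192.168.1.5:51234->203.0.113.9:443 (ESTABLISHED)
PremierOp   733  root    8u  IPv4 0x3456      0t0  TCP *:8254 (LISTEN)
PremierOp   733  root    9u  IPv4 0x4567      0t0  TCP 192.168.1.5:50123->198.51.100.20:8254 (ESTABLISHED)
"""

if __name__ == "__main__":
    for hit in find_port_users(SAMPLE_LSOF):
        print("sample:", hit)
    for hit in live_check():
        print("live:", hit)
```

A hit is a reason to scan, not proof by itself: the port number is a weak indicator that a future variant can change, which is why the post also recommends watching for unfamiliar applications asking for 80 and 443.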


Other Anti-Malware applications:

At the moment, only Intego VirusBarrier is able to detect and fully remove this malware. As usual, VirusBarrier is the only commercial anti-malware application I can recommend.

I'm going to keep an eye out for detection and removal by other anti-malware apps. Of the free options it is doubtful that ClamAV (via ClamXav) will detect this malware in the near future. iAntiVirus so far does not detect OSX/OpinionSpy, but I expect they shortly will.

A blog at Sophos describes the experience of running one of the screensaver spyware installers from 7art:

Mac OS X OpinionSpy – same old, same old

In keeping with the chaotic nature of the anti-malware community, Sophos are ignoring the published malware naming standard, calling this malware simply "OpinionSpy". They are also describing it as "monitorware" as opposed to spyware. Yeah, whatever guys.
(o_0)
[Patience requires that I start counting to 10, again...]


Infected Installers:

With time I will be posting a periodically updating list of dangerous installers that will infect your Mac. This will constitute Part II of my blog series on OSX/OpinionSpy. For the moment, the general shortlist is:

A) ANY screensaver installer from 7art-screensavers.com, version 2.6 or above. So far, 29 of their screensavers have been found to be vectors for installing this spyware.

B) The installer for 'MishInc FLV to MP3' available from the MishInc.info website.

I don't know if Intego have contacted VersionTracker or MacUpdate about these dangerous application installers. I will be writing to both of them tomorrow to make certain they know what is going on. If you are a fan of other shareware download sites, please contact them as well.

Stay safe. Stay secure.

:-Derek

Wednesday, April 28, 2010

HellRTS,
The Not Quite In-The-Wild
Hacker Tool "Trojan"


"Take a deep breath and count to ten. One, two, three..."

This past couple weeks the incoherent, or should I say incompetent, nature of the anti-malware community has become evident yet-again through the discovery and discussion about a new variation of a hacker tool called 'OSX.HellRTS.D'. I am going to use that name because my best estimation is that it was first described by Intego, and that is their chosen name. It also follows the published malware naming protocol.

As per usual, other anti-malware companies could not bother to stick to the source name and have proliferated the usual WHATEVER of their own names, those being 'Hellraiser' and 'Pinhead'. Further confusion includes the addition of '.D' at the end of Intego's name. I have no idea why it is there. It indicates that this is supposed to be the FOURTH variant of this 'malware', and yet no one, including Intego of course, provides any reference to variants ".A", ".B" or ".C". I am going to toss out a wild guess that ".D" only means that this hacker tool has three previous versions known well only within the hacker community.

UPDATE: I have verified that 'Hellraiser' is the actual name of the source hacker tool of which HellRTS.D is the fourth variation.

Why I'm counting to ten: Because there are no signs of improvement in the chaotic nature of the anti-malware community. Anti-malware is supposed to be a 'professional' endeavor. The only reliably professional thing I have found so far in the community is that people make money in it. Otherwise, as a trained and experienced scientist, I find the community to be nothing more than 'A Pack Of Cards', as Lewis Carroll put it. That is to say it is a bunch of playing card characters disagreeing with one another over nonsense.


Which is to say quite bluntly:

The anti-malware community is not entirely scientific in nature.

(I am so itching to have someone disagree with my statement above. I dare you.)

Of course, enough of my own injection of subjective emotion into what should be an objective, scientific subject. Here's the lowdown on this new 'Trojan':

So far OSX.HellRTS is entirely ignorable. It is being distributed as a hacker tool out on the Internet, but has NOT been utilized as malware 'in-the-wild'. Instead it is being described as capable of being used as malware in-the-wild. When or if OSX.HellRTS becomes anything more than a hacker tool, I'll provide more detailed information.

In the meantime, here are some links for those who would like to dig around in the details:

David Harley has written a series of articles about HellRTS at his poorly named "Mac Virus" blog. David provides some very useful information through his professional work for the Mac community, which I very much appreciate. However, David also often makes his own contributions to the chaotic nature of the anti-malware community, fitting my fittingly harsh appraisal. Therefore, when you read his articles, "Take a deep breath and count to ten...."

Hellish Mac Malware

More on that hellish Mac malware...

OSX/HellRTS - more info

Here are Intego's source articles about OSX.HellRTS:

INTEGO SECURITY MEMO – April 16, 2010
HellRTS Backdoor Can Allow Malicious Remote Users to Control Macs


Intego Security Memo: HellRTS Backdoor Can Allow Malicious Remote Users to Control Macs

Now for the firing squad:

These are reports from other anti-malware companies that chose to use their own WHATEVER name for OSX.HellRTS. They should be lined up against a wall. As you click each of the links below, think to yourself:

"BOOM! HEADSHOT!"

Sophos: "OSX/Pinhead-B"

CA: "OSX/HellRTS"

iAntiVirus (PC Tools): "Backdoor.OSX.Hellraiser" <- Search on this page for 'Hellraiser' to read its description.

As usual I'm not going to bother with references to Symantec or MacScan articles. Why? Why bother.

If there are hackers who'd like to share the history of the Hellraiser hacking tool, please let us know via the comments! I'd be most interested.

Friday, January 15, 2010

Intego VirusBarrier Version 10.6 Review:
Part I

--
Let's start with the GOOD NEWS:

Intego VirusBarrier is the only anti-malware program I can recommend for Mac OS X. Its interface and features are unmatched by any similar program. The signature updates are regular and reliable. Intego stay right up-to-date with all Mac OS X malware. The program is 100% compatible with Snow Leopard. Ignore all reports to the contrary. For Mac users who want a top notch single-user anti-malware program, this is the only one. Nothing compares, except perhaps Sophos, which is only designed for network users.

The new VirusBarrier 10.6 version adds a bunch of new security features worth the upgrade price. Some features are redundant to those already in Safari and FireFox. The reverse firewall is the only new feature I care about. Reverse Firewalls stop dead any way to zombie your Mac. They also stop all software from 'phoning home'. I've been using Little Snitch for years and love it. The reverse firewall in VirusBarrier 10.6 is not as good as Little Snitch. But it's there and it's useful.

A new single user license for VirusBarrier costs $49.95 and protects two Macs. A new family license is $69.95 and protects five Macs. The 10.6 upgrade is potentially free for those who purchased VirusBarrier 10.5 on or after November 25, 2009 through April 13, 2010. See Intego for details. Otherwise, the upgrade is $34.95 for single users. A family pack upgrade is $59.95 for protecting five Macs. Every new or upgrade license includes a year's subscription of malware signatures.

Intego also provide an occasionally useful and intelligent Mac Security Blog.

Now the BAD NEWS:

1) Accompanying the 10.6 update is a new advertising campaign that makes several wrong and ridiculous claims consisting of what is traditionally called BULL SHITE or FUD. Enjoy:
"More and more malware is discovered every day. Macintosh computers face threats from viruses, Trojan horses, worms and more."
Incorrect! There are ONLY Trojan horses for Mac OS X. Period. The End. If you believe otherwise, you've been duped.
"VirusBarrier X6, the Lowest-Priced Mac Antivirus"
No. FREE would be 'The Lowest-Priced Mac Antivirus', and there are a few of those to choose from. See below.
"... simply visiting a booby-trapped web page can compromise your Mac."
This has never happened on Mac OS X in the wild or in a 'Crack A Mac' competition without an account user providing deliberate sabotage assistance. However it 'could' happen if a JavaScript or Java security hole wasn't patched in your web browser or operating system. (Readers of my posts know what contempt I have for the state of JavaScript).


I hope Intego have brains enough to dump the false advertising before they get sued. I despise FUD and would hate to have to put Intego on a par with Symantec, the renowned masters of anti-Mac security FUD and makers of easily the worst anti-malware for Mac.



2) Yearly malware subscriptions for VirusBarrier are required and expensive. $29.95 for one year. Yikes! A two year subscription is 50% off the second year at $44.90. If you're up for renewal and are using version 10.5, you might as well upgrade to 10.6 at $34.95 and get the included one year subscription, saving yourself $25.

3) Intego outright refuse to provide a list of malware detected and removed by VirusBarrier. That's idiotic and I've directly told them so. They don't care. Instead, I follow the imperfect but useful Threats Database provided by the PC Tools site, the makers of the up and coming competitor program iAntiVirus.

4) And of course, if you turn on the Real-Time Scanner feature, expect VirusBarrier to eat your CPU. So turn it off. You don't need it unless you're dealing with LUSERs, in which case all you have to do is prevent them from having access to an administrator account and password. It's seriously that simple.

CONCLUSION:

So what is VirusBarrier for? It protects you from LUSER behavior and lets you find and wipe out Windows malware you may be passing along to Windows users.

If you're a conscientious Mac user who checks the validity of all software you install, you don't need VirusBarrier to protect your Mac. There are less reliable free alternatives if you want to try them out, such as ClamXav and iAntiVirus. (Avoid MacScan, which is ultra-lame).

I'll be posting a detailed feature review in Part II after I test the new VirusBarrier 10.6.3 update.
--

Saturday, April 18, 2009

The First Reported Mac BOTNET

--
Let me first share news from SANS Institute, then provide a brief perspective on the situation.

Below is a quote from SANS NewsBites Volume 1, Number 30, released last night. (I added some bolding for emphasis). You can sign up for the SANS newsletters HERE.
--Trojan in Pirated Mac Software Helped Create First Mac Botnet
(April 15, 2009)

Malware embedded in pirated versions of Apple's iWork and Adobe Photoshop CS4 for Mac that were available over a peer-to-peer network in January is responsible for what appears to be the first known Mac botnet. The zombie network attempted to launch a distributed denial-of-service (DDoS) attack against an unidentified website. The malware had spread to several thousand computers before it was identified.

http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html

http://blogs.zdnet.com/security/?p=3157

[Editor's Note (Honan, Schultz): Looks like the Mac platform is an increasingly fruitful target for cyber criminals. ]
Indeed it has. "Several Thousand Computers." This is incredibly sad, but also inevitable.

While all the FUD mongers have a sadism party at our expense, (and they will), keep in mind that NONE of the current Mac malware is able to penetrate any Mac unless the user (often called the 'luser') deliberately installs a Trojan horse on their computer. This happens specifically because the user has been conned by what is called Social Engineering, or in this case, the luser is using pirated software that has had the Trojan carefully placed in the installer to go along for the ride. What do you call it when a dirty deed is done to someone pulling a dirty deed? How about 'Dishonor Among Thieves'. It is more like poetic justice, parasite chewing on parasite.

Anyway, Mac Botnets have arrived. What is done with them will be of interest. Typically these days they are used for money making schemes. Go read all the news about the Windows Conficker worm scare of April 1st and beyond. Once created via infection, a botnet can pull off just about anything you can do over the Internet, but in mass numbers at one time.

OK! You're a luser and maybe you did something that could have gotten you infected. Now what?

What NOT to use:

ClamAV. Worthless for Macs. I've covered this disappointment several times.

MacScan. The botnet Trojans are out of its league. It's clunky unreliable software anyway.

Symantec Norton Whatever. I consistently get reports that Norton Anti-Virus continues to be one of the single most buggy and CPU hogging applications you can buy for Macintosh. Symantec also invented the anti-Mac security FUD campaign back in 2005. Save your money and your patience. Avoid. Run away. Just my opinion.

Freeware:

iAntiVirus from PC Tools. It can detect and remove all current Mac malware. You don't have to pay for the application unless you are a business or are running a large network. The paid version offers technical support. Note that it only runs on Leopard. I use it and find it to be very simple and unobtrusive.

Shareware / Commercial-ware:

Sophos Anti-Virus. It is designed for companies and networks of computers.

Intego VirusBarrier. I find them to be the best-in-class for single users. I'm disappointed at their disorganization as a company. But the program is top notch. Just be prepared to shell out money year after year. Bleh. Nonetheless, I own it, use it and like it.

I used to use Virex X, now called McAfee Virus Scan. But it got clunky. Many people downright hate it. I don't know why. These days it is designed for companies and networks, not single users. I would have shoveled McAfee into the grave alongside Symantec for having FUDed the Mac. But oddly, their CEO ended up stating that the single best way to escape computer malware was to "buy a Mac." So they can't be entirely stupid over there.

There is other stuff around, but it makes me yawn. You can get a listing of it all at the download sites by searching for 'virus'.

DEFENSE!

If you are in charge of a home computer shared by others, or you are an IT manager, stop the luser users from installing Trojans by giving them Mac OS X accounts that Do Not Allow Program Installation! If a user wants a program installed, let them ask you to do it for them in YOUR account. Then give them access to the program.

But of course this means that YOU, the boss of the machines, have to be careful too. Always verify that what you install has specifically been tested somewhere. I always use the download sites like VersionTracker or MacUpdate. There are many others. Be sure that either the site itself has tested that version of the program and given it an OK, or that a lot of users have tested it and OKed it. Buy commercial-ware directly from the company, and make certain they are entirely, unquestionably reputable. Adobe.com = reliable. Jake's Super Deluxe Fly-By-Nite Site.com ≠ reliable. You get the idea.

And just to tick off the FUD mongers:

A) There is no such thing as a 'virus' for Mac OS X.
B) There is no such thing as a 'worm' for Mac OS X.
C) There is no such thing as illicit 'spyware' for Mac OS X. All Mac spyware is sold legally for the purpose of surveillance of network machines.
D) There is no such thing as 'security by obscurity' for Mac OS X. If you know how to do math, you can prove this for yourself. Go backwards in my blog if you want to read the gravestone I wrote for this mythologically absurd form of FUD.
E) As a Mac user you must keep computer security in mind. Follow the basic rules:
  1. Make regular backups. This is the #1 Rule Of Computing.
  2. Learn how to use your router's firewall and use it.
  3. Learn how to use Mac OS X's built-in firewall and use it.
  4. Always use password protected accounts. Make very sure your password is strong, obscure, unintuitive and plain old nasty. Be sure you remember it. Don't give anyone else access to it.
I've gone into greater detail about add-on measures in previous posts. The list above covers the essential basics.

And of course, don't ever pirate software. Now it's extra dangerous. If that gets you excited, welcome to the botnet.

:-Derek
--

Friday, January 23, 2009

Mac Malware #8: OSX.Trojan.iServices.A

--
Intego, makers of VirusBarrier, posted an alert on Thursday 2009-01-22 regarding a newly discovered Trojan horse specific to Mac OS X. They have designated it "OSX.Trojan.iServices.A". It was found in torrented/pirated copies of Apple's iWork 09 installer.

Conclusion: If you have torrented, downloaded or been given any pirated copy of iWork 09, do not install it! Throw it away!

Cures: Intego of course has provided a removal method in the latest malware definitions file for VirusBarrier. The folks at MacScan have also provided a FREE removal tool here.

A MacRumors article about the Trojan can be found here.

How does it work?

1) Included with the iWork 09 package is an added bogus Trojan package entitled "iWorkServices.pkg". When you install iWork 09, the Trojan is installed along with the legitimate program packages. It is specifically installed as a startup item within your system.

2) According to Intego: "The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac."

Essentially, you've been zombied. The cracker controlling the program can do anything with your computer. Examples include money making schemes such as stealing your identity, spamming the net or using your machine in a denial of service attack.

For Mac users, this method of infection is entirely new. It can also be used in any other similarly pirated program installer, not just iWork 09. The only things specific to iWork 09 about this Trojan are the name of the package used and its placement alongside all the other installer packages for iWork 09.
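Since the Trojan persists as a startup item, one cheap defensive check is to audit the StartupItems folders against a list of what you expect to be there. The script below is an added example, not code from the original post or from Intego or MacScan; the folder layout, the allowlist and the sample "iWorkServices" folder it builds are all constructed for the demo (on a real Mac you would point it at /Library/StartupItems and /System/Library/StartupItems).

```shell
#!/bin/sh
# Added example (not from the original post): flag startup items that are
# not on an allowlist. Paths and allowlist contents are assumptions.

# Usage: audit_startup_items <StartupItems-dir> <allowlist-file>
# Prints one line per unexpected item; returns the number found (0 = clean).
audit_startup_items() {
    dir="$1"
    allow="$2"
    unexpected=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 0; }
    for item in "$dir"/*; do
        [ -e "$item" ] || continue       # empty dir: the glob stays literal
        name=$(basename "$item")
        if grep -qx "$name" "$allow"; then
            continue                     # known, expected startup item
        fi
        echo "UNEXPECTED startup item: $item"
        # A real startup item carries a StartupParameters.plist; show it
        # so the reviewer can see what the item claims to provide.
        if [ -f "$item/StartupParameters.plist" ]; then
            sed 's/^/    /' "$item/StartupParameters.plist"
        fi
        unexpected=$((unexpected + 1))
    done
    return "$unexpected"
}

# Demo on a constructed tree: one expected item ("Disk") and one that is
# not on the allowlist (named after the bogus package the post describes).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/StartupItems/Disk" "$demo_dir/StartupItems/iWorkServices"
printf 'Disk\n' > "$demo_dir/allow.txt"
printf '{ Description = "constructed sample"; }\n' \
    > "$demo_dir/StartupItems/iWorkServices/StartupParameters.plist"
audit_startup_items "$demo_dir/StartupItems" "$demo_dir/allow.txt" \
    || echo "found $? unexpected startup item(s)"
rm -rf "$demo_dir"
```

Keep the allowlist under version control or on read-only media; an attacker who can write to StartupItems can also edit an allowlist stored next to it.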

In other words, pirated Mac program installers are now all suspect. Pirates beware.
--