Friday, May 29, 2009

Microsoft Senior Security Architect Said WHAT?!

Someone needs a good spanking and a time out for bad behavior. He's considered to be a professional computer security expert (so it's not me!).

This afternoon I was checking out the Intego Mac Security Blog and read about interviews ZDNet Australia had done with security specialists regarding the question "Do Mac Users Need Antivirus Software?" (They got the software category wrong as usual. It's anti-malware, not 'anti-virus'. I'll go down in history as the curmudgeon who chanted this fact to the grave, and nobody cared. Poor me.) So I clicked over to ZDNet OZ, read their article and watched the video, found HERE.

In the video, note the fellow in the white shirt with a British accent. That's Greg Singh from RSA. As Intego point out, Singh is incorrect to say Mac users will have to get used to the degradation in performance caused by anti-malware applications. He could be talking specifically about Symantec's Norton Antivirus for Mac, in which case no one could argue with him. He also insinuates that Apple have said Mac OS X is not susceptible to 'viruses'. Oops, I think he got his Apples mixed up. He must have meant Apple Corps, the folks who make Beatles CDs. Yeah, I'd agree that Beatles recordings are not susceptible to viruses. **snicker**

Then there's the guy in the black t-shirt and hat reading 'ULTIMATE-DEFENCE'. That's Rocky Heckman from Microsoft. He has the title of "Microsoft Senior Security Architect". I was freaked at what was coming out of his mouth. First he thinks BSD is something new to Mac OS X Tiger. He was born yesterday. Then he says that because BSD is part of Mac OS X, hackers are now realizing they can write 'viruses' for it, "and there have been a couple out there." He's from the Bizarro World. There are no viruses for Mac OS X. There are only Trojans, and he knows the difference. I wrote a ripping comment about Mr. Heckman over at the ZDNet OZ site. See below.

Then there's an Australian fellow in a white striped shirt with a big pad and marker hanging around his neck. I don't know his name, sorry. His odd statement, if you listen carefully, is that anti-malware products for Mac OS X are 'immature'. Based on what information? Based on ignorance. Very strange.

OK, so where were all these incorrect people when they were interviewed? The AusCERT 2009 IT Security Conference. The mind boggles.

Here is the concerned comment I wrote to ZDNet Australia regarding the statements of Mr. Heckman from Microsoft:
Microsoft Senior Security Architect Said WHAT?!

"Microsoft senior security architect Rocky Heckman said AV became necessary when Apple in 2001 decided to underpin OS X Tiger with the BSD operating system because it made Macs an easier platform to write malicious code for."

Why did anyone ask Mr. Heckman his opinion? We certainly have no reason to care. Windows is the single LEAST secure operating system, commercial or Open Source, available on the planet.

Why Heckman's opinion is lunatic:

1) Apple didn't decide to underpin Tiger with BSD. NeXT decided to underpin NeXTStep with BSD decades ago! Mac OS X inherited it when Apple decided to make NeXTStep/OpenStep the foundation for Rhapsody, which was then developed into Mac OS X.

2) The three most secure operating systems on the planet have been repeatedly proven to be:
A) OpenBSD
B) FreeBSD
C) Mac OS X
Mac OS X incorporates elements of both OpenBSD and FreeBSD into its core OS called Darwin OS. So what Mr. Heckman is talking about is incomprehensible. He is either a blithering idiot or is pulling a FUD manoeuvre by telling the opposite of the truth in order to fool the public that black is white, war is peace, hate is love, the usual doublespeak routine from the book '1984'. Shame on Mr. Heckman.

This has to be one of the most dishonest statements from a Microsoft executive of all time. It's running neck-and-neck with Bill Gates' moronic statement that Mac OS X is exploited every day, when in fact it is HIS operating system that is exploited every day.

Or maybe there's lead in the water over at Redmond. (o_0)

Tuesday, May 26, 2009

Hope For ClamAV For Mac

As you recall from our last episode, ClamAV was essentially worthless for detecting and removing the current 11 malware for Mac OS X. However, hope appeared last week thanks to the persistence of Mark Allan, the developer of the ClamXav GUI application, and myself.

I wrote a series of posts over at the ClamXav Forum last week that revved up some interest in sorting out the problem with ClamAV. I found out that a number of people, including Mark Allan himself, had submitted MOSX malware to the ClamAV project, using the official protocol, and had been entirely ignored. From my experience, there are a number of plain old dickheads over at the ClamAV project who resist any improvement in MOSX support. You have to wonder what goes on in some people's heads.

However, Mark Allan and I chatted about the situation and he was inspired to try once again to contact someone sane over at the ClamAV group. And he SUCCEEDED. I could not be more pleased.

Mark is now working with the ClamAV project to provide them with Mac OS X malware. The resulting malware definitions will then be integrated into ClamAV. If this relationship works out, and Mark is able to continue his freely given dedication to Mac OS X security, we should soon see and continue to see ClamAV as a free useful tool for Mac OS X users.

You can read about and download ClamXav, Mark Allan's free Mac OS X GUI version of ClamAV, HERE. Donations are welcome. You can join in on the ClamXav Forum discussions THERE.

Thursday, May 21, 2009

Java is DANGER! Apple is SLOW POKE!

One of my favorite jabs at the anti-Mac security FUD mongers is to point out that their FUD attack party, ongoing since it was started by Symantec way back in August 2005, has happily prodded Apple to get serious about Mac OS X security updates. I then extend them a hearty handshake and gleefully, maniacally, laugh.

However, Mac security mavens point out that Apple is still a slow poke. Damned right! There are a couple short articles over at Intego about an ongoing security hole in the current implementation of Java in Mac OS X:
-> Apple Hasn’t Updated Java to Protect Mac Users from Critical Vulnerabilities
-> Intego Security Memo: Java Vulnerability

To defenders of the faith, such as myself, this is annoying. First off, we get to be poked by the FUD mongers with the 'see, I told you' routine. Second off, I am so sick of the corrosion that has happened to the great and shiny image in the sky of Java being this ultra-safe, can't break into your computer, can't hurt you, technology. Yeah, and Sun is now no more. Justice is served. But we're stuck with the mess as a web standard.
*rolling eyes*

Twitter Spamrat Attacks -> Nuisance

Last night I became aware that someone has, dare I say, 'hacked' Twitter such that logged in users are instantaneously befriended/followed by scum spammers. For all I know, this is deliberate by the Twitter folks or there is some other nebulous explanation. What I do know is that it is a BLOODY NUISANCE!

Thankfully it is easy to block the spamrats as they show up in your followers list. But then you have to scour through your followers list at least every day to kick them out. So far it is also easy to spot them by checking out their page. It will be full of moronic spam tweets. If by chance you've been vacant enough to choose to follow them and your tweet collection turns into a pile of blithering idiotic ads for rubbish, again it is easy to kick them.

I hope Twitter get a handle on this, if indeed it isn't some sort of sell-out collaboration, because it is soooo boring having to sort through your lists and play Spot-The-Loony. Bloody! Bloody I say!

Sunday, May 17, 2009

Current List of Mac OS X Active Malware

This evening I was busy over at the ClamXav forum. In response to a suggestion there, I provided a current list of Mac OS X active malware. I decided to cross-post the list here as well:

Below is a list of all the Mac OS X active malware I am aware of. I've been attempting to keep up to date on this subject since 2005. I have a blog where I share all my knowledge of Mac security:

As far as I am able to ascertain, the only active Mac OS X malware ClamAV is able to detect is Trojan.OSX.RSPlug.A (aka DNSChanger.A). In a previous thread I have asked for help trying to determine if any further Mac OS X malware are detected.

Note that there is only one official standard name for each of the 11 malware. This is what I use to name each family. However, anti-malware providers call them anything they choose. This is why I provide alternative names. There are four families of Trojans listed below with various strains/versions/variants designated by "A" through however many exist for the family. In the case of RSPlug I list A through G specifically because the PCTools site lists that many. Most other sites list only A through F.

If anyone knows of further names for these malware, or of any further ACTIVE malware (please not inert or proof-of-concept malware) please let me know at my blog.

The current list of active Mac OS X malware as of 2009-05-17:

I) Trojan.OSX.RSPlug family, aka DNSChanger or Jahlav.
01) Trojan.OSX.RSPlug.A
02) Trojan.OSX.RSPlug.B
03) Trojan.OSX.RSPlug.C
04) Trojan.OSX.RSPlug.D
05) Trojan.OSX.RSPlug.E
06) Trojan.OSX.RSPlug.F
07) Trojan.OSX.RSPlug.G

II) Trojan.OSX.Lamzev family, aka Malez.
08) Trojan.OSX.Lamzev.A

III) Trojan.OSX.PokerStealer family, aka Corpref.
09) Trojan.OSX.PokerStealer.A

IV) Trojan.OSX.iServices family.
10) Trojan.OSX.iServices.A
11) Trojan.OSX.iServices.B
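The naming scheme used in the list above (Type.OS.Family.Variant) and the alternative vendor names it records are the kind of thing you end up looking up by hand every time a scanner report uses a different spelling. The following is an added example, not code from the original post or from any anti-malware vendor: it encodes the list and its aliases and maps vendor-style spellings such as "OSX/DNSChanger-A" or "Troj/Corpref-A" back to the one standard name. The catalog and alias table are taken from the list; the sets of type/platform tokens and the separators vendors use are assumptions made for illustration.

```python
"""Parse, validate and normalize Mac OS X malware names (added example).

Encodes the post's Type.OS.Family.Variant scheme and its alias table so that
vendor spellings resolve to one standard name. CATALOG and ALIASES come from
the post's 2009-05-17 list; TYPE_TOKENS, OS_TOKENS and SEPARATORS are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 11 active malware exactly as listed above (standard names).
CATALOG: List[str] = [
    "Trojan.OSX.RSPlug.A", "Trojan.OSX.RSPlug.B", "Trojan.OSX.RSPlug.C",
    "Trojan.OSX.RSPlug.D", "Trojan.OSX.RSPlug.E", "Trojan.OSX.RSPlug.F",
    "Trojan.OSX.RSPlug.G",
    "Trojan.OSX.Lamzev.A",
    "Trojan.OSX.PokerStealer.A",
    "Trojan.OSX.iServices.A", "Trojan.OSX.iServices.B",
]
# Alternative family names the post mentions, mapped to the standard family.
ALIASES: Dict[str, str] = {"DNSChanger": "RSPlug", "Jahlav": "RSPlug",
                           "Malez": "Lamzev", "Corpref": "PokerStealer"}
# Assumed vendor conventions: tokens naming the type or platform rather than
# the family, and the separators vendors put between components.
TYPE_TOKENS = {"trojan", "troj", "trojanhorse", "worm", "virus", "backdoor"}
OS_TOKENS = {"osx", "macosx", "macos", "mac"}
SEPARATORS = re.compile(r"[./\-_:\s]+")
VARIANT_RE = re.compile(r"[A-Z]{1,2}")
STANDARD_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)\.(?P<os>[A-Za-z0-9]+)\."
    r"(?P<family>[A-Za-z][A-Za-z0-9]*)(?:\.(?P<variant>[A-Z]{1,2}))?$")


@dataclass(frozen=True)
class MalwareName:
    type: str
    os: str
    family: str
    variant: Optional[str]

    def __str__(self) -> str:
        base = f"{self.type}.{self.os}.{self.family}"
        return f"{base}.{self.variant}" if self.variant else base


def parse_name(name: str) -> MalwareName:
    """Split a standard-form name into its components; reject any other shape."""
    m = STANDARD_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a standard Type.OS.Family.Variant name: {name!r}")
    return MalwareName(m["type"], m["os"], m["family"], m["variant"])


def _family_lookup() -> Dict[str, str]:
    """Case-insensitive map from every known spelling to the standard family."""
    table = {parse_name(e).family.lower(): parse_name(e).family for e in CATALOG}
    table.update({alias.lower(): fam for alias, fam in ALIASES.items()})
    return table


def canonicalize(vendor_name: str) -> str:
    """Map a vendor-style name (e.g. 'OSX/DNSChanger-A') to the standard name.

    Type and platform tokens are dropped; the first remaining token must be a
    known family or alias; optional trailing 1-2 capital letters are the variant.
    """
    lookup = _family_lookup()
    family = variant = None
    for tok in SEPARATORS.split(vendor_name.strip()):
        if not tok:
            continue
        key = tok.lower()
        if key in TYPE_TOKENS or key in OS_TOKENS:
            continue
        if family is None:
            if key not in lookup:
                raise ValueError(f"unknown family or alias {tok!r} in {vendor_name!r}")
            family = lookup[key]
        elif variant is None and VARIANT_RE.fullmatch(tok):
            variant = tok
        else:
            raise ValueError(f"unexpected token {tok!r} in {vendor_name!r}")
    if family is None:
        raise ValueError(f"no family found in {vendor_name!r}")
    # Everything on the list is a Trojan for OSX, so those components are fixed here.
    return str(MalwareName("Trojan", "OSX", family, variant))


def families() -> Dict[str, List[str]]:
    """Group the catalog into {family: [variant letters]} in listed order."""
    groups: Dict[str, List[str]] = {}
    for entry in CATALOG:
        n = parse_name(entry)
        groups.setdefault(n.family, []).append(n.variant)
    return groups


def next_variant(family: str) -> str:
    """Letter the next strain of a family would get (single letters only)."""
    known = families().get(family)
    return chr(ord(max(known)) + 1) if known else "A"


def in_catalog(vendor_name: str) -> bool:
    """True if a vendor-style name resolves to a strain on the list above."""
    try:
        return canonicalize(vendor_name) in CATALOG
    except ValueError:
        return False


if __name__ == "__main__":
    for raw in ("OSX/DNSChanger-A", "Trojan.OSX.Jahlav.C", "Troj/Corpref-A", "OSX.RSPlug.H"):
        print(f"{raw:22} -> {canonicalize(raw):28} listed={in_catalog(raw)}")
```

The useful part is `in_catalog`: a name that canonicalizes cleanly but is not on the list (an "H" variant of RSPlug, say) is a signal that either the list needs updating or the vendor has invented a strain, which is exactly the ambiguity the alias table is meant to surface.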

Sources of these malware:

The RSPlug family are all offered by websites that tell you that you must install their file or program in order to access specific media they are offering. Originally these Trojans showed up on porn sites where you were told to download a video codec in order to view their videos. These days the websites could be telling you anything. The basic idea is to use 'Social Engineering' to fool you into installing their Trojan. The most recent of these Trojans can potentially zombie your computer and use it in a botnet.

Lamzev is a hacker tool used to create backdoor access into a computer. The only way to 'catch' it is if a hacker has physical access to your computer and hand-installs it. Note that there are plenty of other hacker tools around, but this is the only one listed as a Trojan because of the potential damage it can do to a victim computer.

PokerStealer originally called itself "PokerGame". You download it, install it and are infected. The original version put up a bogus warning message that a corrupt preference file had been detected and that your administrative password was required to repair it. It then sends your ID, password and IP address to crackers who can then access your computer via SSH and do whatever they like with it. Theoretically this Trojan can be named anything.

iServices showed up earlier this year in pirated programs, buried inside their installer. The original A and B variants were buried in pirated versions of iWork '09 and Photoshop CS4. You install the pirated program and get infected. There are reports that the installers actually fail to install the listed program and only install the Trojan. In any case, iServices zombies your computer and makes it part of a botnet. This Trojan formed the first officially verified Mac botnet back in February. It apparently consists of thousands of computers. It has so far been used in a DDoS attack. Note that once a Mac is zombied, the 'bot wrangler' or cracker-in-charge can do anything they like with the computer. This particular zombie botnet is so far being used for money-making ventures over the Internet.
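Two of the behaviours described above leave traces you can check for without a scanner: RSPlug's alias "DNSChanger" means it rewrites the machine's resolver settings, and the PokerStealer scenario only works if the crackers can reach the stolen account over SSH, which on Mac OS X is the Remote Login service. The following is an added example, not code from the original post: it parses the output of `scutil --dns` and `systemsetup -getremotelogin`, flags resolvers outside an allowlist and reports whether Remote Login is on. Assumed here are the output layouts of those two commands (the samples are constructed), and `EXPECTED_RESOLVERS` is a placeholder allowlist that you replace with your own router and ISP addresses.

```python
"""Resolver and Remote Login triage for a Mac (added example, not the post's code).

Assumed: the `scutil --dns` and `systemsetup -getremotelogin` output layouts
shown in the constructed samples; EXPECTED_RESOLVERS is a placeholder allowlist.
"""
import ipaddress
import re
import subprocess
from typing import Iterable, List

# Constructed sample of `scutil --dns`: a foreign resolver has been inserted
# ahead of the router, which is what a DNS-changing Trojan does.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.45
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""
SAMPLE_REMOTE_LOGIN_ON = "Remote Login: On\n"
SAMPLE_REMOTE_LOGIN_OFF = "Remote Login: Off\n"

# Placeholder allowlist: the router plus whatever your ISP or office hands out.
EXPECTED_RESOLVERS = ["192.168.1.1", "192.168.0.0/16"]

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")
REMOTE_LOGIN_RE = re.compile(r"Remote Login:\s*(On|Off)", re.IGNORECASE)


def parse_nameservers(scutil_output: str) -> List[str]:
    """Every 'nameserver[N] : addr' line from scutil --dns, in resolver order."""
    found = []
    for line in scutil_output.splitlines():
        m = NAMESERVER_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def unexpected_resolvers(nameservers: Iterable[str], expected: Iterable[str]) -> List[str]:
    """Addresses outside the allowlist; allowlist entries may be IPs or CIDR ranges."""
    nets = [ipaddress.ip_network(e, strict=False) for e in expected]
    bad = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:          # not an address at all: treat as suspicious
            bad.append(ns)
            continue
        if not any(addr in net for net in nets):
            bad.append(ns)
    return bad


def remote_login_enabled(systemsetup_output: str) -> bool:
    """Interpret `systemsetup -getremotelogin`, which prints 'Remote Login: On|Off'."""
    m = REMOTE_LOGIN_RE.search(systemsetup_output)
    if not m:
        raise ValueError(f"unrecognised systemsetup output: {systemsetup_output!r}")
    return m.group(1).lower() == "on"


def triage(scutil_output: str, systemsetup_output: str,
           expected: Iterable[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Findings worth a human look; an empty list means nothing unusual."""
    findings = []
    bad = unexpected_resolvers(parse_nameservers(scutil_output), expected)
    if bad:
        findings.append("resolver(s) outside the allowlist: " + ", ".join(bad))
    if remote_login_enabled(systemsetup_output):
        findings.append("Remote Login (sshd) is on; turn it off unless you need it")
    return findings


def triage_live(expected: Iterable[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Run the real commands (Mac OS X only; systemsetup needs root)."""
    dns = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    rl = subprocess.run(["systemsetup", "-getremotelogin"],
                        capture_output=True, text=True, check=True).stdout
    return triage(dns, rl, expected)


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCUTIL_DNS, SAMPLE_REMOTE_LOGIN_ON) or ["nothing unusual"]:
        print("-", finding)
```

A foreign resolver is only a symptom, so a hit from the first check means the box needs the rest of the clean-up (find what rewrote the setting and remove it), not just putting the old nameserver back.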

If/when further Mac OS X active malware is discovered I'll list it in my blog.

Friday, May 15, 2009

Proof Of Concept Trojan.OSX.Tored.A & Related Rants

Last month an e-mail-distributed proof of concept (aka nonfunctional) malware program was discovered for Mac OS X. A couple of different companies claim they 'discovered' it. It is being labeled as a 'worm' because it is able to replicate itself after infection. It does not qualify as a virus because it does not damage the host computer. However, it is actually a Trojan horse because it requires user error in order to be installed. Its worm behavior is therefore secondary and cannot be used in its name. Sorry. (;_;)

Rant: I'm a biologist who became addicted to Mac technology and works as a professional Mac technologist. So how come I, without a computer science degree, am able to distinguish a Trojan horse from a worm while professional computer security companies can't? I am thoroughly baffled. Was there perhaps one person who made the initial error and everyone followed along like good little sheep? Likely. It became evident eight years ago in the USA that sheep are the 'in' thing to be. Shameful. End of rant.

The best reports I found on Tored.A are over at Intego, F-Secure and CA. The lamest report is at Sophos, not worth linking.

An interesting short article about Tored.A was posted over at the HowStuffWorks blog. I wrote a reply to the article and tossed in some of my usual educational chatter. Here is a repost for your pleasure:

Here are some useful facts:

1) Symantec started the Anti-Mac security FUD campaign back in August 2005. In the intervening three and a half years Mac OS X has failed to be deluged in malware. There was no doom and gloom. The sky did not fall. Symantec continues to make the single worst anti-malware app for Mac. Figures.

2) There is a standard naming system for malware. This is how it works: First comes the type of malware. Tored-A is a Trojan horse. It is NOT a 'worm' until AFTER it has been installed by a computer user, which is of secondary importance. Therefore, the first part of its standard name is 'Trojan'. Second comes the name of the operating system on which it runs. In this case it is 'OSX'. Third comes the identifying 'name' of the malware. The discoverer in this case chose 'Tored'. Why is up to them. Last comes the 'strain' or version of the malware. The first discovered version is called A. Next is B, etc. Take note that despite this long published standard, anti-malware companies usually don't care. That's why there are often many names for exactly the same malware, resulting in needless chaos and confusion.

3) There never was any such thing as 'security by obscurity' for Mac OS X. The fact is that Mac OS X is incredibly harder to hack than Windows. That is why there are only Trojan Horses for Mac OS X. They require user error in order to break into a Mac. There are no viruses, worms or illegal spyware/adware for Mac OS X for that reason.

Responding to the article:
"Many accounts say that the MacOS is naturally more secure than Windows."

Accounts have nothing to do with it. Mac OS X = UNIX = consistently proven to be the safest operating system commercially available. Its rivals are the Open Source operating systems FreeBSD and OpenBSD, both of which are integrated into Apple's CLI version of UNIX called 'Darwin OS', the basis of Mac OS X. That being said, UNIX / Mac OS X is NOT perfect. Security flaws are frequently being patched. Never at any time was there any myth that Mac OS X was not 'mortal'. If you want hacker heroes, applaud Dr. Charlie Miller and Dino Dai Zovi, the most revered of those who have proven how to break into a Mac (with user error required). They wrote a book about it called "The Mac Hacker's Handbook" published March 2009.

The least secure Apple software is NOT Mac OS X. It is in fact QuickTime, which Apple write and provide for both Windows and Mac OS X.

Windows was never designed to be secure until Vista. And even then Microsoft significantly failed. Theoretically Windows 7, which is mainly a paid service pack for Vista, may repair this problem, but it has not been proven at this time.

The future: Watch for the Mac malware coming out of Red China. Few people know that China formally declared a "Technology War" against the USA several years ago. China has been successfully cracking into US federal computers since 1998 when they formed The Red Hacker Alliance. Note that this was the year China was provided "Most Favored Nation Status" by the US government. Despite being caught red-handed cracking government computers all over the planet, the USA still maintains this favored status. Conclusion: We are out of our minds. Enjoy the results.

Wednesday, May 13, 2009

May 12: Massive Mac Update Day

Macintosh updates on the second Tuesday of the month?!
Déjà vu, man. Is Apple syncing updates with Microsoft? Is this to make Enterprise IT folks happy? I strongly suspect so.

I prefer the ASAP approach. Waiting around for the second-Tuesday-of-the-month is a dim idea from my POV. Hmph. What happens in the Microsoft world is that hackers get geared up for THE DAY and pounce on all the announced security holes via new malware. This works very well because only a small percentage of people update their Microsoft software on THE DAY. This allows hackers a window of opportunity to get into user machines while the getting is good. Alternatively, the ASAP approach provides no expectation time for hackers. It also gets security patches out in the field immediately rather than waiting around for potentially weeks, during which time each security hole sits out there ripe for the hacking.

Therefore, I hope this second-Tuesday-of-the-month security update is merely coincidence. Sorry Enterprise IT folks! Having THE DAY each month for security patches may be convenient, but it is BAD security protocol. Security wins in this business.

Rules for System Update Preparation:

1) You know what I'm going to say: Make A Backup! Expect updates to go wrong. They often do.

2) Repair your boot system! It is amazing how many system updates go bad simply because the boot system was corrupt. What else would you expect? Boot from your system installation disk and run the repairs inside Disk Utility.

3) Repair your boot system permissions! Despite the myths, bad file permissions are also a prominent reason why system updates go bad. Again, what else would you expect? Note: You also need to repair your permissions AFTER the update. Adobe always leave behind a mess. Even Apple make slip ups! Apple left behind bad permission settings after Leopard Server Update 10.5.6! Expect it to happen. Use Disk Utility.

4) Don't forget to update! Keeping up with system updates is very important! Check this out:
An example of how few computer users actually apply updates: The Microsoft Windows security hole exploited by the Conficker worm was patched way back in October, 2008. And yet, the Conficker worm zombied an estimated 15 MILLION+ Windows boxes after Microsoft provided the patch. Incredible.
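The four rules above are a procedure, and a procedure is easier to follow every month if it is a script. The following is an added example, not code from the original post: it refuses to continue without a recent backup, verifies the boot volume, repairs permissions, reads what `softwareupdate -l` has pending, and (optionally) installs everything and repairs permissions again afterwards, in the order given above. Assumptions: the `diskutil` and `softwareupdate` commands are those of Mac OS X 10.5 (`diskutil repairPermissions` no longer exists on modern macOS); the `softwareupdate -l` sample is constructed to the 10.5-era layout; `BACKUP_MARKER` is a placeholder file that your backup job touches when it finishes.

```python
"""Pre-update checklist as a script (added example, not the post's code).

Assumed: Mac OS X 10.5-era diskutil/softwareupdate commands; the constructed
`softwareupdate -l` sample layout; BACKUP_MARKER is a placeholder path.
"""
import os
import re
import subprocess
import time
from dataclasses import dataclass
from typing import List

BACKUP_MARKER = "/Volumes/Backup/.last_backup"   # placeholder: touched when a backup completes
MAX_BACKUP_AGE_SECS = 24 * 3600

# Constructed sample of `softwareupdate -l` output: an id line, then a detail line.
SAMPLE_UPDATE_LIST = """\
Software Update Tool
Copyright 2002-2007 Apple

Software Update found the following new or updated software:
   * SecUpd2009-002Intel-1.0
\tSecurity Update 2009-002 (1.0), 165220K [recommended] [restart]
   * Safari323Leo-3.2.3
\tSafari (3.2.3), 40960K [recommended] [restart]
   * iTunesX-8.2
\tiTunes (8.2), 62464K [recommended]
"""

ENTRY_RE = re.compile(r"^\s*\*\s+(\S+)\s*$")
DETAIL_RE = re.compile(r"^\s*(?P<title>.+?),\s*(?P<size>\d+)K\s*(?P<flags>(?:\[\w+\]\s*)*)$")


@dataclass
class Update:
    identifier: str
    title: str
    size_kb: int
    recommended: bool
    restart: bool


def parse_update_list(text: str) -> List[Update]:
    """Turn `softwareupdate -l` output into Update records."""
    updates: List[Update] = []
    pending = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        d = DETAIL_RE.match(line)
        if pending and d:
            flags = d["flags"].lower()
            updates.append(Update(pending, d["title"].strip(), int(d["size"]),
                                  "[recommended]" in flags, "[restart]" in flags))
            pending = None
    return updates


def backup_is_fresh(marker_mtime: float, now: float, max_age: float = MAX_BACKUP_AGE_SECS) -> bool:
    """A backup counts as fresh if its marker was written within max_age seconds."""
    return 0 <= now - marker_mtime <= max_age


def run(cmd: List[str]) -> subprocess.CompletedProcess:
    print("+", " ".join(cmd))
    return subprocess.run(cmd, capture_output=True, text=True)


def preflight(install: bool = False) -> List[str]:
    """Run the checklist in the post's order (Mac OS X only); returns a log."""
    log = []
    # 1) Backup first; refuse to continue without a recent one.
    if not os.path.exists(BACKUP_MARKER) or \
            not backup_is_fresh(os.path.getmtime(BACKUP_MARKER), time.time()):
        raise SystemExit("no fresh backup found; make one before updating")
    log.append("backup ok")
    # 2) Verify the boot volume. A live verify is read-only; if it fails, boot
    #    from the install disc and repair in Disk Utility before going further.
    if run(["diskutil", "verifyVolume", "/"]).returncode != 0:
        raise SystemExit("boot volume failed verification; repair it from the install disc first")
    log.append("boot volume verified")
    # 3) Repair permissions before the update.
    run(["diskutil", "repairPermissions", "/"])
    log.append("permissions repaired")
    # 4) See what is pending; optionally install everything, then repair again.
    updates = parse_update_list(run(["softwareupdate", "-l"]).stdout)
    log.append(f"{len(updates)} update(s) pending, {sum(u.restart for u in updates)} need a restart")
    if install and updates:
        run(["softwareupdate", "-i", "-a"])
        run(["diskutil", "repairPermissions", "/"])
        log.append("updates installed; permissions repaired again")
    return log


if __name__ == "__main__":
    for u in parse_update_list(SAMPLE_UPDATE_LIST):
        print(f"{u.identifier:26} {u.size_kb:>8}K restart={u.restart}")
```

Knowing up front how many of the pending updates need a restart is the point of parsing the list rather than just running the installer: it tells you whether this is a between-meetings job or an end-of-day one.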

The Update List:

Your Mac's Software Update app will tell you what updates are necessary for your particular setup. The list of updates from 5/12 is long. All the links below are for each update's general description and download page. Each page has a further link to its detailed information page. If you would like to go directly to the security improvements list for each update, please go HERE.

Safari v3.2.3 for Windows, 19.69 MB

Safari v3.2.3 for Tiger, 26.29 MB

Safari v3.2.3 for Leopard, 40 MB

Safari v4.0 Public Beta Security Update for Tiger, Leopard, Windows XP and Windows Vista

Security Update 2009-002 for Tiger PPC, 75 MB

Security Update 2009-002 for Tiger Intel, 165 MB

Security Update 2009-002 for Tiger Server PPC, 130 MB

Security Update 2009-002 for Tiger and Leopard Server, Universal, 203 MB

Mac OS X Combo Update 10.5.7 Leopard, including 2009-002, 729 MB

Mac OS X Server Combo Update 10.5.7 Leopard, including 2009-002, 951 MB

Mac OS X Update 10.5.7 Leopard, including 2009-002, 442 MB

Mac OS X Server Update 10.5.7 Leopard, including 2009-002, 452 MB

Coming up will be my summary and analysis of the security improvements provided by these updates.