Harden your Mac against malware attacks

Version 63
Last Modified: Apr 25, 2012 2:59 PM

Hello and welcome to my User Tip



We have all heard about exploits targeting Macs, so here is how to go about hardening your Mac, and yourself, against these attacks.



10.5 and earlier users


Apple is no longer fixing security issues or providing OS X updates for these versions. If infected, back up, erase, and reinstall or restore.


Since Apple is the source for Java on these versions and no longer updates it, remove it or disable it permanently. Also watch out for Flash; it might no longer get any updates. Use Firefox as your web browser, since it is still receiving updates.


I don't advise users of 10.5 or earlier to engage in online banking transactions, or any other online activity, involving sums they are not willing to lose.


Since Apple is no longer making the kind of changes to 10.5 and earlier that it does for 10.6 and later, you may want to consider a stricter, commercial, root-level-installed anti-malware solution that is more locked down in its approach.


You might also want to consider bootable clones and Deep Freeze as well, so that a simple reboot returns the machine to its clean OS X state. Deep Freeze can create thawed zones for user files on external drives.



If you're considering upgrading your OS X version, I advise nearly all 10.5-era machines to upgrade to 10.6.3 via the retail disk, sold only online (search Apple for "Snow Leopard").


Then, once you have backed up your files off the machine and upgraded, use the Apple menu > Software Update to reach 10.6.8 and stay there. Forget iCloud and any other bait Apple offers to get you to upgrade to 10.7 Lion; that is more for people whose machines originally came with 10.6 than for those whose hardware came with 10.4 or 10.5.


10.6 will run a lot of your presently installed 10.5 software using Rosetta, perhaps with an update. 10.7 will not run a lot of it, as it has no Rosetta, and some software isn't ready for, or is no longer available for, 10.7.




10.7 is a radical change and a serious "bag of hurt" on older hardware and with 10.5 software. My advice, if your machine originally came with 10.4 or 10.5, is to stay put on 10.6.8, as it's a LOT faster than 10.7 with its RAM hunger (4GB preferred). Know that your 10.4/10.5-era Mac is likely at its end-of-life stage (4-5+ years old), and prepare yourself to buy the soon-to-be-released 10.8 Mt. Lion on new hardware after this summer. That way you get the free three months of Apple hand-holding in dealing with the new OS version changes.


A LOT of third-party software based on PowerPC code (using 10.6's Rosetta) had to get a rewrite for 10.7. Some of it, like Photoshop CS6, will be coming out this summer and will run on both 10.7 and 10.8, as both are 64-bit operating systems, so only a little tweaking is necessary to get 10.7 programs to run on 10.8.


So basically, if you're going to be spending huge sums of money on software upgrades, IMO wait for 10.8 and new hardware rather than upgrade now and go through all that pain and suffering.




10.6 and later users


Run Software Update until it reports nothing further, and disable Java (not JavaScript) in all your browsers' preferences. This will remove the malware.


Apple has the Flashback problem under control (notice any Safari-type issues, fake plug-ins, etc.?). Read on for hardening and preventing future attacks.






No computer or device is 100% secure, even Macs (especially ones not running one of the latest two OS X versions in circulation), but they are a bit more secure than Windows machines, depending upon usage. There is malware targeting Macs, mainly drive-bys and Trojans, so take some precautions in that regard.



As with gambling, do not deal online with amounts you're not willing to risk losing.


Your bank will NOT issue a refund if a loss occurs; what happens on your machine is outside their responsibility. As far as they know, you transferred all your money to another bank and then withdrew it all, or worse, they can claim you had an accomplice! So you can see their position on why they don't issue refunds: they would be scammed by many, and often.


It's rather easy to set up a secure savings account holding the more substantial funds and use a more accessible online/checking/debit account with less in it, transferring some from one to the other occasionally (but not via online banking, of course), with either no or very limited overdraft protection, keeping only what you are willing to lose in the less secure accounts that are exposed to the world.


Entire bank accounts have been drained by hackers, the money wired overseas and withdrawn before the thieves are caught or anyone even knows it occurred. If the hack occurs on your machine, there is little recourse; the government is swamped, you may get little or nothing back, and you will certainly be without it for quite some time. Is that really worth risking for the convenience of online banking?


Take some precautions: separate your funds, increase the security and reduce the access for the higher amounts, and only gamble online with what you're willing to risk losing.


Don't completely buy into the banks' online banking game; they love pushing it because it reduces their costs, at your expense.





Hardening your Mac and yourself to prevent future attacks


It's important to harden your Mac, especially for those who can't upgrade their OS X operating system to one of the last two OS X versions in circulation, as those are the only two currently supported by Apple.


In the military there is a form of security called "compartmentalized security". Basically, it's about not allowing anything to have access to everything, but rather placing more barriers, "hoops" and security checks in the way before an attacker reaches its goal, especially something of great value.


This method also reduces the attack surface when surfing the web, sort of like channeling your enemy so it has no choice but to attack through one door or a limited opening: only through the browser, instead of the browser plus Java, JavaScript, QuickTime, Flash, Silverlight, etc.


It assumes, as it should, that the web is a hostile zone and that you extend no trust until you have established it, and only then lower your defenses.


Unfortunately, most web browsers and users today go around assuming the web is a warm, safe, happy place where one can click on and do anything.


"la la de da, I have a Mac and nothing can hurt me, because Macs never get viruses"


Don't think like that any longer. Macs have been attacked, not as frequently or as easily as Windows, and mainly not by viruses, but through other means.


Nothing gives hackers more pleasure (and more of a challenge) than beating cocky Mac users and rooting their machines en masse, as has occurred with the Flashback botnet and other Mac-based botnets in the past.




So a little explanation of what is what is in order.



Browser attacks


These depend upon a flaw in the web browser itself, which may or may not involve the assistance of scripts or plug-ins installed in the web browser.


Keep your web browsers updated by running the built-in updater, via the developer's site, or, for Safari, via Software Update under the Apple menu.


Obviously, don't surf to websites that are likely to attack your browser, even if no exploits have been reported for them, for the simple fact that many are NOT reported.


If you're going to engage in this sort of risky behavior, visiting hostile sites, use a virtual machine guest OS, the "Guest" account or another General User account, or even another computer that you don't care about wiping and reinstalling the operating system on, and certainly don't install anything with your admin password from these potentially hostile sites.


Have more than one browser on your machine. This way you can switch to another until an update for your primary one arrives, or in case you have problems with Safari and Apple's website download version isn't updated yet.


Your alternate browser choices are Firefox (highly customizable, lots of add-ons), Chrome (more secure, but from an advertising company that tracks you online), Opera and some others.




Script & plug-in based attacks


Web browsers use JavaScript, Java, Flash, Silverlight, QuickTime and many others to do things in your browser. You need to keep the ones you control updated.


If you're not using any of these scripts on a constant basis, turn them off in your browser's preferences.


It's highly advised to turn off Java (not JavaScript) in all your browsers' preferences (if it's installed) unless you specifically need it, and then only use it on trusted sites.


Flash (lots of security issues) and Silverlight (kept secret) depend upon your use; read about NoScript below.


JavaScript is used quite often, so you should leave that one on.


This handy online checker will inform you of outdated scripts, especially Flash and Silverlight, which are the most commonly used ones that have to be maintained by the user.





Direct links to trusted source downloads:


Bookmark these links in your browser



Flash - no matter what pops up in your browser, download and install only from here.


Lots of websites have Flash content.




Silverlight - no matter what pops up in your browser, download and install only from here; used for Netflix.





Perian - provides extra codecs for QuickTime; optional install.





Flip4Mac - allows playback of copy-protected Windows Media files on Macs; optional install.




Java, JavaScript and QuickTime


For these, just run Software Update under the Apple menu. Apple will take care of them, provided you're on 10.6 or later.


Java should be disabled or removed on 10.5 and earlier machines if no update is available.




Virus attacks


Viruses are malware that attach themselves to known files and are shared among users unawares.


So far there haven't been any Mac-based viruses in a long, long time.


So I don't yet see the need to install always-on, CPU-hogging, potentially conflicting software like always-on anti-virus for Macs, which breaks when Apple issues a Software Update that changes something in OS X 10.6+.


But it is now appearing likely, especially given Apple's inattention to providing OS X updates for older OS X versions still in major circulation, that one may soon have to employ an always-on, commercial anti-malware product with more of a "lock down" approach for 10.5 and earlier versions.


Currently the only anti-virus software I have found that hasn't caused any conflict with OS X 10.6+ is the free ClamXav, likely because it's run as you need it, not an always-on, "load at boot time" sort of anti-virus like many of the others.


A Mac can act like a Typhoid Mary and pass Windows viruses on to Windows users via shared files, so it would be good to clean these using the free ClamXav, which you run as you need to.


Malware has the opportunity to get around before anyone knows about it. The reason Windows machines still get infected despite having anti-malware installed is that the anti-malware is looking for the signatures, definitions or behavior of what it's supposed to find. Since there aren't any yet for new exploits, the malware gets on and disables the anti-virus, or worse, uses it to keep other malware off and trick the user into thinking they have a clean machine.


The user experiences heavy CPU load, assumes it's the anti-virus, and doesn't even consider that malware is on their machine. So almost all anti-virus / anti-malware software is sort of like closing the barn door after the horse has already escaped, though it can help stop the spread of malware eventually.


Malware writers use the same anti-virus software to "test" whether their malware gets past it, and they have the ability to spread their malware far and wide before anyone picks up that there is a problem. So you can see why it's important to employ a strong defense in one's behavior and machine to reduce the chance of malware getting on.


The best defense against malware is a secure operating system and secure third-party software; so far the Unix/Linux-based operating systems, like the OS X you're using, have been more secure.


Windows 7 has done a much better job of catching up compared to previous Windows versions, where malware outbreaks were an almost weekly occurrence, but it's still not nearly as good as OS X, although no operating system or browser is 100% perfect.


The malware problem on Macs has mainly come not from viruses but from exploits in third-party browser plug-ins, drive-by attacks, social exploits and Trojans.



Trojan attacks


Trojans are programs or files you think are one thing that turn out to be another, or that do what they say but have sinister portions; you need to trust the source of your downloads. Check with many others about the developer, the site you're downloading from, etc., before committing.


Usually it's installing stuff from untrustworthy sources, such as links in thread posts where there isn't a trustworthy site admin, P2P networks, or other means like e-mail attachments, files and links, avenues where it's hard to locate the person(s) responsible.


Apple has incorporated a Trojan check for all downloads, but again, like anti-virus on Windows, it suffers from the time delay with new ones.


A good rule of thumb is to wait and watch a site you're thinking of downloading software from; usually if they are out to screw people over, they won't be up for long, or they will get bad reviews.


If you get a lot of files via e-mail, you may want to consider installing the free ClamXav to clean out the filth, though most of it will be aimed at Windows.



Social exploits, tricking the user attacks


If you're asked for your password or to do something like install this or that "codec to watch this movie" or "update your Flash here", or a Software Update window appears, or an "OS X has found a virus" window appears while a web browser is open, consider not going ahead; rather, exit the browser and reboot the computer to clear the memory.


Check the status of your plug-ins using the trusted Mozilla check or the links above, or from a site you know is the developer's site, and run Software Update from the Apple menu. You might find out that you were lied to, and that the site you were on was trying to trick you into giving up your password.


Don't believe everything that pops up to notify you of something when surfing. I know Flash and Software Update do this, so don't click on it or give it your password; Force Quit the browser by switching to the Finder and using the Apple menu, reboot the computer, and then check Software Update and Flash for updates yourself with the links I've provided above.


Browser scripts have the ability to mimic OS X-looking windows and those of other programs, like the Flash updater.


Browser- and script-based exploits have the ability to access the user's files and upload them online. So if you have a plain file containing password reminders or private information, consider using a small third-party program to encrypt files or folders, an encrypted USB key, Keychain Access, etc.



Driveby attacks


Drive-by attacks occur simply by visiting a website, which then takes advantage of a vulnerability in a browser or plug-in; no tricking of the user is needed. This is how Flashback first attacked, silent and deadly, using your third-party plug-ins, in this case Java. Since Java isn't used much at all online, I suggest you turn it off.


The Firefox + NoScript method below will reduce your browser/script exploit exposure as you surf the web, since you enable scripts only on sites you trust.



Driveby downloads


A website can initiate a download simply by being visited, so say you're surfing a trusted site and get redirected really fast to another site, or click a trick link you think is something else but is actually a download link.


A download occurs (especially on a fast connection with a small file), and there is a nice, neat little package of pain awaiting your click in the Downloads folder. It could be named something you're used to installing, like Flash or Java, and there you go giving it your admin password to install, directly into root, and you're pwned.


Well, to stop this, don't use a browser that doesn't give you the option to be informed before the download occurs. Firefox does, if its preferences are set that way.


Next, keep your Downloads folder clean and don't use it to store things or installers; move the trusted installer packages to a new folder somewhere else. When you go to download something, make sure the Downloads folder is empty first.




Consider running as "General User"


There are four user permission levels on Macs: Root, Admin, General and Guest.



Root Level User


This is the most dangerous user; it, or anything running as it, can do anything on the machine, and it's disabled for a very good reason. Programmers work as root all the time (and mostly offline) as they prepare code, so for them having to enter an Admin password each time to gain root is a pain.


Single User mode is root, and is used as a troubleshooting and problem-solving means when the computer isn't functioning normally.


Running as the root user all the time is suicide for most anyone else.



Admin Level User


When a Mac user first sets up a machine, that account is called an Admin account. Most single users of the machine keep it this way, either unawares or to make doing things with the machine easier: installing programs and having Software Update run automatically.


Running all the time as "Admin" is a bit dangerous, as anything that gets in via the web browser or anything else has a lot of freedom to move around and wait to attack at the opportune time, or even alter other programs.


However, to gain root level it must ask for the Admin password, trick the user, or alter another program to use a "sudo window" (super user do, aka "root"), which gives it a few minutes to do whatever it wants to your machine. Once in root, it's all over.


If you're an Admin-level user and something asks for your Admin password, it means it needs root user powers, so if this occurs while surfing, with a fake pop-up window looking like Software Update, you can see how easily a user can be tricked (that's how one of the Flashback attacks works).


If malware attacks while you're in the Admin user, even without needing your Admin password, the cleanup efforts will likely still require a complete erase of the entire OS X with a "fresh install" of everything and returning vetted user files from a clean backup.


So essentially, Admin and root users require the same cleanup efforts if something gets on the machine unawares.



General Level User


The next level down is General User. This restricts some things one can do (and thus malware) unless one enters the Admin name and password to effect change outside the General User account.


Use the General User all the time in your daily use of the machine as a form of protection, restricting whatever gets onto one's machine unawares to the lesser privileges and permissions of only the General User account.


One would have to consciously give further permission to the malware, so it reduces the potential for behind-the-scenes malware to gain further access to programs or OS X, and forces the hidden malware to announce itself or try to deceive the user via a social exploit or Trojan to do so.


If one suspects an attack occurred, one can reboot the machine, log into the Admin user, delete the General User account, reboot, and recreate it, then restore clean copies of files from backup.


To convert your present Admin-level user account to a General User, simply head to System Preferences, create a new Admin account (with a different password, obviously), and then log out and into this new Admin user. Head to System Preferences there and change the first Admin account to General User, then log out and into the General User and use that.


When one needs to do more things that aren't allowed in General User, like trashing or installing a program, a window will appear to ask for your Admin name and password, just to make sure it's you making the change.


Run Software Update manually once in a while, as it doesn't run automatically in General User. One must have at least one Admin user account on the machine; it's also beneficial to have another (admin) account on the machine for data recovery purposes, in case one can't log into their General User account.
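Before demoting your everyday account as described above, it helps to check which accounts are actually administrators and that at least one other Admin account will remain. The script below is an added example (not part of this tip or of OS X); it assumes the admin group's membership line as printed by `dscl . -read /Groups/admin GroupMembership`, and uses constructed sample lines so the parsing can be tried on any POSIX system.

```shell
#!/bin/sh
# Added example: audit admin group membership before converting an
# Admin account to a General (standard) user.
# On macOS, `dscl . -read /Groups/admin GroupMembership` prints a line like
#   GroupMembership: root alice
# The functions below take that line as an argument, so they can be
# exercised with constructed samples on systems without dscl.

# Print the admin account names, one per line, from a GroupMembership line.
admin_members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership:[[:space:]]*//' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 if user $2 appears in the GroupMembership line $1.
user_is_admin() {
    admin_members "$1" | grep -qx -- "$2"
}

# Count admin accounts other than root and other than user $2.
# The tip says at least one Admin account must remain on the machine, so
# demoting a user is only safe when this count is at least 1.
other_admins() {
    admin_members "$1" | grep -vx -- 'root' | grep -vx -- "$2" \
        | wc -l | tr -d ' '
}

# Report, in words, whether user $2 can safely be changed to General User.
demotion_advice() {
    line=$1; user=$2
    if ! user_is_admin "$line" "$user"; then
        echo "$user is already a General (standard) user"
    elif [ "$(other_admins "$line" "$user")" -ge 1 ]; then
        echo "$user can be changed to General User: another admin account exists"
    else
        echo "create a second Admin account first, then change $user to General User"
    fi
}

# Constructed sample lines (not taken from a real machine).
SAMPLE_ONE_ADMIN='GroupMembership: root alice'
SAMPLE_TWO_ADMINS='GroupMembership: root alice backupadmin'

if [ "$(uname)" = Darwin ]; then
    # On a Mac: read the live group membership for the logged-in user.
    demotion_advice "$(dscl . -read /Groups/admin GroupMembership)" "$(id -un)"
else
    demotion_advice "$SAMPLE_ONE_ADMIN" alice
    demotion_advice "$SAMPLE_TWO_ADMINS" alice
fi
```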



Guest Level User


This is a temporary user account for letting someone use your machine for a short period, with nothing saved when they log out. It has no access to anything, and nothing is saved.



Getting at your files may be the objective of the malware


Sometimes malware is after your personal information, which, if it is in the account you're accessing the Internet with and an exploit occurs, is theirs for the taking. Law enforcement types have been known to lure criminals to rigged websites which then use a browser or other exploit to read/upload personal files; since the law can do this, it stands to reason that so can the bad guys.


FileVault likely won't help much if the malware already has access to your account or even root; your browser certainly has read/write access to your account, FileVault or not.


Enabling FileVault is not exactly so private. It's more for the case where you lose your machine and the bad guys then can't get your data; that's about it. Because if you need your machine repaired, you have to give Apple etc. the password to fix your machine. Also, law enforcement types will demand the password, along with Customs searches, court orders, etc.


FileVault makes it hard to retrieve files or fix software on the machine in an indirect manner, like if OS X isn't booting for some reason. If you enable FileVault, make sure you maintain unencrypted backups someplace with physical security (like a safe), lest you forget the password or another issue arises.


Given that your machine may die at any moment and need repair, you might want to consider having a self-encrypting external drive or USB key (like an IronKey) to store personal data on, kept off the machine at all times, so you can take it to any machine or program that can read the files. Hardware-based encryption is more secure than software-based, which can be changed by malware.


You might want to consider less confining and more tailored alternatives.





Consider using Firefox web browser + NoScript


Safari is a good browser: it's fast, and it's designed, like almost all other browsers, to be easy for users, as it must cater to all user experience levels.


So because of this, all browsers allow all third-party scripts to run continuously, giving malware writers more of an attack surface to get into your machine if they find an exploit. (Update: the new Safari version disables Java applets after a time.)


So I'm recommending a method that doesn't run the scripts all the time, until you first decide whether you trust the website you're visiting; then you can grant that trust to that website, either temporarily (ideal) or permanently.


Firefox has the NoScript add-on, which is only available for that browser, and I haven't found anything even close to it on any other browser.


Use Firefox's Customize Toolbar option to drag the "Temporarily Allow All" NoScript button to the toolbar. That's all you need to do to get started; no need to mess with the finer controls.




NoScript is hands-down the best "web cop" on the Internet and will protect you against web-side trickery and attacks. Instead of all the web browser scripts running all the time, taking your chances as you visit various websites, the scripts are turned off by default and only enabled as you need them. Once you trust the site and it requires scripts, click the Temp button and the page reloads with the scripts on.


You'll be surprised how little you'll have to click it, and soon it will become second nature.


If you visit a site often and trust it completely, you can whitelist it in NoScript too. You can also have NoScript allow scripts for all your bookmarks.


This way, if you're surfing and get a "redirect" to a hostile site, which can occur in a matter of milliseconds, your scripts are turned off by default, reducing the attack possibilities to only the browser, instead of any of the scripts running in the browser, which can be many.


If one had the NoScript method enabled and came across a MacDefender or Flashback malware attack, they likely went by unscathed and unaware that an attempt was even made.


I recommend you clean out your NoScript "whitelist" once in a while and start over with a new one.


Also enable the "Show downloads window" in Firefox preferences to alert you to unauthorized or accidental downloads; it gives a window and a button to proceed or cancel before starting, rather than automatically downloading any link a user clicks, like some other browsers do.


Consider installing the WOT add-on for Firefox (Web of Trust), which flags each link with the trustworthiness ratings and opinions of other users around the web; this way, before you click a link, it will tell you the status of that site.


I also advise using Ad Block Plus and only enabling it on sites you trust, because advertising is fetched from sites other than the one you're viewing, so it provides a nice attack angle for malware to get onto many sites. Usually quality sites will retain quality advertisers, and poor-quality sites with low character will care less about whether their advertisements are infecting users' computers.


All browsers, even Chrome, have fallen in the last Pwn2Own and other annual contests. Browsers communicate their operating system version to websites, so it's not as if Apple isn't being represented online if you decide to use Firefox or Chrome instead.


Firefox has a higher degree of browser customization and more security options, making one's appearance online different from the norm of "Safari + all add-ons enabled", which makes it a less inviting target, as there are fewer avenues to attack.




Consider installing LittleSnitch (advanced)


LittleSnitch is a payware outbound firewall that loads at boot time as root (a kernel extension file, or kext) and watches for outgoing network traffic. It's useful because it pops up a quick window alerting you to outbound network traffic. If a program that hasn't already been cleared with you attempts to contact the network or Internet, or uses a different port than you initially allowed, LS will stop that from occurring until you give it the clear and set the access.


Most web traffic occurs on port 80; however, sometimes you load a video or a game into the browser and it can open another port. LS will flag this to make sure it's OK before allowing it out, as it could be malware.


If the malware uses the browser and port 80, then there isn't much LS can do, obviously, as it can't determine whether the outbound traffic is malicious or not. But it adds another level of defense, as it confines browser-based malware to hiding itself on port 80, hijacking or using another process or program that already has access to another port, or gaining root access to disable LittleSnitch itself. To gain root access, it would have to trick the user into giving up their Admin password.


Modern computers have a whopping 65,535 ports, which gives lots of places to hide and communicate with the world without your knowledge. A remote port scan of all 65,535 ports to see if any are responding would take a very long time and would have to be run frequently.


Only a small fraction of these 65,535 ports are used for legitimate purposes. LS is configured by default to match OS X and allow those out (or your computer would act unstable), so LS watches everything else for any unusual behavior.
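The idea of allowing a small set of expected ports and flagging everything else can be checked by hand as well. The script below is an added example (not from this tip and not part of LittleSnitch): it reads `netstat -an -p tcp` style lines, the allow-list of ports and the sample connection table are constructed assumptions, and it reports established connections whose remote port is not on the list.

```shell
#!/bin/sh
# Added example: one-shot audit of established TCP connections against a
# short list of ports you expect your Mac to talk out on. LittleSnitch does
# this continuously and per application; this script only shows the idea.
# On macOS, `netstat -an -p tcp` prints lines like (constructed sample):
#   tcp4  0  0  192.168.1.20.49876  93.184.216.34.443  ESTABLISHED
# where the last dotted component of the foreign address is the port.

# Ports this example treats as expected for ordinary web use (assumption).
ALLOWED_PORTS="80 443 993 5223"

# Exit 0 if port $1 is in the allow-list.
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read netstat lines on stdin; print "host port" for every ESTABLISHED
# TCP connection whose remote port is not on the allow-list.
flag_unexpected_outbound() {
    while read -r proto recvq sendq laddr foreign state; do
        [ "$state" = ESTABLISHED ] || continue
        case "$proto" in tcp*) ;; *) continue ;; esac
        port=${foreign##*.}
        host=${foreign%.*}
        port_allowed "$port" || echo "$host $port"
    done
}

# Constructed sample table, not captured from a real machine.
SAMPLE='tcp4       0      0  192.168.1.20.49876     93.184.216.34.443      ESTABLISHED
tcp4       0      0  192.168.1.20.49880     203.0.113.7.6667       ESTABLISHED
tcp4       0      0  192.168.1.20.49881     198.51.100.9.80        TIME_WAIT
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.20.49890     203.0.113.8.8443       ESTABLISHED'

# Audit the live connection table on a Mac, or the sample elsewhere.
audit_connections() {
    if [ "$(uname)" = Darwin ]; then
        netstat -an -p tcp | flag_unexpected_outbound
    else
        printf '%s\n' "$SAMPLE" | flag_unexpected_outbound
    fi
}

audit_connections
```

Anything it prints deserves a look at which process owns the connection (for example with `lsof -i`), since a flagged port is only a hint, not proof of malware.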


BTW, the Flashback malware deleted itself if it saw LittleSnitch. I'm not saying all malware will do this, but it didn't want LS to alert to its presence on the machine, or to alert those curious enough to inform others of unusual behavior.



Deep Freeze  (advanced, restrictive)


Deep Freeze is payware software that does just that: it "deep freezes" your boot drive, so when you reboot it returns everything to the way it was before the freeze occurred. There can be "thawed zones" for user files, so those are allowed to change, but everything else can be frozen, thus no change to the boot drive is permanent. Apple uses this software in its stores, where people fiddle around all day, and then a shutdown at night and a reboot in the morning put things right back where they want them.


One can use this type of software as part of a defense, to protect kids' computers, etc. However, like anything, once the malware has the admin password it can gain root and do whatever it likes. Also, since malware can run on the machine in the meanwhile, or in a "thawed zone", it can certainly do a lot of damage despite not getting root: grabbing or encrypting files (ransomware), gleaning other data, etc., while it has control. Anyway, it's something to consider; perhaps a whole machine frozen with user files stored on an external drive instead would work well with this type of software.


I advise this sort of defense tactic for Macs with operating system versions Apple no longer supports (10.5 and earlier), and for common-area use where a lot of people access the machines, making it difficult to track down who is responsible for unauthorized changes to them.



Backup and prepare for the worst  (everyone)


Everything can be replaced except your unique user files. Keep at least two copies of these on separate hardware in easily accessible formats (in addition to Time Machine and bootable clones), so you can take your files to any machine, Mac or PC, and go on with your life.


My view in regards to malware, since it can take a long time to discover, is to have archived bootable clone(s) and DVDs/CDs of your files, dated so you can go back to before the malware started making the rounds. Your computer, operating system and programs can all be replaced, but not your personal files, so take the time to burn files to DVDs as an archive; you may need to use them someday.


Something learned about the Conficker malware on Windows: the thing "hopped" to any rewritable media, USB flash drives, hard drives, you name it, so it made eradication most difficult. Only DVD archives of files, programs and the operating system burned before the infection started were considered safe.


Time Machine used as intended isn't going to protect one against a malware attack, as it's connected too often. Having a couple of archived clones of one's boot drive pre-dating the attack will, provided that before the restore occurs, the entire malware-infected target drive (OS X, Recovery, partition map, EFI, etc.) is zero-erased from a non-writable boot DVD first, or all rewritable media is simply replaced with new ones, which in some Macs can't be done by the user without violating their AppleCare/warranty.


Given that DVDs and CDs are sort of on their way out, with 10.7 there are no boot disks, and some Macs have no optical drives, one must plan ahead for malware of the Conficker magnitude affecting OS X with an eradication method that can ensure a complete erasure or replacement of a target machine's storage drive.





Secure your WiFi and privacy


Some good advice I have to share here






If this User Tip has benefited you, take a second to rate it down below.


Thank You