Defense: Malware targeting Mac's

Shmoo group has ported OSIRIS on Mac Os X, which is the standard now for computer forensic. Now if we really want to start talking about security, than probably we also have to know first what's the protocol to respond to an incident.

One of the steps, when studying a malware impact, is to collect data. Which is usually done with a tool like Osiris installed on a "fresh" system that will be infected on purpose for the analysis of its behavior.

That is probably just one of reason why the Shmoo Group is relevant about this matter.

Computer forensic is a science, and as any science has its tools and procedures. I didn't find any of this on those links to Mr Reeds website. With all my respect for him as a person and for his efforts on giving the Mac community some sort of support he just describes the process of the mac getting infected and the processes that runs after that. He never checked if any system file was modified, which is something you do using a tool like Osiris.

Moreover, the procedure I described you at first is the correct one to collect data and analyze the behavior of a malware. So he has to do that starting with a fresh factory install, exactly what ds store is trying to say.

@Thoma A. Reed: about the very basic suggestion of not using an Administrator user on a daily basis, probably you can find quite interesting that Apple is suggesting that itself, as stated on this official documentabout installing and config SL secure.

As others have already said, I never suggested that one should use an admin account day-to-day. What I said was that, if one is dependent on certain applications (cough Adobe cough), then one may be forced to, whether or not that is a good idea. Saying that those applications are improperly coded is absolutely correct while at the same time absolutely irrelevant to those who must use them.

Figure out that there's people who keep saying there aren't known malware on Mac Os X nowadays still.

Nobody I know says that. People say there are no viruses, which is completely and totally true. Certainly this has no bearing on the current discussion, so I wonder why you bring it up here.

are you trying to say that an user on this board that played a bit with one malware has more knowledge about security than the founders of "The Shmoo Group"?

I find your dismissive comments extremely offensive. I do not claim to be a security expert. I am good at explaining technical concepts to non-technical people, and I do have some good knowledge about Mac-specific malware. If you wish to dismiss the knowledge I have in favor of people whose focus is not even remotely the Macintosh, you are welcome to do so. But to disparage me in public like this with such lack of justification shames you, not me.

To respond to one point you brought up:

He never checked if any system file was modified

Clearly you did not bother reading enough of my blog to see that I compared an infected system with a pre-infected clone of that system, file-by-file.

Clearly you haven't read what I wrote. There was no intent on offend you, I beg your pardon if you feel so. I do respect your intents, but your job is far away from what security experts would do.

For example it would be interesting if you can describe us how did you compared an infected system with a pre-infected system. Moreover you've done that without knowing if the malware would spread out on the network or not. I think in your approach you are just assuming to many things and not using the right tools as an expert would do in this kind of analysis (using a tool like Osiris).

My conclusion is that it harms more to rely on this sort of self-made method than actually follow wise directions as the ones gave by ds store (factory re-install), even though I appreciate your efforts.

That said I don't think we had nothing more say each other, except that I suggest you to get some good books about computer forensic if you're seriously interested on this matter.

PS Adobe products like Photoshop CS4 doesn't need anymore to be run by an administrator user.

For example it would be interesting if you can describe us how did you compared an infected system with a pre-infected system.

That information has already been published on my blog. If you wish to learn my methods, rather than dismissing them without having all the information, then you may read it here:

Further analysis of MacProtector

Perhaps my methods will not satisfy you, but if you can find a Mac security expert who is willing to share the level of information I have, I would love to have his/her name.

Moreover you've done that without knowing if the malware would spread out on the network or not.

I have already documented in my analysis the fact that I was using Little Snitch to watch network connections, and that I have also captured and posted all the packets sent to and from the malicious server the malware was communicating with.

I think in your approach you are just assuming to many things

Your previous statements prove it's not me who is assuming too much.

@Thomas Reed: I have already answered to you about your analysis and why I found it not comparable to an expert. You want to keep playing this game? Ok I just hope they will not lock down the thread.

You have used Little Snitch as a firewall to determine the network behavior? Well excuse me but a firewall on application layer is not the right tool to do that.

In fact (even if this could be the case for this particular malware) if a malware would modify a previously allowed process than it will not get caught.

The right approach would be, for example, to close any connection via ipfw firewall (which resides on a lower layer than an application firewall) and log it.

Another one is to let just some basic network processes sniffing the packets to understand if there's any anomaly. But the very first thing to do is to check if the system was changed by the malware, and that is done via a tool like Osiris (which basically would do a checksum comparsion, but of course it has way more power than just that).

Excuse me but you can read all about this science on some books about computer forensic as I did, than probably you will get my point.

Still, I'm not saying your job is totally crap, you are awesome for what you've done, ok?

But it's not professional and it doesn't follow a procedure and uses the standards tools to do that.

To make an example: I'm able to cook a comestible meal, that doesn't make me a chef of the "cordon bleu". I'm able to shoot an appealing photograph, that doesn't make me a professional photographer.

I'm sorry if I hurt your feelings, it wasn't my intention at all, but do you seriously think that Little Snitch is a professional tool for computer forensic?!

BTW a good starting point for you is to read this document made by a programmer that designed another Host Integrity Monitor called Shamian. After reading this you will probably understand why I've found ds store's point of view much more adherent to the right approach at getting rid of a malware.

I've been following all the threads regarding the trojan/malware for obvious reasons and I must say, I've had about enough of the personal attacks in this one.

These are user to user forums. We try to provide the best answer we know of. We are not forensic professionals (or maybe some of us actually are - who knows).

Your posts are getting dangerously close to and/or already have crossed the threshold of violating the ToU - you did read those, correct? Please refrain from attacking our volunteers who spend their Sunday trying to help others. If you are so good at what you claim to be able to do, simply set up a website with instructions including professional forensics of course and publish a link, or, better yet, instead of arguing, simply post your professional instructions here.

As you can see I've posted a plethora of useful informations about computer forensic.

I never claimed to be anything, can you say the same for others involved in this conversation?

Neither I'm linking any document that has not been written either by Apple Inc. or a professional computer forensic expert. Can you say the same for others involved on this topic?

I would like also you to define "personal attacks", please can you quote what you think is a "personal attack" that I've made?

I'll not fall for your trying to draw me into a useless argument. And I'm not about to waste my time - I don't have to prove anything to you.

I've made my point and I'm done with this thread.

I don't see a "plethora" of useful information.

Most of what you have been doing amounts to little more than some name dropping, with the names of several computer forensics experts, assorted jargon you have picked up, and reputed texts on the subject, without adding anything much substantive to the discussion.

Why don't you get a copy of this Trojan, do an analysis and then report back with the results, so we can all benefit?

I'm not drawing you into anything, you were the one talking about "personal attacks".

If you launch those accuses to me than you have also to circumstantiate them, otherwise, yes, you are wasting your time and mine too.

Bye, have a nice sunday.

Why do I have to do that when there are real experts doing that in the right way (ie following the procedure I've mentioned and that anyone can read on a textbook about computer forensic)?

The point is, if you had the time to read a link I've added earlier:

"Those this malware install a rootkit?"

Or better "Has anyone fully understood if this malware installs a rootkit?"

On that basis, since I haven't quite seen a decent analysis that prove us that anywhere, nor an Apple official report about this matter, this doesn't means I have to be the one that does that!. I would just recommend as ds store did a re-install to factory at this stage of the incident (while someone even made fun of him with sarcastic comments, and maybe those were the ones going against the community policy). Which is just wise common sense.

If people here, on an Apple support board ⚠ claims that this malware was studied enough by them and does no hurt to anything else on a system besides installing itself and "just" acts as a trojan, than, my apologize, but I would like to understand whom is saying that and on which basis since is not an official source of information.

Now if even this is now prohibited here, just let me know and I would be more than happy to not contribuite anymore.

Wow! this thread has turn into some kind of knowledge debate 😕 If I click on "stop notifications" will stop them for this thread or for all discussions?

Rayced wrote:

Why do I have to do that when there are real experts doing that in the right way (ie following the procedure I've mentioned and that anyone can read on a textbook about computer forensic)?

Because there are no "real experts" taking part in this discussion. Please study the Terms of Use for this site. Note that when possible you should test your submissions on your own computer before you post it. Thomas has done that & has published links to detailed info about how he did that.

You haven't tested anything. You have made some vague references to textbooks (without actually naming even a single one), mentioned some names you seem to be implying are somehow the only experts capable of defining standards for effective malware detection, tossed in a few buzzwords (sometimes without regard for their proper use), & claimed it is "a plethora of useful informations."

You have not provided anything substantive or based anything on your own efforts to analyse this malware. You have just found fault with the techniques of someone who has.

If you want to contribute something useful, nothing is stopping you from compiling & implementing your own deployment of Osiris or whatever other "standards tools" you want to use, applying that to an analysis of this malware's capabilities, & publishing your findings. You are the one claiming to know the proper steps, or at least which ones Thomas didn't follow.

If you can provide a factual rather than speculative basis for the need to "re-install to factory" (and an explanation of what exactly that is supposed to mean) if infected by this particular malware, I'm sure everyone so affected would be most grateful.

Ok, you were just trolling in a different thread as you admitted about this matter.

I've added some different points of view to the discussion. Now let's get pragmatic, ok?

1. while the machine is opened by the trojan horse do you think someone's can't scale Unix privileges using one of the BSD known flaws and install something else? If this didn't happened while Mr. Reed's tests doesn't mean it couldn't had happened to other people that were and are still having the trojan horse active on their machines.
2. I've mentioned that to do a more scientific study of this malware at least it must be used a tool like Osiris, ovvero a Host Integrity Monitor system. I've mentioned that not because I'm inventing it, but because people that are in IT security far before Mr. Reed and were also published (which maybe makes them a little more credible than a very good hobbyist) suggest and uses those kind of tools with security incidents.
3. I've also pointed that a network study of the malware made via Little Snitch can't be that reliable as one done using ipfw firewall; still this is something well known.
4. I'm going further. Mr Reeds suggests just to get rid of those files the malware installs. Since what I wrote at point n.1, it is probably better at least to re-install the latest Combo Mac Os X update if not re-install the system from scratch.

Let's get back on "philosophy" now.

This a matter of attitude towards people like me and ds store who are just trying to say "hey don't assume everything is like it resemble with something like this". The answers we got, instead of being technical explanations were on the tone of "you are insulting me cause you don't agree with my methods ⚠", or "you want people to be scared and lock their computers in a basement". While, for example, mr ds store has pointed out something very basilar on Safari's security, even reported in Apple's official guide to securely config Mac Os X, which is to disable the open safe download documents feature.

About me doing a study of this malware: I would do that for fun if actually I had every original firmware of my Apple hardware that was shipped from the factory together with them on physical support. That is for both to better study the malware itself and also in order to get my computer back at a safe install.