
Defense: Malware targeting Mac's

Mac users running any browser with JavaScript turned on by default are vulnerable to being tricked into clicking on a trick image and/or link.


That image may appear to be a standard OS X window with a close box, or the typical OS X-looking window asking a question with OK or Cancel. It can look like anything really; its purpose is to get you to click anywhere on it and initiate a download to your computer.


Safari tries to be helpful and "Open Safe Files" by default, which is being used with much success to run code on one's machine, by bypassing the normal user process of 'open the Downloads folder and then click on the download to run it' in exchange for convenience.


Most Macs are used by one person, and in the initial setup of a new Mac (or a new OS X install) the first user is automatically an Administrator User. Running one's typical day-to-day use while in Admin User mode gives any code running on one's machine more privileges and access than it would receive if the user of the computer created another OS X account and ran most of their computer use as a General User.


The ultimate access for rogue code would be Root User, which on Macs is turned off by default; however, a temporary access window to Root User is allowed when an Admin User provides his or her Admin Password. Once rogue code gets Root User access, it's all over: OS X is completely compromised.



The key to security on a Mac, or any computer system actually, is a process called "Compartmentalized Security", where the more privileges code receives, the more it is subjected to time and scrutiny to determine its legitimacy.


Web browsers are the forward troops facing an overwhelming enemy, the World Wide Web. Not one modern web browser is 100% safe: not Safari, not Firefox, not IE, not Chrome, not Opera. Neither are the plug-ins or scripts that run within these browsers 100% safe.


So the key to maintaining security is to provide a high level of "Compartmentalized Security" steps that shift the exploit potential further down the privilege level so it can't do much of anything or gain further access.


People can get carried away with downloading and installing software in a rapid-fire manner; this provides a ripe opportunity for malware to get onto one's computer, even gaining root access right away.



So in order to provide better compartmentalized security, provide more time and steps before potentially installing rogue code. I suggest the following actions:


1: Run most of your day-to-day computer use as a General User with fewer privileges. This can be done by creating a new Admin User, logging out of the present user and into the new Admin User, then turning the first user into a General User.


Whenever certain actions are needed, like accessing the Applications folder (where programs can be changed by malware), an Admin Name and Password will be required. A small hassle, but it provides another step for malware to get past.



2: Use Firefox web browser and the following Add-ons: NoScript, Ad Block Plus and Public Fox.


Under the Toolbar customization, drag the NoScript button to the toolbar. NoScript turns off all scripts and plug-ins by default; if you trust the site you're on, you click the button to turn them on and the page automatically reloads.


In Public Fox preferences, set a password on downloads, this way a popup window appears before any download occurs, keeping malware from sneaking into your downloads folder and potentially being clicked on.


With Ad Block Plus, subscribe to the Easy List, which automatically appears in the browser window. This will auto-update to keep advertising, which has been used numerous times as an attack venue, from appearing.


Click&Clean, Ghostery, BetterPrivacy, FlagFox, WOT, HTTPS-Everywhere (from the Electronic Frontier Foundation) are also highly recommended add-ons.



3: In Safari preferences, turn off "Open Safe Files", then install the Ad Block Plus add-on and the Click2Flash add-on. If any add-on appears in the future that simulates what NoScript and Public Fox do on Firefox, then enable those add-ons.



4: Check the status of your browser plug-ins. These websites make it easy; bookmark them in an obvious place so you remember to visit them routinely. As soon as a vulnerability appears, either update or turn off the affected plug-in in your browser until a patch is issued.


https://www.mozilla.com/en-US/plugincheck/


https://browsercheck.qualys.com/



5: If you enjoy surfing the back alleys of the Internet and you have at least a decent dual-core Intel-based Mac, I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32 bit 10.10 (the most consistent and easy-to-use, everything-included Linux distro).


http://www.virtualbox.org/


http://www.linuxmint.com/download.php


The object is to load and install Linux Mint into the virtual machine like installing an operating system onto a regular computer. Once completed, save a snapshot to revert to after your Firefox browsing session (in Linux) is completed. Any and all potential malware, caches, etc. are flushed when you revert the entire guest OS back to the earlier state. Keep the Guest OS updated via the Software Update option and save a new snapshot.



6: Use common sense: if it doesn't look right, then stop and flush the OS X-based browser from memory via the Apple > Force Quit menu.


7: Install the free ClamXav; it will remove the OS X malware it knows about, offering some after-the-fact defense, and remove Windows malware from your files.


http://www.clamxav.com/


I don't advise a full-time, always-on and running anti-virus solution for Macs due to Apple's tendency to change the underlying OS themselves to thwart potential malware. So something like Norton, which maintains tight control over OS X, should be avoided.


Malware on Macs is a scarce thing because of Apple's top-down approach, but trojans are a potential attack venue and people need to ensure more steps to avoid being tricked.

MacBook Pro, Mac OS X (10.6.7), XP, Vista, 7 many Linux distros

Posted on May 8, 2011 4:40 AM
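A small audit of the settings this post tells you to change (added example, not the poster's own script). The parsing functions work on captured command output, so they can be exercised anywhere; the live check only runs on macOS and assumes the real `defaults` and `dscl` tools, with `AutoOpenSafeDownloads` being the Safari preference key behind "Open safe files".

```python
"""Audit the hardening steps from the post: standard-user account, Safari's
"Open safe files" setting, and a cleaned-out Downloads folder."""
import getpass
import platform
import subprocess
from pathlib import Path


def safari_auto_open_enabled(raw):
    """Interpret the output of `defaults read com.apple.Safari AutoOpenSafeDownloads`.
    An empty or unreadable value means the key was never set, and Safari's
    built-in default is to open "safe" files, so that counts as enabled."""
    value = raw.strip().lower()
    return value not in ("0", "false", "no")


def admin_members(raw):
    """Parse `dscl . -read /Groups/admin GroupMembership` into a set of user names."""
    for line in raw.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def findings(user, admin_raw, safari_raw, download_names):
    """Return the list of issues to fix, numbered as in the post where it applies."""
    issues = []
    if user in admin_members(admin_raw):
        issues.append("1: daily-use account %r is an administrator; make it a General User" % user)
    if safari_auto_open_enabled(safari_raw):
        issues.append("3: Safari 'Open safe files after downloading' is on; turn it off")
    if download_names:
        issues.append("Downloads folder holds %d item(s); empty it so a surprise installer stands out"
                      % len(download_names))
    return issues


def run(cmd):
    """Run a command and return stdout; a failure (e.g. an unset defaults key) yields ''."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


def live_audit():
    """Collect the real values on macOS; elsewhere return None (nothing to audit)."""
    if platform.system() != "Darwin":
        return None
    user = getpass.getuser()
    admin_raw = run(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"])
    safari_raw = run(["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"])
    downloads = [p.name for p in (Path.home() / "Downloads").glob("*")
                 if not p.name.startswith(".")]
    return findings(user, admin_raw, safari_raw, downloads)


if __name__ == "__main__":
    for line in live_audit() or ["not macOS: nothing to audit"]:
        print(line)
```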


Posted on May 8, 2011 5:11 AM

Run most of your day to day computer use as a General User with less privileges.


That causes problems for some apps, which won't run on anything but an admin account or on the account they were installed on. And it's not a guarantee of security - a user who gets in the habit of authenticating to admin to install stuff from their Standard account is no safer than the user who gets in the habit of authenticating to install from their Admin account. This is a good general suggestion, but may not work for everyone and provides practically no real security against "social engineering" by itself.


2: Use Firefox web browser and the following Add-ons: NoScript, Ad Block Plus and Public Fox.


Again, using things like these won't protect you by themselves. How do you know if a site is trusted and should have JavaScript turned on? And most folks are finding this malware via trusted sites that have had malicious JavaScripts "sneaked" into their code, through malicious ads or search engine optimization poisoning. How can you know if your trusted site is affected? And, given how much this malware has been jumping around over the last week, I seriously doubt Ad Block Plus can keep up.


3: In Safari preferences, turn off "Open Safe Files" install the Ad Block Plus add-on and the Click2Flash add-on.


Note that even folks with Safari's Open "safe" files after downloading option turned off have been affected by opening the installer manually. And some have been alerted to the presence of malware by the automatic appearance of the installer. I'd still agree, though, but would add that you should keep your Downloads folder cleaned out, so that any suspicious items that turn up will be easily recognized, and not mistaken for something you downloaded earlier.


As to Click2Flash, I think nobody should be on the web without it! I don't trust Flash as far as I could throw Adobe.


I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32 bit 10.10


That is not a realistic suggestion for the average person, who will have neither the desire nor the knowledge to run Linux.


6: Use common sense: if it doesn't look right, then stop and flush the browser from the Apple > Force Quit menu.


This should have been #1! AV software has struggled to keep up with all the variants of MacDefender, malware sites move on sometimes an hour-by-hour basis and malicious code sneaks into trusted sites. In all, no automated defense tool will protect you from a new threat... only your "wetware" can do that!

86 replies

May 15, 2011 5:41 PM in response to R C-R

The Shmoo Group has ported OSIRIS to Mac OS X, which is now the standard for computer forensics. Now, if we really want to start talking about security, then probably we also have to know first what the protocol is for responding to an incident.

One of the steps, when studying a malware's impact, is to collect data. This is usually done with a tool like Osiris installed on a "fresh" system that will be infected on purpose for the analysis of its behavior.


That is probably just one of the reasons why the Shmoo Group is relevant to this matter.


Computer forensics is a science, and like any science it has its tools and procedures. I didn't find any of this in those links to Mr Reed's website. With all my respect for him as a person and for his efforts in giving the Mac community some sort of support, he just describes the process of the Mac getting infected and the processes that run after that. He never checked if any system file was modified, which is something you do using a tool like Osiris.

Moreover, the procedure I described to you at first is the correct one to collect data and analyze the behavior of a malware. So he has to do that starting with a fresh factory install, exactly what ds store is trying to say.

May 15, 2011 5:58 PM in response to Rayced

@Thomas A. Reed: about the very basic suggestion of not using an Administrator user on a daily basis, you will probably find it quite interesting that Apple itself suggests that, as stated in this official document about installing and configuring SL securely.


As others have already said, I never suggested that one should use an admin account day-to-day. What I said was that, if one is dependent on certain applications (cough Adobe cough), then one may be forced to, whether or not that is a good idea. Saying that those applications are improperly coded is absolutely correct while at the same time absolutely irrelevant to those who must use them.


Figure out that there are people who still keep saying there is no known malware on Mac OS X nowadays.


Nobody I know says that. People say there are no viruses, which is completely and totally true. Certainly this has no bearing on the current discussion, so I wonder why you bring it up here.



Are you trying to say that a user on this board who played a bit with one malware has more knowledge about security than the founders of "The Shmoo Group"?


I find your dismissive comments extremely offensive. I do not claim to be a security expert. I am good at explaining technical concepts to non-technical people, and I do have some good knowledge about Mac-specific malware. If you wish to dismiss the knowledge I have in favor of people whose focus is not even remotely the Macintosh, you are welcome to do so. But to disparage me in public like this with such lack of justification shames you, not me.


To respond to one point you brought up:


He never checked if any system file was modified


Clearly you did not bother reading enough of my blog to see that I compared an infected system with a pre-infected clone of that system, file-by-file.

May 15, 2011 6:10 PM in response to thomas_r.

Clearly you haven't read what I wrote. There was no intent to offend you; I beg your pardon if you feel so. I do respect your intentions, but your job is far away from what security experts would do.

For example, it would be interesting if you could describe to us how you compared an infected system with a pre-infected system. Moreover, you've done that without knowing if the malware would spread out on the network or not. I think in your approach you are just assuming too many things and not using the right tools as an expert would do in this kind of analysis (using a tool like Osiris).

My conclusion is that it does more harm to rely on this sort of self-made method than to actually follow wise directions such as the ones given by ds store (factory re-install), even though I appreciate your efforts.


That said, I don't think we have anything more to say to each other, except that I suggest you get some good books about computer forensics if you're seriously interested in this matter.

PS: Adobe products like Photoshop CS4 no longer need to be run by an administrator user.

May 15, 2011 6:20 PM in response to thomas_r.

Ok, enough already, let's not get a thread lock. 🙂



Thomas, I appreciate what you're doing in checking out this malware.


I was worried it was going to bite you worse than it originally appeared; it did change skins fast, in just a few days, but seems to remain just a low-level threat.



I found OSIRIS for Unix


http://osiris.shmoo.com/



Something else you likely already know about DeepFreeze.


http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeMacCorporate.aspx

May 15, 2011 6:24 PM in response to Rayced

For example, it would be interesting if you could describe to us how you compared an infected system with a pre-infected system.


That information has already been published on my blog. If you wish to learn my methods, rather than dismissing them without having all the information, then you may read it here:


Further analysis of MacProtector


Perhaps my methods will not satisfy you, but if you can find a Mac security expert who is willing to share the level of information I have, I would love to have his/her name.


Moreover you've done that without knowing if the malware would spread out on the network or not.


I have already documented in my analysis the fact that I was using Little Snitch to watch network connections, and that I have also captured and posted all the packets sent to and from the malicious server the malware was communicating with.


I think in your approach you are just assuming too many things


Your previous statements prove it's not me who is assuming too much.

May 15, 2011 7:15 PM in response to thomas_r.

@Thomas Reed: I have already answered you about your analysis and why I found it not comparable to an expert's. You want to keep playing this game? Ok, I just hope they will not lock down the thread.


You have used Little Snitch as a firewall to determine the network behavior? Well, excuse me, but a firewall at the application layer is not the right tool to do that.


In fact (even if this could be the case for this particular malware), if a malware modifies a previously allowed process, then it will not get caught.

The right approach would be, for example, to close any connection via ipfw firewall (which resides on a lower layer than an application firewall) and log it.

Another one is to let just some basic network processes run while sniffing the packets to understand if there's any anomaly. But the very first thing to do is to check if the system was changed by the malware, and that is done via a tool like Osiris (which basically does a checksum comparison, but of course it has way more power than just that).


Excuse me, but you can read all about this science in some books about computer forensics as I did; then you will probably get my point.


Still, I'm not saying your job is totally crap, you are awesome for what you've done, ok?


But it's not professional, and it doesn't follow a procedure or use the standard tools to do that.

To make an example: I'm able to cook a comestible meal, that doesn't make me a chef of the "cordon bleu". I'm able to shoot an appealing photograph, that doesn't make me a professional photographer.


I'm sorry if I hurt your feelings, it wasn't my intention at all, but do you seriously think that Little Snitch is a professional tool for computer forensics?!


BTW, a good starting point for you is to read this document made by a programmer who designed another Host Integrity Monitor called Shamian. After reading this you will probably understand why I've found ds store's point of view much more adherent to the right approach to getting rid of a malware.
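A minimal version of the checksum comparison both sides of this exchange are talking about (Thomas Reed's file-by-file compare of an infected system against a pre-infected clone, and the Osiris-style host integrity monitor Rayced keeps referring to), as an added example that is not from the thread and not Osiris's own code. It baselines a tree, then diffs a later snapshot; the directory layout and the agent file name in the demo are constructed.

```python
"""Baseline/compare host-integrity check: record a hash and metadata for every
file under a root, then report what was added, removed or changed later."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each path (relative to root) to its SHA-256, size, mode and owner.
    Symlinks are recorded by target and not followed, so a planted link
    cannot pull a foreign tree into the baseline."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            st = path.lstat()
            if path.is_symlink():
                entries[rel] = {"type": "symlink", "target": os.readlink(path)}
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            entries[rel] = {"type": "file", "sha256": digest.hexdigest(),
                            "size": st.st_size, "mode": oct(st.st_mode & 0o7777),
                            "uid": st.st_uid}
    return entries


def compare(baseline, current):
    """Diff two snapshots: new paths, vanished paths, and per-field changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        diffs = {k: (before.get(k), after.get(k))
                 for k in set(before) | set(after) if before.get(k) != after.get(k)}
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a tiny tree (saved as JSON outside it),
    then simulate what a trojan installer might leave behind and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"
        (tree / "Library/LaunchAgents").mkdir(parents=True)
        (tree / "usr/bin").mkdir(parents=True)
        (tree / "usr/bin/ls").write_bytes(b"original binary")
        (tree / "usr/bin/cat").write_bytes(b"cat binary")
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(tree), sort_keys=True))
        # Simulated infection: a new persistence plist, a replaced binary, a deleted file.
        (tree / "Library/LaunchAgents/com.example.agent.plist").write_text("<plist/>")
        (tree / "usr/bin/ls").write_bytes(b"trojaned binary!")
        (tree / "usr/bin/cat").unlink()
        return compare(json.loads(baseline_file.read_text()), snapshot(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```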

May 15, 2011 7:17 PM in response to Rayced

I've been following all the threads regarding the trojan/malware for obvious reasons and I must say, I've had about enough of the personal attacks in this one.


These are user to user forums. We try to provide the best answer we know of. We are not forensic professionals (or maybe some of us actually are - who knows).


Your posts are getting dangerously close to and/or already have crossed the threshold of violating the ToU - you did read those, correct? Please refrain from attacking our volunteers who spend their Sunday trying to help others. If you are so good at what you claim to be able to do, simply set up a website with instructions including professional forensics of course and publish a link, or, better yet, instead of arguing, simply post your professional instructions here.

May 15, 2011 7:40 PM in response to babowa

As you can see, I've posted a plethora of useful informations about computer forensics.

I never claimed to be anything, can you say the same for others involved in this conversation?

Nor am I linking any document that has not been written either by Apple Inc. or by a professional computer forensics expert. Can you say the same for others involved in this topic?


I would also like you to define "personal attacks". Please, can you quote what you think is a "personal attack" that I've made?

May 15, 2011 7:58 PM in response to Rayced

I don't see a "plethora" of useful information.


Most of what you have been doing amounts to little more than some name dropping, with the names of several computer forensics experts, assorted jargon you have picked up, and reputed texts on the subject, without adding anything much substantive to the discussion.


Why don't you get a copy of this Trojan, do an analysis and then report back with the results, so we can all benefit?

May 15, 2011 8:20 PM in response to WZZZ

Why do I have to do that when there are real experts doing that in the right way (i.e. following the procedure I've mentioned and that anyone can read in a textbook about computer forensics)?

The point is, if you had the time to read a link I've added earlier:


"Does this malware install a rootkit?"


Or better "Has anyone fully understood if this malware installs a rootkit?"


On that basis, since I haven't quite seen a decent analysis that proves that anywhere, nor an Apple official report about this matter, this doesn't mean I have to be the one that does that! I would just recommend, as ds store did, a re-install to factory at this stage of the incident (while someone even made fun of him with sarcastic comments, and maybe those were the ones going against the community policy). Which is just wise common sense.

If people here, on an Apple support board, claim that this malware was studied enough by them and does no hurt to anything else on a system besides installing itself and "just" acts as a trojan, then, my apologies, but I would like to understand who is saying that and on what basis, since it is not an official source of information.


Now if even this is prohibited here, just let me know and I would be more than happy to not contribute anymore.

May 16, 2011 2:03 AM in response to Rayced

Rayced wrote:

Why do I have to do that when there are real experts doing that in the right way (i.e. following the procedure I've mentioned and that anyone can read in a textbook about computer forensics)?

Because there are no "real experts" taking part in this discussion. Please study the Terms of Use for this site. Note that when possible you should test your submissions on your own computer before you post it. Thomas has done that & has published links to detailed info about how he did that.


You haven't tested anything. You have made some vague references to textbooks (without actually naming even a single one), mentioned some names you seem to be implying are somehow the only experts capable of defining standards for effective malware detection, tossed in a few buzzwords (sometimes without regard for their proper use), & claimed it is "a plethora of useful informations."


You have not provided anything substantive or based anything on your own efforts to analyse this malware. You have just found fault with the techniques of someone who has.


If you want to contribute something useful, nothing is stopping you from compiling & implementing your own deployment of Osiris or whatever other "standards tools" you want to use, applying that to an analysis of this malware's capabilities, & publishing your findings. You are the one claiming to know the proper steps, or at least which ones Thomas didn't follow.


If you can provide a factual rather than speculative basis for the need to "re-install to factory" (and an explanation of what exactly that is supposed to mean) if infected by this particular malware, I'm sure everyone so affected would be most grateful.

May 16, 2011 2:32 AM in response to R C-R

Ok, you were just trolling in a different thread as you admitted about this matter.

I've added some different points of view to the discussion. Now let's get pragmatic, ok?


  1. While the machine is opened up by the trojan horse, do you think someone can't escalate Unix privileges using one of the known BSD flaws and install something else? If this didn't happen during Mr. Reed's tests, that doesn't mean it couldn't have happened to other people who were and still are having the trojan horse active on their machines.
  2. I've mentioned that to do a more scientific study of this malware, at least a tool like Osiris must be used, that is, a Host Integrity Monitor system. I've mentioned that not because I'm inventing it, but because people who have been in IT security far longer than Mr. Reed and have also been published (which maybe makes them a little more credible than a very good hobbyist) suggest and use those kinds of tools with security incidents.
  3. I've also pointed out that a network study of the malware made via Little Snitch can't be as reliable as one done using the ipfw firewall; still, this is something well known.
  4. I'm going further. Mr Reed suggests just getting rid of those files the malware installs. Given what I wrote at point n.1, it is probably better at least to re-install the latest Mac OS X Combo update, if not re-install the system from scratch.

Let's get back on "philosophy" now.

This is a matter of attitude towards people like me and ds store who are just trying to say "hey, don't assume everything is like it seems with something like this". The answers we got, instead of being technical explanations, were in the tone of "you are insulting me because you don't agree with my methods", or "you want people to be scared and lock their computers in a basement". While, for example, Mr ds store has pointed out something very basic about Safari's security, even reported in Apple's official guide to securely configuring Mac OS X, which is to disable the open safe download documents feature.

About me doing a study of this malware: I would do that for fun if I actually had every original firmware of my Apple hardware that was shipped from the factory together with it on physical media. That is both to better study the malware itself and also in order to get my computer back to a safe install.
