
Mac Malware/poisoned images

Two detailed articles that go into greater depth on the malware attacking Mac users.



http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users


http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/




If you're new to the party:


Mac-targeted trojans are making their rounds, mostly via poisoned images from Google.


The exploit depends upon JavaScript; you can choose to turn it off in Safari preferences, however large portions of the web don't display or operate correctly without JavaScript running.


An easier preventative option would be to use Firefox and the NoScript add-on; use Firefox toolbar customization to drag a NoScript button to the toolbar.


NoScript turns off all scripts and plug-ins by default, which you enable on a per-site, per-need, per-visit basis by clicking the NoScript button.


Firefox also has a pop-up window with an opt-out before the download occurs, another safety step.


If you have click-happy types, it's advised to install the Public Fox add-on as well and set a password on the browser downloads.



If you have the trojan web page on your Mac's screen, simply use Apple Menu > Force Quit to quit the browser.


If you've downloaded but not run the installer, delete it immediately from your downloads folder.


If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.


If you gave the AV software your credit card information, you need to call the credit card company and cancel the charge and freeze it. Assume your identity has been stolen and take appropriate action to defend your identity.


http://www.ftc.gov/bcp/edu/microsites/idtheft/



Some other advice:


Use only low-amount debit/credit cards online, with amounts you're willing to risk losing.


Do not enable overdraft protection with these online-type cards.


Maintain the bulk of your funds in more secure accounts with no user electronic access (keep the blame for loss entirely on the bank).


Beware that banks and credit card companies like to increase your credit/debit card limits without notice.


If you lose a considerable amount of funds through an electronic means in your control, like an ATM, credit card, debit card or online banking, expect a very long and tiresome legal battle to hopefully regain those funds and prove fault.



(Note: I receive no compensation from mentioning these sites/articles or their solutions, etc.)

MacBook Pro, Mac OS X (10.6.7), 17" Quad XP, Vista, 7, Linux(s)

Posted on May 13, 2011 9:15 AM


May 16, 2011 5:05 AM in response to Rayced

Look, as it is being formulated, there is no way to end this discussion. If the Trojan has bypassed any quarantining or sandboxing, evaded and penetrated the layers of protection in OS X, installed a rootkit, and is cloaking itself from detection, then, yes, the only way to be completely certain it has been eliminated is to completely reinstall everything from bottom up.


I have seen nothing here or issued anywhere by any of the AV companies or any security expert that this is true, but since we're dealing with something that either doesn't exist or which might be completely invisible, there is no way to rule it out.


Until one of your highly advanced forensics experts weighs in on the subject -- after doing an exhaustive, reproducible analysis, double and triple checked by other forensics experts, I think further discussion is pointless and sophomoric. It's like taking sides on whether there are invisible elephants on Saturn.


Can you give it a break now?

May 16, 2011 5:30 AM in response to WZZZ

Well, your reply is more acceptable because at least you are citing other resources such as AV companies, which probably would have a different approach to this matter than the one I've read so far; moreover they have just a little more authority than people on a board. As far as I know it's not fair to post here any link to any of those companies because it would be advertising for them, and I don't want to be addressed about that too after being the "feeling hurter" of the day 😀.

I did close my point way long ago, but people here kept saying that I have to install and test the malware before speaking. As far as I know they could be the ones creating it (just joking, it's an extreme point) LOL!

I can't understand why there is so much bother if someone tries to perfect something; by the way, anybody who wants to can get some documentation about security and computer forensics as I did and as I've linked. Addressing common clichés too, like the one that people are forced to use an administrator user otherwise they can't use applications, is not a crime (yet) and it seems to be just something people with common sense would naturally do, at least in a free country.


That said, I'm done and I think that whoever has a little interest in understanding how to avoid some security issues got stimulated by what Mr ds store and I have added to this topic. If they would feel more secure they can also install an anti-virus or an H.I.M., find a stronger way to configure a firewall (possibly also ipfw, which is at the packet layer instead of the application layer) and so on.

I'm sorry if I sounded rude sometimes; it wasn't my intention to offend anybody, I was just stressing some points hard (and I apologized plenty while someone else never did, even if he said he was doing something on purpose).

Now I can say bye because my corrupted Time Capsule backups are finally being archived and restored. This is another thing Apple has to work on to improve.

May 16, 2011 6:10 AM in response to Rayced

Sure, cause you checked with a Host Integrity Monitor any change happened to the system after the malware installs, right?


That does not make any sense in the context of the message you are replying to, which was about the efficacy of installing a combo update to remove malware. Do you understand what a combo updater does?

May 16, 2011 6:35 AM in response to a Mac user

a Mac user wrote:


I honestly wish you would stop all this fear-mongering. It is pointless and is only making you look like more of a hypochondriac.


If people don't want to read, they can choose to go elsewhere.



a Mac user wrote:


Malware does not want to do it in for the users, it is not profitable to destroy system, it is more profitable to skim data off the user without detection.


Profit is a big motivation, but it's not the only motivation.


I had my Linux box hacked a few years back, funny stuff displayed on the screen and so forth as a "welcome to the club newbie" initiation. They didn't get far because I practice compartmentalized security.



a Mac user wrote:


I don't really care for how long you have been using a mac OS, you obviously know next to nothing about how security and exploitation works, yet you act like you do.


Well if you have something to share, please contribute. Prove you know more than me and I'll quickly respect your knowledge and opinion on the subject.


I know I don't know it all, and never claimed that I do. All I can share is what I know with others that know less than I do.


I spend my time here to learn and to help others learn.

May 16, 2011 9:23 AM in response to Rayced

Rayced,

A couple of points:


1. It is acceptable to post links to commercial AV companies' info. We do this often, which you would know if you had followed the several discussions about this malware. However, the Terms of Use prohibit advertising & specify how posts that might bring you compensation should be handled. See section 2.6 for more about this.


2. Host integrity monitoring systems like Osiris are not designed to be installed on a single computer like AV software is. Only the scan agent should be run on monitored computers. The management monitoring processes & associated logs & data files must be on a separate, trusted host system, typically one isolated from the Internet & used for no other purpose. (See for example the Osiris User Handbook for more about this.)


For this & other reasons, this kind of malware detecting system is not suitable for most users.

May 16, 2011 9:43 AM in response to R C-R

Thanks for your clarification. I was getting some info about this crap on Intego's security blog. I think I probably ran into it a while ago, quite a bit before it turned out to be malware (I remember getting the "infected" prompt while surfing the web).


About Osiris, I know that. I never said it is a solution for common users, but it is a solution for whoever wants to understand something about a malware and make sure that nothing else gets modified in the system while it is installed, besides the installation of new files pertinent only to it. I remember playing with it for a while on my laptop 3 or 4 years ago, and I installed it at that time just to see what was going to be modified by anything installed or updated. It worked quite fine even though that is not the correct and safe way to use it as a computer forensics tool.

May 16, 2011 12:06 PM in response to Rayced

You said, "If they would feel more secure they can also install an anti-virus or an H.I.M. …" My point is a host integrity monitoring system like Osiris is not in the least secure if installed on the same system it is meant to protect, as you apparently did with your laptop.


If you are just interested in seeing what is modified or updated there are single-computer tools designed for that, some provided with Apple's own Developer tools package, but you will most likely notice that a large number of system domain files are constantly being modified during normal use & that it takes a lot of OS X specific knowledge to make much sense of it.


As previously mentioned, OS X is not just another variant of UNIX. Even though it is based on a BSD kernel, there are significant differences even at that fundamental level. Beyond that, there are quite a few other significant differences, especially in restricting root user access by processes that usually run in other *NIX variants without those constraints.


That doesn't make it impervious to all possible malware attacks, but it does make it much more resistant to things like rootkits or privilege escalation than with many other *NIX variants, as well as making it more difficult to understand what is being modified by what.

May 16, 2011 11:44 PM in response to R C-R

Foremost, you can't know what the configuration of everybody out there is. An HID is a tool and there are various ways to use it. For example there might be someone with a network who might configure an HID on a secure machine. What is sure is that the way I used it in the past, even if not conforming to the specific configuration you noted, was enough to catch a hostile system change that was not taking into account the presence of an HID on the machine.

Better than nothing, what do you think?


Here comes the second part of your post: if you know which part of the system is weaker and you want to control if and when it gets changed, then you can do that locally with an HID. The main reason to install it on a different machine is that once you get an intrusion, an intruder might also manipulate the logs of both the system and the HID itself. As far as I read from your posts, these are cases that you won't define as common and on a large scale, right?


You're still mentioning something well known; just as well known is that many tricks to escalate privileges on Mac OS X still take advantage of BSD bugs.


But the more important thing that you are trying to hide is this: I've suggested the use of an HID to study the install process of the malware, since Mr. Reed's study and analysis lack any detail about this matter. Have you read anywhere that he has actually reported which scripts that installer runs? No. What he did was being brave, installing the malware on a clean system and then checking what new files he got on his system. Moreover, from his study there is nothing about possible interactions that the malware can have with other third-party software installed on the machine (which are common for a large percentage of users).


Now, since it's not so common for people to have an HID installed even locally on a machine, and for the large-scale factor you mentioned in a previous post (the malware is not specifically made to attack a restricted group of users), there is little chance that whoever wrote that malware also had in mind that he had to cover up traces on an HID too. Moreover, at the same time the install is launched any file change would be reported by the HID, so if you are specifically studying the malware you put your attention on any possible change that could lead to also modifying its report (not to mention that those logs are going to be in a database, which is something else that the malware writer has to take into account).


That said, it's obvious that if a user wants to install and study both the behavior and the install process of this malware via an HID, of course it would be better to install the HID and its database on different machines, but that is just one more precaution.


Not to talk about the lack of a detailed description of the machine used, its configuration and any third-party software installed. For example, was Rosetta installed on the configuration he used to test the malware?


I'm done with this thread since the moderator of this board has removed any link to resources that I previously posted to substantiate my opinions.

I don't know if it was their own initiative or if someone is playing dirty just because he's not able to handle criticism; I don't want to accuse anybody, but that is an option I have to think about too.

In both cases it's obvious that the environment in which this discussion is taking place is not neutral anymore. So it would be a waste of time for anyone, and would just lead to confusion, to keep it up.

Whoever has followed this thread for a while and has read what I previously linked might understand the reasons behind my objections to Mr. Reed's case study, which doesn't mean that at this stage of the incident it couldn't be effective, even if I find it lacking in many things.


That is the main point here that both you and he don't want to admit: I'm trying to integrate his case study and make it better. Both of you have granitic convictions; when it comes to security those convictions have to be substantiated to the case and explained, otherwise it is legitimate that another user (even if he's not polite, dirty, ugly or stinky) would raise a doubt.

May 17, 2011 12:42 AM in response to Rayced

Rayced wrote:


But the more important thing that you are trying to hide is this: I've suggested the use of an HID to study the install process of the malware, since Mr. Reed's study and analysis lack any detail about this matter. Have you read anywhere that he has actually reported which scripts that installer runs? No. What he did was being brave, installing the malware on a clean system and then checking what new files he got on his system. Moreover, from his study there is nothing about possible interactions that the malware can have with other third-party software installed on the machine (which are common for a large percentage of users).

Sorry, I may have read his report too quickly and don't have the time at this moment to re-read it, but I thought he adequately explained what the installer did. Since I have taken it that far, allow me to tell you about the latest version of MacProtector I have which was captured on Saturday with a date of 5/11/2011.


The MacProtector.mpkg consists of the macprotector.pkg, which runs no scripts and only installs MacProtector.app in the Applications directory. The macProtectorInstallerProgramPostflight.pkg's only function is to run a postflight script which launches the application with the following bash script:

RESULT=`/usr/bin/open '/Applications/MacProtector.app'`


The original MacDefender postflight script was defective in that it started with:

RESULT=`/usr/bin/open -b 'com.alppe.spav.plist'`

RESULT=`/usr/bin/osascript -e 'tell application "Finder" to reveal application file id "com.alppe.spav.plist"'`

which not only doesn't make sense, but was also impossible since the preference files are installed by the application, so they aren't even there at the time the script is run. Those have been removed and as I recall the prefs file is now named com.aple.spav.plist. I am not aware of its contents.


The application itself is Intel only, which means there would be no reason to install or use Rosetta. It also precluded me from going further with the test, which is why I am, like you, reliant on Thomas' follow-on test results for what happens after installation is complete.
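The package anatomy described in this post (a file-only inner .pkg plus a second .pkg whose only job is a postflight script that opens the installed app) is exactly what is worth reviewing before an installer is ever opened. The following shell script is an added example, not code from this thread or from any of the posters; it assumes the bundle-style package layout (scripts under Contents/Resources/ such as preflight and postflight, nested packages under Contents/Packages/) and the sample names Sample.mpkg and Sample.app are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a bundle-style .pkg/.mpkg on disk
# and report its install-time scripts and the lines in them that hand control to
# another program, so a downloaded package can be reviewed before Installer runs it.
# Assumed layout: <pkg>/Contents/Resources/{preflight,postflight,preinstall,...}
# with nested packages under <mpkg>/Contents/Packages/.

# Print every install-time script inside the package tree, one path per line.
list_install_scripts() {
    find "$1" -type f \( -name preflight -o -name postflight \
        -o -name preinstall -o -name postinstall \
        -o -name preupgrade -o -name postupgrade \) 2>/dev/null | sort
}

# Count, across all those scripts, the lines that launch another program
# (open, osascript, curl, launchctl). -w still matches "/usr/bin/open" because
# "/" is not a word character, while ignoring words such as "reopen".
count_launch_commands() {
    list_install_scripts "$1" | {
        n=0
        while IFS= read -r script; do
            c=$(grep -cwE 'open|osascript|curl|launchctl' "$script" 2>/dev/null || true)
            n=$((n + ${c:-0}))
        done
        echo "$n"
    }
}

# Human-readable report: each script path followed by its numbered launch lines.
report_install_scripts() {
    list_install_scripts "$1" | while IFS= read -r script; do
        echo "== $script"
        grep -nwE 'open|osascript|curl|launchctl' "$script" 2>/dev/null \
            || echo "   (no launch commands)"
    done
}

# Build a constructed sample mirroring the layout described in the post above:
# a file-only inner package plus a postflight-only package whose single script
# opens the installed app. Every path here is made up for this example.
make_sample_package() {
    sample_pkg="$1/Sample.mpkg"
    sample_files="$sample_pkg/Contents/Packages/sample.pkg/Contents/Resources"
    sample_post="$sample_pkg/Contents/Packages/samplePostflight.pkg/Contents/Resources"
    mkdir -p "$sample_files" "$sample_post"
    printf '%s\n' '#!/bin/bash' \
        "RESULT=\`/usr/bin/open '/Applications/Sample.app'\`" \
        > "$sample_post/postflight"
    chmod +x "$sample_post/postflight"
    echo "$sample_pkg"
}

# Stand-alone use: sh inspect_pkg.sh /path/to/Something.mpkg
if [ -n "${1:-}" ]; then
    report_install_scripts "$1"
    echo "launch commands: $(count_launch_commands "$1")"
fi
```

The report only reads files, so it is safe to run on a package sitting in the Downloads folder; a package that claims to install a single application but carries scripts calling curl or launchctl is the kind of mismatch that should stop the install.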

May 17, 2011 2:08 AM in response to Rayced

Rayced wrote:

That is the main point here that both you and him don't want to admit: I'm trying to integrate his case study and make it better.

You are doing nothing besides posting confusing, rambling replies that contain no more than superficial information about security issues in general & nothing at all specific about this trojan.

May 17, 2011 2:08 AM in response to MadMacs0

Can you please tell me where he stated in his case study that the application is Intel only? I don't recall reading anything about it.


Moreover, I'm not going to visit his blog anymore because he has already shown his lack of respect for users' privacy by posting details on this board regarding my last visit to it… Talking about "terms of use" as some people do here while suggesting users install this malware on their systems. And I'm the one who has seen his post linking to some security information resources getting trashed. No, this is unfair, and would drive nuts anybody with a little brain in his head!


Not to talk about his specific advice not to secure-trash those items installed by the malware installer: a contradiction in terms.


Contrary to what you've just stated, I'm not reliant on his results at all now. The main reason is clear to anybody since his reactions to my comments on his blog being rejected. Moreover there are other case studies of this malware on other resources such as Intego's security blog, where of course they don't give a solution on how to get rid of the malware since they are selling their product, but I can state the same about this board since Apple's marketing strongly advertises Mac OS X as the most secure platform around.

While it can be so, it's not totally immune, as this is the basic law of security in IT, and as was fully demonstrated not only by this episode but on many other occasions ("def con" and so on).


That said, this guy is giving his solution, from what I remember, even without a statement saying that it is "as is" and that users are going to use it at their "own risk".


Pragmatically, I recommended people read the official documentation made by Apple about security and get informed by themselves on how to improve their system security, and re-install their system after securely trashing those evil files. Otherwise they can install a complete free-trial version of a major Mac AV software that has definitions to deal with this threat.

Thus it is up to whoever owns a Mac whether they want their secretary or their children, for example, to have an administrator user to use their systems. Probably after spending 15 minutes of their life reading an official Apple document about how to make the security of their system robust, they might avoid some mistakes.


The problem here is that on this board there are many persons opening new threads saying "hey, I've just got the MacProtector malware, how can I deal with that?!" and almost every answer to them is to follow Mr Reed's directions as if they are the bible. I would erase those files permanently with a secure trash dump, for example.

I would check first if the malware got in some way backed up by Time Machine and if so sanitize that backup too, another thing that I don't recall reading in his solution and that I don't find to be such speculation as someone is trying to make people think here. And all of this depends also on the degree of experience and confidence users have with Mac systems, so probably for someone it would be even better to just bring their computer to an Apple Center, or at least to contact one.

Bye.

May 17, 2011 2:34 AM in response to Rayced

Rayced wrote:


Can you please tell me where he stated in his case study that the application is Intel only? I don't recall reading anything about it.

I don't believe he did. I know I brought it up when I first became aware of it, a couple of weeks ago, but may not have posted it here in the discussions.

I would erase those files permanently with a secure trash dump, for example.

I would check first if the malware got in some way backed up by Time Machine and if so sanitize that backup too, another thing that I don't recall reading in his solution and that I don't find to be such speculation as someone is trying to make people think here.

Both of which are worth exploring, IMHO. I don't recall you or anybody else suggesting them before, but then I don't pretend to have read everything that has been said about this problem here.

May 17, 2011 3:29 AM in response to MadMacs0

That's because of all the manipulations done here on this board by someone who keeps saying I'm speculating.


The whole discussion started because Mr ds store was trying to understand if there was more underlying what was discovered till now about this malware, which was labeled a minor security issue. Well, I don't know on what basis a trojan horse can be labeled a minor threat, talking about standards or not, but I don't want to be addressed as a "terrorist" now.


So far I'm gonna summarize my doubts about Mr Reed's case study:


  1. Can you please give a complete list of the applications running and installed on the machine used for the test at that time?
  2. You've already made clear that you didn't use for this test any intrusion detection software, network intrusion detection software, or host integrity system. Why?
  3. Why is a network analysis of the malware done by an application-level firewall such as Little Snitch enough, instead of using an IP firewall such as the ipfw built into Mac OS X?
  4. Have you tested also any interaction the malware could have with other third-party or other Apple software that might be commonly installed by users? (for example browsers other than Safari, OpenOffice, iWork, etc., Adobe Reader, Adobe Flash Player, Skype etc.). If not, do you plan any further tests in this direction for the future?
  5. Can you exclude any interaction of the malware with BSD and other files of the OS, so that a fresh re-install as well as a simple re-install of the latest Mac OS X Combo update is not justified?
  6. Does the malware interact in some way with the user/group structure and permissions of Mac OS X?
  7. Is the malware affecting also PPC users or Intel users having Rosetta (which is optionally installed by Intel users who want to run PPC code on their systems)?
  8. Does the malware interact at any level with the kernel of the OS (i.e. does it install any rootkit)?
  9. You have specifically stated the malware files should be deleted not using the secure delete feature of Mac OS X. Is there any particular reason why you specifically suggested this solution? What if someone wants to remove those files using a secure erase method; is that going to weaken in any way the solution you proposed to permanently remove the malware from an infected system? And on the final purpose of permanently erasing the malware, do you have any suggestion about the possibility that it got backed up by any automated backup system installed by a user (Apple Time Machine as well as other third-party solutions)?
  10. What about other hardware/software systems that could be involved by the malware operating on a system (not just erased immediately after install), like routers, NAS, etc.?
  11. Why did you provide your solution without any statement that it is given "as is" and "at own risk" of whoever is going to use it? And what level of knowledge does a user need to adopt it and be sure it is the right one instead of adopting other solutions? (For example, install a trial AV software that can securely delete the malware, leaving then the choice to the user to either dump it after removing this specific threat.)


Lastly, I have a personal question and I'm posting it here in public because I don't have any way to communicate privately with Mr. Reed on this board: you have posted personal details about me (the country where I am from) even if in the form of "speculation" (you said you assumed it from the email address I used to leave a comment on your blog, which should be a private submission in every part of it). Is that the policy you have on your blog for any user visiting it and possibly commenting on it, or is it just an exception you made for me? (You could have just asked here where I am from and I would have answered you if it was my intention to reveal that information in public.)


12 simple questions, but I could have a hundred more that I'm not going to post, to avoid being too tedious in just one post.

May 17, 2011 4:01 AM in response to MadMacs0

Regarding the need for a secure erase, once a regular erase is done the file system no longer retains a record of where on the volume segments of the erased files are located. Any subsequent writes to the drive, including those done in the background by the OS, might overwrite some or all of these segments with new data.


So even if the malware somehow retained somewhere an independent record of the sectors used to hide its code, there is no guarantee that it would remain intact for long. Obviously, if this record was in any of the files removed by a regular erase, any record of where that record was stored would likewise be lost & might be overwritten with new data.


Of course, it is possible to at least imagine malware sophisticated enough to get around this somehow, for instance by subverting the file system management routines in the OS, or stashing the bulk of the code in the EFI partition. The problem with that is the code becomes progressively larger, more complex & difficult to write, & its effects become progressively more difficult to hide. There is still the problem of finding enough protected space somewhere for its initiating executable code, complete with a record of where the remainder of it is located, & how to get the OS to execute it while that remainder is still intact & undisturbed. And all this must be done without compromising the OS to the point that it can't be used for whatever purpose the malware writer had in mind.


Basically, from the malware writer's standpoint it is a lot of work for an uncertain, low yield payoff. It is not impossible that someone would try this, but it is far more likely that they would try what we have seen, which is a simple social engineering exploit designed to get credit card numbers & money from unsuspecting users.

May 17, 2011 4:42 AM in response to Rayced

Moreover, I'm not going to visit his blog anymore because he has already shown his lack of respect for users' privacy by posting details on this board


I have already apologized and said that I only mentioned you were from Italy because I thought it explained what I had read as rudeness, and I didn't honestly think you would care. I can't imagine anyone caring about people knowing what country they are from. Are you ashamed of being from Italy?


In any case, I'm tired of you trashing me and yet providing absolutely no information that is of any help to anyone. You think you know so well how it should be done, but you are not doing it. I'm done responding to you. I've said what needs to be said, and I am helping people. You're doing nothing but running your mouth. From this point forward, say what you like about me... you won't get the response you're looking for.
