100 Replies. Latest reply: Jun 26, 2013 4:29 PM by MadMacs0
  • ds store Level 7 (30,315 points)

    MadMacs0 wrote:

    I just want to point out that you don't give the Trojan your password, only the installer.

    So a root level installer from the same people who are attempting to deliver a Trojan is to be trusted?

    Oh, thanks, I really needed a laugh.

    MadMacs0 wrote:

    At that point the Trojan isn't even installed, let alone running and able to do anything with it.

    The installer with root access is placing the Trojan in place; I see it makes little difference. Both are bad.

    MadMacs0 wrote:

    I can also assure you that the installer scripts I have analyzed to date don't do anything with it, either. I doubt that they would be able to.

    Exactly, "to date" is my point.

    If someone comes here with what appears to be the same exact malware on the surface, it might not be the same exact malware underneath, right?

    There is absolutely no way to justify reinstalling the OS.

    But I just gave you a darn good justification.

    You can't, with all good intention, recommend people not take any chances and possibly leave parts of new malware unattended in their operating systems.

    And here's another good reason: a 20,000 strong botnet of Macs, done by a Trojan from people who installed P2P copies of software.

    The Mac botnet was "activated" quite some time later, so all those people didn't know they were compromised during the waiting period.

    http://www.networkworld.com/news/2009/041709-first-mac-os-x-botnet.html

  • WZZZ Level 6 (12,685 points)

    Several people in the past few weeks have reported getting the Trojan download from Hotmail. Has anyone figured out how this is happening? Though it's not at all clear from his initial post if it's the Trojan, here's someone who may be getting it from Gmail.

    https://discussions.apple.com/thread/3055969?tstart=0

  • MadMacs0 Level 5 (4,545 points)

    ds store wrote:

    MadMacs0 wrote:

    I just want to point out that you don't give the Trojan your password, only the installer.

    So a root level installer from the same people who are attempting to deliver a Trojan is to be trusted?

    The installer is an Apple application. That is the only thing that receives your password.

  • MadMacs0 Level 5 (4,545 points)

    I'd like to challenge whoever marked this as the correct answer. I do not believe for a moment that giving the Mac OS Security popup your password when requested by the installer would allow the installer package to access the password at all, let alone send it anywhere. I would be willing to bet that even the installer application only receives an up or down from the security software and doesn't retain the password.

  • ds store Level 7 (30,315 points)

    The installer is an Apple application. That is the only thing that receives your password.

    Well that just goes to show how lame these particular malware writers are, huh?

    Several people in the past few weeks have reported getting the Trojan download from Hotmail. Has anyone figured out how this is happening? Though it's not at all clear from his initial post if it's the Trojan, here's someone who may be getting it from Gmail.

    https://discussions.apple.com/thread/3055969?tstart=0

    The Hotmail/Windows Live Mail rollout is just the mega-hotbed of malware transfer between PC users.

    I compare it to giving prisoners cell phones, where they can better communicate and orchestrate their nefarious behavior.

    Every couple of weeks I have to clean this lady's computer; she won't quit Hotmail and she turns off UAC. I threaten to lock her machine down every time.

  • ds store Level 7 (30,315 points)

    MadMacs0 wrote:

    I'd like to challenge whoever marked this as the correct answer. I do not believe for a moment that giving the Mac OS Security popup your password when requested by the installer would allow the installer package to access the password at all, let alone send it anywhere. I would be willing to bet that even the installer application only receives an up or down from the security software and doesn't retain the password.

    Well, the original poster accidentally gave himself the correct answer, even though he didn't post a question in the first place.

    Obviously the new forums still need some work, like being able to remove the correct answer and bestowing fortunes on others who need them.

    Trust me, there isn't much going on in the Lounge, just some casual chitchat and alerting the hosts to this or that.

  • MadMacs0 Level 5 (4,545 points)

    ds store wrote:

    Trust me, there isn't much going on in the Lounge, just some casual chitchat and alerting the hosts to this or that.

    OK, well in that case you might want to take a look at what Derek Currie had to say about "FUD! FUD! FUD! FUD! Anti-Apple Security FUD for the last SEVEN and a half years! Hee hee hee!" for a change of pace.

  • WZZZ Level 6 (12,685 points)

    The Hotmail/Windows Live Mail rollout is just the mega-hotbed of malware transfer between PC users.

    I know Hotmail is a plague of spam and malware. I'm asking how this thing operates/transfers from Hotmail.

  • thomas_r. Level 7 (30,105 points)

    So a root level installer from the same people who are attempting to deliver a Trojan is to be trusted?

    We're talking about a specific threat here, not something theoretical. Have you actually analyzed the installer or anything else about this trojan? I would swear, from some of the things you're saying, that you have not actually seen it and are just reporting on stuff you've heard third-hand... some of it not remotely accurate.

    Yes, there's always the possibility this thing could change into something else. There is no evidence that that has happened, despite some wild speculations here. Lots of things could happen that never do, and if it does, it won't exactly stay a secret.

    We really don't need you continuing to spread FUD and inaccurate information about this trojan here. It is not helping anyone.

  • WZZZ Level 6 (12,685 points)

    Don't know if it's anything different: a new, live link from a redirect from msnbc. Can you report it for editing once you've copied it, if you want to?

    https://discussions.apple.com/thread/3056402?tstart=0

  • thomas_r. Level 7 (30,105 points)

    That link is already down. These guys are spending a lot of effort on keeping this thing moving around from server to server, so that as they get blocked there's another ready to go.

  • ds store Level 7 (30,315 points)

    Thomas A Reed wrote:

    So a root level installer from the same people who are attempting to deliver a Trojan is to be trusted?

    Thomas,

    That question was addressed to another poster and answered. Please review the thread.

    Thomas A Reed wrote:

    We're talking about a specific threat here, not something theoretical. Have you actually analyzed the installer or anything else about this trojan? I would swear, from some of the things you're saying, that you have not actually seen it and are just reporting on stuff you've heard third-hand... some of it not remotely accurate.

    Yes, there's always the possibility this thing could change into something else. There is no evidence that that has happened, despite some wild speculations here. Lots of things could happen that never do, and if it does, it won't exactly stay a secret.

    We really don't need you continuing to spread FUD and inaccurate information about this trojan here. It is not helping anyone.

    I'm not going to play with any malware on a $4,000 machine if I can't know for certain I can flash the firmware(s) and scan or zero hidden partitions. Any place 1s and 0s exist in software, I need to be able to replace them with copies whose source I can verify.

    I'm certainly not going to spend the considerable effort to analyze every version of the malware (if I could get hold of them all) and play constant catch-up, changing my removal instructions as the malware changes.

    I'm not going to assume that what a user is reporting on the screen is indeed the exact same malware underneath, and I'm certainly not going to remotely analyze it to confirm my removal instructions are accurate, and I'm not leaving the computers of the people I advise in the hands of a botnet.

    I'm certainly not going to be used as an unwitting tool by malware authors who change the code underneath at a moment's notice or selectively, knowing only parts of their malware will be removed by my soon-to-be-outdated instructions on my blog site.

    Rather, I'm going to advise people that if they give anything malicious their admin password, to assume the worst and take appropriate action. Backup/Zero/Re-install.

    Excuse me, I'm late to my charity Windows support group where I repair computers for free, and advise people to get Macs.

  • thomas_r. Level 7 (30,105 points)

    I'm not going to play with any malware [...]

    I'm certainly not going to spend the considerable effort to analyze every version of the malware [...]

    Then why did you start this thread yourself, including inaccurate information obtained through third-hand (possibly fourth- or fifth-hand) sources? If you aren't willing to analyze this trojan, don't advise people on how to deal with this trojan. If you want to offer advice for dealing with malware in general, fine, I don't really have a problem with that.

  • R C-R Level 6 (15,790 points)

    ds store wrote:

    Am I making sense?

    Not even remotely.

    In the first place, malware authors are interested in profit, not playing games. They know they may have just one shot to convince any given user to install their code, & they aren't going to waste it on some "low grade" version.

    In the second, a trojan can't magically evolve into some other, more potent kind of malware threat, as you seem to think it can. Trojans are the simplest, least technically sophisticated kind of malware there is.

    You seem to know very little about this particular trojan & even less about malware in general. I suspect you have read a bit about one or maybe more Black Hat proof of concept exploits, but don't understand what they actually have proven or what would be required to turn them into viable malware that could be deployed over the Internet.

    You don't seem to understand what does & doesn't survive a HD erase or reformat, what part EFI plays in the boot process, the limitations on firmware-based exploits, the difference between an Apple & third party app, how processes gain root level access or the restrictions on that, or for that matter even how the anti-virus software you sometimes recommend as an effective solution to this trojan works.

    Your only real justification for your latest recommendations boils down to "maybe there will be more potent stuff in the future." While that is certainly a possibility, each new type of threat will require an appropriate, measured response, based on what it actually can & can't do. Your suggestions that (variously) a "complete Zero & install" or even a hard drive replacement either will or won't completely eliminate the threat just create fear & confusion without actually helping anybody.

  • R C-R Level 6 (15,790 points)

    ds store wrote:

    Rather, I'm going to advise people that if they give anything malicious their admin password, to assume the worst and take appropriate action. Backup/Zero/Re-install.

    And I'm going to advise people to remember that for good reason the terms of use for ASC advise users to "Test your answer. When possible, make sure your Submission works on your own computer before you post it."

    It would seem you have not done this, or even examined the malware without installing it, nor are you willing to defer to those like Thomas who have. I know you are trying to be helpful, but you are just confusing users with hearsay & wild speculation, much of it not based on any known facts or evidence.

    It might be time to give this a brief rest & do a little more research.
