
Mac Malware/poisoned images

Two detailed articles that go into greater depth of the malware attacking Mac users.



http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users


http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/




If you're new to the party:


Mac targeted trojans are making their rounds mostly by poisoned images from Google.


The exploit depends upon Javascript, you can choose to turn it off in Safari preferences, however large portions of the web don't display or operate correctly without Javascript running.


An easier preventative option would be to use Firefox and the NoScript Add-on; use Firefox toolbar customization to drag a NoScript button to the toolbar.


NoScript turns off all scripts and plug-ins by default, which you enable on a per site, per need, per visit type basis by clicking the NoScript button.


Firefox also has a pop-up window with an opt out before the download occurs, another safety step.


If you have click-happy types, it's advised to install the Public Fox add-on as well, and set a password on the browser downloads.



If you have the trojan web page on your Mac's screen, simply use Apple Menu > Force Quit to quit the browser.


If you've downloaded but not run the installer, delete it immediately from your downloads folder.


If you've installed the trojan and gave it your admin password, you need to backup your files to an external drive, boot off the installer disk and Disk Utility > Erase with Zero your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.


If you gave the AV software your credit card information, you need to call the credit card company and cancel the charge and freeze it. Assume your identity has been stolen and take appropriate action to defend your identity.


http://www.ftc.gov/bcp/edu/microsites/idtheft/



Some other advice:


Use only low amount debit/credit cards online with amounts you're willing to risk losing.


Do not enable overdraft protection with these on line type cards.


Maintain the bulk of your funds in more secure, no user electronic access accounts (keep the blame for loss entirely on the bank)


Beware that banks and credit card companies like to increase your credit/debit card limits without notice.


If you lose a considerable amount of funds through an electronic means in your control, like an ATM, credit card, debit card or on line banking, expect a very long and tiresome legal battle to hopefully regain those funds and prove fault.



(note: I receive no compensation from mentioning these sites/article or their solutions, etc)

MacBook Pro, Mac OS X (10.6.7), 17" Quad XP, Vista, 7, Linux(s)

Posted on May 13, 2011 9:15 AM

100 replies

May 13, 2011 9:38 AM in response to ds store

If you've installed the trojan and gave it your admin password, you need to backup your files to an external drive, boot off the installer disk and Disk Utility > Erase with Zero your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.

Did you learn something new that's making you say this? We had been thinking, until now, that simply trashing the files would be enough. Or is this coming from taking no chances/ better safe than sorry? That's pretty drastic medicine.


So far, I only skimmed the second link you gave, and maybe that's why I didn't notice it, but I didn't see an explanation for needing to do a clean install.


NoScript turns off all scripts and plug-ins by default, which you enable on a per site, per need, per visit type basis by clicking the NoScript button.

Turns off all plug-ins?

May 13, 2011 10:36 AM in response to WZZZ

WZZZ wrote:


Did you learn something new that's making you say this? We had been thinking, until now, that simply trashing the files would be enough. Or is this coming from taking no chances/ better safe than sorry? That's pretty drastic medicine.


So far, I only skimmed the second link you gave, and maybe that's why I didn't notice it, but I didn't see an explanation for needing to do a clean install.


If the Admin password was not given to the Trojan, then the browser needs to be Force Quit, rogue Log-in Items unchecked, and a thorough search made for malware program files, which are then removed.


A complete reinstall of OS X isn't necessary if the Admin/root password was not given.



WZZZ wrote:


NoScript turns off all scripts and plug-ins by default, which you enable on a per site, per need, per visit type basis by clicking the NoScript button.

Turns off all plug-ins?


NoScript doesn't turn off all plug-ins on default install of the add-on for you?


Plug-ins: Flash, Java, Quicktime, Silverlight?


Does here. After all Flash is the biggest exploit angle.

May 13, 2011 10:49 AM in response to ds store

NoScript doesn't turn off all plug-ins on default install of the add-on for you?


Plug-ins: Flash, Java, Quicktime, Silverlight?


Does here. After all Flash is the biggest exploit angle.

Was getting thrown by the term "turn off." (Since, when I "turn off" a plug-in, I think "disable" from Tools>Add-ons>Plug-ins.) I'm thinking placeholders. But, you're right, that is what's happening.


Still don't understand your recommendation for a clean install, if user gives password. Again, I thought it had been established that just cleaning out the malware files was adequate. That's why I'm asking what new did you learn, if anything, to lead you to recommend this drastic remedy?

May 13, 2011 12:11 PM in response to WZZZ

WZZZ wrote:


Still don't understand your recommendation for a clean install, if user gives password. Again, I thought it had been established that just cleaning out the malware files was adequate. That's why I'm asking what new did you learn, if anything, to lead you to recommend this drastic remedy?


None other than the website at the link stating it needs the root password to install.


"For the application to be installed, the user needs to input his root password."


http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users



It's wrong to assume this malware or any malware is going to remain what it is. Or assume what you see is what you get.


If the code of this present version of the malware was examined and found not to cause any further damage outside of installing itself, then that's one thing, but the potential to do more damage in future or other versions of this exact malware is there.


Remember a goal of a lot of these malware authors is to gain control of the machine for later use.


If they know their rogue code is going to attract attention, they could be using the "MACDefender" as a cover, hope to get some fools dropping $99, let people THINK that it's an easy removal when in truth it installs or changes something much more covert, calls home, opens a port or some other action that will allow return access later.



So far this malware has changed


Best Mac Antivirus, MACDefender, MACProtector, MACSecurity, Apple Security Center...


If the user doesn't give it (or any malware) the admin password, perhaps just removing the files like before will be adequate depending upon the privilege level the malware was run in and upon close examination of its code.


However, most users can't simply assume the malware they see is the same one as before and a simple deletion is fine and dandy.



To refresh:



OS X has three "privilege levels": General, Admin and Root


Without using some sort of privilege escalation exploit, any malware running uses the privileges of the user level it's running in.



Root user is turned off by default, however an Admin level user can access the "sudo window", 5 minutes of Root User privileges, by giving their Admin Password to a rogue program.


This is how Software Updates and program installs across users, hooks into the operating system etc., are performed.



So the following situations can occur depending what the user privilege level is and what the user does with the malware.



A: Very bad: (root level access)


If the user gives the admin password to any malware, the malware has a 5 minute "root user" time window to do whatever it pleases to the computer. Complete and total access to everything, including firmware. There is hope that if the firmware(s) wasn't attacked, the user can simply boot off the installer disk, zero their boot drive in Disk Utility and reinstall OS X.


Most likely, if a user gives malware their admin password, they are going to need professional help to ensure the firmware isn't compromised or the malware can return.



B: Can be very bad: (admin level access)


If the user is an Admin User and any malware is run, with no password entered, it can certainly do a considerable amount of damage, alter programs and root the machine eventually by slow methods including privilege escalation(s). Most certainly it can delete or encrypt user files.


Since OS X is set up with the first user being an Admin, and a lot of people remain that first Admin user, in this case it's perhaps best not to take any chances and backup > reinstall OS X, fresh programs from sources etc., to completely clear the machine.


If one has the capability to examine the malware code before it's run and has the opportunity to delete parts of it, is well trained in programming and so forth, naturally a complete wipe and reinstall is unnecessary; they know that already.




C: Is bad, but easily recovered if certain things don't happen. (general user access)


If the user is a General User and any malware is run, with no password entered, it can do damage to user files. If they are then encrypted like what ransomware does, then it's bad if there is no uninfected backup of the data.


Rogue code has the least amount of access in General User, thus it's easier to remove as it's confined to the General User's access folders. Once it's all found and removed, the computer's security should be restored.


Still, the malware could upload all user files, and unencrypted files could be read by others.




So, since this malware asks for the Admin password to install, it has to be assumed it had total and complete access to the machine.


If the user can't understand the code, then they really don't know if the simple removal methods were adequate enough.
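The post's point that code run without the admin password is confined to the general user's own folders, while code given the password can write system-wide locations, suggests an order for the "thorough search for malware program files" mentioned earlier in the thread. The script below is an added example, not the poster's method and not an Apple tool: it walks the standard launchd persistence folders on a volume (booted, or mounted from another Mac), grouped by the privilege level needed to write each one. The folder-to-privilege table is an assumption drawn from macOS conventions, not from this thread, and the sample plists it builds in a temporary directory are constructed for demonstration.

```python
"""List launchd persistence jobs on a macOS volume, grouped by the privilege
level needed to plant them (added example; folder table and sample data are
assumptions, not from the thread)."""
import os
import plistlib
import tempfile

# Assumed scope table: which privilege level can write each directory.
#   general: a user's own ~/Library/LaunchAgents (no password needed)
#   admin:   /Library/LaunchAgents and /Library/LaunchDaemons (system-wide)
#   root:    /System/Library/... (normally only Apple's own jobs)
SCOPES = [
    ("general", "Users/{user}/Library/LaunchAgents"),
    ("admin", "Library/LaunchAgents"),
    ("admin", "Library/LaunchDaemons"),
    ("root", "System/Library/LaunchAgents"),
    ("root", "System/Library/LaunchDaemons"),
]


def list_jobs(volume_root, user):
    """Return [(scope, plist_path, label, program)] for every launchd plist found.

    volume_root is "/" for the booted system or the mount point of another
    volume; user is the short name whose home LaunchAgents folder to include.
    """
    jobs = []
    for scope, rel in SCOPES:
        directory = os.path.join(volume_root, rel.format(user=user))
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:
                # Unreadable or malformed plist: still worth listing for review.
                jobs.append((scope, path, None, None))
                continue
            program = data.get("Program")
            if program is None:
                args = data.get("ProgramArguments") or []
                program = args[0] if args else None
            jobs.append((scope, path, data.get("Label"), program))
    return jobs


def jobs_outside_user_scope(jobs):
    """Jobs that could only have been written with admin or root rights."""
    return [j for j in jobs if j[0] != "general"]


def jobs_with_program_under(jobs, prefix):
    """Jobs whose program lives under prefix (e.g. a home folder or /tmp)."""
    return [j for j in jobs if j[3] and j[3].startswith(prefix)]


def make_sample_tree():
    """Constructed sample volume: one user-level agent and one system daemon."""
    root = tempfile.mkdtemp(prefix="vol_")

    def write(rel, payload):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(payload, fh)

    write("Users/alice/Library/LaunchAgents/com.example.updater.plist",
          {"Label": "com.example.updater",
           "ProgramArguments": ["/Users/alice/Library/Application Support/updater", "-d"],
           "RunAtLoad": True})
    write("Library/LaunchDaemons/com.example.helper.plist",
          {"Label": "com.example.helper", "Program": "/usr/local/bin/helper"})
    return root


if __name__ == "__main__":
    vol = make_sample_tree()
    for scope, path, label, program in list_jobs(vol, "alice"):
        print(f"[{scope:7}] {label}: {program}")
```

On a real machine the interesting rows are the ones a user-level process could not have written (admin/root scope) and any job whose program points into a home folder, Downloads or a temporary directory; the former only make sense if a password was given, which is exactly the distinction the post draws.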

May 13, 2011 12:03 PM in response to ds store

If you've installed the trojan and gave it your admin password, you need to backup your files to an external drive, boot off the installer disk and Disk Utility > Erase with Zero your whole boot drive, reinstall OS X fresh


I have played with this trojan extensively, and nothing that I have found supports this recommendation. Following the MacDefender/MacSecurity/MacProtector removal instructions on my blog is adequate. For that matter, even if reinstallation of the system was required, zeroing out the entire drive would serve no purpose whatsoever.

May 13, 2011 12:10 PM in response to ds store

So far this malware has changed a lot:


Best Mac Antivirus, MACDefender, MACProtector, MACSecurity, Apple Security Center...


Actually, it has not changed at all in the last week, to my knowledge. I have continued to locate and examine recent copies, and they are all just MacProtector. Further, you're obviously confused as to your terminology here. There has never been a variant called "Best Mac Antivirus"... the initial version of this trojan, MacDefender (not "MACDefender"), came in a .zip file named "BestMacAntivirus2011.mpkg.zip". MacSecurity and MacProtector are distributed from sites that say "Apple Security Center" at the bottom (see the following screenshot).


Please, we do not need this kind of misinformation confusing people about this issue!


User uploaded file

May 13, 2011 12:28 PM in response to thomas_r.

Thomas A Reed wrote:


If you've installed the trojan and gave it your admin password, you need to backup your files to an external drive, boot off the installer disk and Disk Utility > Erase with Zero your whole boot drive, reinstall OS X fresh


I have played with this trojan extensively, and nothing that I have found supports this recommendation. Following the MacDefender/MacSecurity/MacProtector removal instructions on my blog is adequate. For that matter, even if reinstallation of the system was required, zeroing out the entire drive would serve no purpose whatsoever.


Again, Thomas, you're assuming things are the way they are and not what they can be or are going to be.


That's exactly how the malware authors want people to think. And that's why they purposely put out low grade versions of their malware first, to flood the web with outdated, ineffective removal techniques, so that when they release the more potent variant people assume a few simple deletions here and there are going to suffice.


It's wrong to get lazy on malware, "ah you don't need to zero your drive and reinstall" "just delete this and that and your done"


That's fine for this particular version of malware today, but not for the ones tomorrow or on another server someplace, is what I'm trying to say.


This "MacDefender" obviously needs social engineering in order to work, so something has to be "gamed" on the user to accomplish that and not to cause further security or from the user doing the exact thing I'm recommending, which is a complete Zero and install.


If "Boris" is meant to suggest the malware authors are Russian, you need to know Russians enjoy chess immensely.


If we assume what we see now as a given, then we give the malware authors the chance to change things to suit their needs, we will be behind in all steps, they control the game.


Am I making sense?

May 13, 2011 12:47 PM in response to thomas_r.

Actually, this might make some perk up their ears.


http://x704.net/bbs/viewtopic.php?f=17&t=5307


I'd assume this is the commercial version of Sophos.


this is of extreme interest at my workplace. our receptionist DLed it this week supposedly surfing MSN

sophos picked it up on her iMac. we had a chance to take it apart a little bit


Quote:

Scan items:
Path: /Users/[name removed]/Downloads/death/anti-malware.zip enabled: yes
Configuration:
Scan inside archives and compressed files: Yes
Automatically clean up threats: No
Action on infected files: Report only


Scan started at 2011-05-10 15:32:53 -0700


2011-05-10 15:32:53 -0700 Threat: 'OSX/FakeAV-A' detected in /Users/nate/Downloads/death/anti-malware.zip/MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz/Archive.pax/./MacProtector.app/Contents/MacOS/MacProtector


Scan completed at 2011-05-10 15:32:53 -0700.
1 items scanned, 1 threats detected, 0 issues


Looking at the payload, it looks like it root kits the OS:


/usr/lib/dyld
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
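The Sophos report quoted above is easy to read by eye, but the detection path packs six nested containers (zip, mpkg, pkg, pax.gz, pax, app bundle) into one string, and the "Report only" setting means the flagged file is still on disk afterwards. The following is an added example, not code from the thread, from Sophos or from any of the posters: it parses that report format into structured findings, splits the nested path into its container chain so the on-disk artifact to remove (the outermost container, here the zip in Downloads) is separated from the flagged file inside it, and checks that the summary counts match the findings. The sample report is constructed from the one quoted above with the user name replaced by a placeholder; the container-suffix list and the line patterns are assumptions based on that single report, not on Sophos documentation.

```python
"""Parse a Sophos for Mac command-line scan report into structured findings
(added example; line patterns and container suffixes are assumptions drawn
from the single report quoted in the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: same shape as the quoted report, user name replaced.
SAMPLE_REPORT = """\
Scan items:
Path: /Users/[name removed]/Downloads/death/anti-malware.zip enabled: yes
Configuration:
Scan inside archives and compressed files: Yes
Automatically clean up threats: No
Action on infected files: Report only

Scan started at 2011-05-10 15:32:53 -0700

2011-05-10 15:32:53 -0700 Threat: 'OSX/FakeAV-A' detected in /Users/[name removed]/Downloads/death/anti-malware.zip/MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz/Archive.pax/./MacProtector.app/Contents/MacOS/MacProtector

Scan completed at 2011-05-10 15:32:53 -0700.
1 items scanned, 1 threats detected, 0 issues
"""

# Assumed: path components with these suffixes are containers the scanner
# descended into (order matters: ".pax.gz" must be tested before ".pax").
CONTAINER_SUFFIXES = (".zip", ".mpkg", ".pkg", ".pax.gz", ".pax", ".app")

THREAT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in (?P<path>.+)$"
)
SUMMARY_RE = re.compile(
    r"^(?P<scanned>\d+) items scanned, (?P<threats>\d+) threats detected, "
    r"(?P<issues>\d+) issues$"
)


@dataclass
class Finding:
    timestamp: str
    threat: str
    raw_path: str
    containers: list = field(default_factory=list)  # outermost first
    member: str = ""  # flagged file inside the innermost container


@dataclass
class Report:
    findings: list = field(default_factory=list)
    scanned: int = 0
    threats: int = 0
    issues: int = 0
    cleanup_enabled: bool = False


def split_container_chain(path):
    """Split archive-in-archive paths into (containers, member).

    Each component ending in a container suffix closes one layer; whatever
    remains after the last container is the member path inside it.
    """
    parts = [p for p in path.split("/") if p not in ("", ".")]
    containers, current = [], []
    for part in parts:
        current.append(part)
        if part.lower().endswith(CONTAINER_SUFFIXES):
            containers.append("/".join(current))
            current = []
    if containers and path.startswith("/"):
        containers[0] = "/" + containers[0]  # keep the outermost path absolute
    return containers, "/".join(current)


def parse_report(text):
    """Build a Report from the raw scan output."""
    report = Report()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Automatically clean up threats:"):
            report.cleanup_enabled = line.split(":", 1)[1].strip().lower() == "yes"
            continue
        m = THREAT_RE.match(line)
        if m:
            containers, member = split_container_chain(m["path"])
            report.findings.append(
                Finding(m["ts"], m["name"], m["path"], containers, member))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.scanned = int(m["scanned"])
            report.threats = int(m["threats"])
            report.issues = int(m["issues"])
    return report


def counts_consistent(report):
    """True when the summary's threat count matches the threat lines seen."""
    return report.threats == len(report.findings)


def needs_attention(report):
    """True when threats were found but the scanner was not set to clean up."""
    return report.threats > 0 and not report.cleanup_enabled


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for f in rep.findings:
        print(f.threat, "in", f.containers[0])
        print("  nesting:", " > ".join(f.containers))
        print("  flagged member:", f.member)
    print("report-only run, artifact still on disk:", needs_attention(rep))
```

Reading the chain this way makes the cleanup target obvious: the outermost container is the downloaded zip, which matches the advice earlier in the thread to delete an unrun installer from the Downloads folder, and the member path shows the detection fired on the bundled executable rather than on the package wrapper.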

May 13, 2011 1:29 PM in response to WZZZ

Looking at the payload, it looks like it root kits the OS:


/usr/lib/dyld

/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa

/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit

/usr/lib/libgcc_s.1.dylib

/usr/lib/libSystem.B.dylib


Well there it is there. 🙂




Since you asked, you strike me as totally paranoid.


Allan



I rebuild people's infected Windows computers, what do you expect? 🙂

May 13, 2011 4:28 PM in response to ds store

I just want to point out that you don't give the Trojan your password, only the installer. At that point the Trojan isn't even installed, let alone running and able to do anything with it. I can also assure you that the installer scripts I have analyzed to date don't do anything with it, either. I doubt that they would be able to. There is absolutely no way to justify reinstalling the OS.

May 13, 2011 6:19 PM in response to MadMacs0

MadMacs0 wrote:


I just want to point out that you don't give the Trojan your password, only the installer.


So a root level installer from the same people who are attempting to deliver a Trojan is to be trusted? 😀


Oh, thanks, I really needed a laugh. 😀



MadMacs0 wrote:


At that point the Trojan isn't even installed, let alone running and able to do anything with it.


The installer with root access is placing the Trojan in place, I see it makes little difference. Both are bad.



MadMacs0 wrote:


I can also assure you that the installer scripts I have analyzed to date don't do anything with it, either. I doubt that they would be able to.


Exactly, "to date" is my point.


If someone comes here with what appears to be the same exact malware on the surface, it might not be the same exact malware underneath, right?


There is absolutely no way to justify reinstalling the OS.


But I just gave you a darn good justification.



You can't, with all good intention, recommend people not take any chances and possibly leave parts of new malware unattended in their operating systems.



And here's another good reason: a 20,000 strong botnet of Macs, done by a Trojan from people who installed P2P copies of software.


The Mac botnet was "activated" quite some time later, so all those people didn't know they were compromised during the waiting period.


http://www.networkworld.com/news/2009/041709-first-mac-os-x-botnet.html
