
Malware in Tiger?

Since I'm stuck with Tiger OS, is there any solution to deal with malware?

G4 desk top; G5 iMac, Mac OS X (10.3.x), G4 Ethernet; G5 Intel iMac

Posted on Apr 23, 2012 5:51 AM

23 replies

May 4, 2012 2:04 PM in response to petermac87

I made several points in my posting [ https://discussions.apple.com/thread/3897205?answerId=18301566022#18301566022 ] in this thread.


All of which were in support of elistu's - and other users' - concerns, having a very real basis, and I also gave some detailed descriptions of some settings where such issues might be of concern.


I've also seen it happen - including in educational settings - where malwares spread through networked computers of several different Platforms, including where one teacher re-infected all the Macs in the network by forgetting to first scan the media she plugged in to one machine in one instance, and re-infected all the Windows machines in another instance (the student computer technician who'd just gotten done removing the malwares, wasn't pleased about having to do all the removals all over again, in either instance).


I know plenty of users (including in user groups I'm part of) where people have Macs, Windows and Linux machines networked and have had some of them taken down - while others weren't (due to what took them down being inert under some versions of some OSes, but not others).


I also know of some instances where a relative of mine's Mac was infected by malwares, by the person doing the house-sitting going to some sites (that it would have been wiser to not go to) and clicking on links there.


In conclusion, while Macs of whatever generation certainly have fewer security issues/headaches in some areas, it is a multi-Platform, networked (both local, and internet) world out there, and speaking as a Mac user, elistu's - and other users' - concerns and questions are certainly reasonable.

May 4, 2012 5:08 PM in response to a brody

>Almost no web sites use Java any more, except for malware vendors.

You are sorely mistaken...


Applet Usage Statistics


From the FAQ:


What is BuiltWith Trends?

BuiltWith Trends provides weekly updated free information about the most popular technology used on the web across all areas of web technology including but not limited to analytics, advertising, frameworks, ecommerce and website widgets.


How are the charts calculated?


The charts show the percentage of sites using the selected technology within the top 10,000, top 100,000 and top million sites over a historical period of time. We update the charts on a weekly basis.

May 4, 2012 5:09 PM in response to petermac87

In terms of just the current Flashback malwares:


When other users ask me for help, I'm aware of the Terminal.app commands for Intel Macs for detecting some of the known Flashback malwares:


defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


defaults read /Applications/Safari.app/Contents/Info LSEnvironment


defaults read /Applications/Firefox.app/Contents/Info LSEnvironment


ls -la ~/../Shared/.*.so


and I can direct users to web pages with instructions on how to manually remove the known Flashback malwares, if discovered.


For multi-booting users booting OS X and Windows (whether via Boot Camp or a non-Apple method or third party utilities) and/or for users using Parallels Desktop or VMware Fusion to run Windows while booted under Intel versions of OS X, I don't have an answer on how to detect if Flashback malwares are present on a Windows volume being accessed.


For OS X 10.3.9 PowerPC users and OS X 10.4.11 PowerPC users, I have no way to tell them how to detect if the currently inert under PowerPC Flashback malwares are contained in a file that might be shared with an Intel OS X 10.5.8 - OS X 10.7.3 Intel user


For NTFS volumes mounted under versions of Linux kernel-based OSes, I have no way to tell users how to detect if the currently inert under Linux kernel-based OSes Flashback malwares are contained in a file that might be shared with an Intel OS X 10.5.8 - OS X 10.7.3 Intel user.


For users running a version of Linux kernel-based OSes installed, who have enabled EXT2/EXT3 Volumes as read/write while booted under OS X (this is something that BSD/UNIX/Linux geeks are more apt to do than the average users), I have no way to tell users how to detect if the currently inert under PowerPC Flashback malwares are contained in a file that might be shared with an Intel OS X 10.5.8 - OS X 10.7.3 Intel user.


For Mac OS 8.6, Mac OS 9.1, and Mac OS 9.2.2 users, I have no way to tell users how to detect if the currently inert under PowerPC Flashback malwares are contained in a file that might be shared with an Intel OS X 10.5.8 - OS X 10.7.3 Intel user.


I also haven't found any program for scanning attachments in Emails for all known Flashback malwares - although I'd imagine there will be updates to at least some OS X anti-malware programs for at least Intel Macs, that will do this before long.


I believe that if enough users from all of the aforementioned Platforms - Intel/AMD and PowerPC hardwares and various OSes alike - were willing and pooled their knowledge and experience together, a web page covering most of these things could be created, written in a manner that the average user could understand and use (rather than users piecemeal hunting around a mass of web pages on Apple's site and different other sites, trying to find answers).

May 4, 2012 5:43 PM in response to Totusek

Totusek wrote:


I believe that if enough users from all of the aforementioned Platforms - Intel/AMD and PowerPC hardwares and various OSes alike - were willing and pooled their knowledge and experience together, a web page covering most of these things could be created, written in a manner that the average user could understand and use (rather than users piecemeal hunting around a mass of web pages on Apple's site and different other sites, trying to find answers).

Given that this forum is specific to Lion and in particular non support of PPC then it is probably not the place to try to kick off your idea. If you want to develop such a website, find contributors and publish it somewhere then good luck. One Flashback malware stopped in its tracks by secure measures does not concern me too much.


Good Luck


Pete

May 4, 2012 6:22 PM in response to Totusek

Totusek wrote:


In terms of just the current Flashback malwares:


When other users ask me for help, I'm aware of the Terminal.app commands for Intel Macs for detecting some of the known Flashback malwares:


defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


defaults read /Applications/Safari.app/Contents/Info LSEnvironment


defaults read /Applications/Firefox.app/Contents/Info LSEnvironment


ls -la ~/../Shared/.*.so


and I can direct users to web pages with instructions on how to manually remove the known Flashback malwares, if discovered.

But these commands will not find the first two files installed by Flashback "K" that presumably infected 600,000 Macs at the end of March. In any case, why should users who are unfamiliar with the Terminal application do this when the three Apple updates for users of OS X 10.6.8 and above appear to be a far superior solution and for other Intel Macs there are proven tools available to do this automatically, specifically the one from F-Secure http://www.f-secure.com/weblog/archives/00002346.html.

May 4, 2012 6:55 PM in response to Totusek

For OS X 10.3.9 PowerPC users and OS X 10.4.11 PowerPC users, I have no way to tell them how to detect if the currently inert under PowerPC Flashback malwares are contained in a file that might be shared with an Intel OS X 10.5.8 - OS X 10.7.3 Intel user

You forgot OS X 10.5.8 PPC users like myself, but in any case there are two types of files that could possibly harm an Intel user. The first would be the earlier FlashPlayer.pkg installer files that were distributed as (obviously) updates to FlashPlayer. Despite all my attempts to download a sample file from known malware server sites, I was never able to do so, but at exactly the same time as I was being diverted to Adobe's real Flash site, a colleague of mine had no problem downloading it to his Intel Mac and sending it to me.


Virtually every A-V software vendor that runs on a PPC Mac contains multiple signatures for these early variants, yet there have been zero reports here, in the A-V vendor forums or the media of a PPC user finding any of them. So at this point I must conclude that the chance of a PPC user distributing one of these files is slim at best and not worth worrying about.


The recent installer variants are all Java Applets that are loaded directly into RAM to accomplish the initial stages of installation. I believe that initially one could find a cached version of the Applet on the hard drive, but the latest versions delete the entire Java cache to ensure anonymity. The next stage is to install the updater and its initiator (those files I mentioned before that your Terminal Commands won't find) into the user's Home folder. I can't imagine a scenario where a PPC user would somehow transfer an invisible file at the root level of his home folder and a launchagent to an Intel user who would then drag them to those same locations on his hard drive, with one exception. If a user obtains an Intel Mac and migrates his user account from an older PPC Mac, those files would almost certainly be migrated across.


But again, I must say that as a PPC user I was totally ignored on known Flashback distribution sites while my Intel Mac colleague had no problem at all infecting his sandbox. And no PPC users have reported finding any infection using the only tool that I've found that runs on a PPC from Norton http://us.norton.com/mac-flashback/promo or by using Little Snitch to intercept the updater commands. So again I must conclude that this is not of concern.


If you can find an example of PPC infection please let us know, otherwise there are many other things of greater importance to most of us at this time.
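
Added example, not written by any poster in this thread: the four Terminal checks quoted above run as one Python scan, plus a heuristic for the case the replies say those commands miss (a launch agent that starts an invisible file at the root of the home folder). The heuristic itself, the names `scan` and `constructed_home`, and the sample label and paths are assumptions made for illustration.

```python
import plistlib, tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def read_plist(path):
    """Parse an XML or binary plist; {} when missing or unreadable (the clean case)."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
        return data if isinstance(data, dict) else {}
    except (OSError, plistlib.InvalidFileException, ExpatError):
        return {}

def scan(home, apps="/Applications"):
    home, hits = Path(home), []
    # defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    env = read_plist(home / ".MacOSX" / "environment.plist")
    if "DYLD_INSERT_LIBRARIES" in env:
        hits.append(("environment", str(env["DYLD_INSERT_LIBRARIES"])))
    # defaults read /Applications/<browser>/Contents/Info LSEnvironment
    for app in ("Safari.app", "Firefox.app"):
        info = read_plist(Path(apps) / app / "Contents" / "Info.plist")
        if "LSEnvironment" in info:
            hits.append((app, str(info["LSEnvironment"])))
    # ls -la ~/../Shared/.*.so
    for so in sorted((home.parent / "Shared").glob(".*.so")):
        hits.append(("shared", so.name))
    # Assumed heuristic from the later reply: a LaunchAgent that starts a
    # hidden file sitting at the root of the home folder.
    for agent in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        job = read_plist(agent)
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        prog = Path(str(args[0]))
        if prog.name.startswith(".") and prog.parent == home:
            hits.append(("launchagent", agent.name))
    return hits

def constructed_home(root):
    """Build a constructed (fake) home with only the LaunchAgent pattern present."""
    home = Path(root) / "Users" / "sample"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    job = {"Label": "com.example.job", "ProgramArguments": [str(home / ".example")]}
    with open(agents / "com.example.job.plist", "wb") as fh:
        plistlib.dump(job, fh)
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan(constructed_home(tmp), apps=Path(tmp) / "Applications"))
```

On the constructed home the first three checks report nothing and only the launch agent entry is returned, so an empty result from the `defaults` and `ls` commands alone does not rule out the variant described in the replies.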
