Symantec: Mac OS X Becoming a Malware Target

tb3 writes "According to ZDNet 'Security vendor Symantec is warning that Apple's OS X operating system is increasingly becoming a target for hackers and malware authors.' They go on to warn that the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net. Now that people are buying Apple products for 'style over function,' according to one analyst, Apple computer has become a target for new attacks. More coverage on Australian IT and Silicon.com. I guess sales of Norton Anti-Virus for Mac needed a boost." Symantec may well be right about this, but note that they also have the world's biggest vested interest in making Mac owners nervous enough to buy their anti-virus products.

  • by Anonymous Coward on Monday March 21, 2005 @09:01PM (#12006649)
    Really?

    Even so... what's the matter? Style's still pretty good, even if the box is full of viruses...
  • Portability (Score:5, Funny)

    by khromatikos ( 839805 ) on Monday March 21, 2005 @09:02PM (#12006664) Homepage
    That's great!

    Once they have it for OSX it must be fairly easy to port it to FreeBSD. I guess they might have to add a new category in the ports: /usr/ports/malware
  • by tofucubes ( 869110 ) on Monday March 21, 2005 @09:03PM (#12006672)
    gee wonder why Symantec, an antivirus and firewall maker, would say such a thing...
  • Infidel! (Score:4, Funny)

    by Faust7 ( 314817 ) on Monday March 21, 2005 @09:03PM (#12006675) Homepage
    Is that so wrong?

    Yes. Now, back to the bash prompt with you, heathen, and may the glistening tentacles of Aqua and Luna never intrude upon your conscience again!

    (I kid, I kid. Luna doesn't glisten.)
  • How useful (Score:5, Funny)

    by Anonymous Coward on Monday March 21, 2005 @09:05PM (#12006692)
    Symantec Anti-Virus OSX Version 1.0:

    Please upgrade to signature file 032105.sgn, your current version only detects 3 viruses, however the new signature file finds and cleans 5 different viruses.
  • by jav1231 ( 539129 ) on Monday March 21, 2005 @09:10PM (#12006743)
    I think he meant "style over malfunction."
  • by Anonymous Coward on Monday March 21, 2005 @09:12PM (#12006779)
    Accept that one that is never turned on and used.

    I will gladly accept that one that is never turned on and used. Please ship to....
  • by Hungus ( 585181 ) on Monday March 21, 2005 @09:19PM (#12006861) Journal
    Hey, I have a product I have developed that stops all known chartreuse buzzards from stealing your cheese if you send me 50 bucks I will let you use it. (I mean since you are using a product that detects all known viruses on OS X you must be interested in using my product too right?)
  • by carpe_noctem ( 457178 ) on Monday March 21, 2005 @09:22PM (#12006895) Homepage Journal
    I said the same thing about my ex before she gave me herpes. =(
  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Monday March 21, 2005 @09:27PM (#12006936) Journal
    "Don't hate me because I'm beautiful."

    &c.
  • uh oh (Score:5, Funny)

    by Heisenbug ( 122836 ) on Monday March 21, 2005 @09:40PM (#12007043)
    I try sticking to the bash prompt, but I keep seeing Safari through the translucent Terminal window and coming back to check Slashdot.

    Maybe I'm doing it wrong.
  • Re:Infidel! (Score:5, Funny)

    by PedanticSpellingTrol ( 746300 ) on Monday March 21, 2005 @09:43PM (#12007062)
    ... God rest his soul.
  • by lullabud ( 679893 ) on Monday March 21, 2005 @09:50PM (#12007124)
    ...finds and cleans 5 different viruses which exploit vulnerabilities that were all patched in the latest point release of OS X 10.2 and 10.3.
  • by ellem ( 147712 ) * <ellem52.gmail@com> on Monday March 21, 2005 @10:00PM (#12007239) Homepage Journal
    and it kinda sucks. Every now and again (and not when it is scanning) it just takes over all the CPU's attention. So you kill it and then it comes back. So you kill it and then it comes back. So you disable it and this story comes out.

    Looks like this is my fault. Sorry.
  • WOW (Score:4, Funny)

    by electricdream ( 413007 ) <altjeringa.gmail@com> on Monday March 21, 2005 @10:13PM (#12007361) Homepage
    This is such a deep insightful article! Do I understand it correctly? Here's what I think it says:

    A virus protection and half-ass security company says that as the marketshare of one of the platforms it supports increases so should sales for the products it creates for that platform.

    Did I get that correct?
  • by Anonymous Coward on Monday March 21, 2005 @10:25PM (#12007481)
    "The one thing that bothers me about KDE is the fact that every application's name begins with a "K""

    I've always wanted to make some software named something like "Usable Network Toolkit" and have it added to KDE - just to see if they persist with the K prefix ;)
  • by aichpvee ( 631243 ) on Monday March 21, 2005 @10:54PM (#12007700) Journal
    iLife, iMovie, iTunes, iPod, iMac... iKnow I'm forgetting a lot of them...
  • by flyingsquid ( 813711 ) on Monday March 21, 2005 @10:54PM (#12007707)
    Yes, but OS X has the most stylish viruses and malware around!
  • by bob670 ( 645306 ) on Monday March 21, 2005 @11:16PM (#12007905)
    spyware outbreak to show up so that...
    1. Windows users can say "told ya' so"
    2. Mac users will be, albeit briefly, completely silenced
    3. People can start submitting new "Apple Death Knell" articles.
  • by vwjeff ( 709903 ) on Monday March 21, 2005 @11:52PM (#12008189)
    Apple fans are the perfect audience. Most are technically non-savvy arty types who are easier to FUD.

    I believe general stereotypes are bad but do have an example that fits this.

    I work for the local school district as a computer tech. Recently, the art department bought a Powerbook for every art teacher. I got a call last week from an art teacher who said she was having problems installing a program. I told the user I would help her install it.

    I get to the computer and ask her where the software is. She said she got it in an email from a friend. The subject was "Spring screensavers for you."

    Of course the attachment was a zipped .exe containing a keylogger trojan. If this would have been a Windows box she would have unknowingly attempted to install a trojan. (All of our Windows boxes have AV software centrally managed)

    I guess my point here is what if that trojan was coded for a Mac? A multiuser system is pointless if the user knows the admin/root password. (Our users do not have admin access.) In my experience, entering a password is more of an annoyance than a security measure for many users.

    Ok, now I'm going off to another story but it is worth reading. A person of importance in the district recently got a new computer with XP Pro. She had previously had a Windows 98 PC and was in the habit of canceling past the Microsoft login. I don't blame her. There is no security there. Her new computer is shared between two people so I made an account for each of them like I do on every new computer. This person did not like the idea of having to type her password in just to get into her computer.

    On Friday at 3:45 (work ends at 4:00) I got a call from the user demanding that the password be taken off the computer. She just wanted to turn on her computer and be at the desktop.

    I did as she asked but also took the liberty to change her important documents to hidden. I was hoping I would get a call today. I did.

    After getting a desperate voicemail from the user, I slowly made my way to her office. There she asked me what had happened to her documents. I played stupid and asked what documents. She said all of her important files were in the My Documents folder on Friday and they are not there anymore. I then came up with some bs about how I would need to recover them because someone must have been using the computer over the weekend and must have deleted them by accident. (Strangely enough there were children in that room over the weekend. Perfect scapegoats.)

    I waited for about ten minutes and when she left the room I removed the hidden property from the documents. I then said I could enable the password so no one could get into her computer. She was more than willing.

    Was my action unethical? Perhaps. Was it funny? I think so. I'm just happy I got my point across with no damage done.
  • by gt_swagger ( 799065 ) on Tuesday March 22, 2005 @12:00AM (#12008261) Homepage
    The malware has a slick looking, brushed gray metal GUI... and is clean, simple, effective, efficient, and beautiful.
  • by robogun ( 466062 ) on Tuesday March 22, 2005 @12:46AM (#12008618)
    Here is what I have:
    He is running a G4 with OSX 10.2.8
    He opened the email with 1.2.5
    He runs Camino as a browser
    1) He received an Ebay phishing email. The subject line was 'Please verify your eBay account'
    This email appeared similar to others received on a daily basis.
    2) He opened the email, but states he entered no information, as he knew what it was.
    3) He reports the screen "flashed for a second." Otherwise, the computer appeared to continue to operate normally.
    4) After some time, he noticed no new emails were arriving. He knew something was up when not even spam was appearing.
    5) He dialed Earthlink Customer Service, and after a couple of hours, it was determined an attacker had obtained his Earthlink account information and set up email forwarding.
    6) Also, he logged into Ebay and discovered a number of auctions for high-end goods in progress under his screen name. The attacker had changed his ebay email address to the forwarded address.
    7) After more bouts with Customer Service, he recovered his accounts and passwords were changed.

    Any ideas what happened?
  • by Shag ( 3737 ) * on Tuesday March 22, 2005 @01:33AM (#12008914) Journal
    Let me just tweak com.lovecraft.fhtagn.cthulhu.plist real quick.
  • by CodeBuster ( 516420 ) on Tuesday March 22, 2005 @01:43AM (#12008963)
    I manage a group of offshore foreign software engineers and they will use VBScript to run FTP with the shared directory mapped to the root of the C drive using the domain administrator account over the Internet. I have tried to explain to them why this is not a good idea, but their argument is always, "We haven't had any [security] problems yet...if you don't like it then rewrite it [the software] yourself." One step that Microsoft is taking is to require Certified Partners to adhere to the best practices, which include not requiring root privileges to run the software (unless of course the program is an OS service or other administrative related application that requires root by definition). You are right though, plenty of developers are ignoring these best practices. However, there will come a day, and the day is fast approaching, when no serious company will be able to sell their Windows software if they do not get it certified and signed with a code-signing certificate. So at least in that regard the trusted computing initiative may be a good thing.
  • by dspisak ( 257340 ) on Tuesday March 22, 2005 @02:55AM (#12009383)
    Symantec has warned that as dspisak's Slashdot mind share increases his PC will start to come under increased attack from trolls

    Security vendor Symantec is warning that dspisak's Slashdot posts are increasingly becoming a target for hackers and malware authors.

    In its seventh bi-annual Slashdot Internet Security Threat Report, Symantec said over the past year, security researchers had discovered at least 37 serious typos and duplicate story submissions in dspisak's Slashdot usage. According to Symantec, as dspisak increases his mind share -- with new low content posts such as the Comment mini -- his fanbase is likely to come under increasing attack.

    "Contrary to popular belief, the Slashdot discussion forums have not always been a safe haven from poor spelling and grammar," Symantec said. "Out of the public eye for some time, it is now clear that dspisak is increasingly becoming a target for the malicious activity that is more commonly associated with Jon Katz and various Slashdot editors like timothy," the report said.

    "dspisak has become a target for new attacks... The appearance of a -1 Troll rating for a post called "Boo-Fuching-Hoo" in October 2004, serves to illustrate the growth in vulnerability research in dspisak's comments... The various dspisak comment vulnerabilities allow attackers to carry out information disclosure, punctuation bypass, troll execution, comment escalation, and IQ attacks. Symantec believes that as the popularity of dspisak's new paradigm continues to grow, so too will the number of attacks directed at it," the report said.

    Symantec's concerns were echoed by James Turner, security analyst at Frost & Sullivan Australia, who said many of the people who read dspisak comments were not concerned about factual correctness, which left them wide open to attack.

    "The duplicate story submissions, funny in-joke humor and mini Comments are cool creations," Turner said. "The by-product is that people are agreeing with these comments for style over actual usefulness. They say it looks pretty and then read it but don't fact-check it. As dspisak increases his mind share, he will be a legitimate target for the Secret Service".

    Trend Micro senior systems engineer Adam Biviano said all complex comments had grammatical flaws and the more popular the person, the more likely he would be attacked.

    "All sophisticated comments -- dspisak, bperens, goatse or anything else -- especially Natalie Portman's hot grits will have vulnerabilities," Biviano said. "The only reason goatse has had mass exploits written for it is the sheer number of connected people reading it that are present on most networks. As soon as you start seeing mass deployment of any comment mind share you are going to see exploits".

    According to Biviano, while there have not been any mass outbreaks of viruses targeting dspisak, the potential does exist.

    "You don't see dspisak trolls in mass outbreaks but you do see them in the labs as proof of concepts. There aren't any outbreaks because there simply are not enough [dspisaks] out there. For a troll to be successful it needs a combination of a worthy jab and a large target audience," said Biviano, who nominated the mobile phone market as an example of malware writers targeting the comment, not goatse's mind share.

    "Look at where mobile comments are going and they are not targeting goatse -- they are targeting the market leader, which is cmdrtaco," he said. The Symantec report found in the second half of last year, an increasing proportion of malware was designed to expose spelling errors. The report also found that phishing attacks increased by 366 percent while the number of goatse-based worms and viruses increased by 64 percent, when compared to the first half of 2004.
  • by Laconian ( 578463 ) on Tuesday March 22, 2005 @03:28AM (#12009523)
    1. Write a Cocoa app that makes a progress bar that fills to 100% and says "No viruses found!"
    2. ... (spread FUD)
    3. Profit!
  • by draxredd ( 661953 ) on Tuesday March 22, 2005 @06:56AM (#12010277)
    A friend of mine just complained to me about his iMac... because he can't open .exe mail attachments, so he wants to buy a PC...
  • by OwnedByTwoCats ( 124103 ) on Tuesday March 22, 2005 @10:14AM (#12011193)
    As soon as Apache is as popular as Microsoft's superior IIS, there will be just as many exploits for Apache as there are for IIS.

    Oh, wait a minute....