First Scareware For the Mac

I Don't Believe in Imaginary Property sends us news from F-Secure of what they claim is the first rogue cleaning tool for the Mac. MacSweeper is a Mac version of Cleanator, hosted from a colo somewhere in the Ukraine. The article points out that the company's About page is lifted verbatim from Symantec's site. With the Mac's market share closing in on double digits, perhaps it's not surprising to see the platform targeted with crapware as PCs have been for years. The F-Secure author adds as a footnote that a journalist said to him something you don't hear every day: "I visited the macsweeper.com website. I know I probably shouldn't have but I used a Windows PC so I knew I wouldn't get infected."

Not the smartest journo

[MLCT]

The journalist should have visited using a linux livecd. If the site hosts mac malware then it is a pretty good bet they already have established "businesses" in the field of windows malware.

Yeah and moon is made from..

[Fri13]

What, you need to download something to your mac and then INSTALL it?

This kind software has be there long time ago and there is nothing new to see here.
Market share is still smaller than GNU/Linux and it is not having this kind problems, wait, it has.

Come back again when F-secure and others have proof for worm or virus what works like windows platform, automatically.

Unfortunately, this is likely to become more

[ibbie]

common as Macs continue to grow in popularity. Malicious code tends to gravitate towards the largest user base (more targets), and Apple's market share (or perhaps, more importantly, positive PR) is growing at a decent rate. I'm surprised that it hasn't happened sooner.

The same could happen to Linux, (Free|Open|Net)BSD, etc. All it takes is an uneducated* user behind the console, and Linux's drive to take on the desktop makes that all the more likely.

* I mean uneducated in the security sense. You can be highly intelligent, have 3 PhD's, and still not know a thing about what downloads to avoid. We can't know everything about everything, after all.

Re:Wait, why would you even use this?

[NewbieProgrammerMan]

Well, assuming Apple's market share is increasing (which I don't know for sure, just taking it as a given for making my point), some significant fraction of those new Mac owners are former PC owners. Many of these people will assume that all the crapware they "needed" for their Windows machine is just part of owning a computer. It's not that there's a problem with a Mac, it's that a lot of people just don't know any better.

Re:the shit hits the fan!

[jmauro]

But the Applications folder does not run as root, but as the regular user. The malware can only screw up the current users session, it cannot access or modify anything that needs root permissions without asking for the root password. Without root, malware is annoying, but not difficult to get rid of.

Re:the shit hits the fan!

[GaryPatterson]

Yes, but if you ask a user what they care more about - the OS or their data - you'll find few who care that they'll have to reinstall the OS. It's an irritant, but easily replaced from the source media.

Our data is far more critical, making the ~/Applications folder (or the ~/Desktop folder) a dangerous place for executables.

Of course, in these enlightened days we all have regular backups now or Time-Machine-enabled external drives. Hmm...

Re:the shit hits the fan!

[willyhill]

The malware can only screw up the current users session

I'm sure people care more about the contents of their /bin folder (or whatever passes for that in OS X) than the graduation pictures of their kids and their tax returns. So I guess that's OK. The OS was never compromised! Incidentally, you don't need root to turn a machine into a spam-spewing zombie. On any OS.

it cannot access or modify anything that needs root permissions without asking for the root password.

Well then, it will just ask for the root password. You're thinking here that the user won't provide it for some reason? They just clicked on a "Punch the monkey" banner, after all.

Re:Oh no!

[Tsiangkun]

I'd prefer to focus on the ZERO self propagating pieces of malware in the wild.

Re:Yeah and moon is made from..

[postbigbang]

Your comment is somewhat disingenuous. For argument sake you can cite that there are probably an equal number of stupid people buying Macs and PCs, by percentage.

Now take a look at the architectures. A dozen years of Windows since Win95 has only progressively made Windows more secure, and while better than before, still full of a superfluity of exploits (for differing reasons, again, not counting user "stupidity"). You have to do a lot of work to iteratively get past the gatekeepers in both operating systems; it's not as trivial an exercise as it once was; all the really wide-open machines are 0w3d by someone by now.... as part of a botnet.

Given a 5-10% of the market for Apple, depending on whom you believe, you're only now seeing a MacOS ruse. Think about that for a moment. Think about both motive and opportunity. Motive we understand. Opportunity hasn't been very strong until now. The weapon? Two decades in to desktop operating systems (three if you count CP/M, UCSD Pascal and so on) we're only now seeing a MacOS exploit. A common denominator among the exploitable: stupidity. Now let's scratch off stupidity and talk about architecture. It's not Microsoft's fault that they used a root-level database (the 'Registry') that could be twigged by any user-mode app in pre-XP SP2? Hmmmm. Or the mindless ways that people found to explode IE? Or the TCP/IP stack? Or how long it took to get a WEP-128 parser and still longer for a WPA parser? Microsoft's sloppy code created an industry, one to fix the code, and another to exploit it. They didn't take security seriously, then paid it only lipservice. They're paying the price in disrespect for not being respectable!

Re:Oh no!

[Anonymous Coward]

Don't forget to focus on the MANY pieces of common third-party software you won't be able to run in your malware-free haven, or the number of third-party products where the performance of your machine will go to waste because there was no point the third party writing up-to-date, optimized drivers and utilities on a platform used by a tiny fraction of their userbase.

Re:the shit hits the fan!

[Taevin]

I keep seeing people posting this concept... I have a hard time understanding it to be honest. Let's take a (very simplistic) look at Windows vs. OS X (and yes, I am aware you can make Windows nearly as secure as other operating systems, but I'm looking at base install here): Windows:

• User Data: not protected
• System Data: not protected

OS X:

• User Data: not protected
• System Data: protected

Ok, sure, OS X is not perfectly safe. Clearly it is the better choice though in terms of protecting system data. I really only made this reply because some of these posts (not necessarily the one I'm replying to) seem to be implying the OS X is somehow less safe. At worst it's no more secure than Windows; at best it is significantly more so.

Protecting system data may not be the most important thing in computing, but it's a bit ridiculous to claim it's less important than user data. You're probably right: the affected Joe User probably cares a lot more about his photos that he's procrastinated on backing up for the last 3 years than whether or not his OS is functional. However, I'm pretty sure that the other users on that PC are very glad that they weren't affected by Joe's actions. And let's be realistic here: how often does a piece of malware destroy files wholesale? Save the occasional virus writer that hates the world, most malware creators are much more interested in profit (i.e. getting users to buy something, typically through inserting advertisements).

Re:Oh no!

[bigstrat2003]

Doesn't matter. Stupid users trump all possible security measures (except locking them out of the system for their own good, which isn't really feasible), and there's no shortage of them. Until the programmers can prevent stupid users from infecting their systems, it doesn't matter how damn many malware samples there are in the wild, and you have no right to be smug about the security of your OS.

Re:double digits?

[nmb3000]

Most companies that can only maintain a small percentage of the market place fold. I suspect that the reason Mac hasn't is due to the exceedingly large size and growth of the consumer PC business.

If you're making a profit it doesn't matter how many customers you have: you're still in the black. Sure, more customers then means more profit, but usually you hit a wall where you have to cut profits in order to stay competitive. If a company is happy with its single digit market share (what most would call a niche) then there's no reason to change anything. If you look at Apple's products (especially their audio division), I imagine they have a significantly higher average profit margin than somebody like Dell.

Re:Oh no!

[Garridan]

As a linux user, I am under no delusion that my system is "more secure" than a windows box or a mac.

For me, the worst thing that can possibly happen, is somebody destroys my home directory. Ok, that's easy, if a virus is logged in as me. If they hose my system, so what? I can always re-install linux, that isn't a problem. There aren't any other users. I allow myself access to the internet and to email, so if a virus starts spamming the world, well, that isn't stopped by security policy either.

What you're talking about is a linux server. There, it's hard to root the machine and cross-infect, sure. But what spreads viruses the most these days is users downloading shit in email and not knowing that their browser just executed something. Linux is *not* more secure. *I* am a user am less prone to viruses because I maintain a strict policy of which sites I use each browser for, where I take cookies from, and I browse sketchy shit only inside vmware and restore from a clean image frequently. But I'm still vulnerable to all sorts of attacks -- if google pushes an ad with linux-targeted malware, for example.

If you think linux is somehow inherently virus-proof, you're deluding yourself. Using linux on the desktop is the same as using any other desktop system -- if somebody else knows how to make an executable for your system, it's probably vulnerable.

Re:Yeah and moon is made from..

[postbigbang]

User idiocy aside, the inherent architectural differences, not the sheer number of idiots IMHO, have made Windows a vulnerable target at many levels. In a perfect world, we would train people on using things before we let them loose with them. But we don't.

For this reason, until four years ago (Windows early XP era), Windows and its myriad faults were untenable. MacOS X, by contrast, at least warned people before they were about to get a knife stuck in their operating system. FireFox, Mozilla before it, Safari, IE, all of the browsers (sorry Opera, Ieft you out) have been vulnerable to one piece of malware or another. Microsoft's products (and I've been watching them from long before they went public) didn't button down their architecture. The registry has been eminently hackable in user space until XP SP2 locked it down.

Sure there are idiots out there. But that's why we have stop signs, yellow lines on the road, seat belts, and in some areas, vehicle inspections-- so that a common set of operating criteria can be used to insure safety of use.

The use of an open registry, easy access to system files, legacy exploitable executables, all of these cause(d) problems. If you expect civilians to uptake technology, then you have to ensure their safety, and Microsoft didn't do that, both in the quality of their code, and its basic architecture.

Re:Isn't any "cleaning tool" rogue on a mac?

[Atlantis-Rising]

I dunno, I'd say some recent switchers from Windows to Mac ("average" users, not the Slashdot know it all types) might feel a little naked without their antiviruses and all that. It's almost understandable, seeing as they've had years of conditioning that everything they do invites trojans and viruses. Kind of like how a New Yorker who moves to the suburbs is amazed he doesn't have to lock his car doors.

Which is ironic, because just as you should still lock your car doors in the suburbs, the principle of defense in depth is just as applicable to any *nix-based OS as it is to Windows.

Both switchers are getting exactly the wrong impression.

Re:Oh no!

[morbiuswilters]

Almost every techie I've ever met who makes a broad statement like "(Linux|OS X) is way more secure than Windows" has been so security-retarded it's not even funny. I've used Linux exclusively for years but I'm under no delusions that any general-purpose execution environment is malware-proof. I used to run Win98 and Win2k without anti-virus or firewall and I only got a single virus in 6 years because I opened an exe sent to me by a friend. On my Linux box, anything worth doing can be done as me: stealing personal information, sniffing passwords and credit card numbers, running a botnet client or a daemon on a non-privileged port. I've also got SSH keys that grant me access to my own dedicated boxes, as well as dozens of my employer's servers, not to mention the source code to proprietary applications worth millions. What makes Linux safer is that most people aren't writing trojans for Linux. It's almost sad to watch the Mac market grow like it is, knowing what it will rain down on the smug little bastards. I've got nothing against Mac users, but at this point their hubris is almost Titanic in its proportions. Additionally, Linux has a steeper learning curve than Windows or Mac OS X, meaning most users are more likely to be aware of proper security concepts. Still, I've found rootkits on the servers of many *nix sysadmins. Oh, and they all believed Linux was "way more secure" than Windows.

Re:Oh no!

[dryeo]

1. Privileges, an ordinary user can't mess up the entire system. Unless the user is *really* stupid, they are not root and therefore do not have Write privileges on system-critical files. So even if you ran "rm -rf /" as a normal user, you would only lose the files you had access to and not break the system.

So you figure it is better to only lose your home directory containing everything you care about, email, pictures, personal documents, all your settings like bookmarks etc. As long as the rest of the system, which is easy as hell to reinstall, is not compromised?
As a desktop user I severely disagree, I'd rather lose everything but ~ and if I'm stupid enough to run malware that malware will have the necessary permissions to delete everything I care about.
And about opensource being better because people can look at it and find vulnerabilities. Have you ever looked at the Mozilla code? Lots of people have and yet regularly there are new exploits found, some that have been there since the browser was called Mozilla.
I monitor a few open source applications mailing lists and often when a security vulnerability is found, it has been there a long time. How many more are lurking in that mess of C++ code?

infection

[Tom]

I know I probably shouldn't have but I used a Windows PC so I knew I wouldn't get infected."

Right, because a baddie trying to infect your Mac will absolutely not ever get the idea to put some IE exploit on his page as well, just for good measure, you know?

Stupid, meet journalist, your brother.

Re:Oh no!

[atraintocry]

Obviously nothing's ever for sure, especially not with your computers. But if your browser isn't running with elevated privileges, then you don't need to worry about malware coming in through it the way people with WinXP + IE6 do, save for any specific & isolated exploits. So I would argue that linux is more secure (if by linux we mean "your average linux distro") because your average distro is going to install software from a trusted repo, not have a default install that leaves you running your browser as root every day, and will also give you the tools to control your network interface. And even if you don't use those tools, the fact that 9/10 of the linux users out there do use them does in fact make you a little safer. It gets better...the myriad differences in distros, software packaging, and choice of software means that any "linux" exploit is not going to affect all linux users, unless it's at the kernel level, and even then, there's plenty of variation in people's kernels. Safety in numbers, I guess.

Re:Oh no!

[brad77]

What the hell are you talking about?

Re:Hi i'm MacSweeper Developer

[mzs]

Oh dear LORD if this app will be deleting files in such a manner you will break SO MANY things. Just do the honorable thing, pull it before it does serious damage.

OpenBSD is more secure...

[emil]

...here [openbsd.org] is why:

• strlcpy() and strlcat()
• Memory protection purify
  • W^X
  • .rodata segment
  • Guard pages
  • Randomized malloc()
  • Randomized mmap()
  • atexit() and stdio protection
• Privilege separation
• Privilege revocation
• Chroot jailing
• New uids
• ProPolice
• ... and others