
Mac Malware Evolves - No Install Password Required

An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
  • by mms3k ( 2192016 ) on Thursday May 26, 2011 @11:00AM (#36250894)
    I always find it stupid that even here people say that malware on Linux would not be able to gain root like in Windows. Spam bots, fake antiviruses, password stealing nasties and so on run perfectly fine under a normal user account. There is no reason why they would require admin privileges. All the personal files are accessible on a normal user account and spam can be sent without root too. Sure, it could hide a little bit better if it had root access, but there's plenty of tricks to pull out under a normal account too. It's like a guy making everything overcomplicated by thinking how he needs to act like a perfect guy and take the girl to a fancy restaurant and many dates before having intercourse with her. Sometimes it's just easier to go for a ladyboy - a woman with men's desire for sex. Requiring access to the root account would be a more common situation with something like hacking servers since you need to modify logs and really hide in the system. Most likely you also need to get access to HTTP ports and under Linux you need the root account for those. But malware runs perfectly fine under a user account.
  • Re:The difference (Score:5, Insightful)

    by betterunixthanunix ( 980855 ) on Thursday May 26, 2011 @11:17AM (#36251112)

    This means the problem would be isolated to that particular user's account.

    For many home users, that is all that really matters. We are not talking about an enterprise setup here, we are talking about some person's laptop. Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.

  • Re:PEBKAC (Score:5, Insightful)

    by Talderas ( 1212466 ) on Thursday May 26, 2011 @11:17AM (#36251118)

    On a somewhat-unrelated note, it still blows my mind when enterprise level IT still has users with full admin rights over the local workstation, as those machines constantly and continually get infected and reinfected through the ignorance of the users. Sure, it means that a user can add a local device more complicated than a printer without calling the helpdesk, but it also means that any piece of unauthorized software, whether the user intended to install it or not, or whether it's benign or malicious, gets onto the computer. When the IT department sets up the computers and privileges properly, and if the OS doesn't have local root exploits so large one can drive a Mack truck through, the user can do a lot less damage.

    It's not entirely unsurprising. Telling the company owner that "We need to change the level of permissions everyone has on their machines, which means they won't be able to do this, this, and this." after the company owner and the entire user base is accustomed to having that level of permission doesn't typically get a go-ahead flag from the company owner.

  • by hellfire ( 86129 ) <deviladvNO@SPAMgmail.com> on Thursday May 26, 2011 @11:19AM (#36251142) Homepage

    The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.

    They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.

    I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows' fault in those situations either; the user simply installed something that took over the system.

  • by Shados ( 741919 ) on Thursday May 26, 2011 @11:28AM (#36251280)

    The vast majority of Windows infections also come from viruses that "must be installed". Not 100% obviously, but if you take out the ones that infected users months after patches were released, and the ones where users clicked through a UAC prompt to install anyway, you end up with a very very small sample.

    It's all about social engineering now.

  • Re:Good (Score:3, Insightful)

    by _Sprocket_ ( 42527 ) on Thursday May 26, 2011 @11:37AM (#36251412)

    High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security.

    I have a hard time completely dismissing privilege escalation. There is still some value in being able to separate user data from the system proper - if only to make clean-up easier. But I do completely agree with the overall lesson here. An overly simplified view of security might very well overlook the fact that there's still a lot of value with operating in the context of an unprivileged user. And as such, users should remain wary whenever they're acting outside the boundaries of their local environment.

    It strikes me that this is a subset of the dancing pigs problem [wikipedia.org]. The promise is that computing is being made easy. And in doing so, the end user gets all manner of over-simplified, friendly (or frightening) messages wanting their rubber-stamp to do various unknown black-box things. Whether you promise dancing pigs or protection from evil hackers, it comes down to the same thing. Present the proper dialog box and end users are likely to accept it.

    This is a problem that won't be solved by more dialog boxes. At some point, the user needs to be exposed to some level of the complexity of their environment and hopefully given enough information and skepticism to make reasonable decisions.

  • by gad_zuki! ( 70830 ) on Thursday May 26, 2011 @11:38AM (#36251428)

    How about the comments in the last article from the fanboys screaming "BUT THEY NEED TO PUT IN THEIR PASSWORD UNLIKE SHITTY WINDOWS" and then modded up to +5 insightful.

    Welcome to the new reality. I think they'll find that userland rights on any modern OS are pretty lenient and will allow for a great deal of scammy malware activities. Malware doesn't need to run in any system directory or open any low ports or anything.

    Now is probably a good time to invest in OSX AV products.

  • by Vokkyt ( 739289 ) on Thursday May 26, 2011 @11:39AM (#36251444)

    The problem with this assessment is that it's the exact same assessment that OS X has been receiving for the past 6 years whenever a new Trojan pops up. And no, this trojan really isn't any different than its predecessors. I'm not trying to defend OS X as the almighty glorious Mac Master Race computer, but it's a little ridiculous to see this cycle every time an OS X Trojan pops up (and they've pretty much all been trojans -- IIRC, a few were classified as worms, but I really don't remember clearly):

    1. Malware appears for OS X
    2. AV companies advertise it wildly
    3. Journalists/"Analysts" declare that age of Innocence for OS X is over, no longer "immune" to Malware
    4. Message Board users declare the end of OS X/Catastrophic damage
    5. Time passes and reality sets in -- the Malware/Trojan fails to reach any noticeable level of threat

    Again, this isn't to say OS X is immune. Absolutely not. But every time a bit of Malware appears, this exact cycle happens -- and OS X and Apple's sales only go up.

  • So uh... (Score:4, Insightful)

    by bmo ( 77928 ) on Thursday May 26, 2011 @11:41AM (#36251470)

    Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?

    Unlike Windows, in OS X and Linux and every other sane OS in the universe there is no such thing as a "hidden process."

    As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.

    ps -uax | grep $USER
    OH HEY GUYS THAT LOOKS WEIRD
    killall -9 $SUSPICIOUSPROGRAM
    rm $PATHTOSUSPICIOUSPROGRAM/SUSPICIOUSPROGRAM

    And not even have to have a # in your prompt. No sudo, no su, no nothing.

    Go on with life

    Wow. That's...difficult.

    --
    BMO
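
Added example, not part of bmo's post or of anything else on this page: a POSIX shell triage script that does the first step of the procedure above (look at the current user's processes) with one extra filter. It flags processes whose executable lives somewhere a standard user can write to, since a Trojan installed without admin credentials, like the one in the story, has nowhere else to put itself. The sample ps lines, the account name alice and every path in them are constructed for this example; the `ps -axo user=,pid=,command=` invocation in the live branch is BSD/macOS ps syntax. The prefix list is a heuristic, not a complete definition of user-writable locations.

```shell
#!/bin/sh
# Flag processes that run from user-writable locations. Malware installed
# without admin credentials can only live where the ordinary user can write:
# the home directory, temp directories, /Users/Shared. Heuristic only.

# Constructed sample of `ps -axo user=,pid=,command=` output (account names,
# paths and PIDs are made up for this example).
SAMPLE_PS='root 1 /sbin/launchd
alice 412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
alice 517 /Applications/Safari.app/Contents/MacOS/Safari
alice 603 /Users/alice/Library/Caches/example-helper -daemon
alice 688 /Users/alice/Downloads/installer
alice 702 /private/tmp/update-check
bob 710 /Users/bob/bin/mytool'

# Usage: flag_user_writable ACCOUNT HOME < ps-lines
# Reads "user pid command [args...]" lines on stdin and prints "pid path" for
# ACCOUNT's processes whose executable starts under a user-writable prefix.
flag_user_writable() {
    user=$1
    home=$2
    while read -r puser pid cmd; do
        [ "$puser" = "$user" ] || continue
        # First word of the command column is the executable path.
        path=${cmd%% *}
        case $path in
            "$home"/*|/tmp/*|/private/tmp/*|/var/folders/*|/Users/Shared/*)
                printf '%s %s\n' "$pid" "$path" ;;
        esac
    done
}

# Number of flagged processes in the constructed sample, for a quick check.
sample_flag_count() {
    printf '%s\n' "$SAMPLE_PS" | flag_user_writable alice /Users/alice | grep -c '^'
}

# "demo" runs the filter over the constructed sample; "live" runs it over the
# real process table for the current account.
case ${1-} in
    demo) printf '%s\n' "$SAMPLE_PS" | flag_user_writable alice /Users/alice ;;
    live) ps -axo user=,pid=,command= | flag_user_writable "$USER" "$HOME" ;;
esac
```

Anything the filter prints is a candidate for the "that looks weird" step, not a verdict: legitimate updaters and helper tools also run from ~/Library, so the path only tells you where to look next.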

  • by gad_zuki! ( 70830 ) on Thursday May 26, 2011 @11:42AM (#36251478)

    That's a little like saying "Oh just run NoScript or disable the Java plugin" in the Windows world. Most end users have no clue what "safe files" are or what any of what you wrote means.

    Not to mention, any web based exploit can install this malware now. It runs purely in userland. Java exploits, Flash exploits, browser exploits, etc. open the gate for this malware. Today it's the safe files in Safari, tomorrow it's one of dozens of Java exploits.

    It's simply easier for end users to do updates and buy an AV than to dick around with settings they don't remotely understand. To Apple's benefit they're usually good about software updates and also update Java (at least for now).

  • by elrous0 ( 869638 ) * on Thursday May 26, 2011 @12:36PM (#36252246)

    You get those kinds of warnings in Windows too. Doesn't stop an idiot from being an idiot, though.

  • by cavreader ( 1903280 ) on Thursday May 26, 2011 @01:03PM (#36252666)
    So the Windows community is to blame for lax user practices on a Mac OS? This current piece of Mac malware is only the beginning. And the reason the number of compromises will continue to grow is that for years Mac users have been told that the Mac OS is totally immune to viruses, trojans, and all the other threats floating around the web. The surprising thing is the number of techies who seem to be under the impression that the Mac OS security framework is invulnerable and there is nothing to worry about. The criminals know there is a ton of money to be made going after OS X, iOS, and all the different permutations of the Android OS. Plus Windows security has improved greatly since the days of Win95 and IE6, making the number of potential exploits harder to take advantage of. Windows users have also been pounded with security notices and updates for years and that has also helped raise user awareness. I have also wondered how much easier it would have been to create exploits for the Windows OS if Microsoft had open sourced it. It will be interesting to see if open source will encourage more people to target Android in the future.
  • Re:PEBKAC (Score:5, Insightful)

    by makomk ( 752139 ) on Thursday May 26, 2011 @01:29PM (#36253088) Journal

    This still requires the user to deliberately install the malware.

    Something like 97% of Windows malware infections these days are caused by users "deliberately" installing malware, and that's with Windows putting a lot more obstacles in the way of websites wanting to convince users they should install something malicious than Mac OS X does. Doesn't stop Windows malware infections from being a big selling point for Macs. (Even in the bad old days of Windows security, an awful lot of infections were due to users agreeing to install the malware.)

  • Re:I am safe. (Score:4, Insightful)

    by amicusNYCL ( 1538833 ) on Thursday May 26, 2011 @02:08PM (#36253654)

    It is a computer that is personal, not a Personal Computer.

    "A computer that is personal"... that's the same thing as a personal computer. So a Mac is, in fact, a personal computer. So it's not incorrect to refer to one as a PC, if you're into the whole brevity thing.

    I know you and the dumb-shits wasting mod-points on this conversation are not this ignorant.

    You're right, I'm not ignorant, I just don't base my definitions on marketing drivel, thank you very much.

  • by gad_zuki! ( 70830 ) on Thursday May 26, 2011 @02:16PM (#36253744)

    I'm responsible for more Windows machines than I care to admit and we don't have this issue. I did see it at my old employer and after some investigation I found:

    1. All the machines that got this had out of date Adobe Reader or Java plugins.

    2. Or the end user installed it clicking yes at every warning prompt.

    Most likely your plugin security isn't up to snuff. Stats released by Brian Krebs at his security blog show that crimepacks that use this exploit Java or Reader vulnerabilities 90% of the time, and the rest of the 10% is old patched browser or Windows exploits.

  • Re:PEBKAC (Score:4, Insightful)

    by psydeshow ( 154300 ) on Thursday May 26, 2011 @02:18PM (#36253770) Homepage

    The end result would be the same, all it's going to do is affect a single user.

    Can we retire this meme?

    Nobody besides IT gives a shit if the trojan can hack into the kernel or system libraries. If it can run in user space it has access to my contacts, my photos, my browser history, my bookmarks, my email, my music, and pretty much every-fscking-thing I care about on the computer. It can send mail as me, post to websites as me, drop files in my downloads folder, and put stuff on my desktop.

    I mean, great that it can't infest drivers and start servers below port 1024. But the primary user of the computer (the non-admin shlub who actually needs to get work done) is infected.
