Wednesday, June 1, 2011

Real-Mac-Malware

In case you Macintosh owners haven't picked up on it yet, the scare-ware has moved from Windows to Macintosh.  Here was Apple's take on how to handle the situation:

http://support.apple.com/kb/ht4650

I hate to say this Apple, but it is a case of too little, too late.  You are having the spin doctors write this so you need to have them back-track and give Apple owners all the things that they can do to make themselves safer. Why?  Within a few days these hackers not only have it installing the new software using two packages, a mini-downloader and then the main package, but now no password is required to do the install.  Why is no password required?  Because the first account created for a Macintosh is an administrator account and it doesn't need a password.  The only thing that is reminiscent of it in the Linux world is Fedora 12:

No Password Required

See comments 72 by Garry Dolley and 77 by Keith G Robertson-Turner.  It is one of many reasons I abandoned the Fedora effort that an admin password was not required to do an install of software.  But Garry has now acquired new knowledge.  It is now obvious to the entire world that you can install software into the Macintosh system's (as opposed to the user's) Applications folder and that no password is required.  There are at least three problems on this score.  First is that it seems Apple shows both the system's Applications folder and the user's Applications folder as being one thing in the GUI.  Hopefully I am wrong about that. Most of the time I guess it doesn't matter because very little to almost nothing is ever put in the user's Applications folder on most people's machines.  But by making things easier for the user, they have made the mistake of obfuscating what is really going on.  If I owned a Macintosh I would be finding out real quick how everything is set up.  The problem is that they have departed so far from the old Unix model that it can be at times confusing.  In case you are wondering, I used to own a NeXT machine. Mac OS-X is only faintly similar to it. But it is especially irritating when you talk to people who own a Macintosh and don't know what is what on it.  In case you haven't guessed it yet, that is over 95% of Macintosh users. I contrast their privilege escalation model to sudo, except it seems it isn't because there are tens of thousands of Macintosh owners with infected machines that did nothing.  So it is sudo with a twist to make it less secure.  It seems you don't need an admin password to do an install into the system's Applications folder if you are an administrative user.  Dumb!  Really dumb!

Ergo, I am now rescinding all previous advice to move from Windows to Macintosh to enhance your security.  I still don't like sudo only ways of doing things.  That is just the closest model I can use to describe how the Macintosh works. But all of this is pointing out that the following things need to be done:
  • First, Apple is going to have to put in a password request for all software installs.  At one time I used Fedora.  I don't care that they put in a patch and went back to a more secure way of doing things.  Both Fedora and Apple having once done this wrong leave me pondering just how much else they have done wrong.  They have fallen into the trap of not realizing security comes through several redundant layers of defense.
  • Second, Macintosh owners are going to have to modify at least one of their Safari browser settings on Downloads so that dmg (which is really just a zip with special formatting of folders, etcetera), zip and other files like that are not automatically opened.  Here is a good place to start:  Safer-Safari-Settings.  Warning!  Do not download, unzip, or run the program at the bottom of the page without checking them out first!  Get the idea?  It may very well be, you guessed it, something like MacDefender! How do I know?  IfThenSoft.com is at a GoDaddy pseudo-park IP address notorious for redirecting to malware and this one does a redirect. Not only that, but the host they redirected to is redlined at the Web of Trust. (2011-June-21: I submitted it to the AV companies and my look at it and theirs comes up clean so it is probably safe to use.  That still does not excuse the author for doing the things he did and I gave him pointers for how to do it better - like redirecting to the download hosts instead of a host that is red-lined with MyWOT.com.)  The information on safer browser settings is correct. That is my only reason for giving you this web page. But why are they telling me to use 1Password?  Does it have a security hole? An AES-256 encrypted file may not be as convenient but that is what I use. You can also use Intego's blog information which is always changing.  Here is where Intego's blog is at: http://blog.intego.com/ .  Do not stop there.  Rummage around and tighten things down in Safari, even if you no longer use that browser but use Firefox or another browser instead.  There is a slight chance the other browser will message Safari to do some of the rendering.  Even if it doesn't, cross browser scripting attacks are quite common.
  • Third, if you shifted to using Firefox instead, back up and tighten down Safari anyway.  Then do about the same thing with Firefox.  A lot of mine have been transformed to "Always ask" except for zips and exe files which are automatically downloaded into my /tmp/Quarantine folder.  The default is "let's be helpful and unzip that zipped file for you."  That applies to tbz, tgz, zip.  If you install 7-zip it may try to unzip that as well.  It is almost as bad as Windows unzipping zipped files that are just sitting there on the desktop. Browser, keepa your hands off and let me handle it!  All downloads go to /tmp/Quarantine for me with all browsers (Chrome, Firefox, Opera) on Linux.
  • Fourth, consider using an antivirus program.  There is a secondary reason for me having a ClamAV user on both of my Linux systems.  I can login as clamav and clean out any user infection.  This especially holds for sudo oriented systems, which is what I have to lump the Macintosh into being.  It is not really that but that is as close as I can come to what they are doing.  You noticed I mentioned Intego.  I have nothing to do with them.  Just be sure whatever you get is the real thing.  Intego pointed out that somebody posing as HuffPost Community Moderator was plugging the malware as the solution to get rid of the malware.  That is probably good for several hundred thousand Macintosh owners. That is one of the things the hackers do - confuse you into putting on the wrong thing.  But Apple is already going the wrong way by enumerating the bad and giving you a warning on known bad package names.  The hackers will start using new names all of the time and the AV packages will fail to detect what is bad when it is too new.  If you have a no questions asked install, as long as just 5% of Macintosh owners get infected the hackers consider it to be a good ROI.  Paradoxically, they haven't used rootkits yet, which are a malware problem that came from Unix systems to Linux and then on to Windows. It doesn't matter whether it is McAfee, Symantec, or Intego.  Just make sure it is legitimate AV software. What I am leading you toward is this final step, which is the most important.
  • Fifth, create an administrator account called admin, god, or something like that first, but then use that account to create another user account and only use the second account to do your normal work.  If you can, make the second user account you use all of the time a non-administrator account.  It will enhance your security considerably. It doesn't help in this case if you also make your second user account an administrator account, because Apple just gave the hackers the keys to the kingdom with a no questions asked install.  I am thinking primarily of scrambling to a second administrator account to clean out a user infection.  But why should a hacker bother with that when Apple just handed the hackers the keys to the kingdom in allowing them to install into the system area?  Effectively, Apple took out the Mandatory Access Control (MAC) protection of Unix file permissions and threw it out the door.  Make that second account you use all of the time a normal account until you understand how the Macintosh works thoroughly.  But once you understand how it works in depth it will probably stay that way until Apple does point one above.  You still may do it if you think you can be conned into accepting the fake.  If the bad thing cannot be installed at all it can never hurt you.  If it can be installed only if you supply a password, then it may hurt you.  But if it can be installed with no questions asked, all you are counting on for your protection is the luck of the draw in never encountering the bad stuff.  Actually the odds are much better than you think if you stay away from porn and other trashy areas of the Internet and don't click on that link in your Facebook account that promises you the low down dirt on some person of interest.  If you click on those, more likely than not you will be one dead duck.
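A small audit script, added here as an illustration and not part of the original post, that checks the two things points two and five ask Mac owners to fix: whether the account you are logged in as could have software dropped into the system Applications folder with no password prompt, and whether Safari is still set to open "safe" downloads automatically.  It assumes (this is not stated in the post) that administrator accounts are members of the admin group, that /Applications is group-writable by admin, and that Safari's "Open safe files after downloading" box is the AutoOpenSafeDownloads key in com.apple.Safari; APPS_DIR is a hypothetical override so the check can be exercised on another directory.

```shell
#!/bin/sh
# Added audit script (not from the post). Assumptions: admin accounts are in
# the "admin" group, /Applications is group-writable by "admin", and Safari's
# "Open safe files after downloading" box is the AutoOpenSafeDownloads key.

# Return 0 if the group named in $1 appears among the remaining arguments.
in_group() {
    needle="$1"; shift
    for g in "$@"; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# Print RISK, WARN or OK for a directory ($1) and an account's group list ($2...).
# RISK: this account can write into the directory, so a "no questions asked"
#       install lands there with no password prompt.
# WARN: administrator account, but the directory is not writable from here.
# OK:   standard account and no write access.
risk_level() {
    dir="$1"; shift
    if [ -w "$dir" ]; then
        echo RISK
    elif in_group admin "$@"; then
        echo WARN
    else
        echo OK
    fi
}

# Print Safari's download handling: "auto-open" (unsafe), "ask" (fixed) or
# "unknown" when the defaults tool is absent (i.e. not running on Mac OS X).
safari_download_state() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    # A missing key means the box is still ticked, so only an explicit 0 is "fixed".
    case "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)" in
        0|false) echo ask ;;
        *)       echo auto-open ;;
    esac
}

# Report on the account running the script against the system Applications folder.
audit() {
    level=$(risk_level "${APPS_DIR:-/Applications}" $(id -Gn))
    echo "Applications folder: $level"
    echo "Safari auto-open downloads: $(safari_download_state)"
    [ "$level" = RISK ] && echo "-> do your daily work from a standard (non-admin) account"
    return 0
}

audit
```

Turning the box off is one line: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false, then quit and relaunch Safari.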
So there you have it.  For the first time Apple may be running scared, but I sincerely doubt it. They should be.  The regular hackers only use one vulnerability at a time.  The reason for that statement is that Stuxnet used multiple vulnerabilities. Vulnerabilities are precious resources that normal hackers hoard and use only one at a time while constantly searching for new ones. One of the vulnerabilities is Java.  If you don't need Java, remove it. Another vulnerability is Flash, although that has become better over time.  The problem isn't the Flash but the Javascript that can be hidden in the Flash file.  All of this brings to mind those stupid Mac ads where they contrasted Macs with Windows PCs.  I found the ads offensive. Linux users, don't chortle.  I can see ways that can be employed to foist off stuff on you as well.  Yes, now that the Fedora 12 debacle is in the past you can at least count on having to type a password.  But if the hackers can fool you into seeing something as a system upgrade (how do you tell the difference between a system panel and something the hackers pop up that looks just like it?) they are in.  That is exactly what they have done on Windows and now they are doing it on Macintosh as well.  Not only that, but now they are finally detecting your OS and browser to deliver the correct payload.  That is rather strange because for many things I use wget instead of a browser.  I almost always use wget instead of the browser download if I can help it, and when it comes to pulling down the malware I try to always use wget instead of the browser.

All of this brings to mind me trying to get my sister to see what the scareware links looked like two years ago.  She didn't understand that I made sure it only led to Windows malware.  I just wanted her to see what it looked like so she could prepare for the future when it came to the Mac.  Well, that opportunity is past.  I cannot count on something that didn't do OS detection yesterday still not doing it today. Since I am on Linux a lot of these scare-ware links in web pages won't work for me any more once they detect I am not using either Windows or a Mac. In that case when they do the browser detection they just do nothing with either wget or a browser on Linux. It is rapidly approaching the point where there is nothing I can do any more.  The Mac owners and Windows owners get infected and I see nothing. So far, all I have for Linux are two browser toolbars that don't uninstall completely and continue reporting every place you go and what you do back to the toolbar data collection servers.  I block them in my filters.  Actually for the second tool-bar, you must use the blocking hosts file.  Over seven million of these tool-bars were installed through Mozilla because they used to list it as an add-on.