Blah!
Ah well, we knew this would start happening eventually!
Just hours after Apple issued a security update to protect Mac users against a rash of scareware attacks, a new variant began circulating that completely bypasses the malware-blocking measure. The trojan arrives in a file called mdinstall.pkg and installs MacGuard, a malicious application that masquerades as security software …
Canonical better prepare, I dare say its users will be the next target of this scam.
I'd love to see them try and tackle Linux From Scratch though. This kind of malware largely relies on being able to pull the wool over a user's eyes as to what's really happening. Those who are into the DIY OS might be a bit harder to hoodwink.
Despite the noise this is a very basic trojan; it doesn't do anything really clever, it just relies upon the Safari default "Open safe files after downloading" (this was always asking for trouble) to install an app into the apps folder and add it to the user's login items. It throws dodgy porn URLs at Safari and asks for credit card details, but basically it runs in userspace.
Shocking how well they've done for what it is though.
If I can get my 2 cents in there, I'd like to point out that most malware targeting Windows or MacOS machines these days is not a self-replicating virus. Most if not all do indeed require user interaction, regardless of the platform, and the ones that don't usually rely on 3rd-party software vulnerabilities, for which there are holes in ALL platforms, especially MacOS, as demonstrated by the last few Pwn2own contests. The "it's no virus" defense favored by some Mac fanbois is completely irrelevant: your credit info was stolen, but it's not a virus, so it's fine. Your life is ruined, but at least it wasn't a virus.
Of course there is also the bizarre reality distortion field that says: "every non-Mac box connected to the internet is pwnd within minutes, no user interaction needed"
Bullshit. User interaction is needed for Windows malware at least as much as for MacOS malware. PEBCAC, and the more you rely on a "just works, no training required" doctrine the more vulnerable to cons you are.
It is malware. Even the Windows version of this crap is not called a virus.
Stop blaming 'fanboi' attitude, I very much doubt that a53 is an I'll-follow-Apple-into-the-abyss fanboi. He/she is simply fed up with something that's not a virus being called just that, a virus.
Use a generic term (like endpoint security vendors have for the last few years) that generally describes what viruses, worms, trojans, bots, etc are - malware.
"It is malware. Even the Windows version of this crap is not called a virus."
Right.
"He/she is simply fed up with something that's not a virus being called just that, a virus."
Right again.
So you are ready to admit that there is no widespread Windows virus then, contrary to Apple's claims? Or is the "fed up" thing one-way-only?
Disclaimer: I am no windows luser. Nor am I MacOS luser. I am the one in charge of the cattleprod. KZZZZZERRT!
You appear to be suffering from the delusion that the meanings of words are decided by some ultimate authority which you can influence by loud assertions.
I know precisely what you mean (I think). This piece of malware doesn't (from the article) appear to replicate itself in any way, which was the analogy that gave rise to the term "computer virus". It therefore isn't a virus as we techies understand it, it's a trojan (a program that attempts to trick the user into believing that it's something else). However, the term "computer virus" long ago entered the public consciousness, and has (in my experience) come to have the meaning "malware" in the ears of the great unwashed.
If you're fond of analogies, you might try asking people whether a fish, or a bird, is an animal.
(nyelvmark) "You appear to be suffering from the delusion that the meanings of words are decided by some ultimate authority which you can influence by loud assertions."
No, just fed up with people calling things by the wrong names. Words are important; allowing them to be used wrongly causes misunderstandings. If we called birds fish, we'd get nowhere. We have to stick to one name or the other. I get your bird/fish analogy, but if I didn't know the answer I'd look it up rather than make blind assumptions or wild guesses.
It isn't by the way just this article, it's almost every article on the subject. If techies allow those with less knowledge to remain in that state they do them a disservice.
When you get those 'contact your network Administrator' messages, you look up the error message in the NT/W2K/2K3/Whatever Resource Kit, and it just says 'Contact your network administrator'...
Exactly who do they think shell out for those kits, really?
Mine's the one with a few scratched up Technet CDs and a Knoppix LiveCD in the pocket...
Trying to detect bad applications seems to me to be a wasted cause - just how effective is AV really? Most Windows boxes I have seen were taken by stuff that either (A) evaded the AV, or (B) convinced the meaty one that they really wanted/needed to install it.
Given the near infinite options for black hats to adjust their product to evade detection (a trojan need not keep a specific exploit trick that a virus needs, after all), and the time lag in AV catching up, it appears a lost cause. But lucrative to the AV snake^b salesmen of course...
So Mac is now targeted and failing, it seems partly due to "ease of use" installs that Windows foisted on the world so that uneducated masses could use computers more easily.
Linux would/will as well, given the behaviour observed on the machines I have set up for family/friends (dubious .exe files on the users desktop, WTF?)
The only viable defence against Trojans is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to run/install arbitrary software.
Ideally (C) do both.
Actually the best way to defend your system against this kind of crap is to prevent it from getting into the system in the first place.
And that's where web blockers and exploit guard components come into play: if the user cannot get to the hostile page, or the hostile advertisement cannot load, the user is safe.
Traditional AV is the last line of defense when more modern techniques fail.
While we know that new malware has the potential to get past AV software, there is no point in punting it completely; it can block most malware that already exists. It will not stop a dedicated attempt to break into your computer, but it can protect against moments when you let your guard down, accidentally click a link, etc.
...and would like to apply it to the world of motor transport:
The only viable defence against fatal road accidents is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to drive cars.
Ideally (C) do both.
Since none of A, B or C are practical, however, I take the bus.
"The only viable defence against fatal road accidents is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to drive cars."
Yes, like a driving test perhaps?
And jail time and/or losing one's license for doing really stupid things on the road?
We are used to the concept of education and control where there are obvious physical consequences from our actions, which is why we limit the freedom to do certain things until one has demonstrated some degree of relevant skill and responsibility.
Computers on the other hand don't seem to be covered as there are no 'real' consequences from users' ignorance (or sometimes utter stupidity). Other than fraud of course. And blackmail. Oh yes, and extortion via DDoS attacks...
Nope, it's existing users - not new ones.
People get a license and believe that's all they need; they are now expert drivers and can drink as much as they like, ignore warning signs and generally not give a toss.
Legislation is generally to be ignored, insurance, tax, MOT are something for other mugs to pay out for. There is no need to learn how to go round corners, just find out how hard the right-hand pedal can be pressed.
You can't take a license away from someone who's never had one. Ban from driving? Only if they are locked up. Points on what license?
Stupid is as stupid does and doesn't need a bit of paper or three to do it.
"So Mac is now targeted and failing, it seems partly due to "ease of use" installs that Windows foisted on the world so that uneducated masses could use computers more easily."
Ummmm.. so you're saying that a Mac is harder to use? That they have been known for years and years to be really hard to use... Ahhhhh no... Apple has always had the claim to fame that it was easy to use.
Ease of use has nothing to do with this! Social Engineering and gullibility are what this piece of malware tripe spreads by.
I've not used a Mac for more than a couple of minutes, but surely if the user had separate admin and login accounts this wouldn't work?
I know my Linux box is infullible*, but the fact that I MUST enter an admin password to install anything is a pretty damn good protection as long as my wetware is in order -- the same ought to be true for Apple machines.
*pretty close to infallible
Unless you are using some distro which has ultra paranoid security, you don't need admin access to install stuff that can access users' stuff.
Just install the attack component as a Gnome or KDE applet and you get both autostart and access to all user data. No root password needed.
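The post above makes a defender-relevant point: a per-user autostart entry needs no root and survives logout, so it is worth auditing. The following is an added example written for this thread, not code from the article or from any commenter; it walks a user's XDG autostart directory (assumed to be ~/.config/autostart, the freedesktop default on Gnome and KDE) and flags any .desktop entry whose Exec= program lives in a user-writable location (under $HOME, /tmp, /var/tmp or /dev/shm), which is where something dropped without an admin password would have to live. It is the Linux counterpart of checking the login items the Mac trojan adds.

```sh
#!/bin/sh
# Added example (not from the thread): audit a user's XDG autostart entries.
# Flags .desktop files whose Exec= program resolves to a user-writable path.
# Usage: audit_autostart [DIR]   (DIR defaults to ~/.config/autostart)
# Prints one line per finding and returns the number of suspicious entries
# as its exit status, so 0 means "nothing launches from user-writable space".

audit_autostart() {
    dir="${1:-$HOME/.config/autostart}"
    count=0
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        # First Exec= line, with the key and any %u/%f style field codes removed
        exec_line=$(sed -n 's/^Exec=//p' "$f" | head -n1 | sed 's/ %[a-zA-Z]//g')
        [ -n "$exec_line" ] || continue
        # The program is the first word; drop surrounding double quotes if present
        prog=$(printf '%s\n' "$exec_line" | awk '{print $1}' | sed 's/^"//; s/"$//')
        # Resolve a bare command name through PATH so we judge where it really lives
        case "$prog" in
            /*) path="$prog" ;;
            *)  path=$(command -v "$prog" 2>/dev/null) || path="" ;;
        esac
        if [ -z "$path" ]; then
            printf 'NOTE: %s runs "%s", which is not on PATH\n' "$f" "$prog"
            continue
        fi
        case "$path" in
            "$HOME"/*|/tmp/*|/var/tmp/*|/dev/shm/*)
                printf 'SUSPICIOUS: %s launches %s from user-writable space\n' "$f" "$path"
                count=$((count + 1)) ;;
        esac
        # Hidden=true entries are disabled by the desktop but still worth seeing
        grep -q '^Hidden=true' "$f" && printf 'NOTE: %s is marked Hidden\n' "$f"
    done
    return "$count"
}

# Run against the current user's own autostart directory when executed directly
[ -n "$AUDIT_AS_LIBRARY" ] || audit_autostart "$@"
```

A hit is not proof of compromise (plenty of legitimate tools install per-user launchers in ~/.local), but each flagged entry is one the account owner should be able to name; an unfamiliar one is worth removing and then checking ~/.local/share and ~/.config for the binary it pointed at.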
"Tell me one, just one thing that would be of interest for attacker and could not be gained with user privileges."
The ability to key-log other user's accounts.
You know, like a child doing something silly like trying to install a game, and then the parents bank account being accessed?
On a multi-user machine that is a big deal, but as I already said, most home PCs do not enforce any real concept of user roles.
On a typical Linux box (e.g. Ubuntu that I use) by default I can read other's documents, but not modify them (so no encrypted file blackmail), nor can I install any system-wide changes (change programs, alter web browser settings, redirect DNS, etc).
Most home PCs don't enforce multi user roles because it is way too much hassle.
I use Ubuntu at home and we have a single account for the entire family because switching from one account to another is too much to bother with. And I would guess that mine is the typical use case.
Also malware authors don't care if they get _all_ accounts they are content to steal just from the user they manage to catch.
Also, a good part of boxes have only one user, so no need for multi-user accounts there either.
Answer: Those who care about their security and privacy.
It is not hard to have multiple accounts and switch users, after all only one person can physically use the keyboard/monitor at a time.
I have found most families rapidly get used to the idea and actually LIKE IT! Each can customise their own desktop, bookmarks, etc, and the parents are happier that the little ones have Google's safe search enabled, have their pr0n browsing kept out of the browser history, etc.
As already pointed out, even a single user PC can benefit from having more than one account. Yes it is hassle to switch often so you would not do this for minor things, but for most people the banking type activity is an occasional one, so switching account for that is no big deal.
So a good idea for every OS type is to have something like:
1) An admin account, just for installing stuff (how often do you REALLY need to do that?)
2) Your normal user account.
3) Your banking account.
4) A guest account (for those cases when someone wants to use your PC but you would rather they did not mess with important stuff).
Paris, as you might want to add a pr0n account as well...
From the Qubes website:
"Hardware Requirements
Minimum:
* 4GB of RAM"
I stopped reading there. An *OS* that *needs* 4GB of RAM to run is not going to go anywhere near my kit. Even the boxes which do have enough RAM. Especially as I can have all the same features from an X desktop system that runs in under 50 MB of RAM. Actually I do seamlessly run concurrent apps under at least 4 different accounts every single day on my main work machine (1GB of RAM and as much swap, 90% of which is used by "productivity" apps): local root, main work account, work network admin account, and "leisure" account (the latter usually X-less: just a W3M set on El Reg website and a Tin for newsgroup tomfoolery). I don't do banking from work but I don't see why I would need a mammoth of a distro to create a local account dedicated to banking and launch a web browser from that.
Right now on this home machine dedicated to network stuff "top" indicates 3 unique users (not counting root). It's more than 10 years old, too. 2x PIII 1 GHz, 1GB error-checked DRAM (shielded, please), graphics card with a whole 128MB onboard memory, and ultra-wide SCSI, fancy! (for a given value of fancy. A 10-y.o. one, namely). I don't think Qubes would even acknowledge that as a computer, yet it is a perfectly good machine, much more powerful than what a typical home user would need if it wasn't for delirious hardware requirements for just the fracking OS. Nowadays it looks like every kid coding a tic-tac-toe game designs it so that it needs 1 GB RAM, a 4 GHz CPU and two bleeding-edge graphics cards with crossfire to just play the intro animation. In my days we knew how to make do with single-digit RAM amounts (in Ko, I'm not THAT old) and 3-digit MHz was a status symbol (usually achieved by pushing the "turbo" button, mostly to show off in front of friends). Now get off of my lawn you scallywag.
DISCLAIMER: I do realize that the above makes me a mere PFY for some bearded old farts around here. Feel free to share stories from before they invented the "mega" in hertz and how you had to program ROM with a hammer and a tiny chisel. I'm too young to have dealt with anything older than a TO7. 1 MHz Motorola chip, 8 Ko RAM (extendable to a generous 32 Ko although cartridge contact bugginess made it a fickle process, as was customary in those days), directly pluggable into the Minitel network -the French Internet at the time- and with an optical pen as a context-sensitive user input device. Try it if you can get your hands on one, if only for the optical pen. That was amazing; "magical and revolutionary", I would say. Beats the mouse by a wide margin. Touchscreen for the masses, 20 years early. Dunno if an English-keyboard version was ever made, though.
> switching from one account to another is too much to bother.
There is your Trojan attack vector right there... the "can't be bothered" sort of user.
Yeah. Hitting that logout button and entering your own password is such a bother.
With that kind of attitude it's little wonder that so many problems happen in computing and even in other areas. Just apply that mindset to driving. I am sure all of you can think of suitable examples.