Flashback MacOS botnet
April 4, 2012 5:12 PM

Flashback is the first significant MacOS botnet, reportedly infecting and controlling over half a million Macs. Flashback has been around since September 2011 but recently got a boost with a Trojan that exploits a security hole in Apple's Java distribution; a vulnerable Mac can be infected simply by visiting a web site, no user password required. Apple released a fix for the Java exploit yesterday, some six weeks after Microsoft, Adobe, and Oracle released their fixes.
posted by Nelson (166 comments total) 24 users marked this as a favorite
 
I was kindly walked through this yesterday so I'll repeat here:

The practical upshot for Mac users is that you should run Software Update.

You can do this by going to the apple icon in the top left corner of your screen and selecting "Software Update" and following the prompts. (Caveat: For me, it took probably 30 min to download and install the update, so do this when you have time.)

Once it's done, I was able to confirm it had updated by going to Applications>Utilities>Java Preferences and checking the "Info" of that utility... the updated version is 13.7.0.
posted by LobsterMitten at 5:20 PM on April 4, 2012 [7 favorites]


And for people who are running 10.7, the Java Preferences version number is 14.2 for patched, 14.1 for not patched.
posted by LobsterMitten at 5:22 PM on April 4, 2012


And for people who are running 10.7, the Java Preferences version number is 14.2 for patched, 14.1 for not patched.

Provided you are even running Java in 10.7. Java wasn't part of the default installation. It had to be specifically installed by the user.
posted by Thorzdad at 5:26 PM on April 4, 2012 [5 favorites]


Apple isn't that great at security when working with their own code; it should be remembered that a lot of the jailbreaks that have come up on the iPhone were in fact remote root security holes through mobile Safari. Likewise their Java code has proven problematic.

Vendor specific implementations generally suck, and this isn't exactly a core product for Apple.
posted by jaduncan at 5:28 PM on April 4, 2012 [1 favorite]


The day Windows died.
posted by i_have_a_computer at 5:30 PM on April 4, 2012 [3 favorites]


What's most interesting to me is how long it took for this to happen. For years Apple advocates have claimed MacOS was significantly more secure than Windows. Skeptics pointed out that there just weren't enough Macs to be worth infecting. If it turns out that Flashback really does control 500,000+ computers, both sides will be wrong.

I resisted editorializing in the FPP, but Apple did their users a terrible disservice sitting on this patch so long. Microsoft learned the hard way how important it is to get security patches out quickly; Apple may just now be learning the same lesson.
posted by Nelson at 5:35 PM on April 4, 2012 [4 favorites]


Hopefully this puts a dent in the "It's more secure/you don't have to worry about viruses" Apple hubris out there. Macs were never more secure; rather, virus writers all targeted Windows XP because it was popular and a lot of those guys knew the Win32 API and core inside and out. Moving to the Mac would require learning not just a whole new API, but all the exploits and deep low-level stuff.

But, as Apple products have become more popular, they're now more targeted.
posted by delmoi at 5:36 PM on April 4, 2012 [3 favorites]


Yeah, but if you go to a web page that requires Java you get prompted to install it automatically. Which oddly I was, just today, when I went to Google's home page.

(Why did that happen? I'm confused. I literally just went to Google's home page. Am I missing something? I'd think the big G would be the last site to use Java. It was the only page I went to!)
posted by JHarris at 5:36 PM on April 4, 2012


(Why did that happen? I'm confused. I literally just went to Google's home page. Am I missing something? I'd think the big G would be the last site to use Java. It was the only page I went to!)
That's pretty bizarre. Chrome doesn't even launch Java without asking the user first now. So if Google put Java on their front page, that would break their front page in their own browser. So it seems really unlikely to me.

Soo... you may want to do a virus scan.
posted by delmoi at 5:39 PM on April 4, 2012 [5 favorites]


Welcome to the big show.
posted by Artw at 5:39 PM on April 4, 2012 [1 favorite]


For years Apple advocates have claimed MacOS was significantly more secure than Windows. Skeptics pointed out that there just weren't enough Macs to be worth infecting.

Really? Most Mac users I know hold the opinion you attribute to the skeptics. Any discussion I've had regarding the relative "security" of Macintosh--which is admittedly not a frequent conversation for me--has come down to the fact it's probably just not worth the effort for someone looking to cause a ton of damage.
posted by Hoopo at 5:46 PM on April 4, 2012 [2 favorites]


It's a trojan, not a virus, BTW.
posted by SPrintF at 5:47 PM on April 4, 2012 [8 favorites]


Whew: Looks like I'm clean.
posted by rollbiz at 5:48 PM on April 4, 2012


I run Windows so I don't have to worry about this sort of thing.

So that's what it feels like
posted by fullerine at 5:53 PM on April 4, 2012 [58 favorites]


Running ClamXav now, that should find something if it's there, should it not? I'm not as familiar with what will find what as I am on Windows, where I'd just throw in a Defender boot CD and scan overnight.
posted by JHarris at 5:56 PM on April 4, 2012 [1 favorite]


Apple isn't that great at security when working with their own code; it should be remembered that a lot of the jailbreaks that have come up on the iPhone were in fact remote root security holes through mobile Safari.

Three iOS jailbreaks (out of many) have exploited holes in Mobile Safari - in 2007, 2010, and 2011 - and the second two were both crafted by one extraordinarily talented person who Apple subsequently hired. So I don't know if that particular vector can be used as strong evidence for Apple being not-so-great at security, and I believe Apple released software updates fixing each of those within a couple weeks.

Not six weeks like this, which is the weird part. I was about to link to Chrome's fascinating "Fuzzing at scale" article where they explained how they found tons of bugs in the Flash plugin within a short period of time (and got them fixed), but doing that wouldn't be any good anyway without releasing prompt updates for known bugs...
posted by dreamyshade at 6:01 PM on April 4, 2012 [2 favorites]


It's a trojan, not a virus, BTW.

How are you defining virus? The old definition of virus is malware that self-spreads by infecting removable media, which rarely happens anymore, since removable media is much less frequently used. I think the definition of virus is evolving to mean malware that spreads by exploiting a security vulnerability, such as in a web browser. A trojan is malware that infects systems by the user naively executing a malicious program, the distinction being in that case the user is the one responsible for elevating the malware to give it permission to infect the system, the malware isn't actively exploiting a security vulnerability.
posted by zixyer at 6:04 PM on April 4, 2012 [1 favorite]


Little Snitch is a firewall program for Mac OS X. If the program is found, the installer will skip the rest of its routine and proceed to delete itself.

*feels smugly secure*

Seriously, if you own a Mac that connects to the internet, you should have Little Snitch installed.
posted by acb at 6:05 PM on April 4, 2012 [12 favorites]


Three iOS jailbreaks (out of many) have exploited holes in Mobile Safari - in 2007, 2010, and 2011 - and the second two were both crafted by one extraordinarily talented person who Apple subsequently hired. So I don't know if that particular vector can be used as strong evidence for Apple being not-so-great at security, and I believe Apple released software updates fixing each of those within a couple weeks.

That's three remote root exploits that could be taken advantage of by any site on the internet for relatively long periods. It's not a great record.
posted by jaduncan at 6:26 PM on April 4, 2012 [2 favorites]


I live in a Mac-only household, and my department at my employer is also Mac-only (we run VMWare for occasional Windows testing), yet I can't help but feel a little glee at this happening.
posted by owtytrof at 6:32 PM on April 4, 2012


Kudos to Dr. Web for ending their article with:
Doctor Web recommends Mac users to download and install a security update released by Apple…
instead of:
Dr. Web recommends Mac users to install Dr. Web's industry-leading anti-virus software for Mac OS X…
CREDIBILITY +10
posted by designbot at 6:34 PM on April 4, 2012 [6 favorites]


It's a trojan, not a virus, BTW.
It's a grey area, but either way a virus scanner should pick it up. I think many people consider trojans a subset of viruses.
posted by delmoi at 6:35 PM on April 4, 2012


I would love to know why Apple is so slow to issue security patches. They've certainly got the infrastructure to push them out quickly, so there's some internal process that they're stumbling on. Compatibility testing?
posted by ChurchHatesTucker at 6:35 PM on April 4, 2012


Oh dear, the Apple update is 66.6 MB. Couldn't they have padded that by 10KB?
posted by mkb at 6:36 PM on April 4, 2012 [5 favorites]


Three iOS jailbreaks (out of many) have exploited holes in Mobile Safari - in 2007, 2010, and 2011 - and the second two were both crafted by one extraordinarily talented person who Apple subsequently hired. So I don't know if that particular vector can be used as strong evidence for Apple being not-so-great at security, and I believe Apple released software updates fixing each of those within a couple weeks.
Wrong wrong wrong. There are extraordinarily talented virus writers out there, and it only takes one person to do it. Besides, once the jailbreak is done, anyone, including malicious hackers, can analyze how it was done and utilize it on any iOS device that hits a site they control ('officially' or 'unofficially').
posted by delmoi at 6:38 PM on April 4, 2012


The Mac's first botnet, and only a half-million bots. More than a decade and a billion or so bots behind Microsoft. Apple should really do a better job of making its exploits more readily exploitable to catch up.

Sorry... I'm not feeling the "both sides are bad" vibe, here.
posted by Slap*Happy at 6:59 PM on April 4, 2012 [4 favorites]


Thanks for the heads up via this FPP that I did, in fact, need to run Software Update and not put it off for a while like I often do when the updates require a reboot.

I'm all new and fresh now. Thanks again.
posted by hippybear at 7:02 PM on April 4, 2012


Oh dear, the Apple update is 66.6 MB. Couldn't they have padded that by 10KB?

I got a 79.4 MB Java update. Which on my crap internet connection will take approximately all night to download. (Not really, but my internet connection is crap.)
posted by hoyland at 7:05 PM on April 4, 2012


Slap*Happy: I went looking for a reliable source of botnet statistics to put Flashback in context but couldn't find one. Here's a 2009 article of 10 botnets ranging from 200,000 to 3.6M Windows boxes, but I have no idea how accurate it is. I don't particularly trust the 550,000 estimate from Doctor Web for Flashback, for that matter, although the methodology seems plausible.
Each bot includes a unique ID of the infected machine into the query string it sends to a control server. Doctor Web's analysts employed the sinkhole technology to redirect the botnet traffic to their own servers and thus were able to count infected hosts.
BTW, here's an article about 2009 MacOS botnet named OSX.Iservice. I left it out of the FPP because I don't believe it ever got very large.
posted by Nelson at 7:10 PM on April 4, 2012
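A sketch of the counting method described in that Doctor Web quote (one unique ID per infected machine in the beacon's query string, sinkholed traffic tallied by distinct ID), added here as an example; it is not Doctor Web's code. The log lines are constructed, and the `/beacon` path and the `id` parameter name are assumptions, since the page does not describe the real beacon format.

```python
"""Count sinkholed bots by the per-machine ID carried in the query string.

Added example, not from the thread or from Doctor Web. The log format (Common
Log Format), the beacon path "/beacon" and the parameter name "id" are
assumptions; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sinkhole web-server log. Note that bot aaaa-0001 checks in
# three times from two different source IPs, bot cccc-0003 checks in on two
# days from two IPs, one line is unrelated crawler noise, and one beacon
# carries an empty id (a malformed or tampered request).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Apr/2012:10:01:02 +0000] "GET /beacon?id=aaaa-0001&v=2 HTTP/1.1" 200 12
203.0.113.10 - - [04/Apr/2012:10:31:02 +0000] "GET /beacon?id=aaaa-0001&v=2 HTTP/1.1" 200 12
198.51.100.7 - - [04/Apr/2012:10:02:15 +0000] "GET /beacon?id=aaaa-0001&v=2 HTTP/1.1" 200 12
198.51.100.7 - - [04/Apr/2012:10:02:16 +0000] "GET /beacon?id=bbbb-0002&v=2 HTTP/1.1" 200 12
192.0.2.55 - - [04/Apr/2012:11:45:00 +0000] "GET /beacon?id=cccc-0003 HTTP/1.1" 200 12
192.0.2.56 - - [04/Apr/2012:11:45:01 +0000] "GET /robots.txt HTTP/1.1" 404 0
192.0.2.57 - - [05/Apr/2012:09:00:00 +0000] "GET /beacon?id=cccc-0003 HTTP/1.1" 200 12
203.0.113.99 - - [05/Apr/2012:09:10:00 +0000] "GET /beacon?id= HTTP/1.1" 200 12
"""

# Source IP, the date part of the timestamp, and the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def parse_beacon(line, path="/beacon", param="id"):
    """Return (source_ip, day, bot_id) for a well-formed beacon line, else None.

    Lines for other paths, lines that do not parse, and beacons without a
    non-empty id are ignored rather than counted as bots.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path != path:
        return None
    values = parse_qs(target.query).get(param)  # blank values are dropped
    if not values:
        return None
    return m.group("ip"), m.group("day"), values[0]


def summarize(log_text):
    """Tally the sinkhole log by distinct bot ID (and, for contrast, by IP).

    Counting by ID is what makes repeated check-ins and IP changes (DHCP,
    NAT, laptops moving between networks) collapse to one infected host.
    Counting by source IP would give a different, less reliable figure.
    """
    lines = [l for l in log_text.splitlines() if l.strip()]
    bot_ids, source_ips = set(), set()
    ids_by_day = defaultdict(set)
    beacons = 0
    for line in lines:
        parsed = parse_beacon(line)
        if parsed is None:
            continue
        ip, day, bot_id = parsed
        beacons += 1
        bot_ids.add(bot_id)
        source_ips.add(ip)
        ids_by_day[day].add(bot_id)
    return {
        "lines": len(lines),
        "beacons": beacons,
        "bots": len(bot_ids),
        "source_ips": len(source_ips),
        "bots_per_day": {day: len(ids) for day, ids in sorted(ids_by_day.items())},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Per-day counts of distinct IDs show how a sinkhole estimate depends on the observation window: a bot that only checks in once a day is missed by a short capture.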


I would love to know why Apple is so slow to issue security patches.

Java on OS X has never been a priority for Sun. I recall back when I went for my Sun certification testing when I had to clients and servers, and I tried doing development on my little iBook. Java has always lagged behind Sun's Solaris and Windows releases by at least one major version.
posted by Blazecock Pileon at 7:11 PM on April 4, 2012


I was about to link to Chrome's fascinating "Fuzzing at scale" article where they explained how they found tons of bugs in the Flash plugin within a short period of time

That is a fascinating article, not least because it's Google doing something for Adobe that they really should have been doing themselves. It's couched in language that sort of crosses the line from diplomatic over to flattering (thanks for fixing these bugs so fast guys, great job and great commitment to security!), but you have to imagine that there is at least one engineer at Adobe who got the underlying message of "clean up your shit, for god's sake, you're fucking up the internet for everyone."
posted by whir at 7:11 PM on April 4, 2012 [6 favorites]


Regular OS X user, and I'm surprised that it's taken so long to get to this point. I try to be as paranoid as is practical using OS X; I don't normally log in as a user with admin privileges, I didn't install Java when I upgraded to 10.7, I use ClickToFlash. I'll be sad if I have to start taking even more defensive and annoying measures.
posted by 1970s Antihero at 7:32 PM on April 4, 2012


I'm getting the update now but how do I know if I'm infectbuyd1sc0unt_vi@grA!www.v4u.ru
posted by Blue Meanie at 7:33 PM on April 4, 2012 [5 favorites]


Apple's BSD-based security model for many years was much more secure by design than Windows OS.

The empirical security of Mac OS was a combination of better design choices and low exposure. Expert users always knew Macs were not invulnerable, just less vulnerable than Windows machines.

Microsoft has improved their security model and Windows (all versions) continue to be much more widely exposed than (combined versions of) Mac OS. Successful as they are, Macs running Mac OS X (with Java installed) make up less than 10% of Internet-connected computers [citation needed, you dig it up].

Macs running the current version of Mac OS (10.7 aka Lion), as mentioned upthread, do not come with Java installed. I'm surprised to hear that Google has prompted at least one user to install Java. That's very odd and I'd love to have more details about that request.

Thanks, Nelson, for this heads up. Though I am a developer, I was completely unaware of this exploit and have updated the machines I admin.
posted by mistersquid at 7:34 PM on April 4, 2012 [5 favorites]


Awesome! Things seem much snappier now.
posted by mistersquid at 7:38 PM on April 4, 2012 [1 favorite]


The Mac's first botnet, and only a half-million bots.

Is there anyone besides a particular virus company, that happens to sell a solution, saying this?
posted by Brandon Blatcher at 7:51 PM on April 4, 2012 [3 favorites]


For years Apple advocates have claimed MacOS was significantly more secure than Windows.

And we will continue to do so for years to come. Signed certificates, sandboxing, randomized buffer memory, etc. Apple is generally so slow on these fixes because they don't want to fuck up someone's Mac.
posted by cjorgensen at 7:57 PM on April 4, 2012 [2 favorites]


Apple isn't that great at security when working with their own code; it should be remembered that a lot of the jailbreaks that have come up on the iPhone were in fact remote root security holes through mobile Safari. Likewise their Java code has proven problematic.

This isn't Apple's code, by the way. This is also why Apple has stopped shipping Java with the Mac (and Flash): because if you ship it, you own it. If you choose to install such code on your PC or Mac, don't cry when shit breaks.

I haven't had Flash installed for over a year. I'll probably remove Java at this point. I don't think I ever use it. I guess we'll see. Javascript yes, Java, bah! Could care less.
posted by cjorgensen at 8:04 PM on April 4, 2012 [3 favorites]


Apple's BSD-based security model for many years was much more secure by design than Windows OS.

The empirical security of Mac OS was a combination of better design choices and low exposure. Expert users always knew Macs were not invulnerable, just less vulnerable than Windows machines.
First of all, Macs were not less vulnerable than Windows machines. In hacking competitions they were often easier to break into.

Windows NT, 2000, XP, etc. all had the same security model that Unix machines have; the difference is that by default you ran code as administrator. That means, essentially, that if there are security glitches in any code you run, those glitches can get 'root' access. If there are no glitches, however, there's no problem. (But it was possible to create non-root users; most ordinary users never did this, but people running computer labs typically would.)

Basically that means you have a very large attack surface. Any program the user runs could potentially have a root exploit.

On Unix machines, including OSX, you don't run as "root" by default. That means if there is a security glitch in a program you're running, all it can do is, for example, mess with your personal files. It wouldn't be able to install itself as a virus at the root level, it can't mess with the hard drive, etc.

Since Windows Vista, Windows works the same way. So really, in terms of design, they both have the same size attack surface.

The claim that Windows Vista/7 has a larger attack surface than OSX is false. And XP/2000 could be made to work the same way if you really wanted, but most people didn't.

Basically, the claim that OSX is more secure by design is just more Apple user hubris. The defaults before Vista were less secure, but the 'design' worked the same way. Since Vista the defaults aren't even a problem anymore.

But the other problem is, even if you have a small attack surface, if you have security flaws then, well, it doesn't matter. Even if you have the most secure "design" in the world, if you have a security flaw, hackers can get in.

You can think about it like a building with a lot of doors and windows. The more doors and windows you have, the more chance you might have one unlocked, so you might have more of a chance of someone being able to break in.

On the other hand, even if you have only two doors compared to 100, if one of those doors is unlocked, well, then you're simply not secure, no matter how good the 'design' is.

Essentially what happened here is that Apple left a door unlocked for a few months.
And we will continue to do so for years to come. Signed certificates, sandboxing, randomized buffer memory, etc. Apple is generally so slow on these fixes because they don't want to fuck up someone's Mac.
Huh? Windows has had all that stuff for years.
posted by delmoi at 8:09 PM on April 4, 2012 [8 favorites]


How did this Flashback thing ever make it through App Store review anyway?
posted by mattoxic at 8:13 PM on April 4, 2012 [7 favorites]


The claim that windows Vista/7 has a larger attack surface then OSX is false.

Suuuuure.

posted by Slap*Happy at 8:15 PM on April 4, 2012 [1 favorite]


Again confusing attack surface with security flaws.
posted by delmoi at 8:16 PM on April 4, 2012 [1 favorite]


I have no idea what point you're trying to make.
posted by Slap*Happy at 8:20 PM on April 4, 2012 [2 favorites]


So... are people on OS X 10.5 vulnerable? Because the update is for 10.6 and above.
posted by gryftir at 8:20 PM on April 4, 2012


Basically, the claim that OSX is more secure by design is just more Apple user hubris. The defaults before Vista were less secure, but the 'design' worked the same way. Since Vista the defaults aren't even a problem anymore.

And I'll argue that default choices are part of the design.
posted by cjorgensen at 8:22 PM on April 4, 2012 [1 favorite]


Well, crap. After reading this I went and let Software Update do its thing, and now my Mac won't boot. Just sits there with the apple logo and the little spinny widget. Not happy.
posted by Mars Saxman at 8:25 PM on April 4, 2012


I have uninstalled Java on every computer I control except the one where I play Minecraft. That includes all our work computers. Java has been a huge target lately, both on Windows and on Macs, and the risk of keeping it installed isn't worth the minor utility that you get from it.

Everyone I know in the IT security industry is recommending uninstalling Java completely, unless you absolutely must have it - no matter what OS you are running.
posted by gemmy at 8:27 PM on April 4, 2012 [1 favorite]


Number of hours I have sacrificed cleaning up viruses on Macs: 0 hours.
Amount of data I have lost due to a Mac virus: 0 bytes.

Number of hours I have spent cleaning up PC viruses: Fuckloads.
Amount of data lost: No way to know.

Number of years working on Macs: 20+
Number of years working on PCs: 2.

My PCs all run McAfee with up-to-date DATs.
I run various flavors of mandated virus scans on the Macs, but have never had them find anything other than harmless-to-the-Mac .exe viruses.

Number of Sysadmins I know: Shitloads.
The only ones that don't have similar experiences to the above are the ones that refuse to believe Macs have a place in the enterprise.

The last time I ran virus protection on my personal macs was OS 8.6 or 9. I willingly visit sites google warns me about just to see if I can get it to hurt my Mac. Hasn't yet. I'm willing to open strange attachments. I've never had an issue. I once saw a Mac floppy that was infected with the "Monkey-B" virus (or something like that), but I was still too young to legally drink.
posted by cjorgensen at 8:36 PM on April 4, 2012 [8 favorites]


It's a trojan, not a virus, BTW.

On what basis? Because it doesn't spread from the infected machines out to other ones? That's the only thing I see about it that it lacks in terms of "virus like" characteristics.

But it doesn't use any sort of social engineering to get the user to bypass security and install it, which has always seemed like the key hallmark of a trojan (and the reason they're called "trojans" in the first place; they get into your system under the guise of something else, like a crummy utility or pirated software).
posted by Kadin2048 at 8:43 PM on April 4, 2012


Interesting development, thanks for sharing. I've now updated my macbook pro and will be updating the (much less used) mini later tonight. I used to work at an Apple retailer on an equivalent "Genius Bar" (only we just called ourselves "pros" not geniuses) and whenever someone asked me about security on the Mac this is what I would tell them:

1. Yes, Macs have been historically virus free, partly because of more secure architecture but mostly because the payoff for your average hacker is greater in the windows world.

2. But! That doesn't mean you're totally immune. At any given moment there are a few bits of nastiness out there that could infect your machine. You still need to be careful. Also just because there's a low incidence of Mac malware doesn't mean you won't still get hit with "social malware", i.e. phishing sites, Facebook spoofs, eBay email scams, etc...that crap is OS-agnostic.

3. Sure, it's a good idea to have some kind of anti-virus software installed, the totally free ClamXav is perfectly fine (though I personally only follow this advice when I can be bothered to remember).

Side bonus: tooling around in the Java preferences finally convinced me to get 64-bit Java working for MineCraft. Yay far-distance rendering!
posted by Doleful Creature at 8:46 PM on April 4, 2012 [1 favorite]


I think it's worth nothing that this trojan prompts the user for his or her administrator password (under the guise of Software Update). It really really irritates me when any app prompts me for my administrator password. Unless there is some underlying framework to be installed in the unix guts of OS X, that should not happen. I don't think Software Update prompts for a password ever, but I could be wrong, so that is a warning sign.
posted by jabah at 8:49 PM on April 4, 2012 [1 favorite]


*worth noting*
posted by jabah at 8:50 PM on April 4, 2012


First of all, Macs were not less vulnerable than Windows machines. In hacking competitions they were often easier to break into.
Cite please.

In fact, how about just please, period? My point is that Mac OS X has been and continues to be an *empirically* more secure OS.

I'll leave the theoretical security model to the purveyors of broken-into Windows machines.

</so-called Mac-user hubris>
posted by mistersquid at 8:54 PM on April 4, 2012 [1 favorite]


Everyone I know in the IT security industry is recommending uninstalling Java completely, unless you absolutely must have it - no matter what OS you are running.

What breaks/won't work without it? (OSX 10.7.3, mbp)
posted by rtha at 8:56 PM on April 4, 2012


Attack surface for a hacker means "how many doors and windows can I check to see if they are unlocked"; for the admin it means the opposite, locked.

A smaller attack surface should be easier to defend.
posted by roboton666 at 9:07 PM on April 4, 2012


Thanks, gilrain. I think I vaguely remember that one.

I should appropriately adjust my position, rather than merely reiterate it.

Macs *are* easier to exploit than Windows machines and the security I and millions of other Mac OS X users have enjoyed for more than a decade and continue to enjoy today is a silly matter of empirical fact that does not take into account artificial conditions and theoretical contexts.
posted by mistersquid at 9:15 PM on April 4, 2012 [3 favorites]


I never bought the 'security through obscurity' argument, which goes: there are no viruses for OS X because there are fewer Macs, so it's not worth virus writers' time. This doesn't happen in the real world. If there's a niche, someone always tries to fill it. You don't hear McDonalds saying "We don't bother with small towns, because way more people live in the big cities." You don't hear robbers saying, "We don't bother with convenience stores because Walmart keeps so much more cash on hand." Mac users historically 1) have money and 2) are lax about security. And virus writers historically crave glory, albeit anonymously. So the idea that Mac users are 'not worth the effort' doesn't sound likely.

And yet, you have this major operating system, now 12 or so years old, with no self-replicating viruses in the wild. (The trojan under discussion here prompts the user for his administrator password, which would be oh so quaint for a Windows virus.) There have been holes in OS X security over the years, but no one seems to have taken advantage of them. I kind of wonder if this doesn't have to do with the abject hatred many have had for Microsoft (due to their poor code and cruel business practices) ... the very same hatred which seems to be transferring over to Apple, the new king of the hill.
posted by jabah at 9:24 PM on April 4, 2012 [3 favorites]


Not sure if someone's linked to it here, but this seems to be the latest info. Some of the features claimed in this thread (eg. that it asks for an admin password) appear not to be the case for the most recent version.

It looks like this runs through the Java browser plugin, so merely having Java on the system isn't enough. (Good news for Eclipse junkies...) But if it can run the plugin, it will install without any notification. If it can't, it falls back on the social exploit (appearing to be an installer) to convince the user to let it in.

Since it relies on the Java plugin, I am hoping that ClickToPlugin would catch it, but I haven't seen any confirmation of that. It's also not clear to me how the fake installer launches if it can't go through the plugin.

It looks like part of the exploit is installing to the /Users/Shared folder -- I've never used it but it seems like it allows software installed under one user's permissions to affect all users. Pretty questionable security, if you ask me.

Also, the fact that it looks for login information on other systems illustrates that merely running without admin privileges isn't really "secure" -- the valuable info on your computer isn't your own root password, it's your Google login and bank password and other stuff that's fully accessible at the user level.
posted by bjrubble at 9:36 PM on April 4, 2012 [2 favorites]


It seems entirely possible that the attack surface of Mac OS was at one point, likely just after the OS9 -> OS X transition when the system was basically all new, smaller than Windows at the time. (Bearing in mind that at the time, Windows 95 was probably the most popular variant.) But it's also entirely possible that things have switched in the intervening 10+ years.

Windows has gone through two full development cycles (Vista and 7), while Mac OS has received what appear to be mostly incremental updates and feature additions. It probably doesn't help that Microsoft has a lot more programmers than Apple does to throw at the problem, and Apple seems to have been substantially distracted (by iOS) from OS X -- and at least in my experience, it's stuff like code audits and non-user-facing bug fixes that are most likely to get postponed when resources get scarce.

This is all speculation, of course, and it hinges on an arguable premise, which is that old, crufty code is less secure and contains more bugs than freshly-rewritten code, which may not be true at all (if the old code was good and the new code is bad, then it could be quite the opposite!). But it does at least provide a somewhat-plausible explanation for why Mac OS could have been more secure at one point, but there's little reason why that is necessarily the case today, or indefinitely.

There just aren't any architectural differences between Windows (NT) and Mac OS (XNU) that you can point to anymore that would explain a radically different security profile. They're both hybrid-kernel OSes (both, in fact, inspired or directly descended from Mach) implementing very similar security features, running on similar hardware... it's very hard to come up with a reason why one is architecturally superior to the other in a meaningful way. In the past, you could have argued with some merit that Windows shipped with really shitty defaults, and it's the default configuration that matters more than the underlying architecture, but they seem to have gotten the message lately.
posted by Kadin2048 at 9:42 PM on April 4, 2012 [5 favorites]


I believe this is what happened to my Macbook starting about five weeks ago. It was maddening to try to figure out what was happening and how to fix it as there was almost zero discussion of it that was recent or relevant on the Web.

In the Apple discussion boards wherein similar (or identical?) symptoms were being discussed the thread invariably detoured as a few resident experts would show up to say "Impossible!". Truly surreal.

I ended up following the steps in this thread and they worked but no way could my parents or most other Apple users I know have done that kind of fix (Terminal, vi, etc)
posted by noway at 10:04 PM on April 4, 2012 [2 favorites]


I have no idea what point you're trying to make.
You linked to a list of security flaws which had been exploited. You seemed to be implying that had something to do with my statement about windows not having a larger attack surface. If you don't understand those concepts, I suppose it would be hard to understand my point.

An attack surface are the things you leave open intentionally, security flaws are unintentional. If you're talking about design, you look at what's intentional (the attack surface). If you arguing about practical security, you look at security flaws.

A larger attack surface means there's more likely to be a flaw. But the point I was making was that windows and OSX have the same design when it comes to running code as non-root/administrator. The idea that it has a "more secure design" is incorrect.

Also, all the security exploits you linked to had been patched, sometimes years ago. The problem is people running old, pirated code, with windows update turned off, etc. Microsoft only gives out security updates to non-pirated versions of windows, which, obviously, is going to lead to lots of insecure systems due to pirated copies. Kind of a dick move, IMO, but that's one big reason why systems aren't always patched.
And I'll argue that default choices are part of the design.
Uh, right, but those haven't been the default choices for over 7 years. We might as well be arguing about how OS9 is insecure due to a lack of real protected memory or something.
Number of hours I have spent cleaning up PC viruses: Fuckloads.
Amount of data lost: No way to know.

Number of years working on macs: 20+
Number of years working on PCs: 2.
McAfee and Norton are complete garbage. Get Microsoft security essentials. I have no idea what you're doing that would cause so much time spent deleting viruses, unless you're downloading random .exe files off the internet and running them.

Seriously, if you think that Mac OS is more secure than windows "by design" what exactly are the design differences that you think the OSes have? The only thing I've heard in this thread is a simple assertion that the design was better, and someone listing features that are new to OSX but have been in windows forever, even before Vista.

It's kind of a "There are no tanks in Baghdad" thing, there was a huge gaping security flaw in OSX, left open for months, and you guys are all still claiming that OSX is more secure.
Cite please.
Like other people mentioned, it's the pwn to own contest:
"Those days are over. Every year in the Pwn to own contest the Mac is the first computer to fall. This year it was pwned in just 5 seconds using a Java exploit in Safari."
In fact, how about just please, period? My point is that Mac OS X has been and continues to be an *empirically* more secure OS.
Yeah, there are totally no tanks in Baghdad dude!
decade and continue to enjoy today is a silly matter of empirical fact that does not take into account artificial conditions and theoretical contexts.
Not attacked != secure. Just because there aren't automated systems going after you to the same extent that windows is, doesn't mean that you are secure. It would be much easier, for example for a targeted attack to get you. There was a several month window where, if someone could just get you to visit a particular URL they could get into your system. That isn't secure.

The most insecure system is the naïve user, who doesn't know what they're doing. You can add extra layers of security, like windows vista/7 and that will protect them somewhat. But if mac users simply say "I'm secure, I'm on a mac!" then, well, the probability of it going well for them is going to continue to decline.

(Although, one thing to keep in mind, the last thing botnet writers want to do is fuck the user. Their goal is to be as benign a pathogen as possible. In the real world, viruses that harm their hosts the least have the most evolutionary success. If a virus completely screws up a system, well, it's going to get wiped quickly.

I remember reading an interview with a spyware/adware author from back in the early 2000s. His spyware would wipe all the other common spyware/adware variants off the system, so users who had his spyware would actually see their machines speed up - so users who actually have this stuff installed may not ever see problems. )

posted by delmoi at 10:08 PM on April 4, 2012 [11 favorites]


I don't know about artificial conditions... the methodology of that contest sounds pretty good, to me, but sure, yeah... it's designed to let the security experts strut their stuff I suppose.
I don't feel fighty despite expressing my point sarcastically. My point in emphasizing empirical vs. artificial conditions is that the winner of the contest had "remote control" access to the computers in question. In particular (from your link),
Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.
That's an artificial condition if I ever saw one and I sarcastically adjusted my position to emphasize the day-in-day-out fact that Mac OS X was and continues to be more secure than Windows OS. Not invulnerable, just more secure.

Some people feel the need to qualify this long-standing empirical fact by pointing out Macs are *more* vulnerable than Windows machines (which I suppose the contest demonstrated… for proper values of "suppose"). Some feel the need (not you, gilrain) to declaim observations that in practice Macs are exploited less than Windows machines as statements of hubris.

I know all networked systems are vulnerable and I do take precautions. I am not a security expert and have no desire to become one. However, it does not take a security expert to understand that Mac OS X has been exploited much less than Windows, and using this reduced attack vector as a criterion for deciding which of the two operating systems is safer to use is, to my mind, plain common sense.

So, yeah, I find myself a bit exasperated at the refusal to simply acknowledge facts and, instead, to qualify facts as if the facts don't really matter.
posted by mistersquid at 10:09 PM on April 4, 2012


delmoi, I check my logs for automated attacks on my systems all the time. The automated attacks are there (targeting SSH primarily using brute force) but are just ineffective.

Also, if you're going to point to trojans as evidence of exploitability/unsecurity why don't we just call it a day and let me email you my root password?
posted by mistersquid at 10:13 PM on April 4, 2012


Anyway, I don't really like analogies, but since 'attack surface' is already an analogy let me expand on that a little bit.

Lets suppose you had some diamonds you wanted to keep safe. You put them in a safe, in a room in a building.

What you need to figure out is 1) How many doors open from the outside to the lobby, and 2) how many doors are there from the lobby into the room with the safe?

Having a large external attack surface is like having a lot of doors that lead into the lobby. Having a large internal attack surface is having a lot of doors from the lobby to the inside.

The design of both windows and OSX has only one door on the outside. It's very secure and automatically locks behind you once you bring something in. (Essentially, in order to run code, you have to personally, manually download it)

But once someone is in the lobby, can they get to the safe? That's where OSX, Linux, and Vista/7 differ from XP and 2000.

Essentially, the difference is, in XP all the internal doors were unlocked by default. Not the external doors. By default, you were safe from external hackers. But once you brought 'someone' in. And lots of noob users brought 'people' into the lobby all the time. Plus, your applications (like anything from adobe) might accidentally let people get in even if you don't want them. (If you go back even further to systems like OS9 or Windows 95, they didn't even have internal doors, just curtains or something)

Users in XP could choose to lock the doors if they wanted to, and companies would typically do this, but most ordinary users wouldn't do so on their home computers, because they didn't know how.

With Vista and windows 7, the internal doors are locked, just like OSX. There is no difference in this aspect of the design.

The problem is, something like this is like having a huge window in the room where you keep the diamonds. So the "design" of the doors is irrelevant. An attacker can go straight from the outside, right into your diamond storage room.

The safe, in this case, would be your antivirus software. And since unfortunately mac users think they are totally secure, well, a lot of them don't have safes at all. That's where the hubris comes in.
In the Apple discussion boards wherein similar (or identical?) symptoms were being discussed the thread invariably detoured as a few resident experts would show up to say "Impossible!". Truly surreal.
No. Tanks. In. Baghdad!!!
Some people feel the need to qualify this long-standing empirical fact by pointing out Macs are *more* vulnerable than Windows machines (which I suppose the contest demonstrated… for proper values of "suppose"). Some feel the need (not you, gilrain) to declaim observations that in practice Macs are exploited less than Windows machines as statements of hubris.
When people talk about "security" they are talking about vulnerability. If you live in a nice neighborhood, and you don't bother to lock your door, you are not secure. For years, mac users have been living in a "nice neighborhood" and simply haven't had to worry about locking their doors, much less making sure their windows were closed, that they had solid locks, cameras, police, etc.

Now what's starting to happen is that all the criminals in the bad neighborhood have started to have trouble breaking into the old haunts, since so many people keep their doors locked and security is solid. And they're starting to realize that A) there are a lot more people there now than there were before and B) hey, all these people not only leave their doors unlocked, they refuse to believe it could be a problem.

The big difference, though, is that the hackers aren't going after you, they just want to use your house as a staging ground for further crimes. usually. So people don't even notice when they've been broken into. Or sometimes they'll just plaster the inside of your house with ads. That's annoying, but not the end of the world. So it's not like crime in the real world, and people don't really take it that seriously anyway.
Also, if you're going to point to trojans as evidence of exploitability/unsecurity why don't we just call it a day and let me email you my root password?
First of all, if you're so confident, why not post it along with your IP in the thread?

Second, this thread is about a trojan.

Third, if you'd been paying attention, you'd see this didn't require the user to install directly, if they had the out of date java version that Apple hadn't patched. They just had to visit a web page. That's how the vast majority of hacks take place these days. If you're running an IDS you're not the typical user who typically gets hacked.

Fourth, if you think OSX has a safer "design" then what exactly is the actual difference in those designs?

I still haven't seen anyone bother to explain this.
posted by delmoi at 10:36 PM on April 4, 2012 [5 favorites]


mistersquid: Macs *are* easier to exploit than Windows machines and the security I and millions of other Mac OS X users have enjoyed for more than a decade and continue to enjoy today is a silly matter of empirical fact that does not take into account artificial conditions and theoretical contexts.

And what we're trying to tell you is that those days are ending. Macs have, apparently, finally crossed the line into viability for self-propagating viruses; they are now a sufficient percentage of user machines to support a self-perpetuating botnet. There's nothing inherently more secure about OS X than about Vista or Windows 7... in all honesty, Apple has taken far fewer security precautions than Microsoft has. It's easier to crack an OS X machine, and it always has been -- this is why they cannot lock their iDevices down, despite trying desperately hard to do so.

To my knowledge, every iOS device has been jailbroken, despite very, very active engineering by Apple to stop it. This should tell you that OS X, which is far more open and to which Apple pays far less attention, is at least equally easy to break into, and probably a lot easier.

The only reason you've been safe is because you've been obscure. But now Mac OS installations have crossed some hidden percentage of client machines, and have become worthwhile targets. This will become more and more frequent.

Welcome to the wonderful world of viruses.
posted by Malor at 10:47 PM on April 4, 2012 [2 favorites]


Considering there are well over a million Windows viruses and now like, uh, one OS X virus, obscurity must be the greatest security one could ever have.
posted by jabah at 11:15 PM on April 4, 2012 [1 favorite]


Apparently the virus has infected your machine, jabah, and hides the first 70 comments of every Metafilter thread.
posted by hincandenza at 11:56 PM on April 4, 2012 [13 favorites]


Zing.
posted by zoo at 12:15 AM on April 5, 2012


Interestingly, this Trojan even refuses to install itself if you have Xcode installed.

Presumably the authors regard machines with Xcode installed as being owned by people who are more likely to notice that their machine has been compromised. Clearly the Trojan authors were very interested in remaining under the radar as long as possible.
posted by pharm at 1:38 AM on April 5, 2012 [2 favorites]


"There just aren't any architectural differences between Windows (NT) and Mac OS (XNU) that you can point to anymore that would explain a radically different security profile. They're both hybrid-kernel OSes (both, in fact, inspired or directly descended from Mach) implementing very similar security features, running on similar hardware... it's very hard to come up with a reason why one is architecturally superior to the other in a meaningful way. In the past, you could have argued with some merit that Windows shipped with really shitty defaults, and it's the default configuration that matters more than the underlying architecture, but they seem to have gotten the message lately."

This thread is making me feel old and completely professionally antiquated. I sometimes wonder how much my twelve years of being out of the industry has hurt my expertise, and I guess it's a lot. But there was a time when not that many people knew more about the PC platform than me. Anyway, please excuse any ignorance or mistakes I make in the following; I'm antiquated.

I guess the question I have about the above is not about the security model, precisely. After all, the NT filesystem security model is much, much more finely-grained and powerful than the UNIX-standard model, but that has proven to mean very little (because it's vastly underutilized in practice — or overdesigned in a useless way — and for reasons external to the filesystem). It's about whether the OS is designed, at its core, to be a single-user or multi-user OS. And this has always been Windows's weakness, even NT, and it's always been the strength of UNIX. Even the Pentagon-certified security strength of the original NT was certified for a single-user, unnetworked machine only.

Now, I was a little surprised to read 1970s Antihero's comment earlier, "I don't normally log in as a user with admin privileges...". Do people do that on OS X? I had assumed that the ethos on OS X would be the UNIX ethos that unless you're doing something administrative that requires being an administrator, you don't do this. And you don't screw around and run random user apps when you're doing it. You do what you need to do and then log-off.

Meanwhile, because of users accustomed to the pre-2000 versions of Windows and their complete lack of security, the transition of Windows to the NT kernel in 2000 and backwards-compatibility for apps meant that to do much of anything, the user effectively had to be root/admin. And so things like file-permissions and such meant basically nothing.

And here's the thing: even Vista and 7 with their vastly reworked security are still working around this problem. Originally, the OS itself thought of pretty much anything other than superficial changes to the user's experience, most especially regarding installation and removal of apps, to occur within the context of administrative work. And there was in practice little distinction between OS-critical executables and processes and user-level executables and processes. Everything installs to Program Files and System32. It's always been possible to not do this, though MS's assumptions and inertia made it in practice extraordinarily difficult to do. And it's still like this. In contrast, in the UNIX world, an admin can install an app to be available for all users, but often apps are user-installed into user file space and infected executables simply don't have any access at all to OS-level/critical filespace. This is the way that OS X should work, but maybe it doesn't? (I have a jailbroken iOS device and my vague familiarity with it does look to me like Apple has centralized a lot of stuff and weakened the security model in order for the devices to be user-friendly. And they are, in practice, single-user systems. Which is probably a bad precedent to be setting from a security point of view, especially considering they are inherently networked.)

You know, it's only been this year that I've noticed some apps installing on my Windows 7 machine exclusively into pure user filespace. To which my reaction was finally.

Anyway, even if OS X was built around a UNIX core to be, mostly, a desktop single-user OS and thus the security model weakened, and then even more weakened as the years have gone by; and even if Windows began at the opposite extreme and has been moving away from it since then; it's still the case that they come from exactly opposite paradigms of typical use with regard to security. I can't see how you can claim that there are not architectural differences with regard to security. Those differences may have been obscured by evolutionary changes by which both platforms are meeting somewhere in the middle; but those design differences are still very much there. And one of them is superior from a multi-user, networked security point-of-view. Microsoft is still basically kludging their way to a more secure OS. Apple may have weakened the security model of the inherent base design of OS X, but it would be a lot easier for them to tighten it up to be very, very secure than it would be for Microsoft to reach the same place. I think MS could do this working from the current OS, but it would break so much backward-compatibility that they never will.
posted by Ivan Fyodorovich at 1:46 AM on April 5, 2012 [2 favorites]


If you have the following files on your machine, the Trojan automatically deletes itself.

/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app

Yes, Microsoft Word will protect you from this Trojan.

Wait, what?
posted by eriko at 2:35 AM on April 5, 2012 [2 favorites]


Ivan: What you're saying is mostly true, but the services that Apple provides to userspace are many and varied, and not really separated out in terms of permissions. Everything they layered on top of Unix had security as basically an afterthought, something that received only token attention.

Now that they're actively trying to keep users out of their own hardware, they're having to rethink things, but their absolute failure to keep any of their devices locked should give you a clue as to just how much like cheesecloth their security has been. It is getting better, finally, but they're at least five years behind Microsoft. They may not have as much work to do to gain parity, but they're nowhere near parity yet.

XP always had the ability to be highly secure. It had excellent, fine-grained permissions. But the problem was that nobody paid any attention to them, and many applications demanded system-level access. You could run an XP box pretty darn securely, but there was a fair bit of software you couldn't run (especially games), and it was pretty inconvenient to use for more than just doing the exact same stuff every day.

Vista finally got serious about enforcing that security model. The squawking from users was epic, and they backed off a bunch in 7. That was probably the biggest security mistake they've made as a company, out of a long, long list. They should absolutely have stuck to their guns, and the pain would now be almost entirely gone. The butchered version of UAC they went with instead is barely protective at all.

And don't even get me started on the Linux kernel. The Linux kernel is a complete clusterfuck as far as security goes, to the point that they actively try to hide how dismal it is. Userspace is fine, but the kernel is not trustworthy. Example: they don't even feel they can safely provide shell access on kernel.org anymore.... their security is so bad that they no longer even try to securely share hardware among multiple users.
posted by Malor at 3:16 AM on April 5, 2012 [1 favorite]


Oh, an example on OS X: on the first version I owned, which I think was 10.1, I was exploring the system, and discovered the 'nidump' utility, which would dump out all the user names and their hashed passwords, even running as the 'nobody' user.

This is a security cockup so large it's hard to explain well -- protecting the hashed passwords from other users is important, because it usually makes brute-force cracking attacks implausible. But anyone on a Mac, even the explicitly untrusted user account, had full access to all the system password hashes.

They've pulled nidump completely out of more recent versions of the system, but that should give you an idea of the security focus they started with. BSD was pretty secure, but BSD is just a flavor running under the Mach kernel, and all the stuff NeXT, and therefore early OS X did, was ludicrously terrible. Until they started trying to lock users out of their own hardware, security simply didn't matter to them.
posted by Malor at 3:22 AM on April 5, 2012 [3 favorites]


Fourth, if you think OSX has a safer "design" then what exactly is the actual difference in those designs?

Microsoft's APIs, documented and undocumented, allow deeper access to the OS internals. Handy if you're a developer... or someone looking for an exploit. Apple is famous for breaking undocumented APIs, Microsoft is famous for leaving them alone across revs. Take a look at the list of "in the wild" exploits posted previously - they all rely on application and system software, not necessarily the OS. Microsoft's OS design, since the first rev of NT, has been famously secure - based largely on the model of VMS. They've also conveniently baked in ways of circumventing that strong security so as not to inconvenience big developers and large customers. This is why the Mac is worse with proof-of-concept attacks, but does much better against real-world attacks. Apple doesn't just patch a bug, they rework their APIs as needed, and don't much care which devs they piss off. You're pretty much stuck with Zero-Day attacks as your only vector. (The exception being Flashback - but it ain't going to be around for long.)

While you can claim the "attack surface", whatever that is, is smaller than Mac OS X, the exponential disparity of "in the wild" attacks proves that Microsoft, with Windows 7, still hasn't gotten religion.
posted by Slap*Happy at 4:17 AM on April 5, 2012 [2 favorites]


Ivan, OS X has a couple of layers of user privileges. There's the root user, which can do pretty much anything, but users don't normally have direct access to that account. Then there are users who are members of the admin group, who have permission to write in certain areas of the filesystem, like /Applications and /Library, and can temporarily get root access (after getting prompted for a password) to perform certain tasks. So if a user in the admin group is compromised, it can do more damage to the system than a regular user, and if the user can be tricked into typing their password, it can be even worse.

This is assuming that the attacker isn't using some sort of privilege escalation attack to get root access; Linux is horrible in this regard. Darwin seems to be better (or it just could be that hackers haven't dug into the code the way they have with Linux).

Lately, Apple has been nudging developers to sign and sandbox their apps, and encouraging users to only install apps from the trusted App Store. Again, Apple's focus has been less on patching individual exploits, but rather on redesigning their APIs to be more secure, and forcing developers to use them.
posted by 1970s Antihero at 5:48 AM on April 5, 2012 [1 favorite]


But it's also entirely possible that things have switched in the intervening 10+ years. Windows has gone through two full development cycles (Vista and 7), while Mac OS has received what appear to be mostly incremental updates and feature additions… old, crufty code is less secure and contains more bugs than freshly-rewritten code…

Wait, you're arguing that Mac OS X (about to see its 8th major release and moving to a yearly release schedule) is less secure than Windows because it's updated infrequently and limited by crufty backwards compatibility—unlike Windows?

Really?
posted by designbot at 6:04 AM on April 5, 2012 [1 favorite]


Java on OS X has never been a priority for Sun. I recall back when I went for my Sun certification testing when I had to clients and servers, and I tried doing development on my little iBook. Java has always lagged behind Sun's Solaris and Windows releases by at least one major version.

It was always an odd little arrangement. Sun would not provide binaries at all for OS X (the download page would just say "use System Update"), and Apple would, but Apple would always be 6 months or so behind. I think Apple wanted to own the UI so they could make it look native, but in practice Java was neglected and only updated when the OS was.

Their new arrangement is much better, though I'm a bit unclear on how the updates will work now. Will Java be in the Mac App Store?
posted by smackfu at 6:32 AM on April 5, 2012 [1 favorite]


I always assumed the reason Macs were more secure was that they come pre-infected with iTunes.
posted by srboisvert at 6:59 AM on April 5, 2012 [3 favorites]


I didn't realize until your last post, delmoi, that this exploit is technically a trojan that does not require a password to install. My own machines never having been to my knowledge in jeopardy of such exploits, I falsely presumed trojans require user authentication to deliver their payloads rather than the mere interaction of an http request. This is an important thing to understand and as you've put it, at great length no less, many previously unexposed users will be introduced to more compromises in the future.

I am not good at explaining the differences between pre-UAC Windows machines and OS X Unix security but from everything I've read on the web from authoritative sources, I still am of the opinion that UNIX systems are more secure than even modern UAC Windows machines. If the actual "security" of Mac OS X is only the result of living in a "good" neighborhood then I'm sure you'll correct me and I'll continue living in my good neighborhood.

As for publishing one of my IPs, delmoi, it's not a matter of confidence. I'm not so foolish as to think that servers I admin are invulnerable. I am confident, however, that someone as knowledgeable as yourself would have a difficult time in breaching a server I admin. Shall we make it a friendly wager, say a beer and a burger whenever we're in the same town?

I will send the IP of one of my servers to you, and only you, over memail (i.e. you are not welcome to link this challenge and the IP I send you to anyone other than yourself). I ask that you notify me from which IPs you will be attacking and that when you do successfully breach my server you notify me. I also ask that you stop testing that server's security once you have breached it, that you refrain from downloading any non-public information from that server, and that you refrain from uploading any data. I will consider any use outside these parameters to be unauthorized.

If you're interested, memail me and we can talk about a timeframe for you to begin and end your testing. (If we determine the results are of general enough interest, we can consider writing it up. If others want in on this challenge, just memail. Depending on interest, further negotiation and formalization may be required.)

As a side note, I'm thrilled Slashdot has gotten around to posting this. From the point of view of someone who prefers to use Mac OS X, I like the take-it-down-a-peg spirit of Slashdot schadenfreude.
posted by mistersquid at 7:55 AM on April 5, 2012 [1 favorite]


Am I correct in thinking that the boffins in this thread have moved beyond simple Mac-vs-PC crap and into a serious discussion of security on Mac- and Windows-flavored *nix systems?
posted by theora55 at 8:48 AM on April 5, 2012


No, Apple hasn't released an update for 10.5's build of Java (Java update 10 includes 1.6.0_25 which should have this vulnerability). We still have a large number of folks running 10.5 and using Java to access the campus systems, so we are hoping a patch comes out soon. Hopefully they will.

Apple has been pushing for sandboxing, which in theory would prevent this from happening (something with Gatekeeper) or spreading faster, but as discussed in other threads, people who disable it will be left vulnerable.

The most impressive part of the Flashback trojan isn't that it is using this exploit to be installed, whatever, it's a vulnerability; when you are working on a trojan, you modularize it so you can adapt it to use whatever zero day exploit you find (and yes, there is a problem with the fact that this isn't even a zero day exploit, it's a two-month-old one that has been patched on other systems). The impressive part is they actually know enough about OS X coding practices and admin practices to use things like local environment variables (.MacOSX folder) to inject code into web browsers. Previous trojans all looked like they were written by someone scraping macosxhints.com for how-tos on "how do I keep a file from being deleted" posts; this actually uses a lot of properly designed system hooks to keep itself in place. Now if only the AntiVirus manufacturers were as skilled at writing their software so it actually wasn't painful to use under OS X.

In serious circles (i.e., those of us who manage macs professionally) the conversation about Trojans/Viruses on OSX has always been about When not If. Luckily today I am also doing a presentation about actually getting a real change control system in place for our Mac systems here on campus, so I can demo my policy which finds and patches out of date versions of Java on workstations, and how we can also use the same framework to detect and patch machines. Supposedly Apple should be able to push a signature to their app blacklist like they've done in the past with MacKeeper, but they have been pretty tight-lipped about the whole thing.
posted by mrzarquon at 9:23 AM on April 5, 2012 [5 favorites]
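A defender-side check for the persistence hook mrzarquon describes, added here as an example and not code from the thread or from any of the products named in it: it parses a per-user ~/.MacOSX/environment.plist for the dyld injection variable DYLD_INSERT_LIBRARIES (the standard OS X per-process library injection variable, assumed here to be what "local environment variables" refers to) and reports which home directories carry such an entry. The sample plists, user names and library path are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of per-user
# ~/.MacOSX/environment.plist files for a DYLD_INSERT_LIBRARIES entry,
# the dyld hook that loads a library into every process the user starts.
# Only the XML is parsed, so this also runs on a non-Mac for testing.

# Print the library path(s) named by DYLD_INSERT_LIBRARIES in one plist.
# Exit 0 if such an entry exists, 1 if the file is absent or has none.
check_env_plist() {
    plist="$1"
    [ -f "$plist" ] || return 1
    # Flatten the XML so a <key>/<string> pair split across lines still
    # matches, then pull out the <string> that follows the key.
    tr -d '\n\t' < "$plist" \
      | sed -n 's/.*<key>DYLD_INSERT_LIBRARIES<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p' \
      | grep .
}

# Walk every home directory under a root and print "user library" for each
# user whose environment.plist injects a library. Exit 0 if any were found,
# 1 otherwise, so the result can drive an alert in a change-control job.
scan_homes() {
    root="$1"
    found=1
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        lib=$(check_env_plist "$home/.MacOSX/environment.plist") || continue
        printf '%s %s\n' "$(basename "$home")" "$lib"
        found=0
    done
    return $found
}

# Constructed sample data: two fake home directories under a temp root.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/alice/.MacOSX" "$SAMPLE_ROOT/bob/.MacOSX"

# alice: a harmless environment.plist that only customises PATH.
cat > "$SAMPLE_ROOT/alice/.MacOSX/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PATH</key>
    <string>/usr/local/bin:/usr/bin:/bin</string>
</dict>
</plist>
EOF

# bob: an injection entry pointing at a hidden library (path is constructed,
# not a real indicator).
cat > "$SAMPLE_ROOT/bob/.MacOSX/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/bob/.example_hidden.so</string>
</dict>
</plist>
EOF

# Report on the sample root; on a real Mac you would run: scan_homes /Users
scan_homes "$SAMPLE_ROOT" || echo "no DYLD_INSERT_LIBRARIES entries found"
```

A hit only tells you that a per-user injection entry exists; the library it names still has to be examined before deciding whether the machine is compromised.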


theora55: Am I correct in thinking that the boffins in this thread have moved beyond simple Mac-vs-PC crap and into a serious discussion of security on Mac- and Windows-flavored *nix systems?

Well, yes, but we usually end up in something approximating that conversation when we really start talking about security here. As MeFi tech threads go, this one is actually on the weaker side.
posted by Malor at 9:59 AM on April 5, 2012


My Mac was clean as a whistle, but I decided to look into uninstalling Java as a precaution (I've already uninstalled Adobe Flash because of its vulnerabilities). Apparently this is a non-starter if you use Adobe software. So thanks (again), Adobe.
posted by entropicamericana at 10:53 AM on April 5, 2012


cjorgensen: Signed certificates, sandboxing, randomized buffer memory, etc. Apple is generally so slow on these fixes because they don't want to fuck up someone's Mac.

Oh please. They didn't do those things because they didn't throw resources at them, and they didn't throw resources at them because for a long time they didn't need to. It's standard corporate behavior, and Microsoft was the same way for a long, long time.

This isn't Apple's code by the way. This is also why Apple has stopped shipping Java with the Mac (and Flash), because if you ship it, you own it. If you choose to install suck code on your PC or Mac don't cry when shit breaks.

They still supply Java. It's still their suck code.

mistersquid: I should appropriately adjust my position, rather than merely reiterate it.

Commendable. If only more people would do that!

I am confident, however, that someone knowledgeable as yourself would have a difficult time in breaching a server I admin. Shall we make it a friendly wager, say a beer and a burger whenever we're in the same town?

Er, I don't think delmoi was offering to hack your system as a proof-of-concept....

jabah: I never bought the 'security through obscurity' argument, which goes: there are no viruses for OS X because there are fewer Macs, so it's not worth virus writers' time.

There have been proof-of-concept Mac viruses for a long time, to my knowledge, but they haven't been a problem in the wild because there hasn't been the financial incentive to "weaponize" them. Mark my words: this isn't the last we've seen of Mac trojans.

Malor: To my knowledge, every iOS device has been jailbroken, despite very, very active engineering by Apple to stop it.

I've kept up a little with the situation, considering that jailbreaking makes my iPad 2 a lot more fun/useful. The iPad2/iPhone4S was substantially harder to jailbreak than earlier versions of the OS, partly due to the A5 processor not having a security hole that was much used under earlier chips. It is currently not jailbroken for the most recent version of the OS (5.1), but has an untethered jailbreak under 5.0. To my knowledge the iPad 3 has yet to be jailbroken, but give them time. (That's the "new iPad" in silly Apple marketing language, what are they going to call it when the iPad 4 comes out?)

But it's a shame that Apple's iOS security model is aimed against attacks posed by the user.
posted by JHarris at 10:56 AM on April 5, 2012


That's the "new iPad" in silly Apple marketing language, what are they going to call it when the iPad 4 comes out?

The "old iPad".
posted by ChurchHatesTucker at 11:01 AM on April 5, 2012


JHarris, I saw a claim that someone had already broken security on the new iPad, but I'm not aware of a convenient jailbreak tool yet.

Eventually, Apple will have things nailed down well enough that you really won't own your own hardware, but I think that's a ways off yet.

And I'm no marketer, but I suspect that all iPads are the new iPad. :)
posted by Malor at 12:00 PM on April 5, 2012


"The New iPad S"
posted by double block and bleed at 12:25 PM on April 5, 2012 [1 favorite]


And here we are trading conspiracy theories about iPads in an OS X / Java thread. Good job!
posted by entropicamericana at 12:34 PM on April 5, 2012


> That's the "new iPad" in silly Apple marketing language, what are they going to call it when the iPad 4 comes out?

Same way they distinguish between Mac Pro, iMac, Mac Mini, AppleTV, MacBook Air, iPod (nano/classic/shuffle).

In fact, Apple calling the iPhone and iPad anything BUT iPhone and iPad is what is out of place here. The model name isn't "new iPad" it is iPad, when iPad 4th Gen comes out, it will be New iPad then.
posted by mrzarquon at 2:04 PM on April 5, 2012


Er, I don't think delmoi was offering to hack your system as a proof-of-concept....

I don't know anything about hacking, but I feel like I have a pretty good idea how to keep things secure on a server: just keep the number of open ports to a minimum, and check to make sure whatever version of the software you're running doesn't have security holes.

Servers, though, are a lot easier to keep secure than desktop systems. With a server, you only have the stuff running that needs to run. You never install anything else. With a desktop system, you're exposed all the time through your browser and any other content you get off the internet, which is basically PDFs, Flash, HTML/JavaScript and Java. Security holes in any of those things pose a risk, and unfortunately they are all incredibly complicated. They all have a large attack surface on their own, and Adobe is notorious for sucking. Java as well, unfortunately (I like Java, personally).

IMO PDFs have been the worst, while Firefox and Chrome have had the best record as far as keeping things secure in terms of HTML/JavaScript. I actually recently turned off PDF reading in Firefox completely, so if I want to view a PDF it gets downloaded (or not) first.

With chrome, PDFs are rendered natively in the browser, with all the bullshit extensions turned off (so they load, way way faster as well). That's probably a huge plus for security right there.

Honestly, if you run a mac, you might want to consider switching to chrome from safari. It still uses webkit, just like safari, so the layout and everything should be the same.

I do think Google has a really good record on keeping things secure. If you're worried about Google's appetite for data, Firefox might be a good choice.

But yeah, anyway I don't know anything about how to actually go out and hack servers. I try to keep up on what kinds of threats are out there and how to prevent them, but I don't pay much attention to how to actually exploit them.
posted by delmoi at 2:42 PM on April 5, 2012


> Honestly, if you run a mac, you might want to consider switching to chrome from safari. It still uses webkit, just like safari, so the layout and everything should be the same.

Except Safari has the option to disable 3rd party cookies while Chrome does not.

Also, unless you have installed Acrobat Reader, you are rendering PDFs in Preview.app instead of Acrobat, so again, you are using a separate rendering than Acrobat. In terms of security, the webkit vulnerabilities in Safari vs Chrome were both exploited at pwn2own recently, but Chrome had 0days that broke the sandbox and did code execution.

And in this case, Flashback could attack any browser which loaded Java, which I believe with the exception of Firefox 11 which blocked only the most current java plugin from loading (1.6.0_31), is all of them.

In fact, a default out-of-the-box 10.7 machine wouldn't be vulnerable to the current Flashback without user intervention because it doesn't have Java installed in the first place. It also doesn't have Reader or Flash, the other two common vectors. Of course, from a social engineering perspective, prompting to install Flash was one of its previous ways of getting users to install the software.
posted by mrzarquon at 2:56 PM on April 5, 2012


I resisted editorializing in the FPP

That was you resisting?
posted by obiwanwasabi at 2:57 PM on April 5, 2012


Honestly, if you run a mac, you might want to consider switching to chrome from safari. It still uses webkit, just like safari, so the layout and everything should be the same.

I'd rather not actively help Google snoop on me. OS X opens PDFs with Preview.app out of the box, so no plug-ins needed.
posted by entropicamericana at 2:59 PM on April 5, 2012


(and /lols at Windows users: if schadenfreude that somebody else caught a cold when you're regularly infected with syphilis is the best thing going for you, might be time for a rethink, yeah?)
posted by obiwanwasabi at 3:03 PM on April 5, 2012


Does chromium work on Safari? My understanding is that it's chrome without the tracking.
posted by hank_14 at 3:06 PM on April 5, 2012


On Mac even. On Mac.
posted by hank_14 at 3:06 PM on April 5, 2012


Huh, apparently XCode is close enough to "anti-virus" software that it's on the list where Flashback just gives up:

On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
posted by Bokononist at 3:16 PM on April 5, 2012
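A local check for the two behaviours described in this thread: mrzarquon's note above about Flashback using the per-user environment variables in the .MacOSX folder to inject code into browsers, and the list just quoted of tools whose presence makes the malware abort. This is an added example in Python, not code from the thread, from Apple or from any vendor. It assumes the per-user environment file is ~/.MacOSX/environment.plist and that the injection uses the standard dyld variable DYLD_INSERT_LIBRARIES (every DYLD_* key is reported, since all of them change how libraries are loaded); the sample plist and the dylib path inside it are constructed for the demonstration and are not indicators from any analysis.

```python
"""Audit a Mac for dyld environment injection and inventory the tools
Flashback is reported to check for before giving up. Added example; the
environment.plist path and the DYLD_* assumption are noted in the lead-in."""
import os
import plistlib

# The "give up" list quoted in the thread.
TOOL_PATHS = [
    "/Library/Little Snitch",
    "/Developer/Applications/Xcode.app/Contents/MacOS/Xcode",
    "/Applications/VirusBarrier X6.app",
    "/Applications/iAntiVirus/iAntiVirus.app",
    "/Applications/avast!.app",
    "/Applications/ClamXav.app",
    "/Applications/HTTPScoop.app",
    "/Applications/Packet Peeper.app",
]

# Assumption: the per-user launch environment on 10.5-10.7 lives here, and
# anything in it is applied to every process the user starts (browsers too).
ENVIRONMENT_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")

# Constructed sample of what an injected environment.plist would look like.
# The dylib path is a placeholder, not a real indicator.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/example/.hidden/injected.dylib</string>
  <key>PATH</key>
  <string>/usr/local/bin:/usr/bin</string>
</dict>
</plist>
"""


def find_dyld_injection(plist_bytes):
    """Return {key: value} for every DYLD_* variable in an environment plist.

    An empty dict means nothing at the dynamic-linker level is being forced
    into the user's processes. A non-dictionary root is an error, not 'clean'."""
    env = plistlib.loads(plist_bytes)
    if not isinstance(env, dict):
        raise ValueError("environment.plist root must be a dictionary")
    return {k: v for k, v in env.items() if str(k).startswith("DYLD_")}


def present_tools(paths=TOOL_PATHS, exists=os.path.exists):
    """Which of the listed analysis/AV tools exist on this host.

    `exists` is injectable so the function can be tested off a Mac."""
    return [p for p in paths if exists(p)]


def audit(plist_path=ENVIRONMENT_PLIST, paths=TOOL_PATHS):
    """Combine both checks into one report for the local machine."""
    report = {"dyld_injection": {}, "tools_present": present_tools(paths)}
    if os.path.exists(plist_path):
        with open(plist_path, "rb") as fh:
            report["dyld_injection"] = find_dyld_injection(fh.read())
    return report


if __name__ == "__main__":
    result = audit()
    if result["dyld_injection"]:
        print("WARNING: dyld variables applied to every process you launch:")
        for key, value in result["dyld_injection"].items():
            print("   %s=%s" % (key, value))
    else:
        print("No DYLD_* variables in", ENVIRONMENT_PLIST)
    print("Analysis tools found:", result["tools_present"] or "none")
```

Run it as the user whose browser is in question, since the file is per-user; a legitimately empty or absent environment.plist and an absent list of tools together mean only that this particular persistence trick is not in place, not that the machine is clean.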


> That's not true.

My bad. It still allows 3rd party by default, vs Safari's disabled by default (since v1).
posted by mrzarquon at 3:40 PM on April 5, 2012


Also, unless you have installed Acrobat Reader, you are rendering PDFs in Preview.app instead of Acrobat, so again, you are using a separate rendering than Acrobat. In terms of security, the webkit vulnerabilities in Safari vs Chrome were both exploited at pwn2own recently, but Chrome had 0days that broke the sandbox and did code execution.

Ah, that's good. I actually have Acrobat (the full version), so I can't just remove it from my Windows machine. That's why I disabled PDF in Firefox. On Chrome it's a non-issue.

Privacy is another aspect of security. Firefox is my main browser, and in fact one of the reasons I got chrome was to use FB, since I wanted an easy way to use it without needing to remember to log out so FB couldn't track me around the web.

I do have to say that the 'user experience' with Chrome is a little better than Firefox, but I think it's important to support a non-profit model that doesn't need to extract as much cash out of users as possible. Is Firefox on the Mac any good? I don't really know much about Safari.


You guys should definitely consider getting some kind of antivirus software. On Windows, Microsoft Security Essentials is good, and free. Norton and McAfee are total garbage and practically adware themselves. What AV software is good on the Mac?

Huh, apparently XCode is close enough to "anti-virus" software that it's on the list where Flashback just gives up:

It's probably not 'anti-virus' so much as "This user might know enough to find me". It's smart. Remember, the goal of a virus writer (at least in terms of botnets) is to avoid detection. The more adept the user is, the more likely they are to notice what's going on and remove it (as well as reporting it).

So, profiling technical and non-technical users on the basis of what apps they have installed is really smart.
posted by delmoi at 4:40 PM on April 5, 2012 [1 favorite]


(and /lols at Windows users: if schadenfreude that somebody else caught a cold when you're regularly infected with syphilis is the best thing going for you, might be time for a rethink, yeah?)

Well, disease isn't a good analogy because ultimately it's just your computer. You might mock someone for having their computer infected, but you wouldn't mock them for getting AIDS.

But the thing is, windows just isn't all that insecure if you have an up to date system. It's easy to be safe if you use windows, you just have to follow some basic common sense stuff, like keeping your system updated.

To extend the analogy, let's say person A likes to have lots of sex with lots of people. They always practice safe sex, get tested for STDs regularly, and so on, and they choose partners they think follow the same practices. They've never contracted anything.

Let's say person B doesn't have sex very often, and always mocks person A because they're in a committed monogamous relationship. They think that, because of that, they have nothing to worry about and take no precautions. Then one day, their SO cheats on them, just once, and they end up with gonorrhea. Person A might feel a schadenfreude.

But like I said, biological diseases make a poor analogy because if you felt schadenfreude about someone actually getting a real disease, you would be a huge asshole.

(And schadenfreude isn't really the right word, more of a "See, you guys aren't so superior after all!"/we-told-you-so feeling, hearing mac users talk about how much better/awesome/more secure they are)
posted by delmoi at 5:39 PM on April 5, 2012 [2 favorites]


> What AV software is good on the mac?

None really, supposedly Intego can stop Flashback, but Apple also has its own system in place to scan for / remove malware as well.

Apple hasn't updated it for Flashback.k yet, it may still be in the pipeline, but any 10.6/10.7 system would pick up that update automatically, by default every 24 hours. It is a very conservative list, since there really are no end user controls / overrides, so it doesn't stop an outbreak, but once a virus is tagged and added to it, it halts it.

And since most AV software still sucks on the Mac (I just got this notice today about how to fix a runaway process of McAfee, which still uses cron as a task scheduler instead of launchd which was made to schedule jobs without processes stepping on each other, and whose symptoms include "computer on for a while" and workaround is "reboot"), I'd still say folks are pretty good at just keeping their systems updated, and with 10.7, only installing Java if they actually know they need it.

And I don't know how quickly the Intego VirusBarrier update got pushed out to the clients either (or when they got their hands on the trojan, how quickly they pushed a copy of it back to Apple, or even knew someone at Apple they could send it to: there isn't really a way to submit those things to Apple's security that I know of).
posted by mrzarquon at 8:46 PM on April 5, 2012 [1 favorite]


Slashdot user daveschroeder (516195) is pretty knowledgeable regarding Mac OS X systems and network admin. If I recall correctly, he once did (and may still) admin part of the U Wisconsin Madison technology infrastructure. I've been reading his posts for years and he's neither a shill nor a slouch.

Regarding AV software for Mac OS X, he suggests the Sophos free edition in a post to the Slashdot Flashback thread.

I use ClamAV on one of my servers and understand ClamXav is a free GUI front-end for those inclined to client-side computing. I like ClamAV pretty OK.
posted by mistersquid at 9:49 PM on April 5, 2012


> admin part of U Wisconsin Madison technology infrastructure

Yes he does, and he works for the Navy's cyberwarfare unit (and has his own subdomain).

Although I don't recognize his name from the various Mac sysadmin lists I follow.
posted by mrzarquon at 10:06 PM on April 5, 2012


Microsoft's APIs, documented and undocumented, allow deeper access to the OS internals. ... Apple is famous for breaking undocumented APIs, Microsoft is famous for leaving them alone across revs. -- Slap*Happy

If you have root on OSX, you can do whatever you want. If you have admin on Windows, you can do whatever you want. There may be lots of great APIs for low level access to Windows, but those are useless if you don't have root.

On the other hand, if you have root on OSX, ultimately, you don't need any APIs, you just replace the bootloader with a rootkit, and done.

If Windows had more system level APIs available to non-privileged users that would mean a larger attack surface, but once you have root it's over.

I know, for example, that apps that do 'system-y' stuff like read CPU temperature or image drives need root to run properly, so a lot of those APIs will require the user to grant access.

Anyway, I don't really buy the "more functionality = less secure" argument.
While you can claim the "attack surface", whatever that is, is smaller than Mac OS X

whatever it is [2, 3, 4, etc], and I said they were about the same size.

If the actual "security" of Mac OS X is only the result of living in "good" neighborhood then I'm sure you'll correct me and I'll continue living in my good neighborhood.

I'm hardly a fan of Microsoft, and I'm always planning on switching to Linux at some point, and I have a couple of machines running Ubuntu, and I think it's great. And of course I have an Android phone. I'm still running a copy of Vista I got for free as a college student, and other than that the OS just comes with new laptops. I doubt I'll get Windows 8 other than with a new laptop.

As for publishing one of my IPs, delmoi, it's not a matter of confidence. I'm not so foolish to think that servers I admin are invulnerable. I am confident, however, that someone knowledgeable as yourself would have a difficult time in breaching a server I admin. Shall we make it a friendly wager, say a beer and a burger whenever we're in the same town?

Right, because as I said I don't know anything about actually breaking into systems. So "as knowledgeable as myself" means, essentially, zero practical knowledge, just theoretical stuff based on knowing a lot about computers in general. And on top of that, I don't even have a Mac to test exploit code. I'd have to either buy one or figure out a way to get it running in VMWare or something.

Anyway, the way attacks usually work these days is not just "here's an IP on the internet, go attack it." They work by social engineering. Rather than going after you, they figure out who your friends are, then forge an email (it's called spear phishing). So an attacker would forge an email from someone you know, who you know plays social games or something, saying "check out my score in whatever"; then you get taken to a realistic site with a real game that needs Java or something, so you enable it. Then, game over. As long as there is an 'open' security flaw in the browser or any browser tech, you're at risk to that kind of attack.

That's how the Chinese spy on people in the U.S., that's how Valve lost the source code to Half-Life 2, that's how major hacks go down these days. It's called an advanced persistent threat.

On the other hand, if you just bundle a virus with pirated software, well, you won't get smart users but you don't need them.

And a hubris about not having any viruses on your OS might make people more willing to download random executables.

As a Windows user, I'm super-paranoid about downloading any programs that aren't either open source or from a major company. If it's a small developer I'll do a lot of research first, and then only if it's something I really need.

That's the "new iPad" in silly Apple marketing language, what are they going to call it when the iPad 4 comes out?

Eh, it makes sense. Just like how Amazon calls the Kindle "Kindle" now, they are creating a platform/ecosystem/etc, not just new products. Erin Burnett on CNN, who annoys the hell out of me, was bashing Apple for not coming out with an iPhone 5, seemingly failing to realize that they could have called the phone an iPhone 5 if they wanted. This fixes the problem.
posted by delmoi at 11:58 PM on April 5, 2012 [1 favorite]


My problem with the "the new X" naming is that it makes cases where one has to refer to particular models problematic. There are some apps that won't run on the iPad 1 but will on the iPad 2. Presumably there will be some that run on the iPad 3 that won't on 2. When iPad 4 comes out, and it becomes the "new iPad," what will happen to 3? How will we refer to an app that runs on models 3 and 4? "It runs on new and newer iPads?"

Of course most people will just refer to them by number, like I have done here, which brings up the possibility that outsiders will be better able to talk about compatibility between Apple devices than Apple themselves.

The thing is, Apple actually started doing something like this back with the iPad 2, the packaging to which doesn't number the device. Nowhere on the box does it say that what it contains is version 2; it's just "iPad." It took seeing someone with an iPad 1 for me to be sure that what I got actually was the new(er) version.
posted by JHarris at 8:50 AM on April 6, 2012


> My problem with the "the new X" naming is that it makes cases where one has to refer to particular models problematic.

True, but this isn't a new problem for Apple; again, all of their hardware products with the exception of the iPhone/iPads (until now) have not had a revision number attached to them. They have handy guides to ID things.

This may be a new problem for you, but not for Apple or people who have to support them on a day to day basis.
posted by mrzarquon at 9:46 AM on April 6, 2012


Hm. An uncharitable observer might take this as a sign of the marketing folk being excessively catered to over the needs of customers, tech support and common sense at Cupertino, but oh well.

In fact now that I think about it, I've been bitten by this problem, twice. I have an old PowerPC Mac Mini, a gift, that I've put more memory in, and a slightly-more-recent borrowed Intel model that I've also put more memory in. Internally the two are laid out slightly differently, and both are slightly different from later models. I managed to complete the procedure with the use of how-to videos, but was somewhat annoyed by having to figure out what exact model I had in order to make sure I was breaking them down correctly in order to get access to the RAM slots.
posted by JHarris at 9:53 AM on April 6, 2012


> Huh? Windows has had all that stuff for years.

Yes, but it works on the Mac.

(Yes, it did take me two days to come up with a comeback for that.)

I am starting to think this whole thing is another Mike Daisey story. There may be some truth to it, but so far not one of the macs under my control has been infected. I've also checked all my family members' Macs and chatted with the other SysAdmins that run macs and none of them show as infected either.
posted by cjorgensen at 10:08 AM on April 6, 2012


I am starting to think this whole thing is another Mike Daisey story.

There were plenty of pieces of Windows malware that I have no personal contact with, but that doesn't mean I assume they aren't out there. Don't make the mistake of thinking that something you haven't seen with your own eyes doesn't exist.

(At least the Java scare I had with that Mac Mini upthread turned out to not be an infection, although I'm still mystified as to why the machine decided on that moment to decide it needed to install Java. At the time I was changing the home page to Google. Safari asked me if I was sure I wanted to do that seeing as how there was a Google search box at the top of the window and I said yes. I don't see what any of that has to do with Java.)
posted by JHarris at 10:26 AM on April 6, 2012

Slashdot user daveschroeder (516195) is pretty knowledgeable regarding Mac OS X systems and network admin. If I recall correctly, he once (and may still) admin part of U Wisconsin Madison technology infrastructure. I've been reading his posts for years and he's neither a shill nor a slouch.

I work with him. Not directly, but we both work at the UW. I've met him a few times, and we have some interaction. He's a nice guy, and he's got a huge blind spot when it comes to discussing anything involving Apple.

It's never good enough to just say "Apple fucked this up." It always has to be coupled with "yeah, but" and "but, then" or "compared to microsoft..." Some sort of mealymouthed bullshit Apple defense system turned up to 11. I just got an essay from him about how this was a non-event.

As though holding Apple to their own high standards is asking too much.

Anyway,

Apple shit the bed on releasing the patch to this exploit, full stop. Their patching and update system sucks and creates needless work for people, like me, who admin their systems.
posted by Pogo_Fuzzybutt at 10:31 AM on April 6, 2012 [1 favorite]


Don't make the mistake of thinking that something you haven't seen with your own eyes doesn't exist.

Not just my eyes. I said I talked to fellow admins. I have some 100 macs under my control. University friend has twice that, two local school district admins with twice that again, personal macs numbering about 30 (girlfriend, her parents, my parents, brother in law's family, etc.,).

500-600 macs of varying OSes back to 10.4, and not one infection.

I'm more afraid of my commute home tonight than I am this. Like I said, there may be some truth to it, but I'm doubting the veracity and severity of the story. That's why I specifically invoked Mike Daisey. Something here? Sounds like it. Something to worry about? Eh, I'm not going to.
posted by cjorgensen at 11:53 AM on April 6, 2012


A couple of updates.. Apple has issued a second Java update; it's not clear what's different but presumably it's required as well, or in addition. Also Dr. Web has posted some updated statistics on infections, with geographical details.

Two things I haven't found. One, some third party verification of the botnet size. There must be a community of security researchers who monitor botnets but I don't know where it is. And two, some accounting of the web sites that carried the infectious payload. Doctor Web reports most infections are in the US, Canada, and England, which suggests English language sites were compromised and responsible for the infections.
posted by Nelson at 12:04 PM on April 6, 2012


Not just my eyes. I said I talked to fellow admins.

Eyes was intended metaphorically, to mean the limits of your perception. I was addressing the implied sentiment of "It hasn't affected me, so it must not exist." That's a foolish attitude, which eventually bites most people who are cavalier about the threat of malware. Take a lesson from the Windows guys here.

Anyway as we've seen upthread Flashback actually refuses to install itself on Macs with a number of different things installed in the hopes of avoiding study, and one of those things is Xcode. Depending on the nature of those computer labs, whether Flashback's Java exploit existed in previous versions, the fact that botnet trojans go out of their way to be invisible to the user, and just the plain old statistical invariance of college computer labs, those things hardly make this a representative sample.
posted by JHarris at 12:23 PM on April 6, 2012


> it's not clear what's different but presumably it's required as well, or in addition

The first update caused a problem with Xcode, and instead of creating another installer with a delta update, they just updated the original installer to include that fix as well.

So folks were patched with -001, but 002 fixes an Xcode problem introduced in 001.

I've found that some of the servers at support.apple.com/downloads weren't kicking out the -002 update, but this direct URL works and provides the 002 update properly.

Also the version in /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Info.plist goes from 14.2.0 to 14.2.1.

This appears to only be relevant for Lion users as well.
posted by mrzarquon at 12:31 PM on April 6, 2012 [2 favorites]


There's a piece here, aimed at users like me who never pop the hood, on how to tell if your computer has been infected.
posted by The corpse in the library at 12:48 PM on April 6, 2012 [3 favorites]


Thank you, corpse.
posted by cybercoitus interruptus at 1:21 PM on April 6, 2012


Yes The corpse in the library, that's very useful! Now I'm certain the Mac Mini's not infected.
posted by JHarris at 1:53 PM on April 6, 2012


I'm more afraid of my commute home tonight than I am this. Like I said, there may be some truth to it, but I'm doubting the veracity and severity of the story. That's why I specifically invoked Mike Daisey. Something here? Sounds like it. Something to worry about? Eh, I'm not going to.

Insufficient paranoia is indeed a problem, however, in this case it seems misplaced. Ars reports Kaspersky as confirming the ~600,000 infected machines.

It is unclear whether the primary route of infection is via a trojan or remote exploit, but it is clear that the days of just assuming your mac is invulnerable have passed.

The bigger problem isn't the exploits themselves - it's Apple's lackadaisical response. Hopefully, Apple doesn't have to learn the lessons MS did the way MS did.
posted by Pogo_Fuzzybutt at 6:11 PM on April 6, 2012 [1 favorite]


Thanks, Pogo_Fuzzybutt, that Kaspersky confirmation is great:

We reverse engineered the first domain generation algorithm ... After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. ... We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts.

Now I just want to know how those 600,000 Macs got infected. There are so many compromised web hosts out there that it's not too big a deal to drop a Javascript drive-by on a site. But 600,000 computers is a lot to hit, and a lot of high traffic sites are reasonably well hardened.

As near as I can tell, the only reason my own Mac wasn't infected is pure luck; I'm 100% dependent on Apple to protect me from attacks like this. People rightly criticize Windows for years of poor security response, but Microsoft really has gotten their act together in the past few years. I hope Apple gets on top of it more quickly than Microsoft did.
posted by Nelson at 7:05 PM on April 6, 2012
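The counting method in the Kaspersky note quoted above (one unique hardware UUID per bot, seen within 24 hours, with a rough passive OS estimate) is easy to reproduce against a sinkhole's request log. The following is an added example in Python, not Kaspersky's code or data: the log format, every line in it, the UUIDs and the addresses are constructed for the demonstration. The OS estimate uses the initial-TTL heuristic (Unix-like systems including Mac OS X start packets at 64, Windows at 128), which is why it can only say "Unix-like", not "Mac OS X" specifically; that matches the note's own "rough estimation" wording.

```python
"""Count a botnet's population from a sinkhole log: unique UUIDs inside a
24-hour window plus a TTL-based OS estimate. Added example with a constructed
log; not Kaspersky's code or data."""
from datetime import datetime, timedelta

# Constructed sinkhole log: timestamp, source IP, observed IP TTL and the UUID
# the bot sends with every request. Two lines share a UUID on purpose, and the
# last line falls outside the first 24 hours.
SAMPLE_LOG = """\
2012-04-06T10:00:01Z 198.51.100.10 ttl=53 uuid=00000000-0000-4000-8000-000000000001
2012-04-06T10:00:05Z 198.51.100.11 ttl=60 uuid=00000000-0000-4000-8000-000000000002
2012-04-06T10:07:30Z 198.51.100.10 ttl=53 uuid=00000000-0000-4000-8000-000000000001
2012-04-06T17:45:12Z 203.0.113.7 ttl=115 uuid=00000000-0000-4000-8000-000000000003
2012-04-06T22:10:00Z 198.51.100.12 ttl=49 uuid=00000000-0000-4000-8000-000000000004
2012-04-07T11:00:00Z 198.51.100.13 ttl=58 uuid=00000000-0000-4000-8000-000000000005
"""

UNIX_LIKE = "64-initial (Unix-like, incl. Mac OS X)"
WINDOWS_LIKE = "128-initial (Windows-like)"
OTHER = "255-initial"


def ttl_family(ttl):
    """Rough passive fingerprint: hosts start packets at TTL 64, 128 or 255
    and every hop subtracts one, so the band the observed TTL lands in
    hints at the OS family. It is a hint, not an identification."""
    if ttl <= 64:
        return UNIX_LIKE
    if ttl <= 128:
        return WINDOWS_LIKE
    return OTHER


def parse_line(line):
    """One log line -> (timestamp, ip, ttl, uuid); ValueError if malformed."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("unexpected field count: %r" % line)
    when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return when, parts[1], int(fields["ttl"]), fields["uuid"].lower()


def summarize(log_text, window=timedelta(hours=24)):
    """Unique bots seen within `window` of the first request, and the share
    of requests per TTL family (the note counted packets; requests are the
    closest thing a request log has)."""
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    if not records:
        return {"unique_bots": 0, "requests": 0, "ttl_families": {}}
    records.sort(key=lambda r: r[0])
    start = records[0][0]
    in_window = [r for r in records if r[0] - start < window]
    bots = {r[3] for r in in_window}          # UUID dedupes repeat check-ins
    families = {}
    for _, _, ttl, _ in in_window:
        fam = ttl_family(ttl)
        families[fam] = families.get(fam, 0) + 1
    total = len(in_window)
    return {
        "unique_bots": len(bots),
        "requests": total,
        "ttl_families": {k: round(v / total, 3) for k, v in families.items()},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The deduplication on UUID is what turns a request count into a bot count; without it a chatty bot that polls every few minutes would be counted dozens of times.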


I haven't followed metafilter.com, but asked questions on ask.metafilter, so please correct me if I'm outside the norms for this fascinating discussion. This is all there is on the Mac Trojan on metafilter.com. And, I'm not an "under the hood" type any more, tho I was 45 years ago!

I'm running OS 10.5.8 on a 3 1/2 year old iMac, two different tests show I'm clean at the moment, there are no new security updates to apply (thank you Apple (not)). From this discussion it sounds like I should get rid of Java (never knew what it did), but how will that affect me? How do I do that?

Sounds like soon, if not now, is time to get virus protection. Yes?

And, re passwords, does anyone know if Flashback records keystrokes?
posted by judybxxx at 12:30 PM on April 8, 2012


From this discussion it sounds like I should get rid of Java (never knew what it did) , but how will that effect me? How do I do that?

From a desktop user's perspective, Java is largely used to run certain kinds of software which were written in the Java programming language. As an example, the Azureus bittorrent client is written in Java (but I don't think anyone uses it any longer). I don't know if there's any way to uninstall it altogether in recent versions of OS X, but you can probably reduce your vulnerability to casual attacks by disabling Java in your browser (in Safari, that's under "security" in the preferences).

About virus protection, I have mixed feelings; the companies that sell anti-virus software have a considerable vested interest in exaggerating both the threat and scope of existing malware, and the effectiveness of their own software in detecting and removing it. I'd be curious about the thoughts of Mac sysadmins about this.
posted by whir at 2:09 PM on April 8, 2012


There's a piece here, aimed at users like me who never pop the hood, on how to tell if your computer has been infected.

From that site:
3. Click On Terminal: This will bring up an old school DOS-prompt looking window.

A small part of me just died, I think. Because I 'pop the hood' just enough to know what unix is.
posted by hoyland at 7:27 PM on April 8, 2012 [1 favorite]


> From this discussion it sounds like I should get rid of Java (never knew what it did) , but how will that effect me? How do I do that?

Go to the Utilities folder on your Mac (/Applications/Utilities), and run Java Preferences.

Deselect "enable applet" and uncheck any options for Java 5 or 6.

Unfortunately Apple updated Java on 10.5.8 machines to 1.6.0_26 (which also has this vulnerability), but appears to have yet to release a patch updating that build to 10.6 and 10.7 versions. It isn't running by default (1.5 is) on 10.5 machines, but at my campus we switched machines over to run 1.6, because we needed it for our database system. Of course we are hoping Apple does something about a patch for that soon.
posted by mrzarquon at 11:34 PM on April 8, 2012 [1 favorite]


Re the Java Problem -
Thank you thank you. I disallowed Java in the Chrome preferences. Do I also need to do the Java Preferences too? It definitely gets turned off in Chrome - "Do not allow any site to run JavaScript"

It turns out that YouTube videos and Doodle polls (so far) require it. At the moment I am turning Java on and off, briefly, to use Doodle. I'm not sure I understand - you get the bot by going to a compromised web site? Or a fake one? And comments were made about large sites usually being pretty well defended.

Do you think it is useful and/or important to put queries on the apple support forum?
posted by judybxxx at 8:02 AM on April 9, 2012


You can enable JavaScript in Chrome; it's the system-wide Java applets you want to disable in Java Preferences.

And posting to apple support that you are running 10.5.8 and are waiting for a patch may help them get one out. It's sad and disturbing if they have decided to drop security updates for a 3 year old OS.
posted by mrzarquon at 9:22 AM on April 9, 2012 [2 favorites]


Echoing what mrzarquon said, on both points. Java and Javascript are two entirely different languages; the naming confusion originated back in the days of Netscape Navigator.
posted by JHarris at 2:19 PM on April 9, 2012


Wait, you're arguing that Mac OS X (about to see its 8th major release and moving to a yearly release schedule) is less secure than Windows because it's updated infrequently and limited by crufty backwards compatibility—unlike Windows?

I was saying, as someone who has used every one of those Mac OS releases -- that I don't think any of them are nearly as major a rewrite as either the Vista or Win 7 releases were. Now admittedly, I've never seen a MLOC or percent-of-codebase comparison (setting aside whether that is a good security metric, as I questioned), but I doubt that there has been as much code carryover from Win 2000 or XP into Windows 7, as there has been from OS 10.0 to 10.7, especially if you discount code that Windows runs in a sandbox (which is all of the pre-NT code now).

But really, my general point was that 10 years ago, Apple was in a clear position of strength with regard to security. They had ditched and made a clean, if painful, break from their legacy single-user OS. Microsoft hadn't, and enjoyed a very messy breakup through a number of versions, drawing the pain out far longer than anyone reasonably should have. But in the years following, Microsoft seemed to realize the value of security and made it a focus -- particularly in Vista with the arguable human-factors failure of UAC -- while Apple wandered off to play with iOS and, with the exception of a brief focus during the migration from Power to x86,* has seemingly neglected Mac OS except for facelifts and feature additions. Now, I think they're going to learn what Microsoft learned a few years ago, namely that you can ignore security issues for a while, but when the gradual perception builds up that your OS is insecure, it's a big problem and one that takes a lot of effort to fix.

As someone who has owned and used a small flotilla of Macs over the years, and uses them heavily (though not exclusively, anymore) I really hope they pull it together and this attack is a wake-up call for them.

The yearly release schedule thing, incidentally, doesn't give me the warm fuzzies at all. It's as though they're admitting on one hand that they've neglected the platform, but rather than making an obvious commitment in terms of features (new filesystem? maybe? before it's old enough to vote?) they're just saying they'll drop something at least once a year -- and if I know Apple, they'll probably charge you for it. "Release when ready" sounds like a much better paradigm for a production OS.

As though holding Apple to their own high standards is asking too much.

Yes, that exactly. For years, a lot of Apple users -- and I'll admit I was guilty of it too, from time to time -- would gleefully hold Microsoft's feet to the fire as they were figuring out how to secure a desktop OS in a hostile network environment with a huge userbase that is barely tolerant of security measures at the best of times. While certainly not perfect (as the amount of Windows malware still in existence shows), they at least learned, or have given every appearance of it. Apple has, again at least on appearances, not. That's pretty frustrating, and we should not cut them any slack that we did not cut Microsoft.

* The transition from PPC to x86 was pretty impressive, honestly, even if part of me wonders if it just distracted them from making the OS better if they'd either remained on the same architecture or gone with x86 from the beginning of OS X. But still, it was a neat trick.
posted by Kadin2048 at 6:16 PM on April 9, 2012 [1 favorite]


Kaspersky has released their free removal tool for Flashback as well.
posted by mrzarquon at 12:13 PM on April 10, 2012


Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections

This really does not bode well for the future.
posted by Artw at 12:58 PM on April 10, 2012 [1 favorite]


> This really does not bode well for the future.

In general?
posted by The corpse in the library at 1:35 PM on April 10, 2012


Major players being blasé about security because they think their shit doesn't stink is bad news for everyone, yes.
posted by Artw at 1:40 PM on April 10, 2012


That's a sensational headline.

Flashback uses generated domain names to check in to control systems, which means it is harder to shut down the servers (since the names aren't hard coded in the app, and the app can change the code it uses to check in with).

This security firm used the same code to register a bunch of domains to listen in on the bot chatter. Apple also has the same code and is using it to shut down all domains that match it, regardless of who hosts them (friend or foe).

Kaspersky has pretty much said Apple taking them down is about Apple's newb status to real security threats, not something malicious. Their privacy culture means they don't interact with the security community the same way other vendors do, and whoever is driving this policy to clean up Flashback is new at it.

I'd love to see a write-up by Apple on why they failed and how they plan to fix it. After they issue a Java update for 10.5.8, and they update their internal malware blacklist as well.
posted by mrzarquon at 2:16 PM on April 10, 2012


Also, I just got my confirmed hit: one user on campus has gotten it, possibly others; we don't have tools in place to monitor for it.
posted by mrzarquon at 2:34 PM on April 10, 2012


samba.org just announced a major remote root exploit in all versions of Samba up to 3.6.3, which means any Mac (excluding 10.7) with Windows file sharing turned on can be hacked if a user can reach the Windows service running on that machine (i.e. on the same network as it).
posted by mrzarquon at 4:02 PM on April 10, 2012


One week later, Apple has issued a support document on it.

I am not happy that the answer is to disable Java in the browser for 10.5.
posted by mrzarquon at 7:13 PM on April 10, 2012


This is appalling! On the advice from this thread, I disabled Java in Preferences, re-allowed JavaScript with the default options.
So, Facebook, no photos, bearable (bye grandkids). But now, in Chrome, Gmail isn't working. Can't see icons, can't add a label.

Enabled Java with default options.
I went to Firefox, got a German login!

What have I done?
Shutting down,

back soon
posted by judybxxx at 6:45 AM on April 11, 2012


MacOS 10.5 is from October 2007, 4.5 years old. Apple apparently historically only provides security updates for the last two versions of MacOS. I appreciate Apple being explicit about not providing security fixes for Java but it may not be the wisest option; those old machines are a liability to everyone. Microsoft did the same calculation and still provides security updates for Windows XP, now 11 years old.

This new Samba vulnerability is serious, the worst kind, a remote root in any pre-Lion Mac that's sharing files to Windows machines. It'll be interesting to see Apple's response. I haven't heard anything about an exploit in the wild yet; part of what was so bad about Flashback is that Apple's 6 week delay on getting the patch out allowed the botnet to be created.
posted by Nelson at 8:34 AM on April 11, 2012


Well hmm. Maybe this means I should just not try to fix whatever's wrong with my beloved old 12" powerbook, which I think is running some flavor of 10.4 (it won't stay booted long enough for me to confirm). Damn.
posted by rtha at 8:46 AM on April 11, 2012


MacOS 10.5 is from October 2007, 4.5 years old.

Not really, Apple sold machines with MacOS 10.5 until the day 10.6 came out, August 28, 2009. So 2.5 years.
posted by smackfu at 9:35 AM on April 11, 2012


> Apple apparently historically only provides security updates for the last two versions of MacOS. I appreciate Apple being explicit about not providing security fixes for Java but it may not be the wisest option; those old machines are a liability to everyone.

Apple has no official stated policy. Microsoft at least has this document I can make my planning from.

And if Apple is going to only support the last two revisions of OS X, and going to rev OS X every year, that means come August, when 10.8 comes out, they will drop support for 10.6 machines, some of which are still under AppleCare. Which is bullshit.

The issue isn't really that Apple doesn't support Java on 10.5, the issue is Apple has decided to not tell anyone this until after this major exploit happened. And they still haven't told anyone, they have just decided to quietly not provide an update to it and instruct 10.5 users to disable Java.

If Apple had a "10.5 support is EOLed on Dec 31st 2011" statement then it would allow institutions such as the office where I work to go through and plan accordingly. It would have meant that when the exploit dropped, we wouldn't be waiting for a 10.5 update, but would be figuring out a way to patch it or plan to upgrade users who were affected by it (or ideally, we would already have a 10.5 migration plan in place).
posted by mrzarquon at 10:18 AM on April 11, 2012 [1 favorite]


Free Flashback removal tools released by Kaspersky and F-Secure. Apple says they'll be releasing a tool, too.
posted by Nelson at 10:50 AM on April 12, 2012


mrzarquon makes some good points. Anyone?
posted by JHarris at 2:55 PM on April 12, 2012


Apple releases Flashback Malware Remover. Details. "This update also configures the Java web plug-in to disable the automatic execution of Java applets".

JHarris, not sure what else to say to mrzarquon's observation. Apple doesn't have a clear policy about how long they issue security updates for an OS but their current practice is to not issue them for very long.
posted by Nelson at 3:39 PM on April 12, 2012


> Apple doesn't have a clear policy about how long they issue security updates for an OS but their current practice is to not issue them for very long.

The rule of thumb is "Current OS and Past OS, where Current OS is out of public release beta", i.e. once the currently shipping OS reaches acceptable adoption rates, they stop providing updates for "really past OS."

Or to put it another way, once 10.7 hit decent adoption rates, they stopped shipping 10.5 updates. There was no public announcement about this, so if you didn't notice this (back in late 2011), you are kind of stuck in limbo.

And from my experience with Apple this has historically been a staffing thing. OS X Server is now developed by about 4 guys, and their project manager is actually only managing their project part time, he has other assignments as well. When they were small, and not targeted for viruses, this was not really a problem. But now folks have figured out how they can inject code into the runtimes using the dyld libraries and local profile environment variables.

Apple may respond with "certificate sign everything!" but that will only work for 10.8 machines, which is dropping support for even more hardware. And before, leaving old machines unpatched wasn't a problem because there just weren't as many of them. But now Apple is 10% of the desktop market, and 10% of relatively insecure users is a really tempting target to go for, especially considering they won't patch your trojan or root kit until after it has been successful. Good way to make money selling exploit code, for one thing, because your code has a much longer shelf life than in the Windows world.
posted by mrzarquon at 10:49 PM on April 12, 2012 [1 favorite]


Apple may respond with "certificate sign everything!" but that will only work for 10.8 machines, which is dropping support for even more hardware.

1. That may only work so far, as iOS shows.
2. It will mean completing OSX's transition to a locked-down, iOS-style platform, a move they started with the Mac App Store, and now there are entire APIs you only get access to if you use it.

I wouldn't doubt it's a staffing problem. Apple makes huge profits, maybe it's time to, I dunno, hire more developers?
posted by JHarris at 5:29 AM on April 13, 2012


Apple may respond with "certificate sign everything!" but that will only work for 10.8 machines, which is dropping support for even more hardware.

The other issue here is that you are relying on the security of all those certificates on developers' systems everywhere. IIRC, some of the recent high-end Windows exploits use drivers signed by stolen certificates. Apple can revoke a certificate technically, but not necessarily practically if it is being used to sign thousands of deployed apps.
posted by smackfu at 7:27 AM on April 13, 2012


> Apple can revoke a certificate technically, but not necessarily practically if it is being used to sign thousands of deployed apps.

Apple issues a unique signing certificate to each developer, which they then use to sign the code. I believe Apple is pretty much generating an intermediary cert for the developer, so you get Apple's base cert + the developer's to sign the code. Apple can pull the developer's unique cert and kill all of their apps at once. It's not the same as the driver signing on the Windows side, where you pay Thawte to sign for your app code, so the only option MS has is to trust that Thawte is verifying the cert, and if it runs rogue, they have to kill the Thawte cert used to sign the certificate.

The benefit of greater control is of course also the downside; I am sure there will be a bottleneck for getting certificates and also for revoking them if need be.

> 2. It will mean completing OSX's transition to a locked-down, iOS-style platform, a move they started with the Mac App Store, and now there are entire APIs you only get access to if you use it.

Actually, as pointed out in the previous threads, the problem isn't that Gatekeeper will be in 10.8 and be locking down the OS; the problem will be that Gatekeeper is an all or nothing deal, so folks wanting to install 3rd party apps or games that can't use a certificate will have to expose their entire machine. Right now the process to selectively enable an application to run that isn't signed without exposing your machine is kind of difficult, and will more likely leave the machine exposed as the user won't re-enable Gatekeeper after the fact. That might not be the majority of machines, but for example Apple isn't releasing an update to fix the 60,000 10.5 machines that have been shown to be exploited with Flashback. While only .1% of the installed base, it is still a very tasty target, and having 60k machines at your disposal on a botnet isn't something to sneeze at.

As for hiring developers, they've in a way picked up just about every experienced OS X developer on the market. Unfortunately most of them also aren't experienced working with security because they haven't had to deal with that before. And a lot of the security folks I do know are more about public disclosure and transparency, so I can see them having trouble recruiting people who want to work for them in security while having to step back from participating in the field. I had a colleague have to suspend his DefCon talk because Apple asked him "nicely" to not do that, and instead just submit his security stuff directly to them so they could patch it. So work on Apple security, and never get to go to the big industry events that help you stay on top of the entire field, or work in your field as a free agent, but then Apple has no one with a legacy of working in the security field.
posted by mrzarquon at 1:23 PM on April 13, 2012


Apple issues a unique signing certificate to each developer, which they then use to sign the code.

Right, that's the one I was suggesting would need to be very protected by devs, because killing a developer's cert is basically killing their company.
posted by smackfu at 1:40 PM on April 13, 2012


Another trojan spotted in the wild. It also requires no user interaction, simply requiring that an OS X user navigate to a web page hosting the exploit.
posted by Malor at 6:31 PM on April 14, 2012


I guess my extremely boring browsing habits are to my benefit in this case. Sigh.
posted by rtha at 6:42 PM on April 14, 2012


Thanks, Malor. Looks like that new trojan also installs via Java and has been around for a month. Hopefully Apple's security patch covers this one, too.

Don't kid yourself about the sites you visit being "safe". A common vector for these attacks is ad networks. A lot of well known sites have been responsible for injecting Windows malware on people's computers.
posted by Nelson at 6:45 PM on April 14, 2012 [1 favorite]


Yeah, the Trojan uses the same exploit, so if you're patched you are good. But those who aren't patched are now subject to two strains.

Apple's lack of response has drawn the attention of everyone who previously thought it wasn't worth their time. Now Apple has shown they will give folks plenty of time to exploit their systems.
posted by mrzarquon at 7:20 PM on April 14, 2012


Our campus IT just got snort/IDS working on our network for Flashback.K, and it kicks out a new ticket for each new MAC address it finds.

Looks like at least 20+ machines on our campus (could be students on WiFi, could be 10.5 machines which still don't have a patch, etc) so far.
posted by mrzarquon at 10:22 AM on April 17, 2012 [1 favorite]
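An added example (not code from the thread, from Apple, or from any vendor) that ties together mrzarquon's two observations above: whoever has the reverse-engineered domain generator can precompute the day's check-in domains ahead of time (to sinkhole or block them), then match DNS logs against that list and open one ticket per newly seen MAC, as the campus IDS does. The generator below is a hypothetical date-seeded stand-in, not Flashback's real algorithm; the log format, MACs and TLD list are constructed for the example.

```python
import hashlib
import re
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # constructed, not Flashback's TLD list


def dga_domains(day: date, count: int = 5, seed: bytes = b"example-seed") -> list:
    """Hypothetical date-seeded DGA: the same (seed, day) always yields the same names.

    A defender who has recovered the real algorithm runs it ahead of time to
    list the day's rendezvous domains for sinkhole registration or DNS blocking.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


def blocklist(today: date, lookback_days: int = 2) -> set:
    """Today's domains plus the previous days', since infected hosts' clocks drift."""
    watch = set()
    for back in range(lookback_days + 1):
        watch.update(dga_domains(today - timedelta(days=back)))
    return watch


# Constructed log format: "<timestamp> mac=<client MAC> q=<queried name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) mac=(?P<mac>[0-9a-f:]{17}) q=(?P<q>\S+)$")


def find_infected(lines, today: date) -> dict:
    """Map each MAC that looked up a generated domain to the names it asked for."""
    watch = blocklist(today)
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        qname = m["q"].lower().rstrip(".")  # normalise case and trailing dot
        if qname in watch:
            hits.setdefault(m["mac"], []).append(qname)
    return hits


def open_tickets(hits: dict, ticketed: set) -> list:
    """One ticket per newly seen MAC; MACs already in `ticketed` are skipped."""
    new = []
    for mac in sorted(hits):
        if mac not in ticketed:
            ticketed.add(mac)
            new.append(f"TICKET: {mac} queried {len(hits[mac])} generated domain(s)")
    return new


# Constructed sample: two infected hosts (one queries twice), one clean host.
TODAY = date(2012, 4, 17)
SAMPLE_LOG = [
    f"2012-04-17T10:01:02 mac=00:1f:5b:aa:bb:01 q={dga_domains(TODAY)[0]}",
    f"2012-04-17T10:01:03 mac=00:1f:5b:aa:bb:01 q={dga_domains(TODAY)[1].upper()}.",
    "2012-04-17T10:02:10 mac=00:1f:5b:aa:bb:02 q=www.apple.com",
    f"2012-04-17T10:03:44 mac=00:1f:5b:aa:bb:03 q={dga_domains(TODAY - timedelta(days=1))[2]}",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("\n".join(dga_domains(TODAY)))  # today's list for the sinkhole/blocklist
    seen = set()
    for ticket in open_tickets(find_infected(SAMPLE_LOG, TODAY), seen):
        print(ticket)
```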


Mac OS X invulnerability to malware is a myth, says security firm:
Mac users can expect more OS X botnets, drive-by downloads, and mass malware from here on out. That's according to security researchers from Kaspersky Lab, who said during a press conference on Thursday morning that anti-malware software is now a necessity for Mac users, and that "Mac OS X invulnerability is a myth."
Admittedly, they're trying to sell you something, but they also happen to be right. OS X has far fewer exploit-mitigation measures than Windows, and security barely even registered as a priority at Apple until the iOS lockdown. They have a lot of exploit-riddled code, and now that there's a sufficient installed base to make Mac OS an interesting target, you can expect more and more attacks as the bad guys bring themselves up to speed.
posted by Malor at 1:16 PM on April 19, 2012


Apple just released a 10.5 Java update, stealthily.
posted by mrzarquon at 5:47 PM on April 19, 2012


Wait, this might be an old one, as it appears Apple released this java update (v10) last year. Still digging to see if this is the same payload or not.
posted by mrzarquon at 6:01 PM on April 19, 2012


Yup, false alarm so far, one of our admins got excited because it just showed up in the software update list for a 10.5 machine (guess it hasn't run in a year).
posted by mrzarquon at 6:06 PM on April 19, 2012


Flashback still infects more than 500,000 Macs. The earlier reports of the rapid decline were incorrect.
posted by Nelson at 9:22 AM on April 21, 2012


Another variant, Flashback.S is in the wild now as well.

A little easier to detect (but it nukes its own install vector).

I'm meeting with our Apple rep tomorrow to see what their solution will be for the 10.5 machines we still have on campus.
posted by mrzarquon at 9:29 AM on April 24, 2012


One in five Macs holds Windows malware
posted by Artw at 9:42 AM on April 24, 2012


That is an idiotic article.

We did a campus wide scan with the enterprise McAfee we have installed on a large selection of Macs, and it found a ton of Windows viruses. In users' junk mail folders on the filesystem, or .exe's from drive-by website installs that are auto downloaded via JavaScript in hopes that an unpatched IE 6 box will execute them.

Claiming that Macs are "infected" with Windows malware is misleading and sensationalistic. Their hard drives have files on them which, if they were run on a Windows machine, there is a chance that Windows computer would get infected. Having a Mac on a Windows network won't expose them to the files, and the majority of them have already been sequestered in a spam folder.

Pretty much someone at Sophos just read their raw scan reports from a collection of Macs and determined "presence of file = infection." It would be like saying every mail server is infected with Windows viruses as well based on the contents of its mail store and file quarantine.
posted by mrzarquon at 10:29 AM on April 24, 2012


Another malware threat, this one uses the Java exploit on Mac and Windows in the same payload.
posted by mrzarquon at 2:53 PM on April 24, 2012


#!/usr/bin/env python
from metasploit import p0wn

p0wn.allTheThings()
posted by mrzarquon at 3:06 PM on April 24, 2012


OSX.Flashback.K – The motivation behind the malware - $$$: Symantec found Flashback was redirecting Google ad clicks on victim machines, may have made $10,000 a day.

Flashback Botnet Updated to Include Twitter as Command & Control.

Apple-Targeting Flashback Botnet Still Kicking, But Shrinking By 100,000 Macs Per Week. “For a PC it would have been much, much quicker. Only the last ten percent of users would remain infected for weeks like this,” says Sharov. “What we’re seeing is the actual disinfection pace when you don’t have antivirus.”
posted by Nelson at 1:20 PM on May 2, 2012

