The "boss level" of internet worms.
March 21, 2009 9:14 PM

Conficker C is scary as hell. Conficker C represents a best-of-breed specimen of malware, with its Swiss-army-knife-from-hell approach to digging in, staying hidden, and making your life generally miserable. Telltale symptoms: you can't view such web sites as Microsoft.com, symantec.com, avast.com, or any other computer security-related sites the worm authors have thought to include in the blacklist; you can't run any of the superb Sysinternals utilities, or many other utilities, because they get killed within a second of starting them up; your antiviral software is impotent. But none of that is the point of the worm.

On April Fool's Day of this year, the roughly 10 million Conficker-infected Windows XP-based PCs (mostly in China, Brazil, and Russia) will phone home, but nobody knows to what purpose. The "best" possible outcome is that the bad guys are merely stealing the identities of 10 million people.

It's hard to say what the worst case is, but the metaphor "internet warfare" is, apparently, not overblown.
posted by e.e. coli (225 comments total) 46 users marked this as a favorite
 
Gonna take a wild guess and say that Mac owners probably have nothing to worry about.
posted by bardic at 9:23 PM on March 21, 2009 [6 favorites]


Nothing except a scorching case of self-satisfaction, as usual.
posted by limon at 9:29 PM on March 21, 2009 [141 favorites]


So Microsoft has finally figured out a way to get people to upgrade to Vista?
posted by doctor_negative at 9:30 PM on March 21, 2009 [6 favorites]


Right, bardic, except for that fringe minority of Mac users who enjoy the use of the internet.
posted by e.e. coli at 9:30 PM on March 21, 2009 [6 favorites]


Ah, the smugness, I can feel the delightful burn on my fingertips as I type this.
posted by sararah at 9:31 PM on March 21, 2009 [1 favorite]


eponysterical!

also, while we're at it,

Metafilter: The "best" possible outcome

Seriously, though, scary stuff. Cool post. When all the worms call home... that sounds like singularity shit, man.
posted by Rinku at 9:32 PM on March 21, 2009


How to remove
posted by stbalbach at 9:35 PM on March 21, 2009 [11 favorites]


Unless the authors have one hell of a server farm, I'm willing to bet that when they all phone home, the authors suffer a nice DOS attack of their own doing.
posted by inthe80s at 9:35 PM on March 21, 2009 [11 favorites]


Unless the authors have one hell of a server farm, I'm willing to bet that when they all phone home, the authors suffer a nice DOS attack of their own doing.

Yeah, I'm not quite sure what the point would be in having ten million machines hit the bot's "home" location at once. And if we know their home location, then all we have to do is take over the IPs or DNS entries.

Now, the smart thing to do would be for the bots to form a P2P network and then try to connect to that network, and send digitally signed commands. If they're smart enough to figure all that other stuff out, then it's likely that's what they're doing.
posted by delmoi at 9:38 PM on March 21, 2009


Mac is the first to fall in Pwn2Own hack contest

From an interview with the guy that owned Mac Safari:

"Why Safari? Why didn’t you go after IE or Safari?

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows."

So, no, they actually have as much to worry about as anyone.
posted by GuyZero at 9:40 PM on March 21, 2009 [26 favorites]


Yes, it seems to be a common misconception that Macs are extremely secure. They aren't. They have many of the same design flaws as Windows, such as insufficiently fine-grained permissions structures, but haven't had the dozens of band-aids patched over them that Windows has. For a truly secure network operating system you have to look at purposefully hardened Unix (Unices?). Even Linux, out of the box, isn't particularly secure. It usually has far too many daemons and services enabled.

OpenBSD is cute, though.
posted by sonic meat machine at 9:54 PM on March 21, 2009 [6 favorites]


Unless the authors have one hell of a server farm, I'm willing to bet that when they all phone home, the authors suffer a nice DOS attack of their own doing.

New York Times:
For example, the Conficker worm already had been through several versions when the alliance of computer security experts seized control of 250 Internet domain names the system was planning to use to forward instructions to millions of infected computers.

Shortly thereafter, in the first week of March, the fourth known version of the program, Conficker C, expanded the number of the sites it could use to 50,000. That step made it virtually impossible to stop the Conficker authors from communicating with their botnet.
posted by dgaicun at 9:58 PM on March 21, 2009


Unless the authors have one hell of a server farm, I'm willing to bet that when they all phone home, the authors suffer a nice DOS attack of their own doing.

In deploying Conficker, the virus authors have indeed created one hell of a server farm. It essentially creates a Freenet-like P2P network. The authors could insert themselves into this P2P network and get whatever data they want out of it. Read the article. They've thought this shit through.
posted by zsazsa at 9:59 PM on March 21, 2009 [1 favorite]


I had this a while back. It was icky and unfun. It also made browsing much slower (is the adjective "hella" appropriate here?)
posted by LSK at 10:05 PM on March 21, 2009


I've been reading about this worm for about a week or so, and it seems to be a pretty capable thing. The one thing I don't understand, though, is this: how do they know what Conficker.C will and will not be able to do? It isn't even out yet, as far as I know.

Are their claims (the ars technica article) about what this worm will do real, actual facts gathered in a journalistic manner, based on evidence? Or is it just speculation from experts about what they think will happen next?
posted by localhuman at 10:09 PM on March 21, 2009


localhuman: It should be able to do anything the authors want it to do, if they are able to successfully communicate with it and send commands, which they probably will be able to do.
posted by delmoi at 10:18 PM on March 21, 2009


how do they know what Conficker.C will and will not be able to do? It isn't even out yet, as far as I know.

Who's to say? It runs arbitrary code sent from its owners via the P2P network it builds. It can do anything a computer program can do.

That said, I hope this is a wakeup to the industry and the government. I don't see why computers should default to allowing all traffic via the firewall. I'd love to see a feature that blocks all countries except for your own and requires users to manually uncheck the IPs of countries outside their own. Why does this computer in Chicago need to ever speak to a Russian, Chinese, or Brazilian computer? If that situation ever comes up then send me a pop-up notice in my tray to allow or deny. That right there will stop the spread, or at least control it. MS could implement this in a week. Sure, trojan writers will do their best to move command servers to more countries, but without the global openness of the internet at their disposal then they will be greatly handicapped.

Conficker spread through the recent SMB vulnerability. Obviously people aren't patching. Obviously people are still downloading random executables and running them. Moving towards a walled garden approach like the one I mentioned above can help them when the next big MS vulnerability comes out. I block these countries at work and cut down on the pre-analyzed spam by 80 percent.

On top of this, why am I still seeing outgoing port 25 connections from residential netblocks? What the fuck? There's no reason for a residential DSL or Cable modem to be doing outbound 25. Whitelist people running servers by having them call and verify their identities. Don't let Joe Residential run a mail server from his home by default.

Why are credit processors still processing for shit like antivirus 2009? I just read in the Security Fix blog that someone had to write a newspaper article exposing scammers before the processor would shut them down. In the meantime they were loving their 1.5 percent cut.

MS give up on autorun. Completely.

People give up on XP running as administrator. Run Vista or make a user account.

All this is fixable. Shame the industry credit processors, and the Obama administration are just focused on profits as the only healthy metric of the computer industry. This Wall Street mentality destroyed banks and it's destroying computers. Someone should regulate ISPs so they disconnect zombie machines and block port 25 for residential networks. I mean, they can detect when I'm downloading a Radiohead album, but they happily ignore all the zombies.
posted by damn dirty ape at 10:24 PM on March 21, 2009 [14 favorites]


I understand that, but I don't understand how the articles' authors can claim to know what the Conficker.C authors are planning to do with the bug. Do they somehow know what will happen through some evidence of some sort, or just guessing what a malware coder would do next?
posted by localhuman at 10:24 PM on March 21, 2009


It's sort of beside the point, but the understanding I have of the Pwn2Own Safari exploit is not that it necessarily seized control of the OS or could do anything beyond what Safari could necessarily do, i.e. change user files, read data outside the app's memory, maybe? The rules just state that they need to show "code execution". Going from executing a kernel panic inducing buffer overflow to directed execution isn't always a given.

But even beyond that, I'm hearing that the guy who won sat on his Safari exploit for a _year_ because he had two lined up before last year's competition, and only needed one. This is good for the security world exactly how? But my main complaint is probably the vagueness that surrounds the whole affair - which is intentional, I know. Should I be bunching up my panties that black hats can pull off a drive by keylogger or trojan installer, or are we talking a (relatively) run of the mill remote code exploit that still only inherits my user permissions and runs into the usual limitations therein? As it stands, it just seems like it's only good for making people worry and give partisans something to humpf humpf about.
posted by Kyol at 10:28 PM on March 21, 2009 [6 favorites]


Mostly they're guessing. The assumption is that the authors of this trojan are the same as the authors of Antivirus 2008/2009. The assumed authors are an illegitimate group of hacker businesses called the Russian Business Network. Their MO is to scare people into buying their illegitimate products via credit card (thus my hatred of lax credit processors). They also use hijacked computers to send out spam, which is profitable.

So history tells us that these two actions make money. It's easy to assume these machines will do just that.
posted by damn dirty ape at 10:28 PM on March 21, 2009


I'm reading the article in the first link, and between the fact that it is way over my head, and the fact that I was planning on going to bed half an hour ago, I think I may be confused, but here goes:

On April 1, this worm will create a 50,000 item list. Each PC will create a unique list. Of these 50,000 items, 500 will be selected, also at random, and used. These 500 items are each queried, once. If they hit a site set up by the hackers, then they will download up to 512k, or for 5 minutes, whichever comes first. Then, 4 days later, they will run whatever they got, if they can.

But, it seems like out of the incredibly massive list of domains they would create with 50,000 random tries, and with only acting on 1%, don't they stand a good chance of not hearing from a huge percentage of these computers for a very long time? Or do they just have control over at least 1 in 500 websites?

Sorry if I'm missing something obvious, but it seems like this approach risks the whole Japanese soldier still fighting a decade after the war thing.
posted by paisley henosis at 10:29 PM on March 21, 2009
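The rendezvous arithmetic behind the comment above (50,000 candidate domains, 500 looked up per host, "1 in 500"), worked through as an added example that is not from the thread or from any published Conficker analysis. It assumes each host draws its 500 lookups uniformly without replacement from the same 50,000-name list, so the chance of reaching (or sinkholing) a host is hypergeometric; the function names, point of view of a defender sizing a sinkhole, and the Monte Carlo cross-check are this example's own.

```python
"""Rendezvous arithmetic for a Conficker-C-style domain generation scheme.

Added example, not from the thread or from any published Conficker analysis.
The numbers (50,000 candidate domains per day, 500 queried per host, 10 million
hosts) are the ones quoted in the thread; the hypergeometric model, the function
names and the Monte Carlo check are this example's own assumptions. Assumed
model: each host draws its 500 lookups uniformly without replacement from the
same 50,000-domain list, and whoever has registered k of those domains (the
operators, or a sinkhole trying to pre-empt them) is reached if any of the 500
lands on one.
"""
import random
from math import comb

CANDIDATES_PER_DAY = 50_000   # domains each infected host generates (from the thread)
QUERIES_PER_DAY = 500         # domains each host actually resolves (from the thread)
BOTNET_SIZE = 10_000_000      # infected-host estimate quoted in the thread


def p_host_contacts(registered, candidates=CANDIDATES_PER_DAY, queries=QUERIES_PER_DAY):
    """Probability that a single host resolves at least one of `registered` domains.

    Sampling `queries` names out of `candidates` without replacement is
    hypergeometric, so
      P(miss every registered domain) = C(candidates - registered, queries) / C(candidates, queries)
    """
    if registered <= 0:
        return 0.0
    if registered > candidates:
        raise ValueError("cannot register more domains than the list contains")
    if candidates - registered < queries:
        return 1.0  # too few unregistered names left to fill the sample: a hit is certain
    miss = comb(candidates - registered, queries) / comb(candidates, queries)
    return 1.0 - miss


def expected_hosts_reached(registered, population=BOTNET_SIZE, **kw):
    """Expected number of hosts that contact at least one registered domain on one day."""
    return population * p_host_contacts(registered, **kw)


def registrations_needed(target_fraction, candidates=CANDIDATES_PER_DAY, queries=QUERIES_PER_DAY):
    """Smallest number of domains that must be registered so that a given host is
    reached with probability >= target_fraction on one day. This is the sizing
    question a sinkhole operator faces. p_host_contacts is monotone in
    `registered`, so a binary search over the list size suffices."""
    if not 0.0 < target_fraction <= 1.0:
        raise ValueError("target_fraction must be in (0, 1]")
    lo, hi = 1, candidates
    while lo < hi:
        mid = (lo + hi) // 2
        if p_host_contacts(mid, candidates, queries) >= target_fraction:
            hi = mid
        else:
            lo = mid + 1
    return lo


def simulate_fraction_reached(hosts, registered, seed=0,
                              candidates=CANDIDATES_PER_DAY, queries=QUERIES_PER_DAY):
    """Monte Carlo cross-check of p_host_contacts: simulate `hosts` independent hosts,
    each drawing `queries` distinct indices. Indices below `registered` stand for
    the registered names (list order is arbitrary, so this loses no generality)."""
    rng = random.Random(seed)
    reached = 0
    for _ in range(hosts):
        sample = rng.sample(range(candidates), queries)
        if any(idx < registered for idx in sample):
            reached += 1
    return reached / hosts


if __name__ == "__main__":
    for k in (1, 10, 100, 500):
        p = p_host_contacts(k)
        print(f"{k:4d} registered domain(s): P(host reached) = {p:.4f}, "
              f"expected hosts reached = {expected_hosts_reached(k):,.0f}")
    print("domains needed to reach half the hosts in one day:", registrations_needed(0.5))
    print("simulated fraction reached with 1 domain:", simulate_fraction_reached(2000, 1, seed=1))
```

With one registered domain a host is reached with probability exactly 500/50,000 = 1%, which is the thread's "1 in 100" figure; the sizing function shows why a defender cannot pre-register a handful of names and expect to intercept most of the swarm.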


A "best-of-breed" malware ought not make itself so bloody obvious and demonstrate the need to kill it immediately. The best invasions should fly under the radar, so a hapless infected user doesn't know the malware is there, what it is doing, or that they need to take appropriate action(s). The rest of the malware that acts like this one are just "look at me and what I can do to your computer" show-offs.

In any case, the swiss army link in the post already shows automated programs that offer protection on this critter. And I bet computer-savvy users with some experience removing viruses, or patience and an ability to carefully follow directions, could manually wipe that thing out. I didn't see anything that is insurmountable in its laundry list of actions, or that much different from what all the other common viruses before it have done. It just does more of them.

But panics can be fun, if only it weren't for the Linux- and Mac-preening, although that must serve as a driving force there, as well.
posted by mdevore at 10:33 PM on March 21, 2009


Sorry if I'm missing something obvious, but it seems like this approach risks the whole Japanese soldier still fighting a decade after the war thing.

It depends on what the authors want to do. If they just want to send some spam, they certainly don't need all 10 million hosts. Even if they only manage to effectively communicate with 0.1%, that's still 10,000 machines.
posted by delmoi at 10:37 PM on March 21, 2009


You know, I've long wondered what would happen if someone as smart as Schneier made it over to the dark side. I mean, obviously the guys who made Conficker were just smart hacks. But I mean, what happens once someone REALLY smart starts doing it?
posted by Afroblanco at 10:37 PM on March 21, 2009


OK, so since I can see microsoft.com, obviously I don't yet have this worm. How are people being infected? How can one avoid being infected?
posted by Effigy2000 at 10:41 PM on March 21, 2009


But, it seems like out of the incredibly massive list of domains they would create with 50,000 random tries, and with only acting on 1%, don't they stand a good chance of not hearing from a huge percentage of these computers for a very long time?

You're looking at it from the wrong point of view. Yeah, it's true that the vast majority of infected machines won't connect up.

But a hell of a lot (in absolute numbers) will connect up, creating an immense and likely profitable botnet for the bad guys. That's all they care about.

1% of ten million is a really huge botnet.
posted by Chocolate Pickle at 10:43 PM on March 21, 2009


e.e. coli: "Telltale symptoms: you can't view such web sites as Microsoft.com, symantec.com, avast.com, or any other computer security-related sites the worm authors have thought to include in the blacklist; you can't run any of the superb Sysinternals utilities, or many other utilities, because they get killed within a second of starting them up; your antiviral software is impotent."

I had a nasty bug with similar symptoms a few weeks ago, and am reasonably sure I got it cleared off my system. Here's the AskMe I posted about it, with solution included, for anybody experiencing problems like these.
posted by Rhaomi at 10:44 PM on March 21, 2009


{macuser} mmmmm...your tears are like CANDY! {/macuser}
posted by sexyrobot at 10:48 PM on March 21, 2009 [1 favorite]


My understanding of this virus is far from perfect, but I think I can answer a few things.
localhuman - The ArsTechnica article is badly written, Conficker.C was actually detected 10 days earlier. They're describing actions that they know the C variant will take, and on April 1st it will presumably update itself to what will be known as Conficker.D.

paisley henosis - The worm also has the ability to set up a sophisticated p2p network. The 1 in 100 infected computers that contact the correct domain name will share the update with the rest of the swarm.
posted by TungstenChef at 10:54 PM on March 21, 2009


I'd like to think that there is a special hell just for malware coders. They can get out of this hell if and when they successfully finish installing a fresh copy of Windows XP. But the installation always craps out at the very last step, and they have to start all over again from the beginning. Repeat ad infinitum.

and this is different from installing windows in the real world how, exactly?
...srsly, like sweet, sweet candy!
posted by sexyrobot at 10:56 PM on March 21, 2009 [7 favorites]


This is the part where the dude in the spandex outfit fails to prevent every phone in the world from ringing at the same time, isn't it?
posted by maxwelton at 10:59 PM on March 21, 2009 [1 favorite]


On top of this, why am I still seeing outgoing port 25 connections from residential netblocks? What the fuck? There's no reason for a residential DSL or Cable modem to be doing outbound 25. Whitelist people running servers by having them call and verify their identities. Don't let Joe Residential run a mail server from his home by default.

Port 25 is for SMTP, you would generally need to send outbound on TCP port 25 if you wanted to send mail from a client on your machine to an SMTP server.

I think you have this backwards and are insisting there's no reason for someone to accept port 25 inbound to their "home", which isn't exactly accurate. Many people run servers off of their local home networks because they don't need/want/think that others should be or are responsible enough to provide the services they need. Maybe they just want to learn, but the point is that locking down portions of the internet is an excellent idea in principle but breaks down in practice.

There are a couple of problems I have philosophically with going to a "walled garden" approach. The internet at its base was designed to work around blocks in communication. Segregating the networks globally is counter to the design principles and operationally is probably infeasible given the structure and assignment of addressing. Further, when going with a walled garden approach, at what level or layer and who controls the walls and defines what is acceptable in and out of the garden?

The attack vectors available today are simply staggering, and you can't close them off by wholesale eliminating ports and access to them. Complex systems, as they increase in complexity, are generally more exploitable; the "fix", in as much as there is one, is solid systems architecture backed up by automated remediation of vulnerabilities. At the end of the day you'll never get around the user education problems and the only fix for that is someone getting burned and taking responsibility for their systems and those systems' security.

All this is fixable. Shame the industry credit processors, and the Obama administration are just focused on profits as the only healthy metric of the computer industry. This Wall Street mentality destroyed banks and it's destroying computers. Someone should regulate ISPs so they disconnect zombie machines and block port 25 for residential networks. I mean, they can detect when I'm downloading a Radiohead album, but they happily ignore all the zombies.

I know it's fun to go on a bit of a rant now and then but you're melting your tin foil hat. I'm a network and security professional, I design the systems and services used every day by millions of people, I understand the architectures of the systems you're referring to and the standards and compliance measures they need to adhere to. The Obama administration has nothing to do with this, you cannot legislate people into secure practices and habits, further the Obama administration has nothing to do with the PCI standard (something you should probably consider reading once or twice). The "Wall Street" mentality you are referring to is the one where the banks made bad bets with their investors' money and insurance companies insured those bets leading to a credit crisis and inaccurate valuation of assets? I'm not really sure what the fuck you're on about, so I think we'll move on...

Again with the port 25. Port 25 is SMTP, the applications that would be impacted by SMTP are in general: MS Exchange 2003/2007, Sendmail, Qmail. Those are generally run and maintained by ISPs, and don't have many unpatched holes in the wild (and over the last several years *haven't*).

So, exactly what mechanism do you propose ISPs use to detect compromised machines on their customers' local networks, and what level of traffic snooping are you comfortable with? If we're still talking about Downadup, the worm/exploit is peer to peer and uses a fairly clever mechanism to ensure that compromised systems remain within the host network.

Maybe next time you put away the bottle a little bit earlier before posting an incoherent rant on technologies you don't understand.
posted by iamabot at 11:02 PM on March 21, 2009 [53 favorites]


Dumb question: if the virus already has a secure P2P network, why is the April 1st domain thing necessary?
posted by MetaMonkey at 11:05 PM on March 21, 2009


Port 25 is for SMTP, you would generally need to send outbound on TCP port 25 if you wanted to send mail from a client on your machine to an SMTP server.

Most modern mail server software lets you set up an alternate port for SMTP. When I did support at a web host, a large fraction of calls involved telling people how to configure their mail client to use that port. Blocking port 25 at the ISP level is an efficient way of preventing many spam zombies from doing their thing.
posted by TungstenChef at 11:11 PM on March 21, 2009


Blocking port 25 at the ISP level is an efficient way of preventing many spam zombies from doing their thing.

Security through (not even very good) obscurity.
posted by mrnutty at 11:21 PM on March 21, 2009 [5 favorites]


The domain thing does seem unnecessary. Why not use BitTorrent with DHTs to distribute signed code?
posted by crn at 11:24 PM on March 21, 2009


Those with any normal Security AV/AS software are fine, Conficker = Downadup, and Symantec, AVG, McAfee are all over it, let's not PANIC!!! Current MS patches and updated definitions for AV programs are all you really need. If in doubt, turn the system off for the day then back on and update. And don't open any .exes in the email, Mmkay?
posted by Elim at 11:26 PM on March 21, 2009


Most modern mail server software lets you set up an alternate port for SMTP. When I did support at a web host, a large fraction of calls involved telling people how to configure their mail client to use that port. Blocking port 25 at the ISP level is an efficient way of preventing many spam zombies from doing their thing.

Without getting stuck on this, blocking outbound port 25 did the following:
1) Created a lot of work for your webhost telling people how to reconfigure their clients.
2) Annoyed a lot of customers.
3) Didn't appreciably decrease the amount of spam being generated, the issue with blocking spam at the compromised host isn't that host's ability to connect to a server on smtp, we're way way past that point.

Going back to the actual focus of the post, Downadup doesn't even spread this way, although it could be used some day to send out spam, there are far far more profitable ways to leverage the p2p infrastructure that has been built.
posted by iamabot at 11:28 PM on March 21, 2009 [3 favorites]


Security through (not even very good) obscurity.

You're absolutely right, but in the real world easily implemented solutions that partially solve the problem often do more good than completely correct but difficult ones.
posted by TungstenChef at 11:30 PM on March 21, 2009 [1 favorite]


Blocking port 25 at the ISP level is an efficient way of preventing many spam zombies from doing their thing.

Security through (not even very good) obscurity.

I think he means the ability for clients to connect to SMTP servers out on the internet, not the web hosts, and yes it's still an idea (practice) I don't like, because you then are not adhering to the reserved services lists, which is kind of silly. You're referring to the security gained by moving a service off of a well known port, and I agree if that were the goal it would be really ineffective. The solution for that is smtp-auth and certificates.
posted by iamabot at 11:31 PM on March 21, 2009


> On top of this, why am I still seeing outgoing port 25 connections from residential netblocks? What the fuck? Theres no reason for a residential DSL or Cable modem to be doing outbound 25.

Many ISPs do block port 25 traffic that isn't routed to their own mail servers, usually then requiring people to set up port 2525 to allow users to relay through their own mail server (guess what, I want to send email from @mydomain, which many ISPs will not relay, just email with @yourisp.com).

Most mail servers are following rfc1912 nowadays anyway. In other words, if you say you are mail.foo.com with ip address of 123.123.2.2, but 123.123.2.2 reverses to customer47.isp.com, you get a +3 potential spam bonus. In order to get the reverse IP entry created (so 123.123.2.2 reverses to mail.foo.com), you need the owner of the IP address to create that entry. In short, you have to already call your ISP to do that. If your mail server is not already doing that, it should.

As for blocking country of origin subnets, that is just ridiculous. Most users will disable that right away. Why? Because they will keep getting notices every time they want to torrent something. Or do we just keep a blacklist of "bad ip ranges" which would cause all sorts of chaos in the internet political section. I am not saying this is a bad idea from a network / server admin standpoint, but from a default out of the box configuration for uninformed users, it would just get disabled. Not to mention if MS started shipping blocking China as default in the US, guess who will stop talking to MS? China, who still actually has money right now.

Hell, even the credit processors are a problem. Ask the mods here, but in the past a spammer who has been banned from Mefi will complain to PayPal about unsold services. PayPal, in their wonderfully horrible customer service will sometimes halt Mefi payments until it is resolved. So, yes, the credit card processors are evil money grubbing bastards, but at the same point, would you want your business shut down because the guys who used to run bot nets switched to internet extortion and figured out how to spam your CC processor with legitimate looking complaints about your business?

Of course there is a problem for the software manufacturers, most users have just created bad habits as a result of the updates causing problems, or never seeming to stop, or "guess what, we think you stole this software, so your computer can only be a zombie now" type extortion also.

And FWIW the ISP doesn't (usually) know jack about what you are downloading, they are just getting automated emails from RIAA saying they found your IP as a seeding peer on torrent tracker X. And since these malware guys are using the same P2P protocols everyone else is using to swap files (or bypass oppressive government firewalls), do we really want to ask for them to start filtering MORE (and looking at the performance hit that Australia's firewall/filtering will create, any large scale filtering would be pretty useless)?

Look, the internet is a dark and seedy place, and as long as there is a potential to make money by bending or breaking the rules, people will continue to do so. Calling for a totalitarian government/software monopoly cooperation to crack down on it is not going to be the answer.
posted by mrzarquon at 11:35 PM on March 21, 2009 [12 favorites]
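The rfc1912-style reverse DNS check described in the comment above (HELO says mail.foo.com, the IP reverses to customer47.isp.com, "+3 potential spam bonus"), as an added example that is not from the thread or from any real MTA. It runs against a constructed in-memory DNS table so it works offline; the +3 for the HELO/PTR mismatch is the comment's figure, while the other point values, the extra records, the made-up log line format and the function names are this example's own assumptions.

```python
"""Forward-confirmed reverse DNS scoring in the spirit of the rfc1912 remark above.

Added example, not from the thread or from any real MTA. DNS data is a constructed
in-memory table so the check runs offline. The +3 for a HELO/PTR mismatch is the
figure the comment cites; the other point values and records are illustrative.
123.123.2.2 / mail.foo.com / customer47.isp.com are the comment's own example;
the remaining names and addresses are constructed (documentation ranges).
"""
import re
from dataclasses import dataclass, field

# Constructed PTR zone: connecting IP -> hostname claimed by the address owner.
PTR_RECORDS = {
    "123.123.2.2": "customer47.isp.com",   # residential-looking name, as in the comment
    "198.51.100.10": "mail.example.org",   # properly delegated mail host
    "198.51.100.11": "mail.example.org",   # PTR names a host whose A record points elsewhere
}
# Constructed forward zone: hostname -> A record.
A_RECORDS = {
    "customer47.isp.com": "123.123.2.2",
    "mail.example.org": "198.51.100.10",
    "mail.foo.com": "203.0.113.5",
}

NO_PTR_POINTS = 2           # assumption: no reverse entry at all
UNCONFIRMED_PTR_POINTS = 2  # assumption: PTR name does not resolve back to the IP
HELO_MISMATCH_POINTS = 3    # the "+3 potential spam bonus" quoted in the comment


@dataclass
class RdnsVerdict:
    ip: str
    helo: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _canon(name):
    """Normalise a DNS name: strip the trailing dot, compare case-insensitively."""
    return name.rstrip(".").lower()


def check_reverse_dns(helo, ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Score one SMTP connection the way the comment describes an rfc1912-aware MTA would.

    1. Look up the PTR for the connecting IP.
    2. Forward-confirm it: the PTR name's A record must point back at the IP.
    3. Compare the HELO name with the PTR name.
    Points accumulate; the caller feeds the score into its overall spam decision.
    """
    verdict = RdnsVerdict(ip=ip, helo=_canon(helo))
    ptr_name = ptr.get(ip)
    if ptr_name is None:
        verdict.score += NO_PTR_POINTS
        verdict.reasons.append(f"no PTR record for {ip}")
        return verdict
    ptr_name = _canon(ptr_name)
    if a.get(ptr_name) != ip:
        verdict.score += UNCONFIRMED_PTR_POINTS
        verdict.reasons.append(f"PTR {ptr_name} does not resolve back to {ip}")
    if ptr_name != verdict.helo:
        verdict.score += HELO_MISMATCH_POINTS
        verdict.reasons.append(f"HELO {verdict.helo} does not match PTR {ptr_name}")
    return verdict


# Constructed connection log lines in a made-up shape (not real MTA output).
SAMPLE_LOG = """\
connect from unknown[123.123.2.2] helo=mail.foo.com
connect from unknown[198.51.100.10] helo=mail.example.org
connect from unknown[198.51.100.11] helo=mail.example.org
connect from unknown[192.0.2.99] helo=mail.foo.com
"""
LOG_RE = re.compile(r"\[(?P<ip>[\d.]+)\] helo=(?P<helo>\S+)")


def score_log(log=SAMPLE_LOG, threshold=3):
    """Parse connection lines and return (ip, helo, score) for every connection whose
    rDNS score reaches `threshold`, i.e. the ones an MTA would treat as suspect."""
    flagged = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        v = check_reverse_dns(m.group("helo"), m.group("ip"))
        if v.score >= threshold:
            flagged.append((v.ip, v.helo, v.score))
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        m = LOG_RE.search(line)
        v = check_reverse_dns(m.group("helo"), m.group("ip"))
        print(f"{v.ip:15} helo={v.helo:18} score={v.score}  {'; '.join(v.reasons)}")
```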


3) Didn't appreciably decrease the amount of spam being generated, the issue with blocking spam at the compromised host isn't that hosts ability to connect to a server on smtp, we're way way past that point.

Wait, what? By host do you mean the ISP's servers? Blocking port 25 isn't meant to block spam from being received by an ISP's mail servers, it's meant to block spam being sent from an ISP's customers' computers that are zombified and acting as mail servers to send outgoing spam. I don't know where you'd find figures for that sort of thing, but there are likely millions of infected computers connected on cable and DSL that are capable of being used as spam servers.
posted by TungstenChef at 11:39 PM on March 21, 2009


Wait, what? By host do you mean the ISP's servers? Blocking port 25 isn't meant to block spam from being received by an ISP's mail servers, it's meant to block spam being sent from an ISP's customers' computers that are zombified and acting as mail servers to send outgoing spam. I don't know where you'd find figures for that sort of thing, but there are likely millions of infected computers connected on cable and DSL that are capable of being used as spam servers.

I think we're talking about the same thing, I know what you're talking about and the point in that comment was that you can block port 25 outbound within customer assigned IP blocks but it is not going to appreciably lower the amount of spam because of the number of hosts on service providers who specifically won't block outbound port 25, or who are running SMTP on other ports, or have open relays (although thankfully the open relay problem is dropping off a bit).

As noted by mrzarquon, thankfully rfc1912 and specifically checking for compliance to the rfc by MTAs is a more effective way of cutting down on mail coming from zombied hosts. It's not perfect, but it's a step in the right direction to fixing the problem by addressing the technology rather than trying to stick your finger in the dam.
posted by iamabot at 11:47 PM on March 21, 2009 [1 favorite]


Gotcha, I think it's one of those "have to agree to disagree" things. I originally shared your view because I had to deal directly with customer annoyance over the blocks, but eventually I came to understand the ISPs' motivations for it. They're under a lot of pressure to reduce spam coming from their networks, and in a world of finite resources, it's an easy way to accomplish that. Who can say if, in the big picture, it increases everyone's pain by customer annoyance, or decreases it by shutting down yet another source of spam?
posted by TungstenChef at 11:56 PM on March 21, 2009


> Wait, what? By host do you mean the ISPs servers? Blocking port 25 isn't meant to block spam from being received by an ISP's mail servers, it's meant to block spam being sent from an ISP's customers computers that are zombified and acting as mail servers to send outgoing spam.

It hasn't had a dent in the flow of spam, while it may have alleviated some of the ISPs' bandwidth issues by forcing only their customers to use only their own relays, and some ISPs will only relay email messages from @isp.com that originate from their subnets.

So now you just have spambot writers updating their code to figure out how to make a proper email that the ISP will happily relay for you, because they sure as hell aren't going to try to implement a real time email scanning virus detector to handle their millions+ daily message load. The volume of which has tripled because they blocked their customers from using a different smtp server for relaying (ie, the customers own business server), because somehow they thought that would reduce spam.
posted by mrzarquon at 11:57 PM on March 21, 2009 [1 favorite]


While we're still talking about spam...here's a link to several methods to combat spam implemented within varied MTAs.

And while I'm at it, the wikipedia page on Downadup.
posted by iamabot at 11:59 PM on March 21, 2009


Maybe next time you put away the bottle a little bit earlier before posting an incoherent rant on technologies you don't understand.

Right, I'm crazy. Hell, Verizon just did block 25. Now their clients use 587 with mandatory authentication for contacting mail servers. 25 should only be for mail server to mail server communications. Defending the de facto system of messy hacks is ridiculous and what's got us to where we are at.
posted by damn dirty ape at 12:01 AM on March 22, 2009


Why? Because they will keep getting notices every time they want to torrent something

Exemption per application would be trivial to implement.
posted by damn dirty ape at 12:03 AM on March 22, 2009


> Exemption per application would be trivial to implement.

But then what if the application itself (after it has become exempted) is exposed to a vulnerability?

What if a malformed torrent stream can cause code execution, and the code to be executed includes a local privilege escalation? Then you are back to ground zero; your walled garden is useless because someone gave a set of keys to the gardener, so the thieves knew to break into his shed instead of knocking down the front door.
posted by mrzarquon at 12:07 AM on March 22, 2009


Never said it was perfect but it's better than today's implementation: nothing.
posted by damn dirty ape at 12:08 AM on March 22, 2009


Right, I'm crazy. Hell, Verizon just did block 25. Now their clients use 587 with mandatory authentication for contacting mail servers. 25 should only be for mail server to mail server communications. Defending the de facto system of messy hacks is ridiculous and what's got us to where we are at.

The move to port 587 is for ESMTP and the implementation of submission queues as noted in RFC2476.

Oh, my last spam analysis showed almost zilch from Verizon now, so eat shit, imabot.

I thought we were talking about Downadup in this thread? Anyway, as you may have noticed, you are still getting spam, indicating that while yes, Verizon has blocked outbound TCP 25, it has not appreciably changed the volume of spam you are receiving because it's not an effective solution to the problem. Verizon blocking port 25 outbound as part of their move to a new MTA procedure implementing what is described in a 10 year old RFC doesn't exactly bolster your case for blocking 25 outbound, assuming that was your original point, and how does this impact or relate to the spread of Downadup? I'm still not sure what the fuck you're on about.
posted by iamabot at 12:12 AM on March 22, 2009 [1 favorite]


I've heard that one of the things some of the Russian hacker rings have been doing is to run protection shakedowns. "Give us money or we're going to DDOS your web site into oblivion." I've also heard that some people do pay up. (How the money gets to the black hats without being traced I don't know, but apparently there are ways and means.)

I wonder if that's one of the things this lot has in mind. If they really do control a botnet with upwards of a hundred thousand nodes, spread all over the world, it'd be damned hard to defend against.
posted by Chocolate Pickle at 12:13 AM on March 22, 2009


I wonder if that's one of the things this lot has in mind. If they really do control a botnet with upwards of a hundred thousand nodes, spread all over the world, it'd be damned hard to defend against.

The thing is, botnets of this size (100k) aren't all that uncommon; they've certainly been seen before and will be again. I think a lot of the problem with Downadup is that the folks who wrote it and update it are rather clever, and their level of cleverness could lead to some of the more scary scenarios that other rather clever people can think up.

Many previous worms were rather clever, but the author missed something critical that allowed the botnet to be compromised and eliminated, or didn't have a built in distributed mechanism for updating, or didn't have strong encryption of payloads, but this one is special. It's taken the knowledge from previous failures and wrapped up the paths to combat them in a nice tidy package. The author(s?) know(s) how to code reasonably well, knows the mechanisms by which it would generally be removed, and is actively trying to avoid them. Someone who puts that level of thinking and effort into their product is likely bright enough to figure out how to use it for some unpleasant things that require imagination.
posted by iamabot at 12:21 AM on March 22, 2009


I think I had this a few months back on the (running XP) lab systems. Dirty, dirty shit you can't get rid of...

A "best-of-breed" malware ought not make itself so bloody obvious and demonstrate the need to kill it immediately.

I (personally) run Linux on a mac... I'm guessing no worry for me. Except everything else being affected and down.

"Tyler, my ports aren't open."
posted by Avelwood at 12:22 AM on March 22, 2009


Never said it was perfect but its better than today's implementation: nothing.

See also: PATRIOT act.
posted by maxwelton at 12:23 AM on March 22, 2009 [7 favorites]


One of the major features that makes computers in general vulnerable to worms and the like is the lack of diversity.

Diversity is a good thing; you see it in nature all the time, and it's why one variant of a cold will knock out 4 of 10 people but the other 6 may not get sick at all. Diversity in operating systems, web browsers, applications, AV scanners, etc is generally a good thing; it keeps certain parts of the population safe and lets you learn from the vulnerabilities present without it all crashing down. Obviously you can't have the amount of diversity that you have in nature, but the more diversity the better at this point. It makes the job for black hats that much more difficult to capture large segments of the computing population. The homogeneous Windows environment means that the majority of the computing population is vulnerable to the same cold virus, except this time we've got the black plague running around. So rant and rail against the Mac users, taunt the Linux users, and poke fun at the folks running the latest Windows O/S, but because they are not running around with the operating system with the biggest operating share they are less likely to catch a cold, because it's not as effective for someone after pure resources to spend their time on targeting those systems.
posted by iamabot at 12:32 AM on March 22, 2009 [4 favorites]


Well this explains why I stopped being able to access the microsoft site.
posted by Allan Gordon at 12:37 AM on March 22, 2009


iamabot- and now we get into the real problem, which is for people to be able to have a diversity of computers, we need a set of standards for communication. And something broader than IP.

I think something like ODF really taking off and relegating Office to having to compete on features alone (now that "being able to display the document I just received from a client" is no longer the major selling point of their product) would do a lot towards breaking up the monoculture, and by monoculture I mean monopoly.

Same goes for PDF, Video, etc.
posted by mrzarquon at 12:50 AM on March 22, 2009 [1 favorite]


I'm not gonna sit here and point and laugh and be smug in the security (however feeble that may be) of running OS X, but I wanted to quickly repeat something the good John Gruber once said :
> There are all sorts of ways that Windows executes software that don't have equivalents on Mac OS X. Services get installed in the Windows Registry, and the Registry is an opaque labyrinth.

> This just isn't a problem on the Mac. Even if you ended up with a piece of crapware installed, there simply aren't that many places where it could hide. Assuming the crapware needs to launch itself automatically, it's either going to be installed in one of the various /Library sub-folders, or it has to be listed in your user account's Startup Items in the Accounts panel of System Preferences.
The closest thing to malware/spyware I've had on my system was installing some desktop-based app for accessing Veoh. I normally wouldn't install such a thing, but I worked for a competitor at the time and wanted to see what was going on in the greater web video space. Turns out, about an hour after I downloaded their app, a hidden app ran in the background (long after I had quit out of the actual Veoh app I had installed) that made calls to their servers.

I know this because I use Little Snitch and it alerted me to such a thing, and told me which app was responsible. Doing a simple Spotlight search for the app would be all it took, but I thought it would more fun to check and see how such a thing could run had I not uninstalled it. Sure enough, right there in my startup items, I found "Veoh.app". Once that application was run, it would also launch the background application that it didn't tell you about.

Simply removing it from the startup items prevented that background app from ever running on its own again. Anyway, I deleted anything Veoh-related and that was the last of it.

With the amount of malware/spyware that's out there for Windows-based systems, why hasn't MS cooked a Little-Snitch-like app right into the OS? It's very simple - if an application you've never run on your computer before tries to access the internet, an alert comes up that says "this particular app is trying to allow your computer to send information over the internet to this exact location. Allow or Deny?". The options are "once", "until quit", and "forever". So, you can block an application from ever accessing the internet (like, say, this random virus that you don't even see in your taskbar and you've no idea what this website it's trying to access is) or you can allow it ONE time just to see what it's trying to do in the first place (and/or whether you should proceed to allow that app to do so in the future). Every time Firefox does a huge upgrade, for instance (from 2.0 to 3.0 - not point upgrades), OS X considers that a new app, and therefore so does Little Snitch, and I saw "Allow Any Connection - Forever" on initial launch and voila!

(interesting to note, I still get pop-ups in both Safari and Firefox when I visit secure sites like Apple's store, and my bank's website, since they use different ports and Little Snitch is smart enough to know that's outside of my original "Allow All Connections" preference).

At any rate - it's a fucking shame that anyone's ever made viruses of any kind. They serve no useful purpose and they're the scourge of the earth. I'm not here with a smug smile on my face -- this shit will very much affect me, too, I know -- I've just long wondered how much MS really, truly cares about security and/or if maybe, just maybe, they're making either a cut from the profits of anti-virus folks --- or, more importantly, are leaving certain backdoors open for their own software to do semi-malicious shit (like, ya know, checking your Windows Serial Number against known registered serials).
posted by revmitcz at 12:59 AM on March 22, 2009 [7 favorites]


mrzarquon - Totally agree. Closed systems are bad contrasted with the open systems alternatives, and in the long run they are bad for the users, they are bad for security, they are bad for the evolution of technology. Closed systems combined with wide adoption, poor user education, and a focus on the profit margin go directly to the situation with Downadup and what has enabled it to be such an effective worm.
posted by iamabot at 1:02 AM on March 22, 2009


Well that was easier to fix than expected.
posted by Allan Gordon at 1:14 AM on March 22, 2009


At any rate - it's a fucking shame that anyone's ever made viruses of any kind. They serve no useful purpose and they're the scourge of the earth.

Well, at any rate these viruses perform as the best QA team ever assembled.
posted by localhuman at 1:16 AM on March 22, 2009 [5 favorites]


See, if I was to create a virus or malware I wouldn't worry about having it phone home or downloading anything else from the internet. I would create a virus that every time you try to run a program or save a file your computer screen would turn into a 300 piece puzzle and you would have to put it together before you could complete the task. I think that would be worse than having your computer hijacked and downloading a bunch of stuff.

Or another idea would be to have a small process running that would send a command to kill the fan any time it was needed to be on, that way your computer would overheat and be destroyed.

Just something a little different every once in awhile.
posted by lilkeith07 at 1:27 AM on March 22, 2009


{macuser} mmmmm...your tears are like CANDY! {/macuser}

Meh. Disk imaging is your friend. Separate your OS and applications from your data, and you can roll back to a known clean installation in less than 5 mins for less than half of what it used to cost me to let Steve Jobs buttfuck me without the lube.
posted by PeterMcDermott at 1:32 AM on March 22, 2009 [2 favorites]


Nothing except a scorching case of self-satisfaction, as usual.

Nope, I won't be worrying about that, either. After a decade of eating shit for picking from the safer and better options, I'll be at my Mac sipping a tall, cool glass of awesome while your machines burn. Enjoy your comeuppance.
posted by Blazecock Pileon at 1:51 AM on March 22, 2009 [4 favorites]


I really don't want to add fuel to Mac vs. PC flamewar going on here, but it should be noted that John Gruber's security cred is weak. In fact, he's even wrong in the quote revmitcz just repeated: I can think of at least 3 other places just off the top of my head that a nasty executable could hide (cron, launchd, input manager) and that's just userland stuff.

That said, Macs are great. PCs are great. *nix is great. Computing technology in general is great. But all software has bugs, and nothing is impermeable. Can we please all get along?
posted by patr1ck at 2:17 AM on March 22, 2009 [5 favorites]


"why hasn't MS cooked a little-snitch-like app right into the OS?"

Because MS has a vested interest in two things: 1) Making crap software in the very model of planned obsolescence and 2) Making it overly confusing and opaque so that even a reasonably smart lay-person has no hope of fixing simple problems, and hence they need to contact MS once again and stay firmly in the money/control loop of their software masters.

FWIW, I'm typing this on a Vista machine. But it ain't smug for Mac users to point out what's obvious to the known world -- MS sucks donkey dick.
posted by bardic at 2:33 AM on March 22, 2009 [1 favorite]


2) Making it overly confusing and opaque so that even a reasonably smart lay-person has no hope of fixing simple problems

Not really taking sides here because I use both OSes, but anyone who doesn't keep decent backups doesn't really count as reasonably smart, IMO.

Also, I wonder how many lay OSX users would be comfortable digging around in the bowels of BSD? Not many, I'd wager.
posted by PeterMcDermott at 3:34 AM on March 22, 2009


It's true that the computer industry is like the banking industry, there's a lot of very clever people saying "that will never happen to me".

I say clever, more like educated really. I say educated, more like lucky. *waits until April 2nd* I say lucky...
posted by fullerine at 3:39 AM on March 22, 2009


paisley henosis: 500 will be selected, also at random, and used. These 500 items are each queried, once. If they hit a site set up by the hackers, then they will download up to 512k, or for 5 minutes, whichever comes first. Then, 4 days later, they will run whatever they got, if they can.

But, it seems like out of the incredibly massive list of domains they would create with 50,000 random tries, and with only acting on 1%, don't they stand a good chance of not hearing from a huge percentage of these computers for a very long time? Or do they just have control over at least 1 in 500 websites?


The key thing is it generates 50,000 new domains to try every single day, of which it tries 500.
Assuming the controllers only register one of these generated domains a day ahead of time (and they know what they are, because they wrote the algorithm that generates them), that's still a 1/100 chance they'll update a given infected pc per day. They can of course register many more of the domains a day; 100 a day, and they stand a good chance of getting to send an update to infected machines. Registering that many domains is easy, a fact spammers already exploit; you can bulk register domains with certain registrars on a trial basis, then give them back after a short period if they turn out not to be 'profitable', for next to no fee.

Anyway; those updated machines will then continue to spread and communicate with others, helping to update already infected machines via p2p, or infecting new ones with the new version via the unpatched RPC flaw over the 'net, cracking passwords on local network shares or infecting flash drives with its silent autorun poison. Of course, once a machine is infected, it stops it getting antivirus or microsoft patches, making it harder to remove or block automatically.

Basically, it's a way of aiding the spread of new versions of the worm, without relying on the primary route of infection. Earlier versions of Conficker had the same mechanism, but used a much smaller range of domains a day, so researchers in the 'Conficker cabal' were able to predict them and get there first. With 50,000 new domains a day as the attack surface, it's effectively impossible to stop communications going out.

Once conficker C machines start getting their update to conficker D, it's pretty much anyone's guess what they'll do with it. 10 million spam bots? A 10 million strong DOS to take down microsoft.com (or apple.com!)? Just steal 10 million pcs worth of documents and financial information?

Bear in mind that many of the western computers that are infected are ones on company networks with slow or no automated patching process in place, as well as home users with dodgy copies of windows too afraid of getting caught to run windows update. Or just people who have patched, but use a thumbdrive from someone who IS infected, and never bothered to pay for the symantec update once the trial ended, so think that 6 month old AV database is still protecting them.

Even if your own PCs are macs, or linux, or firewalled, patched and up-to-date AV protected - bear in mind what might happen to the net once 10 million pcs start banging on it in nasty ways, or if people and companies you share information with are infected. Do you totally trust every shop you've ever given your credit card details to to be entirely secure, up to date with their patches and antivirus?

We're about to find out.
posted by ArkhanJG at 3:55 AM on March 22, 2009 [2 favorites]
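The "1/100 chance" and "100 a day" figures in the post above can be checked with a small model. This is an added example, not code from the thread or from any Conficker analysis; it assumes each host draws its 500 queries uniformly at random, without replacement, from the day's 50,000 candidates, and that each day's draw is independent of the last.

```python
"""Contact-probability model for a daily domain rendezvous list.

Added example (not from the thread). Constructed assumptions: an infected
host queries QUERIES_PER_DAY names drawn uniformly, without replacement,
from the day's DOMAINS_PER_DAY candidates; the controllers have registered
`registered` of those candidates in advance; days are independent.
"""
from math import prod

DOMAINS_PER_DAY = 50_000   # size of the daily candidate list (figure from the thread)
QUERIES_PER_DAY = 500      # names one host actually queries per day (figure from the thread)


def contact_probability(registered: int,
                        domains: int = DOMAINS_PER_DAY,
                        queries: int = QUERIES_PER_DAY) -> float:
    """P(at least one of a host's daily queries hits a registered domain).

    Draws are without replacement, so this is hypergeometric: the chance of
    missing on every query is the product, over successive queries, of the
    fraction of still-unqueried domains that are unregistered.
    """
    if not 0 <= registered <= domains:
        raise ValueError("registered must be between 0 and the list size")
    if queries > domains:
        raise ValueError("cannot query more domains than exist")
    if registered == 0:
        return 0.0
    if domains - registered < queries:
        return 1.0  # too few unregistered names to fill every query with a miss
    p_miss = prod((domains - registered - i) / (domains - i) for i in range(queries))
    return 1.0 - p_miss


def fraction_reached(registered: int, days: int, **kw) -> float:
    """Expected fraction of the infected population contacted at least once
    within `days` days, treating each day's draw as independent."""
    p = contact_probability(registered, **kw)
    return 1.0 - (1.0 - p) ** days


def registrations_needed(target: float, **kw) -> int:
    """Smallest number of daily registrations giving at least `target`
    per-host, per-day contact probability (bisection; p is monotone in k)."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    lo, hi = 1, kw.get("domains", DOMAINS_PER_DAY)
    while lo < hi:
        mid = (lo + hi) // 2
        if contact_probability(mid, **kw) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    # Defender's planning table: how much of the population a given number
    # of daily registrations reaches, and how fast.
    for k in (1, 10, 100):
        p = contact_probability(k)
        print(f"{k:>4} registered/day: {p:6.1%} of hosts per day, "
              f"{fraction_reached(k, 7):6.1%} within a week")
    print("registrations for a 50% daily hit rate:", registrations_needed(0.5))
```

With one registration a day the model gives the 1% per-host daily contact rate the post states, and 100 registrations give roughly 63%, which is why a blocklist or sinkhole effort has to cover a large share of the list rather than a handful of names.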


What puzzles me about operating system security is why Microsoft and Apple don't just throw money at the problem. Offer $100,000 or more for discovering a new serious exploit and you bring some talented, curious people out of the woodwork instead of letting them drift towards black hat activities. After a year or so and a few million dollars they'd end up with vastly more secure systems.
posted by malevolent at 4:06 AM on March 22, 2009


And in case you're wondering, no, security researchers can't set up their own websites to order conficker to uninstall itself.

a) it wants the files it downloads to be securely encrypted. There was a flaw in the way Conficker B did this, but Conficker C is fixed. Without the master key that the botmasters hold, it's pretty much impossible to create an update that the Conficker C machines will accept as genuine. Brute force cracking that key might take thousands of years with current tech; current encryption is very strong.

b) it's a LOT of websites. Previously, researchers could register them all to stop currently infected machines getting any new versions, but with 50,000 new ones a day, that's too many to effectively lock down.

c) even if they solve a and b, the fact remains that issuing updates to other people's pcs without permission is against computer hacking laws, even if it's meant benignly. The punishment would be less, but it's still a crime. Even if that was solved by government involvement, you still run the risk of doing more harm than good - what happens if your automated tool also removes a key windows dll and stops the computer booting altogether? Lawsuit ahoy.
posted by ArkhanJG at 4:08 AM on March 22, 2009 [2 favorites]


malevolent: Microsoft offer $250,000 reward for information leading to the arrest of the conficker botmasters.

There are also white/greyhat security conferences, where there are rewards for finding new exploits, for thousands of dollars.

The problem is, blackhat exploits of the bugs are potentially worth millions to the spammers and other net-scum; 100k simply doesn't cut it. Plus, many of them are already deep in the blackhat community, and claiming a prize from Microsoft may well end up with an arrest warrant attached to it.

Even proper whitehats sometimes get handcuffs instead of thanks; witness Dmitry Sklyarov, or the people involved with that travelcard hack. I know I'd be reluctant to come forward with an exploit these days; better to report it anonymously and hope they don't come after me for trying to help.
posted by ArkhanJG at 4:16 AM on March 22, 2009 [3 favorites]


malevolent, it's because right now the brunt of the cost of an exploit is borne by the end user. It's like this in identity theft as well, and neither software exploits or ID theft will go away, ever, as there is no profit motive for the companies involved to be proactive.

If Microsoft, for example, had to provide a working machine within 24 hours of being told of a security problem which rendered a machine unsafe, pay restitution to the user plus a penalty, you can bet half of Redmond would be dedicated to trying to break the other half's software rather than the "ship it and let's see what happens" attitude they have now. Or if Transunion had to make whole the victim of identity theft, including the time spent to fight it, plus a hefty monetary penalty, overnight you would see vast improvements to how they handle your credit data. If it was law that the loss of a laptop or media containing consumer records was a felony, and that the company employing the person who lost the laptop had to pay a $10K penalty per individual record lost, you'd see the idiotic practice of carrying around machines like that stopped dead.
posted by maxwelton at 4:22 AM on March 22, 2009 [1 favorite]


One last bit about conficker. Here's some systems that have already been infected and affected by conficker or other windows viruses lately:

French Navy fighters grounded due to conficker

US army base in afghanistan

The FAA employee database

Some of the computer systems on the space station.

Just because our own systems may not be affected because we took precautions (i.e. bought a mac), doesn't mean we won't be affected when conficker C gets D, and actually starts doing something.
posted by ArkhanJG at 4:27 AM on March 22, 2009 [3 favorites]


I'll be at my Mac sipping a tall, cool glass of awesome while your machines burn.

And I'll be at my PC doing much the same. I've been running XP since pretty much day dot, and I have never, ever had a virus or other malware. How? It's not that fucking hard to stay patched and not run random dodgy executables.
posted by markr at 4:28 AM on March 22, 2009 [19 favorites]


If Microsoft, for example, had to provide a working machine within 24 hours of being told of a security problem which rendered a machine unsafe, pay restitution to the user plus a penalty, you can bet half of Redmond would be dedicated to trying to break the other half's software rather than the "ship it and let's see what happens" attitude they have now.

Linux and other free OSs would also vanish. Commercial operating systems that continued to exist would lose most of their features and abilities and develop at a glacially slow rate. Most likely, they would just move out of the country and computer usage in the US would be effectively outlawed. Penalties that make companies pay attention to security could be useful, but don't go overboard.
posted by JiBB at 5:41 AM on March 22, 2009 [1 favorite]


I'm on Windows 98, so I'm invulnerable!!
posted by Mister_A at 6:10 AM on March 22, 2009 [5 favorites]


Invulnerable... just like inflammable!
posted by blue_beetle at 6:56 AM on March 22, 2009 [2 favorites]


The malware author is likely German, or studied in Germany. It's a play on English and German. It's supposed to sound like "configure." But "ficken" is to fuck in German, so instead of getting configured, you get fucked.

So the author got a bunch of media people to use German swearwords.

Also, Macs are less vulnerable solely because they have low market share world wide. Imagine the percentages of Mac and PC ownership switched. Mac would be a huge target and PCs would barely be touched. There's no fun (or profit) for hackers and Russian crime syndicates to go after only such a small segment of computer operators.

However, Apple is a brilliant marketing machine if nothing else and they play up this angle to keep brand loyalty high. They not only have to sell an OS, they have to sell machines as well.
posted by Ironmouth at 7:05 AM on March 22, 2009 [1 favorite]


Nice little thread, here.

Also, I wonder how many lay OSX users would be comfortable digging around in the bowels of BSD? Not many, I'd wager.

*Quietly raises hand a little bit* Though not so much since 10.3, when we started getting more GUI function for the things I was mucking about in (and Apple locked down some of the cool single-user exploits). It was fun learning for me.
posted by Devils Rancher at 7:07 AM on March 22, 2009


Gonna take a wild guess and say that Mac owners probably have nothing to worry about.

Guess what. I run Windows and have nothing to worry about either.
posted by juiceCake at 7:48 AM on March 22, 2009


And I'll be at my PC doing much the same. I've been running XP since pretty much day dot, and I have never, ever had a virus or other malware. How? It's not that fucking hard to stay patched and not run random dodgy executables.

Ditto - it always makes me feel vaguely guilty when folks who hate Microsoft grind on about the poor, stupid Windows users and their crippled PCs.
posted by Alvy Ampersand at 7:52 AM on March 22, 2009 [1 favorite]


> I'd like to think that there is a special hell just for malware coders.

As long as there is at least one level that's deeper and meaner, for the OS designers who let any executable alter system fundamentals as the default setting.

My own brushes with virii are few: I caught the Slammer virus a few years back from simply running a Microsoft-supplied development version of SQL Server - it was vulnerable to remote exploits. Most recently, even though I run AVG and browse like a puritan, last month I was hit with Virtumonde and it was a real bugger to get rid of. I didn't fully eliminate it till I ran CD-bootable Linux-based AV tools from Avira and Kaspersky AV. The latter also checks for updates (so you're working with the latest info even though you booted from CD), and it allows you to find, back up and/or delete files that you couldn't touch when Windows was running.

Bookmark Avira and Kaspersky. Burn a rescue CD now. You just never know...
posted by Artful Codger at 8:03 AM on March 22, 2009 [7 favorites]


""why hasn't MS cooked a little-snitch-like app right into the OS?"

Because MS has a vested interest in two things: 1) Making crap software in the very model of planned obsolescence and 2) Making it overly confusing and opaque so that even a reasonably smart lay-person has no hope of fixing simple problems, and hence they need to contact MS once again and stay firmly in the money/control loop of their software masters."

Wait. What? Windows firewall does exactly what he's talking about. Even with the options he talked about. And Windows likes to bitch at you annoyingly if firewall isn't on, then tell you exactly how to fix it.

Smug mac people are missing the point. Their system isn't really better (although I do love my macbook), nor are they better, smarter people. There are just fewer of them.
posted by kavasa at 8:11 AM on March 22, 2009


or maybe they were so clever as to anticipate its misspelling/pronunciation -- conflickr -- reminding one of the coming conflikt, which of course leads to filk circkles...

[btw, is it just me or is google down?]

anyway, so if the BBC has a botnet and obama has a botnet, i wonder if we might be on the verge of an "instantaneous phase change" :P
US computer scientists have found that random networks – the mathematical description for networks we experience every day in forms such as the internet and global flight connections – have the potential for extreme behaviour never seen before...

Networks that grow randomly, like the global connections between computers that make up the internet, usually rapidly and smoothly gain a central backbone of connections that make it simple to travel between any two points, in what is called a fully connected structure.

The team has used simulations to find a way to grow a network randomly, but significantly delay the emergence of that backbone... Random networks are usually grown by selecting two nodes at random to become connected. Instead, Achlioptas' team pick two pairs of random nodes, but only connect one of them – the pair with the fewest pre-existing connections to other nodes...

The result is that for a long time the network grows, but does not become fully connected. Instead it contains a large number of unconnected chunks, each containing a few nodes. Eventually, the addition of just one link triggers an instantaneous phase change and the network becomes fully connected.
such that, at the 'boss level' of enlightened self-interest, there "is competition not between individuals in a group but between groups. That is because whereas selfishness beats altruism within groups, altruistic groups are more likely to survive..."
posted by kliuless at 8:18 AM on March 22, 2009 [1 favorite]


I had the Antivirus 2009 thing pop up on my work PC not long ago (searching for torrents with IE is dumb). Just loaded up HijackThis, killed a few processes and rebooted, and it was gone. Otoh my boss let a virus sit on her computer for three weeks before asking anyone to look at it, and by the time I saw it she had a dozen processes and services running on it and there was no way it was going to be completely cleaned without a reinstall.

The horrifying thing about it was that rather than do that she'd have been fine with just leaving the virus on. I don't think that she understood that her pc was totally open to any hackers that wanted to steal her credit card number or read her mail and that Russian hackers were probably buying and selling her laptop in a chat room somewhere.

A lot of people are just not aware of the danger they are in if they leave these things running or get infected by these things so don't take precautions.
posted by empath at 8:24 AM on March 22, 2009 [1 favorite]


damn dirty ape: On top of this, why am I still seeing outgoing port 25 connections from residential netblocks? What the fuck? There's no reason for a residential DSL or cable modem to be doing outbound 25

What the fuck, indeed. Anyone that runs their own domain (which almost always includes email) needs outgoing port 25. Duh. Or, do you want to make that illegal?? I wouldn't mind registering with my ISP (AT&T) to get access to port 25, but I'd wager that I'd be the baby that gets thrown out with the bath water. After all, I'd wager again that most people running their own domain have a very low incidence of infection. (I've never been infected with anything, as far as I can tell).
posted by e40 at 8:25 AM on March 22, 2009


Thanks for all the answers to my question.
posted by paisley henosis at 8:53 AM on March 22, 2009


There's no real point to arguing about the relative security of Windows vs OSX vs Linux. There are differences but since there are problems on any platform, the attackers could really go after any base. The real problem is the homogeneity. With a near-monoculture on the desktop, it makes sense to go after The One OS Almost Everyone Uses. (Especially since this is the OS that some of the least educated users also use.) Simplifies the coding and so forth.
posted by DU at 8:59 AM on March 22, 2009


I partly switched to Ubuntu because of a worm I picked up a couple weeks ago. It is surprisingly awesome. I've tried it several times in the past, including two prior versions of Ubuntu, but this time everything on my laptop except the wireless Just Worked or is quickly available, and I happened to have a spare USB wireless device around so that was no problem.

CD/DVD burning? Works, and without having to shell out money for every trivial little feature like most vendor-supplied tools. Video drivers? In restricted (meaning works, but requires confirmation before it'll install). Flash? In restricted. Microsoft fonts for web browsing? In restricted. Read-write NTFS access? Works, no thanks to Microsoft. MP3 and DVD playback? In restricted. Shifting around and resizing partitions, even NTFS ones, from the LiveCD and having everything remain bootable? Works. Hotswapping USB devices? Works, and while unmounting a USB drive in Windows involves crossing your fingers and hoping some random process, usually Explorer's thumbnail generator, hasn't decided to lock a random file on it, on Ubuntu it's always been a breeze.

Even though I typically keep many windows open at once, my 1.15GB RAM system has never used more than 60% of its memory that I can tell -- right now that's about the amount consumed, yet I have Firefox with 22 tabs open, a PDF open, an MP3 player on pause, a package manager, and a file browser open. Unresponsive programs gray out onscreen, and can still be dragged around.

And with Extra visual effects turned on in Gnome, it looks a hell of a lot better than XP or Vista. I've had endless fun just dragging wobbly windows around, wobbly windows that still update in real time, Flash video included, and it doesn't even slow down my machine. It's starting to seem almost BeOS-like.

The only reason I still keep Windows around is a few stubborn holdout programs and computer games. For those I can dual boot. For getting work done, Linux is increasingly looking like the thing to have.

THESE THINGS SAID, you Mac users can clam it as far as I'm concerned. People have a plethora of reasons for using Windows. Running XP doesn't automatically mean you're an Aunt Mabel. Mac users end up paying a premium, and not everyone has that kind of scratch.

markr: And I'll be at my PC doing much the same. I've been running XP since pretty much day dot, and I have never, ever had a virus or other malware. How? It's not that fucking hard to stay patched and not run random dodgy executables.

That will not save you forever. I was fully patched, and I didn't get that worm by running LEETdiskKRAK.exe.
posted by JHarris at 9:06 AM on March 22, 2009 [3 favorites]


I don't know if Little Snitch (linked above) is any good as a security tool, but this particular post on the Little Snitch's author's own web site forum is a gem:
"Hi users, I am new here. I have a question for you. can I go more than 3 Hours for free? to overcome the Demo without paying? without buying the software? Thanks for replaying! I will wait for your answers!"
posted by davejay at 9:07 AM on March 22, 2009


Every four months we read some new article about how there's the biggest, newest, baddest botnet EVAR. Which isn't entirely a surprise, since botnet maintainers are at war with each other. And making a crapton of money renting their networks out. But at this point the Internet seems to be operating OK with 100,000 to a million zombie machines polluting it with crap. I wonder if that's just going to be the way things are from now on?

All you smug Mac users will get your comeuppance the moment enough people buy Apple's overpriced machines that they're a target worth bothering about. MacOS is not significantly more secure than WindowsNT based systems. But why bother writing exploits and bots for only 10% of the computers on the Internet when you can just as easily pwn 85%?
posted by Nelson at 9:14 AM on March 22, 2009


"And I'll be at my PC doing much the same. I've been running XP since pretty much day dot, and I have never, ever had a virus or other malware. How? It's not that fucking hard to stay patched and not run random dodgy executables."

Until two weeks ago, I could have made the same claim. I got root-kitted (prunnet), vundo-ed, Look2Me-ed, and more all through a single click on a web site video link while I was running the latest version of Firefox. I am still trying to get this crap off of the machine. Alas, I was running briefly as admin and I was clicking on the link to get some instructions about a configuration issue I was trying to straighten out. I have been able to figure out that the infection came through a plug-in installed in Firefox but, which one, I still don't know.
posted by bz at 9:43 AM on March 22, 2009 [5 favorites]


What? Windows firewall does exactly what he's talking about.

I don't know about the later versions, but I'm pretty sure that older versions only actually blocked incoming connections.

If there's something on your machine trying to connect out, Windows Firewall used to be happy to just let it have its way.
posted by PeterMcDermott at 9:51 AM on March 22, 2009


bardic: Gonna take a wild guess and say that Mac owners probably have nothing to worry about.

sararah: Ah, the smugness, I can feel the delightful burn on my fingertips as I type this.


'Ah yes. Silly PC owners! Now I can still play with my little MacBook here in Starbucks! Of course, there's no coffee, since the fall of the international banking system resulted when the theft of 5 million credit cards pushed the economy over the edge - and this store itself is now a ruined shell of a building, since everyone in this country is unemployed - and I can't use the internet, since there is no internet anymore, and especially since Conficker E [which, by the way, the first link above points out we will probably see before this is over] adapted to infect OS X...

'But I can still load my iPod! Ha ha! Who cares if the world burns in a fiery Armageddon - I'll be listening to the new Radiohead album!'

seriously, apple owners being smug about conficker is like gentiles being smug about the holocaust.
posted by koeselitz at 10:35 AM on March 22, 2009 [6 favorites]


Reading this entire thread has made me far too paranoid to actually click on any of the links posted within. Grr.
posted by elizardbits at 10:39 AM on March 22, 2009 [1 favorite]


Also, macs are less vulnerable solely because they have low market share world wide.

If that were true, Mac infections would go up as the market share keeps going up. Since the market share keeps going up, but the infections do not, the evidence suggests this argument is nonsense.

Further, the people who constantly parrot this nonsense are fools, and millions of Windows machines are still infected and are still threats to the larger Internet and, more importantly, to public safety: I just hope the nuclear power plant industry has learned its lesson and moved to anything else.
posted by Blazecock Pileon at 10:41 AM on March 22, 2009 [1 favorite]


"And I'll be at my PC doing much the same. I've been running XP since pretty much day dot, and I have never, ever had a virus or other malware. How? It's not that fucking hard to stay patched and not run random dodgy executables."

No, but any security which depends on the user knowing that is not going to work for most users. I do network/IT support for an ISP. We educate people, but it's not realistic to think that security should depend on "don't be stupid, and learn how to do this technical thing (and maybe a lot of other things)". Not that people can't learn, but a lot of people simply won't. If it's a VCR, it means their clock blinks "12:00," because they don't know how to set it, but if it's their computer, it means they'll get infected eventually, and they may let it stay infected for a while before doing anything about it. That means their machine spews out spam or is acting as a node in a DDoS attack, etc.

You will eventually get infected, too.

"If there's something on your machine trying to connect out, Windows Firewall used to be happy to just let it have its way."

That's typically the better way to do it. If you depend on people knowing how to allow certain applications while blocking all others, you're deluding yourself if you think this will work for the average home user, if they have to do anything about it. Most don't know what a firewall is. That's not to say they can't learn, but most of the time what happens is someone gives the wrong answer when the firewall asks, and that renders their machine unable to connect to the internet, and they don't know how to fix it.
posted by krinklyfig at 10:43 AM on March 22, 2009 [1 favorite]


seriously, apple owners being smug about conficker is like gentiles being smug about the holocaust.

No, it really isn't.
posted by Sys Rq at 10:44 AM on March 22, 2009 [16 favorites]


seriously, apple owners being smug about conficker is like gentiles being smug about the holocaust.

Other logical comments as sensible as saying Apple owners are like gentiles being smug about the Holocaust:

"You can't infect my Windows computer, I know what I'm doing! So the Internet is really safe and we're all going to be just fine!"

"Mac users pay too much! And there are so few of them! And they all use a one-button mouse! So who cares that we are all at risk of serious consequences that could result from whatever this worm will do!"
posted by Blazecock Pileon at 10:53 AM on March 22, 2009 [1 favorite]


Not trying to fan the OSFlamewars flames here, but am I correct in concluding that Conficker will not infect Macs? (OS 10.4.11 here, using Safari 3.2.1) If it will, how can a not-technically-savvy user like me get rid of it? If I can get to the Symantec and Avast websites does that prove my computer is not infected?

Threads like this are mostly "inside baseball" for me and I have to believe that many MeFites are pretty much at my level computerwise, shocking as it may seem to the IT contingent around here. If this worm is really so threatening, and if stbalbach's link is really the best way to deal with it, maybe it should be sidebarred for us baseball outsiders?
posted by Quietgal at 10:59 AM on March 22, 2009


macs are less vulnerable solely because they have low market share world wide.

I've always found this to be a highly suspect concept. Macs may count for a small piece of the market... but Linux is even smaller, and there's viruses for that.

Also the Mac/Windows wars are 20-30 years old now and as passionate and angry as ever. You would think that with all the flame wars that take place every day over this issue, there would be at least ONE nasty coder out there willing to show all those fucking Mac users with their expensive shiny toys who's the boss. (Not to mention, Mac users are "stupid" and have all this disposable income from which they can easily be separated.)

But it doesn't ever seem to happen. It's really a mystery as to why - I mean, Macs do have vulnerabilities, and they find them all the time. There's a couple of Mac trojans out there. But no widespread viruses in the wild. What's up with that?
posted by fungible at 11:00 AM on March 22, 2009 [4 favorites]


Quietgal, currently Conficker targets only Windows computers. This may change, but it's not usually the case that an infection would be ported to other platforms. Conficker uses a specific Windows exploit. However, if you're running Parallels or Boot Camp, then your Windows can be infected.
posted by krinklyfig at 11:02 AM on March 22, 2009


> seriously, apple owners being smug about conficker is like gentiles being smug about the holocaust.
posted by koeselitz at 1:35 PM on March 22


And that's the bell; Godwin has arrived.

Thank you for your time, panelists. Folks watching at home, I hope you were able to learn something from this panel discussion; I know I did. Drive home, be safe, and remember to tell your significant other you love them today. Good night and God bless.
posted by ardgedee at 11:10 AM on March 22, 2009 [15 favorites]


If that were true, Mac infections would go up as the market share keeps going up. Since the market share keeps going up, but the infections do not, the evidence suggests this argument is nonsense.

The absence of evidence is not evidence of absence.
posted by PeterMcDermott at 11:14 AM on March 22, 2009 [1 favorite]


The absence of evidence is not evidence of absence.

You can use that to argue for the existence of ghosts, Gods, or pretty much anything without evidence. I couldn't disprove you, if you want to believe in the supernatural.

However, for lack of an event happening in one population, comparing two populations, you can apply inference to learn what's different and what's similar. For whatever reason that Macs are safer than Windows machines (as defined by a lower infection rate), relative numbers probably do not enter into it.
posted by Blazecock Pileon at 11:24 AM on March 22, 2009 [2 favorites]


The infected computers will be those that belong to people like my moron friend who once told me "My computers are much safer from infection than yours, because I turn mine off when I'm not using them", but then he didn't know the first thing about A/V, firewalls, or updating Windows.

The guy's logic has always been fucked. I mean, it's like saying you're less likely to die in a car accident than a race car driver, because you almost never drive. Meanwhile, when you do drive, it's only in reverse, while drunk, and on the wrong side of the street.
posted by autodidact at 12:09 PM on March 22, 2009 [3 favorites]


"You can't infect my Windows computer, I know what I'm doing!

In all fairness, a good sense of which sites to browse, what software to install, which programs not to rely on, etc. is key. You can get away with it in XP if you're fairly seasoned.

So the Internet is really safe and we're all going to be just fine!"

But most aren't. So, yeah, for every one of your responsible XP users, there are thousands out there making credit card purchases and checking email on infected systems, on unsecured wireless systems at the local coffee house, and generally keeping all personal data in a blatantly highjack-friendly space. This is a problem.
posted by Avelwood at 12:10 PM on March 22, 2009


As far as expired OEM copies of Norton and McAfee go, why doesn't the new Cybersecurity Czar or whatever they're going to rename this position throw some money at the Windows version of ClamAV, build an on-access scanner, and promote it. Sure, it would hurt the AV industry, but the cheap people who refuse to update their scanners aren't paying anyway.
posted by damn dirty ape at 12:18 PM on March 22, 2009


But why bother writing exploits and bots for only 10% of the computers on the Internet ...

That's what they said at 2%, at 3%, at 6% ... There WERE viruses for OS 9, because it was a stupid, vulnerable OS. Back when Apple had 3% or so. They were spread by floppy disk. This argument gets increasingly fallacious with each percentage gain, and each passing year that there's not a virus that can infect the Mac OS.

Not that it's perfect -- I don't just sit here and say it can NEVER happen -- that's insanity. But we're here at about exactly the 8th anniversary of OS X, and I haven't had to worry about it in that time-span. It's been pretty pleasant, to say the least. I don't mean that in a smug way. I mean that in a "thank g*d I don't have to mess with that virus crap, because I'd rather be aimlessly surfing Metafilter & posting snark with my valuable time" way.
posted by Devils Rancher at 12:29 PM on March 22, 2009 [2 favorites]


Yeah, sorry about the Godwin up there - it was late, and I was tired. Tired because I've been working overtime, because the little non-profit I work for that helps kids on probation had conficker all over the servers, and we've been trying to kill it all week. Finally succeeded.

I know I was going overboard -- but the reaction "ha ha, I'm a mac owner" is really petty when the livelihoods and even health and safety of thousands or even millions of people might be on the line. Yes, I know that's not necessarily going to be the case, but it's possible -- and that makes petty "my os is better than yours" bullshit pretty clueless.
posted by koeselitz at 1:02 PM on March 22, 2009 [3 favorites]


The reason Macs don't get hacked isn't because they're secure, they don't get hacked because they're expensive.

Most trojans/viruses come out of Russia, Eastern Europe, and China. Those areas tend to have low GDP per-capita (and therefore foster black-hat hackers due to high levels of education with low income). Low GDP per-capita means that Macs are unaffordable and they are unable to create viruses because they cannot test them. Hackintoshes are also not as easy to make, so they're a massive hassle and they might as well break Linux if they're going to be putting any effort into things.

It's interesting that economics and regional scarcity is what makes Macs secure.
posted by amuseDetachment at 1:02 PM on March 22, 2009 [10 favorites]


Mac users pay too much!

so do cadillac drivers, but social pretension has no price someone isn't willing to pay
posted by pyramid termite at 1:20 PM on March 22, 2009


but Linux is even smaller, and there's viruses for that.

No there aren't?
posted by miyabo at 1:31 PM on March 22, 2009


seriously, apple owners being smug about conficker is like gentiles being smug about the holocaust.

oooh, the tears of godwin...YUMMY!!! Oh, there's too many to drink! I'm drowning in their sweet, sweet nectar! me and my mac are rubbing them on each other...oh, how Deee-lish-ous! like the sweetest of candies! Oh!
posted by sexyrobot at 1:38 PM on March 22, 2009


No, but any security which depends on the user knowing that is not going to work for most users.

Sure. But if these mac jokers can feel smug about purchasing a particular brand of commercial electronics I can feel smug about knowing how to run a computer.

I don't really care much about OSs, other than wanting them to provide stuff like photo editors and music stores I just want them to provide an interface between my hardware and the applications I want to run. I run a fair bit of Linux, but at the moment, for the hardware and applications I want to use, Windows is the best interface. Mac doesn't work with either.
posted by markr at 1:41 PM on March 22, 2009


Doh, that should have been "rather than wanting them to provide..." other completely changes my point.
posted by markr at 1:43 PM on March 22, 2009


so do cadillac drivers, but social pretension has no price someone isn't willing to pay

Go configure a MacBook Pro, take note of what you're putting in the machine CPU-wise, etc. Now, go to Dell, and configure a machine as closely to that as you can. Be sure to include Vista Professional Pro Super Edition™, which is usually extra. The Dell will cost about as much as the Mac, spec-for-spec.

You can buy a cheap-ass PC minus half of the stuff a Mac comes with, or a no-name box that ships with no OS, which is why they're cheaper.

Apple just doesn't do the super-low-end market.
posted by Devils Rancher at 1:45 PM on March 22, 2009 [4 favorites]


> Low GDP per-capita means that Macs are unaffordable and they are unable to create viruses because they cannot test them.

Crime syndicates make millions of dollars a year reselling their botnets. Macs are not safe because a Russian software contractor can't afford to import a $1,000 laptop. If there's money to be made from it, money will be found to do it.
posted by ardgedee at 1:47 PM on March 22, 2009 [2 favorites]


That's what they said at 2%, at 3%, at 6% ...

I doubt there's a linear relationship here. Even with millions of machines infected, the % of spam they send out that is filtered runs high in the 9x% levels. Putting in all this effort to get 100,000 Macs isn't going to help the bottom line of the spammers; in fact, it would most likely hinder it. Their time is better spent writing variants of their trojans that have not yet been identified by the AV companies.

Actually, some would argue that trojan writers are looking at Macs, perhaps not too seriously, and all the security in the world won't help you when you decide to download infected warez, which is one of the best ways to infect a system regardless of OS. It's incredible how little non-infected software there is on the torrent networks nowadays. I sometimes like to visit mininova, go to the software section, and read the comments. They are usually "DONT DOWNLOAD THIS IT HAS A VIRUS." How many people bother reading those comments?
posted by damn dirty ape at 1:53 PM on March 22, 2009


If there's money to be made from it, money will be found to do it.

Opportunity cost. The time it takes to learn Objective-C, the ins and outs of OS X, etc. is better spent just working on variants of your existing trojan. The recent iWork/Photoshop trojan only landed a few hundred thousand machines. A similar Windows trojan can potentially get millions.

Yes, the BSD underpinnings of OSX and Apple's commitment to security are impressive, but at the same time a lot of these botnets don't depend on a local exploit. They depend on fooling Joe User into downloading the file and clicking install.
posted by damn dirty ape at 1:57 PM on March 22, 2009


"Sure. But if these mac jokers can feel smug about purchasing a particular brand of commercial electronics I can feel smug about knowing how to run a computer."

But it's just a pissing match.
posted by krinklyfig at 2:10 PM on March 22, 2009



Going back to the actual focus of the post, Downadup doesn't even spread this way, although it could be used some day to send out spam, there are far far more profitable ways to leverage the p2p infrastructure that has been built.


I disagree, spamming is simple, known, and profitable. I think divorcing spam from trojans is shortsighted and purposely burying one's head in the sand. These two things are connected and most spam comes from trojans.

do we really want to ask for them to start filtering MORE (and looking at the performance hit that Australia's firewall/filtering will create, any large scale filtering would be pretty useless)?

This is unfair and highly disingenuous. Australia's list isn't a computer security list, it's a political list. They aren't blocking trojan sites, they're blocking sex sites. Its backing is from an organization called Family First, not CERT.

Yes, we should definitely be asking ISPs to block more, specifically their zombied clients. When I worked at a university we detected zombie PCs very easily with snort and deactivated their port via MAC address. ISPs could be doing this right now. We know they have deep packet inspection technology already installed, but right now they are more interested in blocking or slowing down my Radiohead torrents than they are in detecting my neighbor's zombied PC.

Again, I think the "profits first" mentality is killing us. Torrents are slowed because bandwidth costs money, thus slowing torrents saves money or at least postpones big buildouts for a while. ISPs taking responsibility for their zombie'd PCs costs money. McAfee and Symantec want those renewal dollars for their AV products. MS is too afraid of breaking aging backwards compatibility because it could hurt the bottom line. MS dragged its heels on making users non-admins by default.

Simply put, the free market approach to computer security has failed just like we see the free-market solution to healthcare fail. These are things too important to leave to MBAs and bottom line profits. Yes, I'd like to see the government release a free AV and ISPs regulated into stopping their zombies. I don't see parallels between this and the Australian blocklist; I see parallels between this and the thousands of laws that regulate dangerous practices of everyday businesses. The libertarian/free market approach continues to fail.
posted by damn dirty ape at 2:11 PM on March 22, 2009
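The detection step described in the post above (flag a scanning host from Snort alerts, then resolve it to a MAC address for port deactivation) as an added example; this is not code from the thread or from Snort. It assumes Snort's "fast" alert line format, and the signature IDs, messages, IP addresses and ARP entries are all constructed for the example. The key design choice is counting distinct destination hosts per source on TCP 445 rather than raw alert volume, so one chatty file-server client is not confused with a worm sweeping a subnet:

```python
import re
from collections import defaultdict

# Snort "fast"-format alert line (what `snort -A fast` writes). The regex keeps
# the fields this check needs: timestamp, sid, message, priority, protocol, src/dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def _line(ts, sid, msg, src, sport, dst, dport):
    """Build one constructed fast-format alert line for the sample input."""
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: Attempted "
            f"Administrator Privilege Gain] [Priority: 1] {{TCP}} "
            f"{src}:{sport} -> {dst}:{dport}")


# Constructed sample log: 10.0.0.12 fans out to 25 distinct hosts on 445 (the SMB
# port a worm like Conficker scans); 10.0.0.33 talks to one file server twice;
# 10.0.0.50 trips an unrelated web signature. SIDs 9000001/9000002 are made up.
SAMPLE_LOG = "\n".join(
    [_line(f"03/22-14:{i // 60:02d}:{i % 60:02d}.000001", 9000001,
           "CONSTRUCTED NETBIOS SMB scan", "10.0.0.12", 40000 + i,
           f"10.0.1.{i}", 445)
     for i in range(1, 26)]
    + [_line("03/22-14:05:10.000001", 9000001, "CONSTRUCTED NETBIOS SMB scan",
             "10.0.0.33", 51000, "10.0.1.200", 445),
       _line("03/22-14:05:11.000001", 9000001, "CONSTRUCTED NETBIOS SMB scan",
             "10.0.0.33", 51001, "10.0.1.200", 445),
       _line("03/22-14:06:00.000001", 9000002, "CONSTRUCTED WEB-MISC probe",
             "10.0.0.50", 52000, "93.184.216.34", 80),
       "this line is not an alert and must be skipped"]
)

# Constructed IP-to-MAC snapshot (in practice pulled from the DHCP server or the
# access switch's ARP/MAC tables); the MACs are placeholders.
ARP_TABLE = {
    "10.0.0.12": "00:1a:2b:3c:4d:5e",
    "10.0.0.33": "00:1a:2b:3c:4d:5f",
    "10.0.0.50": "00:1a:2b:3c:4d:60",
}


def parse_alerts(log_text):
    """Parse fast-format lines into dicts; non-matching lines are skipped, not fatal."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def find_scanners(alerts, port=445, min_targets=10):
    """Return {src_ip: distinct_target_count} for sources whose TCP fan-out to
    `port` reaches min_targets. Distinct destinations, not raw alert counts,
    separate a subnet sweep from a single noisy client."""
    targets = defaultdict(set)
    for a in alerts:
        if a["proto"] == "TCP" and a["dport"] == port:
            targets[a["src"]].add(a["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def quarantine_list(scanners, arp_table):
    """Map flagged IPs to MAC addresses for port deactivation. IPs with no ARP
    entry are returned separately so nothing is silently dropped."""
    macs, unknown = [], []
    for ip in sorted(scanners):
        mac = arp_table.get(ip)
        (macs if mac else unknown).append(mac or ip)
    return macs, unknown


if __name__ == "__main__":
    scanners = find_scanners(parse_alerts(SAMPLE_LOG))
    macs, unknown = quarantine_list(scanners, ARP_TABLE)
    for ip, n in scanners.items():
        print(f"{ip}: {n} distinct hosts hit on 445 -> MAC {ARP_TABLE.get(ip, '?')}")
    print("deactivate ports for:", macs, "unresolved:", unknown)
```

On the constructed input only 10.0.0.12 is flagged; the threshold and port are parameters because the right fan-out cutoff depends on how many hosts a legitimate client on that network normally reaches.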


While mac users certainly shouldn't be smug about invulnerability to viruses (you're not immune to user-driven malware installs, and in my experience supporting both platforms the average mac user is no more security or computer savvy than your average windows user) there's no getting away from the fact that the primary infection routes for conficker are a remote root exploit in the RPC service, and exploiting autorun to automatically install off of usb media.

RPC, while useful in some business network circumstances, should never be exposed to the net interface; at the very least, it should be off by default. This isn't the first time autorun has been exploited either. Both exploits are a direct result of bad coding by microsoft, and more importantly, really bad design decisions that made them possible infection routes in the first place.
posted by ArkhanJG at 2:15 PM on March 22, 2009


The primary infection for the storm/zlobg/nywar botnet wasn't RPC. It was nothing. Just .exe's (ecards mostly) people were fooled into running. Yes, RPC on the net is ridiculous, but even if you take away a large portion of the low hanging fruit you still have the PEBCAK problem. That is why I advocate stronger ISP and government controls. The end user can always be fooled. Remote shutdown of zombied connections and firewalls that use blocklists or block high-risk countries should be the default; instead they're extremely controversial ideas because they piss off the end user. The end user is the customer. When you piss off the customer you lose money.
posted by damn dirty ape at 2:27 PM on March 22, 2009


"Yes, we should definately be asking ISPs to block more, specifically their zombied clients. When I work at university we detected zombie PCs very easily with snort and deactivated their port via mac address. ISPs could be doing this right now. We know they have deep packet inspection technology already installed, but right now they are more interested in blocking or slowing down my Radiohead torrents than they are of detecting my neighbor's zombied PC."

I work for an ISP, and this is not practical for us, and it's not something our customers want. I don't want my ISP snooping my traffic at all, honestly. We do takedowns for spam and RIAA complaints, like most ISPs. University networks have different policies than ISPs for many reasons.

The model which depends on the user getting educated doesn't work, but the model which involves the government getting involved in security doesn't inspire confidence, either, at least not if you're talking about hacking around the edges at A/V, which doesn't deal with the problem very effectively.

Simply put, the free market approach to computer security has failed just like we see the free-market solution to healthcare fail. These are things too important to to leave to MBAs and bottom line profits.

Nonsense. The government didn't develop OpenBSD (neither did the free market, for that matter). But the law needs better teeth, and the government should be looking at how MS' products, for instance, help spread security threats which are potentially very expensive and cataclysmic on a large scale, both for the commercial markets and for government entities. I would be happy if the federal government started rigorously enforcing high security standards throughout all their departments, ideally working with the open source community to create appropriate, open systems which would benefit all of us, rather than relying on a single vendor to (maybe, finally) get it right. If it's comprehensive enough, then it could trickle down to local governments, schools, etc.
posted by krinklyfig at 2:27 PM on March 22, 2009


Hi. I'm one of the organizers of the PWN2OWN competition. Let me clear up a few things for you.

Macs are more insecure (than pretty much anything modern and common). The point that Charlie (and Dino in his talk) made, is that OS X has basically no exploit code prevention. Unlike windows and linux (and OpenBSD!) OS X (as far as I remember) doesn't randomize the stack, doesn't use any of the non executable memory tricks, and basically looks like any other unix back before everyone else stuck all the exploit mitigation stuff in to gcc/visual studio and the linux/windows/openbsd kernels. It also has a ton of fairly poorly QAed software running on top of that (quicktime and flash I'm looking at you), and is somewhat notorious in the security community for not patching stuff that has been fixed upstream until way after the fact. Apple also isn't particularly good about engaging the security community, and at least has the perception of sitting on bugs. This makes it relatively easy to write working exploits for the platform. Contest wise, that's awesome, because we require not just a bug, but a working exploit to win, and it's simply easier to do in OS X than it is in either Windows or Linux.

Now, all of that said, all the machines got popped in the PWN2OWN contest (and none of the smartphones did) and this is primarily due to dumb luck and economics. Windows vulnerabilities have huge economic value because there are a lot of them (so they make great botnet hosts) and business primarily runs on windows (at least at the desktop) and so they're good for getting specific targets (which the intelligence/leo types care about). OS X vulnerabilities are primarily good for the occasional specific target, and for winning contests like ours. No one really expected Nils to blow an ie8 zero day on winning a contest. We're glad he did, and it freaked the MS guys out a bit, but it certainly wasn't expected.

Back to the topic at hand. In my opinion (I might be wrong, and I doubt it's actually possible to know) the reason why there are basically no OS X worms is a combination of: 1) there aren't that many OS X boxes, and botnets are primarily a numbers game. 2) traditionally most malware authors have been developing for windows and probably can't be bothered to change what works even if uptake is rising. 3) Installing dodgy cracked software from untrusted sources is more common on Windows than OS X. 4) There is more third party software for Windows, and thus the attack surface is higher.

Also, for what it's worth a "win" in PWN2OWN is proof of arbitrary code execution. That means the attacker must prove that they have control of the instruction pointer (functionally this means doing something like popping up notepad to show that's the case). We don't require privilege escalation because that's not considered to be very hard, and is an additional vulnerability anyway.
posted by mock at 2:29 PM on March 22, 2009 [144 favorites]


"That is why I advocate stronger ISP and government controls. The end user can always be fooled."

It sounds like you're very much of the internet-through-appliance model on a controlled network. I don't really like that. I'd rather have the open platforms and the associated risks, but with more robust competition. I do think the next ten years will be interesting in this regard. MS' dominance will probably decline, but we may see more appliance-type connections and more of a temptation to lock down the internet "for the children," for security concerns, etc. (we'll probably see a lot more cell phone/PDA infections). I think we should resist such temptations. There are interesting and worthwhile innovations at the edge, but not if you cut it off.
posted by krinklyfig at 2:34 PM on March 22, 2009 [1 favorite]


MacOS is not significantly more secure than WindowsNT based systems.

Is there an argument to go with that, or is it your garden-variety guess based on high faith in the following principle:

But why bother writing exploits and bots for only 10% of the computers on the Internet when can just as easily pwn 85%?

Because by this logic, web server compromises on systems running Apache should be much, much more frequent than compromises on systems running IIS.

Yeah, I'd allow that some of the vaunted Mac "immunity" is due to its minority status. It's pretty weak sauce to argue that's the whole story.
posted by namespan at 2:36 PM on March 22, 2009 [1 favorite]


"Remote shutdown of zombied connections and firewalls that use blocklists or block high-risk countries should be the default, instead they're extremely controversial ideas because they piss off the end user."

Of course!

Dude, where I live is a fairly prominent Buddhist monastery and quite a few Chinese people - one of my own clients is a University professor from China, who travels there at least once a year, usually for educational purposes. A co-worker from an earlier job was Korean working here on a visa. You were talking earlier about cutting off China and Korea by default for security. That is a tremendously bad idea. That's like saying we should put a wall around Compton because it's too violent and dangerous for the rest of us, and the best thing would be just to shut them off entirely rather than allow someone to accidentally wander around there. Plus, a huge amount of our trade involves those two countries.
posted by krinklyfig at 2:43 PM on March 22, 2009


It's by default on consumer-level residential software firewalls with easy-to-understand pop-ups, not on edge routers. I explained this earlier.

This wouldn't affect email, unless you're using a foreign email server, and even then it's a click. For those who do business with Korea all the time, whitelist it.
posted by damn dirty ape at 2:47 PM on March 22, 2009


I work for an ISP, and this is not practical for us, and it's not something our customers want.

This is exactly the problem. You can't have end users dictate computer security policies.
posted by damn dirty ape at 2:53 PM on March 22, 2009


"It's by default on consumer-level residential software firewalls with easy-to-understand pop-ups, not on edge routers. I explained this earlier."

Yeah, a lot of my time is spent advising people to shut their personal firewall off, because it's not my job to learn every damn firewall out there just to help with your connection issues, unless we want to turn this into a paid support issue (which we don't do for that sort of thing - we're not Symantec Helpdesk). A lot of them are poorly implemented with horrendous interfaces. Oh, sure, easy-to-understand popups you say ...

Now, explain to Joe Sixpack what "whitelisting" means. Prepare to go through this conversation millions of times, that is if you want it to really work. Prepare to get into a further conversation about firewalls, security, networking, application execution, etc. ("Hello, helpdesk? Can I allow 'svchost.exe?' on my firewall? What's that?")

No, there is no way to have a serious conversation when you're talking about something that isn't going to happen. Any mandatory firewall which shut off entire countries would set off a political shitstorm across the world, the likes of which you've never seen. China buying all our oceans of treasuries to keep our economy afloat, and selling us all that cheap shit, and we're cutting them off as a policy? Yeah, right.
posted by krinklyfig at 2:58 PM on March 22, 2009


"This is exactly the problem. You can't have end users dictate computer security policies."

We don't. We do, however, respect their privacy. If we had no regard for that, then our security would be very tight, yes.
posted by krinklyfig at 3:00 PM on March 22, 2009


If it makes you feel any better Snow Leopard is going to use larger address spaces of 64-bit machines to improve its ASLR feature to make it more random (and hopefully enable it on the dyld dynamic linker library) and all writable memory is marked non-executable by default which should innately help with exploit control on 64-bit machines.
posted by Talez at 3:17 PM on March 22, 2009 [1 favorite]


It not only drops its pants, it bends over, it spreads its asscheeks, and waggles it in the window. Windows is the goatse.cx guy of the OS world.
posted by Hovercraft Eel at 3:56 PM on March 22, 2009


Speaking as an ISP employee.

We block outgoing connections with a destination port of 25 except to our mail server automatically on all dynamic IPs. You can turn it off in the control panel but I don't see the point really. You really need a static IP to run a mail server like a sane person. If you have a static we allow you out on port 25 but will block you after a few spam reports. After that you have to fix your shit before we give you it back.

Safest way if you have little to no clue? Relay to your ISP's mail server and turn on your outbound port 25 blocking. They have the resources to make sure you're not spewing shit on the outbound.

There's no reason for dynamic IPs to have outbound 25 except to the mail server. Just get a damn static already. You can put a PTR record on it so Hotmail doesn't have a massive cry about your dodgy mail server.
posted by Talez at 4:10 PM on March 22, 2009 [1 favorite]


Whitelist people running servers by having them call and verify their identities.

You'd better mean just mail servers. Nobody who would force me to jump through hoops to run SSH servers on my home computers has any business running an ISP.
posted by oaf at 4:19 PM on March 22, 2009


"We block outgoing connections with a destination port of 25 except to our mail server automatically on all dynamic IPs. You can turn it off in the control panel but I don't see the point really. You really need a static IP to run a mail server like a sane person."

I use about eight different email addresses on several domains. The SMTP servers I use do not all offer port 587 or 465, and a lot of ISPs don't offer their own SMTP anymore. There are other reasons to use port 25 than running a mail server on your own network.
posted by krinklyfig at 4:48 PM on March 22, 2009


macs are less vulnerable solely because they have low market share world wide

All you smug Mac users will get your comeuppance the moment enough people buy Apple's overpriced machines that they're a target worth bothering about.

I really wish people would quit trotting out this canard. (And Apple's laptops are generally cheaper than comparable models from competitors, so you're wrong about that too.)
posted by oaf at 4:57 PM on March 22, 2009


When I worked at university we detected zombie PCs very easily with snort and deactivated their port via mac address.

what

Did you block the MAC address, or disable the port? Those are two separate actions.
posted by oaf at 5:04 PM on March 22, 2009


I use about eight different email addresses on several domains. The SMTP servers I use do not all offer port 587 or 465, and a lot of ISPs don't offer their own SMTP anymore. There are other reasons to use port 25 than running a mail server on your own network.

If you're accessing a server outside your network you should be using authenticated SMTP on port 465 only. 25 wasn't even supposed to be for consumer use in the first place. And an ISP not doing SMTP? How would a home user send mail? It's unthinkable.
posted by Talez at 5:46 PM on March 22, 2009


Devils Rancher: That's what they said at 2%, at 3%, at 6% ... There WERE viruses for OS 9, because it was a stupid, vulnerable OS. Back when Apple had 3% or so. They were spread by floppy disk. This argument gets increasingly fallacious with each percentage gain, and each passing year that there's not a virus that can infect the Mac OS.

mock: In my opinion... the reason why there are basically no OS X worms is... 1) there aren't that many OS X boxes, and botnets are primarily a numbers game.


Do you see why the % argument does make sense, Devils Rancher? Because we're not just talking about viruses; viruses were looking to exploit or attack anybody and everybody, but just shot out centrally into the stratosphere. Trojan-based botnets are different -- they thrive on the interconnected nature of all these computers and the similarities they have. This isn't some kind of silly little Blaster or Samy worm that puts up some silly message for the stupid virus creator's personal pleasure. This is a ridiculously large botnet designed to take over a very large number of computers through advanced exploitation of TCP/IP and Windows. I guess I'm not an expert, but the conficker goons clearly are, and I'm betting they chose not to work on an OS X botnet not because they couldn't do it, but because the nature and necessary flexibility of botnets means that you can't make them cross-platform.

Botnets are really the new crop of viruses -- they're what we're facing now. And that's why the percentages change. Where before, virus writers were thinking about straight market share, now somebody who contemplates writing an OS X botnet is thinking: "what are the odds that one Mac will meet another Mac directly on the internet?" Those odds may be increasing, but they're still tiny.

mock's comment is pretty awesome, by the way
posted by koeselitz at 6:15 PM on March 22, 2009 [1 favorite]


It's really a mystery as to why - I mean, Macs do have vulnerabilities, and they find them all the time. There's a couple of Mac trojans out there. But no widespread viruses in the wild. What's up with that?

Speaking for myself, when I bought my Mac I found that I'd lost interest in screwing around with every fun toy and application that came my way. I made a few web searches, determined the best tools for the things I need to do with a computer, discovered a number of free, open-source versions that are more than adequate (ie. VLC Player, Opera, OpenOffice), and bought both TextMate text editor and the Apple iWorks suite because I screw around with web/programming, and because my wife sometimes needs to lay out a page for her work materials.

Not a whole lot of entry points in terms of my installing something that could infect me. The browser is really the only risk I'm aware of, and I tend to disable cookies and give low privileges to Java/JS/Flash/etc.

No idea if this minimalism thing is common with Mac users.
posted by five fresh fish at 6:33 PM on March 22, 2009 [1 favorite]


but the reaction "ha ha, I'm a mac owner" is really petty when the livelihoods and even health and safety of thousands or even millions of people might be on the line. Yes, I know that's not necessarily going to be the case, but it's possible -- and that makes petty "my os is better than yours" bullshit pretty clueless.

You guys choose to drive a Pinto that's on fire and you're still calling other people clueless. The laughter and tragedy never end.
posted by Blazecock Pileon at 6:34 PM on March 22, 2009 [5 favorites]


Jeez, BP: The point people are making is that it's foolhardy for a small minority of users to be sneering at the majority of users for having bad habits and/or poor technology when the consequences of the majority's actions can potentially affect all users.

To extend your Pinto on fire analogy - which is actually far less apt than koeselitz's, which while in poor taste, was fairly bang on in characterizing the "I'm Y, so what happens to X doesn't affect me" mindset as being wrongheaded and detrimental to all involved - you're laughing at guys who drive Pintos that are on fire; unfortunately the road is clogged with tons of them and you drive the same route.

Your apparent unwillingness to acknowledge and/or inability to recognize that Conficker C could negatively affect, albeit indirectly, non-PC users and instead use it as an excuse to crow and after being made to 'eat shit' ("I remember back when Mac users had to type at the back of the Starbucks!") is what people are saying is clueless, not your choice of OS. Personally, that matters to me about as much as whether you're a Pepsi or Coca-Cola man.
posted by Alvy Ampersand at 7:04 PM on March 22, 2009


Actually, that's not true: Viva La Coca-Cola!
posted by Alvy Ampersand at 7:05 PM on March 22, 2009 [1 favorite]


the nature and necessary flexibility of botnets means that you can't make them cross-platform

Yeah, it's a shame that Microsoft Office and the Mozilla suite of applications aren't available for anyone who isn't using Windows. If the authors of this worm have taken all the precautions they appear to have, porting it to another OS is not going to be a huge impediment, especially if it makes it more likely that they'll have some critical mass of machines under their control.

mock is simultaneously claiming that Mac OS X is far easier to exploit than Windows and that nobody bothers actually writing exploits for the Mac because there aren't enough Macs around to make it worthwhile. I guess he can decide which one of those he'd prefer to be wrong about, at least until we find out for sure.
posted by oaf at 7:10 PM on March 22, 2009


I'd say Windows is more like a Palomino than a Pinto.

El Camino with an unsecured gas cylinder rolling around in the back?
posted by Alvy Ampersand at 7:16 PM on March 22, 2009


Oh, and—

"what are the odds that one Mac will meet another Mac directly on the internet?"

This isn't the pertinent question. In order to infect a computer with a particular OS, you don't actually have to have a computer with that OS. Just run the Windows exploit first, then the Mac exploit. When you have control of a machine, you tell it to download its platform-specific code.
posted by oaf at 7:19 PM on March 22, 2009


Krinklyfig, thank you.
posted by Quietgal at 7:27 PM on March 22, 2009


Look, the internet Wall Street is a dark and seedy place, and as long as there is a potential to make money by bending or breaking the rules, people will continue to do so. Calling for a totalitarian government/software monopoly cooperation to crack down on it is not going to be the answer.

fixed.
posted by hippybear at 7:28 PM on March 22, 2009


Blazecock Pileon: You guys choose to drive a Pinto that's on fire and you're still calling other people clueless. The laughter and tragedy never end.

Pinto on fire, nothing. Debian GNU/Linux 5.0.0 'lenny', fully patched, here.

Oh, and what do you drive? A BMW? Well, that's mighty fancy. And you say it hardly ever breaks down? How wonderful for you. What do you do when it does break down?

What's that? You have to take it to a dealership? That's too bad. And you say the dealership never even lets you look under the hood -- you just have to trust your mechanic Mr. Jobs when he says that he's really sorry, but you can't know anything about the magic he uses to make that fantastical car run, you just have to oh wow, look at the cool design of the dashboard!

Understand that -- your Mac OS X is the same as MS in every way that matters to a malicious hacker. It's full of code that you aren't supposed to look at, code that the company that made it doesn't want to show you, code that anybody can look at anyway if they try hard enough. It's an awful nice favor Steve Jobs and Bill Gates are doing to those hackers; kinda like the favor the Italian government does for criminals when it makes extremely restrictive gun laws that criminals can circumvent easily -- if nobody but criminals has a gun, then criminals can kill indiscriminately. That's why Italy has the most restrictive gun law in Europe and the highest gun murder rate in Europe.

In the same way, if nobody but criminals has the source code, then criminals can hack indiscriminately.

I know that Mac OS X is more secure at the moment, but that's just because no one has written a botnet for it and probably won't bother yet. But once the money starts rolling in from this little scheme, you can bet they'll start buying up the MacBook Pros they've always wanted and get cracking. And most OS X users will be royally screwed, because they don't know the basis of the system -- and there's no way to find out.

The Windows way actually makes some sense in this respect. Bill Gates is a fuckwad, Ballmer more so, but at least enough people have dug around in the internals of every Windows ever released that it's easy to get information about anything you need or want to. It's easy to prattle on about "blah blah blah windows sucks because they put everything in a central registry blah blah blah" but I defy you to tell me how OS X handles the same task - applications have to be registered somewhere, it's only a matter of where. Making the registry writeable by default was silly, yes, but it was still limitable in certain ways, and that's been fixed in large part anyway in Vista.

You yourself said above that you were mucking around with OS X internals until Apple pulled the plug and locked that stuff down. Locking that stuff down is a shoddy way to deal with security. MS has been trying to do that shit for two decades, and look where that got them.

Also, by the way, you should go back and read this comment. 'The laughter and tragedy never end'? Yes, I'm sure you'll be laughing your little ass off when the US Army, the French Air Force, the international space station, and the FAA all simultaneously get hacked and go offline. It's not really that hilarious. And sniggering at my little non-profit for being vulnerable just because we can't afford an office full of Macs may seem like fun for you, but it's really an exercise in self-indulgence, especially when you're running a machine that is for all intents and purposes just as insecure as a Windows box -- for all you know. G'wan, quote me the line numbers of the part of the OS X source code that make it secure.
posted by koeselitz at 7:45 PM on March 22, 2009 [4 favorites]


You guys choose to drive a Pinto that's on fire and you're still calling other people clueless.

i found it necessary to use $400 to $500 computers - apple chose not to make any - there's a whole market out there that's being passed up

if anyone's clueless, it's them
posted by pyramid termite at 7:54 PM on March 22, 2009 [1 favorite]


oaf: If the authors of this worm have taken all the precautions they appear to have, porting it to another OS is not going to be a huge impediment, especially if it makes it more likely that they'll have some critical mass of machines under their control.

'Well, Mr. Vasilyev, we've done it! We've got a botnet now that can infect up to 30 million computers worldwide, at best! It's likely we'll only get 10 million, but that's pretty good, no?'

'NO! Dmitri, have I taught you nothing?!? It must be bigger! it must be at least 50 million!'

'But Mr. Vasilyev! ... How will I make up that ridiculously high number for our April Fools botnet?'

'Dmitri, you fool! The answer is obvious! Spend 24 hours a day, day and night, translating everything to OS X! I know it won't be porting, really, since you'll be completely rewriting a worm that is deeply correlated with the operating system, and since OS X is so vastly different from MS Windows - but I don't care! It must be done!'

'But... Mr. Vasilyev... that will probably net me at most 3 million, more likely 1 million more computers! Wouldn't it make more sense to refine our code a bit more?'

'NO! It must be done!'

&c...
posted by koeselitz at 7:58 PM on March 22, 2009 [1 favorite]


speaking of cluelessness, most of us have gotten past the high school thing where we think other kids suck because they're buying their clothes at "uncool_cheap_clothes_store" instead of "cool_expensive_clothes_store_with_logos_on_the_clothes"

most of us
posted by pyramid termite at 8:02 PM on March 22, 2009 [6 favorites]


oaf: This isn't the pertinent question. In order to infect a computer with a particular OS, you don't actually have to have a computer with that OS. Just run the Windows exploit first, then the Mac exploit. When you have control of a machine, you tell it to download its platform-specific code.

Yes, but as I say above, the cost of such code is too high. Rewriting it, first of all, would be more time-consuming than you're giving it credit for; Conficker is one of the best ever, and 'porting' it to OS X would mean a completely different approach. It's also a compilation of solutions to the problems we've found so far in the viruses that have been written before -- most of which were on Win32.

Finally, and most importantly, wasting all that time porting it to OS X introduces a vast array of vulnerability to the security researchers around the world who are trying to crack conficker. The coders who came up with this clearly wanted to minimize their vulnerability, and they weren't going to spend weeks coding a whole separate version just to give everybody a bunch of new fronts to crack in just for the sake of a tiny increase in the number of computers they own.
posted by koeselitz at 8:14 PM on March 22, 2009


You have to take it to a dealership? That's too bad

The next time I drive through Redmond I'll keep an eye out for Microsoft's brainwashing schools. This one-mouse-button bullshit must come from somewhere.

And sniggering at my little non-profit for being vulnerable just because we can't afford an office full of Macs may seem like fun for you

Bullshit. I'm snickering at Metafilter's insufferable need to shit on Mac users at every opportunity, which you're joining in by dragging your "little non-profit" into this discussion. If you had to care about cost, you'd be running Linux. Unless you're pirating Microsoft Windows and Office, of course. Do you think those commercial software licenses grow on trees?
posted by Blazecock Pileon at 8:16 PM on March 22, 2009


i found it necessary to use $400 to $500 computers - apple chose not to make any - there's a whole market out there that's being passed up

I find that limit interesting, when you can get a brand new Apple computer for $550 if you're in a non-profit group.
posted by Blazecock Pileon at 8:18 PM on March 22, 2009


I'm snickering at Metafilter's insufferable need to shit on Mac users at every opportunity

Is this like when people accuse MeFi of being far left-wing?
posted by Alvy Ampersand at 8:30 PM on March 22, 2009 [3 favorites]


Blazecock Pileon: If you had to care about cost, you'd be running Linux.

I do. At home. Like I said above. And if you have any ideas about how to convince Denver Juvenile Probation to jump over to Linux, please let me know.

Look, let me be clear: I'm not trying to shit on Mac users, I don't mind them any more than my clients personally, but I just think it's somewhat insensitive to giggle about a problem that could very well be on the scale of a natural disaster.

Probably just my IT mentality, but we're all in this together -- OS X is just another flavor of computer. I wish to god they'd open their source, since that would really help prevent this happening to Macs in the future, but it doesn't keep me up at night -- I just helped order a MacBook for my wife, a MacBook that I recommended to her because it's a well-designed machine.

I'm only saying that smug superiority has no place in computing or security. No place whatsoever. Not for Win32 users, not for OS X users, not even for Linux users.
posted by koeselitz at 8:38 PM on March 22, 2009 [4 favorites]


Also:

Blazecock Pileon: Unless you're pirating Microsoft Windows and Office, of course.

OpenOffice - saves my life.

posted by koeselitz at 8:42 PM on March 22, 2009


you can get a brand new Apple computer for $550 if you're in a non-profit group.

i'm not - and i can get better than that for 500 if i choose a pc - and i don't have to settle for some puny mini model, either

1 gig of memory and a 120 gig hard drive for $599? - no expansion slots?

sorry, but i work harder for my money than that
posted by pyramid termite at 8:43 PM on March 22, 2009 [2 favorites]


One more slight clarification.

There is a difference between finding bugs and writing exploits. In order to write an exploit, one must have a bug, but having a bug is not sufficient for writing an exploit. Writing exploits is easier in OS X because it doesn't have a lot of the protections that other OS vendors have baked in that make it difficult to get the payload to work correctly. This is why we say it's "more insecure." To make software more secure, you can do two things: reduce the number of bugs, or make it harder to exploit. As far as I know Apple has not discovered a new way of doing QA that drops the number of bugs drastically - their bug rate probably looks the same as every other large mature software project. As far as I know Microsoft isn't any better at producing bug free software either. They are, however, better at making it hard to write exploits on their platform.

None of this really has any bearing on botnets however. Allow me to explain by example.
I think everyone can agree that I know of at least two vulnerabilities that are currently unpatched in OS X software that can be remotely exploitable (I was at PWN2OWN, and while I don't know the absolute details of the vulnerabilities found (only zdi and the authors know that for now) I know enough that I could with some work probably independently discover them (that is to say, I know they exist, and I know roughly where they are)). I could take the week off of work and write a botnet for OS X that exploited one of those unpatched vulnerabilities, and every OS X machine on the internet would be potentially exploitable, as Apple has not yet released a fix for them. There is a reason why I don't do this, and why nobody else does either, and I hope I've made it fairly clear that it doesn't have anything to do with the security (or lack thereof) of the platform.
posted by mock at 8:46 PM on March 22, 2009 [10 favorites]


This is why I'm sticking to my Commodore 64 and my 300 bps modem forevar.
posted by bardic at 9:01 PM on March 22, 2009 [5 favorites]


i can get better than that for 500 if i choose a pc - and i don't have to settle for some puny mini model, either

I couldn't, and I built my own PC from scratch from components I picked, and I paid for a legal license of Windows. The whole "Windows-is-cheaper" argument is a lie.
posted by Blazecock Pileon at 9:13 PM on March 22, 2009 [1 favorite]


I wish to god they'd open their source, since that would really help prevent this happening to Macs in the future

Here you go. And here's some more. If that's not enough, here's yet more.

I don't think people will be happy until they get paid to use Apple's stuff. It's really insane.
posted by Blazecock Pileon at 9:25 PM on March 22, 2009 [2 favorites]


@Mock - I'm curious how those OS X botnet virus/malware exploits would work. Last I checked, every virus/malware exploit that happened upon OS X was something either attached to a program you were installing anyway (like someone's mention of a virus that was installed alongside a cracked iWork install) -- which, to me, doesn't constitute a major threat of any kind to 99% of OS X users (and would also require one to re-enter their administrative password in order to patch or alter the low-level system files necessary to pull off an exploit) --- or, the last major one I'd heard of which exploits a vulnerability in Apple's Bonjour service.

From the sound of it -- and I'll readily admit I have no idea what was discovered at PWN2OWN -- the vulnerability found in Safari could very well be an exploit in Apple's Bonjour service (since Safari allows Bonjour bookmark synchronizing). Again, this would require at least one Mac connected to at least one more Mac via a physical (or wireless) network, and one of those Macs' owners would have to run some code that would compromise the security of the other one (maybe even while the other one was actively running), which is worrying but hardly as dire a circumstance, nor as common an occurrence, as this Conficker virus.

I know you can't release the full details of the particular vulnerability shown at PWN2OWN, but I'd genuinely love to know what it is that occurred, and how it might (if released in the wild) affect the average OS X user. I'm not being snarky - I think it's important for people to know, and I'd love to be more informed on these things, but I can't seem to find the information necessary to tell me what it is that I might need to protect against in the first place.
posted by revmitcz at 9:29 PM on March 22, 2009


Rewriting it, first of all, would be more time-consuming than you're giving it credit for

The only reason you're correct on this point is that you'd have to find an exploit for OS X that's similar to the RPC exploit, which would be the most time-consuming part of the process. (I'm not saying such an exploit doesn't exist—it probably does—but it needs to be found.)

Debian GNU/Linux 5.0.0 'lenny', fully patched, here.

Depending on how old your computer is, make sure you've regenerated your SSH keys.

There is a reason why I don't do this, and why nobody else does either, and I hope I've made it fairly clear that it doesn't have anything to do with the security (or lack thereof) of the platform.

That conclusion can't be drawn from the data you have.
posted by oaf at 9:35 PM on March 22, 2009


Ah, so apparently even though OSX has security holes you could drive a bus through, and there are plenty of partisans more than willing enough to do something just to prove a point or just to be destructive, we still haven't seen a directed threat against OSX's security model yet. Remember, we're not just talking about Conficker or botnets in general here, we're talking self-replicating viruses or any sort of attack vector.

And yet aside from a few easily cleaned (and entirely user driven) trojans, there hasn't been a lot of evidence out there to support the "OSX's security is inherently flawed" argument. Money isn't the only reason for all the various malware on XP boxes, there's a certain degree of hacker pride involved too. And imagine being able to tell one's black-hat buddies that you control an OSX botnet. Nobody else has ever done it! Street cred _galore_, man. And even below a botnet - OSX's first clickthrough virus would devastate tech news for a solid reporting cycle.

And frankly, I think Adobe should get a bigger share of the blame in this than they do. I can think of 3 major Adobe vulnerabilities in the past year or so, one of which basically opened up your machine to whoever wanted to buy a flash ad from an ad placement service. So glad we can't live without the additional security threat, guys!

(and would also require one to re-enter their administrative password in order to patch or alter the low-level system files necessary to pull off an exploit)

Well, the annoying bit is that while 99% of OSX software drops into /Applications without needing any special security, I believe iWork actually asked for the admin password, so there was no way to tell just from that that it was doing nasty things behind your back. Mind you, there's a relatively easy way to resolve this: require anything that prompts for the Admin password to use a cryptographically signed install receipt, and if it tries to install things that aren't in that receipt into protected spaces, give the user an option to abort.
posted by Kyol at 9:39 PM on March 22, 2009 [1 favorite]
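Kyol's signed-receipt idea, worked through as an added example (not code from this thread, and not how Apple's installer works): the receipt is a signed manifest of paths and content hashes, and before an installer that asked for the admin password writes into protected locations, its planned writes are checked against that manifest. An HMAC with a demo key stands in for the vendor's signature, and the protected prefixes, file paths and file contents are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key. A real scheme would use a
# public-key signature so the verifier holds no secret; HMAC keeps this example
# inside the standard library.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Illustrative list of locations treated as "protected spaces": anything here
# must be accounted for in the signed receipt.
PROTECTED_PREFIXES = ("/System/", "/Library/", "/usr/", "/private/etc/")


def sign_receipt(manifest: dict, key: bytes = SIGNING_KEY) -> tuple:
    """Serialize a {path: sha256-hex} manifest deterministically and sign it.

    Returns (receipt_bytes, hex_mac); the vendor ships both with the package.
    """
    receipt = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, receipt, hashlib.sha256).hexdigest()
    return receipt, mac


def verify_receipt(receipt: bytes, mac: str, key: bytes = SIGNING_KEY):
    """Return the manifest dict if the signature checks out, otherwise None."""
    expected = hmac.new(key, receipt, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return json.loads(receipt)


def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIXES)


def check_install_plan(manifest: dict, planned_writes: dict) -> list:
    """Compare what the installer intends to write against the signed receipt.

    planned_writes maps path -> bytes the installer is about to place.
    Returns a list of (path, reason) violations; an empty list means every
    write into a protected location is exactly what the receipt promised.
    """
    violations = []
    for path, data in planned_writes.items():
        if not is_protected(path):
            continue  # user-writable locations are outside this check
        if path not in manifest:
            violations.append((path, "not in signed receipt"))
            continue
        if hashlib.sha256(data).hexdigest() != manifest[path]:
            violations.append((path, "content differs from receipt"))
    return violations


def install_decision(receipt: bytes, mac: str, planned_writes: dict) -> tuple:
    """Full flow: bad signature -> 'reject'; any violation -> 'abort'; else 'install'."""
    manifest = verify_receipt(receipt, mac)
    if manifest is None:
        return "reject", [("<receipt>", "signature invalid")]
    violations = check_install_plan(manifest, planned_writes)
    return ("abort" if violations else "install"), violations


# Constructed sample: a legitimate package with one privileged helper.
GENUINE_FILES = {
    "/Library/PrivilegedHelperTools/com.example.helper": b"genuine helper binary\n",
    "/Applications/Example.app/Contents/MacOS/Example": b"app binary\n",
}
GENUINE_MANIFEST = {p: hashlib.sha256(b).hexdigest() for p, b in GENUINE_FILES.items()}
GENUINE_RECEIPT, GENUINE_MAC = sign_receipt(GENUINE_MANIFEST)

# Constructed sample: a repackaged installer that reuses the genuine receipt
# but also drops a launch daemon the receipt never mentioned.
TAMPERED_FILES = dict(GENUINE_FILES)
TAMPERED_FILES["/Library/LaunchDaemons/com.example.unlisted.plist"] = b"<plist/>\n"

if __name__ == "__main__":
    print(install_decision(GENUINE_RECEIPT, GENUINE_MAC, GENUINE_FILES))
    print(install_decision(GENUINE_RECEIPT, GENUINE_MAC, TAMPERED_FILES))
    print(install_decision(GENUINE_RECEIPT, "00" * 32, GENUINE_FILES))
```

The genuine plan installs, the repackaged one aborts on the unlisted launch daemon, and a receipt whose signature fails is rejected before any file is examined.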


I couldn't, and I built my own PC from scratch from components I picked, and I paid for a legal license of Windows. The whole "Windows-is-cheaper" argument is a lie.

the best buy flyer in today's paper tells me otherwise - amd athlon x2 dual-core 4450e+, 19" LCD widescreen, vista home premium, 3 gig memory, 250 gig hard drive, lightscribe labeling, nvidia 6150se graphics for 449

and of course, there's expansion slots

please explain how it is a "lie" that this computer offers 2 gig more memory, twice as much hard drive space, a somewhat faster processor AND a 19" monitor for 150 bucks less

oh, yeah, you get a keyboard and a two-button mouse, too - imagine that
posted by pyramid termite at 9:47 PM on March 22, 2009


@Kyol - ahh, but there's the rub. In order to have gotten that iWork virus, you would've had to download and attempt to install a pirated version of iWork, received over BitTorrent. Seems silly to me that anyone would do that, when you could download a fully-functional 30-day demo from Apple and just hope in 30 days someone releases a serial number (exceedingly likely).

At any rate, I don't think the victims of Conficker were trying to do anything illegal, or even semi-illegal. For all I know, they clicked a link in their inbox, or maybe followed a link on a website to something that interested them. That's entirely different from trying to pirate (cheap! $79 for the iWork suite, for fuck's sake!) software. If you're doing things like that, I can't say you deserve a virus, but you're hardly "playing it safe and doing nothing wrong".
posted by revmitcz at 9:48 PM on March 22, 2009


For all I know, they clicked a link in their inbox, or maybe followed a link on a website to something that interested them.

I think it's more like "connected an unpatched machine to the Internet."
posted by oaf at 9:56 PM on March 22, 2009


I'm snickering at Metafilter's insufferable need to shit on Mac users at every opportunity

And why beholdest thou the mote that is in thy brother's nether eye, but considerest not the beam that thou art straining to excrete?
posted by me & my monkey at 10:01 PM on March 22, 2009 [13 favorites]


@revmitcz: Oh yeah, agreed - I think that's the thing that finally got me off of XP entirely. I mean, OSX still more or less requires you to be complicit in your own undoing (for what there is, occasionally), XP has gotten to the point where an undetected malicious site can hit you with something that will weasel itself into your OS so tight that you're never entirely sure whether you're clean or not. *shudder* I mean, even after taking all the protections you want, you're still never entirely sure.
posted by Kyol at 10:02 PM on March 22, 2009


If I don't believe there is a God that I will answer to or that created me and others, why would I care about the products of conception?

At what point? At the very moment of conception, I couldn't give a damn about the product — and neither does your god, because more often than not, that little ball of human DNA fails to implant. Your god aborts the product of conception as casually as I eat Cheetos.

At some point, I do give a damn about the product — and if we've got to use god-language, well, then, so does your god: a natural pre-mature birth that is viable, instead of a spontaneous abortion.

People who deal in the real world recognize that we will never achieve perfect human behaviour from all people in our society. We have a responsibility to deal with these human imperfections as best we can: to deal with them in a manner that allows us to maintain a long-term, stable society that lessens human suffering. So long as we choose banning abortion in preference to fixing the problems in our society that lead to its use, we are failing.
posted by five fresh fish at 10:16 PM on March 22, 2009


Jesus Fucking Christ, don't you people ever get sick of the Windows/Mac/Linux/BSD wars???

Jesus Fucking Christ.
posted by dirigibleman at 10:31 PM on March 22, 2009 [7 favorites]


This was almost an interesting thread to me because I got infected by this fucker or something closely related earlier this year and ended up restoring my system partition from a backed up image. I was astonished at how thoroughly evil it was, preventing me from accessing useful websites and redirecting search requests.

All of you people who derailed this thread arguing about OSes can go eat a Shit.
posted by fleetmouse at 10:52 PM on March 22, 2009


revmitcz: I can't talk about any of the specific vulns, however I can give you a general hypothetical botnet/worm attack scenario based upon an exploit that fulfills the requirements to win PWN2OWN.

From the final rules we can see that the assumption is that the attacker is able to trick the user into going to a specific URL on the net, from which arbitrary code must be run on the victim's computer. Both vulnerabilities were shown on day 1, which means that they were in the default install of Safari, without any other plugins installed, and of course everything was patched up to the latest and greatest.

So, here's how a simple worm might be written. First of all, we'll keep it relatively simple. No attempt to become persistent, and no attempt to gain privileges. All the worm code running only within the browser's process. For simplicity's sake we'll also assume that no one will be actively attempting to shut the worm down, and that it can get its payload from a simple stable url like http://example.com/wormpayload. Our worm might start out as an img tag on a popular forum. The image tag will cause the browser to open the url in the src attribute (http://example.com/wormpayload) thus running our exploit and inserting our worm payload into the running browser process. Since we now have control of the browser, our payload would consist of some code to watch for HTTP POSTs of over a certain size, to which we'd append our img tag with the src attribute set to http://example.com/wormpayload again. We'd also make these tags invisible to the user, by removing them before any html is rendered for the user. The result would be that whenever the victim posted something on any forum, the worm would append itself as an img tag on that post and any other browser that was vulnerable would be similarly infected if it viewed that forum post and go on to infect other forums. Hopefully our victim would never even know he was infecting forums because the worm would edit out the infected img tags from his view (this might break for all sorts of reasons). And there you have it, a worm that spreads via forums and *any* browser vulnerability which conforms to the PWN2OWN rules.

What makes conficker interesting is not the vulnerability that it exploits, but rather all the other stuff which makes it difficult to catch and contain and allows it to modify its behaviour on the fly. None of that is OS specific.
posted by mock at 11:07 PM on March 22, 2009 [8 favorites]
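The forum-hopping worm sketched in mock's comment, modelled as an added example (this is not code from the thread, and it contains no exploit: in the model a browser is "taken over" simply by viewing a post that carries the payload tag while flagged vulnerable). The forum names, user names, payload host and post-length threshold are all constructed. It also shows the obvious forum-side counter, stripping img tags that point at a blocked host before a post is stored, which breaks the chain regardless of which browser bug is in play:

```python
"""Propagation model for a browser-only worm that spreads through forum posts.

Added illustration, not code from the thread. Names, hosts and thresholds are
constructed. No real vulnerability is involved: infection is simulated.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

PAYLOAD_HOST = "example.com"  # hypothetical payload origin, as in the comment
PAYLOAD_TAG = '<img src="http://example.com/wormpayload" style="display:none">'
MIN_POST_LEN = 20             # "HTTP POSTs over a certain size"

IMG_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.I)


def strip_remote_images(html: str, blocked_hosts: Set[str]) -> str:
    """Forum-side mitigation: drop <img> tags whose src points at a blocked host.
    (A stricter forum would keep only hosts on an allow-list.)"""
    def keep_or_drop(m):
        src = m.group(1)
        host = re.sub(r"^https?://", "", src, flags=re.I).split("/")[0].lower()
        return "" if host in blocked_hosts else m.group(0)
    return IMG_RE.sub(keep_or_drop, html)


@dataclass
class Forum:
    name: str
    sanitize: bool = False
    posts: List[str] = field(default_factory=list)

    def accept(self, html: str) -> None:
        """Store a submitted post, optionally sanitising it first."""
        if self.sanitize:
            html = strip_remote_images(html, {PAYLOAD_HOST})
        self.posts.append(html)


@dataclass
class Browser:
    name: str
    vulnerable: bool
    infected: bool = False

    def render(self, html: str) -> str:
        """Viewing a post. A vulnerable browser that loads the payload tag is
        taken over; an already-infected browser hides the tag from its user."""
        if self.vulnerable and PAYLOAD_TAG in html:
            self.infected = True
        return html.replace(PAYLOAD_TAG, "") if self.infected else html

    def post(self, forum: Forum, text: str) -> None:
        """Submitting a post. An infected browser appends the tag to long posts."""
        if self.infected and len(text) >= MIN_POST_LEN:
            text += PAYLOAD_TAG
        forum.accept(text)


def simulate(sanitize_forums: bool) -> int:
    """Run the scenario once and return how many victim browsers end up infected.

    One infected browser posts on forum A; nine others read A, post on B, read B.
    Victims 0, 3 and 6 run a non-vulnerable browser; the other six are vulnerable.
    """
    forum_a = Forum("forum-a", sanitize=sanitize_forums)
    forum_b = Forum("forum-b", sanitize=sanitize_forums)
    patient_zero = Browser("p0", vulnerable=True, infected=True)
    victims = [Browser(f"v{i}", vulnerable=(i % 3 != 0)) for i in range(9)]

    patient_zero.post(forum_a, "Long enough post to carry the payload tag along.")
    for b in victims:
        for p in forum_a.posts:
            b.render(p)
    for b in victims:
        b.post(forum_b, f"{b.name} replies with something long enough to matter here.")
    for b in victims:
        for p in forum_b.posts:
            b.render(p)
    return sum(b.infected for b in victims)


if __name__ == "__main__":
    print("infected without sanitising forums:", simulate(False))
    print("infected with sanitising forums:   ", simulate(True))
```

Without forum-side filtering every vulnerable reader of forum A is infected on the first pass and then carries the tag onto forum B; with the filter the tag never reaches storage, so the exploit URL is never fetched at all. The same filter is what keeps a later, not-yet-known browser bug from being reachable through the forum.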


what iamabot means is that filtering the tubes causes your interwebs to taste like russia
posted by 29 at 12:21 AM on March 23, 2009 [2 favorites]


oaf: Depending on how old your computer is, make sure you've regenerated your SSH keys.

It's three weeks old, and I have the release candidate of 'lenny' from Valentine's day a month ago. It's patched.

posted by koeselitz at 12:33 AM on March 23, 2009


The best analysis of conficker that I have seen thus far is here.
posted by iamabot at 12:47 AM on March 23, 2009 [2 favorites]


(I should note that it's the initial analysis of A, B and B++ that isn't in the original post, although the follow up of C is)
posted by iamabot at 1:05 AM on March 23, 2009


You know, I've long wondered what would happen if someone as smart as Schneier made it over to the dark side. I mean, obviously the guys who made Conficker were just smart hacks. But I mean, what happens once someone REALLY smart starts doing it?

Its too heterogeneous an environment now, with botnets self-patching security flaws and hardening against competitors, intelligence only gets you a slightly larger botnet than the next guy. What I worry about more than intelligence is ideology or personality; anarchists, nihilists or sociopaths getting control of the botnets. At least organized criminals and money-motivated hackers have a vested interest in keeping the system up. I shudder at the idea of a virus that corrupts just a few database entries or transactions stealthily so that they get backed up for years before anyone realizes what the problem is. Alternatively, viruses or hacks targeted at infecting embedded systems in hospitals, traffic light, sewage, electrical, water, and gas infrastructure.
posted by BrotherCaine at 1:27 AM on March 23, 2009


It's three weeks old, and I have the release candidate of 'lenny' from Valentine's day a month ago. It's patched.

If you've got keys that are weak, patching does absolutely nothing to fix the vulnerability I linked to.

My point was also that that vulnerability was introduced because a programmer didn't like seeing compiler warnings and so broke OpenSSH to get rid of them.
posted by oaf at 4:49 AM on March 23, 2009
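Why a patch does nothing for keys that already exist, as an added example (not code from the thread, and not the real Debian OpenSSL code): the toy key generator below draws its only "entropy" from a process ID, so the entire keyspace is 32767 values per key type and anyone can precompute a blocklist of every key it could ever have produced. A patched generator drawing from the OS CSPRNG produces keys that are not on that list, which is exactly why the fix is to regenerate, not just to update. The hash-as-key construction, the key type names and the PID range are assumptions of the example.

```python
"""Enumerating a keyspace whose only entropy is the process ID.

Added illustration; the generator is a stand-in, not OpenSSL's.
"""
import hashlib
import os
from typing import List, Set

PID_MAX = 32768   # assumed Linux default pid_max: usable seeds are 1..32767
KEY_BYTES = 32


def toy_keygen(pid: int, key_type: str = "rsa2048") -> bytes:
    """A 'key' that depends on nothing but (key_type, pid).
    Stands in for a keypair drawn from a PRNG seeded only with the PID."""
    return hashlib.sha256(f"{key_type}:{pid}".encode()).digest()[:KEY_BYTES]


def fixed_keygen() -> bytes:
    """What a repaired generator does: take the key material from the OS CSPRNG."""
    return os.urandom(KEY_BYTES)


def fingerprint(key: bytes) -> str:
    """Public fingerprint used for matching (hash of the key bytes)."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist(key_type: str = "rsa2048") -> Set[str]:
    """Precompute every fingerprint the broken generator can emit for one key
    type. This is cheap precisely because the seed space collapsed to the PID."""
    return {fingerprint(toy_keygen(pid, key_type)) for pid in range(1, PID_MAX)}


def is_weak(key: bytes, blocklist: Set[str]) -> bool:
    return fingerprint(key) in blocklist


def audit(keys: List[bytes], blocklist: Set[str]) -> List[int]:
    """Indices of keys (e.g. lines of an authorized_keys file) that must be replaced."""
    return [i for i, k in enumerate(keys) if is_weak(k, blocklist)]


if __name__ == "__main__":
    bl = build_blocklist()
    print("enumerable keys:", len(bl))
    sample = [toy_keygen(4242), fixed_keygen(), toy_keygen(31337)]
    print("weak entries:", audit(sample, bl))   # keys 0 and 2 are on the list
```

On Debian-derived systems the real check for this class of key was the `ssh-vulnkey` tool and the `openssl-blacklist` package, which carry exactly such precomputed fingerprint lists; the point of the toy is that a complete blocklist is only feasible because the seed space was tiny.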


And why the hell aren't you using testing (squeeze)? I'd put even odds on lenny being the last stable before mid-2010.
posted by oaf at 4:56 AM on March 23, 2009 [1 favorite]


Hi. I'm the original poster in this thread.

I hadn't posted to MetaFilter for quite some time, so it was not only disappointing, but also kind of shocking to see the ensuing "conversation". We have pointless platform evangelism, sure, but also many posts from people who clearly didn't even *begin* to read the linked-to article but still had opinions about it. What the hell?

Thanks to the well-informed and rational people who actually contributed something of substance.
posted by e.e. coli at 7:40 AM on March 23, 2009 [4 favorites]


don't you people ever get sick of the Windows/Mac/Linux/BSD wars?

Let me guess... you use emacs.
posted by ROU_Xenophobe at 8:55 AM on March 23, 2009 [4 favorites]


Reading iamabot's link reminded me of something (yet another thing) I've been furious as hell about lately.

My dad's got a fairly recent Dell computer. Some time ago, he wanted its hard drive reset for some reason, so I restored it to factory from its install CDs.

Everything went well except that, after getting Service Pack 3 installed, Windows Update stopped working. I considered this to be worrisome, and even more worrisome now that I've heard about these worms, but Dad refuses to let me run the process through again, choosing to let his antivirus software shield him.

His attitude in the matter was damaged by a support phone call to Dell, and this is where my FURIOUS ANGRY RAGE comes into it. He told them about the issue, and the Dell support "technician" actually told him not to worry about it, as most Microsoft updates are targeted for Vista these days anyway.

Grrah!
posted by JHarris at 10:19 AM on March 23, 2009


I think mock's most recent point is probably one of the most salient. Conficker is nasty not because of the specific exploit, but because of the tool sets it includes, the O/S debate is stupid and infantile in the context of the Conficker worm and what it represents technically.

Conficker is a framework, it is the definition of what will come in the future and how weak our current mitigation strategies are against a worm of this nature. It is the next escalation in the arms race between asset protection and "unauthorized" asset use.

The analysis of the worm to date has been fantastic, but it shows how easily the tools created to secure applications, systems and networks can be used to also secure various pieces of software that are generally undesirable on a system.

At the end of the day, exploits are a separate discussion, and as I mentioned earlier as our software and systems become more complex the ease of exploitation grows. There are mitigation strategies to preclude exploits but there will *always* be something exploitable.

The far more dangerous piece remains the thought put into the structure of Conficker itself. We're still in the infancy of this type of software and what its potential is. If it's not Conficker, it will be another worm in a year.

These types of threats are specifically why you see a big big push in the market place for application firewalls, integrated NAC, why companies are pushing products like CSA and integrated network isolation all the way down to the desktop, because as Storm and its variants demonstrated it's becoming more a game of mitigating the damage than it is about preventing the infection in the first place.
posted by iamabot at 10:58 AM on March 23, 2009 [4 favorites]


five fresh fish: At some point, I do give a damn about the product — and if we've got to use god-language, well, then, so does your god: a natural pre-mature birth that is viable, instead of a spontaneous abortion.

Great, more people insulting Windows.

But seriously, I've been taking IT security classes and we're still being taught that the creators of viruses and worms are doing it for prestige. No mention of world-wide botnets being used by criminal organizations. I can't remember the last virus I saw on someone's computer that wasn't mercantile in its intent. Hell, I'd almost enjoy seeing a machine that had its wallpaper replaced with a skull and crossbones instead of "Buy our Anti-virus 2009 you stupid fuck!"
Okay, probably not.
posted by cimbrog at 11:33 AM on March 23, 2009 [1 favorite]


Um so where's our client hypervisors VMWare / Citrix? I want to be able to reset to base known good system images and keep my user settings on a network share. Has anyone been able to break past the guest operating system and into the hypervisor?
posted by geoff. at 12:36 PM on March 23, 2009


I have bad news Burhanistan - they've found a way to attack SMM memory via cache poisoning on intel CPUs, which includes the possibility of jumping out of a hypervisor amongst other nasty possibilities.
posted by ArkhanJG at 12:52 PM on March 23, 2009 [1 favorite]


and Geoff. - sounds like you might be interested in VDI, now called View by Vmware - it's network based virtual PC instances for your clients. New, buggy and expensive, but a step up from thin clients by giving each user their own network accessed virtual PC.
posted by ArkhanJG at 12:55 PM on March 23, 2009



So far, not even the nastiest rootkit has been able to do anything other than futz the VM OS. But you're scaring the crap out of me there.

There are no current working exploits in the wild, but there have been noted issues that could mature in to an exploit based on how the systems respond to certain memory checks. Some of the potential exploits would require host file sharing/etc to be enabled. Assume it will happen eventually and hopefully buttoned up quickly.

The recent SMM issues are a potential problem, it will be interesting to see if it's practical to combine SMM with the toolsets in Conficker and if there are any synergies there...
posted by iamabot at 1:06 PM on March 23, 2009


The human being's propensity towards tribalism over the most trivial matters would be hilarious if it weren't so frightening.
posted by LordSludge at 1:59 PM on March 23, 2009 [6 favorites]


and Geoff. - sounds like you might be interested in VDI, now called View by Vmware - it's network based virtual PC instances for your clients. New, buggy and expensive, but a step up from thin clients by giving each user their own network accessed virtual PC.

Ah, I've been involved in several View deployments. Really wonderful, but 80-90% there. I'm really looking forward to Teradici, which promises to give hardware acceleration for that last bit of smoothness that end users want. Really though, all the buzz at the latest VMWorld was client hypervisors. Both Citrix and VMWare are pouring money into this, if they can do it would revolutionize corporate desktop deployment. I wouldn't be totally surprised to see managed desktops for consumers as well, or at least some sort of implementation of rolling back that is outside the OS.
posted by geoff. at 5:09 PM on March 23, 2009


LordSludge, your small font is a blatant and deliberate insult to the mighty hunters of bold italics! Gird your loins for war!

Er, or something like that. I was going to add something but I need to go make a club out of elk horn.
posted by Kid Charlemagne at 6:07 PM on March 23, 2009 [1 favorite]


five fresh fish: At some point, I do give a damn about the product — and if we've got to use god-language, well, then, so does your god: a natural pre-mature birth that is viable, instead of a spontaneous abortion.
Great, more people insulting Windows.

I must have caught a virus! [ha-choo! sniffle!]
posted by five fresh fish at 6:17 PM on March 23, 2009


So much for outgrowing slashdot.

[NOT NATALIE-PORTMANIST]
posted by YoBananaBoy at 9:52 PM on March 23, 2009


To update iamabot the SRI folks also have an analysis of the C variant.

Choice quotes include:
With this latest escalation in domain space manipulation, C ... highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm. Among the long history of malware epidemics, very few can claim sustained worldwide infiltration of multiple millions of infected drones. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.

Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products.

This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker's authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

Note that the creators of Conficker incorporated "a hash algorithm that had literally been made publicly available only a few weeks earlier" which really emphasizes the pace and effort behind the undertaking.

Imagine if they can get a hold of a vulnerability that hasn't been patched yet.
posted by zenon at 11:42 AM on March 24, 2009 [1 favorite]
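The "domain space manipulation" the SRI quote refers to is the rendezvous trick where every bot derives the same day's list of candidate domains from the date, so the operator never needs a fixed C&C name and only has to register one of the candidates, while anyone who wants to block or sinkhole the botnet has to cover all of them, every day, across every TLD in the list. The following is an added example of that mechanism, not Conficker's algorithm (the thread does not give it, and the seed, hash, TLD list, per-day count and label length here are all constructed). It shows both sides: the bot's lookup and the defender's precomputation once the seed and algorithm have been recovered.

```python
"""Date-seeded rendezvous domains: bot side and defender side.

Added illustration; every constant below is constructed and none of this
is the real Conficker generator.
"""
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

TLDS = ["com", "net", "org", "info", "biz"]   # constructed TLD list
SEED = b"example-botnet-seed"                 # constructed; baked into every bot
PER_DAY = 50                                  # constructed candidate count per day
LABEL_LEN = 10


def daily_domains(day: str, n: int = PER_DAY) -> List[str]:
    """All bots compute the identical list for an ISO date string such as
    '2009-04-01'. Each candidate is a hash of (seed, date, index), mapped to
    lowercase letters plus a TLD picked from the hash as well."""
    d = date.fromisoformat(day)
    out = []
    for i in range(n):
        h = hashlib.sha256(SEED + d.isoformat().encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:LABEL_LEN])
        out.append(f"{label}.{TLDS[h[LABEL_LEN] % len(TLDS)]}")
    return out


def rendezvous(day: str, registered: Set[str]) -> Optional[str]:
    """Bot side: walk the day's list and use the first name that resolves.
    `registered` stands in for 'this name actually resolves today'."""
    for name in daily_domains(day):
        if name in registered:
            return name
    return None


def sinkhole_list(start: str, days: int) -> Set[str]:
    """Defender side: with seed and algorithm recovered, every future rendezvous
    name can be precomputed and pre-registered or blocked. The cost is
    PER_DAY * days names, spread over len(TLDS) registries, and raising either
    number is what makes the defence expensive to coordinate."""
    first = date.fromisoformat(start)
    names: Set[str] = set()
    for k in range(days):
        names.update(daily_domains((first + timedelta(days=k)).isoformat()))
    return names


if __name__ == "__main__":
    today = daily_domains("2009-04-01")
    operator_picks = {today[7]}                 # operator registers just one
    print("bot finds:", rendezvous("2009-04-01", operator_picks))
    blocked = sinkhole_list("2009-04-01", 7)
    print("names to cover for one week:", len(blocked))
```

The asymmetry is the whole point: the operator's cost is one registration per day, the defender's is the full list times the number of days, and every extra TLD in the list is another registry that has to cooperate. That is the governance weakness the SRI write-up is pointing at.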


This thread contains lots of interesting posts! And of course dickwaving, breastbeating, the usual embarrassing overcompensatory MeFi stupidity. And of course snark, for completeness. But still: interesting topic, smart comments.
posted by waxbanks at 3:11 PM on March 24, 2009


How awesome would it be, by the way, to write a virus that signs up for MeFi, sends in five bucks, and posts links to websites that give motherfuckers the virus?!
posted by waxbanks at 3:13 PM on March 24, 2009 [1 favorite]


At first this sounded real scary. After reading the links in the FPP and in this discussion I found out that Microsoft distributed a patch way back when that stops Conficker and that the vast majority of infected machines are in China, Russia, and Brazil, presumably running unpatched pirated versions of Windows. So that made me feel a lot safer. Then I read that infected systems outside those countries include certain military, hospital, and other IT overseen operations that didn't apply the patch at hand. You can shake your head at dumb Granny who doesn't know enough not to click the link in the bogus Microsoft e-mail, but these infections happened to machines being overseen by a pro! Now I'm scared again, not about my own machine becoming infected but my doctor's or my hospital's or NATO's missile screens or...
posted by CCBC at 3:16 PM on March 24, 2009


these infections happened to machines being overseen by a pro!

The problem is that all too frequently, administrators, due to Microsoft's history of updates fixing some things while breaking others, must decide between having the application continue to run (and having a higher chance that the box will get taken over) and patching the box (and risking breaking the application).
posted by oaf at 3:32 PM on March 24, 2009 [1 favorite]


I think there is a lot of "if it ain't broke, don't fix it" mentality for doing patches among the non-pro admin crowd, and this is a quick measure of how professional a shop might be.

Here are some estimations of unpatched PC's from Secunia's blog which isn't a random sample, but from people who downloaded their PC tool jobby.
Number of insecure programs per PC/user:
0 insecure programs: 1.91% of PCs
1-5 insecure programs: 30.27% of PCs
6-10 insecure programs: 25.07% of PCs
11+ insecure programs: 45.76% of PCs

The slapper virus allowed the folks at Rescorla to monitor in real time a group of quasi random *Nix machines that could be infected. From this article: 40 percent of administrators patched their systems in the seven weeks between the public announcement of {the} flaw and the release of the Slapper worm. Another 30 percent apparently patched the software after the Slapper worm started infecting SSL servers in September. Full report here where they note (and they shoot right for the heart here): they expected mod_SSL users to be better than average about installing security fixes for a number of reasons including: "UNIX users are widely believed to be more experienced in server administration than Windows users" and "the flaw allowed an attacker to take over the entire Webserver".

It would be great (terrible?) if all these non-pro admins and other software (looking at you Mac) folks did Patch Tuesday with MS, or about any other mechanism would be better than the current willy-nilly. At this point it appears that the conficker is doing a better job at rolling out updates and patches than a significant portion of the interwebs on the PC side of things.

(see how I got some PC's, some unix, and some macs- cause it's not just that we are in this together, or that they equally stink, its that fools aren't constrained to just sailing around on just one ship - I've seen my share of idiots on each platform, and more importantly no-one can be certain that next time it won't be my machine that burns while you dance.)
posted by zenon at 8:33 PM on March 24, 2009 [1 favorite]


And of course dickwaving, breastbeating

[Shakes head, sighs.] Oh, MetaFilter.

You're supposed to beat that and wave those.
posted by Sys Rq at 11:01 AM on March 25, 2009 [10 favorites]


OK, folks, what this really points up is the epistemological problem of all computer security: How do you know what you know?

Specifically, the definition of a successful exploit is one not detected by the end user.

This is platform independent. It's what's known as a Black Swan problem (made popular recently by Nassim Nicholas Taleb, but first put forth by Karl Popper... and heck, even Robert A. Heinlein makes a reference to it in the early 1970s).

Anyway, the short version of the Black Swan fallacy is this: No number of White Swans prove that Black Swans don't exist.

That means, for example, when partisans of a particular platform talk about how they haven't observed any (or much) malware on their platform of choice, all they're really observing is they've seen a bunch of white swans, and no black ones. Which is all well and good, but provides no evidence whether black swans exist in the first place.

That would be bad enough, but as noted in the definition above, if you can detect an exploit, it's unsuccessful. It is not possible to know if you've been successfully exploited -- by definition. All you can know is if someone attempted an exploit, and then screwed up. (White hats who tell you about exploits [and thus break them] are a subset of benevolent actors -- who are completely irrelevant to the black hats.)

Again, this is platform independent.

Which is why, as Schneier has noted, computer security is a thankless job.
posted by aurelian at 10:16 AM on March 26, 2009 [2 favorites]


I'm snickering at Metafilter's insufferable need to shit on Mac users at every opportunity,

I will defer to me & my monkey's far less inflammatory response pointing out what a twat you're being.

MeFi is one of the most overtly Mac-biased sites I visit.

Um so where's our client hypervisors VMWare / Citrix?

VirtualBox on a bunch of platforms, KVM on Linux, pick your poison.

And mock, thanks for your posts; most interesting, even if uncomfortably fact-filled for some.
posted by rodgerd at 1:11 AM on March 27, 2009


Some good info, but I am lost on one topic...

I run Mac OS X, Linux, Vista, and even eeebuntu (on the Acer Aspire One my ever-so-awesome girlfriend just bought me).

Who do I insult?
posted by Samizdata at 9:52 AM on March 27, 2009


> Who do I insult?

Amiga users
posted by mrzarquon at 10:24 AM on March 27, 2009 [1 favorite]


Well, you could always insult the IT guys that run the UK parliament network - they've been struggling with conficker infections all week.

Hey, it's not like the MPs computers have any confidential documents on them, or need to have secure email or anything. Hell, it's not even like any MPs or government officials will be taking their laptops to the G20 summit next week either, the day after conficker starts updating itself.

*smacks head on desk in disbelief*
posted by ArkhanJG at 11:14 AM on March 27, 2009


I'm snickering at Metafilter's insufferable need to shit on Mac users at every opportunity,

MeFi is one of the most overtly Mac-biased sites I visit.


The two are not exclusive. It could be, this is as positive as it gets. :)
posted by aurelian at 12:28 PM on March 27, 2009


> if nobody but criminals has a gun, then criminals can kill indiscriminately. That's why Italy has the most restrictive gun law in Europe and the highest gun murder rate in Europe.

I'm leaving it at that because this has nothing to do with the thread, but clearly you don't have a fucking clue about this. Death by firearm (US, 2004): 10.1% of total deaths - (www.census.gov). Death by violent cause or any kind of accident (including the proverbial flower pot falling from a window sill) (Italy, 2003): 3.85% of total deaths (www.istat.it).
posted by _dario at 12:19 PM on March 28, 2009


I guess I should mention I have an Amiga too then?
posted by Samizdata at 12:26 PM on March 28, 2009


No creo que usted tiene una amiga.
posted by Sys Rq at 12:36 PM on March 28, 2009


> I guess I should mention I have an Amiga too then?

How about a BeBox?
posted by mrzarquon at 12:45 PM on March 28, 2009


An update out this morning on Conficker from Dan Kaminsky.

The nuts and bolts from what I gather is that Conficker has a unique signature from a network perspective, basically Conficker due to its peer to peer nature will answer if you ask it via the network if it's infected.

The paper describing all of this is supposed to be out soon, but as noted, there was a bunch of code written over the weekend that should enable network/systems administrators to find infected hosts.

I suspect this code will make its way into the commercial vendors' hands and make securing the larger corporate networks easier, but leaving the home networks in the same state unless the ISP's step forward and start locking down infected customers based on their analysis of their user base.
posted by iamabot at 9:08 AM on March 30, 2009


Yes, I'm a self-satisfied Mac user. Dumped my first PC after the Trojan Worm summer. My PC had every worm and every virus known to computerhood at that time and I had the hard drive scrubbed. Twice. I replaced the modem. Nothing got the damn worms off the thing.

So I ditched it and got a mac. That was my first mac. I'm on my 3d.

I will never ever ever ever go back.
posted by Tena at 9:01 AM on March 31, 2009


Conficker Eye Chart via Waxy
posted by Catblack at 3:12 PM on April 2, 2009 [2 favorites]




Just resurrecting this old thread to link to this:

iBotnet: Researchers find signs of zombie Macs

So Macs are starting to become a target for worms and trojans, as one would expect as their popularity increases. Mac users beware!
posted by pharm at 6:46 AM on April 17, 2009


It is a trojan that uses no privilege escalation, that is installed as a result of a user pirating a copy of iWork or CS4. After the user has closed the "This Application was Downloaded from the internet, are you sure you want to install it" dialog that pops up. Honestly, I am surprised it took this long.

Run the installer, you are prompted for admin privileges, and the trojan is installed along with the application (or the application isn't installed, doesn't matter, if the application doesn't work properly, the user would just dismiss it as a result of their poor choice of software acquisition).

The worm itself isn't using any weird backdoor activity to hide itself from the user, or to make it particularly hard to disable (it is not going and replacing ps with its own custom version to prevent the user from seeing the process running, etc.). It doesn't kill Activity Viewer, etc.

I would not be surprised if a security update from apple will include a CleanUpIService script, just as they have added to every update since 10.5.1 to remove Application Enhancer (APE).
posted by mrzarquon at 2:13 PM on April 17, 2009


The original Macs in System 3 (?) days were hugely susceptible to viruses. The floppy drives had the functional equivalent of Windows CD Auto-Run. Which would be used to put a virus into the machine. And then infect every floppy inserted thereafter.

Which made it a real bugger to share data files. Just popping in a thesis disk might end up whacking the Mac. Duuuuumb design.

This zombie Mac scare is stupid. You have to be dumb enough to pirate software to catch it. There's no guarding against that kind of stupidity. And pirate iWorks? The damn application is less than the cost of dinner date. How cheap do you have to be to risk your machine's integrity for seventy bucks?!
posted by five fresh fish at 5:34 PM on April 17, 2009

