Another Trojan hits Mac OS X

From a Slashdot article posted by "kdawson", written by "Don't Believe in Imaginary Property": 

"F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."

Interesting. We already knew about the first one; we covered it here. The second, while it relies on social engineering, is an interesting attack. Because of the way the Mac asks for the password when elevating privileges, it seems a user could be convinced fairly easily. I'm not saying we should scrap the password prompt for privilege elevation, but maybe it needs a rethink. What if it also required a random value, displayed at elevation time, to be appended to your password? Sort of like the CAPTCHA concept.

Maybe that's overkill, maybe not.  I guess we'll have to see how useful this type of attack is to hackers.

-Nate

Topics: Apple, Hardware, Malware, Operating Systems, Security, Software

Talkback

61 comments
  • This is good for Apple

    I would say that malware counts are the [b]best[/b] indication of desktop PC market share, so congrats Apple, you really must be doing well now that you are being targeted so much! I'll leave you with a sobering thought:
    It is easy to avoid being infected when you are never attacked. It is tougher to actually repel attacks. Note that the attacks don't have to be sophisticated or even rely on any weakness in the OS. I believe it was the Bagle worm that emailed itself to you in a password protected zip file (to avoid virus scanners) and gave you the password in the email. The user had to open the zip attachment, enter the password, and then run the program inside to get infected and pass the worm on to all his/her friends. It worked. Don't discount socially engineered attacks as "meaningless" since they have been extremely successful and will continue to be extremely successful, no matter the OS.

    Anyway, congrats Apple! Hopefully it will take the general public a long time to realize that they aren't any safer with OS X than they were with Windows. Your marketing seriously depends on it. :)
    NonZealot
    • Confused

      "Don't discount socially engineered attacks as "meaningless" since they have been extremely successful and will continue to be extremely successful, no matter the OS."

      Spot on

      "Hopefully it will take the general public a long time to realize that they aren't any safer with OS X than they were with Windows."

      How do you figure? You start with market share as an indicator of malware attractiveness. By your reasoning, Mac OS X market share is significantly below Windows, therefore significantly less attractive to malware writers, surely then safer?

      This is a privilege escalation vulnerability which requires local user access. No desktop operating system has been shown to be immune to privilege escalation attacks.

      Really, root access isn't even required; for desktops almost the same damage can be done as the local user account anyway.

      Whilst this is a bad one given its triviality (very bad Apple), Apple users should rejoice in their low market share. Even happier are desktop Linux users. Happier still are desktop Linux users on unusual platforms (e.g. PPC).
      Richard Flude
      • That's a bit like saying.

        living in Antarctica would bring great happiness to everyone since they would then not be exposed to airborne viruses nor allergens to pollute their bodies.
        I think the happiest people prefer to take necessary precautions, and live among the majority.
        xuniL_z
    • nonzealot weariness shows through sarcasm

      nonzealot says "Hopefully it will take the general public a long time to realize that they aren't any safer with OS X than they were with Windows.".

      Just because certain types of attacks rely upon user gullibility and are OS-independent, there are SO MANY MORE security exposures in MS Windows than in Mac OS X because of the architecture alone that your sarcasm only reveals how beat up you are using Windows. The fact that you wish your same misery on Mac OS X customers is just a whole lot of "looking for company" -- a bit desperate ... sad loser ...
      tahoe_blue
      • Or so you like to think.

        in 2003/2004 OSX was no more secure than XP, nor was Linux.
        http://www.techworld.com/security/news/index.cfm?newsid=1798

        And since Vista, many security professionals are saying it is heads and shoulders above OSX security.

        The SDL lifecycle produced an OS with a lot of exceptionally good baked in security that OSX simply does not have. This data is pre-Leopard but note the Leopard memory randomization, to my knowledge, has been a failure and easily defeatable.

        Over the objections of the whole industry, Microsoft has locked their kernel. At Black Hat, Matasano demoed malicious MacOS X kernel code that transparently virtualizes the whole operating system out from under itself.

        The standard Microsoft libc heap is tripwired so that malicious pointer overwrites abort the program instead of handing control over to attackers.

        The Microsoft C runtime guards activation records on the stack, so that overruns in stack variables don't allow attackers to overwrite return addresses. The Win32 runtime also defends its exception handlers. How resilient is the (vastly more complex) Objective C "Cocoa" runtime against the same attacks?

        On supported platforms, Microsoft takes advantage of CPU "no-execute" memory protection. Apple's current support for the same chip features is bypassable.

        Win32 has first-class support for managed code (C# and the CLR), which sandboxes programs and provides a fine-grained privilege model within individual programs. Apple just deprecated Java; their high-level development platform has no runtime security.

        The Win32 address space is randomized, so that exploits with hardcoded addresses (read: virtually all exploits) have a negligible chance of succeeding. Despite the fact that this is technology pioneered by BSD, MacOS X does not have address space randomization.

        None of these technologies require end-users to purchase anything. They're built into the operating system and the runtime libraries. Most of them are enabled by default. They address the same code flaws that MacOS X faces; why doesn't Apple have them?

        The truth of the matter is, Vista has created an OS environment that is very secure and quite possibly more so than any other OS available today. If you have evidence otherwise, feel free to present it.
        xuniL_z
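The ASLR and no-execute mitigations argued over in the comment above are opt-in bits recorded in each executable's header, so a defender auditing a system checks the binaries rather than trusting the OS default. The following is an added example, not code from the comment, from Microsoft or from Apple: it reads the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits from a PE image's DllCharacteristics field and the MH_PIE flag from a 64-bit Mach-O header, exercised on constructed sample headers rather than real binaries.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP / no-execute compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image uses no structured exception handlers
MH_MAGIC_64 = 0xFEEDFACF                        # little-endian 64-bit Mach-O
MH_PIE = 0x200000                               # position-independent executable (ASLR)


def pe_mitigations(data):
    """Read the ASLR / NX / SEH opt-in bits from a PE image's DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                              # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional headers.
    dllchar = struct.unpack_from("<H", data, opt_off + 70)[0]
    return {
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def macho_pie(data):
    """Return True if a 64-bit Mach-O header carries MH_PIE."""
    if struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    flags = struct.unpack_from("<I", data, 24)[0]          # mach_header_64.flags
    return bool(flags & MH_PIE)


def build_pe_header(dllchar):
    """Constructed minimal PE32 header (sample input, not a real binary)."""
    hdr = bytearray(0x40 + 4 + 20 + 96)                    # DOS stub + PE headers
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)          # PE32 magic
    struct.pack_into("<H", hdr, 0x40 + 24 + 70, dllchar)
    return bytes(hdr)


def build_macho_header(flags):
    """Constructed mach_header_64 for x86_64 (sample input, not a real binary)."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, flags, 0)


if __name__ == "__main__":
    hardened = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    print("hardened PE:", pe_mitigations(build_pe_header(hardened)))
    print("legacy PE:  ", pe_mitigations(build_pe_header(0)))
    print("PIE Mach-O: ", macho_pie(build_macho_header(MH_PIE)))
```

Pointing either parser at a real file on disk (read in binary mode) shows whether that particular executable opted into the mitigations, which is the per-binary check that an OS-level feature list does not answer.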
      • nonzealot is the most active anti-mac poster on these forums...

        based on the sheer amount of hours that number of anti-mac posts must take, I'd venture to guess that he will be the last forum user to actually weary of these types of posts. In fact I'd venture that he must be enjoying or getting something from spending that level of time on the subject. At the very least he feels strongly about the subject, as even noted by the choice of usernames.
        jjarman
        • who, then, would you say is the most active....

          ABMer on these forums? You've got the majority of the posters on here to choose from, so let's see who you vote for, let's not stop at one product. Well?
          Also, if you read NZ's posts over time, they are often meant to bring a little levity to an otherwise overly geeked out, anti-MS setting.
          And I don't know that he "attacks" the Mac per se, but isn't he pointing out Apple's business policies, the user tendencies (blogged daily by many so it'd be hard to say it's tiresome, unless you are a Mac loyalist and are somehow "hurt" by his posts)?
          ok, now for the most prolific ABM poster please?
          xuniL_z
  • I have tended to avoid...

    taking Apple to task as I have no horse in that particular race. I see the technology world through the eyes of a developer, and I've never written a line of Apple-specific code in my life. When I look at a breakdown of my work, it tends to be along the following lines... 60% Windows specific development, 30% generic web development and 10% Unix/Linux specific. I started out my professional life as a Unix developer working primarily with the Informix line of products. I'm highly critical of Microsoft because I do so much Windows and SQL Server work. I'm highly critical of Oracle and Informix because I do so much database work on those platforms. Products I don't use normally don't even show up on my radar screen. That said, it's time to start broadening my horizons. Software companies are giving technology a very bad name. Failure to release secure products is no longer even an expectation. The marketplace has learned to not only accept failure, but relish in defending it. The real problem with this mentality is pretty simple...technology is supposed to help solve problems. That's its whole reason for existence. The airline industry is a perfect example of what happens when consumer confidence sinks to this level. Consumers start looking at the market as a nuisance, to be utilized only when absolutely necessary. The end result winds up being an industry completely reliant on government welfare to remain afloat. IT isn't quite there yet, but if the path we're on doesn't change significantly it is inevitable that's where we'll wind up. The attitude of "Hey, bugs are a part of life. Deal with it." has simply got to change.
    jasonp@...
    • Your code is 100% bug free?

      [i]The attitude of "Hey, bugs are a part of life. Deal with it." has simply got to change.[/i]

      No unintended side effects? You've never patched your code? Fixed it? It's worked 100% perfect since initial release? I'm very skeptical it is.

      The attitude isn't one of acceptance. It's one of acknowledging reality. Software, even yours, has bugs. We're not yet at a point where bug free code is a reality. Someday maybe...but not today.
      ye
      • Yes...

        In the 1980s as a still wet behind the ears developer I pushed out software with a bug in it. This was an internally developed medical billing application, and the bug managed to make it past 2 developers who were supposed to catch any mistakes I might make as a rookie. They didn't, and my mistake caused about 2 hours of downtime while we restored the database from backup. From that point on I made certain of 2 things that have prevented me from pushing another bug into a production environment. First, a testing framework is mandatory. Anything that doesn't pass 100% of the tests 100% of the time doesn't go out the door. Second, a testing environment is mandatory. This environment is customer specific and matches the customer's environment exactly. This eliminates any guesswork on my part. It is no longer the 1980s. Test driven design is an absolute must, not the ahead-of-its-time thing it was in the 80s. Now I'm a single developer running my own business. If I can exactly replicate the environment of some 200+ customers, software companies with thousands of developers should be able to keep pace. So let me recap...since I started using good development practices in the 1980s, yes my code has been 100% bug free. Had those good practices been in place when I suffered my first humiliation of releasing bad code to a production environment, it never would have happened. Maybe if younger developers felt that sense of humiliation for putting out bad code rather than being patted on the back and told "oh, it's ok...all software has bugs" we wouldn't be in the mess we're in now.
        jasonp@...
        • you're wrong...

          you're just simply wrong, or you write very small amounts of simple code....

          Just because you haven't found a bug, and your users haven't found a bug, doesn't mean it doesn't exist and could be taken advantage of if someone found it.
          doh123
          • Simple code...

            My last large-scale project wound up at around 290K lines of code. I have taken a single call since rolling out to production 6 months ago. The reason for the call was that none of the client applications I wrote seemed to be connecting to the backend web service I also wrote. Upon further review it was found that the IT department of the company had changed the IP address of a number of servers, including the one hosting my web service. Since magically figuring out a host IP address had been changed was never in scope for the client piece of this project, that one wasn't a bug.

            The vast majority of my work is in the ERP vertical market. This is what I know, and I have taken great pains to be as good as I can be, to know as much as I can know about it. My customers are very cognizant of this, that's why they don't hesitate dropping money in my pocket time and time again. Sure, some of the things I do are pretty trivial...reports, minor screen or data mods, things that wind up costing them a grand or two. My bigger customers don't even blink when I send out quotes for $100K. That's because they know my work. Nobody but me has control over the quality of my work, and I refuse to be humiliated again like I was in the 80s. I take my work very personally. If everyone took their work personally and simply refused to fail, we'd be at a much different place now in IT. Sure, people are going to fail. That's life. But failures should be few and far between, and they should never just be accepted. Ever.
            jasonp@...
          • Maybe use names?

            I'm not sure why changing an IP address would break your software. You should probably do that through DNS names to prevent that sort of thing. That is something I consider sloppy development, not a bug.

            Also, 290k lines of code isn't that much when you consider the scope of an Operating System and all the functions it has to serve. Does any of the code you write have to interact with code you've never seen? Do people install their own toolbars into your software? Ahhh, then you're comparing apples to whatever.

            I doubt any of your software is directly exposed to an attack anyway, but no software is bug free. None.
            LiquidLearner
          • A few answers...

            1. Why use IP addresses? Because that's what the client asked for. They are transmitting data across the public internet to an outward facing server. It was their choice.

            2. They could certainly install their own toolbar if they wished. The client piece is highly customizable. They can even create their own screens, insert their own business logic, etc.

            3. 290K lines of code may not seem like much compared to an OS, but OS writing companies have thousands of developers, I have me. I think that's a fair comparison.

            4. The concept that no software is bug free is a load of crap. It's been propagated by developers looking to excuse their failures. I'm sorry you bought that line my friend, but that's your problem, not mine.

            5. In case you missed it, part of that project was an outward facing web service in a billion dollar a year corporation. Do you really think it doesn't get hit by attackers? If so, that belief combined with your other belief that no software is free of bugs would make you a perfect candidate for a bridge I've been looking to sell. It's in a prime location and well under market value. Interested?
            jasonp@...
          • Also...

            don't assume difficult = impossible. It certainly isn't easy to write bug free code, but to go from that valid premise to saying it's impossible is just plain silly.
            jasonp@...
          • No, it isn't

            A program with 290k lines of code is not bug free. The bugs may be minor, may go unnoticed for years, but they are there. There are probably a fair number of nasty bugs too.

            I would also bet there are more than a few security issues, it's just the code's never been subjected to hundreds of criminals looking for a way to steal a buck.

            After all, hackers are endlessly finding bugs no one ever suspected could even be bugs.

            How many paths are possible through 290k lines? Tens of millions? And you tested every single case?

            Not possible. Thus, you can't guarantee the code is bug free. If you believe it is, you're simply deluding yourself.

            Having said that I've no doubt you take every precaution to eliminate bugs, and that you've been very successful.

            But there's a world of difference between "almost all" and "all".
            wolf_z
          • Testing your assertion...

            It would appear that you and a number of other people in this forum are contending that it is literally impossible to write bug free code. Given that assertion, how about we put your theory to the ultimate test. Here's a classic application taught to every beginning C++ student. Please be kind and point out the bug.

            #include <iostream>

            int main()
            {
                std::cout << "Hello World!" << std::endl;
                return 0;
            }
            jasonp@...
          • re: Testing your assertion...

            Easy, it fails in its basic design goal. Horribly.
            rtk
        • You either write very simple programs or...

          ...you're very delusional. I suspect the latter since you said your code was ~290K in size. There's bugs in it. Maybe not a lot but they're there.

          Also ~290K is peanuts compared to a modern operating system.
          ye
          • As I pointed out in another post....

            companies that write modern operating systems employ thousands of developers. I employ me. I honestly can't even believe I'm sitting here debating quality of code with someone who uses the phrase "There's bugs" in a public forum. I guess if you can't master the English language, how can you master writing complex applications. Had you indicated "There are bugs" I might put a little more stock in your words.
            jasonp@...