Mac Security: Malware #9: iAdware spyware

Discussion in 'Apple' started by Derek Currie, Nov 29, 2006.

  1. Derek Currie

    Derek Currie Guest

    [Preface: Why is this malware #9? I am learning diplomacy. I think we
    are only up to #8. But some sources say this is #9, so I am going to do
    the 'go with the flow thing' and let them have their way. It's no big
    deal].


    This is turning out to be a busy week in Macintosh security. Let me get
    to the point right away:


    Introduction:

    There is still NOTHING for Mac users to get worried about. Everything
    going on right now is GOOD. There are a slew of Mac OS X vulnerabilities
    being discovered, and gradually they are being patched. Check out the
    post following this one regarding yesterday's release of Apple's latest
    security update.

    You may think it is terrible to discover that Macintosh machines can be
    vulnerable to malware, but the fact is that this is no big surprise at
    all to those who understand the current messy state of computer
    programming. What is GOOD is that none of the Macintosh malware is
    malicious. Every single piece of malware so far written for Mac OS X has
    been a DEMO, what is called a 'Proof Of Concept'. None of it is viable
    in the wild. None of it is loose in the wild. So mellow out. You're not
    using Windows.

    That being said, I consider it more imperative than ever to get prepared:

    1) Download and install 'Paranoid Android' by Unsanity. It's free.
    2) Download and install 'ClamAV', which is free; or download 'Tiger
    Cache Cleaner' which includes ClamAV, cost $9. KEEP THEM UP TO DATE with
    the latest malware definitions.
    3) Download and install 'Little Snitch', cost $25.


    I) iAdware - SPYWARE for Mac OS X:

    Unlike what the security news is saying, this is NOT NOT NOT the first
    spyware for Mac OS X. I have written about this previously. Just go to
    VersionTracker and search for 'spyware' and you will be able to download
    at least a couple legal forms of spyware, typically used to monitor
    employees' or children's activities on computers.

    The difference with iAdware is that it has apparently been created to
    show how secret and unwanted spyware can be snuck onto and run on Mac OS
    X for malicious intent. I will go into the details below. First let me
    quote from the SANS announcement of this spyware:
    <http://www.eweek.com/print_article2/0,1217,a=194912,00.asp>
    <http://www.theregister.co.uk/2006/11/24/mac_os_x_adware/print.html>

    The original report of this spyware can be found at:
    <http://www.f-secure.com/weblog/archives/archive-112006.html#00001030>

    Here is my quick summary of the information currently available:

    A) There is a method whereby this spyware program can be installed onto
    a machine as a system library without asking the computer user for
    administrative permission. How this is possible is unclear. Being able
    to get anything into the system library without permission is extremely
    dangerous. It sounds like Apple needs to fix this.

    B) The spyware can be activated each time an application is run. What
    happens next in this case is that the spyware will then start up Safari
    and bring up website windows from URLs of its choice. Theoretically this
    could lead to pummeling the user with advertising crap. But read on for
    more possibilities.

    C) This particular spyware apparently does NOTHING ELSE. It is otherwise
    inert. But it has the potential to do what any other spyware program can
    do, if the code were added:

    1) Toss up pop-up windows of advertising (as noted above) or lure
    you to go to some dodgy website for phishing purposes, infect you with
    further malware, infect your browser with malicious cookies, etc.

    2) Watch exactly what you do on your computer and report back to
    home base. Sony pulled this nasty trick on purchasers of their CDs. They
    presumably used it for marketing purposes. They could find out what
    music you played, what online music stores you visited, what kind of
    porn you like...

    D) There is zero indication that someone without direct access to your
    computer could infect you. This malware is NOT viable in the wild. It
    has to be manually planted on machines by a human being. Theoretically
    this access could be over the Internet, over your LAN, or via someone
    sitting at your workstation. But they apparently must be able to log in
    to the machine first. The problem is that once they have machine access
    they can (by some as yet undisclosed means) bypass administrator
    permissions to install the spyware. Once installed the spyware works
    with ALL accounts on that machine.


    II) Prevention

    What will stop this malware?

    A) Use an 'anti-virus' or 'anti-spyware' program that can use a
    definition file to recognize, disable and remove it. ClamAV will at
    least detect malware for you. Be sure you keep it up to date with the
    latest definitions. There actually is one anti-spyware program for
    Macintosh, but I have never read a good review of it. Ignore it for now.
    Search for it at VersionTracker if you can't control your curiosity.

    B) Install and use Paranoid Android by Unsanity. It stops any
    application from starting another, dead in its tracks, and asks you for
    permission. How it works in this particular case has yet to be proven.
    We are talking about spyware that installs as a system library. But
    theoretically the system's call to open an application would also be
    caught by Paranoid Android and stopped. We shall see.


    III) Happy Smiley Wise Advice From Skoudis Of SANS:

    One of the SANS folks tacked this note at the end of the report of this
    spyware. What can I say? He's right! No FUD in sight. Take heed.

    :-Derek

    --
    Fortune Magazine, 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    <http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975]
     
    Derek Currie, Nov 29, 2006
    #1
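The risk Derek's post A) describes is a library landing in a system library directory without an administrator password. An added example, not code from the original post or from any tool named in it: a POSIX shell audit that reports entries under a library directory that are world-writable or not owned by the expected user (root on a stock Mac OS X install), which are exactly the places where such a drop would be possible. The directory list at the bottom is an assumption for illustration.

```shell
# Added example: audit library directories for entries a non-administrator
# could write to. Not from the original post.

writable_by_others() {
    # Print every entry under $1 whose "other" write bit is set.
    find "$1" -perm -o+w -print 2>/dev/null | sort
}

not_owned_by() {
    # Print every entry under $1 whose owner is not the user named in $2.
    find "$1" ! -user "$2" -print 2>/dev/null | sort
}

count_lines() {
    # wc -l without the leading spaces some implementations emit.
    wc -l | tr -d ' '
}

audit_library_dir() {
    # $1: directory to audit, $2: expected owner.
    # Returns 0 when nothing suspicious is found, 1 otherwise.
    dir="$1"; owner="$2"
    [ -d "$dir" ] || { echo "skip: $dir does not exist"; return 0; }
    w=$(writable_by_others "$dir" | count_lines)
    o=$(not_owned_by "$dir" "$owner" | count_lines)
    echo "$dir: $w world-writable, $o not owned by $owner"
    if [ "$w" -gt 0 ]; then writable_by_others "$dir" | sed 's/^/  o+w: /'; fi
    if [ "$o" -gt 0 ]; then not_owned_by "$dir" "$owner" | sed 's/^/  owner: /'; fi
    [ "$w" -eq 0 ] && [ "$o" -eq 0 ]
}

# Assumed stock Mac OS X library locations; on a clean install every entry
# here is owned by root. Any finding is a place to investigate.
status=0
for d in /Library /System/Library; do
    audit_library_dir "$d" root || status=1
done
```

A non-zero `status` after the loop means at least one entry could be replaced or added without an administrator password, which is the condition the post warns about.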

  2. Derek Currie

    Derek Currie Guest

    Derek has a re-think:

    Rereading what little information there is on this spyware has convinced
    me that this thing is even more harmless than I first thought. Here is
    why:

    My understanding at this point is that whoever plants this spyware onto
    a Macintosh MUST HAVE ADMINISTRATIVE PRIVILEGES.

    In other words, there is no 'undisclosed means' for bypassing
    administrative permissions involved. Indications in the reports to the
    contrary are merely failures in semantics.

    Which brings up this question: Why would a Macintosh administrator want
    to infect a machine under their control with malicious spyware, such as
    this could be? I can't think of a single reason!

    So is this spyware completely pointless?

    Yes, it well might be!

    In the meantime, however, it is entirely possible and useful for a Mac
    administrator to plant keylogger spyware on a machine. (You can get it
    at VersionTracker). As I previously mentioned, there may be a good
    reason to watch what employees or children are doing with their
    computers. This is called 'good' spyware.

    Of course there is always the danger of some scumbag discovering an
    administrator ID and password. And couldn't they then do whatever they
    liked with machines under their control anyway? This points out the
    importance of having complicated, non-obvious passwords. Avoid writing
    them down, and never keep them anywhere obvious, like in your work
    space, bag, etc. It is also important to CHANGE THEM regularly.

    Conclusion: Tempest in a teapot here, methinks. But better safe than
    sorry.

     
    Derek Currie, Nov 29, 2006
    #2

  3. The programming we do at my school essentially shows that "POC" (proof of
    concepts) are hollow shells with no functionality whatsoever.

    POC are the inception phase of a project, before even 10% of the work is
    done.
     
    Peter Bjørn Perlsø, Nov 29, 2006
    #3
  4. PS:

    Derek, do get a blog or some other form of webpage and publish your
    updates on.

    csma is too small an audience to justify your work.
     
    Peter Bjørn Perlsø, Nov 29, 2006
    #4
  5. Maverick

    Maverick Guest

    Whoever it was, thought wrong.
    Where is the spyware on Macs?
     
    Maverick, Nov 29, 2006
    #5
  6. Derek Currie

    Derek Currie Guest

    I have had this suggested to me before. I've access to a server and URL
    where I could put it. But I want this stuff to be useful to the most people.
    Tossing up some obscure web page is a waste of my time. These two
    newsgroups are great places to post the topic.

    CMSA is a great place to show that we Mac users know FUD from fact, and
    we have brains enough to understand and take computer security
    seriously. It also allows reinforcement of the fact that Mac OS X has
    the best security record of any GUI OS available. It's good advocacy,
    and I think CMSA should actually have some advocacy once in a while. ;-)

    CSMS is THE newsgroup to help people with Mac problems. I can't think of
    a more useful or general place to share Mac security information.

    If you know of other relevant public places to post that have a large
    audience, please tell me.

    :-Derek

     
    Derek Currie, Nov 30, 2006
    #6
  7. Derek Currie

    Derek Currie Guest

    > Search through this forum the last couple of
    > months, I thought this point had been discussed
    > and disproven. (i.e. that it was possible).

    Um, I think I understand your point. I have seen no discussion of
    permissions escalation in the CMSA forum. However, there have been Mac
    OS X vulnerability discussions out in the professional world that have
    discussed this as being possible, typically by the usual buffer overflow
    due to opening malformed files of some type. So, theoretically it could
    happen.

    Thankfully, every time I have read about such vulnerabilities it has
    either been as part of the description of an Apple Security Update, or
    Apple have tossed out a patch in the next Security Update. I don't know
    of any such vulnerabilities that are pending for repair. But
    theoretically another such vulnerability could be found.

    No way is Mac OS X perfect. It's just the best we've got.

    :-D

     
    Derek Currie, Nov 30, 2006
    #7
  8. Nashton

    Nashton Guest


    The Mac is secure because it's obscure. At the end of the day, that's
    what matters, as long as it remains within the 3-4 % global market
    share, we're safe.

    As for XP, it's been discussed ad nauseam that avoiding IE, running an
    anti-spyware program in conjunction with an AV (many of them free now),
    is what is needed to keep a computer clean.
    One of the greatest sources of malicious programs is warez sites and
    P2P networks. Avoid those or run an AV with every file downloaded and
    you'll be safe. The rest is semantics and academic.

    Remember: Obscurity=Security. And Jobs has done a great job in keeping
    the Mac obscure.
     
    Nashton, Nov 30, 2006
    #8
  9. Why not request to make it a regular column in one of the netzines, such
    as MacNN or IGM?
     
    Peter Bjørn Perlsø, Nov 30, 2006
    #9
  10. This is the Microsoft Astroturf Meme Spreading Bounty Program
    Administrator. We are sorry, but we must deny a bounty for this
    attempt to spread the "Mac is safer because it is unpopular" meme.
    The reasons for disqualifications are

    1) Obvious troll

    and

    2) Suggestion to avoid Microsoft product (namely Internet Explorer)
     
    Matthew Russotto, Nov 30, 2006
    #10
  11. Nashton

    Nashton Guest

    Oh, I'm really hurt. You're a mean, mean man.
    Are you saying that the Mac is safe from social engineering schemes?

    Sorry - I, for one, am
    Then don't. See if I care.
     
    Nashton, Dec 1, 2006
    #11
  12. Yes; macsurfer.com is a good place to start.

    Also, get a blog on wordpress.com, instead of blogger. It is much more
    flexible and extensible.
     
    Peter Bjørn Perlsø, Dec 2, 2006
    #12
