Apple Mac users being targeted in new Malware Attack.

[GJH]

we were usually either after the guys up to no good or they were after us

There was a difference?

 

[DuxDeluxe]

There was a difference?

Well, my company's whole purpose was certification of goods etc. So we catch the cheats. The cheats also try to forge our certification to negotiate millions of US$ in letters of credit. The biggest problem was corrupt governments who didn't like their little lucrative games being exposed. Internal security were rather intimidating people even when I reported something to them..... Caught a good few, though.

 

[GJH]

Well, my company's whole purpose was certification of goods etc. So we catch the cheats. The cheats also try to forge our certification to negotiate millions of US$ in letters of credit. The biggest problem was corrupt governments who didn't like their little lucrative games being exposed. Internal security were rather intimidating people even when I reported something to them..... Caught a good few, though.

Different scale in money terms but similar in essence to some of what I did in IT security work Great when you catch the ones who think they are oh so clever ain't it?

 

[Gromett]

Nothing will download unless you expressly tell it to and even then it won't auto install.

I just posted a link to a recent patch that apple applied that allowed malware to install without any notification to the owner of the Mac. These bugs do happen. Just because you don't see a download/install doesn't mean one didn't happen.

I don't see the point of VPN software at all unless you're up to no good

I use a VPN using a cert for authentication. This then means that any other server I log onto can have their SSH port blocked at the firewall for everyone except my one static VPN IP.

Lots of companies block access to their internal network unless you connect via a VPN.

Journalists and bloggers will use a VPN to post anonymously to avoid censorship or retribution.

Some companies use a VPN using Certs on keys because they don't trust their employees to keep secure passwords.

I could go on and on an on for the uses for VPN's

 

[Gromett]

Nothing will download unless you expressly tell it to and even then it won't auto install.

Just in case you are interested, I read a report back then about it. Luckily I had it bookmarked so was able to find it again for you.

https://www.f-secure.com/weblog/archives/Aquilino-VB2012.pdf

Makes for interesting reading.

^{_{Subscribers  do not see these advertisements}}

 

[Deleted member 29692]

Just in case you are interested, I read a report back then about it. Luckily I had it bookmarked so was able to find it again for you.

https://www.f-secure.com/weblog/archives/Aquilino-VB2012.pdf

Makes for interesting reading.

I haven't had time to read it properly now but I will later. It does look interesting

I've had a quick scan though and it does appear that that one requires the user to download an update from somewhere other than Adobe. If you work on the principle that genuine OS X Flash player updates are only available from Adobe and are not available from any third party site so anything you are encouraged to download from such a site isn't likely to be genuine then you should remain pretty safe.

 

[Gromett]

I haven't had time to read it properly now but I will later. It does look interesting

I've had a quick scan though and it does appear that that one requires the user to download an update from somewhere other than Adobe.

Keep reading

The next month, however [5], Flashback started to exploit an (at
the time) unpatched vulnerability in Java: CVE-2012-0507.
Oracle , Java’s developer, had already patched this vulnerability
in the previous month but Apple had not yet released the patch
for the Java distribution of OS X . This left OS X users with Java
installed on their systems vulnerable to infection if they simply
happened to visit the wrong site at the wrong time.

Just last Oct they had to patch an EFI issue..
https://support.apple.com/kb/DL1848?locale=en_US

This firmware update improves security of Mac systems by addressing an issue where EFI could potentially be overwritten without authorization.

 

[mariner]

I don't have, and have never had, any kind of AV or other security software on any of my Macs

Firstly you can download any software you like but OS X will not allow you to open the .dmg file unless it meets your security requirements!

Secondly I agree you should never start any down loads unless you are 100% sure of it's origin.

Finally I believe that all OS X users should have, something in place to prevent them from infecting others computers by passing on or forwarding an infected email, link, file etc.

It is rather selfish to say that it wont infect my Mac and I don't care if I send it on, infecting my friends PC!

 

[Deleted member 29692]

It is rather selfish to say that it wont infect my Mac and I don't care if I send it on, infecting my friends PC!

I tend to agree but I don't forward email or attachments unless I know exactly what they are so doesn't really affect me.

 

[mariner]

I am guessing he is probably correct that on a properly configured Mac that DMG files shouldn't be installed without warnings. However I am also guessing that this warning wouldn't be necessary if this was foolproof. People are obviously falling for this and getting infected which tells me that the protection isn't foolproof so I am passing this on.

Thanks for you support @buttons

Karl, I do appreciate your efforts to warn of imminent or current attacks on OS X.
I am trying to point out to users and especially those new to OS X the importance of not interfering with the built in safety, that OS X offers, but also to be aware that many providers of protective software, do try to frighten users, into downloading and paying for their own software, which often has to be un-installed because of conflicts!
OS X will not open .dmg files unless they comply with current security settings, to the point where you would have to jump through hoops to open them. If you do jump through the hoops and open them you have only yourself to blame!
There are plenty of Mac friendly websites that will offer sound advice on protection software that is suitable for OS X, often free.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

OS X will not open .dmg files unless they comply with current security settings

I have also pointed out that this is not always the case. You may be instilling a false sense of security in the more naive Mac owners.

Defence against these attacks can't rely on simply trusting Apple. I have made my points and if you have missed them I give up

 

[mariner]

Gatekeeper makes
downloading apps safer.

Gatekeeper makes it safer to download apps by protecting you from inadvertently installing malicious software on your Mac. The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store, and if there’s ever a problem with an app, Apple can quickly remove it from the store. When you download software from any other place on the Internet, Gatekeeper makes that safer, too. Developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and to verify that apps haven’t been tampered with. If an app was developed by an unknown developer — one with no Developer ID — Gatekeeper can keep your Mac safe by blocking the app from being installed.

Gatekeeper gives you more control over what you install.

Gatekeeper gives you three security options. You can download and install apps from anywhere on the web. Or you can choose the safest option and download and install apps only from the Mac App Store. Or use the default option, which allows you to download apps from the Mac App Store as well as those signed with a Developer ID. If an app is unsigned, Gatekeeper blocks the app from being installed and warns you that it did not come from an identified developer. If you’re sure the app is safe, you can manually override Gatekeeper by Control-clicking the app and choosing to open it.

I disagree, unauthorised software cannot install itself!

If a user overrides Gatekeeper then that is up to them!

 

[Yorick]

More and more Mac users are becoming smug and fell they are 100% safe.

The hackers are seeing this and know that the users have no extra defences. Guess where they will attack?

AV companies don't write Mac protection for fun.

Be blasé at your own peril.

 

[mariner]

Be blasé at your own peril.

Just not falling for the numerous hypes, for products that are not suitable!

 

[Gromett]

I disagree, unauthorised software cannot install itself!

Disagree all you want. No software is 100% bug free. 1 bug = full access. Common sense and has been proven time after time after time.

Here you go to save you from having to check for yourself.

Sept Last year.
http://arstechnica.co.uk/security/2...-completely-bypasses-macs-malware-gatekeeper/

Now, a security researcher has found a drop-dead simple technique that completely bypasses Gatekeeper, even when the protection is set to its strictest setting

ok. That was patched (or was it?)
This year, January..
http://arstechnica.co.uk/security/2...bypass-macs-gatekeeper-without-really-trying/

"It literally took me five minutes to fully bypass it," Wardle, who is director of research of security firm Synack, told Ars, referring to the updated Gatekeeper. "So yes, it means that the immediate issue is mitigated and cannot be abused anymore. However the core issue is not fixed so if anybody finds another app that can be abused we are back to square one (full gatekeeper bypass).

And this guy is telling Apple. The hackers and blackhats don't tell apple. These exploits get sold on the underground and if you know where to look you can get them for as little as $50.

Sorry Mariner, but I deal with security on almost a daily basis and have done for 20 years now. If there is one thing I know for sure is that there is no such thing as perfect protection and every single solution bar none has multiple exploitable holes in it.

^{_{Subscribers  do not see these advertisements}}

 

[Yorick]

Disagree all you want. No software is 100% bug free. 1 bug = full access. Common sense and has been proven time after time after time.

Here you go to save you from having to check for yourself.

Sept Last year.
http://arstechnica.co.uk/security/2...-completely-bypasses-macs-malware-gatekeeper/


ok. That was patched (or was it?)
This year, January..
http://arstechnica.co.uk/security/2...bypass-macs-gatekeeper-without-really-trying/



And this guy is telling Apple. The hackers and blackhats don't tell apple. These exploits get sold on the underground and if you know where to look you can get them for as little as $50.

Sorry Mariner, but I deal with security on almost a daily basis and have done for 20 years now. If there is one thing I know for sure is that there is no such thing as perfect protection and every single solution bar none has multiple exploitable holes in it.

I politely told him this, but seems to think he's foolproof.

 

[mariner]

If you care to read my post #5 you will see that I have protection installed which, as I also said, picked up this Malware, before it even got to Gatekeeper.
My beef, is with these companies, and their more often than not, not totally true, scare stories, to try and separate, Mac users from their money.
If any Mac users want additional protection there are some very good free ones out there!
Should they want a paid for one, by a provider that doesn't need to go around trying to scare the pants off everyone, there are those too!

 

[Gromett]

If you care to read my post #5 you will see that I have protection installed which, as I also said, picked up this Malware, before it even got to Gatekeeper.
My beef, is with these companies, and their more often than not, not totally true, scare stories, to try and separate, Mac users from their money.
If any Mac users want additional protection there are some very good free ones out there!
Should they want a paid for one, by a provider that doesn't need to go around trying to scare the pants off everyone, there are those too!

It was you that kept bringing the anti malware software into this thread. I have not mentioned it once I recommended an approach to defend against this attack that didn't require you to pay anyone any money.

A couple of points on that subject.... The AV vendors may make their announcements "sexier" to get them into the press. However the things being reported are true and in the case of the sources I follow are second sourced and verified. I absolutely hate software like McCafee and Nortons as they are bloated monstrosities that weigh a system down beyond belief. There are many ways to protect your computer. My original post pointed to a method to avoid this particular problem...

Installing a reputable anti malware package however "can" protect you even if it doesn't know about the particular instance that is looking at your computer. These white hat security researchers are extremely good. They not only track existing malware out in the wild and analyse it they also search for and find new security holes in vendors software and report it to them so they can fix it before it is exploited. They earn money when they find valid attack vectors. The black hats however sell their exploits to the criminal element who then write the malware. The way a good quality AV package will protect you is that a lot of Malware has functionality built in to test if any of the AV packages are installed and will avoid infecting that computer. They do this to try to avoid the AV companies from finding out about them. They try to fly under the radar as long as possible.

Just today there is a new example of this.

http://arstechnica.co.uk/security/2...of-malicious-ads-spreading-crypto-ransomware/

According to a separate blog post from Trustwave's SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.

Please note It is not just Trustwave that is reporting on this attack.

One final point. You keep mentioning scare stories. This Mac targeted attack is not a scare story it is true and verified. Your confidence in Gatekeeper is not shared by the security community. We all think it is a good brick in the security wall. But it is not foolproof and it is not enough on it's own. Your comments on how good it is and your certainty that it is an absolute block can and probably will lull others into a false sense of security which is not good. It is in effect a very good quality padlock that provides a degree of protection on one entry point. It can however be sidestepped and in rare cases completely broken. Please stop saying it is a 100% protection when configured correctly. It isn't.

 

[mariner]

story it is true and verified. Your confidence in Gatekeeper is not shared by the security community. We all think it is a good brick in the security wall. But it is not foolproof and it is not enough on it's own. Your comments on how good it is and your certainty that it is an absolute block can and probably will lull others into a false sense of security which is not good.

I keep telling you, that I have AV/Malware protection other than Gatekeeper and I also pointed out in my post, to others, that they should also have AV protection, but not be taken in by these scare stories and buy the products being pushed.
Good advice can be had from the many Mac Forums and also from Apple support Forums.
I also would advise all Mac users to stay well away from Software like MacKeeper and MacCleaner also the AV App. providers you mentioned, who create huge problems for those who fall foul of their scare tactics.
Many of the malware/viruses that Mac users suffer from, are those brought in, by running Windows in Applications like Parallels and VMware, where they have given the Apps., far to many permissions!
Finally, I promise not to tell you how to keep your PC secure, if you don't tell me how to keep my Mac secure!

 

[Gromett]

Finally, I promise not to tell you how to keep your PC secure, if you don't tell me how to keep my Mac secure!

I am not telling you how to keep your Mac secure. I was warning people about a problem with mistyped URL's leading to a possible Mac infection. I gave one possible solution to this, I didn't even mention AV software. You brought up AV software, it was you who stated categorically that Macs were secure from this if Gatekeeper was configured correctly. I corrected you on this and this only.

I have not recommended any Mac AV software or even suggested to install it. Nor would I do so as I am not a Mac specialist or even own one. I am however a security specialist and earn quite a bit of my living protecting systems from hackers and being called in to fix systems that have already been attacked. Due to this I keep up to date with all the latest information on this subject cross platform. I deal with everything from application exploits all the way down to rootkit clean ups so I know my way around this stuff pretty well. I just posted a fix to an increasingly common exploit on my blog (here). I will only post a warning on here if I think something is worth knowing in general. If I was to post every exploit/bug/malware incident on this forum I would be posting about 5-10 per day everyday. Most people don't go to dodgy sites where malware lives, most people know not to open email attachments etc. So I don't warn about things like that. This one was of particular note because it used a common mistake that people make and targeted a specific system.

Finally. You couldn't tell me how to keep my PC secure because I don't have one. I run on Linux. Linux is perhaps one of the most secure OS's around at the moment but even I am not stupid enough to think that it is totally secure and I therefore take precautions on all my systems.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

@mariner Thought you might be interested in this one...?

http://arstechnica.co.uk/security/2...cks-malware-gang-steals-lots-of-certificates/

 

[Gromett]

One more for you @mariner and I promise this is the last one. I thought you might find this interesting.

2 different hackers at the pwn2own competition gained root access to Mac OS/X systems using browser based exploits. This was on the first day of the competition.

I love this competition which is held each year....

Both these hacks were performed via the browser so could be executed remotely if a user is directed to a site hosting the exploitable code. Totally sidesteps all protections and AV.... The only thing the hacker is allowed to do on the machine is point the web browser at a URL. Everything else has to be done hands off.

The hacks have to utilise a zero day exploit that has never been reported before and is unknown in the security community. I am seriously impressed with these guys and I am glad they don't work for the criminals or governments.

The second position is occupied by Jung Hoon Lee, a.k.a. Lokihardt, who earned 10 points and $60,000 for hacking Apple’s Safari web browser with the aid of four new vulnerabilities, including a use-after-free flaw in Safari and a heap overflow that he leveraged for root escalation.

Tencent Security Team Shield follows close behind with 10 Master of Pwn points and $40,000, which they earned for successfully executing code in Safari with root privileges. The exploit involved use-after-free flaws in Safari and a privileged process.

Don't worry though, The Mac has the highest prize money because it is the hardest. There is no prize for hacking firefox on any platform because it is considered too easy .

However Linux doesn't even get an offer. not sure if that is because it is too secure or what?

Lokihardt splatted Chrome last year in two minutes ... and went onto do two other systems as well earning himself $110,000.
Broken Link Removed