Bot attacks Linux and Mac but can't lock down its booty From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines. Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan. …
Consider how many Windows versus Macs there are out there. This was always likely to be the case.
The massive XP figures shouldn't be a surprise either.
It's a ten year old OS that didn't have great security to begin with. Combine this with a massive footprint of home and small businesses who buy a PC and allow their free 3 months Mcaffee etc expire and think they're safe.
Worryingly, a similar lax attitude to AV is very common amongst Mac users too. As virii on Mac get more common, many of the mac community really need to grow a little healthy cynicism.
Techincally yes, but if you compare OSX ( 16%) to Windows, as a whole, the ratio changes some what.
If you'll pardon the expression, let's compare Apples to Apples, eh?
After all the bluster about cross-platform infection, where's Linux in this little chart?
"After all the bluster about cross-platform infection, where's Linux in this little chart?"
From the article...
They didn't show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren't able to survive a reboot.
"All the Linux fanbois I know continually bang on about never needing to reboot their Linux boxes, to the extent that most of them go out of their way to avoid doing so out of sheer bloody-mindedness."
We use Linux on the majority of our machines here, but we still turn them off when we go home at night. We're not thick - electricity costs money, and business like money.
"I'd say that makes the Linux infections a little more relevant."
And yet again you miss the point that they were unable to find any. Maybe Linux users were savvy enough not to get infected, maybe a reboot got rid of it, but either way there were no infections to display, so they can't display them.
> Linux users don't get bit because we're not stupid
> enough to believe a "You must install this codec"
> message given to us by the web browser
Or perhaps we're all just terribly paranoid and prone to run things like no-script that may bypass stuff like this entirely.
I didn't say "recorded" infections, although perhaps I should have said "potential infections" to help your brain process the possibility of future events. See, it's called irony. Irony is when, for example, a trojan has a major weakness such as not being able to survive a reboot, yet the impact of that poential weakness is reduced due to certain penguin-heads' propensity for continually demonstrating that their Linux boxes almost never need rebooting. Irony, the point you clearly missed in my post.
Sheesh.
One must remember, these figures are from Symantec, and thus, it means that this distribution is based on THEIR software DETECTING the infection on the computer. So, only people who have Symantec installed (and have their phone-home-stats bit being allowed...) are in the mashup. Now, considering the number of OSX users running Symantec AV, having 16% of infections is a VERY concerning thing. If the virus survived a Linux reboot, I'd express the same concerns with their (non-)figures. Not that they'd stray from their ClamAV or the like anyway...
It is striking that only 7% of Vista/Win7 machines were infected though. I guess the numpties haven't bothered buying a new computer in a while. How many unwashed mass members do you know that would be bothered to buy Win7 and install it on their current computer anyway?
/paris, because even for the elites, protection is needed
Enterprise edition? I'm guessing bent copies rather than actual corporate installations though.
64-bit? Also quite likely.
I think we can probably come up with enough others in the mystifying firmament of MS OS versions to account for the size of this group without have to resort to embedded. The missing bit of information is how they are identifying the version.
Ok, I'll rephrase that: The bank I work for, who has one of the largest ATM networks in Europe, no longer use NT4 or W2K, instead they use XP pro and starting to move onto Vista.
I'm not aware that any bank runs key, customer facing, systems on NT4 - MS won't even let you pay for support any more.
Actually, if something is running within a user process, it would be pretty easy to put something in the .bashrc script. (And when's the last time you checked that?)
Admittedly, this means it only starts when user logs in, but as this obviously only affects desktop machines. (You have to browse and run a JAR file), its pretty much the equivelent.
It wont affect server machines, unless you let your users browse on them, but it wont affect Windows server machines for the same reason either.
There are many more places than just the .bashrc (assuming you're using bash, of course, I prefer the AT&T software toolbox ksh myself). Both KDE and Gnome (and most other X11 Window mangers as well) have user startup directories and rc files to allow attacks on systems accessed with a GUI, and you would, of course, have the normal PATH and LD_LIBRARY_PATH attack vectors that could be used to subvert commands that people use all the time, and there are many more.
Linux is not immune from attack, it's just that an attack needs to do more things to really pwn it . For instance, if a user has iptables configured to control inbound and outbound traffic on a Linux system (assuming that the user does not run everything as root), you would have to engage in tricking the user to sudo a command, or otherwise obtain escalated privileges to alter the configuration or turn it off, unlike most windows systems.
There is no such thing as a totally secure OS, it's just more difficult to mess with Linux.
The OSX statistics in the article are a surprise, however.
>and I think that everybody would be surprised
>if Jnanabot was able to permanently install itself
>on a Linux machine via an ordinary user account.
You're assuming said user doesn't log on again after a reboot - nothing would stop malware from adding itself to the user account. It's what all the cool kids are doing to avoid UAC on Windows now anyway.
Of course it could get permanent residence on a Linux box, you don't have to be root to install software to your home directory, for example. Granted though, it would be practically impossible to hide it, except in plain sight.
I think the real reason that it doesn't survive a restart is that the writers really don't care about infecting Linux as a desktop platform, given the (lack of) market share.
"That's more Mac OSX Infections that Windows 7 infections"
No, not really - OS X 10.4 was out at the same time as XP and 10.5 was out just before Vista. If you ratio them out they correspond roughly to their user bases. The user ratio of the current version of OS X (10.6) to previous versions is roughly 2:1 - So it would seem that the main lesson we learn is "Old versions of both OSs are more vulnerable that newer ones".
As an aside, when I teach people to use OS X, I recommend that they turn Java off in Safari - They almost never seem to need it...
Sorry, I did not make myself clear to you. I wrote that OX 10.4 was out at the same time as XP - I did not say when they came out, or which came out first. The timeline is:
Mac OS X Server 1.0 in Jan 1999; 10.0 Desktop (not really usable) Mar 2001; OS X 10.1 (free upgrade from 10) Sept 2001; 10.2 (paid upgrade) Aug 2002; 10.3 (paid upgrade) Oct 2003; and, as you say, 10.4 April 2005; 10.5 came out in October 2007 and 10.6 in Aug 2009.
Windows XP RTM - August 24, 2001; XP Retail: October 25, 2001( I was a Microsoft DAAP and Developer, so I got mine early); XP SP1 (free upgrade) Sept 2002; XP SP2 (free upgrade) Aug 2004.
Windows 2000 Retail: 17 February 2000 (Again I got mine early - We were shipping products that ran on NT 3.51 & NT 4.0).
So we are talking about a few weeks difference between when a punter could buy usable versions of XP and OS X. Vista RTM November 8, 2006; Retail: January 30, 2007
> XP was MS's RESPONSE to OS X
Nonsense. Finally ditching the rotten undercarriage of MS-DOS made moving to an NT kernel for the "consumer" version of Windows PAINFULLY OBVIOUS. Serious power users had already ditched DOS based Windows for NT of some sort by that time already.
NT was lingering around since before the transition from 16-bit Windows.
...if we can cast aside 'mine's tougher than yours' and any other technical squabbling for a moment here, let's look at the real cause of infection.
People.
Attention starved, 'think later', bang-on-the-nose DESPERATE herds that will everytime, without fail, 100% guaranteed, in spite of all warning click on / install / allow anything if they think someone is giving them said attention.
I'm sure we can all think of a least a few folk that we could make do ANYTHING online at the vaguest whiff of 'someone fancying them' etc. They simply cannot control their base urges and this cack will continue to happen, irrespective of technical origin / platform impact ad infinitum. It's comically easy to engineer people, it takes almost no savvy at all. People can and will adandon all common sense at the behest of their ego.
Paris, because she never hides her directories.
.. they call privacy old fashioned. But once their checking account is cleaned out because they can't resist using their debit card ("it's so easy and convenient") they sing a different tune. And also ask for help. Pathetic. I have no sympathy for them and just give them my assembled list of sites to visit to learn about security and privacy. Doesn't take; they get cleaned out again and change banks because the bank let it happen. Typical, blame others and always expect someone else to watch out for you. Suits me, flaming crashes get to be quite interesting a spontaneous human combustion of the tantrum variety get to be funny rather quickly.
I think @wow is referring more to the absolute percentages, 16% is more then 9%.
What strikes me more is that given market share I would expect OSX to be infected something like 5-10% instead of 16%. Maybe that's to do with the fact that it is Java based, which is one of the plugins, pieces of software that I try to void most on a Windows machine.
Possibly. I don't think we can project too much from the original stats other than we should suggest that home users consider updating to newer versions of their operating systems (or new machines for Windows XP Home users).
If we look at market share by OS type/version:
http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10
The numbers for Windows Vista and 7 show a 9% Infection rate for 33% distribution (good @ ~1/3 of expected infection) XP has 75% infection for 57% distribution (~1.3 times infection rate).
"OS X Other" (Presumably OS 10.6 plus all previous versions of OS X other than 10.58 and 10.11.4) has 3% for Infection for 3% distribution (corresponding infection?). OS 10.5.6 has 9% Infection for 1.5% distribution rate (6 times infection rate) - OS 10.4.11 has 4% infection for 0.4% distribution rate (10 times infection rate).
What I do find surprising is the numer of XP Professional infections. Generally, we could think that XP Professional is managed by "professionals" whilst the perception is that OS X is often managed by "users". If the Windows XP "professionals" were doing their job properly, the rate of infection should be lower.
If we believe Symantec (and I personally haven't used any of their products for the last 6 years), the original Windows versions of the Trojan.Jnanabot infection had 0-49 infections on October 26, 2010. The article says that the number of infections is now "in the thousands" (maybe 10,000?) so we are looking at maybe a few hundred Windows 7/Vista infections with a few more hundred OS X infections of which the substantial majority are on old systems.
I help run (as a volunteer) classes for retirees. We use Windows XP, Vista & 7, OS X and Linux. We get pupils to set up separate 'admin' accounts and 'user' accounts for their systems. The advice that we give is "Only use the 'user' account for normal tasks - If you get a message asking you to install something, be suspicious."
I note that the MacBook Air no longer ships with Java and that it now can be downloaded from Oracle - I, like you, try to avoid Java on client machines.
So in conclusion: Unless we know the breakdown of "OS X Other", I might suspect that Symantec are trying to whip up interest in their Apple producs to a growing Apple "Home User" market as their Windows Home market share is threatened by the free Microsoft Securty Essentials product.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
