Malware hidden in vid app is so nasty, victims should wipe their Macs

It's going to be an unpleasant weekend for some Mac users who are facing a complete system wipe and reinstall – after hackers stashed malware in legitimate applications. Eltima Software, which makes the popular Elmedia Player and download manager Folx, today confessed the latest versions of those two apps came with an …


              1. Lord Elpuss Silver badge

                Re: A complete wipe?

                @Doctor Syntax

                "That assumes the recovery partition hasn't been affected."

                On Macs from 2012 onward the recovery partition is Internet-based - downloads a live environment direct from Apple and doesn't touch the HDD/SSD at all during boot.

                1. Daniel B.

                  Re: A complete wipe?

                  Internet recovery is only used if the user explicitly chooses it, or when there is no recovery partition on the HDD/SSD.

                  1. Lord Elpuss Silver badge

                    Re: A complete wipe?

                    So explicitly choose it.

                    1. CrazyOldCatMan Silver badge

                      Re: A complete wipe?

                      "So explicitly choose it."

                      Doesn't always work - especially in heavily-proxied corporate environments.

                      1. Lord Elpuss Silver badge

                        Re: A complete wipe?

                        "Doesn't always work - especially in heavily-proxied corporate environments."

                        Well, I would guess that if you're in a heavily proxied corporate environment then you have an IT department who can presumably deal with the issue for you - in our case, that would typically mean they give the user a new laptop from stock and reflash/zero the old one at their leisure.

                2. CrazyOldCatMan Silver badge

                  Re: A complete wipe?

                  "On Macs from 2012 onward the recovery partition is Internet-based - downloads a live environment direct from Apple"

                  Not *entirely* true. You can build them that way - you can also build them the old-fashioned way.

                  Which we have to, being in a proxied environment where the proxy doesn't like Macs much.

            1. CrazyOldCatMan Silver badge

              Re: A complete wipe?

              probably easier to boot from the recovery partition, no?

              Well yes. Assuming that you trust that the malware hasn't infected that as well..

        1. Charles 9

          Re: A complete wipe?

          "The only way to get around that would be to have a firmware persistent malware at which point you'd have to wipe and reinstall the firmware for everything as well, probably over USB."

          Except if something like BadUSB hoses the USB controller, you can't trust it, either. Some malware is getting SO bad that it can permanently brick hardware.

          1. patrickstar

            Re: A complete wipe?

            That would, of course, be a firmware backdoor. Just USB controller firmware as opposed to the "main" BIOS/UEFI.

            And well, unless you find some OTP ROM to stick your backdoor into, it's technically not permanent. But in some cases reflashing is difficult enough that it might well be.

        2. Rob Moir

          Re: A complete wipe?

          I agree that you can't trust the OS itself afterwards, but with Linux at least it would be possible to...

          And the 'average person' type who might typically be running Windows or OSX isn't going to know how to do that. It's arguably better to give them "over the top" advice which they can follow and which will result in a clean machine than something they won't understand and won't do anything with (having said that, I'm far from convinced that the 'average person' would wipe their machine no matter how simple it was...)

      1. Dan 55 Silver badge

        Re: A complete wipe?

        Once it has root there's no telling what it has done.

        The latest Mac OSes are supposedly rootless so having root shouldn't happen. What went wrong here?

        1. CrazyOldCatMan Silver badge

          Re: A complete wipe?

          "The latest Mac OSes are supposedly rootless"

          Well - they still have an effective superuser login. It just isn't called 'root'

    1. rmullen0

      Re: A complete wipe?

      Step 1: Reboot.

      If that doesn't fix it,

      Step 2: FORMAT C:

      1. Anonymous Coward

        Re: A complete wipe?

        I tried that command on my mac and it didn't work.

      2. CrazyOldCatMan Silver badge

        Re: A complete wipe?

        "Step 2: FORMAT C:"

        "Drive /C: not found. Do you mean /dev/sda?"

    2. patrickstar

      Re: A complete wipe?

      Utterly regardless of whether it's Windows, Linux, MacOS, or something else entirely, the standard advice (CERT et al.) has long been to reinstall the OS after an admin/root-level compromise.

      However, if you know what you're doing and have a reasonable idea about what the attacker has done (like when it's some random standard malware and not a targeted attack), you can - of course - clean up an attack without an OS reinstall, regardless of which OS it is.

    3. Robert Grant

      Re: A complete wipe?

      That does not sound like the Unix-way to me.

      Don't make decisions based on learned conclusions (e.g. "Unix is better because you can script things!") Learn how stuff works, and conclusions will take care of themselves.

    4. Jakester

      Re: A complete wipe?

      What's wrong with a complete wipe? Sometimes that is the most efficient and effective way to eliminate most malware (except for those that installed into the firmware on the hard drive). Windows 10 is much easier to start from scratch compared to Windows 7. Once I was having an issue with one of my Ubuntu installations - that was even easier to reinstall. I have notes on each Linux installation I maintain (basically descriptions of partitions, software installed from the store, special configurations, mount points, etc) that are usually less than a page in length. My Windows reinstallation notes take a little more space, about 3 pages, but make starting from scratch much easier and less frustrating.

    5. Wayland

      Re: A complete wipe?

      You'd need to wipe the drive from orbit (to use a Globe Earth analogy).

      You'd need to boot from a clean drive and run nothing from the suspect drive until you'd run anti-virus. You would really want to replace every executable with a clean one and hope that you can clean out any viruses in the data files.

  1. Anonymous Coward
    Mushroom

    Wow

    Simply wow .. that's a nasty hit.

    Just goes to show how vulnerable these systems are, UNIX/Linux, Windows, and macOS.

    I'm not sure about Apple low level security, but could the UEFI and harddrive firmware be compromised as well, or is there some built-in check in the Apple UEFI bios? If it were PC/Windows, I'd toss the HDDs and reflash the bios with a "known good" copy.

    1. Sandtitz Silver badge

      Re: Wow

      "I'm not sure about Apple low level security, but could the UEFI and harddrive firmware be compromised as well, or is there some built-in check in the Apple UEFI bios? If it were PC/Windows, I'd toss the HDDs and reflash the bios with a 'known good' copy."

      Through the rabbithole with the paranoias.

      Many - not all - PC makers only allow signed UEFI updates. Of course if the malware writers have pwned the mfgr's internal systems they could sign their own updates. Like they did with Eltima in this case.

      If your UEFI has a virus - something the TLAs could possibly cook - it could either a) deny further flashing, or b) allow flashing BUT still remain. Computers these days don't have a socketed EPROM for DIY flashing - perhaps the mfgrs still have the tools to reflash securely through a JTAG or something similar?

      1. Anonymous Coward

        Re: Wow

        @ Sandtitz

        Just because you are paranoid doesn't mean they are not out to get you. And here, obviously, they are.

        Anyway, I wasn't sure about UEFI, as I've only ever updated UEFI for the sake of updating it, never on cause of an attack. I would venture then that the UEFI bios of these Macs are 'OK'. I'd still be looking to toss the HDDs though.

        On the big iMac that is a complicated process where one has to unstick the glass screen beforehand .. there are videos on YouTube though on how to prepare for and perform the removal and reattachment of the iMac glass screen. Doing so on one's own would void the warranty, so perhaps an Apple Store could give advice.

        Of course, going that far is a business decision. If the machine is used for casual email and web surfing, the impetus would be less. If it houses one's own business, especially one "hackers" would be interested in, then it would be worth looking into taking the step to replace the harddrive. If you don't believe me, Bing the term harddrive firmware infected.

        1. anonymous boring coward Silver badge

          Re: Wow

          You would throw away the hard disk?

          Seems a bit extreme?

          Just boot a fresh external drive and reformat the original disks.

          1. robidy

            Re: Wow

            Not sure a straight format passes the sniff test. One assumes you mean wipe the partition table? Or as I found with some odd RAID partitioned drives you actually have to zero the first part of the drive for good measure.

            One does wonder how this could be exploited...not to mention the recent TPM issues.

            1. anonymous boring coward Silver badge

              Re: Wow

              But if you worry about this level of infiltration, then you can't possibly be running any standard OS with standard connectivity! You might as well accept that you are effed then.

              1. TheVogon

                Re: Wow

                "But if you worry about this level of infiltration, then you can't possibly be running any standard OS with standard connectivity!"

                Given the amount of effort needed to code and execute such an attack, they are probably primarily going to be developed by government agencies. However recent history shows that eventually either such attacks are discovered in the wild or the exploit installers leak. And therefore it's quite possible that one day these attacks will be used by something zero day in the wild. So no harm in being paranoid and patching whenever there is a fix. Bearing in mind the potential insidious nature of such malware once installed, prevention where it exists is probably easier than a cure.

          2. John Brown (no body) Silver badge

            Re: Wow

            "You would throw away the hard disk?

            Seems a bit extreme?

            Just boot a fresh external drive and reformat the original disks."

            This guy demonstrates how to hack the HDD firmware in a persistent way such that you can still get into a box after wipe/reinstall. He then goes on to install Linux into the HDD controller board, just for fun.

        2. Kiwi
          Black Helicopters

          Re: Wow

          "If it houses one's own business, especially one "hackers" would be interested in, then it would be worth looking into taking the step to replace the harddrive"

          No really. From Kaspersky:

          "For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software. Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions."

          Despite what some people imagine, it really is quite difficult to maliciously alter firmware in a number of devices - the address space is small and if you want your alterations to go unnoticed, you have to keep the thing running as normal - no loss of functionality and no loss of speed. Having a HDD that noticeably slows down is going to be noticed, and an IT team will replace a slow HDD as it's showing signs of failure, even if quite new. Also, a machine generating a lot of network traffic (gigs of data being uploaded to the hackers) above what it should will be noticed and dealt with. And despite what some say about taking only small amounts at a time, if you want to be able to go through my files for anything interesting then you need all of my files, and if that's a terabyte of data then downloading at 20kps will take you a very long time. It's been done, sure, and systems that send a lot of traffic are going to be harder to watch for excessive amounts of uploads.

          "If you don't believe me, Bing the term harddrive firmware infected."

          There's your problem (though Google's results aren't exactly much better these days). Bing. From the company who thought the "Good Times" hoax was a good idea and made it possible to get infected just by clicking on the email...

          1. Wayland

            Re: Wow

            There are tools that can get deep into a hard drive. It's likely you could do a hard drive firmware or boot track infection on a whole swath of Apples fitted with the same drive. It's right that RAID drives have something written to them which survives formatting. X-Box drives are also modified in some way as are drives from TV recorders.

            I'm not saying the virus did these things but with root access a person could do this therefore a virus could.

        3. TheVogon

          Re: Wow

          "I would venture then that the UEFI bios of these Macs are 'OK'."

          I wouldn't. See for instance:

          https://arstechnica.com/information-technology/2017/09/an-alarming-number-of-macs-remain-vulnerable-to-stealthy-firmware-hacks/

          There have been at least 3 different Mac EFI vulnerabilities found and exploited in the past, so given enough effort likely more could be found...

    2. Remy Redert

      Re: Wow

      AFAIK all Apple machines run on Intel hardware, so if the malware writers really wanted to there's a few gaping holes in the management engine to exploit. I'd bet that even if a patch is available, the vast majority of machines will not have installed it.

      1. CrazyOldCatMan Silver badge

        Re: Wow

        "Intel hardware, so if the malware writers really wanted to there's a few gaping holes in the management engine to exploit"

        I don't think Apple includes IME in their motherboards.

    3. Wayland

      Re: Wow

      Well it could set up a boot loader of some kind which then boots the main drive once infected. Many PCs these days can access the Internet from the BIOS.

  2. Anonymous Coward

    That image!

    Is it meant to evoke the widening of a sphincter post-installation?

  3. Anonymous Coward

    Perhaps developers should work offline

    or alternatively release only a finished product that doesn't need Microsoft style updates all the time.

    Oh yeah right, "it is impossible to write application code that doesn't need to be changed after release"? I totally believe you dude

    1. d3vy

      Re: Perhaps developers should work offline

      Are you mental?

      Of course it's not possible to release code that doesn't need updates.

      Requirements change.

      Features are added.

      Bugs are fixed.

      Even without the bugs updates would still be needed to support new hardware configurations etc..

      1. Anonymous Coward

        Re: Perhaps developers should work offline

        @d4vy like I said, I totally believe you dude

        Requirements change, features added = new product.

        Bug fixes = you released bad code and are an incompetent liability to your customers.

        Whilst it remains okay for chancers to release code with errors/vulnerabilities then expect them to continue to be exploited just as they have been for years.

        If you want security then do not buy mass produced, off the shelf crap produced by people who sell "coding is more complex than any other human endeavor".

        My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer and all written with the old computing definition of security in mind.

        1. This post has been deleted by its author

        2. Kiwi

          Re: Perhaps developers should work offline

          "My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer and all written with the old computing definition of security in mind."

          So... No repeat business, code insignificant enough that errors in the compiler aren't triggered by it, insignificant enough that changes to the OS don't cause any issues with it. Oh, and insignificant enough that ONE person writes it.

          I can understand a lot of the bugs with MS stuff - their code has to support quite literally MILLIONS of possible hardware configurations. On top of that, there are millions of software configurations as well. The interaction between different bits of hardware or software, especially on complex programs, and sometimes that can throw up some serious surprises.

          Of course, if you really did write code like you want us to believe, you'd know that what you have in your test environment may not match what your customer has in their RealLife environment, and any changes to their RL environment could well result in changes to the function of your code. Also, no matter what coders think to test for, no matter what we think is a "so stupid it will never happen", RL invents users who, on the first time just looking at your software, manage to break it in ways you never dreamed possible.

          And that's before the next lot of updates to the OS, or other running software (what about all those deprecated system calls, APIs that no longer exist, DLLs that have changed name or location on disk etc etc etc etc etc etc etc etc etc etc etc?)

          El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired.

          1. Charles 9

            Re: Perhaps developers should work offline

            So what happened in the days BEFORE the Internet, where the limited methods of distribution pretty much meant you only had one shot at getting it right?

            1. patrickstar

              Re: Perhaps developers should work offline

              Then we simply learned to live with the bugs software had (there were probably less bugs since software was less complex, but it still felt like they numbered in the gazillions). And a bug having widespread security impact was much rarer since things weren't as connected, and most OSes had no real security anyways.

              A 'security incident' meant getting infected by some random virus - not your confidential data getting sent to the US, Russia and China all at the same time.

            2. Anonymous Coward

              Re: Perhaps developers should work offline

              "So what happened in the days BEFORE the Internet"

              It wasn't possible to remotely attack most computers, so it was far less of an issue. Also things like internet banking and Paypal didn't exist so there was typically far less to gain by doing so.

              Updates where needed (usually data updates or software bug fixes rather than security fixes) were typically mailed monthly or less frequently on floppy disks!

            3. ravenstar68

              Re: Perhaps developers should work offline

              "So what happened in the days BEFORE the Internet,"

              Erm well in at least one case you sent the cassette back to the software house and they sent you a replacement.

              Acorn Electron version of Elite back in 1984 had a bug that crashed the game when you used the galactic hyperdrive. That really was the fix. I sent mine off using registered post.

              1. tim 13

                Re: Perhaps developers should work offline

                I wish I had known that, it did the same on the Amstrad. I was a master of beating every enemy, by the time I could afford a docking autopilot I didn't need it and I had all the money I ever needed, but without being able to change galaxies the game was effectively over.

            4. d3vy

              Re: Perhaps developers should work offline

              "So what happened in the days BEFORE the Internet, where the limited methods of distribution pretty much meant you only had one shot at getting it right?"

              We posted each other floppy disks.

          2. Anonymous Coward

            Re: Perhaps developers should work offline

            "El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired."

            So, a photo contest then? How would we retain our anonymity?

            1. TheVogon
              Thumb Up

              Re: Perhaps developers should work offline

              ""El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired.""

              Maybe a competition is in order for a new row of icons?

              1. Kiwi
                Pint

                Re: Perhaps developers should work offline

                ""El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired.""

                "Maybe a competition is in order for a new row of icons?"

                I've probably suggested enough for a couple of rows in the last year or two!

                But I agree, something to get the team/commentards working for at least one row! (would like to see some of the older ones make a comeback as well)

                (I also, when I screw up the tags in a post, would love to see a highlight in the approximate area of the invalid HTML, or when invalid stuff is detected colour-coding the bits it can figure out :) )

        3. Doctor Syntax Silver badge

          Re: Perhaps developers should work offline

          "Requirements change,features added = new product."

          Based on the assumption that a full product is bigger than an update - and bigger than the original as it contains new features, then this presents the customer with at least the same risks and possibly more than updates.

          "My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer."

          Been there, done that. But neither you nor I have had the problems inherent in supplying product to a mass market. I don't think we'd have been in business very long if we insisted on selling new products for every new feature, at least, not without the Stockholm syndrome of Windows users.

          1. Anonymous Coward

            Re: Perhaps developers should work offline

            @Doctor Syntax

            "problems inherent in supplying product to a mass market" yes there are additional problems but then again the rewards are greater and yet strangely the security tends to be lower.

            I see posters here suggesting that complex projects demand "team" development when the reality is that it is just cheaper to get in a few people who know what they are doing and a lot of amateurs who need to be told.

            The sad truth is that there are programmers who can code without allowing any errors in the final product and then there is the majority who have been programmed to believe it doesn't matter.

            Add in development tools that are themselves insecure and management who value only getting the product out the door.

            Thus we have bad/insecure code simply because it is deemed cheaper in the short term than doing it right. As the saying goes, if you pay peanuts then you get monkeys.

            It used to be that if you wanted a computer based solution, you went to a guy who built the hardware, software basically everything from scratch, if he had to get help then clearly he was the wrong guy. Now we roll out "qualified" developers who could not build the hardware, have no clue how to write an OS and need an existing development package to write even just an office suite. How can anyone doubt that trusting these guys is a bad idea?

            You could blame the education system, the employers the users or you could just accept that unless you are that guy then you are an imposter, you are the reason for the "bugs" and vulnerabilities, simply because you do not know better. Better to have given matches to children.

            One guy on his own can still code everything, it might take longer but if it is the right guy then he only has to write it once. When you add up the costs of updating and downtime then is the current situation actually cheaper for anyone, personally I think it is far too expensive to be allowed to continue.
