WOW
That's more Mac OSX infections than Windows 7 infections
From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines. Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan. …
Consider how many Windows versus Macs there are out there. This was always likely to be the case.
The massive XP figures shouldn't be a surprise either.
It's a ten year old OS that didn't have great security to begin with. Combine this with a massive footprint of home and small businesses who buy a PC and allow their free 3 months of McAfee etc. to expire and think they're safe.
Worryingly, a similar lax attitude to AV is very common amongst Mac users too. As virii on Mac get more common, many of the mac community really need to grow a little healthy cynicism.
Technically yes, but if you compare OSX (16%) to Windows, as a whole, the ratio changes somewhat.
If you'll pardon the expression, let's compare Apples to Apples, eh?
After all the bluster about cross-platform infection, where's Linux in this little chart?
"After all the bluster about cross-platform infection, where's Linux in this little chart?"
From the article...
They didn't show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren't able to survive a reboot.
"All the Linux fanbois I know continually bang on about never needing to reboot their Linux boxes, to the extent that most of them go out of their way to avoid doing so out of sheer bloody-mindedness."
We use Linux on the majority of our machines here, but we still turn them off when we go home at night. We're not thick - electricity costs money, and businesses like money.
"I'd say that makes the Linux infections a little more relevant."
And yet again you miss the point that they were unable to find any. Maybe Linux users were savvy enough not to get infected, maybe a reboot got rid of it, but either way there were no infections to display, so they can't display them.
> Linux users don't get bit because we're not stupid
> enough to believe a "You must install this codec"
> message given to us by the web browser
Or perhaps we're all just terribly paranoid and prone to run things like no-script that may bypass stuff like this entirely.
I didn't say "recorded" infections, although perhaps I should have said "potential infections" to help your brain process the possibility of future events. See, it's called irony. Irony is when, for example, a trojan has a major weakness such as not being able to survive a reboot, yet the impact of that potential weakness is reduced due to certain penguin-heads' propensity for continually demonstrating that their Linux boxes almost never need rebooting. Irony, the point you clearly missed in my post.
Sheesh.
One must remember, these figures are from Symantec, and thus, it means that this distribution is based on THEIR software DETECTING the infection on the computer. So, only people who have Symantec installed (and have their phone-home-stats bit being allowed...) are in the mashup. Now, considering the number of OSX users running Symantec AV, having 16% of infections is a VERY concerning thing. If the virus survived a Linux reboot, I'd express the same concerns with their (non-)figures. Not that they'd stray from their ClamAV or the like anyway...
It is striking that only 7% of Vista/Win7 machines were infected though. I guess the numpties haven't bothered buying a new computer in a while. How many unwashed mass members do you know that would be bothered to buy Win7 and install it on their current computer anyway?
/paris, because even for the elites, protection is needed
Enterprise edition? I'm guessing bent copies rather than actual corporate installations though.
64-bit? Also quite likely.
I think we can probably come up with enough others in the mystifying firmament of MS OS versions to account for the size of this group without having to resort to embedded. The missing bit of information is how they are identifying the version.
Ok, I'll rephrase that: the bank I work for, which has one of the largest ATM networks in Europe, no longer uses NT4 or W2K; instead it uses XP Pro and is starting to move onto Vista.
I'm not aware that any bank runs key, customer facing, systems on NT4 - MS won't even let you pay for support any more.
Actually, if something is running within a user process, it would be pretty easy to put something in the .bashrc script. (And when's the last time you checked that?)
Admittedly, this means it only starts when the user logs in, but as this obviously only affects desktop machines (you have to browse and run a JAR file), it's pretty much the equivalent.
It won't affect server machines, unless you let your users browse on them, but it won't affect Windows server machines for the same reason either.
There are many more places than just the .bashrc (assuming you're using bash, of course; I prefer the AT&T software toolbox ksh myself). Both KDE and Gnome (and most other X11 window managers as well) have user startup directories and rc files to allow attacks on systems accessed with a GUI, and you would, of course, have the normal PATH and LD_LIBRARY_PATH attack vectors that could be used to subvert commands that people use all the time, and there are many more.
Linux is not immune from attack, it's just that an attack needs to do more things to really pwn it. For instance, if a user has iptables configured to control inbound and outbound traffic on a Linux system (assuming that the user does not run everything as root), you would have to engage in tricking the user to sudo a command, or otherwise obtain escalated privileges to alter the configuration or turn it off, unlike most Windows systems.
There is no such thing as a totally secure OS, it's just more difficult to mess with Linux.
The OSX statistics in the article are a surprise, however.
>and I think that everybody would be surprised
>if Jnanabot was able to permanently install itself
>on a Linux machine via an ordinary user account.
You're assuming said user doesn't log on again after a reboot - nothing would stop malware from adding itself to the user account. It's what all the cool kids are doing to avoid UAC on Windows now anyway.
Of course it could get permanent residence on a Linux box, you don't have to be root to install software to your home directory, for example. Granted though, it would be practically impossible to hide it, except in plain sight.
I think the real reason that it doesn't survive a restart is that the writers really don't care about infecting Linux as a desktop platform, given the (lack of) market share.
"That's more Mac OSX infections than Windows 7 infections"
No, not really - OS X 10.4 was out at the same time as XP and 10.5 was out just before Vista. If you ratio them out they correspond roughly to their user bases. The user ratio of the current version of OS X (10.6) to previous versions is roughly 2:1 - so it would seem that the main lesson we learn is "Old versions of both OSs are more vulnerable than newer ones".
As an aside, when I teach people to use OS X, I recommend that they turn Java off in Safari - They almost never seem to need it...
Sorry, I did not make myself clear to you. I wrote that OS X 10.4 was out at the same time as XP - I did not say when they came out, or which came out first. The timeline is:
Mac OS X Server 1.0 in Jan 1999; 10.0 Desktop (not really usable) Mar 2001; OS X 10.1 (free upgrade from 10) Sept 2001; 10.2 (paid upgrade) Aug 2002; 10.3 (paid upgrade) Oct 2003; and, as you say, 10.4 April 2005; 10.5 came out in October 2007 and 10.6 in Aug 2009.
Windows XP RTM - August 24, 2001; XP Retail: October 25, 2001 (I was a Microsoft DAAP and Developer, so I got mine early); XP SP1 (free upgrade) Sept 2002; XP SP2 (free upgrade) Aug 2004.
Windows 2000 Retail: 17 February 2000 (Again I got mine early - We were shipping products that ran on NT 3.51 & NT 4.0).
So we are talking about a few weeks difference between when a punter could buy usable versions of XP and OS X. Vista RTM November 8, 2006; Retail: January 30, 2007
> XP was MS's RESPONSE to OS X
Nonsense. Finally ditching the rotten undercarriage of MS-DOS made moving to an NT kernel for the "consumer" version of Windows PAINFULLY OBVIOUS. Serious power users had already ditched DOS based Windows for NT of some sort by that time already.
NT was lingering around since before the transition from 16-bit Windows.
...if we can cast aside 'mine's tougher than yours' and any other technical squabbling for a moment here, let's look at the real cause of infection.
People.
Attention starved, 'think later', bang-on-the-nose DESPERATE herds that will every time, without fail, 100% guaranteed, in spite of all warning click on / install / allow anything if they think someone is giving them said attention.
I'm sure we can all think of at least a few folk that we could make do ANYTHING online at the vaguest whiff of 'someone fancying them' etc. They simply cannot control their base urges and this cack will continue to happen, irrespective of technical origin / platform impact ad infinitum. It's comically easy to engineer people, it takes almost no savvy at all. People can and will abandon all common sense at the behest of their ego.
Paris, because she never hides her directories.
.. they call privacy old fashioned. But once their checking account is cleaned out because they can't resist using their debit card ("it's so easy and convenient") they sing a different tune. And also ask for help. Pathetic. I have no sympathy for them and just give them my assembled list of sites to visit to learn about security and privacy. Doesn't take; they get cleaned out again and change banks because the bank let it happen. Typical, blame others and always expect someone else to watch out for you. Suits me, flaming crashes get to be quite interesting, and spontaneous human combustion of the tantrum variety gets to be funny rather quickly.
I think @wow is referring more to the absolute percentages; 16% is more than 9%.
What strikes me more is that given market share I would expect OSX to be infected something like 5-10% instead of 16%. Maybe that's to do with the fact that it is Java based, which is one of the plugins / pieces of software that I try to avoid most on a Windows machine.
Possibly. I don't think we can project too much from the original stats other than we should suggest that home users consider updating to newer versions of their operating systems (or new machines for Windows XP Home users).
If we look at market share by OS type/version:
http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10
The numbers for Windows Vista and 7 show a 9% Infection rate for 33% distribution (good @ ~1/3 of expected infection) XP has 75% infection for 57% distribution (~1.3 times infection rate).
"OS X Other" (Presumably OS 10.6 plus all previous versions of OS X other than 10.58 and 10.11.4) has 3% for Infection for 3% distribution (corresponding infection?). OS 10.5.6 has 9% Infection for 1.5% distribution rate (6 times infection rate) - OS 10.4.11 has 4% infection for 0.4% distribution rate (10 times infection rate).
What I do find surprising is the number of XP Professional infections. Generally, we could think that XP Professional is managed by "professionals" whilst the perception is that OS X is often managed by "users". If the Windows XP "professionals" were doing their job properly, the rate of infection should be lower.
If we believe Symantec (and I personally haven't used any of their products for the last 6 years), the original Windows versions of the Trojan.Jnanabot infection had 0-49 infections on October 26, 2010. The article says that the number of infections is now "in the thousands" (maybe 10,000?) so we are looking at maybe a few hundred Windows 7/Vista infections with a few more hundred OS X infections of which the substantial majority are on old systems.
I help run (as a volunteer) classes for retirees. We use Windows XP, Vista & 7, OS X and Linux. We get pupils to set up separate 'admin' accounts and 'user' accounts for their systems. The advice that we give is "Only use the 'user' account for normal tasks - If you get a message asking you to install something, be suspicious."
I note that the MacBook Air no longer ships with Java and that it now can be downloaded from Oracle - I, like you, try to avoid Java on client machines.
So in conclusion: unless we know the breakdown of "OS X Other", I might suspect that Symantec are trying to whip up interest in their Apple products to a growing Apple "Home User" market as their Windows Home market share is threatened by the free Microsoft Security Essentials product.
"Now, Symantec researchers have uncovered weaknesses in the bot's peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim's hard drive. That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses."
It is not a weakness, it is a SMARTer Network Facility and Virtual Utility. The status quo and establishment markets might think drivers are all about selfish, exclusive competition for advantageous leading position, whereas others may practise and provide selfless, stealthy cooperation for greater mutual benefit.
And you do yourselves a grave disservice to not realise that what is being recoded/hacked and cracked wide open for new transparent servering of SMARTer IntelAIgent Services, are not just Open Source and proprietary Operating Systems, but rather more the Global Internetworking Grid with its Intranets and Extranets exchanging soft pawn information and hard core intelligence across World Wide Web Infrastructure Models.
The Enemy of Ideas thinks Foe, whereas Masters of the Genre think Friends .... which is what Semantic Web dDevelopment in NEUKlearer HyperRadioProActive IT is into in the Bigger Picture Show which hosts Truly Great Game Players ..... which might be an Alien Concept to Many but Perfectly Normal to More than just a Few, and increasing in number with the betaTesting and Passing of every ZerodDay.
I am not surprised Mac users would get a higher infection rate. Mac users are told over and over that Macs CAN'T get a virus. Those of us in tech circles know this isn't true, but the average Joe has to use what they are told. They are told Macs are safe, so they buy a Mac and are misled into believing they can click on anything and have no risk of getting infected, so they do. The same goes for a lot of Linux users to be honest; that being said, Linux tends to be more robust and a lot harder to infect properly, but it is still possible. The rules of being careful what you click on still apply.
That's got a GUI, you can just click on it, if it wasn't already installed by default. Or did you miss that bit?
This is obviously so much harder than the Windows way - go to Oracle's site, find the right package for your operating system and architecture, download, install, put up with yet another update program.
"But it's a well-known fact that Linux users never reboot their machines - which gives this crap a lot of time for acting out its nefarious duties."
"fact" ? "never" ? ;-) I would have thought that this is more likely to apply to server type users, which according to some posts above are less susceptible targets. For what it's worth I always close down overnight.
Lots of useful points in the thread anyway - I'm grateful for the pointer to NoScript :-) .
I use all 3 main platforms (OSX 10.6 on Mac, Linux in whatever form, Debian, Ubuntu, CentOS, Windows although less and less), and there is one little nagging question:
How do I know (and anyone else) that OSX and Linux are infection free? With Windows you have an enormous collection of software that checks, for the other platforms there isn't that much (I think Kaspersky does something for Mac) so you can't actually base a "free from infection" statement on any proof other than 3rd party observation..
You can't be sure any complex system built upon trust in multiple layers of previous systems is infection or malware free. The only way you could really guarantee this would be by not going beyond early 1950ies technology at the point this ceased to be capable of being fully verified by a single engineer.
All the antivirus programs tell you is that they don't detect anything they _currently know_ about. For an interesting and classic perspective on this, read Ken Thompson's paper, "On Trusting Trust": http://cm.bell-labs.com/who/ken/trust.html .
At the moment Eset are doing free Beta software for Linux. I believe it will be paid for after release but it seems to work from the testing I did on an Ubuntu based system. It can be downloaded from http://beta.eset.com/linux
They also do Mac software which you could use a trial to check, but after 30 days again it's paid for software.
I think a few other AV companies do Linux/Mac software but as much as I like the idea of ClamAV it isn't very effective according to reviews and AV tests.
Clam AV has a version available for free for Mac OS X. As you mentioned, there are paid products such as Kaspersky out there if you don't trust the open source freebie. The core Clam software is used in a number of server based anti-virus solutions and usually holds its own against paid packages.
Clam is included as standard in Mac OS X Server editions.
http://www.clamxav.com/
As competent Linux admins never have to deal with rootkits, there are no ready-made tools. But a good Linux admin or security consultant would simply:
1.) Mount a suspicious Linux disk in a diagnostic machine, but not boot from it or run programs from it from the suspicious disk. That's what experts also do with Windows disks, btw.
2.) Do md5 sums of all executables and executable library files. Maybe also standard config files.
3.) Compare these md5s against a known good Linux disk of the same OS version and patch state.
4.) Maybe write a script which will download RPMs from e.g. http://rhn.redhat.com/errata/RHBA-2002-055.html , unpack the RPMs and calculate md5s to compare with 2.)
5.) write a tiny script to list all scripts on the system and look at them. If they have not been tweaked (only the case for complex servers), just compare md5 against the package source (as in 4.))
The places where a virus could still, theoretically (!!) hide are
A) application files of applications which have a zero-day hole (PDFs / Acrobat Reader for example). But these would be user-level only, no full pwning.
B) in a file-system-based exploit directly hiding in file system structures. I have never heard of that kind of exploit on any operating system.
I suggest everybody uses their brain and deinstalls Java, Acrobat Reader and Flash. And/or use a different, non-privileged user to view YouTube and the porn sites. That works for Windows, Linux and MacOS. NoScript does not hurt either.
and on
C) on a hypervisor <http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html>;
D) on firmware <http://www.phrack.com/issues.html?issue=65&id=7> and <http://www.phrack.com/issues.html?issue=66&id=11> for starters;
E) on CPU microcode.
Anywhere else I forgot?
Ahh, the low level stuff... Being wonderful as ever.
I would advise adding BetterPrivacy on top of NoScript. There are things such as tripwire for sanity checks on the system -- some OSes have signatures attached to all system binaries -- but that will not usually detect infected home accounts.
The MyOS-versus-YourOS hysteria aside, Java-based malware is not new and not the point of the story.
AV software is *always* playing catchup with the bad guys, it just can't be trusted.
Install AIDE or Tripwire. Setup a simple script to check for system changes before applying any updates, if any startup scripts have changed you can manually check them and remove any viral additions - seeeemplez.
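The offline hash-and-compare procedure described a few posts up (steps 2, 3 and 5: inventory executables, libraries and scripts on a mounted, not booted, suspect disk and diff their hashes against a known-good install of the same version and patch level), the point made earlier that per-user rc files such as .bashrc are a persistence location worth including, and the "check for system changes before applying updates" habit in the post above all come down to the same tool: a baseline manifest plus a diff. The Python below is an added example written for this thread, not code from any commenter or from AIDE or Tripwire. It uses SHA-256 rather than the md5 the poster mentions, writes the manifest in `sha256sum` style (`digest`, two spaces, path), and assumes a conventional FHS layout under whatever root you pass (for a real disk that would be the mount point, e.g. `/mnt/suspect`); the directory and rc-file lists and the `demo()` sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed layout of a mounted (not booted) root; extend for your distribution.
SYSTEM_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "lib", "usr/lib", "etc")
# Per-user startup files to inventory in every home directory (assumed list).
USER_RC_FILES = (".bashrc", ".bash_profile", ".profile", ".xinitrc")


def sha256_file(path, chunk=1 << 16):
    """Hash one file in chunks so large libraries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _record(manifest, root, path):
    """Store the hash of a regular file, or the target of a symlink, keyed by path relative to root."""
    rel = str(path.relative_to(root))
    if path.is_symlink():
        # A link repointed at a different binary is itself a change, so record the target, not the file.
        manifest[rel] = "symlink:" + os.readlink(path)
    elif path.is_file():
        manifest[rel] = sha256_file(path)


def inventory(root):
    """Return {relative path: digest} for system directories and user rc files under root."""
    root = Path(root)
    manifest = {}
    for sub in SYSTEM_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):  # followlinks=False: linked dirs are not descended
            for name in files:
                _record(manifest, root, Path(dirpath) / name)
    home = root / "home"
    if home.is_dir():
        for user_dir in home.iterdir():
            for rc in USER_RC_FILES:
                _record(manifest, root, user_dir / rc)  # silently skipped if absent
    return manifest


def write_manifest(manifest, out_path):
    """Write the baseline in sha256sum format: digest, two spaces, path."""
    with open(out_path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(in_path):
    manifest = {}
    with open(in_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def compare(baseline, current):
    """Diff two manifests: files that appeared, disappeared, or whose digest differs."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def _populate(root, files):
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Constructed sample: a known-good tree and a suspect copy with three deliberate differences."""
    good = {
        "bin/ls": b"\x7fELF constructed good ls",
        "usr/lib/libc.so.6": b"\x7fELF constructed libc",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "home/alice/.bashrc": b"export PS1='$ '\n",
    }
    suspect = dict(good)
    suspect["bin/ls"] = b"\x7fELF constructed replaced ls"                      # binary replaced
    suspect["home/alice/.bashrc"] = good["home/alice/.bashrc"] + b"# extra line\n"  # rc file edited
    suspect["usr/lib/unexpected.so"] = b"\x7fELF constructed extra library"     # file not in baseline
    with tempfile.TemporaryDirectory() as tmp:
        good_root, suspect_root = Path(tmp) / "good", Path(tmp) / "suspect"
        _populate(good_root, good)
        _populate(suspect_root, suspect)
        manifest_path = Path(tmp) / "baseline.sha256"
        write_manifest(inventory(good_root), manifest_path)   # taken from the clean install
        return compare(read_manifest(manifest_path), inventory(suspect_root))


if __name__ == "__main__":
    print(demo())
```

Against a real disk the workflow is: run `inventory()` on a clean install (or on the unpacked packages from step 4), `write_manifest()` it somewhere the suspect system cannot touch, then mount the suspect disk read-only and `compare()` the fresh inventory with the saved baseline. Anything under "changed" in a package-managed path, or under "added" in a library directory, is what to read by hand, as step 5 suggests; the rc files are included precisely because a user-level infection that cannot get root still has them.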
#1) If this is the boonana variant that I think it is (which seems to be the case from the name), This is old news. Seriously - this was reported elsewhere with a video in October of last year. Google it.
#2) It asks you to install, and you have to click through multiple warnings/certs, FROM YOUR WEB BROWSER. Show me anyone on Linux that would fall for that, and I'll show you someone that's not been using Linux for more than a few days (hint to Win users: You don't install anything on Linux directly from within the web browser - excepting FF/chrome plugins which you specifically have to ask to install).
>>Never experienced a virus on Mac or Linux in 5 years of intensive Internet use
Haven't had a virus since my Amiga, I've installed and used DOS/Win3.0/3.1/95/98/NT/XP/2K/2K3/2K8/Vista/7/Slackware/Debian/RedHat/Ubuntu/OSX/DRSNX SVR4/Solaris2.3/2.4/2.5/6/7/8/9/10/AIX5.2/5.3/6/HPUX10/11
Good practices (using trusted sources, clean builds, firewalls, min privs etc.) means you *shouldn't* need virus protection, but remember where words like "rootkit" come from - it didn't start as a Windows term, complacency is just as dangerous as ignorance.
These days I have a VM for surfing and email; when I've finished using it I roll it back to the original state, apply patches and updates and do another clean snapshot. If I ever did get a virus, chances are I'd never know and it would evaporate in the rollback.
"These days I have a VM for surfing and email, when I've finished using it I roll it back to the original state, apply patches and updates and do another clean snapshot"
That's a nice idea, but a massively over-engineered one I can't help but feel. Are you suggesting that you really need all those added layers of protection before you're comfortable to check your emails? You must never get any work done.
Also kinda weird when you consider that emails get shat out onto the web pretty much unprotected. It's amazing that people trust them at all.
>>That's a nice idea, but a massively over-engineered one I can't help but feel. Are you suggesting that you really need all those added layers of protection before you're comfortable to check your emails? You must never get any work done.
It works for me, I have three icons, StartVM, SaveVM, RollbackVM when I shutdown the host PC the guest is automatically rolled back (unless I have done a SaveVM before shutdown), the VM starts nearly as quickly as IE used to, filesystem space is cheap, if you think of the guest OS as merely an application in a sandbox then it makes sense, also if you want to try out a new app/plugin/patch it's really easy to undo with a rollback (great when the uninstall doesn't).
To be fair, my machine is dual quad 3.33Ghz with 24Gb so I can run a few VMs at the same time with no real problem, but the more procs and power we have, the more that this is practical.
As has been said, but it's worth pointing out, that anyone on a Debian based Linux distro can use AppArmor. (K)Ubuntu comes out of the box with it installed, and profiles already created for the common Internet facing applications.
You can lock down these further, which I would do for Firefox (or any other web browser you might be using).
Of course, if you're this paranoid (nothing wrong with that! ;) ), then you'll probably be using NoScript, so the Java won't run yet anyway, and you'd also probably spot the oddity of why it wants to run a JAR in the first place...
Simples.
Oh, you mean it has a dot at the start of the filename. Wow, that's like totally l337 dude! That'll fool 'em!
I remember that HP-UX 9 allowed actual invisible folders (chmod +H or something) but I think that functionality got dumped once they realised what a security risk it was. Linux certainly doesn't have that sort of functionality, or at least nothing that could be accessed from within a JRE running as a normal user.
So therefore why does it still exist? If the article is to be believed it should be relatively easy to install software remotely onto these machines. So why is the software being installed remotely not anti-virus and anti-spyware which should solve the problem for good, or at least a removal tool which patches the vulnerability and removes the virus/spyware once done?
No, let's just study it and watch it continue to proliferate around the internet. That'll be far more rewarding.
You provide me with a suitable salary, or point me at some reasonable form of research grant funding ending in a Ph.D. and I'll happily follow through and "do the above".
Surely that's what Dan Turner should be funding or what Billy Rios should be aiming for as the result of his research. But no, actually it would do the likes of Symantec and McAfee the world of harm to actually take out the botnets as, your article proves, they are perfectly capable of doing. Clean up all the botnets, securing the machines behind them, and they could effectively reduce spam to close to nothing (compared to current levels). But that wouldn't be in their interests as it'd reduce the sales of their software or in Billy Rios' case cut off the source of his funding.
It's a case of don't kill the Goose that's laying the Golden Egg, isn't it?