back to article New Mac scareware variant installs without password

Scammers have developed a strain of Mac scareware that avoids the need to trick a mark into entering an administrative password. Earlier rogue anti-virus strains, such as MacDefender, need permission to run, a hurdle MacGuard neatly sidesteps. MacGuard works on the premise that home users have administrator rights, meaning …

COMMENTS

This topic is closed for new posts.
  1. Greg J Preece

    Oh don't say that!

    "meaning they don't need to enter the administrator password to install software in the Applications folder."

    When I pointed this out, a whole bunch of fanbois told me I was wrong.

    1. lglethal Silver badge
      Jobs Horns

      Solution...

      Send them the link for MacGuard... let them see if they need to enter the password for it to install... ;)

    2. Anonymous Coward
      Jobs Horns

      Don't laugh

      He who laughs last, laughs longest.

      I can see a smile appearing on the MS fanbois now :)

      1. Marvin the Martian
        Pirate

        @AC: He who laughs last, hasn't understood the punchline or is retarded.

        chmod ug-x /Applications

        That is all.

        1. Anonymous Coward
          Boffin

          Looks so simple

          90% of the people who own a Mac OSX based system at home wont have a clue what you just wrote.

    3. ThomH

      They were confused

      "Administrator privileges" tends to be synonymous with unfettered access to anything on a computer. A default install of OS X will require a password be entered for a bunch of tasks, such as viewing things stored on the keychain, making changes to certain system preferences and some other things.

      However, you're quite right because on a default install, and I'll wager on 99.9% of machines out there, the single user has a tick against 'Allow user to administer this computer' and can write whatever they want to /Applications, whenever they want. Combine that with Safari shipping with 'Open "safe" files after downloading' ticked by default and it's easy to see how this program installs itself, given that archives are considered safe and I guess one of the archive formats doesn't properly guard against absolute paths.

      All of the proper, internal paths should be properly locked down by default, so in theory this program shouldn't be able to do anything to stop you from just dragging it to the trash and hence uninstalling it. That said, it should still be a major embarrassment that it can install itself in the first place.

      1. heyrick Silver badge
        WTF?

        Whoa, wait!?

        The user has some sort of admin priv by default? Isn't that the reason why XP gets hit by so much crap? Are the Apple devs so stuck in rose-tinted glasses that they didn't look to see that that was one of the big cock-ups of new-gen Windows (i.e. when they took the NT security model and completely rogered it)?

        1. Anonymous Coward
          Anonymous Coward

          Actually...

          The problem with the Administrator account on XP was that it WASN'T the main (single) user account - it was an extra hidden (unless you look for it) default account that always had the same username/password and never prompted the user to set anything to secure it.

          1. Tom 13

            95 and 98 didn't have admin accounts

            nt, 2000, and XP did. If you ran the installation disk, you were prompted to set the admin password. The admin password was NOT blank by default - that was a choice made by the manufacturers who shipped pre-configured PCs. Lots, and Lots of Fail there, but not by MS.

            1. Peter Gathercole Silver badge

              On Windows 95 and 98,

              there was effectively only a single user, with some slight trickery to allow some applications to store their defaults in different places for different 'users'.

              All users were effectively administrator accounts, and as Fat16 and Fat32 filesystems did not have any form of security-by-user, the entirety of the system disk was vulnerable to infection by any account logged onto the system.

              As a sideline, this last point is exactly why you should never do a WinNT, 2000 or XP install using Fat32 as the filesystem for the system disk, as this negates almost all of the security that segregated privileges provides.

              On a side note, on XP and Windows 7 (not done a Vista install), the administrator password that is asked to be set up during install is indeed a hidden account that can only be used when the system is brought up in system recovery mode (or similar). This is intended to be used when the system will not start, or when users forget their own passwords.

              By default when using the MS XP install process, the first named user account that is set up will be an administrator account unless changed. If you set up more than one user account during the install, the subsequent ones will be not have administrator rights, by default, but this can be changed.

              But there is another point here. Many 'canned' Windows installs (for example, from system recovery disks) will not use the normal XP installation process, so even those users who have restored their system will not have seen this setup process. Only those wearing hair-shirts, and doing everything from lowest common denominator (MS install disks and vendor driver disks) will have seen these accounts being set up. But those of us who have done it this way KNOW that Windows installs are FAR, FAR more painful than some of the other OS offerings out there.

              1. Tom 13

                I've never worn a hair shirt, but

                I have both built systems from the ground up and used system restore disks. Frankly, I cut my teeth IT teeth on Radio Shack PCs left the hobby for a while and then started learning it again with DOS 3.3.

                Once MS realized the PR problems they were having because system vendors (and don't get me started on the early broadband providers helpfully setting accounts to auto-login admin users) were bypassing the account password setups they changed the OEM agreements to require the use of abbreviated setup screens where users are required to provide the passwords. So while the end user doesn't see the exact same screens as an OEM installer, they still answer the same questions. You can still enter a blank password, but it is an ACTIVE choice instead of a default.

                I'm no MS apologist. Frankly if I had been the judge in the Netscape case they would have lost their shirts for violating their prior consent decree to not tie application sales to their OS, and it is possible some of their lawyers would have been turned over to the bar for ethics violations. But facts are important things and it is therefore important to keep them straight. And all of that is because of the number of times I installed their software for our OEM shop back in the day.

            2. Michael C

              could still be blank

              It wasn;t until XP SP2 (if slipstreamed) that when installing you were required to enter a password. It did prompt for one, but it was possible to leave it blank with little more than a warning.

          2. Peter Gathercole Silver badge
            FAIL

            @AC 14:40 - Wrong.

            That is the admin account for system recovery. Can't use that to log in when the system is booted normally.

            The install process gives first user account set up admin rights. Subsequent ones will normally be ordinary users unless specifically changed. I always create my own admin account as the first account, and then create additional ordinary accounts for each of the kids for day-to-day use. I never give the kids the password for the admin account I created. I normally install any programs that then need admin rights.

            For those awkward programs that have to have admin rights in order to run, I also create a second admin account, which I then fix in the Registry so that you can't log in using it, and tell the kids to use "Runas" with this account for any applications that won't work from their ordinary accounts.

            It's not perfect, because you can really run anything with Runas as long as you can find it on the disk. But it meant that I was able to have one of our shared machines virus free for years (also have external firewall to block direct malicious traffic).

            I think some of this must have stuck in the kids minds, because now they are older, and have their own systems that they control completely, they often keep using this model, and generally have less problems that their peers.

            1. Anonymous Coward
              Anonymous Coward

              @Peter Gathercole

              I can personally assure you that if you are on the Welcome Screen, press Ctrl + Alt + Delete, type Administrator and the password set there it works. It is the Local Administrator account, which can be logged in to.

              1. Zippy the Pinhead
                FAIL

                @ AC 13:46

                Not on my XP computers. The default admin account has been disabled and renamed and I work off a different admin account I have personally set up.

          3. Anonymous Coward
            Anonymous Coward

            err

            Apart from the installer prompting you to set the administrator password when you install the OS of course?

          4. heyrick Silver badge
            Meh

            Actually²...

            There is an Administrator account, yes. It may or may not have a password, yes. But why bother when *by* *default* the user account generated at start-up is given system wide "admin" permissions? I have two accounts on my little machine. The first, "Rick", was created during the initial setup. I can do anything from the get-go. The second, "Internet", that I created, is a limited user and can't do much. Can I run as a limited user all the time? No, for updates and stuff only appear to the priv account (remember, this is XP, I think they finally made this work properly in Win7?). There's more, but it's boring...

            So, to the "average" home user: How many would you imagine even realise there are Admin/Limited account options, and understand what the differences are?

            Anyway... can't believe this mistake is still being made. <sigh>

        2. Tom 13

          Yep. But I do understand why they did it.

          The consumer market always makes a the tradeoff between ease of use and security to favor the non-technical consumer. Linux, not being as widely adopted for consumer market general purpose computer, doesn't make the same tradeoff. Because it tends to be used/deployed only by knowledgeable techs, the tradeoff is kept on the security side. I think once you see Linux more broadly adopted by the consumer market, you'll see similar issues there. The technorati will still have relatively secure computers but the masses won't.

          I still think Linux is inherently better positioned to be configured securely, it is just that mass market deployments don't support security.

          1. Peter Murphy
            Linux

            I hope not, Tom 13.

            "I think once you see Linux more broadly adopted by the consumer market, you'll see similar issues there. The technorati will still have relatively secure computers but the masses won't."

            Read the fine print in the article, Tom 13:

            "MacGuard works on the premise that home users have administrator rights, meaning they don't need to enter the administrator password to install software in the Applications folder."

            Both Linux and MacOS are based on Unix. However, even more user-friendly versions of Linux force their users to _deliberately_ take superuser privileges (such as via sudo) every time they want to do anything administrative. Each time, users have to enter the right password.

            Linux distributors assume that people do not need administrator rights 24/7. So there is no easy "Allow user to administer this computer" checkbox that gives users automatic administrative privileges. Nor do I hope there ever is - because the result would be a spit in the eye of the principles of Unix. Neither do I think this checkbox will ever be necessary - sudo is a one line command that is easy to type. (But typing your password should make you think.)

            MacGuard-like behavior would affect Linux machines where (a) the only user is root, or (b) a user gave himself administrative privileges by default. But both these behaviors are actively discouraged by any Linux distribution you care to name. And if people do this and get infected, others will reckon "serves the bastard right for being so stupid!"

          2. jcipale
            Coat

            In other words

            There are still a collection of idiots who should be given an Etch-a-sketch and told it is a computer and in order to erase a file, they simply hold it upside down and shake side-to-side (with apologies to Scott Adams).

      2. Anonymous Coward
        Anonymous Coward

        'Open Safe Files'

        'Open Safe Files' shouldn't ticked by default anymore - I don't think it has been for quite a few versions of Safari now, not since it was pointed out how obvious a security flaw this could be in the early days of psuedo-Trojans like the Applescript disguised as a JPG or MP3.

        This malware STILL requires the user to install it as far as I can see - it doesn't auto-run the installer package.

        I've seen the MacDefender and MacGaurd pop-ups appearing a LOT recently when following links from Google's search results en-route to reputable sites. It's the social-engineering aspect which always was, and still is, the weakest link.

        1. Herba

          Got it on a link and it didnt auto-install

          indeed, i got it from a google link yesterday. It did downloaded automaticly without asking but at the install step I got a confirmation pop-up. In fact, nothing can be install on my mac without prompting for the password and I didnt changed any settings regarding security.

          1. Anonymous Coward
            Angel

            and that means

            you are already screwed.

      3. Peter Gathercole Silver badge

        On modern Linuxes

        the first account setup is an 'admin' account, but by default this gives them very little additional access to the system. What it does, however, is add them into the "admin" group which is setup so that they can use sudo when required to run commands with enhanced privileges. Thus in normal day-to-day use, the system is safe, and you can just worry about things that fire up the request for the password.

        If you set up additional accounts without adding them to the "admin" group, they will not even be able to run sudo or use any of the additional commands that need sudo access to run (like package managers, for example). This makes those user accounts safe even from users who click "yes" to everything. Their personal information is still vulnerable, of course, but they will not be able to touch any of the system files or directories.

        I though that OSX was the same, but if there are application directories that can be written to by one of these accounts without needing to use sudo, then it's security is significantly weaker than I thought. I will thus nod to everybody who has been saying that OSX no better than Windows, admitting that I was not totally correct, but point out that it is still better than the all-or-nothing situation in the pre-Vista Windows world.

        1. jcipale
          Flame

          On Modern linuxes...

          They buggered the pooch by disallowing the 'Root' account (now one must go in and finger-f*** the init files to enable a root login.

          The prior linux/unix security mode worked perfect, until they started to futz with disallowing root login and forcing sudo. This, IMO is a much greater security hole than they had before. And many of my long-time linux/unix peers agree.

          Trying to 'simplify' linux to appeal to mac-lusers and windows-whiners creates a set of problems which never existed before.

          1. Anonymous Coward
            Boffin

            Why I avoided Ubuntu like the plague...

            And use the upstream Debian instead. Debian has it the other way round: Sudo disabled for all users by default, and a root password is mandatory. Counterintuitive to Win9x users, yes. But I was sold on the idea of safe computing on the very start. Granted that I do log in to the root account from time to time to perform dist-upgrades, but SSH on the box is disabled, and it's behind one helluva tight firewall on a separate dual-homed BSD machine. Tight as in nothing gets in or out- the computers can only connect to the internet via a set of proxy servers (Squid, Socks and RTSP) set up on said firewall.

            I also find Debian's sudo disturbing- why does it grant superuser access with just the standard user's login? Asking for the root password (like OpenSuSE's sudo does) is the correct thing to do!

  2. The Alpha Klutz
    Boffin

    I guess that's the way

    the cookie crumbles.

    1. P Zero
      Jobs Horns

      YYYYYYYYYYYYYYEEEEEEEEEEEEEEEEEEAAAAAAAAAAAAAAHHHHHHHHHHHH

      The post is required, and must contain letters.

    2. studentrights
      Jobs Halo

      Your cookie crumbled?

      The user still has to approve the install, even if it doesn't require a password.

      If you're going to approve the install, then you would have given it your password anyway, because you want to install it, right?

      This changes nothing.

      1. pan2008

        why is that different?

        Do you think you don't have to press OK in Windws to install something, it just installs by itself? There is always some button but to novice as most of us are it looks like a ligitimate OK. Macs are less secure than Windows generally speaking, they are just not attacked as much. Expect more similar stories in the future.

        1. Joe 35
          Thumb Down

          "There is always some button"

          Nope, that the issue, there isn't ALWAYS "some button". Google "drive by installs"

        2. Zippy the Pinhead
          Stop

          @pan2008

          Not with a silent install. I can push pretty much any application I want to a PC on my network and many times the user on the other end will have no idea I've done anything until they restart their computer.

      2. Anonymous Coward
        Anonymous Coward

        "If you're going to approve the install, then you would have given it your password anyway"

        Providing that it's actually your machine and you have the password, that is.

  3. Anonymous Coward
    Anonymous Coward

    This changes everything, again.

    I can hear a million hearts breaking across the world right now.

    #smugnessfail

  4. Anonymous Coward
    Jobs Halo

    THE REG LIES AGAIN

    This so called "story" is a complete fabrication.

    Macs are super special awesome and never have viruses. They are soooo much more secure than everything else.

    Reg reporters need to learn to be a real reporters and do some research... This is completely false. Nothing, not ever Fort Knox, is more secure than Apple.

    1. Paul_Murphy

      Wait...

      Is this sarcasm? irony?

      I think the all caps heading means it's a bot doesn't it?

      so hard to tell nowadays.

      ttfn

      1. Doug Glass
        Go

        Yes, No, Maybe ...

        ...press the button to choose.

    2. Anonymous Coward
      Joke

      The only reason Macs have 'no' virusses

      is that Apple charge the devs a bloody fortune for the license to write them :D

  5. Anonymous Coward
    Anonymous Coward

    Hahahahahahahahahahahahahahahahahaha

    Welcome to the party.

    At least MS admits its problems and attempts to fix them.

    Enjoy your FUD fanbois.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Umm

      I think Apple already admitted the problem and is attempting to fix it via software update?

      Did you miss yesterday's news? http://www.theregister.co.uk/2011/05/25/apple_acknowledges_macdefender/

      1. Ilgaz

        will they dare?

        Number 1 problem is "open 'safe' files" default setting, notice the quotes there, put by Apple themselves!

        You can also make "Downloads" non executable, UNIX has that capability but, they won't dare as it will create serious usability problems and idiot developers still insist on not using OS X installer (including browser makers) so, drag&drop would be effected.

        If I was Apple, I would assign couple of developers to anonymously contribute data to Clam database as Clam guys have problem understanding Mac threats and taking them serious.

        1. Barry Lane 1
          Troll

          @ wil they dare?

          "Open safe files" has not been a default setting for a couple of years now, plus a Mac user would have to be as dull-witted as the average MS fanbois to actually install this POS. All right, I'm just trolling you there, but there are countless people with pee-cees and Macs who happily click on anything they think looks interesting or, better still, free. Most of humankind who use a computer haven't the faintest idea what makes it tick. I drive a car, but if it went wrong and I had to fix it, I wouldn't know which end of a hammer to hit it with. You and I might be cynical and clever enough not to click on an "install trojan now" button, but there you are. Maybe we're just lucky.

          I use Macs and I have Intego Virus Barrier installed on all three (no, this isn't an ad for Intego) and have done so for several years. Now that Macs are becoming so popular it is inevitable that the Russian Business Network or whoever is behind it would turn their attentions to the shiny stuff as well. They might be crooks but they're not completely stupid.

  6. Anonymous Coward
    Alert

    Double FAIL.. but not all Apples.

    So I was thinking about this trojan recently. Not just the Mac version, but the Windows as well.

    Ok, so first we have the actual transmission method of this trojan, which relies on poisoning Google's search results with links to the malware . Google's failure 1.

    Then Chrome, Safari and even Firefox (if you have Google's stuff) all have an option to warn about malware. They all are powered using Google's Safe Browsing feature, which keeps a central database of sites found to serve malware, but apparently not this one. So that's failure 2.

    Isn't that a lot of failing from Google?

    Isn't also Google now pushing out their ChromeOS, which - due to it's design doesn't run apps or let you install anything - is impervious to these type of attacks?

    I find the timing very convenient.

    1. sabroni Silver badge
      WTF?

      so this is Google's fault?

      no wonder you post anonymously.

      1. Anonymous Coward
        Anonymous Coward

        @sabroni

        "so this is Google's fault?"

        Well the fanbois have got to find somebody to blame for (a) there being a big hole in their OS and (b) their fellow Mac users being stupid enough to fall for it.

    2. Greg J Preece

      The reality distortion field at work

      Mac screws up, blame Google!

      If I remember correctly from the original article, Safari will auto-open any file it recognises as being "safe", which is part of the problem. Wouldn't you call that a massive fail from Apple?

      1. Anonymous Coward
        Anonymous Coward

        @Greg J Preece

        I did say in the original title, FAIL but not only Apple.

        Apple of course is to blame here with the "safe" file opening, but surely Google being the ones pushing out the links and failing to update their own malware detection service has to share some of it?

        Like I said people on Windows are also being affected by a variant of this.

      2. Semihere
        Stop

        Re: The reality distortion field at work

        "If I remember correctly from the original article, Safari will auto-open any file it recognises as being "safe", which is part of the problem. Wouldn't you call that a massive fail from Apple?"

        The article's wrong though. Apple 'fixed' this issue several version of Safari ago. It no longer ships with the option checked by default, you'd have to deliberately turn that option on yourself.

        Fail averted?

        (although you're still right about the distortion field LOL)

        1. RAMChYLD Bronze badge
          FAIL

          Fail not averted

          Problem is, I've met tons of Macs users who had never, ever run System Update. Ever. Under the excuse of "It ain't broke, why fix it?".

          Seriously, the solution to this problem is to teach safe computing in school. Be it Linux, Windows, Mac OS, Solaris or BSD, if the user is gullible, then the computer is always at risk.

    3. Maxson
      IT Angle

      Unless...

      The files are included in torrents, or e-mailed to a user? You seem to be expecting google to administer the whole internet, which is not their job, they offer some tools to warn you about potentially malicious sites, but end users will frequently click through the warning, or - for the obvious reason - Google won't have a warning in place for that particular site.

      (Hint: The obvious reason is that it's impossible to make a system 100% impervious without dedicating a disproportionate amount of staff to it, and having that staff never make mistakes. Google's system, I believe, is automated, and needs to be updated to deal with emergent threats, they can't make it too automatically strict as it will make lots of false positives).

      1. Anonymous Coward
        Anonymous Coward

        @Maxson

        You missing the main thing here, this particular trojan has to convince users to install it by posing as an antivirus. It can only work (and barely) on the web.

        E-mail has no way of knowing the OS, the people behind the malware would have to pick either the Windows or Mac UI in advance. Plus people are much more into e-mail scams, I doubt anyone would believe an e-mail saying they have viruses, it's ridiculous.

        1. Anonymous Coward
          FAIL

          @A/C @Maxon

          Right you do understand what spam is?

          I will enlighten you, so you don't get caught.

          <Snip>

          Congrats you may have wone 1,000,000 english dollars. Click link to claim

          http://nationallottery.com (link actually directs to dodgy site in nowherestan)

          <snip>

          Click link

          Land on page, detect OS (VERY easy to do), redirect to correct page.

          Install....

          1. Anonymous Coward
            Anonymous Coward

            @AC 12:14

            So you click on that dogdy site link, it opens the web browser, which should then check the link against Google's Safe Browsing list, right?

            I don't see how does change my original comment?

            There is an anti-malware layer in most browsers these days even before you get into the operating system, be it OSX, Windows, or Linux. That layer IS NOT WORKING, although is advertised as doing so.

            That layer is also operated by Google. Why is no one seeing this?

            Forget your Windows or Mac preferences and look at what's going on.

            1. Wensleydale Cheese

              @Anonymous Coward 12:43

              "So you click on that dogdy site link, it opens the web browser, which should then check the link against Google's Safe Browsing list, right?"

              The "dodgy site" in both cases that my browser got redirected to this malware was Google Images.

              Google images is notable for its non-functionality if you have Javascript enabled, so even that safeguard is denied. I think you have a point.

              images,google.com 127.0.0.1 added to my hosts file

              And yes, I do all my work on OS X in a non-admin account, Just like I have always done on any other OS.

            2. Anonymous Coward
              Anonymous Coward

              Re

              So when the malware makers design a new site they have an EDI feed and send that data over to Google?

              Do you even know what a zero day exploit is?

              Can humanity really be this stupid?

              1. Anonymous Coward
                Anonymous Coward

                @Bullseyed

                You know what a zero day exploit is, really? How 1337, lulz. Loved the EDI bit, says a lot.

                This original trojan has been around for over 21 days with only 3 variants, the MD5 checksums and even the javascript download code are all well known.

                Google Images was one the main sources of the malware:

                http://thenextweb.com/apple/2011/05/02/bogus-macdefender-malware-campaign-targets-mac-users-using-google-images/

                Can Google really be this stupid and not remove these from search results or flag them on the Safe Browsing list for so long?

        2. Anonymous Coward
          Anonymous Coward

          "I doubt anyone would believe an e-mail saying they have viruses, it's ridiculous."

          It might be ridiculous but that wouldn't stop people from believing it.

          1. Anonymous Coward
            Anonymous Coward

            @AC 12:46

            Fair enough, they would believe it, but they would still need to go to a webpage to install it.

            There's no way the e-mail would include Windows and Mac executables of the "anti-virus" and still get through the e-mail AV scanners (fortunately those tend to work better than Google's Safe Browsing crap)

            End of the day, no matter the entry point, users still need to go to a webpage for an attack like this, and the primary provider of webpage malware scanning (Google) is not only not doing their job properly but also providing the original malware links as highly ranked search results in the first place.

            They also are beginning to sell ChromeOS where the inability to install malware like this (or any actual software for that matter) is one of main selling points. There is a clear conflict of interest here.

            1. Anonymous Coward
              FAIL

              Re

              "There's no way the e-mail would include Windows and Mac executables of the "anti-virus" and still get through the e-mail AV scanners"

              Fortunately Mac advertises worldwide that Mac "don't get viruses" so AV software is unnecessary. Without AV software the kit appears to run faster, so they can lie about being a better OS than Windows, while having no security!

    4. Anonymous Coward
      FAIL

      Soooo....

      ...if I use Bing or Yahoo I'm safe.

      Phew. Thankyou for letting me know.

    5. Anonymous Coward
      Facepalm

      Stop thinking right now

      It is not working for you and may cause further damage.

  7. Anonymous Coward
    Anonymous Coward

    Nice.

    *sits back, reaches for popcorn and 24oz Coke*

    1. Anonymous Coward
      Joke

      24oz coke

      Crikey...you planning to drink that, or go swimming in it?

      1. Anonymous Coward
        Happy

        24oz coke

        What he meant to write was - "24oz of coke"

      2. Aaron Em
        Pint

        Only a pint and a half

        I thought you lot *liked* things that came in pints...

        1. Havin_it
          Coat

          RE: Only a pint and a half

          >I thought you lot *liked* things that came in pints...

          Well, sure, doesn't everyone like elephants?

          1. Anonymous Coward
            Angel

            PMSL

            I just LOL'ed in the middle of the office you b@stard!!! PMSL....

  8. Magnus_Pym

    Eh!

    As an attack vector does 'Downloading to a different folder' seem a bit easy not to have been used before?

    1. Tony Barnes
      Thumb Up

      Does seem a bit obvious..

      ..doesn't it? Who needs complicated exploits when you can just alter the save path!

    2. Maxson

      Much of the reason for that...

      Is likely because Macs are only nwo becoming popular enough to be an obvious target...likely the issue isn't patched because Mac users always thought they were too big to fall, too.

    3. ThomH

      As above, my guess is...

      ... downloading to another folder is achieved by supplying an archive with an absolute path, and one of the built-in extractors failing to validate that properly. bsdtar is safe, so I'll guess it's a zip problem. The default set up also doesn't allow users to write to absolutely anywhere on the system, but it does allow them to write to /Applications, so whatever they're doing probably doesn't allow a write to anywhere.

      Yes, though, it's a big gaping hole.

  9. MCG
    Jobs Halo

    Question!

    Am I right in thinking that it's mainly users of the execrable Safari who are affected, since Safari has the option to open 'safe' files after downloading checked by default??

    1. Semihere
      FAIL

      Re: Question

      Safari doesn't open safe files by default anymore. It stopped doing that about 3 years ago.

  10. Anonymous Coward
    WTF?

    Apple screws up *nix...

    What the heck has Apple done to the *nix security model in OS/X? They must have done something bone-headed because there is no-way no-how that software can install on a *nix box without being a sudoer AND having to enter your password; its the only way to make sure it's a person doing the install and not some piece of bovine-excrement software. If they of the pomaceous fruit changed the security model to allow this kind of thing then I would stay away from the whole Mac family. Use Free BSD or Linux.. avoid Windows and Mac.

    1. Anonymous Coward
      WTF?

      What?

      I can install any software that doesn't need to change things like /etc or /var on Linux or any Unix under my own user, without sudo.

      Even run crontabs to start them again after system reboot.

    2. Rob Carriere

      That turns out not to be the case

      You can easily install software on any brand of *nix box without ever entering a password. You cannot install the software to one of the system directories, but stuff in your private ~/bin will execute just as well as the stuff in /usr/bin. The system directories are only interesting if you want to infect everybody on the machine (likely irrelevant on a PC-class box) or if you need SUID/SGID privileges. Unless you're trying to install a root kit or do vandalism along the famous "cd /; rm -rf *" lines, you don't.

      It is possible to remove this option, but that's hardly the standard "*nix security model".

    3. jeffo

      Re: Apple screws up *nix...

      I think you're confusing Admin OS X user with the Unix root user here. You have to enable root access in OS X, if you want it. This is never turned on by default.

    4. Ilgaz

      No, it is UNIX model

      Under UNIX, a user is free whatever to do in their home directory except installing "servers", especially stuff serving between port 1-1024.

      I use my system as a completely non priveleged user thanks to that model as I install my usual software to ~/Applications in my home directory...

    5. Anonymous Coward
      Anonymous Coward

      Yes they did, indeed

      Apple did do a hamstring job on the underlying BSD security model. They bypassed it.

      No doubt, I'm sure they thought they knew best.

      Its a sad mistake oft repeated.

      1. Peter Gathercole Silver badge

        @Craiggy

        It's still the UNIX security model, it's just that the default user almost certainly has a particular group in their groupset, and the directory in question has group read-write-execute on it.

        It's been possible to do such things as this since the year dot, or at least UNIX V7 circa 1978.

  11. Thomas 4
    Dead Vulture

    There's an error in the article

    It states that a Mac was infected by malware, which is clearly a mistake. Only PCs suffer from malware.

  12. Annihilator
    Coat

    Sits back

    I'm just wondering what the come-back will be... *watches with interest...*

  13. jeffo
    Thumb Down

    Wrong!

    If you read the blog you linked to: http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ it DOES NOT download to the Applications folder, but to the downloads folder. The user still has to go through the installation process, just will not be prompted for a password.

    I don't think there's any way on Mac or Windows for a file to decide where it downloads to, other than the default or selected download folder. Also, if it did downlaod to the Applications folder, it would just sit there, as it would never run without an installation script adding it to the start up items.

    But hel, why spoi; a good story!

    1. Dan 55 Silver badge

      "it would never run"

      It doesn't matter where it downloads, Safari's default action is to run installer packages as they're considered 'safe' and installer packages can install an app somewhere in the user's home directory and add it to the startup list on login without asking for a password.This is not a good thing.

      The automatically open safe files option is an accident waiting to happen, it shouldn't have made it into V1 of Safari let alone survive up to V5.

  14. MrCheese
    Boffin

    This is only the beginning

    Now Apple have got salemen, managers and executives up and down the country braying for the latest frutiy status symbol regardless of the technical ramifications we're only going to see more of this kind of thing.

    Think about it, anyone in a business organisation with an i-device is probably fairly high up the org chart and as such it's making the marks easier to identify, just target the iOS/OSX platform and you've already seperated much of the wheat from the chaff in any company.

    All that remains to be seen is how Apple respond to the threat, in theory having a linux-derived OS should make it easier but how much are they willing to break the seamless UX in the name of safety and security and mundane things like that (mundane to the marketing wonks that is).

    1. Paul_Murphy
      Coat

      ooh - fighting talk

      >having a linux-derived OS

      I'm sure someone will have something to say about this (when they have calmed down and stopped frothing at the mouth).

      he he

      ttfn

      1. ThomH

        @Paul_Murphy

        Allow me: OS X contains a BSD layer, derived from BSD. Because it has a terminal, it also contains a bunch of open source components that you commonly see included in Linux distributions. WebKit is notably a fork from KHTML and KDE is generally closely associated with Linux distributions. There's even a rootless X11 manager if you want to use it (though I don't think it's a default install).

        So, fine, technically it's not Linux-derived because its original development predates that of Linux and Linux is just a kernel, whereas OS X explicitly uses a completely distinct kernel. But it's quite accurate to say that it shares a large code footprint with what people idiomatically call 'Linux' and that at least some components were part of idiomatic Linux before they were part of OS X.

        I'm sure that you could find a bunch of BSD, Linux or OS X people that would be angered by the statement, but hopefully not at as irreverent a site as this.

  15. Desktop Mobile
    Jobs Halo

    Steve's got it covered

    I can guess Steve' Face timing the board now!

    Based upon the Theory people only spend time writing malware for an Os with enough market share to make it worth while just treble the price!

    Returns will increase even though market share fall (some people like designers with buy a mac whatever the cost) and the malware problem will go away as the "developers" concentrate on erm... Windows

  16. Anonymous Coward
    Thumb Up

    and now

    the game is on.

  17. Steve Todd
    Stop

    Sounds like BS to me

    For two reasons.

    Firstly Safari doesn't give you any options as to where it's going to download files. Everything goes to downloads. How does this code manage that trick.

    Secondly even after you copy a downloaded app to the Applications folder the system will warn you that it is a download and do you really want to run it?

    1. Velv
      Pirate

      Platfom Independent - Education

      User gets message - "We've detected a virus on your computer"

      "oh dear" says user.

      Message says - "We've got a free fix for your problem - just click here and follow our instructions"

      User thinks - "ooo, this is a dangerous situation, but they've got a free fix, so I'll click it to fix it"

      System asks - "you're trying to run some really dangerous shit here, are you sure you want to run it" (or it says "Are you sure?")

      User thinks - "of course I want to run it, I've got an infection I need to clean up"

      Click, BOOM!

      1. Thomas 4

        The OS for the masses

        System asks - "you're trying to run some really dangerous shit here, are you sure you want to run it" (or it says "Are you sure?")

        This is the sort of message an operating system needs to give people, along with such favourites as "Stop clicking that fucking mouse button a billion times, I know you want to open up Internet Explorer to look at porn, I'm working on it. It's not my fault you didn't bother to give me a decent processor or RAM."

    2. Anonymous Coward
      Thumb Down

      Safari

      Preferences, General, eight item down, combo, there you can change download directory from Downloads to Other

    3. Anonymous Coward
      Anonymous Coward

      Wrong

      "Firstly Safari doesn't give you any options as to where it's going to download files. Everything goes to downloads"

      No. It doesn't. You *can* specify where your downloads go. Its been a user preference for a while.

  18. Wulff

    Admin password

    The attack is trivially avoided by not letting your main user account have administrator privileges. Fair enough, Apple should perhaps insist on the creation of a separate admin user when first running the setup assistant, but manually adding an admin & demoting the first user account to "regular" user is the work of moments.

    1. TuckerJJ

      pre UAC windows admin perms != OS X admin perms

      This isn't entirely correct as it implies that a user with admin permissions has total and unfettered access to the system - this was always a big gaping hole in Windows security until UAC, but with OS X an administrator account has always needed the user to enter a password for access to system files, prefs and other sensitive areas.

      The malware is using the equivalent of the Windows "install for current user" (as opposed to "all users") to avoid the need for an admin password. This does mean that even when installed it could only wreak havoc within the users account, not the whole system.

      I'm splitting hairs as this is still pretty shitty from the users point of view.

  19. clanger9
    WTF?

    So it still needs user confirmation to install then?

    What seems to happen is that an installer will pop up unexpectedly while you are sufing, yes?

    You would still need to click on "Continue" to proceed with the install.

    Wouldn't the sudden (unexpected) appearance of a "SoopahVirusCheckerOhYes Installer" window give the game away to most users?

    1. Spartacus
      Alert

      give the game away to most users?

      There's an old adage somewhere about underestimating stupid.

      For any mac'er who thinks he is safe because he has NOT entered his password, this is D-day..

    2. sparky66
      Thumb Up

      Correct

      You still have to confirm you want to install it, it just no longer requires a password. I can see my daughter panicking after clicking on a bad Bieber image and following the instructions out of fear she's going to get in trouble for wrecking the computer. The password part would have stopped her.

  20. Ocular Sinister
    FAIL

    Administrator?

    Are you joking? You log in as an administrator by default on a OS X? What? Have they learned nothing?

    1. clanger9
      FAIL

      Re: Administrator?

      Umm, not quite.

      On a Mac, "Administrator" != root

      Even as administrator, you still need to enter your password to carry out anything as root (via the sudo mechanism). Actually, I don't think there *is* a root account by default.

      "Administrator" has write-access to /Applications - a bit like a power user being granted write perms on /opt/usr/bin on Unix. They can install stuff that is accessible by other users, but they still need root privileges to do anything in /usr/bin...

    2. ThomH

      It doesn't mean what you think it means

      All the stuff you would need administrator privileges to adjust on another UNIX requires the entry of the user's password in a default OS X install. However, write privileges to /Applications are gifted without password.

      Acting as the default user, if you have to sudo to do it in Linux or BSD, you have to sudo to do it in OS X.

    3. Anonymous Coward
      Grenade

      Unfortunatly yes

      Much like XP the first user is created as an administrator (but not the root user). The number of bosses I have had to persuade not to let users run as an administrator say's a lot about what it takes to become an IT Director unfortunately my own brother wouldn't hear of it. I've even had a user leave the company in a huff when she was told she couldn't have administrator access to install software on the mac we provided to her to do her job. Still I can smile smugly in the knowledge that people who have trusted me to install a mac properly are safe and anyone who didn't can frankly suck on it because my problem it ain't!

      1. Kevin 6

        @AC Thursday 26th May 2011 12:46

        reminds me of the IT director at my 1st job when we had an e-mail virus doin rounds on the network

        He sends out an E-mail stating DO NOT OPEN ANY ATTACHMENTS YOU ARE NOT EXPECTING

        10 mins later he opens one(didn't read his own e-mail apparently), and re-infects the ENTIRE network(think 1000+ machines WE JUST finished cleaning)... Reason we knew it was him we traced the origination IP back to his machine, and when checking his machine we saw the E-mail... It read something like IMPOTANT TAX INFORMTION OPEN NOW (yes it was mis-spelled actually worst than what I put)...

        Thing most apple loving reg readers should understand is the majority of computer users are complete twats that will ok the install of ANYTHING that looks even the slightest bit legit, which most reg readers even piss drunk would notice something was up, and deny the install.

        Just look at how many complete morons fell, and continue to fall for the nigerian philantropist scams

  21. Anonymous Coward
    Anonymous Coward

    Welcome to the mainstream

    See title. Fanbois keep your fingers pressed firmly in your ears while going 'lalalala', I hear it helps with malware infections, errr I mean not-malware infections.

  22. g e

    Security through obscurity

    Given the degree of obscurity Apple obsesses with...

    Hark! What's that?

    It's the sound of a million unpatched Apple devices spamming you

  23. nigel 15

    my favourite fanboi quote

    "Ignorant Mac users are only downloading and installing this App because they believe that Mac viruses exist - a myth perpetuated on this forum and others. Anyone who knows there are no OSX viruses is not going to be fooled into installing this trojan App...."

    in case you think that is a joke, I did, it is not. you may have missed it but he is drawing a distinction between a trojan app and a virus.

  24. Anonymous Coward
    Happy

    Flip

    Here's a thing...I've got a w7 machine that's had WSE installed since day one. It hasn't picked up a single infection/Trojan/malware etc. Needless to say, neither have my 2 OS X boxes.

    Am I visiting the wrong parts of the Internet maybe?

    1. El Cid Campeador
      Badgers

      Spin the cylinder, pull the trigger.....

      You've been lucky. It doesn't happen all the time, but legitimate sites can get the ads hijacked. I had one of my users call me over to his desk because he'd been on a well-known news site and his desktop was covered with scareware popups. The funny thing is that I was on the same site at the same time and saw nothing--why? While we were both using Firefox, I was using AdAware/NoScript/RequestPolicy which kept the offending ad from running.

  25. jpaylor
    Megaphone

    Is this not a BROWSER exploit? Is OSX really to blame?

    Exactly how does the application download itself in the first place? I'm assuming it's via a browser, in which case is it not the fault of the browser software for allowing installation of software on the machine without first prompting the user to accept that download, as opposed to it being the fault of OSX for running an application as it normally would once it is installed?

    1. nigel 15

      safari or OSX two sides of the same coin.

      when that browser is safari and in shipping condition it allows for automatically downloading files and running them then apple is to blame. which particular part of apple is neither here nor there.

  26. The Fuzzy Wotnot
    Happy

    Well...

    How about avoiding going to iffy websites and clicking on banners without thinking?!

    Irrespective of the O/S, no amount of patching can stop an innocent and naive user digging themselves a bloody big hole to fall into and getting turned-over for their CC details!

    1. JEDIDIAH
      Linux

      The Flanders Effect

      > How about avoiding going to iffy websites and clicking on banners without thinking?!

      How about actually enforcing the bright line between data and applications.

      No user should ever need to fear data. However, in the modern "the user is too stupid to be bothered" culture, things are automated in a foolish way that leads to all of the virus shenanigans you see on Windows.

      If Apple has followed Microsoft's lead in this regard then shame on them.

  27. Anonymous Coward
    Alert

    Am I missing something

    If all it does is install an executable in the applications folder then a solution would be:

    Delete the executable (without ever running it)

    1. Anonymous Coward
      Anonymous Coward

      Yes, yes of course.

      But we're talking about end users here, the sort of person who bought a Mac 'because it just works' and they don't need to dick around knowing anything about computers so 'just delete the executable' might as well be a sample of noise from SETI.

      Like I said in another comment thread, treat your users like morons and pretty soon all your users are morons.

  28. Anonymous Coward
    Anonymous Coward

    See?

    For ages fanbois have made the assumption that OSX is secure and that they are safe from malware, based purely on the fact that there has been little or no malware for their beloved OS. In reality there has been little or no malware for OSX simply because nobody could be bothered with such a pathetically small user base.

    Of course presumably this means that the user base is no big enough for the black hats to bother with them. Surely they should be proud. Actually knowing the average fanboi's mentality they will accuse Apple of having sold out and try to find some even more obscure platform.

    1. Mike Moyle
      Coat

      @ AC 12:43

      "...they will accuse Apple of having sold out and try to find some even more obscure platform."

      ... Linux, perhaps...?

    2. sparky66
      Happy

      Free from malware?

      Really? I don't think anyone ever thought Macs would be free from malware . After all, RealPlayer ran on Macs.

  29. Lorlen
    FAIL

    Disappointed in general maturity level of ms fanbois

    It's quite sad that people get so happy over the further spread of malware purely because it is infecting a mac. People who use windows have a lot of things to worry about, people who use linux/unix have a few things to worry about and people who use macs also have a few things to worry about. How is any of this a 'good thing'?

    1. Anonymous Coward
      Anonymous Coward

      Re

      When liars are exposed, the truthful and honest rejoice. There is something along the lines of that in the Bible, but it may not be in the St. Jobs edition you keep in your nightstand.

    2. Figgus

      Re: Disappointed in general maturity level of ms fanbois

      Maybe if the smug Apple fanbois hadn't rejoiced so much about Windows viruses I'd see your point.

      1. byrresheim
        FAIL

        Rejoice? About Win diseases?

        Resigned to it is the word. Just one of many examples: a few years ago, my then GF bought a computer (Win, at the instigation of her sister, who thought she needed one). Obviously pains were taken to avoid any input from me.

        It took said sister two days to get the thing infected w/ everything on the book. It then turned out that the install disk had somehow not been included in the package & ... & ... & ...

        As all three of us were freelancers at the time, it could easily be computed that the combined waste of time would have paid for an extra powerbook for the sister as well.

        So now, after 20 years of carefree mac usage the time has come to be a bit more careful than used to be necessary and I'm supposed to shed tears?

        Utter nonsense.

    3. Anonymous Coward
      Anonymous Coward

      When someone calls you immature, just say ...

      "When liars are exposed, the truthful and honest rejoice. There is something along the lines of that in the Bible, but it may not be in the St. Jobs edition you keep in your nightstand."

      And there was much schadenfreude, and the Lord saw it and it was good.

      "Maybe if the smug Apple fanbois hadn't rejoiced so much about Windows viruses I'd see your point."

      They started it!

    4. Anonymous Coward
      Headmaster

      Spectrum vs. Commodore or ST vs Amiga

      It's just like the playground again in here today, this time involving grown adults goading each other and enjoying the suffering of others.

      Time to go down the wood-work block, the teachers down there always treated you like adults!

  30. Matthew 17

    This certainly never used to be possible

    You don't run as root on OSX so to install something you'd need sudoers permissions so any application that wanted to install would prompt for a password. If Apple / Safari / Whatever have altered it that users who are in the sudoers list effectively run as root all the time then something has gone astray. That said I've never been able to install software or alter the system without being prompted for the password so I suspect that it is as was and there's more to this exploit.

    But it's nice to see that the MS fanbois are rejoicing that OSX could be as shit as theirs, but I still won't be installing any anti-virus software on my machines, will just stick to an Application-based FW (Little Snitch) for the time being.

  31. Flocke Kroes Silver badge

    Only for utterly clueless newbies

    The article said this trojan requires a newbie to run a browser as root. The embarrassment is that running a browser as root on an Apple does not require sufficient computer literacy to know better.

    How to download to a different folder (these are oldies that should have been fixed years ago):

    *) Create a symbolic link to /Applications or ../Applications

    *) If the naughtiness scanner runs too early and is only looking for / as 2F, try C0 AF, which is converted to / by defective UTF8 decoders.

    *) If naughtiness scanning is done way too early, you can get away with %2F or &#2F;

    *) If the programmer was utterly incompetent, he will let you start a file name with $(echo $'\57')

    1. ThomH

      See above

      The default user is an Administrator in OS X parlance. Such privilege is not the same as and is significantly less than root.

  32. Dennis Wilson

    Same old story

    "After advising support staff not to help users who might be infected by MacDefender for at least a fortnight"

    Apple, you are a gem. I cannot thank you enough for your part in dispelling the myth that the Mac is bombproof and bulletproof. Your delivery of the Microsoft crap-shoot was timed to perfection. You have now replaced Sony as my rodent of the year.

    Respectfully yours,

    All pc users

    1. Giles Jones Gold badge

      Nobody does malware support

      Ring up Microsoft support and ask for help about a virus, they will hang up the phone and charge you a fee for wasting their time.

      No OS vendor helps you with malware.

      1. Oninoshiko
        FAIL

        maybe you should look it up before you make an assertion...

        I think you are mistaken. Not only does MS provide malware support, they provide it without additional charge to end users.

        http://supportservices.microsoft.com/support/services/virus_malware_removal

        Now, a legitimate problem they will charge you insane fees and maybe not come up with a solution, but on malware they will support you. (full disclosure: I have never utilized this service)

  33. Anonymous Coward
    WTF?

    Stuck

    Can someone help me? I've got the program and the installer opened. I have to click continue to install it though.

    I thought this thread was about some sort of Mac virus? I've never come across a bit of malware where you have to say yes to it being installed, so I assume I have a different bit of software here?

    1. ElReg!comments!Pierre
      WTF?

      WTF right back at you

      "I've never come across a bit of malware where you have to say yes to it being installed"

      Oh really? It's been a while since I last saw one that DIDN'T. Lusers like to say "I didn't do anything, it installed by itself", a bit like how lazy pupil's dog eat their homework. 99.9% of the time it's pure bollocks, and the admins know it.

  34. Rowley

    Change your users!

    Create a standard user and use that account. That negates most, if not all of this "auto install" stuff, as you will need the admin password to authenticate anything going into the applications folder.

    1. Rob - Denmark
      Thumb Up

      Ehm...

      Yep, the average user will totally do that.

  35. Wade Burchette

    This is how malware beats Windows too

    On Windows Vista and later versions, any change that affects all users requires the UAC prompt, unless it exploits a security weakness. Most malware does not exploit weaknesses. Instead, what malware now does is to install in a folder specific to the user. In Windows Vista, this is usually the %localappdata% folder (c:\users\<my name>\appdata\local\). If it installs there, there is no UAC prompt, but the appdata folder is also hidden so most people don't know to search there. So now the malware creators have discovered that the same trick to avoid prompting for a password in Windows now works on Macs. If the file installs in a location specific to the user and not the system, it beats the password.

  36. wheel
    FAIL

    But you don't need to be in Applications anyway...

    While obviously delighting those Windows and *nix users who have axes to grind, I'm not sure that this is much of a story.

    Sure, you don't have to enter an administrator's password to install it. But you still have to manually go through the installation process. Nobody will install this software without knowing they are installing it.

    Furthermore, it would only work with machines in a home environment; any restrictions on user privileges would mess it up. So the only increased risk comes from someone who has access to the machine but not the user password, and who is concerned by viruses. The lesson? Give your kids their own, non-administrator, accounts.

    For those who are gloating about the security flaws in Mac OSX, perhaps you should note that this malware will not spy on you, turn your computer into a botnet zombie or try to infect the rest of the world via evil email attachments. No, instead it asks a user for their credit card details, hoping that they will be stupid enough to put them in.

    Perhaps this kind of software has started appearing on the Mac because so many idiots who used to use PCs are switching? ;-)

    1. Brian
      FAIL

      'Safe files' are executed automatically.

      "But you still have to manually go through the installation process. Nobody will install this software without knowing they are installing it"

      - re-read the article. 'Safe files' are executed automatically, the application auto-installs.

      "For those who are gloating about the security flaws in Mac OSX, perhaps you should note that this malware will not spy on you, turn your computer into a botnet zombie or try to infect the rest of the world via evil email attachments. No, instead it asks a user for their credit card details, hoping that they will be stupid enough to put them in."

      Yeah, it just tries to steal your identity. We know everyone is too smart to allow this to happen, that's whey identity theft isn't a problem.

      I don't see any reason why this application couldn't do every one of those things, even though it doesn't do them now.

      1. ThomH

        @Brian

        Safari defines 'safe files' as: movies, pictures, sounds, PDF and text documents, and disk images and other archives. It doesn't include executable files. Having read some other sites on this issue today, it seems that the program comes as an installable application archive. So the OS launches the standard package installer, prompting the user to click onward to install the app. They have a few screens to click through, including one where they select a target drive and then confirm the installation location.

        Anyway, 'execute' is the wrong verb. Safe files are opened. You can't throw arbitrary executable code onto a Mac using Safari's built in, designed behaviour.

      2. clanger9
        FAIL

        Re: 'Safe files' are executed automatically

        The article is wrong. The application is not auto-installed.

        What it does is auto-open the Mac OS installer and ask if you want to "continue with the install?"

        A subtle (but important) difference.

    2. Bob Camp

      LOL

      The trojan doesn't announce, "I'm a program that will do nasty things to your computer. Please install me by clicking this button." It quite often pretends to be a virus scanner itself, and prompts you to click "OK" to remove the detected virus. Or if somehow you are redirected to the bad web page (or a good page that's been hijacked) and try to navigate away, you get this choice in a pop-up window:

      "Warning: you are navigating away from this web page."

      The left button says "OK".

      The right button says "Cancel -- stay on this page".

      Guess which button installs the trojan? (Hint -- it's a trick question)

      As far as using non-admin accounts, some software insists that you be logged in as admin to run, or the software simply works better. If you call tech support, the first words out of their mouth will be, "Are you running as admin?"

      Also, home users don't use admin accounts because they are asked for their password too often, usually for the most trivial things. It becomes so annoying they just run as admin instead. I bet most Mac users are uneducated about security and don't even know the difference between an admin and non-admin account. I bet most have null or easy-to-guess passwords too.

      I tried setting up a PC and a Mac so the main account was a "regular/managed" user, and had to switch them to admin because I was getting phone calls every day.

  37. nyelvmark

    Oh, my god

    ...even the scammers are becoming fanbois.

  38. Anonymous Coward
    Jobs Horns

    Finally!!

    Malware that "just works"!

  39. Kay Burley ate my hamster

    Anonymous Coward

    Hey Ms Bee? Can we have a filter added to the comments, I find it hard to follow if the same Anonymous Coward is posting or multiple cowards, there are so many to scroll past....

  40. yosemite
    Jobs Horns

    Schadenfreude

    is a beautiful thing...

  41. Anonymous Coward
    Anonymous Coward

    Yes, we had it coming, but...

    The comments so far are a bit like laughing at a life boat sinking whilst watching from the Titanic.

  42. Anonymous Coward
    Anonymous Coward

    Interesting

    So how do they bypass the requirement for the user to write the password to access system files? Or how do they download directly to Applications?

    No reason to be anonymous, just testing V for Vendetta icon

  43. Anonymous Coward
    Anonymous Coward

    Dear God,

    Won't somebody think of the hipsters?

  44. Anonymous Coward
    Linux

    Oh, for flip's sake...

    Frankly, *anyone* using an administrator account as their normal user login, is practically asking for trouble - that applies whether you're on Mac, Windows, Linux or whatever.

    Ah, no, that would mean getting "normal" users to enter their password when they have to do something potentially dangerous, and noooooooooo, we can't be inconveniencing folk like that, can we?

    Tux, because running Linux since 2003 has taught me a couple of things... ;-)

  45. Stevie

    Bah!

    I've known for over a decade that the only secure way to browse the web was to use someone else's computer to do so.

    It was inevitable that malwarez would start migrating into the mac world because (and I know that this will be hotly disputed because mac fans have been denying this as the reason they've been "safe" for years) Apple has finally gotten a machine onto the market that has stolen the PC shiny and then some.

    I speak of course of the iPad. Malware developed to attack the mac can be seen by those not too blind to smell the coffee as testbedding an attempt on the world's most ubiquitous dimwit-user device.

    I'm not saying all iPad owners are dimwits, I'm saying the device is marketed as one which is easy and safe to use by the computer illiterati. Such people are, of course, the main vector for viruses, trojans and Azathoth knows what else in Wintel universe.

    And if you don't think people will be banking via these things before long, you have no grasp of long-term market strategy. Right now it is a useful toy, but that isn't where Apple sees the device staying or they aren't the company that revolutionized the recorded music industry.

    Again, it isn't about Schadenfreude, it's about the company policy on admitting to a problem. I thought people clever enough to pick Apple machines already subscribed to the essential idiocy of Security Through Obscurity, but here they are being distracted and failing to tell the man behind the curtain to Grow Up before their beloved machines are just PCs with a thousand dollars stapled to the case.

  46. Tim Jenkins

    Anybody noticed the bad grammer?

    Looks like the bad guys are using the same chap who translates all the phishing emails:

    "To help protect your computer, Apple Web Security have detected Trojans and ready to remove them."

    (http://sophosnews.files.wordpress.com/2011/05/mac-malware-06-big.jpg)

    Shame no-one reads anything anymore...

    1. Fibbles
      FAIL

      grammer...

      Seriously?

  47. ElReg!comments!Pierre

    I kept that for a Fry photo-novel but here it is

    What is the difference between Macs and PCs?

    By Stephen Fry, National Treasure(TM)

    Macs are mostly immune to malware because they are based on the UNIX security model. That is, any piece of software is run with the rights of the user who launched it and cannot affect the system. That is achieved by using slightly different coding: whereas programs on a PC are executed as 0s and 1s, which are generic, Macs use a user-specific coding, based on the user name. In my case, "Fry"s and "non-Fry"s. Of course programs need to be translated from more generic formats used for distribution (the internet can only carry 0s and 1s), which needs to be done in hardware because software would be too slow. That is what the EFI is doing which is why the hackintosh guys need the EFI, and that is also why in smaller devices like the iPhone rely exclusively on the App Store for software distribution: the EFI necessary to translate 0s and 1s into Frys and non-Frys (in my case) won't fit in the case, so the translation has to be made directly on Apple's server before the app is sent to the device. This is also why Flash cannot run on these devices.

    This makes Macs invulnerable to self-propagation viruses as well, as viruses need to be written in 0s and 1s to be transported, so they only run on PCs.

    There is an added bonus to that model: obviously, a "Fry" (in my case) carries more information than a 1. Three times as much to be precise, although it obviously depends on your name. More information means faster computers: that is the reason why Macs are faster than PCs. They are not 3 times as fast, because the extra information is only carried by Frys, not by non-Frys (non-Frys, like the 0s in PCs, are only empty gaps). So in my case the speed gain would theoretically be 1.5 times. It is actually smaller than that (roughly 23%) -and independant on the length of the name- because it is limited by the laws of physics: all the information is carried by electricity, and the faster the electricity goes, the hotter the computer gets. When the computer gets too hot, the electricity has to be slowed down (the electricity brakes are what makes the noise you can hear whe your computer gets hot), which limits the maximum speed of the computer. Whith the developpment of optical computing this limit might disappear very soon. This is interesting as it will allow PCs to run at or close to the speed of light; as Macs are faster (due to the better bit efficiency discussed above), they could theoretically run *faster* than the speed of light, effectively *travelling back in time*. How cool is that? Of course your Mac will not physically travel to the future, or even display a webpage before you actually clicked the link, that is not possible (and that would not be very practical), because of other constraints like the need to display the results on the monitor. But as the computing itself will travel back in time, any operation would only take the time it takes to display the result (1/100e of a second on a 100Hz monitor for example). That really opens exciting perspective, especially for Poland (where they have very long names).

  48. Getter lvl70 Druid
    Alert

    You do realize...

    “If you can make God bleed, then people will cease to believe in Him” - Ironman 2, 2010.

    Apple has always promoted the idea they were invulnerable to the black hats and I believe the black hats bought into it over the years and never bothered to try. Now it's on and I don't think Apple is as badass as Ironman.

    Just saying...

    1. Greg J Preece

      Deep, dude

      Deep

  49. Anonymous Coward
    Flame

    I know I am being a spoil sport, but ...

    1. To be able to log in as root on OS X requires some special fiddling. By default, "administrator" means someone listed in the sudoers file and, by default, this is configured to require the user to enter his password again. So, no matter what a browser does, if you started it as a normal user, even with access to restricted directories using sudo(1), quite apart from the usual checks that user will be asked for his/her password. Since most people do not even know about the sudoers file and even fewer understand the syntax, despite the manual pages, I doubt that the average user changes this.

    2. A belt and braces approach is, as said several times above, to keep sudo rights restricted to a specific user NOT used for normal working. Personally, I am aware if asked for my password and tend to trust that.

    3. Yes, a programme can be loaded freely into one's own directory, /var/tmp, drop box, downloads and so on and run from there. If the programme tries to do anything privileged, you will be asked for the password again, unless you have let it be setuid to root; but then you would have to install it as root.

    4. The most malicious programme run by you in normal user mode can do little more than corrupt your personal directory space, unless of course you have changed bin or applications to mode 777 for the sheer fun of it.

    5. Darwin really is a BSD off-shoot, for which the source is freely available.

    6. One can argue about if it should be made harder for a user to tick the box for admin. access (via sudo(1)).

    It is clear from the postings that few have used OS X recently and even fewer know much about UNIX (or Windows or Linux for that matter)..

    1. Rob Carriere

      Ah yes, but what sport are you spoiling?

      Your 1, 2, 3, 5, and 6 above are fine points. Sadly, number 4 is a serious underestimation of what can be done without elevated privileges.

      As you state, I could corrupt your personal directory space and, in the case of a network with a file server, any network directory you have write access to. Translation: your data is mine. I can read it and send the interesting bits to my server in Russia, I can alter it, trash it, whatever. I can also stash my stuff there -- and my stuff might well be illegal.

      In addition, I can use your network to zombie spam around the world (remember, I can bind to any port above 1024). I can also use that network to contact my command and control server. I can use cron to make sure I run at regular intervals even in the face of reboots.

      I can use the debug facilities to log your keystrokes or do ugly things to your browser when you visit your bank. Or I can think that's too complex and simply manipulate your configuration, so that when you think start your browser (or e-mail client, or whatever program I fancy), an executable of mine is started instead.

      To cut a long, ugly story short, give me access to your personal bin and I may not own your computer, but I do own you. For most criminal purposes, that's enough. And if not, I'll have the password the next time you enter it in response to some legitimate query.

      Fortunately, we're not that far down the road yet, but let's please not kid ourselves about what is and isn't possible. The OS security models (Unix, Windows, Mac OS X, heck, VMS or OS/360 for I care) were developed to protect users against each other, not to protect a user against himself. Consequently, they offer no protection against a threat that pretends to to act in the name of the current user. This is why buggy browsers are so dangerous: you have a program running with current user privileges and it is executing foreign code. If the browser sandbox fails, there is no further defense.

      1. Anonymous Coward
        Anonymous Coward

        Yes indeed

        You are right, in that a programme/script can do anything that the user himself can do and, yes, port > 1024 is open to all and, yes, it is somewhat surprising to consider the possible ramifications of this in a network in which rather a large proportion of users may have more power than they should.

        However, in the panic being propagated in this and similar cases, the fact is that the majority of users at risk are on stand-alone devices whose main connectivity externally is probably syncing with their mobile phone or similar - which, however, suggests some very amusing possibilities (I for instance sync my Nokia over isync) or their TimeCapsule. With any luck, people who know enough to connect to other computers, even just mounting, say, a Windows machine partition, are a little more informed (though experience suggests I am being optimistic).

        But yes, you are right of course. And even a b-gg-d user home directory can be a pain of the 1st order.

        Just, I would not slate OS X on this account, any more than any other UNIX or Linux host.

        1. JohnG

          Standalone?

          "...the majority of users at risk are on stand-alone devices whose main connectivity externally is probably syncing with their mobile phone or similar..."

          Although one or two of them might connect to the Internet every so often, which some might consider to be their main external connectivity.....

  50. Mike123456

    This may already have been said...

    with OS X, and a standard (IE, NON admin account) you can download from t'interbewb, in safari, and the file can (CAN) auto run.

    Now, (here's the tricky bit for PC users to grasp) That downloaded executable can install to 2 places, one will require Admin authentication, the other not.

    Install to Macintosh HD/Applications <DOES> require an admin to authenticate.

    Install to ~/Applications reqires admin authentication UNLESS the logged in user is an admin, if so, it'll install with unfettered ease.

    It's all down to permissions, on Unix, you can install an app anywhere, if the folder's +x for the logged in user, you'll not have to authenticate.

    Now, for all the PC users on this forum shouting that they don't use admin accounts for their everyday stuff, well done, you've been around long enough, and have probably copied corporate best practice to your home machine.

    Undfortunately, shouting about that on an IT forum will get you nowhere, we are the early adpoters, and ahead of the mainstream, that's how we know stuff to keep a roof over our head (plus, shit loads of hard work) However, for every one of us, there's a gazillion numpty's who bumble along with admin rights (the platform's irrelevant)

    So, PC/MAC/Unix/Linux/Whatever they all have their foibles, ease of use in different circumstances, and different attack vectors.

    It's only now that Apple's user base has got big enough to gain the interest of the same virus, trojan, whatever, writers that PC users have been suffering for years.

    The Apple <lalala, I've got my head in the sand> attitude is not good enough, it will change. Because if it doesn't, then people won't buy macs, and they'll go into the doldrums that faced PC users for yeard.

    'Nix users, currently enjoying the battle from their glass houses, watch out, if Ubuntu keeps up with it's trendover the last few years, you'll be next.

    1. Anonymous Coward
      Gimp

      exactly where's the difference?

      Mike123456 wrote "Now, (here's the tricky bit for PC users to grasp) That downloaded executable can install to 2 places, one will require Admin authentication, the other not."

      PC usually refers to "Personal Computer", which also includes Macs.

      I will assume you meant "Windows users", but that only makes your statement even more confusing. Why? Well, you just described the way Windows has been working since Windows 2000. (I think that is when they clamped down the default directory permissions, though I could be wrong and it might have been that all the way back to NT 3.1)

      Us "Windows fanbois" have been bitching for a long time that there is nothing inherently safer about OSX. If the user is a careless idiot, then bad things will happen. To sum it up: PEBCAK.

      OSX' saving grace has been a dire lack of users. There is just too little to gain from pwnage, so why bother? (well, up until recently anyway)

      It is perfectly possible to run a Windows PC without any third-party security software what so ever. I keep Windows Defender running (to avoid an annoying warning), but other than that my personal system is "wide open" and have been for decades. Number of malware attacks: 0. (Sure, my inbox floweth over with malware threats, but I have managed to resist the temptation on installing any)

      In constrast, my wife's laptop has, over the last two years, been attacked twice. ESET managed to find the piece of malware a month or so after I had taken care of it myself.

  51. Ted Treen
    Jobs Halo

    Never overestimate users....

    Security researcher finds 'cookiejacking' risk in IE

    http://news.cnet.com/8301-1009_3-20066419-83.html?tag=nl.e757

    And I quote:-

    'From its point of view, Microsoft doesn't see much real-world risk to cookiejacking.

    "Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," Microsoft spokesman Jerry Bryant said in a statement sent to CNET.'

    Natch, MS users are far, far too savvy to follow instructions from a mal-site...

  52. DJ Particle
    Jobs Halo

    Seriously....

    Still. Not. A. Worm. </ysac>

    This one installs into the user's home directory, not the System directory, so of course it wouldn't require a password. There have already been Trojans like this on Mac. It's nothing new.

    Again: Don't be a PEBCAK, and this stuff won't happen. Plain and simple.

  53. Lord Lien
    Terminator

    Anyone else think Sophos ...

    .. developed this themselves?

  54. Anonymous Coward
    Grenade

    Am I missing something.

    Does not OS X security model allow any user to move an app to any folder including Applications because thex are not system folders and more importantly blocks the app from running no matter what folder it runs with wet another layer of security asking for yet another approval for all users on the system independant of the acceptance of any other users choice on the system?

    Or that if a user lets this run after acceptance of multiple warning check points that only their user directory is put at risk with the system and all other users still protected.

    Once the MS fanbois stop their frothing at the mouth in a DEVELOPERS DEVELOPERS DEVELOPERS inspired monkey madness and realise their 10+ years ignorance of all things OS X is shining through stronger than it ever has before they may find el reg is days and in some cases weeks behind with such stories and have curiously ommitted the details that make it less likely for a juicy fight to errupt.

    You ignorant masses are so easy to lead by the nose in any direction wanted.

    1. Arthur Kater (12345)

      The way you react...

      You react like if someone says something about your religion you don't agree with...

    2. Bob Camp

      Yes, you're missing something

      Trojans affect all platforms. Trojans are not labeled "infect_or_delete_all_files.exe", they are labeled as something nice and friendly. Since most home users are running as admin, and they only have that one user account, and no password is needed to install it, the trojan looks innocent enough. The user will happily click through all those prompts. Maybe the prompt for an admin password would slow them down, maybe not. But for a long time, Linux, Unix, and OS X fanboys have said that malware was not a problem for them because:

      1. It is impossible to install a program without permission. Well it turns out permission is very easy to give, and most home users can be tricked into giving it with a simple click of the mouse. Not even a password is needed.

      2. The malware only affects that user. Well, if that user is admin, as is the case in most home installations, it can affect all users. The OS may be unharmed, but it is easy to replace. All the other important data like photos, financial files, etc. can be affected and are not so easy to replace. Plus, most home PCs just have one user, so malware installed on one user account can affect all people using that computer.

      3. The OS is secure as long as the user is smart. Well, if you're targeting the computer-illiterate market as Apple has been doing, the majority of your users aren't proficient in PC security. They are the exact opposite. They're counting on your product to help them out. Your product has to share some of the responsibility. It needs to identify malware and warn the user in big, bold letters that he about to do something he will regret.

      4. No viruses exist for my platform, so it must be safe. Well, that can change in a hour without warning. I don't think anyone here would use that argument, because it's obvious the absence of something doesn't mean it can't happen. But certain fruity companies have used it.

      There is always a balance between security and convenience. It looks like Apple may have to adjust the balance a bit.

  55. Anonymous Coward
    Anonymous Coward

    Install on a Mac isn't the same as install on Windows

    When a Windows user "installs" an app that's usually an involved process that allows the app to do whatever it wants to the system--change file associations, set itself to run at startup, etc. etc.

    If a Windows app were to silently install itself that WOULD be a huge security breach.

    OTOH "installing" on a Mac basically just means you put the application's file in a more convenient, standard place. It won't run itself on startup or in the background etc. So who cares? You will still have to seek it out and run it for it to do anything bad, and at that point you will be warned that the app was downloaded from the internet and so on.

    Anyway I guess this is bad but I'm sure not worried about it and it's not going to make me switch to a different OS or install some kind of anti-malware software.

  56. Arthur Kater (12345)
    Grenade

    It's just the beginning

    Password, no password, that's not important. What's important is these visrusses get attention. And that's one of the reasons virus writers spend lots of time to develop them.

    MS has had some very bad experiences with visusses, and took action. They spent a fortune on making WIndows safe. Not all their methods where accepted with big enthousiasm, but in general, Windows is pretty safe.

    Apple hardly spent energy in making their OS safe. They where just lucky not many virusses where out there targeting them, which gave their users the false inception of a safe OS.

    I have no good word for virus writers. I think they are scum bags. But, I must admit, I would love to see Apple struggle when virusses target their systems.

  57. foo_bar_baz
    Jobs Horns

    Circle the wagons

    Apple will use this to tighten their grip on the OSX platform and raise the garden walls. Can you say application store?

  58. Keith T

    the religious devotion and technological innocence

    It is sadly pathetic, the religious devotion and technological innocence of Apple fanbois.

  59. Anonymous Coward
    Anonymous Coward

    What's that sound?

    It's the sound of a million apple fanboys screaming "Yeah, but....!"

  60. Volker Hett

    So "root" is a home user?

    Or are there OS X versions I haven't heard off?

  61. Jonathan White

    sigh

    "It is sadly pathetic, the religious devotion and technological innocence of Apple fanbois."

    But only 32% as sad as using the word 'fanbois'.

    Jon

  62. Anonymous Coward
    Mushroom

    there is no virusees for MAc

    and if u just wacth theeeeis imovie movie i made it will proo00ve it to u. once again i made theeee soundtrack in garage BAND and it plays on mi ipod so can u doo00o that with windows NO U CANT. that is Y mACS R better mate I am getting VERY angry with u.

    pls take this story down now because every1 noes the sm00ooth operatoin of macs is the better than PC and we dont puta up with you mistakon in this area.

    Sometime you will Leeeaaarn that there is a HI price 4 quality that is what CHARS DAWIN called sugar of the fittest. Also this predictive txt is saving me the ours of typing and u cannot do that with ur mircosoft fone now can u NO.

  63. Michael C

    misrepresentad a tiny bit

    ...and leaving out some other notes as well.

    A) Yes, it DOWNLOADS to the Applications folder, but it does not "install" There is not installer at all in fact, it is simply a single-file executable.

    B) It only does this if the user has previously told OS X not to bother them about future files being moved to the applications folder. The default is a prompt anytime anything is placed in this folder, regardless of the source.

    C) By downloading the the Applications folder instead of the Downloads folder in the dock, nor by providing a disk image on the desktop to "install" from, many mac users will be confused. Some might not readily find the app at all after it "installs."

    D) as the program was never "installed" running it the first time is a manual action, and it will further prompt a warning about running untrusted applications downloaded from the Internet. If somehow they manage to make it download by itself without a promt, the user may never know it;s there to bother to run it, and if they do they will see this warning and know it to be an app they have never run before that did not come with the mac or any other trusted application run through a true installer.

    E) Since it's not installed, there is no auto-launch, and it will not be running in the background without it being manually launched. no dock icon (unless it's running) might be a clue to people who think it to be a legit app that an AV app that does not launch with OS X is not a real AV app. Unlike a real AV app, even if it was running, and generated a pop-up (from the background) it would not produce a system level alert, but would be forced to dance in the dock to get the user's attention, another hiont it is not an intergrated security application.

    F) after all this, they still have to trick the infected user into giving them a credit card. Its not a worm running monitoring activity, it can't access protected user data or monitor web activity, it has to actually trick the user, and can only do that when manually run?

    Big deal, they have a handy trick to self-install on some macs, after already tricking a user to their web site portal, but they have crippled its true usefulness as a worm/trojan since it can't auto-run, and also removing it is as simple as dragging to the trash.

  64. Anonymous Coward
    Linux

    NEVER allow Java or Directx

    If a web site requires you enable java, move on to another web site. NEVER EVER surf the web unless you are using a virtual (read only) Linux session running a web browser with java disabled. 'nuff said.

  65. punk4evr
    Trollface

    Apple's answer...

    Apple's answer to the problem:

    Mac's are perfectly safe and secure.

    Its the user who is the security leak!

    Stop the users from using them, and they can't be compromised!

    BTW, your holding it wrong!

This topic is closed for new posts.

Other stories you might like