Re: Excellent news.. Malware for OS X!



Josh McKee wrote:
In article <W6KJf.19033$Ly6.2086@xxxxxxxxxxxxxxxxxxxxxx>,
TheLetterK <none@xxxxxxxx> wrote:


Dan Johnson wrote:

"Jim Polaski" <jpolaski@xxxxxxxxxxxx> wrote in message news:jpolaski-329152.11594318022006@xxxxxxxxxxxxxxxxxxxxxxxxxxx


In article <11velmg22d5ava2@xxxxxxxxxxxxxxxxxx>,
"Dan Johnson" <danieljohnson@xxxxxxxxxxxx> wrote:

Um, you have been reading with your biased glasses on since no one here
has said the Mac was immune. It's been said that it's harder to
compromise and that nothing is immune.


Well, that's progress, I 'spose. :D



Getting this trojan working is harder on a Mac because one needs to give
permission for it to run, that is an admin pw, unless you're running in
root, in which case you get what you deserve anyway.


From the reports, it runs as soon as you open it- no warning or
anything. If it isn't already running as root, it will ask for the password
so that it can do so- but it's already running at that point, and
can do things like send emails or IM messages.

But can't do damage outside the home folder of the user that executes it. It's also relatively easy to fix if you have a second account.


Like erase all of your important files.

But I *can't* erase the important files of the other users on the system. That's the point. With Windows, I would not only lose my files, but would also be able to trash everyone else's.

I am continually amazed by the insistence by many that malware needs to disrupt the OS for it to be of any concern. Damaging the OS is nothing compared to the loss of my personal files.

Except we're talking about a multi-user system. Your concern is valid, but limited. It's better to limit the damage to one user rather than allowing their stupidity to trash everyone else's data.


And if the user is an administrator, which is likely to be the case with the majority of Mac users, then malware has an even larger reach. For example safari.app or mail.app could be replaced with versions that log keystrokes. And every user on the system would use these compromised systems.

Not mine--/Applications is locked down even for administrator accounts (it's really pretty simple--don't give anything but root write permission on the directory, once you've got it fixed as you want). Doing what you suggest would require an attacker to harvest my password in the first place.

Another method of avoiding that is to simply copy everything in /Applications to somewhere in your home directory and change links appropriately. If you're truly paranoid, you could run them off an encrypted disk image that only you have access to.


Don't believe me?

I believe you, and if they can do that on my machine, then they've already got my password and already have full access. That's like saying 'unix is vulnerable if the attacker has a root password'. It's also a lot more work than it is on Windows, where an attacker simply has to convince an administrator to execute an application. No harvesting necessary.

This should help illustrate:

Show the group memberships of the account being used:

Lotus1:~ test$ groups
staff admin

Remove Safari.app from the "/Applications" folder:

Lotus1:~ test$ cd /Applications/
Lotus1:/Applications test$ ls -ld Safari.app/
drwxrwxr-x 3 root admin 102 12 Jan 20:23 Safari.app/
Lotus1:/Applications test$ mv Safari.app/ ~
Lotus1:/Applications test$ ls -ld Safari.app/
ls: Safari.app/: No such file or directory

Replace Safari.app with a bogus (named accordingly to illustrate a different file) Safari.app file located in the home directory:

Lotus1:/Applications test$ mv ~/Safari_bogus.app .
Lotus1:/Applications test$ ls -ld Safari_bogus.app
-rwxrwxr-x 1 test admin 0 18 Feb 12:21 Safari_bogus.app
Lotus1:/Applications test$

In this case "Safari_bogus.app" is nothing more than an empty file. But it could be a modified version of the real Safari.app program which logs keystrokes. I could perform the same steps with mail.app. Same with iChat.app.

I'm aware of this exploit, which is why only root can write to /Applications on my box. Yes, this is not the default behavior, but it's very easy to implement. Much easier than giving normal user accounts on Windows a workable level of access.


Without asking for a password malware could easily replace legitimate files with illegitimate ones. For all we know it may have already been done.

Not on my machine.

[ snip ]


If they do that often, then their good deeds may soon be rewarded. It's
karma, no doubt. :D

I don't personally know any Mac users who run anti-virus software.


You might want to take that up with Polaski.

I don't personally know him.


Josh
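Added example, not from any poster in this thread: a small shell audit for the condition the Safari.app swap above depends on (a group-writable /Applications owned root:admin), followed by the fix TheLetterK describes, run against a constructed stand-in directory rather than the real /Applications. It assumes only a POSIX shell with ls, cut, chmod and mktemp.

```shell
#!/bin/sh
# Audit an applications directory for the weak default shown in the thread
# (group-writable /Applications and bundles), then apply the fix described.
# Assumes a POSIX shell with ls, cut, chmod and mktemp; sample data is constructed.

# Print every entry (the directory itself plus each bundle in it) whose mode
# grants write to group or others. Returns 1 when at least one such entry
# exists, 0 when the tree is writable by its owner only.
audit_app_dir() {
    dir=$1
    found=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwxrwxr-x
        gw=$(printf '%s' "$mode" | cut -c6)    # group write flag
        ow=$(printf '%s' "$mode" | cut -c9)    # other write flag
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "writable: $mode $p"
            found=1
        fi
    done
    return $found
}

# The fix from the thread: strip group/other write from the directory and
# everything in it, so only the owner (root on a real system) can move or
# replace Safari.app, Mail.app and friends. Ownership is left untouched.
harden_app_dir() {
    chmod -R go-w "$1"
}

# Constructed stand-in for /Applications: the directory and Safari.app carry
# the stock 775 mode, Mail.app is already 755.
make_sample_apps() {
    d=$(mktemp -d)
    mkdir -p "$d/Safari.app/Contents" "$d/Mail.app/Contents"
    chmod 775 "$d" "$d/Safari.app"
    chmod 755 "$d/Mail.app"
    printf '%s\n' "$d"
}

# Stand-alone run: report, harden, report again, clean up.
apps=$(make_sample_apps)
audit_app_dir "$apps" || echo "-> group-writable entries found, hardening"
harden_app_dir "$apps"
audit_app_dir "$apps" && echo "-> clean: writable by owner only"
rm -rf "$apps"
```

On a real machine point audit_app_dir at /Applications (as any user) and run harden_app_dir with sudo; the check only reads mode bits, so it reports the weakness whether or not the calling account is in the admin group.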