Barbarians at the Gate

Photo by MrHappy via flickr

For years, one of the more compelling arguments in the debate between PC and Mac users held that Macs are more secure. With hackers worldwide dreaming up viruses and Trojan horse programs designed to crash hard drives and compromise personal data, Microsoft and security software manufacturers struggled to keep PC users safe by constantly releasing software updates and security patches for Windows operating systems.

Mac users surfed happily along the Internet’s boundless realms, content in the knowledge that Apple’s tiny OS market share was little incentive for hackers and malicious social engineers. As the universe of Mac users continues to grow, however, that sense of security may begin to prove false.

Jim Dalrymple writes for Macworld.com that SecureMac claims to have discovered a Trojan horse “in the wild” targeting OS X 10.4 and 10.5 users. Granted, you must willingly download the program, install it on your Mac and provide your keychain password for it to take effect, but the folks at SecureMac perceive a change in the security landscape nonetheless.

In a Security Alert labeled “critical,” the company describes multiple variants of a compiled AppleScript, called ASthtv05 (60 KB), and an application bundle called AStht_v06 (3.1 MB) that theoretically allows a malicious user complete remote access to the system, with the ability to transmit system and user passwords, and avoid detection by opening ports in the firewall and turning off system logging. Additionally, the company said this Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

Another security software developer, Intego, confirms the critical nature of the stealth root access Trojan, and posted a separate, low-risk notice of a Trojan horse masquerading as a program for Mac OS X called “PokerGame”. The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.

Running PokerGame.app activates ssh, then sends the user name and password hash, along with the IP address of the Mac on which it is running, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, and more.

Comments on the Macworld piece point to the fact that these kinds of security threats should only affect the most unaware users who might be duped into installing unknown software on their machines, and willingly providing their administrative passwords. Not a few of them express skepticism regarding SecureMac and Intego’s financial incentive for discovering and reporting on these Trojan horses “in the wild.”

As Apple’s desktop OS market share continues to grow, however, and tens of millions of iPhones running Apple’s mobile OS hit the market, the lure for hackers and malicious program developers gets larger, increasing the likelihood of security turbulence for Mac users on the road ahead.

  • Jamie McFarlane

    This is why I’ve always been against Mac growth. The more people who convert to Mac, the bigger the crosshair will become.

    Hopefully Apple will keep plugging any holes in OS X though and make it as hard as possible for these f***wits to hack things.

  • JoViKe

    Not the “security through obscurity” argument again. Dear oh dear. That one was put to bed years ago.

  • imajoebob

    As I understand it, one of the great design decisions of OS X was to have a separate “machine” system – the UNIX base, and desktop OS – what most of us think of as OS X. It effectively works as a firewall to keep ne’er-do-wells from trashing your computer. While there may be a few instances of attacking Quicktime or some other programs, this design essentially quarantines the attack. Without specific Admin permission, multiple permissions in fact, it keeps catastrophic damage at bay. The user still needs to be a willing participant in making any virus/trojan/attack work.

    Is my impression correct? If so, I think that makes the user base a relative non-factor, except in attracting more attempts. And has there ever been any buzz about someone with even an inkling of how they’d do it?

  • Alex

    I come from an era where we’d have to use a ‘Disinfect Bath’ Mac to clean any floppies or drives coming into the design lab at university.
    Today’s threats to OS X just don’t compare with how things were back in System 7.
    Don’t forget the market share back then was still approximately the same as it is today.

    So far, all these nasties rely on the user taking to install and run.
    The social engineering aspect is what these things depend on.

    So really, as always, the user is still the weakest link in the chain.

  • SC

    @imajoebob

    It all falls down when you can escalate yourself to the “machine” (AKA root) account through security holes you could drive a fleet of buses through.

    http://www.rixstep.com/1/20080

  • Doctor S

    I’ve always suspected the ‘virus scan people’ to be behind the problem, at least to some extent. What better way to sell product and justify their existence than to create the problem and create the need. check out my blog: http://mdoncall.blogspot.com

  • imajoebob

    @SC,
    Thanks for the link. And the reassurance that I may have saved more than $129 staying on 10.4 (G4 helps in that decision, too).

    As best I can understand this blog,
    1) You have to be running Remote Desktop, so if you’re not one of the 50 or so using it you’re safe (okay, slight exaggeration on the users),
    2) You have to run the script – or at least allow it to run, and
    3) if it’s as easy to do as Rix is saying, he’s untrustworthy for publishing the scripts – even if they appear elsewhere, which makes what he says untrustworthy, which makes his scripts untr- ooh, I’m getting dizzy.

    Acknowledging my limited ability to understand code, this appears to be more of the stuff aimed at cooperative naïfs.

    Or maybe I’m just an uncooperative naïf.