I run a mac-heavy shop. About 40 of them at present.
The naysayers who want to downplay this as business as usual are wrong.
I have had three cases of this within two weeks at my company. Prior to that time, I have not had a single piece of Mac malware infect my machines over a period of 8 years.
This is not business as usual. I expect to find a whole lot more of this in the near future, and for the first time since I've managed IT at this company, I'm researching anti-malware solutions for Mac.
I'd advise you to educate your users (so as not to enter their passwords every time the computer asks them for no apparent reason), run proper backups and check Safari (and other browser) defaults.
As an alternative to anti-malware? You're kidding, right?
Do you really think that Mac users are inherently less gullible than Windows users?
I have been in this business long enough to know that there are always certain users who will click anything that pops up on their screen, no matter how clearly you try to convince them otherwise. If education solves your future Mac virus problem, then more power to you. But that's just not the real world.
Gullibility isn't even necessary to have machines get infected by malware. There have been cases in the past of ad networks serving ads infected by Flash zero-days. You don't have to run a downloaded executable to get an infected machine.
Exactly. I'm not worried about downloading an email, most of the non-savvy users I know understand not to do that anymore, I'm worried about something like Flash being the vector of the virus.
I could be incorrect, but if you require administrative rights to install anything (so your users can't), wouldn't this solve the problem (at least in this case)?
Understandably, this would require you to micro-manage all your users who want to have their own, specialized setups, but...
You cannot even begin to understand what micromanaging users' installs is like until you have tried it. You will either change your tune quickly or bring on a whole team of people to focus on that goal (which is what the large companies do).
You don't need to solve your future problems. Solve the present ones. Mac users may have become comfortable with their false sensation of security, but now is the time to teach them to be suspicious and to put them on your side.
Good luck with your search for anti-malware. From what I have seen on the Windows side of the fence, things aren't pretty.
Any real solution goes through user education. When they know what to expect from their computers, they become much more difficult targets. You may enlist the help of some clever programs, but software won't solve the problem.
Do I have to repeat the mantra, "Security is not a product, it's a process" to satisfy your pedantic streak?
Why is it that you assume that I am not educating my users just because I am looking into Mac anti-virus software? Did I say that anti-virus software is the end-all be-all of security?
I have Windows users here also. Every one of them runs anti-virus, and it has saved my department countless hours cleaning or rebuilding machines. I have the metrics to prove it.
If you really think that an enterprise can get along with education alone, you clearly have not spent much time in the IT support trenches, dealing with the average computer user.
Our small shop had to clean up one of these yesterday. It's not hard, for now, but there are all sorts of really neat hidey-holes in MacOS for these kinds of things, and so far this piece of malware has been evolving pretty fast. It's changed names three times, and it first started propagating as a fake JavaScript alert on sites that looked like a Windows screen; now there's a pretty reasonable Finder mock-up doing the dirty deed instead.
It doesn't help that there's a setting in Safari to automatically run "safe" downloads.
I'm intensely curious about how far this thing goes. If it were to, say, start hooking into launchctl ... well, that would be interesting indeed.
It used to be worse. Early versions of Safari would automatically execute a shell script as part of a "safe" download. They 'fixed' it by changing the disk image spec rather than the Safari feature. This type of exploit probably reflects how much thought was put into the feature.
The "safe download" social engineering attack was outlined years ago, so it's somewhat surprising it took this long to be widely exploited.
Isn't it still programs that the user explicitly has to install?
If normal users keep their random application installing limited to the app store they should be fine. If you DO install "video players" from porn sites or download stuff off the pirate bay, you might end up with malware...
I'm not so worried about the malware apps that ask permission as much as the malware app that takes advantage of yet another Adobe Flash exploit. Well, I really shouldn't pick on just Flash, but you get the idea.
"Exactly. Nothing will protect you from stupidity."
I'm getting so tired of this blame-the-user-for-everything attitude on Slashdot, HN, and elsewhere.
Some of the blame belongs to Apple/Safari. You see, Safari's default settings allow for the automatic download and execution of "safe content".
The clever authors of MacDefender/MacProtector packaged things up so that by merely visiting a hostile web page in Safari, it causes Safari to automatically download and automatically run the MacDefender/MacProtector installer.
For example, you may be browsing Google Images. You click on one. The next thing you know, and this happens in just a second or two on a broadband connection, the installer program for MacDefender/MacProtector is running.
Now fortunately, the installer process itself is benign. If you quit the installer, you won't get infected. If you continue through the installer, however, the Trojan will be installed.
I can see how a lot of people might think Apple automatically pushed out an anti-virus, or something, and that's why the installer started running automatically.
Feel free to blame the user all you want...right now, it seems very popular to blame "those stupid users" for everything. But in this case, Apple/Safari deserve a nontrivial share of the blame for Safari's outstandingly asinine defaults.
I am not disagreeing that Safari's default behavior is stupid (open "safe" files).
The fact that the install process is benign is not "fortunate" though -- to qualify as "safe" they're running Apple's installer from a pkg. If they provided their own installer, the installer wouldn't be considered by Safari to be "safe" and the whole thing wouldn't work.
You must not have parents with computers. It's not stupidity - it's the assumption that what you see on the screen isn't actively lying to you. For somebody accustomed to being told that the computer is always right, this is a hard thing to grasp, and attitudes like yours really don't help.
Telling anyone that "the computer is always right" is the problem. The Mac attitude saying "relax, the software knows what to do" is really putting the users at risk in this case. They just don't have the dismissive reflex Windows users have acquired for such situations.
I think part of the problem is that people have been sold on the idea that Macs are safe and "there aren't any viruses for the Mac." There is this ill-conceived notion that naive users hold that they aren't at risk, so they'll be more inclined to install malware without thinking about or understanding the consequences.
There are a lot of programs that require the admin password in order to be installed, for them to be installed system-wide... Usually, a single user install would be enough, but they don't provide the option (or I couldn't find it).
As a consequence, users are trained to give their password to random apps, and they end up not paying attention anymore to which app they give it to.
Apple has never let backwards compatibility constrain them. 10.6 is Intel-only, Rosetta is gone in 10.7. I won't be surprised at all if 10.8 heavily deprecates non-app-store apps and 10.9/11.0/iOS Desktop prevents them altogether.
As far as developers are concerned, they'll be welcome to purchase Mac Pros at their usual insane markup.
If they do, I'll finally switch to Linux.
Ditto, and Apple won't care one bit about losing us.
I wasn't aware that installs on Ubuntu were restricted to Synaptic. It's not really the idea of an 'app store' that people don't like. It's the removal of freedoms.
They are not. It's just that Synaptic (and that other newer thing whose name I keep forgetting) is so convenient it's been a while since I last had to manually install something.
It's kind of disappointing overall, because package management has always been the solution to this kind of problem. You tell users "never install anything you don't find in the repo", but now it seems somehow tainted. I guess maybe it's that nobody cares about it until Apple can make 30% of your software's retail price through it.
I'm glad that systems are finally getting the same kind of package management that we have enjoyed on Linux for well over a decade, but it's a serious bummer that it has to come with such scammy-feeling commercialistic trappings before it can be brought to the masses. It's hard to put my finger on the feeling exactly.
Except for iOS, usually you can still optionally install software in another way, or even create your own repository (Linux packages, Android markets). So the "tainted" bit is the totalitarian aspect of it.
You advocated and disparaged the App Store concept, and then you railed against capitalism. Regardless of how you perceive the App Store concept, you cannot deny that it works, and it works well.
Frankly, what's wrong with a package management system that charges consumers and pays commissions to the host?
You're missing the point. The App Store is not a package management system.
In Ubuntu, I never, ever install one-off DEBs. Every single piece of software is installed through a repo. I'm able to trust that software and I don't let other apps get root privileges unless I grant them and know what's going on.
The Apple App Store is not a package management system. It's a store. Developers have to relinquish control and money to have their apps listed there. Thus, many apps must still be installed manually. It's not an open ecosystem and it's not really fair to compare them.
Synaptic and trusted repositories save me from malware because there is no reason not to use them. There are many reasons not to use Apple's.
The really terrifying thing about this is how easily malware writers are able to slip their downloads into major web sites. I got the MacDefender alerts on MSNBC.com.
Until last week, Mac malware was as common as unicorns. Now there is one. And, as pointed out, Safari's default behaviour of running stuff it deems safe automatically is very dangerous.
>Until last week, Mac malware was as common as unicorns. Now there is one.
That might be true if "malware" includes only exploits that call attention to themselves and disseminate indiscriminately.
But OS X has many times been the first OS to fall in the pwn2own competition, and since there has long been a market in OS X exploits, clearly some Macs have been compromised.
- The Mac is often the best Pwn2own gizmo
- It gives high cred to whoever pwns it.
- Nobody pays as much attention to owning a Windows box
- Windows vulnerabilities may get more than the Pwn2own prize on the market.
The infection doesn't actually occur within Safari. When you click a link, your browser is redirected to a file download. The default behavior in Safari is to unpack and run "safe" downloads. So, what happens is:
1. You click a link in Safari
2. The installer package is downloaded
3. Safari unpacks it and executes the installer
Note: you are not infected yet
4. The user completes the installer wizard, entering their password along the way
5. The computer is "infected"
This sucks, but it's not a drive-by infection. Yet.
Chrome does not unpack and run downloads, so you'd have to execute the downloaded package yourself.
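The step-by-step chain above, and the earlier comment blaming Safari's "open safe files" default, both hinge on one per-user preference. This added audit script (not from the thread) checks and optionally disables it; `com.apple.Safari AutoOpenSafeDownloads` is the real preference key, while the helper function names are ours.

```shell
#!/bin/sh
# Added example: audit the Safari preference that makes step 3 above
# ("Safari unpacks it and executes the installer") happen on its own.

# Classify a raw `defaults read` value. When the key is absent Safari
# falls back to its shipped default, which is to auto-open, so an empty
# value is reported as risky as well.
classify_autoopen() {
  case "$1" in
    0|false|NO)  echo "ok: safe downloads are not auto-opened" ;;
    1|true|YES)  echo "RISK: Safari will unpack and launch 'safe' downloads" ;;
    "")          echo "RISK: key unset, Safari default (auto-open) applies" ;;
    *)           echo "unknown value: $1" ;;
  esac
}

# Read the live value for the current user on a Mac. Prints an empty
# string when the key is not set, or when defaults(1) is not available
# (i.e. this is not running on macOS).
read_autoopen() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
  fi
}

# Remediate: turn the feature off for the current user. Safari reads the
# new value the next time it starts.
disable_autoopen() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Usage: ./safari_autoopen.sh --audit   (report only)
#        ./safari_autoopen.sh --fix     (report, then disable)
case "${1:-}" in
  --audit) classify_autoopen "$(read_autoopen)" ;;
  --fix)   classify_autoopen "$(read_autoopen)"; disable_autoopen ;;
esac
```

For a fleet, the same two `defaults` calls can be pushed through whatever management tool already runs scripts as each user; the classification is what you would log centrally.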
There's been serious malware on the Mac for ages.
You have to be doing some really stupid things to get it, e.g. illegally downloading software, several porn sites do it, etc.
It looks as if it's now requiring much less stupidity to get malware on the Mac, but that's really all that's changed. Email scams are now considering the fact that I might be using a Mac.
Yesterday I spent several hours going through discussions.apple.com and collecting requests for help from Mac users who have been affected by this issue. I found more than 200 separate discussion threads, many of them from people who have been tricked into installing this software and are desperately trying to remove it. It started with four posts on April 30; this past weekend there were 42 unique, new discussion threads on this subject.
I am not unfamiliar with Apple’s forums. I’ve done similar searches in the past, especially after reading some of those same posts that Gruber called out from 2008. I have never found more than one or two in-the-wild reports. This time, the volume is truly exceptional.
This appears to be the first widespread malware attack.
I did, actually. Before I responded to you. Your comment was, however, thoroughly ambiguous. What "it"? Your response here doesn't exactly convince me to be more concerned than I was last week.
His links to the Apple forums to "confirm" what a big deal this is:
"I have never found more than one or two in-the-wild reports. This time, the volume is truly exceptional."
I went to the forums and searched for Mac Defender, Apple Security, and Mac Protector and found a few dozen posts. Plenty of people posting straightforward solutions.