Full Disclosure mailing list archives

Re: [botnets] re MAC trojan (fwd)
From: Gadi Evron <ge () linuxbox org>
Date: Thu, 1 Nov 2007 19:55:44 -0500 (CDT)

There have been many threads on this subject, but I believe this post 
below covers what some of us are trying to say on why this issue is 
significant.

Obviously some people are far more articulate than me.


---------- Forwarded message ----------
Date: Thu, 1 Nov 2007 16:47:17 -0400
From: PinkFreud <pf-botnets () mirkwood net>
To: Gary Flynn <flynngn () jmu edu>
Cc: botnets () whitestar linuxbox org
Subject: Re: [botnets] re MAC trojan

To report a botnet PRIVATELY please email: c2report () isotf org
----------
[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]


I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple.  As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.

As Gadi mentioned, there are a number of known issues that Apple has
yet to address.  If the professional malware authors are now taking aim
at Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather
worrisome:

::: Interspace System Department
Relax. MAC users are not that stupid as MS users...

Are you a Mac user?  If so, you just proved yourself wrong with that
statement.  :)</flame>

Users are users, and their knowledge of computers varies greatly from
one to the next.  I've supported a number of Mac users who tend to be
clueless when it comes to computers, and I've supported Mac users who
know quite a bit about the machines they use.  Like any Windows or *nix
user, Mac users can - and will - fall prey to this kind of scheme.

Again, the trojan is not what's important here.  The fact that it was
written for Macs is particularly noteworthy, however.


::: Jeremy Chatfield
InfoSec is there to make sure that I can run my business, not as an end in
itself. It *prevents* profit making activity by having effort expended on
internal needs. So if the Mac hasn't *needed* higher level of security
hoops, previously, that's good. So long as weaknesses are fixed *when
needed*, I'm a happy bunny. If there's a Day Zero attack that hits a Mac,
I'll be disappointed, but it's not a uniquely Mac situation to be in... If
the failure was an obvious weakness, I'm actually still pretty sanguine,
because it hasn't yet been exploited, despite being "well known".

Security issues should be fixed as soon as feasible, not 'when needed'.
If all security vulnerabilities were fixed 'when needed', the malware
authors would be having a field day (which, of course, implies they're
not already... hmmmm.).

Apple has a history of badly-written software.  As far as recent
examples go, take a look at tar and rsync on Tiger (10.4) - they've
been modified to support extended attributes like ACLs and resource
forks, and they're quite broken - extended attribute support introduces
a serious memory leak.

If that doesn't quite hit home, you can get a further idea of how their
software is written by taking a look at the man page for sharing(1), on
OS X Server (for those of you without access to OS X Server, take a
look at
http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html
).  Pay particular attention to the description for the -s, -g, and -i
options - do their developers (or tech writers) know the difference
between AND and OR?  :)



On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:
This is nothing more than simple downloadable malware exacerbated
somewhat by permissive configuration settings. It exploits no
security defects.

As I understand it, the operator is given multiple opportunities
to refuse the program:

http://www.jmu.edu/computing/security/#macmalware

(I'm only subscribed to the archive so I apologize if this
  has been already pointed out or already proven incorrect
  today)

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
_______________________________________________
To report a botnet PRIVATELY please email: c2report () isotf org
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
