Security Quest #9 – OSX.RSPlug.A Brings Macs Mainstream

There was news last week of a piece of malware targeting OS X. It’s called OSX.RSPlug.A (a.k.a. DNSChanger) and it’s a trojan distributed through porn sites (no puns). A lot was made of the fact that this *could* redirect browsers to malicious websites, such as phishing sites.

The only real news here was that OS X was specifically targeted by a malware writer. It didn’t exploit any deficiency in OS X security. The only way to get the malware to install was to convince the user that they wanted to install the software. Intego and other security software vendors are promoting the fact that they can detect the trojan.

Let’s look at what’s involved to infect a Mac with this bug. You had to:

  • Visit a website, in this case a porn site, and be enticed into downloading a file. In this case it was said to be a codec needed to view some videos.
  • After downloading the DMG file you had to open it and run the installer.
  • When the installer ran you’d be prompted for your password which you’d have to enter.
  • Then the software would install.

So the only security hole was between the keyboard and the chair, not in the software.

MacWorld has a good article on how to detect the trojan.

The first rule of PC (personal computer, including Macs) should always be only install software from trusted sources. This wasn’t a drive-by install where the user visited a website and it automatically installed. On the other hand, there are people who say they visit websites in bad neighborhoods with Macs since it’s safe and secure. This does show that Macs are beginning to be targeted so that is probably not a good attitude. As much care needs to be taken on Macs as on Windows machines.

One of the things that make Macs a less than perfect choice for visiting bad neighborhoods is that Safari has “Open Safe Files after downloading” enabled by default. It’s a poorly named option and should be turned off. Safari doesn’t determine safety. What it really means is that it will open files which don’t automatically execute anything when all system are working. This includes DMG and PDF files which have recently carried malware. If a vulnerability was found that enabled auto execution this default setting could be deadly. If nothing else, the name gives a false sense of security since it sounds like OS X can determine if the file is safe or not. This is set under Safari preferences, on the general tab. Click the thumbnail at the beginning of this paragraph to see the setting. The screen shot shows the Safari defaults.

If you want to visit bad neighborhoods or want an extra level of protection there is software available to help protect your Mac.

ClamXAV is an free (donationware) virus checker for OS X that’s built on the open source ClamAV anti-virus engine. The software allows certain directories to be watched and all file changes in those directories will be scanned. Scans can also be scheduled. There isn’t any real-time scanning, other than the watch directories feature. I used ClamXAV under Tiger but there are currently Leopard issues so I haven’t re-installed it since upgrading. These issues appear related to scheduling an other non-detection related features.

Intego has a full menu of security products. They are clearly the market leader in OS X security software. When I switched from Windows I naturally wanted anti-virus software so I purchased an earlier version of their anti-virus software. While I never came across any viruses for it to detect the software seemed fine. My main complaint is I feel they’re expensive. Be aware that their products that include definition updates may have just a one year subscription. I stopped using them when my subscription ran out and I didn’t feel the upgrade cost was justified for me. They also promoted paid upgrades through the same update engine that pulled down virus definition updates but didn’t identify them as paid until the update was selected, which was annoying. Intego has stated all their products are Leopard compatible. Trial versions are available.
MacScan by SecureMac is AntiSpyware program for OS X that is currently Leopard compatible. This is a traditional anti-spyware program that scans the Mac on demand or on a schedule. Detection ranges from tracking cookies to key loggers. A thirty day demo is available. I downloaded and ran the demo today. I’ll have more info when I’ve run it awhile but it’s a fairly simple interface as is shown by the thumbnail at the beginning of this paragraph (click to see full screen). The 41 pieces of spyware detected in the scan where all tracking cookies from websites and web ads. When spyware is detected you have the option of picking and choosing which you want “isolated” in MacScan terms. Despite the term, tracking cookies are just deleted.

Both McAfee and Symantec have security software for the Mac. Neither seems to have particularly good reviews available. The Symantec software can be viewed here (select Macintosh Products from the drop down list). McAfee information is here. Neither Symantec or McAfee products appear Leopard ready.

ClamXav and MacScan appeal to me because they are non-intrusive on the system. They are also the lowest cost solutions. I’ll probably stick with ClamXav.

The Intego, McAfee and Symantec products all cause me the same concern – that they’re too intrusive on the system and aren’t worth the performance cost. But if I knew I’d be going into bad neighborhoods I’d give Intego a try. At least they’re dedicated to the Mac platform. Just beware of feature bloat intended to justify their existence and upgrades.

I’m a believer that computer habits are better prevention than software. If your switching from Windows and used anti-virus, or have been using a paid virus scanner on the Mac ask yourself how many viruses were detected by the software you used.

Software News

CCleaner – Home – CCleaner is a freeware privacy tool and has recently been updated to version 2.02.525. Free download of 1Password 2.5.3, courtesy Macworld – 1Passwd is free for a limited time and with limitations (no upgrades, no access to online version). Mac software used by many.

News & Links Mac OS X 10.5: About the PubSub Agent – Apple let’s us know that it’s OK for PubSub to access our keychain. ModSecurity and WordPress: Defense in Depth – Paper about securing WordPress

Bogus FTC e-mail has virus | CNET – FTC’s name is being used by spammers to spread malware

Intego reporting new OS X trojan horse in the wild – The Unofficial Apple Weblog (TUAW) – New Mac trojan. Like the article says, it doesn’t install itself. It requires the user to install and provide admin permission. Secrets: How to: Discover malware before installing – MacWorld provides some tips with how to avoid and detect Malware without having to buy software

WashingtonPost.comDeconstructing the Fake FTC E-mail Virus Attack – Security Fix – interesting Security Fix blog post about a successful email phishing attack. The vulnerability exploited was the user. Note the update at the end which links to a report showing only 1/2 of AV software detected the malware. Hiding In Plain Sight – Security Fix – I’ve told windows to show file extensions for so long I forgot about this. A good reminder to set windows to tell all it knows. Acknowledges Data Loss – Security Fix – looks like fell for a phishing scam and lost control of some customer data, resulting in a wave of phishing emails targeting their customers.

Security Quest #1a: Introduction and Catching Up

I’ve been running another site called the Spam Chronicles which was last updated after Patch Tuesday in August. I’ve accepted that I don’t have time to keep both sites up to date. So, long story short – I’ll stop even thinking about updating the Spam Chronicles and will instead incorporate the new content here when it’s appropriate. The current Spam Chronicles will stay up, no reason to pull it down. (The site has been shut down.) When winter sets in I may find time to do a redesign.

A new feature here will be the Security Quest postings. I plan to do these every Wednesday (or so) since that gives me one easy topic each month – Microsoft Patch Tuesday. Today’s patch Tuesday information is in Security Quest #1b which will follow shortly. This one will serve as a round-up for news and information.

Software Updates

WordPress 2.2.3 is a security and bug fix release.

iTunes 7.4 (now 7.4.1) contained a security update which wasn’t mentioned in the download notification. If you get music files from unknown sources you should apply the update. If you only rip commercial CDs or download from iTunes you can hold off.

Lavasoft recently update Ad-Aware to work with Windows Vista. This includes the free version.

BitDefender recently updated the free version of their anti-virus software to version 10.

Security Information, News and Discussion

Skype is reporting that a worm is being spread through Skype for Windows. The worm spreads through the chat feature. via Wired Compiler Blog

Ars Technica has the story of Swedish security researcher that used TOR (The Onion Router) to collect password for embassy employees. TOR is used for anonymous Internet communication. He ran a sniffer on some tor exit nodes operated by his company. Unfortunately tor users probably didn’t realize their traffic was exposed to tor operators. A little encryption would help.

Ars Technica is also reporting an increase in botnet attacks on eBay users with the goal of stealing their eBay identity.

Mac OSX Hints tells us how to secure our Wireless connection at Starbucks. (Haven’t tried this myself, not being a T-Mobile user) via Lifehacker. has the story of the Quechup social network using questionable techniques to get users. They want to make YOU the spammer. They will ask for you email address and password (for common email systems like GMail) and then send invites to every member of your address book and send them under your name. First, never give anyone your password. Second, avoid Quechup. Hopefully the company will fail.

It’s legal to call spyware “spyware”. Techdirt has an article about a lawsuit against anti-spyware vendors being dismissed.

Slashdot has a discussion of the Ophcrack opensource Windows password cracking program.

Microsoft Patch Tuesday news will be in the next post.