Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI
kudos:7

Why Windows users should care about malware on Macs

By Ed Bott | June 6, 2011, 5:17am PDT

Summary
"Why is a Windows guy writing so much about malware on Macs? Because this problem affects all of us. Apple, Google, and Microsoft should be working together to respond to this problem, but that doesn’t appear to be happening.

So how effective has Apple’s response been so far? Not very."

Why is a Windows guy writing so much about malware on Macs? Because it affects me, too.

I have a Mac on my desktop. I use it regularly. I have friends, family members, clients, and professional associates who use Macs. Several of them switched specifically because they believed it would make them safer online. If they call with a problem, I need to be able to help, not just shrug my shoulders and tell them to call Apple.

Over the past few weeks, I have found Mac malware and Windows malware side by side on the exact same compromised web sites, served up by Google search results. The visuals and the payloads are tailored to match the visitor’s computing environment, but the social-engineering tricks are identical and are specifically designed to snare unwitting victims.

Apple, Google, and Microsoft should be working together to respond to this problem, but that doesn’t appear to be happening.

So how effective has Apple’s response been so far? Not very.

As I noted last week, Apple has begun playing a frustrating game of cat and mouse with the bad guys. They have released a new set of malware definitions for the XProtect feature in OS X 10.6.7 every day since they released Security Update 2011-003 last week. Six days, six updates so far. And each time the criminals behind the Mac Defender family have revised their product within a few hours so that it bypasses those signatures.

I captured two more samples of the latest Mac Defender variant in action on Saturday and Sunday. It’s now called Mac Shield:
»www.zdnet.com/blog/bott/ ··· acs/3430

And even today...MacDefender malware runs fine even on a fully patched Mac with the latest detection signatures from Apple.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA
kudos:24

Another good article to be sent along to a naive friend using a Mac. "that can never get virus or malware!"

DownTheShore
Trump-The new face of fascism
Premium Member
join:2003-12-02
Beautiful NJ
kudos:14

to Name Game
Probably those Mac commercials playing up Windows' susceptibility to viruses, trojans and spyware might have something to do with the lack of cooperation. Or the years of smug assertions by Mac owners that they didn't have to worry about malware.

I would imagine everyone at Windows HQ is walking around with a smile on their face at the thought of Mac malware.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI
kudos:7

Just Apple trying to play catchup.

»www.pcmag.com/article2/0 ··· 7,00.asp
unoriginal
Premium Member
join:2000-07-12
San Diego, CA

to Name Game
Several of them switched specifically because they believed it would make them safer online. If they call with a problem, I need to be able to help, not just shrug my shoulders and tell them to call Apple.

This guy is nicer than I am on most days. After fiddling around with various problems at work the last thing I generally want to do is provide more tech support to people after hours. If it was my mom or someone close that's a different story. But for just about anyone? Nope, not in my free time.

therube
join:2004-11-11
Randallstown, MD
·Xfinity
·Verizon Online DSL

to Name Game
quote:
the criminals behind the Mac Defender family have revised their product within a few hours so that it bypasses those signatures
A signature-based method. Well geez, they must have copied that from Windows. Considering it is FAIL in Windows, do they really expect more?

(And then older Mac version users don't get the updates anyhow. Kind of sounds like how IE9 is the "most secure", but wait, you can't install IE9 on XP. --I guess that's a little unfair. XP not being worth anything these days, just about out to pasture & only run by laggards. [I'm kinda serious & kinda joking here, but not sure which?])
Mele20
Premium Member
join:2001-06-05
Hilo, HI
kudos:8

said by therube:


(And then older Mac version users don't get the updates anyhow. Kind of sounds like how IE9 is the "most secure", but wait, you can't install IE9 on XP. --I guess that's a little unfair. XP not being worth anything these days, just about out to pasture & only run by laggards. [I'm kinda serious & kinda joking here, but not sure which?])

Better hang on to that XP (and to even Vista) and Win 7 as Win 8 is going to kill Microsoft. Microsoft appears intent on killing Desktop computing and that will destroy Microsoft also.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
mysec
Premium Member
join:2005-11-29
kudos:4

to Name Game
said by article :

Over the past few weeks, I have found Mac malware and Windows malware side by side on the exact same compromised web sites, served up by Google search results.


My, my! Just think! Of all the things! Who'd have thought of that! What's the world coming to!

A number of years ago, a Wilders Security Forum member who did a lot of testing, commented in essence that any set of code had the potential to be misused for malicious purposes.

So, none of this is a surprise to those who have followed the evolution of malware exploits and targeting.

It made me recall the early days of Firefox, where, in the Mozilla forum, you risked tar and feathering if you dared suggest that FF could be exploited.

Now, the message has changed: So what if exploits surface - Mozilla patches quickly.

And so it goes...

Now, no matter the application or Operating System, there are just two attack vectors,

  • 1) Remote Code Execution (aka drive-by) tailored to the possible vulnerabilities in the user's system, a la exploit kits

  • 2) Social Engineering tricks

Thus, the article again:

said by article :

The visuals and the payloads are tailored to match the visitor’s computing environment,

but the social-engineering tricks are identical and are specifically designed to snare unwitting victims.


There you have it: the summation of malware attacks in two simple sentences

said by article :

Apple, Google, and Microsoft should be working together to respond to this problem, but that doesn’t appear to be happening.


Since Win9x days, I've not known any security minded person who depends on the vendor to keep one's system secure.

Oh, sure, we know that there will be patches and fixes, and we expect them; but what to do in the meantime? At the height of the PDF exploits, for example, Adobe often delayed several weeks before issuing a patch.

And the contrary: Microsoft had a patch for MS08-067 in late 2008. Yet a month or so later, the Conficker worm emerged from its cocoon and successfully exploited -- yep you guessed it -- MS08-067, and went on to become the largest botnet at that time.

Conficker Worm: Help Protect Windows from Conficker
»technet.microsoft.com/en ··· dd452420

On November 21, 2008, the MMPC identified Worm:Win32/Conficker.A. This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 through network-based attacks.


Two months later, Microsoft was pleading (encouraging) users to install the patch:

January 22, 2009: MS08-067 Conficker Worm Update
»blogs.technet.com/b/msrc ··· ate.aspx

We continue to encourage customers to deploy the Security Update for Microsoft Security Bulletin MS08-067 update as soon as possible


So, in spite of the vendors' efforts, many users ignore the patches/updates anyway!

In those cases of delayed patches, those who know what exploits do (install trojan executables) already have protection in place, so that the patch, while nice to have, is really irrelevant in terms of providing real time protection.

Patches, updates, are always after the fact

That covers the remote code execution stuff.

said by article :

...new victims are showing up on Apple’s support forums every day looking for help. In a cursory search yesterday, I found more than a dozen fresh reports of infections by the latest Mac Shield variant.


This, of course, is a social engineering attack. Should we feel more sorry for Mac users than Windows users who have fallen for the same rogue security product trick?

said by article :

Computer crime is a problem that affects all of us, regardless of what platform we use. We are all being targeted by gangs that are depressingly effective.


Everyone I've known who helps home users stresses this basic security axiom: be prepared for the common attack vectors and let the vendors take care of themselves. The Cat-and-Mouse game dictates that there will always be ways to exploit the users, no matter the OS and applications that brag they are more secure than the competition. This applies to both attack vectors.

Well, back to the assertion,

Why Windows users should care about malware on Macs


What's next: Why Opera users should care about exploits against Sea Monkey?

All computer users, no matter the platform/application, should be concerned about cybercrime. To focus on specific targets misses the overall threat which targets ignorance. I don't use that term in a derogatory sense, just stating a fact: most users are ignorant (unaware) of how the two basic attack vectors work.

As I've written before, the most effective way, IMO, is to work one-on-one with those in our sphere of influence who will listen.

For the others, well, what can one say? It's a cruel world out there, if you let yourself be caught up in it.

regards,

-rich
Bink
Villains... knock off all that evil
join:2006-05-14
Castle Rock, CO
kudos:4

to Name Game
The only reason I need to care about malware on Macs—Windows user or not—is because Macs will now be part of future botnets. That’s it.