Bugtraq mailing list archives
Re: [botnets] re MAC trojan (fwd)
From: Gadi Evron <ge () linuxbox org>
Date: Thu, 1 Nov 2007 19:55:44 -0500 (CDT)
There have been many threads on this subject, but I believe this post below covers what some of us are trying to say on why this issue is significant.
Obviously some people are far more articulate than me.

---------- Forwarded message ----------
Date: Thu, 1 Nov 2007 16:47:17 -0400
From: PinkFreud <pf-botnets () mirkwood net>
To: Gary Flynn <flynngn () jmu edu>
Cc: botnets () whitestar linuxbox org
Subject: Re: [botnets] re MAC trojan

To report a botnet PRIVATELY please email: c2report () isotf org
----------

[My apologies if this has already been covered - I started this email a few hours ago, and haven't had a chance to finish it until now.]

I think the point Gadi (and Alex of Sunbelt Software, in his original blog entry) is trying to make is that professional malware authors have begun to take notice of Apple. As a piece of malware goes, this trojan is nothing remarkable in itself, other than the fact that it's aimed at Mac users. As Gadi mentioned, there are a number of known issues that Apple has yet to address. If the professional malware authors are now taking aim at Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather worrisome:

::: Interspace System Department
> Relax. MAC users are not that stupid as MS users...

<flame>Are you a Mac user? If so, you just proved yourself wrong with that statement. :)</flame>

Users are users, and their knowledge of computers varies greatly from one to the next. I've supported a number of Mac users who tend to be clueless when it comes to computers, and I've supported Mac users who know quite a bit about the machines they use. Like any Windows or *nix user, Mac users can - and will - fall prey to this kind of scheme. Again, the trojan is not what's important here. The fact that it was written for Macs is particularly noteworthy, however.

::: Jeremy Chatfield
> InfoSec is there to make sure that I can run my business, not as an end in itself. It *prevents* profit making activity by having effort expended on internal needs. So if the Mac hasn't *needed* higher level of security hoops, previously, that's good. So long as weaknesses are fixed *when needed*, I'm a happy bunny. If there's a Day Zero attack that hits a Mac, I'll be disappointed, but it's not a uniquely Mac situation to be in... If the failure was an obvious weakness, I'm actually still pretty sanguine, because it hasn't yet been exploited, despite being "well known".

Security issues should be fixed as soon as feasible, not 'when needed'. If all security vulnerabilities were fixed 'when needed', the malware authors would be having a field day (which, of course, implies they're not already... hmmmm.).

Apple has a history of badly-written software. As far as recent examples go, take a look at tar and rsync on Tiger (10.4) - they've been modified to support extended attributes like ACLs and resource forks, and they're quite broken - extended attribute support introduces a serious memory leak. If that doesn't quite hit home, you can get a further idea of how their software is written by taking a look at the man page for sharing(1), on OS X Server (for those of you without access to OS X Server, take a look at http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html ). Pay particular attention to the description for the -s, -g, and -i options - do their developers (or tech writers) know the difference between AND and OR? :)

On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:
> This is nothing more than simple downloadable malware exacerbated somewhat by permissive configuration settings. It exploits no security defects. As I understand it, the operator is given multiple opportunities to refuse the program:
>
> http://www.jmu.edu/computing/security/#macmalware
>
> (I'm only subscribed to the archive so I apologize if this has been already pointed out or already proven incorrect today)
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net

Unsolicited advertisements sent to this address are NOT welcome.

_______________________________________________
To report a botnet PRIVATELY please email: c2report () isotf org
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets