When Antivirus Software Fails You: How to Stop (and Defeat!) a Real-World Trojan & Social Engineering Attack
It isn't every day you get to see what a real Trojan or Social Engineering attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But, this time, in putting together material for our upcoming free workshop, Get Secure, when I came across a real attack I was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection.
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
Since we began the site in 2006 the marketshare of the Mac / OS X has grown steadily.
This is a good thing, both in terms of competition and in terms of reducing the amount of homogeneity in the computing ecosystem.
In contrast, if every computer in the world were the same, it would be easier to find "The Flaw" that will make everything grind to a halt. Increasing diversity (i.e. reducing homogeneity) means it's harder to find one flaw that affects everyone.
In a roundabout way, you could even say the success of the Mac and OSX actually makes PCs safer.
Which leads us to:
What's the Best Mac Antivirus Software?
Even though we've been testing PC antivirus software for nearly ten years and we have an embarrassingly large database of viruses, rootkits, bootkits, trojans, worms, adware, keyloggers, spyware, and every other kind of malware imaginable, for a long time it has been primarily for the PC.
That doesn't mean the need hasn't been there (or that our readers haven't been asking for it for some time now.)
So, without further ado, here's our first list of best Apple / Mac OS X antivirus software.
People sometimes question why antivirus software that's not a part of the operating system is a must.
With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.
To be blunt: this is meaningless, particularly in the way of making a PC safer. The first antivirus software the virus writers will make sure their software evades will be that which is built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.
Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.
Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.
Now, let's bring Apple into the picture.
Apple was criticized first for its slowness in applying the patches to Java that Oracle made months ago (the delays which caused the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.
Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).
Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.
All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with the steps and tools each of them made.
Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.
Here's what the update looks like in Software Update:
First, a little clarification about the trojan: this infection is caused by a security flaw in Oracle's Java and isn't a hole per se in OS X. That said, the biggest surprise about the trojan for most people is that Flashback has been around in one form or another for more than six months now.
As most of us know by now, more than 600,000 Macs running OSX have been infected, so this isn't a tiny one-off threat. It's a bona fide Mac botnet.
This is really the first time Apple finds themselves in a position Microsoft has long ago mastered: how to handle the three prongs of dealing with a virus outbreak,
- security researchers
- virus writers
Unfortunately, it's really nothing more than,
Apple is developing software that will detect and remove the Flashback malware.
They do, however, give a good link on how to disable Java in your Mac's browser preferences.
Personally, I don't have Java enabled--never have--and if I find there's some content that requires Java, I turn it on manually for that one site then disable it again.
Many a blog have I written about the necessity of Mac antivirus software, hoping to get at least a few people to drop their delusions about how the Mac and Apple's OS X are impervious to viruses.
Now, don't get me wrong, I'm not trying to start a PC vs Mac flame war/battle. Really. (They're useless.) Nor do I want this to be an, "I told you so."
What I am saying is this: If it has a CPU, chances are at or near 100% that a virus can be written to attack that computer. It's only a matter of time 'til it happens. And, yes, some computers, operating systems, and software are inherently more secure.
Even still, it's important to realize "more secure" doesn't mean "secure."
In a way, we should consider ourselves lucky: like the MacDefender fake antivirus malware, this one is also getting a lot of coverage in the press and elsewhere, so it's raising the specter of viruses being mainstream for the Mac like they are for the PC.
And with that knowledge comes greater understanding of what can be done to protect ourselves. In this case the understanding came because Russian antivirus firm Dr Web uncovered the 550,000 strong botnet that spread via Trojan Backdoor.Flashback.39.
F-Secure also has a good write-up / manual removal instructions on how to remove the Trojan-Downloader:OSX/Flashback.I.
And, if you're a Mac user and you haven't yet gotten it, Apple has an important Java security update. (A Java exploit being the channel through which trojan is infecting the Mac to begin with.)
My $.02, if you're looking for antivirus software for your Mac, our testing is incomplete, but so far we like BitDefender Antivirus for Mac, so if you're in the market, take a look.
UPDATE: Turns out this Mac Trojan isn't some little deal. The folks at F-Secure have found out Mac Trojan Flashback.B checks for virtual machines!
What's so significant about that?
Nearly all antivirus researchers rely heavily on virtualization software like Virtual PC, VMWare, Parallels, VirtualBox and others to help their research.
Using virtualization software allows the researchers to investigate viruses with the added safety net of doing so in a contained environment. And, in doing so they're able to more easily explore the innards of many viruses.
The malware writers for Windows have figured this out, and many of the most advanced viruses check to see if their virus is running inside a virtual environment and, if so, they shut down, thus making research slower, more tedious, and a lot more difficult.
This is one of those things that's been going on in the Windows virus arena for a long, long time. What's really unexpected though is that it's already showing up in a Mac virus, which on a couple of levels means virus writing is a lot more advanced for the Mac than many virus researchers--and certainly the general public--ever imagined.
The bottom line: if you're running a Mac and you don't have Mac antivirus software, it's time to consider it.
Since the Wired article, there has been just tons of coverage about how the worm came to be, about the threats to equipment like the Siemens controllers in the article, and what the real threats are from these types of attacks.
One of the best ones was in an ITWorld piece this week, "Does the Mac have an edge against state-sponsored hacking?"
This isn't just about state-sponsored hacking but about the question generally of: Does a Mac Need Antivirus Software?
This question is posed indirectly in the outstanding research document Macs in the Age of the APT [Advanced Persistent Threat] done by iSEC Partners.
There's a second question-within-the-question though: Does the Apple computer need antivirus software?
Let's start with a quote from the ITWorld article,
...and as you might expect this is where things get interesting.
"When hackers broke into Google's computer network nearly two years ago, their first step was to take over Microsoft Windows machines running in the company's China offices. Would Google have been better off had those workers been running the Mac?
"Not necessarily, according to researchers at iSec Partners, a security consultancy that is part of NCC Group.
"Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of the type of intrusion that hit Google -- called an advanced persistent threat (APT) attack -- and compared how the Mac would do versus Windows 7.
It's commonplace in the Mac community to believe--even recklessly--that Apple OSX is immune to viruses and other malware.
Malarky. If it has a CPU, it can get a virus. Full stop.
Right now there are still fewer--far fewer--threats for the Mac. No question.
Some pundits claim this is because there are fewer Macs than PCs; others will claim this is because the Mac is so much more secure, it's all but impervious to attacks technologically.
While that may--and I want to emphasize may--be true, that doesn't mean the Mac really is impervious technologically. It's not. It's just that the bad guys haven't publicly put the attention onto the Mac that they have onto Windows.
Further, the Mac is no more immune at all than a Windows 7 PC against a social engineering attack where the user is tricked into installing malicious software.
Again quoting the ITWorld piece on the iSEC research,
Interestingly, Stamos echoes the same key point we like to make about security: security isn't just about protecting against technological attacks. It's also about protecting against social engineering attacks.
"Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story.
"'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'
"The problem is that many of Apple's server protocols -- mDNS, Apple Remote Desktop, the Mac Kerberos authentication, for example -- use weak authentication models that give the attackers ways of getting access to parts of the network that should be blocked.
"'Every password-based authentication mechanism in OS X has problems,' Stamos said. [Editor's Note: Emphasis mine.]
And, it isn't even so much a question of getting tricked. It's also a question of accidental installations.
"'Most people get malware because they intentionally install it,' he said. 'At an institution of thousands of employees, you have to assume that one of them is going to get tricked.'
Who hasn't been typing away when suddenly you get some popup message from your OS or your web browser as you're typing in something else and you accidentally hit [space] or [enter] to the popup message as you're going?
"Oh crap. Did I just hit [OK] to something? What was that message?"
And this, regardless of threats from government- or crime syndicate-funded viruses and crackers, is why the Mac--just like its PC brethren--does need antivirus software.
The ITWorld piece goes on to say how the attacks are much more commonplace than you might think. And there's research to back this up.
Here's the thing, too. A lot of these companies are very sophisticated companies. Just take Google for example.
"McAfee released a report saying that it had uncovered evidence of a sophisticated hacking operation that had broken into systems at more than 70 companies over the past five years.
"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion," wrote Dmitri Alperovitch, McAfee's vice president of threat research in a blog post.
Most anyone would be hard pressed to come up with a more technologically adept company. Yet, they got hit with an APT attack.
The point being, if a highly sophisticated company can get hit, doesn't it stand to reason that you can, too? Even if you do run OS X?
As the iSEC researchers said so well in their pdf,
"Bottom Line: Run your Macs as little islands on a hostile network.
Huh. I think that's great advice for PC users, too.
MacDefender now showing up with yet another name, "MacShield."
Not much else to say. It's as bogus as ever and brings the total number of aliases it shows up as to five, including:
Just more crapware to keep an eye out for. We'd love to hear from anyone who has spotted these things in the wild so we can do proper investigation on them.
We're specifically looking for more screenshots of the ads of these things and also of what websites we can download them from.
So far it looks like the same-old-same-old:
There have been a couple of different variations on the infection method that MacDefender uses, which I've shown in a previous blog on MacDefender removal and in one on MacDefender spreading on Facebook.
Joel's wrap-up to the piece is great and worth reading. To paraphrase:
- Buy software from reputable places you go to
- Buying software from a popup window just isn't smart
- Educate yourself on what's out there and how to tell
If you were walking down the Las Vegas strip, you'd know a con man from a mile away! When some huckster approaches you with his wares, you get leery--you know better than to deal with them.
You've educated yourself.
One of the steps Apple is taking to thwart MacDefender and other viruses and malware on their systems is a new item in the 'System Preferences / Security' Preferences pane.
This option, "Automatically update safe downloads list" was one of the key components of the last Apple security update, which was covered in a prior blog on MacDefender Removal.
What does it do?
This checkbox tells your Mac to check in with Apple's servers daily (and when you reboot) and look for new malware definitions. (Sounds a bit like Apple is building its own antivirus software into OSX, doesn't it?)
(Un)fortunately, the folks at Mac Antivirus maker Intego have discovered a bug in this setting, and although it sounds minor, it could leave your system exposed. Here's the scoop according to Intego and their discussion of the Security Preferences Pane Bug:
...if you open the Security preference pane, unlock it, and wait for more than 30 seconds, any changes you make to this setting will not stick.
"Do the above, quit System Preferences, then open the Security preference pane and you will see that the setting will be as it had before your last change.
I did exactly as described on one of our test PCs and personally confirmed this bug exists.
This isn't great, especially given the recent battle Apple and the MacDefender creators have been having, but at least it's easy to check on and easy to fix.
Now, given that we're all solutions-oriented geeks here, the first two questions I had, as with any antivirus software / definitions update mechanism, were:
- How can I tell when OSX last updated its malware detection signatures?
- How can I force it to update manually if the signatures are old and out-of-date?
Turns out, it's a piece of cake...
Here's how to tell when your OSX malware definitions were updated:
- Open Terminal (Finder > Applications > Utilities > Terminal)
- type this:
Here's what I saw when I ran it:
Looking closely at the text above, you can see:
<key>LastModification</key><string>Thu, 26 May 2011 02:24:41 GMT</string>
This is the key to everything here, as it shows how current your definitions are.
As of the writing of this piece, this is the most current update available. (Hat tip to Lex Friedman and Macworld for being one of the first of many places to cover, Checking & forcing OSX to update malware definitions.)
So now, how do you force it to run if the definitions aren't current?
- Click: Apple > System Preferences > Security
- Uncheck then re-check "Automatically update safe downloads list"
Just be sure you close the Preferences Pane in under 30 seconds, or as Intego discovered, the settings aren't saved.
What controls the OSX anti-malware updates?
In case you're curious, the new Mac anti-malware updater is, as I just learned from a blog on XProtectUpdater, an executable by the name of XProtectUpdater. It's located in /usr/libexec/XProtectUpdater.
So, the bottom line is, there's a bug in the Security Preferences. If you follow the steps above, it's easy to check if you're current or not, and if you're not, it's easy to fix.
Just make sure your settings are correct and that your Mac antimalware definitions are current.
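As an added example (not from the original post and not Apple's code), here is a shell script that does the same check from the Terminal without clicking through System Preferences: it pulls the LastModification value out of XProtect's metadata plist and reports how many days old the definitions are. The plist path, the seven-day staleness threshold and the constructed sample file it runs on are my assumptions rather than anything the page states; the date in the sample is the one quoted above. The RFC 2822 date is converted with plain shell arithmetic so the script behaves the same under BSD and GNU date.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed location of the
# XProtect metadata plist (override with XPROTECT_META=... if yours differs):
XPROTECT_META="${XPROTECT_META:-/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist}"
STALE_AFTER_DAYS=7   # assumed threshold; pick whatever you are comfortable with

# Print the <string> that follows <key>LastModification</key>, whether the two
# tags share one line (as quoted in the post) or sit on consecutive lines.
xprotect_last_modified() {
    awk '
        /<key>LastModification<\/key>/ { found = 1 }
        found && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }' "$1"
}

# Convert "Thu, 26 May 2011 02:24:41 GMT" to seconds since the Unix epoch.
# Pure arithmetic (days-from-civil), so no dependence on date -d / date -j.
rfc2822_to_epoch() {
    set -- $1                                   # Thu, 26 May 2011 02:24:41 GMT
    day=${2#0}; mon=$3; year=$4
    h=${5%%:*}; rest=${5#*:}; mi=${rest%%:*}; s=${rest#*:}
    h=${h#0}; mi=${mi#0}; s=${s#0}              # strip leading zeros (avoid octal)
    case $mon in
        Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;   May) m=5;;   Jun) m=6;;
        Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;;  Nov) m=11;;  Dec) m=12;;
        *) echo "unknown month: $mon" >&2; return 1;;
    esac
    if [ "$m" -le 2 ]; then y=$((year - 1)); else y=$year; fi   # March-based year
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + day - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + h * 3600 + mi * 60 + s))
}

# Whole days between the plist's LastModification and now (or a given epoch).
definitions_age_days() {
    stamp=$(xprotect_last_modified "$1") || return 1
    [ -n "$stamp" ] || { echo "no LastModification key in $1" >&2; return 1; }
    now=${2:-$(date -u +%s)}
    echo $(( (now - $(rfc2822_to_epoch "$stamp")) / 86400 ))
}

report() {
    age=$(definitions_age_days "$1") || return 1
    echo "XProtect definitions last modified: $(xprotect_last_modified "$1") ($age days ago)"
    if [ "$age" -gt "$STALE_AFTER_DAYS" ]; then
        echo "WARNING: older than $STALE_AFTER_DAYS days. Uncheck and re-check"
        echo "'Automatically update safe downloads list' and close the pane within 30 seconds."
    fi
}

# Constructed sample file carrying the value quoted in the post.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>LastModification</key>
	<string>Thu, 26 May 2011 02:24:41 GMT</string>
</dict>
</plist>
EOF
report "$SAMPLE"
rm -f "$SAMPLE"

# On a real Mac, check the live file too.
if [ -r "$XPROTECT_META" ]; then report "$XPROTECT_META"; fi
```

Run it as an ordinary user; reading the plist needs no privileges. The sample file will of course report as stale, which is the point: the warning text repeats the fix from the post, including Intego's 30-second caveat.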
The ongoing battle between the OSX anti-malware team and the MacDefender malware creators has taken some interesting turns this week.
Apparently about eight hours after the anti-MacDefender update (which I talked about in yesterday's blog on MacDefender removal) was released, the bad guys regained the upper hand.
CNet has some great coverage by Topher Kessler who says,
Let the cat and mouse games commence.
"Less than a day after Apple tackled the malware threats in OS X with an updated implementation of its malware detection technologies, the MacDefender malware developers have issued another variant that bypasses Apple's definitions to root out and remove the malware.
Then, earlier today (June 6, 2010), there was this update from cnet:
The cat is back in the lead.
"Apple has updated Snow Leopard's XProtect yet again to tackle the new variant, and did so in less than a day after the original update was circumvented.
"Apple is taking a very active approach to prevent this malware from being a problem for people.
Apple definitely took a bit of a pounding publicly after having taken so long to respond to the MacDefender threat initially. Now though, it looks like they're showing their willingness to take on the Mac malware creators head-on.
Regardless of how effective this strategy is long term, every step they take now will make things more secure and close more and more holes in their operating system.
And, for that Mac owners should be grateful.
Does it eliminate the need for mac antivirus software?
I don't believe so.
It's clear Windows malware is lucrative--very lucrative--or else Windows malware writers would've given up long ago.
And, what the MacDefender creators appear to have shown is that the Apple OS X system, while good, does have holes. How hard they are to find, how far the bad guys will go to find them, and how lucrative it is for them to do so all remain to be seen.
The question is: Will Apple's virus situation become as bad as Windows?