Mac malware that installs itself without admin password
May 26, 2011
A newly discovered group of hackers has developed a series of new malware programs for Mac OS X that avoid the need to enter an administrative password, representing a huge security risk to Mac users.
Earlier rogue anti-virus programs such as MacDefender need the user's permission to run, an issue that MacGuard neatly sidesteps. MacGuard works on the assumption that home users have administrator rights and therefore do not need to enter the administrator password to install software in the Applications folder. The attackers know this and are now exploiting it as much as they can.
MacGuard downloads itself into that folder rather than the default download folder. The downloader then connects to malicious IP addresses hidden in its own Resources folder. The appearance of this malware means that the advice to treat all unexpected requests for the administrator password with suspicion becomes null and void: the installation never asks for one.
"This isn't the end of the world but it certainly does change the game somewhat," writes anti-malware researcher David Harley.
Mac security specialist Intego reports that MacGuard, which it describes as a variant of MacDefender, is being distributed via various portals offering fake security scans. These portals are promoted through search engine manipulation.
Several variants have since appeared: MacDefender, MacProtector and MacSecurity, all of which are the same malware under different names. The goal of this fake antivirus software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Mac machines.
Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts. The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the MacDefender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site, and it then installs itself without asking for a password.
After initially advising support staff not to help users who might be infected by MacDefender, Apple rethought its position and posted an advisory on dealing with the malware on May 24. Part of its advice – to cancel the installation process and not to enter an admin password – has been rendered redundant by the arrival of MacGuard.
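The condition MacGuard relies on is that the logged-in account is an administrator and can therefore create application bundles in the Applications folder with no password prompt. The following audit script is an added example, not code from the article or from Apple, Intego or Sophos: it reports whether the current account is in the admin group, whether a given applications directory is writable without any prompt, and which `.app` bundles in it changed recently, which is the kind of check a support desk could run on a machine suspected of carrying MacDefender-style software. The directory is a parameter (defaulting to `/Applications`) so the functions can be exercised on any Unix-like system; `dseditgroup` is the macOS group-membership tool and is used only when present.

```shell
#!/bin/sh
# Added example: audit the conditions a no-password installer depends on.
# Not part of the original article; /Applications is only the default.

# 0 if the current account can create entries in the given directory,
# i.e. software can be dropped there without any password prompt.
app_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Is the current account an administrator? dseditgroup exists on macOS;
# elsewhere fall back to the group list reported by id(1).
is_admin_user() {
    if command -v dseditgroup >/dev/null 2>&1; then
        dseditgroup -o checkmember -m "$(id -un)" admin >/dev/null 2>&1
    else
        id -Gn | tr ' ' '\n' | grep -qx admin
    fi
}

# Print the .app bundles directly inside $1 whose modification time is
# within the last $2 days (default 7), one path per line, sorted.
recent_apps() {
    _dir=$1
    _days=${2:-7}
    find "$_dir" -maxdepth 1 -name '*.app' -mtime "-$_days" 2>/dev/null | sort
}

# Number of such bundles, as a bare integer (0 when there are none).
count_recent_apps() {
    recent_apps "$1" "$2" | wc -l | tr -d ' '
}

# Human-readable report for one applications directory.
audit_app_dir() {
    _dir=${1:-/Applications}
    if is_admin_user; then
        echo "account $(id -un) is an administrator"
    else
        echo "account $(id -un) is not an administrator"
    fi
    if app_dir_writable "$_dir"; then
        echo "$_dir is writable by this account without a password prompt"
    else
        echo "$_dir is not writable by this account"
    fi
    echo "app bundles in $_dir changed in the last 7 days: $(count_recent_apps "$_dir" 7)"
    recent_apps "$_dir" 7
}

# Usage: sh audit_apps.sh [directory]
audit_app_dir "$@"
```

A bundle that appears in the recent list and was not installed deliberately is worth a closer look, and an account that is both an administrator and has a writable Applications folder is exactly the setup the article describes; running day-to-day work from a standard (non-admin) account removes that condition.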
Sophos has charted the evolution of Mac-specific malware which it says is "advancing fast and taking many cues from the Windows malware scene".
Although Mac OS X is generally considered a safer operating system than Windows since it is a variant of the Linux OS, Mac users are still advised to use caution when visiting sites that claim to 'have a solution to viruses' or other potential issues that are inherent in today's cyber environment.
In other Internet security news
The U.S. military says it will play a major role in defending homeland America from cyber attacks, and this will include providing cybersecurity and improved protection to key infrastructure on U.S. soil.
Deputy assistant secretary of defense for cyber policy Robert Butler briefed a few senators in Washington yesterday on the plans. Butler said that the Defense department would of course safeguard its own .mil domain, but would also closely collaborate with the Departments of Homeland Security and Justice to guard and patrol the rest of America's cyber territory in a diligent manner.
Philip Reitinger, a DHS senior manager, seemed to imply that the military would lead on cybersecurity even in the domestic sphere. "We each bring unique experience to the initiative," he added. "The DOD (Defense Department) has unparalleled technical expertise and cyber expertise."
Giving a hint as to just which parts of America the military would be the most eager to secure, Butler stated that the U.S. armed forces are critically dependent on the civilian power network, telecoms, transport and many other sectors that are currently run using various computer networks.
"Just as our reliance on critical infrastructure has grown, so have the threats," Butler told the Senate homeland-security committee. His remarks were reported by the U.S. forces press service.
It is the U.S. military's mandate to protect the United States from threats both foreign and domestic, but nonetheless there will be those worried by the prospect of military intelligence and security agencies getting involved in utility companies' networks and databases, and we fully expect such concerns.
To some degree, this is already happening anyway. News emerged in 2010 that the National Security Agency (NSA) had set up a secret program called "Perfect Citizen", intended to place monitoring equipment on networks deemed to be of national-security importance, perhaps including those of utility companies.
This would allow the NSA to know exactly when attacks were happening, rather than relying on companies to realize this and then report it afterwards. But the prospect also existed that such equipment could allow pervasive monitoring of such items as whether a given property was occupied, or where a given car, truck or passenger train had been, and at what date and time.
At the time, the NSA insisted that Perfect Citizen was a research and engineering effort with no monitoring involved: neither the monitoring of communications nor the placement of sensors on utility company systems.
Nonetheless, the news that the NSA – whose chief is also in command of the uniformed Cyber Command and subsidiary single-service cyberwar units such as the 24th Air Force, 10th Fleet etc – is apparently to advise and guide, if not lead outright, U.S. domestic cyber security efforts may give rise to a little discomfort, as well as some reassurance to a few.
Source: David Harley.