Gasp! A major and unknown threat for OSX

[joe1946]

I have several Macs including the new 6-core Mac Pro and never had any of the security issues I have with my PC . I was a Windows fan boy for over 20 years because I like building my own PCs but after my first Mac in March 2009 ( 2.26Ghz Dual Core Mac Mini) I started to think about using Macs more often.

My current PC was built four years ago (6-core AMD, 6950 graphics, 256GB SSD boot drive , Windows 8.1) and some of the browsers are unusable with all of the malware even after MalwareBytes scans since the kids play games on it like Minecraft and click on the bad links out there. They use my older Mac Pro (2008 3.1 with 1TB PCIe SSD boot drive, Yosemite 10.10 beta ) to play Minecraft against the other on the PC and it never has the same malware issues like on Windows 8.1.

 

[jaked.902]

There are no known Viruses afflicting OS X, none seen in the wild that is, however there is plenty of Malware and Adware that OS X is vulnerable to: The Safe Mac » Tech Guides

 

[Randy B. Singer]

Apple is based on Linux, and there are far more viruses for Linux than Windows ever had.

Whenever someone tells you that there are "viruses" for OS X, ask them for an example (i.e. what its name is), and ask for a citation to an authoritative Web site about that virus that says that it is indeed something that is specific to the Mac and that the latest versions of OS X aren't already inoculated against it.

Tell them that you are only asking for one example.

That usually shuts up people who don't know what they are talking about.

 

[Randy B. Singer]

There are no known Viruses afflicting OS X, none seen in the wild that is, however there is plenty of Malware and Adware that OS X is vulnerable to: The Safe Mac » Tech Guides

The Safe Mac currently lists only 47 examples of malware for the Macintosh.
The Safe Mac : Mac Malware Guide
About half of these can safely be called "extinct" because they don't exist in the wild. The rest are mostly either of no concern because OS X's built-in XProtect system inoculates Macs against them (or an update to Java or Flash does the same), or they are so rare that just about no Mac users could find them even if they went out looking for them. (Several are targeted attacks in Asia.)

I don't know if this qualifies as "plenty" of malware. I'd characterize it as "nothing to be concerned about at this time as long as one takes simple and logical precautions, like keeping your software up to date."

I'm on over a dozen Macintosh discussion lists, and though most Mac users, by far, do without any sort of anti-virus software, you just about never hear any credible reports of anyone being infected by any sort of malware. (I say "credible" because recent switchers blame every problem on a suspected virus, though that is never really the cause of any of their problems.)

By contrast, there are well *over a million* pieces of malware for Windows!!!:
BBC NEWS | Technology | Computer viruses hit one million
(And this article was from 8 years ago!)
and Sophos says that they see over 95,000 new threats for Windows *every day*!!!
Top Ten Tips to Avoid the Regulatory Auditor's Wrath - Data Threat Detection and Prevention | Sophos Security Topics - Virus, Malware, Web, Antivirus and Social Media Security Trends - Cloud Antivirus, Endpoint, UTM, Encryption, Mobile, DLP, Server,
(See item #5.)

I'd say that we Mac users are in pretty good shape. The press has been saying that there will soon be a deluge of malware for the Mac since OS X was released...13 years ago. But that's because the press thinks that since Windows and the Mac OS look the same, they must be essentially the same. That's simply not the case. It's hard to write malware for the Mac, and when the bad guys do it, their efforts are nullified before they can realize a profit from doing so. So it's both hard, and there is a disincentive for doing so.

 

[midway40]

The media usually over-hypes these things anyway--on any OS platform.

"...there are far more viruses for Linux than Windows ever had ..."

I'm a relatively new Mac user and even I can see what an asinine statement this is.

 

[Rod]

Guess no matter what my complaints in Indonesia unlimited at 1.5 mgb down and 0.50 up is pretty good for $25/mth.

 

[Exodist]

Wow, that's some pretty horrendous speeds right there..I'm currently at $60/month for 75 Mbps up & down. I was at $40/month 50 Mbps down/25 Mbps up and recently upgraded..

You all beat me.. I am paying 2500 Ph Peso (about 60 USD) for 2.5 mega bit.. Takes me every bit of 5 hours to upload a 1GB video file.. Luckily download speeds are about 4 times faster.. 315k on average.. No limits though..

 

[Exodist]

Guess no matter what my complaints in Indonesia unlimited at 1.5 mgb down and 0.50 up is pretty good for $25/mth.

LOL I am just north of you in Mindanao.. About the same here..

 

[vansmith]

"Sir! You are wrong on that. Apple is based on Linux, and there are far more viruses for Linux than Windows ever had. I know that for a fact - Linux is what we run here and we are always having to update our antivirus."

This is the point at which you just say "nope" and walk out. Apple is a company, the product he's talking about (OS X), as you pointed out, is BSD based and Linux is even more secure that OS X. So much hurt in that one statement.

The rest are mostly either of no concern because OS X's built-in XProtect system inoculates Macs against them (or an update to Java or Flash does the same), or they are so rare that just about no Mac users could find them even if they went out looking for them. (Several are targeted attacks in Asia.)

[...]

I'm on over a dozen Macintosh discussion lists, and though most Mac users, by far, do without any sort of anti-virus software, you just about never hear any credible reports of anyone being infected by any sort of malware.

You can't say that malware is not a security threat when you start a discussion with ensuring that Apple's anti-malware solution is front and centre. That would be like a doctor saying "Rabies shots are great and you need one but there are no credible threats...".

 

[Randy B. Singer]

You can't say that malware is not a security threat when you start a discussion with ensuring that Apple's anti-malware solution is front and centre. That would be like a doctor saying "Rabies shots are great and you need one but there are no credible threats...".

I didn't say that malware is "not a security threat." Please don't put words in my mouth.

Precisely what I said was "I'd characterize it as nothing to be concerned about at this time as long as one takes simple and logical precautions, like keeping your software up to date."

My point isn't that there is no malware for the Macintosh. (Or, using your example, I'm not saying that there are "no rabies.") There is. It's just that, once again, stretching your example, we are all currently *already* inoculated against rabies. That is, there is no reason for anyone to become paranoid about rabies that you can't catch.

It's likely that one day there will be something nasty out there that we can all catch, but that day isn't today. When that day comes, we can all download anti-virus software if that seems like the best course.

 

[vansmith]

I didn't say that malware is "not a security threat." Please don't put words in my mouth.

I'm not putting any words in your mouth. Saying that there is nothing to be concerned about is equivalent to saying that it's not a threat. In other words, if there's nothing to be concerned about, logically there can't be a threat (threats, after all, are what they are precisely because there is a concern about something happening).

My point isn't that there is no malware for the Macintosh. (Or, using your example, I'm not saying that there are "no rabies.") There is. It's just that, once again, stretching your example, we are all currently *already* inoculated against rabies. That is, there is no reason for anyone to become paranoid about rabies that you can't catch.

This is a dangerous argument though. You can't make the claim that Mac users are inoculated (this itself is a dangerous word because, by definition, it implies immunity). It's also an interesting argumentative strategy to jump to the polar opposite response (paranoia). Why are there only two options? Why does one have to have blind faith in "inoculation" or be paranoid? Is there not a more reasonable middle ground (see below)?

Apple can't possibly account for all malware and if their rather unresponsive reaction to malware/exploits is anything to go by, I wouldn't be putting a whole lot of faith in XProtect.

It's likely that one day there will be something nasty out there that we can all catch, but that day isn't today. When that day comes, we can all download anti-virus software if that seems like the best course.

Vouching for reactive security against malware is terrible advice. Why not establish best computing practices now, encourage people to critically think about malware and be open to the idea that viruses and more pernicious malware is coming. Indeed, there's a reason that doctors often vouch for preventative medicine and not the reactive variety. At the very least, this mitigates the dangerous and often vehement complacency of Mac security experts.

I'm not saying that every user needs to go install A/V but there's a particular irony in effectively discrediting A/V companies now and saying that, when the time comes, faith in them will somehow magically manifest itself.

 

[Randy B. Singer]

I'm not putting any words in your mouth. Saying that there is nothing to be concerned about is equivalent to saying that it's not a threat. In other words, if there's nothing to be concerned about, logically there can't be a threat (threats, after all, are what they are precisely because there is a concern about something happening).

I think that you are arguing semantics where it really isn't necessary. "Threat" is a term of art that computer users tend to use to describe individual pieces of malware. But if you want to go back and isolate and finely define (or re-define) all of the terms used in this thread, I guess there would be no harm in that. I'm not interested in doing that myself, though. I think that folks understand what I'm saying.

I'm not saying that every user needs to go install A/V but there's a particular irony in effectively discrediting A/V companies now and saying that, when the time comes, faith in them will somehow magically manifest itself.

Once again, you are putting words in my mouth. I haven't said that AV companies are evil, that their products don't work, or anything like that. (But they do tend to exaggerate to sell their products. I don't think that anyone who knows computers would argue that.) I have said that most Mac users don't need their products right now, and I stand by that. But that doesn't "discredit" them. In another thread here on Mac-forums I've even linked to a comparison test that showed that some Mac AV software is surprisingly effective. It's effective against malware that no one here is likely to ever encounter, but it is effective nonetheless.

Vouching for reactive security against malware is terrible advice.

Where have I said that "reactive security" is the *only* way to go? Why do you insist on putting words in my mouth?

Sure, there are a number of small things that one can do to decrease one's potential exposure to malware: turn off Java in your browser (or don't install it at all if you don't need it), turn off "open safe files", don't click on links in e-mails if you aren't absolutely sure that they are to somewhere safe, etc.

Didn't I just recommend some of this to help folks avoid the Javascript scareware that fools folks into believing that it is Cryptolocker?

Why not establish best computing practices now, encourage people to critically think about malware and be open to the idea that viruses and more pernicious malware is coming.

And where have I said that Mac users shouldn't do all that? I've frequently given links to sites that instruct in such practices.

Why don't you write us a long post on "best computing practices" if you think that is important?

I certainly believe that more malware is coming. In fact I'd be willing to bet on it.

However, I wouldn't bet that it is sure to be "more pernicious." In fact, I believe that the MacDefender debacle, where the perpetrators were all caught and put into Russian prison after they spent a huge amount of time and money creating their Mac malware, will act as a cautionary tale to organized crime syndicates contemplating pursuing Mac malware as a viable means of making money.

Time will tell. But since Mac AV software doesn't work against as-yet unknown malware (it requires that a sample be found, examined, and that an update be created and pushed out to users), I certainly don't recommend that folks purchase AV software to protect themselves from malware that doesn't exist yet, and which may never exist, or which may at some point exist but never be a concern.

 

[MToo]

Not so fast. Just had a lock up that would not permit booting from internal drive, by locking out the keyboard. Had to go in by Safe mode and repair the disk 8 times before a partial boot worked. The repair reported 98,000 file permissions repaired. That don't happen by accident. Not without loss of data.

And it's not a fluke. Same thing happened last year, and the Apple store could not repair it. Got a manual (should come with the mac) and again fixed permissions manually. Found my Admin id erased and an unknown admin in it's place. Again that don't happen by accident.

Malware is out there. And you can't fix a problem until you admit you have one.

 

[MToo]

The error message I received saying this post was not received was in error.

 

[Randy B. Singer]

Not so fast. Just had a lock up that would not permit booting from internal drive, by locking out the keyboard.

Did your machine do anything typical of malware, such as throw up a ransom notice? Did a run of anti-virus software identify a known piece of malware?

Unless you can point to something that indicates that there was malware at work, and/or you can show that you aren't the only person in the entire world to have encountered the effects of this alleged malware, then what you encountered was more than likely simply a hardware or a software problem. Computers aren't perfect, they can have problems without malware being introduced. Paranoia doesn't make the existence of a new piece of malware fact.

 

[MacInWin]

Had to go in by Safe mode and repair the disk 8 times before a partial boot worked.

What is a "partial boot?" Either it booted or it didn't. And I suspect that a vast majority of the file permissions fixed were ACL present and not expected, which is AFAIK, meaningless.

 

[Randy B. Singer]

I suspect that a vast majority of the file permissions fixed were ACL present and not expected, which is AFAIK, meaningless.

These messages aren't meaningless, but generally they are not a cause for concern. They aren't error messages, and they don't mean that anything has been, or necessarily needs to be repaired.

If you are a Unix geek, when you do things like repair permissions from the command line the system gives you more than just error messages, it gives you *informational messages* that you may or may not want to act on. (This assumes that you understand how Unix works, and that you know what you are doing and what might be a good idea to do or not to do.) These informational messages are not something that should scare you. They are not necessarily indicative that anything is wrong. They exist to give advanced users helpful information for maintaining the computer. The only thing that is wrong is that Disk Utility isn't shielding normal users from more information than they know how to deal with.

For instance, you commonly see this when repairing permissions: "Warning: SUID file X has been modified and will not be repaired" SUID means "Set User ID." Every process that runs on your Mac (use Activity Monitor to see them all) runs 'as' a known user. That is each process has the rights, privileges and restrictions set for a particular user. When you run something it runs as you, with your rights, privileges and restrictions. However some things need a different set of rights, privileges and restrictions in order to do their job. Some need more rights than you have, some are more secure if more restricted, and some, like webservers (web sharing) and mysql servers, need specific settings. A SUID file is an executable application file that is set to be owned by a user that has the required rights, privileges and restrictions, and has the 'suid' bit set in its permissions. Whenever that application is run, whoever it is run by, it runs as the user set to be its owner.

One example is 'usbmuxd' - the USB multiplexer daemon. It controls all the traffic through your USB ports. It has to be running early in the boot sequence before the keyboard is required, and so would be started as 'root'. This would be rather dangerous, so there is a special user called '_usbmuxd' with much restricted abilities, and the usbmuxd is SUID so that it runs with those restrictions when started.

There are also application binaries that are SUID 'root' so that even though you start them (or your login sequence does) they run with full root privilege because they need wider access in order to work. For instance 'ccc_helper' (part of Carbon Copy Cloner, the clone backup program) runs as root because it needs to be able to copy files that an ordinary user doesn't have privileges to read. It is automatically installed that way.

Obviously making sure that only the correct files are SUID is quite important. If you are a unix administrator those SUID messages allow you to make sure of that. If you are an ordinary Mac user, you don't need to see such messages and they can only serve to confuse and possibly scare you. At different times, and with different versions of OS X, Apple has fixed things so that informational messages don't appear when repairing permission in Disk Utility. But for some reason new versions of Disk Utility keep appearing where this fix has been reversed. But be assured that these information messages aren't anything to be concerned about. See:

Mac OS X: Disk Utility's Repair Disk Permissions messages that you can safely ignore

 

[MacInWin]

From the Apple paper cited:

You can also usually ignore any "ACL found but not expected..." message. These messages can occur if you change permissions on a file or directory; they are accurate, but generally not a cause for concern.

From Dictionary.com, definition of "meaningless":

without meaning, significance, purpose, or value; purposeless; insignificant:

So, those messages are without value, insignificant, therefore, meaningless.

Yes, it's pedantic, but I stand by what I said.

 

[Randy B. Singer]

From the Apple paper cited:
From Dictionary.com, definition of "meaningless":
So, those messages are without value, insignificant, therefore, meaningless.

Yes, it's pedantic, but I stand by what I said.

Well, they may be without value to *you*. But intrinsically those messages have meaning, and they are valuable to those who know what to do with the knowledge they impart.

 

[MacInWin]

Heh! I'd also say they were of little or no value or purpose, as Apple says to ignore them as "not a cause for concern." But if you find them of value, enjoy them!