About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Home » Learning Curve

The First Real Malware?

Discount it to inexperience or hysteria but it's not true and most importantly it's not relevant.


Buy It

Try It

First we had the professional losers at Microsoft going 'hahahaha' because Apple's OS might just have a single attack vector when they have hundreds of thousands.

Now it's hysteria going in the other direction: for some reason an increasing number of sites/blogs/posts are claiming this silly ARDAgent exploit is the 'first malware for the Mac'.

Which of course is utter nonsense. But it's also irrelevant.

Why It's Nonsense

Professional security hats have been hacking into Apple's OS X all along. They've also been hacking into Linux, FreeBSD, and all the rest. People forget things. No system is secure out of the box - it has to be configured to be secure. And things change all the time. As Charlie Miller's pointed out.

[Security people don't hack into Windows - they just look and breathe in its general direction. Ed.]

Some of these 'exploits' turn into serious malware; others don't. There's the 'rm My Mac' campaign which showed how easy it could be for a serious security guru to achieve privilege escalation on OS X.

[Unbelievably enough there were people who protested about that one - and thereby revealed how little they understand. Ed.]

Opener's got to be the all-time greatest and most significant 'malware' for OS X. Like all the exploits seen up to now it's a case of 'exceptions to the rules': the basic security model's OK but there's a chink in the armour that needs to be fixed.

[Don't try talking to Microsofties about security models - they've never heard of them. Ed.]

Oompa Loompa was also a cute piece of work - and was particularly interesting because it didn't use 'chinks in the armour': Oompa Loompa exploited outright design flaws. Not in Unix - in Apple's 'revision' of Unix.

Both the Opener hole and the Oompa Loompa hole have since been patched.

The Month of Apple Bugs also produced a plethora of information.

Why It's Irrelevant

Trojans like the PokerGame trojan circulating around are irrelevant - unless you get hit - because ultimately they're no big deal. Shit happens. But it's not like - as with Windows - getting a whole lorry of fertiliser dumped on you.

Anybody can in theory put a trojan in any application. Rixstep demonstrated long ago it's relatively simple to fake an Apple authentication dialog to steal user passwords; shit happens.

You don't need root to toast someone. You can create an install script - much like iTunes 2.0 - that doesn't ask for a password but simply executes the following.

# Toast the sucker's entire home directory
rm -fr ~

The lesson to be learned here is: anybody can trick anybody at any time and it's got nothing to do with security holes. You're never to run unknown or untrusted software, say Apple over and over. Like Microsoft said in May 2000 about mail attachments.

And if you don't take proper precautions shit will happen. But that's not to say the sky is falling. For it is not.

The ARDAgent trojans are not the first. Not that it matters. And not that it's relevant.

See Also
Learning Curve: A Suggestion
Industry Watch: You're Root, Dude!
Industry Watch: You're Toast, Dude?
Learning Curve: The First Real Malware?
Learning Curve: Apple Redefine 'Epic FAIL'?
Industry Watch: It's Not New It Starts with 10.2
Apple Developer Connection: AppleScript Overview
Industry Watch: Huge, Crazy, Ridiculous OS X Security Hole
Apple Developer Connection: Apple Events Programming Guide

About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.