Rixstep

Playing 'Mac-A-Mole' with Apple Computers

It's a silly game.


EVERYWHERE (Rixstep) — The scourge of Mac Defender continues. Apple released a so-called 'security update' to take care of the attack but the Mac Defender people issued an update even before Apple that completely circumvented the new signature list.

Building defences on signature lists is stupid anyway. No one in the AV industry believes in them even though they continue to peddle them as a universal panacea. The notorious Zeus can't be stopped with signature lists and McAfee's George Kurtz is working on a new method of rooting out malware that's not based on signature lists - a method that would seem to build on kernel access and on looking 'upwards' through the stack to detect interlopers.

Not a Hack

The Mac Defender attack is not a hack in the ordinary sense of the word - it's a concerted project that's probably been going on for half a year. Peter Szor outlined how the project came to fruition in a revealing blog post the other day.

'This attack is impressive in the manner in which it can trick the user', wrote Szor. 'Through JavaScript, it makes Safari appear as if a fake scan is taking place in a search for 'threats' while the actual window uses elements from Finder.'

Impressive and impressive: any reasonably seasoned Mac user should immediately recognise the hoax for what it is.

But the actual attack is only the culmination of a lot of preparatory work, says Szor.

  1. The first thing the Mac Defender crew did was attack FTP logins. They needed a few hundred successful attacks to move to the next step. Szor points out that FTP servers often store passwords in the clear or in easily recoverable forms.

  2. Now it was time to begin uploading PHP scripts to the compromised sites. The PHP scripts are capable of generating a lot of HTML content. The crew used a sophisticated automation process to identify Google search keywords and combine them with top Google image searches.

  3. The generated pages are linked into the actual content of the hacked websites. So teh Googles start indexing them. The Mac Defender crew also used 'no cache' requests to make it more difficult to identify the sites after the fact.

  4. Sit and wait. The Mac Defender crew submitted the URLs to Google to get things working faster, but still and all. Once their pictures were populated to Google image searches, the unwashed masses started clicking on them. That too took time. Finally the search results started showing the infected URLs on the first page.

  5. Now the Mac Defender crew started distributing the malware - the fake AV products. One for Windows and one for sophisticated Mac users.

First Version Not a Win

The first version of Mac Defender for Mac OS X wasn't a complete success. It was wrapped in a 'package' which summons Apple's own Installer.app. Through an oversight or simply because the Mac Defender crew later found out how to bypass authentication requirements, the first version demanded a root password.

This in itself only put another speed bump in the way of system compromise. Anyone falling for the ruse is either a raw beginner or a full-blown idiot. Anyone keeping Apple's 'user experience engineer' setting for Safari to automatically run downloads is an idiot. (Apple's user experience engineers are already known to be idiots.)

Getting told you need to submit your password to allow an unknown process to gain unfettered access to your computer - and submitting it without thinking - is also the sign of a raw beginner / full-blown idiot / Apple user experience engineer.

But several hundred thousand Mac users did submit their passwords and got royally shafted. The ruse didn't actually discover any malware and it didn't eradicate any foul play but it sure did take your credit card details!

Now what if you panicked and ran to Mother Steve? You expected Apple to help you? Not quite.

Apple only help if you haven't got past the password prompt. Otherwise they don't tell you a thing even though Mac Defender can easily be removed from your system. Apple grunts on the AppleCare hot lines and in the 'Genius Bar' are instead supposed to recommend useless antivirus software - and expected to come up with suggestions of their own based on what Apple get a cut on in their own App Store.

And if that doesn't make you feel all warm and fuzzy inside then what will?

Here's the official list of what Apple grunts are not allowed to do for you when you ring up about Mac Defender.

  • Show you how to force quit Safari
  • Show you how to take Mac Defender out of your login items.
  • Show you how to use Activity Monitor or the command line to kill Mac Defender.
  • Refer you to any discussion forums at all - not just Apple's but anybody's.
  • Give you hints. Once the customer mentions 'Mac Defender', they have to clam up.
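Three of the items on that list (force quit, login items, kill from the command line) are ordinary process-removal steps any Mac user can do without AppleCare. The script below is an added example, not Rixstep's or Apple's code, showing the command-line version in portable POSIX sh so it behaves the same on macOS and Linux: list the live processes with a given command name, show who owns them and what they are before touching anything, then send SIGTERM and escalate to SIGKILL only for survivors. The process name is something the operator supplies; 'mdefender_demo' in the comments is a constructed placeholder, not the real name of any malware binary.

```shell
#!/bin/sh
# Added example (not from Rixstep or Apple): terminate a process by name from
# the command line. Relies only on POSIX ps keywords (pid, stat, comm, args),
# which both the macOS and Linux ps implementations accept.

# Print the PIDs of live processes whose command name is exactly NAME.
# Zombies (state Z) are skipped: they are already dead and cannot be killed.
# macOS ps reports the executable path in 'comm', so compare the basename.
pids_named() {
    ps -eo pid=,stat=,comm= | while read -r pid stat comm; do
        if [ "${stat#Z}" = "$stat" ] && [ "${comm##*/}" = "$1" ]; then
            printf '%s\n' "$pid"
        fi
    done
}

# Show owner, parent PID and full command line for each match, so the operator
# can confirm what is about to be killed (the Activity Monitor view, in text).
triage_named() {
    for pid in $(pids_named "$1"); do
        ps -o pid=,user=,ppid=,args= -p "$pid"
    done
}

# Send SIGTERM to every process named NAME, wait up to TIMEOUT seconds (default 5)
# for them to exit, then SIGKILL anything still running. Returns 0 only when no
# process by that name is left.
kill_named() {
    name="$1"
    timeout="${2:-5}"
    pids=$(pids_named "$name")
    if [ -z "$pids" ]; then
        echo "no running process named '$name'" >&2
        return 1
    fi
    for pid in $pids; do
        kill -TERM "$pid" 2>/dev/null || true   # may already have exited
    done
    # Give the processes a chance to shut down cleanly before escalating.
    i=0
    while [ "$i" -lt "$timeout" ] && [ -n "$(pids_named "$name")" ]; do
        sleep 1
        i=$((i + 1))
    done
    forced=0
    for pid in $(pids_named "$name"); do
        kill -KILL "$pid" 2>/dev/null || true
        forced=$((forced + 1))
    done
    [ "$forced" -gt 0 ] && sleep 1             # let the kernel reap them
    echo "signalled: $(echo "$pids" | wc -l | tr -d ' '), force-killed: $forced"
    [ -z "$(pids_named "$name")" ]
}

# Usage: sh killbyname.sh NAME [TIMEOUT]   e.g.  sh killbyname.sh mdefender_demo 5
# (script filename is hypothetical). With no arguments nothing is touched.
if [ -n "$1" ]; then
    triage_named "$1"
    kill_named "$1" "$2"
fi
```

Matching on the exact command name rather than a substring matters: a loose `pkill -f` pattern will happily take out Safari, a shell, or the operator's own terminal if the string appears anywhere in their arguments. Removing a login item is a separate step; killing the process only clears it until the next login.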

Here's the beauty of it: your inquiry is logged as 'Non Technical Third Party Complaint' with 'Mac Defender' added to the product configuration section.

And people don't believe Steve Jobs when he tells everyone he really is an asshole.

Stupidity Should Be Painful

Stupidity should be painful. Raw beginners have an excuse but seasoned users and full-blown idiots do not. Yet Apple are caught between a rock and a hard place here. For people will conclude either that Apple's platform is insecure (which it is not) or that most Mac users are full-blown idiots.

This of course is completely notwithstanding the fact that hundreds of millions of Windows users demonstrated their own infallible stupidity by clicking on ILOVEYOU.txt some eleven years ago. Or clicking on links for naked pictures of tennis star Anna Kournikova.

Or clicking for screenshots of an upcoming version of Mac OS X.

Stupidity's been here and gone on Apple's 'rock solid foundation'. But the issue isn't a chink in the armour - unless it's true the Mac Defender crew hacked Apple's jackass authentication hack.

Unless Apple faces up to the security issues its users face, its reputation for making secure operating systems, already damaged by its mishandling of these recently discovered vulnerabilities, will be further tarnished.
 - John Leyden, The Register, May 2004

Special Links
Rixstep Coldspots: .SoftwareUpdateAtLogout
Digg: How a Malformed Installer Package Can Crack Mac OS X
Mac Geekery: How a Malformed Installer Package Can Crack Mac OS X
CNET Reviews: Securing your Mac from the new MacGuard malware variant

'I didn't have to enter my password to update. Is this typical for everyone?'
 - 'zapblast' at the MacRumors forums
'The media buzz over Opener went on the better part of a month and was then forgotten, but the fact remains that it is the single biggest security hole ever in the history of modern operating systems. No other operating system has ever offered such effortless escalation to superuser.'
 - Rixstep Industry Watch on Opener 3.9

See Also
The Technological: Apple Customer Support
McAfee: The Art of Fake Antivirus Software
Rixstep Industry Watch: The Legend of Oompa Loompa
Rixstep Coldspots: .SoftwareUpdateAtLogout Revisited
Rixstep Industry Watch: More on Mac Defender/MacGuard
Rixstep Coldspots: Statement on the MacGuard Exploit

Industry Watch: Opener 3.9
Learning Curve: Rooting 10.5.4
Developers Workshop: 061-7784
Industry Watch: Get Root on 10.5.4
Industry Watch: ARDAgent Here to Stay?
Coldspots: The Strange Case of Safari 4.0.5
Learning Curve: Of Sticky Bits & Preferences
Learning Curve: ARDAgent on Snow Leopard
Hotspots: SLIPOC — Root Exploit of Mac OS X
The Technological: Walking into an Apple Store
Red Hat Diaries: Number One at Almost Everything
Learning Curve: Symantec's OS X Threat Landscape
Learning Curve: Rootkits Roam the World of Windows
Industry Watch: For Apple, This is the Year That Wasn't

Copyright © Rixstep. All rights reserved.