Re: [Full-disclosure] mac trojan in-the-wild

2007-11-05 Thread Paul Schmehl
--On Monday, November 05, 2007 14:54:52 -0400 Dude VanWinkle 
<[EMAIL PROTECTED]> wrote:

> On 11/2/07, reepex <[EMAIL PROTECTED]> wrote:
>> I guess you never heard of full disk encryption, finger print readers, or
>> caged machines.
>
> Well, caged machines fall outside of the "don't have physical security"
> issue.
>
> Fingerprint readers don't have anything to do with physical security,
> unless they are tied to encryption software.
>
> as for the full disk encryption: You got me there. That will protect you
>
And, of course, the number of people who actually *have* full disk 
encryption and are *using* it is somewhere just north of 1 or 2% right now.

A good encasement of concrete will work fairly well, especially if it's 
strong enough to withstand a nuclear blast.

But then, we *were* talking about the unsophisticated average Mac user, 
whose understanding of this trivia would be close to nil.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] mac trojan in-the-wild

2007-11-05 Thread Dude VanWinkle
On 11/2/07, reepex <[EMAIL PROTECTED]> wrote:
> I guess you never heard of full disk encryption, finger print readers, or
> caged machines.

Well, caged machines fall outside of the "don't have physical security" issue.

Fingerprint readers don't have anything to do with physical security,
unless they are tied to encryption software.

as for the full disk encryption: You got me there. That will protect you

-JP

>
>
>
> On Nov 2, 2007 3:51 PM, Dude VanWinkle <[EMAIL PROTECTED] > wrote:
> >
> > On 11/2/07, J. Oquendo <[EMAIL PROTECTED] > wrote:
> > > Dude VanWinkle wrote:
> > >
> > > > A program installed under false pretenses that will give the
> > > > author/distributer remote access to the victim machines.
> > >
> > > Right... Guess those local are not a threat.
> >
> > ?? Local to the machine??
> >
> > all prevention methods fail if physical security is compromised.
> >
> > There is nothing short of hooking a claymore to the inside of your
> > case that will stop someone knowledgeable who has physical access to
> > your machine from doing whatever they want
> >
> >
> >
> > > Vranisaprick is that you
> >
> >
> > ?
> >
> >
> > > > -JP
> >
> >
> >
> >
>
>



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-05 Thread Peter Besenbruch
> On Thu, Nov 01, 2007 at 03:36:00PM -1000, Peter Besenbruch wrote:
> > Firefox throws up a download dialog, asking what I should do
> > with "prettyyoungthing.rpm," while a Javascript pop-up explains that to
> > see these great images, I need to save the file, and type "rpm -i
> > prettyyoungthing.rpm," and that I need to do it as root.

On Monday 05 November 2007 00:34:18 Ben Wheeler <[EMAIL PROTECTED]> wrote:

> Ok, let's make it easier. What can you install with one click, or maybe
> two, but definitely just
> clicky-clicky-don't-bother-to-read-it-just-click-ok rather than having to
> type anything? A: Firefox extension. As well as ripping off your internet
> banking login details (probably more valuable than pwning your machine
> anyway), maybe it can add a special MIME type which opens with an
> application that prompts, as innocuously as possible, for the root pw so it
> can install a "new codec" or whatever.

Yes, but now you are talking about a different kind of exploit than what has 
been previously discussed. We were, in fact, discussing the kind of exploits 
that owned machines. What you raise is a separate issue that should be 
discussed in a separate thread.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-03 Thread David Harley
> you'll be *prompted* for 
> the root password, not asked to run it as root.  Big 
> difference, and one that many users do not appreciate at all.

Good point. A lot has been made of the number of steps involved, but if you
accept the manifest impossibility that -any- Mac user would ever fall for
social engineering, it really isn't that hard to wind the garrotte round
your own neck.

--
David Harley
AVIEN Interim Administrator: http://www.avien.org 
http://www.smallblue-greenworld.co.uk  





Re: [Full-disclosure] mac trojan in-the-wild -- antair restored

2007-11-02 Thread gjgowey
Apologies for the cut-off posting (antair did it), but I have a few ideas that 
I've yet to see mentioned anywhere.  Maybe they exist already under a different 
name, but here's my two cents on how to fix this mess.

My approach is through the implementation of multiple mechanisms in the OS.

1) any file (executable, library, registry entry) that needs to be overwritten 
for an upgrade should be done in such a manner that the original is recoverable 
(à la Subversion/CVS recoverability).  This should be monitored and enforced by 
the OS.  Windows sort of gets this right with System Restore, but there's no 
advanced menu to allow for a more granular selection of what's to be restored, 
and that's problematic at best.

2) each program should be executed in a separate environment that has roll-back 
and security capabilities, not just disposability.  This is sort of an extension 
of what Sandboxie does, and then some.  By security capabilities I mean being 
able to fine-tune the read/write access to certain directories, so that if I 
want to wall off certain directories in My Documents from, say, IE, then I can 
do so.  Currently Sandboxie does not offer any granular security controls, just 
disposability.

The roll-back feature would be to allow modifications to occur in each 
segregated environment, but have the capability to roll back the changes of an 
individual environment without requiring a full system rollback.  This would 
allow a damaged environment to be restored without disturbing the whole system. 
 

Obviously I have drawn on Sandboxie heavily here, and for good reason.  Neither 
chroot, SELinux nor anything else that I've seen allows applications to run in 
the native environment with access to the native executables and other files, 
but puts up a transparent barrier between the running program and actually 
modifying pre-existing files.  Ideally, the operating system itself should 
have all the above features.

The strategy du jour seems to be that users should have a good backup strategy 
and be prepared to completely reinstall when something breaks, which simply 
isn't feasible for the majority of the population of computer users.  Isn't it 
time that we have an OS that takes a different approach to read/write access, 
security, and backing up?  Total unmitigated read/write access, where one rogue 
program can sink a whole system or send your confidential information all over 
the internet, is the real problem.  The current security model of access 
controls is simply inadequate for today's dynamic environment.

The problem with the security model that presently exists is that it stems from 
the Unix era, when programs were not loaded on by the tonnage and what was loaded 
on didn't change often.  All that was of concern was what data the users could 
access with the pre-loaded programs on the system.  With today's systems it 
simply is not like that anymore, as today's home user is not the grizzled systems 
administrator of old.  Time for a new approach that melds recoverability with 
security is what I say.

Geoff 


Sent via BlackBerry from T-Mobile

-Original Message-
From: [EMAIL PROTECTED]

Date: Fri, 2 Nov 2007 20:24:45 
Subject: re: mac trojan in-the-wild -- antair restored


That's an interesting figure (86% that is).  Can you give us some
insight into what you define as "user interaction"?

If it is clicking a link or reading an HTML email, then OK.  If it is
opening an .exe from an email, I'd like to see what client you are
talking about and what environment (meaning, what OS/email client and
what did they have to do to get it to run).  But specifically, how many
were exploits where a user had to visit an untrusted site, download an
executable, run it, and explicitly give it administrative credentials to
run?  Not just people running as administrator, but typing in the admin
account credentials to run it as administrator as one has to do on OSX?
My guess (and I'd really like to see details on your findings) is that
most "interactive" issues are the more "trivial" interactive issues
(like clicking a link and launching a vulnerable version of IE). 

But more importantly, let's look at things from the other side.  Let's
say I'm wrong, and that Gadi is right on target with his "hit hard"
prediction and that we should be very concerned with this.  Given the
requirements here, that again being flagrant ignorance where all the
above steps are executed (including the explicit admin part)-- what
exactly are we supposed to do?  If people are willing and able to go
through the motions above what can we as security people do to prevent
it?  Far too many people in this industry are far too quick to point out
how desperate the situatio
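The two mechanisms Geoff sketches above (overwrites that keep the original recoverable, and per-program environments with their own roll-back and walled-off directories), as an added example that is not part of the original post and is not Sandboxie's or any OS's code: a small Python model in which each program writes to a private copy-on-write overlay, sees its own changes but never alters the native tree until commit, can be rolled back on its own, is refused access to the directories named in `denied`, and has every native file it replaces on commit kept as a numbered version that `restore()` can bring back one file at a time. The `Sandbox` and `demo` names, the `bin/app` and `docs/secret.txt` files and their contents, and the `docs` wall are constructed for illustration. The path-escape check is my addition, since any such barrier has to reject `..` and absolute paths before a per-directory policy means anything.

```python
import shutil
import tempfile
from pathlib import Path, PurePosixPath


def _key(rel):
    """Flatten a relative path into a backup file name."""
    return PurePosixPath(rel).as_posix().replace("/", "__")


class Sandbox:
    """Constructed model: per-program copy-on-write overlay with roll-back and walls."""

    def __init__(self, base, denied=()):
        self.base = Path(base)                                       # native tree
        self.overlay = Path(tempfile.mkdtemp(prefix="sbx-upper-"))   # this program's writes
        self.backups = Path(tempfile.mkdtemp(prefix="sbx-backup-"))  # versions of replaced files
        self.denied = [PurePosixPath(d) for d in denied]             # walled-off directories

    def _check(self, rel):
        """Reject paths that escape the tree or enter a walled-off directory."""
        rel = PurePosixPath(rel)
        if rel.is_absolute() or ".." in rel.parts:
            raise PermissionError(f"path escapes sandbox: {rel}")
        if any(rel == d or d in rel.parents for d in self.denied):
            raise PermissionError(f"{rel} is walled off")
        return rel

    def read(self, rel):
        rel = self._check(rel)
        upper = self.overlay / rel                      # the program sees its own changes...
        return (upper if upper.exists() else self.base / rel).read_bytes()

    def write(self, rel, data):
        rel = self._check(rel)                          # ...while the native file stays untouched
        upper = self.overlay / rel
        upper.parent.mkdir(parents=True, exist_ok=True)
        upper.write_bytes(data)

    def rollback(self):
        """Discard only this environment's changes; nothing else is disturbed."""
        shutil.rmtree(self.overlay)
        self.overlay.mkdir()

    def versions(self, rel):
        """Saved copies of a native file, oldest first."""
        return sorted(self.backups.glob(f"{_key(rel)}@*"),
                      key=lambda p: int(p.name.rsplit("@", 1)[1]))

    def commit(self):
        """Apply the overlay to the native tree, saving every file it replaces."""
        applied = sorted(p.relative_to(self.overlay).as_posix()
                         for p in self.overlay.rglob("*") if p.is_file())
        for name in applied:
            dst = self.base / name
            if dst.exists():                            # mechanism 1: original stays recoverable
                n = len(self.versions(name))
                shutil.copy2(dst, self.backups / f"{_key(name)}@{n}")
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(self.overlay / name, dst)
        self.rollback()
        return applied

    def restore(self, rel, version=-1):
        """Put one file back from a saved version; no whole-system rollback needed."""
        saved = self.versions(rel)
        if not saved:
            raise FileNotFoundError(f"no saved versions of {rel}")
        dst = self.base / rel
        shutil.copy2(saved[version], dst)
        return dst.read_bytes()


def demo():
    """Constructed scenario: a rogue program, then a legitimate upgrade."""
    base = Path(tempfile.mkdtemp(prefix="sbx-base-"))
    (base / "bin").mkdir()
    (base / "docs").mkdir()
    (base / "bin" / "app").write_bytes(b"app v1")
    (base / "docs" / "secret.txt").write_bytes(b"bank login")
    sb = Sandbox(base, denied=["docs"])
    r = {}

    # Rogue program: backdoors the binary, then goes after the walled-off documents.
    sb.write("bin/app", b"app v1 + backdoor")
    for attempt in ("docs/secret.txt", "../etc/passwd"):
        try:
            sb.read(attempt)
            r[attempt] = "readable"
        except PermissionError:
            r[attempt] = "blocked"
    r["rogue_sees"] = sb.read("bin/app")
    r["system_sees"] = (base / "bin" / "app").read_bytes()
    sb.rollback()                                       # mechanism 2: drop just this environment
    r["after_rollback"] = sb.read("bin/app")

    # Legitimate upgrade: committed, but the old binary stays recoverable.
    sb.write("bin/app", b"app v2")
    sb.commit()
    r["upgraded"] = (base / "bin" / "app").read_bytes()
    r["restored"] = sb.restore("bin/app")
    r["versions"] = len(sb.versions("bin/app"))
    return r
```

A real implementation does the interception in the kernel, with a copy-on-write filesystem layer for the overlay and a mandatory access-control policy for the walls; the model only shows the bookkeeping those two pieces have to agree on, and why a rollback of one environment and a restore of one file are different operations.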


Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread Simon Smith
I beg to differ, a claymore is a bit large... it would have to be
something a bit smaller, especially if it's a laptop.

reepex wrote:
> I guess you never heard of full disk encryption, finger print readers,
> or caged machines.
> 
> 
> On Nov 2, 2007 3:51 PM, Dude VanWinkle <[EMAIL PROTECTED]
> > wrote:
> 
> On 11/2/07, J. Oquendo <[EMAIL PROTECTED]
> > wrote:
> > Dude VanWinkle wrote:
> >
> > > A program installed under false pretenses that will give the
> > > author/distributer remote access to the victim machines.
> >
> > Right... Guess those local are not a threat.
> 
> ?? Local to the machine??
> 
> all prevention methods fail if physical security is compromised.
> 
> There is nothing short of hooking a claymore to the inside of your
> case that will stop someone knowledgeable who has physical access to
> your machine from doing whatever they want
> 
> 
> 
> > Vranisaprick is that you
> 
> 
> ?
> 
> 
> > > -JP
> 
> 
> 
> 
> 
> 


-- 

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread reepex
I guess you never heard of full disk encryption, finger print readers, or
caged machines.


On Nov 2, 2007 3:51 PM, Dude VanWinkle <[EMAIL PROTECTED]> wrote:

> On 11/2/07, J. Oquendo <[EMAIL PROTECTED]> wrote:
> > Dude VanWinkle wrote:
> >
> > > A program installed under false pretenses that will give the
> > > author/distributer remote access to the victim machines.
> >
> > Right... Guess those local are not a threat.
>
> ?? Local to the machine??
>
> all prevention methods fail if physical security is compromised.
>
> There is nothing short of hooking a claymore to the inside of your
> case that will stop someone knowledgeable who has physical access to
> your machine from doing whatever they want
>
>
>
> > Vranisaprick is that you
>
>
> ?
>
>
> > > -JP
>

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread Dude VanWinkle
On 11/2/07, J. Oquendo <[EMAIL PROTECTED]> wrote:
> Dude VanWinkle wrote:
>
> > A program installed under false pretenses that will give the
> > author/distributer remote access to the victim machines.
>
> Right... Guess those local are not a threat.

?? Local to the machine??

all prevention methods fail if physical security is compromised.

There is nothing short of hooking a claymore to the inside of your
case that will stop someone knowledgeable who has physical access to
your machine from doing whatever they want



> Vranisaprick is that you


?


> > -JP



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread J. Oquendo
Dude VanWinkle wrote:

> A program installed under false pretenses that will give the
> author/distributer remote access to the victim machines.

Right... Guess those local are not a threat.

> -JP

Vranisaprick is that you


-- 

J. Oquendo

SGFA (FW+VPN v4.1)
SGFE (FW+VPN v4.1)

"I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent." Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E




Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread Dude VanWinkle
On 11/2/07, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> (there are no
> absolutely hard and fast definitions of "Trojan" in this context,

A program installed under false pretenses that will give the
author/distributer remote access to the victim machines.

Bam!

:-)

-JP



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread David Harley
> Actually, on that same note, I recently did an analysis of 
> the last three years of published Windows vulnerabilities.

Thanks, Roger. That's a really useful, apposite and timely item. 

--
David Harley
AVIEN Interim Administrator: http://www.avien.org 
http://www.smallblue-greenworld.co.uk  

> 86% required local end-user interaction (i.e. social 
> engineering) to be pulled off.
> http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider-threats_1.html
> 
> I didn't analyze Linux or BSD threats, but my gut feeling 
> puts them at the same level or even higher.
> 
> With 86% or more of the past threats requiring social 
> engineering to pull off, we can safely say the "future" you 
> state below is here now.
> 
> Now, what is interesting is that any exploit requiring social 
> engineering to work has so far been less of a problem than 
> the vast majority of "remote buffer overflow" exploits like 
> the Blaster and SQL worms.  Social engineering-required 
> malware still works, and works well, but not with the same 
> success of remote buffer overflow malware. There is very 
> little we in the security space can point to as a 
> success...but the overall decrease in remote buffer overflows 
> is one.  Unfortunately, the social engineering malware is 
> getting better day-by-day. We can no longer count on 
> mispellings (sic) and bad grammar to be malware indicators. 
> Our users, regardless of the OS, are ready as ever to click 
> on interesting content, malicious or not. We've got to design 
> our defenses to pay more attention to client-side attacks, 
> but it is the weak point now, not in the future.
> 
> Roger
> 
> *
> *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, 
> CISA, MCSE: Security (2000/2003), CEH, yada...yada...
> *email: [EMAIL PROTECTED] or [EMAIL PROTECTED] 
> *Author of Windows Vista Security: Securing Vista Against 
> Malicious Attacks (Wiley) 
> *http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
> *
> 
> 
> -Original Message-
> From: Alex Eckelberry [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, November 01, 2007 5:49 PM
> To: Thor (Hammer of God); Gadi Evron; [EMAIL PROTECTED];
> full-disclosure@lists.grok.org.uk
> Subject: RE: mac trojan in-the-wild
> 
> The future of malware is going to be largely through social 
> engineering.
> Does that mean we ignore every threat that comes out because 
> it requires
> user interaction?  Seems like whistling past the graveyard to me. 
> 
> Alex
> 



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread Dude VanWinkle
On 11/1/07, nnp <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> I'm not sure if you accidentally quoted my reply or not there, because
> if you did you're completely missing my point. My issue is with the
> format and content (or lack thereof) of the first post, I don't think
> I mentioned the iPhone, *BSD, MS or at any stage said anything at all
> that would indicate I was taking any side in the 'which OS sucks more
> balls than any other' debate.

With respect to my OSX comments: I was just trying to point out there
are some similarities (9X vs OSX) as far as consumer confidence and
education. It took Blaster and 66k other viruses before the average
Windows user knew what a computer virus was. Will it take the same
level of SNAFU for Apple customers to know they shouldn't click on a
text file that has #!/bin/sh, or have they learned from Windows
mistakes that you only need to worry about .bat and .exe files? Only
time will tell. (I know it asks if you want to display or run the
files.)

With respect to which OS is better: The OS you know how to best use is
the better of the two. I will take education over default
configuration any day.

With respect to the iPhone comments: I brought that up because, like
win9x, everything is run as "root".

With respect to the MS comments: Well, I tend to babble a lot :-)




-JP



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread Robert McArdle
NOTE: Resending this was blocked last time.

Profit-driven malware has gotten very good at using social engineering
(backed up with exploits) to spread itself. Zlob and its codecs are one
particular example that has worked very well on Windows, even by
simply getting the user to install the software willingly. The
Storm/Zhelatin/Russian Business Network group, however, are by far the
best at this. They have shown time and time again the power of simple social
engineering in order to infect victims' machines. Zlob may have been
the first for-profit malware to make the jump, but if it proves
profitable it will not be long before the others follow.

Robert McArdle
-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings


> On Nov 1, 2007 9:49 PM, Alex Eckelberry < [EMAIL PROTECTED]> wrote:
>
> >
> > > Let's not over-hype this-- while "Apple's day" has been coming, saying
> > that users will be "hit hard" on something the user has to
> > > manually download, manually execute, and explicitly grant
> > administrative privileges to is *way* over the top.
> >
> > The future of malware is going to be largely through social engineering.
> > Does that mean we ignore every threat that comes out because it requires
> > user interaction?  Seems like whistling past the graveyard to me.
> >
> > Alex
> >
> >
> >
> >
> >
> > -Original Message-
> > From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, November 01, 2007 8:15 PM
> > To: Gadi Evron; [EMAIL PROTECTED];
> > full-disclosure@lists.grok.org.uk
> > Subject: RE: mac trojan in-the-wild
> >
> > > For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> >
> > > dropped, infecting mac users.
> > > Yes, it is being done by a regular online gang--itw--it is not yet
> > > another proof of concept. The same gang infects Windows machines as
> > > well, just that now they also target macs.
> > >
> > > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-
> > > trojan.html
> > > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-
> > > pain-of.html
> > >
> > > This means one thing: Apple's day has finally come and Apple users are
> >
> > > going to get hit hard. All those unpatched vulnerabilities from years
> > > past are going to bite them in the behind.
> >
> > Let's not over-hype this-- while "Apple's day" has been coming, saying
> > that users will be "hit hard" on something the user has to manually
> > download, manually execute, and explicitly grant administrative
> > privileges to is *way* over the top.
> >
> >
> >
> > > I can sum it up in one sentence: OS X is the new Windows 98. Investing
> >
> > > in security ONLY as a last resort loses money, but everyone has to
> > > learn it for themselves.
> >
> > Not "the new Windows 98" by a long shot - saying that is just
> > irresponsible.  While Apple is not used to dealing with security in the
> > same way that other companies are, comparing OSX to Windows 98 is not
> > only a huge technical inaccuracy, but you also insult Mac users out
> > there.  OSX had "UAC-like unprivileged user controls" way before Vista
> > did - let's not try to start some holy-war on this like people have
> > tried to do with Windows vs Linux in the past.
> >
> > If you want to report this, then report it-- but say what it is, a
> > totally lame user-must-be-drunk "exploit" that requires that all manner
> > of things go wrong before it works -- otherwise people will think that
> > you've dressed up as Steve Gibson for Halloween.
> >
> > t
> >


Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread Roger A. Grimes
I included any exploit that took any end-user's interaction into the 86%
number. I included the list of exploits and what I considered a
client-side attack (versus truly remote) in the article:

http://weblog.infoworld.com/securityadviser/archives/WindowsExploitAnalysis.xls 

It's not perfect, and may even contain a few mistakes. However, I don't
think any of the mistakes would change the overall numbers much. The
exploit chart (I listed two years of vulnerabilities, not three as I
mistakenly said earlier) lists publicly disclosed Windows
vulnerabilities by CVE number and MS number (where it exists).  I did
not care about whether it was trivial to exploit or hard to exploit.
Per a report the Microsoft Security Response Center (MSRC) released
recently, exploits are trending to become less trivial to exploit, but
not incredibly so. My simple analysis was a very crude, binary analysis.
If the user had to click one thing or ten things to pull off the
exploit, I called it client-side.

I mostly agree, "If I can get you to run my malicious program, it is
always game over" and not always a "security problem", but it is the
reality a computer security professional has to manage, whether we like
it or not.  And yes, I don't consider a threat where the user
intentionally installs a malicious program and supplies their root or
administrator password a huge threat, but it is a risk we have to manage
either way.  

One way to manage some of the risk in an environment can be to not let
our users know root or admin passwords...or not to let them install any
unauthorized programs. Personally, I don't give as much value to end
user education as others do.  It works, but not nearly as well as
we wish it would.

I take all client-side threats into consideration in my security defense.
For example, if users begin installing unauthorized P2P
programs, it's part of my risk management strategy to reduce the risk
from this sort of threat, regardless of whether it is a true security
vulnerability...because it is a security threat to any environment.

Roger

*
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*


-Original Message-
From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 02, 2007 1:19 AM
To: Roger A. Grimes; [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk
Cc: Alex Eckelberry; Gadi Evron
Subject: RE: mac trojan in-the-wild

That's an interesting figure (86% that is).  Can you give us some
insight into what you define as "user interaction"?

If it is clicking a link or reading an HTML email, then OK.  If it is
opening an .exe from an email, I'd like to see what client you are
talking about and what environment (meaning, what OS/email client and
what did they have to do to get it to run).  But specifically, how many
were exploits where a user had to visit an untrusted site, download an
executable, run it, and explicitly give it administrative credentials to
run?  Not just people running as administrator, but typing in the admin
account credentials to run it as administrator as one has to do on OSX?
My guess (and I'd really like to see details on your findings) is that
most "interactive" issues are the more "trivial" interactive issues
(like clicking a link and launching a vulnerable version of IE). 

But more importantly, let's look at things from the other side.  Let's
say I'm wrong, and that Gadi is right on target with his "hit hard"
prediction and that we should be very concerned with this.  Given the
requirements here, that again being flagrant ignorance where all the
above steps are executed (including the explicit admin part)-- what
exactly are we supposed to do?  If people are willing and able to go
through the motions above what can we as security people do to prevent
it?  Far too many people in this industry are far too quick to point out
how desperate the situation is at all turns, but I don't see many people
offering real solutions.  But you know, I have to say...  If we are
really going to consider this "serious," and we are really going to
define part of our jobs as being responsible for stopping people who
have absolutely no concerns for what they do and are willing to enter
their admin credentials into any box that asks for it, then I'd say that
there is a *serious* misunderstanding about what security is, and what
can be done about it-- either that, or I'm just in the wrong business.

t



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Nick FitzGerald
Adam St. Onge wrote:

> So if i put a picture of a naked girl on a website and said to see more you
> must open a terminal and enter "rm -rf".
> Would we consider this a trojan...or just stupidity?

That would be "just stupidity", to use your terminology.

"Trojan functionality" is a feature of the code of interest.  Here 
there is no such code, just a user directly executing a (rather ill-
advised) system command.

The difference between what you describe and this new Mac trojan is 
that in the latter case the user accepts "the code of interest" as 
being "code to do something s/he wants" which turns out to also/instead 
be "code designed to do something s/he doesn't want" (there are no 
absolutely hard and fast definitions of "Trojan" in this context, so 
sorry if that seems a bit waffly, but generally "code of interest" will 
be some part of the functionality of an interpreted or executed 
program).

So, what you describe is _not_ a Trojan but _does_ involve social 
engineering.


Regards,

Nick FitzGerald

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Jay Sulzberger


On Thu, 1 Nov 2007, Paul Schmehl <[EMAIL PROTECTED]> wrote:

> --On November 1, 2007 10:14:50 PM -0400 Jay Sulzberger <[EMAIL PROTECTED]> 
> wrote:
>> 
>> On Thu, 1 Nov 2007, Paul Schmehl <[EMAIL PROTECTED]> wrote:
>> 
>>> --On November 1, 2007 6:31:39 PM -0400 "Adam St. Onge"
>>> <[EMAIL PROTECTED]> wrote:
>>> 
>>>> So if i put a picture of a naked girl on a website and said to see more
>>>> you must open a terminal and enter "rm -rf".
>>>>
>>>>
>>>> Would we consider this a trojan...or just stupidity?
>>>>
>>> I would consider it stupidity to think that that is comparable to a
>>> trojan.
>>> 
>>> Paul Schmehl ([EMAIL PROTECTED])
>> 
>> I think, under the standard Unix system of permissions, this is a
>> Trojan.  Under the standard Unix system of permissions, every
>> application running in my home directory can issue an
>> 'rm -rf /home/me' and, without proper near in time backup, cause
>> me much annoyance.  The defect lies in the system of permissions.
>> There exist systems of rolling off-machine backups and minimum
>> privilege permissions systems, but they are not yet standard.
>> 
> Perhaps you don't understand what a trojan is.  Its purpose is
> to take control of a machine to use it for purposes other than
> those to which its owner would put it and without the owners
> knowledge or permission. Destroying the machine is contrary to
> the design and purpose of a trojan.
>
> Paul Schmehl ([EMAIL PROTECTED])

If today, common usage of the word "trojan" in this context
requires that the system continue to operate without alerting the
legitimate user that the system has been compromised, then yes,
my use of the word was wrong.  But the Wikipedia article

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

suggests that the "Do 'rm -rf .' to see the pretty picture."
Trojan satisfies the definition of Trojan:


  < ... />

  In the context of computing and software, a Trojan horse, often
  rendered without capitalization or simply as trojan, is a
  software which purports to do a certain type of action, but in
  fact, performs another.

  < ... />

  Types of Trojan horse payloads

  Trojan horse payloads are almost always designed to do various
  harmful things, but can also be harmless. They are broken down in
  classification based on how they breach and damage systems. The
  nine main types of Trojan horse payloads are:

  * Remote Access.
  * Email Sending
  * Data Destruction

  < ... />



The thing I call a "Trojan", and you do not, meets the first
condition of the quote.  And it seems to me to have a payload
which commits "Data Destruction".

If I have used the word in a way tending to confusion, I
apologize to all full-disclosurists.

oo--JS.


> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Paul Schmehl
--On November 1, 2007 4:53:12 PM -1000 Peter Besenbruch <[EMAIL PROTECTED]> 
wrote:


>> There is no need to do that.  In both Macs and Gnome or KDE on Unix, if
>> you try to run rpm -i (or whatever the install paradigm is on your
>> flavor of OS), you'll be *prompted* for the root password, not asked to
>> run it as root.  Big difference, and one that many users do not
>> appreciate at all.
>
> Sadly, that doesn't seem to work on Debian. Yes, I have RPM installed.

Well, as with anything, YMMV.  The point is, this will work for some 
percentage of the population, particularly those who have recently moved 
from Windows to Linux because "it's more secure!"

>> When an internationally recognized Ph.D psychologist can lose $3 million
>> US to the 419 scam and be prepared to lose more, is it really a stretch
>> to think that a fake codec trojan will make inroads on the Mac?
>
> The question is, HAS it made inroads?

Considering it was discovered just 48 hours ago, I think it's too early to 
tell.  I fully expect to see some Macs trojaned by this.  How many is 
anybody's guess, but it's merely a matter of time before we start seeing 
them show up in botnets.

OSes might be "secure" or "insecure" but people don't change.

> From what I read, it hasn't. What are the factors limiting the spread?

The number of naive users who have Macs.

> Making inroads on the Mac would be analogous to the Nigerians tricking 
> many PhDs in psychology.

That wasn't my meaning.  In my opinion *any* trojaned Macs would be 
newsworthy simply because we haven't seen that before.

> As I implied in my last post, the spread of malware is somewhat
> proportional to the level of interaction. Even on a Mac, you have to go
> through a number of steps to install this stuff.


There are (debatable) hundreds of thousands of bots trojaned with Storm. 
As I'm sure you are aware, you get a Storm trojan by clicking on the link 
in an email and then downloading the "greeting card" that it suckers you 
into viewing.  Yes, it does take advantage of vulnerabilities in Windows 
**when those are available**, but it also takes advantage of fully patched 
machines when their owners are naive.  The same thing will happen with 
Macs or with any Unix system.


Furthermore, I think it's naive to say "you have to go through a number of 
steps to install this stuff" when you go through *exactly* the same number 
of steps to install something that someone you know recommends to you. 
For example, a friend emails you and says he/she found this fantastic 
utility that allows you to quickly determine all the running processes on 
your machine.  Curious, you click on the link, download the software and 
start the install.  Your Mac prompts you for the root password (which is 
also *your* password for most Mac users) and you type it in.  The program 
installs and you start it, eager to see what your friend is raving about.


You just completed *all* the same steps that the trojan compels you to do.

How many people do this sort of thing *every* day, without giving a 
second's thought because their friend sent the email and recommended it? 
Enough, apparently, to make it worthwhile for criminals to target Macs.


That should give a thinking person pause.  It's certainly one more thing 
that I will have to worry about at work.


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Steven Adair
> --On November 1, 2007 10:14:50 PM -0400 Jay Sulzberger <[EMAIL PROTECTED]>
> wrote:
>>
>> On Thu, 1 Nov 2007, Paul Schmehl <[EMAIL PROTECTED]> wrote:
>>
>>> --On November 1, 2007 6:31:39 PM -0400 "Adam St. Onge"
>>> <[EMAIL PROTECTED]> wrote:
>>>
>>>> So if i put a picture of a naked girl on a website and said to see
>>>> more
>>>> you must open a terminal and enter "rm -rf".
>>>>
>>>>
>>>> Would we consider this a trojan...or just stupidity?
>>>>
>>> I would consider it stupidity to think that that is comparable to a
>>> trojan.
>>>
>>> Paul Schmehl ([EMAIL PROTECTED])
>>
>> I think, under the standard Unix system of permissions, this is a
>> Trojan.  Under the standard Unix system of permissions, every
>> application running in my home directory can issue an
>> 'rm -rf /home/me' and, without proper near in time backup, cause
>> me much annoyance.  The defect lies in the system of permissions.
>> There exist systems of rolling off-machine backups and minimum
>> privilege permissions systems, but they are not yet standard.
>>
> Perhaps you don't understand what a trojan is.  Its purpose is to take
> control of a machine to use it for purposes other than those to which its
> owner would put it and without the owners knowledge or permission.
> Destroying the machine is contrary to the design and purpose of a trojan.
>

Not really.  Remember that the term trojan, as it applies to a computer
program, comes from the large horse from the trojan war.  The point of the
program is that it appears to have a use/functionality other than what
its real purpose is.  You let your guard down thinking it's something else.
It will generally also remain stealthy to a degree but what it does is up
to the designer.  Install an IRC back door, echo funky text to your
win.ini, or rm your whole file system... well that's up to the _trojan_.




> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/




Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Paul Schmehl
--On November 1, 2007 10:14:50 PM -0400 Jay Sulzberger <[EMAIL PROTECTED]> 
wrote:


> On Thu, 1 Nov 2007, Paul Schmehl <[EMAIL PROTECTED]> wrote:
>
>> --On November 1, 2007 6:31:39 PM -0400 "Adam St. Onge"
>> <[EMAIL PROTECTED]> wrote:
>>
>>> So if i put a picture of a naked girl on a website and said to see more
>>> you must open a terminal and enter "rm -rf".
>>>
>>> Would we consider this a trojan...or just stupidity?
>>>
>> I would consider it stupidity to think that that is comparable to a
>> trojan.
>>
>> Paul Schmehl ([EMAIL PROTECTED])
>
> I think, under the standard Unix system of permissions, this is a
> Trojan.  Under the standard Unix system of permissions, every
> application running in my home directory can issue an
> 'rm -rf /home/me' and, without proper near in time backup, cause
> me much annoyance.  The defect lies in the system of permissions.
> There exist systems of rolling off-machine backups and minimum
> privilege permissions systems, but they are not yet standard.

Perhaps you don't understand what a trojan is.  Its purpose is to take 
control of a machine to use it for purposes other than those to which its 
owner would put it and without the owners knowledge or permission. 
Destroying the machine is contrary to the design and purpose of a trojan.


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Peter Besenbruch
On Thursday 01 November 2007 16:13:10 Paul Schmehl wrote:
> --On November 1, 2007 3:36:00 PM -1000 Peter Besenbruch <[EMAIL PROTECTED]>
>
> wrote:
> > Firefox throws up a download dialog, asking what I should do
> > with "prettyyoungthing.rpm," while a Javascript pop-up explains that to
> > see  these great images, I need to save the file, and type "rpm -i
> > prettyyoungthing.rpm," and that I need to do it as root.
>
> There is no need to do that.  In both Macs and Gnome or KDE on Unix, if
> you try to run rpm -i (or whatever the install paradigm is on your flavor
> of OS), you'll be *prompted* for the root password, not asked to run it as
> root.  Big difference, and one that many users do not appreciate at all.

Sadly, that doesn't seem to work on Debian. Yes, I have RPM installed.

> When an internationally recognized Ph.D psychologist can lose $3 million
> US to the 419 scam and be prepared to lose more, is it really a stretch to
> think that a fake codec trojan will make inroads on the Mac?

The question is, HAS it made inroads? From what I read, it hasn't. What are 
the factors limiting the spread? Making inroads on the Mac would be analogous 
to the Nigerians tricking many PhDs in psychology.

As I implied in my last post, the spread of malware is somewhat proportional 
to the level of interaction. Even on a Mac, you have to go through a number 
of steps to install this stuff.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Jay Sulzberger


On Thu, 1 Nov 2007, Thor (Hammer of God) <[EMAIL PROTECTED]> wrote:

> That's an interesting figure (86% that is).  Can you give us some
> insight into what you define as "user interaction"?
>
> If it is clicking a link or reading an HTML email, then OK.  If it is
> opening an .exe from an email, I'd like to see what client you are
> talking about and what environment (meaning, what OS/email client and
> what did they have to do to get it to run).  But specifically, how many
> were exploits where a user had to visit an untrusted site, download an
> executable, run it, and explicitly give it administrative credentials to
> run?  Not just people running as administrator, but typing in the admin
> account credentials to run it as administrator as one has to do on OSX?
> My guess (and I'd really like to see details on your findings) is that
> most "interactive" issues are the more "trivial" interactive issues
> (like clicking a link and launching a vulnerable version of IE).
>
> But more importantly, let's look at things from the other side.  Let's
> say I'm wrong, and that Gadi is right on target with his "hit hard"
> prediction and that we should be very concerned with this.  Given the
> requirements here, that again being flagrant ignorance where all the
> above steps are executed (including the explicit admin part)-- what
> exactly are we supposed to do?  If people are willing and able to go
> through the motions above what can we as security people do to prevent
> it?  Far too many people in this industry are far too quick to point out
> how desperate the situation is at all turns, but I don't see many people
> offering real solutions.  But you know, I have to say...  If we are
> really going to consider this "serious," and we are really going to
> define part of our jobs as being responsible for stopping people who
> have absolutely no concerns for what they do and are willing to enter
> their admin credentials into any box that asks for it, then I'd say that
> there is a *serious* misunderstanding about what security is, and what
> can be done about it-- either that, or I'm just in the wrong business.
>
> t

Put in a better system of permissions.  Use rolling backup.  Have
independent system activity watchers.  These measures are just
the first moves.

Unix was not designed to be resistant to one million hostile
actions per day by thousands of unknown attacking entities.  But
if you run standard Unix and you have a Net connection, that is
what your Unix instance is exposed to.

oo--JS.

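Jay's reply above names three measures in one line: a better permission system, rolling backup, and independent activity watchers. The following is an added illustration of the second and third, not code from this thread or from any project mentioned in it. It takes inventories of a directory tree, diffs them, keeps a rolling copy, and flags a burst of deletions of the kind an `rm -rf ~` issued by an untrusted helper would produce. The function names, the detection thresholds (`ratio`, `minimum`) and the constructed directory layout in `demo()` are all assumptions made for the example.

```python
"""Snapshot-based activity watcher for a user's home tree.

Added example for the Full-Disclosure thread (not the list's or any
project's code).  It demonstrates the "independent activity watcher"
and "near in time backup" ideas: periodic inventories of a tree are
diffed, and a burst of deletions raises an alert while a rolling copy
remains available for restore.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass


def snapshot(root):
    """Inventory every regular file under root: relative path -> (size, mtime)."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except FileNotFoundError:
                continue  # file vanished between listing and stat
            inventory[os.path.relpath(full, root)] = (st.st_size, st.st_mtime)
    return inventory


@dataclass
class Delta:
    deleted: list
    added: list
    modified: list


def diff(old, new):
    """Compare two inventories and report what was removed, created or changed."""
    deleted = sorted(p for p in old if p not in new)
    added = sorted(p for p in new if p not in old)
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return Delta(deleted, added, modified)


def mass_deletion(old, new, ratio=0.5, minimum=10):
    """True when at least `minimum` files and at least `ratio` of the tree vanished.

    Both thresholds are assumed tuning values; a real deployment would pick
    them per host so that normal housekeeping does not trip the alarm.
    """
    if len(old) < minimum:
        return False
    gone = len(diff(old, new).deleted)
    return gone >= minimum and gone / len(old) >= ratio


def demo():
    """Build a constructed home tree, wipe most of it, and return what the watcher saw.

    Returns (files_before, files_after, alarm_fired, files_restorable_from_backup).
    """
    home = tempfile.mkdtemp(prefix="watched-home-")
    try:
        # constructed sample layout: 15 documents and 5 photos
        for i in range(20):
            sub = os.path.join(home, "docs" if i < 15 else "photos")
            os.makedirs(sub, exist_ok=True)
            with open(os.path.join(sub, f"file{i}.txt"), "w") as fh:
                fh.write("constructed sample content\n")
        before = snapshot(home)
        # rolling copy taken at snapshot time: the "near in time backup"
        backup = tempfile.mkdtemp(prefix="rolling-backup-")
        shutil.copytree(home, os.path.join(backup, "snap1"))
        shutil.rmtree(os.path.join(home, "docs"))   # stands in for the destructive action
        after = snapshot(home)
        fired = mass_deletion(before, after)
        restorable = len(snapshot(os.path.join(backup, "snap1")))
        shutil.rmtree(backup)
        return len(before), len(after), fired, restorable
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    print(demo())
```

Running the file prints `(20, 5, True, 20)`: twenty files inventoried, five left after the wipe, the alarm raised because fifteen of twenty disappeared, and all twenty still present in the rolling copy. The watcher deliberately runs as a separate process reading its own inventory rather than trusting the application that did the deleting, which is the point of calling it independent.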


Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Thor (Hammer of God)
That's an interesting figure (86% that is).  Can you give us some
insight into what you define as "user interaction"?

If it is clicking a link or reading an HTML email, then OK.  If it is
opening an .exe from an email, I'd like to see what client you are
talking about and what environment (meaning, what OS/email client and
what did they have to do to get it to run).  But specifically, how many
were exploits where a user had to visit an untrusted site, download an
executable, run it, and explicitly give it administrative credentials to
run?  Not just people running as administrator, but typing in the admin
account credentials to run it as administrator as one has to do on OSX?
My guess (and I'd really like to see details on your findings) is that
most "interactive" issues are the more "trivial" interactive issues
(like clicking a link and launching a vulnerable version of IE). 

But more importantly, let's look at things from the other side.  Let's
say I'm wrong, and that Gadi is right on target with his "hit hard"
prediction and that we should be very concerned with this.  Given the
requirements here, that again being flagrant ignorance where all the
above steps are executed (including the explicit admin part)-- what
exactly are we supposed to do?  If people are willing and able to go
through the motions above what can we as security people do to prevent
it?  Far too many people in this industry are far too quick to point out
how desperate the situation is at all turns, but I don't see many people
offering real solutions.  But you know, I have to say...  If we are
really going to consider this "serious," and we are really going to
define part of our jobs as being responsible for stopping people who
have absolutely no concerns for what they do and are willing to enter
their admin credentials into any box that asks for it, then I'd say that
there is a *serious* misunderstanding about what security is, and what
can be done about it-- either that, or I'm just in the wrong business.

t


> -Original Message-
> From: Roger A. Grimes [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 01, 2007 5:37 PM
> To: Alex Eckelberry; Thor (Hammer of God); Gadi Evron;
> [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
> Subject: RE: mac trojan in-the-wild
> 
> Actually, on that same note, I recently did an analysis of the last
> three years of published Windows vulnerabilities.
> 
> 86% required local end-user interaction (i.e. social engineering) to be
> pulled off.
> http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider-threats_1.html
> 
> I didn't analyze Linux or BSD threats, but my gut feeling puts them at
> the same level or even higher.
> 
> With 86% or more of the past threats requiring social engineering to
> pull off, we can safely say the "future" you state below is here now.
> 
> Now, what is interesting is that any exploit requiring social
> engineering to work has so far been less of a problem than the vast
> majority of "remote buffer overflow" exploits like the Blaster and SQL
> worms.  Social engineering-required malware still works, and works well,
> but not with the same success of remote buffer overflow malware. There
> is very little we in the security space can point to as a success...but
> the overall decrease in remote buffer overflows is one. Unfortunately,
> the social engineering malware is getting better day-by-day. We can no
> longer count on mispellings (sic) and bad grammar to be malware
> indicators. Our users, regardless of the OS, are ready as ever to click
> on interesting content, malicious or not. We've got to design our
> defenses to pay more attention to client-side attacks, but it is the
> weak point now, not in the future.
> 
> Roger
> 
> *
> *Roger A. Grimes, InfoWorld, Security Columnist
> *CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
> *email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
> *Author of Windows Vista Security: Securing Vista Against Malicious
> Attacks (Wiley)
> *http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
> *
> 
> 
> -Original Message-
> From: Alex Eckelberry [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 01, 2007 5:49 PM
> To: Thor (Hammer of God); Gadi Evron; [EMAIL PROTECTED];
> full-disclosure@lists.grok.org.uk
> Subject: RE: mac trojan in-the-wild
> 
> The future of malware is going to be largely through social
> engineering.
> Does that mean we ignore every threat that comes out because it
> requires
> user interaction?  Seems like whistling past the graveyard to me.
> 
> Alex



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Jay Sulzberger


On Thu, 1 Nov 2007, Paul Schmehl <[EMAIL PROTECTED]> wrote:

> --On November 1, 2007 6:31:39 PM -0400 "Adam St. Onge" 
> <[EMAIL PROTECTED]> wrote:
>
>> So if i put a picture of a naked girl on a website and said to see more
>> you must open a terminal and enter "rm -rf".
>> 
>> 
>> Would we consider this a trojan...or just stupidity?
>> 
> I would consider it stupidity to think that that is comparable to a trojan.
>
> Paul Schmehl ([EMAIL PROTECTED])

I think, under the standard Unix system of permissions, this is a
Trojan.  Under the standard Unix system of permissions, every
application running in my home directory can issue an
'rm -rf /home/me' and, without proper near in time backup, cause
me much annoyance.  The defect lies in the system of permissions.
There exist systems of rolling off-machine backups and minimum
privilege permissions systems, but they are not yet standard.

oo--JS.


> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Paul Schmehl
--On November 1, 2007 3:36:00 PM -1000 Peter Besenbruch <[EMAIL PROTECTED]> 
wrote:


> Firefox throws up a download dialog, asking what I should do
> with "prettyyoungthing.rpm," while a Javascript pop-up explains that to
> see these great images, I need to save the file, and type "rpm -i
> prettyyoungthing.rpm," and that I need to do it as root.


There is no need to do that.  In both Macs and Gnome or KDE on Unix, if 
you try to run rpm -i (or whatever the install paradigm is on your flavor 
of OS), you'll be *prompted* for the root password, not asked to run it as 
root.  Big difference, and one that many users do not appreciate at all.


The direction computing is heading is toward ease of use and obscuration 
of details.  Given that, and the human tendency to act without thinking, 
socially engineered exploits will continue to enjoy success.  No, they 
won't be as successful as self-propagating code that takes advantage of 
flaws in OSes and applications, but ask the Storm bot creators if social 
engineering can successfully build a botnet of several hundred thousand 
machines.


When an internationally recognized Ph.D psychologist can lose $3 million 
US to the 419 scam and be prepared to lose more, is it really a stretch to 
think that a fake codec trojan will make inroads on the Mac?


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Jay Sulzberger


On Thu, 1 Nov 2007, Adam St. Onge <[EMAIL PROTECTED]> wrote:

> So if i put a picture of a naked girl on a website and said to see more you
> must open a terminal and enter "rm -rf".
> Would we consider this a trojan...or just stupidity?

Yes, a Trojan.  Yes, stupidity on the part of the designer of the
home system.  There should be no way to destroy so much user data
by the user just typing six characters into a terminal window.

oo--JS.


>
> On 11/1/07, Alex Eckelberry <[EMAIL PROTECTED]> wrote:
>>
>>> Let's not over-hype this-- while "Apple's day" has been coming, saying
>> that users will be "hit hard" on something the user has to
>>> manually download, manually execute, and explicitly grant
>> administrative privileges to is *way* over the top.
>>
>> The future of malware is going to be largely through social engineering.
>> Does that mean we ignore every threat that comes out because it requires
>> user interaction?  Seems like whistling past the graveyard to me.
>>
>> Alex
>>
>>
>> -Original Message-
>> From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, November 01, 2007 8:15 PM
>> To: Gadi Evron; [EMAIL PROTECTED];
>> full-disclosure@lists.grok.org.uk
>> Subject: RE: mac trojan in-the-wild
>>
>>> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
>>
>>> dropped, infecting mac users.
>>> Yes, it is being done by a regular online gang--itw--it is not yet
>>> another proof of concept. The same gang infects Windows machines as
>>> well, just that now they also target macs.
>>>
>>> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
>>> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>>>
>>> This means one thing: Apple's day has finally come and Apple users are
>>
>>> going to get hit hard. All those unpatched vulnerabilities from years
>>> past are going to bite them in the behind.
>>
>> Let's not over-hype this-- while "Apple's day" has been coming, saying
>> that users will be "hit hard" on something the user has to manually
>> download, manually execute, and explicitly grant administrative
>> privileges to is *way* over the top.
>>
>>
>>
>>> I can sum it up in one sentence: OS X is the new Windows 98. Investing
>>
>>> in security ONLY as a last resort losses money, but everyone has to
>>> learn it for themselves.
>>
>> Not "the new Windows 98" by a long shot - saying that is just
>> irresponsible.  While Apple is not used to dealing with security in the
>> same way that other companies are, comparing OSX to Windows 98 is not
>> only a huge technical inaccuracy, but you also insult MAC users out
>> there.  OSX had "UAC-like unprivileged user controls" way before Vista
>> did - let's not try to start some holy-war on this like people have
>> tried to do with Windows vs Linux in the past.
>>
>> If you want to report this, then report it-- but say what it is, a
>> totally lame user-must-be-drunk "exploit" that requires that all manner
>> of things go wrong before it works -- otherwise people will think that
>> you've dressed up as Steve Gibson for Halloween.
>>
>> t
>>
>



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Paul Schmehl
--On November 1, 2007 6:31:39 PM -0400 "Adam St. Onge" 
<[EMAIL PROTECTED]> wrote:



> So if i put a picture of a naked girl on a website and said to see more
> you must open a terminal and enter "rm -rf".
>
> Would we consider this a trojan...or just stupidity?


I would consider it stupidity to think that that is comparable to a trojan.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Peter Besenbruch
On Thursday 01 November 2007 11:49:09 Alex Eckelberry wrote:

> The future of malware is going to be largely through social engineering.
> Does that mean we ignore every threat that comes out because it requires
> user interaction?  Seems like whistling past the graveyard to me.

Alex, no-one is saying we should ignore it. I would say we downgrade the level 
of threat if it requires user interaction. If it requires a lot of 
interaction to launch the threat, we downgrade it some more.

Apple is faced with a significant design flaw in OS-X: You can have trusted 
file types auto-execute when downloaded in Safari. This is an old problem, 
partially mitigated by Apple in later versions of the OS. This has been 
coupled with the ancient scam of the fake CODEC.

The one unique aspect of this attack is the target, Apple users. I suppose 
Linux users are next. When they get targeted, I will be ready. I don't 
typically browse porn sites, so I see a greater danger in targeted attacks 
from third party advertisers. Of course, these tend to target drive by 
download flaws in Windows, but I'll be ready. I suppose, though, that other 
Linux users browse porn. I can see it now...

Firefox throws up a download dialog, asking what I should do 
with "prettyyoungthing.rpm," while a Javascript pop-up explains that to see 
these great images, I need to save the file, and type "rpm -i 
prettyyoungthing.rpm," and that I need to do it as root. If running Suse or 
Mandriva, this may not work. If I run Debian or Ubuntu, I should 
run "alien -dci prettyyoungthing.rpm" as root. If this doesn't quite work, 
please find a Deb file with "prettyyoungthing" in its name, using "find 
prettyyoungthing*.deb" and issue the command "dpkg -i prettyyoungthing*.deb". 
Regardless of installation method, please have the following dependencies 
installed...

Oh yes, I'll be ready.
-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Gadi Evron
On Thu, 1 Nov 2007, Jim Harrison wrote:
> While Apple-oriented threats may not get either the validation or the 
> publicity (on hardly equals the other) that Windows attacks do, it's hardly 
> accurate (much less fair) to make those comparisons.
> For all those comparative points, my Kaypro-4 running ZCPR is more secure 
> than any Apple OS.
>

The comparison is of the Microsoft eco-system in the security realm when 
Windows 98 was out. Whether by lack of visibility, unpatched exploits or 
organized criminal interest.

That is the significant part.

Gadi.



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Jim Harrison
Heh-heh; he said "Steve Gibson"; heh-heh-heh

Seriously; Tim is right.
While Apple-oriented threats may not get either the validation or the publicity 
(on hardly equals the other) that Windows attacks do, it's hardly accurate 
(much less fair) to make those comparisons.
For all those comparative points, my Kaypro-4 running ZCPR is more secure than 
any Apple OS.

Jim

-Original Message-
From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 01, 2007 5:15 PM
To: Gadi Evron; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: RE: mac trojan in-the-wild

> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet
> another
> proof of concept. The same gang infects Windows machines as well, just
> that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-
> trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-
> pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years
> past
> are going to bite them in the behind.

Let's not over-hype this-- while "Apple's day" has been coming, saying
that users will be "hit hard" on something the user has to manually
download, manually execute, and explicitly grant administrative
privileges to is *way* over the top.



> I can sum it up in one sentence: OS X is the new Windows 98. Investing
> in security ONLY as a last resort loses money, but everyone has to learn
> it for themselves.

Not "the new Windows 98" by a long shot - saying that is just
irresponsible.  While Apple is not used to dealing with security in the
same way that other companies are, comparing OSX to Windows 98 is not
only a huge technical inaccuracy, but you also insult Mac users out
there.  OSX had "UAC-like unprivileged user controls" way before Vista
did - let's not try to start some holy-war on this like people have
tried to do with Windows vs Linux in the past.

If you want to report this, then report it-- but say what it is, a
totally lame user-must-be-drunk "exploit" that requires that all manner
of things go wrong before it works -- otherwise people will think that
you've dressed up as Steve Gibson for Halloween.

t



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Roger A. Grimes
Actually, on that same note, I recently did an analysis of the last
three years of published Windows vulnerabilities.

86% required local end-user interaction (i.e. social engineering) to be
pulled off.
http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider-threats_
1.html

I didn't analyze Linux or BSD threats, but my gut feeling puts them at
the same level or even higher.

With 86% or more of the past threats requiring social engineering to
pull off, we can safely say the "future" you state below is here now.

Now, what is interesting is that any exploit requiring social
engineering to work has so far been less of a problem than the vast
majority of "remote buffer overflow" exploits like the Blaster and SQL
worms.  Social engineering-required malware still works, and works well,
but not with the same success of remote buffer overflow malware. There
is very little we in the security space can point to as a success...but
the overall decrease in remote buffer overflows is one.  Unfortunately,
the social engineering malware is getting better day-by-day. We can no
longer count on mispellings (sic) and bad grammar to be malware
indicators. Our users, regardless of the OS, are ready as ever to click
on interesting content, malicious or not. We've got to design our
defenses to pay more attention to client-side attacks, but it is the
weak point now, not in the future.

Roger

*
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*


-Original Message-
From: Alex Eckelberry [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 01, 2007 5:49 PM
To: Thor (Hammer of God); Gadi Evron; [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk
Subject: RE: mac trojan in-the-wild

The future of malware is going to be largely through social engineering.
Does that mean we ignore every threat that comes out because it requires
user interaction?  Seems like whistling past the graveyard to me. 

Alex



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Adam St. Onge
So if I put a picture of a naked girl on a website and said that to see more you
must open a terminal and enter "rm -rf", would we consider this a trojan... or
just stupidity?

On 11/1/07, Alex Eckelberry <[EMAIL PROTECTED]> wrote:
>
> > Let's not over-hype this-- while "Apple's day" has been coming, saying
> > that users will be "hit hard" on something the user has to
> > manually download, manually execute, and explicitly grant
> > administrative privileges to is *way* over the top.
>
> The future of malware is going to be largely through social engineering.
> Does that mean we ignore every threat that comes out because it requires
> user interaction?  Seems like whistling past the graveyard to me.
>
> Alex
>
>
> -Original Message-
> From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 01, 2007 8:15 PM
> To: Gadi Evron; [EMAIL PROTECTED];
> full-disclosure@lists.grok.org.uk
> Subject: RE: mac trojan in-the-wild
>
> > For whoever didn't hear, there is a Macintosh trojan in-the-wild being
>
> > dropped, infecting mac users.
> > Yes, it is being done by a regular online gang--itw--it is not yet
> > another proof of concept. The same gang infects Windows machines as
> > well, just that now they also target macs.
> >
> > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-
> > trojan.html
> > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-
> > pain-of.html
> >
> > This means one thing: Apple's day has finally come and Apple users are
>
> > going to get hit hard. All those unpatched vulnerabilities from years
> > past are going to bite them in the behind.
>
> Let's not over-hype this-- while "Apple's day" has been coming, saying
> that users will be "hit hard" on something the user has to manually
> download, manually execute, and explicitly grant administrative
> privileges to is *way* over the top.
>
>
>
> > I can sum it up in one sentence: OS X is the new Windows 98. Investing
> > in security ONLY as a last resort loses money, but everyone has to
> > learn it for themselves.
>
> Not "the new Windows 98" by a long shot - saying that is just
> irresponsible.  While Apple is not used to dealing with security in the
> same way that other companies are, comparing OSX to Windows 98 is not
> only a huge technical inaccuracy, but you also insult Mac users out
> there.  OSX had "UAC-like unprivileged user controls" way before Vista
> did - let's not try to start some holy-war on this like people have
> tried to do with Windows vs Linux in the past.
>
> If you want to report this, then report it-- but say what it is, a
> totally lame user-must-be-drunk "exploit" that requires that all manner
> of things go wrong before it works -- otherwise people will think that
> you've dressed up as Steve Gibson for Halloween.
>
> t
>

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Alex Eckelberry
> Let's not over-hype this-- while "Apple's day" has been coming, saying
> that users will be "hit hard" on something the user has to
> manually download, manually execute, and explicitly grant
> administrative privileges to is *way* over the top.

The future of malware is going to be largely through social engineering.
Does that mean we ignore every threat that comes out because it requires
user interaction?  Seems like whistling past the graveyard to me. 

Alex


-Original Message-
From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 01, 2007 8:15 PM
To: Gadi Evron; [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk
Subject: RE: mac trojan in-the-wild

> For whoever didn't hear, there is a Macintosh trojan in-the-wild being

> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet 
> another proof of concept. The same gang infects Windows machines as 
> well, just that now they also target macs.
> 
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-
> trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-
> pain-of.html
> 
> This means one thing: Apple's day has finally come and Apple users are

> going to get hit hard. All those unpatched vulnerabilities from years 
> past are going to bite them in the behind.

Let's not over-hype this-- while "Apple's day" has been coming, saying
that users will be "hit hard" on something the user has to manually
download, manually execute, and explicitly grant administrative
privileges to is *way* over the top.



> I can sum it up in one sentence: OS X is the new Windows 98. Investing
> in security ONLY as a last resort loses money, but everyone has to
> learn it for themselves.

Not "the new Windows 98" by a long shot - saying that is just
irresponsible.  While Apple is not used to dealing with security in the
same way that other companies are, comparing OSX to Windows 98 is not
only a huge technical inaccuracy, but you also insult Mac users out
there.  OSX had "UAC-like unprivileged user controls" way before Vista
did - let's not try to start some holy-war on this like people have
tried to do with Windows vs Linux in the past.

If you want to report this, then report it-- but say what it is, a
totally lame user-must-be-drunk "exploit" that requires that all manner
of things go wrong before it works -- otherwise people will think that
you've dressed up as Steve Gibson for Halloween.

t



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread worried security
On 10/31/07, Gadi Evron <[EMAIL PROTECTED]> wrote:
>
> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet another
> proof of concept. The same gang infects Windows machines as well, just
> that now they also target macs.


Gadi you tit, haven't you got better things to do? I'm waiting for you to
come out on a night out with me and njan in Glasgow or Edinburgh you light
weight.

Get your priorities in check you dick and sort out a meeting time, my MI5
links shouldn't deter you since Glasgow and Edinburgh don't have a terror
threat.

In the meantime, haven't you got a name for this "gang"? It's very
unprofessional of you!!!

Btw Gadi, if you're coming to Scotland in the next few days by train watch
out!!!

You'll be arrested before you get off the train you fat fuck...
http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/7072882.stm

All the terrorists are scared to come to Scotland because it's where n3td3v
hangs out and they know if they come near me they get their cunts kicked in.

Happy days.

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Peter Besenbruch
On Wednesday 31 October 2007 13:21:00 Gadi Evron wrote:
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years past
> are going to bite them in the behind.
>
> I can sum it up in one sentence: OS X is the new Windows 98.

Windows 98 has no way to isolate administrative functions. Everyone has full 
access to all aspects of the operating system. I should know, I still use it 
for certain functions. Windows 98 may benefit from security by obscurity, but 
I would still hesitate to take it out onto the big, bad Internet.

The Mac OS is far better designed, but the option automatically to execute 
trusted file formats on download should never have been put there. Other 
things I wish Apple would do better: Have their security updates approach the 
speed achieved in many Linux distributions. Share a bit more, heck, have them 
share anything at all when it comes to serious, reported vulnerabilities. 
Finally, from a security perspective, they should banish Quicktime.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
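As an added example (not part of Peter's post, and not an Apple tool), here is a small POSIX shell script to audit, and with `--fix` switch off, the Safari "open safe files after downloading" option he objects to above. It assumes a macOS host with the `defaults` command, that the checkbox is backed by the `AutoOpenSafeDownloads` key in the `com.apple.Safari` preference domain, and (an assumption, stated in the code) that an absent key means the option is still at its shipped, enabled default.

```sh
#!/bin/sh
# Added example, not from the thread: audit Safari's "Open 'safe' files after
# downloading" option and optionally switch it off.
# Assumptions: macOS with the `defaults` tool, and that the checkbox is backed
# by the AutoOpenSafeDownloads key in the com.apple.Safari preference domain.

# Turn the raw value printed by `defaults read` into a verdict.
# Assumption: an absent key (empty string) means Safari is still on its
# shipped default, which is "enabled".
autoopen_verdict() {
    case "$1" in
        0|false|NO|no)     echo "disabled" ;;
        1|true|YES|yes|"") echo "enabled" ;;
        *)                 echo "unknown" ;;
    esac
}

# Exit status convention for the audit: 0 = safe, 1 = risky, 2 = could not tell.
verdict_status() {
    case "$1" in
        disabled) return 0 ;;
        enabled)  return 1 ;;
        *)        return 2 ;;
    esac
}

main() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "no 'defaults' tool here; this check only runs on macOS" >&2
        return 2
    fi
    # `defaults read` exits non-zero when the key is absent; treat that as empty.
    raw=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    verdict=$(autoopen_verdict "$raw")
    echo "AutoOpenSafeDownloads: ${raw:-<unset>} -> $verdict"
    if [ "$verdict" != "disabled" ] && [ "${1:-}" = "--fix" ]; then
        # Written for the current user only; Safari reads it on next launch.
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
        echo "set AutoOpenSafeDownloads=false; restart Safari"
        return 0
    fi
    verdict_status "$verdict"
}

# Only run the audit when asked, so the functions can also be sourced.
case "${1:-}" in
    --check|--fix) main "$@" ;;
esac
```

Run it as `sh safari_autoopen.sh --check` (exit 1 means the box is still ticked) or `--fix` to turn it off; an MDM or login script can do the same write for every account.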



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread nnp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not sure if you accidentally quoted my reply or not there, because
if you did you're completely missing my point. My issue is with the
format and content (or lack thereof) of the first post, I don't think
I mentioned the iPhone, *BSD, MS or at any stage said anything at all
that would indicate I was taking any side in the 'which OS sucks more
balls than any other' debate.

Again, my issue is with the hyperbole, FUD and complete lack of use of
the initial post when posted to the type of lists that FD and Bugtraq
are supposed to be. It rings of the kind of thing you see in bold
letters and quotation marks beside some stupid tech magazine's analysis
of an issue they know little about.

- --nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHKsBCbP10WPHfgnQRAsrZAKCj4LxCQ6y7qZpKVno14kJGzsk5XQCgxQ3V
P9nPWcDpgbKfSdky+3TNhbw=
=3K5G
-----END PGP SIGNATURE-----

On 11/1/07, Dude VanWinkle <[EMAIL PROTECTED]> wrote:
> On 11/1/07, nnp <[EMAIL PROTECTED]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > There's a difference between ignoring something and making a statement like
> >
> > 'OS X is the new Windows 98.'
>
> OK How about "iPhone is the new Win9x"? It is running a type of OSX,
> one that is configured to use root for everything.
>
> I repeatedly hear that OSX is secure because BSD is a well picked-through
> OS. Developers have had 30 some odd years to work out the
> bugs/vulns. What people are not taking into consideration is that if
> you install a single insecure app (i.e. IE for Mac or Safari) and
> then use it to update your myspace profile and browse pr0n; you have
> to take additional preventative measures or you will no longer have a
> secure system.
>
> This will be compounded by the fact that most corporations don't see a
> need to shell out the bucks for AV/AS for Macs. AV/AS by itself is not
> a great defense, but at least it's something.
>
> Anyhoo, to reiterate: OSX !BSD. Windows had a hell of a time securing
> its OS in part due to all the bells and whistles and also in part
> because they would release an insecure product with the semi-intention
> of patching later. The iPhone's configuration proves that Apple will
> release products that do not conform to well known security best
> practices as well (the least of which is don't run everything as
> root). This makes me think that Apple is 1990's-M$-like in its pursuit
> of functionality over security .
>
> BTW: Did anyone test out whether the Mac AV/AS products detected this trojan?
>
> -JP
>


-- 
http://www.smashthestack.org
http://www.unprotectedhex.com



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Dude VanWinkle
On 11/1/07, nnp <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> There's a difference between ignoring something and making a statement like
>
> 'OS X is the new Windows 98.'

OK How about "iPhone is the new Win9x"? It is running a type of OSX,
one that is configured to use root for everything.

I repeatedly hear that OSX is secure because BSD is a well picked-through
OS. Developers have had 30 some odd years to work out the
bugs/vulns. What people are not taking into consideration is that if
you install a single insecure app (i.e. IE for Mac or Safari) and
then use it to update your myspace profile and browse pr0n; you have
to take additional preventative measures or you will no longer have a
secure system.

This will be compounded by the fact that most corporations don't see a
need to shell out the bucks for AV/AS for Macs. AV/AS by itself is not
a great defense, but at least it's something.

Anyhoo, to reiterate: OSX !BSD. Windows had a hell of a time securing
its OS in part due to all the bells and whistles and also in part
because they would release an insecure product with the semi-intention
of patching later. The iPhone's configuration proves that Apple will
release products that do not conform to well known security best
practices as well (the least of which is don't run everything as
root). This makes me think that Apple is 1990's-M$-like in its pursuit
of functionality over security .

BTW: Did anyone test out whether the Mac AV/AS products detected this trojan?

-JP



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Nick FitzGerald
reepex to me:

> > Yes, today, the average level of clue among Mac users is probably a
> > shade higher than amongst Windows users,
> 
>   Is this a joke? The reason people switch to macs is because they cannot
> handle simple tasks. Isn't the main thing said by new mac users 'it just
> works', meaning 'I couldn't figure out windows'? The main users of macs are
> liberal arts students and hippies .. and we all know the technical level of
> these people.

No, it's not a joke.

First, a lot of very clueful security folk, CompSci academics and so on 
will "only" (or, at least, "only for my real work") use Macs.  They may 
well just be heavy-duty-security-clueful enough to drag the average 
graphic artist, liberal arts, etc level above the Windows waterline.

Second, in fact, I don't even care if it is badly wrong.

I'm happy to concede to the Mac fanboyz that their buddies may, in 
fact, have a slight edge in the security clue arena _across the whole 
population of Mac users_.  I will quickly point out things just like 
what you said if they seriously try to claim they have a significant 
edge, but my point still holds up allowing them what they perceive as 
the "but we're smarter" high-ground.  The point is, as I thought I was 
making clear, even if it's true it doesn't actually help them because 
we are still talking about two seriously overlapping _population 
distributions_ (but if they continue to insist it does, all they do is 
show their "debate" is driven by ideology rather than facts and 
logic...).

You've just seen the redoubtable Dr Neal K messing this up big time, so 
even the seriously security clueful are not necessarily on top of this.


Regards,

Nick FitzGerald



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread nnp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There's a difference between ignoring something and making a statement like

'OS X is the new Windows 98.'

It's sensationalist and of no use, especially when posted to lists that
are supposedly populated with security experts. Everyone here is aware
of the consequences of malware and the manipulation of end users to
spread it. Of course it's interesting that a criminal group has taken
to spreading this, but hyping up the consequences of it does nobody any
good and is just spreading FUD. To me it seems like the original
poster is trying to get a quote in some tech/security/computer
magazine.

No one is suggesting that the propagation of this malware among
Macs isn't a threat and that its supposed mass spreading by a criminal
group is of course a cause for worry. What we have an issue with is
the manner in which it is reported and the hyperbole that is becoming
more and more prevalent among security experts seeking to promote
themselves and their companies.

A useful post on this matter would be one that includes an analysis of
the malware itself, perhaps some statistics on its prevalence etc. i.e
hard facts

Some people would do well to remember that we are supposedly engineers
and scientists, not journalists and fiction writers.

- --nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHKrQ9bP10WPHfgnQRArr1AKDOCfTdsrq6X7HtkG7qTfmaqVoGpwCcDmtp
HvyAAKhouMDUKBe0VHAabMM=
=GzY/
-----END PGP SIGNATURE-----

On 11/1/07, Alex Eckelberry <[EMAIL PROTECTED]> wrote:
> > Let's not over-hype this-- while "Apple's day" has been coming, saying
> > that users will be "hit hard" on something the user has to
> > manually download, manually execute, and explicitly grant
> > administrative privileges to is *way* over the top.
>
> The future of malware is going to be largely through social engineering.
> Does that mean we ignore every threat that comes out because it requires
> user interaction?  Seems like whistling past the graveyard to me.
>
> Alex
>
>
> -Original Message-
> From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 01, 2007 8:15 PM
> To: Gadi Evron; [EMAIL PROTECTED];
> full-disclosure@lists.grok.org.uk
> Subject: RE: mac trojan in-the-wild
>
> > For whoever didn't hear, there is a Macintosh trojan in-the-wild being
>
> > dropped, infecting mac users.
> > Yes, it is being done by a regular online gang--itw--it is not yet
> > another proof of concept. The same gang infects Windows machines as
> > well, just that now they also target macs.
> >
> > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-
> > trojan.html
> > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-
> > pain-of.html
> >
> > This means one thing: Apple's day has finally come and Apple users are
>
> > going to get hit hard. All those unpatched vulnerabilities from years
> > past are going to bite them in the behind.
>
> Let's not over-hype this-- while "Apple's day" has been coming, saying
> that users will be "hit hard" on something the user has to manually
> download, manually execute, and explicitly grant administrative
> privileges to is *way* over the top.
>
>
>
> > I can sum it up in one sentence: OS X is the new Windows 98. Investing
> > in security ONLY as a last resort loses money, but everyone has to
> > learn it for themselves.
>
> Not "the new Windows 98" by a long shot - saying that is just
> irresponsible.  While Apple is not used to dealing with security in the
> same way that other companies are, comparing OSX to Windows 98 is not
> only a huge technical inaccuracy, but you also insult Mac users out
> there.  OSX had "UAC-like unprivileged user controls" way before Vista
> did - let's not try to start some holy-war on this like people have
> tried to do with Windows vs Linux in the past.
>
> If you want to report this, then report it-- but say what it is, a
> totally lame user-must-be-drunk "exploit" that requires that all manner
> of things go wrong before it works -- otherwise people will think that
> you've dressed up as Steve Gibson for Halloween.
>
> t
>


-- 
http://www.smashthestack.org
http://www.unprotectedhex.com



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread reepex
I will take that pepsi challenge... what is at stake ;)


On Nov 1, 2007 4:50 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:

> --On Thursday, November 01, 2007 16:42:51 -0500 reepex <[EMAIL PROTECTED]>
> wrote:
>
> > On Nov 1, 2007 4:34 PM, Nick FitzGerald <[EMAIL PROTECTED]>
> wrote:
> >
> >
> > Yes, today, the average level of clue among Mac users is probably a
> > shade higher than amongst Windows users,
> >
> >
> >
> >   Is this a joke? The reason people switch to macs is because they
> > cannot handle simple tasks. Isn't the main thing said by new mac users
> > 'it just works', meaning 'I couldn't figure out windows'? The main users of
> > macs are liberal arts students and hippies .. and we all know the
> > technical level of these people.
> >
> You apparently haven't been around Macs recently.  *Many* technical
> people,
> *especially* Unix and security admins, have started using Macs because
> they
> provide all the functionality of Unix with a beautiful GUI on top.
>
> Besides, I'll put the technical prowess of a liberal arts major up against
> the technical prowess of a computer science major *any* day, and spot them
> two full months to study.  CS majors can code like monkeys, but they don't
> have a clue how a computer works.  :-)
>
> --
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
>

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Paul Schmehl
--On Thursday, November 01, 2007 16:42:51 -0500 reepex <[EMAIL PROTECTED]> 
wrote:

> On Nov 1, 2007 4:34 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
>
>
> Yes, today, the average level of clue among Mac users is probably a
> shade higher than amongst Windows users,
>
>
>
>   Is this a joke? The reason people switch to macs is because they cannot
> handle simple tasks. Isn't the main thing said by new mac users 'it
> just works', meaning 'I couldn't figure out windows'? The main users of
> macs are liberal arts students and hippies .. and we all know the
> technical level of these people.
>
You apparently haven't been around Macs recently.  *Many* technical people, 
*especially* Unix and security admins, have started using Macs because they 
provide all the functionality of Unix with a beautiful GUI on top.

Besides, I'll put the technical prowess of a liberal arts major up against 
the technical prowess of a computer science major *any* day, and spot them 
two full months to study.  CS majors can code like monkeys, but they don't 
have a clue how a computer works.  :-)

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread reepex
On Nov 1, 2007 4:34 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:

> Yes, today, the average level of clue among Mac users is probably a
> shade higher than amongst Windows users,


  Is this a joke? The reason people switch to macs is because they cannot
handle simple tasks. Isn't the main thing said by new mac users 'it just
works', meaning 'I couldn't figure out windows'? The main users of macs are
liberal arts students and hippies .. and we all know the technical level of
these people.


>
> think we may agree about the advisability (or otherwise) of making such
> predictions as loudly and publicly as Gadi did,


this page [1] has been dedicated to gadi evron because of events like these

[1] http://www.encyclopediadramatica.com/index.php/Attention_whore

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Paul Schmehl
--On Thursday, November 01, 2007 13:27:07 -0600 Steven Block 
<[EMAIL PROTECTED]> wrote:

> You're an idiot.
>
> Save this as a script and run it, it will give you unlimited power:
>
> #!/bin/sh
> sudo rm -rf /
>
> Enter your password if you are prompted.
>
> Oh look, malware.

If you don't think this is an issue, you're not very aware of what's going 
on these days.  The vast majority of present successful attacks on Windows 
are not exploiting vulnerabilities in Windows but taking advantage of the 
gullibility of users.

There is no reason to believe that Mac users will be any less gullible than 
Windows users and plenty of reason to believe they will be less aware of 
the potential pitfalls of social engineering, because, until now, they 
haven't been targeted.

This attack is real and will be successful to the degree that Mac users 
fall for the fake codec scam.  This same scam has worked quite well on 
Windows users and patch level, etc. is irrelevant.  The only chance a 
gullible person has is *if* they are running anti-virus software and *if* 
that software detects this malware and *if* they pay attention to the 
warnings and do not install the "codec".

How many people who own/use Macs even have anti-virus software installed, 
much less up to date?

Yes, *you* might not fall for it.  Plenty of people have and will continue 
to do so, just as they fall for 419 scams and all the other crap the bad 
guys inundate them with.

Judging by the reactions of Mac (and some security) "experts", this attack 
should be wildly successful.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Nick FitzGerald
Steven Block to Gadi Evron:

> You're an idiot.
> 
> Save this as a script and run it, it will give you unlimited power:
> 
> #!/bin/sh
> sudo rm -rf /
> 
> Enter your password if you are prompted.
> 
> Oh look, malware.

Were you looking in a mirror while writing that?

If you think there are not "roughly similar" proportions of Mac and 
Windows users who will do more or less that, then I know who the idiot 
is here and it's not Gadi...

Yes, today, the average level of clue among Mac users is probably a 
shade higher than amongst Windows users, and yes in its default or 
typical configurations Windows XP (and earlier) does make it a little 
easier for the terminally clueless to shoot themselves in the feet, but 
if you need an introduction to the basics of population statistics to 
understand the flaw in your "argument" I'm surprised you managed to get 
yourself subscribed to these lists in the first place.

...

Now, if you wish to discuss the wisdom of predicting that this specific 
instance of Mac malware will be the real "sky is falling" moment, I 
think we may agree about the advisability (or otherwise) of making such 
predictions as loudly and publicly as Gadi did, but to dismiss this 
kind of malware out of hand because of your ignorance of typical user 
behaviour is less than clever.


Regards,

Nick FitzGerald



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Thor (Hammer of God)
> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet
> another proof of concept. The same gang infects Windows machines as well,
> just that now they also target macs.
> 
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
> 
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years
> past are going to bite them in the behind.

Let's not over-hype this-- while "Apple's day" has been coming, saying
that users will be "hit hard" on something the user has to manually
download, manually execute, and explicitly grant administrative
privileges to is *way* over the top.



> I can sum it up in one sentence: OS X is the new Windows 98. Investing
> in security ONLY as a last resort loses money, but everyone has to
> learn it for themselves.

Not "the new Windows 98" by a long shot - saying that is just
irresponsible.  While Apple is not used to dealing with security in the
same way that other companies are, comparing OSX to Windows 98 is not
only a huge technical inaccuracy, but you also insult MAC users out
there.  OSX had "UAC-like unprivileged user controls" way before Vista
did - let's not try to start some holy-war on this like people have
tried to do with Windows vs Linux in the past.

If you want to report this, then report it-- but say what it is, a
totally lame user-must-be-drunk "exploit" that requires that all manner
of things go wrong before it works -- otherwise people will think that
you've dressed up as Steve Gibson for Halloween.

t



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Steven Block
You're an idiot.

Save this as a script and run it, it will give you unlimited power:

#!/bin/sh
sudo rm -rf /

Enter your password if you are prompted.

Oh look, malware.

On Oct 31, 2007, at 5:21 PM, Gadi Evron wrote:

> For whoever didn't hear, there is a Macintosh trojan in-the-wild  
> being dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet  
> another proof of concept. The same gang infects Windows machines as  
> well, just that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users  
> are going to get hit hard. All those unpatched vulnerabilities from  
> years past are going to bite them in the behind.
>
> I can sum it up in one sentence: OS X is the new Windows 98.
> Investing in security ONLY as a last resort loses money, but everyone
> has to learn it for themselves.
>
> Gadi Evron.



[Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Gadi Evron
For whoever didn't hear, there is a Macintosh trojan in-the-wild being 
dropped, infecting mac users.
Yes, it is being done by a regular online gang--itw--it is not yet another 
proof of concept. The same gang infects Windows machines as well, just 
that now they also target macs.

http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html

This means one thing: Apple's day has finally come and Apple users are 
going to get hit hard. All those unpatched vulnerabilities from years past 
are going to bite them in the behind.

I can sum it up in one sentence: OS X is the new Windows 98. Investing in
security ONLY as a last resort loses money, but everyone has to learn it 
for themselves.

Gadi Evron.



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread reepex
It is funny that gadi does not post to this list anymore.. maybe it's because
he knows people here can actually express their opinion against his retarded
posts without being moderated?

anyway of course gadi is going to jump over stuff like this because it takes
no technical knowledge to write about. If you want another example of this
try "sun's /8" in google and you will find gadi's low level technical
research about the solaris telnet vulnerability or look up his crap about
the no auth vnc bugs.  These are the only bugs known to date that gadi evron
could comprehend so he has to make many posts about them to keep his name
high on google rankings for when he searches for his name daily [1].

[1] http://seclists.org/fulldisclosure/2007/Sep/0058.html

On Nov 1, 2007 3:10 PM, nnp <[EMAIL PROTECTED]> wrote:

> Oh don't be so bloody sensationalist. You're worse than the
> journalists because you should know better.
>
> - -nnp
>
> On 10/31/07, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> > dropped, infecting mac users.
> > Yes, it is being done by a regular online gang--itw--it is not yet
> > another proof of concept. The same gang infects Windows machines as
> > well, just that now they also target macs.
> >
> > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
> >
> > This means one thing: Apple's day has finally come and Apple users are
> > going to get hit hard. All those unpatched vulnerabilities from years
> > past are going to bite them in the behind.
> >
> > I can sum it up in one sentence: OS X is the new Windows 98. Investing
> > in security ONLY as a last resort loses money, but everyone has to
> > learn it for themselves.
> >
> > Gadi Evron.
> >
>
>
> --
> http://www.smashthestack.org
> http://www.unprotectedhex.com
>

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread nnp
Oh don't be so bloody sensationalist. You're worse than the
journalists because you should know better.

- -nnp
On 10/31/07, Gadi Evron <[EMAIL PROTECTED]> wrote:
> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet another
> proof of concept. The same gang infects Windows machines as well, just
> that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years past
> are going to bite them in the behind.
>
> I can sum it up in one sentence: OS X is the new Windows 98. Investing in
> security ONLY as a last resort loses money, but everyone has to learn it
> for themselves.
>
> Gadi Evron.
>


-- 
http://www.smashthestack.org
http://www.unprotectedhex.com
