Okay, Maybe This Mac Security Problem is Real

By  |  Monday, May 23, 2011 at 12:36 pm

“A conservative is a liberal who’s been mugged.” I thought of that old wisecrack this morning when I encountered something I’d never seen before: a serious trojan attack on my Mac.

The attack in question was an instance of Mac Protector, a variant of the Mac Defender attack that’s been in the news this month  (my friend Ed Bott has written about it repeatedly). I was browsing in Safari and suddenly got this window, looking a bit like OS X’s Finder and a bit like iTunes (click on it to see it at a larger size):

The “Apple security center” above was just a Web page trying to trick me into thinking it was part of the operating system, but I also found a bona-fide OS X installer app open on my computer:

I didn’t install the program–if I had, it would have apparently spawned porn sites on my desktop and attempted to swipe my credit-card info, much like the many similar fake antivirus trojans that have been a scourge of Windows users for years. And the program couldn’t have installed itself without my permission–if I’d clicked on Continue in the dialog box above, it wouldn’t have installed until I’d entered my OS X password. Which I wouldn’t have done. (A Mac security-issue denialist might even argue that my experience was evidence of the strength of OS X security–hey, the program didn’t get installed! Trojan attack foiled!)

Still, I’m not sure what I did that allowed Mac Protector to get as far as it did–I may have wandered onto a typosquatter site by mistake, or on a blog that’s a rogue operation or which has itself been compromised.

Things have been so quiet on the OS X security front for so long that even an unsuccessful, painfully obvious attempt to break into my Mac is jarring. And I confess that I didn’t realize until now that the default settings in Safari would permit an installer to run without any action on my part:

(Note Apple’s use of quote marks–”safe” files–in the last setting above. I just unticked the box, just in case.)

Of course, it’s always been wise for Mac users to keep their eyes and ears open on the security front even though attacks have been so uncommon. And it would be silly to take the recent hubbub over Mac Defender/Protector as proof that Mac users have now permanently descended into the security hell that PC types have had to deal with for eons. But I’ve been wondering when a Mac breach would come along that wasn’t merely theoretical and which bit Mac fans in meaningful numbers. This would seem to be it. Or at least that’s my instinctive reaction, having seen it for myself on my own computer.

Mac users, have you seen any variants of this attack? Are you any more inclined to run security software on your computer than you were before?

 
27 Comments


Read more: , ,

27 Comments For This Post

  1. joaopapa Says:

    i do already haver a antivirus installed on my mac.

  2. Dave Says:

    You'd be a fool to believe this will be the last, or the strongest of the attacks on Mac. They always test the waters first before jumping in, and seeing how easy this one was, be sure they will cannonball

  3. Daniel Vaughn Says:

    Reading this, it would seem pertinent to install a security program on my Macbook Pro, but it's still very hard to bring myself out of the "Macs are superior and don't need antivirus" mentality.

  4. Kevin Etter Says:

    Just a note: Open "safe" files default setting has been unchecked for a number of years now for this very reason.

  5. Sean Says:

    This happened to us last week but we didn't download it (thank god). Very sneaky. My wife was accessing her hotmail account and browsing the web and it appeared, but we really don't know what triggered it.

  6. Rip Says:

    It's only real if you're stupid.

  7. Harry McCracken Says:

    Interesting–it was checked on my computer, and not by me…

    –Harry

  8. Harry McCracken Says:

    Disagree, Rip: a large percentage of the evil that security attacks do has nothing to do with whether they’re successful or not. It’s the hassle of encountering them and dealing with them on a daily basis–and when it comes to that, the smartest computer users and the dumbest ones are pretty much in the same boat.

  9. Jasper Linsen Says:

    This does not count as a 'malware' attack like we've known on Windows for years. On windows, it's sufficient to open up an executable that changed extension to a regular file, like a JPEG or something. This is not so anymore in recent versions of Windows, but that was an example of how things went wrong. On mac, an application cannot install itself without permission of the user. Without his password. How is that an attack?

    For example, I'de be suspicious if one day an alarm-salesman would be at my door asking me to let him in in order to check out my alarm system and improve my home-security. Just slam the door closed, right?

    This is not a serious problem, and there are no serious threats on macs out there right now, and not in the forseeable future. Yes, as the platform grows in size there will be more attempts at sneaking into your computer, but Apple has a robust platform. And here's the catch that keeps coming back to Windows: they are supporting legacy. Apple decides to stop supporting legacy protocols. They close doors when they're not necessary anymore. Windows, however, focused on the business-world, has always tried to keep the door kind-of-open to anything that wanted to come in.

    So the situation is very different. On mac, malware is an annoyance. On windows, it's a plague. It's like the difference between twenty locusts in a bush and a full-on battle alliance of locusts attacking your crops, leaving no food for your precious first-borns. And yes, that indeed was a Biblical reference.

  10. Lazlow St. Pierre Says:

    Actually, rereading Harry's post, my issue was slightly different because it didn't try to launch an installer on my Mac, it just gave me the fake security center and a message about removing trojans. There obviously is an issue with Safari if it's possible to make a webpage launch an installer without the user's permission.

  11. @ahow628 Says:

    Here is the problem: In my family anyway, all the non-techies just love to enter their password all willy-nilly. I've tried to instill some fear in them, but it really doesn't do much good.

  12. Chip Says:

    I'd be interested to know how you think anti-virus software of security software would work on such a situation as this? This is malware, which I don't think can be combatted that easily.

  13. ContraMundum Says:

    I think this shows a larger issue with computer users at large, be they Windows or OSX, they don't like paying attention. People just want to look at the computer, click the mouse, and get their interwebs. If there is a program which requires them to put their password in to install a security system, then they will do it. Heck, some would probably even do it even if the program presented no good reason, other than, "Password needed to continue" Until we fix the problem with humans, no computer will be safe/

  14. The_Heraclitus Says:

    Until Macs obtain ~20% market share, these attacks will be very rare.

  15. john Says:

    I just got this virus and totally installed it on my computer. fml. this is my first mac i just got it like 1 month ago so im not familiar with them at all. how do i resolve this problem?? please help!

  16. Lazlow St. Pierre Says:

    What?

    Dealing with malware is exactly what anti-virus software is meant to do.

    If you have anti-virus software that can't combat "malware", then you might as well dump it (you [i]do know[/i] that viruses are a form of malware, right?). Viruses, trojans, worms, etc. are all different forms of "malware" that your AV software is meant to keep off your computer.

  17. cold Says:

    Go to Apple’s support website:

    https://discussions.apple.com/index.jspa

    and search for Mac Defender, you should get a posting from other users about what to do.

  18. Reece Tarbert Says:

    I did a fresh install of Snow Leopard one week ago and I can guarantee that Safari has the "open safe files" option on by default.

    RT.

  19. Reece Tarbert Says:

    "On mac, an application cannot install itself without permission of the user. Without his password. How is that an attack?"

    You don't need to type a password to add apps to the /Applications folder or to add them to your "Login Items", therefore the risk might be low but is still very real — and nothing's more dangerous than a false sense of security.

    RT.

  20. Kevin Etter Says:

    Hmm, you're right. Maybe it's been so long that I've had it turned off. It was one of the first settings I changed when I got my Mac.

  21. Brandon Backlin Says:

    At least the OS was programmed from the start to NOT run anything at top privileges by default; unlike a certain "modern" OS (ahem Windows XP…). If it was; the security scene would equal that of Windows.

  22. Ameli@EthicalHacking Says:

    This incident just proves that no system is completely malware-free. I always thought that Apple computers are not susceptible to viruses, trojans, and the likes. Moreover, just last week, Apple confirmed reports that its iChat was attacked. It was then patched up with the latest iChat update.

    My point is, Mac (Apple in general) is deliberately targeted.

    Hackers and virus-makers are becoming more creative and sophisticated these days. The attack on Mac computers was a great success for them. I think this is just their launching pad. A more sinister move will be on its way.

  23. Jasper Linsen Says:

    Even if you add an app to the application folder, MacOS asks you if you want to open it if it's downloaded from the internet. It only doesn't ask it when you copy it from somewhere else that isn't the internet, but since there isn't an autorun command for inserting USBsticks on mac, theres no way a secret application could be copied. Also, an application can only work if the user launched it on MacOS X, and to run background services it needs an administrator password (since an application cannot just install things without the users permission). Just adding apps to /Application is neither harmfull, noticeable by users or even doing anything. It isn't a false sense of security – it is security. Now, if there was a way to install a virus without the user knowing (like opening an EXE masked to look like a JPEG on Windows), then we're talking about a 'false sense' of security. Right now, the user always has to click something, be it a warning, an installer or a weird application icon in their /Applications folder.

  24. iPhone gloves Says:

    personally know nothing about mac OS,just thanks for sharing

    best touch screen gloves

  25. Hamranhansenhansen Says:

    Do you have to ask if the Windows security problem is real?

  26. fernando castro Says:

    This incident just happened to me on Firefox. What worries is that a zip so called "anti-malware" file did go into the download folder. I cannot find it there though. Does anyone know where it went? Secondly, what anti-viral program should I get?

  27. kristen Says:

    Same thing happened to me on Safari. Don't know how it was triggered. I didn't download anything, but an "anti-malware" file went into my download folder. Couldn't find the file later when I tried to trash it.