Wednesday, 18 May 2011

Mac Defender is malware but not a virus

You're walking along a dark alley.
"Psst, wanna try some of this?" The stranger is holding a hypodermic needle and you can see some green fluid in the vial. "It's real good."
"Oh, sure, why not." You hold out your arm.

With just a little more social engineering, this is what people are doing to get the latest Mac 'virus'. Of course it is being called a computer virus, but it isn't one. If you got ill after accepting the shot of green fluid you couldn't say you caught something 'accidentally', which is how you'd catch a cold. You did something really dumb and are suffering the consequences.

Strictly speaking, 'Mac Defender' (it goes by other names as well) is a Trojan that relies on social engineering. That is a fancy way of saying the bad guys convince you to install it by pretending it is something else, and then you are screwed. 'Trojan' comes from the Trojan horse, a wooden horse the Greeks gave to the Trojans after first filling it with soldiers. When the Trojans took it inside their gates the soldiers jumped out and attacked. The rest is history.

Mac Defender pretends to be from Apple, which is certainly not Apple's fault. I'm not a fan of Apple but they are squeaky clean here. People download this thing, install it, give it their root password, and then find it insists on showing porn images at random moments (inevitably the worst moments, of course) and claiming there is a virus on the system. It then asks for money to remove it. There is a suggestion that if you actually hand over a credit card it always says the payment didn't work and asks for another one, keeping the card details each time.

But this is very, very different from the other ways you can get malware.
  1. Worm. This is when something out on the internet finds an open port on your machine and slips in. You didn't do anything, other than leave a port open, it just crept in when you weren't looking.
  2. Dumb Trojan. When you think you're just opening an email attachment or browsing to a URL, and evil stuff happens behind the scenes.
In both of those cases you could reasonably assume the computer would protect itself. In the Mac Defender case you actively overrode all possibility of the machine protecting itself, which is quite different.

Operating systems like Mac and Linux are based on Unix, which has some built-in protections that make it very, very hard for malware to get in as a Worm or a Dumb Trojan. We have to accept that the odd security bug in the operating system will turn up (and will be fixed quickly), but it is generally true that Unix-based operating systems do not see this kind of malware.

That is not the case with Windows, which lacks three advantages Unix has.
  1. The execute bit. To be executable, a program file must have the execute bit set. This is not set by default on, say, attachment files that you save. That means malware code has to find a way to get you to set the bit, usually by hand, so you have to know about it.
  2. Root access. Unix has a strong separation between the privileges of the admin or root user and the rest. People don't normally run as root unless they really have to because, say, they are installing software. So just running some program, whether from a network port or from your desktop, is limited in the amount of damage it can do. Malware writers find these limitations boring. They want to trick you into giving them root access. Again, that's going to be a manual step you know about.
  3. The distros. Unix software typically comes from packages distributed by distros rather than downloaded from random sites. It is unlikely that malware gets into these distros, but if it did it would be cleaned out very quickly. For Windows users: the distros work a lot like Windows Update, but they update everything and install new software. Unix can do this because the software is generally free, so it doesn't have to figure out how to charge you. I'm not sure what Mac's distro arrangements are.
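As an added illustration of the first two points above (example code written for this page, not part of the original post), here is a small POSIX shell script. It writes a file the way a saved attachment lands, with no execute bit, shows that the kernel refuses to run it until someone sets the bit by hand, and reports whether the shell itself is running as root. The directory and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the execute bit in practice.
# A file saved from a mail client or browser lands with mode 644 (no x bit),
# and the kernel will not exec it until someone deliberately sets that bit.

# Scratch directory for the demo (name is arbitrary; removed on exit).
DEMO_DIR="$(mktemp -d ./execbit_demo.XXXXXX)"
trap 'rm -rf "$DEMO_DIR"' EXIT

# Write a tiny script with mode 644, mimicking a freshly saved attachment.
# Prints the path so callers can use it.
write_unflagged_script() {
    f="$DEMO_DIR/saved_attachment.sh"
    printf '#!/bin/sh\necho hello from the attachment\n' > "$f"
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Succeeds (exit 0) only if the file has an execute bit we can use.
can_exec() {
    [ -x "$1" ]
}

# Try to run the file directly; report "ran" or "refused" instead of aborting.
# Without any x bit the shell reports "Permission denied" (exit 126),
# even when the caller is root.
try_run() {
    if "$1" >/dev/null 2>&1; then
        echo ran
    else
        echo refused
    fi
}

# The manual step the post describes: a user has to turn the bit on.
mark_executable() {
    chmod u+x "$1"
}

# Root separation: report whether this shell holds uid 0.
privilege_label() {
    if [ "$(id -u)" -eq 0 ]; then
        echo root
    else
        echo unprivileged
    fi
}

# Walk through the whole sequence and print what happens at each step.
demo() {
    f="$(write_unflagged_script)"
    echo "saved file:        $f"
    echo "before chmod:      $(try_run "$f")"
    mark_executable "$f"
    echo "after chmod u+x:   $(try_run "$f")"
    echo "this shell is:     $(privilege_label)"
}

demo
```

Run it as an ordinary user and the "before chmod" line reads `refused`; the same thing happens as root, because the check is on the file's mode bits, not on who is asking. The `chmod u+x` step is the one a user has to take knowingly, which is the whole point of the execute bit as a barrier.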
But the only way to guard against malware like Mac Defender is to deny users root access to their own machines. This is why a lot of cell phones don't come 'rooted' by default: they don't allow you to be the root user. We already see this trend moving into tablets, and maybe it will reach laptops and desktops soon too.