February 3, 2009

MacScan releases free Mac trojan removal tool

January 27th, 2009

Posted by David Morgenstern

With the arrival of yet another trojan targeting the Mac, antispyware vendor MacScan on Tuesday updated and renamed its trojan removal tool.

The previous version was called the iWorkServices Trojan Removal Tool, and SecureMac changed the program’s name to the iServices Trojan Removal Tool. The company said the updated tool is also a free download and detects and removes the new variant trojan found on pirated versions of Adobe Photoshop CS 4 for Mac OS X.

This trojan is circulating on various P2P networks, using various software packages as the infection vector. The first version was discovered in copies of iWork 09, which was introduced at Macworld Expo earlier this month.

According to MacScan:

Like its predecessor, variant B obtains root privileges, and notifies the remote host of the infected computer’s location on the Internet. It is recommended users avoid downloading pirated copies of these programs. What’s more, it is anticipated that new variants will be discovered in the coming months in other software packages distributed by third parties over the Internet.


Mac malware will become endemic amongst high-risk groups

January 26th, 2009

Posted by Adam O'Donnell

Two Mac trojan outbreaks were spotted in the past week leaving several people, including myself, to wonder if the tipping point for the Mac malware epidemic has arrived. Frankly, I don’t know, but I tend not to think so. I do think, however, that Mac malware will now become endemic amongst the high-risk groups such as file-swappers.

This past week a trojan claiming to be the latest iWork release was spotted on file sharing networks. Shortly thereafter, a similar trojan was sighted masquerading as a crack for Photoshop CS4. Both events are making some people question whether the Mac’s long tenure as a malware-free system is coming to a close, and whether it is time to face facts and install AV software.

The short answer is that, if you are a relatively well-behaved computer user, probably not. Mac malware is not endemic amongst the general population due to these events. The trojans of the past week are not self-propagating beyond the high-risk population, namely file swappers, and are relatively easy to find, analyze, and remediate. This is in stark contrast to PC users who have been hit with the Downadup/Conficker worm, which propagates via three orthogonal vectors, includes one remote exploit, and actively prevents you from visiting websites that contain remediation tools.

I do think the relative halcyon days of malware-free Macs are coming to an end. Anyone who is currently infected by the new malware will remain infected without direct human interaction due to the lack of any automatic mechanism for the identification and removal of malware. That means there is a non-zero population of Mac users who are now compromised and will remain compromised unless they either clean their machine or they buy a new system. Sounds familiar, right?

The question I want answered is whether or not the monetization rate of compromised Macs is sufficient for the malware authors to continue to pursue the platform. If not, these events will be a blip on the radar; otherwise, Mac owners better keep their Time Machine backups up to date.


February 2, 2009

Mac OS X targeted by Trojan and backdoor tool

By Matthew Broersma ZDNet.co.uk
Posted on ZDNet News: Nov 21, 2008 4:38:55 AM

Two pieces of malicious software affecting Apple's Mac OS X appeared this week: a Trojan horse with the ability to download and install malicious code of an attacker's choice, and a hacker tool for creating backdoors, according to security vendors.

The Trojan — called 'OSX.RSPlug.D' by Intego, the Mac security specialist that discovered the threat — is a variant on an older piece of malicious code but with a new installer, Intego said.

"It is a downloader, and it contacts a remote server to download the files it installs," Intego said in an advisory. "This means that, in the future, the downloader may be able to install payloads [other] than the one it currently installs."

In other respects the Trojan is similar to previous versions of RSPlug, which first surfaced in October 2007, Intego said. It installs a piece of malicious code known as DNSChanger, which routes the user's internet traffic through a malicious DNS server, leading users to phishing websites or pages displaying advertisements.

The Trojan is found on porn websites posing as a codec needed to play video files, a technique used to trick the user into downloading and installing it.

Intego said OSX.RSPlug.D has been widely confused with a separate threat publicized this week by several security firms. That threat is called OSX.TrojanKit.Malez by Intego and OSX.Lamzev.A by other vendors, including Symantec and Trend Micro.

OSX.Lamzev.A is a hacker tool designed primarily to allow attackers to install backdoors in a user's system, according to Intego. However, the company dismissed the tool as a serious threat because a potential hacker has to have physical access to a system to install the backdoor.

"Unlike true malware and Trojan horses, OSX.TrojanKit.Malez requires that a hacker already have access to a Mac in order to install the code," Intego stated.

Other antivirus vendors noted that Lamzev could be disguised as a piece of legitimate software and used to trick users into creating the backdoor themselves.

Lamzev is not related to RSPlug, despite several high-profile reports confounding the two, Intego emphasized. "This hacker tool has nothing to do with the RSPlug Trojan horse," Intego stated.

Security vendors have long warned that the Mac platform is not as secure as some users might like to believe. Apple had not responded to a request for comment at the time of publication.


Despite what blogs (and Apple) say, Macs will eventually have malware

December 2nd, 2008

Posted by Adam O'Donnell

People seemed to get into a tizzy about Apple posting an announcement recommending Anti-Virus software for Macs. Even though it was retracted, I do think that Apple priming Mac users for the eventuality of widespread malware is a good idea. People who believe that the fundamental design of Macs will prevent them from being an attractive target for viruses are dead wrong.

Several reporters and bloggers jumped on the apparition that graced Apple’s knowledge base stating that Mac users needed to run multiple anti-virus packages. While the KB article turned out to be bogus, it does not mean that Apple users are safe from malware forever. I have said many times before and I will say it again: given the constant of end-user gullibility and a monetized malware underground, the emergence of Mac malware is a function of market share and anti-virus effectiveness on the dominant platform. You don’t even have to depend upon verbal arguments, as I provide a game theory analysis as well.

The fact that the announcement was made and pulled seemed to give some bloggers, including Joe Wilcox, fuel for their argument that Macs don’t have malware because they are fundamentally more secure.

The reality is that mass market malware writers don’t care about novel attack code anymore. They also don’t care about who is running the most vulnerable services. They do care about writing programs that look like legitimate applications that will trick the end user into voluntarily installing them. When the bad guy’s target is the human being at the console, then his only decision becomes what is the size of the target to go after.

The fundamental fallacy in Joe’s argument is that operating system security is equivalent to malware security. It isn’t. No level of system architecture can prevent users from harming themselves. Malware writers are just waiting until there are enough victims to make their switch profitable.


November 6, 2008

An inside look at Apple’s sneaky iTunes 8 upgrade

September 10th, 2008

Posted by Ed Bott

Update, 12-September, 5:45AM PDT: Apple has issued a revised download for iTunes 8 intended to correct this problem. My analysis is in this follow-up post.

I’m reading lots of complaints about the new iTunes 8 update causing horrific problems on Windows machines, including widespread reports of STOP errors, aka the Blue Screen of Death. My colleague Adrian Kingsley-Hughes has asked readers for reports and Gizmodo has a sketchy post as well. How can this be happening? Assuming that the underlying hardware is working correctly, STOP errors can only be caused by kernel-level drivers or system services. A poorly written program can crash itself but not the entire system. So how can a supposedly simple software update cause a fatal crash?

Maybe because this isn’t a simple software update. Once again, Apple is using its automatic update process to deliver massive amounts of new software to users, including a device driver that has a long and checkered history of causing the Blue Screen Of Death to appear. And it’s delivering this massive payload without even a pretense of proper disclosure and without asking consent from its users.

I was able to reproduce a crash using an iPod and iTunes 8 and fixed it by removing the suspicious driver. I’ve dissected the process and put together a gallery that shows how extensive the infiltration is and where you can find the likely culprit.

To see what software is sneaking along with the upgrade, see my image gallery: Apple’s sneaky iTunes 8 install

Apple’s sneaky iTunes 8 install

Here’s a blow-by-blow analysis of what happens when you allow Apple Software Update to install iTunes 8:


The first thing you see is a notice from Apple Software Update. It promises an update to iTunes+QuickTime and says nothing about any other software.


Next, you accept a license agreement, which also makes no mention of anything other than iTunes. According to a code at the end of the license agreement, it has not been updated since October 2007.

After you enter your administrator’s credentials in a dialog box, the download and installation proceed automatically. The downloader dialog box notes that the complete install package is nearly 80MB in size, but the size shown in its progress bar changes several times.


Opening the folder where Apple Software Update stores its temporary files reveals what’s really going on. The download consists of five installer packages and a master setup program. In addition to iTunes and QuickTime, the package includes the Bonjour service (which has been a part of iTunes for a long time), plus Apple Mobile Device Support and MobileMe. The latter two packages appeared for the first time, according to Ars Technica and other sources, in the July update to iTunes. And a look inside Control Panel shows that this time around, Apple is giving Windows users an opportunity to uninstall MobileMe, which they didn’t do in the previous update.

When I used an antispyware tool (Sunbelt Software’s VIPRE), it detected that a new Apple program was loading at startup. Although it went by the prosaic name AppleSyncNotifier, its icon reveals that it’s actually MobileMe.

But in addition to all that software, Apple is also sneaking a couple of driver updates onto the system. One is a USB controller update, which is apparently used when connecting an iPod or iPhone to the system. On my system, this driver file was copied to the system but was not installed until I connected an iPod Mini via a USB port. Most of the trouble reports on the Apple forum indicate that this driver is identifying itself in the text that appears on the STOP error page. The only clue that this driver is being installed is in the System Restore dialog box.

In addition to this driver, the system also updates the GEARAspiWDM.sys driver (in Windows\System32\Drivers). I had to dig deep to discover this change, which is not documented anywhere. This driver is typically used with third-party programs that write to CD and DVD drives. The old iTunes version of this driver is dated January 29, 2008. The new one is from April 17, 2008. This driver has a long and colorful history of causing Windows crashes. [Update 17-Sep: After looking deeper, I can confirm that Apple’s driver is the culprit and that Gear’s driver is unrelated to these crashes. In fact, Gear’s signed driver might even be an innocent bystander in a separate iTunes support issue. See my follow-up post “Apple, not Gear, deserves the blame for iTunes crashes” for details.] I remember dealing with it back in Windows 2000 days. And sure enough, a search for GEARAspiWDM.sys BSOD turns up thousands of hits. I’ve also found anecdotal reports of this driver causing iTunes to crash, including this one from the Gear Software forum last May. The image below shows the Previous Versions dialog box, which I used to determine that the file had been updated.


When I plugged an iPod Nano into my Windows Vista system for the first time, it offered to install a driver and then asked me to reboot. When I restarted, I plugged in the iPod again and the machine locked up solid. No blue screen, just a black screen that didn’t respond to any input. After a restart, I tried again and got the same result when I attempted to open iTunes.

For the third try, I decided to replace the GEARAspiWDM.sys driver file with its earlier version. I used the Previous Versions feature of Windows Vista Ultimate to find the older version, copied it to my desktop, deleted the newer driver, and then copied the January version to the Drivers folder. This time iTunes opened just fine, displaying the contents of the iPod. (When I simply deleted the driver file, I got an error upon starting iTunes warning me that my installation was incomplete and that I might not be able to burn CDs or DVDs until I completed it.)

I can’t say my tests are conclusive, but my long history with this file suggests that it might well be at the root of the problem for others as well.
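As an added example (not from Ed Bott’s post), here is how a Windows administrator can catch an undocumented driver swap or a new startup item like AppleSyncNotifier without resorting to the Previous Versions dialog: snapshot the Drivers folder and the Run keys before the installer runs, then diff the two snapshots. Paths are the Windows defaults; the snapshot file names are my own choice.

```powershell
# Added example: before/after snapshot of kernel drivers and startup Run keys.
# Assumes Windows PowerShell 4+ (for Get-FileHash) and default Windows paths.

$DriversDir = Join-Path $env:SystemRoot 'System32\Drivers'
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

function Get-InstallSnapshot {
    # One record per .sys file: size, last-write time and SHA-256, so a silently
    # replaced driver (same name, new contents) shows up as CHANGED in the diff.
    $drivers = Get-ChildItem -Path $DriversDir -Filter '*.sys' -File | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{ Name  = "driver:$($_.Name)"
                           Value = '{0}|{1:o}|{2}' -f $_.Length, $_.LastWriteTimeUtc, $hash }
    }
    # One record per Run-key value, to catch programs newly registered at startup.
    $startup = foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip the provider's PSPath etc.
                [pscustomobject]@{ Name = "startup:$key\$($p.Name)"; Value = [string]$p.Value }
            }
        }
    }
    @($drivers) + @($startup)
}

function Compare-InstallSnapshot {
    param([object[]]$Before, [object[]]$After)
    $b = @{}; foreach ($e in $Before) { $b[$e.Name] = $e.Value }
    $a = @{}; foreach ($e in $After)  { $a[$e.Name] = $e.Value }
    foreach ($n in $a.Keys) {
        if (-not $b.ContainsKey($n)) { "ADDED   $n -> $($a[$n])" }
        elseif ($b[$n] -ne $a[$n])   { "CHANGED $n : $($b[$n]) -> $($a[$n])" }
    }
    foreach ($n in $b.Keys) { if (-not $a.ContainsKey($n)) { "REMOVED $n" } }
}

# Before the installer:            Get-InstallSnapshot | Export-Clixml before.xml
# After the installer and reboot:  Get-InstallSnapshot | Export-Clixml after.xml
if ((Test-Path before.xml) -and (Test-Path after.xml)) {
    Compare-InstallSnapshot -Before (Import-Clixml before.xml) -After (Import-Clixml after.xml)
}
```

A CHANGED line for driver:GEARAspiWDM.sys with a new timestamp and hash is exactly the evidence the post had to recover by hand.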

An even bigger problem is Apple’s attitude toward its Windows customers. These additional software packages and drivers are being installed with no disclosure and no consent. A pile of software, including the troubled MobileMe service, is also being installed and enabled at startup on Windows machines, even where the user has no MobileMe account and, for that matter, no mobile device.

Apple’s Get a Mac ads love to tweak Microsoft for its frequent crashes. Someone from Apple needs to look in the mirror and realize that they’re the problem in this case.
