Mac-Security Column for November 2007

Mac-Security Column
2007-11-11
© Derek Currie

Until the beginning of November, Macintosh security has been a mute subject. Suddenly it is entirely relevant thanks the very first piece of Mac malware loose in the wild. This has inspired me to fill the Mac security niche with a regular column on the subject.

A quick introduction: I became interested in knowing the facts about Macintosh security in August of 2005 when Symantec where having trouble selling their Norton Anti-Virus for Mac. The program had proven to be very buggy as well as irrelevant. In response Symantec perpetrated a FUD attack against the Mac community, attempting to scare people into buying their software. (FUD is an extremely popular form of propaganda. It is an abbreviation for "Fear, Uncertainty and Doubt.") In response to Symantec I got to work understanding the entire subject of computer security. I point out my favorite sources of knowledge at the bottom of the article. For now, suffice it to say I began writing about the subject in the Macintosh Usenet Newsgroups in order to help other folks understand reality versus FUD. My column here is an expansion of my writing on the subject over the last two years.

Today's column is going to be a crash course relevant to the malware at hand. It is a Trojan horse called OSX.RSPlug.A.

Malware is the overall term for ANY software that is malicious toward a computer. The word 'mal' means 'sick' in French. Trojan horses are applications that have to be hand installed onto a computer to do their dirty work. They are NOT viruses or worms in that by definition they have no ability to self-propagate. Typically they pretend to be something useful and harmless, but they are not. They have what I call a 'Squink' factor. This is a personal term that refers to anything that looks good but is not. In the case of OSX.RSPlug.A it disguises itself as the installer of a QuickTime component codec. Once you provide your administrative password to allow the installation, your goose is cooked and the thing can do whatever it likes on your computer. The current version sets itself up as a replacement of any DNS server you may have running. Anyone accessing your DNS server is NOT sent to the correct IP address they need. Instead they are sent to fraudulent phishing sites that pretend to be what they are not. They have what I call a 'Zunipus' factor. This made up word refers to anything that purports to be honest and true but is not. At the phishing site you are fooled into providing personal information, resulting in identity theft.

OSX.RSPlug.A was at first only available at particular pornography sites on the Internet. Recently it has been found at a variety of other web sites as well. There has been a lot of spam around the Internet enticing readers to these sites. Once you get there and try to play the videos, you are told you need a codec to access them. You are then provided with a link to download the installer. You install it, and the deed is done. This method of lying to you in order to trick you into some sort of detrimental behavior is called 'Social Engineering.' It has been a developing and popular craze in the field of malware for years. Windows users are all too familiar with it. Undoubtedly you have yourself received email enticing you to a fraudulent version of a trusted website where you are asked to provide personal information, such as an ID and password to access the site. This form of social engineering is phishing. In the case of OSX.RSPlug.A, social engineering is expanded to fool you into installing malware.

So, now that the rat is out of the bag, what can you do? As our Mac friend Douglas Adams said: "Don't Panic!" It is remarkably unlikely you are going to fall for the Squink factor of this malware. But this is an occasion to start becoming familiar with Macintosh security strategies. Below is a quickie list of useful tools:

1) Self-education: What you can teach yourself is to never take software for granted. Always download software from reliable sources, such as VersionTracker or MacUpdate. If you download from somewhere other than the proven source site of the developer of the software be very suspicious and do some homework to learn about what exactly this software is. Google is a great tool. Just type in the name of the software and dig around.

2) Anti-Malware application: In the case of OSX.RSPlug.A the only way an anti-malware (incorrectly called 'anti-virus') program would catch this Trojan would be if it scanned everything you downloaded as you download it. That means paying bucks for a professional application. I'll review the options in a later article. For now I believe the consensus is that no, you still don't need to buy anything.

There is a way to seek and destroy this Trojan after it has already been installed. This is through the use of the freeware program Clam. It is an Open Source project that, to be honest, is not perfect. Clam regularly has security issues of its own and must be updated, as an application, on a regular basis. Clam is also slow running and slow to provide malware definitions. But that's what you get for free, and it works. The only thing you can do with it is turn it loose on a regular basis on your hard drive. It has no ability to live scan anything except designated folders. As with any anti-malware program, you must update its malware definitions at least weekly.

There are a couple ways to get the Mac OS X version of Clam. The first is the free way. It is called ClamXav for Mac OS X:
http://www.clamxav.com/

The site has a nice set of documentation as well as a forum where you can talk with other folks about Mac security. Note: Versions of ClamXav are available all the way back to Mac OS X 10.2. You will find them at the site. Malware definition updates are made from within the program. If you like ClamXav, by all means donate some money to the cause.

My preferred way to get Clam is via Leopard Cache Cleaner (which actually works on all versions of Mac OS X back to 10.2). For $9 this is a brilliant program I highly recommend. But even if you don't want to pay for it, yet, the free options it provides are very good. This includes a full integration of ClamXav in a very simple GUI.

A new and niffy kewl feature in Leopard Cache Cleaner is the ability to scan for rootkits. What are they?! Stay tuned. It is quite a nasty subject. For now, let's just hope this form of malware never becomes an important issue on Macs.

3) The Mac OS X firewall: Apple provide it, so use it. Access Apple's Help in Mac OS X if you have questions. The version in Leopard is not-ready-for-prime-time I am sad to say. Apple is working on it. Leopard actually has a second, brilliant, but user-hostile firewall built-in as well. We will discuss it in a future article.

4) Little Snitch: This is what I call a 'reverse firewall.' It stops absolutely everything from contacting your LAN or the Internet without your permission. You have to be a bit of a geek to appreciate it as it pops up little windows asking for your permission to allow network access. But once you understand what it does and are willing to put in the effort to work with it properly, you can't do with out it. In the case of our Trojan OSX.RSPlug.A, it literally would be stopped dead in its tracks without your deliberately approving of it grabbing phishing URLs off the Internet, then sending out those URLs to suckers accessing its fake DNS service. In fact, Little Snitch can be used by malware warriors to find out from where the phishing URLs are being grabbed. Versions capable of running all the way back to Mac OS X 10.2 are available on the site. $25.

http://www.obdev.at/products/littlesnitch/

We have only touched the tip of the iceberg here regarding Mac security. Rather than overwhelm, I am simply going to point you to some other useful sources of information:

A) Apple have a dedicated support site for product security:

http://www.apple.com/support/security/

You can also subscribe to their highly recommended Security-Announce mailing list via their website or RSS:

http://lists.apple.com/mailman/listinfo/security-announce
feed://rss.lists.apple.com/security-announce.rss

B) Secunia: These folks are hyper-Apple critical. But they get results. They helped inspire the recent security improvements in QuickTime. Their website is stunning. I subscribe to their Weekly Summary mailing list.

http://secunia.com/
http://secunia.com/mailing_lists/

C) SANS Institute: These folks are outright anti-Mac bigots. Their editors are snide and anything but objective in their comments. Their underlying motivation is to FUD you into paying for their computer security courses. Big yawn. Nonetheless I find their newsletters to be very useful. I subscribe to NewsBites, @Risk and Ouch!

http://www.sans.org/newsletters/

That's it for this month.

Share and Enjoy! :-Derek