The end of innocence for Mac users

Great BBC column by Bill Thompson on the first Mac trojan.

The first serious threat to Mac users has been observed “in the wild”.

It’s a Trojan Horse, a piece of code that pretends to do one thing but actually compromises your computer.

This one spreads through online video sites, taking advantage of the fact that there are many different ways to display video, each requiring slightly different software to encode and decode moving images.

That puts my son right in the middle of the vulnerable population because he likes to watch video clips via sites like YouTube and Flixster.

Although Quicktime, the Apple media player that comes bundles with every Mac, makes a good shot of dealing with most common formats, if it can’t figure out what to do with a particular file type it can go online to find the right “codec”.

The Trojan sits behind an online video and when you try to play it you get a message from Quicktime telling you to get a new codec, and if you follow the link you’ll be sent to a site that hosts the malicious software.

Click “ok” and enter your systems adminstrator’s password and it will be installed on your computer with full system access after which you are, to use the jargon, “pwned”, or scuppered.

And you don’t even get to see the video you were after.

At the moment the fake codec is being spread via porn sites, but it will quickly spread to more mainstream sites, and that’s when it will get dangerous and could affect a lot of Mac users who believe that they don’t need to worry about system security…

Richard Earney emails:

It’s unfortunate, because this Trojan is an actual attempt by Ukrainian criminals to hijack Macs, but it’s not exploiting any sort of security hole in any version of Mac OS X. To get hit by it, you must (a) be the sort of moron who downloads “video codecs” from porno sites; (b) mount the disk image and launch the installer; and (c) grant the installer administrator privileges to install whatever it wants, wherever it wants on your system. No system can prevent that.

If anything, the fact that you have to manually install the software and supply your administrator password is a sign that Mac OS X security works.

Hmmm…. I’ve just looked at Safari Preferences, which has a check-box for “Open ‘safe’ files after downloading” which some users might leave checked in their innocence.

Later: Charles Arthur emailed to point out that ” it’s not strictly the first; but it does seem to be the first *commercial* one, where the professional malware writers have gotten into the game”.

In millions of Windows, the perfect Storm is gathering | Business | The Observer

This morning’s Observer column

Storm has been spreading steadily since last January, gradually constructing a huge botnet. It affects only computers running Microsoft Windows, but that means that more than 90 per cent of the world’s PCs are vulnerable. Nobody knows how big the Storm botnet has become, but reputable security professionals cite estimates of between one million and 50 million computers worldwide. To date, the botnet has been used only intermittently, which is disquieting: what it means is that someone, somewhere, is quietly building a doomsday machine that can be rented out to the highest bidder, or used for purposes that we cannot yet predict…

The Storm ‘worm’

Bruce Schneier has a sobering briefing on what he calls “the future of malware”.

Although it’s most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example we have of a new breed of worm, and I’ve seen estimates that between 1 million and 50 million computers have been infected worldwide.

Old-style worms — Sasser, Slammer, Nimda — were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins, and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.

Worms like Storm are written by hackers looking for profit, and they’re different. These worms spread more subtly, without making noise. Symptoms don’t appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

Storm represents the future of malware. Let’s look at its behavior:

1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.

2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.

3. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.

4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way…

There’s more, and none of it is pretty.

Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can’t imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn’t work in any case: Storm’s creators could easily design another worm — and we know that users can’t keep themselves from clicking on enticing attachments and links.

Redesigning the Microsoft Windows operating system would work, but that’s ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it’s a really bad idea in real life. We simply don’t know how to stop Storm, except to find the people controlling it and arrest them.

This is the other side of the end-to-end coin.

The new malware

The Storm Worm has since continued unabated, most recently in the form of Web-based attacks. E-mails, socially engineered to look like electronic greeting cards and linked to a Web site containing malware, completely avoided traditional e-mail antivirus gateways. The Storm Worm’s course change to the Web reflects a growing trend of malware Web-based attacks launched through e-mail.

The simple logic behind these e-mail-based blended threats is astoundingly effective: no attachment means no antivirus block. And when combined with a user-friendly invitation, it creates the opportunity for a high infection rate.

Blended threats easily lead people to Web sites where malware gets downloaded–often without user interaction or knowledge. The industry is just now realizing the severity of the problem,

Researchers at Google recently published a paper concluding that approximately 10 percent of reviewed URLs contained “drive-by downloads” of malware binaries (PDF) and many more that were flagged as suspicious.

[Source]

Economist: cyberwar reassessed

Good piece pondering the implications of the assault on Estonia.

Even at their crudest, the assaults broke new ground. For the first time, a state faced a frontal, anonymous attack that swamped the websites of banks, ministries, newspapers and broadcasters; that hobbled Estonia’s efforts to make its case abroad. Previous bouts of cyberwarfare have been far more limited by comparison: probing another country’s internet defences, rather as a reconnaissance plane tests air defences.

At full tilt, the onslaught on Estonia was also of a sophistication not seen before, with tactics shifting as weaknesses emerged. “Particular ‘ports’ of particular mission-critical computers in, for example, the telephone exchanges were targeted. Packet ‘bombs’ of hundreds of megabytes in size would be sent first to one address, then another,” says Linnar Viik, Estonia’s top internet guru. Such efforts exceed the skills of individual activists or even organised crime; they require the co-operation of a state and a large telecoms firm, he says. The effects could have been life-threatening. The emergency number used to call ambulances and the fire service was out of action for more than an hour.

For many countries, the events of the past weeks have been a loud wake-up call. Estonia, one of the most wired nations in Europe, actually survived pretty well. Other countries would have fared worse, NATO specialists reckon…

IMHO, this is a really big deal. I can’t understand why governments appear to be paying so little attention to it. And I’m astonished that it has taken so long for an attack to materialise. Years ago I wrote that Saddam Hussein should stop wasting his efforts on WMD and hire some hackers instead. I guess he didn’t read the Observer. Just as well, maybe.

What the attacks on Estonia have taught us about online combat

Good piece in Slate by Cyrus Farivar…

The Estonia case also shows how easy it is to cause massive panic on a shoestring budget. All you need to deploy a cyberattack is some malicious software, a bunch of zombie computers distributed around the world, and an Internet connection. Sure, you may need to pay for a “professional-grade” botnet—a network of computers that have been surreptitiously infected to run nefarious software. But surely that costs orders of magnitude less than the price of heavy artillery, battleships, and nuclear submarines.

Perhaps the most telling lesson here is how difficult it is to catch the perpetrators of online terrorism. Covering one’s fingerprints and footprints online is relatively simple, compared with getting rid of physical evidence. IP addresses can be spoofed, and an attack that appears to come from one place may actually originate somewhere else. As such, the Kremlin (or anyone else) can plausibly deny that they had anything to do with the attacks, even if the Estonians’ server logs show that the attacks first originated from Moscow. If the Russians don’t want to hand over data or documents—or even pick up the phone, for that matter—there’s not much that Estonia, or anyone else, can do to figure out the real story…

Spam still increasing, but users are less bothered by it

That just about sums up the latest Pew survey.

The volume of spam is growing in Americans’ personal and workplace email accounts, but email users are less bothered by it.

Spam continues to plague the internet as more Americans than ever say they are getting more spam than in the past. But while American internet users report increasing volumes of spam, they also indicate that they are less bothered by it than before. Users have become more sophisticated about dealing with spam; fully 71% of email users use filters offered by their email provider or employer to block spam. Users also report less exposure to pornographic spam, which to many people is the most offensive type of unsolicited email. Spam has not become a significant deterrent to the use of email, as some observers speculated it might when unsolicited email first began flooding users’ inboxes
several years ago. But it continues to degrade the integrity of email. Some 55% of email users say they have lost trust in email because of spam.

Full report here.

The dark side

BBC NEWS | Technology | Google searches web’s dark side

One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user’s PC.

Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to “in-depth analysis”.

About 450,000 were capable of launching so-called “drive-by downloads”, sites that install malicious code, such as spyware, without a user’s knowledge.

A further 700,000 pages were thought to contain code that could compromise a user’s computer, the team report.