On 28 May 2011, at 10:14, Michael Brian Bentley <[email protected]> wrote:

>> I would think and do:.../
>>
>> Just press OK or Cancel and take it from there. This crap is aimed at Windows and it even says 'PC'. The stuff is likely a scam to fool some to cash up for some scam anti malware bogus. Since it is harmless to OS X if it is what I think it is, you can study it in any way you find interesting but never ever give away your admin password in a session like this. I'm sure you know this but I had to say it anyway.
>>
>> /... But you might not?
>>
>> It is all an estimation of how likely something can be and what are the stakes? I would guess highly unlikely to do any harm on an OS X machine. Most likely a Win then you lose thing. Some social engineering behind it and a few out of many Win users might cash up?
>>
>> // John Stalberg
>
> The thing it downloads does run on Mac OS X. This particular one may be a variant of the original that does not need your password to install.
>
> It does appear to nevertheless require the installer.
>
> It installs a program that runs all the time and slows your machine. You can kill the app and delete it; the current version installs in /Applications.
>
> There's apparently a switch in Safari that shouldn't be turned on, something like "Run safe apps" or "open safe downloads" or some such in the Prefs. A mere shade of IE, but nevertheless...
>
> The problem starts when someone's web site has been poisoned with additional script that sends junk to your browser, which then insists that your whole machine is having an epileptic seizure and requires immediate attention. I'm sure we'll get all sorts of variations by next week.
>
> -m

Ok, so I would be wrong about its target. Let's say I did click OK and it started a download. I have the auto open downloads off in any browser I run on my system.
I actually don't use Safari that much, a bit because my browser of choice, OmniWeb, lets me set JavaScript, Java applets and any other relevant stuff on a per site basis. This lets me strip the global security level and turn on what is needed on any individual site. One can do the opposite and have the globals set to allow the stuff and lower it per site, but it is not as safe as the former, yet it is safer than Safari with no extensions since Safari only supports global preferences.

Anyway, Safari is used and when the download starts it throws the download panel in my face as expected (I always set browsers to do this), but let's say it is a tiny bit of malware, or if bigger it is on a fast connection and I just don't respond quickly enough and hit the stop button too late. Then I have a new citizen in my ~/Downloads.

It is about here I don't understand what is reported. I have the auto open on for the sake of this hypothesis, or I execute open (double click) and it copies its parts to /Applications (let's say I'm logged in as the default admin account, which happens every now and then when doing admin stuff, but let's say I forget who I am for the moment and surf to a prepared site) but use the installer. The installer is typically used when the ordinary application bundle copy to /Applications (or any other place that admin has write access to) isn't enough. It is used to spread files to root-writable places, but if that's the case you would be halted to switch privileges for the moment and your admin creds let you use super user jedi forces for the moment. However, as I said, I never let my jedi force be real if I'm not the one who consciously started the task at hand. And I strongly recommend anyone follow this rule. I'm so hard headed on this I'm not even gonna do it in this hypothesis.

So now what? The installer could have spread files to every and anywhere that admin can write to. That could surely be inconvenient. Use your fantasy and it is clear this would need a moment of cleaning. Preferably with a search for the latest of the greatest malware files on your host, but on the other hand, it is soon gone and we can go back to where we were. As a matter of fact, the installer isn't needed here as the bundle itself can with the executable spread its crap in the same way (we have a non super user doing the installer task). I don't mean to underestimate the burden of this stuff, but I don't see how the installer fits the unattended attack vector. Is the installer scripted? And why? Is the malware doing anything that compromises the machine in any more severe way? What is the process doing? Any traffic to remote locations?

Anyone, is there a clear description that also looks to be correct in terms of how the operating system is done? One can't forget the built in BSD security paradigm since that is what the attacker has to deal with. A proof of concept would be great, just be clear it is malware. I believe we have heard about disasters just too many times now which in the end always need the admin password. As has been said many times before, no one can protect the system from a user with sys_admin powers. The system isn't built that way.

// John Stalberg
_______________________________________________
MacOSX-talk mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-talk
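The thread's central question is how far an installer can reach when it runs as a logged-in admin but is never given the password. The example below is added here to illustrate that point; it is not code from the thread or from any of its participants. It models the classic Unix discretionary write check (the "built in BSD security paradigm" John refers to) and applies it to a constructed table of directory owners and modes. The user names alice and bob, the numeric ids and the exact permission bits are assumptions chosen to resemble a 2011-era Mac OS X install, not measurements from a real system; ACLs and later protections such as System Integrity Protection are deliberately left out.

```python
import stat
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class DirEntry:
    """Owner, group and permission bits of one directory (values constructed)."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o775


def can_write(entry: DirEntry, uid: int, gids: Set[int]) -> bool:
    """Classic Unix discretionary write check, as the kernel applies it to a
    process with effective uid `uid` and supplementary group set `gids`.

    Exactly one class of bits is consulted: the owner bits if the uid matches,
    otherwise the group bits if the directory's group is among the process's
    groups, otherwise the 'other' bits. Root (uid 0) bypasses the check.
    ACLs and System Integrity Protection are not modelled here.
    """
    if uid == 0:
        return True
    if uid == entry.uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def writable_targets(entries: Iterable[DirEntry], uid: int, gids: Set[int]) -> List[str]:
    """Directories an installer running as this user could drop files into
    without ever triggering an authentication prompt."""
    return [e.path for e in entries if can_write(e, uid, gids)]


# Constructed sample tree: assumed typical ownership of a few directories on a
# 2011-era Mac OS X system. Group ids follow the usual convention
# (wheel=0, staff=20, admin=80, first created user=501); the exact modes are
# assumptions for illustration, not a reference.
WHEEL, STAFF, ADMIN = 0, 20, 80
SAMPLE_TREE = [
    DirEntry("/Applications", 0, ADMIN, 0o775),           # root:admin, group-writable
    DirEntry("/Library", 0, ADMIN, 0o775),                # root:admin, group-writable
    DirEntry("/Library/LaunchDaemons", 0, WHEEL, 0o755),  # root:wheel, root only
    DirEntry("/System/Library", 0, WHEEL, 0o755),         # root:wheel, root only
    DirEntry("/usr/bin", 0, WHEEL, 0o755),                # root:wheel, root only
    DirEntry("/Users/alice/Library", 501, STAFF, 0o700),  # alice's own home
    DirEntry("/Users/bob/Library", 502, STAFF, 0o700),    # bob's own home
]

# Two hypothetical accounts: alice is an admin (member of group 80),
# bob is a standard user (staff only).
ALICE = (501, {STAFF, ADMIN})
BOB = (502, {STAFF})


if __name__ == "__main__":
    for name, (uid, gids) in (("alice (admin)", ALICE), ("bob (standard)", BOB)):
        print(f"{name} can write without a password to:")
        for path in writable_targets(SAMPLE_TREE, uid, gids):
            print("   ", path)
```

Running it shows the asymmetry the thread is arguing about: the admin account reaches /Applications and /Library (enough to plant a bundle that "runs all the time"), but not /Library/LaunchDaemons, /System/Library or /usr/bin, which is why those require the password prompt. The standard user reaches only their own home. Cleaning up after an unattended install therefore means searching exactly the group-writable and home locations this check returns for the admin case.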
