Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 05-19-2011, 09:07 AM   #1
kirant
Franchise Player
 
AppleCare Support Rep: Mac Malware getting worse

An interesting cross-section of the Mac fanbase, as argued from a support staff's perspective. Interesting first few comments he has:
Quote:
I can tell you for a fact, many, many people are falling for this attack. Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases. Many frustrated Mac users think their Mac is impervious to viruses and think this is a real warning from Apple. I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls.
Full article can be read here:
http://www.zdnet.com/blog/bott/an-ap...42?tag=nl.e539
Old 05-19-2011, 09:22 AM   #2
Hemi-Cuda
wins 10 internets
 

quite the catch 22. Apple fanboys have been trying to hype up the platform for years, espousing its "virus and headache free" nature. and now that Macs are finally gaining some popularity in the mainstream market, malware makers have a new audience to target, eliminating the one pro that caused many people to switch to Mac in the first place
Old 05-19-2011, 09:23 AM   #3
MrMastodonFarm
Lifetime Suspension
 

ha, that should knock down the smug a notch or two.
Old 05-19-2011, 09:32 AM   #4
kermitology
It's not easy being green!
 

But what's funny about this is that it's preying on people who don't understand the permission systems of OS X and those who have been trained that computers must always have virus protection.

Not being a fanboy, just making a comment.
__________________
Who is in charge of this product and why haven't they been fired yet?
Old 05-19-2011, 01:59 PM   #5
sclitheroe
#1 Goaltender
 

Quote:
Originally Posted by kermitology
But what's funny about this is that it's preying on people who don't understand the permission systems of OS X and those who have been trained that computers must always have virus protection.

Not being a fanboy, just making a comment.
OK, it's time to put this myth to rest - people who keep talking about permissions and how the Mac is different because users aren't root, etc, either haven't been told, or aren't telling the whole story.

Look up setuid on Wikipedia - these are binaries on Unix-based systems that run with the permissions of the file owner. It's a mechanism Unix systems use to allow non-privileged users to run privileged applications via root or another elevated account. Your Mac has several setuid applications, including third-party ones like Dropbox.

Last week, an exploit for Skype came out that allowed anyone to run an arbitrary command as your user account...this naturally includes setuid binaries.

So, if you found a buffer overflow in a setuid application, and could remotely trigger it in the security context of the non-privileged account being used at the time, you could very well, if not infect a machine, cause extensive damage.

Pwn2Own demonstrates every year that getting Safari to do your bidding remotely is trivially easy. The Skype vulnerability mentioned above was terrifying in this regard too. And I'm telling you right now that there are ways to elevate privilege levels from non-privileged accounts.


Still feel safe, Mac users? You shouldn't.
__________________
-Scott

Last edited by sclitheroe; 05-19-2011 at 07:54 PM.
Old 05-20-2011, 03:26 AM   #6
NiklasSundblad
Crash and Bang Winger
 

Quote:
Originally Posted by Hemi-Cuda
quite the catch 22. Apple fanboys have been trying to hype up the platform for years, espousing its "virus and headache free" nature. and now that Macs are finally gaining some popularity in the mainstream market, malware makers have a new audience to target, eliminating the one pro that caused many people to switch to Mac in the first place
Well that and for many years Apple's primary strategy for avoiding virus and malware attacks against their platform was being 1/10th as popular as the competition.
Old 05-20-2011, 08:07 AM   #7
llama64
First Line Centre
 

Anyone who follows even the barest security news knows how vulnerable OS X is.

I use both platforms, I don't use an anti-virus on either because I follow a few guidelines.
- don't use the system native browser (not hard, both IE and Safari are awful)
- keep personal documents on an external drive, accessible only when you need them
- don't download random crap from dubious sources (ie, torrents, pirated software, etc)

Been about 6 years since I last got infected by crap. The most insecure part of a computer system exists in front of the keyboard. There is almost no way to guard against human gullibility or stupidity.

Apple being crappy at support - is anyone actually surprised?
Old 05-20-2011, 08:40 AM   #8
FlameOn
Franchise Player
 

Apparently Apple is telling their employees to neither confirm nor deny there's a problem. On top of that they're telling their employees not to escalate the issue to any higher levels of support. So I guess Apple owners who get infected are SOL.
Quote:
Important:
  • Do not confirm or deny that any such software has been installed.
  • Do not attempt to remove or uninstall any malware software.
  • Do not send any escalations or contact Tier 2 for support about removing the software, or provide impact data.
  • Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.
http://www.zdnet.com/blog/bott/apple...e-malware/3362
Old 05-20-2011, 08:51 AM   #9
llama64
First Line Centre
 

Apple is losing out here... They have the opportunity to dominate the home market by offering direct support for malware removal and cementing a relationship with their customers in a way that Microsoft could only dream of.
Old 05-20-2011, 09:00 AM   #10
FlameOn
Franchise Player
 

Quote:
Originally Posted by llama64
Apple is losing out here... They have the opportunity to dominate the home market by offering direct support for malware removal and cementing a relationship with their customers in a way that Microsoft could only dream of.
You're right... but will Apple actually do it? I don't think direct support for malware removal would make sense for Apple from a business perspective, it'll cost huge amounts of money and staff for potentially nothing more than just customer loyalty (which does not always translate into increased sales). Unless top management is willing to invest heavily into this I don't think it'll happen. Like you said Apple isn't great for its support. So while Apple may build a great product, the aftercare, support and corporate arrogance will probably continue to put off a lot of people that have issues.

Microsoft isn't much better, but at least they admit there are problems and vulnerabilities that they try to fix (although do a crappy job of most of the time).

Last edited by FlameOn; 05-20-2011 at 09:06 AM.
Old 05-20-2011, 09:57 AM   #11
llama64
First Line Centre
 

With the Apple stores, Apple Care, and the Genius Bar, you'd think Apple is in a great position to lock up most of the home market. Just think about it - computer gets infected (or has issue), take it to the Genius Bar for service. The perfect excuse to upsell to a new product, indoctrinate their user base and generally cement loyalty.

But instead they will turn people away and treat them like garbage because they are afraid of the costs of malware removal.

My parents are willing to pay $200 to remove malware from their Dell laptops - Apple could make a crap ton off the support costs alone.
Old 05-20-2011, 05:35 PM   #12
Torture
Loves Teh Chat!
 

Not really surprising. Apple was really only safe before because they didn't have the same numbers that Windows did.

As they become more popular they're targeted more often.
Old 05-20-2011, 08:56 PM   #13
SebC
tromboner
 

I was always a bit surprised that there isn't more Mac malware. You'd think some hardcore PC fans or Microsoft or someone would be out there wanting to bring Apple down a notch or two.
Old 05-20-2011, 10:31 PM   #14
sclitheroe
#1 Goaltender
 

I'm not defending Apple here, but I'm surprised how big a deal people are making about the current directives in place around the genius bar staff and Apple telephone support. This current uptick in malware is a very recent event, and they are no doubt working to standardize their support response.

This particular malware is easy to remove, but when you have hundreds (thousands?) of support staff across hundreds of stores, you need to make sure your staff are doing maintenance that is reliable, 100% effective and comprehensive, and consistent from location to location. You can't have some "geniuses" being the malware gurus while others struggle to remove the same malware, at the same store or the one on the other side of town.

I bet Apple is working the issue on several fronts, including determining the extent to which AppleCare and the 1 year warranty support covers remediation, a consistent communication strategy for customers, and probably even in-house tools similar to Microsoft's MRT, which allow support staff to deal with the infection in an automated way.

This doesn't absolve Apple for not having these kinds of plans and strategies in place in advance, nor do I think it's 100% out of the realm of possibility that their support ends at the OS, and Apple will leave people dangling (their security and security management track record is not anything to brag about, despite the reputation) but I do think it's a little unreasonable to expect the company to be able to respond at the drop of a hat.

On another tangent, although I bet overall self-infection rates are probably quite low, I saw the popup for this malware for the first time ever today, via a poisoned Google image search for simple background textures I could use for an iPad wallpaper - it's clearly in the wild quite a bit more than the naysayers are claiming.

It's also interesting that ESET's Mac product picked up on it immediately. I tested running the payload on my wife's computer (heh...I had a SuperDuper image, not to worry), and ESET correctly identified and quarantined the payload, so at least we know that there are security products out there that are up to the task at this point in time.

I've been running ESET on my Macs for about 2 months now, mostly to ensure my MacBook, which I use at home and at work, is a good corporate citizen. It's a common theme actually at work - as an example, we'll debate the merits of installing antivirus/malware software on Linux servers, and we always come down to the same conclusion - it's too inexpensive, and too simple a step, and too beneficial from a policy and liability perspective, to not use the tools available.
__________________
-Scott
Old 05-20-2011, 11:07 PM   #15
Hack&Lube
Atomic Nerd
 

Quote:
Originally Posted by SebC
I was always a bit surprised that there isn't more Mac malware. You'd think some hardcore PC fans or Microsoft or someone would be out there wanting to bring Apple down a notch or two.
Mac OS is basically a shell over Unix which is pretty secure. It's not as easy for malware to get in without super user root access but as we can see here, it's doable. The higher the marketshare Mac has, the more it makes economic sense to start introducing more malware.
Old 05-20-2011, 11:30 PM   #16
sclitheroe
#1 Goaltender
 

Quote:
Originally Posted by Hack&Lube
Mac OS is basically a shell over Unix which is pretty secure. It's not as easy for malware to get in without super user root access but as we can see here, it's doable. The higher the marketshare Mac has, the more it makes economic sense to start introducing more malware.
Except that it's not as secure as you'd think. There are third party, as well as native pieces, that run processes setuid. There are root level vectors exposed in non-admin accounts, mostly out of convenience (whether they could be rewritten to run in unix jails or other sandbox tech and still be useful, I don't know)

Dropbox is a great example - it has setuid components and either interfaces or actually injects kernel code. VMware and Parallels do the same, as do numerous audio and miscellaneous system utils. All of these expose APIs and interfaces to root privileged code.

It also seems to me that there are lots of ways for rogue code to hide in user space where passwords and such can be stolen - not all code needs to run as root, if it's only targeting end user data and activity. Look at all the Finder hacks, for example, that inject themselves into user space apps. That's not even beginning to touch on the fact that nearly any end-user installed app can be opened up, and various executable code resources can be replaced. Right click on any app bundle and do a show package contents - all the internals are right there.

Finally, the Finder itself hides and obfuscates the true filesystem layout. It would be difficult for a casual user who's never used the terminal to even find where rogue code could be hiding on their system.
__________________
-Scott
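
Posts #5 and #16 above both point at setuid binaries, including third-party ones, as privileged code reachable from a normal account. As an added example (not part of the thread or any poster's code), this Python sketch inventories setuid/setgid files under a directory and flags the ones a defender would review first; the system-prefix list and the sample files are assumptions constructed for the demo.

```python
import os
import stat
import tempfile

# Assumption: locations where OS-shipped setuid binaries are expected to live.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/libexec/", "/System/")


def audit_setid(root, system_prefixes=SYSTEM_PREFIXES):
    """Return one finding per regular file under root with setuid or setgid set."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # vanished or unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = [label for label, mask in (("setuid", stat.S_ISUID),
                                              ("setgid", stat.S_ISGID))
                    if st.st_mode & mask]
            if not bits:
                continue
            reasons = []
            if not path.startswith(system_prefixes):
                reasons.append("outside system directories")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("writable by group or others")
            findings.append({
                "path": path,
                "bits": bits,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "runs_as_root": "setuid" in bits and st.st_uid == 0,
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed demo input: three files in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    for name, mode in (("plain", 0o755), ("helper", 0o4755), ("updater", 0o4775)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after writing, since a write clears setuid
    return root


if __name__ == "__main__":
    for f in audit_setid(build_sample_tree()):
        print(f["mode"], ",".join(f["bits"]), f["path"], "|", "; ".join(f["reasons"]))
```

Pointed at a real tree such as `/` or `/Applications` with enough privilege to read every directory, the output is most useful when compared against a baseline taken from a clean install.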
Old 05-20-2011, 11:48 PM   #17
Hemi-Cuda
wins 10 internets
 

Quote:
Originally Posted by Hack&Lube
Mac OS is basically a shell over Unix which is pretty secure. It's not as easy for malware to get in without super user root access but as we can see here, it's doable. The higher the marketshare Mac has, the more it makes economic sense to start introducing more malware.
i'd argue that with Windows 7 and the User Account Control center, they may be just as secure as a base Unix build such as MacOS. from all the Windows 7 installations i've rolled out at work, home, and for family, not once have i run into a malware infection. we still deal with a ton of Windows XP malware infections at work though, but we've been rolling out 7 more and more and it seems quite secure even with the mouth breathers that use it

and if the rumors are true about making Windows 8 run everything in a virtualization layer, it would easily take the crown of most secure OS away from Unix
Old 05-21-2011, 06:23 AM   #18
sclitheroe
#1 Goaltender
 

Regardless of OS, the social engineering possibilities make it fairly easy to get the root password. If a malicious app dropped a look-alike version of the Software Update app, and had it pop up with the same icon, same interface, etc, identifying an update, I bet 80% or more of Mac users would go through the same old routine of hitting update, entering their password, and away you go....

And really, who is to blame? How can you tell that the Software Update app, when it randomly pops up (assuming you have your mac configured to automatically check for updates) is legit? There's nothing to distinguish it from any other app on the system.
__________________
-Scott
Old 05-22-2011, 09:26 AM   #19
nik-
Franchise Player
 

Quote:
Originally Posted by llama64
With the Apple stores, Apple Care, and the Genius Bar, you'd think Apple is in a great position to lock up most of the home market. Just think about it - computer gets infected (or has issue), take it to the Genius Bar for service. The perfect excuse to upsell to a new product, indoctrinate their user base and generally cement loyalty.

But instead they will turn people away and treat them like garbage because they are afraid of the costs of malware removal.

My parents are willing to pay $200 to remove malware from their Dell laptops - Apple could make a crap ton off the support costs alone.
Yes, but Apple has allowed the myth of immunity to viruses and malware to propagate as a selling feature to their product. Do they now turn around and try to make money on this service and thus completely shatter that myth or do they prefer to hook people into buying their product thinking they will never have to deal with the software issues they did on an MS product?
Old 05-22-2011, 09:45 AM   #20
CaramonLS
Retired
 

Quote:
Originally Posted by llama64

My parents are willing to pay $200 to remove malware from their Dell laptops - Apple could make a crap ton off the support costs alone.
I've always found this astounding. My parents were in the process of dropping off their computer for $200 to get some virus removed - something fixed after downloading a couple of anti-mal progs and running Trend Micro.

The markup on this is just plain silly.