
Time to go Anti-viral?

Started by Dan Millar, January 25, 2009, 01:25:03 PM


Dan Millar

I hate to say I told you so, but it's time for Mac owners to start seriously considering an anti-virus product.

I know NONE of you have downloaded the infected iWork 09 demo (www.intego.com/news/ism0901.asp) that is out there on the P2P networks, but this appears to be the first full-on attempt to infect Macs, and so far 20-30,000 Macs have been affected. Well, good on them - you shouldn't download pirated software.

The main reason PCs are so often affected, I would hazard to guess, is because of the plethora of downloaded pirate software for that platform. It's an unfortunate, unspoken and under-reported aspect of the PC culture. So much software on PCs is illegitimate, it's embarrassing to talk about. Mac users/licenses still make up half of Adobe's sales - even though when you look at the user stats, there are three to four times as many Windows users! (?). We all know and can point to instances of this behaviour. Mac users are much more likely to purchase their software, but now, with so many switchers, the culture is changing.

The current "head in the sand" stance Apple has adopted is not helping. Most Macs are completely unprotected, which makes them that much more vulnerable. Macs are not "immune" to viruses.

There are now more alternatives for Mac AV than ever before, but as with PC anti-malware, often the cure is worse than the disease. I haven't reviewed the latest crop of Mac AV software - AVAST, MacScan or iAntiVirus, but I have tested and reviewed all the others (see www.eskimo.com/~pristine/virus.html for a complete list), and I still recommend Intego above all other commercial products. However, the venerable ClamXav is still my favourite - not pretty, but it does the job with less fuss or bother than any other, is now very fast - and it's FREE!!!

As someone once said - if not now, when? If not you, who?

Happy virus-free Mac'ing!

Dan

z-mac

Quote
I hate to say I told you so, but it's time for Mac owners to start seriously considering an anti-virus product.

I know NONE of you have downloaded the infected iWork 09 demo (www.intego.com/news/ism0901.asp) that is out there on the P2P networks, but this appears to be the first full-on attempt to infect Macs, and so far 20-30,000 Macs have been affected. Well, good on them - you shouldn't download pirated software.

"Good on them" -- no, what the infecters are doing is not right, and not everyone "deserves" the result.

It's a good idea to warn people of such dangers. A firewall, Little Snitch, and anti-virus software will all help Mac users monitor a computer. I second the vote for the Clam.

However, once evil software gains root access (as it does when installing), it's all over for a user's security. Downloads are one source of danger. There have been cases of respectable businesses (Sony, Asus) distributing malware unwittingly on legitimate product media. Trust nothing. Save your data on non-volatile media and think of your computer as expendable. Hard disks are cheap -- but your data is your time and work.

People must not just have tools, they must have education and safe computing habits.

Google and Yahoo mail services scan attachments for their users. It's a good idea to use such a mail service as your first line of defence against virus-bearing attachments.

Install software from trusted sources. If you are going to experiment with something, use a virtual machine. I would personally recommend that people avoid Microsoft products. Demand PDFs or a safe interchange format such as XML, not source-formats such as MS Excel and MS Word. If you must use MS products, run them in a virtual machine, too.

Dan Millar

As you may have noticed, computer security, or the lack thereof, is one of my pet peeves. I must say off the top that I am biased on this subject. Having been by turn a musician, a programmer, a graphic artist and a writer, I tend to see the issue only from the point of view of the producer and not the consumer.

I don't think I said anyone "deserves" to get infected, and what I meant by "good on them" is that this brings a very important issue into the daylight - the complete lack of the very habits you are talking about in the Mac environment. Having said that - downloading what you know to be pirate software is not right. Cracking software is not right. Stealing someone else's property is not right. Putting a trojan inside what is already illegal software is not right... but is it wrong?

Quote
"I bought this Rolex for $50 on eBay. It stopped working, and when I took it in for repair - they said it was a fake!"

Do we have any sympathy for this boob? Why is it any different on the internet?

In fact, while making the pirate software available is, in itself, illegal, it is only one side of the equation - until someone, motivated by greed and the promise of something-for-nothing, downloads it and installs it, it is harmless.

The malware in question relies on the user to install it with admin permissions before it can begin doing damage, i.e. it is a trojan. However, most AV products would warn you that the package is infected before you could install it. ClamXav does just that when presented with the pirated/altered iWork '09/CS4 Photoshop.dmg file. I would bet a lot of those 30,000 people would have been completely UNaffected had they been using any kind of AV product.

Firewalls and things like Little Snitch are great, but far from user-friendly. They require a good deal of knowledge on the part of the user, more than most are willing to learn. In fact, Little Snitch is one of the tools most often used by app-hackers for circumventing the "phone-home" features software makers use to verify their software.

The basic security built into most home routers and computer firewalls is adequate, and with the addition of a good AV program and SAFE SURFING HABITS, you should be quite safe using a Mac on the internet. So, here are three good rules to remember:

  • Watch where you surf. By sticking with safe, well-known websites, you will be less likely to visit a site that will attempt to infect you.
  • Watch what you download. Download files only from trusted sources and safe sites.
  • Use the security features in OS X. Turn on the built-in Firewall, and consider security software, especially when a computer is shared by multiple users.

Source: www.SecureMac.com

Sorry for the rant, but this IS my pet peeve, still...

Happy Mac'ing!

Dan

z-mac

Quote from: Dan Millar on February 01, 2009, 05:57:57 PM
As you may have noticed, computer security, or the lack thereof, is one of my pet peeves. I must say off the top that I am biased on this subject. Having been by turn a musician, a programmer, a graphic artist and a writer, I tend to see the issue only from the point of view of the producer and not the consumer.

You and I have a similar professional history. (Or, as my dear old father used to say, "Can't you hold down a job?!") I sincerely hope that you have been more successful than I. (o:

Quote
downloading what you know to be pirate software is not right. Cracking software is not right. Stealing someone else's property is not right. Putting a trojan inside what is already illegal software is not right... but is it wrong?

Stealing isn't right. And trojans aren't right. If a thing isn't right, isn't it wrong? Or is it a grey area?

Say, aren't you the chap who likes what Psystar is doing? (o:

Quote
"I bought this Rolex for $50 on eBay. It stopped working, and when I took it in for repair - they said it was a fake!"

Do we have any sympathy for this boob? Why is it any different on the internet?

I might indeed have sympathy for someone in this situation.

Quote
Firewalls and things like Little Snitch are great, but far from user-friendly. They require a good deal of knowledge on the part of the user, more than most are willing to learn. In fact, Little Snitch is one of the tools most often used by app-hackers for circumventing the "phone-home" features software makers use to verify their software.

Little Snitch is a legitimate tool. A user may have a legitimate reason for using it. I myself do not like software that calls out without my permission... especially if it delivers private information. I buy all my software, by the way.

Quote

  • Watch where you surf. By sticking with safe, well-known websites, you will be less likely to visit a site that will attempt to infect you.
  • Watch what you download. Download files only from trusted sources and safe sites.
  • Use the security features in OS X. Turn on the built-in Firewall, and consider security software, especially when a computer is shared by multiple users.

If you don't add "Learn!" to your list, it is as incomplete as telling people to never shop at EBay.

Quote
Sorry for the rant, but this IS my pet peeve, still...

Keeps the site interesting. (o:

Dan Millar

Yes, that's me, I am the chap who likes what Psystar is doing. I don't like what they are doing in particular - I think EFI-X (www.efi-x.com) is doing what Psystar is trying to do the right way. Psystar is breaking the law on purpose. They believe they can win this in a court of law - I wish them luck. I must say I am impressed by their audacity. However, neither of these bushwhackers ask you to steal a copy of Leopard, you must still pay for it, at least in the case of Psystar.

I have no such affections for the scum who write and distribute malware. I have no such affections for those who steal software either. How can you have sympathy for the boob who buys a Rolex for $50 and gets stung? Western law has given us the concept of "buyer beware", caveat emptor if you prefer. I'd love to see what Judge Judy would have to say to our boob, I know what she'd say to Psystar...

And, I admit, education is the best prevention against this threat. However - look at the Windows world. Are you saying the problem is that they are a bunch of ignorant boobs, that the reason malware is so prevalent in that world is because they just haven't bothered to learn a few simple rules? Or, is it because they have an incomplete understanding of TCP/IP, system software, routers, firewalls, etc.? The average computer user does not need this knowledge, or want it. Hell, I wish I didn't need to know it!

I did leave a link to what I believe is the best source of info on Mac security issues - SecureMac. I think people just have to be aware of the threat, and take appropriate measures to protect themselves - you can't ask for much more than that from your average user.

I'd also like to point out an error in my previous post. Last time I checked, Clam does not yet detect the iWorkService trojan, but several other AV products do, see the list here:

www.virustotal.com/analisis/4a1caa7b25e9a5ca65ff3f8132a76059

I notice Intego is not listed, but they are the "discoverers" (read "possible source") of this trojan. Whatever, AV software makers don't give Trojans much priority as they are not viral, i.e. don't spread without the user's permission - viruses get much higher priority.

I am old enough to remember when Macs did get viruses, and it wasn't fun. However, a few simple rules and a piece of software called Disinfectant kept all my Macs clean, even the ones I used for virus detection and removal at highly infected sites.

Back then, the vectors (the agents by which a virus is transmitted) were floppy disks, not the internet. I had an entire building "locked down" in quarantine while we went through every floppy disk in the building removing the NVIR virus that was causing the infection. There was no internet, but all the Macs were connected to an internal network, and within ten seconds of the insertion of an infected disk, the entire network could be re-infected. After that incident, employees were required to bring ANY floppy disk from outside to an isolated "washing machine" Mac that would clean and scrub the disk before being used on the network. NVIR never came back for them, but still ran rampant in many places. This only really stopped with the switch to OS X.

I highly recommend anyone who is interested to find out more about the different kinds of malware and their characteristics. I also highly recommend users learn more about the tools at hand - most ADSL modems/routers now have excellent SPI (stateful packet inspection - a highly secure doorstop) firewalls (well, my Linksys does anyway) - and the software is, well, approachable. The Mac's internal firewalls are also not too difficult to learn, and work the same way, almost.

Still, to tell the average user they must learn this is, well, a bit much to ask. Not to mention the old adage, "a little knowledge is a dangerous thing". Awareness, acknowledging there is a threat, following a few basic rules and using the right security tools will get most people out of danger's way.

None of this works if you wait until the boat is under water before yelling for help.

Happy Mac'ing

Dan

Dan Millar

Just thought that, in the spirit of this thread, I would add some more links. Here's a good rundown of the security techniques built-in to Leopard:

http://images.apple.com/macosx/pdf/MacOSX_Leopard_Security_TB.pdf

And here's a very rational discussion of many security-related issues as they relate to the Mac:

http://www.securemac.com/macosxsecurity.php

Quote
"A little learning is a dangerous thing; drink deep, or taste not the Pierian spring: there shallow draughts intoxicate the brain, and drinking largely sobers us again."
Alexander Pope

Happy Mac'ing

Dan

z-mac

Quote
Psystar is breaking the law on purpose. They believe they can win this in a court of law - I wish them luck. I must say I am impressed by their audacity. However, neither of these bushwhackers ask you to steal a copy of Leopard, you must still pay for it, at least in the case of Psystar.

And Psystar is doing its utmost to ensure that the user's OS X is not pirated? If not, the bushwhackers impressing you with their chutzpah are abetting criminals.

Quote
How can you have sympathy for the boob who buys a Rolex for $50 and gets stung? Western law has given us the concept of "buyer beware", caveat emptor if you prefer. I'd love to see what Judge Judy would have to say to our boob, I know what she'd say to Psystar...

Maybe he wasn't very smart, but his intentions were good. How far will you go in this thinking? Is there no sympathy for the "boob" who is dying of lung cancer because he smoked before the health research and warnings were common? No sympathy for people who died in unsafe cars but thought they got a good price? No sympathy for the old folks who get swindled by Nigerian e-mail scams? No sympathy for people who buy food that is in fact bad for them and their children? No sympathy for the consumer raised in your Caveat Sucker world who has been conditioned to look for the Deal and the Sale, to buy lottery tickets, and to throw away and replace what he might have easily fixed? I have sympathy for people who didn't know better and weren't shown better. If all we can say is that suckers deserve what they get, then it's a world full of suckers and the people whom you call scum are just doing what comes naturally. So yes, I sympathize. 

Quote
And, I admit, education is the best prevention against this threat. However - look at the Windows world. Are you saying the problem is that they are a bunch of ignorant boobs, that the reason malware is so prevalent in that world is because they just haven't bothered to learn a few simple rules?

It's part that they haven't learned what the risks were, and part that Microsoft is inept. The big botnets are being built on Windows boxes, after all. I've always felt that Windows is "unsafe at Internet speed", to paraphrase Nader. Events continue to support my thesis.

Quote
Awareness, acknowledging there is a threat, following a few basic rules and using the right security tools will get most people out of danger's way.

Where Awareness=Education, agreed. There is also the matter of Privacy.

Dan Millar

Psystar only lets you buy an Open System with Leopard pre-installed, so, yes, Psystar is doing its utmost. You can't do it yourself, if you could, you would just build a Hackintosh. EFI-X, on the other hand, only sells you their "device", how you get Leopard is up to you.

Quote
How far will you go in this thinking?

Your examples are ... a little exaggerated, and I think your attack is getting personal. What's your beef? I was pretty specific, the Rolex boob thought he was getting something for nothing. How are his intentions "good"? People downloading software off of torrents that they know is illegal are doing the same thing. Feeding kids bad food? Buying an unsafe car? Cancer? Every case you mention has a legal remedy - as they should. Come on, let's not turn this into something it isn't.

Are you trying to say the people d'loading all this stuff don't know what they are doing is illegal, or that they have been swindled into doing it, that they don't know it is probably bad for them, that the lack of a warning excuses them somehow? Because that's what I'm reading in your attempt to equate stealing software/counterfeiting products with dying from cancer, Nigerian gangsters, unsafe vehicles and bad nutrition?

Do you think, seriously, that people are "conditioned" to behave like morons? How did you escape this?

Take a deep breath, build a bridge, and get over it - stealing software is wrong, if you steal a car, and it is one of those cheap unsafe cars and it crashes - you think the thief should get our sympathy? Just answer that question so I know where you are coming from.

Happy Mac'ing

Dan

z-mac

Certainly nothing personal.

A thief who steals a car deserves to be caught and punished. He doesn't deserve to be mutilated. I'm sure we could add still more ethical subtlety to your example.

I'm concerned about privacy and rights. I have said that I buy my software. It appears that I buy some software that you don't like (Little Snitch). I highly recommend Little Snitch to people who are concerned about security and privacy. One reason for this is that I do not entirely trust the anti-virus industry. Another reason is that I don't entirely trust the companies that make OS X and Windows.

For advanced users, I recommend learning how to use OS X's firewall. MS Windows Vista (which you may not know) has an *outbound* firewall. It's the same idea as Little Snitch, but less well implemented.

I've said that stealing is wrong. Read above: "Stealing isn't right. And trojans aren't right. If a thing isn't right, isn't it wrong?"

There are many kinds of wrong. Theft, intent to injure, faulty or lethal products knowingly sold to people. I sympathize with the victims. That was my point. How far will you take your Caveat Emptor?

Originally, you said your "Rolex Boob" paid money for his watch. Now you say he's getting something for nothing. For me, *if* he was genuinely looking for a good deal, he's like a billion other people. He's not knowledgeable about what he's doing, but I don't agree that he is contemptible. Unless you make it clear that his motives are bad and that they are somehow different from the motives of every consumer in Capitalism.

BitTorrent is a legal, clever file-sharing protocol. Not all BitTorrents are illegal. People may do illegal things with it, but I think "trusted" sources are also a significant danger. Not so long ago, Apple itself infected the computers of some iPod customers with a virus.

For the sake of debate, I see something paradoxical in your public opinions. Psystar's fate will be decided in court. Apple evidently believes Psystar is in the wrong. You don't.

EFI-X, as you describe the company, is enabling crackers and pirates. Do you believe they don't know that it is as easy to find a copy of OS X as it is to download Ubuntu? If they know it, shouldn't you be censuring EFI-X instead of praising them?

GNV

This doesn't seem to work. I'm interested in reading what you recommend for us.

http://images.apple.com/macosx/pdf/MacOSX_Leopard_Security_TB.pdf

Thanks

z-mac

From the document: "A new application-based firewall makes it easier for nonexperts to get the benefits of firewall protection. The new firewall allows or blocks incoming connections on a per-application basis rather than on a per-port basis."

This is only for "incoming" or "inbound" connections.

Noodling with Apache's configuration is not for non-technical users. The OS X product Little Snitch will monitor *outbound* connections.

The traditional virus just tries to destroy your data. The goal of modern viruses is lucrative: their creators want to gain remote control of your computer. To do this, these viral applications need to make an outside call. An outbound detection tool enables you to monitor whether the applications on your computer that are trying to communicate with the outside world are doing so with your permission.

Dan Millar

First, to GNV, the link in your reply works for me, and the result should be a PDF file. Can you read other PDFs? Right-click or control-click on your link and ask to "Download linked file", you should end up with a PDF file in your downloads area called: MacOSX_Leopard_Security_TB.pdf, which you should be able to read in Preview or Acrobat Reader.

Again, Macs are virus-free at this point in time. What we are dealing with are trojans, and trojans rely on user-interaction to be successful. In other words, AV software, port blocking, etc., are not 100% effective for blocking trojans. The only thing that will stop a trojan dead in its tracks is user awareness - and Apple's OS X gives you at least two opportunities to stop a trojan before it can begin its evil machinations. First, a warning appears telling you that the package you are about to install came from the internet, and second, the user will be asked for an admin password before proceeding.

And, again, by the time Little Snitch tells you something is trying to "call home", it's too late. You're infected. Not to mention, clever trojans will appear to be calling legitimate addresses, this is called "spoofing", and it's something the "phishing" guys have become very good at. So how would the casual user know when to block outgoing calls - several of which are quite legitimate - NTP, Adobe, Microsoft, etc, use outgoing calls to verify software, to check for updates, to set the time on your computer, etc., etc., etc.

I hate to keep beating the same rhythm on the same drum, but I think the cure should never be worse than the disease, and the response should be scaled to the threat - there are ONLY three known trojans "in the wild", no viruses, worms, etc., so simple AV (ClamXav anyone?) software and awareness are a good start. If you're inclined to the more technical side, Intego and Norton have complete security suites with port monitoring as well as AV software. Or, add Little Snitch to ClamXav for a low-cost, high-tech solution. There, zmac will be pleased!

Happy, virus-free, Mac'ing,

Dan

Dan Millar

Open System Preferences, choose the Security panel, then the Firewall tab from the Security panel's tabs. You have three basic options, plus, for the second and third methods (see the additional "options" button that is available for methods 2 and 3) you may also turn on stealth mode (blocks the ident port at 113) so your Mac will not respond to anonymous requests, and firewall logging - to see if your firewall is, in fact, doing what it is supposed to do. There's a document on the Apple Support site that explains the application firewall a little more than I can explain it here. Here's a link to the page: http://support.apple.com/kb/HT1810.

If you are setting up a desktop for home use, and you are attached to the internet through a router, you may already have a very good firewall - in your router! Check with your service provider or router manufacturer for more specifics on your router. Some routers have built-in firewalls with Stateful Packet Inspection (SPI) - a more advanced form of firewall than anything included with your Mac. If you manage to make friends with your router's management software - you can handle your entire network's firewall needs right in the router. In this case, you can use the application firewall as the "tech" suggested - wide open. The only threats reaching your machine will be from your own network.

If, on the other hand, you're dealing with a mobile computer that connects to networks other than your own, then you have no firewall in front of your Mac and therefore must use the built-in firewalls, and this is where products like Intego's Netbarrier or Security Barrier come into play. An excellent source of info on Mac security issues can be found at: http://www.securemac.com.

Happy virus-free Mac'ing!

Dan

Dan Millar

Well, it sure sounds like you have all the right tools. Your Airport Extreme includes a NAT firewall, so you are protected from most internet snoops already, and your Mac's firewall can be set to the most liberal setting - the first one - as your tech indicated. However, it sounds like you have fallen prey to an extremely common technique that most of the tools cannot detect called phishing. The best defense against phishing is to use spam filtering to block, or at least filter, questionable emails that are from sources you don't know. The most common phishing attempts look like "official" emails from a bank or insurance company or PayPal or other organization, informing you that your account has somehow been compromised, and insisting you login right away to correct the problem. No bank ever does this, neither does paypal, or anyone else. If you have ANY doubt, ALWAYS confirm this sort of email with the supposed source of the email before replying.

What the phishers do is copy the form and content of an actual email from the company being "spoofed". To the untrained eye, they appear exactly the same as a real email, sometimes even the URL is spoofed, so that the mail appears to come from your institution. The only way to detect one of these is to examine the outbound links/URLs and see if they are legitimate. ClamXav is one product that I know of that can detect phishing attempts, but usually doesn't report them until after you receive mail, so you still have to be careful, and I believe the mechanism being used to detect phishing is a "look-up", so if your particular "phish" is not in the database, it may not get flagged.

It's difficult to identify a "spoof" if you don't understand URIs and email-routing techniques. There's no need to look at the email headers, which are not easily deconstructed, just look at the links that the email is trying to send you to - the URLs will NOT match the REAL institution's address. Even so, sometimes the URL is made to look like a "real" address, but will vary in some small way from the real deal.

My service provider is now doing most of that gruntwork with their spam-blocking, and my Mail program filters any others that may slip through - from there it's all up to us, the users, to decide which emails are REAL.

No, a professional scan will not turn up anything your software hasn't already flagged, because they use the same software you're using... you might want to check with Intego to see if they have phishing-detection. I would also run your complete system scans daily, and have your AV software set to scan all incoming data - downloads, emails, etc. - live, as it happens. ClamXav can detect some, but not all, phishing attempts, but it's not a good idea to run two AVs at the same time.

I know Clam works, because the ONLY thing it EVER reports to me is when I have received a phishing attempt, but Intego must have SOMETHING that can do that too... ?

Happy virus-free Mac'ing!

Dan
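The link check described in the post above (compare each link's real host with the institution's real address, and watch for addresses that differ only slightly), written out as an added example that is not from the thread or from any of the products it mentions. The sample message and every domain in it are constructed for illustration; "example-bank.com" stands in for whatever institution the mail claims to come from.

```python
"""Added example (not from the thread): check the links in an e-mail body
against the institution it claims to come from, the way the post above
describes doing by hand.  All domains and the sample message are constructed
for illustration; 'example-bank.com' is a stand-in for a real institution."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule: good enough for .com/.net/.org style hosts.
    (Assumption: no multi-label public suffixes such as .co.uk in the input.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str, claimed_domain: str) -> list:
    """Return one (href, reason) finding per suspicious link.  An empty list
    means every link really points at the institution the mail names."""
    parser = LinkCollector()
    parser.feed(html_body)
    claimed = registrable_domain(claimed_domain)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != claimed:
            # The post's key check: the link target is not the real address.
            # It often differs only slightly: a look-alike spelling, or the
            # real name used as a subdomain of some other domain.
            if claimed in host:
                reason = "claimed name is only a subdomain of " + registrable_domain(host)
            else:
                reason = "link host %s is not %s" % (host, claimed)
            findings.append((href, reason))
        elif urlparse(href).scheme != "https":
            findings.append((href, "legitimate host but plain http"))
        # Visible text showing a different host than the href is a classic tell.
        shown_host = urlparse(text).hostname if text.startswith("http") else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append((href, "text shows %s but points to %s" % (shown_host, host)))
    return findings


# Constructed sample: a "your account has been compromised" notice that copies
# the look of a bank e-mail but sends its login link somewhere else.
SAMPLE_MAIL = """
<p>Dear customer, your account has been suspended.</p>
<p>Please <a href="http://example-bank.com.account-verify.net/login">log in</a>
to restore access.</p>
<p>Visit <a href="https://examp1e-bank.com/">https://example-bank.com/</a> for help.</p>
<p>Privacy policy: <a href="https://www.example-bank.com/privacy">here</a></p>
"""

if __name__ == "__main__":
    for href, why in check_links(SAMPLE_MAIL, "example-bank.com"):
        print(href, "->", why)
```

Only the third link survives the check; the first hides the real name inside another domain and the second spells it with a digit while its visible text shows the real address.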

Dan Millar

Well, that still sounds like phishing - sort of. What program did this happen in if not your email? Was your web browser open when this happened - i.e. was it a pop-up window that appeared in your web browser - Safari or Firefox or whatever?

Dan