Are Macs More Secure against Viruses, Hackers and Less Exploit Prone?
Are Macs more secure against viruses and hackers, and less
prone to being exploited? It is true that Macs are targeted less than PCs by virus and worm authors. Macro viruses
and worms that could run in Microsoft Word under both Mac OS and Windows invariably don't because they use Windows
functionality in their implementations. To say Macs are immune, however, is misleading. It's just that the Mac
platform is less attractive, arguably more difficult, and probably more costly to authors of malicious code. This
could all change with the introduction of Mac OS X.
Mac OS X is based on UNIX, and is really a mix of a highly modified BSD UNIX (called Darwin), the old Mac OS 9.x GUI
style, and a great new interface called Aqua. Mac OS X version 10.1 has a built-in firewall, which as a standalone
tool is not easy to configure. Norton Personal Firewall runs on Mac OS 8.1, 9.x, and in the native Mac OS X environment
using the built-in IP firewall. It monitors all Internet connections to your Mac, logging and alerting you to attempted
intrusions.
Many hackers or crackers (bad hackers) are familiar with a variety of the old UNIX security exploits. That's why
Apple has spent a lot of time and effort making sure OS X is secure out of the box. While OS X has built-in networking
as well as FTP and Web servers, they are turned off by default. UNIX-style root access to the OS is not the default.
UNIX and Mac OS X are very similar when it comes to root access: on both, you should only log in as root when absolutely
necessary. With OS X, Apple has tried to make the security such that novice users can set up and start using the
machine without having to perform lots of administrator-type chores. UNIX users normally run as admin or just as a
user. Under OS X, users may never know that they are an admin, or what a root user is, because Apple has provided
GUI setup apps that guide the user through making an admin password. Most users will probably only know they have
a password. They won't know it's an admin password, nor will they know the difference between root, admin and user.
You shouldn't change the network or security settings unless you know what you are doing.
In June 2001, Symantec notified Microsoft of a vulnerability in Microsoft Word and PowerPoint that applies to the
Windows and Mac versions. This is a good example of a vulnerability at the application level that is OS independent,
making Macs just as susceptible as PCs. There is more information about this on the Symantec Web site, and a Microsoft
patch is already available. Microsoft is also making available a beta version of Word for OS X that is probably
one of the most secure versions of Word. Visual Basic for Applications (VBA) is not included, so macro viruses
should not be an issue in this version of Word. The other basic, REALBasic, is also omitted. I'll be running it
until it expires in January 2002.
Hindsight tells us that once a hardware/software platform becomes widespread and development costs come down, or
the platform becomes substantially simpler, it attracts virus authors. We saw this in the move from DOS to Windows
3.x, then to Windows 95, and now to Windows NT/2000.
We've also seen a couple of Palm viruses and Trojan horses, which is to be expected since the Palm OS is the dominant
handheld OS. We've seen no threats targeting the PocketPC OS or the various mobile telephone OSs because they aren't
that common. This will probably change when connectivity is always on, with wireless networks for example, and
the barriers to writing such programs come down.
So in one respect, given the popularity of the Mac platform and the new OS X, we could say that it has yet to have
its day in regard to hosting viruses and worms, or even that it never will. The advent of always-on cable, ADSL,
and wireless networking in the home and home office exposes many Macs to denial of service attacks and worms. It
really depends on what becomes popular and grabs the attention of the authors of malicious code. If Macs (and OS
X in particular) become more popular, then they will attract hackers, crackers, and virus writers.
David Banes
Symantec Security Response, Asia Pacific

Thanks to John Mitzel (Global Marketing Manager, USA), Frank Borraccino (Platinum Support Analyst, Sydney), Lee Gummerman (Sr. Principal Software Engineer, USA) and Robert Franklin (Sr. Product Specialist, USA) for help with this article.

Viruses, Worms & Trojans
There are 6 variants of this virus, including 4 polymorphic, encrypted ones. The differences are described below.
What they have in common is that they all infect applications by modifying MDEF and MENU resources, and they can
create a System Extension (with an invisible character at the beginning of the name so it loads early) or add an
INIT resource to the System file. The existence of the extension is the easiest way of identifying its presence
without using NAV.
http://www.symantec.com/avcenter/venc/data/mac-sevendust.html
Lee Gummerman
Symantec Security Response, USA
Mac.Simpsons@mm (Risk: Low [2]; Platform: Mac)
Mac.Simpsons@mm is an AppleScript worm that targets the Macintosh platform.
It may open Microsoft Outlook Express or Entourage, and send a copy of itself with the original message to everyone
in your address book. The name of the script is "Simpsons Episodes." This worm does not appear to be
particularly malicious, and is similar to other mass-mailing worms that affect Windows computers, such as VBS.LoveLetter.
SARC has received very few submissions of this worm.
http://www.symantec.com/avcenter/venc/data/mac.simpsons@mm.html
Symantec Security Response, USA
This virus spreads from application to application. When an infected application is launched, it searches for another
application to infect and copies itself into that application. The contents of the original file are copied to an
invisible file in the same folder whose name is composed of arbitrary upper case letters. The infected application
also attempts to delete anti-virus software it finds in the default volume's root folder, or in the System, Control
Panels, or Extensions folders.
When launched on a Monday, there is a 25% chance that the payload will be triggered. If so, the virus draws "worms"
(meandering lines with small round "heads") on the screen. Lighter colored worms toward the center draw
the symbol for pi, and the message "You have been hacked by the Praetorians" flashes above the pi symbol.
If the user presses the command key, the machine will be shut down.
http://www.symantec.com/avcenter/venc/data/code.9811.html
Lee Gummerman
Symantec Security Response, USA
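An added defender-side check, not code from the newsletter or from Symantec: it walks a constructed directory listing and flags the two on-disk indicators described in the mac-sevendust and Code 9811 write-ups above (an Extensions item whose name begins with an invisible character, and an invisible file named only with random upper-case letters). The listing format, the sample entries and the Finder "invisible" flag are assumptions made for the example.

```python
import string
import unicodedata

# Constructed sample listing of a classic Mac OS volume (not real data).
# Each entry: (folder path, file name, Finder invisible flag).
SAMPLE_LISTING = [
    ("System Folder:Extensions", "QuickTime", False),
    ("System Folder:Extensions", "\x01Graphics Accelerator", True),  # leading control character
    ("System Folder:Extensions", " Sound Manager", False),            # leading space also sorts first
    ("Applications:Games", "GoMoku", False),
    ("Applications:Games", "QXZPTRM", True),                         # invisible, random capitals
    ("Applications:Games", "README", False),                         # capitals but visible: benign
]


def has_invisible_leading_char(name):
    """True if the name starts with a control, space or other non-printing
    character, which sorts the item to the front of the Extensions folder so
    it loads early. A leading space is included; expect some false positives."""
    if not name:
        return False
    first = name[0]
    return first.isspace() or unicodedata.category(first).startswith("C")


def is_random_caps_name(name, invisible):
    """True for an invisible file whose name consists only of upper-case
    ASCII letters, the pattern used for the displaced original file."""
    return invisible and bool(name) and all(c in string.ascii_uppercase for c in name)


def scan_listing(listing):
    """Return (folder, name, reason) for every entry matching an indicator."""
    findings = []
    for folder, name, invisible in listing:
        if folder.endswith(":Extensions") and has_invisible_leading_char(name):
            findings.append((folder, name, "extension with invisible leading character"))
        if is_random_caps_name(name, invisible):
            findings.append((folder, name, "invisible file named with random upper-case letters"))
    return findings


if __name__ == "__main__":
    for folder, name, reason in scan_listing(SAMPLE_LISTING):
        print(f"{folder}:{name!r}: {reason}")
```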
AutoStart 9805 (Risk: Low [2]; Platform: Mac)
AutoStart 9805 is a Macintosh worm which executes only in native PowerPC mode. It was first discovered in Hong Kong
in May 1998. It utilizes the CD-ROM AutoPlay feature in QuickTime 2.5 or later. This feature, if enabled, allows
the invisible AutoStart 9805 application to automatically launch when an infected volume is mounted. This program
will replicate itself to any mounted volumes, as well as to an invisible background application (file type 'appe')
in any Extensions folder, which allows it to further replicate upon reboot to other mounted volumes.
Since it does not spread outside of the startup or background applications, SAM and NAV for Mac effectively repair
the worm by deleting either of these files wherever they are detected.
http://www.symantec.com/avcenter/venc/data/autostart.9805.html
Lee Gummerman
Symantec Security Response, USA
MBDF is a virus that first appeared in 1992. The MBDF A strain originated from a trojan horse named Tetracycle.
Additionally, MBDF A was found to be distributed in versions of Obnoxious Tetris and Ten Tile Puzzle.
In November 1993, a second strain, MBDF B, was discovered. The A and B strains of MBDF infect applications as well
as system files and spread rapidly. Both strains cause occasional crashes, particularly if commands are selected
from menus when running System 7.0.1.
http://www.symantec.com/avcenter/venc/data/mbdf.html
INIT 1984 is a destructive virus first discovered in March 1992. INIT 1984 infects system extensions (INITs) when
users start up Macintosh computers. When triggered, INIT 1984 renames and changes the type and creator of files,
or even deletes them from disks. Although INIT 1984 can actively reproduce at any time, the virus only triggers if
the user happens to start up the infected Macintosh computer on Friday the 13th (1991 or later). When the virus is
active, files are renamed with random strings, type and creator information can be overwritten with random values,
and files on any mounted disks can be deleted.
http://www.symantec.com/avcenter/venc/data/init1984.html
nVIR is probably the most prolific and highly infectious of all Macintosh viruses. nVIR has two basic strains, A
and B, and nine known variants (clones). It first appeared in Europe in 1987.
When nVIR finds its way into a Macintosh computer through an infected application, it normally infects the System
file first. Once the computer is infected, nVIR becomes memory-resident every time the computer starts up, infecting
any applications it comes in contact with.
To announce its presence, after every eight to sixteen restarts (or after four to eight infected application launches),
nVIR causes the system to beep. At least one known strain of nVIR can utilize the MacInTalk sound driver (MacInTalk
is a software-based speech synthesizer) and, instead of beeping, speak the words "Don't panic."
http://www.symantec.com/avcenter/venc/data/nvir.html
MacMag is a rare virus that originated in a HyperCard stack. It displays a message of universal peace when triggered.
After displaying the message, the virus deletes itself. Discovered in December of 1987 in a HyperCard stack called
"New Apple Products," MacMag infects System files only.
Although MacMag is apparently not designed to be malicious, infected systems can display a variety of problems.
Infection is spread either from the original HyperCard stack ("New Apple Products") or from contact with
an infected system.
http://www.symantec.com/avcenter/venc/data/autostart.9805.html
T4 is a virus with three known strains. The T4-A and T4-B strains were first discovered in June 1992 in a public
domain application called GoMoku. T4-C was discovered in February of 1993 at the University of Illinois at
Champaign-Urbana.
T4 infects applications and the Finder. T4 attempts to modify your System file startup (or boot) code. Modification
of this code could interfere with loading system extensions at startup.
The T4-C strain infects applications and System files on an infected startup volume. When activated under System
6, T4-C immediately attempts to alter the resident System file, resulting in damage that causes INIT problems at
load time (startup). Modifications of this code could even cause the infected Macintosh computer to crash during
startup.
http://www.symantec.com/avcenter/venc/data/t4.html
WM.Xenixos - http://www.symantec.com/avcenter/venc/dyn/8122.html (Risk: Minimal [1]; Platform: Mac)
Nuclear - http://www.symantec.com/avcenter/venc/dyn/2592.html (Risk: Minimal [1]; Platform: Mac)
DMV - http://www.symantec.com/avcenter/venc/dyn/2594.html (Risk: Minimal [1]; Platform: Mac)
Concept - http://www.symantec.com/avcenter/venc/dyn/2591.html (Risk: Minimal [1]; Platform: Mac)
Colors - http://www.symantec.com/avcenter/venc/dyn/2593.html (Risk: Minimal [1]; Platform: Mac)

Security News
Microsoft Excel and PowerPoint document macro security vulnerability (Risk: High [4]; Platform: Mac/Win32)
While investigating an MS Word vulnerability in June of this year, it was discovered that unauthorised macro files,
potentially containing malicious code, can run without warning in MS Excel and MS PowerPoint, successfully bypassing
Microsoft's security features. This means an attacker could run arbitrary code with user privileges.
Microsoft Office applications, 2000 versions and later, have three security settings for macros. The "Low"
setting allows all macros to run. Setting the security to "Medium" displays a warning window stating
the dangers of opening documents containing macros. This pop-up allows the user to make the decision whether to
enable or disable the macro. Under the "High" setting, unsigned macros are disabled automatically. Microsoft
Office applications prior to the 2000 version had much simpler macro security models but are still subject to the
same vulnerability.
We have discovered that by specifically modifying the data stream in a document file containing a macro, the Microsoft
Office security settings for macros are completely bypassed in all versions of Microsoft PowerPoint and Excel products.
Microsoft has released a security bulletin, MS01-050, for this issue with links to individual product security
patches. Users of individual Microsoft Office products as well as bundled Microsoft Office suites should download
and install the appropriate security patches to secure their applications. A more detailed description is available
at the following location.
http://www.sarc.com/avcenter/security/Content/2001.10.04.html
Peter Ferrie
Symantec Security Response, Asia Pacific

Enterprise Security News Clips
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com; no unsubscribe or support emails please.
Follow this link to unsubscribe or change your subscription type.
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
Send virus samples to: avsubmit@symantec.com

This is a Symantec Corporation publication; use of it requires permission in advance from Symantec. All information
contained in this newsletter is accurate and valid as of the date of issue. Copyright © 1996-2001 Symantec
Corporation. All rights reserved.