Thursday, May 4, 2017

Do Macs need anti-virus?

In the Mac Users Group (MUG) SIG meeting today, 5/4/17, a video was played. As a cyber security professional I agree with every point made in the video.

The issue in my mind is semantics: word meanings. What is a computer virus? In a human analogy, a computer virus "injects" or "infects" a running process or application. A virus is just one type of computer malware. Others include worms, trojans, denial of service, etc. The list is too long to give here. Most anti-virus products have morphed into anti-malware suites, with anti-virus protection as one part of the suite.
I could argue the first discovered virus had Macs as its target.

MacOS and Windows have different qualities for applications. MacOS is based on Linux/UNIX and has cheap process creation. To develop an application, each function feeds its output to another function, so each function calls or creates a new process. Windows is more developer friendly: applications inject code into other applications to make application development easier.

In a human analogy, take a police investigation application. On MacOS, the details of the investigation that need to be worked by another person/department are sent to that person/department, and the results are sent back or on to the next person/department until the process is complete. On Windows, the person/department is asked to sit at the desk of the current investigator and use that desk/resource pool to process the investigation. Thus code injection is how Windows works, so viruses on Windows are common and anti-virus is needed. Anti-virus can be based on a "signature" or on heuristics.

Another point made: "There are currently no known Mac viruses". Again, semantics. A more accurate statement: "There are no known unpatched Mac viruses".

To prevent infections by any new Mac viruses, the video advised keeping patches current (excellent) and keeping up with security news so you can take action before the virus infects. The latter is almost impossible.

Are anti-virus-only applications for Mac unnecessary? Probably, if they cost money. Are anti-malware suites/applications unnecessary? In my opinion, NO.

The recent security incident this week, OSX/Dok, worked by:
1) Clicking on a link in a phishing email or in a web page visited. Anti-malware suites can contain both whitelisted and blacklisted web sites and email addresses.
2) Dokument as an application was loaded. At first the application was signed by an Apple-issued certificate. No defense in that regard.
3) Apple revoked the signing certificate for the application. Both anti-malware and MacOS warned the user of the signing certificate problem. If the user clicked the Open button, the application was loaded. Please do not do that. The warning is there for a reason.
4) A zip archive then loaded a lot of Linux/UNIX utilities. Some anti-malware would have caught this and issued a warning.
5) The current logged-in user was made an Administrator if they were not already. Again, some vendors will warn, others not.
6) The sudo file was modified to allow further infections to proceed. Some suites will alert.
7) An overlay page that is an exact copy of the Apple update page is displayed while the rest of the exploit is loaded.
8) The page asks for the administrator password. That password is sent to the attacker.
9) A command line tool loads TOR and SOCAT. Some vendors may alert.
10) A rogue root-level certificate is installed.
11) The system sets up a proxy so all web-based traffic can be sent to the attacker's system. At this point all traffic/communications can be viewed AND modified by the attacker.

TO BE CLEAR: all encrypted traffic to your bank, broker, shopping, etc. can be captured and/or modified. Account names, passphrases, ALL traffic.

Would anti-malware suites prevent this infection? Probably not at the time the infection was first deployed. Most suites might have alerted on several of the trip points, but the user would have had to recognize the alerts and take action.
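Three of the trip points in the list above (the sudo file change, the promotion to Administrator and the proxy) leave settings you can check yourself. The following is an added example, not from the video or this post's original text: a Python sketch that reviews the text of `/etc/sudoers`, the output of `scutil --proxy` and the output of `dscl . -read /Groups/admin GroupMembership`. The function names, the proxy allowlist, the admin baseline and the sample input are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

def sudoers_findings(text):
    """Rules that grant every command with no password prompt."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()  # drop comments and #include lines
        if re.search(r"NOPASSWD\s*:\s*ALL\b", rule):
            hits.append((num, rule))
    return hits

def proxy_findings(scutil_text, allowed_hosts=()):
    """Enabled proxies or PAC URLs whose host is not on the allowlist."""
    pairs = re.finditer(r"^[ \t]*(\w+)[ \t]*:[ \t]*(\S+)[ \t]*$", scutil_text, re.M)
    cfg = dict(m.groups() for m in pairs)
    hits = []
    for kind in ("HTTP", "HTTPS", "SOCKS"):
        host = cfg.get(kind + "Proxy")
        if cfg.get(kind + "Enable") == "1" and host not in allowed_hosts:
            hits.append((kind, host))
    if cfg.get("ProxyAutoConfigEnable") == "1":
        host = urlparse(cfg.get("ProxyAutoConfigURLString", "")).hostname
        if host not in allowed_hosts:
            hits.append(("PAC", host))
    return hits

def new_admins(dscl_text, baseline):
    """Members of the admin group that are not in the recorded baseline."""
    members = dscl_text.split(":", 1)[1].split()
    return sorted(set(members) - set(baseline))

# Constructed sample input, not captured from an infected machine.
SUDOERS = """\
# sudoers file
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
"""
SCUTIL = """\
<dictionary> {
  HTTPEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://proxy.example.invalid/wpad.js
}
"""
DSCL = "GroupMembership: root alice"

if __name__ == "__main__":
    print(sudoers_findings(SUDOERS))
    print(proxy_findings(SCUTIL))
    print(new_admins(DSCL, baseline=["root"]))
```

A finding here is a prompt to look closer, not proof of infection: some sites configure a proxy or passwordless sudo on purpose, which is what the allowlist and baseline arguments are for.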

 There are several ransomware strains that infect MacOS. One is very bad since it never gets to send the encryption key back to the attackers so users will never get the key even after paying the ransom.

Most ransomware signatures are in good anti-malware suites for MacOS.
