Hackers have created a proof-of-concept adware sample targeting Apple Mac OS X users; anti-virus firm F-Secure calls it “iAdware”.
Kamil writes for F-Secure:
We recently received a proof-of-concept sample of an adware program. Normally that wouldn’t be worth blogging about, but in this case it’s for Mac OS X. In theory, this program could be silently installed to your User account and hooked to each application you use… and it doesn’t require Administrator rights to do so. We won’t disclose the exact technique used here, it’s a feature not a bug, but let’s just say that installing a System Library shouldn’t be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.
The result: This particular sample successfully launched the Mac’s Web browser when we used any of a number of applications.
This is easier to do than with Windows. After all, it’s a Mac.
“The malware is notable for its rarity rather than its threat value, which remains minimal. There’s hundreds if not thousands of ad-ware packages floating around that are capable of infecting Windows users with intrusive pop-up software that impairs system performance,” John Leyden reports for The Inquirer. “iAdware is the first such application for Macs that we’ve come across.”
Full article here.
[Thanks to MacDailyNews Reader “Dirty Pierre le Punk,” “RadDoc,” and “Fred Mertz” for the heads ups.]
pppffffffttt.
“installing a System Library shouldn’t be allowed without prompting the user.”
should be easily fixed!
Calling it specifically adware doesn’t seem accurate. That sounds like a security hole that should generally be closed. While it could be used to launch a browser, and PRESUMABLY direct that browser to a specific site, calling it Adware diminishes the threat.
Apple should take steps to control this ASAP and not do their typical silent act in relation to this one.
Well, thanks to these morons, and other morons like them, I am sure they will release how this occurred, and instead of TELLING APPLE they will tell some idiot spammer.
It should be illegal to release malware information to ANYONE but the manufacturers of the software.
These people think they are doing something good for the world? The only thing they should do is tell Apple directly and not ever tell the public.
Fools…
I still don’t see the fun in all this Adware and Virus stuff..
Can ANYONE explain what the use of it is???
I agree with theloniousMac. Apple should be very open about these issues, recognise them and even give a timetable or actual status of the solution process. Secrecy in this area will certainly harm Apple and does not make sense.
The only threat to Mac users are the security companies who are desperate to get something out that will put pressure on us to buy their software.
Well folks, if I am reading right what was blogged, this is not a real threat, not at all.
One needs Admin privileges to install a System Library (the iadware) and THEN it can do its damage. They are not saying that the System Library itself can get installed without a warning or asking for admin password. All they say is that AFTER it is installed it can go about doing its thing behind your back.
Easy then, do not install anything coming from an unknown source.
(mw:rest) as in rest assured they’ll keep posting alarming headlines on OS X malware, maybe someday they’ll hit one, but it is not this one
I still don’t see the fun in all this Adware and Virus stuff..
Can ANYONE explain what the use of it is???
It’s like the nice people who key your car & slice its tires.
They do it because it’s easy, and to just be general assholes.
Since real Mac OS X malware has been impossible so far, we get this crap.
It can only affect one user. If you log out and log in as another user, that user is unaffected.
It doesn’t install a “system library”, it installs only in the user’s home directory.
And without a registry to manually redownload it can’t reinstall itself. So once you delete it it’s gone.
The worst case is if it changes its own owner to root or admin, and then all it takes is to
sudo rm dumb/adware/filepath/name and enter the admin password.
It won’t take special tools that only sometimes work.
So how many ‘real’ adware / spyware / viruses are out there for OSX again? < 0 ?
Sounds like BS to me.
Gee, if I were an administrator on a network, or already logged onto a Mac, I could do PLENTY of damage. Maybe their proof is that if you’re an idiot, you can mess up your computer. Windows users have been proving that little factoid by the MILLIONS… EVERY day… for YEARS!
Don’t these Virus Protection Rackets get enough business and make enough business from the Windows market?
Why do they keep on announcing “proof-of-concept” malware things, if only to frighten people into buying their software.
Apple has been very quick to plug security holes in Mac OS X.
Some of these “concepts” have appeared AFTER Apple has already plugged holes.
From what I’ve seen Symantec’s Mac anti-virus software IS a virus.
Duh,
that should have read:
Don’t these Virus Protection Rackets get enough business and make enough MONEY from the Windows market?
How come no MDN take on this??
Sum Jung Gai needs to upgrade to the latest version of the OS/Safari as I never see a pop up on MDN.
“This is easier to do than with Windows. After all, it’s a Mac.”
These people are so fucking bitter. So insecure about their INFERIORITY.
As others have pointed out here, this is such a minimal and easily removable “threat” that it’s a joke.
Julio,
Agreed. This just looks like another form of trojan.
Are there any good countermeasures besides user awareness?
Few people would allow uninvited strangers into their homes, esp. ones offering to install or fix something. Why let unknown software into your Mac?
Ya know we Mac proponents are very proud of Apple’s security record but we need to face some facts.
While MDN likes to claim that “security through obscurity” is a myth, I beg to differ. There have been and there will continue to be holes in the Mac OS. Mac OS X may be more difficult to exploit than Windows, but not impossible.
And Apple… well I’m still fuming at their willingness to buy off on the no virus hype. Instead Apple should simply say, “While we are proud of the Mac’s security record to date, we still advise all Mac users to take prudent measures with regard to computer security.”
Sooner or later we’re going to get hit with something and it’s going to come from some place we trust, like Apple.
We should be careful, not smug. Constantly touting the 150,000 viruses for Windows and none for the Mac stat is asking for trouble. If I were a virus writer, at this point I’d be working on it.
I just wish ONE person who does viruses and stuff would step up to the plate and just explain: “Why I do this dorky thing”.
It would be a whole lot easier to understand is all.
I just created a proof of concept technique for destroying all files on my hard drive
I opened my hard drive, dragged all my files to the trash, and clicked Empty Trash.
Pay me money or else.
Well, all the politics aside, I’d be curious to know the technical details.
The term “system library” is extremely vague. The closest thing to the correct meaning of this term would be a malicious framework installed into /System/Library/Frameworks or /Library/Frameworks. However, this most definitely cannot happen without an admin prompt, and furthermore it would not do anything unless it replaced another framework that an app was already designed to call, without losing any of the correct functionality. Unlikely.
More likely this is a malicious Input Method, which is a type of plug-in that can load into Cocoa applications and modify the way they handle data (for example, there’s one called IceCoffee that adds the Services menu to every right-click menu. There are also Input Methods for gesture-based input or expansion of abbreviations). These can be installed on a per-user basis without additional authentication, under ~/Library/InputMethods. They can also be installed globally, in /Library/InputMethods, but this might require authentication (can anyone confirm?)
While a potential issue, this is a limited attack vector because it would only affect the logged in user, affects only Cocoa applications, and does not modify (infect) any apps on disk, only at runtime. Removal would constitute removing the plug-in and logging out and back in.
Generally, I’m surprised that there haven’t been more exploits of Cocoa runtime extensibility, given the relative renown of Objective-C for being dynamically modifiable.
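As an added example (not code from this thread, from F-Secure, or from Apple), a small POSIX shell audit of the per-user and global Input Methods directories the comment above names: it lists the plug-in bundles present and reports any that are not on a caller-supplied allowlist, so an unexpected per-user plug-in stands out. The allowlist format (one bundle name per line), the bundle extensions matched, and the AUDIT_RUN/ALLOWLIST variables are assumptions.

```shell
#!/bin/sh
# Added example: inventory Input Method plug-in directories and flag bundles
# that are not on an explicit allowlist. Paths default to the macOS locations
# named in the thread but are passed as arguments so the check runs anywhere.

# list_bundles DIR: print the bundle names (one per line) found directly in DIR.
# Extensions matched are an assumption; a real inventory may need more.
list_bundles() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        case "$entry" in
            *.app|*.bundle|*.component|*.inputmethod) printf '%s\n' "${entry##*/}" ;;
        esac
    done
}

# audit_input_methods ALLOWLIST_FILE DIR...: report (on stderr) every bundle in
# the given directories whose name is not a whole line of ALLOWLIST_FILE.
# Return value is the number of unexpected bundles found (0 means clean).
audit_input_methods() {
    allow="$1"; shift
    [ -r "$allow" ] || { echo "allowlist not readable: $allow" >&2; return 255; }
    count=0
    for dir in "$@"; do
        # The pipeline runs in a subshell, so the hits are counted via its output.
        n=$(list_bundles "$dir" | while IFS= read -r name; do
                if ! grep -qxF -- "$name" "$allow"; then
                    printf 'UNEXPECTED: %s/%s\n' "$dir" "$name" >&2
                    echo hit
                fi
            done | wc -l)
        count=$((count + n))
    done
    return "$count"
}

# Stand-alone use on a Mac: AUDIT_RUN=1 ALLOWLIST=/path/to/allow.txt sh audit.sh
if [ "${AUDIT_RUN:-}" = 1 ]; then
    audit_input_methods "${ALLOWLIST:-$HOME/.inputmethods-allow}" \
        "$HOME/Library/InputMethods" /Library/InputMethods
fi
```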
Try this command in Terminal:
open http://walmart.com
Instant adware! Replace an application with a script to run this command and then launch the original application, and you’ve accomplished the same thing.
Haven’t you noticed something…
Now that Microsoft says NO to anti-virus companies, there are all kinds of Mac viruses (proof-of-concept) popping up!!!
And the anti-virus companies are the only ones that are finding these things.
Don’t you think that THEY are actually behind all these things because they are trying to get a new market…the Mac users.
Lo and Behold! It’s another MS “payoff” to an Anti Virus company to spread FUD among the newcoming mac users of intel macs!
“Jealousy makes the bones brittle”
“Releasing” this vaguely described adware FUD during a U.S. extra-long weekend ensures few Mac sites will run it into the ground quickly, giving it time to gain whatever traction it can (MDN has no one on hand to denigrate the story, either). So the story has until late Monday or even Tuesday before it’s shot down, by which time it’s catch-up.