Monthly Archives: September 2011

Malware for Mac OS X and security concerns for any PC user


Please note: If you use a PC (Personal Computer) – be it an Apple running Mac OS X or a Windows-based computer, and you live in the Pioneer Valley or Western MA and have reason to believe your computer is compromised (be it Mac OS X malware or a Windows virus or malware), please contact us to make an appointment to have your computer checked by our techs
.

 Update, 9/27/2011, 1:30 PM: Apple has updated their XProtect mechanism to cover the PDF exploit. See http://www.h-online.com/security/news/item/Apple-updates-malware-definition-list-to-defend-against-PDF-trojan-1350430.html

There are two new security concerns worthy of note for Apple’s Mac OS X, which may come as a surprise to some, but really shouldn’t.

First, it’s important to understand that no operating system is invulnerable, including Mac OS X.
There are in fact a growing number of pieces of malware targeting Mac OS X: Malicious software in the form of “Trojans”, ie: items that appear to be harmless while posing as something they’re not, and if installed, can put in place software that you don’t want that can take up resources and cause unapproved (and undesirable) changes to your computer’s operating system. This has been seen previously in the form of malware for Mac OS X posing as a installer for various kinds of software, some of which frankly would have to have been obtained illegally and that may still be floating about P2P (peer-to-peer) networks and dark corners of the Internet (websites that one should know full well are not trustworthy sources of software).

Two more recent items of concern are (very) recent malware (“Trojans”) that you should know about,
if you don’t already: A fake Flash installer, and a malicious PDF file. More information about them
is given a little further below.

You may be wondering what you can and should do to help keep your computer safe from malware.
Whether you’re using a Mac or a PC, one very good step you can take, is to create a non-administrator account and log in to that account for your everyday use. In OS X it’s easy enough to authenticate as a non-admin with the credentials of your admin account (username and password),and by running under a limited account, you can help to limit the damage that malware can accomplish.

However, migrating your data properly from an existing admin account to a non-admin account is beyond the scope of this post. Also, be advised that some software is written with the assumption that you are running as/under and administrator account, and – if not – either won’t install, or won’t run properly in part or in whole.

Another important security practice you should take – and I wish Apple would set as the default – is to disable
Safari’s ‘Open “safe” files after downloading’: Launch Safari and open Safari’s Preferences settings from the Safari menu, and in the first section, un-check the option at the bottom to Open “Safe” files after downloading.

Disable Safe downloads in the Safari preferences settings

 

 

 

 

 

 

 

If you want to feel fancy about it (or you’re already comfortable using the Terminal), another way to do this is to quit Safari and simply enter the following in a Terminal window (you can copy-paste if you like):

defaults write com.apple.Safari AutoOpenSafeDownloads -bool FALSE

(executed by pressing the Enter or Return key on your keyboard).

However, even prior to the above steps, the most important thing you can do is be careful and actively think about your online activities. Consider the site(s) you’re going to, whether you should even waste any time on software installers that you might find there, or any claims that a questionable site makes that you “need” something that they want you to download and install. Stop, and think about it. And where commercial software is concerned, if you didn’t obtain it legally, then you don’t know what else you might be getting when you unquestioningly supply your username and password to the installer you just got from obviouslyshadysite.sketch. At that point all bets are off, and this is where social-engineering will get you, if you’re not applying intelligence to how you use the Internet: Web, email, and especially P2P which can be used for legal purposes, but is very often used to distribute – or attempt to acquire – content illegally.

Adobe installers should only be obtained directly from Adobe (or purchased from reputable vendors – be it a store or online vendor), Apple software from Apple, and Microsoft (eg, Office) from Microsoft or from an established and trustworthy vendor.

Also know that Apple is taking steps to help counteract malware, with a brief explanation given at their support site, http://support.apple.com/kb/HT3662 (and the same mechanism exists in 10.7 as well)

More information about the fake-Flash installer/trojan can be found at arstechnica:
http://arstechnica.com/apple/news/2011/09/mac-trojan-pretends-to-be-flash-player-installer-to-get-in-the-door.ars

And there is more info about the malicious PDF file at f-secure.com. Note that while this
and the above fake installer might not yet have been seen extensively “in the wild” (meaning
it’s not wide-spread – yet) as always, be cautious.
http://www.f-secure.com/weblog/archives/00002241.html

There are manual removal instructions are available at F-Secure’s site, http://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml BUT they miss a key detail where Lion/10.7 is concerned (see below):

Quoting and slightly modifying from the f-secure article:

Open Activity Monitor
Select checkvir then click Quit Process
Delete the following files:

/Users/<your_user_homefolder>/Library/LaunchAgents/checkvir
/Users/<your_user_homefolder/Library/LaunchAgents/checkvir.plist

Additional info you might need: Bear in mind that in Lion, your Library folder
is hidden by default, if you don’t see the Library folder within your home folder (In the Finder use the Go menu > Home)
you can get to it by instead choosing “Go to Folder…” (the second last item) in the Finder’s Go menu,
and typing in: ~/Library and then pressing the (highlighted in blue) Go button.

 

Printing from Lion to a Windows server print queue with a client NOT bound to Active Directory

The following describes working with 10.7.1 (“Lion”) client and adding a setup for a printer that’s hosted by a Windows server, in an environment where Mac workstations are not bound to Active Directory (ie, no single-sign-on via Kerberos, no Kerberos auth for printing).

In the Add Printer dialog, choose Windows, select the domain in question,
locate the print server desired, and when asked to authenticate,
use: domain\username and the associated password.
Save to your keychain if desired (This may well be unacceptable in some settings due to security policies).
Choose the printer queue desired, and configure appropriately (pinter name, options).

When first printing to the printer, if asked to authenticate, do so again using the same
credentials as above (domain\username – and associated password).

If you skip the 2nd authentication request, the job will get spooled but fail to print (check the list for the printer in question and you’ll see a message relating to authentication failed/needed).