An­tivirus apps won’t save Mac from fu­ture at­tacks

A va­ri­ety of other pro­tec­tive soft­ware could pre­vent in­cur­sions by fu­ture ma­li­cious ac­cess at­tempts, writes Glenn Fleish­man

Macworld - - CONTENTS -

Along-run­ning de­bate be­tween Mac own­ers and those folks who use other plat­forms is whether or not mal­ware ex­ists for macOS. It does! Mac own­ers tend to be very de­fen­sive

(and, sadly, some­times of­fen­sive) about macOS,

be­cause of years of slights when Win­dows was in the as­cen­dance and virus rid­den.

These days, most mal­ware that at­tacks com­put­ers and mo­bile sys­tems in the wild comes from vis­it­ing a web­site, re­ceiv­ing and open­ing an at­tach­ment via email or a text mes­sage, or fol­low­ing a link in an email that mis­leads you into think­ing you’re at a le­git­i­mate site, into which you mis­tak­enly en­ter le­git­i­mate cre­den­tials.

And most of that mal­ware is old. On the desk­top, most at­tacks fo­cus on older ver­sions of Win­dows, some us­ing vari­ants of mal­ware that are sev­eral years old, ac­cord­ing to a re­cent up­date from the anal­y­sis firm Check Point. On the mo­bile side, 60 per­cent of at­tacks come a sin­gle 15-month old at­tack called Hum­ming­bad, which is of­ten de­liv­ered as a Tro­jan horse – mal­ware hid­den in­side what ap­pears to be a le­git­i­mate app.

Ap­ple has man­aged to avoid at­tacks that first ap­pear in the wild, usu­ally nip­ping them in the bud ei­ther through ad­vance dis­clo­sure from se­cu­rity re­searchers or the sheer dif­fi­culty of ex­ploit­ing a flaw that’s re­vealed be­fore a patch is avail­able. It’s also never had a lon­grun­ning ex­ploit that was known to ex­ist, wasn’t fully patched in old re­leases, and had a large num­ber of users still run­ning those old re­leases.

This makes Ap­ple’s OSes seem more in­vul­ner­a­ble than they are. But is an anti-virus pack­age the an­swer? In my view, and that of many se­cu­rity ex­perts, in­clud­ing those who have found vul­ner­a­bil­i­ties in macOS and iOS, no – in most cases, and I’ll de­scribe those that make sense later. Mac­world hasn’t re­viewed an­tivirus soft­ware for years, which may in­di­cate the larger edi­to­rial phi­los­o­phy as well.

The big­gest risk to Mac users is the ris­ing tide of a spe­cific kind of mal­ware, called ran­somware, which you can de­fend against us­ing tar­geted anti-mal­ware soft­ware that doesn’t rely on virus def­i­ni­tions.

Ran­somware lead­ing threat

We of­ten talk about mal­ware by the vec­tor by which it spreads – how does it in­sin­u­ate it­self into your com­puter? Mal­ware can dis­trib­ute it­self in sev­eral dif­fer­ent ways. You may see it:

■ As a ma­li­cious at­tach­ment, like a virus that runs when you open the file

■ As a Tro­jan horse, ex­plained above

■ Through phish­ing, or email or a text mes­sage that fools you into click­ing a link that sub­verts your sys­tem

■ Via spear-phish­ing, which uses tar­geted in­for­ma­tion about a vic­tim to ap­pear more gen­uine and likely to be clicked or acted on ■ Through a re­mote net­work at­tack, pop­u­lar right now with poorly se­cured In­ter­net of Things (IoT) de­vices. (For IoT, that means most of them, un­for­tu­nately)

These vec­tors all ex­ist for macOS, but the best re­cent path for in­fec­tion has been through a Tro­jan horse. That’s partly be­cause it’s eas­ier to con­vince some­one to in­stall soft­ware they think is le­git­i­mate than to find an­other path of ex­ploit. We saw this for Macs in 2016 with mal­ware in­serted into the BitTor­rent client Trans­mis­sion, and in Fe­bru­ary 2017 when a dif­fer­ent kind of macOS mal­ware ap­peared.

Both of those Tro­jan horses were ran­somware, which isn’t a new vec­tor of in­fec­tion. Rather, it can spread through any of the vec­tors noted above. But it’s proven a vi­cious prob­lem un­der Win­dows and some other desk­top OSes, be­cause un­like most pre­vi­ous mal­ware, it af­fects files only found in ‘userspace’: that is, our doc­u­ments and set­tings.

Ran­somware uses an en­cryp­tion key to scram­ble the con­tents of all of our user data, and puts an ex­e­cutable wrap­per around it, so that when you try to open a file, it runs and tells you how to pay a ran­som in Bit­coin to ob­tain the de­cryp­tion key. The price for in­di­vid­u­als is of­ten rel­a­tively mod­est and you can some­times ne­go­ti­ate a lower pay­ment. With­out the key, your files on the drive are lost for­ever un­less you have a backup or ar­chive prior to the en­cryp­tion. (Time Ma­chine and other back­ups will du­ti­fully copy the en­crypted ver­sion,

so you have to dis­cover the prob­lem be­fore your old­est good copies have been over­writ­ten.)

Be­cause ran­somware doesn’t need that high a level of per­mis­sion to run, it’s rel­a­tively easy to spread it. In mid-2016, re­searchers found JavaScrip­tonly Win­dows ran­somware that even runs out­side a browser. Be­cause it’s in­ex­pen­sive to make or mod­ify, a lot of peo­ple ap­par­ently dis­trib­ute it. Check Point es­ti­mates that 10 per­cent of in­fec­tions in the sec­ond half of 2016 across all sys­tems were ran­somware vari­ants, and the num­ber keeps climb­ing. At­tack­ers have many fam­i­lies of ran­somware code to choose from, and it’s easy to cus­tom­ize it.

I as­sume there will be mul­ti­ple suc­cess­ful ran­somware at­tacks against Mac users, though likely shut down quickly by Ap­ple through its Xpro­tect sys­tem, which au­to­mat­i­cally up­dates with known mal­ware sig­na­tures as they be­come avail­able. How­ever, be­fore these at­tacks hit, you can pro­tect your­self.

Tools against broad cat­e­gories of pop­u­lar at­tack

You can pro­tect your­self against ran­somware and net­work at­tacks, as well as some cat­e­gories of Tro­jan horse that aren’t ran­somware in na­ture, by in­stalling a few af­ford­able and in­ex­pen­sive tools.

Ran­somware’s harm led Jonathan Zdziarski to cre­ate Lit­tle Flocker ($20 for per­sonal use, up to five com­put­ers at­rmek), a macOS tool for de­tect­ing and ei­ther block­ing or per­mit­ting ac­cess by apps to spe­cific fold­ers. I’ve been us­ing Lit­tle Flocker for months, and Zdziarski made a

con­tin­u­ous se­ries of im­prove­ments that re­duces the amount of train­ing re­quired as you up­date soft­ware to new ver­sions. Once ran­somware gets its teeth in, it re­lies al­most en­tirely on not be­ing watched, and Lit­tle Flocker keeps its eyes peeled. It also mon­i­tors for apps that cap­ture key­strokes and use mics and cam­eras. (Zdziarski re­cently joined Ap­ple, and the fu­ture of Lit­tle Flocker isn’t cer­tain, but it’s so use­ful that I hope it finds a new home.)

Paired with Lit­tle Flocker is Block Block (tinyurl. com/jr2c6pa), free and still in beta, which mon­i­tors for soft­ware try­ing to in­stall files that al­low it to launch au­to­mat­i­cally af­ter a restart or when killed. That can help with ad­ware and other un­wanted soft­ware, too.

Should a macOS ran­somware pack­age find ef­fec­tive dis­tri­bu­tion, Lit­tle Flocker plus Block Block should pre­vent and alert you to some­thing bad hap­pen­ing, at which point you can check in with Mac­world and use so­cial net­work­ing to find out what’s hap­pen­ing – or be the first to re­port an out­break.

A par­al­lel and ef­fec­tive way to block ma­li­cious soft­ware from call­ing home and shar­ing your in­for­ma­tion is a fire­wall and net­work mon­i­tor. We like Lit­tle Snitch (€30,­p7wk), a ma­ture app that ex­am­ines ev­ery­thing com­ing in and leav­ing your Mac, and uses rules to per­mit au­tho­rized be­hav­iour but alert you to ev­ery­thing else. Mal­ware tries to talk back to cen­tral­ized servers, and while there are tricks to work around fire­walls, an app that isn’t sup­posed

to have a net­work con­nec­tion that sud­denly tries to sum­mon the in­ter­net gets no­ticed.

Rich Mogull, head of se­cu­rity anal­y­sis firm Se­curo­sis who has a deep ex­per­tise in Ap­ple-re­lated is­sues, says that he doesn’t use anti-virus soft­ware at all. He re­lies on Lit­tle Snitch, Lit­tle Flocker and Block Block for net­work, in­put, and file mon­i­tor­ing, and ex­pects his email host­ing com­pa­nies to staff the vi­ral bar­ri­cades.

But what about the re­ally bad stuff?

You might think the kind of things I’m men­tion­ing above seem very penny ante. If you read Ap­ple’s se­cu­rity up­dates that list of of­ten dozens of se­cu­rity holes patched in ev­ery OS re­lease and in built-in soft­ware, you might think there’s a churn­ing morass of flaws that could reach out and grab you via Sa­fari or your in­box.

And that’s partly true. A lot of vi­cious mal­ware for macOS and iOS does ex­ist. It’s just that it’s too valuable to use against the likes of you and me. The good stuff sells for £100,000s or mil­lions of pounds in grey and black mar­kets, and get used by firms that sell their ser­vices to gov­ern­ments, by crim­i­nal syn­di­cates, and other murky par­ties.

Those ex­ploits are held close to the vest, rather than pushed into the wild, be­cause of that eas­ily ob­tain value in ex­ist­ing mar­kets. When they’re used, it’s spar­ingly, and of­ten against prime tar­gets. For in­stance, last sum­mer, a hu­man-right ac­tivist in the United Arab Emi­rates, Ahmed Man­soor, had three sep­a­rate zero-day (pre­vi­ously un­known) ex­ploits at­tempted against him.

These were for iOS, which doesn’t al­low an­tivirus soft­ware the kind of per­mis­sion it needs to run,

but sim­i­lar weak­nesses were also found in macOS. Be­cause these were un­known and sub­tle, no Mac an­tivirus soft­ware would have de­tected and blocked them. Ap­ple im­me­di­ately patched the flaws in iOS and then shortly af­ter in macOS, ren­der­ing them use­less.

It’s not that no risk from a more gen­eral cat­e­gory of mal­ware ex­ists for Mac users. Rather, the high­est like­li­hood is that your files will be locked away, and, thank­fully, it’s also the eas­i­est at­tack you can pro­tect your­self against.

Given that Zdziarski has joined Ap­ple, fol­low­ing in the foot­steps in the past year or so of some other prom­i­nent re­searchers, we might hope that these kinds of tools find them­selves neatly and seam­lessly into fu­ture ver­sions of macOS.

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.