Mac OS X Isn’t Safe Anymore: The Crapware / Malware Epidemic Has Begun (howtogeek.com)
64 points by nithinr6 4130 days ago
21 comments

As an aside: Everyone who read this article, please keep in mind that the process injection model used by these pieces of adware is exactly what your typical "keylogger" uses also.

No malware literally logs keys typed anymore. I cannot stress that point enough. Instead they log form submissions (e.g. POST requests) which give the malware author much more useful information they can data mine in an automated way (e.g. URL, named parameters, etc). This works even on a "secure" page (e.g. HTTPS with extended certificate).

I'm super tired of supposed power users or "geeks" telling others to copy/paste in their username/passwords to improve security. That's not how this works, it isn't how any of this works. Nobody reads raw key-streams, they're completely useless because they fail to contain CONTEXT (i.e. where you typed what).

Sorry, just a pet peeve of mine. The term "keylogger" is largely a misnomer. A more accurate name would be "credential hijacking" or "form submission theft." A lot of malware actually uses standard injected JavaScript to add event hooks to a page, to fire the data back to an evil browser extension.

This points out why I don't understand websites that force you to create the most obnoxious password that you won't ever remember. "Must be 16 characters with lowercase and uppercase and a number and a special character."

No one's account is getting broken into by password guessers. Your obnoxious 16 character password will be stolen just as well as a 1 character password.

Don't a lot of login forms hash passwords with JS before sending it over the internet? Wouldn't it then be useless to anyone listening?
I cannot think of a popular site which does this.

Whether that provides security really depends on what the "bad guys" are hooking. If they're placing event triggers straight onto text box/button/form elements themselves (either through JavaScript or grabbing something akin to Win32 messages) then that wouldn't do anything at all.

Even if they did grab the raw POST request (which is somewhat common) a hash would only provide security if it was merged with an anti-forgery token sent from the server, otherwise the "bad guy" could just re-post the exact same hash and login anyway.

I think it really boils down to how popular your site is. If for example Facebook did that, because it is popular enough with the "bad guys" they're going to spend the time circumventing any JavaScript-based security you could implement.

> I cannot think of a popular site which does this.

LiveJournal used to do it. No idea if they still do. I don't think it ever caught on.

> "bad guy" could just re-post the exact same hash and login anyway.

That's true, thanks for the response.

Not a single company I worked for. I guess it's simply because JS doesn't include hashing, whereas in PHP it's simply a matter of calling sha1(). But it is pretty easy to include, I guess people just don't think about it.
Please for the love of donuts and bacon don't use sha1() to hash passwords.
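Two points in the exchange above are easy to see side by side in code: the warning that a client-side hash can simply be re-posted unless the server ties it to a single-use challenge, and the plea not to store or compare plain sha1() digests. The following is an added example, not code from the thread or from any site mentioned in it; the names (`Server`, `client_response`, `naive_server_check`, `demo`) and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# All names below are assumptions for this example; nothing is taken from a real login system.


def sha1_login_token(password: str) -> bytes:
    """The scheme the thread describes: the page hashes the password and POSTs the digest."""
    return hashlib.sha1(password.encode()).digest()


def naive_server_check(stored_token: bytes, sent_token: bytes) -> bool:
    """Server that compares the posted digest to the stored one. A captured POST replays forever."""
    return hmac.compare_digest(stored_token, sent_token)


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation (PBKDF2-HMAC-SHA256; the iteration count is a constructed value)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    """Challenge-response login: one fresh nonce per attempt, consumed on first use."""

    def __init__(self) -> None:
        self.users = {}    # username -> (salt, verifier); the password itself is never stored
        self.pending = {}  # username -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def issue_challenge(self, username: str):
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce  # replaces any unused earlier challenge
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)  # single use: gone after this call
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the browser sends: an HMAC over the nonce, not the password or its hash."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Returns, per scenario, whether a value captured from one submission still logs in later."""
    # Scenario A: plain client-side sha1, as discussed in the thread.
    stored = sha1_login_token("correct horse")
    captured = sha1_login_token("correct horse")  # what a hooked form submission yields
    sha1_first = naive_server_check(stored, captured)
    sha1_replay = naive_server_check(stored, captured)
    # Unsalted sha1 also makes two users with the same password indistinguishable.
    two_users_sha1_equal = sha1_login_token("pw") == sha1_login_token("pw")

    # Scenario B: challenge-response with a single-use nonce.
    srv = Server()
    srv.register("alice", "correct horse")
    salt, nonce = srv.issue_challenge("alice")
    captured = client_response("correct horse", salt, nonce)
    cr_first = srv.verify("alice", captured)
    cr_replay = srv.verify("alice", captured)      # nonce already consumed
    srv.issue_challenge("alice")
    cr_replay_new = srv.verify("alice", captured)  # stale response against a fresh nonce
    srv.register("bob", "correct horse")
    two_users_verifier_equal = srv.users["alice"][1] == srv.users["bob"][1]

    return {
        "sha1_first": sha1_first,
        "sha1_replay": sha1_replay,
        "two_users_sha1_equal": two_users_sha1_equal,
        "cr_first": cr_first,
        "cr_replay": cr_replay,
        "cr_replay_new_nonce": cr_replay_new,
        "two_users_verifier_equal": two_users_verifier_equal,
    }
```

Two caveats the thread already hints at: a hook placed on the form element itself captures the password before any of this runs, so the scheme only helps against capture of the submitted request, and it is no substitute for TLS. Also, because the client derives the verifier from the salt, a leaked server database is password-equivalent for this scheme; SCRAM-style designs avoid that by storing a further hash of the client key.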
>Mac OS X Isn’t Safe Anymore: The Crapware / Malware Epidemic Has Begun

Yeah, not really. Like it hadn't begun all the other times in those last 14 years that such articles appeared.

I've used Windows for decades (still do occasionally), and had lost count of malware, adware and viruses I had to battle. So, don't tell me about "malware epidemic" on OS X with a straight face...

>adware and viruses I had to battle

This is largely a user problem now. I haven't caught a single problematic download on my Windows 7 box.

See recent Lenovo issue. It isn't a user problem but an ecosystem problem starting with the OEMs and the general discovery and distribution of software.
I wouldn't be so confident. Most viruses now are pretty stable and silent. They don't crash your system and they don't eat up all your bandwidth. They'll get you when you log in to your banking website or they'll use you as part of an attack on someone else.
It's also a user problem on Macs--and really, it always had been. I use and like Macs but they've never been invulnerable.
I've noticed that people are quite liberal with the use of the word "epidemic".
I've been using Windows for over 20 years and I've had very few (exactly 2) personal battles with malware and those were on Windows 95 and 98.

Why don't you try looking things up and scanning them before installing? Whatever you're doing doesn't seem to be working.

EDIT: A commenter below reminded me of another rule that I follow when I get a new machine: Always do a clean install with my own copy of Windows (usually from MSDN or an upgrade offer).

>I've been using Windows for over 20 years and I've had very few (exactly 2) personal battles with malware and those were on Windows 95 and 98.

Had tons on Windows XP, and several in 7.

>Why don't you try looking things up and scanning them before installing?

Can't and won't be bothered. What am I? The OS's servant?

I'd rather have an OS that doesn't get me viruses, either through enhanced security and sandboxes, or through scarcity of malware.

Plus, it's not even about "scanning" etc. Lots of adware for example comes in totally legitimate forms. Heck, even the base Windows install from some OEMs has ad- and spy-ware installed...

That's some interesting logic. Do you bother looking both ways before crossing a street or does that make you a servant to the highway system/common sense?

> I'd rather have an OS that doesn't get me viruses...

No problem. The OS isn't the one getting you viruses. It's you.

> Plus, it's not even about "scanning"...

Yes, that's why I said to do a quick search on the Internet, to see what other people are saying about a given piece of software. If you can't be bothered to do that, then you deserve every piece of malware that you get.

>That's some interesting logic. Do you bother looking both ways before crossing a street or does that make you a servant to the highway system/common sense?

Walking wasn't created to automate tedious tasks. Computers were.

Your "common sense" is of those who accepted as a law of nature that you have to defragment your hard disk, clean your registry every now and then, and re-install your OS when it gets bogged down to get a clean start.

Some other stuff that was also "prevalent wisdom" among Windows folks...

>Yes, that's why I said to do a quick search on the Internet, to see what other people are saying about a given piece of software. If you can't be bothered to do that, then you deserve every piece of malware that you get.

Or you know, use a proper sandboxed OS and matching software, like it's 2015...

It's not like permissions, sandboxes, chroot jails and containment are some hot-new fringe research topic...

The OS you want doesn't exist. If you think it does, I welcome you to please just go and use it or invent one yourself instead of wasting your time trying to convince little old me.

TempleOS is probably a good fit for someone like you. Enjoy that!

Part of the problem is that a lot of legitimate freeware / open source software is not signed. I assume because people don't want to pay the $100 a year just to support OS X. So people get used to installing unsigned software, and then end up installing malware.
CNet's downloader app looks like it's signed. It warns that it was downloaded from a website (which it was), but you don't have to do the right-click-open song and dance.
I'd love to see Apple take a stand and revoke their certificate. Usually I strongly support developer freedom / openness, but these apps are straight-up malware. Having a decline option somewhere doesn't matter if essentially all users who accept do so unintentionally.
The official Silverlight installer from Microsoft wasn't signed, leading me to a half hour search to make sure my browser wasn't hijacked before reluctantly installing it. Kind of defeats the point of signing when it's that untrustworthy.
I've seen a lot of Mac users with adware in the last few months. I've found Adware Medic[1] to remove nearly all of it pretty easily.

[1]: http://www.adwaremedic.com/

Seconded, AdwareMedic is quick and painless.

Power users might also appreciate Little Snitch[1] to see what their Mac is connecting to.

[1]: http://www.obdev.at/products/littlesnitch/index.html

I forgot to mention, after running AdwareMedic, make sure to check browsers' search engine and homepage settings.
How about a non-Apple App Store: something like homebrew with a friendly GUI that's easy to navigate? I started using Homebrew Cask recently, and it seems like a perfect workflow for the average user who just wants to download VLC or whatever.

I'm imagining Grandma pulling up the "Application Warehouse", let's say, and clicking a download button under a VLC icon. It gets downloaded from a trusted source over HTTPS, gets checked against a hash, symlinked and Gran's ready to go, all without the hassle of shady installers from the search engine shitpile.

Microsoft really should consider making something like Ninite (https://ninite.com) a native component of Windows 10.

It skips all the garbage and installs the application.

They are/have. In Windows 10 it is called "OneGet." It is a Linux-like package manager to complement their Windows Store (app store) which isn't going away.
This would require Microsoft to take a stand on behalf of the consumer
Brew integration would be nice. There used to be a couple of non-Apple app stores, but most of them were killed off when the actual App Store came along.

MacUpdate is still running one though: http://www.macupdate.com/desktop/

https://www.cakebrew.com is an open source GUI that makes homebrew easy to navigate. Though homebrew has no flashy screenshots or customer-oriented product description so I don't think it's a contender as a Mac App Store replacement for your average user.
Thanks for the tip. I just downloaded it with brew cask and feel like I've found the mobius strip of package management.
How is this better than the Apple App Store? As soon as you have multiple ones, nobody knows which one to trust.
I don't think it's the same, you'd only have to trust one extra source for the new appstore (2? 3?), not one for each installed software.

E.g. I trust the macports maintainers, even if I don't verify the sources for each thing I get through `port install`.

Sure but using macports implies a level of technical understanding to evaluate trustworthiness. Most end users don't have that, and so they could just as easily be convinced to trust the CNET App Store.
I cleaned some crapware off an acquaintance's computer. She is around 70 and didn't know why the computer was not behaving correctly. It was really easy compared to Windows crapware. When my dad's Windows computer had malware I had to reformat. But with OSX I deleted a plist or two and it was done.
I have to disagree with this. At my current job I deal with a lot of Mac malware/adware, and fully removing it is a complicated process. After clearing the applications folder and removing browser extensions, you have to check a lot of folders, and you kind of have to know what you're looking for. In /Library/ for example, you have to check Application Support, Extensions, Frameworks, LaunchAgents, LaunchDaemons, PreferencePanes, and StartupItems. I like OSX, but it definitely needs a MalwareBytes equivalent.
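The folder list in the comment above is a checklist a responder works through by hand; the launchd ones (LaunchAgents, LaunchDaemons) are the easiest to triage mechanically because every job is a plist that names the binary it starts. The script below is an added example, not code from the thread or from AdwareMedic: it walks those directories, pulls out each job's label and program path, flags jobs that fail to parse or that start something from outside the usual system and application locations, and builds a small constructed sample tree so it runs anywhere. The "expected prefix" list is a triage heuristic of mine, not an Apple rule, and the sample plists are invented.

```python
import os
import plistlib
import tempfile
from typing import Optional
from xml.parsers.expat import ExpatError

# launchd locations from the comment, plus the per-user agents folder.
PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Constructed heuristic (an assumption, not an Apple rule): binaries under these prefixes are
# what you expect to see; anything else deserves a human look, not automatic deletion.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_of(job: dict) -> Optional[str]:
    """A launchd job names its binary with either Program or ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def inventory(dirs=PERSISTENCE_DIRS) -> list:
    """One finding per .plist; 'flag' is None when nothing stands out."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue  # e.g. no per-user LaunchAgents folder yet
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
                if not isinstance(job, dict):
                    raise ValueError("root is not a dict")
            except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
                # A plist launchd cannot read is still worth listing: it may be damaged on purpose.
                findings.append({"name": name, "path": path, "label": None, "program": None,
                                 "run_at_load": False, "flag": "unparseable"})
                continue
            prog = program_of(job)
            if prog is None:
                flag = "no-program"
            elif not prog.startswith(EXPECTED_PREFIXES):
                flag = "unexpected-location"
            else:
                flag = None
            findings.append({"name": name, "path": path, "label": job.get("Label"),
                             "program": prog, "run_at_load": bool(job.get("RunAtLoad", False)),
                             "flag": flag})
    return findings


def build_sample() -> str:
    """Constructed stand-in for /Library/LaunchAgents: two invented jobs and one truncated file."""
    root = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
              "RunAtLoad": True}
    odd = {"Label": "com.sample.helper",
           "ProgramArguments": ["/Users/Shared/.helper/agent", "--quiet"],
           "RunAtLoad": True, "KeepAlive": True}
    with open(os.path.join(root, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    with open(os.path.join(root, "com.sample.helper.plist"), "wb") as fh:
        plistlib.dump(odd, fh)
    with open(os.path.join(root, "broken.plist"), "wb") as fh:
        fh.write(b"<plist><dict>")  # truncated XML, deliberately unparseable
    return root


if __name__ == "__main__":
    for f in inventory([build_sample()]):
        print(f"{f['flag'] or 'ok':22} {f['label']!s:24} {f['program']}")
```

Run it with no arguments on a Mac to read the real directories instead of the sample; the output is a worklist, and the comment's other folders (Application Support, Extensions, Frameworks, PreferencePanes, StartupItems) still need the manual pass it describes.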
Yeah, that site has been really useful. That's where I discovered the large number of folders in which malware can hide.
"Examining further comes up with something curious… the person who wrote this malware wanted to give special thanks to his mom."

That's the old default Credits.rtf.

Now that Mac OS X has hit about 7% of internet users, it's profitable enough for adware/malware folks to target.

Most of the infections on Windows aren't due to some huge security issue on Windows that Macs are magically immune to. They are due to the users themselves installing adware or malware-infected software from sites online. Now that there are more Macs out there, the reward is greater. So, there is more revenue to be made from adware-laden software and a better return for the time investment/risk of creating malware for Macs (to send out spam, be used in DDoS attacks, sniff for and steal financial info and passwords, etc).

This is a common (and tired) response but it's really not entirely true - Windows does in fact have a lot of potentially catastrophic holes that are innately tied to higher privileges for users.

Most of what Windows has implemented since 7 with UAC, MSSE and now integrated with Defender is a layer on top that introduces some failsafes. I won't argue that it's been a massive and much-needed improvement to Windows, but Java and Flash still provide viable vectors to bypass it and infect a Windows machine.

Designing actual viruses - stuff that has the ability to read and modify the filesystem - is still harder to pull off undetected on OSX. This article intimates as much. Most of what's included here is either bundled applications you don't want - but you still have to actively find and then agree to - or browser modifications. Neither of those is within 500 sqmi of, say, CryptoLocker.

I never claimed that Windows or Mac OS X are more or less secure than the other. I very specifically said the following:

"Most of the infections on Windows aren't due to some huge security issue on Windows that Macs are magically immune to. They are due to the users themselves installing adware or malware-infected software from sites online."

This is 100% accurate and what most home users have to deal with in terms of issues on Windows. The vast majority of Windows issues that end users experience and get frustrated over have nothing to do with Java or Flash flaws or needing to compromise a system. The users themselves give the apps permission to install and do their thing.

It's also worth noting that Java and Flash don't provide much of an attack vector for the majority of Windows users you and I know anymore either. Firefox won't permit outdated versions of the Java or Flash plugins with security issues to run and will direct you to update. Chrome has its own version of Flash built in and automatically updated with the browser and disables Java by default. Even Internet Explorer blocks outdated ActiveX plugins like old and insecure versions of Flash and Java these days.

I still don't think that's true - visiting a malicious site without any action still provides far more of a risk on Windows than it does on OSX.

Are there improvements on the browser and OS side that are helping? Sure. Do those impact the vast majority of Windows users? Probably not. Look at browser & OS version usage and you'll see that the "users you and I know" are probably not indicative of the majority of users in general. At least not yet.

All major browsers on Windows block outdated Flash and Java by default. All major browsers on Windows are automatically updated to the latest version by default. So, for the vast majority of Windows users, the attack vectors you're mentioning simply don't apply anymore. That means users you and I know and most users we don't.

What I'd meant by that line was that this doesn't apply to users in other countries where the majority of users are still using hacked (and completely insecure) versions of Windows XP. Sadly, Windows XP still represents about 19% of online users. Thankfully, most of those users are using a 3rd party browser as IE 6 is down around 1%.

This is a commonly held misconception among OS X fans, but it's in no way true. It hasn't been since Windows 98. The claim doesn't even make sense - if your user, privileged or not, can read or write files, that means malware can modify the filesystem. The OS has no mechanism for making this easy to detect relative to any other OS. CryptoLocker would run with absolutely no problems on OS X if someone ported it.

Remember, you don't need administrative privileges to destroy everything belonging to the user, which is most things you care about. And even if you do, elevating is trivial on both Windows and OS X.

Java and Flash behave no differently on OS X than Windows. They are no more or less of a hole in either OS. In fact, there are more protections against Java and Flash bugs on Windows. There just also happens to be more attacker investment in those platforms as well.

> but Java and Flash still provide viable vectors to bypass it and infect a Windows machine.

...Unlike Mac which doesn't have Java or Flash?

The key word here is "viable."
>Now that Mac OS X has hit about 7% of internet users, it's profitable enough for adware/malware folks to target.

I keep hearing these stats, and it's not true that a platform is hit based on how much share it has.

Share does affect the volume of the available malware, but not whether it exists or not. And for 10+ years on Mac it was nonexistent -- all such cases touted by the media were proven to be trojan horses, not viruses and such.

Contrast with Mac OS classic that was plagued by lots of viruses, despite having 2% market share at best at the time. Or even platforms like the Amiga and Atari -- viruses were prevalent.

Most of the issues Windows users encounter aren't viruses and the like that you're thinking of in the Mac OS classic, DOS and Windows 9x days of old. Those could self-propagate, infect apps, and be carried from user to user.

Most of the issues today are about money or reputation.

Adware and spyware makes money for the publisher, so they target areas where they can do that. It's actually legal and semi-legitimate. It's an annoyance for the end user, of course. A freeware publisher doesn't make any money from their app but they can make money from bundling an ad replacer, search engine replacer, browser extension, etc with their free software. So, they do.

Malware follows the same trail. You can distribute cracked software online over torrents like Photoshop and the like but sneak your remote-controllable malware into it. Then you get more installs you can use to direct a DDoS bot attack or to watch for and steal financial details from the local machine. Maybe look for the default install of a cryptocurrency client and grab the local wallet, for instance. Note that this is more difficult on both modern Windows and modern Mac than it was back in the days of Mac classic.

Most adware/malware are trojan horses... I don't think anyone is implying different... the fact of the matter is, it's annoying, and it's as effective against OSX users as it is with Windows users... or possibly more so.

I don't install too much outside a package manager in any OS... just the same, it is a pretty significant issue.

>just the same, it is a pretty significant issue.

Not sure how significant. Haven't seen anything in the wild on OS X -- and I do install lots outside of package managers...

I've seen a few nasty browser trojans on OSX installs with friends/family... it's really weird to see them actually... one I noticed/found when I asked a friend to pull something up on amazon and saw extra ads...

A few on windows are doing transparent proxies, which are pretty nasty (not just the lenovo one).

We've heard for years that Macs are overpriced, that their owners overpay for style over substance. The "rich but stupid" demographic seems like an ideal target, even if they only made up 1% of Internet users. Banks make up less than 1% of businesses but people still specialize in robbing them.

I don't believe the "overpriced Mac sheeple" meme at all, but there always seemed to be an overlap between people who dismiss them as "safe because they're so rare" and "Apple tax LOL" critics. That always struck me as an interesting dichotomy.

> It wasn’t that long ago that you could install almost anything for OS X from almost any website, and you didn’t really have to worry about what you clicked on.

Full stop. That's a ridiculous statement to make. Are we really pining for a return to such an oblivious mentality? Good riddance.

But it was true; many years ago it was prevailing wisdom that Macs were just virus and spyware free.

I'd like to think most technical people realized that Mac was simply not popular enough to be targeted. But most users were simply under the impression their choice of OS was magically protected. From article: "Since it is actually Unix under the hood, OS X has some native protection against the worst types of viruses." Hey look, it's got Unix, I'm totally safe.

It's a true statement though. OS X users avoided malware by there not being malware, not by being smarter or being protected.
It's along the lines of "Not long ago I could back out of my driveway without even looking, but now my new neighbor's kids play in the street."

I will stipulate it's a true statement. Still foolish.

Uhm, Apple had an entire campaign about it. "No worries about viruses and other things affecting PCs!"
Breaking news: Free download sites like Download.com are shit. More at 11.
"We’d love to see Apple fix some of the App Store issues and make everybody use it."

I agree with the first part of this but not the second.

That's a really damning Yahoo screenshot and it matches my experience pretty well. Yahoo is not an acceptable search platform and I'm really confused about why Mozilla thinks otherwise.
Money
I click on all MacKeeper ads I see, repeatedly

Let the fuckers pay for that

You see ads?
Sometimes when I run without Ad blockers...
I've been a Mac developer since 1984 and the last time I ever saw a virus was 1988 I think. It's not impossible to get irritation-ware if you download random crap from these download sites but genuine malware is extremely difficult to produce. Saying "Mac OS X Isn’t Safe Anymore: The Crapware / Malware Epidemic Has Begun" is beyond stupid.
By "difficult to produce", do you mean difficult to find? If you mean difficult to develop, it's actually very straightforward, and no different from Windows.
As a Mac user who migrated from Windows, I had no doubt that it was only a matter of time before Macs became more lucrative targets. Anyone who thinks that their OS of choice is unassailable is fooling themselves.
"If you do stick to the App Store, you have nothing to worry about. We’d love to see Apple fix some of the App Store issues and make everybody use it."

Yeah, that'd be just awesome.

Devil's advocate here:

That could just be the default, and the user could disable it. On Windows 8/8.1 the default is for the "SmartScreen Filter" to block "unrecognised" applications from being run or installed. See their FAQ [0]. It can be disabled however.

If someone is smart enough to be installing applications from third party sources themselves, then they're smart enough to flip a switch in a Preferences panel to enable it.

However this does protect the lowest common denominator who these malware are actually targeting (i.e. computer illiterate individuals who will click ads in search results).

[0] http://windows.microsoft.com/en-us/windows7/smartscreen-filt...

If it can be disabled, I'm less bugged by it. It's still a lot of friction for the acceptance of open source apps and other "not really appstore-compatible" projects, though.
Apple was never good at security, they just weren't a big target. Now they're both bad at security AND a big target.
OSX will become a walled garden just as iOS. I am personally happy for that, many developers will return to Linux.
Apple knows that their computers are a favorite amongst developers. No way would they do that.

Apple already made their move and it was a nice compromise called Gatekeeper.

Isn't that kind of cynical? If Linux on the desktop was compelling, they wouldn't have left in the first place.
Recently was surprised to discover that the official uTorrent distribution, downloaded straight from utorrent.com, has some Spigot stuff in it. Was I tricked somehow or pre-hijacked already into downloading a non-authentic installer, or do they make money that way now—not yet completely sure.
Pretty sure the "Allow apps downloaded from:" has been set to "Mac App Store and identified developers" since 10.8? Maybe 10.7?
This is a big problem. Are there browser extensions that can block crapware?