The Mac Observer

Intego Reports Spyware Found in Some Free Mac Apps [Updated]


According to the computer security company Intego, several Mac OS X-compatible applications and screen savers that are available for free include spyware that sends user information to remote servers. The list of infected titles includes several screen savers available from 7art-screensavers.

Intego’s OSX/OpinionSpy warning in VirusBarrier

In addition to siphoning off personal information and records of user activity, the spyware, dubbed OSX/OpinionSpy, monitors activity on all connected drives, opens network port 8254, relaunches itself if quit, and runs with root privileges. It also injects code into Safari, Firefox and iChat to monitor user activity.

The OSX/OpinionSpy malware has been identified in these screen savers from 7art-screensavers:

  • Secret Land ScreenSaver v.2.8
  • Color Therapy Clock ScreenSaver v.2.8
  • 7art Foliage Clock ScreenSaver v.2.8
  • Nature Harmony Clock ScreenSaver v.2.8
  • Fiesta Clock ScreenSaver v.2.8
  • Fractal Sun Clock ScreenSaver v.2.8
  • Full Moon Clock ScreenSaver v.2.8
  • Sky Flight Clock ScreenSaver v.2.8
  • Sunny Bubbles Clock ScreenSaver v.2.9
  • Everlasting Flowering Clock ScreenSaver v.2.8
  • Magic Forest Clock ScreenSaver v.2.8
  • Freezelight Clock ScreenSaver v.2.9
  • Precious Stone Clock ScreenSaver v.2.8
  • Silver Snow Clock ScreenSaver v.2.8
  • Water Color Clock ScreenSaver v.2.8
  • Love Dance Clock ScreenSaver v.2.8
  • Galaxy Rhythm Clock ScreenSaver v.2.8
  • 7art Eternal Love Clock ScreenSaver v.2.8
  • Fire Element Clock ScreenSaver v.2.8
  • Water Element Clock ScreenSaver v.2.8
  • Emerald Clock ScreenSaver v.2.8
  • Radiating Clock ScreenSaver v.2.8
  • Rocket Clock ScreenSaver v.2.8
  • Serenity Clock ScreenSaver v.2.8
  • Gravity Free Clock ScreenSaver v.2.8
  • Crystal Clock ScreenSaver v.2.6
  • One World Clock ScreenSaver v.2.8
  • Sky Watch ScreenSaver v.2.8
  • Lighthouse Clock ScreenSaver v.2.8


OSX/OpinionSpy has also been found in the MishInc FLV to Mp3 application.

The company initially planned to release its list of affected applications and screen savers on Wednesday, but published it early. Intego said it will update the list as it finds more compromised applications, and that the information will be available on its Mac Security Blog.

[Updated with additional information about compromised applications.]


19 Observer Comments

There is bad software out there, but we won’t tell you what it is. Buy our product to get rid of it.

Nice.

so it begins….

geoduck said on June 1st, 2010 at 11:22 AM (Edited: 01/26/2012 2:46 PM):

There is bad software out there, but we won’t tell you what it is. Buy our product to get rid of it.

Exactly.
Are they letting Apple know what this is? Are they letting the “variety of websites” know what this is? If not, this is just a rather crass marketing ploy until further evidence is released. Not that Mac Malware is impossible. It’s just that when the guy selling extinguishers is the one yelling ‘fire’ I’m a little suspicious.

most likely a “warez” website

MyRightEye said on June 1st, 2010 at 11:27 AM (Edited: 06/01/2010 11:35 AM):

Little Snitch will stop them. NEXT….

Lee Dronick said on June 1st, 2010 at 11:34 AM (Edited: 10/18/2011 6:20 PM):

most likely a “warez” website

From what I read it can also come from some VersionTracker downloads.

Is this coming as a separate file or is it hidden in a host download?

Intego makes the anti-virus software, not the software the mal-ware was found in.  They are simply reporting a list of infected 3rd party software.  Same thing Pandasoft, or Norton, or McAfee would do.

BurmaYank said on June 1st, 2010 at 1:38 PM (Edited: 06/01/2010 1:52 PM):

“Intego makes the anti-virus software, not the software the mal-ware was found in.  They are simply reporting a list of infected 3rd party software.  Same thing Pandasoft, or Norton, or McAfee would do.”

IMO, Norton/Symantec & perhaps to a lesser degree McAfee are the most notorious “guy(s) selling extinguishers ... yelling ‘fire’ ...” in the Mac OS house. That’s why I think one would be very well advised to be more than “... a little suspicious…” of this Intego announcement/come-on, especially if they never name names of guilty apps other than trivial screensavers or some obscure utility.

Still, it’s obviously good to know about this possible threat, so thank you, Intego.

Lee Dronick said on June 1st, 2010 at 1:51 PM (Edited: 10/18/2011 6:20 PM):

Clock screensavers? That was one of the first things I created using the Quartz Composer, not too difficult.

Little Snitch lets me block port 8254, so a big thanks to Intego

I’m glad to see they have released the list of compromised software.

I retract my previous statement.

If it runs with root privileges, doesn’t that mean that the user had to have input their admin password? Be careful where you get your downloads from, and who you tell your passwords to, because the floodgates from the windows world have been opened!

7art-screensavers.com is registered in Russia.

Mishinc.info is registered in Haifa, Israel.

None of the above files are available from Versiontracker.

Mac OS X, by default, disables the UNIX root account.  Unless you have deliberately activated it and know the password, this malware cannot run as root.  It may be able to run as an admin privileged account, but NOT as root.

But the basic warning is still there, watch out when you try to run free or stolen software, you are getting what you pay for!

Basically this is “Amish” malware. You are on your honor to bypass your built in safeguards and install it yourself despite all the warnings. The only thing better would be to write the code yourself that sends your information to Russia.

Mikuro said on June 2nd, 2010 at 7:50 AM (Edited: 06/17/2010 12:27 AM):

Mac OS X, by default, disables the UNIX root account.  Unless you have deliberately activated it and know the password, this malware cannot run as root.  It may be able to run as an admin privileged account, but NOT as root.

This is not quite right. It’s true that the root account is disabled in OS X (as well as several Linux distros). However, this only means that you cannot log in directly as root. It DOES NOT STOP YOU from executing programs as root, or even in accessing a root shell. You simply need to be logged in with an administrator account to do so.

OS X runs many processes as root. This is what happens behind the scenes every time you install a software update or do just about anything that asks for your administrator password. OS X actually doesn’t ask for your administrator password to do things administrators can normally do—you don’t NEED it for that if you’re already logged in as an administrator. It asks for your password to do things only ROOT can do.

I understand this might seem backwards, and frankly I agree. Using an administrator password to gain greater-than-administrator privileges IS counterintuitive. It’s a design decision with pros and cons. If you want more information, read up on “sudo”, which is what Mac OS X uses to let administrator users run programs with root privileges.

Try opening Activity Monitor and selecting “all processes” from the menu in the toolbar. Look at all those processes running as root!

Mikuro said on June 2nd, 2010 at 8:05 AM (Edited: 06/17/2010 12:27 AM):

This really was only a matter of time. We all know (or should know) that no OS is, or ever will be, immune to trojan horses—malicious programs that pose as something harmless. If you can write programs for a system, you can write malware for a system, and you can make it look innocuous. The fact that Mac software distribution is completely decentralized is a bit of a problem. On Linux, many users never use apps that aren’t in their distro’s own repositories, which are all vigorously tested and vetted. Mac users have nothing like that.

The fact that these screensavers are listed on respectable sites like macupdate.com is especially problematic. How can you know what’s safe and what’s not? Really, you can’t.

Will sites like MacUpdate and VersionTracker need to start vigorously testing every application submission? Hmm. I’ve always been wary of video converters, since so many of them are clearly made by shysters. But then again, what’s clear to me may not be clear to everyone.

I’ve been using Little Snitch for quite some time, and will probably never stop. However, Little Snitch is not perfect, and I believe it can be bypassed by savvy programmers (but I’m not sure, since I haven’t read up on it recently).

Try opening Activity Monitor and selecting “all processes” from the menu in the toolbar. Look at all those processes running as root!

Yeah, because the SYSTEM is doing it.  If YOUR process tries to do so, it’ll get a request for a password.  That’s why this malware needs a password.  And that is why I question how extensively they have tested the malware, because if you have not enabled root, you can’t run root processes even if you are running as admin.  That is why you have to run root processes in the terminal, using the sudo command, which requires the root password.  If root hasn’t been enabled, you can’t run root through your own process.  But the system can.  If this process can run root without a root password, it is doing a privilege elevation of some kind, which I haven’t heard of on the Mac yet.

But you need a password to install an app, even if you are running as an admin.

Which is my question here.  If you provide an admin password to allow this to be installed, how does it obtain root privileges?  It isn’t running as system, it has to run under your process id, right?

Mikuro said on June 2nd, 2010 at 12:29 PM (Edited: 06/17/2010 12:27 AM):

Ah. Well, there are a few ways to make a process run as root consistently without requesting a password each time. Now, I haven’t installed any of these things, so I don’t know how they work. Everything I say here is just about general possibilities, nothing specific to these trojans.

The exact mechanisms have changed from version to version of OS X, and I haven’t done tests to see what still works. I seem to recall setuid being disabled in Leopard or Snow Leopard, but I think LaunchAgents, or at least LaunchDaemons, can execute as root. You can definitely still use the NOPASSWD option in the sudoers file to allow you to use sudo to execute certain commands with no password, so any script that asks for your password once could edit that file to allow it to run anything as root in the future without asking for a password. The good news there is that it’s easy to see if that’s been done: just run “sudo cat /etc/sudoers” and see if anything’s amiss. Specifically, if you see “NOPASSWD” anywhere in the file, something is probably wrong.

Remember that once you enter your password for installation, that installer suddenly has free rein of your system. It could edit your sudoers file. It could install LaunchDaemons. It could even install a kernel extension without your knowledge (that’s a level of power even beyond root!).
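The behaviour the article attributes to OSX/OpinionSpy (a component that runs as root, relaunches itself if quit and listens on port 8254) and the sudoers NOPASSWD trick Mikuro describes above are all things you can check for from a terminal. The script below is an added example written for this page, not Intego’s detection logic and not code from any of the listed titles. The LaunchDaemon plist, sudoers file and lsof output it inspects are constructed samples with hypothetical names (com.example.screensaverhelper); on a real Mac you would feed the functions the contents of /Library/LaunchDaemons/*.plist, the output of `sudo cat /etc/sudoers` and the output of `lsof -nP -iTCP -sTCP:LISTEN`.

```python
"""Triage checks for the persistence and privilege tricks discussed above.

Added example; the three inputs below are CONSTRUCTED samples, not real
artifacts from OSX/OpinionSpy.  Names such as com.example.screensaverhelper
are hypothetical.
"""
import plistlib
import re

SUSPECT_PORT = 8254  # port the article says the spyware opens

# Constructed LaunchDaemon plist.  A LaunchDaemon with no UserName key is run
# by launchd as root; KeepAlive makes launchd restart it whenever it exits,
# which is exactly the "relaunches itself if quit" behaviour.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.screensaverhelper</string>
    <key>ProgramArguments</key>
    <array><string>/Library/Application Support/Example/helper</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed /etc/sudoers.  The last entry is what a dropper that was given
# the admin password once could append so it never has to ask again.
SAMPLE_SUDOERS = """# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# line a dropper could append after a single password prompt:
alice   ALL=(ALL) NOPASSWD: ALL
"""

# Constructed output of: lsof -nP -iTCP -sTCP:LISTEN
SAMPLE_LSOF = """COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv6 0x1234      0t0  TCP *:22 (LISTEN)
cupsd      60 root    7u  IPv4 0x2345      0t0  TCP 127.0.0.1:631 (LISTEN)
helper    482 root    5u  IPv4 0x3456      0t0  TCP *:8254 (LISTEN)
"""

LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s.*TCP\s+(\S+):(\d+)\s+\(LISTEN\)")


def audit_launchdaemon(plist_bytes):
    """Return human-readable findings for one LaunchDaemon plist."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "<no label>")
    findings = []
    if "UserName" not in job:
        findings.append(f"{label}: runs as root (no UserName key)")
    keep = job.get("KeepAlive")
    if keep is True or (isinstance(keep, dict) and keep):
        findings.append(f"{label}: KeepAlive set, launchd relaunches it if killed")
    if job.get("RunAtLoad"):
        findings.append(f"{label}: RunAtLoad set, starts at boot")
    return findings


def audit_sudoers(text):
    """Return (line_number, line) for every non-comment line granting NOPASSWD.

    Only the part before '#' is inspected, so '#include'/'#includedir'
    directives are skipped here; in a real audit also read /etc/sudoers.d.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if stripped and "NOPASSWD" in stripped:
            hits.append((n, stripped))
    return hits


def find_listeners(lsof_text, port=SUSPECT_PORT):
    """Return the processes in lsof LISTEN output that are bound to `port`."""
    found = []
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line)
        if m and int(m.group(5)) == port:
            found.append({"command": m.group(1), "pid": int(m.group(2)),
                          "user": m.group(3), "bind": m.group(4)})
    return found


def triage():
    """Run all three checks over the samples and return the combined report."""
    report = list(audit_launchdaemon(SAMPLE_PLIST))
    report += [f"sudoers line {n}: {line}" for n, line in audit_sudoers(SAMPLE_SUDOERS)]
    report += [f"{h['command']} (pid {h['pid']}, user {h['user']}) listening on "
               f"{h['bind']}:{SUSPECT_PORT}" for h in find_listeners(SAMPLE_LSOF)]
    return report


if __name__ == "__main__":
    for entry in triage():
        print(entry)
```

None of these findings proves infection on its own: plenty of legitimate LaunchDaemons run as root with KeepAlive, and an admin may have added a NOPASSWD rule deliberately. The point is that each of the behaviours the article lists leaves a visible trace that does not depend on a signature database, so the checks remain useful after the product’s definitions go stale.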
