Friday, September 26, 2008

Closure!

More than a year after the fact, I found the answer to the hacking of my PC: the article SubVirt: Implementing malware with virtual machines. Reading this article, I instantly recognized the symptoms in the proof-of-concept described in it as identical to what I had experienced. A virtual machine monitor (VMM), running on a system such as VMware or Virtual PC, had supplanted my existing operating system, making it the guest (virtual) operating system running virtually in a directory of my hard drive. This was done by changing the boot routine at startup. After an initial reboot upon infection, the VMM is run as the core operating system, with the virtual operating system loading directly afterwards. A barely noticeable lag results upon bootup. Small differences will be noticed by the observant user, however. When a user attempts to shut down their infected system, the virtual machine instead puts the computer into a hibernation mode, and makes it appear as if the computer has shut down. (It is only upon an actual reboot that a user can detect the virtual machine malware, reinstall the operating system, etc.) Since the machine is running a virtual operating system, any antivirus or antispyware utilities can be made to look like they are working, when they are in fact doing nothing. I urge anyone who has experienced any problems such as the ones I've described in this blog to check out the SubVirt article. It describes in detail how to circumvent and prevent these attacks. I'll say again for the record that for the last year and a half, running a MacBook, I've been rid of these problems. Windows computers seem to be extremely vulnerable to this difficult-to-diagnose and difficult-to-eradicate attack. Good luck.
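One of the defences the SubVirt paper describes is checking the boot record from a trusted boot medium, since the VMM has to change the boot routine to load itself first. The following is an added example (it is not code from the paper or from this blog) of such a check: it parses a 512-byte MBR, hashes the boot-code region, and compares it and the partition table with a saved baseline. The MBR images and partition entries are constructed for the demo; reading the real record means opening the raw disk device after booting from clean media, because a VMM sitting under the guest can hide the change from reads made inside the guest.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}

def check_against_baseline(mbr: bytes, baseline: dict) -> list:
    """Return findings; an empty list means the boot record matches the saved baseline."""
    cur = parse_mbr(mbr)
    findings = []
    if not cur["signature_ok"]:
        findings.append("MBR signature 0x55AA missing")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR image for the demo (not a real boot loader)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return code + table + SIGNATURE

# Constructed sample images: the clean record saved as a baseline, and a record whose
# boot code has been swapped out while the partition table was left untouched.
CLEAN_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8 os loader (constructed)", [(0x80, 0x07, 63, 2_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90 vmm loader (constructed)", [(0x80, 0x07, 63, 2_000_000)])

if __name__ == "__main__":
    print(check_against_baseline(CLEAN_MBR, BASELINE))     # []
    print(check_against_baseline(TAMPERED_MBR, BASELINE))  # ['boot code changed since baseline']
```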

Tuesday, September 23, 2008

3 Essential Mac OS X Security Software Programs for PC Converts (Part 2: Little Snitch)

Mac OS X Leopard has a fairly decent built-in firewall, but it's an incoming firewall, protecting you from the dangers from the outside (and it's turned off by default, which blows my mind). It does not prevent trojans already installed on your computer from sending all your data to a zombie computer somewhere in the cloud. You'll remember that Windows XP had the same problem, leading to the proliferation of excellent third-party products like my favorite, ZoneAlarm. Microsoft claims that Vista now offers outbound firewall protection, but as I (and I am sure many users) can attest, it's virtually worthless. Don't just take my word for it; read the article at PC World. In all fairness, I should say that OS X does have the capability to turn on an outbound firewall using ipfw, but that requires Unix coding, much too advanced for me, and most of you I'd guess. So, what software can Mac users use to plug this security hole? While there are many out there, and I've tried a bunch, my favorite by far is Little Snitch.


In essence, Little Snitch complements the inbound firewall in the Mac OS X operating system. That firewall prevents hackers from getting in. Little Snitch, meanwhile, prevents applications from sending data outside your computer without being authorized. Certainly, there are many applications that will want to access the internet at any time for a variety of legitimate reasons. Many applications perform automatic updates, for example, and many others "phone home" to their developer to verify that you don't have a pirated product. But suppose, God forbid, you were infected with malware from a torrent site, for instance, or something else that occurred before you figured out you were required to turn on the OS X firewall (it's turned off by default -- come on Apple, I just don't get that). Or even something more mundane: suppose your jealous significant other has installed keyloggers and other spyware on your system (of course, he'll surely burn in hell, but that won't help you right now). Without an outbound firewall, malware could be sending just about your whole computer's contents to someone in Kazakhstan and you'd never know it. Enter Little Snitch.

The main screen of Little Snitch is the Configuration panel, shown above. Little Snitch is rule-based, with several rules pre-made to keep you from screwing things up on your Mac. Those rules are locked. You can unlock or lock rules at any time. The lock just prevents accidental changes to important rules. As a new program starts to access the internet, Little Snitch interrupts it, and a pop-up screen asks you if you want to allow or deny that access, and at what degree you want to allow or deny (specific ports, domains, types of connections, etc.). The configuration panel shows in red text software that has been deleted, so you can delete those rules if you want. Some programs will have multiple rules, leading you to perhaps give a higher level of clearance to that program (on my computer, for example, the constant jumping around of Skype to different domains every few seconds eventually forced me to set its rule at "Allow any connection". I just hope that doesn't come back to bite me on my butt.) Other programs I use have twenty rules with as many domains or IP addresses. In such cases, perhaps allowing that program access to port 80 would be sufficient.
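To make the trade-off between a blanket "Allow any connection" rule and a narrow port-80 rule concrete, here is an added example (written for this post, not Little Snitch's own code) of a first-match outbound rule evaluator. The Rule fields, the "ask" default for unmatched connections, the locked flag and the whole rule set are constructed assumptions for the demo; the application names, hosts and ports are likewise made up.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass(frozen=True)
class Rule:
    app: str                    # application the rule belongs to
    action: str                 # "allow" or "deny"
    port: Optional[int] = None  # None = any port
    host: Optional[str] = None  # None = any host; glob patterns such as "*.example" allowed
    locked: bool = False        # locked rules are protected against accidental edits

    def matches(self, app: str, host: str, port: int) -> bool:
        return (self.app == app
                and (self.port is None or self.port == port)
                and (self.host is None or fnmatch(host, self.host)))

def decide(rules: list, app: str, host: str, port: int) -> str:
    """First matching rule wins; with no match the user would be prompted ("ask")."""
    for rule in rules:
        if rule.matches(app, host, port):
            return rule.action
    return "ask"

def remove_rule(rules: list, rule: Rule) -> list:
    """Return the rule set without `rule`, refusing to touch a locked rule."""
    if rule.locked:
        raise PermissionError(f"rule for {rule.app} is locked; unlock it first")
    return [r for r in rules if r != rule]

# Constructed rule set mirroring the choices discussed above: a blanket allow for Skype,
# a port-80-only allow for a browser with a deny placed ahead of it, and a locked system rule.
RULES = [
    Rule("ntpd", "allow", port=123, locked=True),          # pre-made, locked system rule
    Rule("Skype", "allow"),                                # "Allow any connection"
    Rule("Firefox", "deny", host="*.tracker.example"),     # denies are evaluated first
    Rule("Firefox", "allow", port=80),                     # plain web traffic only
]

if __name__ == "__main__":
    print(decide(RULES, "Skype", "203.0.113.9", 6667))          # allow: the blanket rule lets anything out
    print(decide(RULES, "Firefox", "ads.tracker.example", 80))  # deny
    print(decide(RULES, "Firefox", "www.example.org", 80))      # allow
    print(decide(RULES, "Firefox", "203.0.113.9", 6667))        # ask: the port-80 rule does not match
```

The point the Skype case makes: once a rule says "allow any connection", a trojan that runs under that application's name gets the same free pass, which is why the narrower port-80 rule is the safer default where it works.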

The menu bar on the Mac OS X screen shows a Little Snitch icon that displays a popup of activity when an application tries to access the internet. It can be somewhat disconcerting to the average Mac user, since many of the program names are operating system components that could mean anything and scare people who don't know better, and because the nagging popup is nearly constantly appearing. You can, however, turn that feature off, which I have.

It's a program that can really be learned through trial and error. Rules can be changed at any time or reset to the original rules to start over. For the sake of privacy, and based on my knowledge and personal history with the real danger of malware and hackers, Little Snitch is worth every penny.



VirusTotal Report: Trojan.ByteVerify

VirusTotal's report on my uploaded virus was instantaneous and presented me with the following report on the virus that Symantec.com dubbed Trojan.ByteVerify (each antivirus vendor has slightly different names for the universe of viruses):

File ms03011.jar-3847f8dc-50961bb6.zip received on 06.30.2008 14:04:16 (CET)

Antivirus            Result
(Version and Last Update columns were blank in the report; "-" means no detection)

AhnLab-V3            -
AntiVir              EXP/Java.Bytver.5.B
Authentium           Java/Trojan!8746
Avast                JS:ClassLoader-7
AVG                  Java/ByteVerify
BitDefender          Trojan.Exploit.Byteverify.V
CAT-QuickHeal        -
ClamAV               Java.Openconnection
DrWeb                VBS.Siggen.1989
eSafe                Trojan-Downloader.Ja
eTrust-Vet           Java/ByteVerify!exploit
Ewido                -
F-Prot               Java/Trojan!8746
F-Secure             Trojan-Downloader.Java.OpenConnection.ao
Fortinet             Java/ClassLoader.AU!tr
GData                Trojan-Downloader.Java.OpenConnection.ao
Ikarus               -
Kaspersky            Trojan-Downloader.Java.OpenConnection.ao
McAfee               Exploit-ByteVerify
Microsoft            Exploit:Java/ByteVerify.C
NOD32v2              Java/TrojanDownloader.OpenConnection
Norman               -
Panda                Exploit/ByteVerify
Prevx1               Cloaked Malware
Rising               Trojan.DL.Java.Jadoler.a
Sophos               Troj/ByteVeri-X
Sunbelt              -
Symantec             Trojan.ByteVerify
TheHacker            -
TrendMicro           JAVA_BYTEVER.BJ
VBA32                Trojan-Downloader.Java.Agent.a
VirusBuster          Java.DL.OpenConn.C
Webwasher-Gateway    Exploit.Java.Bytver.5.B



Symantec says the virus infects only computers using Microsoft's operating system (no surprise there), but my philosophy is that viruses are like cockroaches: kill them just because.

3 Essential Mac OS X Security Software Programs for PC Converts (Part 1: Clam Xav 1.1)

Coming from a PC background, I'm a bit paranoid when it comes to computer security. It was a bit disconcerting for me to find not only the dearth of security products for Macs, and the lack of marquee names (McAfee VirusScan and Webroot's SpySweeper, for instance) that even produce security products for Macs, but also the prevailing attitude among longtime Mac users that security products, specifically antivirus programs, are basically unnecessary in a Mac environment. (I personally believe this is a false sense of security, although there is some truth in that assertion, but that will be the subject of another article.)

When I first purchased my MacBook, as a PC convert, I asked the salesman what I've since learned to be the most common question PC users ask when switching over to Macs: What security products should I use? The only product name given to me by the helpful Mac store sales rep was MacScan, an anti-spyware program (currently $29.99 for a single license from http://macscan.securemac.com/buy/). No antivirus program was recommended at all, and my initial research indicated that, at the time, the commercial programs for Macs (specifically Norton) had bad ratings and were used by very few people.

Welcome to the Mac Paradigm! I was also a bit shocked that my favorite financial software, Quicken, was essentially useless (at the time at least) on the Mac platform. Reviews were dismal. In the Mac Universe, most of the quality software in any given area is produced by names you've never heard of. Finding what's worth the money is a little bit of a challenge. Of course, these programs for the Mac by smaller developers also tend to cost less, so there's an upside to this phenomenon. But I digress.

After spending a while with my Mac, I settled on the following three security programs that I find indispensable, especially if you're a worrywart (as most of us who had PCs tended to be): the aforementioned MacScan; a free antivirus application called ClamXav (you'll forgive the naming of this little gem. That's what you get when your marketing budget is $0); and Little Snitch ($29.95 for one license), an outbound firewall program whose closest analogous PC program is probably ZoneAlarm (also free for the PC). This posting focuses on ClamXav.

ClamXav 1.1 Review (Mac OS X)


The user interface of ClamXav is very utilitarian, and the initial warning when loading the program each time is a bit jarring. If I can paraphrase, it basically says "Back up all your data before using me. You got this for free, so don't expect tech support, or any kind of restitution if things go wrong." The program preferences deserve tweaking in order to get the program to actually do anything. The default settings at the very least will not harm your system.

ClamXav's icon displays in the OS X menu bar, so you can easily access the program to perform occasional real-time searches, or see the progress bar scanning files that have been added to or changed in your watch folders. This is pretty cool and definitely helpful.

ClamXav has some limitations. Chief among them, and mentioned on several popular websites, is the speed at which scans are performed compared to commercial programs in this field. But its virus definitions are updated daily, and the reports I've read say that its ability to find viruses rivals or betters those you'd spend $60 on [citation needed]. Unlike the antivirus solutions in the PC universe that I was used to, ClamXav does not have real-time scanning capabilities, except for the folders you select in what the program terms "Folder Sentry". I have my Downloads folder set to be scanned as items are put there, and that's about it. There is an option to delete or quarantine viruses upon detection, but that option is turned off by default, and is not recommended if you plan to scan e-mail (also turned off by default). Indeed, a quick Google search of ClamXav technical issues will lead to some quite disturbing issues people have had with the program deleting their entire inbox. So conservative settings of the program preferences have the end result that emails are not scanned upon arrival for infected messages. I have mine set to Not Scan Email, and to Quarantine (versus Delete) any found viruses. That is what I recommend, especially because false positives do happen.

Once a virus is found and moved to the quarantine folder, what does that mean exactly? Generally speaking, any or most found viruses will only be able to infect PC Users (or so I've been told by complacent Mac users), but does that mean I can just delete the file with impunity? Or, for that matter, leave them on my computer with impunity? I am still trying to figure that out. For my own edification, I'm going to submit the virus I recently found (the first in a year), a little ditty called "ms03011.jar-3847f8dc-50961bb6.zip" to a site I just discovered called Virus Total for analysis. Results of the analysis will be forthcoming.

You'll want to perform full system scans regularly (I scan the directory "/Users/[myusername]".) That's how I found the potentially harmful file above. Somehow it appeared in the Java system files without my knowledge. (Maybe it was that pirated version of Sim City 4 I downloaded. I guess I'll never learn my lesson.) Full scans do take quite a long time, but affect the performance of my MacBook only modestly.

For now I see no reason to spend a lot of money on commercial antivirus programs for my Mac when ClamXav does just about everything I need, for the right price.