A new set of Mac malware threats has emerged in the Mac world, albeit without causing more than some annoyance and tedium on the part of the victims.
I’m not going to get into the details of the various implementations of these attacks, as that takes up a fair bit of space, and there already are some great articles that you can read to get solid information about the various attacks. Check out this eSecurityPlanet article, along with this article and this one.
So with a plethora of information available on the malware itself, there’s little need for me to go and detail that. Instead, I thought I should talk about how to protect yourself from these and other threats. Up front, neither Leap-A nor Inqtana is particularly evil.
Leap-A seems to have some bugs in it that keep it from being worse than it is. However, its existence should be taken as motivation to examine how you protect your Macs from malware.
For Windows administrators, malware is a (very annoying) constant part of their day. Mac administrators have been, to date, lucky in that Mac OS X does not lend itself to perversion as easily as Windows XP and earlier versions. Add to that the fact that, for any number of reasons, including a small user population and less venom directed at Apple than at Microsoft, Mac OS X just hasn’t been a target.
I’m not going to say the world has changed and now it’s a war zone in Macland, but Mac administrators, in general, should, if they aren’t already, take malware prevention more seriously.
There are two aspects to this: technical and human.
The technical side is, as usual, much simpler.
First, disable Safari’s "Open 'safe' files after downloading" setting. It’s on by default, which is extremely silly of Apple. In fact, that setting shouldn’t exist, as there is no such thing as a safe file. The shell script that will wipe out your home directory or your hard drive is a text file. There are no safe files.
If you are in an Open Directory environment, you can use Workgroup Manager’s "Managed Preferences" feature to push that setting out to all your Macs so it can’t be overridden. If you are using Apple’s Mail, I’d consider switching to another mail program, at least temporarily. The problem with Mail is that it allows you to open a file with a single click, and there’s no warning from the application to give you a second chance to cancel that action. Neither Thunderbird nor Microsoft Entourage allows this, so you might want to think about switching until Apple fixes that. Yes, you may lose integration with the Mac OS X Address Book and iCal (well, temporarily in the case of Entourage, since Microsoft announced that Sync Services support will be available in March of this year), but there are ways to deal with that. Mail’s attachment behavior here is simply not wise, even on a Mac.
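For admins who would rather check and fix the Safari setting from a shell (over SSH, or in a login script) than click through the preferences on every machine, here is an added example that is not part of the original post. It assumes a Mac with the standard `defaults` tool, and relies on the com.apple.Safari preference key `AutoOpenSafeDownloads`, which is the key behind the "Open 'safe' files after downloading" checkbox. Safari stores the checkbox as a boolean, which `defaults read` prints as `0` or `1`; the script treats a missing key as "on", because that is Safari’s default.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS and the
# `defaults` tool; the preference key AutoOpenSafeDownloads in
# com.apple.Safari is the one behind "Open 'safe' files after downloading".

# Interpret a value as printed by `defaults read`.
# Returns 0 when auto-open is OFF (the safe state), 1 when it is ON,
# 2 when the value is something we do not recognise.
classify_auto_open() {
    case "$1" in
        0|false|FALSE|no|NO)   return 0 ;;
        1|true|TRUE|yes|YES)   return 1 ;;
        *)                     return 2 ;;
    esac
}

# Read the live setting for the current user. If the key has never been
# written, `defaults read` fails; Safari's default is "on", so report 1.
current_auto_open() {
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || v=1
    printf '%s\n' "$v"
}

# Audit the setting and, with --fix, turn it off.
# Exit status: 0 = already safe, 1 = auto-open was on (fixed only if asked).
audit_safari() {
    val=$(current_auto_open)
    if classify_auto_open "$val"; then
        echo "OK: Safari will not auto-open downloaded files"
        return 0
    fi
    echo "WARNING: Safari auto-opens 'safe' downloads (AutoOpenSafeDownloads=$val)"
    if [ "${1:-}" = "--fix" ]; then
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
        echo "Fixed: AutoOpenSafeDownloads set to false (restart Safari to apply)"
    fi
    return 1
}

# Run directly as:  sh safari_safe_downloads.sh --audit   (or --fix)
case "${1:-}" in
    --audit|--fix) audit_safari "$1" ;;
esac
```

Note that `defaults` writes the per-user preference, so the check has to run as (or for) each user who browses on the machine; a user can also simply turn it back on. That is exactly why the post recommends pushing the setting through Managed Preferences in an Open Directory environment, where it is enforced rather than merely suggested.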
Another obvious method of dealing with these problems is anti-virus (AV) software.
While a lot of Mac administrators eschew AV software, the fact is that, while it will never be perfect, it is a valid tool for adding another layer of protection to your network. Using AV software on both servers and desktops will help decrease the ability of malware to spread unchecked.
For servers, especially email servers, ClamAV, included with Mac OS X 10.4 Server, is an excellent choice. (It’s less useful on the desktop, as it doesn’t handle macro viruses well at all.) On the desktop, depending on the number of desktops you have to protect, things like Intego VirusBarrier, Sophos Anti-Virus, or McAfee’s Virex are excellent choices.
Yes, I know Symantec makes AV software for the Mac. However, while their Windows products are still reliable and solid, the same simply cannot be said about their Mac OS X line. I’ve yet to see a release of Norton Anti-Virus for Mac OS X that didn’t create more problems than it prevented, so I can’t recommend its use on the Mac.
One potential problem with most AV software for the Mac is the lack of a good central management console. However, if you use Apple Remote Desktop, you can take care of most of the duties you’d use a management console for anyway, and gain a lot of additional tools as well.
Education is a Must
Those are, however, purely technical solutions. They’re good, but you’re going to have to deal with user education as well.
This is always the worst part of a sysadmin’s job, but without it, the technical protections you implement stand a good chance of being somewhat useless. In this case, I would recommend one clear message: There are no safe files, no matter who they are from.
Even if a file is coming in from your Aunt Petunia on iChat, don’t assume it’s safe. Don’t assume that she meant to send it to you. If she’s infected, she may not really be sending you that file. A file from Grandma in email? Scan it anyway. Check it out. Never, ever, ever assume any file is inherently safe. This is a hard-learned lesson from the Windows world. Let’s try to not go through what they did in the process. If you can get ”There are no safe files” to become a mantra on your network, you’re doing well.
Another issue is more slippery, and it concerns this request: "Please enter your administrator password". This is something that every Mac user does on a regular basis, and as a result, we’ve been trained to do it almost blindly whenever asked. It’s time to untrain ourselves.
If you can, just bypass the issue entirely: Don’t make anyone on a network an admin user without a clear need. On a corporate network, this is easy to justify. In a small business, this is harder to deal with. But the truth is that limiting administrator access on a Mac is a very effective way to prevent infection. If you have to run as an admin user, or allow others to, then make sure everyone with that access is familiar with what a legitimate password request dialog looks like. You can bring one up for yourself with a single line of AppleScript: do shell script "/bin/ls" with administrator privileges
This will bring up the authentication dialog. Expand the details section so you can see the right being requested and the full path to the application requesting that right. Make sure you’re familiar with legitimate uses of this so you can more easily spot the illicit ones. Only download software from known good sources. If available, use MD5 or SHA checksums to be sure what you’re running is what you think it is.
While some folks may think the sky is falling, they’re overplaying this a little. However, the "this isn’t a real problem" crowd is being unrealistic as well. This time, it isn’t a real problem.
But waiting for it to be a real problem before you start taking good, sensible steps to prevent similar problems is just not good sense. Neither panic nor denial is a useful reaction here. This was simply a warning that no OS or platform is bulletproof against malware.
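Checking a checksum is only useful if you actually compare it against the value the vendor published, rather than just glancing at it. The following is an added example, not something from the original post, of a small shell helper that computes an MD5, SHA-1 or SHA-256 digest of a downloaded file and compares it with the published string. It assumes either the GNU coreutils tools (`md5sum`, `sha256sum`) or the macOS equivalents (`md5`, `shasum`) are on the PATH, and the sample "download" it verifies is a constructed one-line file, with its known digest standing in for a vendor-published value.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a downloaded file
# against the checksum published next to it. Assumes GNU coreutils
# (md5sum/sha1sum/sha256sum) or the macOS tools (md5/shasum) are on PATH.

# Print the lowercase hex digest of file $1 using algorithm $2
# (md5 | sha1 | sha256), using whichever tool the platform provides.
digest_of() {
    file=$1; algo=$2
    if command -v "${algo}sum" >/dev/null 2>&1; then      # GNU coreutils
        "${algo}sum" "$file" | awk '{print $1}'
    elif [ "$algo" = md5 ]; then                           # macOS md5
        md5 -q "$file"
    else                                                   # macOS shasum
        shasum -a "${algo#sha}" "$file" | awk '{print $1}'
    fi
}

# Compare the file's digest with the published value (case-insensitive).
# Returns 0 on a match, 1 on mismatch or unreadable file.
verify_checksum() {
    file=$1; algo=$2; expected=$3
    if [ ! -r "$file" ]; then
        echo "FAIL $file: cannot read file" >&2
        return 1
    fi
    actual=$(digest_of "$file" "$algo")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK   $file ($algo matches published value)"
        return 0
    fi
    echo "FAIL $file: expected $expected, got ${actual:-<none>}" >&2
    return 1
}

# Demonstration on constructed data: a one-line stand-in for a download,
# its known SHA-256 as the "published" value, then a tampered copy.
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello\n' > "$tmp"
    published=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    ok=0;       verify_checksum "$tmp" sha256 "$published" || ok=$?
    printf 'x' >> "$tmp"                 # a single appended byte is enough
    tampered=0; verify_checksum "$tmp" sha256 "$published" || tampered=$?
    rm -f "$tmp"
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ]
}

# Usage:  verify_checksum Installer.dmg sha256 <value from vendor's page>
#         sh checksum_verify.sh demo
[ "${1:-}" = demo ] && demo
```

The published value should come from the vendor’s own page or announcement, fetched separately from the file itself: if both arrive through the same compromised channel, the checksum proves nothing. Where the vendor publishes more than one algorithm, prefer SHA over MD5, since MD5 is no longer considered collision-resistant.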
If a trojan does you real damage, does it really matter that it wasn’t a ‘traditional’ virus? Nope. Just take the common-sense steps that we all should be taking anyway, and you’ll be fine.