Matasano Chargen - Latest Comments in The Silly New Mac OS X Trojan or HoHum.A

Re: The Silly New Mac OS X Trojan or HoHum.A

Hal B — Wed, 07 Nov 2007 20:58:26 -0000

This story was recently picked up by the Onion.

http://www.theonion.com/content/amvo/new_trojan...

Re: The Silly New Mac OS X Trojan or HoHum.A

Thomas Ptacek — Mon, 05 Nov 2007 08:38:24 -0000

It's not free. It takes effort to deploy and maintain it.

Re: The Silly New Mac OS X Trojan or HoHum.A

zazou — Mon, 05 Nov 2007 05:30:35 -0000

Gadi Evron being a fame whore again? BREAKING NEWS!

Re: The Silly New Mac OS X Trojan or HoHum.A

JP — Mon, 05 Nov 2007 04:43:47 -0000

well, I dont think the OP was talking AV, but since you asked..

why not "invest" in teh free clamXav?

Re: The Silly New Mac OS X Trojan or HoHum.A

Thomas Ptacek — Sun, 04 Nov 2007 20:45:49 -0000

Security and cost are two sides of the same coin. You have finite resources. There are more countermeasures available to you than you can afford.

What should you invest in? OS X antivirus? No? Then what point are you making?

Re: The Silly New Mac OS X Trojan or HoHum.A

JP — Sun, 04 Nov 2007 14:27:00 -0000

AV is pretty useless. I would say invest in making your browsers and mail clients secure, invest in hardening your OS, invest in training your end users, invest in blah, blah, yadda, yadda, etc, etc,....

Waiting until its "worth it" to invest in security means you have to be compromised many times over before you will get a good ROI. Of course a single compromise can lead to a string of misdeeds that can cost a company hundreds of millions. This was TJX's plan, and look where it got us.

-JP

Re: The Silly New Mac OS X Trojan or HoHum.A

Thomas Ptacek — Sun, 04 Nov 2007 12:13:29 -0000

By your logic, JP, we should all invest in Linux antivirus.

Re: The Silly New Mac OS X Trojan or HoHum.A

JP — Sun, 04 Nov 2007 12:03:16 -0000

You said something unbelievably stupid:

"To this day, I am not entirely convinced that it makes sense to invest in security before it costs you."

So you are saying you should wait until after blaster hits before investing in security?

sheesh

Re: The Silly New Mac OS X Trojan or HoHum.A

Lori — Fri, 02 Nov 2007 17:52:53 -0000

"What unpatched vulnerabilities is he referring to?"

The users who find it ok to run questionable files on their machines. We forgot to create a patch for them. Would this be like a nicotine patch?

Re: The Silly New Mac OS X Trojan or HoHum.A

sigsegv — Fri, 02 Nov 2007 16:05:02 -0000

Once again, Gadi Evron has shown himself to be quite the "expert" (read: Fat guy with a CISSP cert who gets beer cans thrown at him at DEFCON). While I am by no means a fan of Mac OS X, Gadi's claims are simply insane. While malware that requires user interaction can produce a decent yield (think Storm Worm), I don't see this one getting a +10,000 userbase anytime soon. It really all comes down to what type of people watch pr0n, and what percentage of those will be surfing on a Mac running OS X, as opposed to their parents' Windows XP Home Edition box. Don't quote me on that though, I don't run a pr0n site and can't conduct an analysis of useragents used by visitors, nor do I have the type of statistical data avalible to me that AV vendors and the HoneyNet research alliance do ("Hey, looks like the .br and .ro kiddies are ./sshbrute'ing again...).

Perhaps I'm missing something here, but Gadi's comment seems to be the work of a half-brained moron, rather than a BugTraq $uper$tar. Oh well... what can you do...

Oh, and for the record, I'm not saying that there will not be a yield for this trojan; I'm just saying we're not talking OpenSSH remote root 0day here. Or xnu remote root 0day. Whatever.

Re: The Silly New Mac OS X Trojan or HoHum.A

Thomas Ptacek — Fri, 02 Nov 2007 14:07:55 -0000

It's complete nonsense.

There is very little about the "Unix architecture" that makes Unix safer than Win32.

The distinction people are actually talking about is not "Unix vs. Win32". It's "single user environment" versus "server environment".

From a security perspective:

OS X has more in common with Windows XP SP 2 than it does with Solaris 10.

Windows Server 2007 has more in common with Solaris 10 than it does with Windows XP SP 2.

Re: The Silly New Mac OS X Trojan or HoHum.A

Just out of curiosity... — Fri, 02 Nov 2007 13:57:03 -0000

Whats your opinion about this ?

http://www.blackfriarsinc.com/blog/2007/11/mac-...

Re: The Silly New Mac OS X Trojan or HoHum.A

dragonfrog — Fri, 02 Nov 2007 02:19:17 -0000

One thing I find interesting is that the blogs are just writing about the behaviour of the preinstall and postinstall scripts. They don't mention anywhere that I've seen, what the plugin itself actually does put a plugin bundle in /Library/Internet Plugins/. But no one describes what this plugin does.

In general, this thing is the most well-behaved malware installer I've seen - nice clean well-indented perl scripts with explanatory variable names and all. So I can't imagine they'd have obfuscated the function of their plugin either.

Re: The Silly New Mac OS X Trojan or HoHum.A

jjarmoc — Thu, 01 Nov 2007 20:58:19 -0000

Thanks for bringing some sanity to the discussion of this trojan. From the way this is playing out elsewhere, you'd think we had a full blown self-replicating virus which required no user intervention.

The most secure systems in the world can't defend against user ignorance...

Re: The Silly New Mac OS X Trojan or HoHum.A

Alex — Thu, 01 Nov 2007 20:26:17 -0000

Well, he's a little better than SC Magazine's Dan Kaplan who originally wrote the following today:

"I just IM’d my buddy Ryan, who has a Mac, to determine whether he runs AV on his machine. His response: “I don’t think so.”

Mac users are so arrogant and clueless about security, they don’t even know if they have AV installed in the first place. I love it.”

So I suppose that makes us clueless about security, huh?

Re: The Silly New Mac OS X Trojan or HoHum.A

tim — Thu, 01 Nov 2007 20:12:36 -0000

What is it with Windows 98 anyways? Somebody compared the iPhone to it a few weeks ago. Why not 2000? Or Redhat 9? Two OSs that were more full of holes when released than 98.