Rixstep

Apple and the War on Stupidity

Too many manic chicken littles make a mess of things.



WORLD OF MAC (Rixstep) — As many a guru predicted, the Flashback botnet of some 650,000 unpatched Macs has caused a panic, with more and more eejits coming out of the woodwork.

And there's no sign of the stupidity abating. On the contrary: things are only now getting up to speed. The obstinacy of the clueless to embarrass themselves and bring about utter destruction seems unstoppable.


Stupidity should be painful, suggests philosopher Dali of Tokyo. And he's right. But it should be painful only for those who willfully choose to be stupid - not for anyone else. The carnage the world is presently witnessing doesn't work that way. The Technological will see to righting that wrong as much as possible.

To recap, for those who feel they may have come in harm's way:

  1. Fire up Terminal.app. If you don't know where it is, have your parent or guardian find it for you.

  2. Issue the following command from Terminal.app. This checks if your copy of Safari has been tainted.

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

  3. Issue the following command from Terminal.app. This checks if your entire login session has been tainted.

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

  4. You want to see a return of 'does not exist' in both the above cases. Any other reply means you got hit - and that you'll have to remove the infection on your own anyway.

    The domain/default pair of (Safari.app/Contents/Info, LSEnvironment) does not exist
    The domain/default pair of (~/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

You want those pairs to not exist because the malware is trying to inject rogue 'shared libraries' into your working environment. Those libraries, if loaded, will route you to a botnet command and control server and essentially make your Mac a zombie.
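As an added example (not part of the Rixstep article), a small shell script that wraps the two 'defaults read' checks above and classifies each reply. The function names are mine; 'defaults' prints its 'does not exist' line on stderr and exits non-zero when the key is absent, so stderr is merged before classifying, and the live checks only run where 'defaults' exists (i.e. on a Mac).

```shell
#!/bin/sh
# Added example, not from the article: runs the two `defaults read` checks and
# reports whether either location carries an injected-library setting.

# classify_reply REPLY -> prints "clean" when the key is absent, "suspect" otherwise
classify_reply() {
  case "$1" in
    *"does not exist"*) echo clean ;;
    *)                  echo suspect ;;
  esac
}

# check_key DOMAIN KEY -> runs the read (stderr merged), prints verdict and reply;
# returns 0 only when the key is absent
check_key() {
  reply=$(defaults read "$1" "$2" 2>&1)
  verdict=$(classify_reply "$reply")
  printf '%s  %s %s\n' "$verdict" "$1" "$2"
  [ "$verdict" = clean ] || printf '   reply: %s\n' "$reply"
  [ "$verdict" = clean ]
}

# run_checks -> exit status 0 only when Safari's Info.plist and the login
# environment file are both free of the injection keys
run_checks() {
  ok=0
  check_key /Applications/Safari.app/Contents/Info LSEnvironment || ok=1
  check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || ok=1
  return $ok
}

# Only run the live checks where `defaults` exists.
if command -v defaults >/dev/null 2>&1; then
  run_checks
fi
```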

The word is the Mac zombies are currently being used for 'clicks'. But of course they can be used for anything. Distributed denial of service attacks come immediately to mind.

Note that the 'excellent' removal instructions linked above do not show you how to actually remove the malware from your Mac, only how to disable it. But why worry? Most Mac users don't have a clue what they have on their HDDs anyway.

Further precautions.

  1. Protect Safari's Info.plist. This is probably best done after changing ownership to root. (There's also a pretty good chance this turkey only works on Safari.) The task is left as an exercise to the reader. Yes it's eminently simple.

  2. Protect your user root directory. Get rid of ~/.MacOSX first if it exists. This could be a major problem as odds are you're using 'Finder' and 'Finder' won't show you files like that without a settings fix. Then lock your user root with user and/or system flags and perhaps an ACL or two. This too is left as an exercise to the reader. And yes this too is eminently simple.

  3. Turn off Java, you stupid bloody moron. Consider removing it entirely. Apple won't even ship the crap anymore by default. And remember Apple's stellar track record when it comes to open source components. The reason only Macs are getting hit by Flashback is that all the other computers in the world were patched two months ago.

Two Days Ago

Joel Bruner dropped into the inbox right at the end of the egg holiday weekend.

Flashback, the word on every Mac-hater's / Mac-paranoiac's lips today... 'Do I have it? You heard? It's 600,000!'

Actually it's more by now. Joel sent along a magnificent link.

Anyway - wanted to share this:
http://news.cnet.com/8301-27076_3-57410654-248/web-tool-checks-if-your-mac-is-flashback-free/


And it is indeed a precious link.

Feeling a bit skittish about using a mostly-hidden Mac OS X utility and running lines of code to see if your Mac is one of the 650,000-some infected with the Flashback malware? There's a new tool that's much simpler.

Best to turn off your Cringe-O-Meter before visiting the link. It'll pin the needle and drive your cat crazy.

The 'mostly-hidden Mac OS X utility' this genius is talking about is of course Terminal. And it's hidden to the extent that it's in a folder - like all the other bloody applications on a Mac.

Joel comments.

You submit your Mac's UUID to Dr.Web and then they say they have mined the UUIDs from the botnet and see if you are on the list. If you are you get a Dr.Web light App store link, which is a free product. But is it just me or does that seem _stupid_? Hall of Monkeys? Or just good for a laugh? :D

Actually both. But Dr.Web haven't yet proven to be pure evil, so this is the most suitable place for now. Cheers Joel.

A Maze of Twisty Links All Alike

And the CNET link in turn leads to yet another link - back to 'Dr.Web' who refrained from customary up-sell tricks the other day when alerting the chicken littles about a bad bad program out there.

http://public.dev.Dr.Web.com/april/

Note the link goes to a directory index. So Dr.Web don't seem to be expecting too much else for the next few weeks.

Note the link doesn't use SSL. So whatever traffic you send to the site can be eavesdropped. From your provider, from their provider, from a man in the middle. Things like this happen, chicken littles. They happen to big grownup Mac users too.

What does the good doctor want you to do? Ferret out your universally unique identifier and send it along.

There's a CAPTCHA in the form but that hardly helps you. It helps Dr.Web thwart spammers and other evil people.

What's the point? Dr.Web have a hopefully updated database of all the Flashback zombies, all 650,000 of them. Give them your universally unique identifier and they'll tell you if your beautiful Mac is part of the botnet.

Let's review that again.

You're going to an unknown site to submit your universally unique identifier. This identifier (UUID) will uniquely identify your computer on the entire planet. Anyone want to find you later on? A subversive at Dr.Web? Someone eavesdropping on Dr.Web? Someone eavesdropping on you? Someone eavesdropping anywhere along the line between you and Dr.Web?

Here's a traceroute from St Petersburg to Dr.Web. That's close by and so it's only seven hops.

1 rtc-sw1.neva.ru (195.208.113.126) 36 bytes to 195.208.113.71 0.824 ms 0.56 ms 0.51 ms
2 rtc-gw2.neva.ru (194.85.4.9) 48 bytes to 195.208.113.71 0.402 ms 0.337 ms 0.286 ms
3 m120-1-321-spb-ru.xe-5-0-0-56.nw.synterra.ru (194.226.100.51) 36 bytes to 195.208.113.71 1.359 ms 1.372 ms 1.362 ms
4 MX480-1-232-SPB-RU.xe-5-0-0-7.peterstar.net (82.196.95.234) 36 bytes to 195.208.113.71 1.197 ms 1.432 ms 1.252 ms
5 gw.dev.drweb.com (84.204.76.98) 36 bytes to 195.208.113.71 2.09 ms 2.254 ms 1.928 ms
6 195.88.253.2 (195.88.253.2) 36 bytes to 195.208.113.71 2.698 ms 2.711 ms 3.134 ms
7 public.dev.drweb.com (195.88.252.44) 48 bytes to 195.208.113.71 3.89 ms 2.208 ms 1.629 ms

Anyone (or anything) at any point along that line could be listening in.

Now of course Dr.Web could have solved this quite easily - by using secure sockets layer (SSL/TLS). HTTPS. Port 443. But no. They reckon it's OK for you to send your universally unique identifier in the clear.

Back to Josh Lowensohn, the IT guru at CNET who found this gem.

'Jeremiah Grossman, chief technology officer at White Hat Security, told CNET via email that in normal situations it's not a good idea to share your Mac's unique hardware identifier, but in this case it's safe.'

O RLY? Why is it safe in this case, Jeremiah Grossman? And what exactly are people like Josh Lowensohn and the other 80,000+ chicken littles so afraid of anyway that they're prepared to turn over their identities to people they don't even know?

Not much error checking either in what Dr.Web termed a 'beautiful' user interface. The UUID 'GGGGGGGG-GGGG-GGGG-GGGG-GGGGGGGGGGGG' is of course illegal as 'G' is not a valid hex digit. But submit it if you want.
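As an added example (not Dr.Web's code and not from the article), the input check the submission form lacks: a hardware UUID is five dash-separated groups of hex digits (8-4-4-4-12), so the all-G string above must be rejected. The function names and the 'system_profiler' excerpt are mine, the excerpt constructed rather than taken from any real machine.

```shell
#!/bin/sh
# Added example: validate a UUID's format before it goes anywhere at all.

# is_valid_uuid STRING -> exit 0 only for 8-4-4-4-12 hex groups (case-insensitive)
is_valid_uuid() {
  printf '%s\n' "$1" |
    grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# hw_uuid_from_profile TEXT -> pulls the "Hardware UUID" value out of
# `system_profiler SPHardwareDataType` output passed in as text
hw_uuid_from_profile() {
  printf '%s\n' "$1" | awk -F': ' '/Hardware UUID/ { print $2; exit }'
}

# Demonstration on a constructed profiler excerpt (not a real machine's value).
sample='Hardware:
    Model Name: MacBook Pro
    Hardware UUID: 0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0'
u=$(hw_uuid_from_profile "$sample")
is_valid_uuid "$u" && echo "well-formed: $u"
is_valid_uuid 'GGGGGGGG-GGGG-GGGG-GGGG-GGGGGGGGGGGG' || echo "rejected: G is not a hex digit"
```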

Sean Collins of Core IT Pro writes.

I don't know how freely available the list of [infected] UUIDs is. I'm tempted to give them the benefit of the doubt - but they should release the data for other researchers.

It could be worse, they could demand money for their app in the App Store.


Which is just about what they do. Albeit mildly. The product they want you to download and install is a 'free' AV tool from them. As George Kurtz said the other day:

'If AV is your only APT defence you are toast.'

As Rixstep say today and tomorrow:

'AV won't help you on Windows and it won't help you on OS X. For two very different reasons.'

The Mac Bogeyman

So back on track: what are all the chicken littles so afraid of?

THE COMMAND LINE.

The command line has become something the demented living in swampy backwater areas use to scare the shit out of their children. 'Be good for goodness sake or else the command line will come and haunt you in your sleep and drop syntax errors in your Xmas stockings!' And so forth. Terrible thing that command line.

There's even a Cocoa application under development and stored at GitHub that will perform the equivalent of those two daunting commands for you. And no it won't remove an infection - that's above the expertise of the author who's already wasted nearly 300 lines of code to replace two defaults commands. And no we won't reveal the URL either for the simple reason that enough is enough.

PostScript: Come Back Steve All is Forgiven

Steve Jobs had to give in to the eejits at times but he mostly kept Apple intelligence on an even keel. The Flashback incident is the first sign of how much the Apple founder is missed.

As even now the shadows are darkening and more eejit hysteria envelops the earth.

If Apple updated Java for OS X as fast as the stock goes up, we'd all be in great shape.
 - George Kurtz

See Also
The Technological: Apple's Achilles Heel
Industry Watch: Flashback Botnet Recruits 550,000 Macs

Copyright © Rixstep. All rights reserved.