how-to block ads
|
Sandman5
Premium
join:2002-07-10
Brookline, MO
clubs: | Security through obscurity So do you believe in security through obscurity or are those just your tools and you're pointing out that they are more secure?
Not sure if you knew, but just recently the first worm for OSX was released. | |
|  
ThunderCorp
join:2002-03-11
Chula Vista, CA
| Re: Security through obscurity i never believe in security by obscurity. i believe in security by inherent secure default settings (well written software + a good admin behind them).
Oh, and to let you know, the OSX trojan isn't out in the wild and even if it was, it has an huge achilles heel that makes its existence a joke. Once you send it over the 'Net over any protocol its resource fork is stripped off, thereby making it useless. I guess you should know better than to trust an antivirus company about virus announcements (they're out to make money if they're losing it).
Even if the trojan got onto an OS X system intact, it can only affect the files in the current user's directory, since it cannot elevate to sudo permissions with a password. And, as you know, OS X ships with root OFF so even the admin users can't affect system files without sudo. | |
| | 
wolfox
Gentle Wolfox
join:2002-11-27
Dunnellon, FL
| Re: Security through obscurity said by ThunderCorp  :
i never believe in security by obscurity. i believe in security by inherent secure default settings (well written software + a good admin behind them).
Exactly. I run Outlook and MSIE and have never gotten an infection/system compromise via that vector. The *default* security settings are laughable at best. With a few well placed tweaks - problem solved. However, I did run one system overnight via a DMZ'd internal IP and it got whacked to shreds, it was running IIS FTP and some script kiddie tore it apart. That is another matter altogether, and a failed experiment.
--
Nothwest Arkansas' ONLY all Techno Radio Webcast, powered by SBC DSL! | |
|
ThunderCorp
join:2002-03-11
Chula Vista, CA
| McAfee's analysis of this so-called OS X Trojan:
The only mildly non-trivial discovery associated with this malware is that its author managed to combine a valid MP3 file and a PowerPC application in one file without violating any of the two file formats. That means the trojan is playable within iTunes as MP3 sound file and it can also be launched as a program by Finder. This works under MacOS 9 and OS X.
However, dual personality of a file has little relevance to the malicious function. If a user is convinced to double click on an icon representing a file the program will run regardless of being a simple disguised application or dual-format file. Thus, the discovery of dual-format files does not really introduce any new penetration or propagation vector. It can only obfuscate a little the function of the disguised program, which will appear as a valid sound file and it can be played from iTunes.
To achieve this dual personality of the file the PowerPC application (Type 'APPL', Creator = 'vMP3') is registered in the resource fork as 'cfrg' (code fragment) within the data fork. At the same time this data fork (with an ID3 record at the beginning of the MP3 file that holds the binary code) is a valid MP3 file image. That, plus the fact that this "trojan" is easily killed just by sending it over the internet, which strips its executable code fork and renders it useless. | |
| | | | | | |
|
