Re: [botnets] re MAC trojan (fwd)

From: Gadi Evron <>
Subject: Re: [botnets] re MAC trojan (fwd)

There have been many threads on this subject, but I believe this post 
below covers what some of us are trying to say on why this issue is 

Obviously some people are far more articulate than me.

---------- Forwarded message ----------
Date: Thu, 1 Nov 2007 16:47:17 -0400
From: PinkFreud <>
To: Gary Flynn <>
Subject: Re: [botnets] re MAC trojan

To report a botnet PRIVATELY please email:
[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]

I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple.  As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.

As Gadi mentioned, there are a number of known issues that Apple has
yet to address.  If the professional malware authors are now taking aim
at Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather

::: Interspace System Department
> Relax. MAC users are not that stupid as MS users...

Are you a Mac user?  If so, you just proved yourself wrong with that
statement.  :)</flame>

Users are users, and their knowledge of computers varies greatly from
one to the next.  I've supported a number of Mac users who tend to be
clueless when it comes to computers, and I've supported Mac users who
know quite a bit about the machines they use.  Like any Windows or *nix
user, Mac users can - and will - fall prey to this kind of scheme.

Again, the trojan is not what's important here.  The fact that it was
written for Macs is particularly noteworthy, however.

::: Jeremy Chatfield
> InfoSec is there to make sure that I can run my business, not as an end in
> itself. It *prevents* profit making activity by having effort expended on
> internal needs. So if the Mac hasn't *needed* higher level of security
> hoops, previously, that's good. So long as weaknesses are fixed *when
> needed*, I'm a happy bunny. If there's a Day Zero attack that hits a Mac,
> I'll be disappointed, but it's not a uniquely Mac situation to be in... If
> the failure was an obvious weakness, I'm actually still pretty sanguine,
> because it hasn't yet been exploited, despite being "well known".

Security issues should be fixed as soon as feasible, not 'when needed'.
If all security vulnerabilities were fixed 'when needed', the malware
authors would be having a field day (which, of course, implies they're
not already... hmmmm.).

Apple has a history of badly-written software.  As far as recent
examples go, take a look at tar and rsync on Tiger (10.4) - they've
been modified to support extended attributes like ACLs and resource
forks, and they're quite broken - extended attribute support introduces
a serious memory leak.

If that doesn't quite hit home, you can get a further idea of how their
software is written by taking a look at the man page for sharing(1), on
OS X Server (for those of you without access to OS X Server, take a
look at
).  Pay particular attention to the description for the -s, -g, and -i
options - do their developers (or tech writers) know the difference
between AND and OR?  :)

On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:
> This is nothing more than simple downloadable malware exacerbated
> somewhat by permissive configuration settings. It exploits no
> security defects.
> As I understand it, the operator is given multiple opportunities
> to refuse the program:
> (I'm only subscribed to the archive so I apologize if this
>   has been already pointed out or already proven incorrect
>   today)
> --
> Gary Flynn
> Security Engineer
> James Madison University

Chief of Security, Nightstar IRC network |
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
To report a botnet PRIVATELY please email:
All list and server information are public and available to law enforcement upon request.
