Mac OS X research warns of stealthier attacks
InsanelyMac Forum > InsanelyMac Lounge > Reader News and Reviews
ditchmagnet
I came across this story and was wondering what everyone's take was. So far there have been no viruses, and I don't know if this will actually make it easier to get a virus on OSX or not, but still an interesting read. It seems like as long as a system and programs are patched it will not work since the technique needs a vulnerability, but I guess all attacks need some vulnerability.

Story here:
http://www.securityfocus.com/news/11543
Bob Ajob
One word - trust. How much do you trust your system and the data on it? How much do you trust yourself to monitor its behaviour? Sometimes it can be useful to just have a brief lack of trust or episode of paranoia and create some trusted backups and have a disaster recovery exercise. It's nice to know you completely trust your ability to return to a secure environment...
A good firewall or IDS should highlight trusted processes connecting to untrusted hosts or using untrusted protocols or ports.
One way to try and protect from in-process attacks would be live kernel-level process monitoring, to check and see if any trusted system-level executable processes don't match their trusted default values (or if any privileged processes are trying to hide or otherwise access network resources). The problem is that once any system of trust is broken, it may also become possible to break or bypass any checking mechanisms (assuming you can break and escalate to the highest level of trust/privilege, thereby forcing all other processes beneath and so fully controlling them). For a truly secure system, try this simple approach -
  1. Use only trusted hardware and wetware (people!) from trusted sources
  2. Install in a trusted, clean environment using only trusted installation files (usually from read-only trusted/genuine media)
  3. Create a rootkit level sandbox of the initial running non-networked filesystem, before allowing ANY network processes
  4. Carefully allow access to only the minimum required and fully trusted networked processes (i.e. for updates)
  5. Update the trusted rootkit sandbox hash table for trusted processes once fully patched
  6. Monitor all trusted network processes for change from original rootkit level sandbox
  7. Update trusted network processes ONLY where absolutely necessary
  8. Perform a suite of penetration tests against any running server processes from another host
  9. Routinely check and refresh your firewall ruleset, IDS logs, sandbox and rapid disaster recovery backups

Most default installations of Mac OSX Leopard 10.5.6 with the latest patches should all have the same hashable (i.e. checkable) values for all default trusted executable processes. For instance, the common trusted network applications like Safari, iTunes and Mail should always match the hash value which Apple could provide. This would be a good starting point no?

Simple but effective network security approach: Monitor which network destinations (IP addresses) and which target UDP/TCP ports are being used by which applications (aka application firewall rules). If you are not running any networked processes then you shouldn't see any traffic. If you are only running standard clients with fairly standard servers then your trusted connections list should also be fairly small. The only way to knowingly reveal and remove a clever rootkit once one is suspected, is to return to a known, trusted, non-network platform and gradually reintroduce trusted network processes until the one with the suspicious traffic (and probable vulnerability) is found. Of course by that time any data on your entire network is untrusted though .....

Hmmm maybe my once-a-year paranoia trip is starting to kick in :)
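Steps 3, 5 and 6 of the list above (snapshot the clean install, record hashes of the trusted executables, re-check them later for change) are a file-integrity baseline. The following is an added example, not code from the post or from Apple: it hashes every executable file under a root, stores the result as a baseline, and reports what changed, went missing, or appeared. The directory layout, the file names (Safari, Mail, dropper) and their contents are constructed here purely for the demonstration; on a real system the baseline would be written to read-only media, and, as the post itself notes, a userland checker like this can be bypassed once an attacker holds root, so it is a detection aid and not a guarantee.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root with an executable bit set.

    Symlinks are skipped so a link pointing at an untrusted file cannot masquerade as a trusted one.
    """
    root = Path(root)
    baseline = {}
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        if not (p.stat().st_mode & exec_bits):
            continue
        baseline[str(p.relative_to(root))] = sha256_file(p)
    return baseline


def verify_baseline(root, baseline):
    """Re-hash root and diff it against a stored baseline (step 6 of the post's list)."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON; in practice this belongs on read-only media."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: clean snapshot, then a patched binary, a dropped file and a removed one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        safari = root / "bin" / "Safari"      # hypothetical stand-in for a trusted network app
        mail = root / "bin" / "Mail"          # hypothetical stand-in for a second trusted app
        safari.write_bytes(b"\xcf\xfa\xed\xfe original Safari image")
        mail.write_bytes(b"\xcf\xfa\xed\xfe original Mail image")
        for p in (safari, mail):
            p.chmod(0o755)
        (root / "README").write_text("not executable, so not part of the baseline\n")

        baseline = build_baseline(root)             # step 3/5: snapshot the clean state
        save_baseline(baseline, root / "baseline.json")

        # Simulate what a later check should catch:
        safari.write_bytes(b"\xcf\xfa\xed\xfe Safari with injected code")  # trusted binary altered
        dropper = root / "bin" / "dropper"                                   # new executable appeared
        dropper.write_bytes(b"\xcf\xfa\xed\xfe unknown binary")
        dropper.chmod(0o755)
        mail.unlink()                                                        # trusted binary gone

        report = verify_baseline(root, load_baseline(root / "baseline.json"))
        return baseline, report


if __name__ == "__main__":
    base, rep = demo()
    print(json.dumps(rep, indent=2))
```

Run it once on the freshly installed, not-yet-networked system to produce the baseline, then again after each patch cycle (step 5) to accept the new hashes, and on a schedule in between (step 6). A change reported for a binary that was not deliberately updated is exactly the signal the post is asking for; whether it is a patch you forgot or something else is the question the hash cannot answer on its own.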
A Nonny Moose
QUOTE
The injection method doesn't make it any easier to pierce a Mac's defenses. It only makes it easier for attackers to cover their tracks once they have.


That about sums it all up. Until there is an exploit, there is only a small need to worry about this.