MacDailyNews - Where Mac news comes first


Proof of concept Mac OS X adware debuts
Friday, November 24, 2006 - 10:57 AM EST

Hackers have created a proof-of-concept sample of adware that targets Apple Mac OS X users. Anti-virus firm F-Secure calls it "iAdware."

Kamil writes for F-Secure:
We recently received a proof-of-concept sample of an adware program. Normally that wouldn't be worth blogging about, but in this case it's for Mac OS X. In theory, this program could be silently installed to your User account and hooked to each application you use… and it doesn't require Administrator rights to do so. We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.

The result: This particular sample successfully launched the Mac's Web browser when we used any of a number of applications.

This is easier to do than with Windows. After all, it's a Mac.


"The malware is notable for its rarity rather than its threat value, which remains minimal. There's hundreds if not thousands of ad-ware packages floating around that are capable of infecting Windows users with intrusive pop-up software that impairs system performance," John Leyden reports for The Inquirer. "iAdware is the first such application for Macs that we've come across."

Full article here.

[Thanks to MacDailyNews Reader "Dirty Pierre le Punk," "RadDoc," and "Fred Mertz" for the heads ups.]


Reader Feedback:

Nov 24, 06 - 11:01 am Comment from: librium

pppffffffttt.

Nov 24, 06 - 11:08 am Comment from: macaholic

"installing a System Library shouldn't be allowed without prompting the user."

should be easily fixed!

Nov 24, 06 - 11:09 am Comment from: theloniousMac

Calling it specifically adware doesn't seem accurate. That sounds like a security hole that should generally be closed. While it could be used to launch a browser, and PRESUMABLY direct that browser to a specific sight, calling it Adware diminishes the threat.

Apple should take steps to control this ASAP and not do their typical silent act in relation to this one.

Nov 24, 06 - 11:13 am Comment from: eMax

Well thanks to these morons, and other morons like them I am sure they will release how this occurred, and instead of TELLING APPLE they will tell some idiot spammer.

It should be illegal to release malware information to ANYONE but the manufacturers of the software.

These people think they are doing something good for the world? The only thing they should do is tell apple directly and not ever tell the public.

Fools...

Nov 24, 06 - 11:15 am Comment from: Eddy

I still don't see the fun in all this Adware and Virus stuff..

Can ANYONE explain what the use of it is???

Nov 24, 06 - 11:16 am Comment from: Silly

I agree with theloniousMac. Apple should be very open about these issues, recognise them and even give a timetable or actual status of the solution process. Secrecy in this area will certainly harm Apple and does not make sense.

Nov 24, 06 - 11:21 am Comment from: Macaday

The only threat to Mac users are the security companies who are desperate to get something out that will put pressure on us to buy their software.

Nov 24, 06 - 11:27 am Comment from: julio

well folks, if I am reading right what was blogged this is not a real threat, not at all.
one needs Admin privileges to install a System Library (the iadware) and THEN it can do its damage. They are not saying that the System Library itself can get installed without a warning or asking for admin password. All they say is that AFTER it is installed it can go about doing its thing behind your back.

easy then, do not install anything coming from an unknown source.

(mw:rest) as in rest assured they'll keep posting alarming headlines on OS X malware, maybe someday they'll hit one, but it is not this one

Nov 24, 06 - 11:27 am Comment from: oh joy

I still don't see the fun in all this Adware and Virus stuff..

Can ANYONE explain what the use of it is???


It's like the nice people who key your car & slice its tires.

They do it because it's easy, and to just be general assholes.

Since real Mac OS X malware has been impossible so far, we get this crap.

Nov 24, 06 - 11:30 am Comment from: peragrin

It can only affect one user. If you log out and log in as another user, that user is unaffected.

It doesn't install a "system library", it installs only in the user's home directory.

And without a registry to manually redownload it can't reinstall itself. So once you delete it it's gone.

The worst case is if it changes its own owner to root or admin, and then all it takes is to

sudo rm dumb/adware/filepath/name and enter the admin password.

it won't take special tools that only sometimes work.

Nov 24, 06 - 11:33 am Comment from: tt

So how many 'real' adware / spyware / viruses are out there for OSX again? < 0 ?

sounds like BS to me.

Nov 24, 06 - 11:38 am Comment from: Mr. Reeee

Gee, if I were an administrator on a network, or already logged onto a Mac, I could do PLENTY of damage. Maybe their proof is that if you're an idiot, you can mess up your computer. Windows users have been proving that little factoid by the MILLIONS... EVERY day... for YEARS!

Don't these Virus Protection Rackets get enough business and make enough business from the Windows market?

Why do they keep on announcing "proof-of-concept" malware things, if only to frighten people into buying their software.

Apple has been very quick to plug security holes in Mac OS X.
Some of these "concepts" have appeared AFTER Apple has already plugged holes.

From what I've seen Symantec's Mac anti-virus software IS a virus.

Nov 24, 06 - 11:40 am Comment from: Mr. Reeee

Duh,,
that should have read:

Don't these Virus Protection Rackets get enough business and make enough MONEY from the Windows market?

Nov 24, 06 - 11:41 am Comment from: plasticmd

How come no MDN take on this??

Nov 24, 06 - 11:42 am Comment from: Tommy Boy

Sum Jung Gai needs to upgrade to the latest version of the OS/Safari as I never see a pop up on MDN.

Nov 24, 06 - 11:43 am Comment from: nuflux

"This is easier to do than with Windows. After all, it's a Mac."

These people are so fucking bitter. So insecure about their INFERIORITY.

As others have pointed out here, this is such a minimal and easily removable "threat" that it's a joke.

Nov 24, 06 - 11:54 am Comment from: Yo er phone repair man, mind if I look around?

Julio,

Agreed. This just looks like another form of trojan.

Are there any good countermeasures besides user awareness?

Few people would allow uninvited strangers into their homes, esp. ones offering to install or fix something. Why let unknown software into your Mac?

Nov 24, 06 - 11:54 am Comment from: theloniousMac

Ya know we Mac proponents are very proud of Apple's security record but we need to face some facts.

While MDN likes to claim that "security through obscurity" is a myth, I beg to differ. There have been and there will continue to be holes in the Mac OS. Mac OS X may be more difficult to exploit than Windows, but not impossible.

And Apple... well I'm still fuming at their willingness to buy off on the no virus hype. Instead Apple should simply say, "While we are proud of the Mac's security record to date, we still advise all Mac users to take prudent measures with regard to computer security."

Sooner or later we're going to get hit with something and it's going to come from some place we trust, like Apple.

We should be careful, not smug. Constantly touting the 150,000 viruses for Windows and none for the Mac stat is asking for trouble. If I were a virus writer, at this point I'd be working on it.

Nov 24, 06 - 12:05 pm Comment from: DJ

I just wish ONE person who does viruses and stuff would step up to the plate and just explain: "Why I do this dorky thing".

It would be a whole lot easier to understand is all.

Nov 24, 06 - 01:14 pm Comment from: macromancer

I just created a proof of concept technique for destroying all files on my hard drive

I opened my hard drive, dragged all my files to the trash, and clicked Empty Trash.

Pay me money or else.

Nov 24, 06 - 01:28 pm Comment from: Ryan

Well, all the politics aside, I'd be curious to know the technical details.

The term "system library" is extremely vague. The closest thing to the correct meaning of this term would be a malicious framework installed into /System/Library/Frameworks or /Library/Frameworks. However, this most definitely cannot happen without an admin prompt, and furthermore it would not do anything unless it replaced another framework that an app was already designed to call, without losing any of the correct functionality. Unlikely.

More likely this is a malicious Input Method, which is a type of plug-in that can load into Cocoa applications and modify the way they handle data (for example, there's one called IceCoffee that adds the Services menu to every right-click menu. There are also Input Methods for gesture-based input or expansion of abbreviations). These can be installed on a per-user basis without additional authentication, under ~/Library/InputMethods. They can also be installed globally, in /Library/InputMethods, but this might require authentication (can anyone confirm?)

While a potential issue, this is a limited attack vector because it would only affect the logged in user, affects only Cocoa applications, and does not modify (infect) any apps on disk, only at runtime. Removal would constitute removing the plug-in and logging out and back in.

Generally, I'm surprised that there haven't been more exploits of Cocoa runtime extensibility, given the relative renown of Objective-C for being dynamically modifiable.
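The following is an added example, not part of the comment above or of the original article: a shell audit of the two plug-in directories that comment names, listing each entry with its owner and reporting whether the directory can be written by the current user without authentication. The function name `audit_plugin_dirs` and the output format are assumptions made for illustration; other directories can be passed as arguments.

```shell
#!/bin/sh
# Added example (not from the page): list what sits in per-user and global
# plug-in directories so unexpected bundles can be reviewed and removed.

# audit_plugin_dirs DIR...
#   DIR   <scope> writable=<yes|no> <dir>    one line per existing directory
#   ENTRY <scope> owner=<owner> <path>       one line per top-level entry
# scope is "user" for directories under $HOME, otherwise "global".
audit_plugin_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue            # absent directory: nothing to load
        case "$dir" in
            "$HOME"/*) scope=user ;;
            *)         scope=global ;;
        esac
        # A directory the current user can write to accepts new plug-ins
        # with a plain copy, with no password prompt.
        if [ -w "$dir" ]; then writable=yes; else writable=no; fi
        printf 'DIR %s writable=%s %s\n' "$scope" "$writable" "$dir"
        # Include dot-prefixed entries, which Finder would not show.
        for entry in "$dir"/* "$dir"/.[!.]*; do
            { [ -e "$entry" ] || [ -L "$entry" ]; } || continue
            owner=$(ls -ld -- "$entry" | awk '{print $3}')
            printf 'ENTRY %s owner=%s %s\n' "$scope" "$owner" "$entry"
        done
    done
    return 0
}

# Default to the paths given in the comment when no arguments are supplied.
[ "$#" -gt 0 ] || set -- "$HOME/Library/InputMethods" "/Library/InputMethods"
audit_plugin_dirs "$@"
```

Any `ENTRY` line for a bundle the user does not recognise is a candidate for removal, followed by logging out and back in as the comment describes.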

Nov 24, 06 - 02:51 pm Comment from: whatever

Try this command in Terminal:

open http://walmart.com


Instant adware! Replace an application with a script to run this command and then launch the original application, and you've accomplished the same thing.

Nov 24, 06 - 03:07 pm Comment from: 2Shae

Haven't you noticed something...
Now that Microsoft says NO to anti-virus companies, there are all kinds of Mac viruses (proof-of-concept) popping up!!!
And the anti-virus companies are the only ones that are finding these things.

Don't you think that THEY are actually behind all these things because they are trying to get a new market...the Mac users.

Nov 24, 06 - 03:29 pm Comment from: Macdaddy

Lo and Behold! It's another MS "payoff" to an Anti Virus company to spread FUD among the newcoming mac users of intel macs!







"Jealousy makes the bones brittle"

Nov 24, 06 - 03:30 pm Comment from: Vacuous Couch Potato

"Releasing" this vaguely described adware FUD during a U.S. extra-long weekend ensures few Mac sites will run it into the ground quickly, giving it time to gain whatever traction it can (MDN has no one on hand to denigrate the story, either). So the story has until late Monday or even Tuesday before it's shot down, by which time it's catch-up.

Nov 24, 06 - 05:21 pm Comment from: Rainy Day

I suspect this “exploit,” if there is indeed one, is only able to operate on those who use admin accounts for everyday use. I doubt it could work against a regular user account.

The problem is, however, that Apple sort of encourages users to use admin accounts, as it is the default on installation of MacOS X. They should make an attempt to educate users, and discourage this practice.

peragrin writes: “The worst case is if it changes its own owner to root or admin”

Actually, to do that requires root privileges.

@ theloniousMac: MDN is correct in their position on the security through obscurity myth. Any real security expert will tell you there is no such thing as “security through obscurity.” This has been proven through decades of experience. Anyone who thinks there is security through obscurity is either not well educated on computer security, or blowing smoke.

Nov 24, 06 - 10:29 pm Comment from: mac-fanboy

http://www.digitalmunition.com/dma.html claims to have the iAdware code.

Nov 25, 06 - 04:40 am Comment from: Ballmer

Welcome to the world.....the world of Windows, that is

Nov 25, 06 - 11:08 am Comment from: Freddy the Pig

It's a little thing really, but some days it bugs the hell out of me.

SIGHT is something your EYES give you.

SITE is a place to go on the web, like MDN webSITE

People do not go to webSIGHTS.



OK I got it off my chest.

Nov 25, 06 - 04:23 pm Comment from: AlienApple

HAHAHAHAHA

Nov 25, 06 - 05:42 pm Comment from: Reality

Pure BS and FUD

Nov 25, 06 - 11:07 pm Comment from: Dave

Theoloniusmac is wrong. Dead wrong and emac is right. When are we going to learn that blasting our weaknesses from the house tops only gets us killed? For some dumb reason we have decided that if we let "everybody know how and where to hack computers" that somehow you are doing me a favor? That's the kind of favor I don't need--dumbass! What I need is for you to apple and only apple or microsoft for that matter. Otherwise keep your big fat mouth closed! Thank you

Nov 26, 06 - 08:30 am Comment from: R

Security through obscurity is a myth. Acuras are nowhere near abundant in the wild, but they're the number one stolen car in a number of geographical areas. The degree to which something is targeted is based on human preference, not its sample size. Macs are a huge target and will continue to be. The small number of malware writers attack computers. Windows is easiest to attack.

If Apple wants to keep the OS relatively secure, they just need to be better than Windows. It's the same reason burglar alarms, The Club, and other anti-theft devices are used. They are not certainly going to help, but the perpetrator will rather move to the next target because it's easier.

Nov 26, 06 - 06:40 pm Comment from: Tom Ward

In other related news, " F-Secure have created a proof-of-concept sample of adware that targets Apple Mac OS X users called "iAdware" ..."

Isn't that the truth of it? - I thought they'd have too much time on their hands with Windows' problems to be writing adware for OS X.

Nov 27, 06 - 01:23 am Comment from: jerko

"Haven't you noticed something...
Now that Microsoft says NO to anti-virus companies, there are all kinds of Mac viruses (proof-of-concept) popping up!!!
And the anti-virus companies are the only ones that are finding these things.

Don't you think that THEY are actually behind all these things because they are trying to get a new market...the Mac users.
"

Actually if they are vetting the MacOS for holes, that's not a bad thing. Let's hope that Apple will fix soon.

Nov 27, 06 - 05:16 am Comment from: repoman23

to Freddy the Pig

What a lovely comment! Makes such a change from the normal irate comments about spelling and such on forums in general...

I can understand how it bugs someone to see native language abused that way.
However it is nice to see that someone can be sensitive to the fact that not all of us are native English speakers/writers and do make mistakes....
cheers to the open mind

Nov 28, 06 - 12:23 am Comment from: Rudge

Finally, a Mac news web site that has come out with this new Mac OS X adware story. Thank you MacDailyNews. Good work. I bet the lights are still on at the Apple campus thinking up a fix.
