Re: Spyware Detection Tools

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Thu Oct 06 2005 - 14:00:46 PDT

In the message "Re: [MAGNet] Spyware Detection Tools", dated 10/6/05,
Guy Vinson wrote:
>But what I am looking for is real experience with, not the
>possibility of, spyware/malware/keyloggers on Mac OSX. ... I am just
>trying to remove one area of investigation.

As Charles James summarized:
>I gathered from my readings that the majority of spyware that is
>dangerous is directed towards the Windows world.

   True. At least to date, there has been relatively little spyware
in the Mac OS X world: that is, in the classic sense of malicious
applications targeted at that OS which can be downloaded via ActiveX
controls or similar scripting mechanisms when a user visits a web
page, or performs certain actions on that page.

At 7:56 AM -0700 10/6/05, Guy Vinson wrote:
>Two other factors might enter into this [case where a faculty
>member's bank account] ... was cleared by someone who had access to
>their login info ... they use their computer wirelessly at times and
>they may have used a PC as well to conduct banking at some time in
>the not too distant past.

   One more potential factor: phishing or some other 'social
engineering' technique by which your faculty member might
inadvertently have revealed their secret information. All three of
those "other" factors - wireless access, PC use, and phishing or the
like - seem more likely to have come into play than the fairly remote
possibility of malware having been installed on your faculty member's
Mac.

   Nonetheless, here are three articles that are relevant to that
possibility, as well as to other possible compromises of their Mac:

1) Detecting whether this Mac has been compromised:

   Joel Rennich
   "Forensic Analysis of a Compromised Mac OS X (Client) Machine"
   May 2002
   http://www.afp548.com/Articles/security/postmortem.html

   Notably, some of the compromises that SNS has seen on Mac OS X
machines have been truly mundane: the Remote Login service was turned
on (Apple menu, System Preferences, Sharing pane) and one or more
accounts on the system had a password that was easy for an intruder
to guess.

   A simple tool to view a summary of log entries related to recent
logins on your faculty member's machine - assuming these haven't been
mucked with by an intruder - is Dave Yost's ProbeCheck script:

   http://yost.com/computers/probecheck/

2) Detecting and preventing malware on this Mac:

   "Dr. Smoke" (the author's screen name as a helper in Apple discussions)
   "Detecting and avoiding malware and spyware" [on Mac OS X]
   http://www.thexlab.com/faqs/malspyware.html

   As far as spyware detection tools go, in addition to Allume Systems
Internet Cleanup, mentioned in that article, you could also look into
MacScan <http://macscan.securemac.com/>, mentioned by Charles James.

   These are the only two products I know of that purport to detect
Mac spyware. However, both have received somewhat negative user
reviews: check the usual sites, such as VersionTracker and MacUpdate,
to view some of these. MacScan's development was dormant for a very
long time, before a new beta just recently emerged.

   Going forward, to help your faculty member have some peace of mind,
you or they might consider installing one of the products mentioned
in "Dr. Smoke's" article:

   Little Snitch
   http://www.obdev.at/products/littlesnitch/index.html

   Little Snitch is a shareware "application supervisor" which
monitors outgoing network connections. When an application tries to
access the network, it displays a dialog permitting the user to allow
or deny the connection and asks whether to set up a permanent or
temporary access rule for future connections of that type. Rules can
also be edited via a System Preferences panel.

   For what it's worth, the website for Allume's Internet Cleanup claims
that product also comes bundled with a similar tool.

3) 'Hardening' this Mac against future attack:

   For excellent guides which cover many techniques for securing
Macintoshes running Mac OS X from attack, see Stephen de Vries' white
papers for Mac OS X 10.4 "Tiger" and 10.3 "Panther" at Corsaire's
website:

   http://www.corsaire.com/white-papers/

   A local guide to this same topic, from our neighbors up the hill at LBL, is:

   Gene Schultz, et al.
   "Mac OS X Security Checklists"
   http://www.lbl.gov/ITSD/Security/systems/mac_guidelines.html

Aron Roberts
Workstation Software Support Group

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Thu Oct 6 14:02:40 2005

This archive was generated by hypermail 2.1.8 : Thu Oct 06 2005 - 14:02:41 PDT
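The "mundane" compromise described in the message above (Remote Login switched on plus a guessable password) leaves a recognisable trail in the ssh daemon's log: a burst of failed password attempts from one address, followed by an accepted login from that same address. The script below is an added example, not part of Aron Roberts's message and not Dave Yost's ProbeCheck; it shows the kind of summary a triage script like ProbeCheck produces, run over a few constructed sample lines in the style of Mac OS X's /var/log/secure.log. The `remote_login_state` check assumes `systemsetup -getremotelogin` (a Mac OS X tool that may need administrator rights) or, failing that, a `netstat` listing in which a listening port 22 appears as `*.22` (Mac OS X) or `:22` (Linux); both are assumptions about tool output, not anything the message states.

```shell
#!/bin/sh
# Added example: summarise sshd log lines the way a quick post-incident
# triage would, then report whether Remote Login (sshd) is listening.
# Not from the original message or from ProbeCheck.

# Constructed sample lines in the style of Mac OS X /var/log/secure.log.
# 10.0.0.5 guesses three passwords and then gets in as "guest".
SAMPLE_LOG=$(cat <<'EOF'
Oct  6 02:12:01 imac sshd[512]: Failed password for root from 10.0.0.5 port 4123 ssh2
Oct  6 02:12:10 imac sshd[513]: Failed password for invalid user admin from 10.0.0.5 port 4124 ssh2
Oct  6 02:12:18 imac sshd[514]: Failed password for invalid user test from 10.0.0.5 port 4125 ssh2
Oct  6 02:12:30 imac sshd[515]: Accepted password for guest from 10.0.0.5 port 4126 ssh2
Oct  6 13:13:22 imac sshd[520]: Accepted password for aron from 192.168.1.20 port 5001 ssh2
Oct  6 13:14:00 imac sshd[521]: Accepted publickey for aron from 192.168.1.20 port 5002 ssh2
EOF
)

# failed_by_source FILE: count failed sshd password attempts per source
# address, most frequent first.  Output: "<count> <ip>" per line.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | sed 's/.* from \([0-9.]*\) port .*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# accepted_logins FILE: list successful logins as "<user> <ip> <method>".
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
      | sed 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/'
}

# suspicious_successes FILE: a successful login from an address that also
# produced failed attempts is the pattern a guessed password leaves behind.
# Two passes over the file (NR==FNR is the first) so ordering does not matter.
suspicious_successes() {
    awk 'NR==FNR { if (/sshd\[[0-9]*\]: Failed password/)
                       for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i+1)] = 1
                   next }
         /sshd\[[0-9]*\]: Accepted / {
             u = ""; ip = ""
             for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") ip = $(i+1) }
             if (ip in bad) print u, ip
         }' "$1" "$1"
}

# remote_login_state: On / Off / Unknown.  On Mac OS X this is what the
# Sharing pane's "Remote Login" checkbox controls.  Assumptions: systemsetup
# prints "Remote Login: On|Off" (and may refuse without admin rights); the
# netstat fallback assumes a listening port 22 shows as "*.22" or ":22".
remote_login_state() {
    if command -v systemsetup >/dev/null 2>&1; then
        out=$(systemsetup -getremotelogin 2>/dev/null || true)
        case "$out" in
            *"Remote Login: On"*)  echo On ;;
            *"Remote Login: Off"*) echo Off ;;
            *)                     echo Unknown ;;
        esac
    elif command -v netstat >/dev/null 2>&1; then
        if netstat -an 2>/dev/null | grep -E '[.:]22[[:space:]].*LISTEN' >/dev/null; then
            echo On
        else
            echo Off
        fi
    else
        echo Unknown
    fi
}

# Stand-alone demonstration over the constructed sample; point the functions
# at /var/log/secure.log on a real machine instead.
LOGFILE=${TMPDIR:-/tmp}/secure.log.sample.$$
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
echo "Failed attempts by source:";                 failed_by_source "$LOGFILE"
echo "Accepted logins (user ip method):";          accepted_logins "$LOGFILE"
echo "Successes from addresses that also failed:"; suspicious_successes "$LOGFILE"
echo "Remote Login: $(remote_login_state)"
rm -f "$LOGFILE"
```

On the sample, the last summary flags `guest 10.0.0.5`: the one login that followed a run of failures from the same address, which is exactly the line to follow up. As the message notes, an intruder with root can edit these logs, so an empty summary is reassuring only if the log itself is intact.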