The Uncomfortable Truth About Trojans
Filed Under Computers & Tech, Security on July 1, 2008 at 1:18 pm
Although it is true that some Trojans use vulnerabilities like the current ARDAgent vulnerability to gain root access, they do not need to. The core message about Trojans is getting lost amidst all the talk about plugging this vulnerability. Even if there were not a single vulnerability in OS X, we would still be at the mercy of Trojans. That’s the whole point of Trojans. Any program you run can do anything you can do. Let’s think about that for a moment: what can you do on your system without needing a password? Here’s a short list for starters:
- You can run programs.
- You can read, edit, and delete files.
- You can use the network.
- You can set programs to auto-start each time you log in.
Remember, a Trojan is just an ordinary program that pretends to do something you want, but actually does something else. It could delete all your files. It could run a key logger and phone home with your credit card number, user names and passwords, bank details, etc. It could use your machine to send spam. It can set itself to automatically run each time you log in and continue with its nefarious actions. It can do all this WITHOUT the need to exploit a single vulnerability in your OS or your software. If you can do it, a Trojan can. Think about that for a second; it’s not a comforting thought!
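One way to review the last item in the list above, as an added example that is not part of the original post: list the per-user launchd jobs, which any program running as you can create without a password, and show what each one starts. It assumes the standard macOS location `~/Library/LaunchAgents`; the function names and flag names are made up for illustration, and `demo()` runs on constructed sample data.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Per-user launchd job directory on macOS; the logged-in user can write here
# without a password prompt.
USER_AGENTS = Path.home() / "Library" / "LaunchAgents"

def agent_target(job):
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [None]
    return job.get("Program") or args[0]

def audit_agents(directory):
    """Return one (file, target, flags) finding per .plist in `directory`."""
    findings = []
    paths = sorted(Path(directory).glob("*.plist")) if os.path.isdir(directory) else []
    for path in paths:
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)
            if not isinstance(job, dict):
                raise ValueError("plist root is not a dictionary")
        except Exception:
            findings.append((path.name, None, ["unparseable"]))
            continue
        target, flags = agent_target(job), []
        if job.get("RunAtLoad"):
            flags.append("run-at-load")
        if target is None or not os.path.exists(target):
            flags.append("target-missing")
        elif os.access(target, os.W_OK):
            # Anything running as this user can replace the binary silently.
            flags.append("target-user-writable")
        findings.append((path.name, target, flags))
    return findings

def demo():
    """Audit a constructed directory (sample data, not from a real machine)."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp, "updater")
        tool.write_text("#!/bin/sh\n")
        jobs = {"a.plist": {"Label": "example.a", "Program": str(tool), "RunAtLoad": True},
                "b.plist": {"Label": "example.b", "ProgramArguments": ["/nonexistent/tool", "-q"]}}
        for name, job in jobs.items():
            Path(tmp, name).write_bytes(plistlib.dumps(job))
        Path(tmp, "c.plist").write_bytes(b"not a plist")
        return [(name, flags) for name, _, flags in audit_agents(tmp)]

if __name__ == "__main__":
    for name, target, flags in audit_agents(USER_AGENTS):
        print(name, target, ",".join(flags) or "-")
```

An entry you do not recognise, or one whose target sits somewhere your own account can overwrite, is the thing to look at first.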
It’s fair to say that such a Trojan can completely destroy your machine and your life. It can destroy your files, and steal your identity and your money. Surely that’s enough to be getting on with. Sure, a Trojan can do all that a little more effectively as root, but preventing Trojans getting root is just stopping something disastrously bad becoming a little worse. This is why I worry so much about the amount of attention that is being focused on the ARDAgent vulnerability and protecting yourself from that vulnerability, rather than getting the core message out there that Trojans can strike WITHOUT the aid of any form of vulnerability. The impression being given is that if you work around the ARDAgent vulnerability in some way you are safe. That simply couldn’t be further from the truth.
As always, the real security message is getting lost amid the panic. So what is the real security message? It’s simple: NEVER INSTALL ANYTHING FROM AN UNTRUSTED SOURCE, EVER. The current Trojan is aimed at satisfying people’s need to gamble. Rest assured we’ll see similar beasts to satisfy people’s need for pornography, or indeed anything. Gardening, knitting, you name it. The bad guys are after all of us, not just the gamblers and pornography lovers! We see this in the Windows world already. As Mad-Eye Moody would bark, “constant ever present vigilance!”
The time for smugness is well and truly over. It has been for some time, but people have been reluctant to read the signs. The bad guys have taken notice of the Mac. It is a prime target for them. Mac users are unsuspecting, often complacent, and generally very naive about security. They simply don’t expect to be targeted so they make an exceptionally juicy target. It’s time to start acting like we’re in the cross-hairs of the bad guys, because we most certainly are.
Nicely said. I have been saying things like that to a friend of mine for a while. Just because there are no viruses on a Mac/*nix O/S does not mean that they are safe.
It also is no reason not to keep an eye out for them. Most of the reason that they are almost non-existent comes down to the fact that Mac and *nix do not make up the majority of computers. You get a better return for your effort on Windows computers.
Of course “Constant Vigilance” is important in our dealings over computer networks, or well the real world.
Phishing will get your information, if you are not paying attention.
In the end it just comes down to staying awake and trusting no one, especially not if they claim to be from your bank or ISP/porn provider!!!
On the nosillacast podcast you say that you would not trust another web site with your passwords.
What are your thoughts on the My1password.com website from the 1password people?
Their app is fantastic and I rely on it heavily – but I am very hesitant about placing all my passwords on a website I have no control over – even if the data is encrypted.
Hi Kevin,
I’ll be honest and say that I’ve never really looked into how my1password works. I use Password Vault on a USB thumb drive so that way I have control over my data. If you trust that they do what they say and that the data really is encrypted then it’s probably fine, but it does come down to trust. It’s easy to SAY you do stuff, that doesn’t mean you do it! In fact, that’s the whole point with Trojans, they say they’re codecs or games or whatever but are really key loggers etc. It all comes down to trust. Ideally you should adopt what Steve Gibson of Security Now fame calls TNO, or Trust No One, but in reality that’s not really practical. Yet again it’s a trade-off between security and practicality.
Bart.