On Jun 21, 2005, at 15:33, Paul Moortgat wrote:

> The answer from Randy B. Singer (from iomug) is:
>
> The only spyware for the Macintosh has to be physically installed and the
> person installing it has to know the user's password to do so.

[...]

On Jun 21, 2005, at 15:47, Ron Steinke wrote:

> Shouldn't you have indicated that the spyware has to be physically
> installed from the CD and by the user him/herself with the use of the
> admin password?

(1) The statement quoted by Paul is wrong. With physical access, it is perfectly possible to install anything without any password. All you have to do is boot the Mac from a CD (which even a novice can make with BootCD) or a FireWire drive. It's more difficult if the Open Firmware password is enabled, but even that can be bypassed. Basically, if someone has physical access to a Mac, you can consider the machine compromised.

(2) The notion that spyware or malware can only be installed "from the CD" is wrong. The most serious Mac malware so far is Renepo, and it can install itself over the LAN. Moreover, it is possible to install malware without a password, by piggy-backing on sudo (this is a feature common to all Unix systems). Moreover, the Zaptastic exploit has shown that, in Tiger, it is possible to install malware without a password and even without the user being aware.

Having said that, the threat on the Mac is minimal. With a few basic steps (such as unchecking the "Open safe files" option), you can be reasonably secure -- the stress being on "reasonably".

Finally, there is a common misperception about malware. As soon as something goes wrong, many users immediately think, "I have a virus!". In fact, even on Win, a bug or configuration problem is much more likely than a virus. On Mac, at this point, having a virus or malware is like being hit by a meteorite on the head -- it's not impossible, but the likelihood is not worth talking about.

ƒ