Partial Blame Should Fall on Adobe

I like to consider myself a long-time Apple user, but that would be an insult to those who have been using Mac products since before my birth. However, in the last ten years I have used Apple products almost exclusively. I spent three years working at an Apple Authorized Service Provider, repairing Apple products, primarily computer hardware and software (I dabbled in iOS devices for about a year). In that time I repaired many Macs that were infected with malware. One threat vector recurred so often that I would put it behind over 75% of the malware-infected machines I saw: the fake Adobe Flash Player installer.

[Image: fake.png]

I don’t have enough fingers and toes to count the number of times I have talked to someone whose Mac was infected with malware after they “received a notification for an Adobe Flash update” while perusing a website. They click the update link, and suddenly they have a malware problem.

[Image: Screen Shot 2019-03-21 at 7.01.46 PM.png]

Attackers have made their fake Adobe Flash Player downloaders look more and more like the real thing. When I say “the real thing,” I don’t necessarily mean that it looks just like Adobe’s installation webpage, but they do make it look legitimate. Take a look at the image to the right. It is a piece of malware wrapped to look like a downloader for an Adobe Flash Player update. Typically these pop-ups appear on websites that aren’t secure. One theme I saw frequently was a pop-up after pirating media, whether ripping YouTube videos or visiting well-known torrenting sites. I have typically placed 99% of the blame directly on Apple, for multiple reasons. First and foremost, they have been known to spread the rumor that “Macs don’t get viruses.” This is an outright falsehood. Apple tried very hard to make that phrase popular, but the truth is that Mac malware has been skyrocketing.

A large share of this malicious software turns up on the machines of users under 25 years of age and over 55. I think the reason depends on the group. The older generation is typically more trusting: they can’t rationalize why someone would want to infect their computer, and their instinct is to assume good faith.

I thought there had to be more to this issue than Apple not cracking down hard enough on malware. The Mac’s built-in protection, in the form of MRT (Malware Removal Tool) and XProtect, simply doesn’t work well enough. You need supplemental software to protect your machine. A follow-up issue is that these malware removal apps are not available in the App Store. Actually, let me clarify: there are apps in the App Store, but they are not good. To host your app in the App Store, there are very specific things it can and can’t do, and some of the things Apple restricts are necessary for a good A/V (antivirus) to have. I’ll give you some great malware-removal tools and AVs at the bottom of this post.

So where does Adobe fit into all of this?

It’s obvious that this threat vector is extremely common. But why? I started digging through Adobe’s webpages and looking into their release notes. Typically, when a developer provides an update for a piece of software, they also include “Release Notes,” usually a short summary or itemized list of bugs fixed, glitches resolved, security issues patched, and so on. When you look at the release notes for Adobe Flash Player, the list is incredibly long, and not just the list of notes but the number of releases.


[Image: adobeUpdates.png]

It’s not unusual for Adobe to push out more than one update per month. That is a lot of releases: they’re averaging one per month so far in 2019, and averaged above that throughout 2018. This shows that Adobe’s Flash Player truly does need to be updated regularly, and as users we have become so accustomed to its need for updates that, since Adobe Flash Player’s inception in 1996, we have blindly trusted that an update is required. Why? Because we’re used to it actually needing to be updated. When Adobe routinely gives you monthly notifications that you need to update their software to navigate to certain websites or to watch videos on specific webpages, we aren’t surprised when we navigate to a website, get a pop-up saying the software needs to be updated, and click Accept. We definitely shouldn’t be clicking Accept on random websites just because a pop-up says Adobe Flash Player needs to be updated. But why have we never criticized Adobe for pushing these monthly releases, or for not being more forthcoming about how malware uses their logo and name to mask itself? The only place you’ll see this type of comment on an Adobe website is on their forums, where users are asking how to get rid of malware after installing a fake Adobe Flash Player. So I’m calling for Adobe to step up to the plate and address an issue that has been plaguing Mac users for years now.

[Image: defense.jpg]

Since it’s unlikely this issue will be resolved any time soon, let’s play a little defense. There are many pieces of software that can help prevent malware and can detect these fake Adobe installers the second they hit your machine. There are also additional tools for more advanced users that can help you do a little digging.

For me, the best piece of software you can have is Malwarebytes for Mac. Malwarebytes for Mac, which used to be a piece of software called Adware Medic, was created by Thomas Reed and is used to search a computer for malware, adware, and potentially unwanted software. The software used to be free, but it is now mostly paid and subscription-based. If you’re frustrated that you can’t just buy the software outright, I’ll tell you right now that everything is going the way of subscriptions. There’s no way to get around it; for developers, subscriptions are a more effective way to get and keep customers. Malwarebytes still has a limited free version that will clean your Mac, but its preventative features are disabled after the 14-day trial expires. I highly, highly recommend buying the Premium subscription, which runs only $39.99/year for one device. You won’t find a better deal than that or a better product. (By the way, this is in no way a sponsored post; this is simply my opinion.) Another great part of Malwarebytes is that they now offer an iOS app, which helps you recognize spam calls and provides web protection and ad blocking. Again, I can’t recommend it enough.

[Image: signed.png]

Another piece of software is brought to you by the incredible folks over at Objective See. All of the software you find at Objective See is both open source and free. They offer something called What’s Your Sign. This small program, once installed, allows you to right-click on software and see if it is “signed.” Legitimate software is signed, meaning the developer has digitally signed it to show that it is authentic. When you right-click an app and choose the Signing Info option, you get a small window that shows whether it is signed. We see in the image to the right that the signing authority is Objective See LLC, the creator of What’s Your Sign. So with something like Adobe, we should see that the software is signed by Adobe proper, similarly to how apps coming from Apple’s App Store need to be signed by Apple proper. We also see in the above photo that the lock is locked.

[Image: signed2.png]

Now let’s look at this fake Adobe Flash Player. Notice how the lock is unlocked and the signing authority field reads “unsigned.”
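The same check can be done from the Terminal with Apple’s built-in `codesign` tool, which is where What’s Your Sign gets its information. The script below is an added example written for this post; it is not What’s Your Sign’s code or anything from Objective See. It runs `codesign -dv --verbose=4` on an app bundle, parses the `Authority=` lines (the leaf certificate comes first, the root last), and reduces them to the question a user actually has: is it signed, and by the vendor whose name is on the installer? The vendor name to expect, the `Example Vendor` certificate and the sample outputs are constructed for illustration.

```python
"""Check a macOS app bundle's code signature from the command line.

Added example, not part of the original post or of Objective-See's
What's Your Sign. It shells out to Apple's `codesign` tool and parses the
"Authority=" lines it prints. The expected-vendor strings and the sample
outputs at the bottom are constructed for illustration.
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class SigningInfo:
    signed: bool
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)


def parse_codesign_output(text: str) -> SigningInfo:
    """Parse the output of `codesign -dv --verbose=4 <path>`.

    An unsigned bundle makes codesign print
    "<path>: code object is not signed at all" instead of key=value lines.
    """
    if "code object is not signed at all" in text:
        return SigningInfo(signed=False)
    info = SigningInfo(signed=True)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            # One line per certificate in the chain, leaf first, root last.
            info.authorities.append(value)
    return info


def verdict(info: SigningInfo, expected_vendor: str) -> str:
    """Is it signed, and does the leaf certificate name the vendor we expect?"""
    if not info.signed:
        return "UNSIGNED: do not run this"
    leaf = info.authorities[0] if info.authorities else ""
    if expected_vendor.lower() in leaf.lower():
        return f"signed by {leaf}"
    return f"signed, but by {leaf or 'unknown'}, not {expected_vendor}"


def check_bundle(path: str, expected_vendor: str) -> str:
    """Run codesign on a real bundle (macOS only) and return the verdict."""
    proc = subprocess.run(
        ["codesign", "-dv", "--verbose=4", path],
        capture_output=True, text=True,
    )
    # codesign writes the signature details to stderr, not stdout.
    return verdict(parse_codesign_output(proc.stderr), expected_vendor)


# Constructed sample outputs in codesign's format (not captured from a real machine).
SIGNED_SAMPLE = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Vendor LLC (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLETEAM
"""
UNSIGNED_SAMPLE = "/Users/me/Downloads/FlashPlayer.app: code object is not signed at all\n"

if __name__ == "__main__":
    print(verdict(parse_codesign_output(SIGNED_SAMPLE), "Example Vendor"))
    print(verdict(parse_codesign_output(UNSIGNED_SAMPLE), "Adobe"))
```

On a real Mac, `check_bundle("/path/to/Something.app", "Adobe")` does the live check; the `__main__` block only exercises the parser on the constructed samples so the script can be read and run anywhere. A signed-but-wrong-vendor result deserves as much suspicion as an unsigned one.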

Objective See and the app’s creator, Patrick Wardle, make fantastic tools that you should check out at Objective-See.com.

As per usual, let me know if you have questions regarding your machine. If you see something suspicious, don’t hesitate to tell me.

Best Mac Security Tools of 2017

[Image: Computer_virus_illustration.jpg]

As we round out another year, I look back at everything that has happened this year with computer security, especially in the Apple sector.

We can look back at WannaCry, the ransomware attack that ravaged Microsoft systems across the world in May. It infected around 300,000 computers and over 200,000 victims. This was quickly followed by another piece of ransomware called Petya. In March, a trove of 8,761 documents, entitled "Vault 7," was posted to WikiLeaks: a collection of stolen documents describing alleged spying operations and various hacking tools. This doesn't even take into account the massive number of DDoS (Distributed Denial of Service) attacks against companies and individuals. And we cannot forget the massive data leaks of the past few years, which include but are not limited to Equifax, Target, Sony, Yahoo, Ashley Madison, Adult Friend Finder, and last but not least, Stuxnet.

With all of that said, although not all of these attacks targeted the Mac operating system, some of them did. Because of that, we have compiled a list of the top security tools of this year. They weren't all produced this year, but they are the security tools that I use daily and trust whole-heartedly. We will also recount some of the biggest tricksters and liars of the year in our next blog post.

If you are interested in or have questions about any of this year's top security tools, please let me know. Send me an email at stuart@crashsecurity.com.


Top 5 Mac Security Tools of 2017:


Honorable Mention

[Image: nordvpnlogo-100726095-large.jpg]

NordVPN

NordVPN is my favorite VPN (virtual private network) I've used thus far, and I have tried quite a few. After being dissatisfied with the price of the last one I used, ExpressVPN, I moved to NordVPN.

I learned of a great comparison site called That One Privacy Site that provides a breakdown of tons and tons of VPNs. To sum up VPNs: they carry your traffic through an encrypted tunnel and hide your real IP address behind the VPN server's, so you can remain relatively anonymous while browsing the internet. With how many different things I research, I have to use a VPN. NordVPN is one of the top rated, and it also has great reviews. You can choose where you want your traffic routed through, whether it be Canada, Europe, Asia, or anywhere in between.

Sign up for the two-year plan for $3.29/month.

Follow NordVPN on Twitter: @NordVPN


No. 5

[Image: Screen Shot 2017-12-22 at 2.27.29 PM.png]

GPG Tools

This suite of tools, GPG Suite, allows you to send encrypted emails. Although it may seem as if your email is impenetrable, it isn't. This tool can be tough to configure, but once set up it is an amazing application. It allows you to give your public key to others, with which they can send you encrypted messages; the only way to read those messages is to decrypt them with your private key. It uses the OpenPGP standard, PGP standing for Pretty Good Privacy (no joke). Using a key server, you can look up your friends' public keys to send them encrypted email whenever you need or want to. It is a plug-in for Mac Mail, so if you use a different email client, you may have to download a different tool. This is available for macOS 10.9 and higher. Read more at their website, which is linked in their title.

To send me an encrypted email, my public key is: BB387DBD

Follow GPG Tools on Twitter: @GPGTools


No. 4

[Image: littlesnitch_256.png]

Little Snitch

Little Snitch is a network monitoring tool that makes your connections visible. You can allow or block certain connections, as well as set parameters on the connection. Say I want to do an Adobe update, but I only want my computer reaching out to Adobe's server address for 30 minutes: I can set the rule to allow the connection for 30 minutes, and after that time expires the connection will be blocked. You can also block a site for a certain amount of time or "Forever," and the same goes for allowing sites. I allow my computer to connect to the iCloud server "Forever," as I constantly have things syncing with my iCloud account.

[Image: microsnitch_340.png]

Little Snitch now also has a companion piece of software called Micro Snitch, which monitors your computer's camera and microphone and alerts you when they go active. I have found this piece of software not as useful, and I will explain why a little further down this article.

Follow Little Snitch on Twitter: @LittleSnitch


No. 3

[Image: infected-files.jpg]

ClamXAV

ClamXAV has, for years, been my favorite antivirus on the market, for multiple reasons. One common issue with running antivirus on a Mac is live monitoring. For quite some time, ClamXAV did not support live monitoring; it was instead a simple but powerful antivirus scanner. If you run a full scan, it will bog your machine down, so I would simply set it up at night and let the scan run while I slept. When I woke up, it had a list of all the issues it had found, and I could immediately put them in my Trash.

What ClamXAV has released more recently is ClamXAV Sentry. It is a live-monitoring piece of software that I set up to monitor specific folders. Obviously, the folder most likely to get infected on your computer is your ~/Downloads folder, since anything downloaded from the internet typically lands there. I have it monitor my Downloads and my Desktop, as well as a few hidden folders. Most everyday users would not need to worry about the hidden folders, but because of how much I play with malware, I set it up to scan them anyway.

So why do I like ClamXAV over Norton, Sophos or McAfee? Well, those programs' live monitoring is extremely CPU-intensive; I find myself getting angry with how slow it makes my machine run. With ClamXAV, I've never had that problem. ClamXAV is also one of the quickest AV engines to pick up new malware in the wild, so I cannot recommend it enough.

There is a free trial, but it is now a paid program, and I think it is well worth the $29.95.

Follow ClamXAV on Twitter: @ClamXAV


No. 2

[Image: Malware-Bytes.png]

Malwarebytes for Mac

Another amazing malware remover and antivirus is Malwarebytes. For many years, Malwarebytes stuck pretty specifically to malware and something referred to as PUPs (Potentially Unwanted Programs). More recently, they have begun diving into the AV community, and with each update, Malwarebytes and ClamXAV get more and more similar in what they do. Malwarebytes for Mac was a program I used often to help rid people of unwanted programs and adware. We will dive into some of these PUPs in our next blog post, but Malwarebytes was always there, and it would always remove the program fully, not leaving behind any files, no matter how deep they were buried in your system.

Malwarebytes recently released Malwarebytes Premium 3.0, which is not only a malware scanner but antivirus software with "Real-Time Protection," their version of live monitoring. I got this upgrade immediately, and although there were some bugs early on with the program using large amounts of memory, sometimes even when it wasn't running, those bugs have since been resolved. Malwarebytes is also touted as one of the top antivirus scanners.

Take the image below. It shows live threats that Malwarebytes (for Windows and Mac) is catching, as well as threats it caught that other antivirus software did not. This is a screenshot I took less than two minutes into this map populating in real time. I can't imagine what it would look like if I let it run for hours on end.

[Image: Screen Shot 2017-12-21 at 11.58.55 AM.png]

Malwarebytes is now the company to beat when it comes to antivirus. They are also one of the first companies to catch new threats, and they keep very busy on social media platforms for support and tips. You can download the free or paid version.

They also frequently blog about security issues, which I highly recommend reading. They are very up to date on everything that has to deal with computer security.

Follow Malwarebytes on Twitter: @Malwarebytes

Follow Malwarebytes for Mac specialist Thomas Reed on Twitter: @ThomasAReed


No. 1

[Image: CaY75aNi_400x400.png]

Objective-See

Objective-See and creator Patrick Wardle have been pumping out free application after free application for years now. No, they don't have one app, they have OVER 10!

First, Oversight, one of their newer applications, does live monitoring of your computer's camera and microphone. As I mentioned earlier, Micro Snitch does this as well, but anything produced by Patrick Wardle is going to be some of the best software out there. It is easy to run and easy to set up, and it just runs in the background, using virtually no CPU or memory. It is fantastic. You can allow or block access as it happens, so you will instantly know if someone is using your camera without your permission.

In addition, they've added another application called BlockBlock, which monitors common persistence locations on your computer: the locations where malware may install itself so that it runs again after a reboot.
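To make "persistence locations" concrete, here is an added example written for this post (not BlockBlock's code or anything from Objective-See) that takes the poor man's approach to the same problem: record a baseline of the launchd folders where an app or script can register itself to start at login or boot, then diff against that baseline later to see what appeared or changed. The directory list is the standard launchd set; the `demo()` function runs on a constructed temporary folder rather than the real ones, so it is safe to run anywhere.

```python
"""Snapshot the common macOS persistence locations and report what changed.

Added example, not part of the original post or of Objective-See's
BlockBlock. BlockBlock watches these locations live; this script records a
baseline and diffs against it later, which is enough to spot a LaunchAgent
that appeared after a bad download. The demo at the bottom uses a constructed
temporary tree instead of the real directories.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# launchd persistence locations on macOS (per-user and system-wide).
PERSISTENCE_DIRS = [
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
]


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs) -> dict:
    """Map every file under the given directories to its SHA-256."""
    result = {}
    for d in dirs:
        root = Path(os.path.expanduser(d))
        if not root.is_dir():          # system dirs may be absent on other OSes
            continue
        for p in sorted(root.rglob("*")):
            if p.is_file():
                result[str(p)] = _digest(p)
    return result


def diff(before: dict, after: dict) -> dict:
    """Return added, removed and modified paths between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def save(snap: dict, path: str) -> None:
    Path(path).write_text(json.dumps(snap, indent=1))


def load(path: str) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed demonstration on a temporary directory: plant a new
    'LaunchAgent' plist and alter an existing one, then report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp) / "LaunchAgents"
        agents.mkdir()
        (agents / "com.example.good.plist").write_text("<plist/>")
        before = snapshot([str(agents)])
        (agents / "com.example.suspicious.plist").write_text("<plist/>")
        (agents / "com.example.good.plist").write_text("<plist>changed</plist>")
        after = snapshot([str(agents)])
        # Report file names only so the result does not depend on the temp path.
        return {k: [Path(p).name for p in v] for k, v in diff(before, after).items()}


if __name__ == "__main__":
    # Real use: save(snapshot(PERSISTENCE_DIRS), "baseline.json") once, then
    # later print(diff(load("baseline.json"), snapshot(PERSISTENCE_DIRS))).
    print(json.dumps(demo(), indent=1))
```

Anything in the "added" or "modified" lists that you did not install yourself is worth looking at; BlockBlock simply does this at the moment the file is written instead of after the fact.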

Another application, Ransomwhere?, helps stop ransomware from making you a victim. It notices when something is encrypting your files, and you can either approve or terminate the process that is doing so. This is a fantastic tool, seeing as ransomware has constantly been on the rise, especially over this past year.
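How does a tool notice that "something is encrypting your files"? The usual signal is that encrypted output is close to random, so its Shannon entropy sits near 8 bits per byte, whereas documents and code sit well below that; one such file is normal (archives, compressed images), but many of them written by a single process in a short window is not. The script below is an added example written for this post, not Ransomwhere?'s code or anything from Objective-See, and the threshold, burst window and sample write events in it are constructed assumptions chosen to illustrate the idea.

```python
"""Flag a burst of high-entropy file writes, the signal ransomware gives off.

Added example, not part of the original post or of Objective-See's
Ransomwhere?. The entropy threshold, burst window and sample events are
constructed assumptions for illustration.
"""
import math
import os
from collections import Counter, defaultdict, deque

ENTROPY_THRESHOLD = 7.2   # bits per byte; assumed cut-off for "looks encrypted"
BURST_COUNT = 5           # this many suspicious writes ...
BURST_WINDOW_S = 10.0     # ... within this many seconds raises an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


class BurstDetector:
    """Track encrypted-looking writes per process id and alert on a burst."""

    def __init__(self, count=BURST_COUNT, window=BURST_WINDOW_S):
        self.count, self.window = count, window
        self._events = defaultdict(deque)   # pid -> timestamps of suspicious writes

    def observe(self, pid: int, ts: float, data: bytes):
        """Feed one write event; return an alert string or None."""
        if not looks_encrypted(data):
            return None
        q = self._events[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.count:
            return f"pid {pid}: {len(q)} encrypted-looking writes in {self.window:.0f}s"
        return None


def run_events(events):
    """Replay (pid, timestamp, payload) tuples and return the alerts raised."""
    det = BurstDetector()
    alerts = []
    for pid, ts, data in events:
        alert = det.observe(pid, ts, data)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: pid 100 saves a few plain-text documents, while pid 200
# rewrites six files with random bytes (standing in for ciphertext) in 3.5 s.
TEXT = b"Quarterly report: revenue up 4%, costs flat. See attached table.\n" * 64
SAMPLE_EVENTS = (
    [(100, t, TEXT) for t in (0.0, 1.0, 2.0, 3.0, 4.0, 5.0)]
    + [(200, 6.0 + i * 0.7, os.urandom(4096)) for i in range(6)]
)

if __name__ == "__main__":
    for line in run_events(SAMPLE_EVENTS):
        print(line)
```

In a real tool the `observe()` calls would be driven by file-system events rather than a replayed list, and the alert would be the point at which the user is asked to approve or terminate the process, exactly the choice Ransomwhere? presents.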

Wardle has also released multiple open-source tools, encouraging users to download the programs from a Git hosting site like GitHub. One of the more recent open-source tools, ProcInfo, lets you find a specific process and analyze it, so you can trace what the process is doing and see whether it is malicious.

They have also produced an open-source firewall called LuLu. It blocks any outgoing connection until it is approved by the user. I just recently started using LuLu, and I love it so far.

Again, all of these applications are FREE.

These are just four of the many tools that Objective-See has produced. I would highly suggest using them, and if you need help installing any of them, don't hesitate to let me know.

Follow Objective-See on Twitter: @Objective-See

Follow Patrick Wardle on Twitter: @PatrickWardle


In conclusion...

These are applications that I LOVE. I don't get paid to promote any of these. In fact, the free tools by Patrick Wardle and Objective-See are on Patreon, and I donate to them monthly because I believe so much in the power of the products. To show you how much I like these, I took a screenshot of my toolbar, where you can see many of these currently running.

(From left to right): MicroSnitch, BlockBlock, LuLu, ClamXAV Sentry, Little Snitch, Malwarebytes Premium 3.0, Oversight, NordVPN

Don't take Mac security for granted. All Macs are susceptible to malware. It's not too late to download these applications. Again, if you need any assistance installing or operating these programs, please don't hesitate to contact me, either for a home visit through my House-Call page or for general questions through my Contact page.