The whole Symantec “fear-factor” article/stunt has brought the Mac world up-in-arms. I find it sad that most of the negative feedback come from people who are merely over-confident, or complacent… and do not know the real danger that may happen. It’s one thing to be confident in your system – hell even I am confident in my systems (both Windows and Mac), but quite another to expect them to be bullet-proof.

While again, the security architecture of the Unix framework is a formidable barrier for the most part, it still doesn’t mean that it cannot be cracked.

A post I read on a messageboard should put things into perspective:

Complacency will get you 0wn3d.. we should remember there are some fairly serious unpatched vulns still out there in the default install (e.g. iSync), and rootkits in development.

(For an explanation of the vuln, see: http://secunia.com/advisories/13965/. For a fix, see: http://www.drunkenblog.com/drunkenblog-archives/000411.html)

Are you sure that update/game/photoshop filter you just got from p2p is not a trojan that will rootkit your box and turn it into a spambot/kiddiepornserver etc ?

Do you know how to check ? Could you find out if it had happened ?

Since it is a local vulnerability, this is the type of thing someone exploits to completely own your box once they’ve gotten onto your system another way. Meaning if they have direct access to your system (i.e. using the machine themselves, or you running something that allows them access)

In the scenarios mentioned above, this is nothing different from running an infected program from a download, email, etc. The number of incidents involving these types of exploits may be rare, but they are out there. And Symantec’s argument would actually be valid if taken in such context.

Of course that doesn’t mean that we all should lose faith in our OS(es), believe Symantec at face value, and pony-up some cash for their AV software. A good (not to mention free) first-line of defense, aside from good internet habits, would be applications such as Checkmate.

Checkmate basically “inoculates” your system by fingerprinting specific files (which you can add to) via matching their MD5 checksums periodically. If that checksum changes, it mean’s the file has been changed and checkmate will alert you for your approval. I’ve set mine to check once a day.

The trouble with the current version is while the concept is sound, the built in interface of the pref pane only allows you to add files which are visible, and that you can navigate to. Also, it will allow you to add cocoa Applications, but as they are bundles/packages, it won’t caculate the hash – ergo cannot compare checksums.

There is however a trick/hack that can workaround this problem. Quoted and edited from one of the forums I frequent:

First, download Checkmate

Download an updated plist from: http://members.lycos.co.uk/hardapple/txt/com.brianhill.checkmate

Replace the exisiting Checkmate plist (/Library/Preferences/SystemConfiguration/com.brianhill.checkmate)

If you know vi, or are comfortable editing plists, you can add more.. but there is an easier way. Here’s how to add Cocoa binaries via the Aqua gui:

Navigate to the app you want to protect.

Option-click (ctrl-click, or right mouse button) “show package contents”

Option click on the xxx.app/contents/ folder, and select “copy path to clipboard”

Go to System Preferences, open the Checkmate pane.

Click “Files”

Click “Add..”

Press command-shift-g (this allows you to enter a path name)

Press command-v (paste)

You will now be able to browse the package contents from within Checkmate.

Select any Unix executables you wish to hash. For example, the full path to the Keychain access binary is: /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

To fingerprint files inside invisible directories (e.g. /usr/sbin/) navigate there via the terminal, copy the path, and use the command-shift-g trick above.

Another problem is that Checkmate doesn’t seem to be updated any longer, but still is pretty darn good at what it does. So I’m following the idea other people have: Please write to Brian Hill, thank him for his excellent work, and ask him to release the source code under the GNU/GPL license