Archive for Downsizer - For an ethical approach to consumption

Downsizer Forum Index -> IT Matters
dougal

Mac OS X First Trojan/Virus/Worm


There now exists the first ever real Mac OS X nasty.

It spreads via iChat.
An infected machine sends out a file to everyone on the Buddy list.
*IF* the user decompresses and opens this file, their machine can be infected. So it could be called a Trojan Horse. (Dunno yet what happens if you are a non-Admin user).
The file -- latestpics.tgz -- should just be binned if you see it. *Don't* open it! Even though it has come from someone you know!
It infects other programs (like a virus), and when iChat is next run it sends itself to everyone on your Buddy list (it's a worm).

It uses Spotlight (a 10.4 feature). No info yet on what happens with earlier versions.
I expect there will be variants with other filenames.

dpack

Well, that's ugly. How's the immune system of Mac OS?
I'm XP and use protection.
Is it smallpox to the New World?
mrutty

Well, the first virus apart from http://software.silicon.com/malware/0,3800003100,39125245,00.htm

or any of these ones http://www.sophos.com/virusinfo/analyses/search-results/?search=mac&search_type=virus_search&action=search&submit.x=61&submit.y=9
jema

Is any system anywhere immune if someone actually is darn fool enough to open an arbitrary executable file?
mrutty

Nope, even VMS will kill itself if you are logged in as FP and open a dumb file.
dougal

mrutty wrote:
Well the first virus apart from http://software.silicon.com/malware/0,3800003100,39125245,00.htm

or any of these ones http://www.sophos.com/virusinfo/analyses/search-results/?search=mac&search_type=virus_search&action=search&submit.x=61&submit.y=9


I'm sorry, mrutty, but you are plain wrong.

It *is* the first virus or worm for Mac OS X as I clearly titled the thread.

Opener (aka Renepo) (mrutty's silicon.com reference) is a rootkit, and had no means of self-installation. It actually required an admin password to install it.
Sophos says this of it "Note that any attacker trying to plant this worm in your network would need to get root access on one of your boxes first, meaning that you would already be "owned". Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks."
That ain't a virus.

Sophos lists a trojan, Amphimix. But - "Mac OS X MP3 Trojan horse threat overhyped, says Sophos"... "Mac/Amphimix-A first appeared as a 'proof-of-concept' on the internet (even though the concept of Mac programs under disguise is not a new one), and was widely reported by the media as a "new form of Mac OS X virus". But it is neither specific to Mac OS X, nor is it a virus."
http://www.sophos.com/pressoffice/news/articles/2004/04/va_macmp3.html
Strangely, their list includes several Windows-only viruses...
And they list a few of the 90 or so viruses that emerged for the Mac OS since 1984.
It was quite nostalgic to see some of the old names!
nVIR was 1989
'Scores' was Christmas 1991.
Autostart was as recent as 1998. It could be defeated by turning off (checkbox) the 'autorun from cd' feature... mmm, tough!

Most of these won't even function under OS9... Far less X.


Todays 'lastpics' thing is known to Sophos as OSX/Leap-A.
And it IS the very first such exploit for, as I said, Mac OS X.

(Being wrongly 'corrected' is one of those things that I do find annoying...)


Until now, users opening ports (such as for SSH) while having insecure passwords, or even open guest access, have been the major security risk. And yes, M$ Office users do have to watch out for Macro malware under OS X.

Interestingly, this virus has not yet been released as a Universal Binary, and does not affect the new Intel Macs.
I would suspect that, being Spotlight-dependent, it won't spread under 10.3 and earlier, but I don't know yet what happens when it fails... (It was only reported today!)
dougal

I gather that the "lastpics" thing, aka Oompa-Loompa or Leap.A, installs something called an 'Input Manager'.

I learn from a post on another matter in http://www.toxicsoftware.com/blog/ that
"Input Managers are stored in “~/Library/Input Managers” and “/Library/Input Managers” and once an Input Manager has been installed, every application the user runs after installing the Input Manager will have the Input Manager inserted and executed within the application."

Yeah, that really does sound powerful... and powerfully attractive to those of a certain disposition.
In fact, it does sound rather like a system *provided* virus attachment facility.

Something of a catastrophically gigantic BooBoo to have permissions for such folders so wide open that these things can somehow be installed without an Admin password...

So - we have
- a trojan requiring the victim to first decompress then open what appears to be a document, but also contains an executable
- which copies code into a powerful folder (whose permissions have been mis-set by Apple), and the System itself does the tricky viral stuff of incorporating the wicked stuff (temporarily and non-destructively) into every application as it runs {if the user is Admin, it'd go into the folder in the Root Library, otherwise it just goes in the user's home folder library folder}
- and that presumably runs a fairly simple script which mails out stuff to everyone on the Buddies list (the worm stuff)
- and so while there may be other aspects of the payload, doing untold wickedness, the mystery of how the exploit works appears to be horribly simple...

Hence *my* suggestion is that any worried 10.4 users should lock those "Input Managers" folders unless they are deliberately installing software.
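To make dougal's suggestion concrete, here is an added example (written for this page, not code from the thread or from Apple) that lists whatever is sitting in the two Input Managers folders and locks or unlocks them with a plain permission change. Assumptions: on the disk the folders are named `InputManagers` without the space used in the quoted blog text, at `/Library/InputManagers` and `~/Library/InputManagers`; the "lock" is an ordinary Unix `chmod` rather than the Finder's Locked checkbox, so it stops code that simply tries to write into the folder, but anything running as root (or as the folder's owner, if it bothers to `chmod` first) can undo it. The `im-audit.sh` file name is made up for the usage line.

```shell
#!/bin/sh
# Audit and lock the Input Managers folders that Leap-A is said to drop
# its bundle into.  Added example, not part of the original thread.
#
# Assumption: the real folder name on Mac OS X 10.4 is "InputManagers"
# (no space), in the system Library and in the user's own Library.
SYSTEM_IM_DIR="/Library/InputManagers"
USER_IM_DIR="${HOME}/Library/InputManagers"

# Print every entry (each should be an installed Input Manager bundle)
# found in a folder, one per line.  Prints nothing if the folder is absent.
list_input_managers() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue   # the glob matched nothing
        printf '%s\n' "$entry"
    done
}

# Count the entries so a periodic check can alert when the number changes.
count_input_managers() {
    list_input_managers "$1" | wc -l | tr -d ' '
}

# Lock: create the folder first (so malware cannot create it with its own
# permissions) and then remove the write bit for everyone, owner included.
# A process running as a non-root Admin user, the case the thread describes,
# can then no longer drop a bundle in here.  Root can still write, and the
# owner can chmod it back; on Mac OS X `chflags uchg` would add a second
# hurdle but is not used here so the script also runs on other Unixes.
lock_input_managers_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 555 "$dir"
}

# Unlock again only while deliberately installing software.
unlock_input_managers_dir() {
    chmod 755 "$1"
}

# The ten-character permission string, e.g. "dr-xr-xr-x", to verify a lock.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage on the Mac (file name assumed):  sh im-audit.sh audit|lock|unlock
case "${1:-}" in
    audit)
        for d in "$SYSTEM_IM_DIR" "$USER_IM_DIR"; do
            if [ -d "$d" ]; then mode=$(dir_mode "$d"); else mode="absent"; fi
            echo "== $d ($mode, $(count_input_managers "$d") entries)"
            list_input_managers "$d"
        done ;;
    lock)
        for d in "$SYSTEM_IM_DIR" "$USER_IM_DIR"; do lock_input_managers_dir "$d"; done ;;
    unlock)
        for d in "$SYSTEM_IM_DIR" "$USER_IM_DIR"; do unlock_input_managers_dir "$d"; done ;;
esac
```

Run `audit` once on a clean machine and note the entry count; a later audit that shows a bundle you did not install yourself is the thing to investigate. Locking the system folder needs an Admin login (or `sudo`) because `/Library` is root-owned; the user folder can be locked by the ordinary user that owns it, which is also the account the thread recommends doing day-to-day work in.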
mrutty

If you want to use the correct definition of virus then most of the Windows ones don't fit either. Had you said first Mac X in the wild then I'd have agreed with you.

I like to see these Mac users run to justify their toys. Go on, Dougal, join in the IT revolution and get a real machine, and have an old Spectrum you can start with.
dougal

Rolling Eyes
dpack

OK, a bit of common sense and it isn't too bad then.
Is the population of Macs great enough for an epidemic?
mrutty

Yes, it could be an epidemic if both of them get it.
mrutty

dpack wrote:
OK, a bit of common sense and it isn't too bad then.
Is the population of Macs great enough for an epidemic?


In all seriousness, any OS if targeted can be brought down. Most systems are lucky in that Windows is the biggest target out there and so an easy target, yet the first worm was a 'UNIX' worm (AMI if memory serves correctly, but almost UNIX).
dougal

Facts -
- this thing CAN ONLY spread to your iChat 'Buddies' on your own network, it actually cannot self-propagate over the Internet (It goes only to Bonjour! Buddies.)
- and it cannot install unless you deliberately decompress it and then try to Open it *while* you are logged in as an *Admin* user and you are running OS X v10.4
- it doesn't try and do anything other than install itself, spread itself, and try to permanently install itself in any programs that the user runs.
- BUT as a result of a bug in the malicious program, it corrupts rather than infects those programs that are run by the user (logged in with Admin privileges).

Consequently, it looks more like a publicity stunt than anything else.
It doesn't spread itself from network to network.
It requires an Admin user to run it.
And it doesn't actually *do* much...

It provides a reminder that it's a very good idea to do your daily computer usage as an 'ordinary' user, and only to log in as an Admin when actually necessary.
jema

mrutty wrote:
dpack wrote:
OK, a bit of common sense and it isn't too bad then.
Is the population of Macs great enough for an epidemic?


In all seriousness, any OS if targeted can be brought down. Most systems are lucky in that Windows is the biggest target out there and so an easy target, yet the first worm was a 'UNIX' worm (AMI if memory serves correctly, but almost UNIX).


I'd only half agree with you there, as systems with proper file system permissions prohibiting damage being done by non-admin users are far less vulnerable.

The buffer overrun exploits are also a function of the chip architecture, and so some chips are far less vulnerable as well.
mrutty

jema wrote:
systems with proper file system permissions prohibiting damage being done by non admin users are far less vulnerable.


If configured correctly and you know what's really out there. Most systems have all the defaults still loaded, but heck, it pays my wages each month.
mrutty

dougal wrote:
Facts -
- this thing CAN ONLY spread to your iChat 'Buddies' on your own network, it actually cannot self-propagate over the Internet (It goes only to Bonjour! Buddies.)
- and it cannot install unless you deliberately decompress it and then try to Open it *while* you are logged in as an *Admin* user and you are running OS X v10.4
- it doesn't try and do anything other than install itself, spread itself, and try to permanently install itself in any programs that the user runs.
- BUT as a result of a bug in the malicious program, it corrupts rather than infects those programs that are run by the user (logged in with Admin privileges).

Consequently, it looks more like a publicity stunt than anything else.
It doesn't spread itself from network to network.
It requires an Admin user to run it.
And it doesn't actually *do* much...

It provides a reminder that it's a very good idea to do your daily computer usage as an 'ordinary' user, and only to log in as an Admin when actually necessary.


Bit like the Irish virus then, where you delete half the file system yourself. Mind you, I've had System Admins run virus-infected files 'to see what they did' at FP with network connections open to critical systems. Paid for a new car after all the overtime.