
First Mac OS X Virus? 577

Posted by Zonk
from the is-nothing-sacred dept.
bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.
  • Trojan Man? (Score:4, Interesting)

    by green pizza (159161) on Thursday February 16, 2006 @09:44AM (#14731957) Homepage
    Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable? And does this script do any damage beyond the user's home directory? I.E., does it have some sort of a rootkit? Or does it simply prompt the user for the root/admin/sudo password?

    Somebody better wake up Apple and fix this application-looks-like-a-pretty-JPEG icon bug!!
  • by Anonymous Coward on Thursday February 16, 2006 @09:49AM (#14732002)
    Back in high school we used to make little mean scripts in Applescript. Since there was no concept of security or multiple users in Mac OS 7 and 8, the script could do all sorts of nasty damage. All you had to do was compile/"save as" a standalone executable application from the Applescript Editor and paste an innocent icon on it. We liked to use the ClarisWorks icon to be extra mean.

    Another variant was useful on computers that were protected with OnGuard or AtEase. Simply make a script that would pop up a dialog box asking for the password. An unknowing teacher would enter the password and the script would exit... leaving behind a log file with the password in it for later use.

    Nothing magical about these. Very basic trojan horses.
  • by strider44 (650833) on Thursday February 16, 2006 @10:03AM (#14732139)
    Hmm reading the article and the forum threads it seems that the trojan wrecks the user account should it be run, so you don't have to enter the Admin password.

    In other words MacOSX is giving *some* protection in that it can only attack the user that runs it, but that protection is shallow comfort. KDE has the best approach I think in this in that every executable, no matter what the extension etc, has the same executable icon. It also doesn't have automatic autoplay (possibly the worst "feature" of Windows). The icon of course in this case is what the trojan is exploiting.

    I'm not sure about this though, but don't Macs like KDE instead of showing an icon for JPEGs show a preview of the picture instead of a standard icon?
  • Re:Trojan Man? (Score:5, Interesting)

    by CastrTroy (595695) on Thursday February 16, 2006 @10:24AM (#14732314) Homepage
    Maybe we should be able to override the OS so that no matter what icon the executable file says it wants to display, the OS always shows an icon clearly depicting the fact that the file is an executable.
  • Re:Trojan Man? (Score:3, Interesting)

    by hunterx11 (778171) <hunterx11&gmail,com> on Thursday February 16, 2006 @10:26AM (#14732344) Homepage Journal
    Actually, there was a similar trojan before disguised as an mp3. Apple responded to this in Tiger by making the .app extension of an application always appear at the end of its filename, ignoring any options to hide extensions. Unless this really has found some exploit, it is just a file.jpg.app.
  • Re:Trojan Man? (Score:1, Interesting)

    by Anonymous Coward on Thursday February 16, 2006 @10:34AM (#14732433)
    The question is will this sort of exploit work with Linux?

    The main security problem that I can see is that the OS allows executables to reside anywhere. This can be stopped on Linux by using the noexec flag on the home and tmp drives, I assume the same is possible with OSX.

    Personally I think that exe files should only be allowed in either operating system folders or on the /usr partition, any hardcore users who want scripts in their home dir should change the settings themselves.

    If people want to install applications, they should be self contained files which are not executable but need a system binary to run. I think klix or klik is this theory for KDE. The sooner users unlearn clicking exe files to install programs the better.

    Apple and KDE/Gnome should set this as default for Linux now before the Linux monoculture grows too big and we see stuff like this affecting our Grandmas on Linux.

    By the way, I notice that the new low permission model in Vista is very flawed because the default action is just to prompt with yes/no when the user wants to escalate their privs. The box uses very weak language like 'are you sure you want to run this'; there is nothing about entering a password which makes a user stop and think. The Vista popup is useless since it will be clicked without thinking (like the stupid 'are you sure you want to send this to the recycle bin' dialog).

  • Re:Trojan Man? (Score:5, Interesting)

    by Vicsun (812730) on Thursday February 16, 2006 @10:40AM (#14732492)
    An honest question (I'm pretty ignorant):

    How can a user differentiate between an executable file with a pretty icon and a jpeg in OSX (or Linux for that matter)? In Windows there are file extensions so a trojan with an icon will still have to be called something.exe in order to do any damage. How can I tell the difference between a binary file with an icon and a file that doesn't execute any code with the absence of extensions?

    Please don't laugh :(
  • Re:Trojan Man? (Score:3, Interesting)

    by cortana (588495) <sam@NOSPaM.robots.org.uk> on Thursday February 16, 2006 @10:51AM (#14732590) Homepage
    On Linux (and other traditional Unixes) you must deliberately set the execute permission on a file before you can execute it.
  • Re:Trojan Man? (Score:3, Interesting)

    by Syberghost (10557) <syberghost@nOspAM.syberghost.com> on Thursday February 16, 2006 @11:14AM (#14732825) Homepage
    I can't figure out how this qualifies as a virus and this [macintouch.com] doesn't.

    Either this isn't a virus, or the "first" was two years ago.
  • Re:Trojan Man? (Score:2, Interesting)

    by NutscrapeSucks (446616) on Thursday February 16, 2006 @11:17AM (#14732868)
    Apart from that, executables are either folder bundles with the (hidden?) .app extension or any other file set to be executable via the standard Unix/Posix way.

    Actually, I get the impression that this is an old-style Mac executable, which does not use the .app extension. Instead it uses a hidden "APPL" file type which is not normally visible to the user. This is a fundamental issue that goes back to the original MacOS in 1984 -- there's just no easy way to distinguish an executable from a non executable file on Mac systems.

    Furthermore, it appears that the default perms on OSX provide +X access to everyone, everywhere so traditional *nix-style "chmod" is never needed.

  • by JasonKChapman (842766) on Thursday February 16, 2006 @11:30AM (#14733008) Homepage
    I never really got the whole "look we'll hide the file type for you! So convenient!" thing in Windows. The first thing I do on a new Windows box is unhide system files and unhide known extensions.

    Oddly, it was intended to make Windows more Mac-like. The Mac GUI was heralded as being simpler and easier to use precisely because it didn't bog users down with techno-jargon like ".exe", ".com", etc. Windows decided to follow suit, while leaving the option available. The problem is, they were hiding the *one bloody thing* that determined whether or not the entity would execute with a double-click. OSs with execute bits don't need no stinkin' extensions for that.

  • Re:Trojan Man? (Score:3, Interesting)

    by Raffaello (230287) on Thursday February 16, 2006 @12:13PM (#14733543)
    By default Mac OS X does not show file extensions of applications. If, like many more computer literate users, you elect to "show all file extensions" (Finder:Preferences:Advanced), this "virus" (which is actually a trojan of course) will show up as YaddaYadda.jpg.app and you'll see that it's just a lame attempt at a trojan.

    That said, it will definitely bite many naive mac users who think they are invulnerable, and don't realize that the Finder's default behavior, though a convenience for the computer illiterate, is very dangerous precisely because it allows executable trojans to masquerade as data files such as graphics, etc.
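The two comments above make the technical point of the thread: an OS X executable is either a .app bundle (a directory with Contents/MacOS inside it, whose .app suffix the Finder hides by default, so shot.jpg.app displays as shot.jpg) or a plain file with the execute bit set, and the icon proves nothing either way. The script below is an added example, not code from the page, from Apple, or from the sample discussed; it assumes a POSIX sh with od, basename and mktemp, and every file it inspects is constructed in a scratch directory. It classifies a path by its first bytes (JPEG, Mach-O in either byte order, fat binary, ELF, "#!" script), treats any directory containing Contents/MacOS as an application bundle, and reports three mismatches: an executable whose name claims a data extension, a bundle with a second extension hidden behind .app, and a data file that carries the execute bit.

```shell
#!/bin/sh
# Added example (not from the page, Apple, or the trojan's author): decide what a
# file is from its bytes and mode bits, not from its icon or visible name.
# Assumes POSIX sh with od(1), basename(1) and mktemp(1); the sample files are
# constructed below and are not the original "latestpics" payload.

# First four bytes of a file as lowercase hex, e.g. "ffd8ffe0".
magic4() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Print the content type of a path: app-bundle, directory, jpeg, mach-o,
# mach-o-fat, elf, script or unknown.
classify() {
    f=$1
    if [ -d "$f" ]; then
        if [ -d "$f/Contents/MacOS" ]; then
            echo app-bundle          # a .app is a directory with an executable inside
        else
            echo directory
        fi
        return 0
    fi
    case "$(magic4 "$f")" in
        ffd8ff*)                              echo jpeg ;;       # JPEG SOI marker
        feedface|feedfacf|cefaedfe|cffaedfe)  echo mach-o ;;     # 32/64-bit, either byte order
        cafebabe|bebafeca)                    echo mach-o-fat ;; # universal binary (caveat:
                                                                  # Java .class files share cafebabe)
        7f454c46)                             echo elf ;;        # "\x7fELF", for Linux hosts
        2321*)                                echo script ;;     # "#!" interpreter line
        *)                                    echo unknown ;;
    esac
}

# Print a verdict for a path, cross-checking what the name claims against the content.
suspicious() {
    f=$1
    name=$(basename "$f")
    kind=$(classify "$f")
    claims=other
    case "$name" in
        *.jpg|*.jpeg|*.png|*.gif|*.mp3|*.txt|*.pdf) claims=data ;;
    esac
    verdict=ok
    case "$kind" in
        mach-o|mach-o-fat|elf|script)
            if [ "$claims" = data ]; then verdict=executable-disguised-as-data; fi ;;
        app-bundle)
            # Finder hides ".app" by default, so "shot.jpg.app" is shown as "shot.jpg".
            case "$name" in *.*.app) verdict=double-extension-bundle ;; esac ;;
        *)
            # A genuine data file never needs the execute bit.
            if [ "$claims" = data ] && [ -x "$f" ]; then verdict=exec-bit-on-data; fi ;;
    esac
    echo "$verdict"
}

# Demo on constructed samples in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf '\317\372\355\376' > "$d/latestpics.jpg"   # 64-bit Mach-O magic, little-endian
    chmod +x "$d/latestpics.jpg"
    printf '\377\330\377\340' > "$d/holiday.jpg"      # genuine JPEG header
    mkdir -p "$d/leopard.jpg.app/Contents/MacOS"      # bundle with a hidden second extension
    for p in "$d"/*; do
        echo "$(basename "$p"): $(classify "$p") -> $(suspicious "$p")"
    done
    rm -rf "$d"
}

demo
```

file(1) does the magic-number part far more thoroughly; the point of the script is that the icon and the visible name are both chosen by whoever built the file, while the first bytes, the execute bit and the bundle layout are what the kernel and Launch Services actually act on. An old-style "APPL" type code on OS X lives in the com.apple.FinderInfo extended attribute, which this script does not read, so a file that passes every check here could still be launched as an application through that route.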
  • by SuperKendall (25149) * on Thursday February 16, 2006 @01:44PM (#14734527)
    I just realized how smart it is of Apple to ship iPhoto with new consumer macs.

    See, if a trojan like this comes along with something unpleasant really novice users will try to move it into iPhoto - which will just say "sorry, that's not an image".

    More advanced users that would just try and open an image in Preview would say "Opening an image file and it asks for my password? No thank you sir!".

    Which is why this trojan has not really spread, or really affected many computers.
  • Re:FUD of the day (Score:2, Interesting)

    by TheNumberless (650099) on Thursday February 16, 2006 @05:17PM (#14736728)
    That's why the first thing I do on a new OS X system is to set timestamps_timeout to 0 in sudoers. It eliminates this grace period, requiring a password prompt for every Admin action. With this change, I think running as Admin can be pretty safe.

    I could be overlooking some other security flaws, though...
