First Mac OS X Virus? 577
bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.
It's not a virus... (Score:5, Informative)
You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.
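An added example, not part of the post above and not the trojan's own code: a shell script that inspects an archive like "latestpics.tgz" before anyone gets to steps 2 and 3. It assumes a POSIX shell with tar, od, find and mktemp, and builds its own constructed sample archive (a script dressed up as a picture, a file with a hidden second extension, and one harmless JPEG stub). It flags execute bits, a second extension behind .jpg/.png/.gif, and a ".jpg" whose first bytes are not the JPEG marker. It cannot see the Finder's custom icon or type code, so it complements the Get Info check rather than replacing it.

```shell
#!/bin/sh
# Added example, not from the thread or the trojan's author.
# Inspect a downloaded archive (the thread's "latestpics.tgz") BEFORE
# double-clicking anything in it. Assumes POSIX sh with tar, od, find, mktemp.
set -u

# 0 if the name has an image extension followed by another extension,
# e.g. "leopard.jpg.app" (the second part can be hidden by the Finder).
has_double_extension() {
    case "$1" in
        *.jpg.?*|*.jpeg.?*|*.png.?*|*.gif.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the file starts with the JPEG SOI marker FF D8 FF.
looks_like_jpeg() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    [ "$magic" = "ffd8ff" ]
}

# Extract $1 into a scratch directory and print one line per suspicious member.
# Returns 0 when nothing was flagged, 1 when something was, 2 on tar/mktemp error.
scan_archive() {
    archive=$1
    work=$(mktemp -d) || return 2
    report="$work/.report"
    : > "$report"
    if ! tar -xzf "$archive" -C "$work"; then
        rm -rf "$work"
        return 2
    fi
    # The loop runs in a subshell, so findings go through a file, not a variable.
    find "$work" -type f ! -name .report | while read -r f; do
        name=${f#"$work"/}
        if [ -x "$f" ]; then
            echo "$name: execute bit set; an image never needs one" >> "$report"
        fi
        if has_double_extension "$name"; then
            echo "$name: double extension; the second part may be hidden" >> "$report"
        fi
        case "$name" in
            *.jpg|*.jpeg)
                looks_like_jpeg "$f" ||
                    echo "$name: named like a JPEG but has no JPEG magic" >> "$report" ;;
        esac
    done
    cat "$report"
    n=$(wc -l < "$report" | tr -d ' ')
    rm -rf "$work"
    [ "$n" -eq 0 ]
}

# Build a constructed sample archive in directory $1 and print its path.
# Contents are made up for this example: a script dressed up as a picture,
# a file with a hidden second extension, and one harmless JPEG stub.
make_sample_archive() {
    src="$1/src"
    mkdir -p "$src"
    printf '#!/bin/sh\necho not a picture\n' > "$src/latestpics.jpg"
    chmod 755 "$src/latestpics.jpg"
    printf '#!/bin/sh\necho not a picture either\n' > "$src/leopard.jpg.app"
    chmod 755 "$src/leopard.jpg.app"
    printf '\377\330\377\340JFIF' > "$src/holiday.jpg"
    chmod 644 "$src/holiday.jpg"
    tar -czf "$1/latestpics.tgz" -C "$src" latestpics.jpg leopard.jpg.app holiday.jpg
    echo "$1/latestpics.tgz"
}
```

Usage: `scan_archive ~/Desktop/latestpics.tgz`; a non-zero exit means at least one member was flagged. On the sample archive the script and the double-extension file each produce two lines and the JPEG stub none.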
Re:Trojan Man? (Score:5, Informative)
It's a "JPEG" because the author was clever enough to paste the icon of a JPEG onto the executable.
If the user is root, or possibly admin, the script writes files in
No kit, just a prompt.
http://www.ambrosiasw.com/forums/index.php?showto
Re:Trojan Man? (Score:5, Informative)
It doesn't really disguise as an image. It just uses the OS X standard icon for images as its own icon. However, it does not have a jpeg extension and if you select it in the finder, you will not get a preview thumbnail, thus you would know that opening in the Preview application (which you would do by double clicking) cannot work. Maybe, if you have set your Finder not to display extensions, or just didn't pay attention, you would try to open it in another image viewer, which would fail and not do any harm.
Re:Trojan Man? (Score:2, Informative)
You raise valid points here. This is a single instance, but undoubtedly more will come and we need to view these developments agnostically.
Unfortunately, despite all best efforts to dissuade the novices, folks still tend to run as root or admin on their systems. A large percentage of Windows virii won't infect unless the user has admin privs, and unfortunately, M$ doesn't do a good enough job of dissuading this in their earlier platforms. Vista supposedly (I haven't hacked on it yet) does a better job of pushing least privilege and a *nix-like SU model (but since at least the 2000 platform, the RUN AS option existed) -- don't know how this'll work with the clueless crowd yet.
The advantage of *nix is that it at least (in most cases) makes the user think twice about running as root.
My point is - if we get novices (and some lazy experienced types) using OS X or RedHat or whatever, some will undoubtedly run as root, admin etc because they are too lazy or too clueless to run as least privileges. Ergo, the existence of OS X virii & trojans should not be taken lightly.
Re:It's not a virus... (Score:5, Informative)
In the windows scenario you have a real
In the Mac scenario you have an executable which is made to look like an image because its icon was changed. The computer itself knows that it isn't an image so it doesn't try to load it automatically from e-mail or web. This 'virus' is designed to trick the user. The user needs to double click and run the executable. It will then try to write into a protected directory and the OS will prompt the user for the admin password. If the user is dumb enough to click on an executable *and* enter the admin password there really isn't much else you can do. The executable never actually crashes any part of the OS to gain control of the OS and do something that the user doesn't authorize.
Re:Trojan Man? (Score:5, Informative)
Actually running/logging-in as root requires either some non-trivial Terminal work, or going in through NetInfo Manager (a fairly intimidating config utility) and enabling the root account (which at least the time I did it, a few years ago, gave you some pretty stern warnings).
That's not to say that you can't have root-like privs -- the default first user on a Mac is an "Administrator," which just means that they can sudo -s and become root temporarily. However to do this you have to authenticate for every action. (Or every 5 minutes or so.) The MacOS "Administrator" level user is not as powerful as the WinXP type of Administrator (which is effectively a root account). Macs have three levels of users: root, Admins (who can sudo), and everyone else (who can't).
So yes, there are definitely ways that a clueless person could damage themselves with a trojan, if they just mindlessly type in their password into any box that comes up, regardless of the context in which they're being asked, but there is at least one more step stopping you from doing it compared to running on a Windows system.
Re:It's not a virus... (Score:2, Informative)
Another thing of note is that if this file was downloaded through Safari, Safari would attempt to uncompress the file and then warn the user that there are executable files in the compressed file, asking if the user wants to continue (uncompressing the file). So if it was downloaded through Safari, the user would be notified of the file's applicationess vs. normal jpegness. Also, Safari does not ever execute downloaded files for the user. I am not certain, but I would guess that using iChat would do the same with a downloaded/transferred file. Also, Apple has a Finder option to always display the file extension of every file (off by default) which would make this file be titled something like "newOSpreview.jpeg.app" which would hopefully catch the user's attention. One other thing to note is that if the user downloaded the file using Safari, the default save location is the desktop which would mean the user wouldn't get the aforementioned preview of the file if they clicked on it (or double clicked).
The trade off here is that with customizable icons, the applications (which are often executed from the dock or the Finder) are more identifiable to users vs. the way KDE does it. Under Mac OS X the user would only have the application name to find a file, which is far more difficult than identifying an icon of the application wanted. However KDE uses a "launch" button much like Windows so identifying an application (or executable script or whatnot) by icon is not needed.
Re:Trojan Man? (Score:5, Informative)
Um, why is my /Library chmod 775? It's that way on all four OS X machines that I can reach via SSH right now, two 10.4.x and two 10.3.x. Because there is no /Library/InputManagers in my /Library, so any program running under an admin account on my machine could create one. Admittedly, /Library/StartupItems being group-writable would be a much worse security violation (stuff in there runs as root at startup), and I have seen cases where installers will create one chmod 775 or 777, but I don't see any reason why a program that isn't setuid root (in other words, requiring the security dialog first) should be able to create new directories or drop files into /Library.
Anyhow, this is not a virus, it's a trojan. A virus attaches itself to existing executables (boot blocks included in the definition of "executables"). This is a trojan, and if it replicates, then it's a file-propagating worm (as opposed to the e-mail- and network- propagating worms that plague Windows). So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation. Whether that be saving an e-mail attachment to disk and then double-clicking on its icon on the desktop (this thing won't auto-open while reading e-mail), or simply using bad username/password combinations allowing a brute-force break-in over SSH, there is still no sign of any kind of fully-automated malware for OS X.
In the meantime, I'm going to be doing a lot of "sudo chmod 755 /Library".
Re:Trojan Man? (Score:3, Informative)
The MP3Concept trojan didn't disguise itself because the Finder was hiding the ".app" extension, anyway. Its filename really was "MP3Concept.mp3". If you had gone in and looked at it via the Terminal, that's what you would have seen.
It was an executable because of the way its metadata was set: it had a "type" of APPL, for application, thus it would execute when double-clicked. The icon came because the creator had simply given the iTunes MP3 file icon as the application bundle's custom icon resource (this is the same way a legitimate application sets itself to a custom icon). It wasn't being assigned automatically by the Finder or anything else. This type of exploit isn't really new, it would have worked just as well on MacOS9 (and probably even better); back in the day there were lots of dumb little tricks that you could do to take advantage of the same thing (you could make small applications that put up rude dialog boxes, for instance, and disguise them as documents).
And (as screenshots on the link below show), if you had looked at the MP3Concept.mp3 file in the Finder's list view, it would be correctly reported as an Application, not a Document. (Because the Finder looks at the file metadata in addition to the filename, when determining what it is.)
Without appending ".app" to the end of every Carbon application out there still in use, which in some cases might cause problems, and then not letting the user turn off the displaying of extensions (which would piss off a lot of longtime Mac users), I don't think there's really any way to prevent this. I find the change you're saying Apple made somewhat doubtful, although I'm open to any evidence you have.
More info on the MP3Concept trojan:
http://daringfireball.net/2004/04/crying_wolf [daringfireball.net]
Re:Trojan Man? (Score:3, Informative)
Humour aside, that is actually correct. Right click if you have a two or more button mouse and choose Get Info. Notice "Kind" will state "Application". If you have a single button mouse you can Control click in place of right clicking. If it is a JPG then it should say "JPEG image".
Re:Trojan Man? (Score:3, Informative)
Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.
Re:Trojan? (Score:5, Informative)
How can it be a virus if it is a Trojan?
OK, welcome to malware nomenclature 101. Will everyone please take their seats. Thank you. There are three basic classifications for malware:
This particular malware is a trojan (partly disguised as a jpg) which then copies itself to a new location on your drive and modifies a few commonly used applications in order to spread itself via the Bonjour discovery and file transfer mechanism in OS X. It requires human intervention to extract itself, run, spread, and download. I'd call this a virus to be clear about its functionality.
List View (Score:5, Informative)
If you choose "View as List" in the finder (equivalent to the Detail view in Windows), and then expand the window so that you can see the "Kind" column, the Finder will tell you the kind of file you're looking at. For example, Application, Picture, Document, etc.
The Finder looks at some stuff which is not visible to the user in determining this -- in addition to the ".app" file extension on Cocoa bundles, there are also the traditional Mac 'Type' and 'Creator' codes, stored in the file metadata in the resource fork. By setting a file's Type to "APPL," it becomes an executable. This is the traditional Macintosh analog to the UNIX eXecute bit (but arguably more flexible, since it also handles file typing), and is totally independent of the file name. But anything that you set this way will be clearly marked as an Application in List View, regardless of what you name it, or what kind of custom icon it has.
This is how the MP3Concept trojan worked, and how many old-school ResEdit tricks worked. You can have something that's legitimately named "Mp3Concept.mp3" and looks like an MP3 but is really an executable, by setting the Type and custom icons correctly. It's nothing new, people have been doing it for years. (There were a lot of ResEdit "hacks" that worked off of this principle -- for example, creating a dummy Excel document that gave a rude dialog when double-clicked.) I think it's because we've migrated away from OS 9 and the metadata concepts that people have forgotten how easy it is to do, and that the Mac still supports it.
Re:It's not a virus... (Score:3, Informative)
On Linux MIME scanning is used to make this type of attack significantly harder. A file's icon is assigned by the operating system according to what type of file it actually appears to be, and executables cannot choose their own icons.
The fact that the virus then injects itself into other processes and takes control of them is nothing we haven't seen before on Windows.
I do not see in the Ambrosia writeup where the administrator password is required. If you aren't root it simply places the app hook in a different (but equally effective) location.
Re:Trojan Man? (Score:3, Informative)
That's true on Windows, because it's a PITA otherwise. There are plenty of apps that won't run except as admin, or unless you've somehow fixed some set of permissions that is not identified when you try (and fail) to run the app.
I try to run not as admin on Windows. I installed an app called, I believe, FileTweak recently. Now every time I try to get a file's properties, I get a half-dozen alerts about not having the proper permissions before the properties pane. Woo hoo!
Macs are much more usable without being admin, which is one reason I'm about to get an iMac.
Re:Trojan Man? (Score:2, Informative)
a virus is actually an executable that attaches itself to other executables & runs whenever they run.
this is a trojan/worm, just like most malware that matches your incorrect description of a virus.
http://www.answers.com/topic/computer-virus [answers.com]
/Library permissions (Score:3, Informative)
Disclaimer: I write network management software for Mac OS X; I have therefore seen a fair bit of what can happen with mis-configured system folders
I'd advise you not to change permissions on /Library, or at least please don't do it recursively. You're asking for pain there. /Library/Application Services, /Library/Caches, /Library/Frameworks are supposed to be writable by administrators.
The reason your root library folder is writable by members of the Admin group is because that's what it's for. There's /System/Library, which is owned by root/wheel. There's /Library, which is where the machine's administrator can install things for all other users, and there's ~/Library where any user can write their own things into their own personal space.
The reason the root one is writable by admins is simply because that's the place where admins (which are, you know, admins for a reason) can write things. Things like all the fonts installed by Macromedia Flash. Things like all the project templates, SCM, Design, WebObjectsGUI plugins for Xcode. Things like InterfaceBuilder palettes. Things like Adobe fonts, SVG viewer resources, color profiles. You know, things used by all users of the machine. But which a machine administrator can change or remove. That's kinda the point of the Admin group.
Also, please take note that the sticky bit is set on the Library folder. So you'll need to chmod 1775 /Library. Oh, and I hope you're prepared for some stuff to stop working, because it quite likely will. I've seen what happens when people decide to arbitrarily make most of the system writable only by their One True User (whoever that may be). I then get many tech support calls where we try to figure out why my software is making all their software stop working. It then transpires that their software just doesn't have permission to access the disk, and just can't install things, use caches, etc. Or it's using a home folder -- mounted from a remote server -- for all that, and is therefore taking *ages* since another fifty people are doing the same thing.
At the end of the day, there probably is an argument for not letting Admin account create folders within the /Library folder, so for example only root can create the InputManagers folder. That would be the same as the StartupItems thing, and it's likely what Apple will do. But don't apply those rules to Application Support and suchlike. It'll hurt, believe me.
-Q
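An added example, not code from the thread or from either poster: a read-only audit of a /Library-style tree that tells you which of the states discussed above you are in (admin-group write access to the folder itself, to StartupItems, or to InputManagers) without the recursive chmod that -Q warns against. It assumes a POSIX shell with ls and cut, reads only the classic permission bits (ACLs are ignored), uses only the two folder names the thread mentions, and is exercised against a constructed temporary tree rather than a live /Library.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only audit of a /Library-style
# directory: reports whether an admin-group (or any non-root) process could
# drop code into StartupItems (runs as root at boot) or InputManagers (code
# loaded into applications), or create those folders if they are absent.
# Nothing is chmod'ed. Assumes POSIX sh with ls and cut; ACLs are not read.
set -u

# First 10 characters of the ls -ld line: type + rwx bits, e.g. drwxrwxr-t
mode_of() { ls -ld "$1" | cut -c1-10; }
group_writable() { case "$1" in ?????w*) return 0 ;; esac; return 1; }
world_writable() { case "$1" in ????????w*) return 0 ;; esac; return 1; }
sticky_set()     { case "$1" in ?????????[tT]) return 0 ;; esac; return 1; }

# $1 = directory to audit (default /Library). Prints one line per finding
# and returns the number of findings (0 means nothing a non-root user could abuse).
audit_library_perms() {
    lib=${1:-/Library}
    findings=0
    libmode=$(mode_of "$lib")
    if world_writable "$libmode"; then
        echo "$lib: world-writable ($libmode)"
        findings=$((findings + 1))
    fi
    if sticky_set "$libmode"; then
        echo "$lib: sticky bit set, entries can only be removed by their owner (info)"
    fi
    for sub in StartupItems InputManagers; do
        p="$lib/$sub"
        if [ -d "$p" ]; then
            m=$(mode_of "$p")
            if group_writable "$m" || world_writable "$m"; then
                echo "$p: writable by non-root ($m); code placed here runs as root at boot or inside apps"
                findings=$((findings + 1))
            fi
        elif group_writable "$libmode" || world_writable "$libmode"; then
            echo "$p: absent, but $lib is writable by non-root, so it can be created"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Usage: `audit_library_perms /Library`; the exit status is the number of findings. A stock 10.3/10.4 /Library at 1775 with no InputManagers folder reports one finding (the folder can be created by any admin-group process), which is exactly the narrow change the post above suggests Apple might make, as opposed to a blanket chmod of Application Support and friends.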
Re:Trojan Man? (Score:4, Informative)
Regardless, this "virus" pops up an admin password prompt, like every other proof-of-concept OS X trojan that's been written in the past, which effectively stops it in its tracks. This isn't really news except to Apple-haters who can go "SEE NOW U'VE GOT VIRUSES LOLZ."
Re:FUD of the day (Score:5, Informative)
What are you talking about? Admin accounts normally get password popups to do anything like this (system updates, system-wide installers, etc.). Are you saying in this specific instance it doesn't?
Re:Trojan Man? (Score:1, Informative)
1) Finder -> Preferences -> check "Show all file extensions"
or
2) Select file in Finder window and "Get Information" (cmd-i)
or
3) Select file in Finder window, set to view "Column" (cmd-3), and select file. (File info appears in next column)
etc.
Re:Trojan Man? (Score:5, Informative)
Actually, it seems that (as of 10.4.5, anyway) it'll show as 'YaddaYadda.jpg.app' even if you have the 'Show all file extensions' switched off - a bit of experimentation shows that if the first extension (in this case '.jpg') is a recognised file-type, then the '.app' gets shown as well.
So, from a display point of view:
Basically, if it's trying to impersonate another existing file-type, it'll tell you.
Admin accounts modify /Applications with no popups (Score:2, Informative)
If you are running as an admin-level user, there are things that a trojan like this will have access to (i.e. everything in your Applications folder) that would be protected if you were running as a regular, non-admin-group user.
Reading the article, or better yet, the Ambrosia Software write-up of the worm, will give you a clear idea of how an admin-group user is more susceptible to this attack than other users.