First Mac OS X Virus?

bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.

Trojan?

[__aambat2633]

How can it be a virus if it is a Trojan?
You have to execute it yourself, and that is why it is _not_ a virus.

Had to happen really

[iBod]

But, I don't think OS X users have too much to worry about yet.

Might be good in a way - to shake some people out of the complacent "OS X is invulnerable" mindset.

Re:Trojan Man?

[mstroeck]

Uhm, how are proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG-icon, 95% of users won't notice.

The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.

Consider the source...

[k3vmo]

Come on. MacOSRumors.com on a forum post. Let's not loose our heads and start spreading FUD because of something someone's brother's first cousins next-door neighbor read in a forum post. If you're smart enough not to accept random files and put your admin password in for anything that pops up - this won't be much of an issue.

Re:It's not a virus...

[slungsolow]

If I have to type in my System Admin password to intall it, then I don't consider it a threat. This seems like a rather lame attempt at a vulnerability. The folks who would be interested in screenshots of 10.5 are the kind of folks who know an archive of photos does not require an admin password.

Re:Hardware

[iBod]

I don't think the underlying CPU architecture is much of an issue.

Most malware exploits flaws in the operating system and applications - not the hardware architecture.

I have heard this FUD from various Mac-heads (pissed at the change from PPC) that they are suddenly going to be swimming in malware due to a chip change. It's nonsense.

Hmmm, First Virus to ask for your password?

[jtalerico]

Before this "Virus" Can do anything on macOS X it should ask for the users password. So if the user is dumb enough to put in his/her password to OPEN a JPEG!! Then his/her password should be posted on /. with the ip of their computer.

Re:Hmmm, First Virus to ask for your password?

[Vo0k]

The virus can still delete your personal files without root password, it can access your IM contact list and send itself to all people on the list. You still have fully functional OS but all your work you didn't backup is gone. Fun?
Or just install a keylogger and sit in the background waiting till you enter your root password thorough normal use.

Such a virus would be pretty hard on Linux, because icons are assigned to files by content, not by extension. It would have .jpg extension but the icon would be one of a binary. And of course variety of instant messenging software would make it way harder to spread. (still possible though, and despite what some would like to think, there ARE enough dumb Linux user to click on a file with .jpg extension even if it doesn't look like jpg)

Re:It's not a virus...

[pubjames]

Can you explain to me where the security flaw in OSX is in this case?

There is no double standard here.

Input Manager as an infection vector

[mrob2002]

John Gruber on daringfireball.net wrote at length recently about problems with OS X, mainly relating to how the Smart Crash library adds itself to applications through the Input Manager system hook. His current article "Smart Crash Reports Addenda" talks at length about the security implications of the input manager.

Re:It's not a virus...

[confused one]

Yes... Unfortunately the Windows user world has shown that more than enough people will

1. download it

2. double-click and decompress it.

3. double-click and execute it.

The vulnerability isn't always plugged in

[Overzeetop]

Everybody seems so certain that this is a non-starter on OSX because it requires some user intervention to propagate. I have bad news for you: there are clueless Mac users out there, too. These are probably the same folks who will click on a web popup to "see the lastest hollywood gaff" and then "accept" the untrusted executable when windows warns about the download to be executed. And they're the same ones who will dutifully click their bank url in an email and login to make sure their information is correct .

Never understimate the power of the incomptenece of 20% of your userbase.

You can't man a .app look like a .jpg in OS X

[sjonke]

I tried to create an application that had a name of test.jpg.app and was pleased to find that, at least in Mac OS X 10.4.5, when you try to do this, the Finder displays the entire name, including the entire extension ".jpg.app", even though normally the ".app" portion is hidden. Take out the ".jpg" and the ".app" goes missing again. The "hide extension" option in the get info window is disabled when you have a name like ".jpg.app". So, it isn't quite so easy to disguise an application as a jpeg in Mac OS X. Of course not everyone is going to know what the .app means and so it being visible won't help them. Then again, if that's the case, they probably don't know what the .jpg means either!

I also tried doing this with a .term file, which was set to hide the extension. When I made the name test.jpg.term, the full name was displayed including ".term", and the "hide extension" option was disabled.

Re:Trojan Man?

[erwin]

make your system idiot-proof, and the world will make a better idiot....

Re:The vulnerability isn't always plugged in

[WhiteWolf666]

That's why we don't consider it a vulnerability. There is no way to "fix" this without totally locking out the user.

There is no way to compensate for an Administator who is computer illiterate. It's simply not possible. You can lower the bar as much as you like, however, there is a certain minimum level of knowledge which is required to safely administer a computer.

Like don't run every application you get your hand on. This is similar to don't delete all your files.

Let me get this straight...

[ShadowDawn]

If I write:

#include
main()
{
        (void) printf("Hello World\n");
        return (0);
}

and also included a couple lines to 'rm -rf /User/Home'....

Then I e-mailed or IM'd a person the executable, then asked them to decompress it, double-click on it, and laugh, that would be Mac OS X's first virus/trojan? Ohh wait, I need to associate a pretty icon to it too.....

As much as this author would like to claim they are the first, I think the programmers at Apple were the first ones to do this with their "Disk Utility" that a user has to click on to 'newfs' or your Windows users 'format' your hard drive.

I can not believe this made Slashdot....

Re:It's not a virus...

[bogado]

Even better, I think is not to allow direct execution from the desktop shell. If you want to execute something make a 'desktop' file pointing to it. Also don't permit desktop files to have relative URLs, if this was possible an atacker could send the .desktop file with the executable in the same compressed file.

Re:Trojan Man?

[devonbowen]

Uhm, how are proposing to "fix" this?

When I download a dmg file with Safari, I get a warning if the dmg contains an executable. (Not sure if that's Safari doing the warning or the code that mounts the archive or what.) Something like this in the code that unpacks tar files would go a long way toward fixing it.

Devon

Re:Trojan Man?

[Kadin2048]

I was thinking about this. I can't imagine it would be all that hard -- there is already a visual flag applied to all "alias" (that's symlink) files, so it doesn't seem like it would be out of the question to do something similar for executables, based on the eXecute bit.

However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.

I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.

Re:You can't man a .app look like a .jpg in OS X

[Anonymous Coward]

You didn't understand what I wrote. You need to include a space at the end of the file name, use quotes if you use the shell. In Finder the name will look like it has a .jpg extension, even though it really has ".jpg " as its extension.

Pasting refers to fixing up the icon.

OT - never got that

[BitterAndDrunk]

I never really got the whole "look we'll hide the file type for you! So convenient!" thing in Windows. The first thing I do on a new Windows box is unhide system files and unhide known extensions.

And a whole bunch of other file display changes; icons don't help me as much as created date, file type, etc.

Anyway. This was a useful post.

Re:MOD PARENT UP - IT IS A VIRUS

[DrLex]

Face it fanboys: your god has a virus. And even worse, you are so technically incompetent you don't even know what a virus is. You aren't qualified to be taking part in this discussion.

Face it trollboy: if you would have done some more effort to see how it works, you would see from your own quoted definitions that this is not a virus. A virus spreads between different computers without any user interaction. However, this thing is only able to send the fake JPEG file to other computers via a few IM programs. The users on those other computers still need to be online, accept the file, and open it themselves to 'install' it. Therefore it is a trojan. Only within the limits of a single computer it could be considered a virus, because it can copy itself automatically to other programs upon opening an infected one (provided that the user who opens it has enough privileges to modify programs).

Re:Trojan Man?

[Kadin2048]

Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.

I like it. Good idea.

While we're at it, maybe they can give us back our aliases in italics at the same time; that was a nice 'no brainer' feature if I ever saw one.

That will probably go over better with application developers than some sort of visual indicator on the application's icon that would mess up their pretty custom look. Bolded text is definitely the better way to go.

Re:Trojan Man?

[Gropo]

An even more novel solution: Apply a big fat red exclamation point to the bottom-right of the icon if the executable has never been run before--alongside prompting the user before running the executable for the first time (as is currently the case).

Re:Trojan Man?

[Vladimus]

So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation.

I've said it before, I'll say it again: Never underestimate the power of human stupidity.

Re:It's not a virus...

[Overly Critical Guy]

Precisely.

1.) This isn't the "first OS X virus." Several other proof-of-concept attempts have been written over the users, notably MP3Concept.

2.) This doesn't quality as a virus, it's more of a trojan.

3.) The fact it prompts for your password immediately renders it useless and ineffective as a trojan. I could write an AppleScript that deleted all of your system files but required your password to be entered for it to run--that doesn't mean I've written the "first OS X virus." It just means I've written a goofy program that relies on stupidity, which would be the same as any other password-based system in the world and not an OS flaw.

I was expecting a bunch of rampant Apple-bashing in the comments here, but it seems a lot of people are recognizing that this is non-news. Another password-required proof-of-concept that doesn't really do anything.

Re:It's not a virus...

[Overly Critical Guy]

The flaw is that a file of one type is able to present itself as a file of another. This flaw was widely exploited in Windows a few years ago with the notorious "britney.jpg .vbs" type attacks, in which even though the icon was wrong (!!) people saw the file extension and opened it.

I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application. On OS X, you can copy and paste any icon into file in the Get Info window. I have cool Mario icons for my various external USB drives. Someone just copied and pasted the JPEG icon in this case.

The fact that clicking this thing prompts for a password means OS X is correctly protecting you from this kind of an attack. Beyond that, anyone entering the password and enabling admin access for this program is at fault, not OS X.

Re:It's not a virus...

[IamTheRealMike]

I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application.

I understand just fine what's going on here. The problem is that humans go by icon to determine file type, whereas the machine goes via some other mechanism. The fact that you can find out what the machine thinks it is via some other route isn't relevant - the same was true of Windows yet the exploit still worked on significant numbers of people. It's for this reason that Outlook refuses to let you open or save executable file types these days.

FUD of the day

[Overly Critical Guy]

This story is the biggest FUD of the day.

1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.

2.) When you download this .tgz file in Safari, Safari warns you that it's an application, and you have to click to continue.

3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.

Like I said--FUD of the day.

Re:Phew!

[sulam]

Reading the Dvorak piece, you're right, he's on crack!

I guess he doesn't realize just how many people buy Macs specifically because of the OS. He says they'd like to compete on "even ground" with Dell, Sony, etc -- when in fact the OS gives him a high ground to fight from. If Macs shipped with Windows, I bet at least half their current userbase would go from being grudgingly accepting of the steep premium you pay for their hardware to being rightly pissed off. The hardware isn't _that_ much better than what you can buy in the Windows world. Why would I continue to pay 30-50% more and what would I be getting that justified that, and is it something that would be compelling for IT purchasing? Somehow I don't think so.

I say this as someone who has spent over $20K on Apple hardware out of my own pocket in the last 5 years. If Apple shipped with Windows instead of MacOS, that number would be closer to $2K (ie, just the iPods).

Re:FUD of the day

[javaxman]

3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.

... with the important exception of when you're running as an Admin user, in which case you don't get this important opportunity to prevent the program from modifying files it shouldn't.

I don't know anyone stupid enough to use their OS X admin account all the time... OK, I lied. I really have to stop using this admin account... damn...

Of course, that whole file-extension thing should be a big tip-off, too. It's not like this is going to spread like wildfire. It's just a wake-up call to folks
(a) hiding file extensions... why do that? Show them, they're important.
(b) running as Admin. We have to not be so lazy. It's ok that we'll have to type our password.

But mostly (b). If some old-school OS 9 user can't grock file extensions, they sure as shoot shouldn't be using an Admin account...