First Mac OS X Virus? 577
bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.
Trojan? (Score:5, Insightful)
You have to execute it yourself, and that is why it is _not_ a virus.
Had to happen really (Score:2, Insightful)
Might be good in a way - to shake some people out of the complacent "OS X is invulnerable" mindset.
Re:Trojan Man? (Score:5, Insightful)
The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.
Consider the source... (Score:4, Insightful)
Re:It's not a virus... (Score:3, Insightful)
Re:Hardware (Score:3, Insightful)
Most malware exploits flaws in the operating system and applications - not the hardware architecture.
I have heard this FUD from various Mac-heads (pissed at the change from PPC) that they are suddenly going to be swimming in malware due to a chip change. It's nonsense.
Hmmm, First Virus to ask for your password? (Score:2, Insightful)
Re:Hmmm, First Virus to ask for your password? (Score:3, Insightful)
Or just install a keylogger and sit in the background waiting till you enter your root password thorough normal use.
Such a virus would be pretty hard on Linux, because icons are assigned to files by content, not by extension. It would have
Re:It's not a virus... (Score:5, Insightful)
There is no double standard here.
Input Manager as an infection vector (Score:2, Insightful)
Re:It's not a virus... (Score:4, Insightful)
1. download it
2. double-click and decompress it.
3. double-click and execute it.
The vulnerability isn't always plugged in (Score:5, Insightful)
Never understimate the power of the incomptenece of 20% of your userbase.
You can't man a .app look like a .jpg in OS X (Score:3, Insightful)
I also tried doing this with a
Re:Trojan Man? (Score:2, Insightful)
Re:The vulnerability isn't always plugged in (Score:5, Insightful)
There is no way to compensate for an Administator who is computer illiterate. It's simply not possible. You can lower the bar as much as you like, however, there is a certain minimum level of knowledge which is required to safely administer a computer.
Like don't run every application you get your hand on. This is similar to don't delete all your files.
Let me get this straight... (Score:3, Insightful)
#include
main()
{
(void) printf("Hello World\n");
return (0);
}
and also included a couple lines to 'rm -rf
Then I e-mailed or IM'd a person the executable, then asked them to decompress it, double-click on it, and laugh, that would be Mac OS X's first virus/trojan? Ohh wait, I need to associate a pretty icon to it too.....
As much as this author would like to claim they are the first, I think the programmers at Apple were the first ones to do this with their "Disk Utility" that a user has to click on to 'newfs' or your Windows users 'format' your hard drive.
I can not believe this made Slashdot....
Re:It's not a virus... (Score:3, Insightful)
Re:Trojan Man? (Score:5, Insightful)
When I download a dmg file with Safari, I get a warning if the dmg contains an executable. (Not sure if that's Safari doing the warning or the code that mounts the archive or what.) Something like this in the code that unpacks tar files would go a long way toward fixing it.
Devon
Re:Trojan Man? (Score:5, Insightful)
However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.
I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.
Re:You can't man a .app look like a .jpg in OS X (Score:1, Insightful)
Pasting refers to fixing up the icon.
OT - never got that (Score:3, Insightful)
And a whole bunch of other file display changes; icons don't help me as much as created date, file type, etc.
Anyway. This was a useful post.
Re:MOD PARENT UP - IT IS A VIRUS (Score:3, Insightful)
Face it trollboy: if you would have done some more effort to see how it works, you would see from your own quoted definitions that this is not a virus. A virus spreads between different computers without any user interaction. However, this thing is only able to send the fake JPEG file to other computers via a few IM programs. The users on those other computers still need to be online, accept the file, and open it themselves to 'install' it. Therefore it is a trojan. Only within the limits of a single computer it could be considered a virus, because it can copy itself automatically to other programs upon opening an infected one (provided that the user who opens it has enough privileges to modify programs).
Re:Trojan Man? (Score:5, Insightful)
I like it. Good idea.
While we're at it, maybe they can give us back our aliases in italics at the same time; that was a nice 'no brainer' feature if I ever saw one.
That will probably go over better with application developers than some sort of visual indicator on the application's icon that would mess up their pretty custom look. Bolded text is definitely the better way to go.
Re:Trojan Man? (Score:4, Insightful)
Re:Trojan Man? (Score:3, Insightful)
I've said it before, I'll say it again: Never underestimate the power of human stupidity.
Re:It's not a virus... (Score:3, Insightful)
1.) This isn't the "first OS X virus." Several other proof-of-concept attempts have been written over the users, notably MP3Concept.
2.) This doesn't quality as a virus, it's more of a trojan.
3.) The fact it prompts for your password immediately renders it useless and ineffective as a trojan. I could write an AppleScript that deleted all of your system files but required your password to be entered for it to run--that doesn't mean I've written the "first OS X virus." It just means I've written a goofy program that relies on stupidity, which would be the same as any other password-based system in the world and not an OS flaw.
I was expecting a bunch of rampant Apple-bashing in the comments here, but it seems a lot of people are recognizing that this is non-news. Another password-required proof-of-concept that doesn't really do anything.
Re:It's not a virus... (Score:4, Insightful)
I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application. On OS X, you can copy and paste any icon into file in the Get Info window. I have cool Mario icons for my various external USB drives. Someone just copied and pasted the JPEG icon in this case.
The fact that clicking this thing prompts for a password means OS X is correctly protecting you from this kind of an attack. Beyond that, anyone entering the password and enabling admin access for this program is at fault, not OS X.
Re:It's not a virus... (Score:3, Insightful)
I understand just fine what's going on here. The problem is that humans go by icon to determine file type, whereas the machine goes via some other mechanism. The fact that you can find out what the machine thinks it is via some other route isn't relevant - the same was true of Windows yet the exploit still worked on significant numbers of people. It's for this reason that Outlook refuses to let you open or save executable file types these days.
FUD of the day (Score:5, Insightful)
1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.
2.) When you download this
3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.
Like I said--FUD of the day.
Re:Phew! (Score:2, Insightful)
I guess he doesn't realize just how many people buy Macs specifically because of the OS. He says they'd like to compete on "even ground" with Dell, Sony, etc -- when in fact the OS gives him a high ground to fight from. If Macs shipped with Windows, I bet at least half their current userbase would go from being grudgingly accepting of the steep premium you pay for their hardware to being rightly pissed off. The hardware isn't _that_ much better than what you can buy in the Windows world. Why would I continue to pay 30-50% more and what would I be getting that justified that, and is it something that would be compelling for IT purchasing? Somehow I don't think so.
I say this as someone who has spent over $20K on Apple hardware out of my own pocket in the last 5 years. If Apple shipped with Windows instead of MacOS, that number would be closer to $2K (ie, just the iPods).
Re:FUD of the day (Score:2, Insightful)
I don't know anyone stupid enough to use their OS X admin account all the time... OK, I lied. I really have to stop using this admin account... damn...
Of course, that whole file-extension thing should be a big tip-off, too. It's not like this is going to spread like wildfire. It's just a wake-up call to folks
(a) hiding file extensions... why do that? Show them, they're important.
(b) running as Admin. We have to not be so lazy. It's ok that we'll have to type our password.
But mostly (b). If some old-school OS 9 user can't grock file extensions, they sure as shoot shouldn't be using an Admin account...