View Full Version : OS.X Macarena 'virus' (#2): No viable threat posed; Not ex...


MacBytes
Nov 6, 2006, 10:52 PM

Category: Mac OS X
Link: OS.X Macarena 'virus' (#2): No viable threat posed; Not exploiting a Mac OS X bug; not a 'warning' of more viruses to come (http://www.macbytes.com/link.php?sid=20061106235246)
Description: none

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

MacIke
Nov 6, 2006, 11:38 PM
Okay Folks,

No story here . . . just move along.


Can this actually be called a virus?

Warbrain
Nov 6, 2006, 11:39 PM
Blah blah. Better things to worry about.

nagromme
Nov 7, 2006, 12:35 AM
I believed the last 3 cries of Wolf. My mistake.

Now, I will wait until I SEE a wolf.

I like that this one uses Windows though :D

...there is no reliable vector for the spread of OSX.Macarena, meaning that a user would have to locate the source file, download it, compile the source and run the virus in order for any effect to occur.

As a result of these considerations, the OSX.Macarena has served less as a "warning shot" across the bow of Mac OS X than as a re-iteration of just how difficult it is to write an effective virus for the operating system.

xsedrinam
Nov 7, 2006, 02:55 AM
I saw the article on this earlier yesterday. This one is certainly more benign and not likely to cause anything near as much fun as the First Mac OS X Virus (http://forums.macrumors.com/showthread.php?t=180579) thread did. I think there were even a couple of Demis who came to blows over all the speculation of it.

MacSA
Nov 7, 2006, 04:39 AM
I believed the last 3 cries of Wolf. My mistake.

Now, I will wait until I SEE a wolf.

I like that this one uses Windows though :D


Hmmm so it sounds like you have to willfully download, change and install this "virus" yourself, doesn't sound much like a virus to me.

FadeToBlack
Nov 7, 2006, 05:18 AM
Hmmm so it sounds like you have to willfully download, change and install this "virus" yourself, doesn't sound much like a virus to me.

Yeah, me either. Doesn't really seem like anything to worry about to me.

ntg
Nov 7, 2006, 06:40 AM
Hmmm so it sounds like you have to willfully download, change and install this "virus" yourself, doesn't sound much like a virus to me.

Definitely another 'Irish' virus!! :D

nig.

Mord
Nov 7, 2006, 06:43 AM
If this is a virus then AOL is the root of all evil, oh wait.

nevermind.

mkrishnan
Nov 7, 2006, 07:10 AM
Running the script has a malicious outcome, but there would be no way to prevent its operation without changing the granularity of permissions in Mac OS X (assigning some applications tighter restrictions than the default user-level permissions allow) -- something Apple may or may not enact in Mac OS X 10.5 (Leopard).

I do wonder if it wouldn't be good to allow for a system preventing the execution of any application that does not reside in set locations, such as the systems folder, the /applications folder, and so on....

nagromme
Nov 7, 2006, 08:47 AM
I do wonder if it wouldn't be good to allow for a system preventing the execution of any application that does not reside in set locations, such as the systems folder, the /applications folder, and so on....
Doesn't sound like a bad idea for a checkbox in Prefs. (Let the user add to the allowed locations list of course.)

Swarmlord
Nov 7, 2006, 08:49 AM
If this is a virus then AOL is the root of all evil, oh wait.

nevermind.

People still use AOL?

mkrishnan
Nov 7, 2006, 09:16 AM
Doesn't sound like a bad idea for a checkbox in Prefs. (Let the user add to the allowed locations list of course.)

Mmm, it seems like it would be nice and simple. Right now there is an option that limits a user to a pre-specified set of applications. The way this is designed, it does seem like it basically lets you limit the user to apps in different logical locations (for instance, you can check all the apps in the applications folder and/or the utilities folder as a group, vs. all the Classic apps, or you can check individual applications). I haven't played around with this that much, but I guess that if this setting is turned on and I give my account blanket access to execute apps in the applications and utilities folder but nothing else, then apps located in the home directory will refuse to run....

I should actually try this and find out. It would seem to go a long way towards addressing these sorts of vulnerabilities.

miniConvert
Nov 7, 2006, 09:23 AM
My eyebrows almost met when I read about this 'virus' yesterday. Just where do people get off with spreading this sort of FUD?

mkrishnan
Nov 7, 2006, 09:42 AM
The behavior of that option doesn't seem straightforward...hmm....

With the option turned on and only the apps folder selected...

1) If I copy an app such as the chess game to a location outside of /applications, it runs, even if it is renamed, even from the external location

2) Disk images are not mountable with this option selected, which makes it a little too much to bear in the name of security.

I'd like to see Apple work on the way this option operates somewhat more carefully...

nagromme
Nov 7, 2006, 05:31 PM
Maybe it generates a list of allowed apps at login? Seems like a silly kludge, but I wonder if you moved Chess, then logged out and back in, would it then prevent you from launching it?

In any case, a limit like this only for ALL of us--not aimed at kids--would be great.

mkrishnan
Nov 7, 2006, 05:36 PM
Maybe it generates a list of allowed apps at login? Seems like a silly kludge, but I wonder if you moved Chess, then logged out and back in, would it then prevent you from launching it?

In any case, a limit like this only for ALL of us--not aimed at kids--would be great.

No, I tried that, and I don't think it had any impact. It's possible it's judging Chess against something other than the name of the .app container, like the executable inside the contents or the size or something. Or it's possible that there's no way to distinguish ~/applications from /applications (I should test that), which would be ludicrous. But the fact that disk images cannot be mounted if you do this makes it useless.

On the other hand, I have to say that I recently really restricted my standard account. It's already a managed user ... even though I'm not a kid. But the only reason I did it was to exploit the fact that you can freeze the dock for non-managed users... I wanted something like the "lock the toolbar" in Windows, so that I didn't accidentally drag things off the dock, etc.