Old Feb 16, 2006, 12:54 AM   #1
MacRumors
The First Mac OS X Virus?


On the evening of the 13th, an unknown user posted a link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz".

The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression. Routines listed include:

_infect:
_infectApps:
_installHooks:
_copySelf:

The exact consequences of the application are unclear, but users who originally executed the application have noted that it appears to self-propagate even after the original file has been deleted:

Quote:
If anyone remembers last night, when lasthope spread that picture that opened in Terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help? I have already secure-deleted it off of my hard drive, but how do I know that it will not come back.
Update: It appears that there is some debate about the classification of this application, and as it does require user activation, and a password if you are not already an administrator, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.

Update #2: The most recent updates show that the file does send itself to other users in your AIM/iChat buddy list.

Last edited by Doctor Q : Feb 16, 2006 at 02:55 PM.
Old Feb 16, 2006, 12:56 AM   #2
Eluon
hmmm. scary.
Old Feb 16, 2006, 12:56 AM   #3
Tha_Sylent1
the sky is falling!!
Old Feb 16, 2006, 12:56 AM   #4
skinEman23
Looks like I might be re-installing Norton...
Old Feb 16, 2006, 12:57 AM   #5
Steven1621
Granted, this is just a script. It doesn't exploit a security flaw. Correct?
Old Feb 16, 2006, 12:57 AM   #6
Doctor Q
A general rule

Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.
Old Feb 16, 2006, 12:57 AM   #7
mechcon
well well well......

was bound to happen
Old Feb 16, 2006, 12:59 AM   #8
maxterpiece
So does OS X warn you that it is an executable when you D/L it? How does it disguise itself? If you Get Info on it, does it say "open with Preview", or does it say it's a script? What does it propagate besides itself? By that I mean, how does it damage you except by spreading?
Old Feb 16, 2006, 12:59 AM   #9
jsupetran
OMG OMG OMG OMG OMG OMG OMG OMG
Old Feb 16, 2006, 12:59 AM   #10
snugja
:-o

Hell Froze over... actually it just snowed today.
Old Feb 16, 2006, 01:03 AM   #11
ChoMomma
I think it's important to ask a few questions.

1. if you Get Info on the file what does it say?
2. when you double-click the file does it ask for your Admin password?
3. when it's downloaded does Safari indicate it's a program and not a regular file?
4. what's the uploader's IP address and has his ISP been contacted about this?
Old Feb 16, 2006, 01:08 AM   #12
qtip919
This is great...(I used to work for MS security)

Remember...that which does not kill us, only makes us stronger...

We all need to take a deep breath and think about what this means. If this is indeed a virus that can either corrupt the system or delete files, then someone has done what is made possible by the OS.

Also, this should be a wake-up call to all Mac users. Opening any file without knowing the source is FOOLISH...I don't care what OS you are using. Just because you are using OS X doesn't mean you should be opening any file someone TEMPTS you with....

The more I think about this, the more I laugh...

Pics of OS 10.5...brilliant...

Windows users are tempted by Britney Spears, Mac users by a new GUI element in their operating system...
Old Feb 16, 2006, 01:08 AM   #13
Chappers
Expect this to be all over the media.

I was smugly thinking about 'no viruses for Mac OS X' last night.
Old Feb 16, 2006, 01:12 AM   #14
semaja2
First off : THIS IS NO VIRUS

This is just a hoax, really. I mean, seriously, it's not like it just gets onto your computer from a security flaw. All it is is a smart person who noticed you could use resource forks like that. If anyone was smart they would have noticed it was a bit odd that it had to be archived with the fork.

I mean, sure, it's a virus in the sense that it does the harm of a virus, but it's not breaking any flaws. It's like someone just giving you a bash script, saying "here, it's going to make your computer run faster," when it actually just deletes everything.
Old Feb 16, 2006, 01:15 AM   #15
Ja Di ksw
Quote:
Originally Posted by Chappers
Expect this to be all over the media.
It already is. Here's a jpeg of a newspaper talking about it. Just download and open up the jpeg, don't bother wondering why you have to type in your password.

yes ... yes ... do it ...
Old Feb 16, 2006, 01:17 AM   #16
neut
Quote:
Originally Posted by Doctor Q
Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.
Isn't that wonderful!

It puts the security right where it should be ... in the hands of the user.


peace | neut
Old Feb 16, 2006, 01:18 AM   #17
mad jew
I wonder what Apple's move will be. At least scenarios like this keep Apple on their toes. There would be nothing worse than Apple being caught short by a sudden flaw in their OS.
Old Feb 16, 2006, 01:20 AM   #18
danamania
Quote:
Originally Posted by Doctor Q
Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.
And remember that a process running without administrator access, one that doesn't ask for an administrator password, can still do some pretty nasty stuff to your user account.

dana
Old Feb 16, 2006, 01:22 AM   #19
plinden
Quote:
Originally Posted by ChoMomma
I think it's important to ask a few questions.

1. if you Get Info on the file what does it say?
2. when you double-click the file does it ask for your Admin password?
3. when it's downloaded does Safari indicate it's a program and not a regular file?
4. what's the uploaders IP address and has his ISP been contacted about this?
I got a link to somewhere where this is stored and downloaded it. Assuming the file is in its natural state, Safari gives you the warning that it may contain an application and the safety cannot be determined. Deerpark and Camino do not.

Safari downloads this as a tar of latestpics.tgz, i.e. latestpics.tgz.tar, but Deerpark and Camino download it as latestpics.tgz.

In terminal, tar does not successfully open the file downloaded using Safari. But double clicking the icon does open it. The tgz files downloaded using Deerpark and Camino can be opened by double clicking on the tgz file or using gunzip from terminal. Both latestpics and ._latestpics are extracted, but the initial . means that Mac OS hides ._latestpics.

Get Info shows it as a PPC executable.

Although I'm using a managed account for this, I don't feel secure enough to double click the latestpics file.
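The inspection plinden describes (unpack the .tgz, look for the hidden ._ file, check whether the "picture" is really an executable) can be done from Terminal without ever double-clicking the file. The script below is an added example written for this page; it is not from the original thread, from any poster, or from the trojan itself. The Mach-O and AppleDouble magic numbers are the real ones; the sample archive that build_sample_tgz creates is constructed for the demonstration and contains only those header bytes, not the actual latestpics contents.

```shell
#!/bin/sh
# Added example, not from the original thread: inspect a downloaded .tgz
# without double-clicking anything in it. Lists the archive members, then
# checks each extracted regular file for the executable bit, a Mach-O
# magic number, and a "._name" AppleDouble sidecar (the hidden file that
# carries the resource fork, including a custom Finder icon, which is how
# a Unix executable can be made to look like a JPEG in the Finder).

# Mach-O magic numbers as `od` prints them, in file order:
# feedface = 32-bit big-endian (PPC), cefaedfe = 32-bit little-endian,
# feedfacf/cffaedfe = 64-bit, cafebabe = fat (universal) binary.
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# inspect_tgz ARCHIVE
# Prints one line per member, "SUSPICIOUS name: reasons" or "ok name",
# and returns 1 if any member is executable code, 0 otherwise, 2 on error.
inspect_tgz() {
    archive=$1
    listing=$(tar -tzf "$archive") || return 2
    work=$(mktemp -d) || return 2
    # Extract into a scratch directory; nothing in it is ever executed.
    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; return 2; }
    bad=0
    for f in "$work"/* "$work"/.[!.]*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in ._*) continue ;; esac  # sidecar is reported with its owner
        reason=""
        [ -x "$f" ] && reason="$reason executable-bit"
        is_macho "$f" && reason="$reason mach-o"
        # Sidecar detection uses the listing: macOS tar may fold ._ entries
        # into extended attributes on extraction instead of leaving a file.
        case "$listing" in
            *"._$name"*) reason="$reason appledouble-sidecar" ;;
        esac
        case "$reason" in
            *mach-o*|*executable-bit*) echo "SUSPICIOUS $name:$reason"; bad=1 ;;
            *) echo "ok $name" ;;
        esac
    done
    rm -rf "$work"
    return $bad
}

# build_sample_tgz DIR
# Constructed sample for trying the check offline: a 4-byte file carrying
# the PPC Mach-O magic with mode 755, its AppleDouble sidecar (header magic
# 0x00051607), and a JPEG-looking file with no executable bit. These are
# not the real latestpics contents, only the bytes the checks look at.
build_sample_tgz() {
    dir=$1
    printf '\376\355\372\316' > "$dir/latestpics"      # 0xFEEDFACE
    chmod 755 "$dir/latestpics"
    printf '\000\005\026\007' > "$dir/._latestpics"    # AppleDouble header
    printf '\377\330\377\340' > "$dir/photo.jpg"       # JPEG SOI marker
    tar -czf "$dir/latestpics.tgz" -C "$dir" latestpics ._latestpics photo.jpg
}
```

Usage: `build_sample_tgz /tmp/demo; inspect_tgz /tmp/demo/latestpics.tgz` prints `SUSPICIOUS latestpics: executable-bit mach-o appledouble-sidecar` and `ok photo.jpg`. On a real download, `tar -tzf latestpics.tgz` showing a `._latestpics` entry next to `latestpics`, and `file latestpics` reporting a Mach-O executable rather than JPEG image data, tells the same story as Get Info's "PPC executable" without trusting the icon. A custom icon is cosmetic; the executable bit and the Mach-O header are what actually get run.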
Old Feb 16, 2006, 01:23 AM   #20
Windowlicker
It's a Trojan

If the details are correct, we're still not talking about a virus, but a trojan horse. You still have to open it yourself so that it can run.

This doesn't mean it isn't a bad thing.
Old Feb 16, 2006, 01:25 AM   #21
syklee26
hmm....

I guess mac is really hitting mainstream now...
Old Feb 16, 2006, 01:25 AM   #22
FaasNat
Quote:
Originally Posted by Ja Di ksw
It already is. Here's a jpeg of a newspaper talking about it. Just download and open up the jpeg, don't bother wondering why you have to type in your password.

yes ... yes ... do it ...
I think you forgot to post the link to the newsclippingpic.tgz file.

Old Feb 16, 2006, 01:25 AM   #23
Nermal
Quote:
Originally Posted by danamania
And remember that a process running without administrator access, one that doesn't ask for an administrator password, can still do some pretty nasty stuff to your user account.
Indeed. Anyone remember "Word 2004 Web Installer"?
Old Feb 16, 2006, 01:27 AM   #24
iMeowbot
Quote:
Originally Posted by Doctor Q
Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.
Yep, but it should be noted that the users reporting problems also report that they were not asked for their passwords.

For anyone using the first account they created when they installed OS X, it's time to put a stop to that right now, because you have the rights to change a whole bunch of important stuff like your applications that don't require becoming root. You're in the admin group, and that's a lot of power all by itself.

A good idea, right now, would be to go into your system Preferences, into Accounts, and create a new user. Turn on the "Allow user to administer this computer" check box, then log into that account and make sure it works. Once you're satisfied that the new account works and that you've remembered the password, turn off the "Allow user to administer this computer" check box for your own regular account. From then on, use the new account to install software, run System Update, etc. Use your now-demoted regular account for your regular daily computing.

A declawed account can still do some things that don't require special privs, like delete your own user files or send malware out to other computers. It will, however, keep your system reasonably safe from unintended modification.

edit: One last bit: Check the files in your Applications folder, even after declawing, and see if you are listed as the owner of any files. If you are, log in with your new admin account (fast user switching is a help here) and change the ownership to the system or that admin user.

Last edited by iMeowbot : Feb 16, 2006 at 01:35 AM.
Old Feb 16, 2006, 01:28 AM   #25
Diatribe
Quote:
Originally Posted by Windowlicker
If the details are correct, we're still not talking about a virus, but a trojan horse. You still have to open it yourself so that it can run.

This doesn't mean it isn't a bad thing.
And it cannot propagate itself either...

Apple just needs to find a way to warn people of apps/scripts in disguise. Problem solved.

 
