Old Feb 16, 2006, 11:42 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Mac OS X Virus/Trojan Summary


The announcement of the release of a Mac OS X trojan/virus/worm yesterday has drawn a lot of attention, confusion and significant misinterpretation. While much of the attention was aimed at the "virus vs trojan" distinction, this energy was misguided.

On the one hand, some users were quick to dismiss it as a simple "trojan" that anyone could easily script in minutes. While the application was set up to trick the end-user into launching it, the resultant actions it took were far more sophisticated as it was designed to inject itself into other applications on the users' hard drive. Despite much confusion on this detail, most users were not prompted for the administrator password before the file modifications took place. (The Application directory is writable by the Admin accounts which most Mac OS X user accounts are established as, by default.)

On the other hand, several saw this as a much more ominous sign for the Mac platform. However, this application itself is of a rather limited threat by the nature of its propagation -- and no particular Mac OS X vulnerability exists which allows the unimpeded transmission of a virus. Unless you specifically downloaded and launched this file, there is no way your Mac could have been infected.

The significance of this event is simply the intention behind the release of such malware under Mac OS X.

For additional reading, Symantec provides a step-by-step guide on what happens when the application launches and what modifications it makes to the users' applications, while Andrew Welch of Ambrosia SW finished a detailed technical summary of the application.

MacRumors is offline  
Old Feb 16, 2006, 11:47 PM   #2
iGary
macrumors Demi-God
 
 
Join Date: May 2004
Location: La Villa Strangiato
Scary. For real - this is the first time ever I have doubted the security of my Mac.
__________________
Mac Pro Octophallus 2.8 | 13" UMBP 2.26
iGary is offline  
Old Feb 16, 2006, 11:50 PM   #3
Daveway
macrumors 68040
 
 
Join Date: Jul 2004
Location: New Orleans / Lafayette, La
Now we just have to see how Apple compares to Microsoft on turn around updates.
I find it amusing that the first possible malicious code to attack the mac platform was released here at our nice forum.
__________________
Spare me my life.
MBP 2.2 glossy, Alu Macbook 2.4, iMac G5, iPhone3GS 32gb white, iPodz
Daveway is offline  
Old Feb 16, 2006, 11:53 PM   #4
X5-452
macrumors 6502
 
Join Date: Feb 2006
Location: Calgary, Canada
I read the whole thing on the Symantec website, but I'm still a little confused. What would the end-user see? I know what the malware technically did, but what did it visually do? What was its purpose?
X5-452 is offline  
Old Feb 16, 2006, 11:54 PM   #5
iBlue
macrumors Demi-Goddess
 
 
Join Date: Mar 2005
Location: Londrizzle, UK
Quote:
Originally Posted by X5-452
What was its purpose?
to piss us off, that's my guess. and in a roundabout way, it worked.
__________________
After I have travelled so far, we'd set the fire to the third bar
We'd share each other like an island ,until exhausted, close our eyelids
...
iBlue is offline  
Old Feb 16, 2006, 11:54 PM   #6
p0intblank
macrumors 68020
 
Join Date: Sep 2005
Location: New Jersey, USA
Quote:
Originally Posted by iGary
Scary. For real - this is the first time ever I have doubted the security of my Mac.
Same here. I feel a lot better now, though. This exploit definitely did open my eyes to security flaws and how to protect myself from them. While there is no real Mac "virus", this trojan certainly had a lot of Mac users on the edges of their seats. To tell you the truth, I can see another trojan like this one happening, but in a more serious fashion. The instructions were practically unveiled to the public... no offense to MacRumors.

But hey, this isn't scary. If you have common sense and take precaution, a future trojan can be easily avoidable. I'm sure Apple will release some sort of patch to aid users in the future.

I'm still relieved it isn't an actual virus... if it was, then I'd be scared.
p0intblank is offline  
Old Feb 16, 2006, 11:57 PM   #7
Counterfit
macrumors 601
 
 
Join Date: Aug 2003
Location: sitting on your shoulder
Quote:
Originally Posted by Daveway
Now we just have to see how Apple compares to Microsoft on turn around updates.
I think they have to figure out just what to do first. Change all applications to be owned by root? Or tell users not to double-click on unknown files (which I stopped doing altogether after the MP3 proof-of-concept)
__________________
"People shouldn't use word processors as web development tools. It's like using a domestic cat to spread butter on your toast." -ad
Counterfit is offline  
Old Feb 16, 2006, 11:57 PM   #8
risc
macrumors 68030
 
 
Join Date: Jul 2004
Location: Melbourne, Australia
How do you patch against users downloading and running applications from people they don't know?
__________________
A penny saved is ridiculous.
risc is offline  
Old Feb 16, 2006, 11:58 PM   #9
iGary
macrumors Demi-God
 
 
Join Date: May 2004
Location: La Villa Strangiato
Quote:
Originally Posted by p0intblank
Same here. I feel a lot better now, though. This exploit definitely did open my eyes to security flaws and how to protect myself from them. While there is no real Mac "virus", this trojan certainly had a lot of Mac users on the edges of their seats. To tell you the truth, I can see another trojan like this one happening, but in a more serious fashion. The instructions were practically unveiled to the public... no offense to MacRumors.

But hey, this isn't scary. If you have common sense and take precaution, a future trojan can be easily avoidable. I'm sure Apple will release some sort of patch to aid users in the future.

I'm still relieved it isn't an actual virus... if it was, then I'd be scared.
Well no more file transfers via iChat.

It will be interesting to see if Apple even responds to this.

My guess is....NOT.
__________________
Mac Pro Octophallus 2.8 | 13" UMBP 2.26
iGary is offline  
Old Feb 17, 2006, 12:02 AM   #10
2nyRiggz
macrumors 601
 
 
Join Date: Aug 2005
Location: Thank you Jah...I'm so Blessed
That freaking Bas$$%^$ that posted that crap should be placed in the middle of a town and burn before all the mac heads......na just kidding


Bless
__________________
I take everything to Jah in prayer
2ny, do something righteous with your life..
2nyRiggz is offline  
Old Feb 17, 2006, 12:05 AM   #11
iBlue
macrumors Demi-Goddess
 
 
Join Date: Mar 2005
Location: Londrizzle, UK
Quote:
Originally Posted by 2nyRiggz
That freaking Bas$$%^$ that posted that crap should be placed in the middle of a town and burn before all the mac heads......na just kidding


Bless
naaah, but it would be nice to unzip and tar him
__________________
After I have travelled so far, we'd set the fire to the third bar
We'd share each other like an island ,until exhausted, close our eyelids
...
iBlue is offline  
Old Feb 17, 2006, 12:06 AM   #12
faintember
macrumors 65816
 
 
Join Date: Jun 2005
Location: the ruins of the Cherokee nation
Quote:
Originally Posted by risc
How do you patch against users downloading and running applications from people they don't know?
You can't, but Apple could make the OS look at any downloaded file and see if it contains an executable, and notify the user of this, maybe as other posters have mentioned on another thread, by making the icon and text have a "glow" to them that is only visible on executable files. Sounds like it is a step in the right direction for those less-knowing Mac users.
__________________
creation through destruction
faintember is offline  
Old Feb 17, 2006, 12:16 AM   #13
Danksi
macrumors 68000
 
 
Join Date: Oct 2005
Location: Nelson, BC. Canada
Quote:
Originally Posted by Macrumors
Despite much confusion on this detail, most users were not prompted for the administrator password before the file modifications took place. (The Application directory is writable by the Admin accounts which most Mac OS X user accounts are established as, by default.)
Isn't this the key issue here? - I assumed Windows was the only OS that allowed this kind of access by default. Could provide Apple with a little usability challenge.

(I've since created a new admin account and demoted my day-to-day account to 'standard')

Last edited by Danksi : Feb 17, 2006 at 12:22 AM.
Danksi is offline  
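
The point quoted from the summary above, that admin accounts can write to the Applications folder without a password prompt, can be checked from permission bits. This is an added example, not part of the thread; the default group name `admin`, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report application bundles that an
# account in a given group can modify without any password prompt.

# audit_app_perms DIR [GROUP]
# Prints DIR itself, each *.app bundle, and each file in Contents/MacOS that is
# world-writable, or group-writable and owned by GROUP. GROUP defaults to
# "admin" (assumed to be the administrators' group) and may be a numeric gid.
audit_app_perms() {
    dir=${1:-/Applications}
    group=${2:-admin}
    find "$dir" -maxdepth 4 \
        \( -perm -002 -o \( -perm -020 -group "$group" \) \) \
        \( -path "$dir" \
           -o \( -type d -name '*.app' \) \
           -o \( -type f -path '*.app/Contents/MacOS/*' \) \) \
        -print | sort
}

# Constructed sample tree so the check can be tried without touching real apps.
demo() {
    root=$(mktemp -d) || return 1
    gid=$(ls -ldn "$root" | awk '{print $4}')   # group the new files belong to
    mkdir -p "$root/Locked.app/Contents/MacOS" "$root/Open.app/Contents/MacOS"
    : > "$root/Locked.app/Contents/MacOS/Locked"
    : > "$root/Open.app/Contents/MacOS/Open"
    # Locked.app: writable by its owner only. Open.app: group-writable.
    chmod 755 "$root" "$root/Locked.app" "$root/Locked.app/Contents/MacOS/Locked"
    chmod 775 "$root/Open.app" "$root/Open.app/Contents/MacOS/Open"
    audit_app_perms "$root" "$gid" | sed "s|^$root/||"
    rm -rf "$root"
}

demo
```

Anything the audit lists can be changed by a process running as a member of that group, which is why day-to-day use of a standard account narrows what a launched trojan can touch.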
Old Feb 17, 2006, 12:16 AM   #14
Counterfit
macrumors 601
 
 
Join Date: Aug 2003
Location: sitting on your shoulder
Quote:
Originally Posted by iBlue
naaah, but it would be nice to unzip and tar him
You are such a geek.
So am I, I laughed
__________________
"People shouldn't use word processors as web development tools. It's like using a domestic cat to spread butter on your toast." -ad
Counterfit is offline  
Old Feb 17, 2006, 12:21 AM   #15
p0intblank
macrumors 68020
 
Join Date: Sep 2005
Location: New Jersey, USA
Quote:
Originally Posted by faintember
You can't, but Apple could make the OS look at any downloaded file and see if it contains an executable, and notify the user of this, maybe as other posters have mentioned on another thread, by making the icon and text have a "glow" to them that is only visible on executable files. Sounds like it is a step in the right direction for those less-knowing Mac users.
This sounds like a good idea. Patch it in a stealthy manner, but nothing over bloated like separate software running in the background taking up resources. The average user probably wouldn't recognize a "glow" as hazardous, however. Perhaps a small red ! icon can appear in front of the file that may be dangerous to open.

I just hope Apple does something about this... I think they would. They seem to care about their OS being the best one on the market. I don't think they would let some trojan knock them off that path.
p0intblank is offline  
Old Feb 17, 2006, 12:22 AM   #16
Felldownthewell
macrumors 65816
 
 
Join Date: Feb 2006
Location: Portland
Quote:
Originally Posted by risc
How do you patch against users downloading and running applications from people they don't know?
True, there is no patch for stupidity, but Apple could publish the writer's address and phone number.
Felldownthewell is offline  
Old Feb 17, 2006, 12:24 AM   #17
iBlue
macrumors Demi-Goddess
 
 
Join Date: Mar 2005
Location: Londrizzle, UK
here's an idea...

http://forums.macrumors.com/attachme...1&d=1140153849
Attachment: ShowAllFileExt.gif
__________________
After I have travelled so far, we'd set the fire to the third bar
We'd share each other like an island ,until exhausted, close our eyelids
...
iBlue is offline  
Old Feb 17, 2006, 12:24 AM   #18
faintember
macrumors 65816
 
 
Join Date: Jun 2005
Location: the ruins of the Cherokee nation
p0intblank, I can't take credit for the idea, it was posted by another MR member on a separate thread about the new trojan. This seems like an easy enough thing to stop, but then again I am not a programmer, so what do I know.

All I know is an executable, at some level, has to look like an executable to the OS, so why not visually distinguish them from other file types for the user?

Edit: Good point iBlue, but why not make that, and say the "red text" or "exclamation" all on by default with no way of turning them off? No harm in that....
__________________
creation through destruction
faintember is offline  
Old Feb 17, 2006, 12:25 AM   #19
dejo
macrumors Demi-God
 
 
Join Date: Sep 2004
Location: On the roadside
Quote:
Originally Posted by p0intblank
I just hope Apple does something about this... I think they would. They seem to care about their OS being the best one on the market. I don't think they would let some trojan knock them off that path.
Unless, as John Dvorak is suggesting, they really are just planning on adopting Windows anyways...
dejo is online now  
Old Feb 17, 2006, 12:26 AM   #20
nagromme
macrumors 601
 
 
Join Date: May 2002
Location: Blinking blue dot
If you want to side-step definitions of what a virus is (some would call this a very weak virus, others wouldn't), your best bet is to tell people there's never been an OS X virus that could function without the user's help. (Several steps of help, in fact.)
__________________
nagromme
Would you like a treatment?
nagromme is offline  
Old Feb 17, 2006, 12:30 AM   #21
Felldownthewell
macrumors 65816
 
 
Join Date: Feb 2006
Location: Portland
Quote:
Originally Posted by dejo
Unless, as John Dvorak is suggesting, they really are just planning on adopting Windows anyways...

I saw that on mac addict, had a spasm of terror, then started laughing and couldn't stop.
Felldownthewell is offline  
Old Feb 17, 2006, 12:31 AM   #22
Stewie
macrumors regular
 
Join Date: Jan 2004
Location: Arlington, Va
Best Fix

The best thing that Apple can do to fix this problem is require any person buying an Apple computer to pass an intelligence test. If you fail you don't get to own one of their computers. The problem is stupidity and I don't think that it is the job of Apple to protect us from ourselves. My feeling is that if you are dumb enough to open a file from a source you are not sure of then you get what you deserve. Kinda like the idiot that puts his hot fast-food coffee between his legs and then burns himself when it spills. With any luck those idiots will sterilize themselves and we won't have to worry about them dumbing down the gene pool any more than it already is.

I have zero tolerance policy on stupidity.

My $0.02
__________________
"I gotta tell ya, at this point, the length of this conversation is way out of proportion to my interest in it.”
Stewie is offline  
Old Feb 17, 2006, 12:32 AM   #23
p0intblank
macrumors 68020
 
Join Date: Sep 2005
Location: New Jersey, USA
Quote:
Originally Posted by dejo
Unless, as John Dvorak is suggesting, they really are just planning on adopting Windows anyways...
Is he serious? How can he listen to himself when talking? This will never happen...
p0intblank is offline  
Old Feb 17, 2006, 12:32 AM   #24
nagromme
macrumors 601
 
 
Join Date: May 2002
Location: Blinking blue dot
Quote:
Originally Posted by faintember
p0intblank, I can't take credit for the idea, it was posted by another MR member on a separate thread about the new trojan. This seems like an easy enough thing to stop, but then again I am not a programmer, so what do I know.
At first I suggested a mouseover glow effect... but now I think the glow on executables should be a permanent throb. More noticeable, and it wouldn't waste much CPU power since how often do you have to have Finder windows open and showing apps anyway?

Apps in folder pop-up menus from the Dock should throb as well. And in Column view if you have icons turned off, a symbol should throb next to executables.
__________________
nagromme
Would you like a treatment?
nagromme is offline  
Old Feb 17, 2006, 12:32 AM   #25
ssteve
macrumors member
 
Join Date: Feb 2006
Quote:
Originally Posted by risc
How do you patch against users downloading and running applications from people they don't know?
Answer: You don't.

All that happens is that businesses such as Data Doctors open and charge lots of money to fix people's computers. Data Doctors is making huge amounts of money from stupid users who do stupid things with their computers (mostly PCs). This is good by the way because when I go by a Data Doctors location, I get the opportunity for a laugh. Mostly at the stupid users inside getting repairs. lol
__________________
I used to have super powers, but my therapist took them away.
ssteve is offline  

 


All times are GMT -5. The time now is 05:22 PM.

Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Copyright 2002-2009, MacRumors.com, LLC