Mac OS X Virus/Trojan Summary

[bigfib]

Hey, what about this folks???

What about, "This is an application. You are about to run this Application DumbTrojan for the first time. Are you sure?"

Exactly the same as the dialog box when you click on a previous unused file type and the OS asks you to confirm which application you want to open?

EDIT: It could even be followed by "please type your administrator password".

[slb]

Quote:

Originally Posted by bigfib

Hey, what about this folks???

What about, "This is an application. You are about to run this Application DumbTrojan for the first time. Are you sure?"

Exactly the same as the dialog box when you click on a previous unused file type and the OS asks you to confirm which application you want to open?

EDIT: It could even be followed by "please type your administrator password".

OS X usually already does that for .app bundles.

[digitol]

All mac users should pitch this guy some "donations" for such wonderful, Anti-Virus, FREEWARE called Clamavx you can download it here: http://www.clamxav.com/

This is an excellent virus scanner, you can set it to "monitor" folders like your desktop folder and alert you of any virus(s) you may have downloaded. It will also auto update virus defs, one day after the reports of this leap.a or umpaloompa trojan made news, this program had a definition ready to go for it to detect it. Excellent for free!! You should all have a look, it could save you big time!!!

[eva01]

and people wonder why your not supposed to double click everything on the planet.

[ke2000]

It has got me very sensitive to double click icons. We must find a way to prevent unintentional opening exc file. Maybe making any files always show file extension is good idea.

[ezekielrage_99]

Quote:

Originally Posted by Stewie

I have zero tolerance policy on stupidity.

My $0.02

I hate stupid people as well, sometimes I feel that I am surrounded by morons and I'm just here to point that out to them

That's why I bought this T-Shirt, support the shirt.

http://www.tshirthell.com/store/prod...?productid=287

Check it out

[ke2000]

Come on people, the roof is not falling yet, it is just someone send a mal exc in disguise. As long as someone/apple figure out how caution user any files is executable regardless its icon. Such like warning user a excutable files is about to launch outside of application folders.

Quote:

Originally Posted by Eidorian

Yeah, but everything looks so ugly with extensions on.

that probably right.

[UberMac]

The BBC has now got this article on the front page of their technology news section as their main item!

Good job they don't do this for every Windows virus/trojan thingy-ma-jig-er-oo that comes along!

Uber

EDIT: It's actually on their News Front Page too!

[ke2000]

Quote:

Originally Posted by Doctor Q

that's worthy of a warning ("first time execution of this program - OK?") because it makes sense to warn users when the user first runs other applications.

the same idea as I thought

Quote:

Originally Posted by Doctor Q

Another choice: provide additional warnings when files have multiple recognized extensions, such as myfile.jpg.app.

unnecessary, but it give out annoyance.

[MeatBiProduct]

Quote:

Originally Posted by faintember

You cant, but Apple could make the OS look at any downloaded file and see if it contains a executable, and notify the user of this, maybe as other posters have mentioned on another thread, by making the icon and text have a "glow" to them that is only visible on executable files. Sounds like it is a step in the right direction for those less-knowing Mac users.

i home mac users know that darwin is capable of executing things that aren't executables - its the nature of BSD and any developer based O/S.

i guess this wasn't in the mac manual. shellscripts ftw. here's an example:

set of scripts and hidden sourcepackage get transfered to your PC. (maybe you want to see a picture of new buttons), the initial running of anything, wether it be from exploiting an actual image to execute code (I.E. read over past examples like .tga buffer underruns in image viewers), the code executed sets off a ./make & ./install & in a hidden console, the O/S thinks this is normal since you compile software like apache, mysql, etc. in this fashion. Now you have a compiled executable, or set of scripts (the scripts can be in langs. as crappy as perl or python). These scripts start inserting things into files to cloak itself and run under and as a operating system service, say like ipchains, squid, or whatever the most common network service is. (after all if the script is executed by a root account it has root privs. and its parade day on the O/S.)

Now these scripts can masquerade as a system service if left unverified (I.E. hashed out and checked for validity.)

These are all the things that have happened to BSD/*nix. Your shell is not your O/S, the real O/S is in the terminal. Apples best approach should be to have 2 versions of OS X, one for all the novice users that don't understand much of anything about the O/S, they should remove all Unix aspects from this version, then a server/enterprise/professional edition that has the full BSD backend. Giving all these mac users a Boeing 747 when they can't even operate a crop duster properly is a very bad idea.

Now the true problem will be when apple users need to repair their own machines through console. I imagine anyone not from a *nix environment will be clueless as to whats going on in the console/terminal. However I am sure every mac store from LA to NYC will have improved repair sales since 90% of their users don't even understand the operating system they cherish so much.

[Carl Spackler]

Hey, I really like all the ideas about having all these warnings that pop up before you open just about anything! I think it's a totally great idea! It would be like a force field over your total OS! Sure, it'd zap some of your memory, but who cares! A really sweet name would iWindowsOSX, except without the i or the OSX!

[SiliconAddict]

God people. This isn't a big deal. OS X is susceptible to viruses. Virus protection has always been about one thing. Using your brain.
-Download software from a credible source.
-Never execute attachments that are suspicious
-Always treat vague e-mails from friends as potential hazards.
-Keep your system updated with patches.
-Optionally have a virus scanner.

This is no different then if someone was found to be susceptible to cancer. It means you can get cancer but doesn’t mean you have it, or that there aren’t things you can’t do to avoid it.

PS- Goodbye Macrumors.

[PCMacUser]

Quote:

Originally Posted by SiliconAddict

God people. This isn't a big deal. OS X is susceptible to viruses. Virus protection has always been about one thing. Using your brain.
-Download software from a credible source.
-Never execute attachments that are suspicious
-Always treat vague e-mails from friends as potential hazards.
-Keep your system updated with patches.
-Optionally have a virus scanner.

This is no different then if someone was found to be susceptible to cancer. It means you can get cancer but doesn’t mean you have it, or that there aren’t things you can’t do to avoid it.

PS- Goodbye Macrumors.

Yeah someone had to say it. These are the same basic principles that malware-free PC owners have been sticking by for years. It is possible, people!

[mrgreen4242]

Quote:

You cant, but Apple could make the OS look at any downloaded file and see if it contains a executable, and notify the user of this, maybe as other posters have mentioned on another thread, by making the icon and text have a "glow" to them that is only visible on executable files. Sounds like it is a step in the right direction for those less-knowing Mac users.

Safari already does this when you download something, doesn't it? I always get a warning that "This file contains an executable, are you sure you want to download it?". I do like the idea of some kind of icon effect for executable, though. Would at least make fooling us more difficult. As to the comment that BSD can execute non-executables, well, it must be flagged as executable still, correct? Otherwise how would the system know execute it, rather than just open it? Seems like this would be doable.

Quote:

Also, there's should be a digital signature included in every executable file, which says who is the author and what's the purpose of the application. All authors should first distribute their apps to Apple, receive a digital signature back and then integrate it in their app.

I'm sorry, but this is one of the worst ideas I've ever heard. Not only would it make a lot of unnecessary work for Apple (thereby either increasing prices, or taking money from development programs), but it will make people needlessly suspicious of good, clean, open source software packages (which likely would get "validated" until they hit a relatively near finished level; in some cases this takes years).

Quote:

I've always said that Apple made a big mistake making the first account that's created (and usually the only one that's ever used) an admin. They should have made the installer create a normal account, but then ask for a separate, "administration" password. The installer would then create a special, hidden "admin" user behind the scenes, and novice users would never have to know it was technically a separate account. Then installers and other programs needing admin rights would just ask for the admin password, rather than an admin name/password pair. This would have been just as easy for the user, and far more secure.

My intention was to post something like this after I read the thread. Not only should the first account created (as far as the user can tell) a non-admin account, with the admin account created in the background, but it should give you a visual cue anytime you are either logged in as an admin or have elevated your privileges temporarily. A few Linux distro's do this, often by having a non (easily) changeable background image that is bright red and says "you are logged in a root, foo" on it. The menu bar should get an icon if your privileges have been elevated as well, which you can click on to de-elevate yourself.

For me, using a Mac seems to be about 95% secure. If you don't run as an admin all the time then you've taken away another 4%. THe other 1% is left open for being stupid.

[Super Dave]

Quote:

Originally Posted by bigfib

Hey, what about this folks???

What about, "This is an application. You are about to run this Application DumbTrojan for the first time. Are you sure?"

Exactly the same as the dialog box when you click on a previous unused file type and the OS asks you to confirm which application you want to open?

EDIT: It could even be followed by "please type your administrator password".

My thoughts precisely. Another user suggests this already happens with .apps. It doesn't. It only happens when you click documents related to a previously unopened .App. Also they could add a download warning to iChat and Mail just like they have in Safari that warns that a download may contain an Application.

Secondly, I have to agree with the guy who said that Apple should never have encouraged users to log in with an administrator password. Having said that, I think the answer is changing the Application folder write permissions to be root only rather than changing admin users to regular users. It essentially does the same thing and can be administered by a software update.

David

[immaculate]

Quote:

Originally Posted by UberMac

The BBC has now got this article on the front page of their technology news section as their main item!

Good job they don't do this for every Windows virus/trojan thingy-ma-jig-er-oo that comes along!

Uber

EDIT: It's actually on their News Front Page too!

Yes, but look at the way they report it. "Little threat...no threat...isn't a significant threat...play down...helpful reminder..." The caption under the photo reads "To fall victim, users have to install the code themselves" - which isn't that scary.

It seems a pretty positive way of reporting it to me. I think they ran it for the headline as much as anything else.

Malicious worm aims to bite Apple
Mac users are being warned to be on the lookout for what is being called one of the first viruses for Apple computers.

The malicious program, known as Leap-A, tries to spread via Apple's iChat instant messaging program. The worm disguises itself as images of Apple's forthcoming version of its operating system, called Leopard, and plunders buddy lists if installed.

Security firms said Leap-A was not widespread and was unlikely to catch out many Apple users.

No threat
The malicious program tries to trick users into installing it and does not exploit any security holes in Apple's OS X operating system. It travels in a file called "latestpics.tgz" and only version 10.4 of OS X is vulnerable to it. Installing and running the worm requires users to go through several stages and this, along with bugs in Leap-A's code, have led security firms to play down the threat it poses.

"The important piece of advice for any iChat users running OS X 10.4 is not to accept file transfers, even if they come from someone on a buddy list," said Kevin Hogan, Symantec security response manager. Symantec said Leap-A was a level 1 threat on its ranking system - the lowest level. Computer security firms McAfee and F-Secure also said it posed little threat.

The worm is interesting as it is one of the few written for Apple computers. The vast majority of viruses are written to attack Microsoft's Windows operating system. "The Leap-A worm isn't in itself a significant threat, but it should act as a helpful reminder that malware can be written for any computer," said Graham Cluley, senior technology consultant for anti-virus firm Sophos. "Mac users cannot keep thinking that they are invulnerable to these threats."

Security firms said Leap-A should more properly be described as a worm or trojan rather than a virus because of the way it tries to spread. In a statement released to the Wall Street Journal, Apple said Leap-A was not a virus but was "malicious software". It urged users to only accept files from vendors and websites they know and trust.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/h...gy/4723390.stm
Published: 2006/02/17 11:20:28 GMT © BBC MMVI

[Harthansen]

Quote:

Originally Posted by Daveway

Now we just have to see how Apple compares to Microsoft on turn around updates.
I find it amusing that the first possible malicious code to attack the mac platform was released here at our nice forum.

OK who else thinks this virus/trojan was written by Microsoft? I mean what the virus does is totally out of the norm for normal virus creators. This bad press for apple is just what microsoft needs right now, proof that OS-X can be just as vulnerable as Windows. Of course the problem with Windows is not it's Vulnerability but the fact the it is basically a bad copy of OS-9, completely unstable, but most of the population doesn't know that. But this will be all over the news and Miscrosoft could spend billions of dollars in advertising and never get this much good press out of it.

Bill Gates is totally evil and he has and will do whatever it takes to keep control the PC market. ie. anyone know what happened to the Microsoft Anti-trust lawsuit?
No Matter what apple says they will release OS-X for PC's. No company is going to turn down the kind of money and power that would grant apple. Not to mention some else will come up with a way to do it if Apple won't. If Apple doesn't release it themselves they stand to lose alot of money in sales or rather the the lack of sales.
Steve just wants to keep Microsoft off balance, and unprepared for OS-X to compete directly with Windows, so Steve lies about not making OS-X available to PC users. This tactic obviously isn't working. Microsoft is scared to death about the thought that they would have to compete against a completely better OS (One they steal from every release, take look at Vista if you need proof!) These kind of underhanded attacks is basically all Microsoft has left in it's arsenal to compete with Apple. Except of course releasing a OS that works correctly, but why would they do that?
Creating a virus is much easier and cheaper. I am sure they have a workforce hidden away in some thrid world country working around the clock looking for ways to make Apple look bad before Apple can release OS-X for Pc's. Not to mention it is exactly what I would do if I was Bill Gates. Yeah so I might be evil to if I was facing the loss of billions, and incredibile power.
I mean you think Xbox would be anything more then a bad Saga release, if it were not for the popularity of Windows? This attack takes Apple down a peg, which with the power of iTunes and alot of the tech. industry rooting for Apple, since MS. has been such a controlling monoply. Bill gates is starting to realize that Apple can finally win this thing in the late third decade of PC's!

[milo]

Thanks for making the clarification about the app asking for a password. I was getting tired of all the idiots insisting that it did in the responses to the last article.

I still think this is a relatively low risk, the fact that this wasn't really able to spread does give me confidence in the security of the mac platform - security means nothing if people volutntarily leave their doors open and unlocked.

Hopefully Apple will take a couple basic measures like having a warning window EVERY time a new app launches instead of just ones opened from a document. Also, the OS should ask permission if an app tries to write to the Applications directory, seems like a careless omission on their part, and other than installers, I can't see why apps would need to do that.

[mdavey]

Quote:

Originally Posted by nagromme

At first I suggested a mouseover glow effect... but now I think the glow on executables should be a permanent throb. More noticeable, and it wouldn't waste much CPU power since how often do you have to have Finder windows open and showing apps anyway?

Apps in folder pop-up menus from the Dock should throb as well. And in Column view if you have icons turned off, a symbol should throb next to executables.

I like the permanent glow suggestion, not sure about the throb (I guess I'd have to see it).

Another possibility might be to have the application's perspective shadow throb (rather than a kinda ghost outline).

Anyone feel like doing a couple of mock-ups of a finder and desktop with these various suggestions implemented?

[crees!]

Don't know if this has already been mentioned but if this thing is able to access terminal and execute some scripts couldn't it have just erased all or most files under that user account?

[iMeowbot]

Quote:

Originally Posted by crees!

Don't know if this has already been mentioned but if this thing is able to access terminal and execute some scripts couldn't it have just erased all or most files under that user account?

Sure, but lots of programs can do that. The Finder and /bin/rm are pretty good at it.

[ejl10]

My first reaction was "That rat ba--ard!" But maybe its not so bad. If it drives Apple to be more vigilant in preventing malicious attacks, then it may do some good. Maybe the poster did it just to alert Apple to this mode of attack - a hacking martyr if you will.

This also gives Apple an opportunity to distinguish itself from Microsoft. If it reacts swiftly to help users protect themselves, it can spin this into a positive OSX support story.

The downside is hackers will see that even harmless proof-of-concept attacks can gain lots of press if they breach OSX, encouraging more activity. I'm frightened. Hold me.

[socokid]

Quote:

Originally Posted by Danksi

Isn't this the key issue here? - I assumed Windows was the only OS that allowed this kind of access by default. Could provide Apple with a little usability challenge.

(I've since created a new admin account and demoted my day-to-day account to 'standard')

The discussion article is completely incorrect. Users being Admin are NOT on by default. Every new user is a Standard user until you check "Allow user to administer this computer". The only Admin user by default is the FIRST user to set up the computer, obviously.

Again, Admin users is NOT the default. How he got that wrong is quite strange...

[socokid]

Quote:

Originally Posted by Macrumors

(The Application directory is writable by the Admin accounts which most Mac OS X user accounts are established as, by default.)

BZzzzzt. Wrong. First of how, how is it "most" when you claim it's also "by default". Logically doesn't make sense. Second of all, new users are certainly NOT Admins be default. You have to check "Allow user to administer computer" for every new account you want to make.

[iMeowbot]

Quote:

Originally Posted by socokid

BZzzzzt. Wrong. First of how, how is it "most" when you claim it's also "by default". Logically doesn't make sense. Second of all, new users are certainly NOT Admins be default. You have to check "Allow user to administer computer" for every new account you want to make.

The article is correct, because the reality is that most Macs are single user machines, and additional user accounts are never created on them.