Fake Word 2004 demo file causes irradication of a mac's Hom...

[MacBytes]

Category: 3rd Party Software
Link: Fake Word 2004 demo file causes irradication of a mac\'s Home folder
Posted on MacBytes.com

Approved by Mudbug

[MacBandit]

I love it. If you Pirate software you have to be ready for the consequences. A malicious file on the other hand should be the least of your worries.

[FosterKanig]

Now THAT"S funny.

I love his explanation: "I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta."

Yes, and we all know that downloading off Limewire would be much quicker than downloading from Microsoft's servers. Geez.

[Flowbee]

Just out of curiosity, is there any way to tell, just by examining the file itself, that it is not actually MS Word 2004?

(And before I get a lecture about pirating software, I own a copy of Office X, which I paid for, and have no intention of upgrading to 2004.)

[iMeowbot]

Quote:

Originally Posted by Flowbee

Just out of curiosity, is there any way to tell, just by examining the file itself, that it is not actually MS Word 2004?

Nah, it's the whole problem of proving a negative.

When software gets released online, the real distributors will offer downloads directly, provide an official list of mirror locations, and/or supply checksums (usually MD5 hashes). Anonymous distribution channels like p2p networks are a really bad place to get executables or sources, unlless you can also get that checksum (and preferably size too) information from a trusted source.

[Doctor Q]

Quote:

Originally Posted by Flowbee

Just out of curiosity, is there any way to tell, just by examining the file itself, that it is not actually MS Word 2004?

I assumed your comment was a joke, i.e., you were pretending that it might have been MS Word 2004 itself that he downloaded, and that it had a small bug that wipes out your home folder.

If that's what you meant, good joke!
If that's not what you meant, then I claim that joke as my own!

[Mr. Anderson]

wow, now that's just got to suck

Unfortunately, this might just be the beginning - I'm sure more will be showing up soon...



D

[Flowbee]

Quote:

Originally Posted by Doctor Q

I assumed your comment was a joke

No joke intended (rare for me, I know). Just wondering if there are any obvious (or not so obvious) give-aways that the file you've downloaded is not what it claims to be.

[Lancetx]

Quote:

Originally Posted by Flowbee

No joke intended (rare for me, I know). Just wondering if there are any obvious (or not so obvious) give-aways that the file you've downloaded is not what it claims to be.

Well, in the case of this particular trojan it's easy, it's only 108KB, so there is no way it could be a demo of Word 2004.

[Flowbee]

Ha! And here I thought it was more sophisticated than that. Talk about an obvious clue...

[Awimoway]

There's a pretty good discussion of the issue here (MacOSXHints).

And I believe I read there that checking the file size will not necessarily work because this Unix command could also be inserted into the ID tags of, say, a song file (remember last month's proof of concept trojan?), although it seems to me that Apple already did what they could to patch that exploit.

For this particular trojan, one particular protection would be to create a dummy user to open all suspect files, but if the Unix command deleted more than just your user folder, that wouldn't help much.

Essentially, it sounds like the only protection is not to open a file that you don't trust. Call it an MPAA conspiracy, but it sure makes P2P seem like a lot less fun.

[eyeluvmyimac]

dont you have to enter an admin password to delete the home directory? who wants to test the idea? hehe

[arn]

I only posted this on MacRumors because it has gotten so much attention on various sites.

But my opinion is "no **** sherlock". I don't actually think the person here was an "innocent victim". You search for "Word 2004" on Limewire, then you take your risks.

arn

[Marble]

You have to enter a password, don't you?

[Hattig]

Quote:

Originally Posted by Marble

You have to enter a password, don't you?

Not for your own home directory.

This is just a case of user stupidity and greed. Nothing to do with MacOS X. It is equally doable on Linux, FreeBSD, Windows ...

You have to take and pass a test to drive a car. I wish the same were true of using computers and the internet.

[Jetson]

Quote:

This is just a case of user stupidity and greed. Nothing to do with MacOS X. It is equally doable on Linux, FreeBSD, Windows ...

You have to take and pass a test to drive a car. I wish the same were true of using computers and the internet.

Why oh why do people feel the need to insult and put others down? The guy did us a favor by reporting some malicious software and he gets attacked from the people who should be thanking him. Sheesh!

[rotorblade]

Quote:

Originally Posted by Flowbee

Just out of curiosity, is there any way to tell, just by examining the file itself, that it is not actually MS Word 2004?

Sure. In this guys case, all he needed to do was use Get-Info. Once the Finder's Get Info window displays, he could have clicked on the icon at the top of this window, then pressed the Delete key. Being that this was an AppleScript, it would have displayed the generic AppleScript applet icon.

I don't use Word, so I can't check the installer icon, but I'd assume you could use the same approach.

[dontmakemehurtu]

Counting this one, there are now two viruses for Mac OS X. One thing that I find interesting is: Isn't it interesting that Intego has announced both of them?

[xtbfx]

Quote:

Originally Posted by Jetson

Why oh why do people feel the need to insult and put others down? The guy did us a favor by reporting some malicious software and he gets attacked from the people who should be thanking him. Sheesh!

hahah. This guy told us that he was going to pirate Microsoft Word 2004.

He didn't do us a favor. If you're going to pirate software, you should get a virus (let's just call it a slap on the wrist).

Download a demo version. haha, I wonder how long it took him to come up with that excuse.

[CrackedButter]

Quote:

Originally Posted by dontmakemehurtu

Counting this one, there are now two viruses for Mac OS X. One thing that I find interesting is: Isn't it interesting that Intego has announced both of them?

Interesting moreso that one of those is a concept and the other is a trojan, not a virus.

[idkew]

Quote:

Originally Posted by dontmakemehurtu

Counting this one, there are now two viruses for Mac OS X. One thing that I find interesting is: Isn't it interesting that Intego has announced both of them?

i would no call it a virus though. i could make an applescript that would do this in 5 lines.

it is just a way to have some ignorant fool (purposefully) delete their home directory. no root files can be touched with this, without a password.

[dizastor]

Quote:

...some sort of public beta...

Released exclusively on Limewire.

I'm sure that's where everyone goes when looking for public betas of software.

[nagromme]

The app deleted the user's home folder... so that includes the app itself, right? So how did this get reported to Macworld?

I'm suspicious that the original reporter didn't truly "fall victim" at all.

[Frisco]

So the lesson of the story is Always Back Up your Home Folder before downloading software off P2P

[davecuse]

Later this month it comes out that Microsoft released this, not as malware but as a feature specific only to software pirates. This would definitely be an effective tactic towards steering people away from piracy over P2P networks.