I just looked into package contents for where the virus should be and I got a unix script in one of my affected apps. Here is a transcript; if anyone thinks this is something, it could help.

Applications/Google\ Earth.app/Contents/MacOS/Google\ Earth; exit
usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] src target
cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] src1 ... srcN directory
cp: /tmp/latestpics/..namedfork/rsrc: No such file or directory
/usr/bin/tar: latestpics.tar: Cannot open: Permission denied
/usr/bin/tar: Error is not recoverable: exiting now
override rw-r--r-- virustes/wheel for latestpics.tgz? (y/n [n]) n
not overwritten
cp: /Applications/Google Earth.app/Contents/MacOS/Google Earth/..namedfork/rsrc and /Applications/Google Earth.app/Contents/MacOS/Google Earth are identical (not copied).
cp: /Applications/Google Earth.app/Contents/MacOS/Google Earth and /Applications/Google Earth.app/Contents/MacOS/Google Earth are identical (not copied).
logout
[Process completed]

EDIT: I checked what applications it was affecting and it is now ONE LESS. this might be the cure. I'll post updates.
 
billyboy said:
All the perfectly reasonable suggestions on this forum to id apps with italics, or icons which glow when moused over seem to be great ideas. Are they technically impossible, impractical, way beyond what Apple have thought about, or do Apple think, well, only a dumb user gives images permission to launch?

In general the suggestions are possible. However, no visual changes to how a file is represented will prevent large numbers of people from double clicking on the file. People are so conditioned to double click on an icon and don't really understand the difference between an image and a word document and an application in many cases.

Ultimately, if you have the ability to run an application then this type of attack can still happen. The only way to avoid this type of attack is to treat all user created files as data files. Unfortunately this has the disadvantage of preventing users from installing new applications.

The trojan, like trojans on other systems before it, relies on the user triggering it to do something. As long as you allow a user to use the computer there are always new ways to introduce trojans into a system. (Unless you lock the computer system down to the level of say an ATM machine... you cannot install applications or documents onto an ATM, the ATM software severely limits what you can do on the system, etc.)
 
ok, tell me something.
why is this specific piece of application so interesting?
is it the damage it does?
or is it the disguise it uses?
tell me.
this is no different than my first-ever ill-written application that ends up shutting down my Mac, bringing it back on, and shutting it down again.
what a pointless, damaging post.

:mad:
 
On the last application left for me to try removing it, show package contents is NOT a choice, it may not be so easy.

What you seem to have to do is go into package contents, MacOS, and then there will be a script called the app's name. Delete that and then the latestpics command script no longer shows those apps. It has worked for all but one, so…

EDIT: I just realized that it will show package contents and it is there. i was just clicking on a shortcut or something.
 
Mr. Mister said:
So, when do you think Apple will acknowledge this and fix it?

fix what? the fact that double clicking an application launches it?

i thank the good folks here for their help in showing how to be a more careful computer user. ima set up a new admin and declaw and demote my regular acct as soon as i get home.

i think that is the key. just be careful or pay the consequences.

~kyle
 
Apple Fix

Mr. Mister said:
So, when do you think Apple will acknowledge this and fix it?

Well the primary fix would be to have OS X on installation create an 'admin' account AND the user's first account so that 99% of OS X users aren't using an admin account as they are now by default.

Problem with that is the education factor of why they need to know 2 account names and 2 passwords just to run their computer...
 
First post, thought this would be a great topic.

First off - a trojan IS a virus if it replicates itself other than being self contained.

Virus
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of the several types of malicious software or malware. In a common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; however, this can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, but only software.

Trojan
Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program.

I just wanted to say that this is most likely the tip of the iceberg. Apple opened a new can of worms using BSD as the core of Darwin. Read over security analysts who talk about the 'secure by default' nature of OS X, and how it's really just a myth. The operating system has the inherent flaws of the materials it was duplicated from (BSD/*Nix). If Apple ever becomes a serious contender in the server sector, be sure it's going to be rootkit heaven. Not to mention x86 coming into the picture and now I can compile all my security/sniffer tools for the right processor.

In short, viruses will come - but these are really the least of the worries overall. If OS X gains popularity (when PC owners begin running it on real x86 equipment), Apple will truly begin to show its inexperience in the security realm and will potentially be the next Winblows security disaster. All of the x86 platform's problems, BSD's problems, and the nature of Apple's secretive approach to the lowest level workings of the O/S will be the true flaws.

Regardless, this is the first of things to come and Mac users should wise up and stop thinking they are bulletproof. Just think: in 2005 alone, Apple reported 139 vulnerabilities in its O/S to the National Vulnerability Database. http://nvd.nist.gov/ - vendor - apple.

Btw Windows had 158 in 2005, Redhat 34 total.

Learn 2 compute.
 
So after creating a new Admin account and demoting my account to Standard, what do I do with the permissions of my apps? Leave them be? They're all still owned by me.
 
plinden said:
Although, I wouldn't actually have done it like this since some of the apps would have been owned by root previously. I would have changed just the non-root owned apps. But you'll find out soon enough if it's ok.

What sort of thing might occur that would make me wish I only had changed the non-root apps?

What's done is done, but it would be good to know what problems might arise (and what sort of command to enter if I ever should want to change a permission on an app back to root).

You all who've posted terminal commands and given feedback, one of you ought to write the guide to declawing motulist suggested, you've been great :D
 
macdong said:
ok, tell me something.
why is this specific piece of application so interesting?
is it the damage it does?
or is it the disguise it uses?
tell me.
this is no different than my first-ever ill-written application that ends up shutting down my Mac, bringing it back on, and shutting it down again.
what a pointless, damaging post.

:mad:

its best swept under the table right? :eek: :eek: :eek:
 
I BELIEVE THAT I HAVE REMOVED THE VIRUS FROM ALL INFECTED APPS. It may still live on, but it is an improvement.

To get rid of it, go to an infected app, then control click, show package contents, MacOS, and then there will be a script with the app's name. Remove that and it is no longer infecting the application.

-yankeefan24
 
Project said:
So after creating a new Admin account and demoting my account to Standard, what do I do with the permissions of my apps? Leave them be? They're all still owned by me.

if i understand things correctly, you need to change the permission/ownership of your apps to the new admin acct. this makes it so that only the admin account can make changes to your apps. your standard acct will be able to run and use the apps, just not change them.

but if you leave the permissions as is (owned by the standard acct.) then you will still be vulnerable to malware apps like this one.

am i right?

~kyle
 
Mr. Mister said:
Does it go through every single app and place that script?

no, you can tell which apps are infected by opening the file again, it will ask to override something, type n, and then it will list infected apps. go into those apps and files.
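The two posts above locate the infection by hand: the trojan leaves a shell script in Contents/MacOS carrying the app's own name, where the real Mach-O binary belongs. The following is an added example, not code from the thread, that automates that check over a folder of .app bundles by reading the first two bytes of each main executable: "#!" marks an interpreter script, whereas a real binary starts with a Mach-O magic number. It assumes the main executable is named after the bundle (Foo.app/Contents/MacOS/Foo), as the posts describe, and builds its own throwaway sample bundles so it runs without touching /Applications.

```shell
#!/bin/sh
# Added example (not from the thread): flag .app bundles whose main
# executable in Contents/MacOS is a shell script instead of a Mach-O binary.
# Assumption: the main executable carries the bundle's own name
# (Foo.app/Contents/MacOS/Foo), as the posts above describe.

# Print the path of every bundle under $1 whose main executable begins
# with "#!" (an interpreter script) rather than a Mach-O magic number.
find_script_executables() {
    dir=$1
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        name=$(basename "$app" .app)
        exe="$app/Contents/MacOS/$name"
        [ -f "$exe" ] || continue
        # First two bytes as hex; "2321" is ASCII "#!".
        magic=$(head -c 2 "$exe" | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "2321" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# Build a throwaway /Applications look-alike with one clean and one
# tampered bundle. Constructed sample data, not real applications.
make_sample_apps() {
    root=$1
    mkdir -p "$root/Clean.app/Contents/MacOS" "$root/Tampered.app/Contents/MacOS"
    # Mach-O magic 0xFEEDFACE stands in for a real compiled binary.
    printf '\376\355\372\316' > "$root/Clean.app/Contents/MacOS/Clean"
    # The tampered bundle has a shell script where the binary should be.
    printf '#!/bin/sh\necho placeholder script body\n' \
        > "$root/Tampered.app/Contents/MacOS/Tampered"
    chmod +x "$root/Clean.app/Contents/MacOS/Clean" \
             "$root/Tampered.app/Contents/MacOS/Tampered"
}

# Stand-alone run: build the samples and report the tampered bundle.
# On a real machine you would call: find_script_executables /Applications
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_apps "$tmp"
    find_script_executables "$tmp"
    rm -rf "$tmp"
fi
```

A bundle listed by this check is only a lead, not proof: a few legitimate apps do ship a launcher script as their main executable, so confirm by reading the script before deleting anything, and keep the yankeefan24 observation in mind that the real binary may have been moved aside rather than destroyed.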
 
BobVB said:
Well the primary fix would be to have the OS X on installation create an 'admin' account AND the users first account so that 99% of OS X users aren't using an admin account as they are now by default.

Problem with that is the education factor of why they need to know 2 account names and 2 passwords just to run their computer...

You could name the one user 'admin' and keep the password the same as your regular user name.
 
johnadurcan said:
The fact is that MacRumors have done nothing but damage the Mac community by creating a story out of thin air. This isn't a virus, it's just a program that tries to do damage and fails when run. If the user was using Safari, it would have notified them that it was an app.

What annoys me is that Mac Rumours should be in support for the Mac community but seems to want to help spread a smear campaign against it.

Have you actually read a single word of the Ambrosia description of this malware? You're so damn quick to talk about "smears" and "FUD" that you can't be bothered to read the facts. Yes, this program doesn't do any (deliberate) harm. But other programs built from the same code could.
 
annk said:
Please tell me this is how it was supposed to look when I ran the Terminal command to change all permissions on all my apps. I am TERRIFIED of Terminal, but decided to give it a try. Am I really supposed to get a lecture about safe computer use in Terminal??? :eek:

Please tell me I did it right....:confused:

OOPS!

I'm really, really sorry, when I said the command was '$ cd /Applications' I meant that the $ was the terminal prompt... I should have been more specific.
 
Question:

Question: If the file was double clicked on by a standard user, not an admin, what would have resulted in this particular case? Is the only difference that it would have asked for a password? I know that's a huge difference, but I want to understand the scope of protection that's offered by running as a standard user.
 
motulist said:
Question: If the file was double clicked on by a standard user, not an admin, what would have resulted in this particular case? Is the only difference that it would have asked for a password? I know that's a huge difference, but I want to understand the scope of protection that's offered by running as a standard user.

It didn't ask me when i re-install, but i don't think it was ever not-installed since monday night.

unfortunately, it still won't open google earth, one of the apps i wanted to save badly. Firefox opens after several dock bounces though.
 
kddpop said:
if i understand things correctly, you need to change the permission/ownership of your apps to the new admin acct. this makes it so that only the admin account can make changes to your apps. your standard acct will be able to run and use the apps, just not change them.

but if you leave the permissions as is (owned by the standard acct.) then you will still be vulnerable to malware apps like this one.

am i right?

~kyle

Thanks..

I logged into my new admin account and ran that script in Terminal. It's changed every application owner to admin, which sounds much safer to me!

/me fast user switches to standard account
 
yankeefan24 said:
It didn't ask me when i re-install, but i don't think it was ever not-installed since monday night.

unfortunately, it still won't open google earth, one of the apps i wanted to save badly. Firefox opens after several dock bounces though.
Were you logged in as an admin or as a standard user?

Did it ask you anything the first time around? (and what were you logged in as)
 
Here is a cleaner way to change the ownership of your applications after you have "declawed" your regular account:

  • Set up a new admin account as mentioned in earlier posts. (These instructions assume the short name for this account is "bogo" without the quotes.)
  • Log out of your regular account and log into the new admin account.
  • Remove the administrator privileges from your regular user account. (These instructions assume that the short name for your regular user account is "ted" without the quotes.)
  • While still in the new admin account, open a Terminal window and enter the following commands one line at a time, replacing "bogo" and "ted" as appropriate:

    Move to the Applications directory:
    Code:
    cd /Applications

    Find all files not owned by root and change their ownership to the new admin user (this will pick up applications in sub-folders as well):
    Code:
    sudo find . -user ted -exec chown bogo:admin \{\} \;

    Now, let's list the files so we can check who owns them (all files should be owned by root or your new admin account):
    Code:
    ls -la
  • Log out from the admin account.

One effect of removing the administrator privileges from your regular user account is that you will not be able to use "sudo" commands in your regular account.
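The steps above change ownership in one shot, and the post's own check afterwards is an `ls -la` to eyeball. The following is an added example, not code from the thread, that wraps the same procedure in three small shell functions so it can be run as a dry run first, then applied, then verified with a count rather than by eye. It uses the post's assumed short names "ted" (regular account) and "bogo" (new admin), and the verification functions run without root, so the demo at the bottom exercises them on a temporary directory owned by the current user.

```shell
#!/bin/sh
# Added example (not from the thread): audit application ownership after
# "declawing" a regular account. Assumed names follow the post above:
# "ted" is the regular account, "bogo" the new admin account.

# Dry run of the chown step: list every file under $1 owned by user $2.
# This is exactly the set of files the post's find/chown would touch.
list_owned_by() {
    dir=$1
    user=$2
    find "$dir" -user "$user" -print
}

# Count files under $1 whose owner is neither root nor admin $2.
# After the ownership change this should report 0.
count_not_root_or_admin() {
    dir=$1
    admin=$2
    find "$dir" ! -user root ! -user "$admin" -print | wc -l | tr -d ' '
}

# The ownership change from the post, parameterised. Needs sudo on a real
# system, so it is kept in its own function and never called by the demo.
reown_to_admin() {
    dir=$1
    user=$2
    admin=$3
    sudo find "$dir" -user "$user" -exec chown "$admin:admin" {} \;
}

# Stand-alone run on a constructed directory owned by the current user.
# Real usage, from the new admin account, would be:
#   list_owned_by /Applications ted        # review before changing
#   reown_to_admin /Applications ted bogo  # apply
#   count_not_root_or_admin /Applications bogo   # expect 0
if [ "${1:-}" = "--demo" ]; then
    me=$(id -un)
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Sub.app"
    : > "$tmp/One.app"
    : > "$tmp/Sub.app/Two"
    echo "Files owned by $me under $tmp:"
    list_owned_by "$tmp" "$me"
    echo "Not owned by root or $me: $(count_not_root_or_admin "$tmp" "$me")"
    rm -rf "$tmp"
fi
```

Running the dry run first matters because, as plinden noted earlier in the thread, some bundles are already owned by root; filtering on `-user ted` (rather than blanket-chowning /Applications) leaves those untouched, and the final count tells you whether anything escaped the change.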
 