Status
Not open for further replies.
shadowmoses said:
Wasn't there something similar to this with the release of 10.4? I remember a virus/trojan spreading through a widget.

Yeah, but the proof-of-concept has been around for ages.
I remember seeing a similar trojan back during 10.2
 
Virus, trojan, whichever it gets classified as, the bottom line is that Macs have been targeted and exploited. Mac users are getting all fired up over this, and that is what viruses and trojans are all about, so I bet OS X gets targeted hardcore now.

So if Macs are not immune to viruses anymore, that leaves zero reasons to own a Mac. :D
 
yankeefan24 said:
The First Mac Virus? (A New OS X Trojan)

Virus != Trojan
Trojan != Virus

Adjust your expectations accordingly.

3fingersalute said:
So if Macs are not immune to viruses anymore, that leaves zero reasons to own a Mac. :D

No one ever said (or should have said) that Macs were immune to viruses. In this case the trojan has a vector that requires user interaction. Educate the user and the problem is reduced significantly. A lesson that should be learned in the Windows world as well.
 
moki said:
Folks... the file "latestpics.tgz" is definitely up to no good, or at least wants to appear that it is up to no good. When unarchived, the file appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.

The file is actually a Unix executable, with routines such as:

_infect:
_infectApps:
_installHooks:
_copySelf:

I have not looked at it in complete detail yet, but it does indeed appear to be opening files, changing file attributes, and potentially doing damage.

DO NOT DOWNLOAD OR RUN THIS FILE

I will be looking into it further; if you are a programmer, attached is the disassembly of the executable (it's just a plain text file) for your reading pleasure.

It XORs the static string data stored in it, which is why it doesn't appear to have any string constants. It's definitely trying to mask what it is doing. More later.

I will post updates here:

http://www.ambrosiasw.com/forums/index.php?showtopic=102379

I think it'd have used other symbol (method) names if it was trying to be subtle.
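moki's point above is that XOR-encoding the string table is enough to hide from a plain `strings` run. The block below is an added example, not part of the forum post and not derived from the actual sample: it builds a small constructed blob with a made-up key (0xA5) and strings chosen for illustration, shows that the `strings`-style scan finds nothing in the encoded form, and then runs the generic single-byte-key brute force an analyst would try first. The scoring weights and the sample strings are assumptions, not anything taken from the trojan.

```python
"""
Added example (not from the forum post or from any analysis of the real
sample): why single-byte XOR'd string data is invisible to `strings`, and how
an analyst recovers it by trying every key and ranking the results.
"""
import re
import string

# Bytes we accept as "text" when ranking candidate keys.
PRINTABLE = set(bytes(string.printable, "ascii")) - {0x0B, 0x0C}
# Characters that dominate English words and Unix paths; weighted higher.
COMMON = set(b"etaoinshrdlu ")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def find_strings(data: bytes, min_len: int = 6) -> list:
    """Rough equivalent of the `strings` tool: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def score_candidate(data: bytes) -> float:
    """Higher when the bytes look like text. NUL counts as a string
    terminator, not as garbage; non-text bytes are penalised."""
    score = 0
    for b in data:
        if b in COMMON:
            score += 2
        elif b in PRINTABLE or b == 0:
            score += 1
        else:
            score -= 3
    return score / len(data)


def brute_force_single_byte_xor(blob: bytes, min_len: int = 6):
    """Try all 256 keys; return (key, recovered strings) for the best-scoring
    decoding, or (None, []) if no key yields anything string-like."""
    best_key, best_score, best_found = None, float("-inf"), []
    for key in range(256):
        plain = xor_bytes(blob, key)
        found = find_strings(plain, min_len)
        sc = score_candidate(plain)
        if found and sc > best_score:
            best_key, best_score, best_found = key, sc, found
    return best_key, best_found


# Constructed sample: a few strings of the kind an installer-style binary
# might carry, NUL-separated and XOR-encoded with a made-up key.
SAMPLE_KEY = 0xA5
SAMPLE_PLAIN = b"/Applications\x00_installHooks\x00latestpics.tgz\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("strings on the encoded blob:", find_strings(SAMPLE_BLOB))
    key, recovered = brute_force_single_byte_xor(SAMPLE_BLOB)
    print("best key: 0x%02x" % key, recovered)
```

On the encoded blob `find_strings` returns nothing, which is exactly the symptom moki describes; the brute force recovers the key and the three strings. A multi-byte or per-string key needs more work (known-plaintext on common strings, or just reading the decode routine in the disassembly), but the single-byte case is the one worth ruling out first.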
 
Can we stop with the hysteria, people?

There have been OS X trojans available for quite some time, and I'm amazed that it's taken so long for someone to post one like this, that lures other people into downloading it. It's just like the many that try to spread via MSN (you know, the "I know who's blocking me!!!!" one).

I'm assuming it started on these forums, so most of the people who are infected should know better than to trust someone claiming to have pictures of 'Leopard'. I mean, would you trust someone you'd never met when they offered you something for free? I'd expect that sort of behavior from a 12 year old girl, not people on a Mac forum with a reputation for being knowledgeable.

I don't know about most of you, but one of the first things I did was set file extensions to 'on' when I got my Mac (I got fed up with different files having the same icon), and I'd be extremely wary of opening any 'pictures' without a .jpg extension.

Many of us have come from Windows backgrounds, and we shouldn't let the fact that we're on a more secure OS go to our heads and change how we act. No matter how secure an operating system is, it's worth nothing if the system operator is a moron.

We've established what it does, now let's get rid of it. Nobody has a good reason for wanting to look at it; there's an in-depth post about it on Ambrosia Software. I recommend that everyone who's been infected reinstalls OS X, and we all get on with our lives (with more common sense).
 
Seeing as it requires user authentication, it's just as much of a virus as somebody formatting their own damned hard drive.
 
tag said:
Well, I'm using Netscape and didn't receive a warning, but would you really expect to? It wasn't a direct download of an application, it was an app that was compressed (tar), so your browser wouldn't know an app is inside; for all a browser knows a picture was inside.

So to answer my own question, I tarred up an app and some other stuff into a .tgz file, uploaded it to my website, and then downloaded it with Safari.

Answer: Safari WILL give you a warning, but because of the tarring it won't be the standard "File X is an application, are you sure you want to finish the download?" Instead, Safari will say "File X.tgz is a TAR archive and its SAFETY CANNOT BE DETERMINED (my emphasis added). Are you sure you want to download it?"

So the moral of the story is to listen to Safari's warnings.

The other thing to note is that if the files had just been zipped into an archive (e.g., using the Finder's "Create Archive" function), then Safari WOULD correctly display a warning that an executable was being downloaded. So you should be VERY suspicious if something like that Trojan is tarred - it's much easier for an OS X user to create a gzip archive than a tar file, and anyone posting leaked 10.5 shots is going to be an OS X user. So if it's tarred, it may well be because the file's creator is trying to hide something. Safari is warning you about the weird tar file you're downloading for good reason!

That being said, I think the OS X warning of "You are running a new app for the first time" should arguably be extended to the case of new apps that are opened directly, not just those that are opened indirectly.
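The post above shows that Safari's "safety cannot be determined" warning for a tar archive is really the browser saying it has not looked inside. The block below is an added example, not code from the forum or from Apple: it lists the members of a .tgz before anything is extracted and flags the ones that are executables regardless of name or icon, which is the check a user (or a download helper) would want for an archive like the one described. The archive it inspects is constructed in memory here (an honest JPEG plus an executable posing as a picture); it is not the real latestpics.tgz. The Mach-O magic values are the real on-disk headers; the "image extension" heuristic and the path-escape check are my additions.

```python
"""
Added example (not from the forum post): inspect a downloaded .tgz before
extracting it and report members that are executables, whatever their name
suggests. The sample archive is built in memory; it is not the real sample.
"""
import io
import stat
import tarfile

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC, 32-bit big-endian (PowerPC)
    b"\xce\xfa\xed\xfe",  # MH_MAGIC, 32-bit little-endian (Intel)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64, big-endian
    b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64, little-endian
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC, universal binary
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def suspicious_members(tgz_bytes: bytes) -> dict:
    """Return {member name: [reasons]} for members that look executable or
    that would write outside the extraction directory."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            reasons = []
            if member.isfile():
                if member.mode & EXEC_BITS:
                    reasons.append("execute bit set")
                fh = tar.extractfile(member)
                head = fh.read(4) if fh else b""
                if head in MACHO_MAGICS:
                    reasons.append("Mach-O header")
                    if member.name.lower().endswith(IMAGE_EXTS):
                        reasons.append("image extension on an executable")
            # Classic archive trick: absolute or ".." paths land outside ~/Downloads.
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                reasons.append("path escapes the extraction directory")
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a real-looking JPEG plus an executable posing as a
    picture (execute bit set, Mach-O header, no extension)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data, mode):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
        add("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32, 0o644)
        add("latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 32, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_archive()).items():
        print(name + ":", ", ".join(reasons))
```

Pointing `suspicious_members` at the bytes of a real download (`open(path, "rb").read()`) gives the same report; the point is that the execute bit and the Mach-O header survive inside a tar exactly as they were on the creator's machine, so the archive itself tells you what Safari could not.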
 
Mr. Mister said:
Seeing as it requires user authentication, it's just as much of a virus as somebody formatting their own damned hard drive.

It doesn't require any sort of authentication if the user has admin privileges...it just goes.
 
generik said:
I think you noobs should just display file extensions in finder.

Been there done that on Windows, pfft, old trick.

:) I completely agree, file extensions are good. What, as a teen you never tried to send your PC friends viruses claiming to be something else?

It's just common sense, people. Glad I'm not working at the university computer store anymore; it would be fun telling people to think about what they are clicking on :D
 
Try this command if you have been infected recently:

/usr/bin/find '/' -mmin -'60' -ls 2>/dev/null | grep -v -e"sec_qip" -e"proc"

This will locate all changed files at the root level of your hard drive in the last 60 minutes. If you have been recently infected you can run this and catch anything it has changed.

thanks to the guys at ambrosiasw.com :)
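The `find / -mmin -60` line above is the right instinct for a quick triage: list what changed in the window around the download. The block below is an added example, not code from the forum post or from Ambrosia, that does the same job with the time window, the excluded subtrees and the sort order made explicit, and marks changes inside .app bundles because that is where this trojan was reported to write. The list of excluded prefixes is an assumption (the original grep also drops lines containing "sec_qip" and "proc", whose meaning the post does not explain), and `build_demo_tree` creates a constructed temporary tree so the function can be exercised without a real infection.

```python
"""
Added example (not from the forum post): Python reimplementation of the
`find / -mmin -60` triage, with explicit exclusions and newest-first order.
"""
import os
import sys
import tempfile
import time

# Subtrees that churn constantly and would drown real findings; assumed list.
DEFAULT_EXCLUDES = ("/dev", "/proc")


def recently_modified(root, minutes=60, excludes=DEFAULT_EXCLUDES, now=None):
    """Return [(mtime, path)] for files under root modified within `minutes`,
    newest first, skipping excluded subtrees and unreadable entries."""
    now = time.time() if now is None else now
    cutoff = now - minutes * 60
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Prune in place so os.walk never descends into excluded subtrees.
        dirnames[:] = [d for d in dirnames
                       if not os.path.join(dirpath, d).startswith(excludes)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if st.st_mtime >= cutoff:
                hits.append((st.st_mtime, path))
    hits.sort(reverse=True)
    return hits


def inside_app_bundle(path):
    """True for a file inside an .app bundle; the thread reports the trojan
    writing into applications rather than user documents."""
    return ".app" + os.sep in path


def build_demo_tree():
    """Constructed demo: one file modified two hours ago, one fresh file inside
    a fake .app bundle. Returns (root, old_path, fresh_path)."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    old = os.path.join(root, "old.txt")
    open(old, "w").close()
    os.utime(old, (time.time() - 7200, time.time() - 7200))
    bundle = os.path.join(root, "Demo.app", "Contents", "MacOS")
    os.makedirs(bundle)
    fresh = os.path.join(bundle, "Demo")
    open(fresh, "w").close()
    return root, old, fresh


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for mtime, path in recently_modified(root):
        mark = "  <-- inside an app bundle" if inside_app_bundle(path) else ""
        print(time.strftime("%H:%M:%S", time.localtime(mtime)), path + mark)
```

Run it with the directory to sweep as the first argument (it defaults to /Applications, which is the interesting place for this particular trojan); sweeping `/` works too but takes a while and needs to be run as an admin to see everything. As with the original `find`, a modified file is only a lead: timestamps are trivial to reset, so an empty list is not proof of a clean machine.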
 
MAC VIRUS/iCHAT FILES

I've read most of the posts here today and yesterday (and at Macnn.com) and I still need an FYI, if anyone's available.

I'd already deleted the iChat app 2 weeks ago when doing an archive and install and general cleanup; I've never used it and don't expect to. After the "latestpics"/Trojan news, I decided to make sure I'd trashed all the iChat files. Found these (see attachment) and when I attempted to empty the trash I received a message saying "iChat Agent is in use" and cannot be trashed.

I'm Panther, BTW, not Tiger: why can't I empty trash of the remaining iChat files? Should I be concerned? And no, I only read the "latestpics" posts, haven't dl'd anything in 4-5 days that wasn't from Apple. Thanks NE1 for feedback ;-)
 
A Mac Virus/iChat Files

oops, here's the attachment I mentioned :-0
 
Attachment: TRASHED_iCHAT_MISCELLANY.jpg

iChat Agent is the app that stays running when iChat is closed to monitor things like incoming chat requests, etc. You should be able to open Activity Monitor, find iChat Agent, and quit the process. You should then be able to get rid of the files.
 
easy4lif said:
I have to agree with this. The last thing Apple needs right now is for all this wildfire about viruses coming out during the Intel transition. Tomorrow Steve Jobs is going to yell at a lot of engineers to get this fixed fast because their jobs depend on it. I see a Mac patch in 5 days.
Patch what?
Stupidity?

Look, I suppose Mac users are usually careless about downloads and open files they don't, and open the enclosed files, because the worst thing they believe could happen is they install a Windows virus... which wouldn't affect them, but people need to watch out legitimately about everything.
You don't double-click a script file just because -- heck, it might actually be a Unix command to delete your hard drive (forget admin password needed anyway).

So far we know it uses AIM to propagate itself (slowly), and it doesn't really exploit any 'holes' in the OS (besides, I suppose, allowing it to open executables... oh wait, modern OSes have to allow programs and scripts to run).

Since we haven't found out what the 'payload' of this Trojan has...
[If you say this is a virus you don't know how viruses work on Windows computers... exploiting system holes, etc.
Can you classify it as a virus? Yes, I suppose, since it tries to get across using AIM, but still it uses AIM as a medium, which is exactly what trojans try to do -- find a back door]
We can't find or create a solution to fix it.

Does it have a keylogger?
Is your computer a zombie waiting for instructions?
Is it used on a DDoS/DoS attack?

We don't know, and until we do -- it's a program that could be dangerous, but that's really what it is: a malicious and deceptive script created by someone who tried to trick you (social engineering at its most basic).

--MrMacMan

P.S:
GITANAJAVA -- Check your active processes and kill any process that has iChat in it. Clearly the program installs its own stripped-down version of iChat to try to propagate itself to others.
You can use the terminal command top or Activity Monitor in your Utilities folder to 'stop' or 'kill' the hidden programs this program may be trying to run to infect others.
 
WildCowboy said:
iChat Agent is the app that stays running when iChat is closed to monitor things like incoming chat requests, etc. You should be able to open Activity Monitor, find iChat Agent, and quit the process. You should then be able to get rid of the files.
And check Prefs > Accounts > Startup Items for "hidden" startup apps when you trash apps. iTunes uses a similar one to sit in the background watching out for a connected iPod.
MrMacMan said:
P.S:
GITANAJAVA -- Check your active processes and kill any process that has iChat in it. Clearly the program installs its own stripped-down version of iChat to try to propagate itself to others.
I don't think there's any evidence for this. It seems to copy (something) into whatever apps it can find. The iChat Agent is not a creation of the trojan, just a hidden support app that wasn't deleted as part of trashing the main iChat app.
 
Thanks, MrMacMan and Wild Cowboy, for the guidance. Two more questions -- be gentle, and keep it simple for me:

1) Have read other posts warning against double-clicking apps and recommending "right ?? clicking". I freely admit I need stick-figure diagrams for this, I've no idea what "right ?? clicking" is or how one does it OR why that's preferable to double-clicking.

2) Activity monitor? I'm blonde, I'm dumb, no clue.
 
Control-click does the same thing on a one-button mouse. It opens the "contextual menu" for the item.

Activity Monitor is an application in Utilities, which will monitor your machine's activity... telling you all the programs that are running, how much memory they're using etc. Quite handy sometimes for killing things.
 
GITANAJAVA said:
I've read most of the posts here today and yesterday (and at Macnn.com) and I still need an FYI, if anyone's available.

I'd already deleted the iChat app 2 weeks ago when doing an archive and install and general cleanup; I've never used it and don't expect to. After the "latestpics"/Trojan news, I decided to make sure I'd trashed all the iChat files. Found these (see attachment) and when I attempted to empty the trash I received a message saying "iChat Agent is in use" and cannot be trashed.

I'm Panther, BTW, not Tiger: why can't I empty trash of the remaining iChat files? Should I be concerned? And no, I only read the "latestpics" posts, haven't dl'd anything in 4-5 days that wasn't from Apple. Thanks NE1 for feedback ;-)

Hi, GITANAJAVA. If OS X is telling you it can't delete an app because it's in use...well, that means it's in use, a.k.a. currently running. :)

What you probably want to do is go into your Applications folder, go into Utilities, and open Activity Monitor. On the list of processes (programs) that are running, find the one for iChat Agent and click the Quit Process button (stop sign) in the toolbar. A sheet will slide down asking you what you want to do; clicking Force Quit will probably get it done easier and more quickly than politely asking it to close.

Another thing you may want to check (although I'm not sure, because I don't use iChat either) is your Login Items. To see those, go into System Preferences, then the Accounts icon, then (making sure your account is the one that's selected) the Login Items tab. Just make sure iChat Agent isn't on there, and remove it if it is to avoid any future conflicts.

After doing those two things, you should be able to delete iChat Agent.
 
GITANAJAVA said:
Huh?

Hey, Frankb, I'm blonde, remember?

If you have a one-button mouse (as most Mac users do), actually doing a "right-click" isn't possible. However, holding down the "ctrl" key on your keyboard momentarily, while you click, does the same thing: it brings up a menu of things you can do with the thing you've control-clicked on.

But of course, you can also use a two-or-more-button mouse with a Mac just like anyone else! ^_^
 
'Ta, Shunna! Appreciate the simplicity of your answer.

Hoping MadJew or GlennWolsey will cruise by with the full set of stick-figure diagrams I need before I do anything more dangerous.....
 
GITANAJAVA said:
Huh?

Hey, Frankb, I'm blonde, remember?

Open Finder
Click Applications
Click Utilities
Click Activity Monitor

It will show you all your tasks, disk activity, CPU etc. Basically everything that's running.
 