well... this just proves one thing: human stupidity is the cause of everything bad, from disasters like Chernobyl to things like this.

but thanks to the person who reported it after it wiped out his data! when I get a second computer when I finish college I'm going to use the older one to test all the porn and stuff I download from P2P :p that way if it crashed something my newer one will be safe and all I will lose is a few gigs of porn :p
 
picture of the trojan horse -- badness confirmed

I wanted to check out this script to confirm what everybody is talking about, so I did a search for 2004 and Word in LimeWire, and lo and behold there it was. Of course I did this in an empty user account that I have on my computer, just in case. It is set up as a .sit file -- which in fact it is. After unstuffing it, a nice and pretty Microsoft icon pops up on the desktop. After examining the Get Info window, nothing mentioned anything about an AppleScript. I did not run it, because I don't even want to see what happens in a dummy account, in case it somehow messes with my main account. I opened it in the AppleScript editor, and it is simply one line of scary looking text. I will post a screenshot, only because macosxhints already has the code pasted for the world to see. As stated there, DO NOT USE THAT UNIX CODE!!! (unless you want to delete your user's directory).

This concerns me greatly for a couple different reasons:
1) There is no easy way to tell this is not what it says (i.e. get info)
2) Now I am going to have to be concerned about every file I open up, which I previously was not. There has got to be a way for Apple to provide some protection to this
3) I know there are a lot of people out there who are stating that, "users should know better, that's what users get for downloading from LimeWire, etc", but the vast majority of Mac users know very little about computers, and nothing about Unix. This is going to make their life more difficult, when one line of AppleScript can delete your user folder!
 

Attachments

  • trojan horse pic.jpg
If Rotoblade is correct, and this is just an applescript with the MS Word icon, can it really be considered a "Virus" ?
If it truly can be called a virus, then I just have one thought:
"Hell, I could have done THAT! I could have gone down in OSX history as the first virus writer for OSX..."

Tyler
Earendil
 
Sky is falling... OS X has no viruses but being killed by "trojan horses!"

In other news:

* Mac OS X suffers from a new and highly destructive "virus" transmitted by conventional HTML pages, primarily online forum systems. All browsers are vulnerable. The "virus" takes the form of a forum posting suggesting that the user "Pull the power plug out of the wall to speed up your Mac," and is spread whenever a user quotes or repeats this damaging text. This text transmission may persuade the user to perform actions which compromise their computer, including such serious consequences as sudden loss of power and potential lost data. This flaw has not been acknowledged by Apple but is considered a serious risk. Intego recommends purchasing their software which will filter the damaging text and prevent serious damage.

* And something about Microsoft and a new flaw-of-the-week?
 
What's so 'virus' about this? The guy ran an app that was written to empty the user's home directory and - guess what - it emptied his home directory. But hey! I've got a great idea to boost OS X security. Why not take away the user's rights to create or delete documents, that should make virus writers' lives real hard. :rolleyes:
 
Not a virus, nor a flaw

twalkabout said:
This concerns me greatly for a couple different reasons:
1) There is no easy way to tell this is not what it says (i.e. get info)
2) Now I am going to have to be concerned about every file I open up, which I previously was not

1) There is an easy way: in Get Info, click and delete the icon. The true icon--an AppleScript--will be revealed.

2) You always should have been concerned about files from strangers--or pirated programs that claim to be MS Office and are only 100k! Sad to say, but no OS is ever 100% secure so you have to be safe.

Not that THIS is an example of a security hole anyway :)

Applications CAN delete files--so don't run unknown applications. There's no OS in the world that stops people from lying to each other, and that's what a Trojan Horse is. An app that the author says does one thing, when in fact it does another.

And AppleScript is just one of many easy ways people can make their own apps to solve whatever need they may have. Put this same script on VersionTracker with a fancy name and it would have a USEFUL purpose: "This simple app easily clears out your personal data while leaving your system intact. Perfect for passing your Mac on to a friend or family member."

Not a virus--and not even a flaw. Apple COULD force a dialog any time an app performs a multiple deletion--but that would interfere with the desired process of legitimate apps we already use and love.

Simple protection: get your apps from a REAL source, not P2P and not mysterious emails. Buy them, or download shareware from a trusted source with feedback from users who have tried it first. And back up important data often! (And don't lump trojan horses in with real, propagating viruses and worms that do real damage via holes in the OS... like Windows users face constantly.)

(My comments are discussion in general, not specifically targeted to the quoted poster.)
 
twalkabout said:
This concerns me greatly for a couple different reasons:
1) There is no easy way to tell this is not what it says (i.e. get info)
2) Now I am going to have to be concerned about every file I open up, which I previously was not. There has got to be a way for Apple to provide some protection to this
3) I know there are a lot of people out there who are stating that, "users should know better, that's what users get for downloading from LimeWire, etc", but the vast majority of Mac users know very little about computers, and nothing about Unix. This is going to make their life more difficult, when one line of AppleScript can delete your user folder!

1) True, this is what all trojans strive for. But the fact that it is an AppleScript is an implementation detail. The very same thing could be done in any number of programming languages, and in nearly all of them it would probably also be a single scary line of text.

2) You should be concerned with every file you get off of a P2P network in the first place. If the user thought this was a demo, then he should have gone to M$s website to check to see if it was real. If he thought that it was an internet download, then he should have thought "Why would M$ distribute 100+MB software as an internet download??"

3) As I said before, you can do that in any language. Every application that you run on a regular basis can delete the entire contents of your user folder, and some could delete more than that. And it's really, REALLY not that hard. If you're downloading applications from P2P, then you really need to make sure that you are getting what you think you are getting.
 
nagromme said:
In other news:

* Mac OS X suffers from a new and highly destructive "virus" transmitted by conventional HTML pages, primarily online forum systems....

Now that's funny, and about the equivalent of this report.

Er, durh, I downloaded something labeled "Microsoft Word 2004" off of a P2P filesharing network, and now I'm going to be upset because it deleted my home folder. Not to make fun of the misfortune of others, but if you're downloading executables off of P2P, particularly of things that look suspiciously like just-released pieces of $300 software, you don't have a whole lot of room to complain.

And if ANYBODY thinks Limewire is a legit place to download Microsoft demos, they either need a helmet to keep them from unintentionally injuring themselves while using the computer because of the constant urge to forcefully put their head through their CRT, or they are computer illiterate AND have a malicious friend who decided to do mean things to them (in which case it would've been easier to just tell them to type "rm -r ~/" and enter their password).


By the way, the difficulty of telling the difference between an app that deletes your home folder and one that lets you convert text files or view images, is an inherent flaw with the fundamental design of computers, not any kind of OS-specific program. The stuff in your home folder is fair game for any app to add to and delete without a password--otherwise, you'd need to type your password every time you saved a document or dragged something to the trash. Any app--both intentionally malicious, or just ones with an unfortunate glitch (iTunes of a while back)--can do these things. And the fact that this particular one was an AppleScript is irrelevant--it could have just as well been a completely valid compiled application built using RealBasic or XCode, and they could've even bloated it to 50MB to make it look like it was actually a MS program.

Heck, it could've wiped the hard drive if it gave a convincing looking installer screen and asked for an admin password--most people type those in without a second thought when prompted.

Applications can do bad things to your computers. Apple makes it hard for them to damage the whole system without admin access, but when you run an untrusted app, this is the risk you take. And it's NOT a virus, since it only spreads through the stupidity of users.
 
Well, a few easy ways to tell that it is not the real thing, other than the file size and name, is that it could be opened in Classic. Big flag! Another thing is that isn't even the icon for installing Word 2004, but rather Office v.x (I think, correct me if I'm wrong). But why did this guy even download it? :confused:
–Chase
 
get info

It's true, if you delete the icon, then the AppleScript icon will pop up. I hadn't realized that. I just tested that out, and it worked fine.

I'm tired of people's condescending attitude about 'stupid' computer users. The fact of the matter is that the vast majority of people just want to use computers without having to understand anything about Unix, code, etc. They want to be able to open a program without being fooled into it deleting your account. I also don't want somebody to be able to delete my user account within 5 seconds of using my computer.

The fact of life is that people will use P2P networks, people will open up files that they are not 100% sure of their validity, and people will never take the precautions that they should (e.g. daily backups, etc). Everyone can complain about how "stupid", etc that they are, or we can hope for a more secure OS from Apple. Here is one interesting possibility as posted over at mxh:

"A far reaching solution is for Apple to redesign its security model. The current file permission system we have in OS X has been around for a very long time and computers are much more capable now. For example the National Security Agency has designed a version of linux SELinux (I believe that is the name) that implements a very exciting new way of doing things. There is even a test server made publicly available to the world where any one can create a root account and encourages people to try and break things. They cannot because of the very advanced rights system that operating system uses."
 
Well then, I guess that does away with the option of doing an archive and install for this guy. :eek:
 
These things have been around a long time...

Ever since AppleScript was created people have been making trojans of one sort or another. I downloaded something years ago that looked like a stuffit .sit file (I think this was with Hotwire), but the thing was badly written so when I launched it, I got an AppleScript error and pretty much freaked out. Since it gave an error, whatever it was meant to do didn't happen. After that I'd delete the icon off anything that was under a few megs in size. Now I just stay off the pirate systems and buy my software. Heck of a lot safer that way.

What amazes me more is the frenzy over this new "Virus" that is nothing more than a rogue app downloaded off a pirate site. People can't read any more, and they can't think any more. If the news said it's a virus, it must be!!! Give me a break. To make it even funnier...a friend of mine who has a mac e-mailed me FIRST this news article and a message in ALL CAPS on this new "virus" then he asked what virus software to use since Norton is no longer being made...so he couldn't read enough to know this wasn't a virus, and he couldn't read enough to know that Symantec did NOT cancel NAV, only NUM. Man, what a world we live in.
 
A conspiracy theorist would suggest that MS was behind the release of this little "anti-pirate" app... ;)

Personally I think it's likely to be a windoze user having some "fun"
 
viruses

are generally self replicating and retransmitted to other users.

distributing garbage like this over p2p hardly qualifies.

I could make a program in any language that does the exact same thing for any operating system.

not a flaw, not a virus, not newsworthy.

it's just poo. poo by a pooie company.
 
No really.... I believe you.

Right, you "thought it was a public beta." I also thought all those songs on Napster/KaZaa/WinMX were for "research purposes" only. Seriously though, why on earth does this warrant negative feedback? If you are dumb enough to go around trying warez, you have no right to complain when it takes out your ~. I can't tell who is more foolish, people who are entirely too eager to download the latest (unreleased, illegal, incomplete, quasi-functional, and probably spyware laden) Microsoft software that you are probably just going to complain about on the message board for two years, or the people who think this is a problem worthy of a negative response.
 
Well it also says web installer... that might make up for the small file size, but it brings up another red flag issue: Why would you pirate something, and then run an installer that grabs installation files via the web? Wouldn't that be like turning yourself in to M$? I'll assume that the files would come from a M$ server if M$ offered a web installer. They could grab the pirate's IP, and press charges.
 
he he. :) that's just funny. you'd think that people using LimeWire, BT, KDX etc would be especially careful after that proof-of-concept was 'uncovered'.

well now i've got the 'Info' window open in Finder all the time, checking everything that i download. i mean you've also got to use your head, there's a file on SuprNova now that's called something like 'WinXP 2000 98 Pro Gold' and it's 1MB. i wonder what that could possibly be? an example of some new compression? ;) :rolleyes: (BTW, i haven't got the file, so i haven't checked it so i could be wrong.)

well i've also got all my documents on a separate partition, and download everything to another partition altogether, then sort it out. i don't know how safe i am from things like that trojan, but hopefully things like that help out a bit.
 
Doesn't surprise me

Jetson said:
Why oh why do people feel the need to insult and put others down? The guy did us a favor by reporting some malicious software and he gets attacked from the people who should be thanking him. Sheesh!

"Schadenfreude" is what these people experience. It's a German term meaning "pleasure at someone else's pain/loss."

It doesn't surprise me that the RIAA, MPAA, et aliis have brainwashed many into thinking that acquiring software off P2P networks is analogous to murder. Most of the companies that support the RIAA initiatives are already making a premium on the right combination of 1's and 0's. It's time the people reaped the benefits of the Internet and the revolution of the cybernetic frontier.

Acquiring software/music off the Internet is NOT stealing. Stealing is legally defined as the permanent deprivation of property from a person. You cannot steal something if you leave it alone; nothing is removed; nothing is altered.

Wake up, and be realistic. P2P trades are here to stay. Even the government is vulnerable to network breaches; no network is perfect, no security measure is perfect. When the software companies stop selling so called "quality products" at a premium, P2P trades might diminish, but won't go away altogether.

Who has $1,000 to blow on Adobe CS? Anyone? Anyone?
 
It's totally an inside job by Intego designed to push their products. All the evidence is there, including the fact that someone found it on the 10th, but conveniently no mention of it until today - and with Intego's name plastered all over it.... read more:

http://www.eonblue.com/archives/000075.html

Heheheheheeeee.
 
aswitcher said:
A conspiracy theorist would suggest that MS was behind the release of this little "anti-pirate" app... ;)

Personally I think it's likely to be a windoze user having some "fun"

My money is on the "security" company that is now selling software to protect against these trojans.
 
Borg3of5 said:
"Schadenfreude" is what these people experience. It's a German term meaning "pleasure at someone else's pain/loss."

Yup. That's right. It is fun to laugh at the stupidity of other people, especially people who lie about what they really did. If the user had said, "I was trying to pirate Word 2004 since I didn't want to pay for it when it came out, and look where that got me. I'm a dumb***." I, for one, would not now be pointing at him and laughing (well, not as hard anyway). I might even have some sympathy for him. But since he did something stupid and then tried to seem all innocent, then he's going to get laughed at.

Borg3of5 said:
Acquiring software/music off the Internet is NOT stealing. Stealing is legally defined as the permanent deprivation of property from a person. You cannot steal something if you leave it alone; nothing is removed; nothing is altered.

Wake up, and be realistic. P2P trades are here to stay. Even the government is vulnerable to network breaches; no network is perfect, no security measure is perfect. When the software companies stop selling so called "quality products" at a premium, P2P trades might diminish, but won't go away altogether.

So what? No one here is condemning pirating software as "stealing" and I see few posts getting all moralistic about the fact that he was using P2P to get Word. You don't need to give us a lecture on your views of copyright law. That's not why we find this funny.

We are laughing at his stupidity in trusting that he could get stuff off of P2P without risks and not doing some basic due diligence to check out what he downloaded (the size of the thing, for starters).
 
Borg3of5 said:
Who has $1,000 to blow on Adobe CS? Anyone? Anyone?

Graphic designers who actually use the software to make a living, maybe? I purchased Macromedia Studio recently for $900. Not only can I write the expense off my taxes, but I earned that money back, plus a nice profit, with the first simple website I designed.

Just because you can't afford something, doesn't entitle you to get it for free.
 
twalkabout said:
It's true, if you delete the icon, then the AppleScript icon will pop up. I hadn't realized that. I just tested that out, and it worked fine.

A program like that can be written and compiled as a real app in a matter of seconds. Don't trust this method, it's miseducation. Don't trust the size, look etc. either. Download official releases from official sites and you should be relatively safe. Either that, or don't complain, it's as simple as that.

Oh, and about the stupidity thing: Ever tried to use your computer under water? You might add that to your list of what people want.
 