Mac OS X Virus/Trojan Summary

MacRumors

macrumors bot
Original poster
Apr 12, 2001
49,654
10,975

The announcement of the release of a Mac OS X trojan/virus/worm yesterday has drawn a lot of attention, confusion and significant misinterpretation. While much of the attention was aimed at the "virus vs trojan" distinction, this energy was misguided.

On the one hand, some users were quick to dismiss it as a simple "trojan" that anyone could easily script in minutes. While the application was set up to trick the end-user into launching it, the resultant actions it took were far more sophisticated as it was designed to inject itself into other applications on the users' hard drive. Despite much confusion on this detail, most users were not prompted for the administrator password before the file modifications took place. (The Application directory is writable by the Admin accounts which most Mac OS X user accounts are established as, by default.)

On the other hand, several saw this as a much more ominous sign for the Mac platform. However, this application itself is of a rather limited threat by the nature of its propagation -- and no particular Mac OS X vulnerability exists which allows the unimpeded transmission of a virus. Unless you specifically downloaded and launched this file, there is no way your Mac could have been infected.

The significance of this event is simply the intention behind the release of such malware under Mac OS X.

For additional reading, Symantec provides a step-by-step guide on what happens when the application launches and what modifications it makes to the users applications, while Andrew Welch of Ambrosia SW finished a detailed technical summary of the application.

 

Daveway

macrumors 68040
Jul 10, 2004
3,370
0
New Orleans / Lafayette, La
Now we just have to see how Apple compares to Microsoft on turn around updates.
I find it amusing that the first possible malicious code to attack the mac platform was released here at our nice forum.:)
 

X5-452

macrumors 6502
Feb 16, 2006
478
40
Calgary, Canada
I read the whole thing on the Symantec website, but I'm still a little confused. What would the end-user see? I know what the malware technically did, but what did it visually do? What was its purpose?
 

p0intblank

macrumors 68030
Sep 20, 2005
2,548
2
New Jersey
iGary said:
Scary. For real - this is the first time ever I have doubted the security of my Mac. :(
Same here. I feel a lot better now, though. This exploit definitely did open my eyes to security flaws and how to protect myself from them. While there is no real Mac "virus", this trojan certainly had a lot of Mac users on the edges of their seats. To tell you the truth, I can see another trojan like this one happening, but in a more serious fashion. The instructions were practically unveiled to the public... no offense to MacRumors.

But hey, this isn't scary. If you have common sense and take precaution, a future trojan can be easily avoidable. I'm sure Apple will release some sort of patch to aid users in the future.

I'm still relieved it isn't an actual virus... if it was, then I'd be scared.
 

Counterfit

macrumors G3
Aug 20, 2003
8,201
0
sitting on your shoulder
Daveway said:
Now we just have to see how Apple compares to Microsoft on turn around updates.
I think they have to figure out just what to do first. Change all applications to be owned by root? Or tell users not to double-click on unknown files (which I stopped doing altogether after the MP3 proof-of-concept)
 

iGary

Guest
May 26, 2004
19,581
2
Randy's House
p0intblank said:
Same here. I feel a lot better now, though. This exploit definitely did open my eyes to security flaws and how to protect myself from them. While there is no real Mac "virus", this trojan certainly had a lot of Mac users on the edges of their seats. To tell you the truth, I can see another trojan like this one happening, but in a more serious fashion. The instructions were practically unveiled to the public... no offense to MacRumors.

But hey, this isn't scary. If you have common sense and take precaution, a future trojan can be easily avoidable. I'm sure Apple will release some sort of patch to aid users in the future.

I'm still relieved it isn't an actual virus... if it was, then I'd be scared.
Well no more file transfers via iChat.

It will be interesting to see if Apple even responds to this.

My guess is....NOT.
 

iBlue

macrumors Core
Mar 17, 2005
19,182
15
London, England
2nyRiggz said:
That freaking Bas$$%^$ that posted that crap should be placed in the middle of a town and burn before all the mac heads......na just kidding


Bless
naaah, but it would be nice to unzip and tar him ;) :D
 

faintember

macrumors 65816
Jun 6, 2005
1,363
0
the ruins of the Cherokee nation
risc said:
How do you patch against users downloading and running applications from people they don't know?
You can't, but Apple could make the OS look at any downloaded file and see if it contains an executable, and notify the user of this, maybe as other posters have mentioned on another thread, by making the icon and text have a "glow" to them that is only visible on executable files. Sounds like it is a step in the right direction for those less-knowing Mac users.
 

Danksi

macrumors 68000
Oct 3, 2005
1,554
0
Nelson, BC. Canada
Macrumors said:
Despite much confusion on this detail, most users were not prompted for the administrator password before the file modifications took place. (The Application directory is writable by the Admin accounts which most Mac OS X user accounts are established as, by default.)
Isn't this the key issue here? - I assumed Windows was the only OS that allowed this kind of access by default. Could provide Apple with a little usability challenge.

(I've since created a new admin account and demoted my day-to-day account to 'standard')
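
The condition discussed in the news post and in the reply above (the Applications directory being writable by admin accounts with no password prompt) can be checked on a given machine. The shell script below is an added example, not part of the thread or of any vendor tool; its function names are hypothetical, and it reports only group- or world-writable items, so bundles owned by the logged-in user are not covered.

```shell
#!/bin/sh
# Added example (not from the thread): find app bundles that a non-root
# account could alter without an administrator password prompt.
# Function names are hypothetical. Only group/world write bits are checked;
# a bundle owned by the logged-in user is writable by that user regardless.

# Print every top-level *.app bundle under DIR that contains at least one
# file or directory writable by its group or by everyone.
list_modifiable_apps() {
    dir=$1
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        # Symlink mode bits are not meaningful, so skip them (false hits).
        hit=$(find "$app" ! -type l \( -perm -020 -o -perm -002 \) -print \
              2>/dev/null | head -n 1)
        [ -n "$hit" ] && printf '%s\n' "$app"
    done
    return 0
}

# Number of bundles reported by list_modifiable_apps.
count_modifiable_apps() {
    list_modifiable_apps "$1" | wc -l | tr -d ' '
}

# True when USER (default: current user) belongs to the "admin" group,
# the group of the admin accounts the news post refers to.
in_admin_group() {
    id -Gn "${1:-$(id -un)}" 2>/dev/null | tr ' ' '\n' | grep -qx admin
}

# Usage: sh audit_apps.sh /Applications
if [ $# -gt 0 ]; then
    if in_admin_group; then
        echo "Current account is in the admin group."
    fi
    list_modifiable_apps "$1"
fi
```

Run from a standard (non-admin) account, the listing shows which bundles would still be exposed if an admin session launched an untrusted file.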
 

p0intblank

macrumors 68030
Sep 20, 2005
2,548
2
New Jersey
faintember said:
You can't, but Apple could make the OS look at any downloaded file and see if it contains an executable, and notify the user of this, maybe as other posters have mentioned on another thread, by making the icon and text have a "glow" to them that is only visible on executable files. Sounds like it is a step in the right direction for those less-knowing Mac users.
This sounds like a good idea. Patch it in a stealthy manner, but nothing over bloated like separate software running in the background taking up resources. The average user probably wouldn't recognize a "glow" as hazardous, however. Perhaps a small red ! icon can appear in front of the file that may be dangerous to open.

I just hope Apple does something about this... I think they would. They seem to care about their OS being the best one on the market. I don't think they would let some trojan knock them off that path.
 

Felldownthewell

macrumors 65816
Feb 10, 2006
1,053
0
Portland
risc said:
How do you patch against users downloading and running applications from people they don't know?
True, there is no patch for stupidity, but Apple could publish the writer's address and phone number. :)
 

faintember

macrumors 65816
Jun 6, 2005
1,363
0
the ruins of the Cherokee nation
p0intblank, I can't take credit for the idea, it was posted by another MR member on a separate thread about the new trojan. This seems like an easy enough thing to stop, but then again I am not a programmer, so what do I know.

All I know is an executable, at some level, has to look like an executable to the OS, so why not visually distinguish them from other file types for the user?

Edit: Good point iBlue, but why not make that, and say the "red text" or "exclamation" all on by default with no way of turning them off? No harm in that....
 

dejo

Moderator
Staff member
Sep 2, 2004
15,981
450
The Centennial State
p0intblank said:
I just hope Apple does something about this... I think they would. They seem to care about their OS being the best one on the market. I don't think they would let some trojan knock them off that path.
Unless, as John Dvorak is suggesting, they really are just planning on adopting Windows anyways... ;)
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
If you want to side-step definitions of what a virus is (some would call this a very weak virus, others wouldn't), your best bet is to tell people there's never been an OS X virus that could function without the user's help. (Several steps of help, in fact.)
 

Stewie

macrumors 6502
Jan 6, 2004
440
208
Austin
Best Fix

The best thing that Apple can do to fix this problem is require any person buying an Apple computer to pass an intelligence test. If you fail you don't get to own one of their computers. The problem is stupidity and I don't think that it is the job of Apple to protect us from ourselves. My feeling is that if you are dumb enough to open a file from a source you are not sure of then you get what you deserve. Kinda like the idiot that puts his hot fast-food coffee between his legs and then burns himself when it spills. With any luck those idiots will sterilize themselves and we won't have to worry about them dumbing down the gene pool any more than it already is.

I have zero tolerance policy on stupidity.

My $0.02
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
faintember said:
p0intblank, I can't take credit for the idea, it was posted by another MR member on a separate thread about the new trojan. This seems like an easy enough thing to stop, but then again I am not a programmer, so what do I know.
At first I suggested a mouseover glow effect... but now I think the glow on executables should be a permanent throb. More noticeable, and it wouldn't waste much CPU power since how often do you have to have Finder windows open and showing apps anyway?

Apps in folder pop-up menus from the Dock should throb as well. And in Column view if you have icons turned off, a symbol should throb next to executables.
 

ssteve

macrumors member
Jan 31, 2006
85
7
risc said:
How do you patch against users downloading and running applications from people they don't know?
Answer: You don't.

All that happens is that businesses such as Data Doctors open and charge lots of money to fix people's computers. Data Doctors is making huge amounts of money from stupid users who do stupid things with their computers (mostly PCs). This is good by the way because when I go by a Data Doctors location, I get the opportunity for a laugh. Mostly at the stupid users inside getting repairs. lol
 