
Chris Grande

macrumors 6502
Jun 17, 2003
254
130
Doctor Q said:
Another choice: provide additional warnings when files have multiple recognized extensions, such as myfile.jpg.app.

The System already automatically shows the full extension if you try to add .jpg or .anything else to a .app. Go into your apps folder and add .jpg to chess and it will show Chess.jpg.app.

I'm guessing they should add the warning dialog also.
 

great high wolf

macrumors regular
Jan 30, 2006
206
19
I've just downgraded my account to regular user and created an admin for when it's needed. This is not good.

I can't wait for the ribbing I'll get from Windows users who read BBC News and don't have a clue what actually has to be done to run this thing.

Although, I do see this as more of a proof of concept in terms of its prevalence... it's not exactly widespread.

But still bad. :eek:
 

mdavey

macrumors 6502a
Nov 1, 2005
506
1
socokid said:
Admin are NOT on by default... The only Admin user by default is the FIRST user to set up the computer.

That is the point that the author was trying to make. No guidance is provided saying that the first account is the admin user account and shouldn't be used for day-to-day work. Furthermore, users aren't told to set up a second account.

The result is that many Macs only have one account set up, the admin user account, and the owner uses that account for everything.
 

paulwesley

macrumors newbie
Oct 16, 2003
11
0
Syracuse, NY
risc said:
How do you patch against users downloading and running applications from people they don't know?

The problem is that people don't know they are running an app - since it looked like a file.

As with downloads in Safari, Apple could give a message (possibly requiring an admin login) the first time any new application was run, alerting the user that that is what they are doing, and asking whether they are sure they want to do it. (with a notice about the possibility that it could be mal, etc...)

This would be simple to do and would go a long way.

Edit: And I'd rather have a warning that appears once than have all my apps glowing...
 

50548

Guest
Apr 17, 2005
5,039
2
Currently in Switzerland
Doctor Q said:
Then all will be quiet until the next security issue arises, when it too will be called "the first Mac OS X Trojan horse" by those with short memories.

Far from being the first, really...I got attacked by one back in 2004, when I was moderator of a Mac-forum and some hacker wannabes wanted to flood it with piracy links and the like...

1) Got a fake email from a fellow friend, which contained a script disguised as a PDF file named "new manual for moderators" or so;
2) Was working as a crazy man and didn't even stop to check the file correctly;
3) Double-clicked on it and the script ran, erasing my Home mail and some other config files; I had a fairly recent backup, so damage wasn't that great.

Another suggestion that I've read elsewhere: Go to your Home folder, Library, "InputManagers" folder, and change its permissions to System, as usually happens with the Applications folder...then the trojan won't be able to insert any code there without your authorization...
 

50548

Guest
Apr 17, 2005
5,039
2
Currently in Switzerland
mdavey said:
That is the point that the author was trying to make. No guidance is provided saying that the first account is the admin user account and shouldn't be used for day-to-day work. Furthermore, users aren't told to set up a second account.

The result is that many Macs only have one account set up, the admin user account, and the owner uses that account for everything.

Sorry, but most use it as Admin, and SHOULD use it as Admin. I always change network/sharing configs and many other things, and am the only user of the machine...no point using it as Standard user.
 

slb

macrumors 6502
Apr 15, 2005
464
311
New Mexico
SiliconAddict said:
This is no different than if someone was found to be susceptible to cancer. It means you can get cancer but doesn't mean you have it, or that there aren't things you can't do to avoid it.

Best analogy I've read so far.

If I read another news story today claiming this is the "first found to target Mac OS X," I'll scream. It's not the first, and it's based on ideas used in past trojans! At least the BBC was way more accurate than Reuters (who waited until the end of the article to mention that you have to download and execute the program yourself).

What's annoying me most of all are all the posters here acting like anything has changed or that Apple has to patch something! Nothing has changed; this proof-of-concept trojan is no different from the other dozens of proof-of-concept trojans that have been written for OS X. Where OS X shines is the lack of propagation of such malicious software. There are enough safeguards that it's hard for it to go anywhere.

This has gotten blown way out of proportion. It should have been a Page 2 story on MacRumors telling people about this isolated little incident...it was just somebody's personally written executable that was run by some forum members. It's not anything that's spreading in the wild, nor is it the "first OS X trojan!" There will be certain elements in the press who will use this against Macs now.

Please stop acting like the sky is falling or that anything is different. You people changing system permissions on your InputManagers folder and whatnot are crazy. You can't just get randomly infected with anything; you have to download and run it yourselves! You don't need to change anything in OS X; it's as secure as it was before. And if someone convinces you to run a strange program and grant it admin privileges, your freakin' InputManagers folder is the least of your worries.

paulwesley said:
The problem is that people don't know they are running an app - since it looked like a file.

Safari should have brought up its standard prompt telling you you're downloading an executable.

Once again--this is not news, it's not the "first OS X virus," and the trojan itself is based on earlier OS X trojans written in the past few years that have always been around. The point in saying OS X has no viruses or trojans is to mention that none spread in the wild to any notable degree, because OS X lacks the mechanisms or exploitable security flaws for that.

Somebody tricked some MacRumors posters into running his app on the forums before his post was deleted, and now it's international news from Reuters to the BBC. I really, really don't get this at all. None of the big news reports are mentioning that this was a minor forum incident on a Mac site, not a big trojan spreading around in the wild. Again, I blame MacRumors for not clarifying the nature of things in their original announcement. Even their claim that this event is significant because of the intention behind the executable is wrong, since malicious OS X trojans have existed since the operating system's first release five years ago.
 

Dalriada

macrumors 6502
Aug 26, 2004
277
0
Moorlough Shore
Everyone seems to focus on downgrading accounts to a standard user and running a separate non-daily admin account. That's fine to avoid write access to apps, but personally I'd be more concerned about a disguised Unix executable wiping out a home folder/personal files/pics rather than having to reinstall infected apps. I'd say then the focus is more on how to identify/block hidden executables.

EDIT second thoughts...downgrading right now....:)

- Dal
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Chris Grande said:
The System already automatically shows the full extension if you try to add .jpg or .anything else to a .app. Go into your apps folder and add .jpg to chess and it will show Chess.jpg.app.
Never noticed that before!

It won't let you (not in Prefs, not in Get Info) hide the extension of an app that has a second extension, and it won't let you delete the .app part either. Does this Oomp-A work around that in some way?


paulwesley said:
And I'd rather have a warning that appears once than have all my apps glowing...
How much time do you spend viewing your apps in Finder? Once in a blue moon for me. Seeing a glow where none should be would be a great reminder to me. But the glow indication could be optional (like Dock bouncing). And I agree the warning is a good move too.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
nagromme said:
It won't let you (not in Prefs, not in Get Info) hide the extension of an app that has a second extension, and it won't let you delete the .app part either. Does this Oomp-A work around that in some way?
Does anyone have a screenshot showing what the Oomp-A app icon you're supposed to double-click looks like?

What does it show if you have All Extensions visible?

What does it look like if (like me) you don't?
 

iMeowbot

macrumors G3
Aug 30, 2003
8,634
0
nagromme said:
Does anyone have a screenshot showing what the Oomp-A app icon you're supposed to double-click looks like?
Attached.
What does it show if you have All Extensions visible?
No change. It's a bare Unix executable, not a bundle.
 

Attachment: osx.leap.a.3.gif

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,789
7,526
Los Angeles
slb said:
I'm very annoyed at and disappointed with MacRumors announcing this as the first OS X trojan without referencing past proof-of-concept trojans like MP3Concept that use the exact same icon trick!
That's incorrect. MacRumors did not announce this as "the first OS X trojan".

The MR story said "The First Mac OS X Virus?", which is a question, not a statement, for which the answer partly depends on how people choose to define "virus". The added suffix, "A New OS X Trojan", correctly said "new" instead of "first" because of the previous Trojan horses for Mac OS X.

The MacRumors followup story provided even more clarification.

The mainstream press sometimes gets details wrong or blows minor stories out of proportion. That's to be expected when a story is quickly making the rounds. If and when a Mac OS X virus or worm does real damage to a large number of users' Macs, which has yet to happen, it will be much more newsworthy. Let's just hope that that virus doesn't start in these forums.
 

arn

macrumors god
Staff member
Apr 9, 2001
16,363
5,795
slb said:
None of the big news reports are mentioning that this was a minor forum incident on a Mac site, not a big trojan spreading around in the wild. Again, I blame MacRumors for not clarifying the nature of things in their original announcement. Even their claim that this event is significant because of the intention behind the executable is wrong, since malicious OS X trojans have existed since the operating system's first release five years ago.

I still disagree.

Here's the distinction I see... and why it's of significance.

a) someone writes a script that erases your hard drive and tricks some users into running it. => This is not news or even particularly interesting, even though it might be considered a trojan.

vs.

b) someone writes a program that is designed to modify applications on the user's hard drive to propagate itself to other applications. When those applications are later launched, it repeats this cycle to infect other applications on the computer. It also tries to send itself to other users over IM. Oh... and someone tricks some people into running it. The implications/scope of this is much different and much more significant. The trojan / tricking someone into running the app is not the interesting part of the story.

arn
 

Mitch1984

macrumors 6502
May 16, 2005
453
28
Telford
Who thinks that this virus was probably made by or had something to do with these software security firms??????

Example:
No market for anti virus software on a mac.
Make one and then everyone buys anti virus software.

It's gonna pee me off if we're gonna have to slow our computers down by running anti virus software constantly.
 

jaw04005

macrumors 601
Aug 19, 2003
4,513
402
AR
I just saw the Trojan flash across CNN's ticker as "The first Mac OS X VIRUS."

GRRRRR. :mad:

It's a Trojan, not an actual virus.
 

Peace

Cancelled
Apr 1, 2005
19,546
4,556
Space The Only Frontier
joshuawaire said:
I just saw the Trojan flash across CNN's ticker as "The first Mac OS X VIRUS."

GRRRRR. :mad:

It's a Trojan, not an actual virus.


I guess there should be more stories like this..The stock market is down while AAPL was up a few minutes ago :p
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
iMeowbot said:
Attached.

No change. It's a bare Unix executable, not a bundle.
I see. No file extension. (And OS X doesn't demand file extensions on JPEGs, either.)

Out of curiosity, what happens if you take a UNIX executable and try to add .jpg to the end of the name?
 

Peace

Cancelled
Apr 1, 2005
19,546
4,556
Space The Only Frontier
nagromme said:
I see. No file extension. (And OS X doesn't demand file extensions on JPEGs, either.)

Out of curiosity, what happens if you take a UNIX executable and try to add .jpg to the end of the name?

Great question..

I took a Unix executable, did the Get Info and added .jpg to it, and it asked if I wanted to add the extension and allowed it.

[edit] here's a screen capture of the info :[/edit]
[edit-edit] screen capture removed DO'H! :eek: [/edit-edit]

edited for self-preservation..
 

mdavey

macrumors 6502a
Nov 1, 2005
506
1
nagromme said:
Out of curiosity, what happens if you take a UNIX executable and try to add .jpg to the end of the name?

You get a Unix executable with a name that ends in .jpg

Unix and Linux don't use filename extensions at all (with a few exceptions). Unix and Linux use a system called magic strings (or simply 'magic'), whereby the kernel looks for a specific sequence of characters in a specific place in the file (eg "GIF8" as the first four characters for a GIF file).

If you want to play about with it, go to Terminal and type 'man magic' to learn more about the mechanism and config file, then 'file filename' to determine the file type from its contents.
 

iMeowbot

macrumors G3
Aug 30, 2003
8,634
0
mdavey said:
You get a Unix executable with a name that ends in .jpg
Yes, the shell will treat it that way, but the Finder will try to open it as a JPEG file.
 

vallette

macrumors newbie
Apr 23, 2002
14
0
Throbbing icons?

How would a throbbing icon possibly make someone think a file is an executable? Why not simply do the following:
If a file is an executable and has two or more periods in the name (possibly indicating an attempt to hide the real extension) or no extension the user is prompted. Simple. No fancy graphics.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
So one defense (if for instance you really want to view an image downloaded from an unknown site) is: don't double-click unknown files that lack an extension.

Am I right to think this?

* It's possible for a real JPEG to lack an extension, but unlikely. If this DOES happen, drop the file into Preview instead.

* Any file you download has its extension visible even if you do NOT have that option checked in Finder prefs. (If there are exceptions, you can check the extension with Get Info.)

* An app bundle will always show either .app in Finder or no extension at all (without Get Info)--it can never show just .jpg.

* A UNIX executable can't show .jpg or it won't run from Finder.

* So if a downloaded file shows as .jpg, it CAN'T execute when double-clicked.

Is that a practical rule of thumb?
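One way to turn mdavey's point about magic bytes and nagromme's extension rule of thumb into an actual check, as an added example that is not from the thread: the image and Mach-O signatures are the standard header values, while the flag names and the `sniff`/`assess`/`scan_dir` functions are my own.

```python
"""Added example (not from the thread): flag files whose name says 'image'
while content or permissions say 'executable' (Finder vs. Unix mismatch)."""
import os
import stat

# Leading-byte signatures ("magic"), as file(1) uses; Mach-O values are real.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",                 # "GIF8" as the first four bytes
    b"#!": "script",                # shebang: interpreter-run executable
    b"\xfe\xed\xfa\xce": "mach-o",  # 32-bit Mach-O, big-endian (PowerPC)
    b"\xce\xfa\xed\xfe": "mach-o",  # 32-bit Mach-O, little-endian (Intel)
    b"\xcf\xfa\xed\xfe": "mach-o",  # 64-bit Mach-O, little-endian
    b"\xca\xfe\xba\xbe": "mach-o",  # universal (fat) binary
}
IMAGE_EXTS = {"jpg", "jpeg", "gif"}
EXEC_KINDS = {"script", "mach-o"}

def sniff(head: bytes) -> str:
    """Classify by leading bytes; 'unknown' if no signature matches."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"

def assess(name: str, head: bytes, exec_bit: bool) -> set:
    """Return warning flags for one file from its name, first bytes and x-bit."""
    exts = name.lower().split(".")[1:]   # "pic.jpg.app" -> ["jpg", "app"]
    flags = set()
    if not exts:
        flags.add("no-extension")         # e.g. a bare Unix executable
    if len(exts) > 1:
        flags.add("multiple-extensions")
    if exec_bit or sniff(head) in EXEC_KINDS:
        flags.add("executable")
    if exts and exts[-1] in IMAGE_EXTS and "executable" in flags:
        flags.add("image-name-but-executable")
    return flags

def scan_dir(directory: str) -> dict:
    """Apply assess() to each regular file (bundles are directories, skipped)."""
    report = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            mode = entry.stat(follow_symlinks=False).st_mode
            with open(entry.path, "rb") as fh:
                head = fh.read(8)
            report[entry.name] = assess(entry.name, head, bool(mode & stat.S_IXUSR))
    return report
```

Because a .app bundle is a directory, `scan_dir` only covers the bare-executable case iMeowbot describes; a file that both carries an image extension and has the execute bit set is the one the Finder would misrepresent.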
 