nagromme said:
* So if a downloaded file shows as .jpg, it CAN'T execute when double-clicked.
Unfortunately, no. Unix filenames can contain whitespace, so a file with the extension ".jpg " is valid. The icon and list views in the Finder won't show this to you, you'll only notice if you try to edit the name. Worse, a file with an unknown extension like that will work as an executable.

The only reliable thing to do is Get Info on the file.
 
vallette said:
How would a throbbing icon possibly make someone think a file is an executable?
The same way a bouncing icon makes you think an app is loading: that's what the effect means, and it's documented as such, and we're used to it.

A popup message also is a good idea--and it could explain the glow to new users--but an effect added to the icon would be a warning even BEFORE you launch an app. A disguised app you accidentally download today might be first launched by someone else (or you) tomorrow. A glowing indication would remove all ambiguity. (Whether the glow/halo does or does not animate isn't the point.)

iMeowbot said:
Unfortunately, no. Unix filenames can contain whitespace, so a file with the extension ".jpg " is valid. The icon and list views in the Finder won't show this to you, you'll only notice if you try to edit the name. Worse, a file with an unknown extension like that will work as an executable.

The only reliable thing to do is Get Info on the file.
I see. Sounds like Finder should underline trailing whitespace. (Leading too.) That would be useful in other ways too--like when you accidentally leave a space.

Highlighting an icon already shows trailing whitespace by making the oval longer. But it's too subtle--you could easily miss a single space.
 
nagromme said:
Highlighting an icon already shows trailing whitespace by making the oval longer. But it's too subtle--you could easily miss a single space.
That would be a big help, but it's potentially even trickier, thanks to all the look-alike characters hiding in Unicode. It's probably best not to rely too much on the appearance of filenames, period.
 
iMeowbot said:
That would be a big help, but it's potentially even trickier, thanks to all the look-alike characters hiding in Unicode. It's probably best not to rely too much on the appearance of filenames, period.
No, Apple shouldn't rely on that alone, but it's one gimmick they could stop.

As for Unicode characters, Finder could do what Safari does for phishing scams: translate non-latin file extensions into visible gibberish code.

I'm thinking a "Trojan reduction system" would have the following at least:

1. A warning any time ANY new app is first launched. (Annoying, but only happens once.)

2. A warning any time ANY archive is extracted that contains an executable. (Ditto.)

3. A visible glow (animated or not) around every executable and app bundle icon in Finder AND in Dock folder popup menus. (And ideally also for iChat and Mail attachments even before they are downloaded to desktop.) Every "first-launch" dialog would explain that the glow means a program, and that running unknown programs isn't recommended.

4. Leading and trailing whitespace underlined in Finder names, and non-latin extensions translated to code.

5. Some system by which every new Mac gets an admin password separate from the default account that gets daily use. But done in a way that causes as little confusion to new users as possible. Three possible methods:

* Every new Mac has TWO accounts, and asks for (and simply explains) two usernames and passwords. A non-admin account for primary use AND an admin account that most people would never actually log into. This is what people do "by hand" now, but the presence of two accounts could confuse some people. So I'd suggest...

* The admin account be concealed by default--both in the login window and in the Users folder in Finder. So basic users wouldn't have to think of it as a separate user space or be confused by it--they'd use the password as needed but never actually log in as that user. (And with one click in System Preferences, it could be revealed as a full account able to be logged in, for power users like us.) Or...

* If the dual accounts is still too confusing during the new machine setup phase, then Apple could simplify it further by NOT prompting at setup for two names/passwords. They could use the name Admin (maybe plus the date) for the extra username, and use your same password again. (Using a password twice isn't ideal, and savvy users would want to change it, but even with the same password, permissions would be different, and that would hamper a Trojan.)
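An added example, not part of any post in this thread: a Python sketch of the filename checks discussed above (the trailing-space ".jpg " trick, look-alike Unicode in extensions, and rendering such names visibly as in point 4), plus a check for the executable bit on a file named like a document. The function names, the `DOC_EXTS` list and the sample names are assumptions made for this illustration.

```python
import os
import stat

# Assumed list of extensions a user would expect to open as a document.
DOC_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "mp3", "mov"}


def visible(name):
    """Return the name with edge whitespace and non-ASCII shown as \\uXXXX."""
    left = name.lstrip()
    lead = name[: len(name) - len(left)]
    core = left.rstrip()
    trail = left[len(core):]
    esc = lambda s: "".join(f"\\u{ord(c):04x}" for c in s)
    body = "".join(c if c.isascii() and c.isprintable() else esc(c) for c in core)
    return esc(lead) + body + esc(trail)


def extension(name):
    """Text after the last dot, exactly as stored (may hold spaces)."""
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def audit_name(name):
    """Flag the name tricks that icon and list views do not make obvious."""
    findings = []
    if name != name.lstrip():
        findings.append("leading-whitespace")
    if name != name.rstrip():
        findings.append("trailing-whitespace")
    if not extension(name).isascii():
        findings.append("non-ascii-extension")
    return findings


def audit_file(path):
    """Name checks plus: executable bit on something named like a document."""
    name = os.path.basename(path)
    findings = audit_name(name)
    mode = os.lstat(path).st_mode
    claimed = extension(name).strip().lower()
    if stat.S_ISREG(mode) and mode & 0o111 and claimed in DOC_EXTS:
        findings.append("executable-with-document-extension")
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for sample in ["photo.jpg", "holiday.jpg ", "pic.j\u0440g"]:
        print(repr(sample), "->", visible(sample), audit_name(sample))
```
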
 
nagromme said:
* It's possible for a real JPEG to lack an extension, but unlikely. If this DOES happen, drop the file into Preview instead.
...
* So if a downloaded file shows as .jpg, it CAN'T execute when double-clicked.

Is that a practical rule of thumb?

Possibly, but remember in this particular case it was an executable that didn't have an extension but did have an icon that made it look like a jpeg. How would the OS know that the icon has been made to look like a file?

A visual clue like you suggested would be the best solution.
 
Default new accounts are NOT admin

When setting up new accounts, you have to check a box to "Allow user to administer this computer". Out of the box, Tiger makes you give the admin password to install anything, so unless you are really asleep at the wheel, there shouldn't really be any real fear.
 
nagromme said:
No, Apple shouldn't rely on that alone, but it's one gimmick they could stop.

As for Unicode characters, Finder could do what Safari does for phishing scams: translate non-latin file extensions into visible gibberish code.

I'm thinking a "Trojan reduction system" would have the following at least:

1. A warning any time ANY new app is first launched.

2. A warning any time ANY archive is extracted that contains an executable.

3. A visible glow (animated or not) around every executable and app bundle icon in Finder AND in Dock folder popup menus.

4. Leading and trailing whitespace underlined in Finder names, and non-latin extensions translated to code.

5. Some system by which every new Mac gets an admin password separate from the default account that gets daily use. But done in a way that causes as little confusion to new users as possible. Three possible methods:

* Every new Mac has TWO accounts, and asks for (and simply explains) two usernames and passwords. A non-admin account for primary use AND an admin account that most people would never actually log into. This is what people do "by hand" now, but the presence of two accounts could confuse some people. So I'd suggest...

* The admin account be concealed by default--both in the login window and in the Users folder in Finder. So basic users wouldn't have to think of it as a separate user space or be confused by it--they'd use the password as needed but never actually log in as that user. (And with one click in System Preferences, it could be revealed as a full account able to be logged in, for power users like us.) Or...

* If the dual accounts is still too confusing during the new machine setup phase, then Apple could simplify it further by NOT prompting at setup for two names/passwords. They could use the name Admin (maybe plus the date) for the extra username, and use your same password again. (Using a password twice isn't ideal, and savvy users would want to change it, but even with the same password, permissions would be different, and that would hamper a Trojan.)

Good ideas and so wouldn't it be very upsetting if Apple didn't do any of those things in 10.5?
 
nagromme said:
The same way a bouncing icon makes you think an app is loading: that's what the effect means, and it's documented as such, and we're used to it.

The difference is that the bouncing icon doesn't have to mean anything and you can learn what it means by performing an action. If you asked a new Mac user what a bouncing icon meant and they had no idea it wouldn't matter. The lack of knowledge wouldn't compromise their system or prevent the app from launching. A glowing, hilited icon would mean nothing and I wouldn't want to find out what it meant by experimenting. In fact I'd venture to guess it might encourage some people to open it--look at this pretty glowing thing, let's open it. And what about the visually impaired?

A simple dialog asking if you really want to open the app would do so much more.
 
vallette said:
If you asked a new Mac user what a bouncing icon meant and they had no idea it wouldn't matter. The lack of knowledge wouldn't compromise their system or prevent the app from launching. A glowing, hilited icon would mean nothing and I wouldn't want to find out what it meant by experimenting. In fact I'd venture to guess it might encourage some people to open it--look at this pretty glowing thing, let's open it. And what about the visually impaired?

A simple dialog asking if you really want to open the app would do so much more.
Yes, as I proposed, a dialog is important too--but it doesn't do everything a visual icon effect would: remind you at a glance even for files you haven't clicked yet. That's why I suggest both.

The visually impaired would get an indication on mouseover I assume, just like the way filenames can be read aloud.
 
nagromme said:
At first I suggested a mouseover glow effect... but now I think the glow on executables should be a permanent throb. More noticeable, and it wouldn't waste much CPU power since how often do you have to have Finder windows open and showing apps anyway?

Apps in folder pop-up menus from the Dock should throb as well. And in Column view if you have icons turned off, a symbol should throb next to executables.

I agree. However, it would probably need to be only on the filenames themselves. Italicizing the text would be sufficient in my view (with the option to turn it off, of course).

Making users more aware of having a separate admin account would also help.
 
Not Going to Work

Few of the suggestions about how to change how Apple and OS X do things and having pop up windows appear before running executable are going to work and stop the spread of these worms (or trojans or sudo virus programs. Whatever you want to call them). The problem has nothing to do with the OS or Apple but it is all in the intelligence or actually the amount of common sense the user clicking away has. You can build layer after layer of protection and security and there will still be people who, for whatever reason, will click on any file they get and happily type in their password without ever thinking about why.

So my suggestion for stopping this type of thing has nothing to do with a fix from Apple, but from each of you. Everyone should educate their friends, their families, anyone who will listen about having common sense while using the computer. This will stop the spread of these things faster than anything else.
 
iGary said:
Scary. For real - this is the first time ever I have doubted the security of my Mac. :(
Why? It doesn't do anything really harmful to your computer and you have to be a certifiable moron to activate it. Frankly I find this more funny than anything else.
 
:)

dejo said:
Sorry to be cynical but I should trust this Terminal script why? ;)


GOOD POINT!!! :eek: I have not tried it, as I did not DL the original file, but just saw it on VT and thought it could help those who do not know how to use terminal. :confused:
 
p0intblank said:
While there is no real Mac "virus"

If this is not a virus, what in your opinion constitutes a virus?

(And if you say a real virus does not require that a user opens it, what is the difference between a virus and a worm? To me the definition of a worm is exactly this: that it infects a system without the user doing anything.)
 
Xephian said:
I hope this isn't the start for all viruses on the Mac...
It's not even a virus. It's a minimally harmful trojan that really doesn't do anything. This was blown WAY out of proportion by the media (as they do with everything else). The bigger concern for mac users right now is ********s trying to hack the OS to run on PCs.
 
Why not Bill?

Why not attack one of the biggest advantages MAC OSX has over Windows? Billy could be financing this!
 
Trojan Part = The part where the user actually clicked download or execute program... or typed admin password

Virus/Worm Part = Sending through AIM... which still needs the other user to accept because that's how AIM works... if it were to bypass this, then it's a worm.

It's slow moving.
It needs your input.

Don't click stuff you don't know what is.
Just like you don't open mail that says you have already won $1,000,000.
 
arn said:
I still disagree.

Here's the distinction I see... and why it's of significance.

a) someone writes a script that erases your hard drive and tricks some users into running it. => This is not news or even particularly interesting, even though it might be considered a trojan.

vs.

b) someone writes a program that is designed to modify applications on the user's hard drive to propagate itself to other applications. when those applications are later launched, it repeats this cycle to infect other applications on the computer. it also tries to send itself to other users over IM. Oh... and someone tricks some people into running it. The implications/scope of this is much different and much more significant. The trojan / tricking someone into running the app is not the interesting part of the story.

arn

finally a sane voice
 