Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
New Mac Virus?
- Thread starter Poeben
- Start date
- Sort by reaction score
What you are describing is a classic Windows exploit. On the victim's computer, it begins with autoexecuting email attachments. However, MacOS X has no autoexecuting email attachments. Neither does it have autoexecuting downloads. Therefore, any social engineering required to get the ignorant administrator to install MacOS X malware has to be external to the malware itself. As for installing an SMTP server and the other things, well MacOS X ships with an SMTP server installed. It's called sendmail. You hypothetical malware would simply have to trick sendmail to do its bidding. The fact that it has not happened should be a strong hint that it is much harder to exploit vulnerabilities in MacOS X than talking about them.SiliconAddict said:
Off topic: I recently discovered a major new vector for possible Windows exploits. It's called Windows Media Player 10.
Ahh!!
*gets scared, unplugs ethernt port...internet connection lost*
I think it will be fine if Apple acts quickly to update these things. They are usually good with these sorta things.
*gets scared, unplugs ethernt port...internet connection lost*
I think it will be fine if Apple acts quickly to update these things. They are usually good with these sorta things.
a virus is a self-propagating script or program, that requires no user intervention to spread to other computers. this, on the other hand, requires the user to a) download the program, b) run it, and c) enter their root password.
Malware, yes. Virus, no. You'll never truly be able to truly protect against this, as it's not a security issue, per se. Users just need to be more careful when installing and downloading software.
Malware, yes. Virus, no. You'll never truly be able to truly protect against this, as it's not a security issue, per se. Users just need to be more careful when installing and downloading software.
Admin password required...
Exactly! You have to give the malware application your admin password to allow it to install these applications. In addition, each part of the installation may require the admin password to be re-entered.
If that doesn't raise some red flags in your book, then you deserve to have your system destroyed by this malware application.
I am going to cry "bulls--t" on the entire article, though. It sounds like FUD that some user posted. There is no proof, evidence, or furthering information that would lend to the validity of this story.
-Aaron-
Blue Velvet said:
Exactly! You have to give the malware application your admin password to allow it to install these applications. In addition, each part of the installation may require the admin password to be re-entered.
If that doesn't raise some red flags in your book, then you deserve to have your system destroyed by this malware application.
I am going to cry "bulls--t" on the entire article, though. It sounds like FUD that some user posted. There is no proof, evidence, or furthering information that would lend to the validity of this story.
-Aaron-
It seems like a useful shell script for someone to run once they have broken in to a system. To help them gather all the good stuff such as email addresses etc.
It won't actually help them break in in the first place.
It won't actually help them break in in the first place.
Rower_CPU: Since our server is based in Dallas, and we do not have physical access to it, the people who actually OWN the server (we lease) simply throw out harddrives instead of formatting them. The harddrives are cheap enough for this to be the easiest solution.
As for my statement about root paths/old kernel, my only justification for this is that it's the #1 reason why Linux servers are exploited via a rootkit. What this hacker did was fairly typical. Using an exploit in the OS, the hacker can place an executable file such as a rootkit (incorrect CHMOD permissions in root paths) and be able to launch it. I myself have little knowledge of how this works, as I have never tried it out, but I have suffered the consequences from it, and it is a common occurence. While one could place a malicious executable file on a computer that is exploitable, one would NOT know the passwords for the root account. That is why your friend here used John the ripper to brute-force password hashes (once again, I don't know much about Mac OS X, but I assume it encrypts passwords in a similar fashion as Linux).
As for my comment about Mac users, that was based on the comments I've read in this thread prior to my post, as well as posts I've found elsewhere regarding this subject.
As for my statement about root paths/old kernel, my only justification for this is that it's the #1 reason why Linux servers are exploited via a rootkit. What this hacker did was fairly typical. Using an exploit in the OS, the hacker can place an executable file such as a rootkit (incorrect CHMOD permissions in root paths) and be able to launch it. I myself have little knowledge of how this works, as I have never tried it out, but I have suffered the consequences from it, and it is a common occurence. While one could place a malicious executable file on a computer that is exploitable, one would NOT know the passwords for the root account. That is why your friend here used John the ripper to brute-force password hashes (once again, I don't know much about Mac OS X, but I assume it encrypts passwords in a similar fashion as Linux).
As for my comment about Mac users, that was based on the comments I've read in this thread prior to my post, as well as posts I've found elsewhere regarding this subject.
Axeon said:
I still doubt they simply throw hard drives away. It's much more likely that they swap in a new hard drive with the OS clean and ready to go and then rebuild the old hard drive. Hard drives aren't that disposable, unless you're paying a ton for that lease, and in which case you're over paying, since it seems they did a horrible job on your security.
The number one thing I do as a Mac owner to deal with security:
When I want to download an app, unless it's from a very trusted source like Macromedia that I already have bookmarked, I do NOT click the link from where I heard about it. I go to VersionTracker or MacUpdate or MacGameFiles and find it there. Then I download IF and WHEN it has already been downloaded and tested by a lot of other people first Which is usually the case by the time I get around to checking a program out.
That way I'm not installing programs that are unknowns.
I use nonsense passwords that nobody knows, and I do Software Update as needed (again, after guinea pigs go first). I keep my OS X firewall on. Guests at my computer don't get admin access--I have a Guest User account.
And I check Mac news often enough that when a REAL virus comes along one day, I'll know. And then I'll get antivirus software. It doesn't seem worth the money ahead of time, since the virus definitions for Mac viruses don't exist yet anyway... by "definition"
As for not passing on Windows viruses to other Windows users... yes, Windows folks send me their viruses all the time. But I have no reason to forward those emails on to anyone else, so no need to do anything but delete them. (If I was the "go between" for a lot of Windows email users, then I'd get a virus-checker as a courtesy maybe.)
And then I sit back and watch with horror what my Windows friends have to go through--even the ones who DO have the time and knowledge to protect themselves. Worse yet the ones who don't.
When I want to download an app, unless it's from a very trusted source like Macromedia that I already have bookmarked, I do NOT click the link from where I heard about it. I go to VersionTracker or MacUpdate or MacGameFiles and find it there. Then I download IF and WHEN it has already been downloaded and tested by a lot of other people first
Which is usually the case by the time I get around to checking a program out.That way I'm not installing programs that are unknowns.
I use nonsense passwords that nobody knows, and I do Software Update as needed (again, after guinea pigs go first). I keep my OS X firewall on. Guests at my computer don't get admin access--I have a Guest User account.
And I check Mac news often enough that when a REAL virus comes along one day, I'll know. And then I'll get antivirus software. It doesn't seem worth the money ahead of time, since the virus definitions for Mac viruses don't exist yet anyway... by "definition"
As for not passing on Windows viruses to other Windows users... yes, Windows folks send me their viruses all the time. But I have no reason to forward those emails on to anyone else, so no need to do anything but delete them. (If I was the "go between" for a lot of Windows email users, then I'd get a virus-checker as a courtesy maybe.)
And then I sit back and watch with horror what my Windows friends have to go through--even the ones who DO have the time and knowledge to protect themselves. Worse yet the ones who don't.
As others have said, not a virus. Trojan maybe, but actually it just sounds like a "dial home" program. Like spyware. But you have to install it first.
Not saying it's not a problem overall, but not something you can't already do on any computer. It's not the fact that you can do something like this, it's getting on to the computer in the first place. Then self executing or propagating. If the program can't get on the computer and run, it can't do any harm. The only part that really worries me is the fact that it disables or goes under the radar of programs like Little Snitch. That's scary. Hopefully a patch for that is coming soon. Though I'm not sure exactly what more Apple could do for future problems like this.
Not saying it's not a problem overall, but not something you can't already do on any computer. It's not the fact that you can do something like this, it's getting on to the computer in the first place. Then self executing or propagating. If the program can't get on the computer and run, it can't do any harm. The only part that really worries me is the fact that it disables or goes under the radar of programs like Little Snitch. That's scary. Hopefully a patch for that is coming soon. Though I'm not sure exactly what more Apple could do for future problems like this.
Axeon said:
Then you are a fool or at least woefully ignorant. Simply re-writing the boot sector and re-partitioning will erase any and all remnants of malicious code from a drive. There is nothing a hacker can do to a drive with code that will permanently alter the drive so as to allow a re-infection after the drive is cleaned. Period.
In most cases, simply removing any "infected" files will eliminate the problem.
If you are running a Linux based server and are using ext2/3 filesystems, then I strongly suggest you learn about the lsattr and chattr commands which allow you to make file immutable (they can't be changed). While immutable files are not 100% guaranteed safe, the method of removing the immutable flag is quite restricted.
A little off-topic...
Speaking of that... why hasn't Apple or Micro$oft or anyone else put the CORE of their operating system on a read-only partition? It only makes sense. If viruses cannot get into the core of the operating system (Apple = Mach Kernel; Windows = Ring Zero) then they cannot do so much damage.
Funny thing is, when Windows 95 came out, they initially blocked access to Ring Zero-level access (as they did in Windows NT 3.51 and 4.0). However, Micro$oft succumbed to pressure from device driver authors and allowed access to Ring Zero. This opened the floodgates for virii.
-Aaron-
gerardrj said:
Speaking of that... why hasn't Apple or Micro$oft or anyone else put the CORE of their operating system on a read-only partition? It only makes sense. If viruses cannot get into the core of the operating system (Apple = Mach Kernel; Windows = Ring Zero) then they cannot do so much damage.
Funny thing is, when Windows 95 came out, they initially blocked access to Ring Zero-level access (as they did in Windows NT 3.51 and 4.0). However, Micro$oft succumbed to pressure from device driver authors and allowed access to Ring Zero. This opened the floodgates for virii.
-Aaron-
gerardrj said:
Oh, okay. So if the malicious hacker gained root access, rewrote every single system file on the harddrive, and then setup scripts to store login passwords, we should've just used these two commands? I guess the linux experts we consulted, as well as the staff at EV1 disagree. But I guess they are all "woefully ignorant," but then again, what does this have to do with the topic?
Oh. Right. Nothing.
aarond12 said:Speaking of that... why hasn't Apple or Micro$oft or anyone else put the CORE of their operating system on a read-only partition?
-Aaron-
You mean like a boot rom?
Operating system arent 100% bugfree, never changing. Even if they put more of the operating system on rom you need some method of patching it and if apple can patch it then theoritically a third party can patch it. Microsoft has hinted about heading this way with encryption but then you dont really own your computer any more. Ie if the operating system is set to allways use Internet explorer and you are prevented from changing that because of read only/encryption whatever then its not yours.
Having said that in a way that is how it works now. The operating system is root and wheel. You the user can not write to this as User unless you type your password!
hey yellow thanks for that linky to Tripwire. looks interesting, i'll check it out.
LOL. this whole things is kinda funny... here it goes again, people overstating the problem...
but reading about what that script does, it seems it would be useful to certain corporations...
but nothing to be scared about, leave your ethernet cables where they are, leave your AirPort turned on. best just to educate yourself about these things, which of course is a continueing process, then you'll have nothing to worry about.
LOL. this whole things is kinda funny... here it goes again, people overstating the problem...
but reading about what that script does, it seems it would be useful to certain corporations...
but nothing to be scared about, leave your ethernet cables where they are, leave your AirPort turned on.
best just to educate yourself about these things, which of course is a continueing process, then you'll have nothing to worry about.