Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

The First Mac OS X Virus?

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,971
12,483
https://www.macrumors.com/images/macrumorsthreadlogodarkd.png

On the evening of the 13th, an unknown user posted a link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz"

The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression. Routines listed include:

_infect:
_infectApps:
_installHooks:
_copySelf:

The exact consequences of the application are unclear, but users who originally executed the application have noted that it appears to self propogate even after the original file has been deleted:

If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my harddrive, but how do i know that it will not come back.

Update: It appears that there is some debate about the classification of this application, and as it does require user activation, and a password if you are not already an administrator, it appears to fall into the Trojan classification, rather than self-propogating through any particular vulnerability in OS X.

Update #2: The most recent updates show that the file does send itself to other users in your AIM/iChat buddy list.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
38,352
4,845
Los Angeles
A general rule

Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.
 
Comment

maxterpiece

macrumors 6502a
Mar 5, 2003
729
0
so does OS X warn you that it is an executable when you D/L it? how does it disguise itself? If you get info on it does it say "open with preview", or does it say it's a script ? What does it propagate besides itself - by that I mean, how does it damage you except by spreading?
 
Comment
I think it's important to ask a few questions.

1. if you Get Info on the file what does it say?
2. when you double-click the file does it ask for your Admin password?
3. when it's downloaded does Safari indicate it's a program and not a regular file?
4. what's the uploaders IP address and has his ISP been contacted about this?
 
Comment

qtip919

macrumors 6502
Jul 24, 2002
279
0
This is great...(I used to work for MS security)

;)

Remember...that which does not kill us, only makes us stronger...

We all need to take a deep breath and think about what this means. If this is indeed a virus that can either corrupt the system or delete files, then someone has done what is made possible by the OS.

Also, this should be a wakeup call to all mac users. Opening any file without knowing the source is FOOLISH...I dont care what OS you are using. Just because you are using OS X, doesnt mean you should be opening any file someone TEMPTS you with....

The more I think about this, the more I laugh...

Pics of OS 10.5...brilliant...

Windows users are tempted by Brittney spears, mac users by a new GUI element in their operating system...
 
Comment

Chappers

macrumors 68020
Aug 12, 2003
2,247
1
At home
Expect this to be all over the media.

I was smuggly thinking about 'no virus's for Mac OS X' last night.
 
Comment

semaja2

macrumors 6502a
Dec 12, 2005
574
0
Adelaide
First off : THIS IS NO VIRUS

this is just a hoax reall i mean seriously its not like it just gets onto your computer from a security flaw all it is a smart person who notice you could use resource forks like that, if anyone was smart they would of noticed it a bit odd it had to be archived with the fork,

i mean sure its a virus in such the way it does the harm of a virus but its not breaking and flaws its like someone just giving you a bash script saying here its going to make your computer run faster when it actually just deletes everything
 
Comment

Ja Di ksw

macrumors 65816
Apr 9, 2003
1,310
6
Chappers said:
Expect this to be all over the media.

It already is. Here's a jpeg of a newspaper talking about it. Just download and open up the jpeg, don't bother wondering why you have to type in your password.

yes ... yes ... do it ...
 
Comment

neut

macrumors 68000
Nov 27, 2001
1,843
0
here (for now)
Doctor Q said:
Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.

Isn't that wonderful! :D

It puts the security right where it should be ... in the hands of the user. :)


peace | neut
 
Comment

mad jew

Moderator emeritus
Apr 3, 2004
32,191
5
Adelaide, Australia
I wonder what Apple's move will be. At least scenarios like this keep Apple on their toes. There would be nothing worse than Apple being caught short by a sudden flaw in their OS.
 
Comment

danamania

macrumors member
Jul 27, 2004
40
4
Central West NSW
Doctor Q said:
Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.

And remember that a process running without administrator access, one that doesn't ask for an administrator password, can still do some pretty nasty stuff to your user account.

dana
 
Comment

plinden

macrumors 68040
Apr 8, 2004
3,974
16
ChoMomma said:
I think it's important to ask a few questions.

1. if you Get Info on the file what does it say?
2. when you double-click the file does it ask for your Admin password?
3. when it's downloaded does Safari indicate it's a program and not a regular file?
4. what's the uploaders IP address and has his ISP been contacted about this?

I got a link to somewhere where this is stored and downloaded it. Assuming the file is in its natural state, Safari gives you the warning that it may contain an application and the safety cannot be determined. Deerpark and Camino do not.

Safari downloads this as a tar of latestpics.tgz, ie. latestpics.tgz.tar, but Deerpark and Camino download it as latestpics.tgz.

In terminal, tar does not successfully open the file downloaded using Safari. But double clicking the icon does open it. The tgz files downloaded using Deerpark and Camino can be opened by double clicking on the tgz file or using gunzip from terminal. Both latestpics and ._latestpics are extracted, but the initial . means that Mac OS hides ._latestpics.

Get Info shows it as a PPC executable.

Although I'm using a managed account for this, I don't feel secure enough to double click the latestpics file.
 
Comment

Windowlicker

macrumors 6502a
Feb 17, 2003
713
1
Finland
It's a Trojan

If the details are correct, we're still not talking about a virus, but a trojan horse. You still have to open it yourself so that it can run.

This doesn't mean it isn't a bad thing.
 
Comment

FaasNat

macrumors regular
Aug 30, 2002
156
59
Home
Ja Di ksw said:
It already is. Here's a jpeg of a newspaper talking about it. Just download and open up the jpeg, don't bother wondering why you have to type in your password.

yes ... yes ... do it ...
I think you forgot to post the link to the newsclippingpic.tgz file.

:D :p
 
Comment

Nermal

Moderator
Staff member
Dec 7, 2002
18,992
1,462
New Zealand
danamania said:
And remember that a process running without administrator access, one that doesn't ask for an administrator password, can still do some pretty nasty stuff to your user account.

Indeed. Anyone remember "Word 2004 Web Installer"?
 
Comment

iMeowbot

macrumors G3
Aug 30, 2003
8,634
0
Doctor Q said:
Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.
Yep, but it should be noted that the users reporting problems also report that they were not asked for their passwords.

For anyone using the first account they created when they installed OS X, it's time to put a stop to that right now, because you have the rights to change a whole bunch of important stuff like your applications that don't require becoming root. You're in the admin group, and that's a lot of power all by itself.

A good idea, right now, would be to go into your system Preferences, into Accounts, and create a new user. Turn on the "Allow user to administer this computer" check box, then log into that account and make sure it works. Once you're satisfied that the new account works and that you've remembered the password, turn off the "Allow user to administer this computer" check box for your own regular account. From then on, use the new account to install software, run System Update, etc. Use your now-demoted regular account for your regular daily computing.

A declawed account can still do some things that don't require special privs, like delete your own user files or send malware out to other computers. It will, however, keep your system reasonably safe from unintended modification.

edit: One last bit: Check the files in your Applications folder, even after declawing, and see if you are listed as the owner of any files. If you are, log in with your new admin account (fast user switching is a help here) and change the ownership to the system or that admin user.
 
Comment

Diatribe

macrumors 601
Jan 8, 2004
4,230
24
Back in the motherland
Windowlicker said:
If the details are correct, we're still not talking about a virus, but a trojan horse. You still have to open it yourself so that it can run.

This doesn't mean it isn't a bad thing.

And it cannot propagate itself either...

Apple just needs to find a way to warn people of apps/scripts in disguise. Problem solved.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.