kjs862 said:
Apple's switch to Intel... trojans on OSX, what's next M$ buys Apple :p
No, I am thinking...we get spyware...then M$ buys Apple...then Macs get inferior hardware...Macs would then get new GUI improvements three years after Macs get them (is that possible? :confused: )...then of course this would be followed of course by blue screens of death showing up on a Mac!:D
 
flyfish29 said:
No, I am thinking...we get spyware...then M$ buys Apple...then Macs get inferior hardware...Macs would then get new GUI improvements three years after Macs get them (is that possible? :confused: )...then of course this would be followed of course by blue screens of death showing up on a Mac!:D

I like the fact that M$ is never allowed to buy Apple because of monopoly laws. In fact they invest in Apple for fear that it may sink :)
 
p0intblank said:
I'm always bragging about how the Mac has no viruses or spyware. Am I still able to say this without having to hide something?

I'm not sure whether this malware can actually successfully replicate or not - it is certainly buggy. (If not, it is classified as an 'intended virus').

As far as I know, there has never been a malicious worm for Mac OS X, nor a virulent virus for Mac OS X. There certainly is spyware. There has never been an epidemic on Mac OS X.

I think it is fair to say that the risks from malware are very low on Mac OS X, at least a factor lower than Windows and about the same level as other Unix/Linux.
 
iMeowbot said:
Yay. Now all we need is for the OS X first-time setup to nudge users into setting up non-admin accounts.

Agreed. We have been far too innocent computing in the garden of eden.
 
autrefois said:
Do you think this will get Apple to finally do something about .Mac's virus protection?? They don't even link to Virex anymore and there's no announcement of a replacement.

I would prefer they build the feature into the operating system itself. It kinda upsets me that OS vendors think you should have to pay more money to keep your system safe from things like this. Why isn't this a feature of Windows as well?
 
mad jew said:
The only effect Intel has on this situation is that potential viruses can now be written twice as fast.

This is an OS-level vulnerability, not a CPU-level one. :)

It is NOT a vulnerability, it requires a dumb user.
 
atari said:
It is NOT a vulnerability, it requires a dumb user.
No, it requires a user who has set up their system in the default way. My understanding is that it didn't necessarily ask for a password.

It requires a trusting user, not a dumb one.
 
Slightly off topic

Slightly off topic, I just changed my normal user from an admin to standard.

1) What can a standard user not do that admin can?

2) How do I give a standard user sudo privileges?
 
PC Enthusiast said:
Wow this is really cool. Everyone thinks Macs are immune to viruses and I'm glad that someone proved that they are very wrong. The only reason Macs rarely get viruses is because such a small percentage of people use them. This is great...I'll finally be able to shut up my Mac loving friends.

By the way I don't support the making of viruses I think it's bad. I just think it's cool someone proved the Mac lovers wrong.

You might want to do some research regarding this thingie before you try "to shut up" anybody else.
 
danielwsmithee said:
Agreed. We have been far too innocent computing in the garden of eden.
Yes, true, but the view is nice. ;)

I don't think we've been in the Garden of Eden (we took the apple, and so got kicked out, right?) but I do think we've been complacent to a greater extent than we should have been.

Now that OS X is in the hands of the script kiddies, I suspect this will happen more often.

Still, a few simple steps, nearly all of which could be implemented by Apple simply enough, could prevent most of this.

As always, though, the safest computing is via abstinence. Never allow your Mac to connect with another system. Remove the AirPort. Unplug the ethernet. Never insert CDs or DVDs except the ones to which your Mac is legally and morally attached - the install disks. Then you'll be fine. Bored as hell, but fine.
 
Macrumors ...

For the first time I'm disappointed in ARN

Not cool ... deceptive way to try to bump hit totals up in a slow news time.

Actually this is the 2nd time I've been upset with ARN and crew ... but my other gripe has to do with not posting newsworthy articles on MacBytes.
 
atari said:
You might want to do some research regarding this thingie before you try "to shut up" anybody else.
Indeed. Apparently he thinks that's the only argument in favor of Macs. ;)

Sort of like telling people that Aston Martins suck as bad as Chevrolets because they both can hit potholes.
 
I do find the people talking about "dumb users" who open these files as quite arrogant and condescending. I mean, do you honestly expect say, a relative novice to computers or a mom who just wants to check her email as dumb because she would fall for a trick like this? Get real guys. The onus is on Apple to ensure every startup of OSX spells out exactly what's what - either that or ensure that the default is a standard user after explaining about the administrator account. The firewall should be on by default. Small things like this go a long way. But yeah, I find it kinda embarrassing that we can quickly dismiss somebody not technically proficient as "dumb". Not everybody has the time to discover the ins and outs of computer security.
 
I'll say it again..

This "trojan" uses spotlight..

Simply open spotlight's preferences and unselect "applications". This way the trojan will use spotlight and find no apps then stop in its tracks.
 
thequicksilver said:
It begins.

Mac OS X virus sighted (at The Register)

From the linked article: "Mac viruses were relatively common at the dawn of personal computing, but these days the overwhelming majority of viruses are Windows specific."

Mac viruses were common?

And are they using their source as the macrumors forum and calling them "Antivirus researchers"?
 
motulist said:
Slightly off topic, I just changed my normal user from an admin to standard.

1) What can a standard user not do that admin can?
Things outside of their home directory, basically. Install system items. Install apps for other users. Run trojan horses/viruses. ;)

motulist said:
2) How do I give a standard user sudo privileges?
Short answer: don't.

Have them 'su' to an admin account.

Longer answer: modify /private/etc/sudoers, add their name to it.

bigjohn said:
how about not publicizing what it's made of and how to build the next one?
As much as it might be nice to stick our heads back in the sand, perhaps it'd be better to light a fire under Apple and have them fix the few things that would make this particular sort of virus/trojan (trorus? virjan?) go away.
 
We knew this was going to happen at some point. We were living in a glass house - it's about time someone threw a rock.

There's no one to really blame for this spreading other than ourselves (at least for those who did download and enter their password, etc.). We've all become so complacent and not worried about things like this that almost all mac users will willingly type in their password for anything. We can tell Windows users all we want that since we have to type in our password for most installations and such, we aren't as vulnerable to viruses, but all that adds is just a few extra seconds before someone foolishly installs it.

And while people do need to panic about this and worry that maybe people are beginning to catch on and figure out that the Mac platform is out there, we just need to use more common sense like other people have said. Don't just download and enter your admin password. Play it safe. I won't go and type out everything that everyone has said because it's already been said.

But again, it's about time this happened.
 
Peace said:
I'll say it again..

This "trojan" uses spotlight..

Simply open spotlight's preferences and unselect "applications". This way the trojan will use spotlight and find no apps then stop in its tracks.
That's not going to stop much of anything beyond this particular one. Spotlight was merely a convenience. Any such executable could have searched the file system or just gone to /Applications, where 99% of apps end up.

Don't inconvenience yourself by disabling Spotlight just to avoid this particular attack. If you do, you'll become the federal government, making us all take off our shoes at airports because, well, terrorists are too dumb to think of any place other than shoes to stick explosives....
 
Diatribe said:
And it cannot propagate itself either...

Apple just needs to find a way to warn people of apps/scripts in disguise. Problem solved.

Note that this would also "solve" the problem of virtually all active Windows malware. What Mac users have failed to understand over and over again is that the vast majority of Windows malware depends on a user running an application, rather than on a specific Windows security flaw. Mac OS X is no more secure from this than Windows: the only additional protection it gives you is that it requests a password if you want to do anything that requires admin privs. You can create malware that causes all sorts of mayhem without admin privs.

This is great, as far as it goes. However, it doesn't mean you have some kind of uber-OS that's completely protected from the determined malware writer. First of all, lots of people will happily download stuff from (ahem) "not entirely legal sources" that look like installers for applications. They'll then happily put their admin password into the resulting "installer" and, when it doesn't work, put it down to dodgy software - not knowing they've just installed something much more malicious. There's nothing in Mac OS X that prevents a virus writer from creating malware which works this way, exploiting user-gullibility.

Secondly, an application can work all kinds of mayhem without ever needing admin privs. Such as, for example, reading every address in Address Book, sending a copy of itself to all your contacts, and then deleting every file in your Documents folder. No Admin privs required. There is nothing in OS X to stop someone writing something like this.

We Mac users have been incredibly lucky, in that we've not had a serious malware problem. But if this (relatively benign) piece of malware teaches us anything, it should be to take security seriously and stop shouting down anyone who says there's the potential for a problem with cries of "FUD!" Taking security seriously NOW will ensure that we don't have a bad problem in the future.
 
quagmire said:
This can be classified as the first harmful OS X trojan. OS X has had trojans before, but they were pretty harmless and Apple had a patch out in a week. We can still claim no viruses for OS X.

I dunno, this trojan was arguably much, much more harmful to the users that actually executed it:

http://secunia.com/virus_information/9393/as.mw2004.trojan/

However, the current trojan is clearly better disguised (albeit still not very well disguised).
 
EvilMole said:
Note that this would also "solve" the problem of virtually all active Windows malware. What Mac users have failed to understand over and over again is that the vast majority of Windows malware depends on a user running an application, rather than on a specific Windows security flaw. Mac OS X is no more secure from this than Windows: the only additional protection it gives you is that it requests a password if you want to do anything that requires admin privs. You can create malware that causes all sorts of mayhem without admin privs.

This is great, as far as it goes. However, it doesn't mean you have some kind of uber-OS that's completely protected from the determined malware writer. First of all, lots of people will happily download stuff from (ahem) "not entirely legal sources" that look like installers for applications. They'll then happily put their admin password into the resulting "installer" and, when it doesn't work, put it down to dodgy software - not knowing they've just installed something much more malicious. There's nothing in Mac OS X that prevents a virus writer from creating malware which works this way, exploiting user-gullibility.

Secondly, an application can work all kinds of mayhem without ever needing admin privs. Such as, for example, reading every address in Address Book, sending a copy of itself to all your contacts, and then deleting every file in your Documents folder. No Admin privs required. There is nothing in OS X to stop someone writing something like this.

We Mac users have been incredibly lucky, in that we've not had a serious malware problem. But if this (relatively benign) piece of malware teaches us anything, it should be to take security seriously and stop shouting down anyone who says there's the potential for a problem with cries of "FUD!" Taking security seriously NOW will ensure that we don't have a bad problem in the future.

The difference is though that you not only need to run an app like Safari to get a virus (like with Inet Explorer) but you have to start the virus itself by clicking on it.
 
Catfish_Man said:
Really, this is barely different from me writing a little app that just starts deleting files randomly, and then distributing it as "omgcoolapp.app". Just a little more sophisticated in what it attempts to do, and significantly more buggy ;)

It's not a virus, but it is a nice wakeup call for people who think that their computer can magically determine what "harmful" is and disable anything "harmful".

Exactly. At least some people with common sense here.

If you have to click it for it to start it's nothing more than an app.
 