Applespider said:
Although there's still the obvious here - one 'trojan' which you still need to actively download against many thousands of instances of malware which can install themselves without you doing anything.

This is a classic example of the kind of misinformation about malware that has helped give many Mac users a wrong impression about security. The VAST majority of current Windows malware does NOT "install... without you doing anything". A quick look at the top ten current viruses will show that they are all trojans or worms that rely on the user running them in order to infect the machine. Like this piece of Mac malware, they rely on social engineering - because, unlike security holes, bad user behaviour isn't patchable by Microsoft or Apple.
 
Tymmz said:
So, if I change my current user account (admin) to a standard account, will it prevent me from being infected by any kind of "known" trojan or virus?

Yes and no. "rm -rf ~" will still delete all your personal files with no need for password authentication, so if this "virus" were to do something as simple as that, you'd still be screwed. But "rm -rf /" wouldn't be able to delete the system files. Personally, if I find myself in a position where I have to restore all my personal files from a backup, I tend to go for a full reinstall while I'm at it.

What's the difference between a trojan and a regular application, anyhow? Only the user's perception of the software's "goodness" -- and there's no real way to quantify such.
 
Diatribe said:
Exactly. At least some people with common sense here.

If you have to click it for it to start, it's nothing more than an app.

According to the other virus thread here, it also attempts to propagate via iChat.
 
jsw said:
No, it requires a user who has set up their system in the default way. My understanding is that it didn't necessarily ask for a password.

It requires a trusting user, not a dumb one.

I have no idea how to write a virus, but YEARS ago, I wrote this stupid little HELLO program on my C64 as a test. When you would run it, it would:
a) disable the run/stop key so you couldn't stop the program without turning off the computer.
b) would IMMEDIATELY write garbage to the directory. Well, a dead directory is essentially a dead disk.
c) would write garbage, randomly, to the remaining tracks & sectors of the disk.

What would the user see? Oh.... a friendly, color-changing HELLO in the middle of their TV screen/monitor.

Now... I had no internet access of any kind back in those days, so I only used it to destroy my own disks, but that could have been an ugly little program had someone sent it to the many BBS sites back then. Would it have been a virus? No. In fact, it didn't replicate anything. Did it require someone to simply load it and go, "Gee? What's this program?" Yes. Perhaps a smart user would have listed the program. I even had that blocked with numerous methods (though, I think anyone with a printer could have seen it all).
 
EvilMole said:
because, unlike security holes, bad user behaviour isn't patchable by Microsoft or Apple.

Define "bad user behaviour"?

Downloading and running a program without having viewed and verified its entire source code? If so, I'm guilty, and I guess most here are too.

There's a great degree of trust involved when you download and run software from anyone/anywhere on the Internet. This trojan/virus is a pretty unsubtle trojan, and news of it is likely to spread around the Internet fairly quickly. A more subtle approach, such as a shareware game that had a virus as a payload which worked subtly in the background, could fool any one of us. Simply telling people "be careful what you run" isn't enough.
 
EvilMole said:
The VAST majority of current Windows malware does NOT "install... without you doing anything". A quick look at the top ten current viruses will show that they are all trojans or worms that rely on the user running them in order to infect the machine.

I beg to differ, in that there is a fair amount of Windows malware that works via portscanning for vulnerabilities, and you can turn on your (pre-SP2) XP machine and find yourself infected without clicking on anything other than Windows Update to try to patch your machine. I've seen it happen - thankfully not on my previous PC but on a colleague's. There are also the instances where you click on the wrong result in Google or miskey a URL and find a script coming down in the background, installing various pieces of malware. Quite a bit different from this - and admittedly more of a problem pre-SP2.

However, I'll accept that the most current top 10 might be social engineering 'want to see hot teenz' or 'Document attached'.
 
We need some SOLID info here. Somebody with the actual file needs to get it into the hands of someone who can check it out and tell us the real deal.
 
Here is the real problem - so many people misuse the word virus.

I have been working as an IT consultant for many years now, doing work on PCs and Macs. The thing that I keep seeing more and more is that any time something erratic goes wrong, the logical reasoning is "I must have a virus".

Every computer problem is not a virus. I could tell story after story about how someone had a problem and was so confident that it was a virus.

From the PC side of computers, there is too much propaganda to educate - by this I mean that if you take a look at all the third party apps that exist to fix problems, catch viruses and keep your computer safe, you would see that this is a huge percentage of programs made to run on Windows. We are talking about an industry that makes a LOT of money.

But here is the interesting reality. Most things that are pawned off as viruses are not. There is an email that I remember getting that gave instructions to check if there is a "virus" in Windows. It tells you to check for a file on your PC that looks like a little teddy bear; if you have it, delete it as it is a virus. Turns out that this file is a Windows component that lets the OS deal with files with names longer than 8 characters. By deleting it you just messed up your computer. If you click on that link, notice that Symantec calls this a hoax.

Was the email a virus? No, the message itself didn't actually do anything. Was removing the file a virus? No, the user deleted a file that messed up Windows. So what caused the problem? It occurred somewhere between the chair and keyboard.

People like the concept of a virus though. It is easier to swallow that and explain computer problems to your friends as opposed to this:

"what is wrong with your computer?"

"Ahh, I got an email that told me to delete a file, and I didn't know better, so I did. Now my computer doesn't work."

Basically, this falls into the same category as the little bear virus. So now going back to Symantec, notice that they are quick to put this up on their site. Why would they do that....

....THEY WANT OUR MONEY. That is it. They want to profit based on the misinformation about this file.

I should add one thing: there are going to be jack*ss' all over who are going to want to do jack*ss things to people. Everyone (PC, Linux & Mac users) needs to think before doing things. The problem is, how do you tell someone's grandma that when they barely understand how to use a computer? I suppose we need to all keep an eye out for each other.
 
Diatribe said:
The difference is though that you not only need to run an app like Safari to get a virus (like with Inet Explorer) but you have to start the virus itself by clicking on it.

The same is true on Windows. Take a look at the top ten current virus threats at F-Secure (http://www.f-secure.com/virus-info/statistics/). All of them require you to run an application to get infected. To get an infection from viewing a web page, for example via WMF, you'd have to be running a five year old version of Windows, not be patched, and navigate your way to a site labelled something like "BRITNEY SPEERS LIVE NUDE PIXXXX" :)

That's why, despite the publicity, there were few actually reported cases of WMF - and that's why virus writers don't rely on vulnerabilities. They rely on user stupidity instead.
 
deputy_doofy said:
I have no idea how to write a virus, but YEARS ago, I wrote this stupid little HELLO program on my C64 as a test.
....
I'm not sure what your point is - that anyone can write destructive apps, or that people run apps without inspecting them first?

Both points are well accepted truths.
 
Diatribe said:
Exactly. At least some people with common sense here.

If you have to click it for it to start, it's nothing more than an app.

Which means that Netsky, Bagle, Mytob, and virtually all the other notable Windows malware of the past few years are "nothing more than apps". All of them require you to open them for them to start.

Seriously people, go to http://www.f-secure.com/virus-info/statistics, click on some of the virus descriptions, and find out how they work. ALL major virus outbreaks rely on users double-clicking on a file and running it in order to get infected.
 
motulist said:
We need some SOLID info here. Somebody with the actual file needs to get it into the hands of someone who can check it out and tell us the real deal.
It's an executable script that uses Spotlight to find apps to spread itself.

I'm not sure what you mean by "the real deal" - as mentioned numerous times in this thread alone, a reasonably intelligent person could, in less than a day or two, create something that does what this did. The exact details of this particular file aren't relevant.
 
Then...

...everything is a virus. I write an app that does:

$ rm -rf

and then it deletes your home directory. Woah, it's a virus!

I just cannot agree that this is a virus. It is a malware application that nobody-yet-knows-what-harm-it-produces...

...or tries to produce, since it NEEDS to be run with Administrator privileges to operate.

What defines a virus then?
 
EvilMole said:
Which means that Netsky, Bagle, Mytob, and virtually all the other notable Windows malware of the past few years are "nothing more than apps". All of them require you to open them for them to start.

Seriously people, go to http://www.f-secure.com/virus-info/statistics, click on some of the virus descriptions, and find out how they work. ALL major virus outbreaks rely on users double-clicking on a file and running it in order to get infected.
Which would make them trojans.

Which is an important distinction.

BTW, nice use of an antivirus vendor's site to show how bad the virus situation is. :rolleyes: No hidden agenda there for them, right?
 
jsw said:
It's an executable script that uses Spotlight to find apps to spread itself.

I'm not sure what you mean by "the real deal" - as mentioned numerous times in this thread alone, a reasonably intelligent person could, in less than a day or two, create something that does what this did. The exact details of this particular file aren't relevant.

I mean does it require a double click? Does it require a password? How does it spread itself through spotlight? What action does it perform? Can it spread through iChat like one person said? There are a lot of questions that need answers. There's a lot of contradictory information in this thread. We need all the details and we need them asap.
 
New User Preparation

iMeowbot said:
<snip>For anyone using the first account they created when they installed OS X, it's time to put a stop to that right now, because you have the rights to change a whole bunch of important stuff like your applications that don't require becoming root. You're in the admin group, and that's a lot of power all by itself.

A good idea, right now, would be to go into your System Preferences, into Accounts, and create a new user. Turn on the "Allow user to administer this computer" check box, then log into that account and make sure it works. Once you're satisfied that the new account works and that you've remembered the password, turn off the "Allow user to administer this computer" check box for your own regular account. From then on, use the new account to install software, run Software Update, etc. Use your now-demoted regular account for your regular daily computing.
<snip>
edit: One last bit: Check the files in your Applications folder, even after declawing, and see if you are listed as the owner of any files. If you are, log in with your new admin account (fast user switching is a help here) and change the ownership to the system or that admin user.

If you create a new account, it is a good idea beforehand to move (not copy) your iTunes Library to your shared folder. Then tell iTunes to LINK to the tracks there (not copy).

You can link to the shared folder from either account. Husband and wife users can do this too.

This way you don't have duplicate files all over the place nor have to trouble yourself updating your personal Library.

:cool:
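A small audit script for the "declawed account" advice quoted above: it reports whether a user is still in the admin group and lists anything under the Applications folder that the daily-use account owns (those are the candidates to chown to the admin account from the admin login). This is an added example, not code from the thread or from Apple; it assumes a POSIX sh with find(1) and id(1), and /Applications is only a default argument.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for checking a demoted
# daily-use account on macOS: group membership and file ownership.

# True (exit 0) when USER (default: current user) is in the "admin" group,
# which on macOS is what "Allow user to administer this computer" toggles.
is_admin_user() {
    user="${1:-$(id -un)}"
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx admin
}

# Print every path under DIR (default /Applications) owned by USER.
# After demoting the daily account this list should be empty; anything
# printed is writable by that account and should be chowned from the
# admin login, as the post suggests.
user_owned_files() {
    dir="${1:-/Applications}"
    user="${2:-$(id -un)}"
    find "$dir" -user "$user" 2>/dev/null
}

# Number of such paths, for a quick yes/no check in scripts.
user_owned_count() {
    user_owned_files "$@" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh --run [directory]
if [ "${1:-}" = "--run" ]; then
    if is_admin_user; then
        echo "$(id -un) is in the admin group (use a separate admin account)"
    else
        echo "$(id -un) is not in the admin group (good for daily use)"
    fi
    echo "paths owned by $(id -un) under ${2:-/Applications}:"
    user_owned_files "${2:-/Applications}"
    echo "total: $(user_owned_count "${2:-/Applications}")"
fi
```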
 
What I want to know is who is stupid enough to run a Unix executable when the purpose of this was latest PICTURES?!?!?!

IF you ran this trying to see pictures, I'm sorry, but you get what you deserve. No one in their right mind would run something like this.

But this goes to prove what I've been telling everyone... There are such things as malicious shell and applescripts in OS X. They just don't self propagate.

As far as this one trying to propagate... Does it show up in the user's START UP ITEMS in the Sys Pref's? IF it does, just eliminating it from here would stop the app itself from launching on startup.
 
motulist said:
I mean does it require a double click? Does it require a password? How does it spread itself through spotlight? What action does it perform? Can it spread through iChat like one person said? There are a lot of questions that need answers. There's a lot of contradictory information in this thread. We need all the details and we need them asap.

Did you read the thread before you asked this twice?

Look at moki's posts, which are relatively early in the discussion, where he links to his forum site where he's undertaken a fairly detailed explanation of what the file is, what it downloads, and what happens step by step afterwards. He's also provided updates on his progress at various points in the thread after that.

This is where the information about iChat and about it inadvertently stopping apps from launching came from.
 
chinajon said:
If you create a new account, it is a good idea beforehand to move (not copy) your iTunes Library to your shared folder. Then tell iTunes to LINK to the tracks there (not copy).

But the new account is to be used only for admin things, not iTunes :)
 
chinajon said:
If you create a new account, it is a good idea beforehand to move (not copy) your iTunes Library to your shared folder. Then tell iTunes to LINK to the tracks there (not copy).
While this works well for users sharing a library, as you mentioned, it's not important for the method Applespider mentioned - in that case, you'd only use the new admin account for admin-type activities. Assuming you can handle sitting through a software update without your music for a minute or two... ;)

Edit: damn my excessive typing which allowed iMeowbot to say the same thing faster....
 