Well... let's just say .. IT WORKED!
I'm afraid to click on just about anything on this site.
I'll be back after this blows over.
 
just wondering if it would do any good to submit this to any of the antivirus vendors for analysis?
 
I think they already know... Virus Barrier X just had an update of the definitions today, they normally update monthly until 2006, but they added an update on the 14th and then another on the 15th so I imagine they got it then...
 
p0intblank said:
This stuff is kind of scary... I'm always bragging about how the Mac has no viruses or spyware. Am I still able to say this without having to hide something? I've seen a few posters mention that something like this has been done before and it is nothing new. Is this true? I sure hope it is, because well quite frankly, I like not having to run virus/trojan/worm/spyware software regularly.

Thanks! :)

Do what I do when I talk to clients, there might be one, there might be one tomorrow, but that's still certainly better than the thousands that exist for Windows right now.
Best practices will, as it does on Windows, mitigate the threat.
 
ATG said:
Give us a proper virus.
I've got this great new idea for a shareware package, called Sparky the Friendly Virus. I'm thinking that Sparky would attach himself to all your programs just to live up to his name, but his only visible action would be a daily dialog box containing a random pleasant greeting like "Make love, not lemonade!" How much would people want to pay for that?
 
To the majority here there are apparently only two types of malware:
(1) those which require user interaction, called Trojans
(2) those which do not, called Worms

A further distinction that can be made is that between
(1a) Trojans that cannot spread without user interaction
(1b) Trojans that once activated, spread themselves without user interaction

Clearly, category (2) is the most dangerous one and nothing like it exists for Mac OS X.

Category (1a) is the easiest to create, in fact most people here could make one but since they spread very slowly if at all, almost nobody bothers to create them and only a few have made it into the malware definitions for Mac OS X of the security firms, all of which are basically completely irrelevant for the general security of OS X.

Category (1b) is much more useful for malware authors but still easier to create than worms. The malware discussed here belongs to this category and is the first of its kind for OS X. The novelty here is the use of the Input Manager, and possibly this is also where any malware of this vector could be stopped.

(BTW, most people call (1b) a virus but then again some people call (2) also viruses, so if you prefer to call it a type B trojan, go ahead.)
 
I wonder if there's ANYONE that got infected by this outside these forums. I bet not.

There's probably less than a hundred computers infected... This is nothing but a big buzz trojan-wannabe!
 
iMeowbot said:
I've got this great new idea for a shareware package, called Sparky the Friendly Virus. I'm thinking that Sparky would attach himself to all your programs just to live up to his name, but his only visible action would be a daily dialog box containing a random pleasant greeting like "Make love, not lemonade!" How much would people want to pay for that?

I'll pay to see you pull that one off... rules are that I can't know that it is happening and I mustn't have to enter my password to activate it..

I think my money is safe ;)
 
Well, being that you have to enter your Admin password to run this thing, there is your security right there - and that's the beauty of OS X. The user has to authorize this program to run - if it gets run, it's because the user wanted it to and allowed it to. This is no virus.

What's next? "A thief was trying to break into my house so I purposely unlocked the front door for him, and he stole my TV! Go figure!" :rolleyes: :cool:
 
ATG said:
Trojans are not so bad. I'll tell you what is worse:

1. Malware that targets files. Apps can be reinstalled, OSs can be too but files can not.

2. Malware that targets the boot sector and other low level parts.

3. Worms that spread.

4. Spyware and Adware. Just plain annoying.

This malware does none of this. Give us a proper virus.

I believe worms are relatively rare - and the others you mention are most likely to be delivered as Trojans.

But as you say, this particular Trojan does sound fairly benign - so far. Deleting user files and spyware (in particular) are the more insidious threats.
 
whooleytoo said:
:D

If I shoot at you and miss, does that mean I'm not a criminal? ;)
[off-topic]You could shoot him and not miss and still not be a criminal, as long as you're the VP of the US. [/off-topic]
 
You're giving the lame moron who's spreading this harmless "virus" exactly what he wanted by making him front page news. I don't think there's any story here until peoples' systems start crashing.
 
iMeowbot said:
Yep, but it should be noted that the users reporting problems also report that they were not asked for their passwords.

For anyone using the first account they created when they installed OS X, it's time to put a stop to that right now, because you have the rights to change a whole bunch of important stuff like your applications that don't require becoming root. You're in the admin group, and that's a lot of power all by itself.

A good idea, right now, would be to go into your System Preferences, into Accounts, and create a new user. Turn on the "Allow user to administer this computer" check box, then log into that account and make sure it works. Once you're satisfied that the new account works and that you've remembered the password, turn off the "Allow user to administer this computer" check box for your own regular account. From then on, use the new account to install software, run System Update, etc. Use your now-demoted regular account for your regular daily computing.

A declawed account can still do some things that don't require special privs, like delete your own user files or send malware out to other computers. It will, however, keep your system reasonably safe from unintended modification.

edit: One last bit: Check the files in your Applications folder, even after declawing, and see if you are listed as the owner of any files. If you are, log in with your new admin account (fast user switching is a help here) and change the ownership to the system or that admin user.

Thanks iMeowbot for this easy to understand instruction. But I have one question.

I have only one account, which is my admin account. Because of the trojan worries, I want to do something like what you suggest. But why can't I just leave the admin account as it is, and create a new, limited "user" account to use for everyday computing, and go back to the admin account when I need to install etc?

The declawing process seems unnecessary just to make a new account to separate admin privileges from a regular user account.
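
The ownership check suggested in the quoted instructions above, as an added shell example that is not part of any post in this thread: it lists every item under a directory such as /Applications that a given account can modify without authenticating, either because the account owns it, because it is group-writable by one of the account's groups, or because it is world-writable. The function name `modifiable_without_auth` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list everything under a directory that
# an account can modify without authenticating as another user.
# Usage: sh audit.sh /Applications [user]

# modifiable_without_auth DIR USER
#   USER may be a login name or a numeric uid. Prints one path per line.
modifiable_without_auth() {
    dir=$1
    user=$2
    {
        # 1. Items the account owns outright.
        find "$dir" -user "$user" -print 2>/dev/null

        # 2. Group-writable items whose group the account belongs to
        #    (for an administrator account this includes "admin").
        for gid in $(id -G "$user" 2>/dev/null); do
            find "$dir" ! -type l -group "$gid" -perm -020 -print 2>/dev/null
        done

        # 3. World-writable items; symlinks are skipped because their own
        #    mode bits are not what controls access to the target.
        find "$dir" ! -type l -perm -002 -print 2>/dev/null
    } | sort -u
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    modifiable_without_auth "$1" "${2:-$(id -un)}"
fi
```

Run it for the account used every day; whatever it still prints after that account has been demoted is what needs its ownership changed from the administrator account.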

 
~Shard~ said:
Well, being that you have to enter your Admin password to run this thing, there is your security right there - and that's the beauty of OS X. The user has to authorize this program to run - if it gets run, it's because the user wanted it to and allowed it to. This is no virus.

It's been said before on this thread - viruses require user interaction to propagate; otherwise, they're "just" worms.

Trojans make no attempt to propagate themselves, they simply rely on the user wanting to download them. Hence, this is both a Trojan (an executable disguised as screenshots) and a virus (it attempts to propagate itself to local executables and - supposedly - other Macs via iChat).
 
p0intblank said:
This stuff is kind of scary... I'm always bragging about how the Mac has no viruses or spyware. Am I still able to say this without having to hide something? I've seen a few posters mention that something like this has been done before and it is nothing new. Is this true? I sure hope it is, because well quite frankly, I like not having to run virus/trojan/worm/spyware software regularly.

Thanks! :)

There may have been other finger-wagging responses to your post, but I haven't read that far down yet -- this thread's grown by several pages since I last checked.

At any rate, it's not a good idea to brag about the lack of viruses and spyware on the Mac. As we've seen today, it's not impossible for them to exist. Boasting just gives Windoze trolls reason to gloat about the inevitable, virus writers more impetus to write for the Mac, and yourself a false sense of security.
 
Diatribe said:
Wrong example ;)

Right example:
If you attempt to shoot/kill me but don't, does that make you a killer?

Answer: No it doesn't. ;) :p

Alright, a more accurate (but less funny..) example:

If you buy a car which doesn't start, is it not a car because it doesn't work?
 
srobert said:
^_^ "Antivirus Researchers". Is that referring to MacRumors?

No, it is referring to Sophos. Both Sophos and Symantec are claiming to have been the first to "discover" the virus and analyse what it does.
 
annk said:
Thanks iMeowbot for this easy to understand instruction. But I have one question.

I have only one account, which is my admin account. Because of the trojan worries, I want to do something like what you suggest. But why can't I just leave the admin account as it is, and create a new, limited "user" account to use for everyday computing, and go back to the admin account when I need to install etc?

The declawing process seems unnecessary just to make a new account to separate admin privileges from a regular user account.

I was thinking the same, but then I would have had to set up Adium and Mail again and the individual desktop and icons. I would have had to transfer all my individual MP3s and vCards. Do you get the point?
 
whooleytoo said:
Alright, a more accurate (but less funny..) example:

If you buy a car which doesn't start, is it not a car because it doesn't work?

If it were only a car by definition when it drives/works, yes, then it wouldn't be a car.
The thing is that a virus by definition has to propagate itself (correct me if I am wrong here); if it doesn't, for whatever reason, it isn't a virus but malware.
 
gedto said:
What defines a virus then?

In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents.

A 'true virus' is one which requires user intervention in order to replicate or infect a new computer.

An 'intended virus' is one where none of the copies are able to make further copies of themselves.
 