iMeowbot said:
File Vault only encrypts the user's home directory, so the contents of the shared /Applications and /Library folders would not be affected by that.

You can probably skip using File Vault on a dedicated admin account, because you're not supposed to be doing regular work in there anyway.


Go into your Applications folder, and try Get Info on a few applications. On at least some of those applications, you will probably see "you can read and write". The "write" part is the kind of thing we are trying to avoid. "can write" means that you don't need a password to change those programs.

Ah, okay, if you've checked ownership then you have already made the write problem go away.

Not really.

Great, thanks. Really appreciate all the patient answers!
 
Suck at terminal...

plinden said:
Sorry, I'm still on page 7, so this may be covered already.

So after reading http://www.ambrosiasw.com/forums/index.php?showtopic=102379 it seems that the way to check if you're infected is:

1. Open Terminal
Code:
   cd /tmp
   ls -la
If latestpics.tgz is present, you're infected. Remove the file and return to your home Library subdirectory.
Code:
   rm latestpics.tgz
   cd ~/Library
   ls -la

If InputManagers is present, remove it and go to the Applications folder:
Code:
   rm -R InputManagers
   cd /Applications
   ls -lat

Check the date in the directory listing. If it appears off, e.g. in the past two days but you've installed the app much earlier, delete the app and reinstall.

Does this seem comprehensive?
So if you enter that first line of code and nothing shows up as latestpics.tgz, you're clean? I am only scared because I remember going to a thread about leopard pics a few days ago, but I swear it was closed by the time I hit it. Can anyone confirm that... that it was an invalid link or something like that at some point?
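The look-ups from plinden's post, gathered into one read-only check script. This is an added example, not plinden's code or anything from the Ambrosia thread: it reports the indicators (the archive in /tmp, the InputManagers folder, applications modified within the past two days) and additionally flags application bundles that anyone can write to, which is the "can write" condition iMeowbot raised. It deletes nothing, so you can review the output before removing anything. The `ROOT` prefix and the second argument (home directory) are assumptions added so the same checks can be run against a mounted volume or a constructed test tree.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only check for the indicators
# described in plinden's post plus the writable-application condition.
# Assumptions (not from the thread): arg 1 is a path prefix (empty for the
# live system), arg 2 is the home directory to inspect, arg 3 is the window
# in days (the post says "the past two days").

leap_indicators() {
    root="${1:-}"
    home_dir="${2:-$HOME}"
    days="${3:-2}"

    # Indicator 1: the archive latestpics drops into /tmp, even as a managed user.
    if [ -f "$root/tmp/latestpics.tgz" ]; then
        echo "INDICATOR: $root/tmp/latestpics.tgz present"
    fi

    # Indicator 2: the InputManagers folder the post tells you to remove.
    if [ -d "$root$home_dir/Library/InputManagers" ]; then
        echo "INDICATOR: $root$home_dir/Library/InputManagers present"
    fi

    if [ -d "$root/Applications" ]; then
        # Indicator 3: application bundles whose modification date falls in the window.
        find "$root/Applications" -maxdepth 1 -name '*.app' -mtime "-$days" \
            | while read -r app; do
                echo "INDICATOR: recently modified application: $app"
            done
        # Hardening check: bundles anyone can write to (no password needed to alter them).
        find "$root/Applications" -maxdepth 1 -name '*.app' -perm -o+w \
            | while read -r app; do
                echo "WARNING: world-writable application: $app"
            done
    fi
    return 0
}

# Number of INDICATOR lines; 0 means none of the post's indicators were found.
leap_indicator_count() {
    leap_indicators "$@" | grep -c '^INDICATOR' || true
}

# Usage: sh leap_check.sh              (live system, current user's home)
#        sh leap_check.sh /Volumes/Other /Users/alice   (another volume)
leap_indicators "$@"
```

A WARNING line does not mean the machine is infected; it means that application could be modified without an admin password, which is the property the thread is discussing under ownership and permissions.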
 
Tymmz said:
Could File Vault give my personal files (MP3s, vCards, etc.) additional security? So it's less likely that a trojan or virus deletes them.
Yes. File Vault is one big file, though, so if malware ever got root access it could in theory delete that file. So the benefit is more one of privacy: malware can't READ or SHARE your private data. (And putting vital things like credit card info in an encrypted disk image has the same benefit, if you don't want everything to be Vaulted.) Now, for true deletion-prevention, backing up is your friend :)
 
whooleytoo said:
Alright, a more accurate (but less funny..) example:

If you buy a car which doesn't start, is it not a car because it doesn't work?

And again:

If a tree falls in the middle of a rain forest, and there is not a single human being close, does it make sound???
 
A relevant question--maybe already discussed but I'm not a speed reader...

Did Mac antivirus software catch this automatically, before any need to download new definitions?

If not, then whatever hype antivirus makers want to generate, you still may as well skip their software (and skip paying for it) until after the fact. If you have to download definitions anyway, you may as well download the app AND the definitions.

(And what's the final consensus, can you trigger this without seeing a "first time you've run this app" warning and without any request for your password?)
 
nagromme said:
Yes. File Vault is one big file, though, so if malware ever got root access it could in theory delete that file. So the benefit is more one of privacy: malware can't READ or SHARE your private data. (And putting vital things like credit card info in an encrypted disk image has the same benefit, if you don't want everything to be Vaulted.) Now, for true deletion-prevention, backing up is your friend :)

Backup is one of my best friends! Privacy is not my concern. I'm more concerned about deleting files especially system files.

I guess I skip the File Vault thing.
 
dejo said:
Likely? On what grounds?

On the grounds that:

1. to be as successful, all a cracker has to do is modify the signature of the virus enough that none of the antivirus programs recognise it

2. there are at least two stupid bugs in the current code that if fixed would cause the virus to be more effective
 
Pardon my ignorance, but regarding my apps ownerships and permissions - should I set these to read only and not write?
 
Diatribe said:
My recording equipment would say yes. :p

Precisely - although I would argue that without some sort of device (recorder, human ear, etc.), there would be no sound - only the vibration of air molecules which would not be processed as sound. ;) :cool:
 
Hmm... at least we know how helpful spotlight can be... It's a friendly API to trojan horses as well as users. :D :D :D :D
 
Fabio_gsilva said:
And again:

If a tree falls in the middle of a rain forest, and there is not a single human being close, does it make sound???
Diatribe said:
My recording equipment would say yes. :p

With more and more technical innovations philosophical questions become obsolete.
 
Diatribe said:
Yeah, I was mostly pointing out a technicality. You're right though, it's still more than it should be. But there are 3 easy steps for Apple of which I am sure they will take some.

1. Find a way to let users know that a file disguises itself.

This I believe is very important, and should be done. It's far too easy with a custom icon and hidden file extensions to do a simple spoof to confuse a casual user. All executables (as a quick 'n' dirty guide, any file with the execute permissions bit set), should be in some way marked as an executable, regardless of whether they have a custom icon.

Diatribe said:
2. Reduce Admin privileges for the admin account (require passwords to modify apps etc./alert people not to use an admin account as their regular account)

Yup, I reckon the latter option is the better one.

Diatribe said:
3. Integrate an anti-virus software with automatically updated definitions via Software Update

Obviously, this still isn't ideal as much anti-viral detection tends to be reactive, and there's some delay between the virus' first attack, and its detection, and the relevant definition being released. It would at least be a step in the right direction.

Another possible measure would be the creation by the OS (by default) of a folder or partition to securely hold user files. Any files copied to it (or deleted/modified) require admin authorisation, irrespective of whether the user has administrative privileges. Hence, it would be impossible for any malware to read, delete or overwrite the user's most valuable files without the user's explicit consent.

(It may be possible to do this already, but the knowledge and necessity of such a measure doesn't seem to be common knowledge).
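The spoof whooleytoo describes (an executable dressed up with a custom icon and a hidden extension) can be spotted from the shell with the rule of thumb given above: look for files that carry the execute bit but are named like images or documents. This is an added example, not code from the thread; the default directory and the list of "harmless-looking" extensions are assumptions. It only reports and changes nothing.

```shell
#!/bin/sh
# Added example, not from the thread: list files whose name suggests data
# (image, document) but which have the execute permission bit set.
# Assumptions (not from the thread): the default directory and the extension
# list below are illustrative choices.

disguised_executables() {
    dir="${1:-$HOME/Downloads}"
    find "$dir" -type f -perm -u+x \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \
           -o -iname '*.pdf' -o -iname '*.txt' -o -iname '*.doc' \) \
        | while read -r f; do
            # If file(1) is available, show what the contents actually are,
            # independent of the name and icon.
            if command -v file >/dev/null 2>&1; then
                echo "SUSPECT: $f ($(file -b "$f"))"
            else
                echo "SUSPECT: $f"
            fi
        done
    return 0
}

# Number of SUSPECT lines for a directory; 0 means nothing matched the rule.
disguised_count() {
    disguised_executables "$@" | grep -c '^SUSPECT' || true
}

# Usage: sh disguised.sh ~/Desktop
disguised_executables "$@"
```

The rule is deliberately crude, as whooleytoo says; a real image never needs the execute bit, so anything listed deserves a closer look before it is double-clicked.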
 
furryrabidbunny said:
So if you enter that first line of code and nothing shows up as latestpics.tgz, you're clean? I am only scared because I remember going to a thread about leopard pics a few days ago, but I swear it was closed by the time I hit it. Can anyone confirm that... that it was an invalid link or something like that at some point?
Yep, you're clean. If you run latestpics even as a managed user, it creates the file in /tmp, even though it can't get any further.

This is the file it attempts to send to other users using iChat.
 
~Shard~ said:
Precisely - although I would argue that without some sort of device (recorder, human ear, etc.), there would be no sound - only the vibration of air molecules which would not be processed as sound. ;) :cool:

Ah, now that's an interesting take.

Then again, what is sound, if not a vibration or compression of air molecules...?

Funny how a virus or trojan can make you look at things anew.. We really should thank this guy.
 
whooleytoo said:
I guess it's one more reason I'm glad I've kept my work Mac on Panther!! ;)

My Mac is still on Panther as well - not for this reason specifically (who would have known!) but because I haven't seen a real need to upgrade. As you say, one other little reason why I'm still satisfied with my decision and am just waiting for Leopard. :eek: ;)
 
whooleytoo said:
If you read Andrew Welch's comments, you'd see it fails because of a fairly rudimentary programming error, which a more competent coder would be pretty unlikely to make.

Ambrosia Thread

Lasthope did this "bad programming" on purpose. He knows that Macs will hit mainstream soon and it's the last hope (last chance) to get Leopard secure before it gets released and a flood of viruses are released.
 
Did this all start with that thread in the OS X section that claimed to have pictures of 10.5? I was of the impression that the script or whatever it was did absolutely nothing. I ran it and it opened terminal and failed to do anything successfully.

Has anyone actually been "infected" by this thing? - other than those who would like to think OS X is vulnerable to viruses
 
swindmill said:
Did this all start with that thread in the OS X section that claimed to have pictures of 10.5? I was of the impression that the script or whatever it was did absolutely nothing. I ran it and it opened terminal and failed to do anything successfully.

Has anyone actually been "infected" by this thing? - other than those who would like to think OS X is vulnerable to viruses

Could you send me that file?
 
swindmill said:
Did this all start with that thread in the OS X section that claimed to have pictures of 10.5? I was of the impression that the script or whatever it was did absolutely nothing. I ran it and it opened terminal and failed to do anything successfully.

Has anyone actually been "infected" by this thing? - other than those who would like to think OS X is vulnerable to viruses

Yeah, it's from that thread. Kinda crazy when you think about it. The bait (pics of 10.5) was absolutely genius, I have to admit.
 