MacRumors the real source of a virus

The fact is that MacRumors have done nothing but damage the Mac community by creating a story out of thin air. This isn't a virus, it's just a program that tries to do damage and fails when run. If the user was using Safari, it would have notified them that it was an app.

What annoys me is that MacRumors should be in support for the Mac community but seems to want to help spread a smear campaign against it.

Get the facts straight first before blindly making a news article for this. People use you as a trusted source of information, yet what you have done is go 'this one will bring in the numbers'.

I think MacRumors is actually harmful to the Mac community as a whole. I like the rumours when they come in, but articles like this are nothing but sensational news rants intended to bring in hits.

Your article doesn't even suggest any amount of proof other than a mild attempt at viewing the hooks it tries to do and the fact that it is a unix executable.

Now if the news had come from Apple themselves or an anti-virus company of a real dissection of the program, then that would be news. But MacRumors saying that a post was made to their site to a program that runs when clicked on is not news.
 
Maybe I'm missing something (I haven't read the whole thread) but from what I have seen this "virus" doesn't even do anything to your computer... so what's the big deal?
 
johnadurcan said:
The fact is that MacRumors have done nothing but damage the Mac community by creating a story out of thin air. This isn't a virus, it's just a program that tries to do damage and fails when run. If the user was using Safari, it would have notified them that it was an app.

What annoys me is that MacRumors should be in support for the Mac community but seems to want to help spread a smear campaign against it.

Get the facts straight first before blindly making a news article for this. People use you as a trusted source of information, yet what you have done is go 'this one will bring in the numbers'.

I think MacRumors is actually harmful to the Mac community as a whole. I like the rumours when they come in, but articles like this are nothing but sensational news rants intended to bring in hits.

Your article doesn't even suggest any amount of proof other than a mild attempt at viewing the hooks it tries to do and the fact that it is a unix executable.

Now if the news had come from Apple themselves or an anti-virus company of a real dissection of the program, then that would be news. But MacRumors saying that a post was made to their site to a program that runs when clicked on is not news.

Sheesh, man, lighten up. This is a legitimate piece of news that Macrumors has every right to report. They weren't the only ones to publish it, and even if they were the first (the virus/trojan/malware did originate here), it was only a matter of time before some other outlet published it.

I know it's an uncomfortable fact to face, but the Mac OS is not immune to attacks, and we can come to expect more of this in the future. It's what comes with greater visibility and market share. So maybe this isn't exactly a virus, but it is something that most Mac users have not encountered before, and it performs undesired behavior and spreads itself around. Call it what you will, but Macrumors SHOULD report this stuff and let it be spread around as widely as possible. This is what makes software secure! Flaws need to be patched, and making a stink about it is what gets it done. Sticking your head in the sand and pretending this is nothing is foolish. And lashing out at simple journalism for reporting the facts is equally foolish.
 
Just think, in a week or so (maybe two) the code will probably be figured out, maybe a security update from Apple?, and this probably won't even be a big deal... here's hoping :)
 
johnadurcan said:
The fact is that MacRumors have done nothing but damage the Mac community by creating a story out of thin air. This isn't a virus, it's just a program that tries to do damage and fails when run. If the user was using Safari, it would have notified them that it was an app.

By some definitions it IS a virus, or a worm, although it's not what most users would think of as one. MacRumors uses a question mark on the term, and Trojan in parentheses. Makes sense to me.


jiv3turkey748 said:
Maybe I'm missing something (I haven't read the whole thread) but from what I have seen this "virus" doesn't even do anything to your computer... so what's the big deal?
It's not, it's a small deal out of which a big deal is being made :) BUT a small deal is still more than nothing, and still worthy of attention.
 
Ok Done!

made a new admin account

demoted my regular account.

Switched to new admin

run terminal

go to Applications folder: cd /Applications

run 'sudo chown -R <adminname>:admin *.app'

then run disk utility which switches all the Apple apps back to being owned by 'system'.

Switch back to regular account.

Was much easier than I thought.
 
nagromme said:
It's not, it's a small deal out of which a big deal is being made :) BUT a small deal is still more than nothing, and still worthy of attention.

And that's good about Macs! BECAUSE small incidences like this have such big influence.

I hope Apple remains observant of these kinds of problems and tries to keep the community untroubled of any harm to their loved OS.

I wonder what MS does with Vista to keep trojans and viruses out. I'm more than curious.
 
Kjackson said:
I don't know if anyone has said something like this but I'm not going to read all 400 some odd posts. By posting this thread and article in the first place, macrumors.com has made a HUGE mistake. This person was obviously just doing this so he could be the "first" to do it and get a bunch of attention. Now we've given him exactly what he wants. The proper response should have been to delete the thread he posted, ban that user and never speak of it, NOT tell the world about it. We've only encouraged this kind of behavior. Very bad move macrumors!
I disagree. This was a good wake up call for me, a recent switcher. I was under the impression that never activating the root account would keep my system safe, so I was merrily using my initial admin account for everyday computing, thinking I will be prompted for admin passwords for anything serious. Well, I never thought of /Applications folder and such. Now when I get home, I know what to do.

BTW, knowledge is power. I don't think any kind of censorship is a good idea whether it is government enforced or self-censorship kind, even if publicity does encourage some bad behaviour.
 
Wow, although this isn't a virus (like everyone else said, it's a Trojan), this should be a wake up call to Apple that they've got to do something about the icon changing.

A few days ago while I was making an applescript, I wanted to change the icons so I didn't get confused and changed one to a folder icon...no way to quickly tell it wasn't an app (besides get info) but looked just like a folder. Scary.
 
jsw said:
In all fairness, my understanding is that this looks like a JPEG unless you do a Get Info on it. I think it's a bit much to call it "user stupidity" to click on it.

If it doesn't look like any other downloaded JPEG file, then I retract my comments.
Ya, "social engineering" seems to be the kinder, gentler expression of choice. That does give it more latitude with less attitude. :)
 
BobVB said:
made a new admin account

demoted my regular account.

Switched to new admin

run terminal

go to Applications folder

run 'sudo chown -R <adminname> *.app'

then run disk utility which switches all the Apple apps back to being owned by 'system'.

Switch back to regular account.

Was much easier than I thought.

Ah. Here's the global solution I was after for changing owners. So I'm assuming that this also answers the question of what happens when you repair disk permissions after changing owners. It looks like non-Apple apps keep the new owner you've specified, and that Apple apps have their owner "repaired" to the correct state. Correct?

Also, for us non-Terminal types, could you specify the command for "go to Applications folder"?

Thanks to everyone for the valuable info.

:)

Jamie
 
picaman said:
Also, for us non-Terminal types, could you specify the command for "go to Applications folder"?

'cd /Applications'

Edit: Maybe I can write a Unix executable to automate this for everyone. I will call it 'latestfix.tgz'. ;)
 
picaman said:
Also, for us non-Terminal types, could you specify the command for "go to Applications folder"?

Thanks to everyone for the valuable info.

:)

Jamie

$ cd /Applications

cd being the command for 'change directory' and /Applications being the directory you want to change to (remember it's case sensitive, but you can type a couple of characters and use the TAB key to autocomplete the path)
 
dejo said:
'cd /Applications'

Edit: Maybe I can write a Unix executable to automate this for everyone. I will call it 'latestfix.tgz'. ;)

That's just cruel!

;)
 
iMeowbot said:
For anyone using the first account they created when they installed OS X, it's time to put a stop to that right now, because you have the rights to change a whole bunch of important stuff like your applications that don't require becoming root. You're in the admin group, and that's a lot of power all by itself.

Good tips.

Ultimately, applications should not be installed as group writable. Apple should change their default permissions list so that applications stored under /Applications are not expected to be group writable. The /Applications directory can be writable by the admin group but applications themselves should not be writable.
 
ITASOR said:
A few days ago while I was making an applescript, I wanted to change the icons so I didn't get confused and changed one to a folder icon...no way to quickly tell it wasn't an app (besides get info) but looked just like a folder. Scary.
Proposed solution: show all apps in a different font style--maybe italic. So the icon they can mess with, but not the rendering of the text.

AND add a mouseover effect to all app icons. Some kind of glowing halo that tells you this is a program. They could add a perma-badge like aliases have, but an icon could fake that. A mouseover effect on the other hand would not be part of the icon, it would be dynamic.

And of course they should warn about ALL apps on first launch, not just ones launched by a document.
 
Tymmz said:
Your admin account should own the apps, but I'm not sure if repairing permissions changes it back to "default". Need to try that later.

EDIT: repaired permissions and didn't change the ownership back.

Repair permissions only "knows" about applications installed by Apple. Effectively, a list of the "correct" permissions for particular files is stored on your machine. Repair permissions traverses this list checking the permissions of each file on the list. Any file not on the list, i.e. not known about by Apple, is ignored.

Edit: As pointed out by another poster, Apple does not need to know about the file... rather, the "correct" permissions list is stored in the .bom file for applications installed via the Apple installer.
 
picaman said:
Ah. Here's the global solution I was after for changing owners. So I'm assuming that this also answers the question of what happens when you repair disk permissions after changing owners.

You are also far better off changing the application ownership using:
Code:
sudo chown -R adminaccountname:admin *.app

where "adminaccountname" is the short name for your new admin account.

The difference is the ":admin" in the command. This changes the group that owns the application to the admin group. (Note, the original poster of the list of commands got it right. In Jamie's response the quoted text omits this part.)

It is possible to drag and drop an application to install it and end up with the "normal" user owning the application and the "normal" user's group being the group owner. If this happens, then the type of attack used by this trojan will still infect the application if the trojan is launched from a "normal" user account. By setting the group owner to "admin" you can protect yourself from this.
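
The ownership and group-write conditions discussed in the posts above can be checked per bundle before and after running chown. This is an added example, not part of the thread: the function name audit_apps and its output format are assumptions made here, and it only reads the owner, group and mode bits that ls -ld reports.

```shell
#!/bin/sh
# Added example (not from the thread): flag top-level *.app bundles that an
# everyday, non-admin account could modify without a password prompt.
#
# audit_apps DIR EVERYDAY_USER
#   owner        bundle is owned by EVERYDAY_USER
#   group-write  bundle is group-writable
#   other-write  bundle is world-writable
audit_apps() {
    dir=$1
    user=$2
    for app in "$dir"/*.app; do
        [ -e "$app" ] || continue      # glob matched nothing
        # ls -ld fields: mode, link count, owner, group, ...
        set -- $(ls -ld "$app")
        mode=$1 owner=$3 group=$4
        reasons=
        if [ "$owner" = "$user" ]; then
            reasons="$reasons owner"
        fi
        # Mode string looks like drwxrwxr-x: char 6 is group write,
        # char 9 is other write.
        case $mode in
            ?????w*) reasons="$reasons group-write" ;;
        esac
        case $mode in
            ????????w*) reasons="$reasons other-write" ;;
        esac
        if [ -n "$reasons" ]; then
            printf '%s (%s:%s):%s\n' "${app##*/}" "$owner" "$group" "$reasons"
        fi
    done
    return 0
}

# Stand-alone use: sh audit_apps.sh /Applications everydayuser
if [ "$#" -gt 0 ]; then
    audit_apps "$1" "${2:-$(id -un)}"
fi
```

A group-write finding matters only if the everyday account is a member of the group shown in parentheses, so read it together with the owner:group pair on the same line.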
 
mrichmon said:
Repair permissions only "knows" about applications installed by Apple. Effectively, a list of the "correct" permissions for particular files is stored on your machine. Repair permissions traverses this list checking the permissions of each file on the list. Any file not on the list, i.e. not known about by Apple, is ignored.

Point of order. Repair permissions can know about anything installed by Apple's installer, which is not just Apple software, that leaves a receipt behind with a .bom file (Bill of Materials).

Though the point you're making is quite right, if there's no BOM file listing for a file for repair permissions to parse, there's no knowing what the 'proper' permissions for that file are.

Making sense am I? Not likely...
 
nagromme said:
Proposed solution: show all apps in a different font style--maybe italic. So the icon they can mess with, but not the rendering of the text.

This doesn't prevent people from being stupid.

Ultimately the only way to eliminate trojans is to prevent any installation of Applications onto the computer. This includes eliminating the possibility of compiling programs. Treat all downloaded and user created files as data documents and make it impossible to create any executable file.

Of course, these restrictions effectively mean that the computer is far more constrained than the computers we have become used to.
 
woodgie said:
Though the point you're making is quite right, if there's no BOM file listing for a file for repair permissions to parse, there's no knowing what the 'proper' permissions for that file are.

Thanks for the clarification. I wasn't certain where the list of permissions was stored and didn't want to claim they were in the .bom file for certain.
 
The new Mac Trojan might be making news on this forum but it doesn't seem to have been picked up by too many net news wire services as far as I can tell. Ars Technica has an article, MacWorld, MacDailynews, OS News, Slashdot but nothing in BusinessWeek, CNN, Cnet, Reuters, NeoWin, AppleInsider as far as I can tell at this stage. Maybe that is a good thing.
 
BobVB said:
made a new admin account

demoted my regular account.

Switched to new admin

run terminal

go to Applications folder

run 'sudo chown -R <adminname>:admin *.app'

then run disk utility which switches all the Apple apps back to being owned by 'system'.

Switch back to regular account.

Was much easier than I thought.


Will this result in my having to enter a password for every non-apple app I run? In which case I'd much rather they implemented a first-time-you-run dialog.
 