Steven1621 said:
Granted, this is just a script. It doesn't exploit a security flaw. Correct?
It's not a script, it's an executable, i.e., an application.
 
snugja said:
Hell Froze over... actually it just snowed today.
I knew it was gonna be a bad day when I woke up and it was cold and overcast here in sunny California.
Crap.

qtip919 said:
Also, this should be a wakeup call to all Mac users. Opening any file without knowing the source is FOOLISH... I don't care what OS you are using. Just because you are using OS X doesn't mean you should be opening any file someone TEMPTS you with....

The more I think about this, the more I laugh...

Pics of OS 10.5...brilliant...

Windows users are tempted by Britney Spears, Mac users by a new GUI element in their operating system...

I agree with you 101%
 
This is very bad news. Obviously people shouldn't just open random files, but I disagree with those who think the first OS X virus is a good thing or something to joke about. Mac users WERE too smug about viruses, but that doesn't mean it's good now that they have a reason not to be.

Is there any way to tell if the virus came from an Intel-based machine or a PowerPC-based one? People have been wondering if the move to Intel would open OS X up to viruses. I don't know if there's any relation or not, or just a coincidence that Intel Macs are just coming onto the market and OS X has its first virus now.

EDIT:
plinden said:
Get Info shows it as a PPC executable.
Thanks for the info. I guess there goes that theory, right?

Do you think this will get Apple to finally do something about .Mac's virus protection?? They don't even link to Virex anymore and there's no announcement of a replacement.
 
autrefois said:
I don't know if there's any relation or not, or just a coincidence that Intel Macs are just coming onto the market and OS X has its first virus now.


The only effect Intel has on this situation is that potential viruses can now be written twice as fast.

This is an OS-level vulnerability, not a CPU-level one. :)
 
iMeowbot said:
A good idea, right now, would be to go into your system Preferences, into Accounts, and create a new user. Turn on the "Allow user to administer this computer" check box, then log into that account and make sure it works. Once you're satisfied that the new account works and that you've remembered the password, turn off the "Allow user to administer this computer" check box for your own regular account. From then on, use the new account to install software, run System Update, etc. Use your now-demoted regular account for your regular daily computing.
Sound advice. Just done it.
 
Besides... by the time viruses become common for the Mac, Steve will have an integrated virus scanner in OS X and send out updated definitions via Software Update. So who cares? Although it is not a virus by definition, malware was bound to happen.
 
kjs862 said:
Apple's switch to Intel... trojans on OS X, what's next, M$ buys Apple :p
Actually, it's a PPC executable, and when I doubleclicked it from a managed account, I got the following (yes, I did this in the name of science, knowing the risks):
XXXX-iMac:~ testaccount$ /Users/testaccount/Desktop/latestpics; exit
oah - setxattr did _not_ handle oompa, errno: 13
cp: /Applications/Camino.app/Contents/MacOS/Camino: Permission denied
oah - setxattr did _not_ handle oompa, errno: 13
cp: /Applications/Google Earth.app/Contents/MacOS/Google Earth: Permission denied
oah - setxattr did _not_ handle oompa, errno: 13
cp: /Applications/Monolingual.app/Contents/MacOS/Monolingual: Permission denied
oah - setxattr did _not_ handle oompa, errno: 13
cp: /Applications/Adium.app/Contents/MacOS/Adium: Permission denied
oah - setxattr did _not_ handle oompa, errno: 13
cp: /Applications/Skype.app/Contents/MacOS/Skype: Permission denied
logout

These are all the PPC apps I have on my Intel Mac.

Edit: By the way, I checked and my Universal apps haven't been touched, so it's not that the PPC apps are more secure.

Edit 2: Damn, my Camino and Monolingual are universal apps. Bang goes that theory.
 
I am curious about the original poster who posted this link on MacRumors. I think his email has obviously been abandoned; probably his IP address can yield some insight.
 
iMeowbot said:
A good idea, right now, would be to go into your system Preferences, into Accounts, and create a new user. Turn on the "Allow user to administer this computer" check box, then log into that account and make sure it works. Once you're satisfied that the new account works and that you've remembered the password, turn off the "Allow user to administer this computer" check box for your own regular account. From then on, use the new account to install software, run System Update, etc. Use your now-demoted regular account for your regular daily computing.

done. I gave it a 20 character password too... can't be too careful, now ;)
 
autrefois said:
Mac users WERE too smug about viruses...
Still am... it's not a virus.

generik said:
OH YES!

No more smug comments from Mac fanbois about virii and spyware. Like their OS is SOOOO immune
Hey, I'm not searching for AV software to install! There are STILL no viruses for Mac OS X.
 
Welch is continuing the disassembly...

It appears that when launched, the app infects all other apps on the computer and inserts an executable stub and code into the resource forks of all the applications. When those apps launch, it runs this code. Unknown what the subsequent code does.

arn
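The posts above describe three things worth checking on your own machine: whether the account you use every day is an admin (iMeowbot's advice is to demote it), which application executables that account could overwrite (plinden's "Permission denied" lines show a managed account failing to write into /Applications/*.app), and whether an app's resource fork has been touched (where arn says the stub is inserted). The following is an added audit script, not code from the thread or from anyone quoted in it; the function names are my own, it assumes the standard `id -G -n` and macOS `xattr -p` commands, and it treats "admin" group membership as the meaning of the "Allow user to administer this computer" box.

```sh
#!/bin/sh
# Added example (not from the thread): audit the conditions discussed above
# as the account you are currently logged in as.

# Is the current account a member of the "admin" group? On Mac OS X that is the
# group the "Allow user to administer this computer" check box adds you to
# (assumption: group name "admin").
is_admin_account() {
    id -G -n | tr ' ' '\n' | grep -qx admin
}

# List every bundle main executable under DIR/*.app/Contents/MacOS that the
# current user can write. Anything listed is a file that a trojan run from this
# account could modify; the "cp: ... Permission denied" lines above are what a
# managed account gets for the files this function would NOT list.
writable_app_executables() {
    dir=$1
    for app in "$dir"/*.app; do
        if [ ! -d "$app/Contents/MacOS" ]; then
            continue
        fi
        for exe in "$app/Contents/MacOS"/*; do
            if [ -f "$exe" ] && [ -w "$exe" ]; then
                printf '%s\n' "$exe"
            fi
        done
    done
    return 0
}

# Number of writable executables, usable as a pass/fail audit value.
count_writable_app_executables() {
    writable_app_executables "$1" | wc -l | tr -d ' '
}

# The resource fork of a file is exposed on Mac OS X as the extended attribute
# com.apple.ResourceFork, which xattr(1) prints with -p. Returns 0 if the fork
# is present, 1 if absent, 2 if xattr is not available on this host, so a
# caller can tell "no fork" from "could not check". A fork on a plain
# Mach-O executable that never had one is worth a closer look.
has_resource_fork() {
    if ! command -v xattr >/dev/null 2>&1; then
        return 2
    fi
    xattr -p com.apple.ResourceFork "$1" >/dev/null 2>&1
}

# Stand-alone usage: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    if is_admin_account; then
        echo "current account is an admin: a trojan run here can rewrite apps"
    else
        echo "current account is not an admin"
    fi
    echo "writable app executables: $(count_writable_app_executables /Applications)"
    for exe in /Applications/*.app/Contents/MacOS/*; do
        if has_resource_fork "$exe"; then
            echo "resource fork present: $exe"
        fi
    done
fi
```

Run it first from your everyday account and then from the admin account you created: the count of writable executables should be zero from the everyday account, which is exactly the result plinden got when latestpics tried to copy itself over his apps.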
 
plinden said:
Actually, it's a PPC executable, and when I doubleclicked it from a managed account, I got the following (yes, I did this in the name of science, knowing the risks):


These are all the PPC apps I have on my Intel Mac.

Edit: By the way, I checked and my Universal apps haven't been touched, so it's not that the PPC apps are more secure.

Edit 2: Damn, my Camino and Monolingual are universal apps. Bang goes that theory.

Whatever it is doing it seems like they all failed!
 
By the way, has anybody noticed that the readme file on one of the Apple install disks... Tiger maybe... is actually an app in disguise? Could well be this is where the author got the idea.

Edit: yep, see screenshot. Which, it should be noted, is not inside a tgz file.

Under Panther and below these would've shown up without the extension, but Tiger now puts .app on the end of all application filenames (except those defined by metadata, apparently). So Apple is obviously aware of the trojan problem.

Maybe they should force applications defined with metadata to use the default app icon and have a "Warning: you are opening an application" message. Click OK and it saves a note to a system folder so you don't keep getting asked. That should go a long way to clearing up this security hole.
 
Attachment: Picture 1.png (screenshot)
I think Apple made the virus.

Apple realized this was the one thing that Microsoft had that they didn't.

I expect Apple's market share to double by tomorrow.
 
Heb1228 said:
Still am... its not a virus.
Now now, let's not bicker over this. Let's try to do some damage control about this file and do some public service announcement to those we know. I think the creator won't be foolish enough to just post on MacRumors; it might come up somewhere else, and we are still not sure what it can do yet.
 
generik said:
Whatever it is doing it seems like they all failed!
Yes, because I ran latestpics from a managed account, it didn't have admin privileges. I did that deliberately, in case you're wondering.
 
angelneo said:
Now now, let's not bicker over this. Let's try to do some damage control about this file and do some public service announcement to those we know. I think the creator won't be foolish enough to just post on MacRumors; it might come up somewhere else, and we are still not sure what it can do yet.
No doubt... continue the good work.
 
mad jew said:
The only effect Intel has on this situation is that potential viruses can now be written twice as fast.

This is an OS-level vulnerability, not a CPU-level one. :)

Thanks for the clarification. Guess after all these years of using Macs, it's about time for me to learn more about the innards of the OS and the hardware, and the difference between the two. The sweet days of innocence are over...
 