The First Mac OS X Virus?

[chinajon]

Here is a very helpful guide for locking down OS X straight from The National Security Agency.

http://www.nsa.gov/snac/downloads_macX.cfm

pxlmvr

NOTE: Only for OSX 10.3.?

There are warnings in the document that say not to use these commands on other systems.

Also, these commands can totally screw up the system - requiring a system install if you don't know what you are doing or make a typo.

 

[shambolic]

visudo... *shivers*

visudo doesn't have to use vi:

bash$ export EDITOR=emacs (or pico, or whatever)
bash$ sudo visudo

and you can edit the sudoers file in your chosen command-line editor.

[ exits, before vi vs emacs flamewar erupts ]

 

[VanNess]

So, for the time being, why couldn't one just set up a spotlight smart folder to search for any unix executable (at least for me, I would never expect to d/l such a thing, and I doubt most regular users do) from your regular download location (the desktop or a downloads folder, etc.). Then, set up a folder action to notify via dialog that something has been added to that smart folder.

That way, even if something tries to masquerade itself onto your computer using a jpeg icon (or any icon) the Spotlight smart folder would still smell it and you would be notified instantly (via the attached folder action) as to it's presence. Sort of trojan horse detector. My understanding of this thing is that there is basically a 2-step process: First, you have to unarchive it, but that exposes the unix executable (with the misleading icon). You would then have to double click the an exposed unix executable in order for the worm/virus to take effect.

 

[maya]

Didn't the user find it odd that you require a password to open up an image file.

Me thinks someone was trigger happy in regards to the future and got they comeuppance.

 

[ChildOL]

Total easy fix for Apple

I am very disappointed in Apple that this is even possible given the easy fix...but this is what they can do to completely fix this problem...

Show the user (regardles of the icon) that the file is an executable, a glow would be very good... Require admin password if an application/process/script is trying to modify ANY FILE OR FOLDER on the system that is not allready known to be modifiable by it. (maybe a database where every user that is created is added and ANY known processes/programs/scripts... Any NEW processes/programs/scripts(ANYTHING executable) should be able to modify the given files/folders AFTER you give it the authority to do so via admin password and then it is added to the database and it can THEN modify THOSE files etc.)

Should be simple for Apple to do and should have been done LONG ago.

 

[Warbrain]

I am very disappointed in Apple that this is even possible given the easy fix...but this is what they can do to completely fix this problem...

Show the user (regardles of the icon) that the file is an executable, a glow would be very good... Require admin password if an application/process/script is trying to modify ANY FILE OR FOLDER on the system that is not allready known to be modifiable by it. (maybe a database where every user that is created is added and ANY known processes/programs/scripts... Any NEW processes/programs/scripts(ANYTHING executable) should be able to modify the given files/folders AFTER you give it the authority to do so via admin password and then it is added to the database and it can THEN modify THOSE files etc.)

Should be simple for Apple to do and should have been done LONG ago.

I'm sure they're working on it. They're probably following all the forums that are buzzing with this news and getting a fix ready. When will it be available? Who knows.

 

[Daveway]

Yahoo! frontpage is reporting yours truely.

 

[manu chao]

So, for the time being, why couldn't one just set up a spotlight smart folder to search for any unix executable (at least for me, I would never expect to d/l such a thing, and I doubt most regular users do) from your regular download location (the desktop or a downloads folder, etc.). Then, set up a folder action to notify via dialog that something has been added to that smart folder.

Smart idea, I just tried it out. Unfortunately, Folder Actions do not work on Smart Folders.

 

[MeatBiProduct]

well, it's not a virus, but something that has been a friend of the Mac for a long time: Trojan Horse.

Cluley said that some Apple users were claiming that Leap-A was somehow not a real virus because it required the victim to click on the link, an objection he branded as ridiculous. Many PC viruses needed user interaction to set off infection, he pointed out, and this was no different.

http://www.techworld.com/security/news/index.cfm?newsid=5392&inkc=0

so, everyone who bought an x86 Mactel, welcome to thunderdome b****.

Funny this virus seemed to be compiled GCC and affects PowerPC. The x86 platform isn't the place to put blame for this issue. The isn't going to be 2 seperate operating systems, only 2 kernels. One compiled for x86 one for powerpc. It doesn't work to develop your O/S in two seperate code trees, but one tree with two kernel interpreters (alla powerpc/x86). However it is always cool to point the blame anywhere but apple's developers. The bottom line is that they've been bested. It was awful nice of this virus's author to not deliver a payload. Then again it's only been a few days, who says these things happen right off the bat.

Not to mention if the source code to this little diddy gets released in the right spots YOU WILL see variations and they WILL be destructive. If the script gains root priv. then virus > O/S.

 

[Warbrain]

So is anyone else feeling a bit mournful now that this has settled in a bit? I was more vigilant before and I've been trying to keep up with the news as much as possible while here at school, but I just feel like a bit of me has died inside.

We all knew that this would happen at some point, but still, it hurts a bit.

 

[mrichmon]

But how is it more secure? We have the typical setup of a single person using the mac - they ARE the administrator even if they are using a regular account. How does it make it more secure making them switch accounts to put something in the Applications folder over just confirming they are the administrator and doing the exact same thing from their regular account?

Warning: this explaination is a little long and a little technical but should be understandable to non experts.

Say this single user has two accounts on their computer: NaiveUserAccount and ScaryAdminAccount.

Now, if the user always logs into the ScaryAdminAccount to install applications then the application MyNewApplication.app will be saved with the file permissions rwxrwxr-x and will be owned by the user ScaryAdminAccount with the group owner as admin. These are permissions you typically end up with if you drag and drop the application to install it.

These file permissions mean that the user who owns the application (in this case ScaryAdminAccount) has read, write and execute permissions (the first three characters in the file permissions highlighted in blue). The any users in the group that owns the file (in this case admin) has read, write and execute permissions (the second three characters in the file permissions highlighted in red). And all other users have read and execute permissions (the final three characters in the file permissions highlighted in magenta).

These three groups of permissions control what different classes of user can perform. If the current user name matches the user name for the owner of the application, then the user permissions (the blue file permission characters) control what the current user can do with the application file. If the user names do not match then the "group" permissions come into play.

If the group name on the file matches a group that the current user is a member of, then the group permissions (the red file permission characters) control what the current user can do with the application file. If the group names do not match, then the "other" permissions come into play. The "other" permissions are defined by the final three (magenta) characters in the file permissions above.

So, assuming the user is currently logged in as the ScaryAdminAccount. Since MyNewApplication.app has user permissions of rwx this means that the current user has write access to the application. Therefore, any application the current user runs is able to write and modify MyNewApplication.app. This is not safe.

Assume the user is currently logged into another administrator account, say GroovyAdminAccount. Since the user name on MyNewApplication.app does not match the current user the user permissions are ignored. But, all administrator accounts are a member of the admin group. The application is owned by the admin group and the current user is in the admin group. Therefore, the group permissions are applied. The group permissions in the application are rwx so the current user can modify the application as much as they like. This is not safe.

If the user is currently logged into the NaiveUserAccount and this account is not an administrator so it is not a member of the admin group. The current user name does not match the owner of the application so the user permissions are not relevant. The current user is not in the admin group so the current user's group does not match the group owner of the application. Therefore the group permissions are not relevant. This leaves the "other" permissions as being relevant. The other permissions on this application are r-x meaning that the current user can read the application and execute the application but they cannot write to or modify the application. Since nothing the current user can do has the ability of changing the application then this is a safe situation.

Ultimately, it means that anything that will change applications on the system must be a deliberate act by the end user. The end user makes it a deliberate act by specifically logging in to the administrator account since that is the only account with the appropriate permissions to change the applications. Alternatively, the user can attempt to modify the application but will not have the correct permissions so the OS will prompt the user for administrator credentials in the form of a username and password.

Hope that helps answer your question.

 

[Fiveos22]

Looks like a few online news sites are starting to run the story although some of the reports are somewhat misleading

World's first OS X virus hits Apple The iChat malware has been dubbed Leap-A by antivirus firm Sophos
http://www.computerworld.com/securitytopics/security/story/0,10801,108784,00.html?source=x10

This one is by far the worst.

Leap-A is believed to have originally been posted on a Web site for Apple users, posing as a software update. Although the virus is benign and is not believed to be spreading in large numbers, it still marks a minor landmark for a system that has come to be seen in some quarters as immune to such mundane security issues.

I think we can confirm where the virus was posted...however I don't think the media wants to take the light off of themselves for a second.

The virus, dubbed Leap-A by antivirus company Sophos PLC...

WTF?! Why do they get to name it, expecially when they did not discover it? Personally I like Andrew Welch's discussion and his name, "OSX/Oompa-A" because it actually has a basis in reality.

 

[macEfan]

Great- A mac virus... that sucks. I guess my copy of norton will be more useful now... Wait, it didn't even find any virus . Poor Steve, he is probally pacing around his office now.... Hope apple gets updates ASAP!

 

[mrichmon]

visudo doesn't have to use vi:

bash$ export EDITOR=emacs (or pico, or whatever)
bash$ sudo visudo

and you can edit the sudoers file in your chosen command-line editor.

[ exits, before vi vs emacs flamewar erupts ]

On a default OS X install it does. You are missing the original point that getting into the details of editing sudoers was beyond the scope of my original post.

I only noted the change in the sudo behavior so that people who are not unix experts do not get caught unaware.

 

[Laser47]

I honestly think yankeefan24 should get to name it, after all he was the first person to get the "virus" or whatever.
How does the naming system for viruses work anyway?

 

[mrichmon]

Require admin password if an application/process/script is trying to modify ANY FILE OR FOLDER on the system that is not allready known to be modifiable by it. (maybe a database where every user that is created is added and ANY known processes/programs/scripts... Any NEW processes/programs/scripts(ANYTHING executable) should be able to modify the given files/folders AFTER you give it the authority to do so via admin password and then it is added to the database and it can THEN modify THOSE files etc.)

Should be simple for Apple to do and should have been done LONG ago.

You have just roughly described how unix file permissions work.

Apple did do this long time ago... to be accurate BSD did it a long time ago and Apple picked up the implementation as part of the BSD personality in NextStep. OS X is a direct descendant of NextStep.

BSD in turn copied the permissions system from AT&T Unix. Ultimately, this permissions scheme was originally developed in 1973 and has very much stood the test of time.

 

[Project]

Yup, there is no need to switch user to install apps, just click the authenticate button and put in the admin password. A nice, clean way of doing it, whilst remaining in the standard account

 

[abc123]

This one is by far the worst.



I think we can confirm where the virus was posted...however I don't think the media wants to take the light off of themselves for a second.



WTF?! Why do they get to name it, expecially when they did not discover it? Personally I like Andrew Welch's discussion and his name, "OSX/Oompa-A" because it actually has a basis in reality.

it was released here initially right?
i like the Oompa-A name too, we should all just start calling it that

 

[Elvicious]

This particular doohickey requires that one open a file from an unknown source and then execute the enclosed executable (granted, it's masquerading as a JPEG). It then can only spread to the local network, apparently, by using an OS feature that no one but Apple seems to care all that much for.

so does this mean that if those apps aren't in use on the networked machines the file won't propagate? or is it enough that it's sitting in the applications folder, waiting to be exploited in copying this...whatever it is?

 

[abc123]

another thought, this isn't the first nasty thing designed for os x.

i remember reading about one that started on a torrent site, not a virus but something that could be pretty disastrous depending on what you keep stored on your computer. it disguised itself as the password authorization window for an application installer and when you typed in your password it would record it, go in and collect your keychain, send it off to some guy's computer and then it would start the true installation process of the program you wanted. i don't know how convincing the duplicate window was because i never saw it but since i read that i use a different password for my key chain then i do my account.

 

[HiRez]

Shouldn't Apple be able to minimize this situation by now allowing files to misrepresent themselves on your desktop? For example, this Trojan is an executable UNIX file that appears as a JPEG. OS X should make sure anything that's an executable cannot appear as some other file type to the user.

 

[Doctor Q]

BSD in turn copied the permissions system from AT&T Unix. Ultimately, this permissions scheme was originally developed in 1973 and has very much stood the test of time.

The Unix permission system needed a few tweaks along the way, such as the so-called sticky bit. The system is not as flexible as access control lists (ACLs), which some Windows and Unix variants use, but it serves most purposes.

 

[ChildOL]

You have just roughly described how unix file permissions work.

Apple did do this long time ago... to be accurate BSD did it a long time ago and Apple picked up the implementation as part of the BSD personality in NextStep. OS X is a direct descendant of NextStep.

BSD in turn copied the permissions system from AT&T Unix. Ultimately, this permissions scheme was originally developed in 1973 and has very much stood the test of time.

Then why does OSX allow (when logged into an admin account) the script to modify your applications WITHOUT prompt?

 

[Omochao]

I would love it if an admin could give us lasthope's email address, so that we could send him threatning messages because he sent US a virus!

 

[50thVert]

Awesome, 1 trojan horse for OS X users...












and 1e99 trojan horses, viruses, worms for Windows users.

The odds are still significantly in our favor.