iMeowbot said:
Yes, it makes a difference! plinden got "permission denied" messages and the trojan failed because he wasn't using an admin account.

Thanks. I am asking because I am also in the dumb user category of those who use their admin account for everything and am wondering if it's worth creating another user account and then having to switch all the time. But it sounds like it is.
 
tfaz1 said:
My point is, if the only way to "infect" a Mac is with an Administrator's permission, then is that really a big threat? It's a lot harder for a criminal to rob you if you don't give him the key.

It is a bit of a threat, yeah, because most Macs run with the default user as an administrator, who automatically has permission to go modifying /Applications. No password needed.
 
We all knew this day would come.

It's ok, although some of you are a bit shocked, this thing was eventually going to happen. I just hope that Apple will help stop these kinds of things from happening. Safari already tells us when we download a program, and even an .exe, maybe Apple just has to add what Safari looks for when we download it. That would hopefully prevent this from ever happening again. It's a good thing that there are already security features in place in Mac OS X. Although not asking for your password is something that worries me...

I wonder what Apple might do about this. Maybe create some sort of Anti-Virus propaganda?... Join Apple!...and together we can destroy viruses! :D:eek::rolleyes:

Oh and here's a little something to cheer you guys up. Although... maybe my sketch of Jobs would have made you laugh more...it ended up looking like a very angry Sean Connery...:p
 

Oh god - please can we change the front page? This is a poorly attempted Trojan, not a virus. We need to let people know clearly that you

I know lots of people that could have done the same thing. Mac OS X hasn't got a virus; it's something that you have to run.
Bloody overreaction and newbies jumping all over it.
 
Tymmz said:
I mean MR is a great site, but if the news about a "virus" on Macs spread and it's linked to MR, isn't MR's traffic going to bust?
Depends what you mean by "bust". Traffic in MR has jumped from 600 to over 1400 in the last hour or so. I think most serious computer users will hang around to see what this little scare is about, while sifting through all the n00b's and "I told you so's" banter.
 
xsedrinam said:
Depends what you mean by "bust". Traffic in MR has jumped from 600 to over 1400 in the last hour or so. I think most serious computer users will hang around to see what this little scare is about, while sifting through all the n00b's and "I told you so's" banter.

Edited my post: I meant burst.
 
danamania said:
It is a bit of a threat, yeah, because most Macs run with the default user as an administrator, who automatically has permission to go modifying /Applications. No password needed.

Only *after* you've entered the Admin password to install the Trojan in the first place. Those OS X admin password requests are there for a reason.
 
EricNau said:
We can right click...
... and yes, there are two buttons there! Our mice just look better than yours.

I don't see how you could use something that is not ergonomic or functional. I also think it looks horrible, but that's personal preference, I guess.

If these malicious people that write viruses felt the need to write them for the small Mac user base they could do it, and one coder already did.

I am a gamer so I would never go to Mac. I've never gotten a virus...ever. I can play all the games I want and still do everything you can do on a Mac. So...why would I switch to a platform where it is hard to upgrade the hardware, if not impossible?

Glad you guys finally got Intel chips...we've had them for years. It's too bad you have to go buy a new computer to get one. ;)
 
tfaz1 said:
Only *after* you've entered the Admin password to install the Trojan in the first place. Those OS X admin password requests are there for a reason.

EXACTLY = we do have protection against this, this is a security feature of our "only better than windows because nobody uses it" OS.
 
iMeowbot said:
Change them.

Your new separate admin account will help keep newly installed applications from being too easily accessed, but you do want to clean up after the stuff that is already there.

Thanks for the help from all of you. I changed all of the applications owned by dws to root. It is working great.
 
tfaz1 said:
Only *after* you've entered the Admin password to install the Trojan in the first place. Those OS X admin password requests are there for a reason.
That's the trouble, there is nothing to install and there is no password prompt. Mac users have been brainwashed into thinking that every executable file will use an installer, but that's simply not how things work.
 
PC Enthusiast said:
I don't see how you could use something that is not ergonomic or functional. I also think it looks horrible, but that's personal preference, I guess.

If these malicious people that write viruses felt the need to write them for the small Mac user base they could do it, and one coder already did.

I am a gamer so I would never go to Mac. I've never gotten a virus...ever. I can play all the games I want and still do everything you can do on a Mac. So...why would I switch to a platform where it is hard to upgrade the hardware, if not impossible?

Glad you guys finally got Intel chips...we've had them for years. It's too bad you have to go buy a new computer to get one. ;)

You are clueless; you have no idea what you're talking about.

We don't have a virus. There is a file (that hardly anyone has) that you can run and give permission to run on your system - big deal. It isn't spreading, it isn't a virus - get over yourself and your ***** OS.

iMeowbot said:
That's the trouble, there is nothing to install and there is no password prompt. Mac users have been brainwashed into thinking that every executable file will use an installer, but that's simply not how things work.

So you're saying you don't have to enter a PW for it to run?

It doesn't work on my machine anyway - I have an Intel iMac and use a non-admin account for my day-to-day stuff.
 
BakedBeans said:
You are clueless; you have no idea what you're talking about.

We don't have a virus. There is a file (that hardly anyone has) that you can run and give permission to run on your system - big deal. It isn't spreading, it isn't a virus - get over yourself and your ***** OS.
I couldn't have said it better myself! ;)

Hardly anybody has this file, so it's not too much of a problem. Now if it were widespread and wreaking havoc on the world, that would be another thing and I'd probably run for the hills. :p
 
BakedBeans said:
EXACTLY = we do have protection against this, this is a security feature of our "only better than windows because nobody uses it" OS.

But we don't have that password protection against modifying EVERY part of the OS. The default user in OSX is an admin user, it's what >99% of OS X users run as, and admin users do NOT get permissions popups if they try to make changes to the majority of apps within /Applications.

Those popups that ask for authentication are for making changes to other parts of the system, but not most of /Applications.

That's why a default OSX user (who is Administrator) can for the most part just drop an app into /Applications or remove it to delete it without being asked for authentication through the popup. They can also modify it, as can any code running under that user ID - just like this trojan appears to do.
 
BakedBeans said:
So you're saying you don't have to enter a PW for it to run?
Correct. Think of it as the equivalent to one of those programs that you simply drag out of a disk image, no installer or password prompt required.
It doesn't work on my machine anyway - I have an Intel iMac and use a non-admin account for my day-to-day stuff.
Yay. Now all we need is for the OS X first-time setup to nudge users into setting up non-admin accounts.
 
iMeowbot said:
That's the trouble, there is nothing to install and there is no password prompt. Mac users have been brainwashed into thinking that every executable file will use an installer, but that's simply not how things work.


This is exactly why this thing is a poor trojan. Any and all system-level apps require a password to be changed.
And there's a simple way to disable it:

"According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable."

Go into Spotlight preferences and deselect Applications in the searchable items. If this script uses Spotlight to find apps, it won't find any this way.
 
iMeowbot said:
Correct. Think of it as the equivalent to one of those programs that you simply drag out of a disk image, no installer or password prompt required.

Yay. Now all we need is for the OS X first-time setup to nudge users into setting up non-admin accounts.


It says different on the front page of MR? You can't change anything damaging without a PW anyway, can you?
 
This is all very reminiscent of the old trick in Windows whose result was much the same. Basically, you used a double file extension, such as "BritneyNaked.jpg.exe", and then relied on the Windows "hide extensions for known file types" feature that is enabled by default in Explorer. The result of this is that you could quite happily disguise executables as images, and the icon associated with the file would change to that of the first extension, so it was pretty easy to con someone. The implementation of this trojan is different but the result is much the same.

I did wonder if Finder had a similar "Hide extension option" and indeed it does under the Advanced panel of the Finder preferences. I have now set Finder to show all extensions so at least I can see the .app extension of applications even if they are trying to masquerade as an image, audio or other document file.
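The masquerading trick described in the post above can be checked for mechanically. The script below is an added example for this thread, not code posted by anyone in it, and it makes two checks on a download directory: a name with a document-style extension buried before ".app" (which Finder shows as "pics.jpg" when extensions are hidden), and a plain file with a document extension whose first four bytes are a Mach-O or universal-binary magic number rather than image data. The list of document extensions and the sample files it builds are constructed for the demo; the magic values are the published Mach-O constants.

```shell
#!/bin/sh
# masquerade_check.sh: flag entries in a directory whose name says "document"
# but whose type says "executable". Added example, not from the original post.
# Assumes a POSIX sh with od, grep -E and mktemp; tested shape of the sample
# tree is constructed below and is not real data.

doc_ext='jpg|jpeg|png|gif|pdf|txt|doc|mp3'   # assumed set of "document" extensions

# First four bytes of a file as lowercase hex, e.g. "feedface".
magic4() {
    od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n'
}

# Mach-O (32/64-bit, either byte order) and universal (fat) binary magic.
# Caveat: cafebabe is also the Java class-file magic, so treat it as a lead, not proof.
is_macho_magic() {
    case "$1" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<reason><TAB><path>" for each suspicious entry directly under $1.
find_masquerades() {
    for p in "$1"/* "$1"/.[!.]*; do
        [ -e "$p" ] || continue
        name="${p##*/}"
        # (1) document extension immediately followed by .app: "vacation.jpg.app"
        if printf '%s' "$name" | grep -Eiq "\.($doc_ext)\.app$"; then
            printf 'double-extension\t%s\n' "$p"
            continue
        fi
        # (2) regular file named like a document but starting with executable magic
        if [ -f "$p" ] && printf '%s' "$name" | grep -Eiq "\.($doc_ext)$"; then
            if is_macho_magic "$(magic4 "$p")"; then
                printf 'macho-as-document\t%s\n' "$p"
            fi
        fi
    done
    return 0
}

count_masquerades() { find_masquerades "$1" | wc -l | tr -d ' '; }

# Constructed sample directory: one double-extension bundle, one "image" that is
# really a Mach-O header, one genuine JPEG header, one harmless text file.
make_samples() {
    d="$(mktemp -d)"
    mkdir -p "$d/vacation.jpg.app/Contents/MacOS"
    printf '\376\355\372\316' > "$d/holiday.jpg"   # fe ed fa ce: Mach-O magic, no image data
    printf '\377\330\377\340' > "$d/real.jpg"      # ff d8 ff e0: JPEG SOI + APP0 marker
    printf 'hello\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Usage: ./masquerade_check.sh ~/Downloads   (runs against the sample tree when no arg is given)
if [ "${0##*/}" = "masquerade_check.sh" ]; then
    target="${1:-$(make_samples)}"
    find_masquerades "$target"
fi
```

Turning on "Show all file extensions" in Finder, as the post does, defeats only the first trick; the second check exists because nothing stops a downloaded "photo.jpg" from being an executable that the OS will happily run if something chmods it and launches it, so a content check is worth more than a name check.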
 
OK, I am officially confused. Whenever I download a new app, OSX asks me to verify it with my password. So I am assuming that this trojan cannot be a NEW application, merely a piece of code that runs in an existing app.

Someone with greater knowledge please put me straight.. How can I be a Mac evangelist if I don't know all the facts?
 
BakedBeans said:
It says different on the front page of MR?
Where? I'm looking at that page right now.

[edit: oh, I see what you mean, the "user activation" bit. That just means double-click.]

You can't change anything damaging without a PW anyway, can you?
Application installers have a nasty tendency to assign ownership (and write privileges) to whatever user ran the installer, instead of root. That's the main issue.
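Two earlier points in the thread, that an admin user (and any code running as that user) can modify most of /Applications without an authentication prompt, and that installers tend to leave bundles owned by whoever ran them rather than root, come down to one question: which application bundles on this machine could the current user overwrite silently? The audit below is an added example for this thread, not code from any poster. It flags a bundle when its top directory, or any file in Contents/MacOS, is owned by the invoking user with the owner-write bit set; it deliberately tests ownership and mode rather than `test -w`, so the answer does not change when the script happens to be run as root. The sample tree it builds is constructed for the demo and stands in for a real /Applications.

```shell
#!/bin/sh
# writable_apps.sh: list *.app bundles under a directory that the current user
# could modify with no password prompt. Added example, not from the original post.
# Assumes a POSIX sh with find, id, mktemp and chmod.

# Print each bundle directly under $1 whose top directory, or any file in
# Contents/MacOS, is owned by the invoking user and has the owner-write bit set.
writable_apps() {
    me="$(id -un)"
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        hit="$(find "$app" -maxdepth 0 -user "$me" -perm -200 2>/dev/null)"
        if [ -z "$hit" ]; then
            # Bundle directory is protected; still flag it if an executable inside is not.
            hit="$(find "$app/Contents/MacOS" -type f -user "$me" -perm -200 2>/dev/null | head -n 1)"
        fi
        [ -n "$hit" ] && printf '%s\n' "$app"
    done
    return 0
}

count_writable_apps() { writable_apps "$1" | wc -l | tr -d ' '; }

# Constructed sample tree: "Vendor.app" left as a drag-and-drop install leaves it
# (owned by the installing user, writable); "Locked.app" with the owner-write bit
# stripped from the bundle and its executable, which is how a root-owned bundle
# looks to an ordinary admin user.
make_sample_tree() {
    root="$(mktemp -d)"
    for name in Vendor Locked; do
        mkdir -p "$root/$name.app/Contents/MacOS"
        printf 'stub\n' > "$root/$name.app/Contents/MacOS/$name"
    done
    chmod 555 "$root/Locked.app/Contents/MacOS/Locked" "$root/Locked.app"
    printf '%s\n' "$root"
}

# Restore write permission before removing, since the locked bundle resists rm -rf.
cleanup_sample_tree() { chmod -R u+w "$1" && rm -rf "$1"; }

# Usage: ./writable_apps.sh /Applications   (uses the sample tree when no arg is given)
if [ "${0##*/}" = "writable_apps.sh" ]; then
    if [ -n "$1" ]; then
        writable_apps "$1"
    else
        t="$(make_sample_tree)"; writable_apps "$t"; cleanup_sample_tree "$t"
    fi
fi
```

Anything this prints is a bundle that a trojan running as you could patch exactly the way the thread describes; a poster above dealt with that by changing the owner of such bundles to root, which needs sudo and is left to the reader rather than run by the script. Note the check looks only at the bundle directory and Contents/MacOS, so a writable Contents or Resources directory is a separate (lesser) finding it does not report.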
 
BakedBeans said:
You are clueless; you have no idea what you're talking about.

We don't have a virus. There is a file (that hardly anyone has) that you can run and give permission to run on your system - big deal. It isn't spreading, it isn't a virus - get over yourself and your ***** OS.

You know, PC ENTHUSIAST is a little too enthusiastic about this Trojan, non virus, for me. Wonder if it's the criminal returning to the scene of the crime?
 
BakedBeans said:
It says different on the front page of MR? You can't change anything damaging without a PW anyway, can you?
A few important points from Andrew Welch's observations:

"-- At this time, I would classify this as a Trojan, not a virus

-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system

-- It requires the admin password if you're not running as an admin user, otherwise it can't copy its payload into your applications

-- It is a PPC executable, and appears to fail on Intel executables

-- We don't yet know what the code does that executes when you launch an application after this trojan has done its thing"
 
iMeowbot said:
Correct. Think of it as the equivalent to one of those programs that you simply drag out of a disk image, no installer or password prompt required.
You mean you don't get one of those "annoying" warnings that you're about to run <insert application name here> for the first time, and whether that was what you meant to do, when you try to run an application for the first time...? :confused:
 
Is there someone who can PM me a link to that file? I would like to know what exactly its behavior is. I joined the original thread a couple minutes after the posted link got deleted.
 