Mitthrawnuruodo said:
You mean you don't get one of those "annoying" warnings that you're about to run <insert application name here> for the first time and if that was what you meant to do, when you try to run an application for the first time...? :confused:
Only if I try to run it indirectly by opening a document.
 
BakedBeans said:
You cant change anything damaging without a PW anyway can you?
Of course you can... you can wipe the entire home folder of whatever user is running, and probably a large portion of /Applications and /Library, too, all of it if you're an admin... but you still have to start it yourself (for now, anyway)... ;)
 
Could somebody please provide a literal step-by-step (screenshots included, if possible...) process for those who either aren't currently on a Mac (like me) and can't follow previous directions accurately or who are a bit confused by some of the previous directions?

I know that the generals have been covered, but specifics would be nice to have in one, consolidated post, covering creating a new admin user, changing admin->regular user, changing permissions for applications, etc., repairing permissions, showing file extensions, checking for .app downloads, and/or anything else I may have forgotten to help Mac users completely prevent themselves from this Trojan as much as we can with the knowledge that we have of it right now.

Thanks!
 
Mitthrawnuruodo said:
You mean you don't get one of those "annoying" warnings that you're about to run <insert application name here> for the first time and if that was what you meant to do, when you try to run an application for the first time...? :confused:

As I understand it, you only get those if you double click on a data file (say an image) that has an application (let's call it "PhotoEdit") set as its default app.

Double clicking the image will then try to open the "PhotoEdit" app, and if it's the first time "PhotoEdit" has been opened from that image, it'll give you that warning. In other words, they appear for when you run a data file that then forces an application to load.

It appears this file hiding as a .jpg is an application itself, so those warnings don't apply.

dana
 
iMeowbot said:
Only if I try to run it indirectly by opening a document.
Ok... I thought it was all the time... but then I rarely run new and unknown executables (especially not those posted by unknown newbies and masked as an image)... ;)
danamania said:
As I understand it, you only get those if you double click on a data file (say an image) that has an application (let's call it "PhotoEdit") set as its default app.

Double clicking the image will then try to open the "PhotoEdit" app, and if it's the first time "PhotoEdit" has been opened from that image, it'll give you that warning. In other words, they appear for when you run a data file that then forces an application to load.
Yeah, I got it...

danamania said:
It appears this file hiding as a .jpg is an application itself, so those warnings don't apply.
...still don't know how you can mistake an application for an image file, though... :rolleyes:
 
As far as I read the different threads, I cannot discover if this Trojan affects anything on the OS X system?
Can someone please tell me if it does or doesn't?

Thanks!
 
If you're a new (or soon-to-be) Mac user, things are much less complicated. Simply don't use the main account for regular stuff. Create a second account and go to town -- if you just take the defaults on secondary accounts, you'll already be safe from the stuff under discussion here.

The only reason that I gave the more complicated steps was so that people who have been using their admin accounts for a while wouldn't run into weird access problems with their existing files.
 
California said:
You know, PC ENTHUSIAST is a little too enthusiastic about this Trojan, non virus, for me. Wonder if it's the criminal returning to the scene of the crime?

Nah, if he'd spent enough time on a Mac to learn how to make one of these he wouldn't say such things. And he would know you can plug in just about any mouse to a Mac...
 
iMeowbot said:
If you're a new (or soon-to-be) Mac user, things are much less complicated. Simply don't use the main account for regular stuff. Create a second account and go to town -- if you just take the defaults on secondary accounts, you'll already be safe from the stuff under discussion here.

The only reason that I gave the more complicated steps was so that people who have been using their admin accounts for a while wouldn't run into weird access problems with their existing files.

That's completely understandable, however, I'm hoping to undertake all these steps, complicated included, on my brother's computer, and, since I happen to be restricted to using a PC right now, I'd really like some consolidated directions as to what he should do, or I should do for him when I would do this.

If anybody can provide these detailed directions, and is willing to, feel free to take some time, and if you could either post 'em or PM them to me, that would be great.

Thanks!
 
xsedrinam said:
A few important points from Andrew Welch's observations:

"-- At this time, I would classify this as a Trojan, not a virus

-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system

-- It requires the admin password if you're not running as an admin user, otherwise it can't copy its payload into your applications

-- It is a PPC executable, and appears to fail on Intel executables

-- We don't yet know what the code does that executes when you launch an application after this trojan has done its thing"

The reason it only works for PPC is because it was compiled with gcc 3.3 instead of 4.01
gcc 3.3 does PPC and gcc 4.01 does Intel.

This leads me to believe the person lacks the expertise to compile with 4.01 and is using a PPC.
 
PC Enthusiast said:
Noob Alert, Noob Alert...<red light flashing> beep beep beep beep beep.

<The noob can't right click>

PC Enthusiast said:
I don't see how you could use something that is not ergonomic or functional. I also think it looks horrible, but that's personal preference, I guess.

If these malicious people that write viruses felt the need to write them for the small mac user base they could do it, and one coder already did.

I am a gamer so I would never go to Mac. I've never gotten a virus...ever. I can play all the games I want and still do everything you can do on a Mac. So...why would I switch to a platform where it is hard to upgrade the hardware, if not impossible?

Glad you guys finally got Intel chips...We've had them for years. It's too bad you have to go buy a new computer to get one. ;)



Why are you here on Mac Rumors anyhow? I mean, why in the world would a Windows fanboy visit our domain? The answer is to waste time trolling, huh? At least get your facts straight about the Mac platform first. ;)

I'm not worried about this trojan. I've always been cautious about downloading suspicious files, as everyone should be no matter which platform you're using.
 
I think Apple should really force any user to set up 2 accounts with every new install of OSX, and inform the user why he should not make the admin account the main one, plus a popup that asks if you trust the source every time you run an app for the first time.
 
mad jew said:
This is an OS-level vulnerability, not a CPU-level one. :)
How do you mean 'vulnerability'? Is installing a program a 'vulnerability'? This isn't a virus, it doesn't install itself in the core system. This is just a program that you install like other programs. That someone just renamed the freakin' application is all that is different from, say, iTunes. Just don't install something when you expect it to be a jpg. A JPG does not ask for an admin password; an application does.
 
MarcelV said:
How do you mean 'vulnerability'? Is installing a program a 'vulnerability'? This isn't a virus, it doesn't install itself in the core system. This is just a program that you install like other programs. That someone just renamed the freakin' application is all that is different from, say, iTunes. Just don't install something when you expect it to be a jpg. A JPG does not ask for an admin password; an application does.

Not all applications do, and this application doesn't.
 
Mitthrawnuruodo said:
...still don't know how you can mistake an application for an image file, though... :rolleyes:

By manually setting its icon to look like a standard Preview .jpg - that'll be enough to fool most people most of the time :)

(especially if they're expecting the archive they just downloaded to contain images & all)
 
danamania said:
By manually setting its icon to look like a standard Preview .jpg - that'll be enough to fool most people most of the time :)

(especially if they're expecting the archive they just downloaded to contain images & all)
Why...? Even if you've turned off "Show all file extensions" (which in itself is a bad idea), Finder is designed to show the .app suffix anyway if you have an application with a period in its name followed by a valid file suffix, like jpg, asp, html or whatever.

Try it. Turn off file extensions, copy an application to your desktop (or wherever), e.g. Preview.app. That will then show up as Preview. But if you rename it to Preview.jpg it will suddenly show as Preview.jpg.app, even though showing file extensions is off...

This is not a new trick, people... :rolleyes:
 
Mitthrawnuruodo said:
Why...? Even if you've turned off "Show all file extensions" (which in itself is a bad idea), Finder is designed to show the .app suffix anyway if you have an application with a period in its name.

Try it. Turn off file extensions, copy an application to your desktop (or wherever), e.g. Preview.app. That will then show up as Preview. But if you rename it to Preview.jpg it will suddenly show as Preview.jpg.app, even though showing file extensions is off...

This is not a new trick, people... :rolleyes:

*but* not all executables are .apps - .apps are one specific kind of bundle that's executable.

Other executables are just files with the x (execute) bit set, so they won't appear as .app because there is no extension on the filename to begin with. The program in this case (according to http://www.ambrosiasw.com/forums/index.php?showtopic=102379 ) is one of these kinds of non-.app executables, just called "latestpics" with nothing else in the filename.

On top of that, file extensions are turned off by default in Tiger, so default users are used to using those default settings on their default desktops - they'll see a default preview jpeg icon with the default no extensions, just like all other jpegs that have passed by their desktop with no extensions and a default preview jpeg icon.
 
Mitthrawnuruodo said:
No .jpg...? Well that doesn't seem suspicious... :rolleyes:

Since OSX doesn't show .jpg (or any other extensions) by default, to most people it'll look exactly like all the other valid jpegs.

It won't catch out people who're alert and who have modified their settings to show extensions, or to give images preview icons, or who have set a few other non-default settings - but that's not most of us!

Even then plenty of valid jpegs can be saved with no file extension, especially if you're an old-world mac user who's come to OSX from os9 or before where nothing needed a file extension and creator/type codes in the resource fork handled all the file ID for you :)
 
No virus, guys...

Just to let you know, I used to be moderator of a Mac-related forum in Brazil, and we were always trying to enforce strict policies regarding pirated files and piracy links in the forum.

This caused great "commotion" among some users that pretended to be hacker wannabes or piracy supporters...in reaction, they sent to all moderators (under fake email addresses, of course) a UNIX script disguised under PDF format, saying that it was a new "manual for moderators" or so...

At that time I was working like crazy, and just opened the file on my iBook without checking anything...if I recall correctly, it did not ask for my password because I was probably in that 5-min grant period after logging in with my username...bottom line? The script worked and erased some of my Home files (mainly my email account and user configs)...this was annoying, of course, but fortunately I had a fairly recent backup of my messages.

What I wanna say is that this is NOT a virus, but simply a case of social engineering trojan...this can happen to any OS, because it's simply working on the grounds of a user's action (and authorization). Just be careful as you normally are, guys...
 
danamania said:
Since OSX doesn't show .jpg (or any other extensions) by default, to most people it'll look exactly like all the other valid jpegs.

And here's a fun trick:

cp /bin/ls ~/'thingy.jpg '

(white space is intentional)

Then get info, give yourself write permission, and paste on your favorite icon.
 
iMeowbot said:
And here's a fun trick:

cp /bin/ls ~/'thingy.jpg '

(white space is intentional)

Then get info, give yourself write permission, and paste on your favorite icon.

Oooh, icky. Looks perfectly .jpg-like unless you're REALLY looking hard for that particular trick.

Always something to catch you out...

dana
 
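Between them, the posts above describe three ways a program slips past a glance at its icon: a .app renamed so Finder appends the real suffix, a bare Unix executable like "latestpics" with no extension at all, and iMeowbot's 'thingy.jpg ' trailing-space trick. As an added example (not from the thread or from any of the posters), this POSIX shell function classifies a downloaded file by its name, its execute bit and its first bytes before you open it; the function names, verdict strings and sample files are ours, and the ELF magic is included only so the check also runs on Linux.

```shell
# Classify a downloaded file before double-clicking it (added example).
# Verdicts: "image" (exit 0), "suspicious" (exit 1), "executable" (exit 2).

# First 4 bytes of a file as lowercase hex, e.g. "ffd8ffe0" for a JPEG.
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# True if the bytes say JPEG, PNG or GIF, whatever the filename claims.
looks_like_image() {
    case "$(magic_hex "$1")" in
        ffd8ff*)  return 0 ;;   # JPEG: FF D8 FF
        89504e47) return 0 ;;   # PNG
        47494638) return 0 ;;   # GIF8
        *)        return 1 ;;
    esac
}

# True for Mach-O (either endianness, 32/64-bit), a fat binary, an ELF
# binary (so the check also works on Linux) or a "#!" script.
looks_like_executable() {
    case "$(magic_hex "$1")" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) return 0 ;;
        7f454c46) return 0 ;;   # ELF
        2321*)    return 0 ;;   # "#!" interpreter line
        *)        return 1 ;;
    esac
}

inspect_download() {
    f=$1
    base=${f##*/}
    # The 'thingy.jpg ' trick: the real name ends in whitespace.
    case "$base" in
        *' ') echo "suspicious"; return 1 ;;
    esac
    # Content is a program, whatever the icon looks like ("latestpics").
    if looks_like_executable "$f"; then
        echo "executable"; return 2
    fi
    # An execute bit on an "image" is never legitimate.
    if [ -x "$f" ]; then
        echo "suspicious"; return 1
    fi
    if looks_like_image "$f"; then
        echo "image"; return 0
    fi
    echo "suspicious"; return 1
}
```

Run it as `inspect_download ~/Downloads/somefile` on anything that arrived by IM or e-mail; only "image" with exit status 0 means the content actually is a picture.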
Tymmz said:
Is it a virus?

Yes. It is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. It is also a worm - it sends itself to other hosts (via iChat and possibly via email and other IM).

It remains to be seen whether it is benign or destructive (malignant - with a delayed 'bomb' payload).

Fortunately, the virus doesn't currently* seem to exploit an OS vulnerability and so requires a social trick (disguising itself as a picture) or a recently-authorised computer in order to affect its host. It probably isn't coincidence that it was posted at the same time people were updating to 10.4.5.

*I say currently as it is now only a matter of time before the original author or another cracker exploits an OS vulnerability to bypass the reliance on social trickery.
 
danamania said:
Since OSX doesn't show .jpg (or any other extensions) by default, to most people it'll look exactly like all the other valid jpegs.

It won't catch out people who're alert and who have modified their settings to show extensions, or to give images preview icons, or who have set a few other non-default settings - but that's not most of us!

Even then plenty of valid jpegs can be saved with no file extension, especially if you're an old-world mac user who's come to OSX from os9 or before where nothing needed a file extension and creator/type codes in the resource fork handled all the file ID for you :)
Yes, but they wouldn't necessarily show up with a jpeg icon, now, would they...? Most of those old school files show up with a "blank sheet" icon, until you tell them what application they should be associated with... ;) So I would be suspicious when I saw a file from the net without a suffix, and even more so if it appeared to be associated with an application...

But again... even if you are oblivious to all the little modifications you can do to make your system even more secure, and run from an admin account, without a firewall, no file extensions showing, etc., if you download anything from an unknown source, unzip and untar it and then continue to double-click to open it, without at least examining it to see what it actually is, then you really shouldn't be operating any computer, at least not on-line, should you...?

You cannot protect people from their own stupidity... no matter how hard you try... that's what social engineering is all about... ;)
 