As a wake up call it has been good. Long overdue, I just changed my first account from admin to standard account and created a new admin account.

I am careful with what I open so I don't think in general I would infect myself, but I realise that working continuously as Admin is not that smart. In that respect I am guilty of user stupidity I guess.

I don't remember what the splash screens are like when you get your new Mac, but certainly within accounts in System Preferences how much more clear can Apple be by giving you the option of standard and admin account!

However what I would say is that Apple don't explain certain things very clearly to the layman/first time user when it comes to the advantages of Mac OS X security. They should assume we are all very dumb and by default you should be obliged to set up two accounts when you first take possession of your Mac. The average Joe will go all weak at the prospect of electing to work daily within an administrator account (where you can break things totally) so they would use the standard account no problem and just have to accept that to be safe they have to input their passwords a lot at the start, but less as they get in the swing with their favourite apps. On the other hand, power users will know what they are letting themselves in for as admins, and good power users would still work daily in a standard account anyway. So that obligatory two accounts setup would cut out loads of backtracking switching accounts mid stream like what I and my work colleagues just did.

Also not being sanctimonious, although it does come easy, Apple should make a carefully worded splash screen that says they do everything possible to secure the system, but they cannot legislate for dumbasses who work from an admin account and willy nilly download and open potentially malicious applications hidden in ***** from kazaa or complete strangers etc.

And also slightly off topic, but still on security, I wonder what it is with people saying Apple are better than MS because Macs are more secure out the box. I have had to activate the firewall each time I installed a new system. Equating the average user to my mother, the average user really needs to turn on their Mac and not have to even think where to look for the firewall button. If power users are offended by this hand-holding, sorry, but I think Apple can do lots still to secure the system for the masses with minimal inconvenience to all.
 
Well, strictly speaking it is a trojan.. which basically exploits some old tricks that Windows users had many years ago (exe files with special icons to fool you).

It can do a nasty bit of damage but at the very least it is nothing like what we used to have over the dark side, what with stuff like Back Orifice and SubSeven. Now those are some wicked trojans.
 
So what exactly is it? what does it do? I think about the most pathetic virus in history is one that just does nothing. like you'd go up to it... "excuse me, what are you doing here?" "well. um.. I was told to sit here but I can go if you want?" "really? well it's just I've got some friends coming ov..." "oh no mate it's cool it's cool" *toddles off*

:D Excellent analogy!

raggedjimmi said:
Well that was a fun welcome to the new day!
"OSX has a virus!!!"
"...it's not virulent or malicious"
"........it's not a virus"

There seems to be a reluctance among the Mac fanboys to call this a virus. The definition [1,2,3] seems to be quite clear.

I'm not sure whether Andrew has completed his analysis or not, but if he has then it would seem that this malware doesn't contain a bomb and thus is benign (with the exception of unintentionally breaking any application it infects).

One of Andrew's comments is a little unclear - I'm not sure whether the malware tries to replicate and succeeds or tries to and fails. If the former, it is a 'virus', if the latter it is an 'intended virus'.

There is nothing in the definition of virus which requires automatic propagation without user interaction (indeed, before it was common to have computers networked together, manual activation was a prerequisite for propagation of any virus).

It isn't just a trojan - it replicates
It isn't a worm - a worm doesn't need manual interaction to propagate whereas a virus does (in this sense, a worm is more serious than a virus).

[1] http://en.wikipedia.org/wiki/Computer_virus#Definition
[2] http://dictionary.reference.com/search?q=computer virus
[3] http://www.google.com/search?client=safari&rls=en&q=define:+computer+virus&ie=UTF-8&oe=UTF-8
 
Virus Wars: Episode I, The Phantom virus

Steve-won Kenobi and compatriot Bill Skywalker (son of Darth Vader) are riding through the dunes of Tatooine and arrive at Mos Eisley.

The speeder is stopped on a crowded street by several combat-hardened MacRumors troopers who look over the two viruses. A Trooper questions Bill.

TROOPER: How long have you had these viruses?

Bill: About three or four versions.

Steve: You can have a copy too if you like.

TROOPER: Let me see your identification. (demands the trooper holding a JPEG clip folder).

Bill becomes very nervous as he fumbles to find his ID while Steve speaks to the Trooper in a very controlled voice.

Steve: You don't need to see his identification on windows. Just log-in as guest.

TROOPER: We don't need to see his identification. We'll log-in as guest.

Steve: These are not the viruses you're looking for.

TROOPER: These are not the viruses we're looking for.

Steve: He can go about his business with Vista.

TROOPER: You can go about your business with Vista.

Steve: (to Bill) Move along. Nothing to see here.

TROOPER: Move along. Move along.
 
billyboy said:
As a wake up call it has been good. Long overdue, I just changed my first account from admin to standard account and created a new admin account.

Is it possible to elevate your privileges as a standard user to an admin user by running a process as admin?

I don't know, personally I'd prefer to just stay logged in as one user always and only run apps using the more privileged account as needed.
 
I've tried to read most of the posts, but I haven't read all of them, so forgive me if these things have been said:

(1) Apple should ask users to enter a password for an admin account upon initial setup of their Macs - note that 'admin' is already a reserved account, and simply creating one with that name automatically makes it an administrator. Apple could simply make the creation of that account easy - just tell it the password - and then go on to allow the creation of a normal, non-admin account. Software update could launch an app to do just that for current Macs. Most users would experience only minor inconvenience. (Edit: forgot to say: and make the standard initial account not have admin privs)

(2) Anything which is an executable should be identified as such graphically, regardless of the extension. Clearly, the Mac knew it was an executable, but showed it as an image.

Simple stuff, really.

And exploits like this have been around forever - on any UNIX platform. Why do people act like it's new? What the script did, exactly, is new, but the concept is old, and I suspect most Apple developers or people using Xcode or even Terminal could replicate this "virus" and could have done something similar ever since OS X came out.

This isn't the news it'll end up seeming to be.
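An illustration of point (2) in the post above, identifying a file by its content rather than by its name: this is an added example, not part of the original thread. It flags image-named files whose leading bytes are a Mach-O binary, a universal binary or a shebang script; the file names and sample bytes are constructed, and it does not inspect custom icons.

```python
import os
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of genuine image formats.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Leading bytes of things the OS will run: Mach-O (32/64-bit, both byte
# orders), universal (fat) binaries, and shebang scripts.
EXEC_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
              b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"#!")

def classify(path):
    """Return a reason string if an image-named file is not an image, else None."""
    if os.path.splitext(path)[1].lower() not in IMAGE_EXTS:
        return None  # only files that claim to be images are checked
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(EXEC_MAGIC):
        return "executable content behind image extension"
    if not head.startswith(IMAGE_MAGIC):
        return "content does not match any known image header"
    return None

def scan(root):
    """Walk root and return {relative_path: reason} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings

def build_samples(root):
    """Write constructed sample files (headers only, not real malware)."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG header
        "preview.jpg": b"\xfe\xed\xfa\xce" + b"\x00" * 16,  # Mach-O header
        "shot.png": b"#!/bin/sh\necho constructed\n",       # shell script
        "notes.txt": b"#!/bin/sh\n",                        # not image-named
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for path, reason in sorted(scan(tmp).items()):
            print(f"{path}: {reason}")
```
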
 
uncle_sam_ie said:
How do I check to see if my mac is infected? Should I do a spotlight search for a latestpics.tgz file?

Did you download, untar and run the file posted here? If you didn't, there's absolutely no chance you could be infected.
 
andysmith said:
Did you download, untar and run the file posted here? If you didn't, there's absolutely no chance you could be infected.

Well, I remember seeing something about screen shots for leopard. I don't know if it was here or on digg. When I click the link there was nothing. I think I went off line after that. I certainly did not download and give my password to run a file. But for peace of mind, is there a way to know for sure if it's on my mac? Also, I was running in Admin and using Safari.
 
LOL.

Now I see paranoid people "How do I know if I have this 'virus'", "I'm installing Norton Anti Virus asap"....

Just like windows users - something odd happens to their machine and they automatically think "virus".

It's unlikely you have this virus / trojan.
 
I think what this trojan and/or virus illustrates is that relatively obvious trojans like this one can fool people. I don't believe "Be careful what you download" cuts the mustard as a security policy - anyone can be fooled, if the programmer takes the time and effort.

If the trojan appears to be a genuine product, people WILL enter their admin passwords.
 
generik said:
Is it possible to elevate your privileges as a standard user to an admin user by running a process as admin?

I don't know, personally I'd prefer to just stay logged in as one user always and only run apps using the more privileged account as needed.

Yes I believe so...

To me it seems Apple needs to do a few things to improve security on OS X... I mean you can't expect most users not just to type their password etc. but also most users won't want 10.5 pics so we're safe with this one!

#1 switch on the firewall by default (if this isn't already done)

#2 make it clear that if the password box is unexpected (eg you're not installing anything) that you should *NOT* type in your password.

#3 Make admin privileges only for the app that asks for them, and end them when it closes.

#4 make it compulsory to have a secure password (eg one that passes a password checker thing and isn't blank) on the admin account

#5 display a dialog the first time a non document file (eg script/app/executable/unix app/whatever etc.) is opened for the first time make it clear to cancel if it is unexpected (and possibly add a submit to Apple option), to stop annoying people too much things should be whitelistable by Apple and possibly trusted third parties such as Microsoft/Adobe/Mozilla etc...

#6 let Anti Virus software (eg Virus barrier/norton) use Software Update
 
jsw said:
(1) Apple should ask users to enter a password for an admin account upon initial setup of their Macs - note that 'admin' is already a reserved account, and simply creating one with that name automatically makes it an administrator. Apple could simply make the creation of that account easy - just tell it the password - and then go on to allow the creation of a normal, non-admin account. Software update could launch an app to do just that for current Macs. Most users would experience only minor inconvenience. (Edit: forgot to say: and make the standard initial account not have admin privs)

(2) Anything which is an executable should be identified as such graphically, regardless of the extension. Clearly, the Mac knew it was an executable, but showed it as an image.

I didn't see these but I agree with (1)
Though with (2) how do you identify an app, they all have different icons and work out that it was using the JPEG image??
 
Eraserhead said:
Though with (2) how do you identify an app, they all have different icons and work out that it was using the JPEG image??

Perhaps the Finder could draw a little A symbol or something over an icon's corner, much as it now draws a little arrow for aliases/symlinks.
 
What I would find very useful is a built-in utility to show which applications and processes are reading/writing to the network at any time. It always freaks me out when my network switch's lights are blinking like crazy yet I don't have any applications launched. :eek:
 
It's NOT a virus.

This is a Trojan script. Not a virus.

You have to execute it yourself, and that is why this is NOT A VIRUS.
 
billyboy said:
As a wake up call it has been good. Long overdue, I just changed my first account from admin to standard account and created a new admin account.

So, if I change my current user account (admin) to a standard account it will prevent me from being infected by any kind of "known" trojan or virus?
 
johnadurcan said:
Steve-won Kenobi and compatriot Bill Skywalker (son of Darth Vader) are riding through the dunes of Tatooine and arrive at Mos Eisley...

LMFAO!!!

That was a very good one johnadurcan!

I really liked it a lot!
 
iMeowbot said:
Perhaps the Finder could draw a little A symbol or something over an icon's corner, much as it now draws a little arrow for aliases/symlinks.

Files should be "file shaped". Folders should be "folder shaped". Applications should have an irregular shape. It should be possible to prevent applications having an icon with an outline (mask) that resembles that of a file or directory.
 
mdavey said:
There seems to be a reluctance among the Mac fanboys to call this a virus. The definition [1,2,3] seems to be quite clear.

Cite all the M$ apologetic net sources you want regarding what YOU define as a virus, but as this thing can't propagate on its own, it is, sorry to break it to you, not a virus. Think of the cold or the flu, it doesn't ask for permissions before you become sick, hence, it's a virus. When there's a Windoze thing going around (which is practically weekly) that attacks the computer without any interaction other than opening up email or in some cases through the IP address... virus. As far as things on a peecee you have to click on to infect there's tons of those out there, a person could practically get one every day by turning off security, but by no means is that a virus... not even a peecee luser would call it such... it's a trojan.
 
scottlinux said:
It's NOT a virus.

This is a Trojan script. Not a virus.

You have to execute it yourself, and that is why this is NOT A VIRUS.

Its initial "installation" method means it's a Trojan, as it's an executable masquerading as something else so as to get the user to download and execute it.

Once run, it attempts to propagate itself, hence it's a virus.

It's not a Trojan, or a virus. It's both.
 
Has anyone actually reported this to Apple via BugReporter? And attached the file?

It's no good saying Apple should do this, Apple should do that if Apple don't even know what's going on.

AppleMatt
 
Exactly...

Windowlicker said:
If the details are correct, we're still not talking about a virus, but a trojan horse. You still have to open it yourself so that it can run.

This doesn't mean it isn't a bad thing.

Probably anyone of us here could have written something similar and have it do more bad things. It would probably even work if we gave it the title, "Watch your computer die." Somebody would open it and have it execute. :rolleyes:
 
Photorun said:
Cite all the M$ apologetic net sources you want

Wikipedia
American Heritage® Dictionary of the English Language
Free On-line Dictionary of Computing
Jargon File 4.2.0

Hardly M$ fans.

it's a trojan.

Trojan horse: a malicious program that is disguised as legitimate software. Trojan horse programs cannot replicate themselves.

Whatever.
 
This stuff is kind of scary... I'm always bragging about how the Mac has no viruses or spyware. Am I still able to say this without having to hide something? I've seen a few posters mention that something like this has been done before and it is nothing new. Is this true? I sure hope it is, because well quite frankly, I like not having to run virus/trojan/worm/spyware software regularly.

Thanks! :)
 