[MERGED] OS X Malware?
It appears that someone has finally created a somewhat successful piece of malware for OS X. It seems that it may actually be able to self-propagate, but it does need a password unless you are running as the admin. Check out the link below to read about it over on Mac Rumors. It has also shown up on Digg.
http://www.macrumors.com/pages/2006/...16005401.shtml
Comments
- Originally posted by Alcimedes at 'Nova -
http://www.ambrosiasw.com/forums/ind...owtopic=102379
Moki is informative, as usual.
Definitely a case of "user intervention/social engineering required" and not a pure virus.
You must willfully choose to click, expand, and open the suspect "latestpics.tgz" file.
It is neither independently self-propagating nor auto-infecting... you must click it into action.
Hopefully the Apple security team takes this shot across the bow seriously and starts battening down any potentially leaky hatches.
Honestly, I'm surprised MSFT hasn't covertly paid some cabal of offshore hackers to drum up some OS X malware, just to balance the media focus re: Windows security issues.
Originally posted by imiloa
Honestly, I'm surprised MSFT hasn't covertly paid some cabal of offshore hackers to drum up some OS X malware, just to balance the media focus re: Windows security issues.
What makes you think they aren't? I also suspect that most of these things come from anti-virus companies trying to get a foothold in the Mac market.
This type of news just pisses me off. This is not a virus! Anyone who opens up packages that claim to be illegal advance photos of a non-existent product deserves to have something happen to their system. This thing doesn't qualify. It is just that the media is so eager for a Virus On The Mac story that they will latch on to anything. If this is the best they can do, then we are still safe for the foreseeable future. Move along. Nothing to see here.
It is classified as a worm and is spreading through iChat.
Do not open a file called "latestpics.tgz" forwarded from iChat!
See this for more info:
SOPHOS
Symantec
News confirmation from:
MacWorld
WashingtonPost
Of course eventually one would come. It seems weak but a good reminder to always be careful when online.
edit: if it matters I am running 10.3.9 with an eMac 1.42GHz
the "virus" was deleted (hopefully) within 12 hours
no screen shots, i didn't think of that
Originally posted by imiloa
Honestly, I'm surprised MSFT hasn't covertly paid some cabal of offshore hackers to drum up some OS X malware, just to balance the media focus re: Windows security issues.
There is a company which has allegedly funded a cabal of hackers to drum up some OS X malware...
Their name is INTEGO... (what a coincidence they sell OS X antivirus tools of heretofore questionable use).
Search for "renepo" to read some of the allegations.
It's not a virus.
It's a trojan, and the user must actively choose to unpack the zip, then run the app disguised as a jpeg.
Two sets of double-clicking are required. It does not auto-infect or self-propagate without users choosing to run it.
As long as you don't willfully run questionable downloads, you're still safe.
User error can and always has been a means to screw yourself... doesn't make it a virus.
Originally posted by curiousuburb
It's a trojan, and the user must actively choose to unpack the zip, then run the app disguised as a jpeg.
Doesn't Safari open archives by default?
Did I understand correctly that the malicious code is stored in the resource fork or does it only contain the information used to disguise the "virus" as an JPEG image? If the code is in the resource fork, why is it possible to place executable code there?
Why is it possible for software to make security-relevant changes without user permission? You are asked for permission only when unpacking the archive, not when "opening" the image.
Originally posted by curiousuburb
As long as you don't willfully run questionable downloads, you're still safe.
User error can and always has been a means to screw yourself... doesn't make it a virus.
What if the "questionable" download comes from a trusted source under a "harmless", "trustworthy" file name? One of the most common ways of distribution in the Windows/Outlook world.
IMO, software from whatever source should be executed in a sandbox only, unless it comes from a trusted source verified by certificates or explicit permission from the user - similar to the way SSL connections are established.
Originally posted by i-am-an-elf
ya, i downloaded the virus and didn't think anything of it when it asked for my permission and typed in my password. there was an error message that said permission denied. I searched for every file created today and secure deleted the trash. I've had no problems. It's my own fault if anything happens. looking back, how dumb was I to enter my password for an image file?
edit: if it matters I am running 10.3.9 with an eMac 1.42GHz
the "virus" was deleted (hopefully) within 12 hours
no screen shots, i didn't think of that
According to Intego's Q&A, the Trojan only affects OS 10.4.
Originally posted by gobble gobble
According to Intego's Q&A, the Trojan only affects OS 10.4.
that's why when i downloaded it and opened it nothing happened. but come on, you gotta be pretty dumb (or curious, since i didn't even think of a virus) to double click twice on an icon and enter an admin password on something you thought was a set of pictures
edit: how come appleinsider hasn't posted anything official on this? it's kinda big. any thoughts?
Originally posted by RolandG
Doesn't Safari open archives by default?
No, there's a tickbox in the Safari prefs for "automatically open 'safe files' after downloading"...
IIRC, it has been unticked by default for a few versions now (as it should be for security conscious folks)
And IIRC, tar/gzip files aren't in the automatic open list... user must double-click to open them.
Did I understand correctly that the malicious code is stored in the resource fork or does it only contain the information used to disguise the "virus" as an JPEG image? If the code is in the resource fork, why is it possible to place executable code there?
If you read the ambrosiasw link above, Andrew/Moki seems to confirm that the resource fork is purely the camouflage jpeg icon... the actual package is in the data fork.
Why is it possible for software to make security-relevant changes without user permission? You are asked for permission only when unpacking the archive, not when "opening" the image.
It depends on the user being admin/root (it actually performs a UID check).
Security conscious users should never be admin while browsing.
If you're not logged in as admin, double clicking the jpeg containing the malware will ask for authentication (or merely try to bork the /InputManager subdir (which won't do much for non-admin users))
It depends (like Win malware does) on users either being admin or blindly authenticating downloads... (and who authenticates a .jpg anyway)
What if the "questionable" download comes from a trusted source under a "harmless", "trustworthy" file name? One of the most common ways of distribution in the Windows/Outlook world.
Caveat downloador
This malware purports to be leaked Leopard screencaps... as if.
They're social engineering the suckers who are jonesing for a leak... how is that "trustworthy"?
IMO, software from whatever source should be executed in a sandbox only, unless it comes from a trusted source verified by certificates or explicit permission from the user - similar to the way SSL connections are established.
Smart advice...
An alternative sandbox is provided by the multiple users framework where you can be a non-admin user (but always enter admin logon/pw for legitimate installs).
Originally posted by curiousuburb
If it seems too good to be true, it probably is.
This malware purports to be leaked Leopard screencaps... as if.
They're social engineering the suckers who are jonesing for a leak... how is that "trustworthy"?
What I meant by "trustworthy" source and name is that for example the mail comes from someone you correspond with regularly and that the malicious name and form of the file attached fit into the context of your correspondence.
Will we from hereon be forced to use resource consuming virus scanners in order to get our e-mails scanned to prevent just that?
Originally posted by curiousuburb
Smart advice...
An alternative sandbox is provided by the multiple users framework where you can be a non-admin user (but always enter admin logon/pw for legitimate installs).
I like the way OS X asks for your PW even when working as admin every time you install software or change system preferences. But this is obviously not enough...
Even if you work as a regular user, how can you tell that you just executed malicious code (even if it just affects your user account)?
And from an ease of use standpoint, a user should not be forced to switch between accounts when there are other and more convenient ways to ensure security.
Originally posted by RolandG
What I meant by "trustworthy" source and name is that for example the mail comes from someone you correspond with regularly and that the malicious name and form of the file attached fit into the context of your correspondence.
Someday these attacks will become smart enough to make these things fit into the context of people's regular correspondence but so far I have never seen anything that comes close. I have gotten a reasonable number of emails purporting to be from friends that contain viruses or spam. But I have never gotten such an email that came close to matching the purported sender's writing style (e.g., my dad just isn't going to pop me a quick note to show me the latest Leopard screen shots). It may become hard to tell something is fraudulent but right now it really isn't.
Originally posted by JBL
Someday these attacks will become smart enough to make these things fit into the context of people's regular correspondence but so far I have never seen anything that comes close. I have gotten a reasonable number of emails purporting to be from friends that contain viruses or spam. But I have never gotten such an email that came close to matching the purported sender's writing style (e.g., my dad just isn't going to pop me a quick note to show me the latest Leopard screen shots). It may become hard to tell something is fraudulent but right now it really isn't.
I guess most people are smart enough not to open every attachment from every mail they get, no matter how suspicious the circumstances may be. But quite a few are not: it is quite common in office environments to send/receive "funny" movies, presentations and pictures to/from virtually everybody on the planet. And they do get opened...
Mac OS X Mail.app will warn you if an attachment is an executable. I tested it with a shell script that I mailed to myself.
Safari will do the same.
So iChat must not check transferred files, I suppose? Anybody want to send me an executable on AIM via iChat to find out? [email protected]
If that is the case, the fix is simple.
This thing is a Trojan after all, although I got one guy at DSLR who insists that it is a worm because it tries to spread itself.
I reviewed Input Methods in Cocoa and Carbon, and it seems that those could use a bit of protection in terms of what can install them. The ~/Library/InputManagers folder isn't protected, and Launch Services checks that for an input method linked to an app before it launches the app. That's a vector for executing arbitrary code.
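The thread's core detail (a Mach-O executable in the data fork, dressed up with a JPEG icon and a .jpg-looking name) is something a defender can check for by reading a file's leading bytes instead of trusting its name. The script below is an added example, not code from the thread or from any of the vendors it links; the magic numbers are taken from the public JPEG and Mach-O format descriptions, and the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example: classify a file by its first four bytes rather than its
# extension, so an executable wearing a picture name gets flagged.
# Magic numbers (assumed from public format docs, not from the thread):
#   JPEG          ff d8 ff
#   Mach-O 32-bit fe ed fa ce / ce fa ed fe (both byte orders)
#   Mach-O 64-bit fe ed fa cf / cf fa ed fe
#   fat/universal ca fe ba be (also used by Java class files, so treat
#                 a hit as "executable container", not proof of Mach-O)
magic_kind() {
    # od with -N4 is POSIX; tr strips the spacing od adds.
    hex=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$hex" in
        ffd8ff*)                              echo jpeg ;;
        feedface|cefaedfe|feedfacf|cffaedfe)  echo macho ;;
        cafebabe)                             echo fat ;;
        *)                                    echo unknown ;;
    esac
}

# Exit status: 0 = bytes match the claimed image extension,
#              1 = name says image but bytes say executable (the Leap-A trick),
#              2 = not an image name, or content we cannot classify.
check_disguise() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    kind=$(magic_kind "$1")
    case "$lower" in
        *.jpg|*.jpeg)
            case "$kind" in
                jpeg)      return 0 ;;
                macho|fat) echo "DISGUISED EXECUTABLE: $1 ($kind)" >&2; return 1 ;;
                *)         return 2 ;;
            esac ;;
        *) return 2 ;;
    esac
}

# Demo on constructed files: one real JPEG header, one Mach-O header.
demo_dir=$(mktemp -d)
printf '\377\330\377\340' > "$demo_dir/real.jpg"
printf '\316\372\355\376' > "$demo_dir/latestpics.jpg"
for f in "$demo_dir"/*.jpg; do
    check_disguise "$f" && echo "ok: $f"
done
rm -rf "$demo_dir"
```

Run it against a download folder with `for f in ~/Downloads/*; do check_disguise "$f"; done` to flag anything whose bytes contradict its name; it reads only the data fork, which is exactly where the thread says the executable lives.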
Originally posted by Xool
I think it's funny that the latest threat took the guise of Leopard screenshots.