Mac Trojan Horse Disguised as Word 2004
Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004; you should know by now not to open a file from an untrusted source.
Microsoft releases betas. You can download the 64-bit version of Windows XP, and it's good for a year.
click here for the beta
The earlier article dealt with a document file showing the wrong file type because of extension VS resource fork issues.
This is just a case of assigning a different icon to an application. Could be as simple as an rm -rf / shell script with a word icon.
'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta'
That's a likely story...
Come on, people. The only trustworthy source of any public beta software from Microsoft would be a website in the form of "http://*.microsoft.com/*", and there'd likely still be pretenders claiming to be that package floating on Limewire. Don't trust that it's Microsoft software unless you've seen Microsoft say that the distributor is legit.
Yep. It's there. (Though it may be part of the developer bundle, which I have installed also. Of course, the developer bundle comes standard, it just isn't installed standard.)
'Sensible' is a curse word.
This sounds similar to the recent trojan horse proof-of-concept
This is nothing of the sort. The recent warning was for mp3 or other non-executable-looking files carrying a trojan horse payload... that is far sneakier than this. This is simply a program that doesn't do what it claims to do. He expected an executable, he got an executable. And if he really thought that Microsoft would release a public beta through Limewire... well, caveat emptor and all.
Since it only deleted his home directory, it probably wasn't that sophisticated. I'm surprised it didn't attempt to escalate privileges under the guise of an installer and do even more damage.
I suppose I should make a clippy joke here (I'm really tempted), but I actually like office X and am looking forward to the next version.
Do not taunt Happy Fun Ball(TM)
I think you are thinking of a worm.
This is exactly what a trojan is.
Just one of the many definitions:
A destructive program that masquerades as a benign application. Unlike a virus, Trojan horses do not replicate themselves but they can be just as destructive.
Little Snitch is good for preventing anything from phoning home. Does have slightly annoying behavior unless it's registered, however. Anyone know of an OSS program to do this?
No, it doesn't; only if the program wanted to do something that requires root privileges.
ANY user can execute an rm -rf /; it would just fail on all the files the Unix user does not have permissions on.
M.
If you want to e-mail me, use my PGP Key.
If it sounds too good to be true, it probably is.
Dogma - "let's just say we'd like to avoid any empirical entanglements."
I know this is meant to be a joke but this would happen on any platform with a stupid user at the helm. This is nothing like the proof of concept Trojan. It is a classic trojan (malware program claiming to be some useful program). Fortunately, the OSX security model prevented the damage from spreading outside of the home folder. An admin account (default on Home and Pro XP) would have the ability to totally destroy a system whereas Admin accounts on OS X are not root accounts.
Jesus was a compassionate social conservative who called individuals to sin no more.
I don't think your average Windows user would either. Not all Mac users want to "get dirty" with the terminal.
I fought the corporate America, and the corporate America bought the law.
I've been using NeoOffice/J for a little while, and it's far better than the "Official" X11 version. The only down side is that it's an older version that lacks PDF export support. :-( (Of course, the X11 version doesn't have that either.)
Javascript + Nintendo DSi = DSiCade
Yes, but the home folder is all that matters. The way UNIX protects system files is very nice, but the reality is that for most users, the stuff in /home or /Users or /users or whatever your flavor of UNIX uses is what counts. If you trashed my entire computer but left /Users alone, I'd be annoyed and reinstall. If you trashed /Users, I'd be annoyed and restore from backup... but most people don't keep anything resembling decent backups. Especially on a Mac, where it takes twenty minutes to reinstall the OS, the difference between trashing /Users or trashing the entire system is minuscule. Of course, if it's a multi-user Mac, a trojan can only trash the current user's files.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Actually, I think you'll find that it fits the definition of Trojan Horse perfectly.
Just to clear things up for you:
This is pretty clearly a Trojan horse: it advertised itself to the lUser as a copy of Microsoft Word in order to gain access to his system. The payload of the unwanted software (be it virus, worm, Trojan, or something else) is irrelevant to its classification.
All's true that is mistrusted
This trojan runs everyone's favorite command:
rm -rf ~
I'd advise protecting yourself and alias rm to 'rm -i'. Either that or choose to not run applications with fruity MS icons that you download from p2p =)
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
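The two points made in this thread, that a bundle can wear any icon it likes (so it could be a shell script with a Word icon) and that this particular trojan just runs rm -rf ~, both suggest the same defensive check: look at what the bundle actually contains before double-clicking it. The script below is an added example, not code from the thread, Macworld or Intego. It reads the bundle's Info.plist for the declared main executable (the real CFBundleExecutable and CFBundleName keys), checks whether that file is a Mach-O binary or a plain script by its first bytes, and, if it is a script, flags recursive rm commands aimed at the home directory or the root. The bundles it inspects are constructed in a temporary directory so it runs offline on any OS; the function names are this example's own.

```python
"""Inspect a macOS .app bundle instead of trusting its icon (added example)."""
import os
import plistlib
import re
import tempfile

# First four bytes of Mach-O files: 32-bit, 64-bit (both byte orders) and fat.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

# "rm" (not part of a longer word or path), any number of flags, one target.
RM_RE = re.compile(r"(?<![\w./-])rm\s+((?:-\S+\s+)*)(\S+)")
HOME_TARGETS = {"~", "~/", "$HOME", "$HOME/", "${HOME}", "${HOME}/", "/"}


def _is_recursive(flag):
    """-r, -rf, -fr, --recursive all mean recursive deletion."""
    if flag.startswith("--"):
        return flag == "--recursive"
    return "r" in flag[1:].lower()


def find_destructive_commands(text):
    """Return (line_number, command) for recursive rm aimed at ~ or /."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in RM_RE.finditer(line):
            flags = m.group(1).split()
            target = m.group(2).strip("\"';&|")
            if any(_is_recursive(f) for f in flags) and target in HOME_TARGETS:
                hits.append((lineno, m.group(0).strip()))
    return hits


def classify_executable(path):
    """'mach-o' for a native binary, 'script' for a #! file, else 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def inspect_bundle(bundle):
    """Report what Contents/MacOS/<CFBundleExecutable> really is."""
    contents = os.path.join(bundle, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    exe_name = info.get("CFBundleExecutable", "")
    exe_path = os.path.join(contents, "MacOS", exe_name)
    report = {
        "display_name": info.get("CFBundleName", os.path.basename(bundle)),
        "executable": exe_name,
        "kind": classify_executable(exe_path),
        "destructive": [],
    }
    if report["kind"] == "script":
        with open(exe_path, "r", encoding="utf-8", errors="replace") as fh:
            report["destructive"] = find_destructive_commands(fh.read())
    return report


def build_constructed_bundle(root, name, executable_bytes):
    """Create a minimal .app layout under root (constructed test data)."""
    app = os.path.join(root, name + ".app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleName": name, "CFBundleExecutable": name}, fh)
    with open(os.path.join(macos_dir, name), "wb") as fh:
        fh.write(executable_bytes)
    return app


# Constructed samples: a "Word" whose executable is a script that wipes the
# home folder, and a tool whose executable starts with a 64-bit Mach-O header.
FAKE_INSTALLER = b"#!/bin/sh\n# pretends to install Office\nrm -rf ~\n"
NATIVE_BINARY = b"\xcf\xfa\xed\xfe" + b"\x00" * 28


def demo():
    """Inspect both constructed bundles; returns (fake_report, native_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = build_constructed_bundle(tmp, "Microsoft Word", FAKE_INSTALLER)
        native = build_constructed_bundle(tmp, "SomeTool", NATIVE_BINARY)
        return inspect_bundle(fake), inspect_bundle(native)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

A "script" verdict is not proof of malice (plenty of legitimate bundles wrap a launcher script), but a bundle claiming to be an Office installer whose main executable is a three-line shell script with rm -rf ~ in it is exactly the case this thread describes. Note that an rm alias, as suggested above, only affects interactive shells; a script calling /bin/rm never sees it, which is why inspecting before running beats relying on the alias.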
This sounds similar to the recent trojan horse proof-of-concept.
No, that involved an application pretending to be a document. This is a case of an application pretending to be a different application. There is no security regarding the identity of applications, and an application can have any icon it chooses--the burden is on users to obtain their applications from trusted sources, not Limewire. Of course, if he really thought it was a "public beta," as he claims, he probably would have gone looking for it at the Microsoft web site.
Since the permissions on a Unix-style system are set up to allow the user control over what they 'own' (mainly the home directory), there's little to prevent a program run by the user from doing whatever it wants with user data. This applies to Linux, *BSD, and the commercial *nixes as well, not just OSX.
In the short term there are technical 'fixes' that can help but they are not perfect. Libtrash under Linux or using a backup tool that does *not* have the same rights as the user are good CYA in the short run, though an isolated sandbox or similar tools should really be available. How to pull this off, I don't know...if you've heard of end-user tools that can pass the pointy-haired-boss test, let me know!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.
... The idiot tried to get warez. If you try and download warez off a p2p network and get screwed in the process, you deserve it.
... if it was a public beta, wouldn't it be on the MICROSOFT site?
Lies
C'mon
I'll quote wikipedia...
So, to reiterate: a virus requires another executable as a host, a worm does not. That is the difference between the two.
The concept of a "trojan horse" is somewhat orthogonal to that of "virus" or "worm", though I think it is a distinct enough phenomenon to warrant its own designation.
All's true that is mistrusted
Two things there, chief: You don't know what a trojan horse is and you don't know what a virus is. Lemme enlighten youse:
A Trojan Horse is something that appears benign, but has evil lurking inside. Ya see, there supposedly was this war, and Greece was having a tough time of it, so after a long siege they rolled up to the gates of Troy a huge wooden horse - a "gift" to their worthy adversary. After having put up this tremendous defense, the Trojans see this horse outside and say to themselves "Hey, we ARE great! And now even the great Greece is acknowledging it with this beautiful gift!" After some debate about what to do, they said "Let's bring it inside! Yeah!" And so they did. That night the Greeks hiding inside the horse slipped out and opened the gates. It was curtains for the Trojans, and a metaphor was born.
So you can see that a Trojan Horse does not "sit there and collect information." It does whatever bad things the creator wants it to, and the disguise is what gets it inside your gates..er, firewall.
A virus is a piece of code that attaches itself to other programs, replicates, and may or may not do other bad things. It does not masquerade as something good, it tries to go unnoticed, at least at first.
Isn't this old news?? Back in the BBS days a lot of files floated around that purported to be installers. But when run they would trash your system folder, drop a lot of viruses, and then install joke extensions. I know many of the So Cal Mac BBS's had to clean out a lot of files due to installers like these. So 10-11 years ago we had the same problem.
---In a time of Chimpanzees I was a Monkey.
I did, but instead of deleting the file, it asked me for my password! :-)
Seriously, with sudo, you still have to enter your password. You might as well call the standard admin security authorization dialog at that point. But "rm -rf ~/" on your home directory is still fair game to a cheap trojan.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Basically you hit command-option-k in any app and it brings up a window showing all the current connections to or from your computer. And you can kill any of them (by adding a rule to IPFW) right then and there.
Oh. Macs don't get viruses. I didn't know that. Thanks. http://www.faqs.org/faqs/computer-virus/macintosh-faq/
http://antivirus.about.com/cs/allabout/tp/aamacvir.htm
http://www.icsalabs.com/html/communities/antivirus/macintosh/archives/macvirus/reference/viruses.html
Still stupid, because he could have downloaded it from OpenOffice's website, or any of the mirrors. Most everything on p2p networks is slower than any of the mirrors would be.
Heh, it's called 'Print-to-PDF' and it's for Classic mode or OS 9 only. Under OS X just choose File->Print and then choose 'Save as PDF...' instead of printing.
That's for any app in OS X. Instant multipage PDFs from any program that can print.
It's nice to see that reading comprehension has dwindled to nothing these days. The article does not say that the file was downloaded "via" Limewire. And I never said that there was a statement excluding other Gnutella clients, but as you know, sometimes what goes unsaid is just as important as what is actually said. It might not occur to less technically inclined people that there is a distinction between Limewire (the client) and Gnutella (the P2P network).
To prove my point, here's a quote from the Slashdot article. (Emphasis mine.)
You don't download things from Limewire. You download software from the Gnutella network with (or using) Limewire. The distinction is subtle but important.
For comparison, here's how the MacCentral article read:
By contrast, here's how the incident was reported on Macintouch: This is taken almost verbatim from Intego's own web page detailing the Trojan. Interestingly enough, "Limewire" isn't mentioned once on that page.
Either that or you were dumb enough to run the installer as root.
No, he wasn't. The command issued by the trojan was crafted to attempt to delete the current user's home folder. If that user's account was admin-level, the command would succeed. If it wasn't, the command would fail due to insufficient permissions. If he had been logged in as root, it would have merely deleted the home directory for 'root.'
This is not an inadequacy of OS X, the system is doing what it's being commanded to do, by the currently-logged-in, authorized, local user-- no more, no less. If the currently-logged-in, authorized, local user is a twit who runs apps he downloads from p2p networks without due care, them's the breaks.
To be totally accurate, it wasn't a gift to the Trojans, that would make no sense. The Greeks pretended to have gone back to their respective kingdoms (Ithaca, Mycenae, etc.) and to have left the horse as an offering to the gods as atonement for Odysseus' theft of the Palladium from the temple of Athena in Troy.
Starting with XP you can use Software Restriction Policy (SRP), which can do exactly this kind of thing. Open up Local Security Settings under Administrative Tools and you'll find it.
With SRP you can allow or disallow execution based on certificates, hashes, paths, or internet URLs.
SRPs are probably not something that end users can be expected to configure but in a managed environment all these settings can be pushed to clients using group policy, and this is actually a very effective way to prevent trojans.
The standard meaning of "delete" on a Mac would be "move to trash". This is because, by default, selecting a file and "apple-delete"ing it moves it to the trash, it doesn't permanently remove it.
However, rm doesn't have the intermediate trash step, which might confuse Mac users who rm something expecting it to land in the trash.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)