Slashdot Mirror


Mac Trojan Horse Disguised as Word 2004

Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.

13 of 785 comments

  1. Stupid user in, virus sob tale out... by LostCluster · · Score: 3, Informative

    'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta'

    That's a likely story...

    Come on people. The only trustworthy source of any public beta software from Microsoft would be a website in the form of "http://*.microsoft.com/*" and there'd likely still be pretenders claiming to be that package floating on Limewire. Don't trust that it's Microsoft software unless you've seen Microsoft make a statement saying that the distributor is legit.

  2. Not like the recent warning by Anixamander · · Score: 5, Informative

    This sounds similar to the recent trojan horse proof-of-concept

    This is nothing of the sort. The recent warning was for mp3 or other non-executable looking files carrying a trojan horse payload...that is far sneakier than this. This is simply a program that doesn't do what it claims to do. He expected an executable, he got an executable. And if he really thought that Microsoft would release a public beta through limewire...well, caveat emptor and all.

    Since it only deleted his home directory, it probably wasn't that sophisticated. I'm surprised it didn't attempt to escalate privileges under the guise of an installer and do even more damage.

    I suppose I should make a clippy joke here (I'm really tempted), but I actually like office X and am looking forward to the next version.

    --
    Do not taunt Happy Fun Ball(TM)
  3. Re:I'm lost by justMichael · · Score: 3, Informative

    I think you are thinking of a worm.

    This is exactly what a trojan is.

    Just one of the many definitions:
    A destructive program that masquerades as a benign application. Unlike a virus, Trojan horses do not replicate themselves but they can be just as destructive.

  4. Re:Fast User Switching Rules... by Bullet-Dodger · · Score: 5, Informative

    Little Snitch is good for preventing anything from phoning home. Does have slightly annoying behavior unless it's registered, however. Anyone know of an OSS program to do this?

  5. Re:Windows by aristotle-dude · · Score: 4, Informative

    I know this is meant to be a joke but this would happen on any platform with a stupid user at the helm. This is nothing like the proof of concept Trojan. It is a classic trojan (malware program claiming to be some useful program). Fortunately, the OSX security model prevented the damage from spreading outside of the home folder. An admin account (default on Home and Pro XP) would have the ability to totally destroy a system whereas Admin accounts on OS X are not root accounts.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
  6. Re:Only home folder was hosed by trojan.... by HeghmoH · · Score: 4, Informative

    Yes, but the home folder is all that matters. The way UNIX protects system files is very nice, but the reality is that for most users, the stuff in /home or /Users or /users or whatever your flavor of UNIX uses is what counts. If you trashed my entire computer but left /Users alone, I'd be annoyed and reinstall. If you trashed /Users, I'd be annoyed and restore from backup... but most people don't keep anything resembling decent backups. Especially on a Mac, where it takes twenty minutes to reinstall the OS, the difference between trashing /Users or trashing the entire system is miniscule. Of course, if it's a multi-user Mac, a trojan can only trash the current user's files.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  7. Re:"Darwin" - style award winner by bamf · · Score: 5, Informative

    Actually I think you'll find that it fits the definition of Trojan Horse perfectly.

  8. Like in biology, viruses have hosts by Theatetus · · Score: 5, Informative

    Just to clear things up for you:

    • A virus is a program that runs in the memory space of another executable and replicates itself to other instances of that executable; essentially, it's an unwanted plug-in.
    • A worm is a program that replicates itself against the user's wishes without requiring another executable as a host.
    • A Trojan horse is a program that masquerades as a desired program in order to gain access to the user's system. Trojan horses may or may not replicate themselves.

    This is pretty clearly a Trojan horse: it advertised itself to the lUser as a copy of Microsoft Word in order to gain access to his system. The payload of the unwanted software (be it virus, worm, Trojan, or something else) is irrelevant to its classification.

    --
    All's true that is mistrusted
    1. Re:Like in biology, viruses have hosts by darco · · Score: 4, Informative

      You are pretty close about the trojan, but your virus/worm definition is a bit off.

      The ONLY difference between a worm and a virus is that a worm actively spreads over a network. A virus needs a human to spread it, either by downloading infected files or swapping disks containing infected files. A worm can spread automatically, requiring zero (or very little, in the case of viewing your mail) human contact. This is why they are so much more dangerous.

      --
      — darco
  9. trojans by tgibbs · · Score: 3, Informative

    This sounds similar to the recent trojan horse proof-of-concept.

    No, that involved an application pretending to be a document. This is a case of an application pretending to be a different application. There is no security regarding the identity of applications, and an application can have any icon it chooses--the burden is on users to obtain their applications from trusted sources, not Limewire. Of course, if he really thought it was a "public beta," as he claims, he probably would have gone looking for it at the Microsoft web site.
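
The point above, that an application can wear any icon it likes, so the archive's contents rather than its appearance are what tell you what you are about to run, can be checked mechanically before anything is opened. The following is an added example, not code from the post or from Macworld/Intego: it lists the members of a zip archive and flags any that look like native executable code (an `.app` bundle path, Unix executable mode bits in the zip entry, or a Mach-O magic number at the start of the member). The sample archive is constructed in memory for the demonstration; the bundle and file names in it are invented.

```python
import io
import zipfile

# Mach-O magic numbers: thin 32-bit and 64-bit headers in both byte orders,
# plus the "fat" (multi-architecture) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def classify_member(info, head):
    """Return the reasons a zip member looks like native executable code.

    info is a zipfile.ZipInfo; head is the first few bytes of the member.
    """
    reasons = []
    name = info.filename
    if ".app/" in name or "/Contents/MacOS/" in name:
        reasons.append("application bundle path")
    # When the archive was built on Unix, the upper 16 bits of external_attr
    # carry the file mode, so the execute bits survive the trip through the zip.
    mode = (info.external_attr >> 16) & 0o7777
    if mode & 0o111:
        reasons.append("executable mode bits %o" % (mode & 0o777))
    if head[:4] in MACHO_MAGICS:
        reasons.append("Mach-O header")
    return reasons


def suspicious_members(zip_bytes):
    """Scan an archive given as bytes without extracting it.

    Returns {member_name: [reasons]} for every member that looks executable;
    an empty dict means nothing in the archive looked like native code.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic is needed, not the whole member
            reasons = classify_member(info, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample: a 'beta' download whose bundle holds a Mach-O binary.

    Names and contents are invented for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        binary = zipfile.ZipInfo("Word 2004 Beta.app/Contents/MacOS/Installer")
        binary.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        binary.external_attr = 0o100755 << 16  # regular file, mode 755
        zf.writestr(binary, b"\xfe\xed\xfa\xce" + b"\x00" * 28)  # fake Mach-O header
        zf.writestr("Word 2004 Beta.app/Contents/Info.plist", b"<plist/>")
        zf.writestr("README.txt", b"Thanks for downloading!")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in suspicious_members(build_sample_archive()).items():
        print(name, "->", ", ".join(why))
```

Running it on the constructed archive flags the installer binary on all three counts and the `Info.plist` only for living inside an `.app` bundle, while `README.txt` is not reported. The check is deliberately conservative: it cannot tell a legitimate installer from a malicious one, it only tells you that what you downloaded is a program rather than a document, which is exactly the fact the icon was hiding.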

  10. Well, you're close... by Theatetus · · Score: 4, Informative

    I'll quote wikipedia...

    A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm is self-contained and does not need to be part of another program to propagate itself.

    So, to reiterate: a virus requires another executable as a host, a worm does not. That is the difference between the two.

    The concept of a "trojan horse" is somewhat orthogonal to that of "virus" or "worm", though I think it is a distinct enough phenomenon to warrant its own designation.

    --
    All's true that is mistrusted
  11. Old news? 10 years ago we had this problem by Foo2rama · · Score: 3, Informative

    Isn't this old news?? Back in the BBS days a lot of files floated around that purported to be installers. But when run they would trash your system folder, drop a lot of viruses, and then install joke extensions. I know many of the So Cal mac BBS's had to clean out a lot of files due to installers like these. So 10-11 years ago we had the same problem.

    --
    In a time of Chimpanzees I was a Monkey.
  12. Re:Slight mis-reporting of facts by LionMage · · Score: 3, Informative

    I see no misreporting of the facts. The fact is that the person in question downloaded it via limewire. I see no statement that excludes other gnutella clients.

    It's nice to see that reading comprehension has dwindled to nothing these days. The article does not say that the file was downloaded "via" Limewire. And I never said that there was a statement excluding other Gnutella clients, but as you know, sometimes what goes unsaid is just as important as what is actually said. It might not occur to less technically inclined people that there is a distinction between Limewire (the client) and Gnutella (the P2P network).

    To prove my point, here's a quote from the Slashdot article.
    A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire.
    (Emphasis mine.)
    You don't download things from Limewire. You download software from the Gnutella network with (or using) Limewire. The distinction is subtle but important.

    For comparison, here's how the MacCentral article read:
    The latest advisory, posted to the company's Web site on Wednesday, warns of a Trojan Horse downloaded from the LimeWire peer-to-peer network[...]

    By contrast, here's how the incident was reported on Macintouch:
    The reader in question downloaded the file from the Gnutella peer-to-peer network, thinking that it was a public beta of Microsoft Word 2004.
    This is taken almost verbatim from Intego's own web page detailing the Trojan. Interestingly enough, "Limewire" isn't mentioned once on that page.