Mac Trojan Horse Disguised as Word 2004
Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.
The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.
Using Limewire? A likely story.
The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"
This is the risk you take when downloading stuff that you don't pay for. If you purchased Office 2004 from Microsoft (thus supporting the promotion and development of software for OS X), then you would have something to gripe about. As it stands, one might suggest you got what you paid for.....
This is 2004, you should know by now not to open a file from an untrusted source.
Well said. However, this does raise the possibility of other code that could be made to look like just about anything. So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.
Visit Jonesblog and say hello.
Every OS is vulnerable to the ultimate virus: Stupidity.Virus.a. Only one release was needed.
This should be filed under the "Humans" topic as this has nothing to do with apple or even computers.
Trojan Horses are social problems -- there isn't much apple or microsoft or anyone can do other than try to keep people on their toes.
I mean come on, limewire?
davidu
# Hack the planet, it's important.
Not really, no. The point of that was that it was an application that looked like an mp3. This is just an application with a misleading name/icon. Anyone can write code that erases a user's home folder and call it Microsoft Word.
Sure, that file came from an untrusted source. In fact, doesn't it serve them right to get bitten by illegally downloading software? Software that should cost money, and in fact does (quite a bit).
But forget the fact that this happened on an unethical download. The fact is that this is malware, not a virus or a worm, not something that is exploiting the operating system by opening known bugs or attempting to hack into key parts of the system which normally would require keychain access, but that this is merely software that the user chose to install, and chose to authenticate (maybe? did it require keychain access to be able to delete files from the home directory? I think Apple probably allowed that to happen since programs *do* need to be able to write files to the Home directory, just not anywhere else, save for a temporary folder like /tmp).
Just keep in mind that while the program itself was not ethical, nor were the actions of the user by downloading non-free software, this should come as no surprise to the user or to Apple, since this is not a compromise of the system nor something Apple can prevent, except through education (Don't open untrusted files and programs).
Do you think this would have happened if the user was downloading legit sourceforge or another self-produced program that claimed to do something else and just became malware or a random pop-up creator? Would we cry foul if the program was *not* downloaded illegally?
Don't eat your soul to fill your belly.
conesus.com
If it was a Windows install, you could check to make sure that various files were signed and authenticated by MS, information which I don't believe can actually be faked (dlls, exe, cab files, etc.).
I don't know if Mac has a similar feature, and I don't know if some random moron like this guy would even have bothered to check. However, it would seem that MS' own security would indeed have offered a better chance of preventing such a Trojan.
-rt
A similar program on Windows could do far more than just hose someone's Home folder, because most Windows users run with high privileges.
Surrrrreeee they thought it was a beta. Uh huh. That's why they went to Limewire rather than the MS website. Sure. Yeah.
Open Office porters take note. At my last check, Mac users are still stuck with a sucky x11 version of OOO1.1 rather than the spiffy version available for Windows users.
1) Create shell script with "rm -rf $home/*"
2) Package script with Microsoft Icon
3) Upload to P2P network
4) ???
5) Laugh as retarded Slashdot editors call it valid malware
Come on guys... lets get serious.
You have to wonder, word is a pretty hefty piece of software, did the attackers even bother padding the program? A really quick download time would be one of a multitude of clues that what you are downloading probably isn't legit.
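An added example, not from this thread or from Macworld, Intego or Microsoft: a POSIX shell pre-flight check that acts on the two points raised above (check what the vendor actually published instead of trusting the icon, and treat an implausibly small download as a red flag). It assumes the vendor publishes a SHA-256 for the installer on its own website and that a genuine installer ships as an archive or disk image rather than a bare script; the size threshold, the sample files and the hash values in the demo at the bottom are constructed for illustration.

```shell
# Pre-flight check for a downloaded installer (added example, not the page's
# or any vendor's code). Refuses the file unless (1) it is at least as large
# as the advertised software could plausibly be, (2) its SHA-256 matches the
# hash taken from the vendor's site (never from the download itself), and
# (3) `file` does not report it as a script/executable when an archive or
# disk image was expected. Thresholds and sample data are assumptions.

sha256_of() {
  # Portable SHA-256: GNU coreutils sha256sum on Linux, shasum on Mac OS X.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

file_size() {
  # Byte count without relying on platform-specific stat(1) flags.
  wc -c < "$1" | tr -d ' '
}

verify_download() {
  # $1 path, $2 expected SHA-256 from the vendor, $3 minimum plausible bytes.
  # Returns 0 only if every check passes; each rejection explains why.
  path=$1; expected=$2; min_bytes=$3
  [ -f "$path" ] || { echo "REJECT: missing file $path" >&2; return 1; }

  size=$(file_size "$path")
  if [ "$size" -lt "$min_bytes" ]; then
    echo "REJECT: $size bytes is far too small for the advertised software" >&2
    return 1
  fi

  actual=$(sha256_of "$path")
  if [ "$actual" != "$expected" ]; then
    echo "REJECT: SHA-256 mismatch (got $actual, expected $expected)" >&2
    return 1
  fi

  # Type check is skipped when file(1) is unavailable; the hash already had
  # to match, so this is defence in depth against a renamed script.
  if command -v file >/dev/null 2>&1; then
    case $(file -b "$path") in
      *script*|*executable*)
        echo "REJECT: $path is a script/executable, not an installer archive" >&2
        return 1 ;;
    esac
  fi

  echo "OK: $path passed size, hash and type checks"
  return 0
}

# Demo on constructed files (hash and threshold are illustrative only).
demo=$(mktemp -d)
printf 'hello\n' > "$demo/Office2004.zip"          # constructed "installer"
printf '#!/bin/sh\necho hi\n' > "$demo/Office2004.dmg" # constructed disguised script
vendor_hash=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_download "$demo/Office2004.zip" "$vendor_hash" 6 || true
verify_download "$demo/Office2004.zip" "$vendor_hash" 1000 || true   # too small
verify_download "$demo/Office2004.dmg" "$vendor_hash" 1 || true      # wrong hash
rm -rf "$demo"
```

The size check runs first because it needs no trusted input at all; a download that finishes in seconds when the real product is hundreds of megabytes is exactly the clue the comment above describes. The hash must come from a channel you already trust (the vendor's own site over HTTPS), otherwise a forger simply publishes a matching hash next to the fake.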
Out in the professional world we do pay for everything. Why? In the last 6 months, two graphics designers in this town were busted for using warezed versions of Photoshop and black listed by other companies in the area including long time clients. And advertising/marketing being cut-throat as it is, there were glaring stories about it in the local business journal. Wow, probably $100k+ income lost to save $5k on software. Smart move there!
If there was such a thing, then download from a MS website or trusted mirror (like download.com) or else roll the dice and take your chances.
Personally I am waiting for the $10 for shipping beta from MS as I am classified as an "IT manager/decision maker" for our company (and several others as I also do consulting).
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
It is a non story even if it happened, and it is unlikely to have happened. Unless the guy is a 10-year old who fell for a trap his 11-year old sister set up for him.
There's nothing Apple can or should do. Aliasing 'rm' to 'rm -i' in your shell will only work if the person who writes the virus is kind enough to run your shell and let it load your aliases. They could write the commands in AppleScript rather than using rm. They could write a C program to do it. This is all moot.
If you have the power to delete all of your own files, then any program you run has that power too. Nothing can change that. Trojan horses are nothing new, and nothing surprising. They are a problem on every platform, even Linux, and have nothing to do with the operating system or the computer.
There are companies that call people on the telephone and convince them to send them a check for $300 in return for a big-screen TV they'll never receive. This is made possible because (a) people can receive phone calls, and (b) people can give money to other people. No one suggests we remove telephones or checks from our lives to prevent such fraud.
Trojan horses are just the computer equivalent of fraud. They have been around for a very, very, very long time, and will be around until the end of time. Nothing can be done by Apple to prevent them, just as nothing can be done by Microsoft or any of the Linux distribution maintainers. It's just how life works: if you have a gun, and someone tricks you into shooting yourself in the foot, you've just shot yourself in the foot. It's not a flaw in the gun.
So how do you combat Trojan horses? Well, Trojan horses are not new. They date back to... yep! Troy!
Beware of Greeks bearing gifts.
The ancient adage still holds true today. Welcome a wooden horse full of soldiers into your city, and you're going to have a tough time blaming the manufacturer of the city wall for your city's subsequent downfall.
Now that at least some Windows users are starting to become aware of this sort of thing, are Mac users next?
Most Mac users I talk to do nothing but go on about how they never have to worry about this sort of thing. Seems like a group of users that's that overconfident in their systems are ripe for infection.
I just made a new user to run an rm -rf ~ on to see how it looks.
:)
I have to say I'm impressed with how Apple handles this situation. You actually have to do rm -rf ~/* but anyway, once your home directory is emptied there is no error message. No flood of missing files or application crashes. You just log out and log back in and hey, you have the defaults loaded again like a fresh user. Being a Windows/Linux switcher I have to say this is handled quite differently than I expected. At least in Windows losing all your Windows files is gonna cause some serious problems; you may not be able to log back in again.
Maybe I'm odd but eh.
-Don.
Cwm, fjord-bank glyphs vext quiz
Remember, a good deal of the Mac users out there are clueless ex-Windows user friends that we instructed to purchase Macs after scrubbing their old PCs of viruses, adware, spyware and other such crap one too many times.
No matter how often we tell them otherwise, it is ingrained in them to use the icon as an indicator of a file's content. If it wasn't, then a great deal fewer email viruses would make it into the wild.
I took the MacCentral website (which is now run by Macworld) to task for this, and I'll take Slashdot to task for the same thing. In some of the more reputable Mac-related news sites, this story was more accurately covered; the Trojan in question was downloaded from the Gnutella network. Limewire is not a network, it's a Gnutella client -- yet sites like MacCentral reported that the file was downloaded from the LimeWire network. Now on Slashdot, we're seeing much the same thing -- as if to imply that this Trojan is somehow only available with Limewire.
Since there are at least 3 other Gnutella clients available for Mac OS X (Phex, Acquisition, and XFactor are the ones I know of), there are many more potential vectors for this Trojan to find its way onto a Mac user's computer.
Yeah, I know, it's asinine to trade warez on any P2P network...
There's nothing to stop this Trojan from making it to other file sharing networks, except perhaps a dose of common sense, so this isn't even a Gnutella-specific problem. I'm just a little peeved with sloppy news reporting.
Strange that Microsoft has popped up in this one, huh? Hmm... if I were a conspiracy theorist....
The real issue is whether it can replicate itself and whether it can use security holes in OS X to distribute itself to others. I've been round and round with people on this topic and the conclusion is that, at every point, OS X presents too great a hurdle to allow it to occur. You either have to rely on lots of Apple programs working together to do it (which is too unwieldy and too visible to the user) or you have to rely on the more stealthy Unix stuff, much of which is turned off by default (i.e., no using mail quietly in the background to distribute the trojan/virus because sendmail is off by default.)
It seems to me that Intego is looking to scare people into buying their products and in doing so, they have blown any credibility they have.
--Rick "If it isn't broken, take it apart and find out why."
This was a person who based a choice on whether or not to run an app based on how the ICON looked. They will repeat over and over and over again and wonder why the hell their shit keeps breaking.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Holy crap, that has to be the most long drawn out boring explanation of rm -rf ~ I've ever read. I think this guy might have been one of my college professors. I imagine his explanation of DELTREE /Y C:\WINDOWS would put people into a coma.
Everyone else knows that they never release applications for public beta testing. They only release operating systems as public betas.
I think it would be a good idea to have a feature in OS X that could launch a program as "untrusted". It should be able to restrict the program's access to the file system, the network stack, etc. Kind of like what .Net does, except not as extreme.
Avoid Missing Ball for High Score
Like most companies selling security software for personal computers, they're basically in the business of marketing snake oil, and that means the creation of FUD. It's a new concept in the Mac world, but age-old for Windows.
From the Intego site:
WTF is that supposed to mean? And what is "infection" in the context of a Trojan horse?
Mac user pirates a 10kB OSX version of Word and gets all his stuff deleted.
Don't you think Slashdot is the last place where people need to be made aware of something like this?
Turning your boneheaded mistake into a security advisory isn't going to win you much respect here.