Slashdot Mirror


Mac Trojan Horse Disguised as Word 2004

Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.

7 of 785 comments (clear)

  1. Fast User Switching Rules... by rthille · · Score: 4, Interesting


    This is a perfect use for Fast User Switching. Create an account with no perms and no data you care about losing. Test downloads in that account. You can do it without even logging out.

    Be careful though of the fact that there's no restriction on network access for a 'no perms' account. (This is a failing of UNIX in general, not MacOS in particular.) This would allow Microsoft/anyone to put out a trojan like this, and send back a 'this IP fell for it' packet, or even run a server on a 'high' port (depending on your firewall configuration).

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  2. Macosxhints take on it by Isbiten · · Score: 3, Interesting

    Evily stolen from robg Link

    After reading the article and the press release, I think it's pretty obvious what the program is doing -- I suspect it's nothing more than a one-line AppleScript. Although some (perhaps many) will disagree with me, I'm going to publish what I think the exploit to be, because it's not a huge secret. Basically, my guess is that the trojan horse is a one-line AppleScript that contains the following UNIX command (in the script, the command will be accessed via the AppleScript method for calling a shell command, but I'm not going to bother including that part here):

    rm -rf ~

    WARNING!! DO NOT USE THIS COMMAND! YOU WILL ERASE YOUR USER'S DIRECTORY!

    I feel it's important that everyone understand the above command, and know what it looks like -- the more people who know what this line does and how it works, hopefully the fewer who will be fooled by it. And to claim that this is some "deep dark secret" that needs to be hidden is, in my opinion, trying to hide from the truth -- more "security by obscurity," which we all know doesn't work well at all. rm -rf is a very standard, very useful Unix command. In fact, if you search macosxhints (using the advanced search page) for the 'exact phrase' rm -rf, you'll get fully three pages of matches.

    What makes it troublesome in this case is simply that it's called from a program where the typical user will not know what's happening, and will be shocked at the outcome. But listing the command is not like explaining how to write a self-replicating virus that spreads from machine to machine -- this is common knowledge to probably at least a couple of million OS X users who have some knowledge of Unix.

    For those that don't know Unix, rm is "move to and empty trash," -r is "do this for all items and folders within this folder," the f means "force removal without confirmation," and the ~ means "the user's directory." Spelled out, this means that the script will, without warning or user intervention, delete everything in the user's folder. Permanently.

    The Intego press release explains one way to test a program if you suspect it might be a trojan horse -- select it, do a Get Info, and try to delete the icon. Here's another safety check that I often use myself: drag and drop the program onto Script Editor (or control-click on a package and select Show Package Contents to explore the package contents if it's a package installer). If you're lucky, and the script writer was somewhat lazy (by not making the script uneditable), the script itself will open for editing.

    So now that you know about this trojan horse, the question is, what should be done about them on OS X? My first thought on reading the article was "Cool, Darwin at work on the peer to peer networks!" But then, I considered some additional scenarios which may have more applicability in the real world. The current example is likely to remain on Gnutella, given that it's a program that purports to install the currently 'hot' application, the new Office suite. However, think about this version: A useful AppleScript that does something cool (change type/creator codes, backs up your directory, etc.). However, buried in the code is a timer that counts the number of times you've used the program. On the 50th run, it deletes your entire user's folder. Or worse, it pops up a dialog that says "In order to backup the Foo_bar file, we need your admin password." It may then be possible (I'm not quite sure how) for the app to delete the entire hard drive, instead of just your user's folder. If the script were useful enough, it could be very widely distributed, and then go blam! at some non-specified time in the future.

    What, if anything, should Apple do about this? Note that this is not specific to OS X; it's really a 'social engineering' exploit. I think it would be just as easy to write a similar 'exploit' for Linux or even Windows, given that it's a simple script that relies

    --
    I fought the corporate America, and the corporate America bought the law.
  3. "This being 2004..." by ChiralSoftware · · Score: 4, Interesting
    "This being 2004, you should know not to open a file from an untrusted source." WRONG! This is exactly the mindset that has resulted in the security problems that plague computers today. Operating environments should have the ability to fully contain and isolate any process. Operating environments should have the ability to run hostile code with complete safety. The smart thing to do is to start regarding ALL code as hostile. One side effect of that is that failures of non-hostile code will be contained, too, making for a more reliable system.

    How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD has a similar, but more limited system called systrace. The TrustedBSD project and SELinux have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux, which I believe is integrated with Linux 2.6

    The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.

    ---------
    WAP news

  4. Re:The Icon Looked Trustworthy! by urmensch · · Score: 3, Interesting

    To be fair, a lot of windows users don't understand the difference either.

    A client I worked for couldn't deal with two mdb files on her desktop. It confused her that she could work with two databases independently, because to her, they were both just "Access".

    Cheers to the lusers!

  5. Re:"Darwin" - style award winner by 0x0d0a · · Score: 3, Interesting

    This was a person who based a choice on whether or not to run an app based on how the ICON looked. They will repeat over and over and over again and wonder why the hell their shit keeps breaking.

    And what methodology do you use to ensure that your software is safe, I have to ask? Really, there are no good generally-available methods of avoiding such trojans.

    I think I'm reasonably competent at determining whether something's a trojan, compared to most folks. I've been known to strings binaries, to disassemble and do raw code analysis, to use various debugging tools, and to run things chrooted. I generally stick with free open source software only. However, in all honesty, there are no real strong protection mechanisms available. It's not very difficult to produce a trojan that will get past these barriers.

    The problem is that people look at the statement "the icon looked legitimate" and think "hey, that isn't a good method to use to check the legitimacy of something" and immediately (and illogically) jump to "and I could do better".

    There's no real reason to ridicule the guy.

  6. Re:"Darwin" - style award winner by cyril3 · · Score: 3, Interesting
    there are no good generally-available methods of avoiding such trojans.

    But even the bad ones are better than 'Gee, the Icon looks pretty. Virus writers are nortoriously bad artists so this program I downloaded from some unknown person that claims to be a secret beta of a Microsoft product should be fine to run'

    Hows this for a logical jump.

    Hey, that isn't a good method to use to check the legitimacy of something

    so

    I'll ring my aged grandmother and ask her should I run it and she'll say "Don't be stupid, running software like that you could catch one of those virus thingys that are running around these days" (She has a 50% chance of being right)

    and that would be better than looking at the freaking ICON.

  7. Easy Pie... by firew0lfz · · Score: 3, Interesting

    On the note about the whole making the Icon look like the real thing... uhm guys, can't you do this just as easy as in Windows?

    Here is a link to get you guys started on tricking your friends into formatting their hard drives:
    http://lockdowncorp.com/hackertricks.html

    From that page:
    "Dangerous Commands That Can Be Embedded

    PIF Shortcut Extensions

    Some hidden file extensions can easily be programmed with hidden commands that could do damage to your system. Following is a simple test:

    1.

    Right click your mouse on your desktop and select New
    and then ShortCut
    2.

    In the command line type: format a: /autotest
    3.

    Click Next
    4.

    In the "Select a name for the shortcut" area type: readme.txt
    5.

    Click Next
    6.

    Select a notepad icon and click Finish

    You now have a file on your desktop called readme.txt with a notepad icon. Make sure there is a disk in your drive that you do not mind being wiped and click on the icon. The file that you click on will do a format on the disk in the A: drive. Of course, the hacker's icon would target another drive, or maybe have a name such as 'game.exe' and with a command to delete your Windows directory or (deltree /y c:\*.*) your entire C drive!

    If the PIF extension were not hidden, this would not be able to fool you."

    Or, you could also do the following:

    "SHS Extensions

    Scrap files can also hide embedded commands. Following is a simple test:

    1.

    Make a copy of notepad.exe and put it on your desktop.
    2.

    Open Wordpad
    3.

    Click and drag notepad.exe into the open wordpad document.
    4.

    Click on Edit and select Package Object, then select Edit Package
    5.

    Click on Edit and then Command Line
    6.

    Type a command in the box such as format a: /autotest and click on Ok
    7.

    The Icon can also be changed from this edit window
    8.

    Exit from the edit window and it will update the document
    9.

    Click and drag notepad back to the desktop
    10.

    Rename the file that it created (Scrap) to Readme.txt

    You now have what will look like a text file. If it is run it will format the disk in the A: drive. As seen in the example above for PIF Shortcut Extensions, the hacker could use more dangerous commands."

    Various other types of info available there. Enjoy.

    --
    Try not to let life get in the way of living.