Mac Trojan Horse Disguised as Word 2004

Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.

"Darwin" - style award winner

[ericspinder]

I downloaded the file [off Limewire] in the hope that perhaps Microsoft had released some sort of public beta...and to my delight the Microsoft icon looked genuine and trustworthy"

We have got to come up with a name for "someone who makes a good effort at removing themselves from the Internet".

Re:"Darwin" - style award winner

[Ieshan]

Already got one. Notice how "microsoft" came up, even in the story about the Trojan on a Mac?

Re:"Darwin" - style award winner

[Short+Circuit]

Ouch.

I was about to type a search for "spinder" in the google search in Firefox when I noticed the original poster's username.

Re:"Darwin" - style award winner

[rjamestaylor]

Why do you think they call it Apple Darwin, anyway?

Re:"Darwin" - style award winner

Trojan Horses do not wipe out Home folders... they only sit dormant and collect information. I think it was a virus that this guy downloaded, not a Trojan.

Maybe if you look on Limewire you can find a "dictionary"

Re:"Darwin" - style award winner

[bamf]

Actually I think you'll find that it fits the defintion of Trojan Horse perfectly.

Re:"Darwin" - style award winner

[SquadBoy]

This was a person who based a choice on whether or not to run an app based on how the ICON looked. They will repeat over and over and over again and wonder why the hell their shit keeps breaking.

Re:"Darwin" - style award winner

[anonymous+loser]

This man is luckier than he realizes. He might have actually installed a Microsoft product instead of a mere trojan horse!

Re:"Darwin" - style award winner

[0x0d0a]

This was a person who based a choice on whether or not to run an app based on how the ICON looked. They will repeat over and over and over again and wonder why the hell their shit keeps breaking.

And what methodology do you use to ensure that your software is safe, I have to ask? Really, there are no good generally-available methods of avoiding such trojans.

I think I'm reasonably competent at determining whether something's a trojan, compared to most folks. I've been known to strings binaries, to disassemble and do raw code analysis, to use various debugging tools, and to run things chrooted. I generally stick with free open source software only. However, in all honesty, there are no real strong protection mechanisms available. It's not very difficult to produce a trojan that will get past these barriers.

The problem is that people look at the statement "the icon looked legitimate" and think "hey, that isn't a good method to use to check the legitimacy of something" and immediately (and illogically) jump to "and I could do better".

There's no real reason to ridicule the guy.

Re:"Darwin" - style award winner

[cyril3]

there are no good generally-available methods of avoiding such trojans.

But even the bad ones are better than 'Gee, the Icon looks pretty. Virus writers are nortoriously bad artists so this program I downloaded from some unknown person that claims to be a secret beta of a Microsoft product should be fine to run'

Hows this for a logical jump.

Hey, that isn't a good method to use to check the legitimacy of something

so

I'll ring my aged grandmother and ask her should I run it and she'll say "Don't be stupid, running software like that you could catch one of those virus thingys that are running around these days" (She has a 50% chance of being right)

and that would be better than looking at the freaking ICON.

New paradigm?

[Suffering+Bastard]

I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta...I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!

Maybe this is Microsoft's new security paradigm. No one can steal your data, not even you!

Re:New paradigm?

[Bonker]

Surrrrreeee they thought it was a beta. Uh huh. That's why they went to Limewire rather than the MS website. Sure. Yeah.

Open Office porters take note. At my last check, Mac users are still stuck with a sucky x11 version of OOO1.1 rather than the spiffy version available for Windows users.

Think first

[BWJones]

The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.

Using Limewire? A likely story.

The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"

This is the risk you take when downloading stuff that you don't pay for. If you purchased Office 2004 from Microsoft (thus supporting the promotion and development of software for OS X), then you would have something to gripe about. As it stands, one might suggest you got what you paid for.....

This is 2004, you should know by now not to open a file from an untrusted source.

Well said. However, this does raise the possibility of other code that could be made to look like just about anything. So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.

Re:Think first

[lukewarmfusion]

"So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice."

The Slashdot folks obviously think alot about what kinds of food they eat (everything) and who they have sex with (nobody).

Re:Think first

[John_Sauter]

So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.

Hmmm. I detect a market for a software condom. That's a much better term than "sandbox" in some markets.
John Sauter (J_Sauter@Empire.Net)

Re:Think first

[somethinghollow]

just like you would think about what you eat or who you have sex with

Or who you eat and what you have sex with.

Re:Think first

[nomadic]

Using Limewire? A likely story.

Yes, that's probably the least credible statement I've ever seen on slashdot. Just so you understand the impact of this statement, I'll highlight the important words: that's probably the least credible thing I've ever seen on SLASHDOT.

Re:Think first

[eatmadust]

So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with

I doubt many /.ers need to worry about that ...

Windows

[dicepackage]

This would never of happened if they were using a secure operating system like Windows.

Re:Windows

[aristotle-dude]

I know this is meant to be a joke but this would happen on any platform with a stupid user at the helm. This is nothing like the proof of concept Trojan. It is a classic trojan (malware program claiming to be some useful program). Fortunately, the OSX security model prevented the damage from spreading outside of the home folder. An admin account (default on Home and Pro XP) would have the ability to totally destroy a system whereas Admin accounts on OS X are not root accounts.

Re:Windows

[BlackHawk-666]

All except for the IE cookies file which appears to be indestructable.

beta

[pizza_milkshake]

in the hope that perhaps Microsoft had released some sort of public beta...

yeah.

Let the Liar Beware

[American+AC+in+Paris]

A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.

Uh-huh.

Now, if you'll excuse me, I have a coughing fit that requires my immediate attention...

Re:Let the Liar Beware

[Forgotten]

My guess is that the person doesn't exist at all, and instead was created by someone from Intego. The correspondence Macworld received is fictional. This would be in keeping with Intego's manner of operation in the past. They didn't necessarily create the Trojan and inject it into Limewire, but they'd certainly want to make it known as quickly as possible.

Like most companies selling security software for personal computers, they're basically in the business of marketing snake oil, and that means the creation of FUD. It's a new concept in the Mac world, but age-old for Windows.

From the Intego site:

Intego VirusBarrier X eradicates this Trojan horse, using its virus definitions dated May 11, 2004, and Intego remains diligent to ensure that VirusBarrier X will also eradicate any future viruses that may try to exploit this same technique.

WTF is that supposed to mean? And what is "infection" in the context of a Trojan horse?

don't be dumb billy.

[SuperguyA1]

Let's see... You downloaded a microsoft public beta from a p2p net without checking ms's website for any existance of the beta. Then just because the icon looked like a m$ icon you figured it was safe with no virus scan? If you purchase this BEAUTIFUL florida swampland I have I bet your files will be restored and word 2004 will work fine

call me

The Icon Looked Trustworthy!

[Eagle5596]

Because everyone knows the icon is the best way to ascertain the security and authenticity of any piece of software. It's very secure and hard to change, uh huh.

Re:The Icon Looked Trustworthy!

[urmensch]

To be fair, a lot of windows users don't understand the difference either.

A client I worked for couldn't deal with two mdb files on her desktop. It confused her that she could work with two databases independently, because to her, they were both just "Access".

Cheers to the lusers!

Why Not?

[tarballedtux]

Every OS is vulernable to the ultimate virus: Stupidity.Virus.a Only one release was needed.

This has nothing to do with Apple?

[davidu]

This should be filed under the "Humans" topic as this has nothing to do with apple or even computers.

Trojan Horses are social problems -- there isn't much apple or microsoft or anyone can do other than try to keep people on their toes.

I mean come on, limewire?

davidu

Re:This has nothing to do with Apple?

[stratjakt]

No, I don't own a Mac, but I've worked with OSX a little, and more apps than should pop up that little sudo-dialog thing.

So if the trojan popped up the "you must enter your administrator password to continue" box, how many would without asking questions?

I mean the guy thought he was getting a beta release of word2k4 off of limewire?

How big was the package he downloaded? Hundred megs or so, like word would be, or some 50k zip?

UNIX doesnt magically protect you from stupidity, or from making mistakes.

Limewire Legal!

[MacWannabe]

Seriously, what a tard. The only things you can trust off Limewire is the quality porn!

Re:Limewire Legal!

[beatleadam]

Here is how the article should have read.

I downloaded this Phat slice of porn in the hope that perhaps Microsoft had released some sort of public beta porn. Well dude, I unzipped, and to my delight the Microsoft icon looked genuine and trustworthy...I clicked on the installer file, and to my horror 10 seconds later the attachment had wiped my entire Porn folder...now I need to figure out how to clean off this friggin' keyboard...

Stupid user in, virus sob tale out...

[LostCluster]

'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta'

That's a likely story...

Come on people. The only trustworthy source of any public beta software from Microsoft would be a website in the form of "http://*.microsoft.com/*" and there'd likely still be pretenders claiming to be that package floating on Limewire. Don't trust that it's Microsoft software unless you've seen Microsoft make an say that the distributor is legit.

Dear trojan writers.

[juuri]

Instead of deleting a person's files (I know you 0wn3r3d th3m!@#!) how about you do the rest of us a favour.

From this point on all trojans, such as this one, who invite idiots to test the lows of their computer skills should, instead of removing random files, disable a person's net connection. Think about the good you would suddenly be doing for the online world! You can make a positive difference! Your life isn't lost yet! Go you!

Who would have thought ?

[Jesrad]

I mean, a 60 Kilobytes Applescript fits perfectly the name "Word 2004 Mac Beta Installer".

D'uh.

Fast User Switching Rules...

[rthille]

This is a perfect use for Fast User Switching. Create an account with no perms and no data you care about losing. Test downloads in that account. You can do it without even logging out.

Be careful though of the fact that there's no restriction on network access for a 'no perms' account. (This is a failing of UNIX in general, not MacOS in particular.) This would allow Microsoft/anyone to put out a trojan like this, and send back a 'this IP fell for it' packet, or even run a server on a 'high' port (depending on your firewall configuration).

Re:Fast User Switching Rules...

[Bullet-Dodger]

Little Snitch is good for preventing anything from phoning home. Does have slightly annoying behavior unless it's registered, however. Anyone know of an OSS program to do this?

Re:Fast User Switching Rules...

[ducomputergeek]

Here is a better idea: don't try beating the system. 90%+ of all computer problems are really not lack of secure code, its the idiot sitting in front of the screen. While getting Office and other programs from p2p may be trendy and even "cool" to some, you run the risk that it might not be as advertised.

Out in the professional world we do pay for everything. Why? In the last 6 months, two graphics designers in this town were busted for using warezed versions of Photoshop and black listed by other companies in the area including long time clients. And advertising/marketing being cut-throat as it is, there were glaring stories about it in the local business journal. Wow, probably $100k+ income lost to save $5k on software. Smart move there!

If there was such a thing, then download from a MS website or trusted mirror (like download.com) or else roll the dice and take your chances.

Personally I am waiting for the $10 for shipping beta from MS as I am classified as an "IT manager/decision maker" for our company (and several others as I also do consulting).

Hmm

[Bullet-Dodger]

This sounds similar to the recent trojan horse proof-of-concept.

Not really, no. The point of that was that it was a application that looked like an mp3. This is just a application with a misleading name/icon. Anyone write code that erases a users home folder and call it Microsoft Word.

Untrusted source, maybe...

[Conesus]

Sure, that file came from an untrusted source. In fact, doesn't it serve them right to get bitten by illegally downloading software? Software that should cost money, and in fact does (quite a bit).

But forget that fact that this happened on an unethical download. The fact that this is malware, not a virus or a worm, not something that is exploiting the operating system by opening known bugs or attempting to hack into key parts of the system which normally would require keychain access, but that this is merely software that the user chose to install, and chose to authenticate (maybe? did it require keychain access to be able to delete files from the home directory? I think Apple probably allowed that to happen since programs *do* need to be able to write files to the Home directory, just not anywhere else, save for a temporary folder like /tmp).

Just keep in mind that while the program itself was not ethical, nor were the actions of the user by downloading non-free software, this should come as no surprise to the user or to Apple, since this is not a compromise of the system nor something Apple can prevent, except through education (Don't open untrusted files and programs).

Do you think this would have happened if the user was downloading legit sourceforge or another self-produced program that claimed to do something else and just became malware or a random pop-up creator? Would we cry foul if the program was *not* downloaded illegally?

Actually...

[rtilghman]

If it was a windows installed you could check to make sure that various files were signed and authenticated by MS, information which I don't believe can actually be faked (dlls, exe, cab files, etc.).

I don't know if Mac has a similar feature, and I don't know if some random moron like this guy would even have bothered to check. However, it would seem that MS' own security would indeed have offered a better chance of preventing such a Trojan. :)

-rt

Only home folder was hosed by trojan....

[Homology]

'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"

A similar program om Windows could do far more than just hose someones Home folder, because most Windows users runs with high privileges.

Re:Only home folder was hosed by trojan....

[HeghmoH]

Yes, but the home folder is all that matters. The way UNIX protects system files is very nice, but the reality is that for most users, the stuff in /home or /Users or /users or whatever your flavor of UNIX uses is what counts. If you trashed my entire computer but left /Users alone, I'd be annoyed and reinstall. If you trashed /Users, I'd be annoyed and restore from backup... but most people don't keep anything resembling decent backups. Especially on a Mac, where it takes twenty minutes to reinstall the OS, the difference between trashing /Users or trashing the entire system is miniscule. Of course, if it's a multi-user Mac, a trojan can only trash the current user's files.

Not like the recent warning

[Anixamander]

This sounds similar to the recent trojan horse proof-of-concept

This is nothing of the sort. The recent warning was for mp3 or other non-executable looking files carrying a trojan horse payload...that is far sneakier than this. This is simply a program that doesn't do what it claims to do. He expected an executable, he got an executable. An if he really thought that Microsoft would relase a public beta through limewire...well, caveat emptor and all.

Since it only deleted his home directory, it probably wasn't that sophisticated. I'm surprised it didn't attempt to escalate privilieges under the guise of an installer and do even more damage.

I suppose I should make a clippy joke here (I'm really tempted), but I actually like office X and am looking forward to the next version.

Macosxhints take on it

[Isbiten]

Evily stolen from robg Link

After reading the article and the press release, I think it's pretty obvious what the program is doing -- I suspect it's nothing more than a one-line AppleScript. Although some (perhaps many) will disagree with me, I'm going to publish what I think the exploit to be, because it's not a huge secret. Basically, my guess is that the trojan horse is a one-line AppleScript that contains the following UNIX command (in the script, the command will be accessed via the AppleScript method for calling a shell command, but I'm not going to bother including that part here):

rm -rf ~

WARNING!! DO NOT USE THIS COMMAND! YOU WILL ERASE YOUR USER'S DIRECTORY!

I feel it's important that everyone understand the above command, and know what it looks like -- the more people who know what this line does and how it works, hopefully the fewer who will be fooled by it. And to claim that this is some "deep dark secret" that needs to be hidden is, in my opinion, trying to hide from the truth -- more "security by obscurity," which we all know doesn't work well at all. rm -rf is a very standard, very useful Unix command. In fact, if you search macosxhints (using the advanced search page) for the 'exact phrase' rm -rf, you'll get fully three pages of matches.

What makes it troublesome in this case is simply that it's called from a program where the typical user will not know what's happening, and will be shocked at the outcome. But listing the command is not like explaining how to write a self-replicating virus that spreads from machine to machine -- this is common knowledge to probably at least a couple of million OS X users who have some knowledge of Unix.

For those that don't know Unix, rm is "move to and empty trash," -r is "do this for all items and folders within this folder," the f means "force removal without confirmation," and the ~ means "the user's directory." Spelled out, this means that the script will, without warning or user intervention, delete everything in the user's folder. Permanently.

The Intego press release explains one way to test a program if you suspect it might be a trojan horse -- select it, do a Get Info, and try to delete the icon. Here's another safety check that I often use myself: drag and drop the program onto Script Editor (or control-click on a package and select Show Package Contents to explore the package contents if it's a package installer). If you're lucky, and the script writer was somewhat lazy (by not making the script uneditable), the script itself will open for editing.

So now that you know about this trojan horse, the question is, what should be done about them on OS X? My first thought on reading the article was "Cool, Darwin at work on the peer to peer networks!" But then, I considered some additional scenarios which may have more applicability in the real world. The current example is likely to remain on Gnutella, given that it's a program that purports to install the currently 'hot' application, the new Office suite. However, think about this version: A useful AppleScript that does something cool (change type/creator codes, backs up your directory, etc.). However, buried in the code is a timer that counts the number of times you've used the program. On the 50th run, it deletes your entire user's folder. Or worse, it pops up a dialog that says "In order to backup the Foo_bar file, we need your admin password." It may then be possible (I'm not quite sure how) for the app to delete the entire hard drive, instead of just your user's folder. If the script were useful enough, it could be very widely distributed, and then go blam! at some non-specified time in the future.

What, if anything, should Apple do about this? Note that this is not specific to OS X; it's really a 'social engineering' exploit. I think it would be just as easy to write a similar 'exploit' for Linux or even Windows, given that it's a simple script that relies

Re:Macosxhints take on it

There's nothing Apple can or should do. Aliasing 'rm' to 'rm -i' in your shell will only work if the person who writes the virus is kind enough to run your shell and let it load your aliases. They could write the commands in Applescript rather than using rm. They could write a C program to do it. This is all moot.

If you have the power to delete all of your own files, then any program you run has that power too. Nothing can change that. Trojan horses are nothing new, and nothing surprising. They are a problem on every platform, even Linux, and have nothing to do with the operating system or the computer.

There are companies that call people on the telephone and convince them to send them a check for $300 in return for a big-screen TV they'll never receive. This is made possible because (a) people can receive phone calls, and (b) people can give money to other people. No one suggests we remove telephones or checks from our lives to prevent such fraud.

Trojan horses are just the computer equivalent of fraud. They have been around for a very, very, very long time, and will be around until the end of time. Nothing can be done by Apple to prevent them, just as nothing can be done by Microsoft or any of the Linux distribution maintainers. It's just how life works: if you have a gun, and someone tricks you into shooting yourself in the foot, you've just shot yourself in the foot. It's not a flaw in the gun.

So how do you combat Trojan horses? Well, Trojan horses are not new. They date back to... yep! Troy!

Beware of Greeks bearing gifts.

The ancient adage still holds true today. Welcome a wooden horse full of soldiers into your city, and you're going to have a tough time blaming the manufacturer of the city wall for your city's subsequent downfall.

Re:Macosxhints take on it

[archen]

Holy crap, that has to be the most long drawn out boring explanation of rm -rf ~ I've ever read. I think this guy might have been one of my college professors. I imagine his explanation of DELTREE /Y C:\WINDOWS would put people into a coma.

How to write a OS X Trojan

[heyitsme]

1) Create shell script with "rm -rf $home/*"
2) Package script with Microsoft Icon
3) Upload to P2P network
4) ???
5) Laugh as retarded Slashdot editors call it valid malware

Come on guys... lets get serious.

"This being 2004..."

[ChiralSoftware]

"This being 2004, you should know not to open a file from an untrusted source." WRONG! This is exactly the mindset that has resulted in the security problems that plague computers today. Operating environments should have the ability to fully contain and isolate any process. Operating environments should have the ability to run hostile code with complete safety. The smart thing to do is to start regarding ALL code as hostile. One side effect of that is that failures of non-hostile code will be contained, too, making for a more reliable system.

How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD has a similar, but more limited system called systrace. The TrustedBSD project and SELinux have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux, which I believe is integrated with Linux 2.6

The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.

---------
WAP news

Re:I'm lost

[justMichael]

I think you are thinking of a worm.

This is exactly what a trojan is.

Just one of the many definitoins:
A destructive program that masquerades as a benign application. Unlike a virus, Trojan horses do not replicate themselves but they can be just as destructive.

How big was the file?

[foidulus]

You have to wonder, word is a pretty hefty piece of software, did the attackers even bother padding the program? A really quick download time would be one of a multitude of clues that what you are downloading probably isn't legit.

Trojan was reverse-engineered !

[Jesrad]

Newsflash, the source code of the trojan has been obtained. It's thought to be something like this:
----------
tell application "Finder"
move home to trash
empy trash
end tell
----------

The 404 Award

[Gudlyf]

In case it's not obvious, from here:

"404: Someone who's clueless. From the World Wide Web message> "404, URL Not Found," meaning that the document you've tried to access can't be located. "Don't bother asking him...he's 404, man.""

Re:The 404 Award

Going OT here, but here's the whole list of HTTPanties:

100 Continue (she's accepting you)
200 OK (go for it!)
202 Accepted (see 200)
300 Multiple Choices (pick a hole, any hole)
400 Bad Request (explain what you mean)
401 Unauthorized (she doesn't know you yet, but if she does, she'll let you)
402 Payment Required (self-explanatory)
403 Forbidden (I guess she's just not in that kind of mood)
404 Not Found (she may be back)
405 Method Not Allowed (guess the any hole part of 300 was wrong)
406 Not Acceptable (she doesn't like you)
408 Request Timeout (you were too slow - try again)
409 Conflict (got some 3-way there?)
410 Gone (damn, you got dumped)
411 Length Required (she wants to know that first)
413 Request Entity Too Large (stop buying penis pills)
414 Request-URI Too Long (see 413)
415 Unsupported Media Type (wait, this is a LESBIAN HTTP/1.1 error code thing?)
416 Requested Range Not Satisfiable (she knows she's not good enough for you)
417 Expectation Failed (self-explanatory)
500 Internal Server Error (she should be checked out)
501 Not Implemented (well, teach her!)
503 Service Unavailable (wait a while, and watch)

This is 2004...

[Vrallis]

This is 2004, you should know by now not to open a file from an untrusted source.

This is 2004, you should know by now that Microsoft can't possibly have released Office 2004 this year.

Word 2004

[Pac]

Had Microsoft released it, wouldn't it be a trojan horse anyway? It will slow down your computer, transmit personal data to Microsoft and, if past versions history serves as comparison, open your computer wide to all sorts of attacks. Thinking of it, perhaps the version he downloaded is an alpha including only the "slow down, transmit and open" subsystems.

Is there any reason to believe this at all?

[bw5353]

There seems to have been one really silly user who fell for about the oldest trick in the book - calling a bad executable something nice. Why do Macworld even bother reporting it?

It is a non story even if it happened, and it is unlikely to have happened. Unless the guy is a 10-year old who fell for a trap his 11-year old sister set up for him.

Mac trojan/viruses: the next big thing?

[jridley]

Now that at least some Windows users are starting to become aware of this sort of thing, are Mac users next?
Most Mac users I talk to do nothing but go on about how they never have to worry about this sort of thing. Seems like a group of users that's that overconfident in their systems are ripe for infection.

Nice handling of it...

[CODiNE]

I just made a new user to run an rm -rf ~ on to see how it looks.

I have to say I'm impressed with how Apple handles this situation. You actually have to do rm -rf ~/* but anyways, once your home directory is emptying there is no error message. No flood of missing files or application crashes. You just log out and log back in and hey you have the default's loaded again like a fresh user. Being a Windows/Linux switcher I have to say this is handled quite differently than I expected. At least in windows losing all your windows files is gonna cause some serious problems, may not be able to log back in again.

Maybe I'm odd but eh. :)

-Don.

Us Slashdot-geeks have created a monster!

[WebCowboy]

Remember, a good deal of the Mac users out there are clueless ex-Windows user friends that we instructed to purchase Macs after scrubbing their old PCs of viruses, adware, spyware and other such crap one too many times.

No matter how often we tell them otherwise, it is ingrained in them to use the icon as an indictor of a file's content. If it wasn't then a great deal fewer email viruses would make it into the wild.

Slight mis-reporting of facts

[LionMage]

I took the MacCentral website (which is now run by Macworld) to task for this, and I'll take Slashdot to task for the same thing. In some of the more reputable Mac-related news sites, this story was more accurately covered; the Trojan in question was downloaded from the Gnutella network. Limewire is not a network, it's a Gnutella client -- yet sites like MacCentral reported that the file was downloaded from the LimeWire network. Now on Slashdot, we're seeing much the same thing -- as if to imply that this Trojan is somehow only available with Limewire.

Since there are at least 3 other Gnutella clients available for Mac OS X (Phex, Acquisition, and XFactor are the ones I know of), there are many more potential vectors for this Trojan to find its way onto a Mac user's computer.

Yeah, I know, it's asinine to trade warez on any P2P network...

There's nothing to stop this Trojan from making it to other file sharing networks, except perhaps a dose of common sense, so this isn't even a Gnutella-specific problem. I'm just a little peeved with sloppy news reporting.

Re:Slight mis-reporting of facts

[LionMage]

I see no misreporting of the facts. The fact is that the person in question downloaded it via limewire. I see no statement that excludes other gnutella clients.

It's nice to see that reading comprehension has dwindled to nothing these days. The article does not say that the file was downloaded "via" Limewire. And I never said that there was a statement excluding other Gnutella clients, but as you know, sometimes what goes unsaid is just as important as what is actually said. It might not occur to less technically inclined people that there is a distinction between Limewire (the client) and Gnutella (the P2P network).

To prove my point, here's a quote from the Slashdot article.

A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire.

(Emphasis mine.)
You don't download things from Limewire. You download software from the Gnutella network with (or using) Limewire. The distinction is subtle but important.

For comparison, here's how the MacCentral article read:

The latest advisory, posted to the company's Web site on Wednesday, warns of a Trojan Horse downloaded from the LimeWire peer-to-peer network[...]

By contrast, here's how the incident was reported on Macintouch:

The reader in question downloaded the file from the Gnutella peer-to-peer network, thinking that it was a public beta of Microsoft Word 2004.

This is taken almost verbatim from Intego's own web page detailing the Trojan. Interestingly enough, "Limewire" isn't mentioned once on that page.

The real questions...

[inkswamp]

Intego is really starting to get on my nerves with this, and their previous, alerts. You could do this little stunt way back in OS 9. Cutting and pasting icons is easy.

Strange that Microsoft has popped up in this one, huh? Hmm... if I were a conspiracy theorist....

The real issues is whether it can it replicate itself and whether it can use security holes in OS X to distribute itself to others. I've been round and round with people on this topic and the conclusion is that, at every point, OS X presents too great a hurdle to allow it to occur. You either have to rely on lots of Apple programs working together to do it (which is too unwieldy and too visible to the user) or you have to rely on the more stealthy Unix stuff, much of which is turned off by default (i.e., no using mail quietly in the background to distribute the trojan/virus because sendmail is off by default.)

It seems to me that Intego is looking to scare people into buying their products and in doing so, they have blown any credibility they have.

The files are not gone

[Nom+du+Keyboard]

The files are not gone. MSWord 2004 is just converting them all to its native format. Even on a G5 however this will take another 6 days, so simply remain calm and trust to Microsoft.

Like in biology, viruses have hosts

[Theatetus]

Just to clear things up for you:

• A virus is a program that runs in the memory space of another executable and replicates itself to other instances of that executable; essentially, it's an unwanted plug-in.
• A worm is a program that replicates itself against the user's wishes without requiring another executable as a host.
• A Trojan horse is a program that masquerades as a desired program in order to gain access to the user's system. Trojan horses may or may not replicate themselves.

This is pretty clearly a Trojan horse: it advertised itself to the lUser as a copy of Microsoft Word in order to gain access to his system. The payload of the unwanted software (be it virus, worm, Trojan, or something else) is irrelevant to its classification.

Re:Like in biology, viruses have hosts

[darco]

You are pretty close about the trojan, but your virus/worm definition is a bit off.

The ONLY difference between a worm and a virus is that a worm actively spreads over a network. A virus needs a human to spread it, either by downloading infected files or swapping disks containing infected files. A worm can spread automaticly, requiring zero (or very little, in the case of viewing your mail) human contact. This is why they are so much more dangerous.

Re:Like in biology, viruses have hosts

[AbRASiON]

Only on slashdot could the primary discussion on a topic end up discussing the terminology itself rather than the issue at hand :)

Props to the adult movie studios for public betas

[sjf]

If all those adult video companies seed betas of their movies on LimeWire, why is it unreasonable to believe that Microsoft wouldn't do the same with software ?

Just make sure you help them out by providing feedback...

trojans

[tgibbs]

This sounds similar to the recent trojan horse proof-of-concept.

No, that involved an application pretending to be a document. This is a case of an application pretending to be a different application. There is no security regarding the identity of applications, and an application can have any icon it chooses--the burden is on users to obtain their applications from trusted sources, not Limewire. Of course, if he really thought it was a "public beta," as he claims, he probably would have gone looking for it at the Microsoft web site.

Aha!

[karnifex]

to my delight the Microsoft icon looked genuine and trustworthy

This is where everything started to go wrong.

Re:I think of the old yarn

[3dr]

This guy deserved it. "I downloaded it thinking Microsoft may have released a public beta." Oh come on, the attempt at piracy is entirely clear.

Everyone else knows that they never release applications for public beta testing. They only release operating systems as public betas.

Well, you're close...

[Theatetus]

I'll quote wikipedia...

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm is self-contained and does not need to be part of another program to propagate itself.

So, to reiterate: a virus requires another executable as a host, a worm does not. That is the difference between the two.

The concept of a "trojan horse" is somewhat orthogonal to that of "virus" or "worm", though I think it is a distinct enough phenomenon to warrant its own designation.

Re:Well, you're close...

[Drooling+Iguana]

Windows 95?

I think...

[Cyno01]

That if i refered to someone as being "404", even my geekier friends would slap me. Almost as bad as the time i heard someone using the future slang from tom clancy's net force books...

Feature Suggestion - launch as untrusted

[soft_guy]

I think it would be a good idea to have a feature in OS X that could launch a program as "untrusted". It should be able to restrict the programs access to the file system, the network stack, etc. Kind of like what .Net does, except not as extreme.

7 levels of conspiracy theories

[Warlock48]

1- Some guy made a bad joke
2- A Mac zealot did it coz' he doesn't like Microsoft stuff running on Macs
3- Microsoft did it to teach pirates a lesson
4- A Linux zealot did it to discredit Microsoft
5- A BSD zealot did it to discredit Linux
6- SCO did it because they own the IP of all Unix-based systems, so there
7- Kevin Bacon did it

... Obviously, any of the above was controlled by NSA's orbital mind-controlling ''lasers''.

Re:I think of the old yarn

[BlackHawk-666]

Heh, Limewire is a well known app for getting warez^H^H^H^H^Hbetas from. He was probably also getting a beta of some albums he liked too.

Old news? 10 years ago we had this problem

[Foo2rama]

Isn't this old news?? Back in the BBS days alot of files floated around that purported to be installers. But when run they would trash your system folder, drop alot of viruses, and then install joke extensions. I know many of the So Cal mac BBS's had to clean out alot of files due to installers like these. So 10-11 years ago we had the same problem.

pirate who found something odd

[Agile+Monkey]

Ok, let's see here. He's poking around on limeware looking to get some free software. I'll call it piracy, you can call it "unauthorized downloading of a copyrighted work".

So anyway, this guy downloaded something, and *GASP* his ignorance of what software is out there made him get something he didn't want.

This might be kind of funny if its a friend of yours, but seriously folks, is this really front page material for slashdot? I love this site, I truly do, but please editors at least have some standards for what gets on the front page.

the best part

[SQLz]

The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.

Its all about the icon baby, all about the icon. As long as that *looks* legit, you know the warez are genuine. bahahaha.

A note from Intego

[theolein]

Q&A from Intego regarding Trojan Horse

Where did Intego first find out about this Trojan horse?
Intego, after writing and releasing the first mp3 trojan for the Mac OSX platform in order to improve our business, decided to write a dangerous Applescript, give it an installer icon and release it in order to further generate sales for our otherwise uselss AV products that no one wants. Even though this is not a real trojan and this approach involves social engineering that has been known about for years (We initially considered simply writing a readme file that instructed the user to type "rm -rf ~/" in the terminal, but thought that that would be too complex) we know thta our approach, known as the SCO school of IT business, is guaranteed to raise revenue.

Have you informed Apple, Microsoft and the CERT about this Trojan horse?
Yes, we informed Apple, Microsoft and the CERT as soon as had done our first working Applescript. They were very proud of us. Especially the people at Microsoft.

Has Microsoft made any comments about this Trojan horse?
Microsoft made the following comments: "Microsoft has verified that it does not write or encourage others to write trojans for the Macintosh platform. Microsoft, however, certainly is not above offering the occasional tip when it comes to torpedoing other company's platforms"

TEN Seconds?

[bfg9000]

'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'

Whaaaat? TEN FRICKIN' SECONDS!!! Dude, you need to upgrade. My G5 smoked my home directory in TWO.

Newsflash!

[mabu]

Mac user pirates a 10kB OSX version of Word and gets all his stuff deleted.

Don't you think Slashdot is the last place where people need to be made aware of something like this?

Turning your boneheaded mistake into a security advisory isn't going to win you much respect here.

Easy Pie...

[firew0lfz]

On the note about the whole making the Icon look like the real thing... uhm guys, can't you do this just as easy as in Windows?

Here is a link to get you guys started on tricking your friends into formatting their hard drives:
http://lockdowncorp.com/hackertricks.html

From that page:
"Dangerous Commands That Can Be Embedded

PIF Shortcut Extensions

Some hidden file extensions can easily be programmed with hidden commands that could do damage to your system. Following is a simple test:

1.

Right click your mouse on your desktop and select New
and then ShortCut
2.

In the command line type: format a: /autotest
3.

Click Next
4.

In the "Select a name for the shortcut" area type: readme.txt
5.

Click Next
6.

Select a notepad icon and click Finish

You now have a file on your desktop called readme.txt with a notepad icon. Make sure there is a disk in your drive that you do not mind being wiped and click on the icon. The file that you click on will do a format on the disk in the A: drive. Of course, the hacker's icon would target another drive, or maybe have a name such as 'game.exe' and with a command to delete your Windows directory or (deltree /y c:\*.*) your entire C drive!

If the PIF extension were not hidden, this would not be able to fool you."

Or, you could also do the following:

"SHS Extensions

Scrap files can also hide embedded commands. Following is a simple test:

1.

Make a copy of notepad.exe and put it on your desktop.
2.

Open Wordpad
3.

Click and drag notepad.exe into the open wordpad document.
4.

Click on Edit and select Package Object, then select Edit Package
5.

Click on Edit and then Command Line
6.

Type a command in the box such as format a: /autotest and click on Ok
7.

The Icon can also be changed from this edit window
8.

Exit from the edit window and it will update the document
9.

Click and drag notepad back to the desktop
10.

Rename the file that it created (Scrap) to Readme.txt

You now have what will look like a text file. If it is run it will format the disk in the A: drive. As seen in the example above for PIF Shortcut Extensions, the hacker could use more dangerous commands."

Various other types of info available there. Enjoy.