Mac Trojan Horse Disguised as Word 2004
Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.
The grass is only greener if you don't take care of your own lawn.
I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta...I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!
Maybe this is Microsoft's new security paradigm. No one can steal your data, not even you!
"Molest me not with this pocket calculator stuff."
- Deep Thought
The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.
Using Limewire? A likely story.
The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"
This is the risk you take when downloading stuff that you don't pay for. If you purchased Office 2004 from Microsoft (thus supporting the promotion and development of software for OS X), then you would have something to gripe about. As it stands, one might suggest you got what you paid for...
This is 2004, you should know by now not to open a file from an untrusted source.
Well said. However, this does raise the possibility of other code that could be made to look like just about anything. So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.
Visit Jonesblog and say hello.
This would never have happened if they were using a secure operating system like Windows.
yeah.
Uh-huh.
Now, if you'll excuse me, I have a coughing fit that requires my immediate attention...
Obliteracy: Words with explosions
Let's see... You downloaded a Microsoft public beta from a P2P net without checking MS's website for any existence of the beta. Then just because the icon looked like a M$ icon you figured it was safe with no virus scan? If you purchase this BEAUTIFUL Florida swampland I have, I bet your files will be restored and Word 2004 will work fine.
call me
"as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another man's flamebait)
Because everyone knows the icon is the best way to ascertain the security and authenticity of any piece of software. It's very secure and hard to change, uh huh.
This should be filed under the "Humans" topic as this has nothing to do with apple or even computers.
Trojan Horses are social problems -- there isn't much apple or microsoft or anyone can do other than try to keep people on their toes.
I mean come on, limewire?
davidu
# Hack the planet, it's important.
Seriously, what a tard. The only things you can trust off Limewire are the quality porn!
Instead of deleting a person's files (I know you 0wn3r3d th3m!@#!) how about you do the rest of us a favour.
From this point on all trojans, such as this one, who invite idiots to test the lows of their computer skills should, instead of removing random files, disable a person's net connection. Think about the good you would suddenly be doing for the online world! You can make a positive difference! Your life isn't lost yet! Go you!
--- I do not moderate.
I mean, a 60-kilobyte AppleScript perfectly fits the name "Word 2004 Mac Beta Installer".
D'uh.
Maybe we deserve this world?
This is a perfect use for Fast User Switching. Create an account with no perms and no data you care about losing. Test downloads in that account. You can do it without even logging out.
Be careful though of the fact that there's no restriction on network access for a 'no perms' account. (This is a failing of UNIX in general, not MacOS in particular.) This would allow Microsoft/anyone to put out a trojan like this, and send back a 'this IP fell for it' packet, or even run a server on a 'high' port (depending on your firewall configuration).
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
If it was a Windows installer, you could check to make sure that various files were signed and authenticated by MS, information which I don't believe can actually be faked (dlls, exe, cab files, etc.).
I don't know if Mac has a similar feature, and I don't know if some random moron like this guy would even have bothered to check. However, it would seem that MS' own security would indeed have offered a better chance of preventing such a Trojan.
-rt
A similar program on Windows could do far more than just hose someone's Home folder, because most Windows users run with high privileges.
This sounds similar to the recent trojan horse proof-of-concept
This is nothing of the sort. The recent warning was for mp3 or other non-executable-looking files carrying a trojan horse payload...that is far sneakier than this. This is simply a program that doesn't do what it claims to do. He expected an executable, he got an executable. And if he really thought that Microsoft would release a public beta through Limewire...well, caveat emptor and all.
Since it only deleted his home directory, it probably wasn't that sophisticated. I'm surprised it didn't attempt to escalate privileges under the guise of an installer and do even more damage.
I suppose I should make a clippy joke here (I'm really tempted), but I actually like office X and am looking forward to the next version.
Do not taunt Happy Fun Ball(TM)
1) Create shell script with "rm -rf $home/*"
2) Package script with Microsoft Icon
3) Upload to P2P network
4) ???
5) Laugh as retarded Slashdot editors call it valid malware
Come on guys... let's get serious.
How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD has a similar, but more limited, system called systrace. The TrustedBSD project and SELinux have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux, which I believe is integrated with Linux 2.6.
The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.
---------
WAP news
You have to wonder, word is a pretty hefty piece of software, did the attackers even bother padding the program? A really quick download time would be one of a multitude of clues that what you are downloading probably isn't legit.
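Two of the clues raised in this thread (an "installer" that is really a small compiled AppleScript applet, and a download far too small for the product it claims to be) can be checked before anything is double-clicked. The script below is an added example, not code from the thread or from Intego or Apple; the archive it inspects is constructed inline, and the minimum plausible size for an Office install is an assumed placeholder.

```python
import io
import zipfile

# Inside a zip, a Mac application bundle's executable sits under
# <name>.app/Contents/MacOS/ (a compiled AppleScript applet is "applet").
EXECUTABLE_MARKER = ".app/Contents/MacOS/"


def inspect_archive(data: bytes) -> dict:
    """Summarise a zip given as bytes: executables inside and total payload size."""
    executables = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size  # uncompressed size of this entry
            if EXECUTABLE_MARKER in info.filename and not info.is_dir():
                executables.append(info.filename)
    return {"executables": executables, "total_bytes": total}


def assess(data: bytes, expected_min_bytes: int) -> list:
    """Return reasons the download looks unlike what its name claims (empty if none)."""
    found = inspect_archive(data)
    reasons = []
    if found["executables"]:
        # The icon is taken from Resources/*.icns and proves nothing; what runs is in MacOS/.
        reasons.append("contains an executable bundle: " + ", ".join(found["executables"]))
    if found["total_bytes"] < expected_min_bytes:
        reasons.append("payload is %d bytes; the claimed product should be at least %d"
                       % (found["total_bytes"], expected_min_bytes))
    return reasons


def build_sample_archive() -> bytes:
    """Constructed sample: a ~60 KB applet bundle named like an Office installer."""
    buf = io.BytesIO()
    base = "Word 2004 Mac Beta Installer.app/Contents/"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(base + "Info.plist", "<plist/>")
        zf.writestr(base + "Resources/applet.icns", b"\0" * 2000)  # any borrowed icon fits here
        zf.writestr(base + "MacOS/applet", b"\0" * 58000)          # the part that actually runs
    return buf.getvalue()


# Assumed lower bound for a genuine office-suite installer (placeholder, not a published figure).
EXPECTED_OFFICE_MIN_BYTES = 100 * 1024 * 1024

if __name__ == "__main__":
    for reason in assess(build_sample_archive(), EXPECTED_OFFICE_MIN_BYTES):
        print("WARNING:", reason)
```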
Newsflash, the source code of the trojan has been obtained. It's thought to be something like this:
----------
tell application "Finder"
move home to trash
empy trash
end tell
----------
Maybe we deserve this world?
"404: Someone who's clueless. From the World Wide Web message "404, URL Not Found," meaning that the document you've tried to access can't be located. "Don't bother asking him...he's 404, man.""
Trolls lurk everywhere. Mod them down.
This is 2004, you should know by now not to open a file from an untrusted source.
This is 2004, you should know by now that Microsoft can't possibly have released Office 2004 this year.
I just made a new user to run an rm -rf ~ on to see how it looks.
:)
I have to say I'm impressed with how Apple handles this situation. You actually have to do rm -rf ~/* but anyway, once your home directory is emptied there is no error message. No flood of missing files or application crashes. You just log out and log back in and hey, you have the defaults loaded again like a fresh user. Being a Windows/Linux switcher I have to say this is handled quite differently than I expected. At least in Windows losing all your Windows files is gonna cause some serious problems; you may not be able to log back in again.
Maybe I'm odd but eh.
-Don.
Cwm, fjord-bank glyphs vext quiz
Remember, a good deal of the Mac users out there are clueless ex-Windows user friends that we instructed to purchase Macs after scrubbing their old PCs of viruses, adware, spyware and other such crap one too many times.
No matter how often we tell them otherwise, it is ingrained in them to use the icon as an indicator of a file's content. If it wasn't, then a great deal fewer email viruses would make it into the wild.
Strange that Microsoft has popped up in this one, huh? Hmm... if I were a conspiracy theorist....
The real issue is whether it can replicate itself and whether it can use security holes in OS X to distribute itself to others. I've been round and round with people on this topic and the conclusion is that, at every point, OS X presents too great a hurdle to allow it to occur. You either have to rely on lots of Apple programs working together to do it (which is too unwieldy and too visible to the user) or you have to rely on the more stealthy Unix stuff, much of which is turned off by default (i.e., no using mail quietly in the background to distribute the trojan/virus because sendmail is off by default.)
It seems to me that Intego is looking to scare people into buying their products and in doing so, they have blown any credibility they have.
--Rick "If it isn't broken, take it apart and find out why."
The files are not gone. MSWord 2004 is just converting them all to its native format. Even on a G5 however this will take another 6 days, so simply remain calm and trust to Microsoft.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Just to clear things up for you:
This is pretty clearly a Trojan horse: it advertised itself to the lUser as a copy of Microsoft Word in order to gain access to his system. The payload of the unwanted software (be it virus, worm, Trojan, or something else) is irrelevant to its classification.
All's true that is mistrusted
If all those adult video companies seed betas of their movies on LimeWire, why is it unreasonable to believe that Microsoft wouldn't do the same with software?
Just make sure you help them out by providing feedback...
This is where everything started to go wrong.
Everyone else knows that they never release applications for public beta testing. They only release operating systems as public betas.
I'll quote wikipedia...
So, to reiterate: a virus requires another executable as a host, a worm does not. That is the difference between the two.
The concept of a "trojan horse" is somewhat orthogonal to that of "virus" or "worm", though I think it is a distinct enough phenomenon to warrant its own designation.
All's true that is mistrusted
That if I referred to someone as being "404", even my geekier friends would slap me. Almost as bad as the time I heard someone using the future slang from Tom Clancy's Net Force books...
"Sic Semper Tyrannosaurus Rex."
I think it would be a good idea to have a feature in OS X that could launch a program as "untrusted". It should be able to restrict the programs access to the file system, the network stack, etc. Kind of like what .Net does, except not as extreme.
Avoid Missing Ball for High Score
2- A Mac zealot did it coz' he doesn't like Microsoft stuff running on Macs
3- Microsoft did it to teach pirates a lesson
4- A Linux zealot did it to discredit Microsoft
5- A BSD zealot did it to discredit Linux
6- SCO did it because they own the IP of all Unix-based systems, so there
7- Kevin Bacon did it
Heh, Limewire is a well known app for getting warez^H^H^H^H^Hbetas from. He was probably also getting a beta of some albums he liked too.
All those moments will be lost in time, like tears in rain.
So anyway, this guy downloaded something, and *GASP* his ignorance of what software is out there made him get something he didn't want.
This might be kind of funny if it's a friend of yours, but seriously folks, is this really front page material for Slashdot? I love this site, I truly do, but please editors, at least have some standards for what gets on the front page.
It puts the lotion on its skin or else it gets the hose again.
It's all about the icon baby, all about the icon. As long as that *looks* legit, you know the warez are genuine. bahahaha.
Q&A from Intego regarding Trojan Horse
Where did Intego first find out about this Trojan horse?
Intego, after writing and releasing the first mp3 trojan for the Mac OS X platform in order to improve our business, decided to write a dangerous AppleScript, give it an installer icon and release it in order to further generate sales for our otherwise useless AV products that no one wants. Even though this is not a real trojan and this approach involves social engineering that has been known about for years (we initially considered simply writing a readme file that instructed the user to type "rm -rf ~/" in the terminal, but thought that that would be too complex), we know that our approach, known as the SCO school of IT business, is guaranteed to raise revenue.
Have you informed Apple, Microsoft and the CERT about this Trojan horse?
Yes, we informed Apple, Microsoft and the CERT as soon as we had done our first working AppleScript. They were very proud of us. Especially the people at Microsoft.
Has Microsoft made any comments about this Trojan horse?
Microsoft made the following comments: "Microsoft has verified that it does not write or encourage others to write trojans for the Macintosh platform. Microsoft, however, certainly is not above offering the occasional tip when it comes to torpedoing other companies' platforms."
'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'
Whaaaat? TEN FRICKIN' SECONDS!!! Dude, you need to upgrade. My G5 smoked my home directory in TWO.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."