Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac Trojan Horse Disguised as Word 2004

Posted by pudge on from the caveat-pirator dept.

Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.

30 of 785 comments (clear)

  1. "Darwin" - style award winner by ericspinder · · Score: 5, Funny
    I downloaded the file [off Limewire] in the hope that perhaps Microsoft had released some sort of public beta...and to my delight the Microsoft icon looked genuine and trustworthy"
    We have got to come up with a name for "someone who makes a good effort at removing themselves from the Internet".
    --
    The grass is only greener, if you don't take care of your own lawn.
    1. Re:"Darwin" - style award winner by Ieshan · · Score: 5, Funny

      Already got one. Notice how "microsoft" came up, even in the story about the Trojan on a Mac?

    2. Re:"Darwin" - style award winner by rjamestaylor · · Score: 5, Funny

      Why do you think they call it Apple Darwin, anyway?

      --
      -- @rjamestaylor on Ello
    3. Re:"Darwin" - style award winner by Anonymous Coward · · Score: 5, Funny
      Trojan Horses do not wipe out Home folders... they only sit dormant and collect information. I think it was a virus that this guy downloaded, not a Trojan.

      Maybe if you look on Limewire you can find a "dictionary"

    4. Re:"Darwin" - style award winner by bamf · · Score: 5, Informative

      Actually I think you'll find that it fits the defintion of Trojan Horse perfectly.

    5. Re:"Darwin" - style award winner by SquadBoy · · Score: 5, Insightful

      This was a person who based a choice on whether or not to run an app based on how the ICON looked. They will repeat over and over and over again and wonder why the hell their shit keeps breaking.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    6. Re:"Darwin" - style award winner by anonymous+loser · · Score: 5, Funny

      This man is luckier than he realizes. He might have actually installed a Microsoft product instead of a mere trojan horse!

  2. New paradigm? by Suffering+Bastard · · Score: 5, Funny

    I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta...I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!

    Maybe this is Microsoft's new security paradigm. No one can steal your data, not even you!

    --
    "Molest me not with this pocket calculator stuff."
    - Deep Thought
    1. Re:New paradigm? by Bonker · · Score: 5, Insightful

      Surrrrreeee they thought it was a beta. Uh huh. That's why they went to Limewire rather than the MS website. Sure. Yeah.

      Open Office porters take note. At my last check, Mac users are still stuck with a sucky x11 version of OOO1.1 rather than the spiffy version available for Windows users.

      --
      The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  3. Think first by BWJones · · Score: 5, Insightful

    The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.

    Using Limewire? A likely story.

    The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"

    This is the risk you take when downloading stuff that you don't pay for. If you purchased Office 2004 from Microsoft (thus supporting the promotion and development of software for OS X), then you would have something to gripe about. As it stands, one might suggest you got what you paid for.....

    This is 2004, you should know by now not to open a file from an untrusted source.

    Well said. However, this does raise the possibility of other code that could be made to look like just about anything. So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.

    --
    Visit Jonesblog and say hello.
    1. Re:Think first by lukewarmfusion · · Score: 5, Funny

      "So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice."

      The Slashdot folks obviously think alot about what kinds of food they eat (everything) and who they have sex with (nobody).

    2. Re:Think first by somethinghollow · · Score: 5, Funny

      just like you would think about what you eat or who you have sex with

      Or who you eat and what you have sex with.

    3. Re:Think first by nomadic · · Score: 5, Funny

      Using Limewire? A likely story.

      Yes, that's probably the least credible statement I've ever seen on slashdot. Just so you understand the impact of this statement, I'll highlight the important words: that's probably the least credible thing I've ever seen on SLASHDOT.

  4. beta by pizza_milkshake · · Score: 5, Funny
    in the hope that perhaps Microsoft had released some sort of public beta...

    yeah.

  5. Let the Liar Beware by American+AC+in+Paris · · Score: 5, Funny
    A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.

    Uh-huh.

    Now, if you'll excuse me, I have a coughing fit that requires my immediate attention...

    --

    Obliteracy: Words with explosions

  6. don't be dumb billy. by SuperguyA1 · · Score: 5, Funny

    Let's see... You downloaded a microsoft public beta from a p2p net without checking ms's website for any existance of the beta. Then just because the icon looked like a m$ icon you figured it was safe with no virus scan? If you purchase this BEAUTIFUL florida swampland I have I bet your files will be restored and word 2004 will work fine

    call me

    --
    "as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
  7. Limewire Legal! by MacWannabe · · Score: 5, Funny

    Seriously, what a tard. The only things you can trust off Limewire is the quality porn!

  8. Dear trojan writers. by juuri · · Score: 5, Funny

    Instead of deleting a person's files (I know you 0wn3r3d th3m!@#!) how about you do the rest of us a favour.

    From this point on all trojans, such as this one, who invite idiots to test the lows of their computer skills should, instead of removing random files, disable a person's net connection. Think about the good you would suddenly be doing for the online world! You can make a positive difference! Your life isn't lost yet! Go you!

    --
    --- I do not moderate.
  9. Who would have thought ? by Jesrad · · Score: 5, Funny

    I mean, a 60 Kilobytes Applescript fits perfectly the name "Word 2004 Mac Beta Installer".

    D'uh.

    --
    Maybe we deserve this world ?
  10. Actually... by rtilghman · · Score: 5, Insightful


    If it was a windows installed you could check to make sure that various files were signed and authenticated by MS, information which I don't believe can actually be faked (dlls, exe, cab files, etc.).

    I don't know if Mac has a similar feature, and I don't know if some random moron like this guy would even have bothered to check. However, it would seem that MS' own security would indeed have offered a better chance of preventing such a Trojan. :)

    -rt

  11. Not like the recent warning by Anixamander · · Score: 5, Informative

    This sounds similar to the recent trojan horse proof-of-concept

    This is nothing of the sort. The recent warning was for mp3 or other non-executable looking files carrying a trojan horse payload...that is far sneakier than this. This is simply a program that doesn't do what it claims to do. He expected an executable, he got an executable. An if he really thought that Microsoft would relase a public beta through limewire...well, caveat emptor and all.

    Since it only deleted his home directory, it probably wasn't that sophisticated. I'm surprised it didn't attempt to escalate privilieges under the guise of an installer and do even more damage.

    I suppose I should make a clippy joke here (I'm really tempted), but I actually like office X and am looking forward to the next version.

    --
    Do not taunt Happy Fun Ball(TM)
  12. How to write a OS X Trojan by heyitsme · · Score: 5, Insightful

    1) Create shell script with "rm -rf $home/*"
    2) Package script with Microsoft Icon
    3) Upload to P2P network
    4) ???
    5) Laugh as retarded Slashdot editors call it valid malware

    Come on guys... lets get serious.

  13. Re:Fast User Switching Rules... by Bullet-Dodger · · Score: 5, Informative

    Little Snitch is good for preventing anything from phoning home. Does have slightly annoying behavior unless it's registered, however. Anyone know of an OSS program to do this?

  14. Trojan was reverse-engineered ! by Jesrad · · Score: 5, Funny

    Newsflash, the source code of the trojan has been obtained. It's thought to be something like this:
    ----------
    tell application "Finder"
    move home to trash
    empy trash
    end tell
    ----------

    --
    Maybe we deserve this world ?
  15. Like in biology, viruses have hosts by Theatetus · · Score: 5, Informative

    Just to clear things up for you:

    • A virus is a program that runs in the memory space of another executable and replicates itself to other instances of that executable; essentially, it's an unwanted plug-in.
    • A worm is a program that replicates itself against the user's wishes without requiring another executable as a host.
    • A Trojan horse is a program that masquerades as a desired program in order to gain access to the user's system. Trojan horses may or may not replicate themselves.

    This is pretty clearly a Trojan horse: it advertised itself to the lUser as a copy of Microsoft Word in order to gain access to his system. The payload of the unwanted software (be it virus, worm, Trojan, or something else) is irrelevant to its classification.

    --
    All's true that is mistrusted
  16. Props to the adult movie studios for public betas by sjf · · Score: 5, Funny

    If all those adult video companies seed betas of their movies on LimeWire, why is it unreasonable to believe that Microsoft wouldn't do the same with software ?

    Just make sure you help them out by providing feedback...

  17. Aha! by karnifex · · Score: 5, Funny
    to my delight the Microsoft icon looked genuine and trustworthy

    This is where everything started to go wrong.

  18. 7 levels of conspiracy theories by Warlock48 · · Score: 5, Funny
    1- Some guy made a bad joke
    2- A Mac zealot did it coz' he doesn't like Microsoft stuff running on Macs
    3- Microsoft did it to teach pirates a lesson
    4- A Linux zealot did it to discredit Microsoft
    5- A BSD zealot did it to discredit Linux
    6- SCO did it because they own the IP of all Unix-based systems, so there
    7- Kevin Bacon did it

    ... Obviously, any of the above was controlled by NSA's orbital mind-controlling ''lasers''.

  19. pirate who found something odd by Agile+Monkey · · Score: 5, Funny
    Ok, let's see here. He's poking around on limeware looking to get some free software. I'll call it piracy, you can call it "unauthorized downloading of a copyrighted work".

    So anyway, this guy downloaded something, and *GASP* his ignorance of what software is out there made him get something he didn't want.

    This might be kind of funny if its a friend of yours, but seriously folks, is this really front page material for slashdot? I love this site, I truly do, but please editors at least have some standards for what gets on the front page.

    --
    It puts the lotion on its skin or else it gets the hose again.
  20. A note from Intego by theolein · · Score: 5, Funny

    Q&A from Intego regarding Trojan Horse

    Where did Intego first find out about this Trojan horse?
    Intego, after writing and releasing the first mp3 trojan for the Mac OSX platform in order to improve our business, decided to write a dangerous Applescript, give it an installer icon and release it in order to further generate sales for our otherwise uselss AV products that no one wants. Even though this is not a real trojan and this approach involves social engineering that has been known about for years (We initially considered simply writing a readme file that instructed the user to type "rm -rf ~/" in the terminal, but thought that that would be too complex) we know thta our approach, known as the SCO school of IT business, is guaranteed to raise revenue.

    Have you informed Apple, Microsoft and the CERT about this Trojan horse?
    Yes, we informed Apple, Microsoft and the CERT as soon as had done our first working Applescript. They were very proud of us. Especially the people at Microsoft.

    Has Microsoft made any comments about this Trojan horse?
    Microsoft made the following comments: "Microsoft has verified that it does not write or encourage others to write trojans for the Macintosh platform. Microsoft, however, certainly is not above offering the occasional tip when it comes to torpedoing other company's platforms"