First Mac OS X Virus?

bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.

It's not a virus...

[xwizbt]

Note the following from http://www.ambrosiasw.com/forums/index.php?showtop ic=102379 :

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

Re:It's not a virus...

[Shishak]

Um.. no, completly different

In the windows scenario you have a real .JPG image which contains code insdie of it that crashes the Windows JPG image library. The code in the image is then executed. In essence in windows a .JPG image file can become an executable running as user admin. This executable now has full access over your computer. This image can be embedded in an e-mail/web page and will execute, launch and own your machine with having you do anything but go to a website or read your e-mail

In the Mac scenario you have an executable which is made to look like an image because its icon was changed. The computer itself knows that it isn't an image so it doesn't try to load it automatically from e-mail or web. This 'virus' is designed to trick the user. The user needs to double click and run the executable. It will then try to write into a protected directory and the OS will prompt the user for the admin password. If the user is dumb enough to click on a executable *and* enter the admin password there really isn't much else you can do. The executable never actually crashes any part of the OS to gain control of the OS and do something that the user doesn't authorize.

Re:Trojan Man?

[Epaminondas+Pantulis]

I guess they put the standard JPEG icon in the app's bundle...

Re:Trojan Man?

[fracai]

There's this thing called reading the article... oh, right.

It's a "JPEG" because the author was clever enough to paste the icon of a JPEG onto the executable.
If the user is root, or possibly admin, the script writes files in /Library/InputManagers. If you aren't it does the same in the user Library.
No kit, just a prompt.

http://www.ambrosiasw.com/forums/index.php?showtop ic=102379 as linked from MacRumors has a really good writeup on what is going on.

Re:Trojan Man?

[n3k5]

Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable?

It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

It doesn't really disguise as an image. It just uses the OS X standard icon for images as its own icon. However, it does not have a jpeg extension and if you select it in the finder, you will not get a preview thumbnail, thus you would know that opening in the Preview application (which you would do by double clicking) cannot work. Maybe, if you have set your Finder not to display extensions, or just didn't pay attention, you would try to open it in another image viewer, which would fail and not do any harm.

Further

[ktappe]

In all the latest releases of OS X, the user will also receive the prompt "You are running for the first time. Are you sure you want to continue?" so that's *four* levels of security the user would have to specifically circumvent to be affected. At some point the responsibility has to reasonably be shifted from Apple to the user... -Kurt

Re:Trojan Man?

[Kadin2048]

It's almost impossible for a clueless user to run as root on an OS X box.

Actually running/logging-in as root requires either some non-trivial Terminal work, or going in through NetInfo Manager (a fairly intimidating config utility) and enabling the root account (which at least the time I did it, a few years ago, gave you some pretty stern warnings).

That's not to say that you can't have root-like privs -- the default first user on a Mac is an "Administrator," which just means that they can sudo -s and become root temporarily. However to do this you have to authenticate for every action. (Or every 5 minutes or so.) The MacOS "Administrator" level user is not as powerful as the WinXP type of Administrator (which is effectively a root account). Macs have three levels of users: root, Admins (who can sudo), and everyone else (who can't).

So yes, there are definitely ways that a clueless person could damage themselves with a trojan, if they just mindlessly type in their password into any box that comes up, regardless of the context in which they're being asked, but there is at least one more step stopping you from doing it compared to running on a Windows system.

Re:Trojan Man?

[Megane]

If the user is root, or possibly admin, the script writes files in /Library/InputManagers.

Um, why is my /Library chmod 775? It's that way on all four OS X machines that I can reach via SSH right now, two 10.4.x and two 10.3.x. Because there is no /Library/InputManagers in my /Library, so any program running under an admin account on my machine could create one. Admittedly, /Library/StartupItems being group-writable would be a much worse security violation (stuff in there runs as root at startup), and I have seen cases where installers will create one chmod 775 or 777, but I don't see any reason why a program that isn't setuid root (in other words, requiring the security dialog first) should be able to create new directories or drop files into /Library.

Anyhow, this is not a virus, it's a trojan. A virus attaches itself to existing executables (boot blocks included in the definition of "executables"). This is a trojan, and if it replicates, then it's a file-propagating worm (as opposed to the e-mail- and network- propagating worms that plague Windows). So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation. Whether that be saving an e-mail attachment to disk and then double-clicking on its icon on the desktop (this thing won't auto-open while reading e-mail), or simply using bad username/password combinations allowing a brute-force break-in over SSH, there is still no sign of any kind of fully-automated malware for OS X.

In the meantime, I'm going to be doing a lot of "sudo chmod 755 /Library".

Re:Trojan Man?

[ioErr]

In the old days Mac OS used to distinguish aliases from normal files and folders by showing their names in italics. That was a very good thing, but unfortunately it has been replaced by a tiny Windows-style arrow in the icon's bottom left corner instead. On the other hand, there was never an easy way to tell applications from documents or folders at a glance which always bothered me, not so much because of the threat of trojans as because you don't want to accidentally launch another program which just happened to look like a text document (curse those readmes) when you only have 10 MB of RAM.

Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.

Re:Trojan?

[99BottlesOfBeerInMyF]

How can it be a virus if it is a Trojan?

OK, welcome to malware nomenclature 101. Will everyone please take their seats. Thank you. There are three basic classifications for malware:

• trojan - malicious application disguised as either a benign application or data.
• virus - a malicious application that copies itself into other locations infecting data or applications in an attempt to spread. Viruses often attempt to e-mail, IM, FTP, etc. themselves to other machines.
• worm - a worm is a virus that auto-propagates. That is to say it sends copies of itself automatically and traditionally without any user intervention.

This particular malware is a trojan (partly disguised as a jpg) which them copies itself to a new location on your drive and modifies a few commonly used applications in order to spread itself via they Bonjour discovery and file transfer mechanism in OS X. It requires human intervention to extract itself run, spread, and for download. I'd call this a virus to be clear about its functionality.

List View

[Kadin2048]

That's a totally legitimate question.

If you choose "View as List" in the finder (equivalent to the Detail view in Windows), and then expand the window so that you can see the "Kind" column, the Finder will tell you the kind of file you're looking at. For example, Application, Picture, Document, etc.

The Finder looks at some stuff which is not visible to the user in determining this -- in addition to the ".app" file extension on Cocoa bundles, there are also the traditional Mac 'Type' and 'Creator' codes, stored in the file metadata in the resource fork. By setting a file's Type to "APPL," it becomes an executable. This is the traditional Macintosh analog to the UNIX eXecute bit (but arguably more flexible, since it also handles file typing), and is totally independent of the file name. But anything that you set this way will be clearly marked as an Application in List View, regardless of what you name it, or what kind of custom icon it has.

This is how the MP3Concept trojan worked, and how many old-school ResEdit tricks worked. You can have something that's legitimately named "Mp3Concept.mp3" and looks like an MP3 but is really an executable, by setting the Type and custom icons correctly. It's nothing new, people have been doing it for years. (There were a lot of ResEdit "hacks" that worked off of this principle -- for example, creating a dummy Excel document that gave a rude dialog when double-clicked.) I think it's because we've migrated away from OS 9 and the metadata concepts that people have forgotten how easy it is to do, and that the Mac still supports it.

Re:Trojan Man?

[Overly+Critical+Guy]

My file extensions show by default in all the OS X Tiger installations I've handled.

Regardless, this "virus" pops up an admin password prompt, like every other proof-of-concept OS X trojan that's been written in the past, which effectively stops it in its tracks. This isn't really news except to Apple-haters who can go "SEE NOW U'VE GOT VIRUSES LOLZ."

Re:FUD of the day

[MattHaffner]

... with the important exception of when you're running as an Admin user, in which case you don't get this important opportunity to prevent the program from modifying files it shouldn't.

What are you talking about? Admin accounts normally get password popups to do anything like this (system updates, system-wide installers, etc.). Are you saying in this specific instance it doesn't?

Re:FUD of the day

[Arandir]

Mac admin accounts are not like Windows admin accounts. They are not root accounts. You still have to sudo to do any root-level administration.

Re:Trojan Man?

[Ford+Prefect]

If, like many more computer literate users, you elect to "show all file extensions" (Finder:Preferences:Advanced), this "virus" (which is actually a trojan of course) will show up as YaddaYadda.jpg.app and you'll see that it's just a lame attempt at a trojan.

Actually, it seems that (as of 10.4.5, anyway) it'll show as 'YaddaYadda.jpg.app' even if you have the 'Show all file extensions' switched off - a bit of experimentation shows that if the first extension (in this case '.jpg') is a recognised file-type, then the '.app' gets shown as well.

So, from a display point of view:

• YaddaYadda.app -> YaddaYadda
  
• YaddaYadda.foo.app -> YaddaYadda.foo
  
• YaddaYadda.jpg.app -> YaddaYadda.jpg.app
  
• YaddaYadda.pdf.app -> YaddaYadda.pdf.app
  

... and so on.

Basically, if it's trying to impersonate another existing file-type, it'll tell you.