Slashdot Mirror
First Mac OS X Virus?
bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.
How can it be a virus if it is a Trojan?
You have to execute it yourself, and that is why it is _not_ a virus.
But, I don't think OS X users have too much to worry about yet.
Might be good in a way - to shake some people out of the complacent "OS X is invulnerable" mindset.
Uhm, how are proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG-icon, 95% of users won't notice.
The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.
Come on. MacOSRumors.com on a forum post. Let's not loose our heads and start spreading FUD because of something someone's brother's first cousins next-door neighbor read in a forum post. If you're smart enough not to accept random files and put your admin password in for anything that pops up - this won't be much of an issue.
If I have to type in my System Admin password to intall it, then I don't consider it a threat. This seems like a rather lame attempt at a vulnerability. The folks who would be interested in screenshots of 10.5 are the kind of folks who know an archive of photos does not require an admin password.
I don't think the underlying CPU architecture is much of an issue.
Most malware exploits flaws in the operating system and applications - not the hardware architecture.
I have heard this FUD from various Mac-heads (pissed at the change from PPC) that they are suddenly going to be swimming in malware due to a chip change. It's nonsense.
Before this "Virus" Can do anything on macOS X it should ask for the users password. So if the user is dumb enough to put in his/her password to OPEN a JPEG!! Then his/her password should be posted on /. with the ip of their computer.
Can you explain to me where the security flaw in OSX is in this case?
There is no double standard here.
John Gruber on daringfireball.net wrote at length recently about problems with OS X, mainly relating to how the Smart Crash library adds itself to applications through the Input Manager system hook. His current article "Smart Crash Reports Addenda" talks at length about the security implications of the input manager.
1. download it
2. double-click and decompress it.
3. double-click and execute it.
Everybody seems so certain that this is a non-starter on OSX because it requires some user intervention to propagate. I have bad news for you: there are clueless Mac users out there, too. These are probably the same folks who will click on a web popup to "see the lastest hollywood gaff" and then "accept" the untrusted executable when windows warns about the download to be executed. And they're the same ones who will dutifully click their bank url in an email and login to make sure their information is correct .
Never understimate the power of the incomptenece of 20% of your userbase.
Is it just my observation, or are there way too many stupid people in the world?
I tried to create an application that had a name of test.jpg.app and was pleased to find that, at least in Mac OS X 10.4.5, when you try to do this, the Finder displays the entire name, including the entire extension ".jpg.app", even though normally the ".app" portion is hidden. Take out the ".jpg" and the ".app" goes missing again. The "hide extension" option in the get info window is disabled when you have a name like ".jpg.app". So, it isn't quite so easy to disguise an application as a jpeg in Mac OS X. Of course not everyone is going to know what the .app means and so it being visible won't help them. Then again, if that's the case, they probably don't know what the .jpg means either!
.term file, which was set to hide the extension. When I made the name test.jpg.term, the full name was displayed including ".term", and the "hide extension" option was disabled.
I also tried doing this with a
--- What?
make your system idiot-proof, and the world will make a better idiot....
If I write:
/User/Home'....
#include
main()
{
(void) printf("Hello World\n");
return (0);
}
and also included a couple lines to 'rm -rf
Then I e-mailed or IM'd a person the executable, then asked them to decompress it, double-click on it, and laugh, that would be Mac OS X's first virus/trojan? Ohh wait, I need to associate a pretty icon to it too.....
As much as this author would like to claim they are the first, I think the programmers at Apple were the first ones to do this with their "Disk Utility" that a user has to click on to 'newfs' or your Windows users 'format' your hard drive.
I can not believe this made Slashdot....
Even better, I think is not to allow direct execution from the desktop shell. If you want to execute something make a 'desktop' file pointing to it. Also don't permit desktop files to have relative URLs, if this was possible an atacker could send the .desktop file with the executable in the same compressed file.
[]'s Victor Bogado da Silva Lins
^[:wq
When I download a dmg file with Safari, I get a warning if the dmg contains an executable. (Not sure if that's Safari doing the warning or the code that mounts the archive or what.) Something like this in the code that unpacks tar files would go a long way toward fixing it.
Devon
I was thinking about this. I can't imagine it would be all that hard -- there is already a visual flag applied to all "alias" (that's symlink) files, so it doesn't seem like it would be out of the question to do something similar for executables, based on the eXecute bit.
However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.
I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
And a whole bunch of other file display changes; icons don't help me as much as created date, file type, etc.
Anyway. This was a useful post.
You better watch out, there may be dogs about . .
Face it trollboy: if you would have done some more effort to see how it works, you would see from your own quoted definitions that this is not a virus. A virus spreads between different computers without any user interaction. However, this thing is only able to send the fake JPEG file to other computers via a few IM programs. The users on those other computers still need to be online, accept the file, and open it themselves to 'install' it. Therefore it is a trojan. Only within the limits of a single computer it could be considered a virus, because it can copy itself automatically to other programs upon opening an infected one (provided that the user who opens it has enough privileges to modify programs).
Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.
I like it. Good idea.
While we're at it, maybe they can give us back our aliases in italics at the same time; that was a nice 'no brainer' feature if I ever saw one.
That will probably go over better with application developers than some sort of visual indicator on the application's icon that would mess up their pretty custom look. Bolded text is definitely the better way to go.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
An even more novel solution: Apply a big fat red exclamation point to the bottom-right of the icon if the executable has never been run before--alongside prompting the user before running the executable for the first time (as is currently the case).
I hate Grammar Nazi's
I've said it before, I'll say it again: Never underestimate the power of human stupidity.
A rolling stone is worth two in the bush!
Precisely.
1.) This isn't the "first OS X virus." Several other proof-of-concept attempts have been written over the users, notably MP3Concept.
2.) This doesn't quality as a virus, it's more of a trojan.
3.) The fact it prompts for your password immediately renders it useless and ineffective as a trojan. I could write an AppleScript that deleted all of your system files but required your password to be entered for it to run--that doesn't mean I've written the "first OS X virus." It just means I've written a goofy program that relies on stupidity, which would be the same as any other password-based system in the world and not an OS flaw.
I was expecting a bunch of rampant Apple-bashing in the comments here, but it seems a lot of people are recognizing that this is non-news. Another password-required proof-of-concept that doesn't really do anything.
"Sufferin' succotash."
The flaw is that a file of one type is able to present itself as a file of another. This flaw was widely exploited in Windows a few years ago with the notorious "britney.jpg .vbs" type attacks, in which even though the icon was wrong (!!) people saw the file extension and opened it.
I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application. On OS X, you can copy and paste any icon into file in the Get Info window. I have cool Mario icons for my various external USB drives. Someone just copied and pasted the JPEG icon in this case.
The fact that clicking this thing prompts for a password means OS X is correctly protecting you from this kind of an attack. Beyond that, anyone entering the password and enabling admin access for this program is at fault, not OS X.
"Sufferin' succotash."
I understand just fine what's going on here. The problem is that humans go by icon to determine file type, whereas the machine goes via some other mechanism. The fact that you can find out what the machine thinks it is via some other route isn't relevant - the same was true of Windows yet the exploit still worked on significant numbers of people. It's for this reason that Outlook refuses to let you open or save executable file types these days.
This story is the biggest FUD of the day.
.tgz file in Safari, Safari warns you that it's an application, and you have to click to continue.
1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.
2.) When you download this
3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.
Like I said--FUD of the day.
"Sufferin' succotash."
Reading the Dvorak piece, you're right, he's on crack!
I guess he doesn't realize just how many people buy Macs specifically because of the OS. He says they'd like to compete on "even ground" with Dell, Sony, etc -- when in fact the OS gives him a high ground to fight from. If Macs shipped with Windows, I bet at least half their current userbase would go from being grudgingly accepting of the steep premium you pay for their hardware to being rightly pissed off. The hardware isn't _that_ much better than what you can buy in the Windows world. Why would I continue to pay 30-50% more and what would I be getting that justified that, and is it something that would be compelling for IT purchasing? Somehow I don't think so.
I say this as someone who has spent over $20K on Apple hardware out of my own pocket in the last 5 years. If Apple shipped with Windows instead of MacOS, that number would be closer to $2K (ie, just the iPods).