Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Mac OS X Virus?

Posted by ryuzaki0 on from the is-nothing-sacred dept.

bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.

12 of 577 comments (clear)

  1. Trojan Man? by green+pizza · · Score: 4, Interesting

    Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable? And does this script do any damage beyond the user's home directory? I.E., does it have some sort of a rootkit? Or does it simply prompt the user for the root/admin/sudo password?

    Somebody better wake up Apple and fix this application-looks-like-a-pretty-JPEG icon bug!!

    1. Re:Trojan Man? by CastrTroy · · Score: 4, Interesting

      Maybe we should be able to override the OS so that no matter what icon the executable file says it wants to display, the OS always shows an icon clearly depicting the fact that the file is an executable.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Trojan Man? by hunterx11 · · Score: 2, Interesting

      Actually, there was a similar trojan before disguised as an mp3. Apple responded to this in Tiger by making the .app extension of an application always appear at the end of its filename, ignoring any options to hide extensions. Unless this really has found some exploit, it is just a file.jpg.app.

      --
      English is easier said than done.
    3. Re:Trojan Man? by Vicsun · · Score: 4, Interesting

      An honest question (I'm pretty ignorant):

      How can a user differentiate between an executable file with a pretty icon and a jpeg in OSX (or Linux for that matter)? In Windows there are file extensions so a trojan with an icon will still have to be called something.exe in order to do any damage. How can I tell the difference between a binary file with an icon and a file that doesn't execute any code with the absense of extensions?

      Please don't laugh :(

    4. Re:Trojan Man? by cortana · · Score: 2, Interesting

      On Linux (and other traditional Unixes) you must deliberatly set the execute permission on a file before you can execute it.

    5. Re:Trojan Man? by Syberghost · · Score: 2, Interesting

      I can't figure out how this qualifies as a virus and this doesn't.

      Either this isn't a virus, or the "first" was two years ago.

    6. Re:Trojan Man? by Raffaello · · Score: 2, Interesting

      By default Mac OS X does not show file extensions of applications. If, like many more computer literate users, you elect to "show all file extensions" (Finder:Preferences:Advanced), this "virus" (which is actually a trojan of course) will show up as YaddaYadda.jpg.app and you'll see that it's just a lame attempt at a trojan.

      That said, it will definitely bite many naive mac users who think they are invulnerable, and don't realize that the Finder's default behavior, though a convenience for the computer illiterate, is very dangerous precisely because it allows executable trojans to masquerade as data files such as graphics, etc.

  2. Reminds me of old Applescript "hacks" by Anonymous Coward · · Score: 5, Interesting

    Back in high school we used to make little mean scripts in Applescript. Since there was no concept of security or multiple users in Mac OS 7 and 8, the script could do all sorts of nasty damage. All you had to do was compile/"save as" a standalone executable application from the Applescript Editor and paste an innocent icon on it. We liked to use the ClarisWorks icon to be extra mean.

    Another variant was useful on computers that were proteted with OnGuard or AtEase. Simply make a script that would pop up a dialog box asking for the password. An unknowning teacher would enter the password and the script would exit... leaving behind a log file with the password in it for later use.

    Nothing magical about these. Very basic trojan horses.

  3. Re:It's not a virus... by strider44 · · Score: 2, Interesting

    Hmm reading the article and the forum threads it seems that the trojan wrecks the user account should it be run, so you don't have to enter the Admin password.

    In other words MacOSX is giving *some* protection in that it can only attack the user that runs it, but that protection is shallow comfort. KDE has the best approach I think in this in that every executable, no matter what the extension etc, has the same executable icon. It also doesn't have automatic autoplay (possibly the worst "feature" of Windows). The icon of course in this case is what the trojan is exploiting.

    I'm not sure about this though, but don't Macs like KDE instead of showing an icon for JPEGs show a preview of the picture instead of a standard icon?

  4. Re:OT - never got that by JasonKChapman · · Score: 2, Interesting
    never really got the whole "look we'll hide the file type for you! So convenient!" thing in Windows. The first thing I do on a new Windows box is unhide system files and unhide known extensions.

    Oddly, it was intended to make Windows more Mac-like. The Mac GUI was heralded as being simpler and easier to use precisely because it didn't bog users down with techno-jargon like ".exe", ".com", etc. Windows decided to follow suit, while leaving the option available. The problem is, they were hiding the *one bloody thing* that determined whether or not the entity would execute with a double-click. OSs with execute bits don't need no stinkin' extensions for that.

    --
    Sorry, I'm a writer. That makes you raw material.
  5. The brilliance of shipping iPhoto with new Macs by SuperKendall · · Score: 2, Interesting

    I just realized how amrt it is of Apple to ship iPhoto with new consumer macs.

    See, if a trojoan like this comes along with something unpleasant really novice users will try to move it into iPhoto - which will just say "sorry, that's not an image".

    More advanced users that would just try and open an image in Preview would say "Opening an image file and it asks for my password? No thank you sir!".

    Which is why this trojan has not really spread, or really affected many computers.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Re:FUD of the day by TheNumberless · · Score: 2, Interesting

    That's why the first thing I do on a new OS X system is to set timestamps_timeout to 0 in sudoers. It eliminates this grace period, requiring a password prompt for every Admin action. With this change, I think running as Admin can be pretty safe.

    I could be overlooking some other security flaws, though...