Slashdot Mirror


First Mac OS X Virus?

bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.


  1. Phew! by Anonymous Coward · · Score: 5, Funny

    Glad I just 'switched' to windows ;-)

    (fp?)

    1. Re:Phew! by Anonymous Coward · · Score: 5, Funny

      Should have waited. Dvorak is predicting that Apple will adopt Windows.

      I wish I also got paid to be a crackhead.

    2. Re:Phew! by didit · · Score: 2, Funny
      Dvorak is predicting that Apple will adopt Windows.
      Too bad he wrote his article before knowing about this trojan, otherwise he would have seen the big picture: Microsoft is behind this trojan and is going to use it to install Windows on Intel Macs. That's how Apple will "adopt" Windows.
    3. Re:Phew! by sulam · · Score: 2, Insightful

      Reading the Dvorak piece, you're right, he's on crack!

      I guess he doesn't realize just how many people buy Macs specifically because of the OS. He says they'd like to compete on "even ground" with Dell, Sony, etc -- when in fact the OS gives him a high ground to fight from. If Macs shipped with Windows, I bet at least half their current userbase would go from being grudgingly accepting of the steep premium you pay for their hardware to being rightly pissed off. The hardware isn't _that_ much better than what you can buy in the Windows world. Why would I continue to pay 30-50% more and what would I be getting that justified that, and is it something that would be compelling for IT purchasing? Somehow I don't think so.

      I say this as someone who has spent over $20K on Apple hardware out of my own pocket in the last 5 years. If Apple shipped with Windows instead of MacOS, that number would be closer to $2K (ie, just the iPods).

  2. Trojan Man? by green+pizza · · Score: 4, Interesting

    Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable? And does this script do any damage beyond the user's home directory? i.e., does it have some sort of a rootkit? Or does it simply prompt the user for the root/admin/sudo password?

    Somebody better wake up Apple and fix this application-looks-like-a-pretty-JPEG icon bug!!

    1. Re:Trojan Man? by Epaminondas+Pantulis · · Score: 5, Informative

      I guess they put the standard JPEG icon in the app's bundle...

    2. Re:Trojan Man? by fracai · · Score: 5, Informative

      There's this thing called reading the article... oh, right.

      It's a "JPEG" because the author was clever enough to paste the icon of a JPEG onto the executable.
      If the user is root, or possibly admin, the script writes files in /Library/InputManagers. If you aren't it does the same in the user Library.
      No kit, just a prompt.

      http://www.ambrosiasw.com/forums/index.php?showtopic=102379 as linked from MacRumors has a really good writeup on what is going on.

      --
      -- i am jack's amusing sig file
    3. Re:Trojan Man? by mstroeck · · Score: 5, Insightful

      Uhm, how are you proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG icon, 95% of users won't notice.

      The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.

    4. Re:Trojan Man? by n3k5 · · Score: 4, Informative
      Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable?
      It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

      It doesn't really disguise as an image. It just uses the OS X standard icon for images as its own icon. However, it does not have a jpeg extension and if you select it in the finder, you will not get a preview thumbnail, thus you would know that opening in the Preview application (which you would do by double clicking) cannot work. Maybe, if you have set your Finder not to display extensions, or just didn't pay attention, you would try to open it in another image viewer, which would fail and not do any harm.
      --
      but what do i know, i'm just a model.
    5. Re:Trojan Man? by squidguy · · Score: 2, Informative

      It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

      You raise valid points here. This is a single instance, but undoubtedly more will come and we need to view these developments agnostically.
      Unfortunately, despite all best efforts to dissuade the novices, folks still tend to run as root or admin on their systems. A large percentage of Windows virii won't infect unless the user has admin privs, and unfortunately, M$ doesn't do a good enough job of dissuading this in their earlier platforms. Vista supposedly (I haven't hacked on it yet) does a better job of pushing least privilege and a *nix-like SU model (but since at least the 2000 platform, the RUN AS option existed) -- don't know how this'll work with the clueless crowd yet.
      The advantage of *nix is that it at least (in most cases) makes the user think twice about running as root.
      My point is - if we get novices (and some lazy experienced types) using OS X or RedHat or whatever, some will undoubtedly run as root, admin etc because they are too lazy or too clueless to run as least privileges. Ergo, the existence of OS X virii & trojans should not be taken lightly.

    6. Re:Trojan Man? by erwin · · Score: 2, Insightful

      make your system idiot-proof, and the world will make a better idiot....

    7. Re:Trojan Man? by CastrTroy · · Score: 4, Interesting

      Maybe we should be able to override the OS so that no matter what icon the executable file says it wants to display, the OS always shows an icon clearly depicting the fact that the file is an executable.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    8. Re:Trojan Man? by hunterx11 · · Score: 2, Interesting

      Actually, there was a similar trojan before disguised as an mp3. Apple responded to this in Tiger by making the .app extension of an application always appear at the end of its filename, ignoring any options to hide extensions. Unless this really has found some exploit, it is just a file.jpg.app.

      --
      English is easier said than done.
    9. Re:Trojan Man? by devonbowen · · Score: 4, Insightful
      Uhm, how are proposing to "fix" this?

      When I download a dmg file with Safari, I get a warning if the dmg contains an executable. (Not sure if that's Safari doing the warning or the code that mounts the archive or what.) Something like this in the code that unpacks tar files would go a long way toward fixing it.

      Devon

    10. Re:Trojan Man? by Kadin2048 · · Score: 4, Informative

      It's almost impossible for a clueless user to run as root on an OS X box.

      Actually running/logging-in as root requires either some non-trivial Terminal work, or going in through NetInfo Manager (a fairly intimidating config utility) and enabling the root account (which at least the time I did it, a few years ago, gave you some pretty stern warnings).

      That's not to say that you can't have root-like privs -- the default first user on a Mac is an "Administrator," which just means that they can sudo -s and become root temporarily. However to do this you have to authenticate for every action. (Or every 5 minutes or so.) The MacOS "Administrator" level user is not as powerful as the WinXP type of Administrator (which is effectively a root account). Macs have three levels of users: root, Admins (who can sudo), and everyone else (who can't).

      So yes, there are definitely ways that a clueless person could damage themselves with a trojan, if they just mindlessly type in their password into any box that comes up, regardless of the context in which they're being asked, but there is at least one more step stopping you from doing it compared to running on a Windows system.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    11. Re:Trojan Man? by Vicsun · · Score: 4, Interesting

      An honest question (I'm pretty ignorant):

      How can a user differentiate between an executable file with a pretty icon and a jpeg in OSX (or Linux for that matter)? In Windows there are file extensions so a trojan with an icon will still have to be called something.exe in order to do any damage. How can I tell the difference between a binary file with an icon and a file that doesn't execute any code with the absence of extensions?

      Please don't laugh :(

    12. Re:Trojan Man? by Kadin2048 · · Score: 5, Insightful

      I was thinking about this. I can't imagine it would be all that hard -- there is already a visual flag applied to all "alias" (that's symlink) files, so it doesn't seem like it would be out of the question to do something similar for executables, based on the eXecute bit.

      However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.

      I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    13. Re:Trojan Man? by Ortega-Starfire · · Score: 5, Funny

      All you have to do is right click... oh, nm

      --
      ---- Liquid was a patriot ----
    14. Re:Trojan Man? by cortana · · Score: 2, Interesting

      On Linux (and other traditional Unixes) you must deliberately set the execute permission on a file before you can execute it.

    15. Re:Trojan Man? by Megane · · Score: 4, Informative
      If the user is root, or possibly admin, the script writes files in /Library/InputManagers.

      Um, why is my /Library chmod 775? It's that way on all four OS X machines that I can reach via SSH right now, two 10.4.x and two 10.3.x. Because there is no /Library/InputManagers in my /Library, so any program running under an admin account on my machine could create one. Admittedly, /Library/StartupItems being group-writable would be a much worse security violation (stuff in there runs as root at startup), and I have seen cases where installers will create one chmod 775 or 777, but I don't see any reason why a program that isn't setuid root (in other words, requiring the security dialog first) should be able to create new directories or drop files into /Library.

      Anyhow, this is not a virus, it's a trojan. A virus attaches itself to existing executables (boot blocks included in the definition of "executables"). This is a trojan, and if it replicates, then it's a file-propagating worm (as opposed to the e-mail- and network- propagating worms that plague Windows). So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation. Whether that be saving an e-mail attachment to disk and then double-clicking on its icon on the desktop (this thing won't auto-open while reading e-mail), or simply using bad username/password combinations allowing a brute-force break-in over SSH, there is still no sign of any kind of fully-automated malware for OS X.

      In the meantime, I'm going to be doing a lot of "sudo chmod 755 /Library".

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
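The /Library permission check described in the comment above, written out as a small audit script. This is an added example, not code from the thread or from Apple; the target directories (/Library, /Library/InputManagers, /Library/StartupItems) are taken from the comment as an assumption, and the fix applied is the comment's own `chmod 755`. The self-check builds a throwaway directory so the script can be exercised on any Unix without touching a real /Library.

```python
"""Audit directories that should not be writable by the admin group or by
everyone, and apply the chmod 755 fix from the thread.

Added example; not Apple's code and not from the thread.  Target list is an
assumption taken from the comment.
"""
import os
import stat

# Paths the comment names as places a non-root process could drop code.
# Assumption: these are the ones worth checking; extend as needed.
DEFAULT_TARGETS = ["/Library", "/Library/InputManagers", "/Library/StartupItems"]


def perm_problems(path):
    """Return human-readable problems for one directory (empty list if fine).

    A group- or world-writable directory lets any process running under a
    member of that group (the admin group, in the comment's case) create files
    or subdirectories there without any authorization dialog appearing.
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return problems  # a missing directory is not a problem by itself
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWGRP:
        problems.append("group-writable (mode %o)" % mode)
    if mode & stat.S_IWOTH:
        problems.append("world-writable (mode %o)" % mode)
    if st.st_uid != 0:
        problems.append("owner uid %d is not root" % st.st_uid)
    return problems


def audit(targets=DEFAULT_TARGETS):
    """Map each target path to its problems; clean paths are omitted."""
    report = {}
    for p in targets:
        probs = perm_problems(p)
        if probs:
            report[p] = probs
    return report


def fix_mode(path):
    """Strip group and other write bits (775 -> 755) and return the new mode."""
    st = os.lstat(path)
    new_mode = stat.S_IMODE(st.st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, new_mode)
    return new_mode


def self_check():
    """Constructed demonstration on a fresh temp directory set to 775.

    Returns (problems_before, problems_after) around fix_mode().
    """
    import shutil
    import tempfile
    d = tempfile.mkdtemp(prefix="libaudit_")
    try:
        os.chmod(d, 0o775)       # the default the comment observed on /Library
        before = perm_problems(d)
        fix_mode(d)              # the comment's "sudo chmod 755 /Library"
        after = perm_problems(d)
    finally:
        shutil.rmtree(d)
    return before, after


if __name__ == "__main__":
    for path, probs in audit().items():
        print(path, "->", "; ".join(probs))
```

Run it as root to get a meaningful owner check; the ownership line is informational when run as an ordinary user. Note that tightening /Library's mode does not stop a trojan run by a non-admin user from writing to ~/Library, which the comment above already points out.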
    16. Re:Trojan Man? by Kadin2048 · · Score: 2, Informative

      Um, I'm admittedly not looking at my OS X box right now, but unless this change was made in the 10.4.4 update (the one released just in the past few days via Software Update), the ".app" extension is hidden on most Applications, at least with the general "hide extensions" preference turned on in the Finder.

      The MP3Concept trojan didn't disguise itself because the Finder was hiding the ".app" extension, anyway. It's filename really was "MP3Concept.mp3". If you had gone in and looked at it via the Terminal, that's what you would have seen.

      It was an executable because of the way its metadata was set: it had a "type" of APPL, for application, thus it would execute when double-clicked. The icon came because the creator had simply given the iTunes MP3 file icon as the application bundle's custom icon resource (this is the same way a legitimate application sets itself to a custom icon). It wasn't being assigned automatically by the Finder or anything else. This type of exploit isn't really new, it would have worked just as well on MacOS9 (and probably even better); back in the day there were lots of dumb little tricks that you could do to take advantage of the same thing (you could make small applications that put up rude dialog boxes, for instance, and disguise them as documents).

      And (as screenshots on the link below show), if you had looked at the MP3Concept.mp3 file in the Finder's list view, it would be correctly reported as an Application, not a Document. (Because the Finder looks at the file metadata in addition to the filename, when determining what it is.)

      Without appending ".app" to the end of every Carbon application out there still in use, which in some cases might cause problems, and then not letting the user turn off the displaying of extensions (which would piss off a lot of longtime Mac users), I don't think there's really any way to prevent this. I find the change you're saying Apple made somewhat doubtful, although I'm open to any evidence you have.

      More info on the MP3Concept trojan:
      http://daringfireball.net/2004/04/crying_wolf

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    17. Re:Trojan Man? by Shanep · · Score: 2, Informative

      All you have to do is right click... oh, nm

      Humour aside, that is actually correct. Right click if you have a two or more button mouse and choose Get Info. Notice "Kind" will state "Application". If you have a single button mouse you can Control click in place of right clicking. If it is a JPG then it should say "JPEG image".

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    18. Re:Trojan Man? by ioErr · · Score: 3, Informative

      In the old days Mac OS used to distinguish aliases from normal files and folders by showing their names in italics. That was a very good thing, but unfortunately it has been replaced by a tiny Windows-style arrow in the icon's bottom left corner instead. On the other hand, there was never an easy way to tell applications from documents or folders at a glance which always bothered me, not so much because of the threat of trojans as because you don't want to accidentally launch another program which just happened to look like a text document (curse those readmes) when you only have 10 MB of RAM.

      Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.

    19. Re:Trojan Man? by Syberghost · · Score: 2, Interesting

      I can't figure out how this qualifies as a virus and this doesn't.

      Either this isn't a virus, or the "first" was two years ago.

    20. Re:Trojan Man? by Kadin2048 · · Score: 4, Insightful

      Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.

      I like it. Good idea.

      While we're at it, maybe they can give us back our aliases in italics at the same time; that was a nice 'no brainer' feature if I ever saw one.

      That will probably go over better with application developers than some sort of visual indicator on the application's icon that would mess up their pretty custom look. Bolded text is definitely the better way to go.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    21. Re:Trojan Man? by Eccles · · Score: 2, Informative

      Unfortunately, despite all best efforts to dissuade the novices, folks still tend to run as root or admin on their systems.

      That's true on Windows, because it's a PITA otherwise. There are plenty of apps that won't run except as admin, or unless you've somehow fixed some set of permissions that is not identified when you try (and fail) to run the app.

      I try to run not as admin on Windows. I installed an app called, I believe, FileTweak recently. Now every time I try to get a file's properties, I get a half-dozen alerts about not having the proper permissions before the properties pane. Woo hoo!

      Macs are much more usable without being admin, which is one reason I'm about to get an iMac.

      --
      Ooh, a sarcasm detector. Oh, that's a real useful invention.
    22. Re:Trojan Man? by Gropo · · Score: 3, Insightful

      An even more novel solution: Apply a big fat red exclamation point to the bottom-right of the icon if the executable has never been run before--alongside prompting the user before running the executable for the first time (as is currently the case).

      --
      I hate Grammar Nazi's
    23. Re:Trojan Man? by JWW · · Score: 2, Informative

      I agree it's a trojan, not a virus. If you turn on file extensions, you'd see that it's a .app with a jpeg icon. They're just being sneaky, not really using a flaw in the OS.

    24. Re:Trojan Man? by Vladimus · · Score: 3, Insightful
      So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation.

      I've said it before, I'll say it again: Never underestimate the power of human stupidity.

      --

      A rolling stone is worth two in the bush!

    25. Re:Trojan Man? by dfgchgfxrjtdhgh.jjhv · · Score: 2, Informative

      a virus is actually an executable that attaches itself to other executables & runs whenever they run.

      this is a trojan/worm, just like most malware that matches your incorrect description of a virus.

      computer virus n. A computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.
      http://www.answers.com/topic/computer-virus
    26. Re:Trojan Man? by cortana · · Score: 2, Informative

      In which case, the program that created the file is broken.

    27. Re:Trojan Man? by Raffaello · · Score: 2, Interesting

      By default Mac OS X does not show file extensions of applications. If, like many more computer literate users, you elect to "show all file extensions" (Finder:Preferences:Advanced), this "virus" (which is actually a trojan of course) will show up as YaddaYadda.jpg.app and you'll see that it's just a lame attempt at a trojan.

      That said, it will definitely bite many naive mac users who think they are invulnerable, and don't realize that the Finder's default behavior, though a convenience for the computer illiterate, is very dangerous precisely because it allows executable trojans to masquerade as data files such as graphics, etc.

    28. Re:Trojan Man? by Overly+Critical+Guy · · Score: 3, Informative

      My file extensions show by default in all the OS X Tiger installations I've handled.

      Regardless, this "virus" pops up an admin password prompt, like every other proof-of-concept OS X trojan that's been written in the past, which effectively stops it in its tracks. This isn't really news except to Apple-haters who can go "SEE NOW U'VE GOT VIRUSES LOLZ."

      --
      "Sufferin' succotash."
    29. Re:Trojan Man? by PitaBred · · Score: 2

      The problem is that so many people think that their macs are unassailable, so they don't think twice about typing in their password. This wouldn't be seen in the wild if they didn't.

    30. Re:Trojan Man? by Ford+Prefect · · Score: 4, Informative
      If, like many more computer literate users, you elect to "show all file extensions" (Finder:Preferences:Advanced), this "virus" (which is actually a trojan of course) will show up as YaddaYadda.jpg.app and you'll see that it's just a lame attempt at a trojan.

      Actually, it seems that (as of 10.4.5, anyway) it'll show as 'YaddaYadda.jpg.app' even if you have the 'Show all file extensions' switched off - a bit of experimentation shows that if the first extension (in this case '.jpg') is a recognised file-type, then the '.app' gets shown as well.

      So, from a display point of view:

      • YaddaYadda.app -> YaddaYadda
      • YaddaYadda.foo.app -> YaddaYadda.foo
      • YaddaYadda.jpg.app -> YaddaYadda.jpg.app
      • YaddaYadda.pdf.app -> YaddaYadda.pdf.app
      ... and so on.

      Basically, if it's trying to impersonate another existing file-type, it'll tell you.

      --
      Tedious Bloggy Stuff - hooray?
  3. It's not a virus... by xwizbt · · Score: 5, Informative

    Note the following from http://www.ambrosiasw.com/forums/index.php?showtopic=102379 :

    You cannot be infected by this unless you do all of the following:

    1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

    2) Double-click on the file to decompress it

    3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

    You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

    1. Re:It's not a virus... by slungsolow · · Score: 3, Insightful

      If I have to type in my System Admin password to install it, then I don't consider it a threat. This seems like a rather lame attempt at a vulnerability. The folks who would be interested in screenshots of 10.5 are the kind of folks who know an archive of photos does not require an admin password.

    2. Re:It's not a virus... by strider44 · · Score: 2, Interesting

      Hmm reading the article and the forum threads it seems that the trojan wrecks the user account should it be run, so you don't have to enter the Admin password.

      In other words MacOSX is giving *some* protection in that it can only attack the user that runs it, but that protection is shallow comfort. KDE has the best approach I think in this in that every executable, no matter what the extension etc, has the same executable icon. It also doesn't have automatic autoplay (possibly the worst "feature" of Windows). The icon of course in this case is what the trojan is exploiting.

      I'm not sure about this though, but don't Macs like KDE instead of showing an icon for JPEGs show a preview of the picture instead of a standard icon?

    3. Re:It's not a virus... by pubjames · · Score: 5, Insightful

      Can you explain to me where the security flaw in OSX is in this case?

      There is no double standard here.

    4. Re:It's not a virus... by confused+one · · Score: 3, Insightful
      Yes... Unfortunately the Windows user world has shown that more than enough people will

      1. download it

      2. double-click and decompress it.

      3. double-click and execute it.

    5. Re:It's not a virus... by WhiteWolf666 · · Score: 2

      It's not a malicious graphic flaw. It's an executable file, for Christ's sake.

      It does not use the Operating System's JPEG handling code. It's an executable, like any other. Running this program is no different than dragging your home directory to the trash; both require user stupidity.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    6. Re:It's not a virus... by Shishak · · Score: 5, Informative

      Um.. no, completely different

      In the windows scenario you have a real .JPG image which contains code inside of it that crashes the Windows JPG image library. The code in the image is then executed. In essence in windows a .JPG image file can become an executable running as user admin. This executable now has full access over your computer. This image can be embedded in an e-mail/web page and will execute, launch and own your machine without having you do anything but go to a website or read your e-mail.

      In the Mac scenario you have an executable which is made to look like an image because its icon was changed. The computer itself knows that it isn't an image so it doesn't try to load it automatically from e-mail or web. This 'virus' is designed to trick the user. The user needs to double click and run the executable. It will then try to write into a protected directory and the OS will prompt the user for the admin password. If the user is dumb enough to click on an executable *and* enter the admin password there really isn't much else you can do. The executable never actually crashes any part of the OS to gain control of the OS and do something that the user doesn't authorize.

      --
      Now I hope and pray that I will But today I am still, just a bill
    7. Re:It's not a virus... by bogado · · Score: 2, Insightful

      Even better, I think is not to allow direct execution from the desktop shell. If you want to execute something make a 'desktop' file pointing to it. Also don't permit desktop files to have relative URLs, if this was possible an attacker could send the .desktop file with the executable in the same compressed file.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    8. Re:It's not a virus... by lenhap · · Score: 2, Informative

      Macs do show a preview of the picture instead of the icon for JPEGs IF the user has clicked on the file in the finder window (the three panel view), in which case it also will have text telling the user the type of file. In this it would continue to display the JPEG icon instead of showing a preview of the picture and the text would tell you it was an "application (powerpc)" or something like that.

      Another thing of note is that if this file was downloaded through safari, safari would attempt to uncompress the file and then warn the user that there are executable files in the compressed file, asking if the user wants to continue (uncompressing the file). So if it was downloaded through safari, the user would be notified of the file's applicationess vs. normal jpegness. Also, safari does not ever execute downloaded files for the user. I am not certain, but I would guess that using iChat would do the same with a downloaded/transfered file. Also, apple has a finder option to always display the file extension of every file (off by default) which would make this file be titled something like "newOSpreview.jpeg.app" which would hopefully catch the user's attention. One other thing to note is that if the user downloaded the file using safari, the default save location is the desktop which would mean the user wouldn't get the aforementioned preview of the file if they clicked on it (or double clicked).

      The trade off here is that with customizable icons, the applications (which are often executed from the dock or the finder) are more identifiable to users vs. the way kde does it. Under Mac OS X the user would only have the application name to find a file, which is far more difficult than identifying an icon of the application wanted. However kde uses a "launch" button much like windows so identifying an application (or executable script or whatnot) by icon is not needed.
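The "warn before unpacking an archive that contains executables" behaviour that devonbowen asks for in tar handling, and that lenhap describes Safari doing for downloads, as an added example that is not part of the thread and is neither Apple's nor the trojan's code. It inspects a .tgz before extraction and reports members that carry an execute bit, live inside a `.app` bundle, or begin with the Mach-O or `#!` magic regardless of file name; it also flags member paths that would escape the extraction directory, a separate archive hazard worth checking at the same point. The sample archive, its member names and contents are constructed here so the script runs offline; the Mach-O magic numbers are the documented ones (`0xfeedface`, `0xfeedfacf`, and `0xcafebabe` for fat binaries).

```python
"""Pre-extraction scan of a .tgz for executables and .app bundles.

Added example; not Apple's code and not from the thread.  Sample archive
members below are constructed for demonstration.
"""
import io
import stat
import tarfile

# Leading bytes of content worth flagging.  Mach-O stores its magic in host
# byte order, so an x86 binary starts with the little-endian form; the fat
# ("universal") header is always big-endian.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big / little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe",                        # fat / universal binary
}
JPEG_MAGIC = b"\xff\xd8\xff"


def classify_bytes(head):
    """Label content by its leading bytes, ignoring the file name and icon."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o executable"
    if head[:2] == b"#!":
        return "script"
    if head[:3] == JPEG_MAGIC:
        return "jpeg"
    return "other"


def unsafe_path(name):
    """True for member names that would land outside the extraction dir."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts


def touches_app_bundle(name):
    """True if any path component is a *.app directory; the Finder-launched
    binary of such a bundle sits under Contents/MacOS/."""
    return any(part.endswith(".app") for part in name.split("/"))


def scan_tgz(data):
    """Return one finding dict per member that deserves a warning."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf:
            reasons = []
            if unsafe_path(m.name):
                reasons.append("path escapes extraction dir")
            if touches_app_bundle(m.name):
                reasons.append("inside .app bundle")
            if m.isfile():
                if m.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    reasons.append("execute bit set")
                kind = classify_bytes(tf.extractfile(m).read(4))
                if kind in ("mach-o executable", "script"):
                    reasons.append("content is " + kind)
            if reasons:
                findings.append({"name": m.name, "reasons": reasons})
    return findings


def build_sample_archive():
    """Constructed test data: a genuine JPEG, a fake 'screenshot' that is really
    an application bundle holding a Mach-O binary, and a traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, content, mode=0o644):
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            ti.mode = mode
            tf.addfile(ti, io.BytesIO(content))
        add("latestpics/shot1.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
        add("latestpics/latestpics.jpg.app/Contents/MacOS/latestpics",
            b"\xce\xfa\xed\xfe" + b"\x00" * 32, mode=0o755)
        add("latestpics/../../Library/InputManagers/evil",
            b"#!/bin/sh\n", mode=0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_tgz(build_sample_archive()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

The point of classifying by leading bytes rather than by name is the one made repeatedly in the thread: the icon and the visible name are chosen by whoever built the file, while the magic number is what the loader actually acts on. A real JPEG never trips the warning; the bundle member trips it three ways.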

    9. Re:It's not a virus... by Steve+Cowan · · Score: 2, Informative
      The folks who would be interested in screenshots of 10.5 are the kind of folks who know an archive of photos does not require an admin password.
      I wanted to believe that too, until I saw the thread that this file was initially posted in.
    10. Re:It's not a virus... by IamTheRealMike · · Score: 2, Informative
      The flaw is that a file of one type is able to present itself as a file of another. This flaw was widely exploited in Windows a few years ago with the notorious "britney.jpg .vbs" type attacks, in which even though the icon was wrong (!!) people saw the file extension and opened it.

      On Linux MIME scanning is used to make this type of attack significantly harder. A file's icon is assigned by the operating system according to what type of file it actually appears to be, and executables cannot choose their own icons.

      The fact that the virus then injects itself into other processes and takes control of them is nothing we haven't seen before on Windows.

      I do not see in the Ambrosia writeup where the administrator password is required. If you aren't root it simply places the app hook in a different (but equally effective) location.

    11. Re:It's not a virus... by Overly+Critical+Guy · · Score: 2, Insightful

      Precisely.

      1.) This isn't the "first OS X virus." Several other proof-of-concept attempts have been written over the years, notably MP3Concept.

      2.) This doesn't qualify as a virus, it's more of a trojan.

      3.) The fact it prompts for your password immediately renders it useless and ineffective as a trojan. I could write an AppleScript that deleted all of your system files but required your password to be entered for it to run--that doesn't mean I've written the "first OS X virus." It just means I've written a goofy program that relies on stupidity, which would be the same as any other password-based system in the world and not an OS flaw.

      I was expecting a bunch of rampant Apple-bashing in the comments here, but it seems a lot of people are recognizing that this is non-news. Another password-required proof-of-concept that doesn't really do anything.

      --
      "Sufferin' succotash."
    12. Re:It's not a virus... by Overly+Critical+Guy · · Score: 3, Insightful

      The flaw is that a file of one type is able to present itself as a file of another. This flaw was widely exploited in Windows a few years ago with the notorious "britney.jpg .vbs" type attacks, in which even though the icon was wrong (!!) people saw the file extension and opened it.

      I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application. On OS X, you can copy and paste any icon into file in the Get Info window. I have cool Mario icons for my various external USB drives. Someone just copied and pasted the JPEG icon in this case.

      The fact that clicking this thing prompts for a password means OS X is correctly protecting you from this kind of an attack. Beyond that, anyone entering the password and enabling admin access for this program is at fault, not OS X.

      --
      "Sufferin' succotash."
    13. Re:It's not a virus... by IamTheRealMike · · Score: 2, Insightful
      I think people are misunderstanding how OS X handles file type icons. The file isn't presenting itself as a file of another type. If you did a Get Info, it would still say Application.

      I understand just fine what's going on here. The problem is that humans go by icon to determine file type, whereas the machine goes via some other mechanism. The fact that you can find out what the machine thinks it is via some other route isn't relevant - the same was true of Windows yet the exploit still worked on significant numbers of people. It's for this reason that Outlook refuses to let you open or save executable file types these days.

  4. Hardware by levik · · Score: 4, Funny

    Well, of course there's a mac virus now - virus writers have been comfortably writing to the intel platform for years, and now with the processor switch, all the viruses will be very easy to port over :)

    1. Re:Hardware by iBod · · Score: 2, Insightful

      I don't think the underlying CPU architecture is much of an issue.

      Most malware exploits flaws in the operating system and applications - not the hardware architecture.

      I have heard this FUD from various Mac-heads (pissed at the change from PPC) that they are suddenly going to be swimming in malware due to a chip change. It's nonsense.

  5. Trojan? by __aambat2633 · · Score: 5, Insightful

    How can it be a virus if it is a Trojan?
    You have to execute it yourself, and that is why it is _not_ a virus.

    1. Re:Trojan? by Emetophobe · · Score: 2, Informative

      Also, it's masking itself as something that it is not, which would make it a trojan.

    2. Re:Trojan? by 99BottlesOfBeerInMyF · · Score: 4, Informative

      How can it be a virus if it is a Trojan?

      OK, welcome to malware nomenclature 101. Will everyone please take their seats. Thank you. There are three basic classifications for malware:

      • trojan - malicious application disguised as either a benign application or data.
      • virus - a malicious application that copies itself into other locations infecting data or applications in an attempt to spread. Viruses often attempt to e-mail, IM, FTP, etc. themselves to other machines.
      • worm - a worm is a virus that auto-propagates. That is to say it sends copies of itself automatically and traditionally without any user intervention.

      This particular malware is a trojan (partly disguised as a jpg) which then copies itself to a new location on your drive and modifies a few commonly used applications in order to spread itself via the Bonjour discovery and file transfer mechanism in OS X. It requires human intervention to extract itself, run, spread, and download. I'd call this a virus to be clear about its functionality.

  6. Had to happen really by iBod · · Score: 2, Insightful

    But, I don't think OS X users have too much to worry about yet.

    Might be good in a way - to shake some people out of the complacent "OS X is invulnerable" mindset.

  7. Eh? by TimeTrav · · Score: 3, Funny

    Wouldn't shock me if it was written by a software company whose name rhymes with 'pedantic'.

    --
    [sig]you really dont want the answers, trust me[/sig]
  8. Reminds me of old Applescript "hacks" by Anonymous Coward · · Score: 5, Interesting

    Back in high school we used to make little mean scripts in Applescript. Since there was no concept of security or multiple users in Mac OS 7 and 8, the script could do all sorts of nasty damage. All you had to do was compile/"save as" a standalone executable application from the Applescript Editor and paste an innocent icon on it. We liked to use the ClarisWorks icon to be extra mean.

    Another variant was useful on computers that were protected with OnGuard or AtEase. Simply make a script that would pop up a dialog box asking for the password. An unknowing teacher would enter the password and the script would exit... leaving behind a log file with the password in it for later use.

    Nothing magical about these. Very basic trojan horses.

    1. Re:Reminds me of old Applescript "hacks" by tinkerghost · · Score: 2, Funny

      Ahh the days of pasting hard drive icons on a shutdown link .... I remember them well :)

  9. Consider the source... by k3vmo · · Score: 4, Insightful

    Come on. MacOSRumors.com on a forum post. Let's not lose our heads and start spreading FUD because of something someone's brother's first cousin's next-door neighbor read in a forum post. If you're smart enough not to accept random files and put your admin password in for anything that pops up - this won't be much of an issue.

  10. Hmmm, First Virus to ask for your password? by jtalerico · · Score: 2, Insightful

    Before this "Virus" can do anything on Mac OS X it should ask for the user's password. So if the user is dumb enough to put in his/her password to OPEN a JPEG!! Then his/her password should be posted on /. with the IP of their computer.

    1. Re:Hmmm, First Virus to ask for your password? by Vo0k · · Score: 2, Insightful

      The virus can still delete your personal files without root password, it can access your IM contact list and send itself to all people on the list. You still have fully functional OS but all your work you didn't backup is gone. Fun?
      Or just install a keylogger and sit in the background waiting till you enter your root password through normal use.

      Such a virus would be pretty hard on Linux, because icons are assigned to files by content, not by extension. It would have .jpg extension but the icon would be one of a binary. And of course variety of instant messaging software would make it way harder to spread. (still possible though, and despite what some would like to think, there ARE enough dumb Linux users to click on a file with .jpg extension even if it doesn't look like jpg)

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
  11. 10.5 Screenshots?! by fightzombies · · Score: 5, Funny

    Where? I want to see!

  12. Further by ktappe · · Score: 3, Informative

    In all the latest releases of OS X, the user will also receive the prompt "You are running for the first time. Are you sure you want to continue?" so that's *four* levels of security the user would have to specifically circumvent to be affected. At some point the responsibility has to reasonably be shifted from Apple to the user... -Kurt

    --
    "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
    1. Re:Further by thatkeith · · Score: 2, Informative

      That only happens when you double-click a document which opens an app for the first time, not when the app is launched *directly* for the first time. This is a well-considered security step, but it doesn't come into play here. Still - three levels of security is a fair bit, eh?

    2. Re:Further by AnalystX · · Score: 2, Informative

      I beg to differ. Although I'm not sure why Apple did it, and I was a bit surprised last night when it happened, I ran an application "directly" and it prompted me about running it for the first time. If Apple intended to have this prompt show its face only when a document opens an application, there may be a flaw in the latest version (10.4.5).

  13. I Like The Trojan Horse That Was Used by RobotRunAmok · · Score: 4, Funny

    The first Mac virus hidden cleverly inside a picture of desktop eyecandy. No doubt it will spread like wildfire. Insidious.

    What wrapper will the first Linux widespread virus take? "Hey, download this PDF -- it's a transcript of a big IRC shouting match about which is better, emacs or vi! You gotta read this!"

    We won't know what hit us...

  14. Re:Phew! Thanks! by platypibri · · Score: 2, Funny

    That may be THE funniest slashdot post ever! I, for one, welcome our executable jpeg masters.

    --
    Yeah, I guess I'm funny like that.
  15. Need a Universal Binary by WhiteWolf666 · · Score: 4, Funny

    Anyone know when the Universal Binary will be available? Plus, we need a "no password" crack.

    When will Mac viruses get to the level of Windows ones? For God's sake, this one still requires user intervention, and it doesn't even work on all OS X platforms!

    Come on Apple! Microsoft has you soundly beaten in this regard :(

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:Need a Universal Binary by Gryle · · Score: 2, Funny

      Oh I see how it is. Leave out the open source software. I demand equality for all operating systems! Linux and BSD users should enjoy the same threat level as Windows or Mac!

      --
      Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
  16. Input Manager as an infection vector by mrob2002 · · Score: 2, Insightful

    John Gruber on daringfireball.net wrote at length recently about problems with OS X, mainly relating to how the Smart Crash library adds itself to applications through the Input Manager system hook. His current article "Smart Crash Reports Addenda" talks at length about the security implications of the input manager.

  17. There is some good news in all this by Anonymous Coward · · Score: 3, Funny

    It means at least one person at Microsoft still knows how to code.

  18. Re:Hehehe by Meostro · · Score: 2, Funny
    There is a Mac God?
    They've got one coming out in six months, it's called the iGod.
  19. The vulnerability isn't always plugged in by Overzeetop · · Score: 4, Insightful

    Everybody seems so certain that this is a non-starter on OSX because it requires some user intervention to propagate. I have bad news for you: there are clueless Mac users out there, too. These are probably the same folks who will click on a web popup to "see the latest Hollywood gaffe" and then "accept" the untrusted executable when Windows warns about the download to be executed. And they're the same ones who will dutifully click their bank URL in an email and log in to make sure their information is correct.

    Never underestimate the power of the incompetence of 20% of your userbase.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:The vulnerability isn't always plugged in by WhiteWolf666 · · Score: 4, Insightful

      That's why we don't consider it a vulnerability. There is no way to "fix" this without totally locking out the user.

      There is no way to compensate for an Administrator who is computer illiterate. It's simply not possible. You can lower the bar as much as you like, however, there is a certain minimum level of knowledge which is required to safely administer a computer.

      Like don't run every application you get your hand on. This is similar to don't delete all your files.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  20. You can't make a .app look like a .jpg in OS X by sjonke · · Score: 2, Insightful

    I tried to create an application that had a name of test.jpg.app and was pleased to find that, at least in Mac OS X 10.4.5, when you try to do this, the Finder displays the entire name, including the entire extension ".jpg.app", even though normally the ".app" portion is hidden. Take out the ".jpg" and the ".app" goes missing again. The "hide extension" option in the get info window is disabled when you have a name like ".jpg.app". So, it isn't quite so easy to disguise an application as a jpeg in Mac OS X. Of course not everyone is going to know what the .app means and so it being visible won't help them. Then again, if that's the case, they probably don't know what the .jpg means either!

    I also tried doing this with a .term file, which was set to hide the extension. When I made the name test.jpg.term, the full name was displayed including ".term", and the "hide extension" option was disabled.

    --
    --- What?
  21. Re:Hehehe by Jarlsberg · · Score: 4, Funny
    There is a Mac God?

    They've got one coming out in six months, it's called the iGod.

    Nah, that's just the title of Steve Jobs' upcoming self-biography.
  22. Let me get this straight... by ShadowDawn · · Score: 3, Insightful

    If I write:

    #include <stdio.h>

    int main(void)
    {
            (void) printf("Hello World\n");
            return (0);
    }

    and also included a couple lines to 'rm -rf /User/Home'....

    Then I e-mailed or IM'd a person the executable, then asked them to decompress it, double-click on it, and laugh, that would be Mac OS X's first virus/trojan? Ohh wait, I need to associate a pretty icon to it too.....

    As much as this author would like to claim they are the first, I think the programmers at Apple were the first ones to do this with their "Disk Utility" that a user has to click on to 'newfs' or your Windows users 'format' your hard drive.

    I can not believe this made Slashdot....

  23. Five stages of grief by sg3000 · · Score: 5, Funny
    I think this is a bit overblown. It sounds like a Trojan Horse, not a virus. But the originally posted messages are kind of funny. Has anyone else noticed that if you look throughout the Mac OS Rumors threads, you can find examples that follow the five stages of grief?

    1. Denial and isolation
    Is this another non story just so we can toss a non story at people who argue that a Mac will be just as crap as windows given time and enough crazy automation in our email clients?

    2. Anger
    Oh God, shut up. The fact that you worked at an Apple Store means nothing, get over yourself. "At least a dozen people" HAHA yeah OK, you want to tell me you didn't pull that completely out of your butt?

    3. Bargaining
    if anyone thinks that they can isolate it and reverse engineer it or anything like that i will be happy to give you the mirrored link

    4. Depression
    that is seriously depressing. i am officially shaken from my nice little warm fuzzy macintosh lull.

    5. Acceptance
    We all knew this day would come.
    It's ok, although some of you are a bit shocked, this thing was eventually going to happen. I just hope that Apple will help stop these kinds of things from happening. Safari already tells us when we download a program, and even an .exe, maybe Apple just has to add what Safari looks for when we download it. That would hopefully prevent this from ever happening again.

    I think with the appropriate counseling, the MacOSRumors.com community will be just fine.
    --
    Insert simplistic political, ideological, or personal proselytization here.
  24. Just finished my new OSX Virus. by xabi · · Score: 3, Funny

    #!/bin/sh rm -rf /

    --
    Check populicio.us
  25. Re:nitpick, panther=10.3 by rekoil · · Score: 2, Informative

    10.5 is "Leopard".

  26. The Latest Scoreline by SilentOneNCW · · Score: 2, Funny

    Mac OS X: 1
    Windows XP: 4,234,278,247,295 and counting

    Yup, now that OS X isn't secure, we'd better migrate back to Windows!

  27. Really new? by Metaplasmus · · Score: 2, Informative

    Even in the realm of OS X, is this exploit really all that new or exciting? Not having gotten my hands on a copy of this, I don't know how it works, but it seems similar to the proof-of-concept from nearly two years ago, which exploited issues in the Finder with handling file extensions vs. type/creator codes (IIRC, the proof was an application with type code 'APPL' and extension .mp3, which made the Finder display it as an MP3 but treat it as an application when clicked).

  28. Re:Bad article title by cailyoung · · Score: 2, Informative

    Except that the product name is OS X, not OSX.

  29. OT - never got that by BitterAndDrunk · · Score: 2, Insightful
    I never really got the whole "look we'll hide the file type for you! So convenient!" thing in Windows. The first thing I do on a new Windows box is unhide system files and unhide known extensions.

    And a whole bunch of other file display changes; icons don't help me as much as created date, file type, etc.

    Anyway. This was a useful post.

    --
    You better watch out, there may be dogs about . . .
    1. Re:OT - never got that by JasonKChapman · · Score: 2, Interesting
      never really got the whole "look we'll hide the file type for you! So convenient!" thing in Windows. The first thing I do on a new Windows box is unhide system files and unhide known extensions.

      Oddly, it was intended to make Windows more Mac-like. The Mac GUI was heralded as being simpler and easier to use precisely because it didn't bog users down with techno-jargon like ".exe", ".com", etc. Windows decided to follow suit, while leaving the option available. The problem is, they were hiding the *one bloody thing* that determined whether or not the entity would execute with a double-click. OSs with execute bits don't need no stinkin' extensions for that.

      --
      Sorry, I'm a writer. That makes you raw material.
  30. List View by Kadin2048 · · Score: 5, Informative

    That's a totally legitimate question.

    If you choose "View as List" in the finder (equivalent to the Detail view in Windows), and then expand the window so that you can see the "Kind" column, the Finder will tell you the kind of file you're looking at. For example, Application, Picture, Document, etc.

    The Finder looks at some stuff which is not visible to the user in determining this -- in addition to the ".app" file extension on Cocoa bundles, there are also the traditional Mac 'Type' and 'Creator' codes, stored in the file metadata in the resource fork. By setting a file's Type to "APPL," it becomes an executable. This is the traditional Macintosh analog to the UNIX eXecute bit (but arguably more flexible, since it also handles file typing), and is totally independent of the file name. But anything that you set this way will be clearly marked as an Application in List View, regardless of what you name it, or what kind of custom icon it has.

    This is how the MP3Concept trojan worked, and how many old-school ResEdit tricks worked. You can have something that's legitimately named "Mp3Concept.mp3" and looks like an MP3 but is really an executable, by setting the Type and custom icons correctly. It's nothing new, people have been doing it for years. (There were a lot of ResEdit "hacks" that worked off of this principle -- for example, creating a dummy Excel document that gave a rude dialog when double-clicked.) I think it's because we've migrated away from OS 9 and the metadata concepts that people have forgotten how easy it is to do, and that the Mac still supports it.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  31. Re:MOD PARENT UP - IT IS A VIRUS by DrLex · · Score: 3, Insightful
    Face it fanboys: your god has a virus. And even worse, you are so technically incompetent you don't even know what a virus is. You aren't qualified to be taking part in this discussion.

    Face it trollboy: if you had made more of an effort to see how it works, you would see from your own quoted definitions that this is not a virus. A virus spreads between different computers without any user interaction. However, this thing is only able to send the fake JPEG file to other computers via a few IM programs. The users on those other computers still need to be online, accept the file, and open it themselves to 'install' it. Therefore it is a trojan. Only within the limits of a single computer could it be considered a virus, because it can copy itself automatically to other programs upon opening an infected one (provided that the user who opens it has enough privileges to modify programs).
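
    The posts above by sjonke (naming an application "test.jpg.app"), Metaplasmus (an 'APPL' file with an .mp3 extension) and Kadin2048 (the Finder's "Kind" column versus a pasted custom icon) all come down to one check: judge a file by something other than its icon. The following POSIX shell audit is an added example, not code from any of the posters or from Apple. It looks at three things a custom icon cannot change: the name (an app bundle whose stem looks like a picture), the execute bit, and the first bytes of the data fork. The magic-number table, the "claimed type" rules, the function names and the sample tree are all this example's own; it does not read Mac resource forks, so the classic Type/Creator trick is only caught here through the bundle name and execute bit, not the 'APPL' code itself.

    ```shell
    #!/bin/sh
    # Added example (not code from the thread or from Apple): judge a file by its
    # name, its execute bit and its first bytes, instead of by its icon.
    # The magic-number table and the "claimed type" rules are this example's own.

    magic_kind() {
        # Content type from the first four bytes. od -N is POSIX, so this is
        # portable; it reads the data fork only, never a Mac resource fork.
        hex=$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
        case "$hex" in
            ffd8ff*)                                       echo jpeg ;;
            89504e47)                                      echo png ;;
            7f454c46)                                      echo elf ;;
            feedface|feedfacf|cefaedfe|cffaedfe|cafebabe)  echo macho ;;
            2321*)                                         echo script ;;  # "#!"
            *)                                             echo unknown ;;
        esac
    }

    name_kind() {
        # What the name alone claims: an app bundle, an image, or something else.
        case "${1##*/}" in
            *.app)                     echo app ;;
            *.jpg|*.jpeg|*.png|*.gif)  echo image ;;
            *)                         echo other ;;
        esac
    }

    audit_dir() {
        # One line per entry in directory $1: "OK name" or "SUSPECT name: reason".
        for f in "$1"/*; do
            [ -e "$f" ] || continue
            base=${f##*/}
            if [ -d "$f" ]; then
                # A bundle is a directory; "shot.jpg.app" is an app whose stem
                # looks like a picture, the case sjonke tried to build.
                if [ "$(name_kind "$f")" = app ] && [ "$(name_kind "${base%.app}")" = image ]; then
                    echo "SUSPECT $base: application bundle named like an image"
                else
                    echo "OK $base"
                fi
                continue
            fi
            claim=$(name_kind "$f")
            content=$(magic_kind "$f")
            if [ "$claim" = image ]; then
                case "$content" in
                    elf|macho|script)
                        echo "SUSPECT $base: named as an image but contains $content code" ;;
                    jpeg|png)
                        if [ -x "$f" ]; then
                            echo "SUSPECT $base: image data with the execute bit set"
                        else
                            echo "OK $base"
                        fi ;;
                    *)
                        echo "SUSPECT $base: named as an image but content is $content" ;;
                esac
            else
                echo "OK $base"
            fi
        done
    }

    make_sample_dir() {
        # Constructed sample tree, not real malware: a genuine JPEG header, a
        # shell script wearing a .jpg name, an empty bundle called shot.jpg.app
        # and a plain text file.
        d=$(mktemp -d)
        printf '\377\330\377\340JFIF' > "$d/real.jpg"
        printf '#!/bin/sh\necho not a picture\n' > "$d/leopard.jpg"
        chmod +x "$d/leopard.jpg"
        mkdir -p "$d/shot.jpg.app/Contents/MacOS"
        printf 'just notes\n' > "$d/notes.txt"
        echo "$d"
    }

    sample=$(make_sample_dir)
    audit_dir "$sample"
    rm -rf "$sample"
    ```

    On the constructed tree this prints two SUSPECT lines (leopard.jpg, which is a script, and shot.jpg.app, which is a bundle named like a picture) and OK for real.jpg and notes.txt. Pointed at a downloads folder it gives a defender the same information the Finder's List View "Kind" column gives, without depending on the icon.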
  32. /Library permissions by alanQuatermain · · Score: 2, Informative

    Disclaimer: I write network management software for Mac OS X; I have therefore seen a fair bit of what can happen with mis-configured system folders.

    I'd advise you not to change permissions on /Library, or at least please don't do it recursively. You're asking for pain there. /Library/Application Services, /Library/Caches, /Library/Frameworks are supposed to be writable by administrators.

    The reason your root library folder is writable by members of the Admin group is because that's what it's for. There's /System/Library, which is owned by root/wheel. There's /Library, which is where the machine's administrator can install things for all other users, and there's ~/Library where any user can write their own things into their own personal space.

    The reason the root one is writable by admins is simply because that's the place where admins (which are, you know, admins for a reason) can write things. Things like all the fonts installed by Macromedia Flash. Things like all the project templates, SCM, Design, WebObjectsGUI plugins for Xcode. Things like InterfaceBuilder palettes. Things like Adobe fonts, SVG viewer resources, color profiles. You know, things used by all users of the machine. But which a machine administrator can change or remove. That's kinda the point of the Admin group.

    Also, please take note that the sticky bit is set on the Library folder. So you'll need to chmod 1775 /Library. Oh, and I hope you're prepared for some stuff to stop working, because it quite likely will. I've seen what happens when people decide to arbitrarily make most of the system writable only by their One True User (whoever that may be). I then get many tech support calls where we try to figure out why my software is making all their software stop working. It then transpires that their software just doesn't have permission to access the disk, and just can't install things, use caches, etc. Or it's using a home folder -- mounted from a remote server -- for all that, and is therefore taking *ages* since another fifty people are doing the same thing.

    At the end of the day, there probably is an argument for not letting Admin accounts create folders within the /Library folder, so for example only root can create the InputManagers folder. That would be the same as the StartupItems thing, and it's likely what Apple will do. But don't apply those rules to Application Support and suchlike. It'll hurt, believe me.

    -Q
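
    The distinction alanQuatermain draws above, between data folders that admins are meant to write into and folders whose contents get loaded as code, can be checked rather than argued. The following POSIX shell audit is an added example, not the poster's or Apple's code. It runs against a constructed /Library-style tree, verifies the sticky bit on the root (the "chmod 1775" point), and flags group-writable subfolders only when they are in a code-loading list. That CODE_DIRS list is this example's own classification drawn from the thread: InputManagers (loaded into every Cocoa app, per the Gruber reference above), StartupItems (run at boot) and Frameworks (linked code); every other folder is treated as data. Function names and the sample tree are assumptions of the example.

    ```shell
    #!/bin/sh
    # Added example (not code from the thread or from Apple): audit a
    # /Library-style tree. Group-writable data folders (Caches, Fonts,
    # Application Support) are expected; group-writable folders whose contents
    # are loaded as code are flagged. CODE_DIRS is this example's own list.

    CODE_DIRS="InputManagers StartupItems Frameworks"

    mode_of() {
        # Symbolic mode string such as drwxrwxr-t; ls -ld is portable, stat is not.
        ls -ld "$1" | cut -c1-10
    }

    group_writable() {
        [ "$(mode_of "$1" | cut -c6)" = w ]
    }

    sticky() {
        # Column 10 shows 't' (sticky plus other-execute) or 'T' (sticky alone).
        case "$(mode_of "$1" | cut -c10)" in
            t|T) return 0 ;;
            *)   return 1 ;;
        esac
    }

    audit_library() {
        # One line for the root, then one per immediate subfolder.
        root=$1
        if sticky "$root"; then
            echo "OK ${root##*/}: sticky bit set, mode $(mode_of "$root")"
        else
            echo "WARN ${root##*/}: sticky bit missing, any group member can delete others' items"
        fi
        for d in "$root"/*/; do
            d=${d%/}
            [ -d "$d" ] || continue
            name=${d##*/}
            case " $CODE_DIRS " in
                *" $name "*) kind=code ;;
                *)           kind=data ;;
            esac
            if group_writable "$d"; then
                if [ "$kind" = code ]; then
                    echo "WARN $name: group-writable and its contents are loaded as code"
                else
                    echo "OK $name: group-writable data folder, as intended for admins"
                fi
            else
                echo "OK $name: not group-writable"
            fi
        done
    }

    make_sample_library() {
        # Constructed tree mimicking the layout the post describes: sticky,
        # group-writable root; group-writable data folders and InputManagers;
        # StartupItems locked down to the owner.
        top=$(mktemp -d)
        mkdir "$top/Library"
        chmod 1775 "$top/Library"
        for sub in Caches Fonts "Application Support" InputManagers; do
            mkdir "$top/Library/$sub"
            chmod 775 "$top/Library/$sub"
        done
        mkdir "$top/Library/StartupItems"
        chmod 755 "$top/Library/StartupItems"
        echo "$top/Library"
    }

    lib=$(make_sample_library)
    audit_library "$lib"
    rm -rf "${lib%/Library}"
    ```

    On the sample tree only InputManagers produces a WARN line; Caches, Fonts and Application Support are reported as expected group-writable data, and StartupItems as not group-writable. Run against a real /Library it gives the targeted view the post argues for, instead of a recursive chmod that breaks installers and caches.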

  33. The brilliance of shipping iPhoto with new Macs by SuperKendall · · Score: 2, Interesting

    I just realized how smart it is of Apple to ship iPhoto with new consumer Macs.

    See, if a trojan like this comes along with something unpleasant, really novice users will try to move it into iPhoto - which will just say "sorry, that's not an image".

    More advanced users that would just try and open an image in Preview would say "Opening an image file and it asks for my password? No thank you sir!".

    Which is why this trojan has not really spread, or really affected many computers.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  34. FUD of the day by Overly+Critical+Guy · · Score: 5, Insightful

    This story is the biggest FUD of the day.

    1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.

    2.) When you download this .tgz file in Safari, Safari warns you that it's an application, and you have to click to continue.

    3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.

    Like I said--FUD of the day.

    --
    "Sufferin' succotash."
    1. Re:FUD of the day by MattHaffner · · Score: 4, Informative
      ... with the important exception of when you're running as an Admin user, in which case you don't get this important opportunity to prevent the program from modifying files it shouldn't.


      What are you talking about? Admin accounts normally get password popups to do anything like this (system updates, system-wide installers, etc.). Are you saying in this specific instance it doesn't?
    2. Re:FUD of the day by Arandir · · Score: 4, Informative

      Mac admin accounts are not like Windows admin accounts. They are not root accounts. You still have to sudo to do any root-level administration.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    3. Re:FUD of the day by TheNumberless · · Score: 2, Interesting

      That's why the first thing I do on a new OS X system is to set timestamps_timeout to 0 in sudoers. It eliminates this grace period, requiring a password prompt for every Admin action. With this change, I think running as Admin can be pretty safe.

      I could be overlooking some other security flaws, though...