Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Mac OS X Virus?

Posted by ryuzaki0 on from the is-nothing-sacred dept.

bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.

16 of 577 comments (clear)

  1. Phew! by Anonymous Coward · · Score: 5, Funny

    Glad I just 'switched' to windows ;-)

    (fp?)

    1. Re:Phew! by Anonymous Coward · · Score: 5, Funny

      Should have waited. Dvorak is predicting that Apple will adopt Windows.

      I wish I also got paid to be a crackhead.

  2. It's not a virus... by xwizbt · · Score: 5, Informative

    Note the following from http://www.ambrosiasw.com/forums/index.php?showtop ic=102379 :

    You cannot be infected by this unless you do all of the following:

    1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

    2) Double-click on the file to decompress it

    3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

    You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

    1. Re:It's not a virus... by pubjames · · Score: 5, Insightful

      Can you explain to me where the security flaw in OSX is in this case?

      There is no double standard here.

    2. Re:It's not a virus... by Shishak · · Score: 5, Informative

      Um.. no, completly different

      In the windows scenario you have a real .JPG image which contains code insdie of it that crashes the Windows JPG image library. The code in the image is then executed. In essence in windows a .JPG image file can become an executable running as user admin. This executable now has full access over your computer. This image can be embedded in an e-mail/web page and will execute, launch and own your machine with having you do anything but go to a website or read your e-mail

      In the Mac scenario you have an executable which is made to look like an image because its icon was changed. The computer itself knows that it isn't an image so it doesn't try to load it automatically from e-mail or web. This 'virus' is designed to trick the user. The user needs to double click and run the executable. It will then try to write into a protected directory and the OS will prompt the user for the admin password. If the user is dumb enough to click on a executable *and* enter the admin password there really isn't much else you can do. The executable never actually crashes any part of the OS to gain control of the OS and do something that the user doesn't authorize.

      --
      Now I hope and pray that I will But today I am still, just a bill
  3. Trojan? by __aambat2633 · · Score: 5, Insightful

    How can it be a virus if it is a Trojan?
    You have to execute it yourself, and that is why it is _not_ a virus.

  4. Re:Trojan Man? by Epaminondas+Pantulis · · Score: 5, Informative

    I guess they put the standard JPEG icon in the app's bundle...

  5. Re:Trojan Man? by fracai · · Score: 5, Informative

    There's this thing called reading the article... oh, right.

    It's a "JPEG" because the author was clever enough to paste the icon of a JPEG onto the executable.
    If the user is root, or possibly admin, the script writes files in /Library/InputManagers. If you aren't it does the same in the user Library.
    No kit, just a prompt.

    http://www.ambrosiasw.com/forums/index.php?showtop ic=102379 as linked from MacRumors has a really good writeup on what is going on.

    --
    -- i am jack's amusing sig file
  6. Re:Trojan Man? by mstroeck · · Score: 5, Insightful

    Uhm, how are proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG-icon, 95% of users won't notice.

    The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.

  7. Reminds me of old Applescript "hacks" by Anonymous Coward · · Score: 5, Interesting

    Back in high school we used to make little mean scripts in Applescript. Since there was no concept of security or multiple users in Mac OS 7 and 8, the script could do all sorts of nasty damage. All you had to do was compile/"save as" a standalone executable application from the Applescript Editor and paste an innocent icon on it. We liked to use the ClarisWorks icon to be extra mean.

    Another variant was useful on computers that were proteted with OnGuard or AtEase. Simply make a script that would pop up a dialog box asking for the password. An unknowning teacher would enter the password and the script would exit... leaving behind a log file with the password in it for later use.

    Nothing magical about these. Very basic trojan horses.

  8. 10.5 Screenshots?! by fightzombies · · Score: 5, Funny

    Where? I want to see!

  9. Five stages of grief by sg3000 · · Score: 5, Funny
    I think this is a bit overblown. It sounds like a Trojan Horse, not a virus. But the originally posted messages are kind of funny. Has anyone else noticed that if you look throughout the Mac OS Rumors threads, you can find examples that follow the five stages of grief?

    1. Denial and isolation
    Is this another non story just so we can toss a non story at people who argue that a Mac will be just as crap as windows given time and enough crazy automation in our email clients?

    2. Anger
    Oh God, shut up. The fact that you worked at an Apple Store means nothing, get over yourself. "At least a dozen people" HAHA yeah OK, you want to tell me you didn't pull that completely out of your butt?

    3. Bargaining
    if anyone thinks that they can isolate it and reverse engineer it or anything like that i will be happy to give you the mirrored link

    4. Depression
    that is seriously depressing. i am officially shaken from my nice little warm fuzzy macintosh lull.

    5. Acceptance
    We all knew this day would come.
    It's ok, although some of you are a bit shocked, this thing was eventually going to happen. I just hope that Apple will help stop these kinds of things from happening. Safari already tells us when we download a program, and even an .exe, maybe Apple just has to add what Safari looks for when we download it. That would hopefully prevent this from ever happening again.

    I think with the appropriate counseling, the MacOSRumors.com community will be just fine.
    --
    Insert simplistic political, ideological, or personal proselytization here.
  10. Re:Trojan Man? by Kadin2048 · · Score: 5, Insightful

    I was thinking about this. I can't imagine it would be all that hard -- there is already a visual flag applied to all "alias" (that's symlink) files, so it doesn't seem like it would be out of the question to do something similar for executables, based on the eXecute bit.

    However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.

    I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  11. Re:Trojan Man? by Ortega-Starfire · · Score: 5, Funny

    All you have to do is right click... oh, nm

    --
    ---- Liquid was a patriot ----
  12. List View by Kadin2048 · · Score: 5, Informative

    That's a totally legitimate question.

    If you choose "View as List" in the finder (equivalent to the Detail view in Windows), and then expand the window so that you can see the "Kind" column, the Finder will tell you the kind of file you're looking at. For example, Application, Picture, Document, etc.

    The Finder looks at some stuff which is not visible to the user in determining this -- in addition to the ".app" file extension on Cocoa bundles, there are also the traditional Mac 'Type' and 'Creator' codes, stored in the file metadata in the resource fork. By setting a file's Type to "APPL," it becomes an executable. This is the traditional Macintosh analog to the UNIX eXecute bit (but arguably more flexible, since it also handles file typing), and is totally independent of the file name. But anything that you set this way will be clearly marked as an Application in List View, regardless of what you name it, or what kind of custom icon it has.

    This is how the MP3Concept trojan worked, and how many old-school ResEdit tricks worked. You can have something that's legitimately named "Mp3Concept.mp3" and looks like an MP3 but is really an executable, by setting the Type and custom icons correctly. It's nothing new, people have been doing it for years. (There were a lot of ResEdit "hacks" that worked off of this principle -- for example, creating a dummy Excel document that gave a rude dialog when double-clicked.) I think it's because we've migrated away from OS 9 and the metadata concepts that people have forgotten how easy it is to do, and that the Mac still supports it.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  13. FUD of the day by Overly+Critical+Guy · · Score: 5, Insightful

    This story is the biggest FUD of the day.

    1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.

    2.) When you download this .tgz file in Safari, Safari warns you that it's an application, and you have to click to continue.

    3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.

    Like I said--FUD of the day.

    --
    "Sufferin' succotash."