Demo Virus For Mac OS X Released
Juha-Matti Laurio writes "Heise Security has a report about a new proof-of-concept virus for the Mac, named OSX.Macarena by AV vendor Symantec. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating System Restore (Windows ME/XP). The virus is known to infect other files in the folder in which it is started, regardless of extension, says Heise."
So, this is a "virus" that is nothing more than something that programmatically attaches/appends itself to other files that are in the same directory as itself when executed (which is easy to do and doesn't rely on any deficiency in the system), isn't in the wild and therefore doesn't have any real impact on users, is a proof-of-concept, and still has no vector or mechanism for propagation, much less mass-propagation?
Wow. Um. Raise the alarm. One if by land, two if by sea, and all that.
Oh, and here's my new piece of nasty Mac OS X malware:
Place this in a text file and name it ElectricSlide.command:
rm -rf ~/*
Double click it. Voilà. A piece of malware that can't actually spread that deletes the contents of your home directory with no warning!
Maybe we can see a Symantec warning about OSX.ElectricSlide!
I realize Symantec or any AV vendor has to catalog known malware, but come on: the coverage this is getting is ridiculous, and now the front page of slashdot?
Mac OS X certainly has vulnerabilities. The people saying it doesn't are morons. But the problem is that any vulnerability discovered in any Apple product gets amplified in the press massively disproportionately. For example, the iPod Windows virus issue:
By all accounts, there was likely a Windows PC used for QA at a non-Apple contractor that was infected with a virus that was infecting iPods with the virus when they were plugged in to that machine. (If anything, this is a problem in the QA process at Apple's manufacturing contractors, not ANY indication that "Macs" or Apple are any more susceptible to viruses or attacks, in any way, shape, or form - I'm surprised at the level of shoddy journalism on this. This is a Windows worm copying itself to a locally attached Windows disk (that happens to be an iPod), nothing more. Yes, it's really bad for any manufacturer to ship something with a virus on it, but this doesn't indicate the susceptibility of Apple or Macs in general. If anything, it indicates the iPod is effective as a USB-attached disk. Which it is. Again, no excuse for the processes to let something like this happen, but still.)
Then, the coverage of this goes on to rehash the (incorrect) assumption that someday there will be a huge worm outbreak on Macs, an assertion that is completely unrelated to iPods being infected with a Windows (or even Mac) virus.
I'm not going to rehash why it's literally impossible for the type of devastating mass-propagating worms that we've seen on Windows to happen on Macs; marketshare/presence alone is enough to make that argument, but marketshare is only one of many factors.
I predict that we'll continue seeing these sky-is-falling and "WAKEUP CALL FOR APPLE" articles month after month and year after year, with nothing actually happening of any consequence to the installed Mac OS X base. Will there be new viruses, worms, malware, and proofs of concept of malicious items for Mac OS X? Yep. Absolutely. Just as there have been. Will there be something that can mass-propagate to the point where it costs the tens/hundreds of billions of dollars and hundreds of thousands of man-hours in recovery and lost productivity like we see on Windows? Nope. The architectural, use, marketshare, and security differences on the Apple platform versus Windows ensure that.
The coverage of this will likely be further classic examples of press jumping on any negative or security-related story that has to do with Apple.
Maybe this will even be the sixth or seventh, by my count, "FIRST MAC OS X VIRUS" story that can be trumpeted around on CNN, AP, and Reuters! One can only hope!
Also, before anyone says "There's also a Bluetooth 0day for OS X," that would actually be the same, months-old, single Bluetooth issue that has already been reported on months ago, and that was patched in all versions of Mac OS X for a year even at the time that the worm,
DEAR RECEIVER,
You have just received a Mac OS X virus. Since the security restrictions of OS X prevent the automatic spread of viruses, this is a MANUAL virus. Please run the program to infect your files, forward this email to all your friends, then delete all the system files on your hard disk yourself. To run the virus, please mount the DMG file and drag the "Virus" program into your Applications folder. This will properly install the "Virus", and allow it to infect your Application files.
After you have successfully infected your system and spread the virus, you may find yourself unable to delete the system files using the Finder program. In this case, you must open a terminal and follow the instructions below:
1. Type 'sudo su -l' and hit ENTER.
2. Enter your password and hit ENTER.
3. Type 'rm -rf
This process will take several minutes, so please be patient.
Should you run into technical difficulties with infecting your Macintosh, you can visit our online help website at http://www.infectmymacwithanastyvirus.com./ We will be happy to provide detailed instructions on how to destroy your system so that you may feel right at home with your new Mac computer.
Thank you very much for your assistance.
--Mac OS X Hackerz
Attachment: Virus.DMG
P.S. If you don't get the joke, please read the article and virus report.
Javascript + Nintendo DSi = DSiCade
I always suspected it was an artificial arms race, it would seem this proves it to a certain extent.
It can't be, Steve told me it would never happen!
A number of years ago, IBM Canada ordered some parts from a new supplier in Japan. The company noted in its order that acceptable quality allowed for 1.5 per cent defects (a fairly high standard in North America at the time).
The Japanese sent the order, with a few parts packaged separately in plastic. The accompanying letter said: "We don't know why you want 1.5 per cent defective parts, but for your convenience, we've packed them separately."
Here is your Mac OS X virus, in this box over here.
And here is my more accurate re-write:
I do not believe OSX is invulnerable but come on. Even I could come up with a "proof of concept" virus. I guess they have to do something to sell their product.
In other news, Symantec said that it will release an edition of Norton Anti-Virus for OSX which detects viruses for Windows. Just for kicks to see how many people can be fooled.
Help a man when he is in trouble and he will remember you when he is in trouble again.
In case you're keeping score, here are the latest standings:
In Theory/In the Wild
Windows: 114,000/114,000
Linux: 863/0
OS X: 1/0
source
What I said has nothing to do with whether something needs privilege escalation or not. At all.
In fact, my own little "rm -rf ~/*" joke doesn't require any privilege escalation at all and can delete the contents of your home directory with no further warning. Something as simple as that can be bundled up with Platypus by anyone who can click a mouse as a little trojan that looks like any other Mac OS X application.
Think that's "stupid"? It's just as stupid as this "virus" proof-of-concept that does nothing more than show that it can be appended to a file. It doesn't spread, and has no vector for propagation. Before you say "well, all someone has to do is find a vector!"
Um, yeah. That's the hard part, "nitwit".
Anybody can create a virus for OS X, and it can run perfectly. The biggest problem would be how it would be able to spread to other machines.
On Windows, it isn't viruses that plague Windows, but it is worms, spyware, and adware that affects that platform. All it takes to be infected with a computer virus on any platform is to not be vigilant about the data that you download. Being infected by spyware and adware, however, relies on the security of the browser, and being infected with a worm relies on the security of the operating system's Internet connectivity.
OS X remains relatively secure because its browser does not have hooks to the shell (unlike older versions of Internet Explorer, although I've read that Internet Explorer 7 has been decoupled from the shell), and because its Unix core isn't susceptible to worms (Unix has come a long way since the worm of 1988). OS X also has a firewall, although I just learned that it isn't enabled by default (but turning it on is easy; they should change the default in OS X 10.5).
A demo virus for OS X or Linux isn't news. No operating system can block the execution of a virus unless the operating system has a list of trusted applications that it knows are virus-free. An operating system can prevent worms with better security, and spyware can be prevented by using a secure browser, but viruses cannot be blocked from execution.
MOD parent up! Troll? are you kidding me?
So they create virii to sell their product. Sounds like they are the problem. Maybe M$ isn't wrong to cut them out of the picture.
I have many millons of dolars US from untimely death of ambasador.
Pleese go to your local hardware store and purkhase a hammer or mallot.
Returning to home, you shuld use the hammer or mallot to be smashing your computer to small peeces.
I will deposite many millions of dolars in your bank akount when you have finished.
Sincerely,
Nigerian roolaty.
Symantec to Mac users: "Pretty little Operating System ya gots there. Be a shame if somethin' unfortunate happened to it. Maybe you should hire a little protection..."
I guess this answers the question about whether Symantec can continue to sink to new lows of sleazy business practices after suing Microsoft for securing their kernel.
0 1 - just my two bits
Of course the first responses are die-hard Mac cultists... Just the simple fact that this was released... I think that deserves a bit more attention than just blowing it off.
I really like the part where they say it's a "secure" system. Well... it's running BSD... hello... buffer overflow?
If you really think you're totally secure.. you'll be the first to go.
OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.
News: An anti-virus software vendor decided to have a Mac OS virus created in order to improve the sale of Anti-Virus software.
Related news: A tire changing shop decided to dump a box of roofing nails on the road approaching their shop in order to sell tires.
What's the difference?
I want to see a real virus
The anti-virus companies *ARE* responsible for all the viruses that are made!
Seriously, it's just flat out fear mongering trying to MAKE a market for them selves.
Maybe they need to engineer some viruses for QNX too? There's a market they haven't tapped yet, all those bank machines and robots in factories are running with out virus protection!
I for one welcome our virus laden QNX based robot overloads.
The wording implies that the virus itself was written by "AV vendor Symantec," where I'm bloody sure that the intent was to say that the report was by Symantec.
Many commenters have fallen into this trap and have lambasted Symantec for authoring proof-of-concept viruses in order to boost sales of their AV product.
That's not to say that they don't engage in FUD, or that it's not possible that they have gone further. But a poorly worded story summary is certainly not proof.
I'm going to rush right out and buy Symantec Antivirus for my Mac, because I'm scared now! Proof of concept means it actually works in the real world, right???
</sarcasm>
Those of us following malware in general and OS X malware in particular already heard about the new Metasploit module for an OS X exploit released recently that supposedly exploits an unpatched hole in the wireless drivers that shipped with some PowerBooks and iMacs. It has a lot more potential as a real security issue than this reported proof of concept, since this one has no automated mechanism to spread and no remote vulnerability, or any vulnerability for that matter. It is simply code running as it is supposed to with the privileges it is supposed to have. It is no more the result of a flaw in the system than "rm" is.
As for this "virus" it is a demonstration of a problem, but one that is so widespread and common it will be dismissed by the majority of the security community out of hand. The problem is, this code (when run) has permission, by default, to do too much and the user is not notified by the OS of what it is doing. The same can be said of most any desktop OS these days. The granularity of permission is basically: none, everything the user can do, or anything. That is insufficient to deal with software that may or may not be trusted.
Interestingly enough, Apple has announced the inclusion of application signing and Mandatory Access Controls in OS X 10.5. Theoretically, unsigned applications like this could be placed in a very limited trust level by default and as such, would not have permission to edit random user files because the MAC ACL would stop it. Viruses and trojans would have a big roadblock. Imagine downloading some random program like this, double clicking it, and OS X informing you not only that it is a new application, but also pulling up a dialogue that says something like "The application 'macarena.sh' wants to modify 122 applications in your Applications folder. This behavior is characteristic of a virus. (stop it from changing them)(let it change them)(view advanced options/details)."
I'm keeping my fingers crossed that Apple is the first to bring SELinux's granularity of security to grandmothers everywhere in a usable way.
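The point above (the code silently has permission to touch every file in its folder, and nothing tells the user) is also a detection problem: a file-appending infector leaves the original bytes intact as a prefix and grows every file by the same amount, regardless of extension. The following is an added example, not code from the article or from any commenter, of a baseline-and-check script for a single folder; the payload bytes and the sample files are constructed placeholders, and the real sample's behaviour beyond "appends itself to files in its folder" is not assumed.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for an appended payload. Inert text, not the real sample;
# only its uniform length matters for the check below.
FAKE_PAYLOAD = b"# constructed placeholder payload for the demo\n" * 4


def snapshot(directory):
    """Baseline of one folder (non-recursive, regular files only): {name: (size, sha256)}."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path):
            with open(path, "rb") as fh:
                data = fh.read()
            baseline[name] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def check(directory, baseline):
    """Compare the folder against a baseline.

    A file whose baseline bytes are still an exact prefix of its current bytes
    (verified by hashing only the first old_size bytes) has had something appended,
    which is the footprint of a file-appending infector. Other changes are reported
    as 'rewritten'; new and missing files are listed as well.
    """
    report = {"appended": {}, "rewritten": [], "new": [], "missing": []}
    current = set(os.listdir(directory))
    for name, (old_size, old_hash) in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) == old_size and hashlib.sha256(data).hexdigest() == old_hash:
            continue  # unchanged
        if len(data) > old_size and hashlib.sha256(data[:old_size]).hexdigest() == old_hash:
            report["appended"][name] = len(data) - old_size
        else:
            report["rewritten"].append(name)
    report["new"] = sorted(current - set(baseline))
    return report


def uniform_append_size(report):
    """Return the appended byte count if at least two files grew by the same amount
    (what a self-appending infector leaves behind, whatever the extension), else None."""
    sizes = list(report["appended"].values())
    for size in set(sizes):
        if sizes.count(size) >= 2:
            return size
    return None


def demo():
    """Build a constructed folder, baseline it, simulate an append-to-everything
    infector, and return the report plus the detected uniform append size."""
    with tempfile.TemporaryDirectory() as folder:
        files = {
            "notes.txt": b"quarterly sales report draft\n",
            "build.sh": b"#!/bin/sh\necho building\n",
            "README": b"no extension here\n",
            "edited.dat": b"\x00\x01\x02\x03",
        }
        for name, content in files.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
        baseline = snapshot(folder)

        # Simulated infection: the same blob is appended to three files of
        # different types. This is the constructed stand-in, not the real sample.
        for name in ("notes.txt", "build.sh", "README"):
            with open(os.path.join(folder, name), "ab") as fh:
                fh.write(FAKE_PAYLOAD)
        # One ordinary edit that is not an append, to show it is classified apart.
        with open(os.path.join(folder, "edited.dat"), "wb") as fh:
            fh.write(b"\xff\xfe")

        report = check(folder, baseline)
        return report, uniform_append_size(report)


if __name__ == "__main__":
    rep, size = demo()
    print(rep)
    print("uniform append detected:", size)
```

The prefix-hash trick means a baseline of sizes and digests is enough to tell "something was appended" from "the file was rewritten", without keeping copies of the original files.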
Seems like Apple packages by default contain all the libraries and things they need to run -- an offshoot of the NeXT packaging system. Shared libraries don't seem to be as heavily used on OSX. So why not by default chroot installed applications and possibly setuid them to "nobody"? Possibly even drop a strong capability model in there so that the application has to request permission to do stuff like open network connections or listen on sockets. The regular end user might still just blindly accept everything but it'd make it a lot harder for an executable to do any damage in the default sandbox.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
http://www.clamxav.com/
I personally use this with the Folder Sentry to scan all incoming files and mounted disks. Is it because I'm afraid of a 0day OSX uber exploit? No, it's because I also have windows machines on the network sharing files and would rather not help spread the joy in case something did manage to get through. So, thank you Symantec for showing a proof of concept to us all. Release it out to the community and I'll be just fine with ClamAV. But even if you don't, I'm not losing sleep.
Is it time limited or missing functionality? Where do I find the full version? Can I find it at CompUSA?
It's a demo virus, huh? Well, I'll try it, but if I don't like it, I'm not paying the shareware fee for it.
Readable by root eh? As IF you can trust that guy!
Sometimes my arms bend back.
I'm so worried about OSX malware and viruses that I went out and bought my wife a brand new MacBook Pro, which is our third Mac. And I won't be running any AV software from Symantec on it either.
I guess they figure if they keep stirring the pot, eventually the "less technically savvy" OSX users will get scared and buy their Norton Antivirus for Macintosh.
No matter where you go... there you are.
Well, if you're foolish enough to give yourself privileges to your home directory, you deserve what you get. This is exactly why every file on my system is readable only by root.
Please tell me your files aren't writable by root, too. Talk about a security hole. All that's needed for malicious code to screw up your system is root access! I don't know about Linux or other insecure operating systems, but OS X can be properly secured with a simple: "sudo schg -R
I can't imagine why anyone would ever need to modify files outside of single-user mode anyway.
how sadly pathetic (not)
With MS putting them out of the Windows protection racket, could they be trying to seed a new market in OS X??
Switchback was not really noticed that much either. It only could infect 7 to 8 million OSX based Macs. Still it shows that AppleScript and Safari are weak links in the OSX armor that can be exploited by someone if they try really hard enough to make it work with newer versions of OSX.
Mac users are like the old Amiga users, thinking that their platform is so secure that no virus is written for it, so there is no need for antivirus programs. The Amiga users figured this because MS-DOS was targeted by virus after virus (they infected floppy disk boot sectors back then), and that AmigaDOS would not be targeted by virus writers. That was 1986-1989, and in the 1990s viruses were written for AmigaDOS and Amiga users got infected and didn't know it because they refused to run antivirus programs. Then it was on demo disks that people always spread around to show off what the Amiga could do; the viruses infected those disks and Amiga after Amiga.
Hackers should target Mac users, because chances are a Mac user has more money than a Windows user, and the Mac user is less likely to run an antivirus program. Just read this article with all of the comments from Mac users saying how a real virus won't infect their system.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Of more concern are exploits in the UNIX level of the operating system.
For one, I can recall someone logged into my MacMini over ssh as root when I'd disabled root logins for ssh and had two user accounts. I informed the host provider of the hack (I used "lsof | grep TCP" to see the open sockets), rebooted the machine and switched the incoming ssh port to something that wasn't 22 and disabled ping to the router (HomePortal 100W). FWIW, root account is disabled (default behaviour) but sudo is enabled for both accounts.
The user accounts used keys for ssh to avoid passwords, but I've switched them back to passwords since being told by a Linux guru that it was a good idea in case the client was hacked. Makes sense of course. As it happens, the clients were Windows and the other another Mac coming over here (Belgium) from the UK (svn+ssh specifically).
I only noticed as there was a lot of activity on the DSL modem lights. I was blown away that it had happened and installed "snort" (http://www.snort.org/) on the MacMini along with watching the security logs a bit more and "chkrootkit" (http://www.chkrootkit.org). Of course the system has software update enabled and I regularly update the installed Fink tools on it.
Whoever it was was very good, IMO. They did no damage mind, which I'm thankful for. I guess they were using it as a hop to their target site.
As a long-term NeXTStep and Mac developer, I have a lot of UNIX-level experience so I could solve the issue. 99% of Mac users wouldn't be able to, but then again they wouldn't have sshd even running (default behaviour). I bet a lot of them enable ftp though.
Try again. Nothing released, nothing in the wild, proof-of-concept.
Nothing to see here. Move along...
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
that a demo virus for OS X gets posted weeks after I read that Vista has locked out Symantec and NAI. Will Symantec start publishing more proof-of-concept viruses? Will NAI? If you thought the virus boom was bad when the USSR collapsed (out-of-work Russian programmers), think about Symantec laying off a few thousand employees because Vista won't play nice; we may get our first Vista worm quicker than previously thought.
I read at -1 So you don't have to.
I mean, the story posting? Is it a cron job?
Like, every two weeks we see, "$ASSHAT_ANTI_VIRUS_COMPANY sez there is something not entirely unlike an OSX worm in the wild, and uh, Mac users have been lulled into a false sense of security, and uh no Mac user has ever actually seen a real virus in the wild because they're not all that popular, and um, like, we should all go buy us some Anti-Virus software."
Stop posting PR crap, please. Don't be a PR tool.
http://slashdot.org/comments.pl?sid=178631&cid=14
Even if OSX is immune to all of the Windows viruses out there, a Mac that functions as a proxy or an SMB server (for example) could inadvertently pass those viruses on to Windows machines and infect them. If a naturally immune machine is actively stopping anything that could infect its client Windows machines, then it could save them from damage without itself being at risk to the damage.
/* No Comment */
I set the immutable flag on everything in my home directory. Not even root can screw with stuff now, never mind those nasty little Proof Of Concept bugs. Funny thing, though--I can't update that sales report I started last month. Weird.
It's only when you look at an ant through a magnifying glass on a sunny day that you realise how often they burst into flames.
--Harry Hill
Funny. But I seem to recall reading about a year ago about an exploit in Symantec Anti-Virus on the Mac. The exploit allowed remote access to a user's computer and was in the very program they're trying to promote to keep customers' computers secure. I believe it was patched 6 months after being reported.
Yeah. Um... hello Symantec??? No matter what press-releases you issue, I'm a long way away from buying your software.
There actually is a virus out there for MacOS X, it's called Symantec AV. It will make your machine so slow that you finally have to reinstall the whole OS (as it places files in 15 different places and doesn't use launchd). For private use, I would never install it.
Symantec (if anyone at the company is reading this), your attempt to scare people into buying your lousy (actually total crap) product for the Mac is just downright scary!
(I'm a sysadmin for a bunch of Linux/Windows/MacOS machines and it is very unfortunate that the corporation needs antivirus on all machines and that they chose Symantec for the task.)
Symantec has released it into the wild. Here's how it works.
The computer receives the virus into RAM, usually via the processing of input received from its visual sensors, interfacing with language banks. For the virus to take hold, the computer must be improperly "patched," in that it holds incomplete definitions of what a computer virus is.
Thusly improperly patched, with an inadequate understanding of what is truly dangerous to its silicon counterpart, the incompletely educated human computer incorrectly processes the information, making the false decision that a financial investment in Symantec products is in order.
The virus spreads itself to other human computers through the need-to-appear-smart subroutine.
In order to protect itself, the human computer should run the program http://www.microsoft.com/athome/security/viruses/intro_viruses_what.mspx, which is simply an educational program, designed to infuse into the human computer an understanding about computer viruses. It is a free program offered by the computer company most experienced in viruses.
Right! Maybe symantec just feels with Vista coming, it anticipates decrease of revenues. So the company has to diversify its portfolio of products.
Just think of all that untapped virgin market!
What a joke. I'm going to start an Anti-Anti-virus software campaign. Very cool virus name though, maybe that will give ideas for the new Apple commercial.
Apple has six percent of the market. Rather than thousands of people using Macs, I believe that there are millions of people using Macs.
Albuquerque PC
switcher \'swi`ch &r\, n.
A person who thinks that they are a Mac user but are really just trying to be. The mistake they make is to try to become a Mac user, when real Mac users are all about not trying to be anything and following your own rules. There is no fashion code to being a Mac user. There are no rules as to what applications you have to run.
Recent converts like you are ruining the old school Mac community because you are posers. Apple releases one OS that popularizes Fitts' law and the Genie effect, and suddenly people assume being a Mac user is all about owning a Mac. But a real Mac user is born, not made. You "switchers" are misrepresenting yourselves and the Mac platform. You're giving people the wrong idea of what Macintosh is.
switcher: shops at hot topic, thinks Firefox is a good Mac app, waiting for OS X port of PayrollPro 2000, follows any hint of a fashion trend (instead of setting them!), wouldn't know Clarus from Carl Sagan.
real Mac user: someone true to who they are, the misfits, the rebels, the troublemakers, the round pegs in the square holes. The ones who see things differently. They're not fond of rules and they have no respect for the status quo. The ones who are crazy enough to think that they can change the world.
Many people are well aware of what platform the first virii originated on, since once you know, it's a bit of a no-brainer. To many others it comes as a huge surprise due to all the FUD that is spread about Apple by non-users who think that it's all very mysterious and full of voodoo.
As shown on this timeline http://www.infoplease.com/ipa/A0872842.html you can see that the first virii were written for the Apple I, II and III machines. It was a full FIVE YEARS later before the first virus to infect PCs was found in the wild. Why? Because Apples were the only affordable personal computers of that time. No home user could afford a PC, and PC users in large corporations had better things to do with their time.
This to a large extent reinforces the theory that virii will be written for the most common, accessible platform of the time.
Forgetting for the moment the security model of OS X which makes virii rather more like a manually run trojan without any significant ability to spread, you could ask: "Why aren't more DECENT proof of concept virii written for OS X ?", and even more significantly; "Why weren't more real virii written for Mac OS 7-9, which didn't share this fantastic unix security model and therefore were ripe for virii ?"
The answer is in the first paragraph. The more expensive and inaccessible the hardware is to bored kids, the less likely they will write virii for it. Kids don't use Macs. They certainly don't buy them. Maybe their rich parents might give them a powerbook but the fact is: these kids probably have better things to do with their time than the bored PC tinkerers who assemble computers out of $5 components found in any bargain bin or even rubbish tip.
Is this the reason that there are no good virii for OS X? No. Primarily the reason for that is its security. Or is it? Perhaps primarily it's that the people who use expensive Apple hardware have real jobs, they often work freelance and therefore have a stronger work ethic, and they just plain don't have the inclination to destroy things in the same way that PC users do. Apple users create. Windows users destroy.
Why? This will be a contentious assertion, but here goes. Let's say that Apple users live in Beverly Hills and Windows users live in Compton, just for the sake of comparing their income and lifestyles. Kids in Beverly Hills aren't as likely to go vandalising things and getting involved in street thuggery as those from Compton. They find higher-class ways to act out. They do it with their rich parties and such, rather than just cruising the streets beating up on randoms.
The reason why this particular proof-of-concept "virus" is a bit of a joke, and why there are so few other proof of concept virii is that there's just not enough bored kids around who own Macs. This is changing, but not exactly snowballing. Ultimately, the fact is, Apple users already made a conscious choice to choose a platform designed for productivity and not games. Productivity and the creation of destructive viruses are just not a common marriage. Most Mac users are above that.
I don't see what the big deal about a "proof-of-concept" virus for the Mac is about. It's common knowledge that a virus can be written to infect any OS. The difference is that some operating systems are less likely to be infected by viruses than others because of both market share and the design of the OS itself. A dumb user can infect his/her system with a virus, and so can security holes and design flaws (such as automatically running an executable without the user's consent). So why is Symantec creating this "proof-of-concept" virus for the Mac? To scare people into buying their Macintosh anti-virus software. It all boils down to profit.
I'd give you mod points if I had them.
The bits on the bus go on and off... on and off... on and off...
You mean like these people hired to write them?
http://informationweek.com/story/showArticle.jhtml?articleID=163702855
-- Terry
What the hell are you going on about? Of course there are articles 'having a go' duh! that's what the interweb and slashdot are for?!? It is called the exchange of ideas - and we are much better-off for it. I really don't think slashdot or its readers are biased against apple (norton maybe lol) so maybe you should just grow up and learn to read things that you don't agree with. Just because things are written down - doesn't make it compulsory to believe them. (by the way - I am probably what you would call an apple fanboy)
Cached article
Wow, the 90% Windows market was not enough, now Symantec has to go on and develop a reason for Mac owners to drop $79 in their laps?
Symantec - aren't these the guys who let the SONY Trojan install as 'normal software', never mind the rootkit and CD drive jack-knifing... After SONY - who could trust Symantec?
Um, there never was a Switchback virus. The Rumor Mill by "Anne Onymus" (get it) specializes in this kind of parody.