Demo Virus For Mac OS X Released

Juha-Matti Laurio writes "Heise Security has a report about new Proof of Concept virus for Mac entitled as OSX.Macarena by AV vendor Symantec. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating the system restoration (Windows ME/XP). It is known that the virus infects other data in the folder in which it is started, regardless of extension, says Heise."

This is on the front page of slashdot why?

[daveschroeder]

So, this is a "virus" that is nothing more than something that programmatically attaches/appends itself to other files that are in the same directory as itself when executed (which is easy to do and doesn't rely on any deficiency in the system), isn't in the wild and therefore doesn't have any real impact on users, is a proof-of-concept, and still has no vector or mechanism for propagation, much less mass-propagation?

Wow. Um. Raise the alarm. One if by land, two of by sea, and all that.

Oh, and here's my new piece of nasty Mac OS X malware:

Place this in a text file and name it ElectricSlide.command:

rm -rf ~/*

Double click it. Voilà. A piece of malware that can't actually spread that deletes the contents of your home directory with no warning!

Maybe we can see a Symantec warning about OSX.ElectricSlide!

I realize Symantec or any AV vendor has to catalog known malware, but come on: the coverage this is getting is ridiculous, and now the front page of slashdot?

Mac OS X certainly has vulnerabilities. The people saying it doesn't are morons. But the problem is that any vulnerability discovered in any Apple product gets amplified in the press massively disproportionately. For example, the iPod Windows virus issue:

By all accounts, there was likely a Windows PC used for QA at a non-Apple contractor that was infected with a virus that was infecting iPods with the virus when they were plugged in to that machine. (If anything, this is a problem in the QA process at Apple's manufacturing contractors, not ANY indication that "Macs" or Apple are any more susceptible to viruses or attacks, in any way, shape, or form - I'm surprised at the level of shoddy journalism on this. This is a Windows worm copying itself to a locally attached Windows disk (that happens to be an iPod), nothing more. Yes, it's really bad for any manufacturer to ship something with a virus on it, but this doesn't indicate the susceptibility of Apple or Macs in general. If anything, it indicates the iPod is effective as a USB-attached disk. Which it is. Again, no excuse for the processes to let something like this happen, but still.)

Then, the coverage of this goes on to rehash the (incorrect) assumption that someday there will be a huge worm outbreak on Macs, an assertion that is completely unrelated to iPods being infected with a Windows (or even Mac) virus.

I'm not going to rehash why it's literally impossible for the type of devastating mass-propagating worms that we've seen on Windows happen on Macs; marketshare/presense alone is enough to make that argument, but marketshare is only one of many factors.

I predict that we'll continue seeing these sky-is-falling and "WAKEUP CALL FOR APPLE" articles month after month and year after year, with nothing actually happening of any consequence to the installed Mac OS X base. Will there be new viruses, worms, malware, and proofs of concept of malicious items for Mac OS X? Yep. Absolutely. Just as there have been. Will there be something that can mass-propagate to the point where it costs the tens/hundreds of billions of dollars and hundreds of thousands of manhours in recovery and lost productivity like we do on Windows? Nope. The architectural, use, marketshare, and security differences on the Apple platform versus Windows ensures that.

The coverage of this will likely be further classic examples of press jumping on any negative or security-related story that has to do with Apple.

Maybe this will even be the sixth or seventh, by my count, "FIRST MAC OS X VIRUS" story that can be trumpeted around on CNN, AP, and Reuters! One can only hope!

Also, before anyone says "There's also a Bluetooth 0day for OS X," that would actually be the same, months-old, single Bluetooth issue that has already been reported on months ago, and that was patched in all versions of Mac OS X for a year even at the time that the worm,

Re:This is on the front page of slashdot why?

[517714]

Isn't it bad form for one's post to exceed the length of the cited article?

Re:This is on the front page of slashdot why?

[daveschroeder]

1. Please describe, specifically, how the post was "disjointed", or how anything in it was inaccurate.

2. "Page count increasing"? Huh? Nothing in that post links to any site that has anything to do with me.

Re:This is on the front page of slashdot why?

[noewun]

One if by land, two of by sea, and all that.

Three if by tubes?

Re:This is on the front page of slashdot why?

[daveschroeder]

Your rambling about iPods, perhaps?

Rambing? It was an example of how something utterly technically unrelated is used as an excuse to push Apple into the security spotlight again, claiming that because a QA machine infected with a *Windows* virus at one of its contractors means "Apple" is being targeted more by "hackers". (???)

Your turn, please describe, specifically, why you felt compelled to post such an enormous amount of text in the first place?

For accuracy and a comprehensive analysis of the situation, while also preemptively discrediting any incorrect posts about "Bluetooth 0days" and the like?

Is being an Apple weenie that much a part of your self-identity that you find the idea of a Mac virus toxic to the very heart of your being?

No. (And there have been previous Mac "viruses", trojans, rootkits, and other things that fall in the category of "malware". My question was: why is it on the front page of slashdot when nothing is remotely new, interesting, or novel, in any respect, about it?)

Thanks for asking!

Re:This is on the front page of slashdot why?

[HTTP+Error+403+403.9]

Or to post something almost 1,000 words long 1 minute after the story was put on the front page?

Subscribers get to see the article 10-20 before it goes "live".

Re:This is on the front page of slashdot why?

[Golias]

When are you nitwits going to get it through your head that there's no such word as "virii"?

Sure there is. It's a jargon word to refer to more than one computer virus (note: not more than one biological virus.)

And yes, it's incorrect Latin, but the word "television" was created by incorrectly mashing a Latin word together with a Greek word. Nobody cares that it's not a "real" word. Usage makes it real. That's English for you.

Re:This is on the front page of slashdot why?

[mstone]

Both viruses and worms require automatic propagation. The distinction lies in what code performs the propagation.

Viruses take advantage of weak spots in other executable code. Macro viruses exploit a word processor's macro system. Boot sector viruses exploit the computer's boot loader. In every case, though, the virus takes advantage of some piece of already-existing piece of software that executes code automatically, usually without direct control or knowledge from the user.

A worm OTOH, is its own executable. It's essentially a self-replicating daemon. It does exploit weaknesses in a system's remote-execution code to propagate, but it doesn't require an interpreter. All it has to do is write its executable text to a block of memory, then trigger a fault which causes that block of memory to be treated as an executable.

Automatic propagation is the hallmark of a worm or virus, though. If Macarena can propagate every time someone opens an infected file, it's a virus. If you have to run a specific infection program to attach the payload to other files, it's not a virus, it's just a program that appends unwanted crap to other files.

Re:This is on the front page of slashdot why?

[Scooter's_dad]

Not when one's post is coherent and makes a fair point. (That's bad form only because it's unusual enough to upset the regulars.)

Technologically Sophisticated

[AKAImBatman]

DEAR RECEIVER,

You have just received a Mac OS X virus. Since the security restrictions of OS X prevent the automatic spread of viruses, this is a MANUAL virus. Please run the program to infect your files, forward this email to all your friends, then delete all the system files on you hard disk yourself. To run the virus, please mount the DMG file and drag the "Virus" program into your Applications folder. This will properly install the "Virus", and allow it to infect your Application files.

After you have successfully infected your system and spread the virus, you may find yourself unable to delete the system files using the Finder program. In this case, you must open a terminal and follow the instructions below:

1. Type 'sudo su -l' and hit ENTER.
2. Enter your password and hit ENTER.
3. Type 'rm -rf /'

This process will take several minutes, so please be patient.

Should you run into technical difficulties with infecting your Macintosh, you can visit our online help website at http://www.infectmymacwithanastyvirus.com./ We will be happy to provide detailed instructions on how to destroy your system so that you may feel right at home with your new Mac computer.

Thank you very much for your assistance.

--Mac OS X Hackerz

Attachment: Virus.DMG

P.S. If you don't get the joke, please read the article and virus report.

Re:Technologically Sophisticated

[AKAImBatman]

Bullshit.

Bullshit on your bullshit, my good bullshitting sir. You underestimate the amount of bullshit that the Mac will put you through in order to run a bullshit application attachment.

All you need to do is convince the user to save an archive attachment. extract it and run the contents.

You missed a few steps. In order to simply run the attachment, you need to:

1. Save the archive attachment.
2. Ignore the warning about an "unsafe application" given by Safari or Mail.app.
3. Mount the DMG file or unzip the ZIP file.
4. Still not realize that the dearchived file is not a document despite looking exactly like an application.
5. Run the application.

Okay, so now the user has infected their system. Sort of. Their documents may be infected, but those are useless to the virus. They can't be executed, and the user isn't likely to pack up his .APP folders and share them with all his friends. Effectively, the virus has stopped spreading. So what is a virus to do? Under a Windows system, it would get ahold of the Outlook address book and mail itself to everyone. Alternatively, it would want to stay resident after reboots and/or collect information about the user's activities. Under a Mac, these things need elevated privileges to do. So the virus would have to:

6. Invoke the SUDO app to request elevated privledges.
7. User would need to fill their password into the prompt.
8. Virus would infect the necessary files to do its dirty work of spreading.

At this point, however, the user is so stupid he belongs in a mental facility. He's already ignored half a dozen explicit and implied warnings that something is wrong, just to ensure that this virus can take over his system! That's one determined user!

Some people may believe that Mac users are really that dumb, but if that were the case then viruses would already run rampant. Instead, we get an impotent "proof of concept" that can't actually spread itself. All it can do is damage your files. For a proof of concept, that's pretty pathetic.

From there the worm can easily spread on OSX, and no, root would not be required to do so.

As I've mentioned twice now, that's blatently incorrect. It can "infect" your documents, but system files require elevated privileges. "Infecting" your documents does nothing more than damage your files, and the virus can't even stay resident (or stop the user from killing it on the Dock!) without a password. So it's effective impotent and contained unless it can trick the user into giving it his/her password.

This reminds me of a story

A number of years ago, IBM Canada ordered some parts from a new supplier in Japan. The company noted in its order that acceptable quality allowed for 1.5 per cent defects (a fairly high standard in North America at the time).

The Japanese sent the order, with a few parts packaged separately in plastic. The accompanying letter said: "We don't know why you want 1.5 per cent defective parts, but for your convenience, we've packed them separately."

Here is your Mac OS X virus, in this box over here.

Updated Score

In case you're keeping score, here are the latest standings:
In Theory/In the Wild
Windows: 114,000/114,000
Linux: 863/0
OS X: 1/0
source

Re:Updated Score

[ryanr]

The Linux in-the-wild score is incorrect.

I've personally analyzed at least three Linux viruses that were found in the wild. And that's not counting the worms.

Re:Updated Score

[GoombaTroopa]

Yay, Windows is winning!

Learn to read

[daveschroeder]

What I said has nothing to do with whether something needs privilege escalation or not. At all.

In fact, my own little "rm -rf ~/*" joke doesn't require any privilege escalation at all and can delete the contents of your home directory with no further warning. Something as simple as that can be bundled up with Platypus by anyone who can click a mouse as a little trojan that looks like any other Mac OS X application.

Think that's "stupid"? It's just as stupid as this "virus" proof-of-concept that does nothing more than show that it can be appended to a file. It doesn't spread, and has no vector for propagation. Before you say "well, all someone has to do is find a vector!"

Um, yeah. That's the hard part, "nitwit".

Re:Learn to read

[geoffspear]

Well, if you're foolish enough to give yourself privileges to your home directory, you deserve what you get. This is exactly why every file on my system is readable only by root.

Viruses, worms, malware, and OS X

[linguae]

Anybody can create a virus for OS X, and it can run perfectly. The biggest problem would be how it can be able to spread to other machines.

On Windows, it isn't viruses that plague Windows, but it is worms, spyware, and adware that affects that platform. All it takes to be infected with a computer virus on any platform is to not be vigilant about the data that you download. Being infected by spyware and adware, however, relies on the security of the browser, and being infected with a worm relies on the security of the operating system's Internet connectivity.

OS X remains relatively secure because its browser does not have hooks to the shell (unlike older versions of Internet Explorer, although I've read that Internet Explorer 7 has been decoupled from the shell), and because its Unix core isn't susceptible to worms (Unix has come a long way since the worm of 1988). OS X also has a firewall, although I just learned that it isn't enabled by default (but turning it on is easy; they should change the default in OS X 10.5).

A demo virus for OS X or Linux isn't news. No operating system can block the execution of a virus unless the operating system has a list of trusted applications that it knows are virus-free. An operating system can prevent worms with better security, and spyware can be prevented by using a secure browser, but viruses cannot be blocked from execution.

I am Nigerian roolaty.

[khasim]

I have many millons of dolars US from untimely death of ambasador.

Pleese go to your local hardware store and purkhase a hammer or mallot.

Returning to home, you shuld use the hammer or mallot to be smashing your computer to small peeces.

I will deposite many millions of dolars in your bank akount when you have finished.

Sincerely,
Nigerian roolaty.

Norton Internet Shakedown 1.0

[Cid+Highwind]

Symantec to Mac users: "Pretty little Operating System ya gots there. Be a shame if somethin' unfortunate happened to it. Maybe you should hire a little protection..."

I guess this answers the question about whether Symantec can continue to sink to new lows of sleazy business practices after suing Microsoft for securing their kernel.

Tire sales

[lancejjj]

OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.

News: An anti-virus software vendor decided to have a Mac OS virus created in order to improve the sale of Anti-Virus software.

Related news: A tire changing shop decided to dump a box of roofing nails on the road approaching their shop in order to sell tires.

What's the difference?

Umm, wrong malware? Solution in the works?

[99BottlesOfBeerInMyF]

Those of us following malware in general and OS X malware in particular already heard about the new metasploit module for OS X exploit released recently that supposedly exploit an unpatched hole in the wireless drivers that shipped with some powerbooks an imacs. It has a lot more potential as a real security issue than this reported proof of concept, since this one has no automated mechanism to spread and no remote vulnerability or any vulnerability for that matter. It is simply code running as it is supposed to with the privileges it is supposed to have. It is no more the result of a flaw in the system than "rm" is.

As for this "virus" it is a demonstration of a problem, but one that is so widespread and common it will be dismissed by the majority of the security community out of hand. The problem is, this code (when run) has permission, by default, to do too much and the user is not notified by the OS of what it is doing. The same can be said of most any desktop OS these days. The granularity of permission is basically: none, everything the user can do, or anything. That is insufficient to deal with software that may or may not be trusted.

Interestingly enough, Apple has announced the inclusion of application signing and Mandatory Access Controls in OS X 10.5. Theoretically, unsigned applications like this could be placed in a very limited trust level by default and as such, would not have permission to edit random user files because the MAC ACL would stop it. Viruses and trojans would have a big roadblock. Imagine downloading some random program like this, double clicking it, and OS X informing you not only that it is a new application, but also pulling up a dialogue that says something like "The application 'macarena.sh' wants to modify 122 applications in your Applications folder. This behavior is characteristic of a virus. (stop it from changing them)(let it change them)(view advanced options/details)."

I'm keeping my fingers crossed that Apple is the first to bring SELinux's granularity of security to grandmother's everywhere in a usable way.

A demo virus?

[admactanium]

it's a demo virus huh? well, i'll try it, but if i don't like it, i'm not paying the shareware fee for it.

This demo is actually a real virus

[notnAP]

... affecting the computer between the ears.

Symantec has released it into the wild. Here's how it works.

The computer receives the virus into RAM, usually via the processing of input received from it's visual sensors, interfacing with language banks. For the virus to take hold, the computer must be improperly "patched," in that it holds incomplete definitions of what a computer virus is.

Thusly imporperly patched, with an inadequate understanding of what is truly dangerous to its silicon counterpart, the incompletely educated human computer incorrectly processes the information, making the false decision that a financial invesment in Symantec products are in order.

The virus spreads itself to other human computers through the need-to-appear-smart subroutine.

In order to protect itself, the human computer should run the program http://www.microsoft.com/athome/security/viruses/i ntro_viruses_what.mspx, which is simply an educational program, designed to infuse into the human computer an understanding about computer viruses. It is a free program offered by the computer company most experienced in viruses.