
The Macintosh Webmaster Forum

    
Trojan Horse Attacks Mac OS X
"This is the first native Mac OS virus we've found,"
aaronjf

10+ Year Member



 
Msg#: 453 posted 4:09 pm on Apr 9, 2004 (gmt 0)

"This is the first native Mac OS virus we've found," said Brian Davis, U.S. sales manager for Intego, a Mac security and privacy firm that discovered the Trojan.

The Trojan is benign, according to Intego. If launched, it doesn't do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail.

"This is likely a test Trojan showing these things are possible," said Davis. "There's definitely an open door we don't want to leave open."

The Trojan appears to be the first malicious code for Mac OS X, which was launched in March 2001.

Full story here [wired.com]

 

Serio

10+ Year Member



 
Msg#: 453 posted 4:18 pm on Apr 9, 2004 (gmt 0)

Good find, aaronjf.

We Mac users can get complacent - thanks for the heads up

Yidaki

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 4:35 pm on Apr 9, 2004 (gmt 0)

>said Brian Davis, U.S. sales manager for Intego

Why does the sales manager comment?

>The Trojan's profile is included in ... VirusBarrier

Jack: How could we increase the sales of our Anti-Virus software, Joe?
Joe: Don't know, Jack. But let me ask my 12-year-old brother ...

Yep, I'm sometimes paranoid.

microcars

10+ Year Member



 
Msg#: 453 posted 6:31 pm on Apr 9, 2004 (gmt 0)

This is the first native Mac OS virus we've found...

IT'S NOT A VIRUS!

and this is coming from the mouth of a company that SELLS antiVirus software!

You'd think they would know the difference. Hey, whatever you have to do to sell that $60 software!

EliteWeb

WebmasterWorld Senior Member eliteweb us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 453 posted 10:56 pm on Apr 9, 2004 (gmt 0)

Hi ;) I figured I'd comment on this. I run a Macintosh security site. I have taken the time to talk to a few people and the antivirus vendor themselves to get the facts straight.

'I got off the horn with Intego this afternoon to get the lowdown on this trojan that the media is twisting in every different way to blow it up. Even in the press release issued by Intego they stated it was a benign trojan. Not deleting files, not destroying, or replicating, not anything else.

They said the code could easily be modified to do those things, which we all know there is possibility, but there is no parent threat from what was found at the moment. They've updated their definitions to detect the nature of what they received, which is good and all, but no need to do media hype.'

That's my email to another list. Figure it works here too ;)

258cib

10+ Year Member



 
Msg#: 453 posted 3:25 am on Apr 10, 2004 (gmt 0)

Update coming from Symantec:
[maccentral.macworld.com...]

microcars

10+ Year Member



 
Msg#: 453 posted 5:57 am on Apr 10, 2004 (gmt 0)

Wired has issued a "correction" to an earlier story they posted about this "threat":

[wired.com...]

the first line of the story:
"Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X."

madmac

10+ Year Member



 
Msg#: 453 posted 5:36 am on Apr 12, 2004 (gmt 0)

If launched, it doesn't do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail.

I'm not all that up to speed on the security, etc of OS X... but just how could it delete my system files without root permissions (I think I would have to give it my password, no?)? Again, I am not up to speed on the whole security of OS X, but it is my understanding that even if someone modified the trojan to delete my system files, I would still need to explicitly type in my password for it so it could gain the necessary privileges to delete the files.

EliteWeb

WebmasterWorld Senior Member eliteweb us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 453 posted 6:02 am on Apr 12, 2004 (gmt 0)

madmac, anything can delete files it has permission to delete. If altered to wait for root access or administrative access there could be an issue, or even package it as an administrative tool that the admin would open, and enter the password right there.

When it comes down to it, all this advisory or PR was about was that it could happen. Package something as something else and hope the user opens it and goes along with it. JPG, gif, mp3, tool, program etc. It's just the first part: getting the user to execute it.

madmac

10+ Year Member



 
Msg#: 453 posted 6:23 am on Apr 12, 2004 (gmt 0)

madmac anything can delete files it has permission to delete.

That is what I am saying... Even if someone modified it to delete critical files, it would not be able to do so unless I supplied it with the root password... right? It cannot just gain root access on its own (versus Windows, where it is much easier for a virus or trojan to gain administrative privileges without needing an admin password), or am I wrong in thinking that?

trebormojo

10+ Year Member



 
Msg#: 453 posted 10:17 am on Apr 12, 2004 (gmt 0)

There's another one I saw on Symantec that makes itself look like an mp3 and when you open it, it plays the sound of a man laughing and brings up a message box of some sort. They said it was harmless. I knew Mac was in for it launching OSX so soon without the testing needed. How many versions have they had now?

timster

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 1:16 pm on Apr 12, 2004 (gmt 0)

Even if someone modified it to delete critical files, it would not be able to do so unless I supplied it with the root password... right?

Sorry, not so...

As an example, go into /System Folder/
click once on the "Finder app", and Get Info (Apple-I). You'll probably see that you have full access to this file, which means you (or programs you run) could delete it, replace it, or whatever, without a root password.

microcars

10+ Year Member



 
Msg#: 453 posted 5:56 pm on Apr 12, 2004 (gmt 0)

...I new Mac was in for it launching OSX so soon without the testing needed.

what are you, trolling? You "knew"?

If you really did know, you would have known that this has nothing to do with OS X and testing. The Mac OS has always used a separate Resource Fork and a Data Fork for apps and files.

...As an example, go into /System Folder/
click once on the "Finder app", and Get Info (Apple-I). You'll probably see that you have full access to this file, which means you (or programs you run) could delete it, replace it, or whatever, without a root password.

You can't delete it while it is in use. I just tried. So much for that. It wouldn't even allow me to enter a password to get around that.

timster

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 7:18 pm on Apr 12, 2004 (gmt 0)

You can't delete it (the Finder file) while it is in use. I just tried.

That's true, you can't delete a file that's in use. But if Classic isn't currently running, /System Folder/Finder won't be in use, and you'd be able to delete it if you have Administrator rights.

Even with Classic running, there are lots of other files in the System Folder that aren't "locked down" and won't be constantly in use. A user (or program) with Admin rights would be able to delete them.

microcars, please don't construe this as an attack on the Mac. But please do point out any errors I make.

microcars

10+ Year Member



 
Msg#: 453 posted 8:07 pm on Apr 12, 2004 (gmt 0)

I don't want this to turn into a Flame war about what is possible and what is not. This is a webmaster forum, not a Mac security forum. I don't like spreading F.U.D. for no reason. The fact that the original posting of this thread refers to this as a "virus" is VERY misleading.

You will really have a better chance of using plain old "social engineering" to get someone to delete important files from their Macs. The number of steps involved to get this thing to do anything bad is very high.

You probably stand a better chance of getting struck by lightning than you do getting any sort of Mac virus/worm/trojan. This whole story is highly overrated.

I ran across this little cartoon today that basically sums up my view on this issue:
[homepage.mac.com ]

There is a newsgroup for discussing this issue (and that's where it was ORIGINALLY discussed BTW...)

comp.sys.mac.programmer.misc

look for it on Google Groups or here is a direct link for anyone seriously interested in this discussion:

[groups.google.com ]

madmac

10+ Year Member



 
Msg#: 453 posted 8:13 pm on Apr 12, 2004 (gmt 0)

As an example, go into /System Folder/
click once on the "Finder app", and Get Info (Apple-I). You'll probably see that you have full access to this file, which means you (or programs you run) could delete it, replace it, or whatever, without a root password.

What are you talking about? Finder is in /System/Library/CoreServices and administrators only have read access to it. You must gain root access to replace, modify, or delete it.

Unless you mean the Classic Finder if you have Classic installed, which all people do not. And even then it is not a file critical to OS X. All one would need to do is drag Classic to the trash and re-install it with their Apple software CD.

EliteWeb

WebmasterWorld Senior Member eliteweb us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 453 posted 10:37 pm on Apr 12, 2004 (gmt 0)

Think if I wrote a program that when launched deleted all your files. Or a program that when launched played a sound... A program does what it has been written to do. ooOo, too often people confuse trojans with viruses.

Trojans are only as good as the people executing them. If you can make them look good, smell good, then there is more chance of execution. But it's all on the user unless you find a hole or way into the system to remotely do something that doesn't require the end user to activate it.

timster

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 12:39 am on Apr 13, 2004 (gmt 0)

Unless you mean the Classic Finder if you have Classic installed

Yes, that's what I mean. I did specify the directory and mention Classic specifically.

If you don't have Classic installed, you're protected from the exploit demonstrated in the MP3Concept code, but for those who do, they should be aware you don't need root access to mess around with the classic environment.

That's just a technical observation, though, not a press release.
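The thread's disagreement (madmac on /System/Library/CoreServices, timster on the Classic System Folder) comes down to one Unix rule: deleting a file needs write and search permission on its parent directory, not on the file itself. The following script is an added illustration, not code from the thread or from Intego; it judges deletability from mode bits alone and runs against a constructed temporary fixture rather than a real /System tree.

```python
import os
import stat
import tempfile

def _allowed(st, uid, gids, bits):
    """Check one (owner, group, other) permission triple of a stat result."""
    if uid == 0:
        return True                     # root ignores mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def can_unlink(path, uid, gids):
    """Could a process with this uid and these gids unlink `path`, judged from
    mode bits alone? Unlinking needs write and search (x) permission on the
    PARENT directory; the file's own mode does not matter. A sticky parent
    (as on /tmp) additionally requires owning the file or the directory.
    Real kernels also apply ACLs and immutable flags, ignored here."""
    parent = os.path.dirname(os.path.abspath(path))
    dst, fst = os.lstat(parent), os.lstat(path)
    w = _allowed(dst, uid, gids, (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH))
    x = _allowed(dst, uid, gids, (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH))
    if not (w and x):
        return False
    if dst.st_mode & stat.S_ISVTX and uid not in (0, fst.st_uid, dst.st_uid):
        return False
    return True

def demo():
    """Constructed fixture: a 0o755 CoreServices directory (only its owner may
    write, like root-owned /System/Library/CoreServices) and a world-writable
    Classic 'System Folder'. An unrelated uid plays the non-root admin user."""
    base = tempfile.mkdtemp()
    core = os.path.join(base, "System", "Library", "CoreServices")
    classic = os.path.join(base, "System Folder")
    os.makedirs(core)
    os.makedirs(classic)
    os.chmod(core, 0o755)
    os.chmod(classic, 0o777)
    osx_finder = os.path.join(core, "Finder.app")
    classic_finder = os.path.join(classic, "Finder")
    for f in (osx_finder, classic_finder):
        open(f, "w").close()
    me, other = os.getuid(), os.getuid() + 1
    return {
        "owner_can_delete_osx_finder": can_unlink(osx_finder, me, {os.getgid()}),
        "other_can_delete_osx_finder": can_unlink(osx_finder, other, set()),
        "other_can_delete_classic_finder": can_unlink(classic_finder, other, set()),
    }
```

The same check, pointed at a real path, tells you which directories a program running as an ordinary user could empty without ever asking for a password.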

dcrombie

10+ Year Member



 
Msg#: 453 posted 11:29 am on Apr 13, 2004 (gmt 0)

After the story hit Yahoo! yesterday it took all of two minutes to find out that it's just hot air. The original announcement was nothing more than a publicity stunt by Integro(sp?) who are trying to justify anti-virus software for Macs (their best reason to date being that Macs can transfer files that infect Windows computers - well duh!).

The follow-up has been a cascade of poor journalism and wishful-thinking from users who regret buying Windows but will wait for hell to freeze over before admitting it.

Bottom line is that if you own a Mac then you STILL don't need anti-virus software.

;)

CritterNYC

10+ Year Member



 
Msg#: 453 posted 5:09 pm on Apr 13, 2004 (gmt 0)

I know... it's benign, it doesn't delete any files or do anything malicious, it's just a proof-of-concept, it's a trojan, not a virus.

I remember a time before word macro viruses, when someone wrote a proof-of-concept to show it could be done. I even had the code and got to analyze it at the company I was working for. We all know what happened after that with the explosion of word macro viruses.

As for it being a trojan, requiring a click, etc. It could easily be modified to send itself out to everyone in an address book, and do some damage as well. And as for the "no one would click on it" argument, I'd wager that even MORE Mac users than Windows users might click it, since they haven't had it beaten into their skulls not to like Windows users (though it does little good, there are always idiots that click).

MichaelBluejay

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 6:15 pm on Apr 13, 2004 (gmt 0)

The title of this thread, as listed on the WW Highlighted Posts page, is: "BENIGN Trojan Horse ATTACKS...." (emphasis mine)

Am I the only one who sees the irony in that statement? Talk about an oxymoron....

Wife: Are you okay? What happened to you?

Husband: I got beat up by a pacifist.

digitalv

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 6:19 pm on Apr 13, 2004 (gmt 0)

You know, I've always had this theory that the majority of the viri out there were actually created by the anti-virus companies. Can you picture this conversation?

Person 1: "The PC market is saturated with all of the viri out there. Maybe we should look to Linux?"

Person 2: "Nah ... Linux users tend to know what they're doing. How about mac users? They're a bunch of dummies"

Person 1: "Make it so. We will create a MacOS virus and sell them the cure. Muhahahahahahahaha"

Person 2: "Muhahahahahaaha"

aaronjf

10+ Year Member



 
Msg#: 453 posted 6:48 pm on Apr 13, 2004 (gmt 0)

All I know is that after 408 posts, I finally got one on the front page!

WebBender

10+ Year Member



 
Msg#: 453 posted 6:51 pm on Apr 13, 2004 (gmt 0)

Even Mac virii/trojans "Think Different". ;)

dcrombie

10+ Year Member



 
Msg#: 453 posted 7:02 pm on Apr 13, 2004 (gmt 0)

Latest news:

OpenOSX offers free 'TrojanDefuser' app [maccentral.macworld.com]
Apple responds to Trojan Horse Advisory [maccentral.macworld.com]

But what really got me was this article [maccentral.macworld.com] from February.

<snip>

[edited by: Macguru at 3:06 am (utc) on April 14, 2004]
[edit reason] devnull [/edit]

Hissingsid

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 6:15 pm on Apr 15, 2004 (gmt 0)

Their best reason to date being that Macs can transfer files that infect Windows computers - well duh!

It's been a long day and my brain has stopped working.

How do they propose that this happens? The only way I can think is either deliberate intention, stupidity or the benign passing on of an infected file which could only have come from a Windows machine. So in order to not infect any of the poor folks I just have to remember not to give Windows machines stuff from other Windows machines.

Or am I being naive?

I'm currently getting about 20 emails a day containing Windows things like Badtrans and variants. I have not heard of a serious problem from a virus or trojan on Mac OS for about 6 years, when there was an outbreak of a worm in the repro industry.

Let's hope it's many more years before we have anything serious to contend with.

Best wishes

Sid

Lorel

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 453 posted 9:04 pm on May 7, 2004 (gmt 0)

Hey, did you folks watch Frontline last night on PBS?

It was all about cyber wars and how they think that terrorists are infiltrating cyberspace. Not necessarily to destroy (at present) but to investigate and experiment on how to get into different systems.

They believe all the viruses/trojans, etc. were only a trial phase. And they fear that once the time is right they could shut down the internet by a massive attack.

So this infiltration of the Mac with a Trojan could be the first step in controlling Macs also--I mean, if all Windows machines were shut down they wouldn't want us macheads running the internet. Would they? :o)

Lorel
