
Trojan Horse Attacks Mac OS X

"This is the first native Mac OS virus we've found,"

     

aaronjf

4:09 pm on Apr 9, 2004 (gmt 0)

10+ Year Member



"This is the first native Mac OS virus we've found," said Brian Davis, U.S. sales manager for Intego, a Mac security and privacy firm that discovered the Trojan.

The Trojan is benign, according to Intego. If launched, it doesn't do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail.

"This is likely a test Trojan showing these things are possible," said Davis. "There's definitely an open door we don't want to leave open."

The Trojan appears to be the first malicious code for Mac OS X, which was launched in March 2001.

Full story here [wired.com]

Serio

4:18 pm on Apr 9, 2004 (gmt 0)

10+ Year Member



Good find aaronjf

We Mac users can get complacent - thanks for the heads up

Yidaki

4:35 pm on Apr 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>said Brian Davis, U.S. sales manager for Intego

Why does the sales manager comment?

>The Trojan's profile is included in ... VirusBarrier

Jack: How could we increase the sales of our Anti-Virus software, Joe?
Joe: Don't know, Jack. But let me ask my 12 year old brother ...

Yep, I'm sometimes paranoid.

microcars

6:31 pm on Apr 9, 2004 (gmt 0)

10+ Year Member



This is the first native Mac OS virus we've found...

IT'S NOT A VIRUS!

and this is coming from the mouth of a company that SELLS antiVirus software!

You'd think they would know the difference. Hey, whatever you have to do to sell that $60 software!

EliteWeb

10:56 pm on Apr 9, 2004 (gmt 0)

WebmasterWorld Senior Member eliteweb is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Hi ;) I figured I'd comment on this. I run a Macintosh security site. I have taken the time to talk to a few people and the antivirus vendor themselves to get the facts straight.

'I got off the horn with Intego this afternoon to get the lowdown on this
trojan that the media is twisting in every different way to blow it up.
Even in the press release issued by Intego they stated it was a benign
trojan. Not deleting files, not destroying, or replicating, not anything
else.

They said the code could easily be modified to do those things which we
all know there is possibility but there is no parent threat from what was
found at the moment. They've updated their definitions to detect the nature
of what they received which is good and all but no need to do media hype.' That's my email to another list. Figure it works here too ;)

258cib

3:25 am on Apr 10, 2004 (gmt 0)

10+ Year Member



Update coming from Symantec:
[maccentral.macworld.com...]

microcars

5:57 am on Apr 10, 2004 (gmt 0)

10+ Year Member



Wired has issued a "correction" to an earlier story they posted about this "threat":

[wired.com...]

the first line of the story:
"Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X."

madmac

5:36 am on Apr 12, 2004 (gmt 0)

10+ Year Member



If launched, it doesn't do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail.

I'm not all that up to speed on the security, etc of OS X... but just how could it delete my system files without root permissions (I think I would have to give it my password, no?)? Again, I am not up to speed on the whole security of OS X, but it is my understanding that even if someone modified the trojan to delete my system files, I would still need to explicitly type in my password for it so it could gain the necessary privileges to delete the files.

EliteWeb

6:02 am on Apr 12, 2004 (gmt 0)

WebmasterWorld Senior Member eliteweb is a WebmasterWorld Top Contributor of All Time 10+ Year Member



madmac, anything can delete files it has permission to delete. If altered to wait for root access or administrative access there could be an issue, or it could even be packaged as an administrative tool that the admin would open, and enter the password right there.

When it comes down to it, all this advisory or PR was about was that it could happen. Package something as something else and hope the user opens it and goes along with it. JPG, gif, mp3, tool, program, etc. It's just the first part: getting the user to execute it.

madmac

6:23 am on Apr 12, 2004 (gmt 0)

10+ Year Member



madmac, anything can delete files it has permission to delete.

That is what I am saying... Even if someone modified it to delete critical files, it would not be able to do so unless I supplied it with the root password... right? It cannot just gain root access on its own (versus Windows where it is much easier for a virus or trojan to gain administrative privileges without needing an admin password), or am I wrong in thinking that?

trebormojo

10:17 am on Apr 12, 2004 (gmt 0)

10+ Year Member



There's another one I saw on Symantec that makes itself look like an mp3 and when you open it, it plays the sound of a man laughing and brings up a message box of some sort. They said it was harmless. I knew Mac was in for it launching OSX so soon without the testing needed. How many versions have they had now?

timster

1:16 pm on Apr 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Even if someone modified it to delete critical files, it would not be able to do so unless I supplied it with the root password.. right?

Sorry, not so...

As an example, go into /System Folder/
click once on the "Finder app", and Get Info (Apple-I). You'll probably see that you have full access to this file, which means you (or programs you run) could delete it, replace it, or whatever, without a root password.

microcars

5:56 pm on Apr 12, 2004 (gmt 0)

10+ Year Member



...I knew Mac was in for it launching OSX so soon without the testing needed.

What are you, trolling? You "knew"?

If you really did know, you would have known that this has nothing to do with OS X and testing. The Mac OS has always used a separate Resource Fork and a Data Fork for apps and files.

...As an example, go into /System Folder/
click once on the "Finder app", and Get Info (Apple-I). You'll probably see that you have full access to this file, which means you (or programs you run) could delete it, replace it, or whatever, without a root password.

You can't delete it while it is in use. I just tried. So much for that. It wouldn't even allow me to enter a password to get around that.

timster

7:18 pm on Apr 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can't delete it (the Finder file) while it is in use. I just tried.

That's true, you can't delete a file that's in use. But if Classic isn't currently running, /System Folder/Finder won't be in use, and you'd be able to delete it if you have Administrator rights.

Even with Classic running, there are lots of other files in the System Folder that aren't "locked down" and won't be constantly in use. A user (or program) with Admin rights would be able to delete them.

microcars, please don't construe this as an attack on the Mac. But please do point out any errors I make.

microcars

8:07 pm on Apr 12, 2004 (gmt 0)

10+ Year Member



I don't want this to turn into a Flame war about what is possible and what is not. This is a webmaster forum, not a Mac security forum. I don't like spreading F.U.D. for no reason. The fact that the original posting of this thread refers to this as a "virus" is VERY misleading.

You will really have a better chance of using plain old "social engineering" to get someone to delete important files from their Macs. The number of steps involved to get this thing to do anything bad is very high.

You probably stand a better chance of getting struck by lightning than you do getting any sort of Mac virus/worm/trojan. This whole story is highly overrated.

I ran across this little cartoon today that basically sums up my view on this issue:
[homepage.mac.com ]

There is a newsgroup for discussing this issue (and that's where it was ORIGINALLY discussed BTW...)

comp.sys.mac.programmer.misc

look for it on Google Groups or here is a direct link for anyone seriously interested in this discussion:

[groups.google.com ]

madmac

8:13 pm on Apr 12, 2004 (gmt 0)

10+ Year Member



As an example, go into /System Folder/
click once on the "Finder app", and Get Info (Apple-I). You'll probably see that you have full access to this file, which means you (or programs you run) could delete it, replace it, or whatever, without a root password.

What are you talking about? Finder is in /System/Library/CoreServices and administrators only have read access to it. You must gain root access to replace, modify, or delete it.

Unless you mean the Classic Finder if you have Classic installed, which all people do not. And even then it is not a file critical to OS X. All one would need to do is drag Classic to the trash and re-install it with their Apple software CD.

EliteWeb

10:37 pm on Apr 12, 2004 (gmt 0)

WebmasterWorld Senior Member eliteweb is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Think if I wrote a program that when launched deleted all your files. Or a program that when launched played a sound... A program does what it has been written to do; ooOo, too often people confuse trojans with viruses.

Trojans are only as good as the people executing them. If you can make them look good, smell good, then there is more chance of execution. But it's all on the user unless you find a hole or way into the system to remotely do something that doesn't require the end user to activate it.

timster

12:39 am on Apr 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Unless you mean the Classic Finder if you have Classic installed

Yes, that's what I mean. I did specify the directory and mention Classic specifically.

If you don't have Classic installed, you're protected from the exploit demonstrated in the MP3Concept code, but for those who do, they should be aware you don't need root access to mess around with the classic environment.

That's just a technical observation, though, not a press release.
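The disagreement between madmac and timster above turns on which permission actually lets a non-root process delete or replace a file: unlinking needs write access on the parent directory, not on the file itself. The script below is an added example, not code from the thread or from Intego; it audits constructed files in a scratch directory and assumes only POSIX sh, ls and awk.

```shell
#!/bin/sh
# Added example (not from the thread): report what a program running as the
# current, non-root user could do to a given file. Editing contents needs
# write permission on the file; deleting or replacing it needs write+search
# permission on the parent directory. The two are easy to confuse.

# can_modify PATH -> exit 0 if the file's contents are writable by this user
can_modify() {
    [ -w "$1" ]
}

# can_delete PATH -> exit 0 if this user could unlink (and so replace) the file
can_delete() {
    dir=$(dirname "$1")
    [ -w "$dir" ] && [ -x "$dir" ] || return 1
    # A sticky directory (like /tmp) only lets the file's owner delete it.
    if [ -k "$dir" ]; then
        owner=$(ls -ld "$1" | awk '{print $3}')
        [ "$owner" = "$(id -un)" ] || return 1
    fi
    return 0
}

# audit_path PATH -> prints one line describing the exposure
audit_path() {
    if can_modify "$1"; then m="modifiable"; else m="read-only"; fi
    if can_delete "$1"; then d="deletable"; else d="protected"; fi
    printf '%s: contents %s, file %s\n' "$1" "$m" "$d"
}

# Demo on constructed files in a scratch directory; no real system paths touched.
demo_dir=$(mktemp -d)
printf 'sample\n' > "$demo_dir/finder"
chmod 444 "$demo_dir/finder"        # read-only contents...
audit_path "$demo_dir/finder"       # ...yet deletable: parent dir is writable
chmod 555 "$demo_dir"               # lock the directory itself
audit_path "$demo_dir/finder"       # now protected (as a non-root user)
chmod 755 "$demo_dir"; rm -rf "$demo_dir"
```

Run as root every check passes, since root bypasses mode bits; the audit is meaningful only for the ordinary user account a trojan would run under.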

dcrombie

11:29 am on Apr 13, 2004 (gmt 0)



After the story hit Yahoo! yesterday it took all of two minutes to find out that it's just hot air. The original announcement was nothing more than a publicity stunt by Intego, who are trying to justify anti-virus software for Macs (their best reason to date being that Macs can transfer files that infect Windows computers - well duh!).

The follow-up has been a cascade of poor journalism and wishful-thinking from users who regret buying Windows but will wait for hell to freeze over before admitting it.

Bottom line is that if you own a Mac then you STILL don't need anti-virus software.

;)

CritterNYC

5:09 pm on Apr 13, 2004 (gmt 0)

10+ Year Member



I know... it's benign, it doesn't delete any files or do anything malicious, it's just a proof-of-concept, it's a trojan, not a virus.

I remember a time before word macro viruses, when someone wrote a proof-of-concept to show it could be done. I even had the code and got to analyze it at the company I was working for. We all know what happened after that with the explosion of word macro viruses.

As for it being a trojan, requiring a click, etc. It could easily be modified to send itself out to everyone in an address book, and do some damage as well. And as for the "no one would click on it" argument, I'd wager that even MORE Mac users than Windows users might click it, since they haven't had it beaten into their skulls not to, like Windows users (though it does little good, there are always idiots that click).

MichaelBluejay

6:15 pm on Apr 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The title of this thread, as listed on the WW Highlighted Posts page, is: "BENIGN Trojan Horse ATTACKS...." (emphasis mine)

Am I the only one who sees the irony in that statement? Talk about an oxymoron....

Wife: Are you okay? What happened to you?

Husband: I got beat up by a pacifist.

digitalv

6:19 pm on Apr 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You know, I've always had this theory that the majority of the viri out there were actually created by the anti-virus companies. Can you picture this conversation?

Person 1: "The PC market is saturated with all of the viri out there. Maybe we should look to Linux?"

Person 2: "Nah ... Linux users tend to know what they're doing. How about mac users? They're a bunch of dummies"

Person 1: "Make it so. We will create a MacOS virus and sell them the cure. Muhahahahahahahaha"

Person 2: "Muhahahahahaaha"

aaronjf

6:48 pm on Apr 13, 2004 (gmt 0)

10+ Year Member



All I know is that after 408 posts, I finally got one on the front page!

WebBender

6:51 pm on Apr 13, 2004 (gmt 0)

10+ Year Member



Even Mac virii/trojans "Think Different". ;)

dcrombie

7:02 pm on Apr 13, 2004 (gmt 0)



Latest news:

OpenOSX offers free 'TrojanDefuser' app [maccentral.macworld.com]
Apple responds to Trojan Horse Advisory [maccentral.macworld.com]

But what really got me was this article [maccentral.macworld.com] from February.

<snip>

[edited by: Macguru at 3:06 am (utc) on April 14, 2004]
[edit reason] devnull [/edit]

Hissingsid

6:15 pm on Apr 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Their best reason to date being that Macs can transfer files that infect Windows computers - well duh!

It's been a long day and my brain has stopped working.

How do they propose that this happens? The only way I can think is either deliberate intention, stupidity or the benign passing on of an infected file which could only have come from a Windows machine. So in order to not infect any of the poor folks I just have to remember not to give Windows machines stuff from other Windows machines.

Or am I being naive?

I'm currently getting about 20 emails a day containing Windows things like Badtrans and variants. I have not heard of a serious problem from a virus or trojan on Mac OS for about 6 years, when there was an outbreak of a worm in the repro industry.

Let's hope it's many more years before we have anything serious to contend with.

Best wishes

Sid

Lorel

9:04 pm on May 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hey, did you folks watch Frontline last night on PBS?

It was all about cyber wars and how they think that terrorists are infiltrating cyberspace. Not necessarily to destroy (at present) but to investigate and experiment on how to get into different systems.

They believe all the viruses/trojans, etc. were only a trial phase. And they fear that once the time is right they could shut down the internet by a massive attack.

So this infiltration of the Mac with a Trojan could be the first step in controlling Macs also--I mean, if all Windows machines were shut down they wouldn't want us macheads running the internet. Would they? :o)

Lorel
