First Mac OS X Virus?

bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.

Phew!

[by Anonymous Coward]

Glad I just 'switched' to windows ;-)

(fp?)

Re:Phew!

[by Anonymous Coward]

Should have waited. Dvorak is predicting that Apple will adopt Windows [pcmag.com].

I wish I also got paid to be a crackhead.

It's not a virus...

[xwizbt (513040)]

Note the following from http://www.ambrosiasw.com/forums/index.php?showtop ic=102379 [ambrosiasw.com] :

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

Re:It's not a virus...

[pubjames (468013)]

Can you explain to me where the security flaw in OSX is in this case?

There is no double standard here.

Re:It's not a virus...

[Shishak (12540)]

Um.. no, completly different

In the windows scenario you have a real .JPG image which contains code insdie of it that crashes the Windows JPG image library. The code in the image is then executed. In essence in windows a .JPG image file can become an executable running as user admin. This executable now has full access over your computer. This image can be embedded in an e-mail/web page and will execute, launch and own your machine with having you do anything but go to a website or read your e-mail

In the Mac scenario you have an executable which is made to look like an image because its icon was changed. The computer itself knows that it isn't an image so it doesn't try to load it automatically from e-mail or web. This 'virus' is designed to trick the user. The user needs to double click and run the executable. It will then try to write into a protected directory and the OS will prompt the user for the admin password. If the user is dumb enough to click on a executable *and* enter the admin password there really isn't much else you can do. The executable never actually crashes any part of the OS to gain control of the OS and do something that the user doesn't authorize.

Trojan?

[Sidde (758228)]

How can it be a virus if it is a Trojan?
You have to execute it yourself, and that is why it is _not_ a virus.

Reminds me of old Applescript "hacks"

[by Anonymous Coward]

Back in high school we used to make little mean scripts in Applescript. Since there was no concept of security or multiple users in Mac OS 7 and 8, the script could do all sorts of nasty damage. All you had to do was compile/"save as" a standalone executable application from the Applescript Editor and paste an innocent icon on it. We liked to use the ClarisWorks icon to be extra mean.

Another variant was useful on computers that were proteted with OnGuard or AtEase. Simply make a script that would pop up a dialog box asking for the password. An unknowning teacher would enter the password and the script would exit... leaving behind a log file with the password in it for later use.

Nothing magical about these. Very basic trojan horses.

10.5 Screenshots?!

[fightzombies (876201)]

Where? I want to see!

I Like The Trojan Horse That Was Used

[RobotRunAmok (595286)]

The first Mac virus hidden cleverly inside a picture of desktop eyecandy. No doubt it will spread like wildfire. Insidious.

What wrapper will the first Linux widespread virus take? "Hey, download this PDF -- it's a transcript of a big IRC shouting match about which is better, emacs or vi! You gotta read this!"

We won't know what hit us...

Need a Universal Binary

[WhiteWolf666 (145211)]

Anyone know when the Universal Binary will be avaliable? Plus, we need a "no password" crack.

When will Mac viruses get to the level of Windows when? For godsakes, this one still requires user intervention, and it doesn't even work on all OS X platforms!

Come on Apple! Microsoft has you soundly beaten in this regard :(

The vulnerability isn't always plugged in

[Overzeetop (214511)]

Everybody seems so certain that this is a non-starter on OSX because it requires some user intervention to propagate. I have bad news for you: there are clueless Mac users out there, too. These are probably the same folks who will click on a web popup to "see the lastest hollywood gaff" and then "accept" the untrusted executable when windows warns about the download to be executed. And they're the same ones who will dutifully click their bank url in an email and login to make sure their information is correct .

Never understimate the power of the incomptenece of 20% of your userbase.

Re:The vulnerability isn't always plugged in

[WhiteWolf666 (145211)]

That's why we don't consider it a vulnerability. There is no way to "fix" this without totally locking out the user.

There is no way to compensate for an Administator who is computer illiterate. It's simply not possible. You can lower the bar as much as you like, however, there is a certain minimum level of knowledge which is required to safely administer a computer.

Like don't run every application you get your hand on. This is similar to don't delete all your files.

Five stages of grief

[sg3000 (87992)]

I think this is a bit overblown. It sounds like a Trojan Horse, not a virus. But the originally posted messages are kind of funny. Has anyone else noticed that if you look throughout the Mac OS Rumors threads, you can find examples that follow the five stages of grief [wikipedia.org]?

1. Denial and isolation

Is this another non story just so we can toss a non story at people who argue that a Mac will be just as crap as windows given time and enough crazy automation in our email clients?

2. Anger

Oh God, shut up. The fact that you worked at an Apple Store means nothing, get over yourself. "At least a dozen people" HAHA yeah OK, you want to tell me you didn't pull that completely out of your butt?

3. Bargaining

if anyone thinks that they can isolate it and reverse engineer it or anything like that i will be happy to give you the mirrored link

4. Depression

that is seriously depressing. i am officially shaken from my nice little warm fuzzy macintosh lull.

5. Acceptance

We all knew this day would come.
It's ok, although some of you are a bit shocked, this thing was eventually going to happen. I just hope that Apple will help stop these kinds of things from happening. Safari already tells us when we download a program, and even an .exe, maybe Apple just has to add what Safari looks for when we download it. That would hopefully prevent this from ever happening again.

I think with the appropriate counseling, the MacOSRumors.com community will be just fine.

Re:Trojan Man?

[Epaminondas Pantulis (926394)]

I guess they put the standard JPEG icon in the app's bundle...

Re:Trojan Man?

[fracai (796392)]

There's this thing called reading the article... oh, right.

It's a "JPEG" because the author was clever enough to paste the icon of a JPEG onto the executable.
If the user is root, or possibly admin, the script writes files in /Library/InputManagers. If you aren't it does the same in the user Library.
No kit, just a prompt.

http://www.ambrosiasw.com/forums/index.php?showtop ic=102379 [ambrosiasw.com] as linked from MacRumors has a really good writeup on what is going on.

Re:Trojan Man?

[Vicsun (812730)]

An honest question (I'm pretty ignorant):

How can a user differentiate between an executable file with a pretty icon and a jpeg in OSX (or Linux for that matter)? In Windows there are file extensions so a trojan with an icon will still have to be called something.exe in order to do any damage. How can I tell the difference between a binary file with an icon and a file that doesn't execute any code with the absense of extensions?

Please don't laugh :(

Re:Trojan Man?

[Ortega-Starfire (930563)]

All you have to do is right click... oh, nm

Re:Trojan Man?

[Megane (129182)]

If the user is root, or possibly admin, the script writes files in /Library/InputManagers.

Um, why is my /Library chmod 775? It's that way on all four OS X machines that I can reach via SSH right now, two 10.4.x and two 10.3.x. Because there is no /Library/InputManagers in my /Library, so any program running under an admin account on my machine could create one. Admittedly, /Library/StartupItems being group-writable would be a much worse security violation (stuff in there runs as root at startup), and I have seen cases where installers will create one chmod 775 or 777, but I don't see any reason why a program that isn't setuid root (in other words, requiring the security dialog first) should be able to create new directories or drop files into /Library.

Anyhow, this is not a virus, it's a trojan. A virus attaches itself to existing executables (boot blocks included in the definition of "executables"). This is a trojan, and if it replicates, then it's a file-propagating worm (as opposed to the e-mail- and network- propagating worms that plague Windows). So far there is still no malware for OS X that doesn't depend upon human stupidity for propagation. Whether that be saving an e-mail attachment to disk and then double-clicking on its icon on the desktop (this thing won't auto-open while reading e-mail), or simply using bad username/password combinations allowing a brute-force break-in over SSH, there is still no sign of any kind of fully-automated malware for OS X.

In the meantime, I'm going to be doing a lot of "sudo chmod 755 /Library".

Re:Trojan Man?

[mstroeck (411799)]

Uhm, how are proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG-icon, 95% of users won't notice.

The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.

Re:Trojan Man?

[CastrTroy (595695)]

Maybe we should be able to override the OS so that no matter what icon the executable file says it wants to display, the OS always shows an icon clearly depicting the fact that the file is an executable.

Re:Trojan Man?

[Kadin2048 (468275)]

I was thinking about this. I can't imagine it would be all that hard -- there is already a visual flag applied to all "alias" (that's symlink) files, so it doesn't seem like it would be out of the question to do something similar for executables, based on the eXecute bit.

However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.

I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.

Re:Trojan Man?

[devonbowen (231626)]

Uhm, how are proposing to "fix" this?

When I download a dmg file with Safari, I get a warning if the dmg contains an executable. (Not sure if that's Safari doing the warning or the code that mounts the archive or what.) Something like this in the code that unpacks tar files would go a long way toward fixing it.

Devon

Re:Trojan Man?

[n3k5 (606163)]

Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable?

It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

It doesn't really disguise as an image. It just uses the OS X standard icon for images as its own icon. However, it does not have a jpeg extension and if you select it in the finder, you will not get a preview thumbnail, thus you would know that opening in the Preview application (which you would do by double clicking) cannot work. Maybe, if you have set your Finder not to display extensions, or just didn't pay attention, you would try to open it in another image viewer, which would fail and not do any harm.

Re:Trojan Man?

[Kadin2048 (468275)]

It's almost impossible for a clueless user to run as root on an OS X box.

Actually running/logging-in as root requires either some non-trivial Terminal work, or going in through NetInfo Manager (a fairly intimidating config utility) and enabling the root account (which at least the time I did it, a few years ago, gave you some pretty stern warnings).

That's not to say that you can't have root-like privs -- the default first user on a Mac is an "Administrator," which just means that they can sudo -s and become root temporarily. However to do this you have to authenticate for every action. (Or every 5 minutes or so.) The MacOS "Administrator" level user is not as powerful as the WinXP type of Administrator (which is effectively a root account). Macs have three levels of users: root, Admins (who can sudo), and everyone else (who can't).

So yes, there are definitely ways that a clueless person could damage themselves with a trojan, if they just mindlessly type in their password into any box that comes up, regardless of the context in which they're being asked, but there is at least one more step stopping you from doing it compared to running on a Windows system.

Re:Hehehe

[Jarlsberg (643324)]

There is a Mac God?

They've got one coming out in six months, it's called the iGod.

Nah, that's just the title of Steve Jobs upcoming self-biography.