
Mac Trojan Horse Disguised as Word 2004

pudge posted more than 9 years ago | from the caveat-pirator dept.

Security 785

Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.


785 comments

"Darwin" - style award winner (5, Funny)

ericspinder (146776) | more than 9 years ago | (#9131155)

"I downloaded the file [off Limewire] in the hope that perhaps Microsoft had released some sort of public beta...and to my delight the Microsoft icon looked genuine and trustworthy"
We have got to come up with a name for "someone who makes a good effort at removing themselves from the Internet".

Re:"Darwin" - style award winner (5, Funny)

Ieshan (409693) | more than 9 years ago | (#9131181)

Already got one. Notice how "microsoft" came up, even in the story about the Trojan on a Mac?

Re:"Darwin" - style award winner (0)

Anonymous Coward | more than 9 years ago | (#9131270)

Considering that it is an article about someone trying to download Microsoft Word, this is no surprise.

Re:"Darwin" - style award winner (2, Funny)

LookSharp (3864) | more than 9 years ago | (#9131204)

Congrats, you've just invented the Spinder Awards!

How do I nominate someone? And when are the awards given? :)

Re:"Darwin" - style award winner (3, Funny)

Short Circuit (52384) | more than 9 years ago | (#9131262)

Ouch.

I was about to type a search for "spinder" in the google search in Firefox when I noticed the original poster's username.

Re:"Darwin" - style award winner (0)

Anonymous Coward | more than 9 years ago | (#9131393)

Congratulations, you've just invented the Ciruit awards!

How do I nominate someone? And when are the awards given?

Re:"Darwin" - style award winner (1, Funny)

Anonymous Coward | more than 9 years ago | (#9131357)

How about Moran? [about.com]

New paradigm? (5, Funny)

Suffering Bastard (194752) | more than 9 years ago | (#9131161)

I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta...I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!

Maybe this is Microsoft's new security paradigm. No one can steal your data, not even you!

Think first (5, Insightful)

BWJones (18351) | more than 9 years ago | (#9131162)

The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.

Using Limewire? A likely story.

The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"

This is the risk you take when downloading stuff that you don't pay for. If you purchased Office 2004 from Microsoft (thus supporting the promotion and development of software for OS X), then you would have something to gripe about. As it stands, one might suggest you got what you paid for.....

This is 2004, you should know by now not to open a file from an untrusted source.

Well said. However, this does raise the possibility of other code that could be made to look like just about anything. So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.

Re:Think first (5, Funny)

lukewarmfusion (726141) | more than 9 years ago | (#9131222)

"So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice."

The Slashdot folks obviously think a lot about what kinds of food they eat (everything) and who they have sex with (nobody).

Re:Think first (4, Funny)

John_Sauter (595980) | more than 9 years ago | (#9131314)

So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.
Hmmm. I detect a market for a software condom. That's a much better term than "sandbox" in some markets.
John Sauter (J_Sauter@Empire.Net)

Re:Think first (0)

Anonymous Coward | more than 9 years ago | (#9131323)

Using Limewire? A likely story.

Don't be an ass. If they had released any kind of beta, it'd be on limewire in ten minutes.

Re:Think first (1)

jest3r (458429) | more than 9 years ago | (#9131352)

Unfortunately this serves as proof that Apple is making inroads into Microsoft's desktop userbase.

This is no different than all of the executable email attachments going around ... you have got to be a moron to run stuff like this.

I used to think only a Windows user would download a 300 kilobyte file from Limewire called Office 2004 and blindly run it thinking that they were going to get the full version .. hopefully there are no more "switchers" .. they're giving us a bad name.

Windows (4, Funny)

dicepackage (526497) | more than 9 years ago | (#9131165)

This would never of happened if they were using a secure operating system like Windows.

Re:Windows (2, Funny)

javatips (66293) | more than 9 years ago | (#9131245)

You're right... On Windows, the trojan would have been much more efficient... It would have wiped the entire hard drive!

Re:Windows (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#9131261)

Fuck you, first of all it's "would never HAVE" you english defacing fuck-tard. 2. when the FUCK has windows been considered secure? 3. if he's dumb enough to use a kazaa like program, he deserves every fucking virus out there. Fuck you and fuck windows. without windows we wouldn't need tech support. Prick.

Actually... (5, Insightful)

rtilghman (736281) | more than 9 years ago | (#9131330)


If it was a Windows installer you could check to make sure that various files were signed and authenticated by MS, information which I don't believe can actually be faked (dlls, exe, cab files, etc.).

I don't know if Mac has a similar feature, and I don't know if some random moron like this guy would even have bothered to check. However, it would seem that MS' own security would indeed have offered a better chance of preventing such a Trojan. :)

-rt

Re:Windows (2, Funny)

johkir (716957) | more than 9 years ago | (#9131397)

From the article:

A Microsoft spokesperson said: "Security is a top priority for Microsoft, and we are committed to ensuring a safe and reliable computing experience for all of our customers. Which means there will never be a trojan like that for windows.

Ouch! Now my nose hurts.

beta (5, Funny)

pizza_milkshake (580452) | more than 9 years ago | (#9131170)

in the hope that perhaps Microsoft had released some sort of public beta...

yeah.

Re:beta (1)

LostCluster (625375) | more than 9 years ago | (#9131342)

Microsoft gives out free (lower case) software all of the time. Internet Explorer, Outlook Express, Windows Media Player...

They even have released full versions of products that'd later become retail. Microsoft gave Outlook 98 away free for a while because Outlook 97 was just plain so bad the product needed its image rehabilitated.

Let the Liar Beware (5, Funny)

American AC in Paris (230456) | more than 9 years ago | (#9131185)

A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta.

Uh-huh.

Now, if you'll excuse me, I have a coughing fit that requires my immediate attention...

don't be dumb billy. (5, Funny)

SuperguyA1 (90398) | more than 9 years ago | (#9131202)

Let's see... You downloaded a microsoft public beta from a p2p net without checking ms's website for any existence of the beta. Then just because the icon looked like a m$ icon you figured it was safe with no virus scan? If you purchase this BEAUTIFUL florida swampland I have I bet your files will be restored and word 2004 will work fine

call me

Re:don't be dumb billy. (2, Interesting)

Trigun (685027) | more than 9 years ago | (#9131257)

anyone know if a Mac comes with strings or a similar program?

Always helpful when downloading off the net.

Re:don't be dumb billy. (2, Informative)

Daniel_Staal (609844) | more than 9 years ago | (#9131337)

Yep. It's there. (Though it may be part of the developer bundle, which I have installed also. Of course, the developer bundle comes standard, it just isn't installed standard.)

Re:don't be dumb billy. (1)

Bullet-Dodger (630107) | more than 9 years ago | (#9131380)

Yep, it comes with strings. You have to go to the terminal to use it however, which most people aren't going to do.

Re:don't be dumb billy. (1)

Uma Thurman (623807) | more than 9 years ago | (#9131370)

It's a little like the guy who gets injured in a home robbery, then decides to sue the owner of the house because it was unsafe!

My take... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9131207)

Don't forget to pay your $699 SCO fee, you cocksmoking teabaggers.

The Icon Looked Trustworthy! (4, Funny)

Eagle5596 (575899) | more than 9 years ago | (#9131209)

Because everyone knows the icon is the best way to ascertain the security and authenticity of any piece of software. It's very secure and hard to change, uh huh.

Re:The Icon Looked Trustworthy! (0, Redundant)

LostCluster (625375) | more than 9 years ago | (#9131280)

Because everyone knows the icon is the best way to ascertain the security and authenticity of any piece of software. It's very secure and hard to change, uh huh.

Yep. On absolutely all platforms, the icon from one program is very easy to grab and apply to another. This is about as far away from a certificate or a signature as you can get. Only the trademark lawyer can protect against icon theft.

In the words of Nelson (1, Funny)

Anonymous Coward | more than 9 years ago | (#9131211)

Ha Ha [wanadoo.fr]

Not really similar to the other article (2, Informative)

sith (15384) | more than 9 years ago | (#9131216)

The earlier article dealt with a document file showing the wrong file type because of extension VS resource fork issues.

This is just a case of assigning a different icon to an application. Could be as simple as an rm -rf / shell script with a word icon.

Re:Not really similar to the other article (1)

Short Circuit (52384) | more than 9 years ago | (#9131372)

There must have been an awful lot of filler data in there. I can't imagine a Microsoft beta weighing in at 18 bytes.

Re:Not really similar to the other article (2, Interesting)

Rick Zeman (15628) | more than 9 years ago | (#9131392)

This is just a case of assigning a different icon to an application. Could be as simple as an rm -rf / shell script with a word icon.

That's exactly what it is. An Applescript calling rm -rf in a shell script with an MS icon on the Applescript applet. But, since it's UNIX, not windows, the only damage is self-inflicted by default.
Now if the writer was mo' clever, he could have added authentication ("with administrator privileges") so the stupid person could have totally eradicated himself after supplying the administrator password.

Why Not? (3, Insightful)

tarballedtux (770160) | more than 9 years ago | (#9131224)

Every OS is vulnerable to the ultimate virus: Stupidity.Virus.a Only one release was needed.

Re:Why Not? (0)

Anonymous Coward | more than 9 years ago | (#9131293)

If only it wasn't so damn infectious, stupidity seems to have afflicted 9/10ths of the people in the world.

This has nothing to do with Apple? (4, Insightful)

davidu (18) | more than 9 years ago | (#9131227)


This should be filed under the "Humans" topic as this has nothing to do with apple or even computers.

Trojan Horses are social problems -- there isn't much apple or microsoft or anyone can do other than try to keep people on their toes.

I mean come on, limewire?

davidu

Re:This has nothing to do with Apple? (1)

Short Circuit (52384) | more than 9 years ago | (#9131317)

He's lucky he was running a UNIX variant.

At least it was only his home directory that got trashed, and not his entire system. (Or maybe he ran it as root, but didn't tell anyone.)

Limewire Legal! (5, Funny)

MacWannabe (756042) | more than 9 years ago | (#9131229)

Seriously, what a tard. The only things you can trust off Limewire is the quality porn!

Re:Limewire Legal! (1)

QuickFord (762007) | more than 9 years ago | (#9131345)

"Seriously, what a tard. The only things you can trust off Limewire is the quality porn!" Actually I'm calling BS on that one too.

public beta? (1)

ender_wiggins (81600) | more than 9 years ago | (#9131230)

This is funny. He got what he deserves. Microsoft has plenty of private beta testers. He should just spend the $150.... stealing is not worth it.

Hopes (1, Redundant)

aliens (90441) | more than 9 years ago | (#9131233)

I downloaded the file [off Limewire] in the hope that perhaps Microsoft had released some sort of public beta

Yeah I'm sure he was thinking that the file he got off LimeWire was some sort of legit public beta from MS. I mean that's the first place MS would release something like that. Not official MS sites, but a P2P network with no announcement.

Proof... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9131234)

That stupidity knows no bounds.

Stupid Behavior! Not limited to Windows anymore!

Stupid user in, virus sob tale out... (3, Informative)

LostCluster (625375) | more than 9 years ago | (#9131236)

'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta'

That's a likely story...

Come on people. The only trustworthy source of any public beta software from Microsoft would be a website in the form of "http://*.microsoft.com/*" and there'd likely still be pretenders claiming to be that package floating on Limewire. Don't trust that it's Microsoft software unless you've seen Microsoft say that the distributor is legit.

Dear trojan writers. (5, Funny)

juuri (7678) | more than 9 years ago | (#9131238)

Instead of deleting a person's files (I know you 0wn3r3d th3m!@#!) how about you do the rest of us a favour.

From this point on all trojans, such as this one, who invite idiots to test the lows of their computer skills should, instead of removing random files, disable a person's net connection. Think about the good you would suddenly be doing for the online world! You can make a positive difference! Your life isn't lost yet! Go you!

Re:Dear trojan writers. (1)

cexshun (770970) | more than 9 years ago | (#9131364)

Perfect idea! Instead of rm -rf /, the program should do something like rm -f /dev/eth0 && ln -s /dev/hda1 /dev/eth0.

It's brilliant!

Who would have thought ? (5, Funny)

Jesrad (716567) | more than 9 years ago | (#9131241)

I mean, a 60 kilobyte AppleScript fits the name "Word 2004 Mac Beta Installer" perfectly.

D'uh.

Not a problem... (0)

Anonymous Coward | more than 9 years ago | (#9131242)

I don't have trojans or spyware. And when I manage my finances with Quicken v5 (for DOS) it doesn't phone home.

Why does everyone think they need bleeding edge office productivity software?

BTW, WP5.1 for DOS still prints to my postscript printer...

Sort of... (1)

starphish (256015) | more than 9 years ago | (#9131247)

This is 2004, you should know by now not to open a file from an untrusted source.

I agree to a certain extent. This is not something that Mac users are accustomed to though. I grew up in a town where people didn't need to lock their house and car doors. If someone was robbed, I'd blame the crook, not the resident.

Re:Sort of... (2, Insightful)

Daniel Dvorkin (106857) | more than 9 years ago | (#9131404)

I've been a Mac user for a looong time now, and although the (relative) safety from malware is one of many things I like about using a Mac, I still think that in this situation, the user is at least as much to blame as the person who created the malicious file. There is no excuse for anyone who uses a computer, of any kind, in this day and age, not being aware of the danger of double-clicking on files from an untrusted source. (Cue snarky remarks about how even if it came from microsoft.com, the source would still be untrustworthy ...) Blame is not a fixed quantity -- in any crime, we blame the perpetrator, but sometimes there's some extra blame for the victim as well.

But shiney icons never do that.. (0)

Anonymous Coward | more than 9 years ago | (#9131249)

..the icons must have had something that gave away the true purpose of the app?

Did it lack a little polish in some corners?
Had the Arial font been used?
Was there strange bouncing activity while it was in the dock?

Fast User Switching Rules... (4, Interesting)

rthille (8526) | more than 9 years ago | (#9131253)


This is a perfect use for Fast User Switching. Create an account with no perms and no data you care about losing. Test downloads in that account. You can do it without even logging out.

Be careful though of the fact that there's no restriction on network access for a 'no perms' account. (This is a failing of UNIX in general, not MacOS in particular.) This would allow Microsoft/anyone to put out a trojan like this, and send back a 'this IP fell for it' packet, or even run a server on a 'high' port (depending on your firewall configuration).

I'm lost (2, Insightful)

oneishy (669590) | more than 9 years ago | (#9131254)

Is it just me, or did I miss all the Trojan like aspects of that program?

Yes, it had undesirable consequences of running an untrusted application, but Trojan?

Re:I'm lost (1)

stanmann (602645) | more than 9 years ago | (#9131369)

Trojan: something that looks like what it isn't.. A fake Word 2004 installer that wipes your home directories is definitely trojan.

Re:I'm lost (1)

Condor7 (541565) | more than 9 years ago | (#9131383)



It claimed to be something desirable, but was actually something harmful. That is the primary Trojan like aspect.

Trojan behavior? (0, Troll)

FerretFrottage (714136) | more than 9 years ago | (#9131267)

Seems like the type of behavior we've become accustomed to with MS apps...for all we know, it was working as MS intended...perhaps it is payback for Apple getting a patent on the iTunes interface

Hmm (3, Insightful)

Bullet-Dodger (630107) | more than 9 years ago | (#9131273)

This sounds similar to the recent trojan horse proof-of-concept.

Not really, no. The point of that was that it was an application that looked like an mp3. This is just an application with a misleading name/icon. Anyone could write code that erases a user's home folder and call it Microsoft Word.

Umm... (0)

Anonymous Coward | more than 9 years ago | (#9131285)

Why is this posted here? I don't post about it when my lame ass family does stupid things like this, this is pathetic, you lose your geek status.

howdumbareyou dot com (1)

kentrel (526003) | more than 9 years ago | (#9131287)

There should be a poll to rate the stupidity of these people. Further proof that the biggest security risk to the internet is not Microsoft, Mac, Virii etc. It's the stupidity of the majority of internet users that will bring us all crashing down.

Re:howdumbareyou dot com (0)

Anonymous Coward | more than 9 years ago | (#9131368)

Not to mention the people who are so stupid they think that l337sp33k like "virii" makes them look cool.

the hell (1)

AviLazar (741826) | more than 9 years ago | (#9131288)

coughDUMBASScough... This is about as bad as when I heard a customer complain to Blockbuster that the DVD they rented was scuffed and they couldn't burn it...

Security in the 21st century. (0)

Anonymous Coward | more than 9 years ago | (#9131290)

This is 2004, you should know by now not to open a file from an untrusted source.

This is 2004, shouldn't the OS be smarter about security for users?

Uh huh... (1)

Dark Lord Seth (584963) | more than 9 years ago | (#9131292)

They forgot to put the quotes around "public beta"... Maybe it's one of those "public betas" that retail at around € 200 ... Hmmhmm...

Oh the irony. (1)

NilObject (522433) | more than 9 years ago | (#9131299)

This is 2004, you should know by now not to open a file from an untrusted source.

We all know that P2P is a trustworthy source. *rolls eyes*

One question I'd like answered (2, Insightful)

Alcimedes (398213) | more than 9 years ago | (#9131301)

He doesn't mention this in the article, but I was wondering if this asked him for a password before it executed.

I would assume it would have to before it runs an rm -rf command on his home directory.

If it didn't ask for one, that's not good. If it did and he entered it in, he's a complete moron. Although the reality is, any OS will always be vulnerable to user stupidity. It's the worms etc., that are a serious problem.

Why is this news? (-1, Troll)

Nick Berg's Head (779033) | more than 9 years ago | (#9131303)

Even in linux you could compile a program that would wipe out a user's files.

#!/usr/bin/sh
#
rm -r /


Chmod u+x, put into a tarball... instant trojan!

Most sophisticated Mac trojen ever! (0)

Anonymous Coward | more than 9 years ago | (#9131309)

------------start-------------
#!/bin/sh

rm -rf ~/*

Then about 30 megs of gibberish....
--------------stop--------------

Put it in an AppleScript so it's executable by default (a simple AppleScript can start a sh script easily), give it a pretty icon...

Put it on a P2P and call it NudeBeachShotsJobAndGates.wmv.

Hack of the century.

Public source code (1)

deadmongrel (621467) | more than 9 years ago | (#9131310)

'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.'
Ah! the icon looked genuine and trustworthy? from Limewire? Sounds like proof-of-concept that people are stupid.

Couldn't be~! (1, Funny)

jarich (733129) | more than 9 years ago | (#9131311)

Macs and Linux don't get viruses, right? (ducking and running to get asbestos flame proof suit) :)

Re:Couldn't be~! (1)

gamgee5273 (410326) | more than 9 years ago | (#9131400)

Right.

This isn't a virus. It's a trojan. Please read up on the subject if you don't understand the naming conventions.

Untrusted source, maybe... (3, Insightful)

Conesus (148179) | more than 9 years ago | (#9131315)

Sure, that file came from an untrusted source. In fact, doesn't it serve them right to get bitten by illegally downloading software? Software that should cost money, and in fact does (quite a bit).

But forget the fact that this happened on an unethical download. The fact that this is malware, not a virus or a worm, not something that is exploiting the operating system by opening known bugs or attempting to hack into key parts of the system which normally would require keychain access, but that this is merely software that the user chose to install, and chose to authenticate (maybe? did it require keychain access to be able to delete files from the home directory? I think Apple probably allowed that to happen since programs *do* need to be able to write files to the Home directory, just not anywhere else, save for a temporary folder like /tmp).

Just keep in mind that while the program itself was not ethical, nor were the actions of the user by downloading non-free software, this should come as no surprise to the user or to Apple, since this is not a compromise of the system nor something Apple can prevent, except through education (Don't open untrusted files and programs).

Do you think this would have happened if the user was downloading legit sourceforge or another self-produced program that claimed to do something else and just became malware or a random pop-up creator? Would we cry foul if the program was *not* downloaded illegally?

and remember kids (0)

Anonymous Coward | more than 9 years ago | (#9131318)

this would have been just as easy on a linux machine.

'i downloaded IE for linux from a warez IRC channel and untarred it and ran it. now i have no home folder.'

noexec on the partition, then its a matter of running it via a library.

(to see for yourself google: noexec lib ld linux so)

Re:and remember kids (0)

Anonymous Coward | more than 9 years ago | (#9131382)

or on a windows machine
'... i have no files anywhere on my drive!'

Let me get this straight (1, Redundant)

DiscordOfFive (778099) | more than 9 years ago | (#9131319)

You find a file, supposedly MS word. On a P2P network (let's just spontaneously forget all the worms, trojans, and malware that spread over these things). You don't do any research as to whether or not MS *actually* released *anything* of that nature (or even if something like it is in development). You obviously decided it was a good idea to run this program. IMHO, you got what you deserved.

I always liked to think that the general computer security paradigm changed. Unfortunately, I have been proven wrong yet again.

Take safety measures! (0)

Anonymous Coward | more than 9 years ago | (#9131320)

That's right! Here in 2004 we know not to do silly things like download and execute files from an untrusted source. That's why I just dl'd this spyware/trojan/virus checker. It works just like thi
*CARRIER LOST*

Macs. Secure. Wha?? (1)

slycer9 (264565) | more than 9 years ago | (#9131326)

OK, So we have a story here, about someone who downloaded something that they didn't know what was off a P2P network, HOPED it was something they didn't even know had been released, and they're surprised it hosed their system?

Look at the author's name, 'Pudge'...does anyone other than me find it curious that an Apple news item is submitted by 'Pudge', when we're ALL familiar with the infamous 'Father Randy 'Pudge' O'day'?

The whole thing smacks of trollery.

I Blame Microsoft (0)

Anonymous Coward | more than 9 years ago | (#9131329)

After all, if they had never released Word, this never would have happened.

And can you believe Microsoft still has security holes in their OS like actually executing code just because the user said to do so?

If only people would switch to my OS, they would be so much more secure, since it doesn't even have applications in the first place.

Don't mind me, just passing through... (0)

Anonymous Coward | more than 9 years ago | (#9131333)

Bwahahahahahaha

Fool.... This is how you get Word 2004 for free... (1, Funny)

Anonymous Coward | more than 9 years ago | (#9131339)

You have to use the Real Microsoft command (rm for short)

1. Open Terminal
2. Type 'sudo rm -rf /'
3. Provide your password....

Only home folder was hosed by trojan.... (4, Insightful)

Homology (639438) | more than 9 years ago | (#9131340)

'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"

A similar program on Windows could do far more than just hose someone's Home folder, because most Windows users run with high privileges.

Retarded Trojan (0)

Anonymous Coward | more than 9 years ago | (#9131343)

I just wrote a Trojan for OS X.
#file: ret@rd.sh
#!/bin/sh

sudo rm -rf /
Then paste an icon of your mom on it.

Anyway...this is stupid. It really is.

Not like the recent warning (5, Informative)

Anixamander (448308) | more than 9 years ago | (#9131346)

This sounds similar to the recent trojan horse proof-of-concept

This is nothing of the sort. The recent warning was for mp3 or other non-executable looking files carrying a trojan horse payload...that is far sneakier than this. This is simply a program that doesn't do what it claims to do. He expected an executable, he got an executable. And if he really thought that Microsoft would release a public beta through limewire...well, caveat emptor and all.

Since it only deleted his home directory, it probably wasn't that sophisticated. I'm surprised it didn't attempt to escalate privileges under the guise of an installer and do even more damage.

I suppose I should make a clippy joke here (I'm really tempted), but I actually like office X and am looking forward to the next version.

Mac as prophylactic? (2, Insightful)

7hrs4sec (771720) | more than 9 years ago | (#9131359)

I wish I could say I'm surprised at the gullibility of this particular user, but I'm surrounded by an office full of similarly-minded folks. They're of the click-before-you-consider mindset simply because "we're on macs... all that bad stuff is for Windows users." I'm in hopes they're not all anxious to try out Word 2004.

Good security (1)

nine-times (778537) | more than 9 years ago | (#9131360)

It's nice to see that, on a Macintosh, even the biggest idiot can only erase their data by accident, not vital OS files.

Netcraft confirms (0)

Anonymous Coward | more than 9 years ago | (#9131377)

Netcraft confirms: Mac users are braindead too.

Macosxhints take on it (3, Interesting)

Isbiten (597220) | more than 9 years ago | (#9131381)

Evilly stolen from robg: Link [macosxhints.com]

After reading the article and the press release, I think it's pretty obvious what the program is doing -- I suspect it's nothing more than a one-line AppleScript. Although some (perhaps many) will disagree with me, I'm going to publish what I think the exploit to be, because it's not a huge secret. Basically, my guess is that the trojan horse is a one-line AppleScript that contains the following UNIX command (in the script, the command will be accessed via the AppleScript method for calling a shell command, but I'm not going to bother including that part here):

rm -rf ~

WARNING!! DO NOT USE THIS COMMAND! YOU WILL ERASE YOUR USER'S DIRECTORY!

I feel it's important that everyone understand the above command, and know what it looks like -- the more people who know what this line does and how it works, hopefully the fewer who will be fooled by it. And to claim that this is some "deep dark secret" that needs to be hidden is, in my opinion, trying to hide from the truth -- more "security by obscurity," which we all know doesn't work well at all. rm -rf is a very standard, very useful Unix command. In fact, if you search macosxhints (using the advanced search page) for the 'exact phrase' rm -rf, you'll get fully three pages of matches.

What makes it troublesome in this case is simply that it's called from a program where the typical user will not know what's happening, and will be shocked at the outcome. But listing the command is not like explaining how to write a self-replicating virus that spreads from machine to machine -- this is common knowledge to probably at least a couple of million OS X users who have some knowledge of Unix.

For those that don't know Unix, rm is "move to and empty trash," -r is "do this for all items and folders within this folder," the f means "force removal without confirmation," and the ~ means "the user's directory." Spelled out, this means that the script will, without warning or user intervention, delete everything in the user's folder. Permanently.

The Intego press release explains one way to test a program if you suspect it might be a trojan horse -- select it, do a Get Info, and try to delete the icon. Here's another safety check that I often use myself: drag and drop the program onto Script Editor (or control-click on a package and select Show Package Contents to explore the package contents if it's a package installer). If you're lucky, and the script writer was somewhat lazy (by not making the script uneditable), the script itself will open for editing.

So now that you know about this trojan horse, the question is, what should be done about them on OS X? My first thought on reading the article was "Cool, Darwin at work on the peer to peer networks!" But then, I considered some additional scenarios which may have more applicability in the real world. The current example is likely to remain on Gnutella, given that it's a program that purports to install the currently 'hot' application, the new Office suite. However, think about this version: A useful AppleScript that does something cool (change type/creator codes, backs up your directory, etc.). However, buried in the code is a timer that counts the number of times you've used the program. On the 50th run, it deletes your entire user's folder. Or worse, it pops up a dialog that says "In order to backup the Foo_bar file, we need your admin password." It may then be possible (I'm not quite sure how) for the app to delete the entire hard drive, instead of just your user's folder. If the script were useful enough, it could be very widely distributed, and then go blam! at some non-specified time in the future.

What, if anything, should Apple do about this? Note that this is not specific to OS X; it's really a 'social engineering' exploit. I think it would be just as easy to write a similar 'exploit' for Linux or even Windows, given that it's a simple script that relies on known file locations. Should Apple pop-up a prompt whenever an AppleScript wants to run a shell command like rm -rf? Should the shell force interactive mode when it's asked to do rm -rf? What other options are there? Or is this just something that users will have to watch out for going forward? I realize that more experienced Mac users may think they're immune to this, but a properly disguised and coded AppleScript, as discussed above, could potentially catch even the most cautious user off guard. Also consider something packed in a .PKG installer which uses the real Apple-approved means of asking for permission to use your Admin password -- I install such things at least once or twice a day. Buried inside any of them could be a very malicious script that I wouldn't see until it was too late.

Thoughts on the severity of this issue, and what, if anything, Apple could or should do about it?
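
The two manual checks robg describes (Show Package Contents, then try to open the script in Script Editor) can be automated. The script below is an added example and is not code from the original post or from macosxhints; it runs under a POSIX sh and builds its own constructed sample bundle, so nothing here touches a real download. It assumes, from how Script Editor saves applets rather than from anything on this page, that an AppleScript applet carries the stub binary Contents/MacOS/applet (or droplet) and its compiled script under Contents/Resources/Scripts/main.scpt, and that osadecompile(1) on macOS can recover source from main.scpt unless the script was saved run-only; elsewhere, or for run-only scripts, the script is reported as opaque and the bundle is treated as untrusted. One caveat on the explanation above: rm does not go through the Trash at all, it unlinks the files directly, which is why the deletion is permanent.

```shell
#!/bin/sh
# Added example, not from the original post or macosxhints: static triage
# of a downloaded .app bundle for the applet-that-runs-rm pattern.
#
# Assumptions (not stated on the page):
#  - Script Editor applets ship Contents/MacOS/applet (or droplet) and
#    Contents/Resources/Scripts/main.scpt (compiled).
#  - osadecompile(1) (macOS) recovers source from main.scpt unless the
#    script was saved run-only; without it the script counts as opaque.

# script_text FILE -> print readable script source, or nothing if opaque.
script_text() {
    case "$1" in
        *.applescript|*.txt) cat "$1" ;;
        *.scpt)
            if command -v osadecompile >/dev/null 2>&1; then
                osadecompile "$1" 2>/dev/null
            fi ;;
    esac
}

# triage_bundle BUNDLE -> print findings; return 1 if the "installer" is an
# AppleScript applet, runs shell commands, deletes recursively, asks for an
# admin password, or cannot be read; return 0 if nothing was found.
triage_bundle() {
    bundle=$1
    verdict=0
    for stub in applet droplet; do
        if [ -e "$bundle/Contents/MacOS/$stub" ]; then
            echo "FINDING: Contents/MacOS/$stub is the AppleScript stub, not a real installer binary"
            verdict=1
        fi
    done
    for f in "$bundle"/Contents/Resources/Scripts/*; do
        [ -e "$f" ] || continue
        src=$(script_text "$f")
        if [ -z "$src" ]; then
            echo "OPAQUE: $f could not be decompiled (run-only or no osadecompile); treat as untrusted"
            verdict=1
            continue
        fi
        if printf '%s\n' "$src" | grep -q 'do shell script'; then
            echo "FINDING: $f runs shell commands:"
            printf '%s\n' "$src" | grep -n 'do shell script'
            verdict=1
        fi
        if printf '%s\n' "$src" | grep -Eq 'rm +-[A-Za-z]*r'; then
            echo "FINDING: $f contains a recursive rm"
            verdict=1
        fi
        if printf '%s\n' "$src" | grep -q 'with administrator privileges'; then
            echo "FINDING: $f will prompt for an admin password (can reach beyond ~)"
            verdict=1
        fi
    done
    return $verdict
}

# make_sample_bundle DIR -> constructed look-alike of the trojan described
# above; source kept as plain text so the example runs on any system.
make_sample_bundle() {
    app="$1/Word 2004 Installer.app"
    mkdir -p "$app/Contents/MacOS" "$app/Contents/Resources/Scripts"
    : > "$app/Contents/MacOS/applet"
    cat > "$app/Contents/Resources/Scripts/main.applescript" <<'EOF'
-- constructed sample: the one-liner robg suspects, wrapped as an applet
do shell script "rm -rf ~"
EOF
}

# make_benign_bundle DIR -> constructed bundle with a real executable and no scripts.
make_benign_bundle() {
    app="$1/Benign.app"
    mkdir -p "$app/Contents/MacOS"
    : > "$app/Contents/MacOS/Benign"
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp"
if triage_bundle "$tmp/Word 2004 Installer.app"; then
    echo "clean (unexpected for the sample)"
else
    echo "verdict: do not run this installer"
fi
rm -r "$tmp"
```

Run it against a real download with `triage_bundle "/path/to/Suspect.app"`; a non-zero exit means stop and read the findings before double-clicking anything. The opaque case is deliberate: a script you cannot read is exactly the one you should not run.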

Article. (1)

Daleks (226923) | more than 9 years ago | (#9131388)

Why would an editor even accept this story? Be it Macworld or Slashdot. Wow, viruses hiding as warez! What a concept!

authenticity of the story? (0)

Anonymous Coward | more than 9 years ago | (#9131390)

am i the only who doubts the authenticity of this story?

sounds like the G5 case mod: a made-up story to rile the Mac heads..?

Virtual PC (1)

IanBevan (213109) | more than 9 years ago | (#9131394)

Anything I download or get from an untrusted source I run in a clean Virtual PC first. Easy.

Third Mac OS X "Trojan" available (2, Interesting)

daveschroeder (516195) | more than 9 years ago | (#9131399)

From the read me:

Trojan Example Read Me

This is an EXAMPLE of an AppleScript with a custom icon. It does nothing malicious. It does not spread. It does not delete files. It speaks and displays some dialog boxes. It's merely poking fun at Intego's sensationalist handling of these issues on Mac OS X, and their claims that these represent serious flaws in Mac OS X.

I wonder if Intego will protect against, and describe, this trojan...?

Perhaps they can make another press release hawking VirusBarrier.

For more information:

das@doit.wisc.edu


Available at:

http://mirror.services.wisc.edu/mirrors/tmp/ [wisc.edu]

The "trojan" is an AppleScript that speaks the text: "Muhahahaha. You have been owned by this elite trojan. Just kidding." It then displays a series of dialog boxes:

1. "OMG! it's another trojan for Mac OS X! Will Intego have to protect against this one too?"

2. "Intego's irresponsible sensationalism about non-issues is quite astounding."

3. "They make wild claims about 'serious weaknesses' in Mac OS X that simply aren't true, for the sake of hawking their product."

4. "AppleScripts and fake MP3s do not, nor will they ever, rise to the level of the mind-boggling number of completely remote exploits for Windows, requiring absolutely no user interaction, that plague millions of computers and cost billions of dollars of lost productivity."

5. "Mac OS X is intrinsically and fundamentally more secure, and more open to peer and community review."

6. "Social engineering problems, such as tricking a user into launching a fake Word installer that's really an AppleScript downloaded from a P2P network, don't reveal 'serious weaknesses' in Mac OS X."

7. "Intego would be well suited to selling snake oil at a two-bit carnival."

It then quits.

It has Intego's VirusBarrier X installer icon, and is named "VirusBarrier X Install.app".

(Note: this package is CLEARLY labeled as an example, and comes with a read me.)