
First Mac OS X Virus?

Zonk posted more than 8 years ago | from the is-nothing-sacred dept.


bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.


577 comments


Phew! (5, Funny)

Anonymous Coward | more than 8 years ago | (#14731950)

Glad I just 'switched' to windows ;-)

(fp?)

Re:Phew! Thanks! (2, Funny)

platypibri (762478) | more than 8 years ago | (#14732104)

That may be THE funniest slashdot post ever! I, for one, welcome our executable jpeg masters.

Re:Phew! (5, Funny)

Anonymous Coward | more than 8 years ago | (#14732121)

Should have waited. Dvorak is predicting that Apple will adopt Windows [pcmag.com] .

I wish I also got paid to be a crackhead.

Trojan Man? (4, Interesting)

green pizza (159161) | more than 8 years ago | (#14731957)

Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable? And does this script do any damage beyond the user's home directory? I.E., does it have some sort of a rootkit? Or does it simply prompt the user for the root/admin/sudo password?

Somebody better wake up Apple and fix this application-looks-like-a-pretty-JPEG icon bug!!

Re:Trojan Man? (5, Informative)

Epaminondas Pantulis (926394) | more than 8 years ago | (#14731990)

I guess they put the standard JPEG icon in the app's bundle...

Re:Trojan Man? (5, Informative)

fracai (796392) | more than 8 years ago | (#14731999)

There's this thing called reading the article... oh, right.

It's a "JPEG" because the author was clever enough to paste the icon of a JPEG onto the executable.
If the user is root, or possibly admin, the script writes files in /Library/InputManagers. If you aren't it does the same in the user Library.
No kit, just a prompt.

http://www.ambrosiasw.com/forums/index.php?showtopic=102379 [ambrosiasw.com] as linked from MacRumors has a really good writeup on what is going on.

Re:Trojan Man? (5, Insightful)

mstroeck (411799) | more than 8 years ago | (#14732000)

Uhm, how are you proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG-icon, 95% of users won't notice.

The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.

Re:Trojan Man? (4, Informative)

n3k5 (606163) | more than 8 years ago | (#14732010)

Sounds more like a trojan to me. But the question is, how in the world did they get it to show up as a JPEG image and still be executable?
It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

It doesn't really disguise as an image. It just uses the OS X standard icon for images as its own icon. However, it does not have a jpeg extension and if you select it in the finder, you will not get a preview thumbnail, thus you would know that opening in the Preview application (which you would do by double clicking) cannot work. Maybe, if you have set your Finder not to display extensions, or just didn't pay attention, you would try to open it in another image viewer, which would fail and not do any harm.

configured correctly? (1)

green pizza (159161) | more than 8 years ago | (#14732033)

It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

That should be pretty much any default or out-of-the-box configuration of Mac OS X, methinks. Even on Macs with only one user and no password the machine will generally put up a prompt before making certain changes. Probably even safer if you have a password and multiple user accounts.

Re:configured correctly? (0)

Anonymous Coward | more than 8 years ago | (#14732137)

Right. However, a persistent user could potentially activate the root account and log in as it regularly. I can't think of any other way to get around this, though (other than running it from Terminal and using sudo, which isn't much different).

Basically you just about have to be trying to do something stupid.

Re:Trojan Man? (2, Informative)

squidguy (846256) | more than 8 years ago | (#14732159)

It definitely is a trojan, and a harmless one at that. It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.

You raise valid points here. This is a single instance, but undoubtedly more will come and we need to view these developments agnostically.
Unfortunately, despite all best efforts to dissuade the novices, folks still tend to run as root or admin on their systems. A large percentage of Windows virii won't infect unless the user has admin privs, and unfortunately, M$ doesn't do a good enough job of dissuading this in their earlier platforms. Vista supposedly (I haven't hacked on it yet) does a better job of pushing least privilege and a *nix-like SU model (but since at least the 2000 platform, the RUN AS option existed) -- don't know how this'll work with the clueless crowd yet.
The advantage of *nix is that it at least (in most cases) makes the user think twice about running as root.
My point is - if we get novices (and some lazy experienced types) using OS X or RedHat or whatever, some will undoubtedly run as root, admin etc because they are too lazy or too clueless to run as least privileges. Ergo, the existence of OS X virii & trojans should not be taken lightly.

Re:Trojan Man? (1)

n3k5 (606163) | more than 8 years ago | (#14732229)

It seems that if you have configured your computer correctly, you would have to enter your admin password in order to allow it to do any harm.
Replying to myself here (and green pizza [slashdot.org] and squidguy) in order to clear up a mistake, I had misunderstood information from another source: Apparently you only have to enter your admin password if you are root (highly unlikely, so I don't know why some sources say 'most users' would have to enter it); otherwise it leaves your system files alone and only touches what it, running under your UID, has write access to. Which usually includes all apps you use. However it's still true that it doesn't do any significant harm. Infected apps stop working, but are easily identified and thus cleaned because of that 'oompa' xattr. Oh, and it only propagated via iChat, and even then only if you accept files that you haven't asked for. [slashdot.org]

And if I may lump in a reply to squidguy's post: Lazy, clueless users don't run as root on Mac OS X, since it's not default. Figuring out how to run as root is way more difficult (thus more work, which lazy users loathe and clueless ones won't figure out) than simply entering your password any time you need it. Surely, many people will just enter it every time without thinking about it much, or checking which privileges are required exactly, but when the dialog pops up even though you didn't ask for having anything about your system changed, and still give your authorization ... well, then it really is your fault, not the system's.

You are of course right when you say more malware will come, and we shouldn't take it too lightly, but as an OS X user, I'm not exactly losing my sleep over the issue either.
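The two artifacts named in this subthread (an Input Manager bundle dropped into /Library/InputManagers or ~/Library/InputManagers, and the 'oompa' extended attribute left on applications the code has touched) are the obvious things to sweep for. The script below is an added example written for this page; it is not code from the thread or from Andrew Welch's writeup. It only reports, never deletes. The directory paths and the attribute name are taken from the posts and treated as assumptions; the function that reads extended attributes is a parameter so the logic can run and be tested on a host that is not running Mac OS X.

```python
"""Report-only sweep for the artifacts described in the thread:
Input Manager bundles and the 'oompa' marker attribute on app executables.
Added example; the paths and attribute name are assumptions taken from the posts.
"""
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List

MARKER_XATTR = "oompa"  # attribute name quoted in the thread; an assumption
INPUT_MANAGER_DIRS = ["/Library/InputManagers", "~/Library/InputManagers"]


def default_xattr_lister(path: str) -> List[str]:
    """Extended attribute names for path, via os.listxattr where the OS has it."""
    lister = getattr(os, "listxattr", None)
    if lister is None:
        return []
    try:
        return list(lister(path))
    except OSError:
        return []


def list_input_manager_bundles(dirs: Iterable[str] = INPUT_MANAGER_DIRS) -> List[str]:
    """Every entry under the Input Manager directories. Anything here is loaded
    into every Cocoa application the user launches, so each entry deserves a look."""
    found: List[str] = []
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue
        found.extend(str(entry) for entry in sorted(base.iterdir()))
    return found


def app_main_executables(root: str) -> Iterable[str]:
    """Yield Contents/MacOS/* files of every .app bundle below root."""
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath.endswith(".app"):
            macos = os.path.join(dirpath, "Contents", "MacOS")
            if os.path.isdir(macos):
                for name in os.listdir(macos):
                    candidate = os.path.join(macos, name)
                    if os.path.isfile(candidate):
                        yield candidate
            dirnames[:] = []  # do not walk into the bundle any further


def find_marked_apps(root: str,
                     lister: Callable[[str], List[str]] = default_xattr_lister) -> List[str]:
    """Executables that carry the marker attribute."""
    return [p for p in app_main_executables(root) if MARKER_XATTR in lister(p)]


def triage(app_roots: Iterable[str] = ("/Applications", "~/Applications"),
           lister: Callable[[str], List[str]] = default_xattr_lister) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {"input_managers": list_input_manager_bundles(),
                                    "marked_apps": []}
    for root in app_roots:
        root = os.path.expanduser(root)
        if os.path.isdir(root):
            report["marked_apps"].extend(find_marked_apps(root, lister))
    return report


if __name__ == "__main__":
    # Constructed demo tree so the script shows output on any host.
    with tempfile.TemporaryDirectory() as d:
        hooked = os.path.join(d, "Hooked.app", "Contents", "MacOS")
        os.makedirs(hooked)
        open(os.path.join(hooked, "Hooked"), "wb").close()
        os.makedirs(os.path.join(d, "InputManagers", "apphook.bundle"))
        fake_lister = lambda p: [MARKER_XATTR] if p.endswith("Hooked") else []
        print("marked apps:", find_marked_apps(d, fake_lister))
        print("input managers:", list_input_manager_bundles([os.path.join(d, "InputManagers")]))
    print("this host:", triage())
```

The Input Manager check matters more than the attribute check: a bundle in either directory is injected into every Cocoa process the user starts, which is what gave the trojan its foothold without root.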

Re:Trojan Man? (1)

Billosaur (927319) | more than 8 years ago | (#14732025)

Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.

Sounds like Mac users will need better protection.

Re:Trojan Man? (0)

Anonymous Coward | more than 8 years ago | (#14732083)

How do you protect against "stupid user"??

Re:Trojan Man? (1, Funny)

green pizza (159161) | more than 8 years ago | (#14732131)

How do you protect against "stupid user"??
WebTV?
Etch-a-Sketch?

Re:Trojan Man? (1)

PFI_Optix (936301) | more than 8 years ago | (#14732198)

Microsoft has been struggling with this question for a long time ;)

It is a virus. (0, Troll)

tpgp (48001) | more than 8 years ago | (#14732130)

Sounds more like a trojan to me.

Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

I would say (from the description in tfa) that this piece of malware is more similar to a virus than a worm or a trojan.

Why?

1) It appears to self propagate (Trojans do not do this).
2) It appears to attach to other executables (worms are stand alone)

So we have a self-propagating piece of code that attaches itself to other executables. Quacks like a virus if you ask me.

first (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14731962)

on a first :)

It's not a virus... (5, Informative)

xwizbt (513040) | more than 8 years ago | (#14731965)

Note the following from http://www.ambrosiasw.com/forums/index.php?showtopic=102379 [ambrosiasw.com] :

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it ...and then for most users, you must also enter your Admin password.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

Re:It's not a virus... (3, Insightful)

slungsolow (722380) | more than 8 years ago | (#14732013)

If I have to type in my System Admin password to install it, then I don't consider it a threat. This seems like a rather lame attempt at a vulnerability. The folks who would be interested in screenshots of 10.5 are the kind of folks who know an archive of photos does not require an admin password.

Good point (1)

QuaintRealist (905302) | more than 8 years ago | (#14732064)

Looks like a Trojan, not a virus. And any OS (disclosure: I admin a mixed Linux/windows system at work and the wife has a Mac at home) is vulnerable to Trojan attack with varying degrees of user "assistance". Our internet capable machines at work are livecd only for this reason (Slax FWIW). Windows laptops use DSL embedded (at the moment).

Use protection, browse safely, and the net is a pretty safe place still...

Re:It's not a virus... (0)

pulse2600 (625694) | more than 8 years ago | (#14732080)

Um, this sounds very similar to a variety of Windows vulnerabilities...why aren't people jumping down Apple's throat about their insecurity as well? Or should OSX be held to a different standard than Windows?

Windows malicious graphic flaw comes out: OH NOES MICRO$OFT IS TEH EVIL SUKK0RS!!!!111!one

MAC OSX malicious graphic flaw comes out: "You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it."

BTW I am not trying to attack the parent, just using his words as an example of how many people perceive security issues based on what OS is affected. Based on the parent's analysis of the vulnerability I believe he would apply the same logic and risk assessment if this was a Windows flaw.

Re:It's not a virus... (1)

slungsolow (722380) | more than 8 years ago | (#14732141)

you missed the part about typing in an admin password. windows doesn't have that additional layer of security on it. You can unarchive and open it under any user account. It will infect the whole computer. with a mac, you can unarchive it and attempt to open it with any user account. but in the end, you can't actually open it without root access. any computer user should immediately suspect something when a jpg requires your system admin password (and I believe in this case it would require the sys admin username and password).

Re:It's not a virus... (1)

minus_273 (174041) | more than 8 years ago | (#14732166)

"MAC OSX malicious graphic flaw comes out: "You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.""

maybe because it is not a flaw. There have always been malicious programs for OSX; the rm -rf / script comes to mind. But like all of them, you have to manually download, decompress, run it and then type your admin password. That is not a flaw.

Re:It's not a virus... (0)

Anonymous Coward | more than 8 years ago | (#14732169)

Um, this sounds very similar to a variety of Windows vulnerabilities

Um, this sounds nothing like any Windows vulnerabilities at all, ever. This is a trojan, and can be done on any Operating System ever. It's like someone sending your Windows using ass an executable over AIM with the message "LOL this si teh gretats game EVAR!!!1!1" and you running it as a local Administrator. How the fuck would that be Microsofts problem?

Based on the parent's analysis of the vulnerability I believe he would apply the same logic and risk assessment if this was a Windows flaw.

Based on my analysis of your post, I believe you're a dumbass. I say that as a non-Mac user, by the way.

Re:It's not a virus... (5, Insightful)

pubjames (468013) | more than 8 years ago | (#14732170)

Can you explain to me where the security flaw in OSX is in this case?

There is no double standard here.

Well, I don't know (1)

IAAP (937607) | more than 8 years ago | (#14732126)

You cannot simply "catch" the virus.

I put my Mac on a toilet seat and I got this virus...Really!

Re:It's not a virus... (2, Interesting)

strider44 (650833) | more than 8 years ago | (#14732139)

Hmm reading the article and the forum threads it seems that the trojan wrecks the user account should it be run, so you don't have to enter the Admin password.

In other words MacOSX is giving *some* protection in that it can only attack the user that runs it, but that protection is shallow comfort. KDE has the best approach I think in this in that every executable, no matter what the extension etc, has the same executable icon. It also doesn't have automatic autoplay (possibly the worst "feature" of Windows). The icon of course in this case is what the trojan is exploiting.

I'm not sure about this though, but don't Macs like KDE instead of showing an icon for JPEGs show a preview of the picture instead of a standard icon?

Re:It's not a virus... (1)

hattig (47930) | more than 8 years ago | (#14732175)

You have to admit though that many Mac users would like to see Panther pictures, and this is a good way of propagating the trojan.

What can you do about it? User education is the only way.

Otherwise, mark downloaded files as 'downloaded', and when unzipping such files apply that to all files inside too. Upon first access to a 'downloaded' application you should ask the user if they want to run the application. For a real data file there's no issue, it'd open in Preview, etc. It would catch applications pretending to be datafiles though, and equally it wouldn't stop terminally retarded people running it. Hopefully other people would go 'hang on, this isn't an application...' and thus save their computer.
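The proposal above has three parts: flag the downloaded archive, let every file extracted from it inherit the flag, and confirm the first launch of a flagged executable while a flagged data file opens normally. The decisive detail is that "executable" must be decided from the file's content and mode bits, never from its icon or name, since the icon is exactly what this trojan forged. The model below is an added example written for this page, not code from the thread, from Apple, or from the trojan's analysis. The flag lives in a dict here where an OS would use an extended attribute, the flag name is hypothetical, and the archive is a constructed stand-in for latestpics.tgz whose "executable" is only a Mach-O magic number followed by padding.

```python
"""Model of a 'downloaded' flag that survives extraction and gates first launch.
Added example; DOWNLOADED is a hypothetical flag name and the archive is constructed.
"""
import io
import os
import stat
import tarfile
import tempfile
from typing import Dict, List

DOWNLOADED = "downloaded"  # hypothetical flag value, not an Apple API

# Mach-O magic numbers. 0xcafebabe also starts Java class files, so a production
# checker would additionally sanity-check the fat header's architecture count.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe",                        # fat / universal
}


def classify(head: bytes) -> str:
    """Content type from the leading bytes: 'jpeg', 'macho', 'script' or 'other'."""
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:2] == b"#!":
        return "script"
    return "other"


def build_demo_archive() -> bytes:
    """Constructed stand-in for latestpics.tgz: a fake Mach-O executable
    (magic plus zero padding, no real code) next to a fake JPEG."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data, mode in (
            ("latestpics", b"\xce\xfa\xed\xfe" + b"\x00" * 60, 0o755),
            ("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60, 0o644),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_with_flag(archive: bytes, dest: str, flags: Dict[str, str],
                      inherited: str) -> List[str]:
    """Unpack regular files only, flattening member names so a '../' entry
    cannot escape dest, and copy the archive's flag onto every file written."""
    written: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            out = os.path.join(dest, os.path.basename(member.name))
            with open(out, "wb") as fh:
                fh.write(tf.extractfile(member).read())
            os.chmod(out, member.mode & 0o777)
            flags[out] = inherited
            written.append(out)
    return written


def is_executable(path: str) -> bool:
    """Executable if the content says so or any execute bit is set; the icon is ignored."""
    with open(path, "rb") as fh:
        kind = classify(fh.read(8))
    mode = os.stat(path).st_mode
    return kind in ("macho", "script") or bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def decide_open(path: str, flags: Dict[str, str]) -> str:
    """'open' for data, 'confirm-launch' for a flagged executable,
    'launch' for an executable that did not arrive as a download."""
    if not is_executable(path):
        return "open"
    if flags.get(path) == DOWNLOADED:
        return "confirm-launch"
    return "launch"


if __name__ == "__main__":
    flags: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        for p in extract_with_flag(build_demo_archive(), d, flags, DOWNLOADED):
            print(os.path.basename(p), flags[p], decide_open(p, flags))
```

Run stand-alone it prints one line per extracted file: the fake executable gets `confirm-launch` and the fake JPEG gets `open`, regardless of what icon either would show in the Finder. The same content check is what lets file managers that pick icons by content, as mentioned for KDE and Gnome elsewhere in this thread, show a binary icon on a file that calls itself a picture.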

nitpick, panther=10.3 (1)

green pizza (159161) | more than 8 years ago | (#14732236)

You have to admit though that many Mac users would like to see Panther pictures, and this is a good way of propagating the trojan.
Panther was 10.3
Tiger is 10.4
Dunno what 10.5 is

Re:It's not a virus... (3, Insightful)

confused one (671304) | more than 8 years ago | (#14732237)

Yes... Unfortunately the Windows user world has shown that more than enough people will

1. download it

2. double-click and decompress it.

3. double-click and execute it.

Hardware (4, Funny)

levik (52444) | more than 8 years ago | (#14731966)

Well, of course there's a mac virus now - virus writers have been comfortably writing to the intel platform for years, and now with the processor switch, all the viruses will be very easy to port over :)

Re:Hardware (1)

creepynut (933825) | more than 8 years ago | (#14731992)

Yeah. Which is why viruses on Linux are so rampant in the wild.

Re:Hardware (2, Insightful)

iBod (534920) | more than 8 years ago | (#14732015)

I don't think the underlying CPU architecture is much of an issue.

Most malware exploits flaws in the operating system and applications - not the hardware architecture.

I have heard this FUD from various Mac-heads (pissed at the change from PPC) that they are suddenly going to be swimming in malware due to a chip change. It's nonsense.

Re:Hardware (1)

Fahrvergnuugen (700293) | more than 8 years ago | (#14732215)

This trojan is compiled as a PPC binary too.

Re:Hardware (1)

JFlex (763276) | more than 8 years ago | (#14732076)

A combination of many things, including and not limited to Windows' insecurity and poor programming are reasons why there are more viruses and malware for Windows.. not because of the processor architecture.

Re:Hardware (1)

InfraredAD (904482) | more than 8 years ago | (#14732262)

Hey genius, if you had a clue you'd see that the code is written for PowerPC. Good try though, why don't you go back to watching Teletubbies or something...

Trojan? (5, Insightful)

Sidde (758228) | more than 8 years ago | (#14731976)

How can it be a virus if it is a Trojan?
You have to execute it yourself, and that is why it is _not_ a virus.

Re:Trojan? (-1, Flamebait)

tpgp (48001) | more than 8 years ago | (#14732101)

You have to execute it yourself, and that is why it is _not_ a virus.

Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

I would say (from the description in tfa) that this piece of malware is more similar to a virus than a worm or a trojan.

Why?

1) It appears to self propagate (Trojans do not do this).
2) It appears to attach to other executables (worms are stand alone)

So we have a self-propagating piece of code that attaches itself to other executables. Quacks like a virus if you ask me.

Re:Trojan? (1)

the_humeister (922869) | more than 8 years ago | (#14732119)

Once the media gets a hold of a blanket term, we're stuck with it. Yes, it's technically a trojan. But nowadays malware that's not adware gets lumped into the virus category. Take a look at the term "hacker." "Cracker" would be the preferred term for a bad hacker, but the media still uses "hacker."

Re:Trojan? (0)

Sidde (758228) | more than 8 years ago | (#14732176)

But slashdot is not the daily inquirer.

Re:Trojan? (2, Informative)

Emetophobe (878584) | more than 8 years ago | (#14732156)

Also, it's masking itself as something that it is not, which would make it a trojan.

You want security... (0, Funny)

Anonymous Coward | more than 8 years ago | (#14731980)

Use windows vista. I heard it has zero viruses.

Re:You want security... (1)

Vo0k (760020) | more than 8 years ago | (#14732116)

But it DOES have 0 viruses.
yet.

Had to happen really (2, Insightful)

iBod (534920) | more than 8 years ago | (#14731982)

But, I don't think OS X users have too much to worry about yet.

Might be good in a way - to shake some people out of the complacent "OS X is invulnerable" mindset.

Re:Had to happen really (1)

Sandor at the Zoo (98013) | more than 8 years ago | (#14732171)

The fact that this is news (actual Mac OS X malware!) is amazing.

What it tells us, I'm not sure. Depending on your viewpoint it's either Wow, Mac OS X is so secure that it took till now to have a virus! or Yeah yeah, Mac market share is so low that it took till now to have a virus.

:-) for the humor-impaired.

Re:Had to happen really (1)

WhiteWolf666 (145211) | more than 8 years ago | (#14732249)

No operating system is invulnerable versus administrator stupidity; and that's what anyone holding the admin password is.

User error can, and will, tank an operating system. The trick in OS design is making it difficult and obvious that they are about to do so.

It's The Final Countdown (-1, Offtopic)

wpanderson (67273) | more than 8 years ago | (#14731985)

"Bon Jour", is that like Bon Jovi?

Re:It's The Final Countdown (0)

Anonymous Coward | more than 8 years ago | (#14732038)

The Final Countdown was by Europe [wikipedia.org] , not Bon Jovi.

Re:It's The Final Countdown (0)

Anonymous Coward | more than 8 years ago | (#14732044)

"Bon Jour" is french for "Hello" or "Good Morning" or something like that.

Re:It's The Final Countdown (1)

post.scriptum (953120) | more than 8 years ago | (#14732049)

More like a typo of "Bonjour"... French "virus", this is sad.

Eh? (3, Funny)

TimeTrav (460837) | more than 8 years ago | (#14731991)

Wouldn't shock me if it was written by a software company whose name rhymes with 'pedantic'.

Reminds me of old Applescript "hacks" (5, Interesting)

Anonymous Coward | more than 8 years ago | (#14732002)

Back in high school we used to make little mean scripts in Applescript. Since there was no concept of security or multiple users in Mac OS 7 and 8, the script could do all sorts of nasty damage. All you had to do was compile/"save as" a standalone executable application from the Applescript Editor and paste an innocent icon on it. We liked to use the ClarisWorks icon to be extra mean.

Another variant was useful on computers that were protected with OnGuard or AtEase. Simply make a script that would pop up a dialog box asking for the password. An unknowing teacher would enter the password and the script would exit... leaving behind a log file with the password in it for later use.

Nothing magical about these. Very basic trojan horses.

Re:Reminds me of old Applescript "hacks" (2, Funny)

tinkerghost (944862) | more than 8 years ago | (#14732056)

Ahh the days of pasting hard drive icons on a shutdown link .... I remember them well :)

Consider the source... (4, Insightful)

k3vmo (620362) | more than 8 years ago | (#14732004)

Come on. MacOSRumors.com on a forum post. Let's not lose our heads and start spreading FUD because of something someone's brother's first cousin's next-door neighbor read in a forum post. If you're smart enough not to accept random files and put your admin password in for anything that pops up - this won't be much of an issue.

Hehehe (0, Flamebait)

Ravenscall (12240) | more than 8 years ago | (#14732019)

First, they dump the Power PC chip right before it is announced that they will be able to push it to 6 Ghz, then, they start getting viruses.

Where is your God now Mac users?

(Liked Macs when they still pushed performance over style)

Re:Hehehe (1)

jtalerico (950602) | more than 8 years ago | (#14732072)

First, they dump the Power PC chip right before it is announced that they will be able to push it to 6 Ghz, then, they start getting viruses.

I agree with you on that, but RIGHT now the 6ghz is a Server chip.

It is not a virus, it is just a simple script. An idiot searching on google can figure out how to write a bash script.

Where is your God now Mac users?

There is a Mac God?
(Liked Macs when they still pushed performance over style)

Re:Hehehe (2, Funny)

Meostro (788797) | more than 8 years ago | (#14732221)

There is a Mac God?
They've got one coming out in six months, it's called the iGod.

Re:Hehehe (0, Offtopic)

iBod (534920) | more than 8 years ago | (#14732252)

Is that a bit like Your Own Personal Jesus?

Re:Hehehe (4, Funny)

Jarlsberg (643324) | more than 8 years ago | (#14732258)

There is a Mac God?

They've got one coming out in six months, it's called the iGod.

Nah, that's just the title of Steve Jobs' upcoming self-biography.

Re:Hehehe (1)

iBod (534920) | more than 8 years ago | (#14732077)

"Liked Macs when they still pushed performance over style"

When was that?

Apple have always put a premium on style and their performance per buck was always behind the curve - ever since the original 68000 Macintosh. You had one because it was cool, not for blistering performance.

Re:Hehehe (1)

green pizza (159161) | more than 8 years ago | (#14732155)

"Liked Macs when they still pushed performance over style"

When was that?


Macintosh IIfx
Macintosh Quadra 900 and 950
Daystar quad PowerPC 604e Mac clone

Ugly and fast. Like a good muscle car.

Re:Hehehe (1)

iBod (534920) | more than 8 years ago | (#14732228)

Yeah, I see what you're saying GP but those were somewhat atypical Macs.

Even so, with the exception of the Daystar clone, they were still reasonably stylish compared to the Wintel beige boxes.

Re:Hehehe (1)

Ravenscall (12240) | more than 8 years ago | (#14732273)

Not true, in the early G3/G4 days, the PPC chip could knock the pants off of anything in the PC world for raw performance. That started slipping just before the G5 was introduced. Granted, they had been on the style kick ever since Jobs had returned, but there was more reason to get a Mac than just "shiny".

Now, that is the only reason to buy a Mac. It is computing for the style conscious and kids with ADHD. You will get a better machine rolling your own hardware and installing *nix.

Hmmm, First Virus to ask for your password? (2, Insightful)

jtalerico (950602) | more than 8 years ago | (#14732028)

Before this "Virus" Can do anything on macOS X it should ask for the users password. So if the user is dumb enough to put in his/her password to OPEN a JPEG!! Then his/her password should be posted on /. with the ip of their computer.

Re:Hmmm, First Virus to ask for your password? (2, Insightful)

Vo0k (760020) | more than 8 years ago | (#14732084)

The virus can still delete your personal files without root password, it can access your IM contact list and send itself to all people on the list. You still have fully functional OS but all your work you didn't backup is gone. Fun?
Or just install a keylogger and sit in the background waiting till you enter your root password through normal use.

Such a virus would be pretty hard on Linux, because icons are assigned to files by content, not by extension. It would have .jpg extension but the icon would be one of a binary. And of course variety of instant messaging software would make it way harder to spread. (still possible though, and despite what some would like to think, there ARE enough dumb Linux users to click on a file with .jpg extension even if it doesn't look like jpg)

Re:Hmmm, First Virus to ask for your password? (1)

jtalerico (950602) | more than 8 years ago | (#14732164)

To do what this file does, it will prompt the user for the password.

Re:Hmmm, First Virus to ask for your password? (1)

WhiteWolf666 (145211) | more than 8 years ago | (#14732209)

OS X did not assign an icon to the file. It's not even labeled as .jpeg

It's a .tgz, and it contains one executable (not labeled .jpg). Instead, the resource fork specifies an icon that looks remarkably similar to the one the operating system uses for JPEG.

10.5 Screenshots?! (5, Funny)

fightzombies (876201) | more than 8 years ago | (#14732029)

Where? I want to see!

This would work on Linux (0)

Anonymous Coward | more than 8 years ago | (#14732030)

I followed the link and found that the file in question was a '.tgz'. So, if someone is dumb enough to download such a file and untar it ... maybe they'll even su into root when it asks them to.

It would be trivial to write such a program for Linux. It would work as long as there was a naive user.

Re:This would work on Linux (1)

PeterSomnium (954672) | more than 8 years ago | (#14732113)

But that's the problem.. Even linux-users can be pretty naive. Anyway, this 'virus' isn't really going to pose any threats to the computing world , or is someone going to disagree with me there?

Re:This would work on Linux (0)

Anonymous Coward | more than 8 years ago | (#14732163)

No. Firstly, most (if not all) Linux DEs determine the file's icon from the content of the file itself - there is no universal way of bundling an icon with a program so that it shows up as the correct JPEG icon for the user's DE (Gnome/KDE or any theme thereof).

Secondly, each distro handles root access differently. Ubuntu, for instance, doesn't set a root password by default as all user-admin tasks are performed through sudo. This is different than, say, Debian, where by default you have to su accounts to root. Then, to actually fool the user into entering their password you'd have to know which prompt to throw them. For Ubuntu, it's gksudo, for Kubuntu it'll be the KDE equivalent and so on and so forth for every distro out there.

So even if you write a 'virus' like this that even behaves properly on one flavour of Linux, it'd look totally out of place on all the rest.

Previous slashdot coverage (-1, Redundant)

Anakron (899671) | more than 8 years ago | (#14732041)

Probably pertinent:
Bill Thompson of the BBC claims that Mac users take their security for granted [slashdot.org]

Re:Previous slashdot coverage (1)

kneeslasher (878676) | more than 8 years ago | (#14732063)

This is true. I've been much more complacent since I switched. While I'd never type in my Admin password due to a JPEG, I am sure the complacency of which you write might well mean that many users would, especially as the Mac population grows and statistically includes more silly users.

Misread the preview (1)

steveo777 (183629) | more than 8 years ago | (#14732046)

Thought it said the virus spread via "Bon Jovi." I always thought there had to be a reason to come out of retirement... other than the whole singing thing.

Further (3, Informative)

ktappe (747125) | more than 8 years ago | (#14732047)

In all the latest releases of OS X, the user will also receive the prompt "You are running for the first time. Are you sure you want to continue?" so that's *four* levels of security the user would have to specifically circumvent to be affected. At some point the responsibility has to reasonably be shifted from Apple to the user... -Kurt

Re:Further (1)

Gryle (933382) | more than 8 years ago | (#14732190)

Haven't you heard? Personal responsibility died a long time ago, my friend.

Oompa-Loompa Trojan (1)

coastin (780654) | more than 8 years ago | (#14732050)

Looks like a lot of work to just get this thing. Not at all a lazy person's trojan.

Virus Acid Test (1)

green pizza (159161) | more than 8 years ago | (#14732052)

So, to me the question remains... is there a way to get this (or any other) Mac OS X virus by just connecting a Mac to the Internet and/or surfing websites? Or do these exploits still require the user to manually execute a trojan? I guess I'm curious how automated these Mac OS X "viruses" are.

Re:Virus Acid Test (1)

Yahweh Doesn't Exist (906833) | more than 8 years ago | (#14732108)

you must receive an email with the attachment, unzip the attachment, open a file with an icon made to look like an image, type in the admin password, not think why looking at an image needs admin privileges, and press ok.

Re:Virus Acid Test (1)

coastin (780654) | more than 8 years ago | (#14732115)

Unfortunately no, Mac users have to work harder than Win users to get free software over the Internet.

Re:grow up (1)

Lord Bitman (95493) | more than 8 years ago | (#14732117)

Virus != Worm

Re:Virus Acid Test (1)

WhiteWolf666 (145211) | more than 8 years ago | (#14732189)

There's no exploit.

It's a compressed file. You have to uncompress it.

Then, you have to double click on the icon. The sneaky part is the executable uses the JPEG icon.

Then, you have to enter your password.

I invented a similar trojan before. It requires slightly more user intervention. I'll quote you it here:

"Please type the following at the terminal for increased disk space:
sudo rm -r -f /
Please type your password when prompted, and make sure to send this performance tip to all your friends."

This 'trojan' is only slightly more sophisticated.

I Like The Trojan Horse That Was Used (4, Funny)

RobotRunAmok (595286) | more than 8 years ago | (#14732066)

The first Mac virus hidden cleverly inside a picture of desktop eyecandy. No doubt it will spread like wildfire. Insidious.

What wrapper will the first Linux widespread virus take? "Hey, download this PDF -- it's a transcript of a big IRC shouting match about which is better, emacs or vi! You gotta read this!"

We won't know what hit us...

Re:I Like The Trojan Horse That Was Used (1)

daveschroeder (516195) | more than 8 years ago | (#14732161)

Um, no.

There's no desktop eye candy, and this is hardly clever.

That's *social engineering*. Any Mac document or executable has been able to have the outward appearance of having any icon for 22 years. So that's not new.

This won't spread. It will be yet another social engineering/trojan/malware/"virus" novelty with little to no impact beyond the mock panic sure to ensue in the press.

All it's going to take is one major outlet to pick it up, and we'll have another "Mac OS X Just As Insecure As Windows" free-for-all.

See Steve Jobs and Steve Wozniak in Full Brokeback (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14732112)

See Steve Jobs and Steve Wozniak in full Brokeback.mov action. [goat.cx]

I only wish I had a click counter to show how many "infect" themselves. Today may not be the dawn of the OS X virus but, it is coming. The Linux virus is coming too!

Need a Universal Binary (4, Funny)

WhiteWolf666 (145211) | more than 8 years ago | (#14732123)

Anyone know when the Universal Binary will be available? Plus, we need a "no password" crack.

When will Mac viruses get to the level of Windows? For God's sake, this one still requires user intervention, and it doesn't even work on all OS X platforms!

Come on Apple! Microsoft has you soundly beaten in this regard :(

Re:Need a Universal Binary (2, Funny)

Gryle (933382) | more than 8 years ago | (#14732232)

Oh I see how it is. Leave out the open source software. I demand equality for all operating systems! Linux and BSD users should enjoy the same threat level as Windows or Mac!

And So It Begins... (1)

eno2001 (527078) | more than 8 years ago | (#14732178)

Grrreat... A Unix virus written by someone who probably knows more about Unix than most of the Slashdot crowd has forgotten, and it's targeted at the average non-technical Mac user who thinks that you are supposed to turn a computer off by pressing the power button. ;P (It's a joke folks. Lighten up.)

Input Manager as an infection vector (2, Insightful)

mrob2002 (564229) | more than 8 years ago | (#14732183)

John Gruber on daringfireball.net wrote at length recently about problems with OS X, mainly relating to how the Smart Crash library adds itself to applications through the Input Manager system hook. His current article "Smart Crash Reports Addenda" talks at length about the security implications of the input manager.

There is some good news in all this (3, Funny)

Anonymous Coward | more than 8 years ago | (#14732210)

It means at least one person at Microsoft still knows how to code.

Won't someone please think of the children!?!?! (-1, Offtopic)

elrous0 (869638) | more than 8 years ago | (#14732240)

Oh, I'm sorry, what was the topic again?

-Eric

The vulnerability isn't always plugged in (4, Insightful)

Overzeetop (214511) | more than 8 years ago | (#14732242)

Everybody seems so certain that this is a non-starter on OSX because it requires some user intervention to propagate. I have bad news for you: there are clueless Mac users out there, too. These are probably the same folks who will click on a web popup to "see the latest Hollywood gaffe" and then "accept" the untrusted executable when Windows warns about the download to be executed. And they're the same ones who will dutifully click their bank URL in an email and log in to make sure their information is correct.

Never underestimate the power of the incompetence of 20% of your userbase.

First of many (1)

aka_big_wurm (757512) | more than 8 years ago | (#14732244)

As the Mac user base goes up so will malware. It doesn't help that people will be running cracked versions of OS X on Windows boxes.

You can't make a .app look like a .jpg in OS X (2, Insightful)

sjonke (457707) | more than 8 years ago | (#14732246)

I tried to create an application that had a name of test.jpg.app and was pleased to find that, at least in Mac OS X 10.4.5, when you try to do this, the Finder displays the entire name, including the entire extension ".jpg.app", even though normally the ".app" portion is hidden. Take out the ".jpg" and the ".app" goes missing again. The "hide extension" option in the get info window is disabled when you have a name like ".jpg.app". So, it isn't quite so easy to disguise an application as a jpeg in Mac OS X. Of course not everyone is going to know what the .app means and so it being visible won't help them. Then again, if that's the case, they probably don't know what the .jpg means either!

I also tried doing this with a .term file, which was set to hide the extension. When I made the name test.jpg.term, the full name was displayed including ".term", and the "hide extension" option was disabled.

Re:You can't make a .app look like a .jpg in OS X (0)

Anonymous Coward | more than 8 years ago | (#14732261)

Plain executables without .app bundles need no extension at all. Underneath all the Mac pretties, it's still Unix.
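The two posts above make a pair of points a defender can check mechanically: a double extension like `test.jpg.app` is visible in the name, but a bare Mach-O binary needs no extension at all, so only the file header and execute bit give it away. The scanner below is an added example, not code from the thread or from Apple; it flags entries in a folder that claim an image extension but carry an executable header, the execute bit, or a trailing second extension. The sample files it scans are constructed in a temporary directory.

```python
# Added example (not from the thread): flag files that claim to be images but look executable.
import os
import stat
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of executable formats; a genuine JPEG starts with FF D8 FF instead.
EXEC_MAGIC = {
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit",
    b"\xca\xfe\xba\xbe": "mach-o universal",
    b"#!": "script",
}

def inspect(path):
    """Return findings for one entry; an empty list means nothing suspicious."""
    findings = []
    exts = ["." + p for p in os.path.basename(path).lower().split(".")[1:]]
    if not (set(exts) & IMAGE_EXTS):
        return findings                      # not claiming to be an image at all
    if len(exts) >= 2 and exts[-2] in IMAGE_EXTS:
        findings.append("double-extension")  # e.g. test.jpg.app or test.jpg.term
    if os.path.isdir(path):
        return findings                      # .app bundles are directories, no header
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            findings.append("exec-magic:" + kind)
    if os.stat(path).st_mode & stat.S_IXUSR:
        findings.append("exec-bit")          # an image should never be executable
    return findings

def scan(directory):
    """Map each flagged entry name in directory to its findings."""
    found = {n: inspect(os.path.join(directory, n)) for n in sorted(os.listdir(directory))}
    return {n: f for n, f in found.items() if f}

def build_sample(directory):
    """Constructed inputs: a real JPEG, a Mach-O binary named as a JPEG, a bundle."""
    fake = os.path.join(directory, "leopard_shot.jpg")
    with open(os.path.join(directory, "real.jpg"), "wb") as real, open(fake, "wb") as f:
        real.write(b"\xff\xd8\xff\xe0" + bytes(16))   # genuine JPEG header
        f.write(b"\xcf\xfa\xed\xfe" + bytes(16))      # Mach-O 64-bit header
    os.chmod(fake, 0o755)                             # execute bit set by the packager
    os.mkdir(os.path.join(directory, "shot.jpg.app")) # bundle with a double extension
    return directory

def demo():
    with tempfile.TemporaryDirectory() as d:
        return scan(build_sample(d))          # {'leopard_shot.jpg': [...], 'shot.jpg.app': [...]}
```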

I call Dupe (-1)

Anonymous Coward | more than 8 years ago | (#14732260)

This is rehashing an old method:
http://apple.slashdot.org/article.pl?sid=04/04/08/1922237 [slashdot.org]

Apple refuses to call this a vulnerability, even though this sort of app disguised as a document can do a lot of damage to files writable by the user without prompting for a password.

my own new most vicious trojan script (0)

Anonymous Coward | more than 8 years ago | (#14732272)

(script of Trojan)

Hey User, Read and Do The Following:
open new finder window -> select all -> move to trash -> select "empty trash" -> click OK

If it's anywhere, it will be through Bonjour (1)

simong (32944) | more than 8 years ago | (#14732293)

Bonjour is a good implementation of zeroconf and will be one of the ways forward for making networking transparent in the future. However, at this stage in its development it still seems to me to be insecure and experimental in its wide area applications, perhaps more in its undiscovered potential than its current abilities. I suspect that to make it secure it's going to need a whole new level of content based security. I hope someone at Apple takes this as a warning. Oh sorry, what am I saying?