
Demo Virus For Mac OS X Released

Zonk posted more than 7 years ago | from the i-don't-think-i'll-download-that-demo dept.


Juha-Matti Laurio writes "Heise Security has a report about a new proof-of-concept virus for Mac, named OSX.Macarena by AV vendor Symantec. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating the system restoration (Windows ME/XP). It is known that the virus infects other data in the folder in which it is started, regardless of extension, says Heise."


This is on the front page of slashdot why? (5, Insightful)

daveschroeder (516195) | more than 7 years ago | (#16706053)

So, this is a "virus" that is nothing more than something that programmatically attaches/appends itself to other files that are in the same directory as itself when executed (which is easy to do and doesn't rely on any deficiency in the system), isn't in the wild and therefore doesn't have any real impact on users, is a proof-of-concept, and still has no vector or mechanism for propagation, much less mass-propagation?

Wow. Um. Raise the alarm. One if by land, two if by sea, and all that.

Oh, and here's my new piece of nasty Mac OS X malware:

Place this in a text file and name it ElectricSlide.command:

rm -rf ~/*

Double click it. Voilà. A piece of malware that can't actually spread that deletes the contents of your home directory with no warning!

Maybe we can see a Symantec warning about OSX.ElectricSlide!

I realize Symantec or any AV vendor has to catalog known malware, but come on: the coverage this is getting is ridiculous, and now the front page of slashdot?

Mac OS X certainly has vulnerabilities. The people saying it doesn't are morons. But the problem is that any vulnerability discovered in any Apple product gets amplified in the press massively disproportionately. For example, the iPod Windows virus issue:

By all accounts, there was likely a Windows PC used for QA at a non-Apple contractor that was infected with a virus that was infecting iPods with the virus when they were plugged in to that machine. (If anything, this is a problem in the QA process at Apple's manufacturing contractors, not ANY indication that "Macs" or Apple are any more susceptible to viruses or attacks, in any way, shape, or form - I'm surprised at the level of shoddy journalism on this. This is a Windows worm copying itself to a locally attached Windows disk (that happens to be an iPod), nothing more. Yes, it's really bad for any manufacturer to ship something with a virus on it, but this doesn't indicate the susceptibility of Apple or Macs in general. If anything, it indicates the iPod is effective as a USB-attached disk. Which it is. Again, no excuse for the processes to let something like this happen, but still.)

Then, the coverage of this goes on to rehash the (incorrect) assumption that someday there will be a huge worm outbreak on Macs, an assertion that is completely unrelated to iPods being infected with a Windows (or even Mac) virus.

I'm not going to rehash why it's literally impossible for the type of devastating mass-propagating worms that we've seen on Windows happen on Macs; marketshare/presence alone is enough to make that argument, but marketshare is only one of many factors.

I predict that we'll continue seeing these sky-is-falling and "WAKEUP CALL FOR APPLE" articles month after month and year after year, with nothing actually happening of any consequence to the installed Mac OS X base. Will there be new viruses, worms, malware, and proofs of concept of malicious items for Mac OS X? Yep. Absolutely. Just as there have been. Will there be something that can mass-propagate to the point where it costs the tens/hundreds of billions of dollars and hundreds of thousands of manhours in recovery and lost productivity like we do on Windows? Nope. The architectural, use, marketshare, and security differences on the Apple platform versus Windows ensures that.

The coverage of this will likely be further classic examples of press jumping on any negative or security-related story that has to do with Apple.

Maybe this will even be the sixth or seventh, by my count, "FIRST MAC OS X VIRUS" story that can be trumpeted around on CNN, AP, and Reuters! One can only hope!

Also, before anyone says "There's also a Bluetooth 0day [sans.org] for OS X," that would actually be the same, months-old, single Bluetooth issue that has already been reported on months ago, and that was patched in all versions of Mac OS X for a year even at the time that the worm, itself a proof of concept, was released. The issue has been patched since June of 2005, and no shipping system, or any system that had been patched once sometime in the prior year was even vulnerable.

So, if that's a 0day, I guess we're getting kind of lax on what we call 0days.

And finally, the new AirPort vulnerability [blogspot.com] announced a couple of days ago requires the card be in promiscuous scanning mode to even be exploited from a practical standpoint. (Also, for the actual background on what happened with the previous Black Hat wireless issue, see here [blogspot.com] .)

Mac OS X has and will continue to have vulnerabilities, like all platforms and environments. As its popularity grows, sure, more people will try to target it. But it will never rise to the level of the amount of problems Windows has had, for architectural and other reasons. Period. Trojans will still be trojans and users will still be able to be tricked into doing Bad Things. But we won't see things like Nimda, Code Red, and so on - mass propagating malware that cost billions of dollars and hundreds of thousands of manhours in lost productivity and recovery - on the Apple platform, for a variety of reasons. And as long as Apple continues to be as responsive to security issues as one can expect any commercial company to be, and continues to strike a reasonable balance between the open source components and the proprietary components while keeping things secure, Mac OS X will continue to be the reasonably secure and stable platform that it is.

Re:This is on the front page of slashdot why? (0)

Anonymous Coward | more than 7 years ago | (#16706119)

When are you nitwits going to get it through your head that virii and worms do not require elevation of privilege to spread or do damage?

Learn to read (3, Insightful)

daveschroeder (516195) | more than 7 years ago | (#16706275)

What I said has nothing to do with whether something needs privilege escalation or not. At all.

In fact, my own little "rm -rf ~/*" joke doesn't require any privilege escalation at all and can delete the contents of your home directory with no further warning. Something as simple as that can be bundled up with Platypus by anyone who can click a mouse as a little trojan that looks like any other Mac OS X application.

Think that's "stupid"? It's just as stupid as this "virus" proof-of-concept that does nothing more than show that it can be appended to a file. It doesn't spread, and has no vector for propagation. Before you say "well, all someone has to do is find a vector!"

Um, yeah. That's the hard part, "nitwit".

Re:Learn to read (4, Funny)

geoffspear (692508) | more than 7 years ago | (#16706485)

Well, if you're foolish enough to give yourself privileges to your home directory, you deserve what you get. This is exactly why every file on my system is readable only by root.

Yeah sure (1)

snuf23 (182335) | more than 7 years ago | (#16707167)

Readable by root eh? As IF you can trust that guy!

You trust root? (1)

digitalcowboy (142658) | more than 7 years ago | (#16707511)

Well, if you're foolish enough to give yourself privileges to your home directory, you deserve what you get. This is exactly why every file on my system is readable only by root.

Please tell me your files aren't writable by root, too. Talk about a security hole. All that's needed for malicious code to screw up your system is root access! I don't know about Linux or other insecure operating systems, but OS X can be properly secured [macosxhints.com] with a simple: "sudo schg -R /"

I can't imagine why anyone would ever need to modify files outside of single-user mode anyway.

Re:Learn to read (1)

Sqwubbsy (723014) | more than 7 years ago | (#16707797)

It's why I come to /. - for tips like these.
Man, I wish I had thought of this sooner...

Re:This is on the front page of slashdot why? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16706281)

When are you nitwits going to get it through your head that virii and worms do not require elevation of privilege to spread or do damage?

When you nitwits grow some balls and try to prove us wrong. Oh wait, you can't...

Re:This is on the front page of slashdot why? (1)

sqlrob (173498) | more than 7 years ago | (#16706337)

You mean damage like what he quotes right in his sample?

Re:This is on the front page of slashdot why? (1)

metamatic (202216) | more than 7 years ago | (#16707309)

When are you nitwits going to get it through your head that virii and worms do not require elevation of privilege to spread or do damage?

When are you nitwits going to get it through your head that there's no such word as "virii" [linuxmafia.com] ?

Re:This is on the front page of slashdot why? (0)

Anonymous Coward | more than 7 years ago | (#16706285)

Jesus, I hope you got paid for the waste of your life that was that post.

Ah Slashdot, I remember back when this was a Linux and Free Software fanboy site... obviously Apple Dweebs and Nintendorks are even more readily inflamed into spewing page count increasing disjointed rants like the one above.

Re:This is on the front page of slashdot why? (2, Informative)

daveschroeder (516195) | more than 7 years ago | (#16706341)

1. Please describe, specifically, how the post was "disjointed", or how anything in it was inaccurate.

2. "Page count increasing"? Huh? Nothing in that post links to any site that has anything to do with me.

Re:This is on the front page of slashdot why? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16706633)

Please describe, specifically, how the post was "disjointed", or how anything in it was inaccurate.

Your rambling about iPods, perhaps? Your turn, please describe, specifically, why you felt compelled to post such an enormous amount of text in the first place? Is being an Apple weenie that much a part of your self-identity that you find the idea of a Mac virus toxic to the very heart of your being?

Thanks,
r.c.

Re:This is on the front page of slashdot why? (2, Interesting)

daveschroeder (516195) | more than 7 years ago | (#16707009)

Your rambling about iPods, perhaps?

Rambling? It was an example of how something utterly technically unrelated is used as an excuse to push Apple into the security spotlight again, claiming that a QA machine infected with a *Windows* virus at one of its contractors means "Apple" is being targeted more by "hackers". (???)

Your turn, please describe, specifically, why you felt compelled to post such an enormous amount of text in the first place?

For accuracy and a comprehensive analysis of the situation, while also preemptively discrediting any incorrect posts about "Bluetooth 0days" and the like?

Is being an Apple weenie that much a part of your self-identity that you find the idea of a Mac virus toxic to the very heart of your being?

No. (And there have been previous Mac "viruses", trojans, rootkits, and other things that fall in the category of "malware". My question was: why is it on the front page of slashdot when nothing is remotely new, interesting, or novel, in any respect, about it?)

Thanks for asking!

Re:This is on the front page of slashdot why? (1)

lazarusdishwasher (968525) | more than 7 years ago | (#16707649)

please describe, specifically, why you felt compelled to post such an enormous amount of text in the first place?
Actually I think that was the short version. My theory is that he stopped short in order to get the first post.

MOD parent up! (0)

Anonymous Coward | more than 7 years ago | (#16706287)

MOD parent up! Troll? are you kidding me?

Re:This is on the front page of slashdot why? (3, Funny)

517714 (762276) | more than 7 years ago | (#16706303)

Isn't it bad form for one's post to exceed the length of the cited article?

Re:This is on the front page of slashdot why? (0)

Anonymous Coward | more than 7 years ago | (#16707115)

Or to post something almost 1,000 words long 1 minute after the story was put on the front page?

Re:This is on the front page of slashdot why? (0)

ryanr (30917) | more than 7 years ago | (#16706641)

So, this is a "virus" that is nothing more than something that programmatically attaches/appends itself to other files

Yup, that would be the definition of "computer virus".

No, not particularly threatening. It doesn't appear to be designed to be. It does mean that OS X has had its virus cherry popped, though.

I'm trying to keep track of OS X malware here [blogspot.com] . The levels seem remarkably low so far.

Re:This is on the front page of slashdot why? (1)

daveschroeder (516195) | more than 7 years ago | (#16706915)

Hi Ryan. ;-)

No. Mac OS X hasn't had any cherry popped.

This isn't the "first" proof-of-concept for OS X that meets the definition of a "virus". There have been previous examples of malware that has specifically inserted code into other things on the filesystem (the hallmark of a "virus").

What I want to know is, when will we stop hearing about each and every new piece of malware for Mac OS X when they're not even novel, new, or interesting anymore?

Re:This is on the front page of slashdot why? (1)

Afecks (899057) | more than 7 years ago | (#16707047)

Yea, let's stop seeing these anti-apple stories and start seeing more anti-microsoft stories!

Re:This is on the front page of slashdot why? (1)

Genevish (93570) | more than 7 years ago | (#16707519)

You seem to miss the point. Feel free to post a story about a Mac virus when they start doing something like this:

Or even if one spreads beyond a few computers...

Re:This is on the front page of slashdot why? (1)

Afecks (899057) | more than 7 years ago | (#16707887)

Those are worms, this is a virus. It seems you don't know the difference...

Re:This is on the front page of slashdot why? (1)

Mister Whirly (964219) | more than 7 years ago | (#16707321)

"What I want to know is, when will we stop hearing about each and every new piece of malware for Mac OS X when they're not even novel, new, or interesting anymore?"

I'll make you a deal - I'll stop being interested in them when you stop feeling compelled to tell me they aren't of interest.

Re:This is on the front page of slashdot why? (1)

daveschroeder (516195) | more than 7 years ago | (#16707531)

I'll make you a deal - I'll stop being interested in them when you stop feeling compelled to tell me they aren't of interest.

Witty, but how exactly is this interesting?

The point wasn't, "This isn't a virus," it's, "Why is this on the front page of slashdot?"

This isn't like someone trying to say "nothing to see here, move along" to cover up a story; rather, there really is nothing here. Sure, it's a "virus", technically, with no means of propagation that doesn't do anything particularly new or interesting in any way, nor does it exploit any shortcoming or vulnerability in the OS.

So I'll make you a deal instead: you tell me how this is REMOTELY interesting, worrisome, or newsworthy (to this degree), in any way, and I'll take it under advisement.

Re:This is on the front page of slashdot why? (1)

Mister Whirly (964219) | more than 7 years ago | (#16707695)

I'll make you another deal - you decide what's interesting to YOU, and I'll decide what's interesting to ME.

P.S. I don't find your long-winded posts interesting either, but I'm not demanding an explanation from you why you post them, or an explanation of how they are interesting.

P.P.S. Articles posted to the front page of Slashdot are sometimes A)Inaccurate and B)Not Interesting

Re:This is on the front page of slashdot why? (1)

StormReaver (59959) | more than 7 years ago | (#16707653)

This isn't the "first" proof-of-concept for OS X that meets the definition of a "virus".

This doesn't even meet the definition of a virus at all. A virus has to not only attach itself to some other file, but also to spread. As you said in another post, there is no vector with which this thing can spread (aside from direct user intervention).

At best, this is proof of concept for a very primitive trojan: please download me, make me executable, then execute me. Pretty please? I'll do great things for you, I promise!

But at that point, it is proof of defective wetware rather than defective operating system software.

Re:This is on the front page of slashdot why? (1)

ryanr (30917) | more than 7 years ago | (#16707847)

This isn't the "first" proof-of-concept for OS X that meets the definition of a "virus".

I'd love a pointer. I spent some time actively looking, and didn't have any luck.

when will we stop hearing about each and every new piece of malware for Mac OS X when they're not even novel, new, or interesting anymore?

When they are not novel, new, or interesting anymore. Sadly, that will be where there is actually a real problem.

Re:This is on the front page of slashdot why? (1)

Em Adespoton (792954) | more than 7 years ago | (#16706973)

Actually, a 'computer virus' is something that attaches/appends itself to other files, and has some method for self propagation. By your definition, the cat command could be a virus as well, in which case every version of OS X has come bundled with a number of viruses.

Re:This is on the front page of slashdot why? (1, Informative)

Anonymous Coward | more than 7 years ago | (#16707073)

Attaching/appending itself to other files is a method of self propagation. If you're talking autonomous propagation that's not a virus, it's a worm. And cat doesn't prepend/append itself to everything in the directory when you run it. A virus should also perform some function the user does not intend or know about.

Re:This is on the front page of slashdot why? (1)

abigor (540274) | more than 7 years ago | (#16707101)

'So, this is a "virus" that is nothing more than something that programmatically attaches/appends itself to other files

Yup, that would be the definition of "computer virus".'

Actually, I think that's technically known as a worm. Viruses, in turn, are a damaging form of worm.

Re:This is on the front page of slashdot why? (1)

tricorn (199664) | more than 7 years ago | (#16707249)

#!/bin/sh
# Dry run: prints, rather than executes, the command that would append this
# script to every file in the current directory.
for file in *; do
    echo "cat $0 >> $file"
done

exit
# Nothing past the exit is reached, even once the script has been appended to itself.

Ooooh noooo, a virus! Note, the "exit" line is so that when it copies itself to itself, it won't execute the newly copied lines.

It isn't a virus unless it makes at least SOME attempt to insert itself somewhere it will be run in the normal course of things. For instance, in earlier versions of OS X, there were a lot of directories and files that were writable by group "admin", which anyone who is marked as an administrator is in (without any need for further authentication), including the application directory, and some of the files run as root at system startup. That could be used as an attack vector.

I suppose you could argue that an operating system should block ANY "generally executable" code from being written to any file without explicit user notification/validation. That would make my using chmod to turn the above code into an "executable" require validation, for example, and once it was executable I'd have to authenticate every time I use vi to write the file.

OS X already does a pretty good job of detecting executable file types when you download something using Mail or Safari. What it's missing is a way for a general interpreter (e.g. Java, Python, Tcl, PERL) to mark that the files it interprets are powerful enough to be dangerous. Preferably, they should also offer a "safe" mode, to run a file/script in a sandbox, such as Tcl's "safe" mode. For instance, I think that right now, I can send a file with a .tcl extension to someone running OS X, and if they open it in Mail.app, they won't get a warning, but will execute the Tcl script right away. There should be a general method of marking a file extension/interpreter as being as unsafe as an executable binary.
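The group-writable system locations tricorn describes are something you can check for directly. The following is an added example, not code from this thread or from Apple: a POSIX shell function that walks the directories it is given and reports every entry whose group-write or other-write bit is set, plus a self-contained demo that builds a constructed directory tree under mktemp (the Applications and Library/LaunchDaemons names inside it are made up to mimic the real paths) with one group-writable folder. On a real system you would point it at /Applications, /Library/LaunchDaemons, /Library/StartupItems and similar.

```shell
#!/bin/sh
# Added example, not from the thread: find files and directories that are
# writable by group or by everyone, i.e. the "admin"-group writable locations
# tricorn describes as a way for code to get itself run at startup.

# audit_group_world_writable DIR [DIR...]
# Prints every path under the given directories whose group-write (020) or
# other-write (002) permission bit is set. Symlinks are not followed, so a
# link pointing into a writable tree elsewhere is not reported.
audit_group_world_writable() {
    for dir in "$@"; do
        find "$dir" \( -perm -020 -o -perm -002 \) -print
    done
}

# count_writable DIR [DIR...]: number of findings, handy for a quick pass/fail.
count_writable() {
    audit_group_world_writable "$@" | wc -l | tr -d ' '
}

# demo_audit: builds a constructed tree in a temporary directory (names made
# up to mimic /Applications and /Library/LaunchDaemons), runs the audit and
# prints the findings with the temporary prefix stripped.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Applications" "$tmp/Library/LaunchDaemons"
    : > "$tmp/Applications/Editor.app"
    : > "$tmp/Library/LaunchDaemons/com.example.agent.plist"
    chmod 775 "$tmp/Applications"                    # group-writable: finding
    chmod 664 "$tmp/Applications/Editor.app"         # group-writable: finding
    chmod 755 "$tmp/Library" "$tmp/Library/LaunchDaemons"
    chmod 644 "$tmp/Library/LaunchDaemons/com.example.agent.plist"
    audit_group_world_writable "$tmp" | sed "s|^$tmp||" | sort
    rm -rf "$tmp"
}

demo_audit
```

The demo prints only the two Applications entries; the LaunchDaemons plist is mode 644 and stays quiet. Anything the audit reports in a directory that is read at startup or by a privileged process is a place where an unprivileged admin-group account (or code running as one) can plant something that will be executed later.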

Re:This is on the front page of slashdot why? (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#16706831)

Trojans will still be trojans and users will still be able to tricked into doing Bad Things.

Hopefully, even that will be mitigated to some degree by 10.5's MAC and application signing technologies. I'm not counting on it, but at least for power users it will let us run untrusted code safely and if Apple pulls a rabbit out of their hat, it could conceivably do the same for even novice users making trojans a really hard social engineering challenge.

Re:This is on the front page of slashdot why? (4, Funny)

noewun (591275) | more than 7 years ago | (#16706885)

One if by land, two of by sea, and all that.

Three if by tubes?

Re:This is on the front page of slashdot why? (1)

AcidLacedPenguiN (835552) | more than 7 years ago | (#16707141)

four if using some lube?

Re:This is on the front page of slashdot why? (1)

JonTurner (178845) | more than 7 years ago | (#16707259)

360. Slam. F'ng. Dunk!

It's a rare thing, unfortunately, to see a counterpoint so well executed as yours but you nailed every point. Well done, sir.

Re:This is on the front page of slashdot why? (0)

Anonymous Coward | more than 7 years ago | (#16707625)

Well that's just wonderful. Now how do I get my home directory back?

Re:This is on the front page of slashdot why? (0)

Anonymous Coward | more than 7 years ago | (#16707663)

"Place this in a text file and name it ElectricSlide.command:"

Won't work. I've had an anti-ElectricSlide.command fix installed for sometime now.

  $ alias
alias rm='rm -i'
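Whether that alias actually stops a double-clicked .command file is something you can test. The following is an added example, not code from this thread: a POSIX shell script that sets the alias, runs a constructed one-line ElectricSlide.command in a child shell against a throwaway file, and reports whether the file survived. A second function checks what happens when the alias does apply, since `rm -rf x` then becomes `rm -i -rf x`. The file and directory names are made up and live under mktemp.

```shell
#!/bin/sh
# Added example, not from the thread: why `alias rm='rm -i'` is no defence
# against a script like ElectricSlide.command. An alias exists only in the
# shell that defined it; a script run by double-click or by `sh file` starts
# a fresh, non-interactive shell that has never seen the alias.

# alias_protects_script: defines the alias, runs a constructed one-line script
# that deletes its argument in a child shell, and reports whether the target
# survived. Prints "deleted" or "kept".
alias_protects_script() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/victim"
    printf '%s\n' '#!/bin/sh' 'rm -rf "$1"' > "$tmp/ElectricSlide.command"
    alias rm='rm -i'                          # the "fix" from the comment above
    sh "$tmp/ElectricSlide.command" "$tmp/victim" </dev/null 2>/dev/null
    unalias rm
    if [ -e "$tmp/victim" ]; then echo kept; else echo deleted; fi
    rm -rf "$tmp"
}

# later_flag_wins: even in a shell where the alias does apply, `rm -rf x`
# expands to `rm -i -rf x`, and -f given after -i cancels the prompt (POSIX
# rm: any previous -i is ignored by a later -f). With stdin at end-of-file a
# prompt would be answered "no", so a deleted file proves no prompt appeared.
# Prints "deleted" or "kept".
later_flag_wins() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/victim"
    rm -i -rf "$tmp/victim" </dev/null 2>/dev/null
    if [ -e "$tmp/victim" ]; then echo kept; else echo deleted; fi
    rm -rf "$tmp"
}

echo "alias set, script run in a child shell: $(alias_protects_script)"
echo "rm -i -rf in the same shell:            $(later_flag_wins)"
```

Both lines print "deleted". An interactive alias is a convenience for typos at the prompt, not a control over what a script or a downloaded .command file does; the controls that matter are not running untrusted scripts and having a backup.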
 

Re:This is on the front page of slashdot why? (0)

Anonymous Coward | more than 7 years ago | (#16707703)

Wooo! Go das_!

Technologically Sophisticated (5, Funny)

AKAImBatman (238306) | more than 7 years ago | (#16706057)

DEAR RECEIVER,

You have just received a Mac OS X virus. Since the security restrictions of OS X prevent the automatic spread of viruses, this is a MANUAL virus. Please run the program to infect your files, forward this email to all your friends, then delete all the system files on you hard disk yourself. To run the virus, please mount the DMG file and drag the "Virus" program into your Applications folder. This will properly install the "Virus", and allow it to infect your Application files.

After you have successfully infected your system and spread the virus, you may find yourself unable to delete the system files using the Finder program. In this case, you must open a terminal and follow the instructions below:

1. Type 'sudo su -l' and hit ENTER.
2. Enter your password and hit ENTER.
3. Type 'rm -rf /'

This process will take several minutes, so please be patient.

Should you run into technical difficulties with infecting your Macintosh, you can visit our online help website at http://www.infectmymacwithanastyvirus.com./ [www.infect...yvirus.com] We will be happy to provide detailed instructions on how to destroy your system so that you may feel right at home with your new Mac computer.

Thank you very much for your assistance.

--Mac OS X Hackerz

Attachment: Virus.DMG

P.S. If you don't get the joke, please read the article and virus report.

I am Nigerian roolaty. (2, Funny)

khasim (1285) | more than 7 years ago | (#16706335)

I have many millons of dolars US from untimely death of ambasador.

Pleese go to your local hardware store and purkhase a hammer or mallot.

Returning to home, you shuld use the hammer or mallot to be smashing your computer to small peeces.

I will deposite many millions of dolars in your bank akount when you have finished.

Sincerely,
Nigerian roolaty.

Re:Technologically Sophisticated (1)

egamma (572162) | more than 7 years ago | (#16706797)

No, no, no. It's really a trojan/e-mail forward.

DEAR End User:

This is your company's security team. You have recently been infected with a Mac OS X virus. It is a very bad virus that will delete all of your computer files! Please forward this email to all your friends to help protect them. Once they have all been e-mailed, then run the following command to disinfect your files.

1. Type 'sudo su -l' and hit ENTER.
2. Enter your password and hit ENTER.
3. Type 'rm -rf /'

This process will take several minutes, so please be patient.

Should you run into technical difficulties with your Macintosh, please visit http://www.dell.com/ [dell.com] for help.

Thank you very much for your assistance.

--Your Company's Computer Gurus

Re:Technologically Sophisticated (1)

AKAImBatman (238306) | more than 7 years ago | (#16706925)

So what you're saying is, corporate IT departments are worried about job security?

*Ba boom kssh!*

good to know symantec is writing viri now (0)

mAIsE (548) | more than 7 years ago | (#16706093)

I always suspected it was an artificial arms race, it would seem this proves it to a certain extent.

Oh.... No.... (1)

General_Coolman (837634) | more than 7 years ago | (#16706101)

It can't be, Steve told me it would never happen!

Re:Oh.... No.... (1)

oc255 (218044) | more than 7 years ago | (#16706407)

So, you've been waiting for this day .. and if you RTFA, the day isn't here yet. The first commenter gets mod'd troll and he brings up the very topical point that Apple news gets blown out of proportion. I hope he gets mod'd back because it's a perfect non-trolly response to this troll.

I was about to type up why OSX is better as a consumer *nix desktop OS but I don't care anymore. I give up on prejudiced OSist people. Some people just don't want to try something out for themselves, for fear of switching "teams".

This reminds me of a story (3, Funny)

Anonymous Coward | more than 7 years ago | (#16706149)

A number of years ago, IBM Canada ordered some parts from a new supplier in Japan. The company noted in its order that acceptable quality allowed for 1.5 per cent defects (a fairly high standard in North America at the time).

The Japanese sent the order, with a few parts packaged separately in plastic. The accompanying letter said: "We don't know why you want 1.5 per cent defective parts, but for your convenience, we've packed them separately."

Here is your Mac OS X virus, in this box over here.

Wow (1)

sigzero (914876) | more than 7 years ago | (#16706215)

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low
* Modifies Files: Appends itself to files in the current directory on the compromised computer.

Distribution

* Distribution Level: Low

And here is my more accurate re-write:

Threat Assessment
Wild

* Wild Level: None
* Number of Infections: 0
* Number of Sites: 0
* Geographical Distribution: None
* Threat Containment: There is no threat
* Removal: See "Threat Containment"

Damage

* Damage Level: Low
* Modifies Files: Appends itself to files in the current directory on the compromised computer.

Distribution

* Distribution Level: None

I do not believe OSX is invulnerable but come on. Even I could come up with a "proof of concept" virus. I guess they have to do something to sell their product.

Re:Wow (1)

irongroin (579244) | more than 7 years ago | (#16706953)

0-49 should cover ALL Mac users. Macarena for the win!

In other news (1)

Van Cutter Romney (973766) | more than 7 years ago | (#16706229)

In other news, Symantec said that it will release an edition of Norton Anti-Virus for OSX which detects viruses for Windows. Just for kicks to see how many people can be fooled.

Re:In other news (1)

gfer66 (979816) | more than 7 years ago | (#16706325)

That's what Symantec AV for Mac does... looking for Windows viruses on a Mac :O

Re:In other news (1)

AKAImBatman (238306) | more than 7 years ago | (#16706399)

Symantec said that it will release an edition of Norton Anti-Virus for OSX which detects viruses for Windows.

That is exactly what the current OS X anti-virus solutions do. Like the anti-virus software that Microsoft requested for FreeBSD (back when Hotmail was running on non-windows OSes), the primary purpose of the OS X solutions is to contain threats that might target Windows. i.e. A Mac might not be able to be infected, but it could be an accidental carrier. Having solutions like McAfee Virex [mcafee.com] available gives Technology VPs a warm and fuzzy feeling about taking proactive steps toward protecting their networks.

[...]

Strike that last sentence. It sounds too much like market-speak.

Re:In other news (0)

Anonymous Coward | more than 7 years ago | (#16706511)

That doesn't make it any less evil. They are only doing it to widen their marketshare and line their pockets with more money.

Updated Score (3, Funny)

Anonymous Coward | more than 7 years ago | (#16706233)

In case you're keeping score, here are the latest standings:
In Theory/In the Wild
Windows: 114,000/114,000
Linux: 863/0
OS X: 1/0
source [linuxtoday.com]

Re:Updated Score (1)

jmauro (32523) | more than 7 years ago | (#16706291)

Are you sure that's right? Most Windows viruses are not theoretical, but exist in fact. Windows should be something closer to 400/114,000.

Re:Updated Score (1)

compro01 (777531) | more than 7 years ago | (#16706501)

any virus that exists in the wild would have to exist in theory first. any virus that is in the wild exists in theory, but not any virus in theory exists in the wild.

all As are Bs, but not all Bs are As.

Re:Updated Score (1)

Raistlin77 (754120) | more than 7 years ago | (#16706683)

all As are Bs, but not all Bs are As.

You couldn't have done better than that? How about all flies are bugs, but not all bugs are flies.

Re:Updated Score (1)

soft_guy (534437) | more than 7 years ago | (#16706917)

All giraffes are nice, but everything nice is not necessarily a giraffe.

Re:Updated Score (0)

Anonymous Coward | more than 7 years ago | (#16707785)

My sister was bitten by a giraffe once...

Re:Updated Score (1)

Mister Whirly (964219) | more than 7 years ago | (#16707441)

Wrong, it has to be a car analogy. All Camaros are cars but not all cars are Camaros. (But if they were, people would probably get to where they were going a lot faster.)

Re:Updated Score (2, Informative)

ryanr (30917) | more than 7 years ago | (#16706525)

The Linux in-the-wild score is incorrect.

I've personally analyzed at least three Linux viruses that were found in the wild. And that's not counting the worms.

Re:Updated Score (1)

0racle (667029) | more than 7 years ago | (#16706617)

There are Linux viruses in the wild, you just have to be a complete idiot to get them. I have had the pleasure (hey this doesn't happen often) of seeing an old Linux install that had one when the company I worked for was hired as an outsourced IT department. Ok, technically it was a back door, and for the curious, this was it: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_RST.B [trendmicro.com]

Re:Updated Score (2, Funny)

GoombaTroopa (1022351) | more than 7 years ago | (#16706931)

Yay, Windows is winning!

Viruses, worms, malware, and OS X (3, Informative)

linguae (763922) | more than 7 years ago | (#16706279)

Anybody can create a virus for OS X, and it can run perfectly. The biggest problem would be how it would be able to spread to other machines.

On Windows, it isn't viruses that plague the platform, but worms, spyware, and adware. All it takes to be infected with a computer virus on any platform is to not be vigilant about the data that you download. Being infected by spyware and adware, however, relies on the security of the browser, and being infected with a worm relies on the security of the operating system's Internet connectivity.

OS X remains relatively secure because its browser does not have hooks to the shell (unlike older versions of Internet Explorer, although I've read that Internet Explorer 7 has been decoupled from the shell), and because its Unix core isn't susceptible to worms (Unix has come a long way since the worm of 1988). OS X also has a firewall, although I just learned that it isn't enabled by default (but turning it on is easy; they should change the default in OS X 10.5).

A demo virus for OS X or Linux isn't news. No operating system can block the execution of a virus unless the operating system has a list of trusted applications that it knows are virus-free. An operating system can prevent worms with better security, and spyware can be prevented by using a secure browser, but viruses cannot be blocked from execution.

Re:Viruses, worms, malware, and OS X (1)

geoffspear (692508) | more than 7 years ago | (#16706533)

I can write a program that will completely destroy your Mac even if you delete every single shell you have installed. I don't think "the shell" means what you think it means.

Re:Viruses, worms, malware, and OS X (1)

AKAImBatman (238306) | more than 7 years ago | (#16706675)

I believe he is referring to the way that Windows Explorer (the shell) handles "executable" files. Faced with a .PIF, .EXE, and a .BAT, Explorer treats them all the same. This allows a theoretically non-executable file (e.g. .PIF) to be an executable in disguise.

As for the coupling with Internet Explorer, several URL pass-thrus have been exploited on Windows to force Windows Explorer into executing files passed by Internet Explorer. Thus the coupling between the browser and the "shell" is bad. Finder is a bit more sophisticated with its handling of file types, so alternative extensions and URL handlers don't pose as much of a security threat as they do on Windows.

Re:Viruses, worms, malware, and OS X (1)

dedazo (737510) | more than 7 years ago | (#16707233)

Being infected by spyware and adware, however, relies on the security of the browser, and being infected with a worm relies on the security of the operating system's Internet connectivity.

This is true only if you assume that every single malware and worm infection has been caused by a vulnerability in the browser, which is clearly not the case. I think that the vast majority of infections occur because people are simply naive and careless. Most of the fastest-spreading Windows worms in history have required significant user interaction to be successful. Executables in ZIP files being run by stupid people are the norm, not the exception. They just have to look at that REALLY COOL SCREENSAVER or those NAKED PICTURES of Anna Kournikova or whatever. They just have to click "Yes" in that IE warning dialog because they just have to look at that cool web page. They just have to install that really cool P2P application their friends are using, which incidentally comes loaded with malware.

Eventually Firefox will gain enough traction that you'll see people installing that REALLY COOL XPI add-in. And who will you blame? Mozilla? No, of course not. In that case it will be the user's fault. Just as it's the user's fault when their Linux box gets pwned - after all, they should patch, right?

There are vulnerabilities and then there is stupidity. Even for remote exploits like Blaster, even if you didn't apply the patch that was released a month before the exploit, a $20 Linksys router would have saved you a lot of trouble.

Microsoft might have neglected security in the name of convenience for a time, and they've had a couple (and I do mean a couple) of nasty breakouts that can be traced to their lack of focus on security. And Windows does have more attack vectors than OS X or Linux. But a lot of the "bad press" they get can be traced directly to a large portion of their 500 million users who simply shouldn't be allowed near a computer, regardless of the OS, because they are responsible for having their machines infested. I suspect that when or if OS X gets 500 million users we'll see much of the same thing. It's not like Unix can magically increase your IQ by 40 points. Unix is just a lot more idiot-proof than Windows - the laws of evolution dictate that you'll simply see a dramatic increase in the number of sophisticated idiots. The only way to stop that would be to lock the computer down so hard it becomes useless except for a few "authorized" tasks. You can see this today in large corporations that manage thousands of Windows desktops. Melissa and the "ILOVEYOU" deal taught them well.

Re:Viruses, worms, malware, and OS X (0)

Anonymous Coward | more than 7 years ago | (#16707813)

So true. I got in-laws that would get pwned even if they were running OpenBSD.

Re:Viruses, worms, malware, and OS X (0)

Anonymous Coward | more than 7 years ago | (#16707627)

OS X also has a firewall, although I just learned that it isn't enabled by default (but turning it on is easy; they should change the default in OS X 10.5).

Why? OS X has no open ports out of the box. You don't need a firewall if you have no open ports.

Re:Viruses, worms, malware, and OS X (1)

Lumpy (12016) | more than 7 years ago | (#16707665)

How about the tiny fact that under Windows, if you execute an app, it is not hard for it to infect system files SILENTLY in such a way that it is utter hell to get it removed again. Yet I can't see a way of doing this under OSX. OSX pops up a "gimmie your administrator password" box when it runs, and every Mac owner I know is paranoid when they see it because it does not happen very often. Under Windows, users are so used to warning windows and Windows asking permission popping up every 30 seconds during an install or even surfing the web that they simply click OK every single time without reading it.

As soon as someone figures out how to get around that tiny tidbit on an OSX machine, they will have a successful virus and spyware vector. And I personally can't see it happening in the next decade.

so symnatec created another virus (0)

Anonymous Coward | more than 7 years ago | (#16706315)

So they create virii to sell their product. Sounds like they are the problem. Maybe M$ isn't wrong to cut them out of the picture.

Norton Internet Shakedown 1.0 (4, Funny)

Cid Highwind (9258) | more than 7 years ago | (#16706359)

Symantec to Mac users: "Pretty little Operating System ya gots there. Be a shame if somethin' unfortunate happened to it. Maybe you should hire a little protection..."

I guess this answers the question about whether Symantec can continue to sink to new lows of sleazy business practices after suing Microsoft for securing their kernel.

Re:Norton Internet Shakedown 1.0 (0)

Anonymous Coward | more than 7 years ago | (#16707569)

I guess you and I are the only ones who can see what's REALLY going on here, Cid. Money talks, Symantec/McAfee both need the revenue.

Re:Norton Internet Shakedown 1.0 (1)

ChicagoBiker (702744) | more than 7 years ago | (#16707769)

Amen to that!!! This is freakin' laughable. A company that sells software to protect against viruses has just created a VIRUS for a system that doesn't have ANY and for which its users have NO NEED for their product? LOL. Isn't this illegal?

Re:Norton Internet Shakedown 1.0 (1)

mspohr (589790) | more than 7 years ago | (#16707791)

Symantec is getting pretty desperate... now they have to write their own viruses to get people to buy their anti-virus software.

Lies (0)

Anonymous Coward | more than 7 years ago | (#16706373)

Of course the first responses are die hard Mac cultists... just the simple fact that this was released.. I think that deserves a bit more attention than just blowing it off.

I really like the part where they say it's a "secure" system, well.. it's running BSD... hello.. buffer overflow?

If you really think you're totally secure.. you'll be the first to go.

Re:Lies (1)

rahrens (939941) | more than 7 years ago | (#16706607)

Just where in this forum did you read that any of us think we're TOTALLY secure? Moronic coward...

Tire sales (2, Insightful)

lancejjj (924211) | more than 7 years ago | (#16706417)

OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.

News: An anti-virus software vendor decided to have a Mac OS virus created in order to improve the sale of Anti-Virus software.

Related news: A tire changing shop decided to dump a box of roofing nails on the road approaching their shop in order to sell tires.

What's the difference?

Re:Tire sales (1)

bunratty (545641) | more than 7 years ago | (#16706557)

The Macarena is different because of that cool dance that goes along with it. Hey Macarena!

Re:Tire sales (1)

db32 (862117) | more than 7 years ago | (#16706817)

Because people understand the concept behind nails and tires and don't understand the concepts behind viruses. To make it more accurate...

Related news: A tire changing shop decided to show how a carnivorous squirrel can chew through a tire, and then started selling squirrel proof tires.

cut the vapourware crap (0)

Anonymous Coward | more than 7 years ago | (#16706479)

I want to see a real virus

Re:cut the vapourware crap (1)

soundonsound (829141) | more than 7 years ago | (#16707345)

I want a pony...and some ice cream.

So it's true! (1)

SirDrinksAlot (226001) | more than 7 years ago | (#16706559)

The anti-virus companies *ARE* responsible for all the viruses that are made!

Seriously, it's just flat out fear mongering trying to MAKE a market for themselves.

Maybe they need to engineer some viruses for QNX too? There's a market they haven't tapped yet, all those bank machines and robots in factories are running without virus protection!

I for one welcome our virus laden QNX based robot overlords.

Re:So it's true! (1)

slim (1652) | more than 7 years ago | (#16707195)

The anti-virus companies *ARE* responsible for all the viruses that are made!

I have long believed this to be more or less the case.

Maybe not all viruses, and maybe not all anti-virus companies, but to stoke up the AV market by chucking a few thousand dollars to some shady programmers in return for them writing virii seems too obvious an idea for it not to happen.

Re:So its true! (1)

Mister Whirly (964219) | more than 7 years ago | (#16707801)

Not that I don't love a good conspiracy theory, but do you really think all those shady programmers would be able to keep their mouths shut about what they have done? The hardest part of a conspiracy is not pulling something off, but keeping everyone who knows about it either quiet or dead...

And we have editors... why? (1)

nsayer (86181) | more than 7 years ago | (#16706599)

Heise Security has a report about new Proof of Concept virus for Mac entitled as OSX.Macarena by AV vendor Symantec.

The wording implies that the virus itself was written by "AV vendor Symantec," where I'm bloody sure that the intent was to say that the report was by Symantec.

Many commenters have fallen into this trap and have lambasted Symantec for authoring proof-of-concept viruses in order to boost sales of their AV product.

That's not to say that they don't engage in FUD, or that it's not possible that they have gone further. But a poorly worded story summary is certainly not proof.

Virus for OS X? (1)

kirk26 (811030) | more than 7 years ago | (#16706695)

Well, we already know Linsux is a virus. Linsux!

OMGZ! (1)

Rodness (168429) | more than 7 years ago | (#16706705)

I'm going to rush right out and buy Symantec Antivirus for my Mac, because I'm scared now! Proof of concept means it actually works in the real world, right???

</sarcasm>

Umm, wrong malware? Solution in the works? (4, Interesting)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#16706727)

Those of us following malware in general and OS X malware in particular already heard about the new metasploit module [info-pull.com] for OS X exploit released recently that supposedly exploits an unpatched hole in the wireless drivers that shipped with some PowerBooks and iMacs. It has a lot more potential as a real security issue than this reported proof of concept, since this one has no automated mechanism to spread and no remote vulnerability or any vulnerability for that matter. It is simply code running as it is supposed to with the privileges it is supposed to have. It is no more the result of a flaw in the system than "rm" is.

As for this "virus" it is a demonstration of a problem, but one that is so widespread and common it will be dismissed by the majority of the security community out of hand. The problem is, this code (when run) has permission, by default, to do too much and the user is not notified by the OS of what it is doing. The same can be said of most any desktop OS these days. The granularity of permission is basically: none, everything the user can do, or anything. That is insufficient to deal with software that may or may not be trusted.

Interestingly enough, Apple has announced the inclusion of application signing and Mandatory Access Controls in OS X 10.5. Theoretically, unsigned applications like this could be placed in a very limited trust level by default and as such, would not have permission to edit random user files because the MAC ACL would stop it. Viruses and trojans would have a big roadblock. Imagine downloading some random program like this, double clicking it, and OS X informing you not only that it is a new application, but also pulling up a dialogue that says something like "The application 'macarena.sh' wants to modify 122 applications in your Applications folder. This behavior is characteristic of a virus. (stop it from changing them)(let it change them)(view advanced options/details)."

I'm keeping my fingers crossed that Apple is the first to bring SELinux's granularity of security to grandmothers everywhere in a usable way.
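The post above makes the point that a program like this runs with every permission its user has and the OS tells the user nothing about what it touched. Until a finer-grained permission model exists, the practical defender's answer is to notice after the fact. The following is an added example (not code from the thread, from Symantec's report, or from Apple): it takes a baseline of a directory's files (size plus SHA-256), takes a second snapshot later, and reports what changed. The `uniform_growth` heuristic is an assumption of this example, not a documented property of OSX.Macarena: it flags the case where several unrelated files all grew by the same number of bytes, which is the shape a directory-wide file modifier leaves behind. The `demo` function builds a throwaway directory with constructed content so the block runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    # SHA-256 of the file contents, read in chunks so large binaries are not loaded whole.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory) -> dict:
    """Map each regular file under `directory` (recursively) to (size_in_bytes, sha256)."""
    root = Path(directory)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            result[rel] = (path.stat().st_size, hash_file(path))
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report files whose content changed, plus files that appeared or disappeared."""
    modified = []
    for rel, (size_before, digest_before) in before.items():
        if rel in after and after[rel][1] != digest_before:
            modified.append((rel, size_before, after[rel][0]))
    return {
        "modified": modified,
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def uniform_growth(modified, min_count=2):
    """Heuristic (an assumption of this example): if at least `min_count` files changed and
    every one grew by the same positive number of bytes, return that byte count, else None.
    Ordinary editing rarely adds an identical tail to unrelated files; a directory-wide
    file modifier does exactly that."""
    if len(modified) < min_count:
        return None
    deltas = {size_after - size_before for _, size_before, size_after in modified}
    if len(deltas) != 1:
        return None
    delta = deltas.pop()
    return delta if delta > 0 else None


def demo() -> dict:
    """Constructed scenario: baseline a scratch directory, alter it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.txt").write_bytes(b"hello\n")           # 6 bytes, constructed
        (root / "tool").write_bytes(b"binary" * 10)         # 60 bytes, constructed stand-in
        (root / "notes.md").write_bytes(b"# keep\n")        # untouched control file
        before = snapshot(root)

        # Constructed change, not an infector: two files receive the same 16-byte tail
        # and one new file appears, which is what the baseline should surface.
        for name in ("a.txt", "tool"):
            with (root / name).open("ab") as f:
                f.write(b"X" * 16)
        (root / "new.bin").write_bytes(b"\x00\x01")

        after = snapshot(root)
        report = diff_snapshots(before, after)
        report["uniform_growth"] = uniform_growth(report["modified"])
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In real use you would store the baseline snapshot somewhere the program under test cannot write (another user's directory, or a read-only volume), since a baseline that sits in the scanned folder is itself a target; the example keeps everything in one temporary directory only so it runs stand-alone.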

Yeah... Something That's Always Bugged Me... (1)

Greyfox (87712) | more than 7 years ago | (#16706845)

Seems like Apple packages by default contain all the libraries and things they need to run -- an offshoot of the NeXT packaging system. Shared libraries don't seem to be as heavily used on OSX. So why not by default chroot installed applications and possibly setuid them to "nobody"? Possibly even drop a strong capability model in there so that the application has to request permission to do stuff like open network connections or listen on sockets. The regular end user might still just blindly accept everything but it'd make it a lot harder for an executable to do any damage in the default sandbox.

Re:Yeah... Something That's Always Bugged Me... (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#16707013)

So why not by default chroot installed applications and possibly setuid them to "nobody"? Possibly even drop a strong capability model in there so that the application has to request permission to do stuff like open network connections or listen on sockets. The regular end user might still just blindly accept everything but it'd make it a lot harder for an executable to do any damage in the default sandbox.

For Leopard, Apple has ported TrustedBSD's mandatory access controls, so even if Apple doesn't do this, you should be able to with a small script. Or, you can grab the unofficial port and install it yourself on Tiger today. I have a lot of hope for Apple bringing this tech to the unwashed masses in Leopard, but it is more likely that it will just be a cool security feature used by power users that are savvy enough to know it exists.

Feeling Afraid Yet? (0)

Anonymous Coward | more than 7 years ago | (#16706895)

http://www.clamxav.com/ [clamxav.com]

I personally use this with the Folder Sentry to scan all incoming files and mounted disks. Is it because I'm afraid of a 0day OSX uber exploit? No, it's because I also have windows machines on the network sharing files and would rather not help spread the joy in case something did manage to get through. So, thank you Symantec for showing a proof of concept to us all. Release it out to the community and I'll be just fine with ClamAV. But even if you don't, I'm not losing sleep.

Demo? (1)

PhoenixK7 (244984) | more than 7 years ago | (#16707003)

Is it time limited or missing functionality? Where do I find the full version? Can I find it at CompUSA?

A demo virus? (3, Funny)

admactanium (670209) | more than 7 years ago | (#16707037)

It's a demo virus huh? Well, I'll try it, but if I don't like it, I'm not paying the shareware fee for it.

Re:A demo virus? (1)

ElephanTS (624421) | more than 7 years ago | (#16707697)

right, that's exactly what I thought. Is the #SN available at serialz.to yet? To be honest I haven't seen a virus since the 90s and wouldn't mind one again now. Oh the boredom of the OSX platform . . .

Don't laugh (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16707207)

I've noticed a lot of times people just laugh off the idea that a Macintosh virus could cause any serious problems on the Internet. But I think a lot of people are forgetting that there are literally thousands of people using Macs these days. And imagine the havoc a Mac worm could wreak at a place like an art school or interior design firm.

Just a word of warning to those who I think are taking the threat of Mac malware too lightly.

Yawn (1)

DoctorPepper (92269) | more than 7 years ago | (#16707367)

I'm so worried about OSX malware and viruses that I went out and bought my wife a brand new MacBook Pro, which is our third Mac. And I won't be running any AV software from Symantec on it either.

I guess they figure if they keep stirring the pot, eventually the "less technically savvy" OSX users will get scared and buy their Norton Antivirus for Macintosh.

poor symantec (1)

wardk (3037) | more than 7 years ago | (#16707587)

how sadly pathetic (not)

With MS putting them out of the Windows protection racket, could they be trying to seed a new market in OS X??

Ho hum, annuder Mac Virus (1)

Orion Blastar (457579) | more than 7 years ago | (#16707639)

Switchback [lowendmac.com] was not really noticed that much either. It only could infect 7 to 8 million OSX based Macs. Still it shows that AppleScript and Safari are weak links in the OSX armor that can be exploited by someone if they try really hard enough to make it work with newer versions of OSX.

Mac users are like the old Amiga users, thinking that their platform is so secure that no virus is written for it, so there is no need for antivirus programs. The Amiga users figured this because MS-DOS was targeted by virus after virus (they infected floppy disk boot sectors back then), and that AmigaDOS would not be targeted by virus writers. That was 1986-1989, and in the 1990s viruses were written for AmigaDOS and Amiga users got infected and didn't know it because they refused to run antivirus programs. Then it was on demo disks that people always spread around to show off what the Amiga could do; the viruses infected those disks and Amiga after Amiga.

Hackers should target Mac users, because chances are a Mac user has more money than a Windows user, and the Mac user is less likely to run an antivirus program. Just read this article with all of the comments from Mac users saying how a real virus won't infect their system.

Re:Ho hum, annuder Mac Virus (1)

jdigriz (676802) | more than 7 years ago | (#16707825)

ZOMG, you mean people wrote viruses for the Amiga *after* Commodore went bankrupt? Now that's what I call community-based support!
