Another Mac OS X Trojan
February 16, 2006 6:03 AM

Barbarians are at the gates, testing the locks again. Mac OS X users beware: a file supposedly containing pictures of Mac OS X 10.5 actually does other things. Lots of info and links at this first link. Here's the disassembly of the executable (it's just a plain text file) and some notes on the application which comes to this conclusion: "In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running. It seems that this is more of a "proof of concept" implementation that could be utilized to actually do something in the future, depending on how successful it is, or it was simply done to garner attention/press. Which I'm sure it'll get." Might be a good idea to check out a Mac OS X security primer.
posted by Brandon Blatcher (48 comments total)
 
In the time it took me to read this a few new PC virii were released. Virii that do work.

Mac virus writers are so lam3...
posted by kika at 6:24 AM on February 16, 2006


One of these days someone will make a malicious one. Because even with the Mac security model, nothing prevents a program you run from deleting your entire iTunes and iPhoto library.
posted by smackfu at 6:36 AM on February 16, 2006


will the new intel macs make viruses more common, or is it just the software and not the chip?
posted by amberglow at 6:48 AM on February 16, 2006


Marketshare must be up or something...
posted by mkultra at 6:53 AM on February 16, 2006


will the new intel macs make viruses more common, or is it just the software and not the chip?

The software doesn't care what chip it's running on. VirtualPC running on a G5 will still catch all (?) the normal PC viruses.

The relative lack of malware on Macs isn't because Macs use Motorola chips or anything like that. It's a simple matter of having better security in the OS (harder to run stuff as root), fewer machines to target, and, I bet, a lack of prepackaged malware toolboxes so that you have to actually write your virus from scratch or nearly so.
posted by ROU_Xenophobe at 6:55 AM on February 16, 2006


Another factor has always been that your average hacker has a PC, not a Mac. Now that they have OS X running on generic PCs, that goes away...

OTOH, I believe most PC trojans nowadays are made by companies to spam, not bored high school kids. So they really only care about marketshare.
posted by smackfu at 7:01 AM on February 16, 2006


will the new intel macs make viruses more common, or is it just the software and not the chip?

My understanding is that the software is more secure by virtue of forcing Mac owners to distinguish between operating at user-level and install/admin-level. Windows has effectively made operating a computer so easy (read: obfuscated underlying processes so effectively) that the average user has little way of knowing when they're about to do something bad for their machine.

In short: it's the software.
posted by voltairemodern at 7:03 AM on February 16, 2006


The /. thread notes there are a few steps one would have to take to actually get infected:

1 - Receive via email, iChat, etc, or download the "latestpics.tgz" file

2 - Double-click on the file to decompress it

3 - Double-click on the resulting file to open it

3a - For most users, you would be prompted to enter your Admin password

4 - Since the app would be executing for the 1st time, you would then be told this and asked if you wanted to run the app
posted by effwerd at 7:03 AM on February 16, 2006


Actually, I think 4 would happen before 3a.
posted by effwerd at 7:04 AM on February 16, 2006
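The step list above turns on one thing: the user opens a file that was presented as pictures. An added example, not from the thread or from any analysis it links, is a POSIX shell check that looks at a downloaded file's leading bytes before it is double-clicked, so that an executable dressed up as an image is refused regardless of its name or icon. The magic numbers are the standard ones for JPEG, PNG, GIF, gzip, ELF and Mach-O; the file names in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify a file by its leading bytes,
# independent of its name, extension or icon.

# magic_kind FILE: print a coarse type derived from the first four bytes.
magic_kind() {
    # od -An -tx1 -N4 prints the bytes as hex pairs; strip the whitespace.
    m=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$m" in
        # image formats the file claims to be
        ffd8ff*)            echo image/jpeg ;;
        89504e47)           echo image/png ;;
        47494638)           echo image/gif ;;
        # what a .tgz really starts with
        1f8b*)              echo archive/gzip ;;
        # 32-bit Mach-O in PPC and Intel byte order
        feedface|cefaedfe)  echo exec/mach-o ;;
        # 64-bit Mach-O
        feedfacf|cffaedfe)  echo exec/mach-o ;;
        # universal (fat) binary; note a Java class file shares this magic
        cafebabe)           echo exec/mach-o-fat ;;
        7f454c46)           echo exec/elf ;;
        *)                  echo unknown ;;
    esac
}

# vet_picture FILE: "ok" when the content really is an image, otherwise a
# refusal line naming what the file actually is. Exit status follows suit.
vet_picture() {
    k=$(magic_kind "$1")
    case "$k" in
        image/*) echo "ok: $1 is $k"; return 0 ;;
        *)       echo "REFUSE: $1 is $k, not a picture"; return 1 ;;
    esac
}

# Usage when run directly, on the file that came out of the archive
# (hypothetical path):
#   vet_picture ~/Desktop/latestpics
```

Run `vet_picture` on whatever step 2 produced before doing step 3; a result of `exec/mach-o` for something sent as "pictures" is the alarm bell, and the check costs nothing because it never executes the file.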


Another factor has always been that your average hacker has a PC, not a Mac. Now that they have OS X running on generic PCs, that goes away...

Don't underestimate this. I predict Mac viruses sooner than later.

Luckily, it's harder to get code to execute without the user's knowledge/approval on a Mac than on a PC, as is evidenced by this thing.
posted by danb at 7:06 AM on February 16, 2006


They should have made it a dmg, since then steps 2 and 3 are automagically done for you.
posted by smackfu at 7:06 AM on February 16, 2006


I run as Admin - which I thought was safe, since with important changes to the System you are still prompted for the Admin password. Reading all this, it appears that my assumption was incorrect. Time to create a separate non-Admin account, I think.
posted by salmacis at 7:11 AM on February 16, 2006


smackfu said: They should have made it a dmg, since then steps 2 and 3 are automagically done for you.


Which is why you turn off that option in Safari under the Preferences: uncheck the option for "Open 'safe' files after downloading."

iChat does not automatically open downloaded files. It merely opens a Finder window to show you where the file downloaded to (usually the user desktop).

Mail.app asks you if you really want to open the document directly from the e-mail attachment or if you want to save the file before opening.

Virex is available for the Mac with daily updates available (if you use 3rd party download and install scripts, since McAfee thinks the Mac definitions only need to be updated monthly, while they update the unix definitions on the same schedule as the windows versions).


Also, if you are dumb enough to open a file someone just sends you without any details as to the content of the attached files, welcome to the Purgatory of Idiocy. Half the purpose of most "silly" virus and malware is to keep the lower rungs of the internet constantly learning (and to pad the pockets of end user tech support and high school kids everywhere. Ah, Darwin at work).

I'm a jerk. Yes. I'm well aware of this.
posted by daq at 7:20 AM on February 16, 2006


What does creating and using a non-Admin account do in terms of protection?
posted by Brandon Blatcher at 7:20 AM on February 16, 2006


salmacis said : I run as Admin - which I thought was safe, since with important changes to the System you are still prompted for the Admin password.

The only reason you should ever run on a daily basis as admin is if you are a server administrator and all you do day in and day out is manage services (meaning you don't surf from that account unless you're downloading updates or software packages) and you never read e-mail in that account (except maybe log reports). Of course, this idea is only beaten into mostly unix admins (and some linux kids). You really don't need to run as admin ever unless you _absolutely_ _positively_ _HAVE_ to run some legacy software that has been written poorly and requires more privileges than a standard user account provides (I love me some shareware, but I really wish everyone would read the "correct" way to secure applications and use the correct frameworks. For example, your preference files should be located in the user home directory, not in the same directory as the executable application. Gotta love those old OS 9 habits).

Yes, I've been running OS X since the public beta. I also have a NeXT slab sitting on the shelf behind me. Marvel in the awesomeness of my geek-fu.
posted by daq at 7:27 AM on February 16, 2006


Which is why you turn off that option in Safari under the Preferences: uncheck the option for "Open 'safe' files after downloading."

True, but defaults are all that matter in this kind of social-engineering trojan. (And honestly, I don't have that option turned off. I like it.)
posted by smackfu at 7:27 AM on February 16, 2006


smackfu said 'They should have made it a dmg, since then steps 2 and 3 are automagically done for you.'

Yeah, but its the step where you're warned it's an application that's key - something that purports to be an archive of images throwing that warning would set off alarm bells in my head, and there's no way I'd agree to running it (and it's not like I'm some sort of wild power user Mac guru...)

Brandon Blatcher said 'What does creating and using a non-Admin account do in terms of protection?'

Er, nothing, I would've thought.

smackfu said 'nothing prevents a program you run from deleting your entire iTunes and iPhoto library.'

Is that down to the permissions on stuff in the Home folder being a bit loose to make it easier for folk to do stuff (if you see what I mean, don't know the jargon...)?
posted by jack_mo at 7:34 AM on February 16, 2006


daq said 'The only reason you should ever run on a daily basis as admin is if you are a server adminitrator and all you do day in and day out is manage services'

Scratch my 'Er, nothing' above then! So what risks are there when running as admin all the time, daq? The only real reason I do so is that I'm the only person who uses my computer, so I've never had the need to set up a second account (not counting temporary ones when something has gone wrong and I'm trying to work out what) and the fact that I have to input my password/use sudo in the Terminal all the time gave me the vague impression that stuff was secure...
posted by jack_mo at 7:40 AM on February 16, 2006


Security through obscurity is no security at all.
posted by Artw at 7:45 AM on February 16, 2006


I call BS on this FPP (which is being saved by some good comments). No system will protect users from themselves. If you don't know enough to know when you are running malicious, executable apps, then, eat macaroni and cheese and give all your passwords to phishers. I am a computer bonehead and even I know how to avoid this stuff.

Also, what mkultra said.

Also, what effwerd said (which is from the FPP/Slashdot link).

As for FPP link to the "security primer," it goes to a Peachpit book. WTF?
posted by a_day_late at 7:50 AM on February 16, 2006


PS. daq, please provide some more theory as to why it is good policy to run normally from a standard account (not administrator).
posted by a_day_late at 7:55 AM on February 16, 2006


A day late is right. this is not a virus this is Social Engineering. Click the pretty picture and win a prize! reminds me of when I was 5 or 6 and one of the older kids in the neighborhood told me if I pulled the red lever I would get some candy...delivered by the firemen.
posted by Gungho at 7:59 AM on February 16, 2006


Mac users will never notice.

The whole point of a Mac is cluelessness.
posted by HTuttle at 8:04 AM on February 16, 2006


The key here, if I understand correctly, is that if you are not running as Admin, you will be prompted for the Admin password before any applications can be infected. If you are running as Admin, applications can be infected without requiring a password.

It does seem that a non-Admin user would have to be pretty stupid to fall for this. The request for a password would itself be a huge indication.
posted by salmacis at 8:08 AM on February 16, 2006


I call BS on this FPP (which is being saved by some good comments). No system will protect users from themselves.

Then it's probably a good idea to point this out to people, then yes? If people follow and read the links they'll get plenty of info and advice for avoiding this crap.

Request to fix the primer link has been sent. Posted wrong link, my bad.
posted by Brandon Blatcher at 8:13 AM on February 16, 2006


If you're not running as admin, it's impossible to effect changes at the system level since you lack the permissions and also lack the ability to promote yourself to that level of access. It won't stop you from messing up your local area through negligence or accident but the mess will be contained such that if things in your sandbox become insufferable, you can throw away the user account and create a new one. If the mess is at the system level you're faced with wiping your hard drives and re-installing. Also, if you cannot effect changes to system level files, chances are you're not allowed to muck around with system level services. This is another check on propagating infection.

It's also a good way to raise the barrier to installing new crap on your computer. It's one thing to sudo yourself as root and another thing entirely to have to [possibly] log out, log in as admin/root/etc and then install something. First, people are lazy so the extra effort is usually enough for them to decide screenshots of OSX.5 aren't worth the bother. Second, it gives you time to realize: WTF? Why should I have to go admin just to see some stupid JPGs? At that time visions of Admiral Ackbar start running through your head and you stop.

There are other good reasons, but these are the easiest to lay out and should be sufficient.
posted by Fezboy! at 8:17 AM on February 16, 2006


It's about fucking time someone wrote an OS X virus and got it into the wild. I'm really wondering what took them so long. After 16 billion flame wars about this topic, you would've thought it would come much faster, but no.

Mac users will never notice. The whole point of a Mac is cluelessness.

Which is my point: if you're a hacker, and you hate Mac users, you think they're all a bunch of idiots with way too much disposable income to use on their shiny computers, why wouldn't you want to write something that exploits that? And how come no one has until now? (And even this one is weak by PC standards.)

Could it be they're not as stupid as you assume? Or that you get what you pay for?
posted by fungible at 8:24 AM on February 16, 2006


At that time visions of Admiral Ackbar start running through your head and you stop.

Bad analogy. Ackbar is damn hot, for a walking, talking fish.
posted by Brandon Blatcher at 8:30 AM on February 16, 2006


It's a Trap!
posted by Fezboy! at 8:36 AM on February 16, 2006


Thank you Fezboy! for giving the most obvious answers that I failed to include in my previous nerdocity.

And OS X is not security through obscurity. AES-128, last I checked, was good hard encryption. They do have a few "user" issues (like allowing empty passwords or allowing simple dictionary passwords, as basic examples), as well as framework problems (gotta love that ATS services. Really, I just love font caching. Love it. To death.).

Oh, and the beauty of LDAP and Kerberos. I have love in my heart for all things that expire.
posted by daq at 8:37 AM on February 16, 2006


The key here, if I understand correctly, is that if you are not running as Admin, you will be prompted for the Admin password before any applications can be infected.

Nah, even if you are running as Admin, you'll be prompted for your Admin password in this case.

Fezboy!: so basically you're saying that, assuming the user is not a total idiot, running as Admin is okay?

I'd really like to know what those 'other good reasons' are, and why daq said above that only sysadmin types should be running as Admin all the time (which is the default state when you install OS X, as far as I recall, another reason I assumed it's cool.) Maybe I'll hit up AskMe later...
posted by jack_mo at 8:49 AM on February 16, 2006


Nah, even if you are running as Admin, you'll be prompted for your Admin password in this case.

That's what surprised me. As far as I can tell, a user running as Admin is not asked for a password in this particular case. If I'm wrong in this, then I can't really see an issue in running as Admin. At the moment, details are still sketchy.
posted by salmacis at 8:54 AM on February 16, 2006


jack_mo, I'll try and answer this, but it seems to have been pretty well covered above. If that answer is not good enough, then the best we can say is "we warned you". Always assume the user is an idiot. Including yourself. Unless you wrote the OS (which is not impossible, just really, really tedious), you probably don't know everything there is to know about the system (well, you might know it all, but you didn't think your buddy would send you something that might possibly be harmful and delete all your files in your home directory). If your only account on the machine is the admin account, and that account gets hosed for some reason (any reason, I mean something as dumb as forgetting your password, or your 3 year old banging away on the keyboard and "accidentally" somehow, miraculously, changing your one and only password) you have no recourse but to a) either do the smart thing and boot from an install CD and reset the password (if that happens to be the only problem) but more than likely you need some kind of administrative access to the system to fix whatever the problem is or troubleshoot the issue. This is why you have the admin account that is almost never used for anything except system administrative things. There's less chance of that account being compromised and since it is the admin account, you can pretty much guarantee you will have all the privileges you need to troubleshoot and fix a problem with your normal user account.

Sorry, it's one of those things I try to explain to people on a pretty regular basis. I still laugh (oh, do I ever laugh. I laugh loud and long and in their faces for added effect) when they complain that they can't seem to fix a problem because they a) don't have another account on the system, b) have been running as admin all the time and needed to clear some disk space so they went into the terminal and deleted these hidden folders that they didn't want on their computer called /var /etc /private because they didn't see anything in them that they used.

Man, I'm feeling off today. Must be the weather.
I really don't do any of that. Except the repetition of these reasons why you don't run as admin.

Another fun and overly technical reason not to run as the initial user that is set up on the machine. By default, that user account is given the UID (User Identification) of 501. A lot of services and scripts for admin access are actually hard coded to only run if the UID is 501 (for Mac OS X Server mostly, but it does affect some 3rd party programs and services in Mac OS X Client). It doesn't matter if the account is set to be an admin or not, if they are not the initial admin account with the proper UID, it "breaks" those services.

Anyway. If this makes any sense, please let me know. Otherwise I might have to rewrite it until it does.
posted by daq at 9:34 AM on February 16, 2006


jack_mo writes "
"Fezboy!: so basically your saying that, assuming the user is not a total idiot, running as Admin is okay?

It's an unnecessary gamble. I'm [self-professedly] nowhere near 'total idiot' but do not run as admin or, on linux, in the wheel group. Some analogies:

"If I don't drive like a total idiot, I don't need to wear a seatbelt."
"If I'm not a total idiot about open flames in my home I don't need a smoke detector."
"If I live in a nice neighborhood I don't need to lock my doors."
etc...

At some level I'd say, "okay, you're right." But then, why invite problems unnecessarily? Again, I'm a relatively experienced computer user and even have some experience doing sysadmin but in a moment of recklessness enabled an email-delivered virus while bulk-opening email attachments (law faculty understand email, they don't quite seem to get network drives). Had I been running as admin my machine would have been toast. Since I wasn't all I had to do was tar my personal files and dump them in a chroot jail, trash my old account, create a new account, and bring my personal files across as they passed a virus scan.

or, basically what daq said...
posted by Fezboy! at 9:50 AM on February 16, 2006


daq, you had me up to this point:

Another fun and overly technical reason not to run as the initial user that is set up on the machine. By default, that user account is given the UID (User Identification) of 501. A lot of services and scripts for admin access are actually hard coded to only run if the UID is 501 (for Mac OS X Server mostly, but it does affect some 3rd party programs and services in Mac OS X Client). It doesn't matter if the account is set to be an admin or not, if they are not the initial admin account with the proper UID, it "breaks" those services.

Re; daily use, is your advice to:

A. Do not use the initial user account
B. Do not use ANY administrative account or the initial user account
C. Use any account that is not administrative and have an administrative account at the standby for emergencies and system stuff
D. Some combination of the above or something wholly different
posted by a_day_late at 10:02 AM on February 16, 2006


At some level I'd say, "okay, you're right." But then, why invite problems unnecessarily?

Convenience? Unless things are set up really well, not being root will always make things a little more of a hassle.
posted by delmoi at 10:55 AM on February 16, 2006


a_day_late -

recommended usage = when you install the OS, set up the first account as something generic like "admin" or "localadmin" with a secure (but something you'll remember easily without having to write down anywhere) password. Once that account is set up, set up your own account. You can make your account an admin account as well, or not, but remember that if you do, you have the ability to royally mess up your system. If you want to feel more secure and not have to worry too much about it, just run as a standard user.

So, for the most part, A, B, C, but not quite D.
posted by daq at 10:59 AM on February 16, 2006


Argh. I'm a reasonably smart fellow, but I still don't understand this hoopla over the Admin account. On the surface, I can *certainly* understand why I shouldn't be running as admin. But then I read daq's words, and he's telling me that if I *don't* run as Admin, a bunch of stuff will quit working.

I ran this through Terminal:
$ id
uid=501(fish) gid=501(fish) groups=501(fish), 81(appserveradm), 79(appserverusr), 80(admin)


I can easily enough make an account that will also belong to groups 79, 80, and 81. And thus it, too, would be an Admin account. I can password protect it quite well, too, as I wouldn't expect to need to use it except on exceedingly rare occasion (right?!)

Then I can remove my primary, uid 501 account from groups 79, 80, and 81, thus turning it into an ordinary user account. I can continue with the weak password, on the trust that there's nothing so special about its capabilities and data.

But if I do that, am I going to hose a bunch of applications?
posted by five fresh fish at 11:34 AM on February 16, 2006


And if I'm barking up the wrong tree there, then what should I do?
posted by five fresh fish at 11:37 AM on February 16, 2006


Hey, my sort of boss wrote that!
posted by Captaintripps at 12:54 PM on February 16, 2006


delmoi writes: "Convenience? Unless things are set up really well, not being root will always make things a little more of a hassle."

As opposed to setting things up right in the first place? And the hassle part is a feature, not a bug—it gives the Ackbar Reflex time to kick in.

But I'm not the one who will be there to help *you* clean up in the event of an accident. I'm not here to convert you. I just wanted to help explain the advantages of not running as root since someone asked. If you know the risks (as you probably do, delmoi) and elect to go run as root anyway, then you'll also know why some geeks around the Jolt Cooler will chuckle if/when things go awry.
posted by Fezboy! at 1:52 PM on February 16, 2006


I suspect this will go much the same way as Windows. Just have a decent virus/malware checker. My Windows systems and those of all the companies I freelance for haven't been infected, trojaned, wormed, whatever, in years.

OS X doesn't have some of the key holes in it that Windows has obviously but if it's not a worry or much of a deal on Windows it won't be a dramatic deal with the Mac. Protection is relatively easy. However, for commodity computer users, it may be a problem. They're not idiotic as was implied above, there are just some people who use and view a computer as a commodity tool.

There goes the old joke about the reason there hasn't been a virus on OS X is because certain Mac users go out of their way to make you associate unpleasantness with the Mac.
posted by juiceCake at 2:21 PM on February 16, 2006


the Ackbar Reflex

Brilliant!
posted by five fresh fish at 3:56 PM on February 16, 2006


There seems to be a bit of confusion over what the OS X admin accounts can and can't do, probably linked to the Windows situation -- which is both idiotic and different.

On the Mac, unless you're actually logged in as root (which would be monumentally stupid and is tricky to do), you're always subject to restrictions. The only difference is that when an authorisation box pops up, if you're logged in as admin it will already have your name filled in.

Daq's example that makes him laugh so, of a user running as admin, logging into the terminal and deleting /private, is irrelevant to this discussion, because you'd have to sudo to do it anyway, and you can do that from any level of account.

There is of course an argument for keeping a second admin login account on your mac, in case you fuck your own one up, but that's not an argument for not running as admin.

Neither is this virus. Sure, if you ran a program as admin it could delete all the files in your home directory. If you ran one as a standard user it could ... delete all the files in your home directory. If you authorised it as an admin user it could also delete all your system files, but who cares? The files you actually care about are those in your home folder, and they're at risk whatever you do.

jack: run as admin, it's fine. Setting up a standard account is just not worth the hassle. It's one of a set of pointless things done by people with Too Much Time, like repairing permissions before installing software updates.
posted by bonaldi at 6:32 PM on February 16, 2006


bonaldi is right (as far as I know). From what I remember, it's somewhat esoteric (tricky, as bonaldi says) to actually create a root user account. I think it involves (aside from using a shell) NetInfo Manager. At least that's what I remember from looking into this stuff way back when with OSX Beta. Don't know if that still applies. What's more, the root user is even limited in some respects (in OSX), e.g. I don't think running 'rm /' as root from a shell would just blindly execute and wipe your HD.

The basic advice I've incorporated since is just to never enable the root user account.
posted by effwerd at 7:20 PM on February 16, 2006


bonaldi, nice post. Might I add here how cheap HDs are nowadays? There is no reason not to have a duplicate of your entire internal HD on an external HD. I keep my firewire HD offline until I am ready to run my back up. In case of system hosing that is noticed on the spot, I will have a pretty good recovery path. I also keep another HD in a safe deposit box and swap it out about once a month. Additionally I run alternating (2) incremental back ups of my home folder to DVD--in case of file corruption or other unpleasantness. I am careful about the virus stuff but I am even more careful about the back ups and that surely allows me to sleep easier.
posted by a_day_late at 7:55 PM on February 16, 2006


Cheers bonaldi - you cleared up what I wasn't understanding from the scaremongering (or, rather, confirmed what I did get - you can't mess stuff up without giving your password or sudo-ing).

I take daq's general points, though, and might set up a secondary account just in case, but since I have a bootable backup of my laptop on an external drive that updates every night, if everything went tits up in the way he describes, it wouldn't really be a hassle. (If you don't back up that often, I can tell you an unfortunate story involving a can of beer, and an unfortunate story about a faulty logic board...)
posted by jack_mo at 9:28 PM on February 16, 2006


How can I check that there's no root-enabled user on my system? A simple check of the /etc/passwd file?
posted by five fresh fish at 10:40 AM on February 17, 2006
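Two questions in this thread go unanswered in it: five fresh fish's `id` output and whether that account is an admin one, and the question just above about checking for a root-enabled user. As an added example (not from the thread or any of its posters), here are two portable checks in POSIX shell plus awk. Assumptions: the admin group is 80(admin) and wheel is 0(wheel), as in the `id` line posted above; the passwd-format parser should be fed the real account database, which on OS X 10.4 means `nidump passwd .` rather than /etc/passwd (the latter is not authoritative there and shows `*` for accounts that live in NetInfo); and a password field of `x` (the Linux shadow marker) or a run of asterisks (which I take to be the NetInfo shadow-hash marker; assumption) means the hash is stored elsewhere and must be checked there. The constructed sample lines in the usage notes are not real accounts.

```shell
#!/bin/sh
# Added example (not from the thread): two portable account checks, sh + awk.
# Assumption: admin membership shows up as 80(admin) or 0(wheel) in `id`.

# is_admin_id "<one line of id output>": prints admin or standard and
# returns 0 or 1 accordingly.
is_admin_id() {
    printf '%s\n' "$1" | awk '
        {
            sub(/^.*groups=/, "")            # keep only the groups= list
            n = split($0, g, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (g[i] ~ /^(80\(admin\)|0\(wheel\))$/) { print "admin"; exit 0 }
            print "standard"; exit 1
        }'
}

# audit_uid0: read passwd-format lines (name:passwd:uid:gid:...) on stdin,
# report every uid-0 account, and end with one VERDICT line:
#   ok                  only root has uid 0 and its password field is locked
#   root-enabled        a uid-0 account can log in, or a second uid-0 exists
#   check-shadow-store  root's hash lives elsewhere (x or ********, assumed
#                       to be the shadow markers), so look in that store
# On OS X 10.4 feed it `nidump passwd .`; on Linux, /etc/passwd then /etc/shadow.
audit_uid0() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        $3 == 0 {
            if ($2 == "")                { s = "EMPTY password: logs in with no password"; bad++ }
            else if ($2 ~ /^(x|\*\*+)$/) { s = "hash kept in shadow store (verify there)"; shadow++ }
            else if ($2 ~ /^[*!]/)       { s = "locked, no usable password" }
            else                         { s = "password hash present: root login enabled"; bad++ }
            if ($1 != "root")            { s = s " [extra uid-0 account]"; bad++ }
            printf "%s: %s\n", $1, s
        }
        END {
            v = "ok"
            if (shadow > 0) v = "check-shadow-store"
            if (bad > 0)    v = "root-enabled"
            print "VERDICT: " v
        }'
}

# Usage when run directly: classify the current account, then audit the
# local passwd file (substitute `nidump passwd .` on OS X 10.4).
is_admin_id "$(id)" || :
if [ -r /etc/passwd ]; then audit_uid0 < /etc/passwd; fi
```

The point of the second check is that the uid, not the name, is what makes an account root: a dump containing a second uid-0 entry (say, one named `toor` with an empty password field) is flagged even though the `root` line itself is locked. Pipe in a constructed line such as `root:*:0:0::0:0:System Administrator:/var/root:/bin/sh` to see the "ok" verdict, and change the second field to a hash to see it flip.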

