journal: mac

Mac OS X Trojan Alert: This is NOT a Drill! [UPDATE]

It looks like there is a piece of OS X malware floating around!

A couple of nights ago, a user posted a file entitled “latestpics.tgz” in a thread on MacRumors.com’s forums, disguising it as a Mac OS X 10.5 (Leopard) screenshot. The decompressed file sports a JPEG icon but is in fact an executable. Double-clicking it launches the Terminal, prompts for an administrator password (according to the later analysis, only when the current user is not already an administrator), then runs the executable. It is unknown at this time what damage, if any, is caused by this apparent trojan; it may very well be a proof-of-concept and nothing more. Also, it does not exploit a flaw in OS X as far as anyone can tell, but instead relies on social engineering to run and spread. It is also PowerPC-only and will not run on Intel-based Macs.

There have been a few unconfirmed reports of the trojan spreading through iChat or other instant message clients.

Andrew Welch of Ambrosia Software is working on deconstructing the trojan in Ambrosia’s forums.

If you’ve been infected by this trojan and have any further information, please post a comment or email us.

This may be obvious to many readers, but please use caution when downloading files! Do not download a file called “latestpics.tgz”! When you download any compressed file, check the decompressed file’s Kind in the Get Info window before opening it: an application dressed up with a picture icon still shows as an application, not as a JPEG image. For day-to-day use, work from a non-administrator user account, so that anything you launch by mistake has to ask for a password it does not have, or at the very least turn on “Show all file extensions” in Finder Preferences so that a missing or misleading extension is visible. I know that Mac users like myself can get complacent since we’re not usually the target of malware, but be careful out there, surf safely, and don’t panic.
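As an added example, not code from the original post or from Welch’s analysis: a small POSIX shell script that performs the checks recommended above from the command line, classifying files by their leading magic bytes instead of by icon or name, and listing archive members that carry an execute bit before anything is extracted. The archive it inspects is constructed inline and is not the real latestpics.tgz; its members hold only the four-byte JPEG and Mach-O magic numbers, no code.

```shell
#!/bin/sh
# Added example (not from the original post): judge a download by its bytes,
# not by its icon or file name. The sample archive is constructed below; it is
# NOT the real latestpics.tgz and contains only magic numbers, no executable code.

# Classify a file by its first four bytes. Prints one of: jpeg, macho, script, unknown.
file_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)                                      echo jpeg ;;    # JPEG SOI marker
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) echo macho ;;   # Mach-O: PPC/x86, 32/64-bit, fat
        2321*)                                        echo script ;;  # "#!" interpreter line
        *)                                            echo unknown ;;
    esac
}

# List archive members that carry any execute bit, without extracting anything.
# A "picture" that is executable is exactly the giveaway described in the post.
executable_entries() {
    tar tvzf "$1" | awk '$1 ~ /^-..x/ || $1 ~ /^-.....x/ || $1 ~ /^-........x/ { print $NF }'
}

# Walk an extracted directory and print "name: claimed/actual" for every file
# whose name claims to be a JPEG but is not, or that has no image extension yet
# contains a Mach-O binary or an interpreter script.
mismatches() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(file_kind "$f")
        name=$(basename "$f")
        case "$name" in
            *.jpg|*.jpeg) [ "$kind" = jpeg ] || echo "$name: jpeg/$kind" ;;
            *)            [ "$kind" != macho ] && [ "$kind" != script ] || echo "$name: none/$kind" ;;
        esac
    done
}

# Build the constructed sample: a file with a real JPEG header, and a four-byte
# file carrying the big-endian Mach-O magic 0xFEEDFACE (as a PowerPC binary would),
# marked executable and given no extension so that an icon could lie about it.
make_sample() {
    dir=$(mktemp -d)
    printf '\377\330\377\340' > "$dir/real.jpg"
    printf '\376\355\372\316' > "$dir/latestpics"
    chmod 644 "$dir/real.jpg"
    chmod 755 "$dir/latestpics"
    ( cd "$dir" && tar czf sample.tgz real.jpg latestpics )
    echo "$dir"
}

# Demonstration run on the constructed sample.
dir=$(make_sample)
echo "executable members of sample.tgz:"
executable_entries "$dir/sample.tgz"
echo "name/content mismatches after extraction:"
mismatches "$dir"
rm -rf "$dir"
```

Run it against a real download by pointing `executable_entries` at the .tgz before extracting and `mismatches` at the directory afterwards; an entry such as `latestpics: none/macho` is the command-line equivalent of Get Info reporting “Application” where you expected “JPEG image”. The magic-number table is deliberately short; `file(1)` on OS X performs the same test with a far larger table, but the point here is that the icon and the extension are both attacker-controlled and the bytes are not.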

UPDATE: Andrew Welch has updated his analysis of the trojan. This malware is considered a proof-of-concept; from all accounts, it seems that this trojan does nothing but self-propagate and “unintentionally prevent infected applications from running,” as Welch puts it. Kudos to Andrew for his analysis and for calming some anxiety.

Note: this is not the first Mac OS X trojan; previous ones include the “Virus.mp3” proof-of-concept and the “Office 2004 Web Installer,” which was a script that deleted a user’s home directory.

More Info

MacRumors article: “The First Mac OS X Virus? (New OS X Trojan)”
The thread where the trojan first appeared
MacRumors Forums: “A Mac Virus?”
Andrew Welch disassembles the trojan




thinkback

1.

Tracked: Eeek. Gasp.

This is sure to make the top news in the Mac world today: First Mac Virus Discovered. Technically speaking, the headline's wrong -- the malware in question is a script that tries to pass itself off as an image. According to Deep Thought, when a user clic

Tracked on: Electric-Escape.net at 16-Feb-06 10:02 AM

2.

I don’t understand. They specifically state that there is a bug in it and it doesn’t propagate itself. It looks like it’s designed to propagate itself, but it doesn’t work.

I guess OS X has become common now? :)

3.

C’mon, it opens a terminal asking for admin rights…

How many JPEGs do that?
Basically you could classify any executable with a custom icon as a virus.

Paste a custom JPEG icon on iTunes: “hey, it’s no picture, it’s a virus that plays music!”
Duh.

4.

Except if this thing does propagate itself to your Address Book (this one doesn’t) or your iChat Buddy List (this one supposedly does), I would call it a virus.

It does require quite a bit of interaction by the end user, as you point out, but I would definitely call this the first virus if it propagates itself.

I noticed that it requires OS 10.4, so I’m guessing that whatever mechanism this is using to attach itself to an IM and send it to your buddies is new to OS 10.4, which fully supports my position that there weren’t any viruses on OS X because of the OS design and not the fact that it’s not as common as Windows.

BTW, if you double-click on a .app that you think is a .JPEG, OS X always comes up with a dialog to tell you that you are about to launch a new application and whether or not you want to continue.

5.

C’mon, it opens a terminal asking for admin rights…

“It requires the admin password if you’re not running as an admin user” --Andrew Welch

BTW, if you double-click on a .app that you think is a .JPEG, OS X always comes up with a dialog to tell you that you are about to launch a new application and whether or not you want to continue.

From what I’ve seen over at MacRumors, it doesn’t sound like this is the case; it seems like it just runs without that dialog. Most of the regular posters on MacRumors--including some who opened this trojan--are tech-savvy people and would have caught that.

And it requires 10.4 because it uses Spotlight, apparently.

If you haven’t already, be sure to read this:
http://www.ambrosiasw.com/forums/index.php?showtopic=102379
It sums everything up nicely.

