Free Republic

'Macarena' Virus Targets Macs
TechWeb - Technology News ^ | 11/03/2006 | By Gregg Keizer

Posted on 11/03/2006 6:07:42 PM PST by Swordmaker

Source code for a Mac virus has gone public, a security company warned Friday, and although the original doesn't carry a malicious payload, more dangerous variants can be expected.

The virus, dubbed "OSX.Macarena" by Symantec, targets some, but not all, Mac OS X Mach-O executables. Mach-O is the format used by Apple Computer Inc.'s operating system for native executables, libraries, and object code. According to Symantec, OSX.Macarena isn't designed to infect PowerPC Mach-O binaries, nor Universal binaries, those meant to run on both the PowerPC and Intel Mac platforms.

"Although methods of infecting Mach-O binaries have been publicly available for some time, this marks the first known fully functional Mach-O file infecter [sic] virus," Symantec noted in an alert to customers of its DeepSight threat network on Friday. "The source code for this virus is publicly available and as such it is possible that variants may be trivially developed to extend the viruses [sic] functionality."

The virus affects both client and server editions of Mac OS X from 10.0.0 through 10.4.8; the latter is the most current version of the Apple operating system.

The SANS Institute's Internet Storm Center (ISC) downplayed the significance of the Mac virus. "To be honest the virus is no big deal in itself. But it is yet another warning," wrote ISC analyst Swa Frantzen on the team's Web site.

"It is a warning to get anti-virus protection for those Macs, even if the shopkeeper told you you do not need it, even if there are no viruses in the wild today, even if it's hard to buy it, and even if the vendors seem not to know what they talk about," Frantzen added.

Symantec has pegged OSX.Macarena with its lowest-possible threat rating.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: macvirus; security
Others are recognizing this as more FUD from Symantec...

Macarena: once again no more than a demo virus for Mac OS X

Heise Security UK

Symantec has been predicting for quite a while now that virus authors would increasingly dedicate their attention to the Mac platform and that Macs were becoming a tempting target for hackers. However, a newly discovered Mac OSX virus is hardly the firewall breach that the antivirus software makers have been prophesying.

The malware, dubbed "Macarena" in tribute either to the summer music hit of 1996 or to the game Quake Arena, has a certain proof-of-concept character to it, Symantec reports. What exactly that means is not cogently explained in Symantec's virus description. The virus nevertheless infects other data in the folder in which it is started, regardless of extension. It appears not to possess an internal processing routine of its own. It may require the aid of the user to spread it by sending it out by mail or passing it via removable storage media.

The distribution of the 528 Byte bug is low; while Symantec does not provide an estimate, somewhere between zero and 49 infections are believed to have been reported. It is also unclear where it came from. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating the system restoration (Windows ME/XP). This passage was removed in an updated version.

Back in the middle of the year, McAfee diagnosed a strong rise in vulnerabilities in Mac OS X. While it is true that none of the bugs for Mac OS X had managed to achieve wide dissemination, this has typically reflected programming errors by the virus authors and the still-minor market share of the OS. Exploit code for the Mac is easy to find on the internet, the security vendor claims, which makes it likely that Mac OS X will soon be faced with the same plagues as Windows: botnets, spyware, spam and DDoS attacks. For their part, Mac partisans note that they are still waiting for the first hard proof.

Please see also:

OSX.Macarena, virus report from Symantec.

Symantec provides no evidence how this can spread. They do not describe how it runs; does it require the user to execute it or does it run by itself - which is highly unlikely. If it comes attached to an OS X executable then it is merely another Trojan Horse.

"According to Symantec, OSX.Macarena isn't designed to infect PowerPC Mach-O binaries, nor Universal binaries"

Apparently ALL non-Intel PowerPC Macs and Universal apps (those that run on both Intel and PowerPC Mac) are immune from OSX.Macarena - leaving only those few non-universal Intel apps vulnerable.

Finally, Symantec's rating of "Very Low" and Number of infections as "0-49" and web site as "0-1" would indicate to me that NO ONE has been infected and someone sent in some proof-of-concept code, that if installed in a directory on a Mac, could append itself to the files in that directory. There is no evidence at all that this was discovered in the "wild".

It is interesting that Symantec's advisory on how to avoid this malware is boilerplate for PCs...

Ergo, this is FUD.

1 posted on 11/03/2006 6:07:43 PM PST by Swordmaker
[ Post Reply | Private Reply | View Replies]
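
Added example, not part of the thread or of Symantec's advisory: the PowerPC, Intel and Universal distinction discussed in post 1 can be read from the first bytes of a file. This Python code classifies a header that way; `in_reported_scope` and the sample headers are constructed for illustration and encode only the scope statement quoted above (thin, non-PowerPC Mach-O).

```python
import struct

# Header constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin 32-bit / 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE                           # Universal container, big-endian on disk
ABI64 = 0x01000000                               # CPU_ARCH_ABI64 flag
CPU_NAMES = {7: "i386", 7 | ABI64: "x86_64", 18: "ppc", 18 | ABI64: "ppc64"}
FAT_ARCH_SIZE = 20                               # five 32-bit fields per fat_arch entry

def classify(data: bytes):
    """Return (kind, [architectures]) from the first bytes of a file."""
    if len(data) < 8:
        return ("not-macho", [])
    first, second = struct.unpack(">II", data[:8])
    if first == FAT_MAGIC:
        # Java .class files share this magic; their second word holds a
        # version number of 45 or more, so a large count means "not Universal".
        if not 0 < second < 45:
            return ("not-macho", [])
        archs = []
        for i in range(second):
            entry = data[8 + i * FAT_ARCH_SIZE: 8 + (i + 1) * FAT_ARCH_SIZE]
            if len(entry) < FAT_ARCH_SIZE:
                break  # truncated header: report what was readable
            cputype = struct.unpack(">I", entry[:4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return ("universal", archs)
    # Thin files store the header in the target CPU's byte order:
    # big-endian for PowerPC, little-endian for Intel.
    for order in (">", "<"):
        magic, cputype = struct.unpack(order + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return ("thin", [CPU_NAMES.get(cputype, hex(cputype))])
    return ("not-macho", [])

def in_reported_scope(data: bytes) -> bool:
    """True for thin, non-PowerPC Mach-O: the class the quoted report leaves in scope."""
    kind, archs = classify(data)
    return kind == "thin" and not archs[0].startswith("ppc")

# Constructed sample headers (not taken from real files).
SAMPLES = {
    "thin-ppc": struct.pack(">II", MH_MAGIC, 18),
    "thin-i386": struct.pack("<II", MH_MAGIC, 7),
    "universal": struct.pack(">12I", FAT_MAGIC, 2, 18, 0, 4096, 100, 12, 7, 3, 8192, 100, 12),
    "java-class": bytes.fromhex("cafebabe00000032"),
    "script": b"#!/bin/sh\necho hi\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob), in_reported_scope(blob))
```
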

To: 1234; 6SJ7; Action-America; af_vet_rr; afnamvet; Alexander Rubin; anonymous_user; ...
'Macarena' Virus Targets Macs...

I think it's another proof of concept not in the wild.

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 11/03/2006 6:09:48 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Symantec Reports on Mac OS X Virus

By Nate Mook, BetaNews

November 3, 2006, 1:33 PM

Security firm Symantec on Friday detailed a new proof-of-concept virus that has surfaced for Mac OS X. Although the malware is not in the wild and is rated a very low risk, researchers say it highlights the fact that no operating system is immune from viruses.

Dubbed OSX.Macarena, the virus infects files in the current folder on the compromised computer. Symantec has updated its definition files to remove the virus and repair the files, although it's unlikely even one Mac OS X system has been affected as of yet.

Apple has long touted the security of its operating system as a key advantage over Windows, which has seen a constant bombardment of viruses and other malware for years. Although such proof-of-concept viruses have appeared in the past, Macs have been spared from actual real world attacks.

But that doesn't mean users should let their guard down says Swa Frantzen from the SANS Internet Storm Center. "To be honest the virus is no big deal in itself. But it is yet another warning for a lot of parties involved," said Frantzen, who noted there is no "magic shield" for the Mac.

"As we said before the ability to have viruses and all sorts of other malware is inherently available in all modern operating systems, Mac, Linux, BSD, ... included," Frantzen added. "It is a warning to get antivirus protection for those Macs, even if the shopkeeper told you you do not need it, even if there are no viruses in the wild today."

The problem with spreading Malware on a Mac is how does the malware writer find a vector for it... how does it spread from one Mac to another without involving the user through psychological means.

3 posted on 11/03/2006 6:21:20 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker
...if installed in a directory on a Mac, could append itself to the files in that directory.

...by affirmative act of the user and not automatically or surreptitiously, right?

What a load of bull seed!

4 posted on 11/03/2006 6:24:57 PM PST by Petronski (CNN is an insidiously treasonous, enemy propaganda organ.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
The problem with spreading Malware on a Mac is how does the malware writer find a vector for it... how does it spread from one Mac to another without involving the user through psychological means.

Indeed. Subverting the system with user intervention is most likely what you'll see. I'm not a Mac guy, and don't play one on TV, so I'd like to know something about the way that OSX handles attachments and the like. On Linux, when you save a file attachment or download something, if you want it to execute you must chmod it to run. This is one of those things that makes unix systems safer than MS-Windows which executes based on file extensions. Does OSX do anything to eliminate this step? I'd kind of be surprised if they did, as it breaks a lot of security models.

You can include execute permissions inside a tar or zip file, but you still have the intermediate step of extracting before you'd be able to run it. Even then, this doesn't break user-level security, as you can't elevate your own permissions just because those permissions had been set in the tar. Granted, you can wipe your own stuff out if you do something stupid, but there is nothing you can really do about that, as a user generally will have write permissions on his own data pretty much no matter what.

 

5 posted on 11/03/2006 7:17:31 PM PST by zeugma (I reject your reality and substitute my own in its place. (http://www.zprc.org/))
[ Post Reply | Private Reply | To 3 | View Replies]

To: zeugma

If you download an executable file on a Mac, the system comes up with a message asking if you're sure you want to download it. It then appears in a disk image and you have to double click on the installer to run it. It will ask for your password when you run the installer to upgrade privileges sufficiently to install it.

I don't think there is as much protection if you download an executable in an email. Then again, I don't remember ever receiving a Mac executable in an email so it may not be considered a useful vector.

In any event, you would have to actually download and deliberately run it for it to work. There is no system that allows for a "drive by download" because the Mac has no equivalent to Active-X controls.

Microsoft's decision to make Internet Explorer integral to the operating system appears to have been the worst possible security mistake. There is no technical reason to make a web browser capable of updating the OS. In MacOS X, system updates are performed in a way entirely unrelated to the web browser and so there is no way a web browser can update the OS.

The ability to make Windows Update work from the web forces horrible security vulnerabilities since it means that Windows has to be updateable from the browser environment. Browser helper objects, the things that create those ghastly popups, can be downloaded automatically thanks to these same technologies.

Since there's nothing like them on the Mac, the Mac is inherently far more secure than a Windows machine.

In addition, the Mac's email software does not have a JavaScript interpreter and so you can't script emails. Outlook was fully scriptable via emails, which again was a huge and very costly mistake.

Did that help?

D


6 posted on 11/03/2006 7:28:21 PM PST by daviddennis
[ Post Reply | Private Reply | To 5 | View Replies]

To: Swordmaker
Wooooooo! I am posting this from my brand new Mac Book Pro 17 inch! It is as of this posting, virus free.
7 posted on 11/03/2006 8:02:33 PM PST by coon2000
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Pardon me, but I would like to target your mac for a virus. Please give me your admin password and let me sit with your computer for about a half hour.

(Fools. They'll never know what hit them!)


8 posted on 11/03/2006 8:15:03 PM PST by SlowBoat407 (A living insult to islam since 1959)
[ Post Reply | Private Reply | To 1 | View Replies]

To: daviddennis
Did that help?

Yup. Thanks! 

9 posted on 11/03/2006 8:22:06 PM PST by zeugma (I reject your reality and substitute my own in its place. (http://www.zprc.org/))
[ Post Reply | Private Reply | To 6 | View Replies]

To: Swordmaker

I have a question about firewalls/virus protection: I recently bought a new MacBook and am wondering if I need protection beyond what is installed on the machine?? I'm also running a 2000 iBook with Linksys; what additions do I need here? (I'm a computer pre-schooler, so simple terms are needed!)


10 posted on 11/04/2006 5:21:06 AM PST by sarasota
[ Post Reply | Private Reply | To 1 | View Replies]

To: sarasota
what additions do I need here?

Nothing. Just make sure that your internal Firewall is turned on... and you are good to go. The firewall is controlled from the System Preferences - Internet & network - Sharing option.

The other thing I do for all of my Mac using clients is set up a "Standard User" account for every day work... save the "Administrator User" for installing software and housekeeping when necessary.

A "Standard User" can do everything on the Web, run all software, etc., but cannot modify the Applications directory or any system files, or install software without providing an Administrator's username and password. That way, if some future hypothetical malware that can evade the Mac's industrial strength security IS downloaded by the Standard User, the only thing that can be affected is the user's files.

The easy way to do this is to create a new account, make it the Administrator Account, then change your existing account from Administrator to Standard. Don't forget the Administrator account password...

11 posted on 11/04/2006 11:02:57 AM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Swordmaker

Good Lord, the firewall is turned off! How do I get it turned on? And what about the list of options under the Allow screen?


12 posted on 11/04/2006 11:07:22 AM PST by sarasota
[ Post Reply | Private Reply | To 11 | View Replies]

To: Swordmaker

Re: #12, I fixed it.


13 posted on 11/04/2006 11:50:18 AM PST by sarasota
[ Post Reply | Private Reply | To 11 | View Replies]

To: sarasota
Re: #12, I fixed it.

Nothing to worry about... as an experiment, I have been running without a firewall on my Mac G5 for over six months to see what would happen (everything is backed up, of course), and so far, nothing has happened. Hackers hit and bounce.

14 posted on 11/04/2006 5:22:42 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Swordmaker

That's good to know. Another question. When I went to eBay this evening they advise I upgrade to Firefox. Do you think this is a good idea? (iBook 2000 w/OS X, Safari 1.) Or should I upgrade Safari?


15 posted on 11/04/2006 6:22:32 PM PST by sarasota
[ Post Reply | Private Reply | To 14 | View Replies]

To: sarasota
Do you think this is a good idea? (iBook 2000 w/OS X, Safari 1.) Or should I upgrade Safari?

What OS X version are you running? If it is OS X.4 (Tiger) just use the Software Update under the Blue Apple on the menu bar and you will have the latest and greatest Safari. eBay works fine with Safari.

You can download and try Firefox 2.0 if you like... it can be used when some Microsoft software created websites refuse to play nice because MS uses non-standard HTML.

16 posted on 11/04/2006 7:28:43 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Swordmaker

I'm on OS 3.9. Is the OS 4 available free? Also, since I never use Explorer, should I just get it off my computer??


17 posted on 11/05/2006 5:33:08 AM PST by sarasota
[ Post Reply | Private Reply | To 16 | View Replies]

To: Swordmaker
According to Symantec, OSX.Macarena isn't designed to infect PowerPC Mach-O binaries, nor Universal binaries, those meant to run on both the PowerPC and Intel Mac platforms.

Then what exactly is infected???

18 posted on 11/05/2006 3:56:08 PM PST by TheBattman (I've got TWO QUESTIONS for you....)
[ Post Reply | Private Reply | To 2 | View Replies]

To: daviddennis
I don't think there is as much protection if you download an executable in an email. Then again, I don't remember ever receiving a Mac executable in an email so it may not be considered a useful vector.

I know Entourage asks if you really want to open attached files.

19 posted on 11/05/2006 3:59:14 PM PST by TheBattman (I've got TWO QUESTIONS for you....)
[ Post Reply | Private Reply | To 6 | View Replies]

To: TheBattman
Then what exactly is infected???

Apparently only system files for OS X Intel which are neither PowerPC nor Universal.

Interestingly, since it can only infect files in the same folder where it's located, then it has to be installed in a SYSTEM folder where the vulnerable files are located... which would require ROOT level permissions to do. One more reason this cannot spread.

20 posted on 11/05/2006 10:13:58 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 18 | View Replies]

