Free Republic
News/Activism
The First Mac OS X Virus? (A New OS X Trojan)
MacRumors.com ^ | 02/16/2006

Posted on 02/16/2006 5:27:22 AM PST by Panerai

On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz".

The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:

_infect: _infectApps: _installHooks: _copySelf:

The exact consequences of the application are unclear, but the users that originally executed the application have noted that it appeared to self-propagate:

If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my hard drive, but how do I know that it will not come back.

Andrew Welch, who had done some of the initial disassembly, is posting updates to this thread.

According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.

Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.


TOPICS: Technical
KEYWORDS: apple; mac; osx; spyware; trojan; virus

1 posted on 02/16/2006 5:27:23 AM PST by Panerai
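Two defensive checks follow from the post above: the archive claimed to hold screenshots but unpacked into a Mach-O executable wearing a JPEG icon, and the disassembly suggests the program locates other applications and writes a stub into each one's executable. The script below is an added example, not code from MacRumors, Andrew Welch's disassembly or the thread. It inspects a tarball in memory for members whose first bytes carry Mach-O or universal-binary magic (real constants), and it hashes the main executable of every .app bundle under a directory so a later run can be compared against a stored baseline. The sample archive and the two fake application bundles are constructed inside the script; the baseline-comparison approach is my own, not something the post describes. It does not use Spotlight, so it runs on any platform with Python 3.

```python
"""Triage helpers for a suspicious Mac archive and for installed .app bundles.
Added example; the sample archive and bundles are constructed below."""
import hashlib
import io
import os
import tarfile
import tempfile

# Mach-O and universal ("fat") binary magic numbers, both byte orders.
# OS X in 2006 shipped PowerPC, Intel and universal binaries, so all are checked.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, big / little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O, big / little endian
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary header
}


def is_macho(head: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic number."""
    return head[:4] in MACHO_MAGICS


def find_disguised_executables(archive: bytes) -> list[str]:
    """Return archive members that are Mach-O executables, whatever their name
    or icon claims. The archive is read in memory and never extracted to disk."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fobj = tar.extractfile(member)
            head = fobj.read(4) if fobj else b""
            # A "screenshot" archive has no business containing a Mach-O file;
            # an executable mode bit on it is a second signal worth logging.
            if is_macho(head):
                hits.append(member.name)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: one real-looking JPEG plus a Mach-O file posing as
    a picture, packed as a gzip tarball like the one described in the post."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, data: bytes, mode: int) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
        add("latestpics/screenshot1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64, 0o644)
        # 32-bit big-endian Mach-O header (PowerPC era), executable bit set.
        add("latestpics/latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 64, 0o755)
    return buf.getvalue()


def bundle_hashes(root: str) -> dict[str, str]:
    """SHA-256 of every file in Contents/MacOS of each .app bundle under root,
    keyed by path relative to root. Run once to record a baseline, again later
    to compare."""
    hashes = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        if not dirpath.endswith(".app"):
            continue
        macos_dir = os.path.join(dirpath, "Contents", "MacOS")
        if not os.path.isdir(macos_dir):
            continue
        for fname in sorted(os.listdir(macos_dir)):
            path = os.path.join(macos_dir, fname)
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    hashes[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def changed_bundles(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Executables whose hash differs from the baseline, or that are new."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def demo() -> dict:
    """Run both checks against constructed data and return the findings."""
    archive_hits = find_disguised_executables(build_sample_archive())
    with tempfile.TemporaryDirectory() as root:
        # Two fake bundles with minimal Mach-O-looking executables (constructed).
        for app in ("Safari.app", "Mail.app"):
            macos_dir = os.path.join(root, app, "Contents", "MacOS")
            os.makedirs(macos_dir)
            with open(os.path.join(macos_dir, app[:-4]), "wb") as f:
                f.write(b"\xfe\xed\xfa\xce" + b"\x00" * 32)
        baseline = bundle_hashes(root)
        # Alter one executable to stand in for a tampered binary, then rescan.
        with open(os.path.join(root, "Mail.app", "Contents", "MacOS", "Mail"), "ab") as f:
            f.write(b"\x00\x01")
        changed = changed_bundles(baseline, bundle_hashes(root))
    return {"archive_hits": archive_hits, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

On a real machine the baseline from bundle_hashes would be written to a file kept off the system (or on read-only media) right after a clean install, and changed_bundles run against a fresh scan would list any application executable that has been modified since, which is exactly the footprint the post attributes to this program.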

To: Swordmaker

OSX Trojan


2 posted on 02/16/2006 5:28:32 AM PST by Panerai
(reply to #1)

To: Panerai

So it's not a virus.


3 posted on 02/16/2006 5:34:36 AM PST by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
(reply to #2)

To: Panerai
There is no virus written for Unix. It's obvious since to get a program installed, you need to log on as a superuser in Linux/Mac OS X. I still don't have an antivirus program on either my Linux laptop or Mac Mini since there doesn't appear to be any instance of a successful Unix virus in the wild. I think this is a hoax.

(Denny Crane: "I Don't Want To Socialize With A Pinko Liberal Democrat Commie. Say What You Like About Republicans. We Stick To Our Convictions. Even When We Know We're Dead Wrong.")

4 posted on 02/16/2006 5:36:58 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
(reply to #1)

To: TexasGreg

Ping - Gotcha


5 posted on 02/16/2006 5:38:50 AM PST by GarySpFc (de oppresso liber)
(reply to #1)

To: goldstategop
Boo!


6 posted on 02/16/2006 5:39:00 AM PST by IncPen (Torture should be safe, legal, and rare.)
(reply to #4)

To: HAL9000
So it's not a virus.

But you're missing the point! Macs are no longer immune! (Oh, happy day!) ;^>

7 posted on 02/16/2006 5:41:25 AM PST by papertyger
(reply to #3)

To: papertyger
You're wrong. The program had to prompt the user to enter his password, i.e. the user has to allow the installation of the program. No computer in existence is 'immune' to a user installing something deliberately. Macs never were immune to that, so their 'immunity' has not changed.
8 posted on 02/16/2006 5:47:13 AM PST by TalonDJ
(reply to #7)

To: Panerai

Getting closer to the first self-propagating worm. It'll happen eventually. Still, five years into OS X and we're still waiting for the first one.


9 posted on 02/16/2006 5:48:29 AM PST by antiRepublicrat
(reply to #1)

To: TalonDJ

Lighten up, Francis. Do you not know what ;^> means?


10 posted on 02/16/2006 5:51:36 AM PST by papertyger
(reply to #8)

To: antiRepublicrat
You have to get past the root user. Most people in Unix don't have to run as root so you can't download or install anything. That makes these computers inherently much more secure than Windows. And malware written for Unix can't harm Windows and vice versa.

(Denny Crane: "I Don't Want To Socialize With A Pinko Liberal Democrat Commie. Say What You Like About Republicans. We Stick To Our Convictions. Even When We Know We're Dead Wrong.")

11 posted on 02/16/2006 5:53:40 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
(reply to #9)

To: antiRepublicrat

Why not issue a challenge for someone to develop such a worm or virus? That would prove interesting.


12 posted on 02/16/2006 5:57:36 AM PST by TommyDale
(reply to #9)

To: papertyger
But you're missing the point! Macs are no longer immune! (Oh, happy day!) ;^>

Immune? Did you read what the users had to do to get this thing running on their machine? ANYONE can write a program that ASKS to be installed with admin privilege that then does nefarious things.

Surf a website and have an OS X system compromised, then come talk to me.

13 posted on 02/16/2006 6:15:28 AM PST by SengirV
(reply to #7)

To: TommyDale
Why not issue a challenge for someone to develop such a worm or virus?

Somebody started one a while ago, but withdrew the offer due to legal reasons.

14 posted on 02/16/2006 6:21:19 AM PST by antiRepublicrat
(reply to #12)

To: goldstategop
You have to get past the root user.

That makes it hard, but not impossible. The first successful worm will probably use one exploit as a delivery method in conjunction with a privilege-escalation exploit to install and propagate.

15 posted on 02/16/2006 6:24:12 AM PST by antiRepublicrat
(reply to #11)

To: Panerai

This oughta make Apple happy, actually ... it means that they're getting popular enough for people to write viruses for them. Their market share may be heading north soon....


16 posted on 02/16/2006 6:25:30 AM PST by r9etb
(reply to #1)

To: goldstategop

Yes, I've never seen a virus on a Unix or Linux box, but I wouldn't be doubting someone out there is trying to exploit one of the thousands of security vulnerabilities on Mac OS X.... OS X might be based on BSD, but as soon as Steve Jobs adds all those pretty bells and whistles to the operating system and complicates and bloats the code, there is bound to be some serious security flaws.


17 posted on 02/16/2006 6:26:33 AM PST by Element187
(reply to #4)

To: SengirV

No, no, NO! Macs are not safer! Lalalalalalalala. I can't hear you...


18 posted on 02/16/2006 6:34:03 AM PST by papertyger
(reply to #13)

To: Element187
but as soon as Steve Jobs adds all those pretty bells and whistles to the operating system and complicates and bloats the code, there is bound to be some serious security flaws.

Empirical evidence would seem to indicate otherwise...

19 posted on 02/16/2006 6:37:45 AM PST by papertyger
(reply to #17)

To: papertyger

In order to install this virus you must enter your user name and password.


20 posted on 02/16/2006 6:41:05 AM PST by SlowBoat407 (The best stuff happens just before the thread snaps.)
(reply to #19)
