Posted on 02/16/2006 5:27:22 AM PST by Panerai
On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz".
The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:
_infect: _infectApps: _installHooks: _copySelf:
The exact consequences of the application are unclear, but the users who originally executed the application have noted that it appeared to self-propagate:
If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my hard drive, but how do I know that it will not come back.
Andrew Welch, who had done some of the initial disassembly, is posting updates to this thread.
According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.
Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.
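The investigation above says the sample used Spotlight to locate applications and then wrote a stub of code into each application's executable. A modified binary no longer matches its original hash, so a defender can catch that kind of tampering with a plain baseline-and-compare check. The script below is an added example for this thread, not code from the MacRumors analysis or from the sample itself; the directory to walk, the baseline file name and the example paths in the comments are assumptions for illustration.

```python
"""Baseline-and-compare integrity check for application executables.

Added example (not from the MacRumors thread or the trojan analysis): take a
SHA-256 digest of every executable under a directory on a known-clean machine,
store it, and re-check later. Any executable that had code inserted into it
shows up as "modified". Paths and the baseline file name are assumptions.
"""
import argparse
import hashlib
import json
import os
import stat
from pathlib import Path


def is_executable_file(path: Path) -> bool:
    """True for regular files with any execute bit set; symlinks and
    resources (nibs, plists, images) are skipped."""
    try:
        st = path.lstat()
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each executable under root (path relative to root) to its SHA-256."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            candidate = Path(dirpath) / name
            if is_executable_file(candidate):
                baseline[str(candidate.relative_to(root_path))] = sha256_of(candidate)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report executables whose hash changed, plus new and missing ones."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: dict, out_file: str) -> None:
    with open(out_file, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(in_file: str) -> dict:
    with open(in_file) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage (paths are assumptions):
    #   python app_integrity.py baseline /Applications apps-baseline.json
    #   python app_integrity.py check    /Applications apps-baseline.json
    parser = argparse.ArgumentParser(description="Hash-baseline application executables")
    parser.add_argument("mode", choices=["baseline", "check"])
    parser.add_argument("root", help="directory to walk, e.g. /Applications")
    parser.add_argument("baseline_file", help="JSON file holding the stored hashes")
    args = parser.parse_args()

    if args.mode == "baseline":
        save_baseline(build_baseline(args.root), args.baseline_file)
        print(f"baseline written to {args.baseline_file}")
    else:
        report = compare(load_baseline(args.baseline_file), build_baseline(args.root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
        if report["modified"]:
            raise SystemExit(1)  # non-zero exit makes it easy to alert from a scheduled run
```

Keep the baseline file somewhere the ordinary user account cannot write (the thread's own point is that this sample ran with the user's privileges), otherwise the same code that patches the binaries could also rewrite the stored hashes. Legitimate software updates will also show as "modified", so re-baseline after updates you performed yourself.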
uhh right... forgot MAC OSX is an invincible operating system developed by superman.... just wait til the kryptonite falls ... btw there have been unix worms... in fact the first worm ever written was aimed at unix machines.
In other words, only people stoopid enough to type in an admin's login and password when prompted will experience this exploit.
Funny, I don't see anything here that mitigates the statement "Empirical evidence would seem to indicate otherwise..."
Macs have never been immune, they simply have infinitely fewer viri and infinitely fewer holes for viri to take advantage of.
That's because they were pretty much the only thing on the Internet at the time and no one was really thinking of the possibility of this happening. They learned their lesson and hardened their UNIX software over the next 18 years. Meanwhile, Microsoft was working on making their software more vulnerable up until a few years ago.
Exactly WHO has ever said that "Mac OS X is completely invulnerable!"? Who? I have never heard anyone - 'experts', users, or developers - say that. Why is it that some people seem to want to make us look like we're complete idiots? Seriously, I've never held that belief. But I also don't believe I need to run Anti-Virus to protect Mac OS X ... not yet, at least. I DO run Anti-Virus to keep my files clean of WINDOWS MALWARE® so as to protect other Windows users with whom I share files. I feel sorry for them ... they have hundreds of thousands of viruses, trojans, and malware apps running around trying to kill their computers. My Mac is currently impervious to everything that we know of that's out there right now. The least I can do is not spread something that will make it worse for my poor Windows friends.
If I'm required to open as root user, accept a file to download, decompress it, open it, double click on it, type in my admin password, sacrifice a chicken to Foghorn Leghorn, do the Hokey Pokey and bowl a perfect 300....IT AIN'T A VIRUS. And it sure as hell isn't going to fool 99% of Mac Users.
Sorry, I'm just in a pissy mood this morning and this didn't help much.
It was bound to happen sooner or later...
I have 2 Macs in my house ... they are great for editing photos and video... but all my day to day tasks are done within Linux and my recreational video games are played on my Windows PC.
No, it definitely requires permission to install and run for the first time. It is a trojan.
According to what I've read, it does attempt to infect existing apps (The last four you ran) but it only causes them not to execute. It has code that attempts to spread copies of itself through iChat... but that doesn't work either.
To get infected one has to actually download, uncompress the file, and then give a JPEG file permission to run as an application for the first time. Unlikely.
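Several posts above turn on the same detail: the download looked like a picture but was a compiled executable. The icon and the file name are presentation; the first bytes of the file are not, and that is what a defender should look at before granting anything permission to run. The script below is an added example written for this thread, not code from the thread or from any analysis of the sample; the magic values are the documented JPEG and Mach-O ones, and the test for telling a universal binary from a Java class file (which shares the same magic) is a heuristic I am assuming here.

```python
"""Content-based type check for a "picture" that might really be a program.

Added example (not code from the thread or from the trojan analysis). Reads
the leading bytes of a file and reports a mismatch between what the name
claims (an image) and what the bytes are (a Mach-O binary or a script).
The universal-binary vs Java-class distinction is a heuristic.
"""
import struct
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"            # JPEG start-of-image marker
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian (PowerPC)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian (Intel)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"        # universal binary; Java .class files share it
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff"}


def classify(header: bytes) -> str:
    """Return 'jpeg', 'mach-o', 'script' or 'unknown' from the leading bytes."""
    if header[:3] == JPEG_SOI:
        return "jpeg"
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        # Fat header: a big-endian architecture count follows the magic and
        # is a small number. A Java class file puts minor/major version
        # there, and the major version alone is >= 45, so the word is far
        # larger. (Heuristic, an assumption of this example.)
        nfat_arch = struct.unpack(">I", header[4:8])[0]
        if 0 < nfat_arch < 32:
            return "mach-o"
    if header[:2] == b"#!":
        return "script"
    return "unknown"


def is_disguised_executable(filename: str, header: bytes) -> bool:
    """True when the name says 'image' but the bytes say 'program'."""
    ext = Path(filename).suffix.lower()
    return ext in IMAGE_EXTENSIONS and classify(header) in ("mach-o", "script")


def inspect_file(path: str) -> dict:
    """Read the first 8 bytes of a real file and report what it is."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    return {
        "path": path,
        "content_type": classify(header),
        "disguised": is_disguised_executable(path, header),
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_picture.py <file> [<file> ...]
    for p in sys.argv[1:]:
        r = inspect_file(p)
        flag = "  <-- executable disguised as an image" if r["disguised"] else ""
        print(f"{r['path']}: {r['content_type']}{flag}")
```

A file with no image extension that carries a Mach-O header is not flagged, because that is what every normal application binary looks like; the check is aimed at the specific trick in this thread, a program presented as a picture. The Finder icon can be set independently of content (custom icons live in the resource fork), so the icon is no evidence either way; only the bytes are.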
WARNING PING!
Do NOT open a file claiming to contain pictures of Leopard.
http://www.neptunuslex.com/wp-content/iblogimg/gore.jpg
Don't click on this virus
Actually, this is a variant of the old "Texas Aggie Manually Operated Virus." You send someone an email that says, "I don't know how to write code. Please forward this email to everyone in your address book, and then go to the command prompt and type, "format C://"
Basically, if something asks for your password, and it's not something you intend to install, don't give it. Good to give out a warning, though.
This isn't completely true. Any user can install a program in, say, his home directory. You only have to have 'root' privs if you are installing to a directory that users don't have permission to write to.
Any program installed in a user's directory will execute with the same privileges as a user though, so while it can harm any user data writable by the user, it can't touch system files (i.e., config files in /etc).
Actually this Trojan is very easy to write.
I could write something similar for Linux, but the real trick is in getting some idiot to install it.
Yeah, I think you have to make a distinction between a program that does bad stuff and a legitimate virus or hack.
Too late....