First Mac OS X virus?

jonw757

http://www.macrumors.com/pages/2006/02/20060216005401.shtml

On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz".

The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:

_infect:
_infectApps:
_installHooks:
_copySelf:

The exact consequences of the application are unclear, but the users that originally executed the application have noted that it appeared to self-propagate:

If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my hard drive, but how do I know that it will not come back.
Andrew Welch who had done some of the initial disassembly is posting updates to this thread.

According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.

Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.

Your thoughts?
 
It's not a virus at all. It requires you to manually launch it and enter your admin password. It uses social engineering, not some flaw in Mac OS X. Just don't give your password to every little app that asks and you'll be fine.
 
If it requires user intervention and root authority at that, it's not going to be very effective now is it?

First of all I'd be suspicious when I click on an image, and instead of Preview opening, I get an auth window.
Right there I'd say <Will Smith>Oh helll nawwww!</will smith> and kill it.
 
Is Norton saying anything about this? I have it running on my machine but it seems like a bit of a waste. I'm also running ClamXav, which seems like a nice, small quality program. I found out about Clam on Macintouch (I think) when another user posted his experiences with an apparent piece of malware that was installed on his machine. It scanned traffic on his Comcast LAN and WAN and had a user list of people supposedly allowed to access his machine. He killed the process and deleted the file and it hasn't returned. He later discovered that access to his machine was gained by his daughter entering her login and password (for the Mac) on some website.

So it doesn't seem like OSX itself is becoming more vulnerable - perhaps only the users.
 
init6 said:
So it doesn't seem like OSX itself is becoming more vulnerable - perhaps only the users.

Yep there is always that problem. Box pops up "oh look, I must have to type in something to keep going, let me just do that..." and then you could have problems. It's the same thing with pop-ups that look like real Windows windows or DOS windows telling you to do stuff, we know it's something trying to attack, the average user doesn't.

I don't think it's a virus, but it could cause problems for the average user.
 
If anything, the Mac population is a little bit more at risk to this sort of attack than the windoze population.

Windoze people are always worried about "OMG, it's a worm/virus/hack/trojan/std/the hiv/etc."

Mac folks .. well, they don't have to worry about that, and most of them, not really having to be security minded at all, will probably go right ahead and enter in that lovely w00t password.
 
It's a script with a JPEG icon tacked onto it. Wouldn't something in your brain raise a flag when you try to open a JPEG and the password prompt opens up? I don't think twice when I'm changing a system setting or file, but I think even the average user should question why a password needs to be entered for a picture.

The other idea here is that this "virus" is pretty harmless. I can do worse things with Automator. It also seems like the media loves to use the word virus, despite the facts. I guess it's like Kleenex and tissues.

The impact of this is a lot less widespread than you would be led to believe. It's been on just about every major tech news site, along with the generic flames that you get when you bring the words "OS X" and "virus" near each other. Apple-bashers would love to see a virus and Apple-zealots would love to prove them wrong. And despite the fact that the zealots have won this round, the fact that it is a weakly coded trojan is not quieting any of the bashers. I even saw a guy on Digg comment about how "Apple invented the multi-button mouse, maybe next they'll invent file extensions." Some people will go to any length of idiocy (considering both OS X and Windows XP hide file extensions) to be "leet" or whatever the cool thing is now.

The point is, somebody wanted some attention, and they got it. It's pretty funny to see that this whole thing started on MacRumors' forum and it's all over 10.5 "pictures". I think it's a kind of cute irony.
 
osx doesn't necessarily need file extensions. you can have files with no extensions at all, as long as it is associated with a program it will function fine.
 
Shit like this has been around, I'm not going to worry about it. This is exactly why apple put passwords on EVERYthing
 
People, stop getting defensive about Apple products and look at the incident with a more objective view.

A virus, in the 'textbook' definition, is a program that spreads itself to other computers without the user's explicit command or consent. This program fits that description to a 'T'. What this program is not is something that is taking advantage of a security hole. Instead, it is using both social engineering and the underpinnings of the OS to do what it does, which is (luckily for all who ran it) not very much.

I am not going to attempt any proof-of-concept with the program, because the program seems to be more of a proof-of-concept in itself. Had the author added a simple command like '$rm -rf ~', the user's home directory would have been hosed. The program as it stands already did the hard part—propagating to other Macs on a local network and through AIM/iChat—so the easy part would be telling it what to do afterward.

This doesn't mean that the world is ending for the Mac fans or that Apple has failed in making a stellar OS. What it means is that Mac users, much like users of any other OS out there, need to be conscious of what they are downloading and double-clicking. Running with root (or admin) privileges when performing everyday computing has its risks and its dangers. As the user plinden over on the MacRumors forum displayed for everyone, running this program under a limited user account made the program unable to execute. This is, incidentally, exactly the method that is recommended to keep a Windows, Linux, and any other OS safe from harm directed at the user interfacing with the machine at that time.

This is definitely a virus, and yet is definitely not overly dangerous to users. What it does better than anything else is show that Mac users need to be just as conscious of downloading and clicking on files from sources that are not trusted.
 
mwarps said:
If anything, the Mac population is a little bit more at risk to this sort of attack than the windoze population.

Windoze people are always worried about "OMG, it's a worm/virus/hack/trojan/std/the hiv/etc."

Mac folks .. well, they don't have to worry about that, and most of them, not really having to be security minded at all, will probably go right ahead and enter in that lovely w00t password.

That's why it pays to be a Windows user while having a Mac as well :) that sort of cautious thinking would be embedded.. :p
 
KaosDG said:
If it requires user intervention and root authority at that, it's not going to be very effective now is it?

First of all I'd be suspicious when I click on an image, and instead of Preview opening, I get an auth window.
Right there I'd say <Will Smith>Oh helll nawwww!</will smith> and kill it.
You are incorrect in assuming it brings up an authorization window. According to a more in-depth examination of the program on the Ambrosia Software Message Board, the program will only prompt for a password when run via the terminal. When clicked, it simply attempts to run with the privs of the account from which it was clicked.
 
GreNME said:
A virus, in the 'textbook' definition, is a program that spreads itself to other computers without the user's explicit command or consent.

I don't see how this fits a virus description "to a 't'" when the user is prompted to authenticate.

That is the user's "explicit command or consent", so by your own definition it's not a virus.

Granted, once the user has authorized the application, it does propagate itself in a virus/worm-like manner, but any OTHER user that receives the application will still have to authorize it in order for it to continue on living.
 
GreNME said:
You are incorrect in assuming it brings up an authorization window. According to a more in-depth examination of the program on the Ambrosia Software Message Board, the program will only prompt for a password when run via the terminal. When clicked, it simply attempts to run with the privs of the account from which it was clicked.


And therefore, under a normal operating circumstance, will neither infect nor propagate.
(Remember by default the root account under OS X is not enabled to login)
 
KaosDG said:
And therefore, under a normal operating circumstance, will neither infect nor propagate.
(Remember by default the root account under OS X is not enabled to login)
You're assuming too much. If it is run with admin privs it will not prompt. Please read my link before making claims on how and when it will run. This malware has been tested extensively. I have a copy of the decompiled assembly myself and am looking for any additional info that the Ambrosia guys or the Slashdot guys may have missed. So far, they have been extremely thorough.

When run as an account with admin privs, it creates a fork in the /tmp directory and proceeds to propagate itself without any user intervention, and also spreads without any user intervention, taking advantage of some specific apps (AIM, iChat) on the system as well as the local network.

If it is run by someone with sufficient privs, it successfully behaves like a virus. If the account does not have sufficient privs, it fails. Ask yourself: how many Mac users in just the [H] forum run with accounts that have admin privs? That's all it takes.
 
GreNME said:
You're assuming too much. If it is run with admin privs it will not prompt. Please read my link before making claims on how and when it will run. This malware has been tested extensively. I have a copy of the decompiled assembly myself and am looking for any additional info that the Ambrosia guys or the Slashdot guys may have missed. So far, they have been extremely thorough.

When run as an account with admin privs, it creates a fork in the /tmp directory and proceeds to propagate itself without any user intervention, and also spreads without any user intervention, taking advantage of some specific apps (AIM, iChat) on the system as well as the local network.

If it is run by someone with sufficient privs, it successfully behaves like a virus. If the account does not have sufficient privs, it fails. Ask yourself: how many Mac users in just the [H] forum run with accounts that have admin privs? That's all it takes.

Has anyone tried this on an intel mac?

I just ran it on an Intel iMac with 10.4.5 and got the prompt.
(and there's only one account on the machine with admin privs)


edit: second run no prompt, but nothing fishy in /tmp, that i can see
edit1b: apparently it's only ppc code.

edit2: they could have easily incorporated launching Preview and sending it junk data so the end-user would at least *think* it was a real file, just corrupt.

edit 4: It dies on 10.3.9, i assume its because it relies on spotlight to find applications to fubar
 
Everyone I know who has done it has done so on PPC Macs. There may be a slight chance that something in the code used to build it relied on something PPC or Altivec related, but I somehow doubt it. A couple people on the MacRumors forum seem to have claimed that it does not run the same on Intel Macs, but this is still circumspect to me because the focus right now seems to be on the OS level and not the hardware level where the program's calls are concerned.

It writes to /tmp, but it promptly removes it. Since my constant urges to read the link I made are not being heeded, I shall quote the part about the /tmp directory:
Here's what it does if a user double-clicks on the file, or otherwise executes it:

1) It copies itself to /tmp as "latestpics"
2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip'd copy, then sets custom icon bit for the new file in /tmp
3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
4) It renames itself from "latestpics.tar.gz" to "latestpics.tgz" then deletes the copied "latestpics" executable from /tmp
Instead of checking your /tmp folder, you should instead check your /Applications directory for recent changes to subdirectories and/or files. Additionally, look for a '~/Library/InputManagers/' directory that may have been created, and check the contents there as well.

It dies on 10.3.9, i assume its because it relies on spotlight to find applications to fubar
This is correct. No Spotlight == no workie. Also, if you change your permissions to the /Applications directory to 755 instead of the default 775, things still operate properly but a program cannot alter files in that folder without authentication.
 
GreNME said:
Everyone I know who has done it has done so on PPC Macs. There may be a slight chance that something in the code used to build it relied on something PPC or Altivec related, but I somehow doubt it. A couple people on the MacRumors forum seem to have claimed that it does not run the same on Intel Macs, but this is still circumspect to me because the focus right now seems to be on the OS level and not the hardware level where the program's calls are concerned.

It writes to /tmp, but it promptly removes it. Since my constant urges to read the link I made are not being heeded, I shall quote the part about the /tmp directory:
Instead of checking your /tmp folder, you should instead check your /Applications directory for recent changes to subdirectories and/or files. Additionally, look for a '~/Library/InputManagers/' directory that may have been created, and check the contents there as well.


This is correct. No Spotlight == no workie. Also, if you change your permissions to the /Applications directory to 755 instead of the default 775, things still operate properly but a program cannot alter files in that folder without authentication.

I did read the link.

And I was monitoring /tmp and /Applications, and there's no inputmanagers directory to be found. (Guess I'm safe?)

The code is still PPC code; if I had the time I'd look through the asm dump and see if there was anything that would make Rosetta not run it.

I find it odd that it prompted me the first time, though that may be because one of the previous apps I ran was not gid=admin writeable.... still, it should have died silently and/or still created the fork in tmp, not prompted me, which makes me think something on Intel makes it act differently.

Its more like a trojan/worm than a virus, I say.
There are too many factors involved in order for it to be successful in delivering its payload in a virus-like manner.
1) doesn't run on its own initially
2) requires at least a semi-privileged account
3) doesn't exploit a security hole or race condition to spread
(arguably a dumb user could be a security hole but that's a different topic)


I'll upgrade the 10.3.9 box to 10.4 tomorrow if I have time, and see how it works on PPC/10.4
 
KaosDG said:
I did read the link.

And I was monitoring /tmp and /Applications, and there's no inputmanagers directory to be found. (Guess I'm safe?)
I think. You could try /usr/bin/find '/' -mmin -'60' -ls 2>/dev/null | grep -v -e"sec_qip" -e"proc" to check for changes in the last 60 minutes.

The code is still PPC code; if I had the time I'd look through the asm dump and see if there was anything that would make Rosetta not run it.
Let me know what you find. I'd be interested. Rosetta may be the difference, but so far it appears to me to rely on forking that should be CPU-agnostic.

I find it odd that it prompted me the first time, though that may be because one of the previous apps I ran was not gid=admin writeable.... still, it should have died silently and/or still created the fork in tmp, not prompted me, which makes me think something on Intel makes it act differently.
That is indeed interesting. Have you already made /Applications not writeable by group?

Its more like a trojan/worm than a virus, I say.
There are too many factors involved in order for it to be successful in delivering its payload in a virus-like manner.
1) doesn't run on its own initially
2) requires at least a semi-privileged account
3) doesn't exploit a security hole or race condition to spread
(arguably a dumb user could be a security hole but that's a different topic)
Over 90% of the Windows viruses over the last six years required user initiation; a higher percentage of viruses for all operating systems require higher than regular user privileges; the same percentage applies to the number of viruses/trojans that did not exploit a security hole, but relied on duping the user.

Labelling it a trojan is a valid description. The main attribute that makes it fall under "virus" for me is the fact that it replicates without any user interaction. It definitely falls under both the "trojan" and "virus" categories, with aspects of each in its behavior.

I'll upgrade the 10.3.9 box to 10.4 tomorrow if I have time, and see how it works on PPC/10.4
Cool. Keep me informed. :)
 
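The checks GreNME and KaosDG trade in the two posts above (look at /Applications for recent changes rather than /tmp, look for a ~/Library/InputManagers directory, and note that /Applications at 775 is writable by any admin-group account while 755 is not) can be scripted. The POSIX sh below is an added example written for this page; it is not code from the thread, from the Ambrosia writeup, or from the malware itself. The /Applications and ~/Library/InputManagers paths are the macOS defaults named in the thread; the function names, the `user_writable_files` check (which shows what a trojan run from a standard account could actually touch, the point of plinden's limited-account test) and the report layout are my own.

```shell
#!/bin/sh
# Added example: audit an application directory along the lines discussed in
# the thread. Not code from the thread, from Ambrosia's analysis or from the
# malware. /Applications and ~/Library/InputManagers are macOS defaults; the
# function names are mine. Every function takes the directory as an argument
# so the script can be exercised on a scratch directory on any Unix.

# Print "group-writable" if DIR has the group write bit set (the 775 default
# the thread mentions, which lets any admin-group account alter app bundles),
# otherwise "not-group-writable" (the 755 setting suggested as a mitigation).
dir_group_writable() {
    dir=$1
    # Sixth character of `ls -ld` is the group write bit: d rwx rwx r-x
    gw=$(ls -ld "$dir" 2>/dev/null | cut -c6)
    if [ "$gw" = "w" ]; then
        echo group-writable
    else
        echo not-group-writable
    fi
}

# Regular files under DIR modified within the last MINUTES minutes (default 60),
# one per line, sorted. Same idea as the thread's `find / -mmin -60` command,
# narrowed to one tree so that a rewritten app executable stands out.
recent_files() {
    find "$1" -type f -mmin "-${2:-60}" 2>/dev/null | sort
}

# Number of lines recent_files would print; convenient for scripts and tests.
recent_file_count() {
    recent_files "$1" "${2:-60}" | wc -l | tr -d ' '
}

# Regular files under DIR that the *current* account is allowed to write.
# Code run from a standard (non-admin) account can only modify these, which
# is why running the sample under a limited account infected nothing.
user_writable_files() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        [ -w "$f" ] && printf '%s\n' "$f"
    done | sort
}

# Exit 0 if BASE/InputManagers exists (BASE defaults to ~/Library). The thread
# reports the sample creating this directory; a stock install lacks it.
input_managers_present() {
    [ -d "${1:-$HOME/Library}/InputManagers" ]
}

# Human-readable report over the real locations.
audit_mac() {
    apps=${1:-/Applications}
    printf '%s is %s\n' "$apps" "$(dir_group_writable "$apps")"
    printf 'files under %s changed in the last hour:\n' "$apps"
    recent_files "$apps" 60
    printf 'files under %s writable by %s:\n' "$apps" "$(id -un)"
    user_writable_files "$apps"
    if input_managers_present; then
        echo "WARNING: $HOME/Library/InputManagers exists; inspect its contents"
    else
        echo "no $HOME/Library/InputManagers directory"
    fi
}

# Run the report when invoked directly on a machine that has the directory.
if [ -d "${1:-/Applications}" ]; then
    audit_mac "${1:-/Applications}"
fi
```

Run it as `sh audit.sh` on the Mac in question, or `sh audit.sh /some/other/dir` to point it elsewhere. The group-write check and the writable-files list are the two that matter for the thread's argument: with /Applications at 755 and a non-admin login, the report's writable list should be empty, and nothing the user double-clicks can rewrite an installed application without an authentication dialog. A non-empty "changed in the last hour" list is not proof of infection (Software Update and installers modify /Applications too); it is the short list of files worth comparing against a known-good copy.
 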
According to the Slashdot article it's a trojan horse. But this has turned into a really great thread, thanks GreNME and Kaos. Very interesting stuff here.
 
Guys, "trojan" and "virus" are not mutually exclusive terms. What makes something a trojan is how the code is introduced to the system, while what makes something a virus is how the code behaves on the system.

I just wanted to clear that up, because I don't want this to be the single discussion point of the issue. Currently, it exhibits properties of both a trojan and a virus. Someone calling it either is not incorrect.
 