Mac Trojan Horse Disguised as Word 2004 785
Espectr0 writes "Macworld is alerting of a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004, you should know by now not to open a file from an untrusted source.
Think first (Score:5, Insightful)
Using Limewire? A likely story.
The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'"
This is the risk you take when downloading stuff that you don't pay for. If you purchased Office 2004 from Microsoft (thus supporting the promotion and development of software for OS X), then you would have something to gripe about. As it stands, one might suggest you got what you paid for.....
This is 2004, you should know by now not to open a file from an untrusted source.
Well said. However, this does raise the possibility of other code that could be made to look like just about anything. So, once again, think about what you install on your computer just like you would think about what you eat or who you have sex with. If you don't know, trust or suspect that software/food/person, then either screen them or think twice.
Why Not? (Score:3, Insightful)
This has nothing to do with Apple? (Score:5, Insightful)
This should be filed under the "Humans" topic as this has nothing to do with apple or even computers.
Trojan Horses are social problems -- there isn't much apple or microsoft or anyone can do other than try to keep people on their toes.
I mean come on, limewire?
davidu
I'm lost (Score:2, Insightful)
Is it just me, or did I miss all the Trojan like aspects of that program?
Yes, it had undesirable consequences of running an un-trusted application, but Trojan?
Hmm (Score:3, Insightful)
Not really, no. The point of that was that it was a application that looked like an mp3. This is just a application with a misleading name/icon. Anyone write code that erases a users home folder and call it Microsoft Word.
One question I'd like answered (Score:3, Insightful)
I would assume it would have to before it runs an rf command on his home directory.
If it didn't ask for one, that's not good. If it did and he entered it in, he's a complete moron. Although the reality is, any OS will always be vunerable to user stupidity. It's the worms etc., that are a serious problem.
Untrusted source, maybe... (Score:3, Insightful)
But forget that fact that this happened on an unethical download. The fact that this is malware, not a virus or a worm, not something that is exploiting the operating system by opening known bugs or attempting to hack into key parts of the system which normally would require keychain access, but that this is merely software that the user chose to install, and chose to authenticate (maybe? did it require keychain access to be able to delete files from the home directory? I think Apple probably allowed that to happen since programs *do* need to be able to write files to the Home directory, just not anywhere else, save for a temporary folder like
Just keep in mind that while the program itself was not ethical, nor were the actions of the user by downloading non-free software, this should come as no surprise to the user or to Apple, since this is not a compromise of the system nor something Apple can prevent, except through education (Don't open untrusted files and programs).
Do you think this would have happened if the user was downloading legit sourceforge or another self-produced program that claimed to do something else and just became malware or a random pop-up creator? Would we cry foul if the program was *not* downloaded illegally?
Actually... (Score:5, Insightful)
If it was a windows installed you could check to make sure that various files were signed and authenticated by MS, information which I don't believe can actually be faked (dlls, exe, cab files, etc.).
I don't know if Mac has a similar feature, and I don't know if some random moron like this guy would even have bothered to check. However, it would seem that MS' own security would indeed have offered a better chance of preventing such a Trojan.
-rt
Only home folder was hosed by trojan.... (Score:5, Insightful)
A similar program om Windows could do far more than just hose someones Home folder, because most Windows users runs with high privileges.
Mac as prophylactic? (Score:2, Insightful)
Re:Sort of... (Score:3, Insightful)
Re:New paradigm? (Score:5, Insightful)
Open Office porters take note. At my last check, Mac users are still stuck with a sucky x11 version of OOO1.1 rather than the spiffy version available for Windows users.
How to write a OS X Trojan (Score:5, Insightful)
2) Package script with Microsoft Icon
3) Upload to P2P network
4) ???
5) Laugh as retarded Slashdot editors call it valid malware
Come on guys... lets get serious.
How big was the file? (Score:5, Insightful)
Latest greatest Mac Virus (Score:1, Insightful)
Here is the latest mac virus. written completely in applescript.
tell application "Finder"
activate
set target to folder home
delete target
empty trash
end tell
This won't actually work though because r/o access to the root of the home directory is provided through applescript. This is really a non-event in trojan terms. It's affected a user trying to pirate software, be it beta Microsoft stuff. I guess you get what you deserve for installing beta office builds... :-)
Re:Fast User Switching Rules... (Score:5, Insightful)
Out in the professional world we do pay for everything. Why? In the last 6 months, two graphics designers in this town were busted for using warezed versions of Photoshop and black listed by other companies in the area including long time clients. And advertising/marketing being cut-throat as it is, there were glaring stories about it in the local business journal. Wow, probably $100k+ income lost to save $5k on software. Smart move there!
If there was such a thing, then download from a MS website or trusted mirror (like download.com) or else roll the dice and take your chances.
Personally I am waiting for the $10 for shipping beta from MS as I am classified as an "IT manager/decision maker" for our company (and several others as I also do consulting).
Re:This has nothing to do with Apple? (Score:3, Insightful)
So if the trojan popped up the "you must enter your administrator password to continue" box, how many would without asking questions?
I mean the guy thought he was getting a beta release of word2k4 off of limewire?
How big was the package he downloaded? Hundred megs or so, like word would be, or some 50k zip?
UNIX doesnt magically protect you from stupidity, or from making mistakes.
Comment removed (Score:3, Insightful)
There is no secure system (Score:2, Insightful)
And bragging that such and such OS is more-secure-than-thou does not help either. The least-gifted users of this OSs will believe this and will feel a false sense of security and run whatever application falls on their hand. Most of these will be honest appl, but it takes only one to wreak havoc.
As Albert Einstein said,
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
It *IS* a public beta from Microsoft (Score:3, Insightful)
You're exactly right (Score:3, Insightful)
This exact same problem exists for Linux, Windows, Solaris, and *BSD. Unfortunately people will probably take this example to mean that the Mac OS X platform is somehow insecure because of it. I could do the exact same thing for Windows and if you would download it from LimeWire (or any other untrusted source) and run it then it could do just as much damage.
Is there any reason to believe this at all? (Score:3, Insightful)
It is a non story even if it happened, and it is unlikely to have happened. Unless the guy is a 10-year old who fell for a trap his 11-year old sister set up for him.
Re:Macosxhints take on it (Score:3, Insightful)
If you have the power to delete all of your own files, then any program you run has that power too. Nothing can change that. Trojan horses are nothing new, and nothing surprising. They are a problem on every platform, even Linux, and have nothing to do with the operating system or the computer.
There are companies that call people on the telephone and convince them to send them a check for $300 in return for a big-screen TV they'll never receive. This is made possible because (a) people can receive phone calls, and (b) people can give money to other people. No one suggests we remove telephones or checks from our lives to prevent such fraud.
Trojan horses are just the computer equivalent of fraud. They have been around for a very, very, very long time, and will be around until the end of time. Nothing can be done by Apple to prevent them, just as nothing can be done by Microsoft or any of the Linux distribution maintainers. It's just how life works: if you have a gun, and someone tricks you into shooting yourself in the foot, you've just shot yourself in the foot. It's not a flaw in the gun.
So how do you combat Trojan horses? Well, Trojan horses are not new. They date back to... yep! Troy!
Beware of Greeks bearing gifts.
The ancient adage still holds true today. Welcome a wooden horse full of soldiers into your city, and you're going to have a tough time blaming the manufacturer of the city wall for your city's subsequent downfall.
Mac trojan/viruses: the next big thing? (Score:4, Insightful)
Most Mac users I talk to do nothing but go on about how they never have to worry about this sort of thing. Seems like a group of users that's that overconfident in their systems are ripe for infection.
Nice handling of it... (Score:5, Insightful)
I have to say I'm impressed with how Apple handles this situation. You actually have to do rm -rf ~/* but anyways, once your home directory is emptying there is no error message. No flood of missing files or application crashes. You just log out and log back in and hey you have the default's loaded again like a fresh user. Being a Windows/Linux switcher I have to say this is handled quite differently than I expected. At least in windows losing all your windows files is gonna cause some serious problems, may not be able to log back in again.
Maybe I'm odd but eh.
-Don.
Us Slashdot-geeks have created a monster! (Score:5, Insightful)
No matter how often we tell them otherwise, it is ingrained in them to use the icon as an indictor of a file's content. If it wasn't then a great deal fewer email viruses would make it into the wild.
News Flash: Macs can get viruses and trojans (Score:3, Insightful)
Slight mis-reporting of facts (Score:4, Insightful)
Since there are at least 3 other Gnutella clients available for Mac OS X (Phex, Acquisition, and XFactor are the ones I know of), there are many more potential vectors for this Trojan to find its way onto a Mac user's computer.
Yeah, I know, it's asinine to trade warez on any P2P network...
There's nothing to stop this Trojan from making it to other file sharing networks, except perhaps a dose of common sense, so this isn't even a Gnutella-specific problem. I'm just a little peeved with sloppy news reporting.
The real questions... (Score:5, Insightful)
Strange that Microsoft has popped up in this one, huh? Hmm... if I were a conspiracy theorist....
The real issues is whether it can it replicate itself and whether it can use security holes in OS X to distribute itself to others. I've been round and round with people on this topic and the conclusion is that, at every point, OS X presents too great a hurdle to allow it to occur. You either have to rely on lots of Apple programs working together to do it (which is too unwieldy and too visible to the user) or you have to rely on the more stealthy Unix stuff, much of which is turned off by default (i.e., no using mail quietly in the background to distribute the trojan/virus because sendmail is off by default.)
It seems to me that Intego is looking to scare people into buying their products and in doing so, they have blown any credibility they have.
Re:New paradigm? (Score:3, Insightful)
Re:"Darwin" - style award winner (Score:5, Insightful)
Are they Serious!! (Score:2, Insightful)
They claim there is a file out there that when you download it it deletes your home directory. I will say YES, there is...
ONLY IF YOU ARE A FRICKIN IDIOT!!!!
The "File" is nothing but a script that executes an "rm -rf ~" command. I can write a "Trojan Horse" with the same command in shell script, MS .bat, and numerous other scripting languages and in some cases compile it into an application as to remain unseen till it's too late. Please people stop making this shit up. If anyone seriously thinks the pirated application they are trying to get only takes 1-2 hundred K then THEY DESERVE TO GET THEIR INFO WIPED OUT!!!!
hahaha (Score:1, Insightful)
that SHOULD read...
"This is 2004. All slashdot readers know not to open files from an untrusted source, but the rest of the world is still as dumb as ever."
Re:New paradigm? (Score:2, Insightful)
Well the fact that he expected us to believe that "public beta" line does call his intelligence into question.
Re:Macosxhints take on it (Score:3, Insightful)
Re:I think of the old yarn (Score:5, Insightful)
Everyone else knows that they never release applications for public beta testing. They only release operating systems as public betas.
Re:New paradigm? (Score:3, Insightful)
Feature Suggestion - launch as untrusted (Score:5, Insightful)
Re:The actual command (Score:3, Insightful)
An alias is easy to defeat, so it shouldn't be seen as a good defense. An alias will not prevent the following commands from deleting files automatically:
\rm -rf ~
Try running on a junk file after you've created the alias if you want to see for yourself.
Re:I think of the old yarn (Score:2, Insightful)
When I made my original comment, I'm referring to the baseline that Word X is not, and as far as I know has never been a free or open product, therefore a public beta is very out of character (not to mention a good find for those who use word) and therefore suspect. As a reference point, Word X for Mac retails at the Apple store for $230 [apple.com]
Re:Let the Liar Beware (Score:4, Insightful)
Like most companies selling security software for personal computers, they're basically in the business of marketing snake oil, and that means the creation of FUD. It's a new concept in the Mac world, but age-old for Windows.
From the Intego site:
WTF is that supposed to mean? And what is "infection" in the context of a Trojan horse?
Re:I think of the old yarn (Score:2, Insightful)
Newsflash! (Score:4, Insightful)
Don't you think Slashdot is the last place where people need to be made aware of something like this?
Turning your boneheaded mistake into a security advisory isn't going to win you much respect here.
/. dichotomy (Score:3, Insightful)
Conclusion - said Mac user is at fault.
Windows user open an unknown file from an untrusted source, it turns out to be destructive, and it blows away his data.
Conclusion - Microsoft is at fault.
Of course! How could I not see the difference?
Why is this news? (Score:3, Insightful)
User downloads executable from peer to peer network, runs said executable, and loses data.
If it wasn't labeled MS-Word would we have even seen this? I find it highly doubtful.
You would think by now, with all the scumware out there, people would realize that software should be downloaded at the source, or from a reputable middleman, not from anonymous sources who may have altered the payload in some way.
It doesn't matter if it's on a Mac, Windows, or Linux machine. Running "mystery code" is just plain stupid.
Re:Only home folder was hosed by trojan.... (Score:3, Insightful)
There really is no way to protect the user from himself. If you allow that user to change or delete their own files, there is nothing short of a good backup system that will protect those files from a bad application that is allowed to run as that user. It's as simple as that.
Or of course you could block all users from actually running any executable application outside the system "Applications" folder. I think Linux and BSD can both do this with the nodev/noexec mount options. But you'd also have to block access to things like the shell, so they couldn't run "sh rm -rf ~" and manually execute shell scripts. And you'd have to disallow any dangerous commands in AppleScript if we're still talking about Macs. In short you'd have to lock down the system so tight that it really becomes useless for most users, just to protect people like this from his inability to have a good backup and use common sense.
But, I think if the home data is so important to everyone then personal computers should come with several FireWire backup drives the same size as the internal hard drive, and an ultra-simple backup/restore system, so they can plug one drive in every day/week and have incremental backups without thinking about it too much. It really wouldn't be too difficult, just expensive for all the extra disk space. Using external FireWire drives that get disconnected would mean that the backups can't get destroyed by a simple 'sudo rm -rf
Re:This looks more like a flaw in the OS. (Score:3, Insightful)
If you want an OS that won't give you complete control over your own data, I think Microsoft will oblige you in a few years, and I'm sure hard drive manufacturers would also welcome an operating system that never let a user delete anything.
Mac OS X, Linux, and Windows are all designed to let the user have control of their own files, up to and including the ability to delete them without confirmation. There are no dire consequences in this particular case with Mac OS X, the system is fine: it remains bootable, the other user accounts present on the system are untouched, and the affected user account is still perfectly usable, reverting to default settings for everything. Yeah, the victim's data is gone, but if you don't make backups you're just asking for trouble anyway.
This is nothing at all like a car having a self destruct button-- we're not talking about a special command that does nothing but trash the system here, we're talking about a perfectly valid command with perfectly valid uses. To adjust your analogy, this is like a car having an accelerator that you could push to the floor, and a steering wheel that you could use to guide it into the path of an 18-wheeler heading in the opposite direction.
Maybe it's time that OS makers realize that computers aren't just used by sys admins, but real people, which includes kids, morons, and the gulliable.
Microsoft did. This realization begat "Bob." 'Nuff said.
~Philly
Re:"This being 2004..." (Score:3, Insightful)
Suppose I wanted my installer to offer an option to convert my existing document files to a new format? Could I do that? Would the OS let me? How would I ask the user permission? Wouldn't the average user just say 'yes' if they were asked?
Even supposing the installer is prevented from doing anything bad, how do you prevent the application once installed from doing bad things? If it has permission to read and write
Fundamentally, my point still stands. In order to be useful, applications need sufficient permissions to do bad things, because it's not really possible to technologically tell the difference between good and bad in every case. A word processer has to be able to edit documents, so something posing as a word processor will have permissions to trash documents, and so forth.
Again, the root cause is that the system and the user have no way of knowing that an application is trustworthy. This is a distinct problem from that of fine grained permissions.
Smack..... (Score:3, Insightful)
When was the last time Microsoft released ANY program on a P2P network?
I guess I should say official release.
Re:"Darwin" - style award winner (Score:2, Insightful)
---
Download it from a trusted source (or check it against a hash from a trusted source). It might not be totally secure, but there's a lot less of a chance of it being malicious.
Re:Like in biology, viruses have hosts (Score:1, Insightful)
The poster spent more time trying to cover up the fact that he was trying to get some software for free, than he did explaining the file that he downloaded, exactly what happened, how he dealt with it.
Re:"Darwin" - style award winner (Score:3, Insightful)
Thank you for that completely inaccurate explanation of administrator priviledges, which demonstrates you don't have any clue whatsoever what you're talking about.
By default, root does not have a password at all. You don't need to enable the ability for the root user to login; setting an actual password for the root account (whether it's the same as that of any admin user or not) will allow root to login with that password. This is how the "Enable root access" option in NetInfo Manager enables root login. You can accomplish the same thing with "sudo passwd root" in your shell.
As for making the root password different from the password of the first user's admin account, that has no effect whatsoever. An admin user can run sudo from the command line or give root access to the Install application (or any other application that knows how to get root access) with his or her own password no matter what you change any other account's password to.