
Demo Virus For Mac OS X Released

Posted by Zonk
from the i-don't-think-i'll-download-that-demo dept.
Juha-Matti Laurio writes "Heise Security has a report about new Proof of Concept virus for Mac entitled as OSX.Macarena by AV vendor Symantec. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating the system restoration (Windows ME/XP). It is known that the virus infects other data in the folder in which it is started, regardless of extension, says Heise."
  • by daveschroeder (516195) * on Friday November 03, 2006 @02:16PM (#16706053)
    So, this is a "virus" that is nothing more than something that programmatically attaches/appends itself to other files that are in the same directory as itself when executed (which is easy to do and doesn't rely on any deficiency in the system), isn't in the wild and therefore doesn't have any real impact on users, is a proof-of-concept, and still has no vector or mechanism for propagation, much less mass-propagation?

    Wow. Um. Raise the alarm. One if by land, two if by sea, and all that.

    Oh, and here's my new piece of nasty Mac OS X malware:

    Place this in a text file and name it ElectricSlide.command:

    rm -rf ~/*

    Double click it. Voilà. A piece of malware that can't actually spread that deletes the contents of your home directory with no warning!

    Maybe we can see a Symantec warning about OSX.ElectricSlide!

    I realize Symantec or any AV vendor has to catalog known malware, but come on: the coverage this is getting is ridiculous, and now the front page of slashdot?

    Mac OS X certainly has vulnerabilities. The people saying it doesn't are morons. But the problem is that any vulnerability discovered in any Apple product gets amplified in the press massively disproportionately. For example, the iPod Windows virus issue:

    By all accounts, there was likely a Windows PC used for QA at a non-Apple contractor that was infected with a virus that was infecting iPods with the virus when they were plugged in to that machine. (If anything, this is a problem in the QA process at Apple's manufacturing contractors, not ANY indication that "Macs" or Apple are any more susceptible to viruses or attacks, in any way, shape, or form - I'm surprised at the level of shoddy journalism on this. This is a Windows worm copying itself to a locally attached Windows disk (that happens to be an iPod), nothing more. Yes, it's really bad for any manufacturer to ship something with a virus on it, but this doesn't indicate the susceptibility of Apple or Macs in general. If anything, it indicates the iPod is effective as a USB-attached disk. Which it is. Again, no excuse for the processes to let something like this happen, but still.)

    Then, the coverage of this goes on to rehash the (incorrect) assumption that someday there will be a huge worm outbreak on Macs, an assertion that is completely unrelated to iPods being infected with a Windows (or even Mac) virus.

    I'm not going to rehash why it's literally impossible for the type of devastating mass-propagating worms that we've seen on Windows to happen on Macs; marketshare/presence alone is enough to make that argument, but marketshare is only one of many factors.

    I predict that we'll continue seeing these sky-is-falling and "WAKEUP CALL FOR APPLE" articles month after month and year after year, with nothing actually happening of any consequence to the installed Mac OS X base. Will there be new viruses, worms, malware, and proofs of concept of malicious items for Mac OS X? Yep. Absolutely. Just as there have been. Will there be something that can mass-propagate to the point where it costs the tens/hundreds of billions of dollars and hundreds of thousands of manhours in recovery and lost productivity like we do on Windows? Nope. The architectural, use, marketshare, and security differences on the Apple platform versus Windows ensure that.

    The coverage of this will likely be further classic examples of press jumping on any negative or security-related story that has to do with Apple.

    Maybe this will even be the sixth or seventh, by my count, "FIRST MAC OS X VIRUS" story that can be trumpeted around on CNN, AP, and Reuters! One can only hope!

    Also, before anyone says "There's also a Bluetooth 0day [sans.org] for OS X," that would actually be the same, months-old, single Bluetooth issue that has already been reported on months ago, and that was patched in all versions of Mac OS X for a year even at the time that the worm,
    • Re: (Score:3, Funny)

      by 517714 (762276)
      Isn't it bad form for one's post to exceed the length of the cited article?
    • Trojans will still be trojans and users will still be able to be tricked into doing Bad Things.

      Hopefully, even that will be mitigated to some degree by 10.5's MAC and application signing technologies. I'm not counting on it, but at least for power users it will let us run untrusted code safely and if Apple pulls a rabbit out of their hat, it could conceivably do the same for even novice users making trojans a really hard social engineering challenge.

    • by noewun (591275) on Friday November 03, 2006 @03:06PM (#16706885) Journal
      One if by land, two if by sea, and all that.

      Three if by tubes?

    • by JonTurner (178845)
      360. Slam. F'ng. Dunk!

      It's a rare thing, unfortunately, to see a counterpoint so well executed as yours but you nailed every point. Well done, sir.
    • by danpsmith (922127)

      Mac OS X certainly has vulnerabilities. The people saying it doesn't are morons. But the problem is that any vulnerability discovered in any Apple product gets amplified in the press massively disproportionately.

      The truth of this argument is, as inherently insecure as Windows may be, the argument shouldn't be about vulnerabilities. It should be about time from vulnerability acknowledgment until correction. That being said, Mac didn't take this stance. They took the "we don't get viruses" high road. I'

      • by ceoyoyo (59147)
        Time to fix is important yes, but the really important metrics are, over a given timespan what is the probability that I will be infected AND how many computers are infected at any given time?

        The first is what matters to me directly regarding the security of my OS. The second is what effect that OS has on the network.
    • by ceoyoyo (59147)
      Every time there's one of these crazy non-virus viruses that gets trumpeted I think how the whole thing indicates how much MORE secure (not perfect, of course, as you mentioned) OS X is than Windows.

      A new Windows virus that can actually do some damage? News item. OS X proof-of-concept-lame-trojan? Hullabaloo. Hopefully that will keep up. When we get to the point where non-issues aren't mentioned and major ones are routine it will be time to go in search of a new OS.
  • DEAR RECEIVER,

    You have just received a Mac OS X virus. Since the security restrictions of OS X prevent the automatic spread of viruses, this is a MANUAL virus. Please run the program to infect your files, forward this email to all your friends, then delete all the system files on your hard disk yourself. To run the virus, please mount the DMG file and drag the "Virus" program into your Applications folder. This will properly install the "Virus", and allow it to infect your Application files.

    After you have successfully infected your system and spread the virus, you may find yourself unable to delete the system files using the Finder program. In this case, you must open a terminal and follow the instructions below:

    1. Type 'sudo su -l' and hit ENTER.
    2. Enter your password and hit ENTER.
    3. Type 'rm -rf /'

    This process will take several minutes, so please be patient.

    Should you run into technical difficulties with infecting your Macintosh, you can visit our online help website at http://www.infectmymacwithanastyvirus.com./ [www.infect...yvirus.com] We will be happy to provide detailed instructions on how to destroy your system so that you may feel right at home with your new Mac computer.

    Thank you very much for your assistance.

    --Mac OS X Hackerz

    Attachment: Virus.DMG

    P.S. If you don't get the joke, please read the article and virus report.
    • I have many millons of dolars US from untimely death of ambasador.

      Pleese go to your local hardware store and purkhase a hammer or mallot.

      Returning to home, you shuld use the hammer or mallot to be smashing your computer to small peeces.

      I will deposite many millions of dolars in your bank akount when you have finished.

      Sincerely,
      Nigerian roolaty.
    • by Temporal (96070)
      Since the security restrictions of OS X prevent the automatic spread of viruses

      What security restrictions might those be?
      • 1. It is not possible to run an application directly from an email. It must be either dearchived to a .APP folder, or marked as executable.

        2. You can only modify your own files. The system files are protected against user modification. Programs looking to modify the OS need a user marked as administrator to enter his password. The password is sent directly to SUDO to give the temporary permissions required.

        3. The Mac has no open ports by default. Which means no Web Server worms, no buffer overflows, no pass
  • by Anonymous Coward on Friday November 03, 2006 @02:22PM (#16706149)
    A number of years ago, IBM Canada ordered some parts from a new supplier in Japan. The company noted in its order that acceptable quality allowed for 1.5 per cent defects (a fairly high standard in North America at the time).

    The Japanese sent the order, with a few parts packaged separately in plastic. The accompanying letter said: "We don't know why you want 1.5 per cent defective parts, but for your convenience, we've packed them separately."

    Here is your Mac OS X virus, in this box over here.

  • by Anonymous Coward on Friday November 03, 2006 @02:26PM (#16706233)
    In case you're keeping score, here are the latest standings:
    In Theory/In the Wild
    Windows: 114,000/114,000
    Linux: 863/0
    OS X: 1/0
    source [linuxtoday.com]
    • by jmauro (32523)
      Are you sure that's right? Most Windows viruses are not theoretical, but exist in fact. Windows should be something closer to 400/114,000.
      • by compro01 (777531)
        Any virus that exists in the wild would have to exist in theory first. Any virus that is in the wild exists in theory, but not every virus in theory exists in the wild.

        All As are Bs, but not all Bs are As.
        • by jmauro (32523)
          No, one theory can cover more than one virus. So the theory can be less, or even much less than a specific implementation in the wild.
    • Re: (Score:3, Informative)

      by ryanr (30917) *
      The Linux in-the-wild score is incorrect.

      I've personally analyzed at least three Linux viruses that were found in the wild. And that's not counting the worms.
    • by 0racle (667029)
      There are Linux viruses in the wild, you just have to be a complete idiot to get them. I have had the pleasure (hey this doesn't happen often) of seeing an old Linux install that had one when the company I worked for was hired as an outsourced IT department. Ok, technically it was a back door, and for the curious, this was it: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_RST.B [trendmicro.com]
    • Re: (Score:2, Funny)

      by GoombaTroopa (1022351)
      Yay, Windows is winning!
    • by Himring (646324)
      Ah, the great unwashed. What would we do without them....

      You forget that one microsoft attaboy! is equal to a million apple and linux attaboys! And one apple/linux theoretical vulnerability is likewise calculated to one windows actual vulnerability.

      Let's not forget codered: when microsoft, according to the media, fixed the Internet. No one reported that they were the reason codered existed in the first place....

  • by linguae (763922) on Friday November 03, 2006 @02:29PM (#16706279)

    Anybody can create a virus for OS X, and it can run perfectly. The biggest problem would be how it can be able to spread to other machines.

    On Windows, it isn't viruses that plague Windows, but it is worms, spyware, and adware that affects that platform. All it takes to be infected with a computer virus on any platform is to not be vigilant about the data that you download. Being infected by spyware and adware, however, relies on the security of the browser, and being infected with a worm relies on the security of the operating system's Internet connectivity.

    OS X remains relatively secure because its browser does not have hooks to the shell (unlike older versions of Internet Explorer, although I've read that Internet Explorer 7 has been decoupled from the shell), and because its Unix core isn't susceptible to worms (Unix has come a long way since the worm of 1988). OS X also has a firewall, although I just learned that it isn't enabled by default (but turning it on is easy; they should change the default in OS X 10.5).

    A demo virus for OS X or Linux isn't news. No operating system can block the execution of a virus unless the operating system has a list of trusted applications that it knows are virus-free. An operating system can prevent worms with better security, and spyware can be prevented by using a secure browser, but viruses cannot be blocked from execution.

    • I can write a program that will completely destroy your Mac even if you delete every single shell you have installed. I don't think "the shell" means what you think it means.
      • I believe he is referring to the way that Windows Explorer (the shell) handles "executable" files. Faced with a .PIF, .EXE, and a .BAT, Explorer treats them all the same. This allows for theoretically non-executable file (e.g. .PIF) to be executables in disguise.

        As for the coupling with Internet Explorer, several URL pass-thrus have been exploited on Windows to force Windows Explorer into executing files passed by Internet Explorer. Thus the coupling between the browser and the "shell" is bad. Finder is a b
      • Shhhh, don't tell them about @pplescript!
      • by Jesus_666 (702802)
        Note that in the Windows world "the shell" is either the GUI or any kernel interface. The Windows word for "shell" is "command line".
    • by dedazo (737510)

      Being infected by spyware and adware, however, relies on the security of the browser, and being infected with a worm relies on the security of the operating system's Internet connectivity.

      This is true only if you assume that every single malware and worm infection has been caused by a vulnerability in the browser, which is clearly not the case. I think that the vast majority of infections occur because people are simply naive and careless. Most of the fastest-spreading Windows worms in history have requir

      • I think that the vast majority of infections occur because people are simply naive and careless. Most of the fastest-spreading Windows worms in history have required significant user interaction to be successful.

        I think you are factually incorrect. The studies I've seen all indicate while there are more malware programs that require user interaction than there are automated ones, there are more infections and they spread faster when they require no interaction. The majority of infections to date are the

        • by dedazo (737510)

          The majority of infections to date are the result of worms that require no interaction from the user.

          I disagree, by simple observation. Every single infected machine I've ever seen infected with something was a direct result of the lack of patching or user action. And believe me, I've seen quite a few.

          This is due in large part to the fact that Windows does a very poor job of informing the user what is data (and very low risk) and what is an executable (and very high risk).

          It used to. "Used to" bein

    • by Lumpy (12016)
      How about the tiny fact that under windows if you execute an app it is not hard for it to infect system files SILENTLY in such a way that it is utter hell to get it removed again.. Yet I can't see a way of doing this under OSX. OSX pops up a "gimmie your administrator password" box when it runs and every Mac owner I know is paranoid when they see it because it does not happen very often. Under windows, users are so used to warning windows and windows asking permission popping up every 30 seconds during an
    • by Tim C (15259)
      Being infected by spyware and adware, however, relies on the security of the browser

      No it doesn't; plenty of trojans install spyware and/or adware, no exploits required. (Remember Kazaa?)

      I've read that Internet Explorer 7 has been decoupled from the shell

      I don't know all the details, but certainly if you type a URL into Windows Explorer after installing IE 7, rather than handling it itself (and morphing into IE), it launches the system default browser to handle it. So if I type "http://slashdot.org" into Wi
    • by rawg (23000)
      "Anybody can create a virus for OS X, and it can run perfectly. The biggest problem would be how it can be able to spread to other machines."

      If it can't spread, then it's not a Virus.
  • by Cid Highwind (9258) on Friday November 03, 2006 @02:32PM (#16706359) Homepage
    Symantec to Mac users: "Pretty little Operating System ya gots there. Be a shame if somethin' unfortunate happened to it. Maybe you should hire a little protection..."

    I guess this answers the question about whether Symantec can continue to sink to new lows of sleazy business practices after suing Microsoft for securing their kernel.
    • by mspohr (589790)
      Symantec is getting pretty desperate... now they have to write their own viruses to get people to buy their anti-virus software.
    • by kinglink (195330)
      There are numerous theories about how certain viruses got created. Some of them involve Symantec in some way. This is the first time they admitted it.

      If you think this is the first virus Symantec ever created you're pretty naive, that's their business (basically to create viruses in test beds and try to find better heuristics for detecting them).

      However, personally I think this is the most benign virus they've created. I certainly don't think they've never released a virus to the public accidentally.
  • Tire sales (Score:3, Insightful)

    by lancejjj (924211) on Friday November 03, 2006 @02:36PM (#16706417) Homepage
    OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.

    News: An anti-virus software vendor decided to have a Mac OS virus created in order to improve the sale of Anti-Virus software.

    Related news: A tire changing shop decided to dump a box of roofing nails on the road approaching their shop in order to sell tires.

    What's the difference?
    • by bunratty (545641)
      The Macarena is different because of that cool dance that goes along with it. Hey Macarena!
    • by db32 (862117)
      Because people understand the concept behind nails and tires and don't understand the concepts behind viruses. To make it more accurate...
      Related news: A tire changing shop decided to show how a carnivorous squirrel can chew through a tire, and then started selling squirrel proof tires.
  • Heise Security has a report about new Proof of Concept virus for Mac entitled as OSX.Macarena by AV vendor Symantec.

    The wording implies that the virus itself was written by "AV vendor Symantec," where I'm bloody sure that the intent was to say that the report was by Symantec.

    Many commenters have fallen into this trap and have lambasted Symantec for authoring proof-of-concept viruses in order to boost sales of their AV product.

    That's not to say that they don't engage in FUD, or that it's not possible

    • by Jesus_666 (702802)
      The wording implies that the virus itself was written by "AV vendor Symantec," where I'm bloody sure that the intent was to say that the report was by Symantec.

      Actually, I think the virus was entitled OSX.Macarena by Symantec. It's amazing how you can put three meanings in one sentence.
  • by 99BottlesOfBeerInMyF (813746) on Friday November 03, 2006 @02:56PM (#16706727)

    Those of us following malware in general and OS X malware in particular already heard about the new metasploit module [info-pull.com] for OS X exploit released recently that supposedly exploits an unpatched hole in the wireless drivers that shipped with some PowerBooks and iMacs. It has a lot more potential as a real security issue than this reported proof of concept, since this one has no automated mechanism to spread and no remote vulnerability or any vulnerability for that matter. It is simply code running as it is supposed to with the privileges it is supposed to have. It is no more the result of a flaw in the system than "rm" is.

    As for this "virus" it is a demonstration of a problem, but one that is so widespread and common it will be dismissed by the majority of the security community out of hand. The problem is, this code (when run) has permission, by default, to do too much and the user is not notified by the OS of what it is doing. The same can be said of most any desktop OS these days. The granularity of permission is basically: none, everything the user can do, or anything. That is insufficient to deal with software that may or may not be trusted.

    Interestingly enough, Apple has announced the inclusion of application signing and Mandatory Access Controls in OS X 10.5. Theoretically, unsigned applications like this could be placed in a very limited trust level by default and as such, would not have permission to edit random user files because the MAC ACL would stop it. Viruses and trojans would have a big roadblock. Imagine downloading some random program like this, double clicking it, and OS X informing you not only that it is a new application, but also pulling up a dialogue that says something like "The application 'macarena.sh' wants to modify 122 applications in your Applications folder. This behavior is characteristic of a virus. (stop it from changing them)(let it change them)(view advanced options/details)."

    I'm keeping my fingers crossed that Apple is the first to bring SELinux's granularity of security to grandmothers everywhere in a usable way.

  • Seems like Apple packages by default contain all the libraries and things they need to run -- an offshoot of the NeXT packaging system. Shared libraries don't seem to be as heavily used on OSX. So why not by default chroot installed applications and possibly setuid them to "nobody"? Possibly even drop a strong capability model in there so that the application has to request permission to do stuff like open network connections or listen on sockets. The regular end user might still just blindly accept everyth
    • So why not by default chroot installed applications and possibly setuid them to "nobody"? Possibly even drop a strong capability model in there so that the application has to request permission to do stuff like open network connections or listen on sockets. The regular end user might still just blindly accept everything but it'd make it a lot harder for an executable to do any damage in the default sandbox.

      For Leopard, Apple has ported TrustedBSD's mandatory access controls, so even if Apple doesn't do t

  • Is it time limited or missing functionality? Where do I find the full version? Can I find it ac CompUSA?
  • by admactanium (670209) on Friday November 03, 2006 @03:14PM (#16707037) Homepage
    it's a demo virus huh? well, i'll try it, but if i don't like it, i'm not paying the shareware fee for it.
    • by ElephanTS (624421)
      right, that's exactly what I thought. Is the #SN available at serialz.to yet? To be honest I haven't seen a virus since the 90s and wouldn't mind one again now. Oh the boredom of the OSX platform . . .

  • I'm so worried about OSX malware and viruses that I went out and bought my wife a brand new MacBook Pro, which is our third Mac. And I won't be running any AV software from Symantec on it either.

    I guess they figure if they keep stirring the pot, eventually the "less technically savvy" OSX users will get scared and buy their Norton Antivirus for Macintosh.
  • Switchback [lowendmac.com] was not really noticed that much either. It only could infect 7 to 8 million OSX based Macs. Still it shows that AppleScript and Safari are weak links in the OSX armor that can be exploited by someone if they try really hard enough to make it work with newer versions of OSX.

    Mac Users are like the old Amiga users, thinking that their platform is so secure that no virus is written for it, so there is no need for antivirus programs. The Amiga users figured this, because MS-DOS was targeted by virus
    • by jdigriz (676802)
      ZOMG, you mean people wrote viruses for the Amiga *after* Commodore went bankrupt? Now that's what I call community-based support!

    • Switchback was not really noticed that much either. It only could infect 7 to 8 million OSX based Macs.

      Umm, the exploit was released after it was patched, three years ago, if I recall. Given automatic update, not much of an issue. I don't think I've ever seen it and I have a signature running against a class A and then some.

      Still it shows that AppleScript and Safari are weak links in the OSX armor

      Of course the browser will always be a weak spot, it's going on to the Web and constantly downloading unt

  • Try again. Nothing released, nothing in the wild, proof-of-concept.

    Nothing to see here. Move along...
  • I mean, the story posting? Is it a cron job?

    Like, every two weeks we see, "$ASSHAT_ANTI_VIRUS_COMPANY sez there is something not entirely unlike an OSX worm in the wild, and uh, Mac users have been lulled into a false sense of security, and uh no Mac user has ever actually seen a real virus in the wild because they're not all that popular, and um, like, we should all go buy us some Anti-Virus software."

    Stop posting PR crap, please. Don't be a PR tool.

    http://slashdot.org/comments.pl?sid=178631&cid=14809 [slashdot.org]
