# Possible Mac Virus?



## macguy.nielsen (Sep 18, 2004)

Found this on Digg.

http://digg.com/apple/First_Mac_OS_X_virus

Also on Mac Rumors.

http://www.macrumors.com/pages/2006/02/20060216005401.shtml

Seems like this could be it. It spreads through AIM/iChat and it's in the form of a JPEG. It also works through networks, so if you're connected to a network with another Apple computer it can get it as well.

Let's see what comes of this.


----------



## Chealion (Jan 16, 2001)

For more deconstruction news check:
http://www.ambrosiasw.com/forums/index.php?showtopic=102379

All in all, it's more of a Trojan horse using a pasted icon on top of an executable (nothing new). The question however is exactly what payload the executable is giving.

As always, pay attention to what you're opening and keep a backup in case you eat a nasty.


----------



## Tiranis (Jun 19, 2005)

Who cares what it can do? I can create such a trojan in a matter of seconds, even more dangerous than this one... but you would still have to run it. It does not spread itself, you have to run it. It's also not the first—there was a terminal script that looked like an MP3 not so long ago. But, dammit, it's obvious that you don't run files that somebody sent you when you have no idea who they are—you especially don't authorize them with a password, gosh. If you do, you probably deserved this "wake-up call".


----------



## macguy.nielsen (Sep 18, 2004)

Who pissed in your cornflakes, Tiranis?


----------



## Mrsam (Jan 14, 2006)

macguy.nielsen said:


> Who pissed in your cornflakes, Tiranis?


It was me!


----------



## Chealion (Jan 16, 2001)

Given more of the evidence the program has to be originally run like a trojan horse but after that it operates a lot more like a virus in that it copies itself to other executables and attempts to send itself over iChat (I'm assuming over Bonjour but we have no idea as there is only one report on this).

So we have a bonafide virus. I wouldn't be concerned so long as you're practising safe <strike>sex</strike> computing

Definitions: 
Trojan Horse - a Trojan horse is a malicious program that is disguised as legitimate software.( http://en.wikipedia.org/wiki/Trojan_horse_(computing) ) 
Virus - a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. ( http://en.wikipedia.org/wiki/Computer_virus )

-----

EDIT: To get this off my chest please remember:
1) Intel != Virus. Just because Apple switched to Intel does not mean it's more susceptible to virii or malware. The malware in this instance is actually compiled as a PPC application to boot.

2) The sky will not fall. Intego said it once before and it didn't fall that time. However I bet their bottom line got a nice padding.

3)


arn said:


> it appears when launched the app infects all other apps on the computer and inserts an executable stub and code into the resource forks of all the applications. When those apps launch, it runs this code. unknown what the subsequent code does.


 - Sounds like a virus style activity. It's just missing the true replication.


----------



## Tiranis (Jun 19, 2005)

macguy.nielsen said:


> Who pissed in your cornflakes, Tiranis?


Macrumors thread.  Anyway, sorry for the tone of my previous post, but when people start blaming Apple and shouting "Virus, virus" when it's just them being stupid, I get angry. 

Would you take a pill that some random person gave you without even knowing what it is? I don't think so.


----------



## macguy.nielsen (Sep 18, 2004)

Who was blaming Apple? And the file was said to be a Leopard screenshot. So people trusted the guy and downloaded and opened it.


----------



## Tiranis (Jun 19, 2005)

Look at the thread.  "So people trusted the guy and downloaded and opened it." Right, so you would take the pill (see previous post) if somebody told you it's a candy?


----------



## macguy.nielsen (Sep 18, 2004)

If someone were to post a pic on this forum that said Leopard screenshots, you wouldn't be curious and look at it?

I did not open the file or look at the pic. But I think you are missing the point. If you supply someone with something they may want, then they'll go for it. It's a simple truth.


----------



## Tiranis (Jun 19, 2005)

Somebody posted it on another forum I go to, I downloaded it (although I was very skeptical that it's really a picture because it was in TAR), looked at poster's number of posts, checked exif (none). Deleted.

But it's their problem that they went for it! You still didn't answer my question from previous post. It's the same thing, really.

In any case, the trojan is simple applied social engineering—nobody says it isn't, but you need to think before you open something. Why would you receive a file through iChat from a random person, and why would anyone who wants to show you a screenshot give it to you in the form of a tar file for download, instead of posting the JPG? There's a reason we have brains, they're not just a decoration. And the argument that there are people who are not very good with computers won't work—this is not a computer issue, this is just not thinking before acting.

I think you are the one missing the point—no one ever doubted this could be done on OS X and it has been done before. It can be done on any OS, no matter how secure it is. The OS has nothing to do with this, it's the user that does. People that ran it and gave it access to their system should learn from this, something they should have known already—think before you act and be responsible for your actions. Instead of shouting "Oh, it's a virus, it's a bloody virus" they should be saying "I got fooled, I'll learn from this."

By the way, if you don't know about this guy, go read about Kevin Mitnick—he is the most famous "cracker" who didn't use much technological knowledge, instead he used social engineering.


----------



## macguy.nielsen (Sep 18, 2004)

Someone pissed in Tiranis' cornflakes again...


----------



## Tiranis (Jun 19, 2005)

The phrase is getting old, really... how about actually saying something meaningful or nothing at all?

I don't even know what you're trying to prove here—it's clear that it was a mistake of the users who downloaded it and launched it. You, it seems, believe that some higher power affected them and cursed their Macs… or that this was somehow preventable.


----------



## macguy.nielsen (Sep 18, 2004)

Dude, you attack faster than Dick Cheney trying to kill a duck, and you spray the people around you with your crossfire.

My simple point is that your constant murmuring that everyone is dumb if they are possibly technologically inept comes to no logical conclusion. You need to start to understand that not everyone is as godly as you. Simply saying that they need to use their brains is an argument that will only make the user more annoyed at techies and not want to talk with them about how to fix issues. 

Technology is not a natural ability. This we must understand. Yes, people should think twice before opening everything. But we cannot educate people about things by hitting them with the "Use your brain" bat. This creates animosity, not admiration.

And back to this file. Since we've taken a tangent that really has no end. 

As Chealion said, this has the ability to attach itself to files and "infect" other machines. We still know nothing of what it really does, besides simply spreading itself for no apparent reason.


----------



## Tiranis (Jun 19, 2005)

First, no I don't say they're dumb. You must be reading something else. But the point is this is NOT a technological issue. That argument doesn't work. It's social engineering. My grandmother is really, really bad at working with computers yet she would never open a file she doesn't know anything about. Why? Because it's simple logic.

Ok, let's make this clear: the file spreads through iChat, but it doesn't do that automatically—you're required to save it first. That's the first mistake—accepting a file when you have no idea where it came from. Now, it unzips the file for you, so you go on and launch it. If you're running as an admin it writes its code into several programs found through Spotlight. If not, then it asks you for a password. If you actually enter the password—well, second mistake. So let's say it found the files to infect; it then writes several new calls into the programs. That's as far as the guy got and as far as I could get studying the disassembled code. Now, as far as I know it doesn't delete anything at first, therefore the only way the user is affected is that some of his programs get infected. But it's pretty easy to re-install those, and next time the user will know not to launch anything suspicious or unknown. That's what I mean by saying they needed the "wake-up call". It might be a good thing that this one came around first, rather than some other trojan that could be much more serious.

There's nothing that would classify this trojan as a virus or worm. It doesn't spread on its own, it requires the user to launch it. There have been many of these trojans on Windows. There could've been many of them on Macs. Why? Because they're easy to create and don't require any exploits in the OS itself. They play with the user, they try to fool him—the OS or technology overall has no role in this. (Since I'm putting forward all those analogies—they're like those meat-eating plants that look beautiful but as soon as the fly/bee lands on it, it's eaten).


----------



## jdurston (Jan 28, 2005)

*First Virus? Malware*

http://www.macrumors.com/pages/2006/02/20060216005401.shtml

Just noticed this on Mac Rumors. It looks to be more of a trojan than a virus.


----------



## TrevX (May 10, 2005)

jdurston said:


> http://www.macrumors.com/pages/2006/02/20060216005401.shtml
> 
> Just noticed this on Mac Rumors. It looks to be more of a trojan than a virus.


Yeah, it's a Trojan. Anyone can write a malicious program to do whatever they want. It's not exploiting any vulnerabilities in OS X. Bottom line, don't open any files from people who you do not know.

Trev


----------



## TrevX (May 10, 2005)

Tiranis is correct. Social engineering has been around for as long as there was sunlight. There are people who find enjoyment in taking advantage of others. If someone sent you a file and said it contained Leopard screen shots and you opened it then you have been "socially engineered." You got fooled because someone made you believe it was something it was not. You still have to run this thing for it to do anything. Safe computing practices still apply.

Trev


----------



## SINC (Feb 16, 2001)

Does no one read before they post anymore?

We now have THREE separate threads on this same subject:

This One

First Virus? Malware

and

OSX Trojan discovered

Just wondering . . .


----------



## Chealion (Jan 16, 2001)

jdurston's thread was merged in here, jicon's was deleted per request.


----------



## macguy.nielsen (Sep 18, 2004)

TrevX said:


> Tiranis is correct. Social engineering has been around for as long as there was sunlight. There are people who find enjoyment in taking advantage of others. If someone sent you a file and said it contained Leopard screen shots and you opened it then you have been "socially engineered." You got fooled because someone made you believe it was something it was not. You still have to run this thing for it to do anything. Safe computing practices still apply.
> 
> Trev


For the freaking last time, I'm not arguing that it isn't due to social engineering. For the fact that you just said that means you proved my point WAY back in the thread, that if you give something to somebody that they really want they WILL go for it. Of course there's nothing new about it. Social engineering = Marketing tactics

The basic argument is that you all are assuming that everyone has this techie intuition of "safe computing practices". If everyone had this, then there wouldn't be problems with viruses.

It's the same argument as: if everyone had safe driving habits there would be no deaths on the roads. If everyone were truly up to this "safe" standard, there wouldn't be any deaths.

Tiranis - if you got a "virus like" file on your computer that was named grandchildren pictures and it sent itself to your grandmother, and you didn't know about the file, there is a huge chance, your grandmother will open that file. Because it is something that she would really like to see. 

We are all arguing the same thing but we're using different terms. Whether it be social engineering or marketing. The bottomline here is that we CANNOT assume everyone has this safe computing practice. Because "safe" within itself is a relative term, as its meaning differs from person to person.


----------



## rubeole (Oct 21, 2005)

Tiranis said:


> Would you take a pill that some random person gave you without even knowing what it is?


Good way to sum up how I lived the 1990s, yeah.


----------



## gastonbuffet (Sep 23, 2004)

1) I posted a virus thread too!!!! 

2) The moral of the story then is: if the virus gets your computer, not only may you lose your files, but Tiranis will crash into your house, grab you by the neck, and kick the living ****e out of you while shouting, to your face, "MORON".

got it. No open nothing. Me behave good.



ps: Chealion, if you care to delete my last thread, to save me the embarrassment and Sinc's sermon, obliged.


----------



## gastonbuffet (Sep 23, 2004)

trojan or virus?

http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html



Is Leap-A a virus or a Trojan?


Some members of the ehmac Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside).

However, this is not the definition of a Trojan horse.

A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism of spreading themselves. They have to be deliberately planted on a website, or accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan's code to distribute themselves further to other victims.

Trojan horses do not contain any code to distribute or spread themselves, viruses and worms do.

OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform. Worms are a sub category of the group of malware known as viruses.

Therefore, it is correct to call OSX/Leap-A a virus or a worm. It is not correct to call OSX/Leap-A a Trojan horse.


----------



## DBerG (May 24, 2005)

> and as it does require user activation, and a password if you are not already an administrator


You must be stupid or a computer noob to run this. Really.
EDIT : Oh sorry, I just re-read and I thought that it was a root command, but it's only admin. Well...


----------



## lreynolds (Dec 28, 2005)

Man, this is all over. A little worm/Trojan/virus (depending on who you talk to), and it is all over the news. Everyone is saying ha ha, the Mac users finally got a virus, and making it out to be a huge deal. Minimal damage, easy removal, and in most cases it makes it blatantly obvious that it is going to install something. How is this such a big deal? Run for the hills, there is a Mac "virus"!!!


----------



## Apple101 (Jan 22, 2006)

Hey I heard about this as well. I checked the global threat assessment widget from Symantec and I noticed it as well. Its a very good thing I have an antivirus application installed (I use Symantec Antivirus 10) because I use iChat myself and Norton found and quarantined the file immediately because it was unable to automatically clean the file. Before the definition files were updated it identified it as bloodhound, which is Symantec’s heuristic scan engine. And please before anyone calls me stupid for accepting the file, I personally did not know that it was an infected file as I expected my friend to send me a couple of pictures that he had from my school trip.

I have to question ClamXav's effectiveness because my friend uses ClamXav on his Mac even with the definition files updated it couldn’t find the worm. 

I would also like to note that if you don’t have Mac OS X Tiger installed on your system then this does not affect you.


----------



## TroutMaskReplica (Feb 28, 2003)

> trojan or virus?


it is a trojan containing a virus


----------



## gordguide (Jan 13, 2001)

Virus, trojan and worm, actually. It acts as all three at different times. Keep in mind that we must go by what others say, so some details could change. The critical aspect is the custom icon; watch for that and you should be fine.

Before the Windows users get too smug, remember:
You have to get the file somehow; if someone you know manages to infect himself, it will be an attachment in an iChat message from someone who both runs OS 10.4 and has you on his iChat buddy list. Unlike Windows, it won't auto-install. You have to help it.

However, that's not how the first user got it; he downloaded it from a forum; apparently it was a proof of concept. You could also have someone deliberately send it to you as an eMail attachment, as part of a disk, etc.

Now, of course, this is the part where things differ between Windows and OSX. You have to decompress the file manually (it has a tgz extension; a GnuZipped Tarball which is a UNIX file compression scheme). If you don't, it does nothing at all.

Then, after you decompress it, it appears to be a graphic image file; although it isn't, it will disguise itself with a custom icon representing a graphic file. Since the extension would give this away, I have a hard time agreeing with the definition that it's a trojan, but if you are willing to accept that an incorrect icon suffices to make it a trojan (executable file disguised as something else) then it fits.
If you have OSX set to show file extensions, you shouldn't be fooled by the custom icon, though.

If it does fool you, you still must help it out a second time, by double-clicking the resulting (decompressed) file. Opening it with another common Mac means (ie Open With ... ) probably will do nothing, since you are probably going to select a program that opens graphics files. If you tried "Open With ... terminal.app", it would work just fine, although if you're likely to do that you probably shouldn't be using a computer in the first place.

Some say you will be asked for your admin password, others say not. In any case, a shell will launch (you might see the "Welcome to Darwin!" greeting) that moves a file into either your home directory library (probably the default) or the system library [~/Library/Input Managers]

At that point, you are probably compromised. It then uses Spotlight to search for the last four open applications (thus 10.4 is mandatory), where it will replicate (thus, a virus) and hide itself. It then searches your iChat buddy list with Spotlight for addresses. Next, it sends itself to everyone on the iChat buddy list (which is the definition of a worm).

Your iChat friends will see the file as an attachment.

It's listed as Level 1 (the lowest of 5 levels of threat) and you need to jump through a few hoops to get this installed on your machine; it's not able to do stuff by itself without your active help. Of course, now that you know about it, the chances of that are ....

Slim to None.

Apple knows about it and I would expect this won't be a problem for long (if at all; there is no word on actual infections and since it's quite obvious to your buddies who will all of a sudden get these attachments, it's not going to be much of a secret if you are infected). This is essentially the same as Intego's Proof last year, which also relied on a custom icon that is easily defeated by showing file extensions.
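The posts above from Tiranis and gordguide describe the same mechanics from the defender's side: a `.tgz` arrives over iChat, the member inside is an executable wearing a picture icon (the custom icon rides along in the file's resource fork / Finder info, which Mac `tar` stores as a `._name` AppleDouble sidecar), and nothing happens unless the user opens it. The check below is an added example, not code from the original thread or from any of the linked articles: it inspects a tarball without extracting it and flags members whose leading bytes are Mach-O or a `#!` script even though the name or the icon says "image". The archive it scans is constructed inline for the demonstration (a few bytes of fat-binary magic, not real malware); the magic numbers are the standard Mach-O, AppleDouble and image signatures.

```python
import io
import tarfile

# Leading bytes of Mach-O thin and fat (universal) binaries, both byte orders.
# A file beginning with one of these is executable code regardless of its
# name or the icon the Finder paints on it.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC,    32-bit big-endian (PPC)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM,    32-bit little-endian (x86)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC,   universal binary header
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"   # "._name" sidecar written by Mac tar
IMAGE_MAGICS = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"GIF8": "gif"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff")


def classify(head: bytes) -> str:
    """Content type from the first bytes of a file, ignoring its name."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"#!"):
        return "script"
    if head[:4] == APPLEDOUBLE_MAGIC:
        return "appledouble"
    for magic, kind in IMAGE_MAGICS.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_archive(data: bytes) -> list:
    """Scan a (possibly gzipped) tar image in memory; return one finding per file.

    A '._name' sidecar is taken as a heuristic sign that 'name' carried Finder
    info / a resource fork, which is where a pasted custom icon lives.  Nothing
    is written to disk and nothing in the archive is executed.
    """
    sidecars, entries = set(), []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            if not m.isfile():
                continue
            d, _, base = m.name.rpartition("/")
            if base.startswith("._"):
                sidecars.add(f"{d}/{base[2:]}" if d else base[2:])
                continue
            head = tf.extractfile(m).read(16)
            entries.append((m.name, classify(head), bool(m.mode & 0o111)))

    findings = []
    for name, kind, exec_bit in entries:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        has_sidecar = name in sidecars
        if kind in ("mach-o", "script"):
            # Executable content pretending to be a picture by name or by icon.
            verdict = ("DISGUISED EXECUTABLE"
                       if ext in IMAGE_EXTS or has_sidecar else "EXECUTABLE")
        elif ext in IMAGE_EXTS and kind not in IMAGE_MAGICS.values():
            verdict = "SUSPICIOUS: extension/content mismatch"
        else:
            verdict = "ok"
        findings.append({"name": name, "kind": kind, "exec_bit": exec_bit,
                         "has_sidecar": has_sidecar, "verdict": verdict})
    return findings


def build_sample_archive() -> bytes:
    """Constructed input shaped like the tarball the thread describes: an
    extension-less fat binary plus its AppleDouble sidecar, a script with a
    .jpg name, and one genuine JPEG.  Payloads are magic bytes plus zeros."""
    def add(tf, name, payload, mode=0o644):
        ti = tarfile.TarInfo(name)
        ti.size, ti.mode = len(payload), mode
        tf.addfile(ti, io.BytesIO(payload))

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        add(tf, "latestpics", b"\xca\xfe\xba\xbe" + b"\x00" * 60, mode=0o755)
        add(tf, "._latestpics", APPLEDOUBLE_MAGIC + b"\x00\x02" + b"\x00" * 26)
        add(tf, "screenshot.jpg", b"#!/bin/sh\necho not a picture\n")
        add(tf, "photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f['verdict']:<40} {f['name']}  ({f['kind']}, "
              f"exec={f['exec_bit']}, sidecar={f['has_sidecar']})")
```

Run it against a real download with `inspect_archive(open("latestpics.tgz", "rb").read())`; the archive is only read, never extracted or opened. The content check is the part the custom-icon trick cannot defeat, which is also why gordguide's advice to show extensions helps: turning on `defaults write com.apple.finder AppleShowAllExtensions -bool true` makes the Finder display the name the same way this script reads the bytes, instead of trusting the icon.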


----------



## NBiBooker (Apr 3, 2004)

I'm not losing any sleep over this, heck I don't even use iChat.


----------



## pcronin (Feb 20, 2005)

Apple101 said:


> And please before anyone calls me stupid for accepting the file, I personally did not know that it was an infected file as I expected my friend to send me a couple of pictures that he had from my school trip.


Not calling you stupid in any way, just wondering if your friend has a common practice of putting images into a .tar to send over iChat.
From the articles I've read, that is the main way it propagates.

It's just that when I'm sending pics, I send .jpgs.. Unless this thing did send through iChat as a .jpg, then in that case, nothing you could do.


----------



## mr.steevo (Jul 22, 2005)

Hi,

If a friend sent me a .tar file, I'd open it without thinking.

Does that make me "stupid"?

s.


----------



## pcronin (Feb 20, 2005)

mr.steevo said:


> Hi,
> 
> If a friend sent me a .tar file, I'd open it without thinking.
> 
> ...


Not if that's something that happens normally, like I was asking.

I mean, if you got email on a regular basis from someone that attached raw jpgs, then suddenly he switches to including a tar or zip or whatever, wouldn't you ask if they switched?

Maybe I'm just more paranoid..


----------



## paulohnine (Aug 6, 2004)

That's it, this attack is overwhelming. I'm switching to Windows.


----------



## Kosh (May 27, 2002)

More info On Leap-A or Oompa Loompa

http://www.macworld.com/news/2006/02/16/leapafaq/index.php


----------



## CN (Sep 3, 2004)

paulohnine said:


> That's it, this attack is overwhelming. I'm switching to Windows.


:lmao: Me too! I haven't slept for days! And in this sleep deprived condition, I'm likely to open a .tar that I think is a jpeg!

At least it requires the user to execute the file, which really limits its effectiveness. I wonder why it wasn't made more malicious though...now people will be on the lookout (at least more so) for this kind of thing.


----------



## Klaatu (Jun 3, 2003)

I haven't read all the responses, but I saw this article that begins: 

"Security companies discover the first virus for the Mac OS X operating system but it doesn’t cause any damage."

In other words, a company that makes its living by creating fear so people will buy their product makes this announcement. Second, they acknowledge it's not really a threat.

I don't get the fuss.


----------



## Kosh (May 27, 2002)

Klaatu said:


> I haven't read all the responses, but I saw this article that begins:
> 
> "Security companies discover the first virus for the Mac OS X operating system but it doesn’t cause any damage."


Actually it does cause some minor damage if you read the MacWorld article I linked to. It infects applications and because of a bug in the malware, prevents infected applications from running. Of course you can just reinstall the infected application.


----------



## DP004 (Mar 9, 2005)

So, the score is now 75,438 to 1.
We should ask for a time-out to calm down and think positively.


----------



## Apple101 (Jan 22, 2006)

pcronin said:


> Not calling you stupid in any way, just wondering if your friend has a common practice of putting images into a .tar to send over iChat.
> From the articles I've read, that is the main way it propagates.
> 
> It's just that when I'm sending pics, I send .jpgs.. Unless this thing did send through iChat as a .jpg, then in that case, nothing you could do.


Well my friend had about 160 pictures lol so to slow down the download time I told him to compress it. I never got infected obviously, NAV picked up on it before I even had a chance to look at it. Also now some fruit cakes in the Windows forums are starting to bash Mac over this.....

http://news.com.com/Bluetooth+worm+targets+Mac+OS+X/2100-7349_3-6041091.html


----------



## jlcinc (Dec 13, 2002)

Well I just watched a Global news report about the new OSX mac virus. Of course they didn't give any real info.
John


----------



## macguy.nielsen (Sep 18, 2004)

This writer is now known as the most accomplished, misrepresented malware writer in OS X history. Kudos to him/her for writing something that does nothing but scare the world. *shakes head*


----------



## DBerG (May 24, 2005)

http://www.macworld.com/news/2006/02/17/inqtana/index.php?lsrc=mwrss

Why haven't we heard about them before? It's as if OS X became less secure in one night.


----------



## monster and machine (Aug 22, 2005)

*latestpics.tgz*

mac osx virus that apparently spreads through ichat...anyone know anymore? here is the article
http://www.zaman.com/?bl=national&alt=&hn=29917

this is just the beginning, and all of you people who always brag and boast about mac osx being so unstoppable are the main cause ironically. there are hordes of hackers just waiting to accomplish the task of actually getting a very good virus into the mac world. though this attempt obviously falls quite short, i think it is the beginning of something bigger. so brag whilst you can.


----------



## monokitty (Jan 26, 2002)

Feel free to join ArtistSeries' anti-Mac party.


----------



## markceltic (Jun 4, 2005)

monster and machine said:


> mac osx virus that apparently spreads through ichat...anyone know anymore? here is the article
> http://www.zaman.com/?bl=national&alt=&hn=29917
> 
> this is just the beginning, and all of you people who always brag and boast about mac osx being so unstoppable are the main cause ironically. there are hordes of hackers just waiting to accomplish the task of actually getting a very good virus into the mac world. though this attempt obviously falls quite short, i think it is the beginning of something bigger. so brag whilst you can.


So you're the one responsible aren't you admit it.


----------



## MannyP Design (Jun 8, 2000)

There are two threads about it already.

Generally... it's a gimp of a virus/malware/worm hybrid that requires a really stupid person to allow it to propagate.

If this is the sign of things to come... I'm not worried the least little bit.


----------



## scootsandludes (Nov 28, 2003)

monster and machine said:


> mac osx virus that apparently spreads through ichat...anyone know anymore? here is the article
> http://www.zaman.com/?bl=national&alt=&hn=29917
> 
> this is just the beginning, and all of you people who always brag and boast about mac osx being so unstoppable are the main cause ironically. there are hordes of hackers just waiting to accomplish the task of actually getting a very good virus into the mac world. though this attempt obviously falls quite short, i think it is the beginning of something bigger. so brag whilst you can.



OMG, monster and machine has actually developed a flux capacitor, and has gone back in time to Monday, when this was news.

http://www.ehmac.ca/showthread.php?t=37426


----------



## Chealion (Jan 16, 2001)

Threads merged again.


----------



## gordguide (Jan 13, 2001)

" ... this is just the beginning, and all of you people who always brag and boast about mac osx being so unstoppable are the main cause ironically. there are hordes of hackers just waiting to accomplish the task of actually getting a very good virus into the mac world. though this attempt obviously falls quite short, i think it is the beginning of something bigger. so brag whilst you can. ..."

There have been Mac viruses in the past (pre OSX) and there will be in the future. What there has never been on MacOS and always been on WindowsOS are attachments that are automatically trusted by the OS and automatically installed by the OS without our knowledge.

In other words, this would have been a big deal if we were running MSN Messenger on Windows, and that, not the existence of viruses themselves, is the reason why it's still a problem for Windows users, 7 years after Windows2000 was released and 5 years after XP was released, when Microsoft should have fixed that fundamental flaw, a flaw that exists in no other OS, including all the other non-Microsoft OS's that run on x86 hardware.


----------



## macguy.nielsen (Sep 18, 2004)

monster and machine said:


> this is just the beginning, and all of you people who always brag and boast about mac osx being so unstoppable are the main cause ironically. there are hordes of hackers just waiting to accomplish the task of actually getting a very good virus into the mac world. though this attempt obviously falls quite short, i think it is the beginning of something bigger. so brag whilst you can.


Sooooo according to your analysis, Mac fan user base is the problem and hackers are bad coders? And _not_ the fact that MacOSX really is harder to crack and has absolutely nothing to do with the mac fan user base...


----------

