It doesn't say how it gets installed or what it does. Doesn't say anything about running as root or how it does this.
They list it as a low priority.
I see nothing in the Sophos advisory about it running things at root level. Maybe I'm blind, but if someone can quote anything that says "root" or "privilege" or "escalation", I'd appreciate it. Perhaps it was removed. Please remember that without escalation, the damage to your system is limited to your data or any programs that you installed without providing the system password. That sucks, but it won't rob you of a working computer. If a virus or trojan can escalate itself, through a vulnerability in the OS (or by you providing it with the system password), everything on your system is at risk.
Also, this is a trojan. A trojan needs you to install it before it can do a single thing to your system. If you don't install it, you won't get infected. If you install lots of public scripts or use warez, this sort of trojan should worry you. But then again, you should probably have always been worrying if you installed such things. Sophos, being an anti-virus company, says absolutely nothing about how this trojan has been distributed so far. None of this worries me.
Also, this is not the first trojan for OS X. Search Sophos for "Renepo".
Also, according to Sophos, this is a proxy trojan -- that is, it can be used by its author to turn your computer into a gateway to launch attacks on other systems while hiding his/her identity. This sort of infection has a LONG history in UNIX. I would frankly be surprised if there weren't more of these in the wild. If the author really wanted to be a dick, its payload could be much worse.
Use a Folder Action to notify you if anything tries to put something in the Startup Items.
A safeguard is to keep an eye on two OS X folders: Library/StartUp Items and System/Library/StartUp Items. You can check them manually or you can use one of the Folder Action scripts provided by Apple as part of OS X. Using a folder action will automate the process and help you keep an eye on future additions to the folders.
Here is how to do it:
1. Go to Library/Scripts/FolderActions.
2. Locate Enable Folder Actions.scpt.
3. Double-click the script.
4. Click the "Run" button and close the script window. Now you can run folder action scripts on your Mac!
5. Go to Library/StartUp Items.
6. Control-click the folder icon and choose Attach a Folder Action from the drop-down menu.
7. In the dialog box find and select Library/Scripts/Folder Actions/add-new item alert.scpt.
8. Go to System/Library/StartUp Items.
9. Repeat steps 6 and 7.
Now whenever anything new is added to either of the folders you will automatically get an alert.
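The same watch can be kept from the command line without Folder Actions. The script below is an added example and is not part of the post above or of Apple's Folder Action scripts. It assumes the two OS X folders are /Library/StartupItems and /System/Library/StartupItems (overridable through WATCHED) and keeps its baseline listings under a snapshot directory of its own (SNAPDIR, default ~/.startupitems-snapshots); on current macOS the equivalent persistence folders would be the LaunchAgents and LaunchDaemons directories.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple's Folder Action scripts.
# Record a baseline listing of each StartupItems folder, then report anything
# that has been added since. Assumed paths: WATCHED defaults to the two OS X
# StartupItems folders; baselines go under SNAPDIR.

SNAPDIR="${SNAPDIR:-$HOME/.startupitems-snapshots}"
WATCHED="${WATCHED:-/Library/StartupItems /System/Library/StartupItems}"

# snapshot DIR FILE: record the sorted listing of DIR (dotfiles included) in FILE.
snapshot() {
    ls -1A "$1" 2>/dev/null | sort > "$2"
}

# new_items DIR FILE: print entries present in DIR now but absent from snapshot FILE.
new_items() {
    ls -1A "$1" 2>/dev/null | sort | comm -13 "$2" -
}

# report_changes DIR FILE: print "NEW: DIR/item" per addition; return 1 if any.
report_changes() {
    added=$(new_items "$1" "$2")
    [ -z "$added" ] && return 0
    printf '%s\n' "$added" | while IFS= read -r item; do
        printf 'NEW: %s/%s\n' "$1" "$item"
    done
    return 1
}

# snapshot_name DIR: flat file name for DIR's baseline inside SNAPDIR.
snapshot_name() {
    printf '%s/%s.txt\n' "$SNAPDIR" "$(printf '%s' "$1" | tr '/' '_')"
}

# main --baseline | --check: record baselines for all watched dirs, or compare
# the current contents against them. Exit status 1 if anything was added.
main() {
    mkdir -p "$SNAPDIR"
    status=0
    for dir in $WATCHED; do
        snap=$(snapshot_name "$dir")
        case "$1" in
            --baseline)
                snapshot "$dir" "$snap"
                echo "baseline recorded for $dir" ;;
            --check)
                if [ ! -f "$snap" ]; then
                    echo "no baseline for $dir; run with --baseline first" >&2
                    status=1
                elif ! report_changes "$dir" "$snap"; then
                    status=1
                fi ;;
            *)
                echo "usage: $0 --baseline | --check" >&2
                return 2 ;;
        esac
    done
    return $status
}

# Only run when given an option, so the functions can also be sourced.
case "${1:-}" in
    --baseline|--check) main "$1" ;;
esac
```

Run it once with --baseline on a machine you trust, then with --check from cron or by hand; a non-zero exit means something appeared in a watched folder. Like the Folder Action, this only covers the folders you list, so a trojan that persists somewhere else (a login item, a cron entry, a modified shell profile) will not trip it.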
Now that there is a Trojan on OS X, what is the best anti-virus software out there? Sophos, Norton, or Virex? I currently have Norton installed on my laptop.
Are there any free ones like Avast for the PC?
I can see it now, all the PC users I know will be like, "There's a Trojan for the Mac!" Yeah, but it's only one compared to how many on the PC?
Norton's is probably the worst of the three. Get rid of anything on your hard drive that bears the name "Norton" -- it's worse than the virus itself!
I also don't see anything mentioned about the level of access that trojan provides to the remote user.
http://www.pure-mac.com/virus.html
ClamXav? Has anyone tried it?
Take anything Sophos says with a healthy grain of salt!
They seem to have trouble with the subtleties of truth.
Doug
Here's the Wired News article on the worm. Intego probably said it was a threat just to get their sales up...
(Editor's note: This story corrects an earlier report that stated that the Macintosh operating system had become a target of a malicious Trojan Horse.)
Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X.
On Thursday, Intego issued a press release saying it had found OS X's first Trojan Horse, a piece of malware called MP3Concept or MP3Virus.Gen that appears to be an MP3 file. If double-clicked and launched in the Finder, the Trojan accesses certain system files, the company claimed.
While Intego said the Trojan was benign, it said future versions could be authored to delete files or hijack infected machines. In the release, and in subsequent telephone interviews, Intego was vague about the purported Trojan's workings and its origins.
On Friday, Mac programmers and security experts accused the company of exaggerating the threat to sell its security software.
"They gave the impression that this is a threat, but it isn't," said Dave Schroeder, a systems engineer with the University of Wisconsin. "It is a benign proof of concept that was posted to a newsgroup. It isn't in the wild, and can't be spread in the wild. It's a non-issue."
"They are spreading FUD to sell their software," said Ryan Kaldari, a programmer from Nashville, Tennessee, referring to the shorthand for fear, uncertainty and doubt.
Rob Rosenberger of Vmyths said he'd seen virus hype many, many times, and if antivirus companies put out alarmist press releases, it's for one of two reasons: "Either they're delusional or they're trying to own the hysteria," he said. "This has been going on for 16 years now."
Rachel Keiserman, a tech-support person at Intego, denied on Friday that her company exaggerated the threat or was attempting a publicity stunt. "It's not a hoax or anything like that." She declined to comment further and pointed to a press release listing questions and answers, which defended the company's decision to classify the issue as a threat.
"While the first versions of this Trojan Horse that Intego has isolated are benign, this technique opens the door to more serious risks," the company said. "The exploit that it uses is both insidious and dangerous, and it is our duty as a vendor of Macintosh security solutions to protect our users. We don't believe in waiting until the damage occurs, unlike some of our competitors."
Technically, the threat isn't a Trojan Horse by the standard definition: It isn't a working piece of malicious code and can't easily be spread to other computers, experts said. Instead, it is a demonstration of a possible threat.
"We're talking about theoreticals here," said Schroeder. "It is possible for OS X to be infested with Trojans, viruses and security issues, but until it is, they aren't justified in raising the alarm."
The demonstration contains a real MP3 file of someone laughing. When launched in jukebox software like iTunes, the MP3 file plays and nothing else happens. But if double-clicked in the Finder, the MP3 file plays and a warning is displayed.
The program can't be spread by e-mail or through a file-sharing network unless it is compressed using software like Aladdin's Stuffit. Failing to compress the MP3 file before sending it renders the software inoperative.
The program exploits a vulnerability that goes back to the original Mac operating system: The system allows programs to appear as a file. Programs can have any icons, names or file extension. In other words, users could be tricked into activating a malicious program, thinking they were opening a document, picture or song.
The vulnerability was exploited several times by Trojans authored for previous versions of the Mac OS.
Mac programmer Bo Lindbergh wrote the threat demonstration and posted a link on the comp.sys.mac.programmer.misc newsgroup on March 20. The link leads to a site in Sweden. The file has now been removed. Lindbergh didn't respond to an e-mail requesting comment.
Symantec on Friday said it was aware of the software. "It is a proof-of-concept Trojan that does affect the Mac platform; however, it is currently not present in the wild," the company said in a statement. It said it would continue to monitor the situation.
Likewise, Apple spokeswoman Natalie Sequeira said the company was investigating. "We are aware of the potential issue identified by Intego and are working proactively to investigate it," she said.