# Possible OS X Trojan?



## bbloke (Feb 16, 2006)

MacRumors.com is carrying a story about a possible new trojan for OS X, although they first termed it a virus.  It appears to be in the form of a file that must be decompressed, and the content pretends to be a JPEG.  



			
MacRumors.com said:

> The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression.  Routines listed include:
> 
> _infect:
> _infectApps:
> ...


I thought I should mention this article in case it is true and anyone here comes across the file, but I'm not panicking and saying the sky is falling.


----------



## bbloke (Feb 16, 2006)

Sophos have stated it is the first Mac OS X virus, and that it spreads via iChat software:



> *First ever virus for Mac OS X discovered*
> 
> *OSX/Leap-A worm spreads via iChat instant messaging software*
> 
> ...


----------



## Mikuro (Feb 16, 2006)

> Sophos advises all computer users, whether running PCs or Macs, to practise safe computing and keep their anti-virus software updated.


Bad advice. Safe computing = good. Anti-virus Mac software = a cure that's worse than the disease.

This is certainly interesting. Didn't Apple make it so the OS would warn you the first time it launched an application in a certain way? They probably ought to expand that to include launching an application by double-clicking it.


----------



## Tommo (Feb 16, 2006)

There are more details here.

http://www.theregister.co.uk/2006/02/16/mac_os-x_virus/

They say it prompts for an admin password, but I sometimes think OSX does that so often that some users may become complacent and just type it in before they think why they are being asked.


----------



## bbloke (Feb 16, 2006)

And probably the most detail I have come across can be found on the Ambrosia forums, believe it or not!  Here are some excerpts:



> *A few important points*
> 
> -- This should _probably_ be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)
> 
> ...





> Here's what it does if a user double-clicks on the file, or otherwise executes it:
> 
> 1) It copies itself to /tmp as "latestpics"
> 2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip'd copy, then sets custom icon bit for the new file in /tmp
> ...


----------



## fryke (Feb 16, 2006)

Doooooooooooooooooooooooon't panic. It's a trojan, which you have to execute yourself, if you want to be harmed. Which, of course, you don't.


----------



## bbloke (Feb 16, 2006)

Who's panicking?  

It does seem to be another case of the user having to "pull the trigger" on themselves, so the user is not exactly defenseless against this delightful offering...


----------



## sinclair_tm (Feb 16, 2006)

Sounds easy to avoid: just don't open anything sent to you in iChat unless you have cleared it with the person that sent it to you. And I know I'll never see this thing; nobody I have in iChat has a Mac, they are using AIM on Windows or on their cell phone. I just find it humorous that my dad and I just had a discussion about malware and Macs last night. He must be a prophet, because he said it wasn't a matter of if, but when, and promised me that they were coming. Don't you just hate how dads are always right?


----------



## Shookster (Feb 16, 2006)

I think they're blowing it out of proportion. Everyone's saying "Oh my God, there's a Mac OS trojan now. The world's going to end!" It can propagate via iChat but the program doesn't do anything malicious. On top of that, you have to download and open it yourself, so why worry?


----------



## fryke (Feb 16, 2006)

bbloke said:

> Who's panicking?
> 
> It does seem to be another case the user having to "pull the trigger" on themselves, so the user is not exactly defenseless against this delightful offering...


Well... I just wanted to make it clear.  ... I saw the thread, saw three or more linked articles and thought: Wow, I hope this is not too MUCH information for the casual reader. 

It doesn't propagate through iChat, really, either. The recipient has to _accept_ the file first, unpack it and run the executable. "It _tries_ to propagate through iChat" is more like it, I think... And yes, it gets blown out of proportion.


----------



## Mikuro (Feb 16, 2006)

Back in the old days, propagating from system to system was not the way viruses worked — with Internet usage so common, how _could_ they? A virus is not something that "infects" a system by being installed; it infects multiple programs _within_ a single system by attaching itself to them, altering their code so that it can run when they run, and then spread to _other_ programs, etc.

So it sounds to me like this is an honest-to-goodness VIRUS, not just a trojan. Which is quite rare these days — I can't remember the last "virus" I've heard of that was _actually_ a virus.

I'm giddy with geeky excitement!


----------



## bbloke (Feb 16, 2006)

fryke said:

> Well... I just wanted to make it clear.  ... I saw the thread, saw three or more linked articles and thought: Wow, I hope this is not too MUCH information for the casual reader.


Ah, I like to be well-informed.   

Actually, I thought this was something that could be blown out of proportion, so I wanted to provide information as I came across it.  I suspected anti-virus manufacturers would, of course, try to build on people's fears!

It still seems like the user has to assist this malware and so it is not as bad as one could expect, but it is an interesting beast, nonetheless.


----------



## fryke (Feb 16, 2006)

Mikuro said:

> Back in the old days, propagating from system to system was not the way viruses worked — with Internet usage so common, how _could_ they? A virus is not something that "infects" a system by being installed; it infects multiple programs _within_ a single system by attaching itself to them, altering their code so that it can run when they run, and then spread to _other_ programs, etc.



Well... Back in the old days, propagating from system to system was EXACTLY how viruses worked. With floppies. Where would you get infected if not through those...

It's considered a trojan because like the Trojan Horse (Homer) it comes as something people might want (screenshots of Leopard), so they might double-click the executable, thinking it was a JPEG-file. That makes it a trojan by definition.

A virus, in my opinion, doesn't really need user interaction...


----------



## stizz (Feb 17, 2006)

Drudge is spreading the wrong info. He still calls it a virus on his front page.

www.drudgereport.com

I emailed him already... maybe we all should.


----------



## Rhisiart (Feb 17, 2006)

The press just couldn't wait for a Mac virus story (virus or not).

The King is dead!
Long live the King!


----------



## Mikuro (Feb 17, 2006)

fryke said:

> Well... Back in the old days, propagating from system to system was EXACTLY how viruses worked. With floppies. Where would you get infected if not through those...
> 
> It's considered a trojan because like the Trojan Horse (Homer) it comes as something people might want (screenshots of Leopard), so they might double-click the executable, thinking it was a JPEG-file. That makes it a trojan by definition.
> 
> A virus, in my opinion, doesn't really need user interaction...


Hmm. Well, spreading from computer to computer was not IN the virus's code. It just happened, through user interaction. Viruses did not specifically target floppies for the purpose of spreading to other computers. All they were programmed to do was infect program after program.

So I still think we've got a genuine virus here, even if it's wrapped up in a trojan. The two terms aren't really mutually exclusive, after all.

Come to think of it, I guess you could call it a worm, too, since it does try to propagate itself through networking. Hmm...


----------



## sinclair_tm (Feb 18, 2006)

there's a second one now. check it out.


----------



## Mikuro (Feb 18, 2006)

Any more info on that second one? What they offer is awfully vague. Using bluetooth sounds interesting, but it also sounds like it would have a very, very narrow scope. I mean, most systems don't even have Bluetooth, and even the ones that do would only be able to spread it to other Bluetooth-enabled machines within, what, 30-100 feet?


----------



## Ricky (Feb 18, 2006)

The sky is falling!  Everyone run for your lives!!


----------



## Cheryl (Feb 18, 2006)

It was released from Symantec. Figures. They want us to buy their product. And then subscribe yearly for definition updates. And they probably will raise that subscription price just because of this.


----------



## scruffy (Feb 18, 2006)

The second one is a proof of concept only - it has not been spotted in the wild, and looks as though it's been written specifically to prevent it from spreading in the wild.  The programmer of this one was pretty careful too - in case the measures to prevent spreading were buggy, they even put in code that will deactivate the virus after 24 February.

http://www.f-secure.com/weblog/
http://www.f-secure.com/v-descs/inqtana_a.shtml


----------



## bbloke (Feb 20, 2006)

Of course, an alternative to commercial anti-virus software and subscriptions is ClamXav, which is a free anti-virus program.  According to MacFixit, the virus definitions have been updated to deal with the "Leap-A"/"Oompa-Loompa" trojan:



> *ClamXav virus definitions updated* The free graphical front-end to ClamXav has been updated to include a virus definition for the Oompa-Loompa Trojan (OSX/Oomp-A).
> This is the recommended route for protecting against this potential threat -- it's free, and does not cause the issues apparent with some other virus protection utilities.


I haven't downloaded ClamXav myself, but maybe should do.


----------



## fryke (Feb 20, 2006)

There were many boot-viruses. I've had some on my Atari STs and Amigas, and I've also seen them on PCs back then. Their code quite clearly aimed at spreading through floppies.
That was only _part_ of what those viruses did, though.



			
Mikuro said:

> Hmm. Well, spreading from computer to computer was not IN the virus's code. It just happened, through user interaction. Viruses did not specifically target floppies for the purpose of spreading to other computers. All they were programmed to do was infect program after program.


----------



## easterhay (Feb 20, 2006)

Isn't it true that ClamXav scans but doesn't heal?


----------



## fryke (Feb 20, 2006)

clamxav can "heal" (I think it's rather deleting infected files, though...)...

Btw.: http://haligon.blogspot.com/2006/02/safari-executes-shell-scripts.html (apparently, there's a new weakness in Safari that Apple has to cover soon...).


----------



## Mikuro (Feb 20, 2006)

fryke said:

> Btw.: http://haligon.blogspot.com/2006/02/safari-executes-shell-scripts.html (apparently, there's a new weakness in Safari that Apple has to cover soon...).


What a surprise. </sarcasm> How many times has the "Open 'safe' files after downloading" feature been part of a security hole? I lost count after three or four. From day 1, this feature was _obviously_ a bad idea. Apple needs to simply _get rid of it_.

I recommend that everyone turn it off. It's always a good idea.


----------



## fryke (Feb 20, 2006)

Yeah. The problem is that for new users, Safari is set to automatically open "safe" files. I think they should finally change the default behaviour...


----------



## camgangrel21 (Feb 20, 2006)

I have been working on a Mac now for going on about a year, and I would have to say that Safari's Open "safe" Files acts just as Windows boxes do right after you install them. Even Firefox on a PC will do this: if it sees a helper app to open or run something you're downloading, it will do that if you don't tell it not to. Really, if you look at this "problem", it's just showing how stupid software has to be made to run right out of the box. I mean, it took me about 20 minutes right here on this forum reading and I found a program that would stop that behaviour and some others that I did not like.
I just hope that when my kids get to the point that they're using their own computers, they don't need this kind of hand-holding by the OS.


----------



## Mikuro (Feb 20, 2006)

Really? Even Firefox? I'm surprised at that. Of course, the feature could be completely benign if only Apple were a little smarter about what they considered to be a safe file type.

And I think it's awfully telling that Apple feels the need to put the word _safe_ in quotes! ::ha::


----------



## fryke (Feb 21, 2006)

Well... Let's look at this more closely. Apple _is_ looking for executables and doesn't run them automatically. However: If a shell script does not have the first line which tells the Terminal what shell/command to open the script with, the security in place fails to see it as an executable. So actually, to "see" shell scripts, Apple checks for that line. They "simply" have to update that code now. (Again, they should *also* make the default behaviour to not postprocess files at all. Sure, it's more user-friendly if zip-files are auto-expanded and the results shown in the Finder, but if it's a security risk...)


----------



## Mikuro (Feb 21, 2006)

The problem here is really that Safari opens files as if they were double-clicked in the Finder. That's simply a recipe for disaster. Instead, it should open files with predetermined applications (e.g., if Safari thinks it's a JPEG, it should open it with the user's default JPEG viewer). If Safari thinks it's a JPEG, obviously it shouldn't be opening it with Terminal.

That would do a lot to ensure that even if Safari mis-identifies a file (which is bound to happen, just like it has here), it still won't do any harm. If you open a shell script with Preview, for example, it's not going to run.


----------



## fryke (Feb 21, 2006)

Well: Safari uses the Finder/System, of course, to post-process. If it has to provide its own database of what opens what, this is going to pose problems, too. I, for one, _don't_ want JPEGs to open in Preview, so I have set Photoshop as the default app for JPEGs. Now why should Safari, on *my* system, open them in Preview? Their way is correct here - from the user point of view.


----------



## billbaloney (Feb 21, 2006)

As Apple says:

+ + + + +

_Note that, while Safari and Mac OS X 10.4 offer this feature for increased security, no software can protect against each and every "unsafe" file or unauthorized access attempt. Safari protects against files it identifies as unsafe._

+ + + + +

Of course, the title of that article is "Safari can help prevent unsafe downloads".

I agree that the option should just be removed.  Let's avoid the "Windows-ization" of OS X and its apps: require a certain level of intelligence, critical thinking, and initiative by the user.  The idea that some of us should be "power users", and thus more secure in our everyday computer tasks, is both silly and dangerous.  The "power users" won't be vulnerable to any but the most pernicious worms, or the most fundamental security risks.

Don't auto-open; instead, to maintain an informative UI, provide a confirmation message showing where the file is.  It's easy, clean, and safe.


----------



## Mikuro (Feb 21, 2006)

fryke said:

> Well: Safari uses the Finder/System, of course, to post-process. If it has to provide its own database of what opens what, this is going to pose problems, too. I, for one, _don't_ want JPEGs to open in Preview, so I have set Photoshop as the default app for JPEGs. Now why should Safari, on *my* system, open them in Preview? Their way is correct here - from the user point of view.


That's not what I mean. I mean that Safari should use _your_ default application for the file, as opposed to what it does now, which is to use the _individual file's_ own settings (which the user, in cases like this, has no control over). So if you want them to open in Photoshop, it would, as long as you have Photoshop set as your default JPEG viewer. And if someone zipped up a JPEG that was specifically set to open in QuickTime Player, then it would _still_ open in Photoshop for you, because that's _your_ setting. The method I'm proposing is really _more_ about the user than the way it is now. It would also be a lot safer.


----------



## billbaloney (Feb 21, 2006)

That goes along with my suggestion.  In addition, if there's no user-specified helper app for the file, the user should be prompted to specify an action, Firefox-style.  No file should ever be passed directly from Safari to the Finder without user intervention.  The file itself should never be able to specify a default action.


----------



## Esquilinho (Feb 22, 2006)

We just got our first Mac virus infection in our company!
The Inqtana-B spread from our headquarters in Belgium to our Italian and Portuguese affiliates. Here the consequence was that we could not open any Microsoft Office apps. In Belgium, our colleagues got some corrupted files in the pre-press system. But we're all clean now.


----------



## bbloke (Feb 22, 2006)

By the way, for anyone using Sophos and worrying about "Inqtana-B," have you seen the recent message from Sophos?  Apparently the Sophos software was giving a lot of false positives, but that has been fixed as of an update yesterday afternoon (GMT).



> SophosLabs, Sophos's global network of virus, spyware and spam analysis centers, issued an update at 14:43 GMT on Monday 21 February to detect the OSX/Inqtana-B worm for Mac OS X.
> 
> Unfortunately, this update was flawed, and Mac OS X users may have been mistakenly warned by Sophos Anti-Virus for Mac OS X that some files on their computers were infected with the worm.
> 
> ...


Also, what are people's experiences of different anti-virus programs and/or manufacturers?  I always remember older, Norton-related disasters, but was wondering what more recent experiences are.


----------



## bbloke (Feb 22, 2006)

Mikuro and fryke: I've seen an article relating to the Safari and Mail vulnerabilities that may be of interest:

http://isc.incidents.org/diary.php?storyid=1138

Mmm.

Edit: More useful comment can be found at: http://www.unsanity.org/archives/000449.php


----------



## Esquilinho (Feb 22, 2006)

bbloke said:

> By the way, for anyone using Sophos and worrying about "Inqtana-B," have you seen the recent message from Sophos?  Apparently the Sophos software was giving a lot of false positives, but that has been fixed as of an updated yesterday afternoon (GMT).
> 
> 
> Also, what are people's experiences of different anti-virus programs and/or manufacturers?  I always remember older, Norton-related disasters, but was wondering what more recent experiences are.




Actually we do have Sophos. But since we did see some results from the virus (for example, Office apps not opening), I guess we did have the virus...
Unless it was Sophos itself that was causing the problem...

We've been using Sophos for almost a year now, I think, and so far I haven't noticed any problems or conflicts with other software. It just runs smoothly. We practically don't notice its presence... until yesterday, that is.


----------



## powermac (Feb 22, 2006)

Awhile back, someone recommended an open source, free program called ClamXav, which can be found at www.clamxav.com.

All I can report is the program appears to work well.


----------



## Mikuro (Feb 22, 2006)

bbloke, those links raise some interesting points, but I have to disagree with them when they say this is not a problem with Safari. The deeper "problem" they examine is not much of a problem at all, because it requires the user to specifically open the file. Disguising an application as a plain ol' file is the oldest trick in the book, and there's just no way around it. Common sense neatly patches up this "security hole".

Unsanity is making too big a deal about LaunchServices. The problem, as they portray it, is that you can make these shell scripts have a JPEG icon when they're really executable. Well, you've been able to do that on the Mac for 20+ years. It's called a custom icon. Just Get Info on the file, and paste on a JPEG icon. This has _exactly_ the same effect as the method currently used by the exploit, except that it won't trigger Safari's security hole.

It's very easy, on any platform, to make a program look like a harmless file. Users simply need to be careful what they open. This will never change, and it is not a flaw of any OS.

I agree that what Unsanity describes is poor design (it should be per-user, not per-file), but it's not a big issue when it comes to security.

The problem here IS with Safari, because as it is set up now, simply visiting a web site, and doing _nothing else_, could lead to some unknown arbitrary program getting installed and executed. This is all because Safari is naive and doesn't use caution when identifying and opening unknown files.

Edit: I should have read the first link more thoroughly. The last bit they mention, about sending attachments with the "x-unix-mode=0755" tag set, is definitely a problem. Any file that has the executable bit set should definitely be displayed as an application in the Finder, so I agree that this is something that needs to be fixed in the OS. But this is actually a different issue than the "strong bindings" problem Unsanity is talking about.
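As an added example, not code from the thread, Apple or Unsanity, here is a small POSIX shell classifier that puts the two rules discussed above side by side: the naive test fryke describes earlier in the thread (a download counts as a script only if its first line is `#!`) and the test Mikuro argues for (the executable bit and the actual content decide, never the icon or the name). The function names, the "safe" extension whitelist and the set of magic numbers are this example's own choices; Launch Services' per-file "open with" binding, the strong-binding point in the Unsanity article, lives in macOS-only metadata that this script does not read.

```sh
#!/bin/sh
# Added example (not code from the thread, Apple or Unsanity): a download
# classifier that puts the naive rule fryke describes (a script is only a
# script if its first line is "#!") next to the rule Mikuro argues for (the
# exec bit and the real content decide, not the icon or the name).
# Assumptions: the "safe" extension list and the magic numbers below are this
# example's own; Launch Services' per-file "open with" binding lives in
# macOS-only metadata and is not inspected here.

# Hex of the first N bytes of a file, e.g. "feedface". POSIX od, so it runs
# unchanged on macOS and Linux.
first_bytes_hex() {
    od -An -tx1 -N"$2" "$1" 2>/dev/null | tr -d ' \n'
}

# Exec bit in any of the three permission slots (s/t mean setuid/sticky plus
# exec). Read from the mode string rather than test -x so the answer does not
# depend on how the volume is mounted.
has_exec_bit() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        *[xst]*) return 0 ;;
    esac
    return 1
}

# Naive rule: only a shebang marks a script. A script with no "#!" line that is
# bound to Terminal (the Safari proof-of-concept) slips straight through.
naive_is_executable() {
    [ "$(first_bytes_hex "$1" 2)" = "2321" ]
}

# Hardened rule: exec bit, shebang or Mach-O/fat magic means "executable", no
# matter what the name or icon suggests. This catches the x-unix-mode=0755 mail
# attachment, the shebang-less script and a Leap-A style binary named as a picture.
hardened_is_executable() {
    has_exec_bit "$1" && return 0
    case "$(first_bytes_hex "$1" 4)" in
        2321*)                               return 0 ;;   # "#!"
        feedface|cefaedfe|feedfacf|cffaedfe) return 0 ;;   # Mach-O 32/64, either byte order
        cafebabe)                            return 0 ;;   # fat/universal (also Java class files)
    esac
    return 1
}

# Does the content match the format the extension claims? Only the picture
# types the thread discusses are covered; anything else is "cannot vouch".
content_matches_extension() {
    case "$1" in
        *.jpg|*.jpeg) [ "$(first_bytes_hex "$1" 2)" = "ffd8" ] ;;
        *.png)        [ "$(first_bytes_hex "$1" 4)" = "89504e47" ] ;;
        *.gif)        [ "$(first_bytes_hex "$1" 4)" = "47494638" ] ;;
        *)            return 1 ;;
    esac
}

# One verdict per file: SAFE, or SUSPICIOUS plus the rule that fired.
verdict() {
    if hardened_is_executable "$1"; then
        echo "SUSPICIOUS executable-content-or-mode"
    elif ! content_matches_extension "$1"; then
        echo "SUSPICIOUS content-does-not-match-extension"
    else
        echo "SAFE"
    fi
}

# Usage: classify_downloads ~/Downloads   (one tab-separated line per regular file)
classify_downloads() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(verdict "$f")" "$f"
    done
}

# Constructed sample files for trying the classifier offline; nothing here is
# real malware, just the headers and modes the rules look at.
make_samples() {
    printf 'echo owned\n' > "$1/latestpics.jpg"; chmod +x "$1/latestpics.jpg"   # no shebang, exec bit
    printf '#!/bin/sh\necho owned\n' > "$1/script.jpg"                           # shebang, mode 0644
    printf '\316\372\355\376rest-of-binary' > "$1/binary.jpg"                   # x86 Mach-O magic
    printf '\377\330\377\340JFIF' > "$1/photo.jpg"                               # genuine JPEG header
    printf 'GIF89a' > "$1/anim.gif"                                              # genuine GIF header
    printf 'plain text' > "$1/notes.jpg"                                         # wrong content for .jpg
}
```

Running `classify_downloads` on a directory filled by `make_samples` flags the shebang-less executable, the shebang script, the Mach-O-headed file and the mislabelled text file, and passes the genuine JPEG and GIF headers; the naive rule alone sees only the shebang script. The extension check is deliberately a whitelist: a name the script cannot vouch for is reported, not trusted.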


----------



## fryke (Feb 22, 2006)

But it happens in Mail.app too, now. So in the worst case, somebody uses an e-mail address you know as the sender and sends you a "JPEG". And if you merely click on it in the mail window, the script is executed in Terminal.app. While I agree it still involves a user's click, it's still something that should be considered in Launch Services. Maybe even this specific case...


----------



## Parke (Feb 22, 2006)

I heard on the radio today that someone found a serious flaw in Safari allowing someone to hack in and delete files on the computer... Anyone know what that's about?  I had just woken up and only heard about half of the report...


----------



## fryke (Feb 22, 2006)

Had to merge your thread with this one, Parke... Somehow, though, your thread title didn't make it into your post title. :/ ... You asked whether Safari got hacked. You'll find answers in _this_ thread about it. But "Safari hacked" is definitely the wrong term...


----------



## Parke (Feb 22, 2006)

sorry about that...


----------



## fryke (Feb 22, 2006)

no prob.


----------



## Mikuro (Feb 22, 2006)

There are actually two different things we're talking about that affect Mail now. One is the same thing hitting Safari (a zipped up shell script that looks like a JPEG and is set to open in Terminal), and the other is an application that you can email, unzipped, that appears to be a JPEG. They sound very similar, but the method of trickery is distinctly different. 

Last year, after something like this happened, Apple added a feature to OS X that asks the user for confirmation before loading an application for the first time. For some reason, Apple only made this confirmation screen appear when the application loaded through certain means (for example, double-clicking an associated file). The only way Apple can really prevent the application-that-looks-like-a-file problem is by making this confirmation dialog appear the first time an application is loaded by _any_ means, even by the user explicitly double-clicking it. Apple really should do this. It'd be annoying, but that's the price of security, I suppose.


----------



## scruffy (Feb 22, 2006)

I'm not sure that will help much.  For example, if a user has already opened the Terminal, then there will be no confirmation if they get hit with one of these (the drive-by download in Safari, the emailed app-that-looks-like-a-jpeg)

Even if you forced the user to first save the file to the desktop, then open it from there, the problem stays the same - the OS gives every indication that the file is harmless, but when it's opened, it is treated as an application.

To really solve this will involve some serious hard decisions about how to deal with the OS 9 legacy of file/creator codes - decisions that should have been made sometime before OS X public beta.  Unfortunately, I don't really trust that Apple has the will to make these decisions now.


----------



## Mikuro (Feb 22, 2006)

Hmm. Even shell scripts need to have the executable bit set, so Launch Services should be able to identify them as dangerous before opening them just as if they were real applications, right?


----------



## BigMacAttack (Feb 22, 2006)

Not being a "Techie" I am only marginally concerned. However, is it safe to say that doing the following will provide some measure of security? In Safari preferences, shutting off the "open safe files after download" option would be a good place to start until Apple releases a patch? I tend not to open any files that I'm not sure of their origin but one never knows. Especially if its a forwarded file. OSX is new to me so I haven't the experience of much Admin input.


----------



## Viro (Feb 23, 2006)

Yes, turning off "Open safe files after download" will solve many of these problems.


----------



## scruffy (Feb 24, 2006)

Absolutely - turn off "open safe files after download", and don't manually open anything that you didn't expect to start downloading from a website.  That and don't open email attachments you weren't expecting, and you will be safe from not only these particular problems, but probably the next ones to show up too.


----------



## bbloke (Feb 28, 2006)

It seems that the originator of InqTana has given an interview!

http://www.securityfocus.com/columnists/389



> *Why did you decide to make a worm out of the vulnerability?*
> 
> *Finisterre:* I have heard of so many folks touting that misconception that Macs can't get viruses that I thought it was about time to start a dialog with some of the AV (antivirus) companies and express some of my ideas. In the process of confirming my own concerns, this code was created. I am not one for talking about things in concept form - I like to actually implement and prove a concept.
> 
> ...






> *Which of the three above methods do you think will be used by future worm and virus authors the most? Hopefully Apple will take note and address these areas of concern.*
> 
> *Finisterre:* The _InputManager_ technique seems to be very powerful. Using it to hook either - init or for a MethodSwizzle will most definitely be a popular thing to do. The primary reason I think it will be used often is due to the fact that it is portable across major versions of OS X. The _launchd_ and _dyld_ techniques are more specific to a particular version of OS X.






> *Are you worried about prosecution at all?*
> 
> *Finisterre:* Since this code was not maliciously released into the wild, I honestly had only given a little thought to it. I honestly see this being no different than any of the other exploits and full-disclosure-style releases that I do. I had asked a few folks to turn me on to malware specific laws, but I have yet to get any responses.
> 
> I was hoping that by being responsible and keeping this limited to proof-of-concept code, it would not come to that. I think it would be a shame to prosecute someone that did not have malicious intent.


----------



## billbaloney (Mar 2, 2006)

Just a note that the 1 March 2006 Security Update seems to recognize this issue:

> *Safari, LaunchServices*
> 
> CVE-ID: CVE-2006-0394
> 
> Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5
> 
> Impact: Viewing a malicious web site may result in arbitrary code execution
> 
> Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open 'safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).


----------



## fryke (Mar 2, 2006)

(Just keep in mind that while Safari etc. won't _autoexecute_ the scripts any longer, if you doubleclick those "JPG" files, they still open and execute in Terminal. Same goes for such files that you get by Mail.app and doubleclick them there.)


----------



## simbalala (Mar 2, 2006)

There's a post over at macosxhints.com with a change to the .bashrc file which basically asks the user to confirm that they want to use Terminal. So if some trojan unexpectedly opens it you'll be warned.
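An added example, not the macosxhints post's own code (which is not reproduced in the thread), of what such a confirmation in `~/.bashrc` can look like when written fail-closed: anything other than an explicit yes, including an empty answer or end-of-file, refuses the shell. The function names are this example's own. It assumes the shell Terminal.app spawns for the disguised file actually reads `~/.bashrc`; a bash login shell reads `~/.bash_profile` instead, so source `~/.bashrc` from there, and test the result by opening a harmless script of your own before relying on it.

```sh
#!/bin/sh
# Added example (not the macosxhints post's code): a fail-closed "is this really
# you?" gate for ~/.bashrc. Assumption: the shell Terminal.app spawns for the
# disguised file actually reads ~/.bashrc; for a bash login shell that means
# sourcing ~/.bashrc from ~/.bash_profile.

# Read one line from standard input and succeed only on an explicit yes.
# An empty line or end-of-file counts as "no", so a launch that nobody is
# sitting in front of never gets a shell by default.
ask_confirmation() {
    printf '%s [y/N] ' "${1:-Continue?}" >&2
    IFS= read -r answer || return 1          # EOF: nobody answered, refuse
    case "$answer" in
        y|Y|yes|Yes|YES) return 0 ;;
        *)               return 1 ;;
    esac
}

# Prompt only when a person could answer: if standard input is not a terminal
# (cron, "ssh host command", scp) pass through so unattended jobs keep working.
terminal_guard() {
    [ -t 0 ] || return 0
    if ask_confirmation "A new Terminal session is starting. Did you open it?"; then
        return 0
    fi
    echo "Refusing to start a shell." >&2
    return 1
}

# In ~/.bashrc, after these definitions:
#     terminal_guard || exit 1
```

Non-terminal standard input passes through untouched, so unattended jobs keep working and the prompt only appears where a person can answer it. An `exit` in a sourced rc file ends the shell, which is the point: a Terminal window that a disguised "JPEG" opened closes again unless someone types `y`.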


----------

