Possibility of a Mac Virus?

JBytes

Registered
I hope I didn't scare you folks with the alarming subject title. Here's the dilemma. A friend's brother uses Internet Explorer on her home G5 to access his work's web mail account, which is on a PC network [of course]. His account was suddenly disabled by the network Admin who claims that the G5 infected his PC network with a virus. I told my friend to tell her brother to tell this network "guru" that he's full of it. Before I give him a "friendly" call, I thought I'd bring up the subject here to get your valued opinions. Here's a little exchange between the Admin and the young man. All parties' names have been changed [I think]. Sorry for the lengthy message!


The sister:

Zak [the brother],
When you have a chance, can you please ask Mr. Admin to get a bit more specific? Is there a virus name or a specific action that keeps occurring? It might also be helpful to let him know that I own a Mac G5...


Mr. Admin: [After the above was forwarded to him]

Zak,
Have you used that PC to access your web-based e-mail?


To which Zak replied:

Hey Mr. Admin,
I have used several PCs to access my web email. My sister's computer is a "Mac" but I also use PCs at my school's computer lab.
Look, Mr. Admin, I don't know much about computers, but what I do know is that not having access to my email has been quite frustrating. If there is any information you could share about this problem to help solve it as soon as possible, that would be greatly appreciated. I really need to have my web email access reactivated.


Mr. Admin fired back:

Zak,
I can tell you that over the course of one month, your sister’s computer “Goal-Trigger's-Computer” (MAC or whatever platform is used) has attempted to access your account and guess your password more than 500 times. The only course of action is for your sister to take the Mac to a professional for virus, worm, and hijack software removal. There is nothing I can do from my end but it is my responsibility to defend the company network from security attacks.
I understand your frustration and as soon as that PC is cleaned I will open your account back up and check that the attacks do not happen again.

------------ End of exchange -----------

Is the above scenario possible?

Thanks,
--JBytes
 
As far as I know, theoretically yes it is possible. Antivirus software such as Virex is updated on a weekly basis to stop PC viruses being transmitted via Mac systems.

It is also possible that the machine has been compromised or hacked in some way, or that the IP address that it is using has been spoofed. How has the admin identified the machine as being the culprit?

Also, which mail client is your sister using? If it is Mail and an older password is being stored in the keychain, that could be a cause, as it would fail at least once each time she tried to connect to her mail.
 
As Tommo said, it is possible theoretically; in fact it is slim, but there is the proof: I remember reading some time back an article from Charles Gaba. He did the same thing I did in 2003 and found no viruses for OS X. Now here is the second part.

Theoretically speaking: go on the website http://vil.nai.com/ and here you can make a simple search on the viruses for Macintosh.

Well, McAfee tells us that there are more than 100.000 viruses in the world today. As Charles Gaba says, let's take their word for it....

Now try to search in advanced search for "macintosh". I did, and guess what. Out of the 100.000 I found 609 (let the error be the error, so give or take 1). An impressive number compared with the "small" amount of 100.000.

But hey, why stop here? A good idea: let's remove the hoaxes. Indeed, removing the hoaxes, which are about 4, you get 605 viruses. Hmm, let's go on... If one looks in the list one can see that lots of them start with WM or XM; these are the so-called MACRO viruses and theoretically they come through the MICROSOFT applications WORD or EXCEL. (They try to edit the config.sys file on the windoze host, so on the Mac they are passive unless they modify behaviour.) So in total WM are 531 and XM are 17. Let's recalculate the whole thing... Well, we have 51 left. After close inspection I saw that another 19 were also macros (although not starting with WM or XM) and discovered 1 more hoax. So we remained with 31. Good..


Now.... At this point, looking at the rest, we get 6 viruses that for sure can attack OSX. Of these, a couple (2) can not really harm OSX. For example W32/yourde infects pdf through Acrobat Reader but can not infect OSX, which in fact can act as an intermediary.

Looking down the list of the 4 we can also find something like MacOS/CODE32767, for which you can find info at this address http://vil.nai.com/vil/content/v_99838.htm. This kind of virus can spread only on Macintosh machines, but attention, it can be resilient on non-Apple machines.

Now the other three musketeers are: FLAG, unix/OPENER and MW2004.

But one has to keep in mind that OS X can also "save" the viruses (in a non-active mode) and then transmit them to the fellow PCs.

So the answer to your question: YES there are viruses for MAC (the bad news); the good news is that there are just 4 (FOUR) [GIVE OR TAKE A COUPLE :)]. AND YES they can transmit others to Windows hosts.

The best solution, as Tommo said: take Virex and check it up.

Sorry I got so carried away and lengthy....
 
I forgot one thing: for MACRO viruses it is uncommon to change behaviour, very uncommon.


maccco
 
Whether this is a virus or spyware on the Mac is a bit moot if it turns out that these "attacks" are in fact coming from somewhere else completely.

Or, another possibility often overlooked is that these are the result of legitimate software configured incorrectly. By default, Apple Mail.app will check for mail regularly, and if it uses an incorrect password due to a bad keychain entry, or attempts to use the wrong protocol (for instance if you had put your incoming and outgoing mail server entries the wrong way around), or uses an incorrect authentication method - well, it's easy to see how a simple mistake could generate hundreds of alerts in the logs on the server. Add on a third-party hack, like the httpmail plugin that lets Apple Mail work with webmail servers, and you could easily see a situation like this.

Firstly, can you please confirm for us if your sister's computer really is identified on the network as Goal-Trigger's-Computer? Secondly, we need to identify where these attacks are occurring: are they on a particular server, port, account, etc. The more information you can get, the better. Ask for specifics! In what way did Mr Administrator find out about this attack? Then you can start to narrow it down to possibilities.

That said, I'm still willing to bet anybody a pint that the attack doesn't even come from any of your computers, but represents a gross misjudgement on the part of your Mr Administrator. It almost certainly comes from a Windows-PC mass-mailer trojan that spoofs sender addresses. It wouldn't surprise me if an inexperienced Mr Admin has simply seen the same email address spoofed too many times in virus emails and jumped straight to pointing the finger.
 
How exactly has this computer "tried to access your account"? Are we talking webmail accesses? Or something else? Trying to guess your email password would be a very peculiar behaviour for a virus - not that it's impossible, it just seems unlikely.

Much more likely there's an incorrect password being stored somewhere, and sent every time you try to use your work account. Go through your keychain items, and clear out entries for your work email. Then enter the passwords again and see if it clears up the problem.
 
I'm also leaning towards a misconfigured mail program. Over a month, it'd be possible for there to be over 500 failures in authentication if the password is being sent wrong.

If it's only a mail program sending a wrong password, this hardly constitutes any type of virus behaviour.
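An added example, not posted by anyone in this thread, of how an admin could tell a polling mail client with a stale stored password apart from a real password-guessing source using the server's own failed-login log, before disabling anyone's account. The log line format, host names, addresses and verdict thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of failed-login lines (not from the thread): one host
# retries one account at a steady interval, another hits several names fast.
SAMPLE_LOG = """\
2004-03-01 08:00:02 LOGIN FAILED user=zak src=goal-triggers-computer
2004-03-01 08:05:03 LOGIN FAILED user=zak src=goal-triggers-computer
2004-03-01 08:10:01 LOGIN FAILED user=zak src=goal-triggers-computer
2004-03-01 09:12:00 LOGIN FAILED user=admin src=203.0.113.7
2004-03-01 09:12:01 LOGIN FAILED user=root src=203.0.113.7
2004-03-01 09:12:01 LOGIN FAILED user=zak src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN FAILED user=(\S+) src=(\S+)$")

def parse_log(text):
    # Return (timestamp, user, source) for every failed-login line.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def profile_sources(text):
    # Group failures per source and label the retry pattern each one shows.
    by_src = defaultdict(list)
    for ts, user, src in parse_log(text):
        by_src[src].append((ts, user))
    report = {}
    for src, evs in by_src.items():
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        users = {u for _, u in evs}
        mean = statistics.mean(gaps) if gaps else 0.0
        # Interval regularity: a polling client is steady, a guesser is bursty.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        verdict = "inconclusive"
        if len(gaps) >= 2 and len(users) == 1 and cv < 0.2 and mean >= 60:
            verdict = "likely misconfigured client"
        elif len(gaps) >= 2 and (len(users) > 1 or mean < 10):
            verdict = "credential guessing pattern"
        report[src] = {"failures": len(evs), "distinct_users": len(users),
                       "verdict": verdict}
    return report
```

The verdict is only a triage hint; the admin still needs to confirm which host name or address is really behind the failures and what protocol they arrive on.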
 
Thanks for the replies and suggestions, guys. Zak is accessing his account via the browser only. I know his sister always had a nagging Keychain problem whenever she uses IE. It constantly prompts her to enter a password. Perhaps that's the culprit to this "virus" issue.

By the way, I'm really posting this on behalf of my friend's brother. I'm not the one with the problem.


--JBytes
 