Possible OS X Trojan?

Of course, an alternative to commercial anti-virus software and subscriptions is ClamXav, which is a free anti-virus program. According to MacFixit, the virus definitions have been updated to deal with the "Leap-A"/"Oompa-Loompa" trojan:

ClamXav virus definitions updated
The free graphical front-end to ClamXav has been updated to include a virus definition for the Oompa-Loompa Trojan (OSX/Oomp-A).
This is the recommended route for protecting against this potential threat -- it's free, and does not cause the issues apparent with some other virus protection utilities.
I haven't downloaded ClamXav myself, but maybe should do. :)
 
There were many boot-viruses. I've had some on my Atari STs and Amigas, and I've also seen them on PCs back then. Their code quite clearly aimed at spreading through floppies.
That was only _part_ of what those viruses did, though.

Mikuro said:
Hmm. Well, spreading from computer to computer was not IN the virus's code. It just happened, through user interaction. Viruses did not specifically target floppies for the purpose of spreading to other computers. All they were programmed to do was infect program after program.
 
fryke said:
Btw.: http://haligon.blogspot.com/2006/02/safari-executes-shell-scripts.html (apparently, there's a new weakness in Safari that Apple has to cover soon...).
What a surprise. </sarcasm> How many times has the "Open 'safe' files after downloading" feature been part of a security hole? I lost count after three or four. From day 1, this feature was obviously a bad idea. Apple needs to simply get rid of it.

I recommend that everyone turn it off. It's always a good idea.
 
Yeah. The problem is that for new users, Safari is set to automatically open "safe" files. I think they should finally change the default behaviour...
 
I have been working on a Mac now for going on about a year, and I would have to say that the Safari Open "safe" Files feature acts just as Windows boxes do right after you install them. Even Firefox on a PC will do this: if it sees a helper app to open or run something you're downloading, it will do that if you don't tell it not to. Really, if you look at this "problem", it's just showing how stupid software has to be made to run right out of the box. I mean, it took me about 20 mins right here on this forum reading and I found a program that would stop that behaviour and some others that I did not like.
I just hope that when my kids get to the point that they're using their own computers, they don't need the kind of hand holding by the OS.
 
Really? Even Firefox? I'm surprised at that. Of course, the feature could be completely benign if only Apple were a little smarter about what they considered to be a safe file type.

And I think it's awfully telling that Apple feels the need to put the word safe in quotes! ::ha::
 
Well... Let's look at this more closely. Apple _is_ looking for executables and doesn't run them automatically. However: If a shell script does not have the first line which tells the Terminal what shell/command to open the script with, the security in place fails to see it as an executable. So actually, to "see" shell scripts, Apple checks for that line. They "simply" have to update that code now. (Again, they should *also* make the default behaviour to not postprocess files at all. Sure, it's more user-friendly if zip-files are auto-expanded and the results shown in the Finder, but if it's a security risk...)
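As an added illustration (not code from the thread, from Apple, or from Safari), here is a Python sketch of the two checks the post contrasts: the weak "is there a #! line" test, and a hardened classifier that also looks at the executable bit, whether the content reads like shell commands, and whether the bytes match the magic number for the type the file name claims. The sample downloads and the token list are constructed for the example.

```python
import os
import re
import stat

# Constructed sample downloads (bytes, mode); none are files from the thread.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16            # starts with the JPEG magic number
SHEBANG_SCRIPT = b"#!/bin/sh\necho hello\n"          # a script the shebang test catches
BARE_SCRIPT = b"echo hello\nls -la ~\n"              # same commands, no shebang line

# Magic numbers for the image types we allow to auto-open (assumed allow-list).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}

# Lines that begin with a common shell builtin/command or a VAR= assignment.
SHELL_TOKENS = re.compile(
    rb"^\s*(?:(?:echo|ls|cd|rm|cp|mv|cat|export|if|for|while)\b|\w+=)", re.M)


def shebang_only_is_script(data: bytes) -> bool:
    """The weak check described in the post: a file is a script only if it starts with '#!'."""
    return data.startswith(b"#!")


def is_text(data: bytes) -> bool:
    """Plain text: no NUL bytes and decodes as UTF-8."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def looks_like_script(data: bytes, mode: int) -> bool:
    """Hardened check: shebang, or exec bit set, or text whose lines look like shell commands."""
    if data.startswith(b"#!"):
        return True
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    return is_text(data) and bool(SHELL_TOKENS.search(data))


def safe_to_auto_open(name: str, data: bytes, mode: int) -> bool:
    """Auto-open only a non-script file whose bytes match the type its extension claims."""
    if looks_like_script(data, mode):
        return False
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    return magic is not None and data.startswith(magic)
```

The point of the contrast is that the bare script passes the shebang-only test but is still rejected once content and the claimed type are checked together.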
 
The problem here is really that Safari opens files as if they were double-clicked in the Finder. That's simply a recipe for disaster. Instead, it should open files with predetermined applications (e.g., if Safari thinks it's a JPEG, it should open it with the user's default JPEG viewer). If Safari thinks it's a JPEG, obviously it shouldn't be opening it with Terminal.

That would do a lot to ensure that even if Safari mis-identifies a file (which is bound to happen, just like it has here), it still won't do any harm. If you open a shell script with Preview, for example, it's not going to run.
 
Well: Safari uses the Finder/System, of course, to post-process. If it has to provide its own database of what opens what, this is going to pose problems, too. I, for one, _don't_ want JPEGs to open in Preview, so I have set Photoshop as the default app for JPEGs. Now why should Safari, on *my* system, open them in Preview? Their way is correct here - from the user point of view.
 
As Apple says:

+ + + + +

Note that, while Safari and Mac OS X 10.4 offer this feature for increased security, no software can protect against each and every "unsafe" file or unauthorized access attempt. Safari protects against files it identifies as unsafe.

+ + + + +

Of course, the title of that article is "Safari can help prevent unsafe downloads".

I agree that the option should just be removed. Let's avoid the "Windows-ization" of OS X and its apps: require a certain level of intelligence, critical thinking, and initiative by the user. The idea that some of us should be "power users", and thus more secure in our everyday computer tasks, is both silly and dangerous. The "power users" won't be vulnerable to any but the most pernicious worms, or the most fundamental security risks.

Don't auto-open; instead, to maintain an informative UI, provide a confirmation message showing where the file is. It's easy, clean, and safe.
 
fryke said:
Well: Safari uses the Finder/System, of course, to post-process. If it has to provide its own database of what opens what, this is going to pose problems, too. I, for one, _don't_ want JPEGs to open in Preview, so I have set Photoshop as the default app for JPEGs. Now why should Safari, on *my* system, open them in Preview? Their way is correct here - from the user point of view.
That's not what I mean. I mean that Safari should use your default application for the file, as opposed to what it does now, which is to use the individual file's own settings (which the user, in cases like this, has no control over). So if you want them to open in Photoshop, it would, as long as you have Photoshop set as your default JPEG viewer. And if someone zipped up a JPEG that was specifically set to open in QuickTime Player, then it would still open in Photoshop for you, because that's your setting. The method I'm proposing is really more about the user than the way it is now. It would also be a lot safer.
 
That goes along with my suggestion. In addition, if there's no user-specified helper app for the file, the user should be prompted to specify an action, Firefox-style. No file should ever be passed directly from Safari to the Finder without user intervention. The file itself should never be able to specify a default action.
 
We just got our first Mac virus infection in our company!
The Inqtana-B spread from our headquarters in Belgium to our Italian and Portuguese affiliates. Here the consequence was that we could not open any Microsoft Office apps. In Belgium, our colleagues got some corrupted files in the pre-press system. But we're all clean now :D
 
By the way, for anyone using Sophos and worrying about "Inqtana-B," have you seen the recent message from Sophos? Apparently the Sophos software was giving a lot of false positives, but that has been fixed as of an update yesterday afternoon (GMT).

SophosLabs, Sophos's global network of virus, spyware and spam analysis centers, issued an update at 14:43 GMT on Monday 21 February to detect the OSX/Inqtana-B worm for Mac OS X.

Unfortunately, this update was flawed, and Mac OS X users may have been mistakenly warned by Sophos Anti-Virus for Mac OS X that some files on their computers were infected with the worm.

SophosLabs quickly discovered the problem, and issued a revised update less than two hours later at 16:40 GMT, Monday 21 February. Customers who take advantage of Sophos's automated updating facility will have been automatically updated from this time, and will no longer experience the false positive.

Additionally, an email was sent to customers who are subscribed to Sophos's email notification list informing them that the IDE had been updated to correct the detection issue.

Sophos apologises for any inconvenience that this problem has caused. Measures have been put in place to ensure that the problem does not occur again. Any customers who require further guidance are recommended to contact Sophos Technical Support.

Sophos would like to remind customers that the OSX/Inqtana-B worm is not in-the-wild, and is unlikely to be encountered.
Also, what are people's experiences of different anti-virus programs and/or manufacturers? I always remember older, Norton-related disasters, but was wondering what more recent experiences are.
 
bbloke said:
By the way, for anyone using Sophos and worrying about "Inqtana-B," have you seen the recent message from Sophos? Apparently the Sophos software was giving a lot of false positives, but that has been fixed as of an update yesterday afternoon (GMT).

Also, what are people's experiences of different anti-virus programs and/or manufacturers? I always remember older, Norton-related disasters, but was wondering what more recent experiences are.

Actually we do have Sophos. But since we did see some results from the virus (for example, Office apps not opening), I guess we did have the virus...
Unless it was Sophos itself that was causing the problem...

We've been using Sophos for almost a year now, I think, and so far I haven't noticed any problems or conflicts with other software. It just runs smoothly. We practically don't notice its presence... until yesterday, that is ;)
 