Viruses On Os X

I see nothing in the Sophos advisory about it running things at root level. Maybe I'm blind, but if someone can quote anything that says "root" or "privilege" or "escalation", I'd appreciate it. Perhaps it was removed. Please remember that without escalation, the damage to your system is limited to your data or any programs that you installed without providing the system password. That sucks, but it won't rob you of a working computer. If a virus or trojan can escalate itself, through a vulnerability in the OS (or by you providing it with the system password), everything on your system is at risk.

Also, this is a trojan. A trojan needs you to install it before it can do a single thing to your system. If you don't install it, you won't get infected. If you install lots of public scripts or use warez, this sort of trojan should worry you. But then again, you should probably have always been worrying if you installed such things. Sophos, being an anti-virus company, says absolutely nothing about how this trojan has been distributed so far. None of this worries me.

Also, this is not the first trojan for OS X. Search Sophos for "Renepo".

Also, according to Sophos, this is a proxy trojan -- that is it can be used by its author to turn your computer into a gateway to launch attacks on other systems while hiding his/her identity. This sort of infection has a LONG history in UNIX. I would frankly be surprised if there weren't more of these in the wild. If the author really wanted to be a dick, its payload could be much worse.
 
It doesn't say how it gets installed or what it does. Doesn't say anything about running as root or how it does this.

They list it as a low priority.
 
Use a Folder Action to notify you if anything tries to put something in the Startup Items.

A safeguard is to keep an eye on two OS X folders: /Library/StartupItems and /System/Library/StartupItems. You can check them manually or you can use one of the Folder Action scripts provided by Apple as part of OS X. Using a folder action will automate the process and help you keep an eye on future additions to the folders.

Here is how to do it:

1. Go to /Library/Scripts/Folder Actions.

2. Locate Enable Folder Actions.scpt.

3. Double-click the script.

4. Click the "Run" button and close the script window. Now you can run folder action scripts on your Mac!

5. Go to /Library/StartupItems.

6. Control-click the folder icon and choose Attach a Folder Action from the drop-down menu.

7. In the dialog box find and select /Library/Scripts/Folder Actions/add - new item alert.scpt.

8. Go to /System/Library/StartupItems.

9. Repeat steps 6 and 7.

Now whenever anything new is added to either of the folders you will automatically get an alert.
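For anyone who would rather run the same check from a shell (or from cron) than attach a Folder Action, here is an added example that is not part of the post above and not an Apple script: it records a baseline listing of each StartupItems folder and reports any entry that was not there before. The baseline directory under $HOME and the "accept" subcommand are my own conventions; the two watched paths are the ones the post names.

```shell
#!/bin/sh
# Added example: shell stand-in for the "add - new item alert" Folder Action.
# Watches the two folders the post names for new entries.
WATCH_DIRS="/Library/StartupItems /System/Library/StartupItems"
STATE_DIR="${HOME}/.startupitems-watch"   # assumed location for baseline listings

# list_dir DIR: one entry per line, sorted; prints nothing if DIR is absent
list_dir() {
    [ -d "$1" ] || return 0
    ls -1A "$1" | sort
}

# baseline_path DIR: file that holds the saved listing for DIR
baseline_path() {
    printf '%s/%s.list\n' "$STATE_DIR" "$(printf '%s' "$1" | tr '/' '_')"
}

# check_dir DIR: print entries added since the baseline; return 1 if any.
# On the first run (no baseline yet) it records the current listing silently.
check_dir() {
    cd_dir=$1
    cd_base=$(baseline_path "$cd_dir")
    mkdir -p "$STATE_DIR"
    if [ ! -f "$cd_base" ]; then
        list_dir "$cd_dir" > "$cd_base"
        return 0
    fi
    # comm -13: lines present in the fresh listing (stdin) but not in the baseline
    cd_new=$(list_dir "$cd_dir" | comm -13 "$cd_base" -)
    if [ -n "$cd_new" ]; then
        printf 'NEW in %s:\n%s\n' "$cd_dir" "$cd_new"
        return 1
    fi
    return 0
}

# accept_dir DIR: after you have reviewed a reported item, make the current
# listing the new baseline so it is not reported again
accept_dir() {
    mkdir -p "$STATE_DIR"
    list_dir "$1" > "$(baseline_path "$1")"
}

# main: check every watched folder; exit 1 if anything new turned up
main() {
    m_rc=0
    for d in $WATCH_DIRS; do
        check_dir "$d" || m_rc=1
    done
    return $m_rc
}

# Usage:  sh startupitems-watch.sh          -> report new entries
#         sh startupitems-watch.sh accept   -> re-baseline after review
case "${1:-check}" in
    check)  main ;;
    accept) for d in $WATCH_DIRS; do accept_dir "$d"; done ;;
esac
```

One caveat that applies equally to the Folder Action: both run as the logged-in user, so a trojan running with that user's rights could tamper with the baseline or the script. The folder that actually needs admin rights to write to is /System/Library/StartupItems, which is why the first post's point about escalation matters more than the alert itself.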
 
Now that there is a Trojan on OS X :mad: what is the best anti-virus software out there? Sophos, Norton, or Virex? I currently have norton installed on my laptop.

Is there any free ones like Avast for the PC?

I can see it now, all the PC users I know will be like, "There's a Trojan for the Mac!" ::ha:: Yeah, but it's only one compared to how many on the PC?
 
Norton's is probably the worst of the three. Get rid of anything on your hard drive that bears the name "Norton" -- it's worse than the virus itself!

I also don't see anything mentioned about the level of access that trojan provides to the remote user.
 
Take anything Sophos says with a healthy grain of salt!

They seem to have trouble with the subtleties of truth.

Doug
 
Here's the Wired News article on the worm

(Editor's note: This story corrects an earlier report that stated that the Macintosh operating system had become a target of a malicious Trojan Horse.)

Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X.

On Thursday, Intego issued a press release saying it had found OS X's first Trojan Horse, a piece of malware called MP3Concept or MP3Virus.Gen that appears to be an MP3 file. If double-clicked and launched in the Finder, the Trojan accesses certain system files, the company claimed.

While Intego said the Trojan was benign, it said future versions could be authored to delete files or hijack infected machines. In the release, and in subsequent telephone interviews, Intego was vague about the purported Trojan's workings and its origins.

On Friday, Mac programmers and security experts accused the company of exaggerating the threat to sell its security software.

"They gave the impression that this is a threat, but it isn't," said Dave Schroeder, a systems engineer with the University of Wisconsin. "It is a benign proof of concept that was posted to a newsgroup. It isn't in the wild, and can't be spread in the wild. It's a non-issue."

"They are spreading FUD to sell their software," said Ryan Kaldari, a programmer from Nashville, Tennessee, referring to the shorthand for fear, uncertainty and doubt.

Rob Rosenberger of Vmyths said he'd seen virus hype many, many times, and if antivirus companies put out alarmist press releases, it's for one of two reasons: "Either they're delusional or they're trying to own the hysteria," he said. "This has been going on for 16 years now."

Rachel Keiserman, a tech-support person at Intego, denied on Friday that her company exaggerated the threat or was attempting a publicity stunt. "It's not a hoax or anything like that." She declined to comment further and pointed to a press release listing questions and answers, which defended the company's decision to classify the issue as a threat.

"While the first versions of this Trojan Horse that Intego has isolated are benign, this technique opens the door to more serious risks," the company said. "The exploit that it uses is both insidious and dangerous, and it is our duty as a vendor of Macintosh security solutions to protect our users. We don't believe in waiting until the damage occurs, unlike some of our competitors."

Technically, the threat isn't a Trojan Horse by the standard definition: It isn't a working piece of malicious code and can't easily be spread to other computers, experts said. Instead, it is a demonstration of a possible threat.

"We're talking about theoreticals here," said Schroeder. "It is possible for OS X to be infested with Trojans, viruses and security issues, but until it is, they aren't justified in raising the alarm."

The demonstration contains a real MP3 file of someone laughing. When launched in jukebox software like iTunes, the MP3 file plays and nothing else happens. But if double-clicked in the Finder, the MP3 file plays and a warning is displayed.

The program can't be spread by e-mail or through a file-sharing network unless it is compressed using software like Aladdin's Stuffit. Failing to compress the MP3 file before sending it renders the software inoperative.

The program exploits a vulnerability that goes back to the original Mac operating system: The system allows programs to appear as a file. Programs can have any icons, names or file extension. In other words, users could be tricked into activating a malicious program, thinking they were opening a document, picture or song.

The vulnerability was exploited several times by Trojans authored for previous versions of the Mac OS.

Mac programmer Bo Lindbergh wrote the threat demonstration and posted a link on the comp.sys.mac.programmer.misc newsgroup on March 20. The link leads to a site in Sweden. The file has now been removed. Lindbergh didn't respond to an e-mail requesting comment.

Symantec on Friday said it was aware of the software. "It is a proof-of-concept Trojan that does affect the Mac platform; however, it is currently not present in the wild," the company said in a statement. It said it would continue to monitor the situation.

Likewise, Apple spokeswoman Natalie Sequeira said the company was investigating. "We are aware of the potential issue identified by Intego and are working proactively to investigate it," she said.

Intego probably said it was a threat just to get their sales up... :D
 
Is this really the latest one they're talking about? It sounds a lot like that other proof of concept released a long time ago.
 
It's an older article about the old "Ha ha! I hid a trojan in an MP3 file that requires you to double-click the MP3 to launch the trojan, then enter your administrator password!" proof-of-concept. Nothing (yet) has come of it.

The virus mentioned at the beginning of the article is different.
 
Anyways, I don't think we need to worry. Viruses will - in my opinion - be very very rare for OS X, if there will ever be more viruses.
 
Well, it's interesting because in order to get a working trojan installed you would need to fool the user into authenticating because it's a privileged operation... well, that's not a very good trojan at all!!! I have read about something called xover but it requires the user to install it and doesn't seem to need authentication. Anybody heard anything about this?
 
WeeZer51402 said:
you would need to fool the user into authenticating because it's a privileged operation...

Why doesn't anybody read the security sites before writing such things? This is simply not true. I DON'T NEED ANY PASSWORD FROM THE USER TO GET ROOT.

Actually you just have to start the trojan (or whatever). And it's VERY easy to do this. I bet I can fool you in 2 seconds into double-clicking my 'folder'. And the best part is that the script is so fast that it creates some files in /tmp, removes the faked folder, creates a new folder, copies content into it and uses AppleScript to open this created folder. You don't even notice that there was anything other than this folder. It just takes 10ms longer to open. Would YOU realise this? Do you check every file/folder before clicking on it?

And then I just have to wait and monitor the logfile until the user installs anything else or needs sudo for another application. I can just 'hijack' this sudo without ever being noticed by a normal user.

There is simply no need to ask the user to authenticate. You just have to wait :D
And there is no possibility for a user to spot any of these activities if they don't know how to use the shell.

Hopefully Apple will change the sudo behavior to log to an 'only root can read' log and bind sudo to the session and not globally for x minutes. But if you don't have the latest update I can just use mRouter to get root, which is even easier ;)

I don't want to say that OS X is insecure or so. In my opinion it's in the top 3 or so of the most secure systems. But the 'normal' user should be aware that it isn't 100%.
And if people always say 'Don't worry. OS X is safe' they just do that: don't worry. And in 2 years we'll have 1000 viruses as all these users get fooled because they just open anything because 'I'm using OS X, I'm safe'.

We should tell them that it's VERY easy to create a virus/trojan.. even for OS X. Actually we're just not a target. And if users watch out we will stay there. But if they open everything and the script kiddies see that it's easy to fool a Mac user they will switch. So better start worrying today than complain next year about viruses.
 
rbuenger said:
Why doesn't anybody read the security sites before writing such things? This is simply not true. I DON'T NEED ANY PASSWORD FROM THE USER TO GET ROOT.

I do not believe this is true. We are on a Unix system here - every privileged operation requires the root password. On my Macs, I can do a sudo on the console and it actually asks for the password; however, none of my passwords lets me through. So I believe it is pretty impossible to get root permissions without anybody knowing or noticing.
 
You don't. He's simply referring to a program that runs constantly, waiting for you to authenticate for something (a program install, etc.). It then reads your password you enter, and uses it for whatever.

A clunky virus, if ever I heard of one. Still, it's possible to write this kind of virus fairly easily, but the hard part would be getting it onto a machine. It certainly wouldn't replicate very well -- even if it were disguised as another kind of file, the word would get out fast enough to stop it without it wreaking too much havoc.

Until I see it in action, I'm going to deem it not much of a threat.
 
Well, it's somewhat true, at least with Terminal. Open one console window and sudo something like 'sudo pico'. Then open a new window and do 'sudo pico' again. It doesn't ask you for your password in the second terminal after you have entered it in the first one.

Now, I don't know if this is just because the Terminal gets root for the default amount of time or if you issued a shell command from a program other than Terminal if it'd work without a password.
 
Just in case you don't want to disable syslog, you can replace the Defaults:ALL !syslog with Defaults:ALL syslog=authpriv
And in my opinion that would be a thing Apple should have changed long ago. And the statement that an admin user should know this is imho just stupid. Then Apple should stop giving the first user admin rights! Every gamer out there with an iMac is admin, as this is Apple's default for these users. 99% out there are playing with admin rights. And Apple can't expect that all these users get interested in Unix and security and fix this on their own.

And I never said that this would be a good virus or so. I just mentioned that you don't need the user to type a password and that they have to watch what they install. I know that nobody does this ( ;) ) but maybe someone tries downloading software using p2p. And it's very easy to let the user download something there that he doesn't want. Of course this isn't a virus, but I bet the user is complaining that the hard disk is empty after installing this download.

And in my opinion many users won't use/install such software carelessly if they know what's possible. But because they get told again and again that OS X is safe and every app needs a password... they just install it. OK, it's not my problem, but why not just tell everyone that it would be very easy to write such software and it doesn't need a password.

And remember: there are many Windows 'viruses' that also need a user to execute an attachment. It's a stupid 'virus' but it's working great, as one can see it spreading around the world. And why should Mac users be better there (especially if they get told everywhere that this can't happen with OS X)?
 
WeeZer51402 said:
Heres the sudo fix for ya'll
Thank you Weezer. Now I understand what the problem is. There are a few basic settings concerning sudo that can be combined by an attacker to screw you. rbuenger has pointed out a way that an attacker can launch a process without your knowledge. Yes, it will run with your basic permissions and can't do anything really nasty yet. Yet. But, because of the way OS X ships:
1) any process (whether root or not) can see /var/log/secure and the time it was last updated. This file logs each attempt to run sudo. When you run it, its timestamp changes.
2) when you run sudo, by default, you get to continue running sudo without a password for five minutes. This means an attacker has a window of at least five minutes from the time /var/log/secure is modified to the time a password must be re-entered.
3) if you run sudo in one window, all other windows automatically inherit the right to execute sudo without the need for a password. This one strikes me as an obviously stupid oversight on Apple's part, but it is the key to a successful hijack.

This apparently has been around since the beginning of OS X and as I now read about it, a LOT of UNIX engineers have been complaining about it. Kind of surprises me how Apple has got away with this. I presume Tiger still has this weakness. Perhaps someone can confirm....
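The three settings the last post lists (world-readable sudo log, five-minute timestamp, timestamp shared across Terminal windows) and the two-window demonstration a few posts up all come down to sudoers Defaults. Below is an added example, not from any post in this thread and not Apple's shipped file: a small shell audit that reads a sudoers text and flags the weak settings, shown against two constructed sudoers fragments. The "weak" fragment is my reconstruction of what the thread describes plus the Defaults:ALL !syslog workaround it mentions; the hardened one uses tty_tickets (per-tty timestamps), timestamp_timeout=0 (password every time) and syslog=authpriv, the facility rbuenger suggests. Whether your own file matches is something to check with visudo, not assume.

```shell
#!/bin/sh
# Added example: audit sudoers Defaults for the weaknesses discussed above.
# Both fragments are CONSTRUCTED for this example; neither is the real Apple file.
WEAK_SUDOERS='Defaults env_reset
Defaults:ALL !syslog
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

HARDENED_SUDOERS='Defaults env_reset
Defaults tty_tickets
Defaults timestamp_timeout=0
Defaults syslog=authpriv
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

# sudoers_check: reads sudoers text on stdin, prints one finding per line,
# returns 1 if any finding, 0 if the three settings are all hardened.
sudoers_check() {
    sc_text=$(cat)
    sc_rc=0
    # 1) tty_tickets: without it one successful sudo authorises every tty
    #    (the "second Terminal window needs no password" observation)
    if ! printf '%s\n' "$sc_text" | grep -Eq '^Defaults[^#]*[[:space:],]tty_tickets'; then
        echo "tty_tickets not set: a timestamp earned in one window is honoured in every other window"
        sc_rc=1
    fi
    # 2) timestamp_timeout=0: otherwise a password-free window stays open
    #    (five minutes unless configured otherwise)
    if ! printf '%s\n' "$sc_text" | grep -Eq '^Defaults[^#]*[[:space:],]timestamp_timeout=0([[:space:],]|$)'; then
        echo "timestamp_timeout not 0: sudo keeps a password-free window after each use"
        sc_rc=1
    fi
    # 3) !syslog: turning logging off entirely hides the hijack from you as well
    if printf '%s\n' "$sc_text" | grep -Eq '^Defaults[^#]*!syslog'; then
        echo "!syslog: sudo invocations are not logged at all; prefer syslog=authpriv"
        sc_rc=1
    fi
    return $sc_rc
}

# file_world_readable PATH: true if "other" has read permission.
# Use it on the log sudo writes to; the thread's point is that any process
# can watch that file's timestamp to learn when a sudo window has opened.
file_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Demo runs (nothing here touches the real /etc/sudoers)
echo "--- weak fragment ---"
printf '%s\n' "$WEAK_SUDOERS" | sudoers_check || echo "hardening needed"
echo "--- hardened fragment ---"
printf '%s\n' "$HARDENED_SUDOERS" | sudoers_check && echo "OK"
```

To run it against a real system: `sudo cat /etc/sudoers | sh -c '. ./sudoers-audit.sh; sudoers_check'`, then make any changes with `sudo visudo`, never by editing the file directly, since a syntax error locks you out of sudo. Note that timestamp_timeout=0 removes the window entirely at the cost of typing the password for every sudo; tty_tickets alone already breaks the cross-window hijack the posts describe.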
 