Intego says Mac OS X Trojan AppleScript applet in the wild

“AS.MW2004.Trojan – that affects Mac OS X. This Trojan horse, when double-clicked, permanently deletes all the files in the current user’s home folder. Intego has notified Apple, Microsoft and the CERT, and has been working in close collaboration with these companies and organizations,” Macworld UK reports.

“The AS.MW2004.Trojan is a compiled AppleScript applet, a 108 KB self-contained application, with an icon resembling an installer for Microsoft Office 2004 for Mac OS X. This AppleScript runs a Unix command that removes files, using AppleScript’s ability to run such commands. The AppleScript displays no messages, dialogs or alerts. Once the user double-clicks this file, their home folder and all its contents are deleted permanently,” Macworld UK reports.

“Intego advises all Macintosh users to only download and run applications from trusted sources. However Intego has updated its VirusBarrier X software to address this vulnerability. Intego VirusBarrier X eradicates this Trojan horse, using its virus definitions dated May 11, 2004, and Intego remains diligent to ensure that VirusBarrier X will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier X users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences,” Macworld UK reports.

“[According to Intego] Nothing prevents users from creating other, similar AppleScripts, with different names and custom icons that can run the same damaging command. The current version that is in the wild only deletes a user’s files and folders. Other such commands could attempt to delete all the files on a Macintosh computer running Mac OS X, but they would need to request an administrator password. However, users may not hesitate to type their administrator’s password for what they think is an installer; after all, Apple’s Installer requires this password to install any applications and updates to Mac OS X,” Macworld UK reports.

“[According to Intego] This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user’s files with no warning, and AppleScript offers no protection against malicious commands,” Macworld UK reports.

Full article here.

MacDailyNews Take: Intego is the company that, just over a month ago, trumpeted a so-called Mac OS X Trojan horse which turned out to be exaggerated FUD designed to sell security software – basically a non-issue. And this “trojan” supposedly comes with a Microsoft Office icon, of all things! So forgive us for being just a tad skeptical. We swear we just heard someone cry “wolf?” Maybe we’re hearing things.

This makes us wonder who would’ve released this in the wild via P2P file sharing networks, if it’s true? What would the creator(s) have to gain? What companies would have the most to gain? Interesting questions to ponder. But, hey, at least they used AppleScript!

In case you’re guessing, color us unconcerned, bored, or blue with pink spots for all we care about this. Just in case, and because we can, we post this story for your use. Enjoy.

Reminders:
1. don’t click it if you don’t know where it came from or what it is.
2. Microsoft wants you to buy Office for Mac, not download it for free. (Please note that MS Word is not, nor has it ever been, 108 KB)
3. Intego wants to sell you “VirusBarrier X.”

Throw all three in a blender, mix, and see what you come up with – we think it’s called “Intego-Schmintego.”

Related MacDailyNews articles:
Mac OS X so-called Trojan horse ‘exaggerated FUD to sell security software, a non-issue’ – April 10, 2004

96 Comments

  1. Even if this is just another proof of concept, the point is that this could probably work. I don’t know much about UNIX, or AppleScript for that matter, but it is very easy for a user to accidentally throw away all their files in Mac OS X, and I imagine AppleScript could be used to automate that command.

    Is there a good way to stop this?

  2. Other than a weak attempt to sell more “anti-virus” software, or a way to try and put OS X into the “wracked with viruses and security problems like Windows” category, why does this matter? There’s no way to prevent this on any platform, and there never has been. It’s possible to write a malicious application for any platform, and that’s all this is, a malicious app. Any application, at any time can wipe out your folder, or a drive *cough* iTunes installer *cough*

    There’s nothing to read here… move along, move along.

    Plus anyone that downloads 108K and thinks that THAT is any kind of Word demo is an idiot if they don’t suspect something.

  3. Someone with more expertise than me answer this one, but from everything I know, assuming this thing works, it is not self-executing like Windows stuff.

    If I had downloaded the real Office 2004, I think I would remember it, so why in Gods name would I click on an installer that I did not remember asking for?

    What Intego has actually accomplished here is that they are now on my “watch list.” That means that if they ever did come up with a good piece of software that I needed, I would automatically not trust it until they proved otherwise. Not likely.

    Talk about the “Law of Unintended Consequences”!

  4. Good thing, then, that the first thing I do when I get my macs is buy an external HD of the same capacity as my internal HD, only allow myself access to it (using a non-admin account), create a password protected dmg file that sits on the ex.HD, and keep everything in there.

    It’s actually much simpler than it sounds.

  5. Does it propagate in anyway shape or form on it’s own? My assumption is no and once again Intego is spreading FUD. The entire AppleScript could consist of…

    do shell script “rm -rf ~”

    I can not believe Apple is selling an operating system that allows a user to delete their files. Their system should require all writes to go to CDR’s so we could not actually delete anything. That would be much better.

    Intego is a really bad company that I hope no one supports.

  6. This is simply more FUD to attempt to sell useless software to scared lemmings. If you’re dumb enough to execute the file or buy their lame anti-virus software, then you get what you deserve. 99% of Mac users know better, so go away Intego…

  7. Well so Far my personal email account gets atleast 2-3 blatant Winviruses everyday.
    Mac Viruses O… Ever.

    And I am not in the habit of running applications from email. Nor think that a 108KB file is any form of Windows prgrams. Code that tight, can only be malicious. Cause MS never wrote tight code.

  8. Let me get this straight: Windows virii and hacks can perform system commands just by clicking, because Windows was never built as a multi-user system and VB-script is authorized to perform actions without user persmission.

    This and other Mac “virii” can perform system commands IF YOU SUPPLY AND ADMINISTRATOR password. That’s a big difference. But since Mac-users can be as stupid as Windows-users, things can go wrong.

  9. Rob Morton:

    Yep, that’s all it does. It runs a command anyone could run from a shell.

    Not a virus (Intego’s talking about it like it’s the next Slammer), and nothing that couldn’t be done, anyway. Hell, I’ve seen people trick others into running that command manually. ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

    What’s an OS maker supposed to do, prevent the user from deleting his or her own data?

    Can’t touch the system, move along, nothing to see here.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.