Intego says Mac OS X Trojan AppleScript applet in the wild

“AS.MW2004.Trojan – that affects Mac OS X. This Trojan horse, when double-clicked, permanently deletes all the files in the current user’s home folder. Intego has notified Apple, Microsoft and the CERT, and has been working in close collaboration with these companies and organizations,” Macworld UK reports.

“The AS.MW2004.Trojan is a compiled AppleScript applet, a 108 KB self-contained application, with an icon resembling an installer for Microsoft Office 2004 for Mac OS X. This AppleScript runs a Unix command that removes files, using AppleScript’s ability to run such commands. The AppleScript displays no messages, dialogs or alerts. Once the user double-clicks this file, their home folder and all its contents are deleted permanently,” Macworld UK reports.

“Intego advises all Macintosh users to only download and run applications from trusted sources. However Intego has updated its VirusBarrier X software to address this vulnerability. Intego VirusBarrier X eradicates this Trojan horse, using its virus definitions dated May 11, 2004, and Intego remains diligent to ensure that VirusBarrier X will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier X users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences,” Macworld UK reports.

“[According to Intego] Nothing prevents users from creating other, similar AppleScripts, with different names and custom icons that can run the same damaging command. The current version that is in the wild only deletes a user’s files and folders. Other such commands could attempt to delete all the files on a Macintosh computer running Mac OS X, but they would need to request an administrator password. However, users may not hesitate to type their administrator’s password for what they think is an installer; after all, Apple’s Installer requires this password to install any applications and updates to Mac OS X,” Macworld UK reports.

“[According to Intego] This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user’s files with no warning, and AppleScript offers no protection against malicious commands,” Macworld UK reports.

Full article here.

MacDailyNews Take: Intego is the company that, just over a month ago, trumpeted a so-called Mac OS X Trojan horse which turned out to be exaggerated FUD designed to sell security software – basically a non-issue. And this “trojan” supposedly comes with a Microsoft Office icon, of all things! So forgive us for being just a tad skeptical. We swear we just heard someone cry “wolf?” Maybe we’re hearing things.

This makes us wonder who would’ve released this in the wild via P2P file sharing networks, if it’s true? What would the creator(s) have to gain? What companies would have the most to gain? Interesting questions to ponder. But, hey, at least they used AppleScript!

In case you’re guessing, color us unconcerned, bored, or blue with pink spots for all we care about this. Just in case, and because we can, we post this story for your use. Enjoy.

Reminders:
1. don’t click it if you don’t know where it came from or what it is.
2. Microsoft wants you to buy Office for Mac, not download it for free. (Please note that MS Word is not, nor has it ever been, 108 KB)
3. Intego wants to sell you “VirusBarrier X.”

Throw all three in a blender, mix, and see what you come up with – we think it’s called “Intego-Schmintego.”

Related MacDailyNews articles:
Mac OS X so-called Trojan horse ‘exaggerated FUD to sell security software, a non-issue’ – April 10, 2004

96 Comments

  1. Even if this is just another proof of concept, the point is that this could probably work. I don’t know much about UNIX, or AppleScript for that matter, but it is very easy for a user to accidentally throw away all their files in Mac OS X, and I imagine AppleScript could be used to automate that command.

    Is there a good way to stop this?

  2. Other than a weak attempt to sell more “anti-virus” software, or a way to try and put OS X into the “wracked with viruses and security problems like Windows” category, why does this matter? There’s no way to prevent this on any platform, and there never has been. It’s possible to write a malicious application for any platform, and that’s all this is, a malicious app. Any application, at any time can wipe out your folder, or a drive *cough* iTunes installer *cough*

    There’s nothing to read here… move along, move along.

    Plus anyone that downloads 108K and thinks that THAT is any kind of Word demo is an idiot if they don’t suspect something.

  3. Someone with more expertise than me answer this one, but from everything I know, assuming this thing works, it is not self-executing like Windows stuff.

    If I had downloaded the real Office 2004, I think I would remember it, so why in God’s name would I click on an installer that I did not remember asking for?

    What Intego has actually accomplished here is that they are now on my “watch list.” That means that if they ever did come up with a good piece of software that I needed, I would automatically not trust it until they proved otherwise. Not likely.

    Talk about the “Law of Unintended Consequences”!

  4. Good thing, then, that the first thing I do when I get my Macs is buy an external HD of the same capacity as my internal HD, only allow myself access to it (using a non-admin account), create a password protected dmg file that sits on the ex.HD, and keep everything in there.

    It’s actually much simpler than it sounds.

  5. Does it propagate in any way, shape or form on its own? My assumption is no and once again Intego is spreading FUD. The entire AppleScript could consist of…

    do shell script "rm -rf ~"

    I can not believe Apple is selling an operating system that allows a user to delete their files. Their system should require all writes to go to CD-Rs so we could not actually delete anything. That would be much better.

    Intego is a really bad company that I hope no one supports.

  6. This is simply more FUD to attempt to sell useless software to scared lemmings. If you’re dumb enough to execute the file or buy their lame anti-virus software, then you get what you deserve. 99% of Mac users know better, so go away Intego…

  7. Well, so far my personal email account gets at least 2-3 blatant Win viruses every day.
    Mac viruses: 0… ever.

    And I am not in the habit of running applications from email. Nor think that a 108KB file is any form of Windows program. Code that tight can only be malicious, ’cause MS never wrote tight code.

  8. Let me get this straight: Windows virii and hacks can perform system commands just by clicking, because Windows was never built as a multi-user system and VB-script is authorized to perform actions without user permission.

    This and other Mac “virii” can perform system commands IF YOU SUPPLY AN ADMINISTRATOR password. That’s a big difference. But since Mac-users can be as stupid as Windows-users, things can go wrong.

  9. Rob Morton:

    Yep, that’s all it does. It runs a command anyone could run from a shell.

    Not a virus (Intego’s talking about it like it’s the next Slammer), and nothing that couldn’t be done, anyway. Hell, I’ve seen people trick others into running that command manually. ;)

    What’s an OS maker supposed to do, prevent the user from deleting his or her own data?

    Can’t touch the system, move along, nothing to see here.

  10. If you type the command “rm -rf *” in your command prompt, it will erase everything in your home directory.

    If you are stupid enough to run this, or stupid enough to download an application from somewhere else that would just have only 108 KB but will be a MS Word beta (unless K does not mean Kilo and B does not mean byte), then you can have this problem.

    I think Intego must be sued for taking advantage of the ignorance of the people.

  11. It doesn’t propagate, so it’s not a big problem for most. I’ll be taking a little extra care from now on.

    Maybe Mail could be changed so that when a file is double clicked, rather than running it, it tries to open it with the application it’s pretending to be. Word would throw this out and it would be end of story.

    I do think it needs to be taken seriously though, and security awareness should be raised as we’re probably a little vulnerable due to feeling so invulnerable.

  12. It is not a virus, and it is not an executable. It is an AppleScript that runs the Unix shell command ‘rm’ for remove.

    Do a ‘man rm’ if you need to, and since it uses the user shell, just having rm aliased to ‘rm -i’ beats it: now rm has to ask your permission (a sort of “are you sure” warning).

    This has nothing to do with OS X or security; it is Unix, folks, and Unix is very powerful.

    To call this a virus or a trojan is silly. There is no executing code, it is just preying on those Mac users (maybe a lot) who know nothing about Unix.

    As a Unix and Linux user, this news makes me laugh as hard as I could. Looks like someone is desperately trying to show OS X is vulnerable: idiots, this is Unix, not a vulnerability.

  13. What could Apple do? Simply have AppleScript ask for permission before spawning a shell and executing Unix commands there. And this would not be a move toward a non-existent virus, rather a protection for naive users.

    In the meanwhile, have your .profile contain:
    alias rm='rm -i'
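The applet Macworld UK describes above (a compiled AppleScript that runs one Unix command with no dialogs) and the shell-level countermeasures discussed in comments 12 and 13 both turn on AppleScript’s `do shell script`. As an added example, not code from the article, Intego or any commenter, here is a Python checker that scans decompiled AppleScript source for shell calls that recursively delete the home folder or disk root, or that request administrator privileges. It assumes the source was obtained with macOS’s `osadecompile` (the two sample scripts below are constructed), and it inspects the script text rather than relying on shell configuration, since `do shell script` runs /bin/sh non-interactively and does not read the user’s .profile.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed input (not the real sample): what `osadecompile` would print for
# an applet behaving as Intego describes: one shell call, no dialogs or alerts.
TROJAN_SRC = 'do shell script "rm -rf ~"\n'
# Constructed benign installer-like script for comparison.
BENIGN_SRC = ('display dialog "Installing..."\n'
              'do shell script "ls -la ~/Documents"\n')

# A double-quoted AppleScript string (escaped quotes allowed) plus the rest of the line.
SHELL_CALL = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"([^\n]*)')
# Targets whose recursive deletion wipes the home folder or the whole disk.
WIPE_TARGETS = {"~", "~/", "~/*", "$HOME", "$HOME/", "$HOME/*", "/", "/*"}

@dataclass
class Finding:
    line: int
    command: str
    reason: str

def _simple_commands(cmd: str):
    """Split a one-liner on ; && || | into argv lists (flat commands only)."""
    for part in re.split(r'\s*(?:;|&&|\|\||\|)\s*', cmd.replace('\\"', '"')):
        if part.strip():
            yield shlex.split(part)

def _is_recursive_wipe(argv: list) -> bool:
    """True for `rm` with a recursive flag aimed at the home folder or root."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":
        return False
    flags = [a for a in argv[1:] if a.startswith("-")]
    targets = [a for a in argv[1:] if not a.startswith("-")]
    return any("r" in f.lower() for f in flags) and bool(set(targets) & WIPE_TARGETS)

def scan_source(src: str) -> list:
    """Return one Finding per risky shell call, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in SHELL_CALL.finditer(line):
            command, trailer = m.group(1), m.group(2)
            if any(_is_recursive_wipe(a) for a in _simple_commands(command)):
                findings.append(Finding(lineno, command, "recursive rm of home folder or disk root"))
            if "with administrator privileges" in trailer:
                findings.append(Finding(lineno, command, "asks for an administrator password"))
    return findings

def is_wiper(src: str) -> bool:
    return any(f.reason.startswith("recursive rm") for f in scan_source(src))
```

The command splitter only handles flat one-liners; anything built with variables, subshells or encoded strings needs manual review.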

  14. Sure this can work, but I can just go over to a folder and drag it to the trash icon too. Does that make me a trojan? Anyone stupid enough to run an application from an untrusted source, especially warez or the like… there’s no protection against absolute stupidity or greed other than good morals.
