Intego says Mac OS X Trojan AppleScript applet in the wild

“AS.MW2004.Trojan – that affects Mac OS X. This Trojan horse, when double-clicked, permanently deletes all the files in the current user’s home folder. Intego has notified Apple, Microsoft and the CERT, and has been working in close collaboration with these companies and organizations,” Macworld UK reports.

“The AS.MW2004.Trojan is a compiled AppleScript applet, a 108 KB self-contained application, with an icon resembling an installer for Microsoft Office 2004 for Mac OS X. This AppleScript runs a Unix command that removes files, using AppleScript’s ability to run such commands. The AppleScript displays no messages, dialogs or alerts. Once the user double-clicks this file, their home folder and all its contents are deleted permanently,” Macworld UK reports.

“Intego advises all Macintosh users to only download and run applications from trusted sources. However Intego has updated its VirusBarrier X software to address this vulnerability. Intego VirusBarrier X eradicates this Trojan horse, using its virus definitions dated May 11, 2004, and Intego remains diligent to ensure that VirusBarrier X will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier X users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences,” Macworld UK reports.

“[According to Intego] Nothing prevents users from creating other, similar AppleScripts, with different names and custom icons that can run the same damaging command. The current version that is in the wild only deletes a user’s files and folders. Other such commands could attempt to delete all the files on a Macintosh computer running Mac OS X, but they would need to request an administrator password. However, users may not hesitate to type their administrator’s password for what they think is an installer; after all, Apple’s Installer requires this password to install any applications and updates to Mac OS X,” Macworld UK reports.

“[According to Intego] This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user’s files with no warning, and AppleScript offers no protection against malicious commands,” Macworld UK reports.

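A practitioner's first move on a download like this is to read it rather than run it. The following is an added example, not code from the article, from Intego or from Macworld UK: a small static triage script that pulls printable strings out of a file the way strings(1) does (with tr, so it needs no binutils) and greps them for destructive shell commands. It assumes the compiled applet keeps its shell command as a plain string literal, which is usual but not guaranteed (a script can assemble the command at run time and evade this), and it looks for the command text rather than the words "do shell script", on the assumption that the command name is compiled to an Apple event code rather than stored as text. The sample files it builds are constructed for the example and contain no real malware.

```shell
#!/bin/sh
# Added example (not the article's, Intego's or Macworld UK's code): static
# triage of a suspicious file. It never executes the file; it only reads it.

# Print printable runs of at least 4 bytes, one per line, like strings(1).
# LC_ALL=C keeps tr from choking on non-UTF-8 bytes.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' || true
}

# Destructive commands worth flagging wherever they turn up. Plain ERE, no \b,
# so it works with both BSD and GNU grep.
DESTRUCTIVE_RE='(^|[ ;&|])(rm +-[A-Za-z]*[rR]|srm |dd +if=/dev/(zero|u?random)|mkfs|newfs|diskutil +erase)'
# Targets that mean "the user's own data" (no password needed to hit them).
HOME_RE='(^| )(~|\$HOME|/Users/[^ ]+)'

# Print the destructive-looking strings found in a file (empty if none).
destructive_strings() {
    extract_strings "$1" | grep -E "$DESTRUCTIVE_RE" || true
}

# Succeed if any destructive string aims at a home folder.
targets_home() {
    destructive_strings "$1" | grep -qE "$HOME_RE"
}

# Verdict for one file: flag, review or no_findings. File size is deliberately
# not a signal: padding a file with junk to look like an installer is trivial.
triage_file() {
    if [ -n "$(destructive_strings "$1")" ]; then
        echo flag
    elif extract_strings "$1" | grep -qE 'do shell script|/bin/(ba)?sh|osascript'; then
        # Shell is invoked but no literal destructive command is visible; the
        # command may be assembled at run time, so a human should read it.
        echo review
    else
        # Absence of evidence only: an obfuscated script also lands here.
        echo no_findings
    fi
}

# Constructed sample files (no real malware). "FasdUAS" is the real magic
# prefix of a compiled AppleScript; everything after it is made up here.
make_samples() {
    dir=$(mktemp -d) || return 1
    # the deleter: one string literal plus ~100 KB of zero padding
    { printf 'FasdUAS 1.101.10\0\0rm -rf ~\0'; head -c 100000 /dev/zero; } > "$dir/deleter.scpt"
    # benign: a shell command that only lists files
    printf 'FasdUAS 1.101.10\0\0ls -la ~/Documents\0' > "$dir/benign.scpt"
    # source text whose command is assembled at run time
    printf 'do shell script (myCmd & " " & myTarget)\n' > "$dir/runtime.applescript"
    printf '%s\n' "$dir"
}

samples=$(make_samples)
for f in "$samples"/*; do
    printf '%-22s %s\n' "$(basename "$f")" "$(triage_file "$f")"
done
rm -r "$samples"
```

Run it against a real download with `triage_file /path/to/file`. A "flag" on `rm -rf ~` is exactly what the description above would produce; a "no_findings" is not a clean bill of health, only the absence of a literal, which is why the text of any `do shell script` call should still be read before the applet is ever double-clicked.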

MacDailyNews Take: Intego is the company that, just over a month ago, trumpeted a so-called Mac OS X Trojan horse which turned out to be exaggerated FUD designed to sell security software – basically a non-issue. And this “trojan” supposedly comes with a Microsoft Office icon, of all things! So forgive us for being just a tad skeptical. We swear we just heard someone cry “wolf?” Maybe we’re hearing things.

This makes us wonder who would’ve released this in the wild via P2P file sharing networks, if it’s true? What would the creator(s) have to gain? What companies would have the most to gain? Interesting questions to ponder. But, hey, at least they used AppleScript!

In case you’re guessing, color us unconcerned, bored, or blue with pink spots for all we care about this. Just in case, and because we can, we post this story for your use. Enjoy.

Reminders:
1. don’t click it if you don’t know where it came from or what it is.
2. Microsoft wants you to buy Office for Mac, not download it for free. (Please note that MS Word is not, nor has it ever been, 108 KB)
3. Intego wants to sell you “VirusBarrier X.”

Throw all three in a blender, mix, and see what you come up with – we think it’s called “Intego-Schmintego.”

Related MacDailyNews articles:
Mac OS X so-called Trojan horse ‘exaggerated FUD to sell security software, a non-issue’ – April 10, 2004

96 Comments

  1. To make up for my wrong assumption (rm -i could in the future not be overridden by -f) I found a script to change rm into moving to trash as with Mac deletion:

    http://www.macosxhints.com/article.php?story=20030217172653485

    Some users have then used alias rm to point to the script. The above link explains all.

    Still, the best security also is on users’ shoulders and running an application (or an applescript) blindly and coming from unknown, untrusted sources, is never a good idea. You can only protect yourself up to a certain point.

  2. This is just a program that deletes files when run, why are they calling this a trojan. I wrote pretty much this same program in Microsoft QuickBasic on my Mac Classic when I was about 8 years old just to see what would happen, except it deleted the system folder… It consisted of one line of code, something like:

    Kill “System Folder”

    My parents had to take the computer in to get the system re-installed, because our system 6 floppy disks had gone bad… oops. This is very easy to avoid, don’t open random apps downloaded from p2p software.

  3. This is why the term Trojan is correct :-

    http://www.irchelp.org/irchelp/security/trojanterms.html

    Trojan horse
    This is a very general term, referring to programs that appear desirable, but actually contain something harmful. The harmful contents could be something simple, for example you may download what looks like a free game, but when you run it, it erases every file in that directory. The trojan’s contents could also be a virus or worm, which then spread the damage. See our Trojan horse help page for more information.

  4. MacSmiley I have thousands of songs and hundreds of movies downloaded from p2p sources, and my closest friends have that many too, without a single trojan, rubber, or condom. We practice safe computing with firewalls and virus programs that work. I don’t know if macs have the same stuff available that we have, but if they do, use it and download for free. Otherwise, curl up in a scared ball.

  5. I think we have reached the ultimate limit for people not being responsible for their own actions. This is analogous to a mass-mailing of a letter that states, “Throw your infant into a dumpster and you will get $1,000,000. Do it now!!”

    Believe it or not, there will be some idiot dumb enough to do it, and when their child is dead, they will try to sue the creator of the letter.

    P2P is for thieves, 12 year old boys looking for pictures of nude women, and pedophiles looking for pictures of nude 12 year old boys. Which one are you!?

  6. If anyone is stupid enough to think a 108KB (Kilobytes) file is an installer for Office 2004, and actually tries to download and install it, they deserve to be smacked on the head.

  7. Seahawk:

    This script doesn’t work. The do shell script command in AppleScript completely ignores all local configurations. Ironically enough, this was done for security reasons according to Apple. Check this out:

    “For security and portability reasons, do shell script ignores the configuration files that an interactive shell would read, so you don’t get the customizations you would have in Terminal.”

    I just tested it; it ignored my settings. The only defense against this is to not run the script. If you do, you’re screwed. Apple really needs to fix this. Sure, most of us wouldn’t get hit by this, but if it ever got widespread mom & pops would have some serious headaches. rm should be guarded more than this.

    -Joel
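The point Joel makes can be checked on any Unix box without touching a real home folder. The following is an added example, not code from the article or from any commenter: it sets up an rm guard of the kind the macosxhints page describes (a shell function standing in for the alias-to-script trick) and shows that a command typed into the guarded shell is diverted to a trash folder, while the same command handed to a fresh `/bin/sh -c`, which is what `do shell script` does, runs the real `/bin/rm`. It assumes only that `mktemp -d`, `mv` and `/bin/sh` exist; everything happens under a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the article or any commenter): an rm alias or
# function in your own shell is no defence against a script that spawns its
# own non-interactive shell. That child shell reads no profile, inherits no
# aliases and, in POSIX sh, no functions. Nothing outside a mktemp dir is touched.

# A disposable "home" with one file in it, plus an empty trash; prints the path.
make_victim() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/Documents" "$tmp/trash"
    echo "irreplaceable" > "$tmp/home/Documents/notes.txt"
    printf '%s\n' "$tmp"
}

# The guard: shadow rm with a function that moves its arguments into $TRASH
# instead of deleting them (stand-in for the alias-to-script trick). It exists
# only in this shell process.
rm() {
    for arg in "$@"; do
        case $arg in
            -*) ;;                      # ignore -r, -f and friends
            *)  mv "$arg" "$TRASH/" ;;  # divert instead of delete
        esac
    done
}

# Case 1: the command is typed into the guarded shell. The function runs and
# the folder ends up in the trash. Returns 0 if the data survived.
typed_into_guarded_shell() {
    tmp=$(make_victim) || return 1
    TRASH=$tmp/trash
    rm -rf "$tmp/home/Documents"
    [ -f "$TRASH/Documents/notes.txt" ]
}

# Case 2: the same command is handed to a fresh /bin/sh -c, as do shell script
# does. The child shell knows nothing about our rm function, so /bin/rm runs.
# Returns 0 if the data is gone and nothing landed in the trash.
run_through_child_shell() {
    tmp=$(make_victim) || return 1
    TRASH=$tmp/trash
    /bin/sh -c "rm -rf \"$tmp/home/Documents\""
    [ ! -e "$tmp/home/Documents" ] && [ ! -e "$TRASH/Documents" ]
}

if typed_into_guarded_shell; then
    echo "guarded shell: rm was diverted to the trash folder"
fi
if run_through_child_shell; then
    echo "child /bin/sh -c: the guard was bypassed and the folder is gone"
fi
```

Putting a wrapper named `rm` earlier on your PATH fares no better for the same reason: the child shell gets its own environment rather than the one your Terminal built from its startup files, which is exactly the behaviour the Apple note quoted above describes.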

  8. Maybe they could bury a GUI-only, non-scriptable way to turn off guards on rm that only someone who knew what they were doing would know how to find and use, but leave all the guards in place by default. This way power users who probably wouldn’t get hit by such a trojan could remove annoyance while maintaining a high level of security for joe user.

    -Joel

  9. Maybe this is the first steps towards bringing more pc users to the mac. They can feel more at home with the threat of instant mass file removal…

    (typed while looking at my other screen (PC) and seeing “Adware Warning” text falsely implanted into my browser page on IE – by an adware app)

  10. What’s the deal here? Has there ever been an environment that WOULDN’T let a program you installed and ran operate upon any files it has sufficient privileges to access?

    Seriously–the fact that it is a script rather than an .app isn’t terribly relevant–someone could just as easily write an app that overwrites or erases files, for just about any operating system.

  11. I think that if AppleScript would ask for the password whenever it runs a shell command that’d absolutely fix the problem. A nice feature would be if it shows the command that wants to be executed directly in the password window, like it does with any other application that wants a password.

  12. Opinionated Jerk:

    True, but the point is that this is a trivial way to do massive damage. You barely have to be conscious to make a script that does this. It’s pretty easy (I just did it) to make an AppleScript Studio .app that requests an administrator password and could run this as sudo. The point here is that you can completely delete a user’s folder without any password involved. For instance, that previous “virus alert” that went out about the MP3 file. Someone could masquerade an AppleScript as a popular MP3 file (complete with garbage–or real data–to make the file size seem legitimate), distribute it, and it could delete an entire user’s home directory without asking for a password.

    -Joel

  13. This is just a simple reminder that you should NOT run applications that you don’t know are safe. Anyone could write a “trojan horse” for any platform that does this. Programs routinely have the ability to delete files and/or folders – they need to. Something like this could be written for any operating system, and if the user is dumb enough to run it, there is nothing you can do.

    Do you want to verify every time your web browser decides to clear old files from its cache?

    This has nothing to do with the capabilities of AppleScript, the command line, or anything. You could write an application that did this using: BASIC, perl, Pascal, C, C++, Objective-C, python, ruby, bash-shell, c-shell, zsh, tcsh, ada, AppleScript, lisp, scheme, Java, and just about any other language that has the ability to make file system calls.

    Intego is outright _lying_ when they say this exposes a “serious weakness in OS X.” Yeah, the weakness of letting a user delete his own files. Perhaps you should be forced to save all files onto CD. None of this crazy read-write media for you.

    Apple may even have grounds to sue for damage to business. Intego’s claims cross the typical fear-mongering of anti-virus companies into outright slander.

    So, there is NOTHING for Apple (or Microsoft, for that matter) to do about this. The spokespeople quoted here are probably going to have to take a day off to recover from having to deal with all the numbskulls this lie brought out of the woodwork.

    Good response MDN, but this needs to be completely exposed for the lie it is. Doesn’t hurt to remind people to avoid being stupid, though.

    “Hey, Johnny – if someone tells you to drag your Home directory into the Trash can and then choose ‘Secure Empty Trash’ from the File menu, don’t do it.”

  14. I have had Intego software for years, since OS 9. I love their Net Barrier application. I have also used VirusBarrier for years – long before the last concept fiasco. Just a few days ago, VirusBarrier caught a Windows MS Word virus in a file that had been transferred to my computer. On another computer, on which I do not run VirusBarrier, Virex did not pick up the problem with a copy of the same original infected file. I was able to find it on that computer only because VirusBarrier had alerted me on my first computer. This is not the first time this has happened.

    I cannot say what Intego is doing. I just use their software. But, I have generally had positive experiences with it. I am personally happy I have got it, even if the company has some major PR recovery to do.

    People had better be familiar with their current software before bashing Intego. If they have done something like intentionally misled people or done something damaging to the Mac, then they can rot in a hole somewhere. But, at this point, I do not see conclusive evidence of that. I see mixed comments on the feasibility and even the terminology of what they are saying.

    I see tech-savvy suggestions here that the common user would be absolutely lost about. The suggestion that if someone opens the wrong thing, he should live with the consequences of the stupid mistake is shortsighted and inconsiderate to the many people who just don’t understand those things. Such newbies may be excited they can turn on the computer, write a few words, and shut it down. This is not an acceptable reason to disregard any potential issues that a company brings up.

    Since I do not yet see anything here substantiated and supported enough to tell me otherwise, I am inclined to err on the safe side. I will be upgrading VirusBarrier to include whatever it is they want to give to its current users.

  15. The Gospel according to St. Intego the Deceptive:

    “Since it is built on a Unix foundation, it can run powerful commands very easily.”

    And this is a weakness how?

    “These commands can delete or damage a user’s files with no warning, and AppleScript offers no protection against malicious commands…”

    Only if the user enters them folks. And AppleScript will run a legitimate command. The user has to determine if the source is trustworthy.

    Conclusion? An idiot thought he was getting a pirated copy of Word on a P2P network and was stupid enough to run it. Hmmm…I wouldn’t put this past Microsoft. Jerk a pirate around and give Mac OS X bad press at the same time, what could be better?

  16. Joel, OJ, Krioni, you are all right. Apple added “do shell script” to AppleScript and to Unix and AppleScript users it is a powerful tool combo. The only issue I have is that “do shell script” does not read the configuration files that an interactive shell running in Terminal would, which makes a shell command “rm -rf ~” use the default environment – leading to the issue at hand – but also limits its usefulness. Certainly Apple thought about shell AppleScripts being able to run on any system, in that they would not rely on the user's configuration; still, in this case, it opened a little can of worms.

    OJ is right on the spot when he says it is common to any operating system to be able to delete files. AND this is hardly a novelty: also in previous Mac OS an AppleScript could do that and delete files if you run it. With the shell combo it is just extremely easy to do that in a single line, but this is Unix, not a weakness of OS X, as Viridian says.

    A savvy user in Unix can do unimaginable things (with respect to old Mac OSes) in a single line statement; Mac users should simply start to realize that OS X has all the easiness of a Mac and all the power of a Unix platform. If you have never been exposed to Unix, do it; you will be in awe at how easy it is to perform complex tasks with your environment. Unleash the full power at your hand and be more aware.

    As it is now, the situation is the equivalent of a Windows user double-clicking on an unsolicited email attachment promising to speed up their internet connection ten-fold at no cost… and then suffering the consequences. We always said those were Winblows dumbasses. Do not do the same folks until Apple adds more control (and user restrictions) to “do shell script” in AppleScript.

  17. and of course Apple should not remove this capability from Applescript, only I do not understand fully the choice of disregarding user configuration files as a “measure toward security”.

  18. Applescript should simply have an option to honor shell configuration files: that would keep the portability issue. I simply do not see any security factor in ignoring them – actually this example showed the opposite.

    And my “do not do the same until” of previous post was wrong: NEVER do it anyway, Applescript or not! It is simply silly.

  19. I don’t know for sure if the File Vault would protect the user from this or not. But since File Vault is really just an encrypted disk image, when you log in the disk image is mounted as your Home. The files are not really gone unless you let the File Vault update the image when you log out.

    What if you ran this applescript, then logged out and chose not to update and logged in as another user? You would still be able to mount your Home directory, but since you chose not to update it, I think your files would still be there. Right?

    I haven’t tried it but unless you actually log out, your files will still be in a temporary folder or cache I would think.
