New Mac OS X Trojan warning

A file called “latestpics.tgz” was recently posted on a Mac rumors web site (www.macrumors.com), claiming to be pictures of “Mac OS X Leopard.” Mac Rumors has, for some unknown reason, headlined their article “The First Mac OS X Virus?” – although they do seem to have recently tacked on the parenthetical “A New OS X Trojan” to the headine and added this statement to the end of their article: “It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propogating through any particular vulnerability in OS X.”

Ambrosia Software’s Andrew Welch explains:
You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to “open” it
…and then for most users, you must also enter your Admin password.

It does not exploit any security holes; rather it uses “social engineering” to get the user to launch it on their system. It requires the admin password if you’re not running as an admin user. It doesn’t actually do anything other than attempt to propagate itself via iChat. It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching. It’s not particularly sophisticated.

So, for those inclined to hyperbole and panic: relax. You cannot simply “catch” a trojan as you would a “virus.” There are zero Mac OS X viruses. This is not the first Mac OS X trojan and it won’t be the last. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you unarchive the file, then open it, and authorize it to run. Just trash it. As usual, do not install and run applications from untrusted sources. Do not run Mac OS X as “root.” Same stuff as usual.

More information about this trojan in Welch’s full article here.

MacDailyNews Take: It’ll be interesting to see which media organizations, if any, pick up on this and run the incorrect story of “the first Mac OS X virus.”

Advertisements:
MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
iMac and MacBook Pro owners: Apple USB Modem. Easily connect to the Internet using dial-up service. Only $49.
iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
Connect iPod to your television set with the iPod AV Cable. Just $19.

Related MacDailyNews article:
Incorrect reports of ‘Mac OS X virus’ begin to circulate – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004

52 Comments

  1. All viruses/trojans rely on social engineering. This one is no different. PC viruses rely on the large number of people who don’t install or update their anti virus software. Mac trojans exploit Mac users’ complacency. Little difference.

  2. We in the “real IT world” understand that this is why the Apple platform is inherently unsafe – the entire user base is operating without any anti-virus software.

    Furthermore we the “pro’s” have a very limited tool set to use when a virus like this strikes. It is going to be a very long weekend for IT professionals that have the unfortunate burden of maintaining a network of infected Apple pc’s.

    Once again the blind allegiance to a specific platform, one that is full of security holes I might add, is not the solution we would recommend to computer users.

    At least Microsoft is dedicated to developing tools and resources for the mitigation of viruses – Apple just leaves you out in the cold…

    ©

  3. Um…but Microsoft will charge you $49.99 a year for a service to protect the operating system that they made poorly which allows executable files to be run without the users knowledge. Big difference.

    Not to mention that there have been many studies regarding Mac users — we are better educated, better paid, and smarter. That is why we choose Apple.

  4. We really need to get this out to the MAC community.

    As we are adding new users to the OSX base there are new users that aren’t as sophisticated as the core community.

    Some “New” users will activate this Trojan and install it unknowingly.

    We need to have some tool to remove for those that have installed.

    We are at the cusp of growing our base and we need to be able to diffuse anything that might slow down or threaten our momentum.

  5. It’s 2, 2, 2 morons in one!

    Reality Check:
    Are you really going to post that bit of inane logic here and not expect to get called on it?

    I did actually get a laugh out of it though.

    Sputnik:
    What can I say. Where would we be without the goose-stepping retards like Sputnik.

    In point of fact, this little file amounts to nothing more than a badly coded app. Apparently it can’t even do what it was written to do (which makes me think it was written by Microsoft) so it isn’t much of a danger.

    The truth of the matter is this is just another scare we really don’t have to worry about.

  6. “how does one run osx as ‘root’ anyway? and why would one do so?”

    bscepter: You just have to enable the root account in NetInfo Manager, set a password for the root account, then log in as root. As to why? Not entirely sure why someone would need to do that anymore except maybe to apply some hack or something. In the early days of Mac OS X, before the majority of Mac users were Unix savvy (or Mac OS X savvy for that matter), it seemed like the easiest way to do certain things or fix certain problems, but I haven’t seen anyone recommending the use of root to accomplish anything for years.

  7. Wouldn’t you find it strange if opening a jpeg asked you for your username/password? I know I would.
    Sure the general public won’t get this, but for the professional mac community an image should not need authorization to open.

  8. “It requires the admin password if you’re not running as an admin user.”

    Is this correct? Even admin users are prompted for passwords to make system-level changes. Should it say “if you’re not running as root”? Or is it correct in implying that admin users would not be prompted?

  9. Listen people you are not getting this correct. (reality_check specifically)

    There is a HUGE difference between Trojan and Virus.
    A virus (windows biggest problem) is somethng that self installs and can run itself. You may visit a web site and “get infected”. The ONLY defense against this is active anti-virus software. Not only that, but the AV software nust “know” about the virus through daily updates over the internet.
    Mac OS X doesnt have a single virus (yet, if ever) because it is just simply built more securely.

    A trojan is malicious code hidden inside “clean” code. “Check out these pictures of a hot chick!” They trick you into d’loading and installing software unknowingly. This is definately a vulnerability for ANY (linux, wintel, mac, unix, solaris, palm, etc.) computer.
    The way to beat this is to have a new class of software (mostly to change the name) Anti-Malware (or whatever) This would simply scan what you are installing and check it against a known database of “malware”. It would see that you are about to install “latestpics.tgz” and warn you that it may be bad code.

    Unfortunately we would probably hear about it here before our AntiMalware app would “learn” to protect us against it.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.