New Mac OS X Trojan warning

A file called “latestpics.tgz” was recently posted on a Mac rumors web site (www.macrumors.com), claiming to be pictures of “Mac OS X Leopard.” Mac Rumors has, for some unknown reason, headlined their article “The First Mac OS X Virus?” – although they do seem to have recently tacked on the parenthetical “A New OS X Trojan” to the headline and added this statement to the end of their article: “It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.”

Ambrosia Software’s Andrew Welch explains:
You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to “open” it
…and then for most users, you must also enter your Admin password.

It does not exploit any security holes; rather it uses “social engineering” to get the user to launch it on their system. It requires the admin password if you’re not running as an admin user. It doesn’t actually do anything other than attempt to propagate itself via iChat. It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching. It’s not particularly sophisticated.

So, for those inclined to hyperbole and panic: relax. You cannot simply “catch” a trojan as you would a “virus.” There are zero Mac OS X viruses. This is not the first Mac OS X trojan and it won’t be the last. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you unarchive the file, then open it, and authorize it to run. Just trash it. As usual, do not install and run applications from untrusted sources. Do not run Mac OS X as “root.” Same stuff as usual.
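Since the whole attack depends on the victim decompressing the archive and double-clicking whatever is inside, the practical defence is to look at what an archive actually contains before opening anything in it. The script below is an added example, not code from the article, from Ambrosia or from MacRumors: it extracts a .tgz into a scratch directory without running anything, checks each member's magic bytes and executable bit, and flags any file that is named like a picture but starts like a program (or that is executable at all). The file names, the sample archive it builds and the magic-number table are assumptions made for the demonstration; it does not claim to reproduce the real latestpics.tgz.

```shell
#!/bin/sh
# Added example (not from the article): inspect a "pictures" archive such as
# latestpics.tgz before double-clicking it. Nothing in the archive is executed;
# it is only listed, extracted into a scratch directory and read.

# looks_like_image FILE: succeed if FILE starts with a JPEG, PNG or GIF signature.
looks_like_image() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    ffd8ff*)  return 0 ;;   # JPEG: FF D8 FF
    89504e47) return 0 ;;   # PNG:  89 'P' 'N' 'G'
    47494638) return 0 ;;   # GIF:  'G' 'I' 'F' '8'
  esac
  return 1
}

# looks_like_executable FILE: succeed if FILE starts with a script shebang, an
# ELF header or one of the Mach-O magic numbers (32/64-bit, either byte order,
# plus the "fat" universal-binary header, which Java class files also use).
looks_like_executable() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    2321*)                               return 0 ;;   # "#!"
    7f454c46)                            return 0 ;;   # ELF
    feedface|cefaedfe|feedfacf|cffaedfe) return 0 ;;   # Mach-O
    cafebabe)                            return 0 ;;   # Mach-O fat binary
  esac
  return 1
}

# classify_member REL FILE: print "REL<TAB>exec|noexec<TAB>kind<TAB>verdict".
# A member named like a picture whose bytes say "program", or which carries the
# executable bit, is SUSPICIOUS; so is any executable anywhere in the archive.
classify_member() {
  rel=$1; f=$2
  if [ -x "$f" ]; then perm=exec; else perm=noexec; fi
  if looks_like_executable "$f"; then kind=executable
  elif looks_like_image "$f"; then kind=image
  else kind=other; fi
  verdict=ok
  case "$rel" in
    *.jpg|*.jpeg|*.png|*.gif)
      if [ "$kind" != image ] || [ "$perm" = exec ]; then verdict=SUSPICIOUS; fi ;;
    *)
      if [ "$kind" = executable ] || [ "$perm" = exec ]; then verdict=SUSPICIOUS; fi ;;
  esac
  printf '%s\t%s\t%s\t%s\n' "$rel" "$perm" "$kind" "$verdict"
}

# scan_tgz ARCHIVE: extract into a scratch directory, classify every regular
# file, print the table and clean up. Exit status 0 = nothing odd,
# 1 = at least one SUSPICIOUS member, 2 = archive could not be read.
scan_tgz() {
  archive=$1
  tmp=$(mktemp -d) || return 2
  if ! tar xzf "$archive" -C "$tmp" 2>/dev/null; then rm -rf "$tmp"; return 2; fi
  report=$(find "$tmp" -type f | while IFS= read -r f; do
             classify_member "${f#"$tmp"/}" "$f"
           done)
  rm -rf "$tmp"
  printf '%s\n' "$report"
  if printf '%s\n' "$report" | grep -q 'SUSPICIOUS$'; then return 1; fi
  return 0
}

# make_sample_archive OUT: build a constructed look-alike of a bait archive for
# the demo: one file with a genuine PNG header, and one harmless shell script
# (it only echoes) that is named like a picture and marked executable.
make_sample_archive() {
  out=$1
  src=$(mktemp -d) || return 1
  mkdir "$src/latestpics"
  printf '\211PNG\r\n\032\n' > "$src/latestpics/leopard_desktop.png"
  printf '#!/bin/sh\necho "this would have run with your privileges"\n' \
    > "$src/latestpics/leopard_dock.jpg"
  chmod +x "$src/latestpics/leopard_dock.jpg"
  (cd "$src" && tar czf - latestpics) > "$out"
  rm -rf "$src"
}

# Demo: build the constructed sample and inspect it instead of double-clicking.
sample=$(mktemp) && make_sample_archive "$sample"
scan_tgz "$sample" || echo "verdict: do not open (status $?)"
rm -f "$sample"
```

The point of the check is that a file's name and icon are chosen by whoever packed the archive, while its first bytes and its mode bits are what the system actually acts on when the file is "opened." Anything the script marks SUSPICIOUS should be trashed, exactly as the article advises; the script never runs a member, so looking is safe even when the archive is not.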

More information about this trojan is in Welch’s full article.

MacDailyNews Take: It’ll be interesting to see which media organizations, if any, pick up on this and run the incorrect story of “the first Mac OS X virus.”


Related MacDailyNews article:
Incorrect reports of ‘Mac OS X virus’ begin to circulate – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004

52 Comments

  1. There is a point at which the general population becomes incapable of protecting the lowliest of their village idiots. For all of the signs and guard rails, many still manage to drive into trees. These are the same ones that download from Limewire (do you really think that “iWork ’06” is only 500Mb?). We can only do so much.

    A Trojan-like Mac file is not any more revolutionary than a bomb in a Ryder rental truck or a sawn-off shotgun under a coat. In order to live in a free society, we must accept two basic facts: [1] Evil idiots will always exist and [2] we cannot allow the peaceful lives of the vast majority to be affected by them. To allow my life to change, however small, including running protection software, is to allow these psychos to affect my life, and I won’t do it. I would much rather live 1,000 days in peace and possibly be open to a moment of attack rather than living those 1,000 days in fear and paranoia.

    We CHOOSE to be terrorized.

    We CHOOSE to be idiots.

    We CHOOSE to be isolated.

    What will you choose to be today?

  2. He he he he he he! (The sound of giggles from the corner) You guys crack me up. More entertaining than a bunch of monkeys.

    There’s nothing that can’t be hacked. And you’ll all be in denial even when work is being deleted and your contact lists are being passed around like that slutty cheer leader in high school.

  3. Sputnik – Long time no flame! I thought perhaps you had just been listening to the RADIO for a while..seeing as you wouldn’t have possibly gotten caught up in the iTunes/iPod craze.

    But your statements on Virus/Trojans having little difference is just plain wrong. Trojans cannot propagate themselves without user intervention. Viruses can. The fact that a user can choose to patch their system and protect themselves from a virus makes no difference. Viruses can spread without anyone doing anything. Trojans cannot.

    BTW, I consider MS Outlook to be a type of trojan because every once in a while, it crashes my Dell computer – nice.

  4. “Reverse Thrust” has Abused Spouse Syndrome. They think that…

    [1] Everyone else’s spouse beats up their partner, too. Just as they hide their own abuse, they think that their friends are hiding their own abusive relationships.

    [2] No matter if they find someone new, they will be beaten up anyway, so why leave? “Better the devil you know than the devil you don’t know.”

    It will take a VERY long time before Macs ever have the insane quantities and frequency of security incursions that Microsoft seems to be able to produce.

    If it ever does get to that point, then I’ll probably just give up on graphics and computers altogether and maybe raise horses. But, until then, 1 inert Trojan file does NOT equal 100,000 self-replicating viruses.

  5. The word “virus” was chosen to represent computer infections for a reason. Would a disease actually kill anyone if you could only be infected by doing all of the following?

    1) Somehow receive a hypodermic needle filled with the disease agent.

    2) Remove it from the box.

    3) Remove the safety cap.

    4) Inject yourself.

  6. Are all you people new here or what? It is SO good to see Sputnik back… his posts are some of the funniest and most vaguely sarcastic on MDN. I think he’s a Mac veteran.

    Lighten up people!

    Welcome back Sputnik! Where have you been?

  7. RANT1: this is pointless. it’s not the first trojan. there have always been trojans. I could wrap ‘sudo rm -rf /*’ into what looks like a JPEG file and convince you to run it and insert your password, and guess what? your OS is going to disappear from beneath you. As long as you don’t do anything on your computer, you’ll be fine for a while (as long as you put a decent amount of RAM in) but seriously, you are SCREWED. I hope you have a recent backup…

    RANT2: mac users need to know when NOT to use their password. guard it with your life guys! that’s why i don’t have ‘Windows Media Player’ on my powermac — they require you supply your admin password! For what?!? I say fsck -y!! If you are going to use the Internet today, you need to be smart, whether you use Mac/Windows/Linux.

    RANT3: seeing retrogazer here made me think of this one… if you guys are downloading ‘cracked’ apps from sites like [M S J] then you are really taking a chance with that too! I only use them for serial nums. And ONLY download the app from the developer (or reputable site, or check the MD5 hash against what the developer provides) Really, there is no excuse for running code on your machine that somebody who you don’t know modified and re-compiled. don’t be an idiot.

  8. tommyb – your 2nd point has me thinking. I wonder how many Mac users know the potential dangers of the admin password. I have just been going through the password scenario in my thoughts. Possibly every day a Mac user has to use their password at some point, so am I becoming complacent with the password or not? Apple could easily put a warning alongside the password request, just to make the user think twice.

  9. There are applications out there to protect against viruses. Yes, there aren’t many now and most users don’t get infected, but new ones will be created. It’s a matter of $ and name recognition. Most people use Windows, that is why people write viruses for Windows – same as terrorism, hit the most amount of people. Mac viruses will come, people, they will come. If you can’t spend $50 on anti-virus for your $2000 Mac it’s your own fault.

  10. If you want to get super technical:

    A virus is code that inserts itself into another program and executes when that program runs and reproduces itself, infecting other programs. For example, the old Mac WDEF virus. Just like a biological virus, it cannot do anything without a “host” program.

    A worm is a standalone program (or script, perhaps) that executes on its own and attempts to infect other computers/locations. Comparable to bacteria in the biological world.

    A trojan is a malicious program that presents itself to the user as something legitimate; while appearing to do legitimate things, it does something sneaky in the background. This might include propagation, but it might just erase your document files.

    Obviously the “trojan” category is not mutually exclusive to the other two. One can imagine a trojan that also incorporates/behaves like a worm or a virus.

    Of course most novice users just call every kind of malware a “virus.”

  11. Please will all the newbies around here stop insulting Sputnik? Long-standing MDNers (even anonymous ones like me) appreciate his well-crafted ironic posts. Too subtle for some of us here, I guess (but not for Voyager or Spark).

    MW: ‘cannot’ – ‘You cannot be serious!’
