Found a trojan on OS X!

Forum Regular
Join Date: Jun 2000
Location: Milwaukee, WI,USA
Ok, is this the recent non-virus thing just recently argued over, or something new?
Today I found this in my usual startup Virex 7.2.1 scan of local volumes:
/Users/kronos/Library/Caches/Java Applets/cache/javapi/v1.0/jar/loaderfox.jar-1833c950-52f47e79.zip
Found the Exploit-ByteVerify trojan !!!
Any info on this?

Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
A little googling indicates that this is an exploit in Java applets, designed to take advantage of a flaw in a certain operating system known as Microsoft Windows. Breathe easy.

Mac Enthusiast
Join Date: May 2004
Location: norway
put this in your .bash_profile:
and you'll be safe from trojans forever.

Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Phew.
Originally posted by nooon:
put this in your .bash_profile:
and you'll be safe from trojans forever.
Wow I hope that's a joke. I mean, it's not like a trojan can just run /bin/rm directly, or use a different shell, or...
Not to mention the headaches you'll give yourself the first time you mistype the argument.
(Last edited by Xeo; Nov 11, 2004 at 09:40 AM.)

Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Originally posted by nooon:
put this in your .bash_profile:
and you'll be safe from trojans forever.
Then why doesn't Apple do this as a standard practice?

Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Originally posted by mitchell_pgh:
Then why doesn't Apple do this as a standard practice?
good question.
Though I believe the answer will be something like "because it's not standard practice".
Apple has caught enough flak from the *nix community for being a little different in their implementation.

Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
That particular implementation is no good at all. It provides zero security. Apps don't have to use the alias set up under bash to run rm. But Apple could, if they chose to, compile a new rm that forces the user to enter a password. Then you couldn't run rm without proving you are the person sitting at the keyboard.
But even still, then would-be hackers would just include their own version of rm (or some other program that deletes files) with whatever software they got running on your system.
And is file deletion even what we worry about most? Sure it's a concern but if you make back ups then the level of damage it can do is minimal. Is it worth so much effort to JUST stop file deletion? Would it not be more important to keep people from using your machine without your knowledge, using it for DoS or brute force hack attempts on some server, or who knows what else?
Apple would do better to include something like Little Snitch on OS X by default.
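The point made above, that programs never go through the shell's alias, as an added shell example that is not from the thread: it shadows rm the way a .bash_profile alias would (a shell function stands in for the alias, because aliases are not expanded in scripts) and counts the ordinary invocation routes that bypass the shadow. The function name count_bypasses and the scratch directory are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Stands in for the .bash_profile trick:
# shadow rm with an interactive-confirmation version, then count how many
# ordinary ways of invoking rm never consult the shadow at all.
# Only touches a fresh mktemp directory.

# The shadow. stdin is /dev/null so "rm -i" gets no "y" and keeps the file,
# which models a user declining the prompt. "|| true" keeps set -e quiet.
rm() { command rm -i "$@" </dev/null 2>/dev/null || true; }

# Prints the number of invocation routes that deleted their file.
# Expected: 4 of 4 bypass the shadow, while the shadowed call deletes nothing.
count_bypasses() {
    d=$(mktemp -d) || return 1
    n=0

    touch "$d/shadowed"; rm "$d/shadowed"    # the only path the shadow covers
    [ -e "$d/shadowed" ] || return 1         # the shadow must have kept it

    touch "$d/f1"; /bin/rm "$d/f1"           # absolute path: exec(2) of the binary
    [ -e "$d/f1" ] || n=$((n + 1))

    touch "$d/f2"; command rm "$d/f2"        # 'command' skips functions and aliases
    [ -e "$d/f2" ] || n=$((n + 1))

    touch "$d/f3"; sh -c "rm \"$d/f3\""      # child shell: no profile, no alias
    [ -e "$d/f3" ] || n=$((n + 1))

    touch "$d/f4"; env rm "$d/f4"            # any program that spawns rm via PATH
    [ -e "$d/f4" ] || n=$((n + 1))

    command rm -rf "$d"
    echo "$n"
}

count_bypasses
```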

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally posted by Xeo:
Apple would do better to include something like Little Snitch on OS X by default.
I like that idea.
Unfortunately, I had some real problems with Little Snitch. One time, it almost messed up my whole system.
It seems to lose stored information every once in a while, especially if you work with more than one user at a time.
I finally disabled it. Maybe a later version will be more stable.
-t

Forum Regular
Join Date: Jun 2000
Location: Milwaukee, WI,USA
Thanks! I had a little difficulty finding it, but found the MS connection... must have gotten this trojan when some email link automatically opened IE. Forgot I had IE, so I just dumped it.

Mac Elite
Join Date: Nov 2003
Location: New Haven CT.
Trojans are too thick, no feeling, I prefer life styles, or none at all.

Professional Poster
Join Date: Sep 1999
Location: Ottawa, ON, Canada
Originally posted by Xeo:
That particular implementation is no good at all. It provides zero security. Apps don't have to use the alias set up under bash to run rm. But Apple could, if they chose to, compile a new rm that forces the user to enter a password. Then you couldn't run rm without proving you are the person sitting at the keyboard.
Wrong, it may be a really bad idea to do this. When you run a command with sudo, the authentication lasts for several minutes. If you try this you will see:
sudo ls /
sudo echo "hey, it did not ask me for a password."
You could do great damage if you type
"rm -r / Users/me/Preferences/Cache" by mistake after entering a sudo command a couple of minutes ago. (notice the extra space inadvertently typed)

Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Back on track, every virus/trojan etc. has always been due to Windows users sending it to me.

Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Originally posted by hayesk:
Wrong, it may be a really bad idea to do this. When you run a command with sudo, the authentication lasts for several minutes. If you try this you will see:
sudo ls /
sudo echo "hey, it did not ask me for a password."
You could do great damage if you type
"rm -r / Users/me/Preferences/Cache" by mistake after entering a sudo command a couple of minutes ago. (notice the extra space inadvertently typed)
That hadn't crossed my mind but you are exactly right. It does turn from "no good" to "really bad" very quickly when looking at it like that.

Mac Enthusiast
Join Date: May 2004
Location: norway
ok ok ok. disregard my previous post then 

Forum Regular
Join Date: Jun 2000
Location: Milwaukee, WI,USA
So... what's all this jar stuff in my Applets/cache/javapl/v1.0/jar/ folder, all these .zip files?
Are there things that should be in there? After deleting the two Virex recognized "loaderfox.jar-1833c950-52f47e79.zip" files... Virex now recognizes another one that wasn't recognized before: "ar3.jar-6ce3b82f-29a7b591.zip"
Can I delete many of these .zip files from this folder? There are 67 of them...
Here is the complete list:

Professional Poster
Join Date: May 2004
Location: Semi Posting Retirement *ReJoice!*
Originally posted by nooon:
ok ok ok. disregard my previous post then
i'm glad i kept on reading =P
Thanks Hayesk
No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.

Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Originally posted by Bogartte:
So... what's all this jar stuff in my Applets/cache/javapl/v1.0/jar/ folder all these .zip files?
Are there things that should be in there? After deleting the two Virex recognized "loaderfox.jar-1833c950-52f47e79.zip" files... Virex now recognizes another one that wasn't recognized before: "ar3.jar-6ce3b82f-29a7b591.zip"
Can I delete many of these .zip files from this folder? There are 67 of them...
Here is the complete list:
<snip>
I would guess yes. It looks like a cache which means it's just a place the .jars are being stored so it doesn't have to redownload them if you visit the web site again. I can't even find a directory structure like that on my system. What is the full path to that directory?

Forum Regular
Join Date: Jun 2000
Location: Milwaukee, WI,USA
Xeo,
Path is:
/Users/yourname/Library/Caches/Java Applets/cache/javapi/v1.0/jar
I deleted the ones Virex considered to be trojans, and now my system is clean...