First OS X "virus" was released (use this thread)

Clinically Insane
Join Date: Dec 1999
http://www.macrumors.com/pages/2006/...16005401.shtml
But not really, it's a trojan horse. And not a very good one. Unlike Windows where you have a real JPG that crashes the API and executes code, this is just a normal application with a JPG icon pasted on it.
First, if you're using Safari, it'll warn you that the file contains an application. So if you download the "JPG" and it's warning you it's an application, there's one flag.
Secondly, when you open the "JPG," like any application modifying system files, it asks you for your administrative password. So there's a second huge flag.
You have to get past a few security measures (all require user intervention) before this thing will even run.
(Last edited by olePigeon; Feb 16, 2006 at 11:05 AM.)
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts
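As an added example (not code from the thread, from Apple, or from any of the posters): a small POSIX shell audit that classifies the files in a download folder by their leading bytes instead of by name or icon, which is the distinction the post above is drawing. A JPEG icon pasted onto an application does not change its first bytes. The sample files are constructed for the demo; the file name "latestpics" is the one mentioned later in the thread, and the magic values are the standard JPEG, Mach-O, ELF and "#!" signatures.

```shell
#!/bin/sh
# Added example, not from the thread. Classify files by content, not by
# name or Finder icon. Magic values used:
#   JPEG    ff d8 ff
#   Mach-O  fe ed fa ce / ce fa ed fe (32-bit), fe ed fa cf / cf fa ed fe (64-bit),
#           ca fe ba be (fat/universal)
#   ELF     7f 45 4c 46
#   script  23 21 ("#!")
# Sample files in demo() are constructed for this example.

# Print a content label derived from the first four bytes of a file.
sniff_file_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        ffd8ff*)                                      echo jpeg ;;
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) echo mach-o ;;
        7f454c46)                                     echo elf ;;
        2321*)                                        echo script ;;
        *)                                            echo unknown ;;
    esac
}

# Return 0 if the content is something the OS would execute, 1 otherwise.
is_executable_content() {
    case $(sniff_file_type "$1") in
        mach-o|elf|script) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Return 0 if the file really begins with JPEG magic, 1 otherwise.
is_really_jpeg() {
    [ "$(sniff_file_type "$1")" = jpeg ]
}

# Report every regular file in a directory; flag executable content
# whatever the name or icon claims. This is the question behind Safari's
# "this download contains an application" warning.
audit_downloads() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        t=$(sniff_file_type "$f")
        if is_executable_content "$f"; then
            printf 'WARNING  %-8s %s\n' "$t" "$f"
        else
            printf 'ok       %-8s %s\n' "$t" "$f"
        fi
    done
}

# Stand-alone demo on constructed files.
demo() {
    tmp=$(mktemp -d)
    printf '\377\330\377\340JFIF' > "$tmp/holiday.jpg"     # genuine JPEG header
    printf '\317\372\355\376' > "$tmp/latestpics"          # 64-bit Mach-O header, no extension
    printf '#!/bin/sh\necho hello\n' > "$tmp/photo.jpg"    # a script wearing an image name
    audit_downloads "$tmp"
    rm -rf "$tmp"
}
demo
```

The check is deliberately independent of extension, resource-fork icon or anything else the sender controls about presentation; only the bytes at offset zero are consulted.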

Mac Elite
Join Date: Aug 2005
On my scale, I would rate it a 1 out of 5 regarding danger. You would have to blindly click yes and type in your password (that's if you have admin privileges).
I told my computer novice sister "NEVER type in your password unless you would trust the software company"

Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Since when is a password required to work within the user's home directory?
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."

Clinically Insane
Join Date: Dec 1999
Originally Posted by Chuckit
Since when is a password required to work within the user's home directory?
I meant root directory, it writes to your Library folder.

Clinically Insane
Join Date: Nov 1999
Technically, if it can spread to apps, then it's a true virus. It spreads the old-fashioned way: from app to app. Disguising a JPEG as an app is a poor way to set up the initial vector, but it qualifies.
Or rather, it at least theoretically qualifies. Once the virus has infected an app, can that app be used to infect other apps? That's the main kicker here: it has to be able to actually survive the process of spreading.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!

Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by Millennium
Disguising a JPEG as an app...
Don't you mean disguising an app as a JPEG, which is the case here? 

Posting Junkie
Join Date: May 2001
Location: Portland, OR
Originally Posted by Millennium
Technically, if it can spread to apps, then it's a true virus. It spreads the old-fashioned way: from app to app. Disguising a JPEG as an app is a poor way to set up the initial vector, but it qualifies.
Or rather, it at least theoretically qualifies. Once the virus has infected an app, can that app be used to infect other apps? That's the main kicker here: it has to be able to actually survive the process of spreading.
Actually, it doesn't do the spreading itself. It loads something on the machine called an "Input Manager". And Input Manager is something that OS X will put into every application on its own. I would still call it a trojan, considering OS X itself is spreading the trojan in publicly available functionality. The trojan is not directly infecting applications.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?

Clinically Insane
Join Date: Dec 1999
Originally Posted by goMac
Actually, it doesn't do the spreading itself. It loads something on the machine called an "Input Manager". And Input Manager is something that OS X will put into every application on it's own. I would still call it a trojan, considering OS X itself is spreading the trojan in publicly available functionality. The trojan is not directly infecting applications.
That'd make it a worm and not a virus, wouldn't it?

Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by olePigeon
That'd make it a worm and not a virus, wouldn't it?
No.
The only thing that keeps it from being a worm is that it requires user intervention to get it started on a newly infected machine.
Now, if it could somehow get it to automatically download itself through iChat and then run without the user knowing about it, THEN it would be a worm. As it stands, an iChat user has to choose to download it, and then choose to run it first, before it can execute.
This is a virus in the true sense of the word.

Posting Junkie
Join Date: May 2001
Location: Portland, OR
Originally Posted by olePigeon
That'd make it a worm and not a virus, wouldn't it?
IIRC a worm infects your hard disk and destroys data.
The one thing I worry about with this sort of attack is in theory if the input manager got into an authenticated application, it could hijack the authentication and do nasty things.

Clinically Insane
Join Date: Dec 1999
Originally Posted by Person Man
This is a virus in the true sense of the word.
Well, I'd still call it a Trojan and not a virus. Not that it matters.

Clinically Insane
Join Date: Nov 1999
Originally Posted by Person Man
Don't you mean disguising an app as a JPEG, which is the case here?
You're right, of course. Sorry about the juxtaposition.

Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by olePigeon
Well, I'd still call it a Trojan and not a virus. Not that it matters.
It's both, actually. 

Forum Regular
Join Date: Jan 2006
All Apple has to do is add a dialog similar to Dashboard's warning, to any new input managers/plugins etc...

Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
So how is this thing spreading? Or... is it?

Posting Junkie
Join Date: May 2001
Location: Portland, OR
Originally Posted by Binarymix
All Apple has to do is add a dialog similar to dashboards warning, to any new input managers/plugins etc...
Or they could enforce something like 755 privs on the input manager directory.

Professional Poster
Join Date: Sep 1999
Location: Ottawa, ON, Canada
Originally Posted by goMac
IIRC a worm infects your hard disk and destroys data.
Not necessarily. A worm is something that can spread by itself through a network. This Leap-A thing can't do that. As soon as it gets anywhere, it requires those users to run it to spread again.

Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Originally Posted by goMac
Or they could enforce something like 755 privs on the input manager directory.
Or maybe not giving admin access to Joe User when he boots up his shiny new iMac for the first time.

Posting Junkie
Join Date: May 2001
Location: Portland, OR
Originally Posted by alphasubzero949
Or maybe not giving admin access to Joe User when he boots up his shiny new iMac for the first time.
So then Joe User can't install software, change control panel settings, or even add an admin account to the machine?

Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Originally Posted by goMac
So then Joe User can't install software, change control panel settings, or even add an admin account to the machine?
Put it this way: Joe User as an admin is probably sick and tired of being asked to enter in his password and will just sigh and do it when asked without thinking twice. Something like this comes along demanding a password and he pops it in. Now what would you consider more serious: (a) His directory being fubared or (b) Not only his directory, but everything else that has write permissions for admin?
Oh, and the last time I checked:
A standard/managed user can still install apps in ~/Applications (if Apple bothered including it by default) and change account-specific settings. IMHO only Apple apps belong in /Applications. Anything else should go in ~/Applications unless the admin specifically wants other users to access certain apps globally. Moreover, there are some third party apps that require sudo for no apparent reason and will not easily divulge why it wants such access (e.g. Safari Enhancer and other poorly written apps). Joe User doesn't know better...and while we can't patch stupidity, there should be an extra safeguard in place.
For chrissakes this is not Windows where being a non-privileged user is going to kill you...
Remember, not everyone who runs admin on a regular basis knows what they are doing (as evidenced by the succoring in the initial Macrumors thread).

Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
Originally Posted by alphasubzero949
Put it this way: Joe User as an admin is probably sick and tired of being asked to enter in his password and will just sigh and do it when asked without thinking twice. Something like this comes along demanding a password and he pops it in. Now what would you consider more serious: (a) His directory being fubared or (b) Not only his directory, but everything else that has write permissions for admin?
Oh, and the last time I checked:
A standard/managed user can still install apps in ~/Applications (if Apple bothered including it by default) and change account-specific settings. IMHO only Apple apps belong in /Applications. Anything else should go in ~/Applications unless the admin specifically wants other users to access certain apps globally. Moreover, there are some third party apps that require sudo for no apparent reason and will not easily divulge why it wants such access (e.g. Safari Enhancer and other poorly written apps). Joe User doesn't know better...and while we can't patch stupidity, there should be an extra safeguard in place.
For chrissakes this is not Windows where being a non-privileged user is going to kill you...
Remember, not everyone who runs admin on a regular basis knows what they are doing (as evidenced by the succoring in the initial Macrumors thread).
I disagree, putting Apple's apps in their own directory is just silly. And who else is going to have my admin password if I don't? I don't want Apple to be the only one with admin privileges on my machine! What then someone hacks Apple and they've hacked every internet connected Mac!? NO THANK YOU!

Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Originally Posted by Salty
I disagree, putting Apple's apps in their own directory is just silly. And who else is going to have my admin password if I don't? I don't want Apple to be the only one with admin privileges on my machine! What then someone hacks Apple and they've hacked every internet connected Mac!? NO THANK YOU!
If the idea is silly, then why the b!tching with every SU about how the moved Apple apps aren't recognized? Perhaps that issue has been resolved but it makes you stop and think the next time you want to muck around in /Applications.
Do you even realize how much power you have as an admin? Unless you absolutely know what you're doing, you have no business doing day-to-day casual computing as one. You might as well enable root and run your GUI login from it.
Of course, it doesn't help with Apple's silly permission scheme (Whose bright idea was it to give /Library/InputManagers 775?).
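As an added example (not code from the thread, from Apple, or from any of the posters): a POSIX shell audit of the Input Manager directories that goMac (suggesting 755) and alphasubzero949 (objecting to 775) are discussing. It flags any directory that is group- or world-writable, reports its mode, and counts what is installed in it, since everything there gets loaded into every GUI application. The demo runs on constructed temporary directories so it can be tried on any POSIX system; on a Mac of that era you would pass /Library/InputManagers and ~/Library/InputManagers. The directory names and Example.bundle are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the thread. Audit Input Manager directories for
# write access beyond the owner. With 775 any member of the owning group
# (the "admin" group in the thread's complaint) can drop a bundle in with a
# plain file write; 755 would force an explicit privilege escalation.
# demo() uses constructed directories; real paths would be
# /Library/InputManagers and ~/Library/InputManagers.

# Return 0 if the directory is group- or world-writable, 1 if only the
# owner can write, 2 if it does not exist.
im_dir_is_weak() {
    dir=$1
    [ -d "$dir" ] || return 2
    mode=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxrwxr-x
    gw=$(printf '%s' "$mode" | cut -c6)     # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)     # other write bit
    [ "$gw" = w ] || [ "$ow" = w ]
}

# Count the entries (bundles) installed in a directory; 0 if it is absent.
im_count() {
    [ -d "$1" ] || { echo 0; return; }
    n=0
    for e in "$1"/*; do
        [ -e "$e" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print one line per directory: verdict, mode, path, and how many entries
# every application on the machine will load from it.
audit_input_managers() {
    for d in "$@"; do
        if im_dir_is_weak "$d"; then
            printf 'WEAK   %s  %s  (%s entries; chmod 755 and check the owner)\n' \
                "$(ls -ld "$d" | cut -c1-10)" "$d" "$(im_count "$d")"
        else
            rc=$?
            if [ "$rc" -eq 2 ]; then
                printf 'absent %s\n' "$d"
            else
                printf 'ok     %s  %s  (%s entries)\n' \
                    "$(ls -ld "$d" | cut -c1-10)" "$d" "$(im_count "$d")"
            fi
        fi
    done
}

# Stand-alone demo on constructed directories.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/InputManagers-775" "$tmp/InputManagers-755"
    chmod 775 "$tmp/InputManagers-775"
    chmod 755 "$tmp/InputManagers-755"
    mkdir "$tmp/InputManagers-775/Example.bundle"   # constructed stand-in for an installed bundle
    audit_input_managers "$tmp/InputManagers-775" "$tmp/InputManagers-755" "$tmp/InputManagers-missing"
    rm -rf "$tmp"
}
demo
```

The mode check only answers "who may write here"; an entry count above zero on a machine where you never installed an Input Manager is the second thing worth looking at, whatever the mode.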

Mac Elite
Join Date: Sep 2003
Location: London
Originally Posted by Binarymix
All Apple has to do is add a dialog similar to dashboards warning, to any new input managers/plugins etc...
makes sense, or something that comes up the first time you run an app. If you didn't think you were running an app, you'd get a shock (not literally)

Clinically Insane
Join Date: Nov 1999
Originally Posted by goMac
So then Joe User can't install software, change control panel settings, or even add an admin account to the machine?
Sure he can, if he enters the Administrator name and password. I run my own machines like this, in fact. The only real user-visible difference is that you have to put in the Admin password when you try to copy things into /Applications or /Library, and that should always have been required anyway.
The point of asking for this password is so that the machine can be sure that the machine's owner actually wants these things to happen. In an age of automated GUI scripts this is absolutely necessary with no exceptions if we are to have even remotely secure computers. The user must always be made aware that something is going on, they must always have the chance to disallow it, and even if they do allow it, there must be a way to prove that this is actually the user who wants it and not some script. Thus, the password.
If people get "tired" of this, it is because they don't understand the value of being able to say no. There is little that can be done about this save education. I suppose that Apple might be able to word their dialogs a bit better to explain exactly why the password is needed, but that is a discussion for another time.
(Last edited by Millennium; Feb 17, 2006 at 08:47 AM.)

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by olePigeon
Well, I'd still call it a Trojan and not a virus. Not that it matters.
Right. It's called Trojan Horse for a reason, not Trojan Worm.

Dedicated MacNNer
Join Date: Jul 2005
If it doesn't propagate itself then why would it be called a virus?

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by Fred_Cokebottle
If it doesnt propagate itself then why would it be called a virus?
Stop bringing reason into this, ok ?
People want a virus for OS X, and they'll make one up if they need to. It's always been like that. It's the rule.

Dedicated MacNNer
Join Date: Jul 2005
Maybe this virus was made for virus lovers by virus lovers.

Addicted to MacNN
Join Date: Oct 2003
Location: Far above Cayuga's waters.
how about we just call it a "threat" and get over this bullshit already?

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by d4nth3m4n
how about we just call it a "threat" and get over this bullshit already?
What's the threat ? Stupid users ? Then I agree...

Clinically Insane
Join Date: Nov 1999
Originally Posted by Fred_Cokebottle
If it doesnt propagate itself then why would it be called a virus?
The virus is not the app-disguised-as-JPEG: that's only the vector by which it first arrives on most machines. You could call that a Trojan horse, I suppose. But the payload it carries, the part that spreads, is a virus.

Mac Elite
Join Date: Apr 2003
Location: Southern, NJ (near Philly YO!)
Symantec and McAfee are loving this worm, virus, whatever you want to call it. They get a chance to profit from this.
MacBook Pro 15" i7 ~ Snow Leopard ~ iPhone 4 - 16Gb

Professional Poster
Join Date: Sep 1999
Location: Ottawa, ON, Canada
Originally Posted by Millennium
The virus is not the app-disguised-as-JPEG: that's only the vector by which it first arrives on most machines. You could call that a Trojan horse, I suppose. But the payload it carries, the part that spreads, is a virus.
The part that spreads uses the same trojan mechanism. If one app or all your apps are infected, who cares? I would consider one infected app as an infected system just as much as 5 apps.
A real virus would spread through standard user interactions that the user would normally do anyway - like by simply inserting a disk, or by opening an actual JPEG or loading a web page.
This is blown out of proportion just because the anti-virus vendors want to make money, and all the Mac-hating journalists want to say "Ha! Ha! MacOS has viruses now too." Well, it doesn't.

Addicted to MacNN
Join Date: Aug 2004
Location: Aberdeen, WA
So, what's the best thing to do to protect one's Mac? 
Consider these posts as my way of introducing you to yourself.
Proud "SMACKDOWN!!" and "Golden Troll" Award Winner.

Posting Junkie
Join Date: Dec 2000
Originally Posted by aberdeenwriter
So, what's the best thing to do to protect one's Mac?
Don't double-click the 'latestpics' file if someone sends it to you.

Clinically Insane
Join Date: Nov 1999
Originally Posted by hayesk
The part that spreads uses the same trojan mechanism. If one app or all your apps are infected, who cares? I would consider one infected app as an infected system just as much as 5 apps.
A trojan does not spread. This spreads. Ergo, it is a virus. Viruses are not as common as they once were, simply because they don't go from machine to machine as fast as worms do, but it's still a virus.
A real virus would spread through standard user interactions that the user would normally do anyway - like by simply inserting a disk, or by opening an actual JPEG or loading a web page.
What you've described is a worm, not a virus. They are related, but not the same thing. The "viruses" made famous by Code Red and such are actually worms. The last malware known to affect OS9, the QuickTime Autostart issue, was also a worm, though it spread through disks rather than the network.
This is blown out of proportion just because the anti-virus vendors want to make money, and all the Mac-hating journalists want to say "Ha! Ha! MacOS has viruses now too." Well, it doesn't.
No, they're technically correct. Few people make true viruses anymore, mostly since a much smaller portion of Net users share applications than used to. But the virus reports are correct.
Frankly, they always have been correct. The Mac community has long been gripped by this naive and foolish idea that we don't have to worry about security. The Mac is better when it comes to security, but it is not invincible. No platform is. Maybe this will wake some people up to that fact.

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Originally Posted by Millennium
The Mac community has long been gripped by this naive and foolish idea that we don't have to worry about security. The Mac is better when it comes to security, but it is not invincible. No platform is. Maybe this will wake some people up to that fact.
Yup, and I somehow doubt this will change most people's ideas about it. They'll believe that this was a fluke and blithely go on about their business-and still fall for stupid social engineering stuff like Leap-A. The AV industry should be breaking out the champagne on this-not because of the stupid bug, but because of all the Mac users who will eventually need disinfecting because they didn't learn anything from this one.
Sorry, but my cynical side is being very dominant right now. From all the responses I've seen and heard, most are "gee, that's too bad," not "holy cow! What do I do to keep this from happening to me?" One person even said "there goes one of the best reasons to get someone to switch from Windows!" It depresses me.
Glenn -----
OTR/L, MOT, Tx

Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Yeah, this virus really shows what a grave danger there is to Mac users.
Show of hands, everybody: Who knows someone who's been infected by this?

Addicted to MacNN
Join Date: Aug 2004
Location: Aberdeen, WA
Originally Posted by CharlesS
Don't double-click the 'latestpics' file if someone sends it to you.
Thank you very much, CharlesS! 

Professional Poster
Join Date: Sep 1999
Location: Ottawa, ON, Canada
Originally Posted by Millennium
A trojan does not spread. This spreads. Ergo, it is a virus. Viruses are not as common as they once were, simply because they don't go from machine to machine as fast as worms do, but it's still a virus.
This doesn't spread without explicit user help. It's not a virus. If it could spread just by the user using his computer in a typical fashion, i.e. sending email, browsing the web, giving a disk to another user, then I would admit it's a virus.
But this can't go anywhere without social engineering - ergo, a trojan. Though I admit it has some worm and/or virus like properties, but the bottom line is it isn't spreading anywhere without tricking the user into running. That's why it's not a full fledged worm or virus.
I do admit the lines are being blurred between what is a virus, worm, or trojan, but this is only a wake up call to those who don't want to exercise common sense. The general Mac community who are smart enough not to click on unknown attachments still have nothing to fear.
This doesn't open up a new reason to get anti-virus software, be more vigilant, etc. When a real virus comes along that can spread by exploiting the OS, then we should be concerned.
Until then, the journalists are spreading FUD, and the anti-virus vendors are trying to increase their sales.

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by aberdeenwriter
So, what's the best thing to do to protect one's Mac?
Just don't believe the hype, the FUD and never double-click files of uncertain content and authorship.

Mac Elite
Join Date: Aug 2005
Originally Posted by aberdeenwriter
So, what's the best thing to do to protect one's Mac?
1) Don't download items off of the internet if you don't trust the source.
2) Don't open email attachments if you don't know the source.
If people followed those two little things, we would see a dramatic reduction in viruses/worms/trojans on all platforms.

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
And don't expect your OS to protect you from your own misguided actions... This is one very large issue that the Mac community MUST address. You simply cannot be complacent and play with whatever you see online, expecting to find your computer has protected itself.
Somebody once said stupidity should be painful; in this case it looks like that works. But what happens if the next iteration of this sort of thing is both truly malicious and disguised as a coupon for a free iPod Nano? I think we will all know a number of "innocent victims" who have "shot themselves in the hard drive" by believing such social engineering.