New Mac virus called "HackTool"?

Mac Elite, Join Date: Feb 2001, Location: Canaduh
More hysteria at Macintouch.com today about a potential virus called "HackTool" that infects VM swapfiles(?)
What y'all think?
Readers are trying to understand a mysterious new phenomenon that looks like a virus:
[Terry Harpold] As of yesterday afternoon, I've been getting repeated, if irregular, warning messages from Norton AntiVirus that one or another of my Mac (OS X 10.3.9)'s swapfiles is infected with "Hacktool.Underhand".
Attempts to repair the infection with NAV result in a hard crash of the computer. Scans by Norton of the machine show no further infection, but the error messages continue, so something running at a low level that NAV doesn't know about is reinfecting me (?).
"Hacktool.Underhand" is not listed among the virii treated in the most recent update of Norton's virus database.
I can find nothing re ".Underhand" on the Norton.com WWW site
I can find only one mention of "Hacktool.Underhand" on the WWW via Google, on a Japanese-language WWW site, which, unfortunately, I can't read. Google's translation of the page leaves, ah, much to be desired. That posting is less than 48 hours old. Perhaps this is a new Mac OS X virus? (I thought that most "Hacktools" were Windows trojans...)
Any advice for finding this thing and purging it from my system? Has anyone else been infected?
[Ed Baskerville] I haven't seen the Hacktool.Underhand operating firsthand, but a frantic father just called me to say he had received the same unnerving message from Norton AntiVirus. The message told him that swapfile1 was infected, and that Norton was unable to repair it.
There are some more people reporting this problem here: [Hacktool Virus]. I'll follow up with more information if I find anything out - I may have to call Symantec technical support and pay their fee.
http://www.macintouch.com/#tips.2005.05.03

Mac Elite, Join Date: Sep 2000, Location: Tempe, AZ
I'll bet Norton is scanning for known signatures and it scans the swapfile while it's doing its scanning. The known signature it's scanning for gets swapped out while it's doing the scanning and goes into the swapfile. Then Norton scans the swapfile and sees the signature it's scanning for and, not realizing that it put it there itself, forecasts doom and gloom.
I don't know anything other than what was in the initial post, but that's my bet.
Geekspiff - generating spiffdiddlee software since before you began paying attention.

Mac Elite, Join Date: Feb 2001, Location: Canaduh
That sounds very plausible.

Clinically Insane, Join Date: Jun 2001, Location: planning a comeback !
WhyTF do you use an Antivirus program on a Mac running OS X ? Do you believe all the FUD put out there by all the antivirus companies ? I still don't understand who'd buy such a product, with literally 0 known and existing viruses for OS X. I don't get it...
-t

Senior User, Join Date: Jun 2000, Location: Nebraska
Working in the tech field, I think every computer should have some kind of antivirus program installed no matter what OS it is running. I still can't believe it when a computer comes in with Norton 2003 and the subscription ran out back in October 2003 and the computer is infected with so many viruses and spyware and all that fun stuff. Believe it or not Macs can get viruses. These are Windows viruses, yes they won't hurt the Mac but they can spread to other computers which they can hurt. Think of the Mac that gets a Windows-only virus like the monkey from Outbreak. The Mac is the host and doesn't appear to have the symptoms of the virus. Then say the Mac is connected to a Windows network or the virus is in an email and forwarded to a Windows user. So the Mac transmits the virus to a Windows computer with either no antivirus program or outdated subscriptions and infects that computer.
Isn't it better to stop the spread rather than help aid it? If everyone would realize that a good antivirus program and active subscription to download definitions is a must in today's computer world, the issue with viruses wouldn't be so bad. Yes there is no Mac OS X virus YET. But with growing popularity the door opens wider and wider...
[Riding a circus elephant]
Peter: Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change. - Family Guy

Baninated, Join Date: Jul 2002, Location: The Moon
Yes there is no Mac OS X virus YET. But with growing popularity the door opens wider and wider...
Been hearing that since the PB.
Over 5 years ago.

Mac Elite, Join Date: Feb 2002, Location: USA
Yeah, it is titled "norton.ANTI.virus.mac".

Senior User, Join Date: Jun 2000, Location: Nebraska
Originally Posted by sideus
Yeah, it is titled "norton.ANTI.virus.mac".
Lol. Agreed. Norton Antivirus whether on a Mac or PC is horrible.

Posting Junkie, Join Date: May 2001, Location: Brisbane, Australia
Originally Posted by Applefreak01
Believe it or not Macs can get viruses. These are Windows viruses, yes they won't hurt the Mac but they can spread to other computers which they can hurt. Think of the Mac that gets a Windows only virus like the monkey from Outbreak. The Mac is the host and doesn't appear to have the symptoms of the virus. Then say the Mac is connected to a Windows network or the virus is in a email and forwarded to a Windows user. So the Mac transmits the virus to a Windows computer with either no antivirus program or out dated subscriptions and infects that computer.
This post contains a number of fallacies, which creates a hypothetical - and very improbable - situation where a mac-user unknowingly spreads a virus to a PC.
1) The mac has to get the virus in the first place. About the only situation a virus lands on a mac these days is through a forwarded attachment.
2) A mac user, with subpar intelligence, tries opening this unknown attachment, which consequently does absolutely nothing.
3) A mac user, with even less than subpar intelligence forwards the unknown attachment to a PC-user, asking "Do you know what this is?"
4) The PC user, who must be even stupider than the previously mentioned mac user, does not run any anti-virus software / runs Outlook Express / double-clicks the attachments.
My conclusion: If there exist people stupid enough to follow all these steps they probably deserve getting a virus.
And don't get me started on the whole "security-by-obscurity" issue that you alluded to in the last comment there.

Posting Junkie, Join Date: Dec 2000
Originally Posted by Applefreak01
Working in the tech field, I think every computer should have some kind of antivirus program installed no matter what OS it is running. I still can't believe it when a computer comes in with Norton 2003 and the subscription ran out back in October 2003 and the computer is infected so with many viruses and spyware and all that fun stuff. Believe it or not Macs can get viruses. These are Windows viruses, yes they won't hurt the Mac but they can spread to other computers which they can hurt. Think of the Mac that gets a Windows only virus like the monkey from Outbreak. The Mac is the host and doesn't appear to have the symptoms of the virus. Then say the Mac is connected to a Windows network or the virus is in a email and forwarded to a Windows user. So the Mac transmits the virus to a Windows computer with either no antivirus program or out dated subscriptions and infects that computer.
What kind of idiot forwards a virus e-mail to his friends?

Senior User, Join Date: Jun 2000, Location: Nebraska
I told you I can't believe the number of people that come in with computers with either no or way outdated antivirus programs. One lady didn't even know what a computer virus was, one thought that all you needed was a program and didn't know that the virus definitions should be up to date. Not everyone is as computer smart as you think. And I don't forward anything, I was simply giving an example.

Posting Junkie, Join Date: Dec 2000

Senior User, Join Date: Jun 2000, Location: Nebraska
Yeah me too. If this is for real why isn't symantec all over it?

Posting Junkie, Join Date: Dec 2000
The weird thing is that it would be in the swap file. I mean, the swap files get cleared on reboot. Therefore, even if you had a virus in the swap file (is this even possible?), wouldn't you have to also have it somewhere else in order for it to survive a reboot?

Junior Member, Join Date: Dec 2002, Location: London
I had this "Hacktool.Underhand" and it is due to NAV. It's only appeared since LiveUpdate redid the definition file. There is a large discussion over here
Just to clarify why I have Norton installed: I have Norton installed only because we (my work) share Internet connections with several other companies in one building. The company that runs the building's connection cut off our access because they detected a virus on one of our Macs; after installing and running checks on all computers I did find one on one of our Macs. I even argued that it can't be us as we are Mac only... blah blah, but I was proved wrong. I think the ISP was right in cutting my connection if it put others at risk.
...ill get my coat

Fresh-Faced Recruit, Join Date: Jan 2001, Location: Madison, WI, USA
First of all, this is not a "virus". It is a trojan, and can only be installed on your computer by you or someone else with local/physical/administrative access.
But that is beside the point, because NONE OF YOU HAVE THIS TROJAN ON YOUR COMPUTER!
This is a FALSE POSITIVE because Symantec's signature for detecting this tool was too broad! Since the swapfile has large amounts of dynamically changing data, they're apparently detecting the same overly-broad binary snippet they're searching for in your swapfile.
REPEAT: YOU DO NOT HAVE THIS TROJAN IF YOU ARE GETTING A NOTICE IT'S IN YOUR SWAPFILE.
Underhand is a conventional .app application bundle that hides itself from the Dock and the normal user-space running process listings. It can physically be searched for, and its mode of operation is clear: it will be present in your Login Items and process listings, and runs from the user home directory's Library/Preferences folder. Yes, names can be changed, etc., but it is fundamentally a Mac OS X application bundle that runs interactively (albeit invisibly) while a user is logged in. A signature, in the context of AV detection, or anything else that defines it in that manner is not present in swap, and that is technically impossible. Therefore, this is a false positive, and the detection scheme likely appeared in Symantec's most recent definition update.
Symantec has CONFIRMED this and has issued new virus definitions to fix their mistake:
Subject: Re: Hacktool babble
From: Michael Romo <michael_romo@symantec.com>
Date: Wed, 4 May 2005 10:30:09 -0700
-----------------
Hi--
We figured out what's happening and are releasing a new defs file today. I will let you know when it's up!!
thanks,
mike
---
Mike Romo
Product Manager, Macintosh Symantec Corporation
Office: 310-449-8347
Interoffice: 6 [310] 8347
Fax: 310-449-4246
email: michael_romo@symantec.com
-----------------
Also, the recommendation to UNINSTALL your virus software is very ignorant. It IS possible for malware to affect the platform, though statistically a lot less likely than, e.g., Windows. However, if you have NO protection, you may be caught unprepared when there is a real threat.
REPEAT: No one who has this report about this being in their swapfile is infected. NO ONE.
Anyone who has any doubts may contact me below.
Regards,
Dave Schroeder
Apple Distinguished Educator
University of Wisconsin - Madison
Division of Information Technology
Platforms and Operating Systems
1210 W Dayton St Rm B263
Madison, WI 53706-1685
das@doit.wisc.edu
http://das.doit.wisc.edu
(608) 265-4737
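The two explanations offered above (Geekspiff's guess that the scanner's own definitions get paged out and then found in the swap file, and Dave's point that a content-only signature with no structural context will match arbitrary data) can be shown with a toy scanner. The following is an added illustration, not code from Symantec, Norton AntiVirus, or anyone in this thread. The "signature" bytes, the Mach-O check, the synthetic swap-file layout and the fake trojan image are all constructed for the demo; the real Hacktool.Underhand definition is not public, and a real engine checks far more than a magic number. The swap-file path pattern (/private/var/vm/swapfileN, also reachable as /var/vm) is the Mac OS X 10.3/10.4 pager layout and is the practitioner check worth remembering: a hit reported against the pager's backing store is some process's paged-out memory, not a file anyone installed.

```python
"""Toy signature scanner: why an over-broad definition fires on a swap file.

Added example, not code from Symantec, Norton AntiVirus, or the thread above.
Signatures, file layouts and sample data are constructed for illustration.
"""
import random
import re

# Hypothetical "broad" definition: a short run of ordinary text that plenty
# of legitimate processes hold in memory (assumption for the demo).
BROAD_SIG = b"Library/Preferences/"

# Mach-O magic numbers (32-bit big/little endian, fat binary). An executable
# image starts with one of these; a swap file does not.
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

# Backing files of the VM pager on Mac OS X 10.3/10.4.
SWAPFILE_RE = re.compile(r"^/(private/)?var/vm/swapfile\d+$")

PAGE = 4096


def scan_broad(data: bytes, sig: bytes = BROAD_SIG) -> bool:
    """Content-only match: flag any file that contains sig anywhere."""
    return sig in data


def scan_narrow(data: bytes, sig: bytes = BROAD_SIG) -> bool:
    """Same bytes, but only counted inside something that is an executable image."""
    return data[:4] in MACHO_MAGICS and sig in data


def is_swapfile(path: str) -> bool:
    """True for the pager's backing store, whose contents are paged-out memory."""
    return SWAPFILE_RE.match(path) is not None


def simulated_swap(paged_out: bytes, pages: int = 16, seed: int = 2005) -> bytes:
    """Constructed swap file: random page contents plus one page holding the
    memory of a process that got paged out (for example the AV engine's own
    definition table while it is scanning)."""
    rng = random.Random(seed)
    body = [bytes(rng.getrandbits(8) for _ in range(PAGE)) for _ in range(pages)]
    body[pages // 2] = paged_out.ljust(PAGE, b"\0")
    return b"".join(body)


def simulated_trojan_binary(sig: bytes = BROAD_SIG) -> bytes:
    """Constructed Mach-O image that genuinely carries the marker bytes."""
    return MACHO_MAGICS[0] + b"\0" * 60 + sig + b"fake.app/Contents/MacOS/fake"


def triage(path: str, data: bytes) -> str:
    """Reproduce the outcomes discussed in the thread for one scanned file."""
    if not scan_broad(data):
        return "clean"
    if is_swapfile(path) or not scan_narrow(data):
        return "false positive (signature matched non-executable data)"
    return "hit"


if __name__ == "__main__":
    # The scanner's own definition table, paged out in the middle of a scan.
    av_table = b"DEFS 2005-04-28\0Hacktool.Underhand\0" + BROAD_SIG + b"\0"
    print("swapfile1:", triage("/private/var/vm/swapfile1", simulated_swap(av_table)))
    print("swapfile2:", triage("/private/var/vm/swapfile2", simulated_swap(b"")))
    print("trojan   :", triage("/Users/me/Library/Preferences/fake", simulated_trojan_binary()))
```

Run it and the first line reports a false positive, the second a clean file, and the third a real hit. The broad matcher alone cannot tell the first and third apart; what separates them is context about what kind of object was scanned, which is also why Symantec's fix was a definitions update and not anything on the user's machine.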

Clinically Insane, Join Date: Nov 1999
Originally Posted by turtle777
WhyTF do you use a Antivirus program on a Mac running OS X ? Do you believe all the FUD put out there by all the antivirus companies ? I still don't understand who'd buy such a product, with literally 0 known and existant visurses for OS X. I don't get it...
Do not listen to this advice. It is misguided and foolish in the extreme.
Although it is true that there are no viruses in the wild for OSX yet, Macs are not invincible. Macro viruses can still do some damage if you use Microsoft products (they cannot do as much damage as they can on Windows, but they can still do a fair amount). In addition, it is only a matter of time before a virus is written, and it is wise to be prepared for that eventuality. Das is right in everything he's said.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!

Posting Junkie, Join Date: Feb 2000, Location: Washington, DC
While I feel very safe on my computer, I run NAV. I've found many (pc) viruses that my friends are sending out and told my friends about them.
I'll put up with the occasional false positive to protect my computer from a potential threat. Just because there aren't any known viruses doesn't mean the next killer one isn't just around the corner.

Clinically Insane, Join Date: Jun 2001, Location: planning a comeback !
Originally Posted by Millennium
Do not listen to this advice. It is misguided and foolish in the extreme.
Although it is true that there are no viruses in the wild for OSX yet, Macs are not invincible. Macro viruses can still do some damage if you use Microsoft products (they cannot do as much damage as they can on Windows, but they can still do a fair amount). In addition, it is only a matter of time before a virus is written, and it is wise to be prepared for that eventuality. Das is right in everything he's said.
Macro viruses ? When is the last time you had a problem with that ?
I work with Excel on a daily basis, PC and Mac. I share XLS files on a daily basis, company-wide. The last time I encountered a XLS macro virus was sometime in 1997 or 1998.
From my experience, they are almost extinct. I don't say this will be true for everyone, but you can easily turn on macro virus protection in Word and Excel, that's it. I have it turned off, because I work a lot with macros. Still, no probs in the last 7 years.
Is that your only concern ? Would you recommend for someone to buy an OS X Antivirus program just for macro viruses ? FUD !
-t

Clinically Insane, Join Date: Nov 1999
Originally Posted by turtle777
Is that your only concern ? Would you recommend for someone to buy an OS X Antivirus program just for macro viruses ?
Certainly not, but if that is what it takes to pierce someone's illusions of invincibility, then so be it. I only hope that you wake up from your little dream before it comes back to bite you.

Mac Elite, Join Date: Nov 2001
Originally Posted by turtle777
Macro viruses ? When is the last time you had a problem with that ?
I work with Excel on a daily basis, PC and Mac. I share XLS files on a daily basis, company-wide. The last time I encountered a XLS macro virus was sometime in 1997 or 1998.
From my experience, they are almost extinct. I don't say this will be true for everyone, but you can easily turn on macro virus protection in Word and Excel, that's it. I have it turned off, because I work a lot with macros. Still, no probs in the last 7 years.
Is that your only concern ? Would you recommend for someone to buy an OS X Antivirus program just for macro viruses ? FUD !
-t
Macro viruses CAN run on OS X and I HAVE seen it happen. A group of sales reps I work with use Macs daily. A customer sent an infected Excel spreadsheet on, which was used by the reps in the group. They shared it, edited it, and sent it on. Well it was infected, so their customers were getting all sorts of macro virus warnings on their side, and the reps had to install Symantec on their Macs to clean out the cruft.
This was last year -- Office v.X on OS X 10.2. No harm came to the Macs (it couldn't really damage the machines), but the virus did live in the documents and could be passed on. So the Macs were acting like "Typhoid Mary" here. Sure, it's caught by people with AV software on the PC side, but it looks pretty stupid when you pass on infected documents without knowing it. You could say "yeah, but it's only for stupid MICROSOFT files", but still... it hurts perception because it is something that can live in Mac Office.
That said, I won't run that AV crap on my mac ;-)

Addicted to MacNN, Join Date: Aug 2004, Location: FFM
Originally Posted by Millennium
Do not listen to this advice. It is misguided and foolish in the extreme.
Although it is true that there are no viruses in the wild for OSX yet, Macs are not invincible.
Then why did Apple discontinue Virex for .Mac members?

Admin Emeritus, Join Date: Oct 1999, Location: Zurich, Switzerland
Because it's not compatible with Tiger. It wouldn't surprise me if it returned once it's compatible again. Or perhaps Apple has plans to offer a different antivirus package instead. Both NAV and VirusBarrier are superior to Virex 7. (Talk about a product decaying... the early versions of Virex were absolutely superb, worlds better than the competition, and then when Mac OS X came along, they appear to have hired a bunch of coders who've never seen, much less used, a Mac before, gave them $10 to put together a mockup, and called it a day.)
tooki

Mac Elite, Join Date: May 2001, Location: NYC
Good question. I'm assuming that Apple got fed up with Virex causing problems with the OS, and started their own AV software in-house, but it's not ready yet. Just a guess though.

Fresh-Faced Recruit, Join Date: Jan 2001, Location: Madison, WI, USA
Official acknowledgment from Symantec:
http://service1.symantec.com/SUPPORT...05050417004611
Alert: "swapfile is infected with Hacktool.Underhand"
Situation:
You are running Norton AntiVirus for Macintosh 9.x with virus definitions dated April 28, 2005, or you are running Norton AntiVirus for Macintosh 8.x with virus definitions dated May 1, 2005. You see an Auto-Protect alert, "swapfile is infected with Hacktool.Underhand. The file could not be repaired but was quarantined." After Norton AntiVirus quarantines the file, a kernel panic message may appear.
Solution:
A false positive in Norton AntiVirus for Macintosh virus definitions causes this behavior. To fix the problem in Norton AntiVirus for Macintosh 9.x, download and install virus definitions dated May 2, 2005 or later, and then delete the quarantined file.

Grizzled Veteran, Join Date: Nov 2003
I think Norton Antivirus causes more problems than it actually fixes... I've NEVER... I repeat... NEVER had any weird problems on any of my Macs that I couldn't find a logical source to the problem.
I've been using Macs for 10 years. Wow... Ten Year Anniversary... Hooray me.

Clinically Insane, Join Date: Mar 2001, Location: yes
For those who really want to run Antivirus software, why not run clamAV? There is even a GUI for this AV engine called clamXav. It's very popular in the Unix world and seems absolutely solid (it is tied into the back-end of many email servers via interfaces such as amavisd-new). Best of all, it's open source (i.e. free)!
Why pay money for a product that, for the time being, is out looking for the Easter Bunny, and is far more intrusive in its design (and some would say, far more faulty)? If you're concerned, there are viable free alternatives.

Mac Elite, Join Date: Oct 2000, Location: Edinburgh, Scotland
Originally Posted by besson3c
For those who really want to run Antivirus software, why not run clamAV? There is even a GUI for this AV engine called clamXav. It's very popular in the Unix world and seems absolutely solid (it is tied into the back-end of many email servers via interfaces such as amavisd-new). Best of all, it's open source (i.e. free)!
Why pay money for a product that, for the time being, is out looking for the Easter Bunny, and is far more intrusive in its design (and some would say, far more faulty)? If you're concerned, there are viable free alternatives.
Wow, someone must be smiling on me from above this week - this is the second shameless plug I've managed in as many days!
http://www.clamXav.com

Forum Regular, Join Date: Dec 2003, Location: Manhattan Beach, CA
I did a simple update. I still have Virex 7.2 installed on my computer. It has not caused any problems yet, but I am sold on clamXav. Can someone point me to a simple process (or program) that will safely uninstall Virex 7.2?
Thanks for your help.

Grizzled Veteran, Join Date: Sep 2000, Location: London, UK
Originally Posted by TETENAL
Then why did Apple discontinue Virex for .Mac members?
They did? I (literally) just downloaded and installed 7.5.1 on one of my Panther machines.
It doesn't work under Tiger of course, but I assume an update will fix that. Eventually.
Maybe they'll even turn it into a properly working, sensibly designed app at the same time. 

Senior User, Join Date: Nov 2002, Location: aurora
We have seen monkeys doing some terrible things to humans but the human is usually the cause of the problem. Take for example Ella, she was having fun until the good doctor stuck her with needles that made her super smart and evil in Monkey Shines. That poor monkey.
Now the monkey in Outbreak was a significant problem but she was not a hacker purposely infecting people. She didn't wake up one day and say, "oooo ooo ahhh!" She said, "ooo ooo".
Why should it be our responsibility to protect Windows users? It is just proving that when Windows users have a problem with their computer they will always ask the Mac users for help. No thanks, I will not be the Windows tech support guy all my life. Besides, it may have been worse if the monkey could fly.

Grizzled Veteran, Join Date: Sep 2003, Location: Felton, CA
Originally Posted by Millennium
Certainly not, but if that is what it takes to pierce someone's illusions of invincibility, then so be it. I only hope that you wake up from your little dream before it comes back to bite you.
I don't have a virus protector - I think viruses are just too unlikely. I mean maybe someone will come up with a killer, but most likely I'll be able to put Virex on my machine in the time it would take to download updates.
Trainiable is to cat as ability to live without food is to human.
Steveis... said: "What would scammers do with this info..." talking about a debit card number!

Moderator, Join Date: Apr 2005, Location: Cambridge, UK
I don't think there will ever be viruses for OS X.
This is how I see it....
OS X is built on UNIX.
How long has UNIX been available? Many many years.
How many viruses are there for it? As far as I'm concerned 0, but there may be 1.
OS X is just a better and more enhanced version of X11 for UNIX (Darwin).
So I think I'm safe.
If we were to accidentally send a Windows virus to a Windows user, then if they're stupid enough to be using Windows in the first place, you'd think they might have a virus scanner.... yes there are free versions available for Windows too.
If my parents weren't tied to their PCs because of an Access database they use, I would have had them back onto Mac years ago.
Sean

Clinically Insane, Join Date: Oct 2001, Location: San Diego, CA, USA
Originally Posted by seanc
How long has UNIX been available? Many many years.
How many viruses are there for it? As far as i'm concerned 0, but there maybe 1.
I know there have been at least two Linux viruses (Staog and Bliss, both of them true viruses), and the field is way more well-inhabited than that if you mean malware in general (i.e. including worms, which originated on Unix) rather than viruses in particular.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."