
Wtf Is This? Mac Virus???
moonmonkey
Professional Poster
Join Date: Jan 2001
Location: Australia
May 22, 2004, 12:33 AM
 
I assume I'm up before everyone else, found this in my email.
Screen shots included.

If anyone is brave enough to examine the ZIP files PM me.

P.S. Adam Betts is not being blamed for this.

http://homepage.mac.com/woodhams/images/ad_list.gif

The actual email with the dodgy .zip file (through web mail; if you use the Mail app it may be another file type).

http://homepage.mac.com/woodhams/images/email_issue.gif

and

http://homepage.mac.com/woodhams/images/returned.gif
[Inline images MUST be no more than 480 pixels wide, per the rules we impose for legibility reasons. -- tooki]
( Last edited by tooki; May 23, 2004 at 12:59 PM. )
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 22, 2004, 07:11 AM
 
You're using Entourage or something, eh? I have no idea how you press the delete button in that application. Other than that, welcome to the concept of spam and the internet.
weird wabbit
     
macintologist
Professional Poster
Join Date: Apr 2002
Location: Smallish town in Ohio
May 22, 2004, 08:53 AM
 
Actually it looks like .mac webmail.
     
ryju
Professional Poster
Join Date: Aug 2002
May 22, 2004, 09:20 AM
 
How is this a Mac virus? Maybe if the extension was .sit or .dmg I would get that impression...but .zip is way more common in the Windows world.
     
RayX
Dedicated MacNNer
Join Date: Aug 2003
May 22, 2004, 09:56 AM
 
This is not a Mac virus...

It is "Sober.G", for Windows.

The latest worms for Windows when spreading spoof the sending address using whatever addresses it finds from various files on the host PC.

That's all it is, nothing to see here.

Do a minute of research in the future eh?

Thread = closed
     
moonmonkey  (op)
Professional Poster
Join Date: Jan 2001
Location: Australia
May 23, 2004, 02:45 AM
 
Originally posted by RayX:
This is not a Mac virus...

It is "Sober.G", for Windows.

The latest worms for Windows when spreading spoof the sending address using whatever addresses it finds from various files on the host PC.

That's all it is, nothing to see here.

Do a minute of research in the future eh?

Thread = closed
They are all from .mac addresses and real ones.
What are the chances that the 800+ recipients of the PC virus all have .mac addresses?

Tosser.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 23, 2004, 03:08 AM
 
Originally posted by moonmonkey:
They are all from .mac addresses and real ones.
What are the chances that the 800+ recipients of the PC virus all have .mac addresses?

Tosser.
From what I see most of those addresses were not real, since the mailer daemon didn't accept them. The real ones, such as that from Adam Betts, are gotten in the same way spammers get their mail address lists: by trolling the internet with a spammer email address harvester. Nothing really special except that it's a good idea not to stuff your email address on the web.
weird wabbit
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 23, 2004, 03:22 AM
 
Originally posted by theolein:
From what I see most of those addresses were not real, since the mailer daemon didn't accept them. The real ones, such as that from Adam Betts, are gotten in the same way spammers get their mail address lists: by trolling the internet with a spammer email address harvester. Nothing really special except that it's a good idea not to stuff your email address on the web.
Some of us have no choice, such as Adam, who runs a Web graphics and design business. He wouldn't be able to get customers without posting his e-mail address.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 23, 2004, 03:31 AM
 
Originally posted by CharlesS:
Some of us have no choice, such as Adam, who runs a Web graphics and design business. He wouldn't be able to get customers without posting his e-mail address.
A php/perl based webform mailer? Would solve that problem, I think.
weird wabbit
     
RayX
Dedicated MacNNer
Join Date: Aug 2003
May 23, 2004, 05:31 AM
 
Originally posted by moonmonkey:
Tosser.
No need for the personal insults.

You took my post the wrong way.

You start a thread with "Wtf Is This? Mac Virus???" when it's obviously not, what do you expect?
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 23, 2004, 05:36 AM
 
Originally posted by theolein:
A php/perl based webform mailer? Would solve that problem, I think.
Meh. A lot of people prefer writing into their e-mail client of choice rather than writing into a web form.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Angus_D
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
May 23, 2004, 06:24 AM
 
Originally posted by CharlesS:
Meh. A lot of people prefer writing into their e-mail client of choice rather than writing into a web form.
Yes, well, then they'd have a record of the communication. Web forms suck. Especially because people seem to always install formmail.pl badly so it's a nice little gateway for spammers.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 23, 2004, 06:37 AM
 
Originally posted by CharlesS:
Meh. A lot of people prefer writing into their e-mail client of choice rather than writing into a web form.
True, I'm not a huge fan of webforms either, but for basic business contacts I let people use the webform first, and then answer with a human-readable email for further contacts. I get enough spam as it is, spam filter or no, and all that for one single time, in a moment of weakness, when I put my email on a C mailing list... (Don't laugh).

Finlay's right about formmail.pl being one of the fav methods for spammers, though.
weird wabbit
     
tooki
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
May 23, 2004, 01:18 PM
 
Repeat after me: There are no viruses for Mac OS X. There are no viruses for Mac OS X.

There are no viruses for Mac OS X.

tooki
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 23, 2004, 02:12 PM
 
Originally posted by tooki:
Repeat after me: There are no viruses for Mac OS X. There are no viruses for Mac OS X.

There are no viruses for Mac OS X.

tooki
There are no viruses yet for Mac OS X.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 23, 2004, 02:58 PM
 
Originally posted by CharlesS:
There are no viruses yet for Mac OS X.
Well...besides that MP3 "virus" that received national media attention...
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 23, 2004, 03:48 PM
 
Originally posted by alphasubzero949:
Well...besides that MP3 "virus" that received national media attention...
Part of the definition of a virus is that it has to be able to spread.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Cadaver
Addicted to MacNN
Join Date: Jan 2003
Location: ~/
May 23, 2004, 04:00 PM
 
Originally posted by alphasubzero949:
Well...besides that MP3 "virus" that received national media attention...
Thanks to Microsoft-sponsored "journalists."

/conspiracy off
     
Millennium
Clinically Insane
Join Date: Nov 1999
May 23, 2004, 04:23 PM
 
Originally posted by alphasubzero949:
Well...besides that MP3 "virus" that received national media attention...
That was a Trojan horse, not a virus. The concept could easily be applied to create a virus or a worm, but what was actually released wasn't a virus.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
tooki
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
May 23, 2004, 09:03 PM
 
A proof-of-concept isn't a Trojan Horse, either. It's a proof-of-concept of a potential trojan horse.

Repeat after me: there are no viruses for Mac OS X.

NO Mac OS X exploit so far has actually been exploited.

As of right now, those statements are completely true.

And the fact is, I don't expect that to change anytime soon. The Mac virus market had pretty much dried up by the early 90's (the heyday of new Mac viruses was the late 80's), and it never picked up.

tooki
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 24, 2004, 03:34 AM
 
Originally posted by Millennium:
That was a Trojan horse, not a virus.
I knew that already. Try telling that to the media.
     
absmiths
Mac Elite
Join Date: Sep 2000
Location: Edmond, OK USA
May 24, 2004, 11:13 AM
 
Originally posted by tooki:
A proof-of-concept isn't a Trojan Horse, either. It's a proof-of-concept of a potential trojan horse.

Repeat after me: there are no viruses for Mac OS X.

NO Mac OS X exploit so far has actually been exploited.
I agree with that, but this new URL bugger has the potential to really be bad - especially with people like my wife surfing the web and not paying much attention to what she clicks on. Sure, she isn't an admin user, but if her home directory gets deleted it would be at least as bad as the whole machine getting formatted.

Anyway, I hope that Apple will address this soon - it seems like such a small fix for such a long wait.

I wish they would do like the Software Update thing - where they disabled the service temporarily until the fix was out. At least that way no harm can be done in the meantime (Translation - quick release with a suboptimal fix but which closes the hole, followed later by a more thorough fix which keeps the hole closed while restoring functionality).
     
Stradlater
Professional Poster
Join Date: Oct 2002
Location: Off the Tobakoff
May 24, 2004, 11:42 AM
 
Originally posted by CharlesS:
Some of us have no choice, such as Adam, who runs a Web graphics and design business. He wouldn't be able to get customers without posting his e-mail address.
A lot of people, to avoid spam, post their emails like this:

Email me at john(at)doe(dot)net.

Or something similar.
"You rise," he said, "like Aurora."
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
May 24, 2004, 12:26 PM
 
Originally posted by tooki:
A proof-of-concept isn't a Trojan Horse, either. It's a proof-of-concept of a potential trojan horse.

Repeat after me: there are no viruses for Mac OS X.

NO Mac OS X exploit so far has actually been exploited.

As of right now, those statements are completely true.

And the fact is, I don't expect that to change anytime soon. The Mac virus market had pretty much dried up by the early 90's (the heyday of new Mac viruses was the late 80's), and it never picked up.
I disagree. It is only trivially true that no Mac OS X exploit has been maliciously exploited. The exploit(s) exist in that there are holes... quite a few proof-of-concept exploits have already been posted here on MacNN and many other places on the web. All that it takes is a few keystrokes in an editor to change those to full-on malicious exploits. Because it is so easy to do some people have already tested more advanced versions.... and fortunately not released them.

It is true, as far as we know, that no Mac OS X exploit to date has resulted in a widespread worm/virus/trojan/whatever. From that point of view Mac OS X has a very good track record.

That could change.
-DU-...etc...
     
AJ
Dedicated MacNNer
Join Date: Oct 1999
Location: UK
May 24, 2004, 01:52 PM
 
Originally posted by Stradlater:
A lot of people, to avoid spam, post their emails like this:

Email me at john(at)doe(dot)net.

Or something similar.
Until the spam bots get intelligent enough to handle that too.
     
Stradlater
Professional Poster
Join Date: Oct 2002
Location: Off the Tobakoff
May 24, 2004, 02:30 PM
 
Originally posted by AJ:
Until the spam bots get intelligent enough to handle that too.
And then you find another method; at least this method dramatically cuts down spam.
"You rise," he said, "like Aurora."
     
absmiths
Mac Elite
Join Date: Sep 2000
Location: Edmond, OK USA
May 24, 2004, 03:54 PM
 
Originally posted by utidjian:
I disagree. It is only trivially true that no Mac OS X exploit has been maliciously exploited. The exploit(s) exist in that there are holes... quite a few proof-of-concept exploits have already been posted here on MacNN and many other places on the web. All that it takes is a few keystrokes in an editor to change those to full-on malicious exploits. Because it is so easy to do some people have already tested more advanced versions.... and fortunately not released them.

It is true, as far as we know, that no Mac OS X exploit to date has resulted in a widespread worm/virus/trojan/whatever. From that point of view Mac OS X has a very good track record.

That could change.
I think you are equivocating on this point, and not being entirely truthful. First of all, either a security hole has been exploited (read - used maliciously) or it hasn't. In this case, they haven't - that is the point tooki is making, not that the OS is impervious to exploitation.

Secondly, your statement that no exploit has resulted in widespread attack implies that it has resulted in limited-scope attacks, which as far as I know isn't true.

Keep in mind that a lot of the so-called 'exploits' discovered lately are nothing more than FUD. You might just as well classify the existence of the gcc compiler and the cocoa frameworks as exploits since they readily facilitate creation of trojans/viruses/whatever - they simply haven't been utilized with those few lines of code yet.

The only serious problem I know of to date that Apple hasn't fixed (for whatever reason) is the URL exploit, and luckily it hasn't harmed anyone yet. I don't consider intego's 'discoveries' to be valid, so I don't keep track of those.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
May 25, 2004, 08:22 AM
 
Originally posted by alphasubzero949:
I knew that already. Try telling that to the media.
Great.

So why did you call it a "virus", and not a "potential trojan horse" ?

-t
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
May 25, 2004, 08:24 AM
 
Originally posted by Stradlater:
A lot of people, to avoid spam, post their emails like this:

Email me at john(at)doe(dot)net.

Or something similar.
Actually, it's a mystery to me why the spambots can't read that kind of email address yet. (Well, maybe they can...)

Technically, it's more or less a joke to realize that.

-t
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
May 25, 2004, 10:38 AM
 
Originally posted by absmiths:
I think you are equivocating on this point, and not being entirely truthful.
Sorry for the misunderstanding... I thought it was quite clear in my post in which sense of the word "exploit" I was using. Why do you think I was not being entirely truthful?

BTW, if you want a "formal" definition of the word exploit as it relates to computing:
"Jargon File (4.3.0, 30 APR 2001)"
exploit n. originally cracker slang 1. A vulnerability in software
that can be used for breaking security or otherwise attacking an
Internet host over the network. The Ping O' Death is a famous exploit.
2. More grammatically, a program that exploits an exploit in sense 1.
and
"The Free On-line Dictionary of Computing (27 SEP 03)"
exploit

<security> A security hole or an instance of taking advantage
of a security hole.

"... hackers say exploit. sysadmins say hole"
-- Mike Emke (http://emke.com/).

Emke reports that the stress is on the second syllable. If
this is true, this may be a case of hackerly zero-deriving
verbs (especially instantials) from nouns, akin to "write" as
a noun to describe an instance of a disk drive writing to a
disk.

First of all, either a security hole has been exploited (read - used maliciously) or it hasn't. In this case, they haven't - that is the point tooki is making, not that the OS is impervious to exploitation.
I agree.... but, as I said, this is trivial.


Secondly, your statement that no exploit has resulted in widespread attack implies that it has resulted in limited-scope attacks, which as far as I know isn't true.
I agree... something I didn't say (or imply) as far as I know isn't true.


Keep in mind that a lot of the so-called 'exploits' discovered lately are nothing more than FUD. You might just as well classify the existence of the gcc compiler and the cocoa frameworks as exploits since they readily facilitate creation of trojans/viruses/whatever - they simply haven't been utilized with those few lines of code yet.


Nice strawman.


The only serious problem I know of to date that Apple hasn't fixed (for whatever reason) is the URL exploit, and luckily it hasn't harmed anyone yet. I don't consider intego's 'discoveries' to be valid, so I don't keep track of those.
I agree. I wasn't aware that Intego had made more than one 'discovery'. I don't really know but I doubt that many Mac users go to Gnutella/Limewire/Kazaa/whatever to get their software. If they do then that is their problem. One aspect of the (so called) trojan that Intego announced but did not mention is that if the trojan is run by the admin user it could be designed to also delete the contents of the /Applications folder.

Another 'hole' that has since been fixed in 10.3 was the "nidump passwd ." hole. I had to "exploit" this hole in order to convince some of my co-workers that we have to upgrade all Macs running 10.2 to 10.3. Until I told them what their passwords were including the admin password for the systems they administered they thought it was no big deal. For most Mac users this hole wouldn't be a problem. For multiuser Macs deployed in school or college labs it was a big potential problem. This has been fixed in 10.3 with the use of shadow passwords.

My only disagreement with tooki is the assertion that the statements:

Repeat after me: there are no viruses for Mac OS X.

NO Mac OS X exploit so far has actually been exploited.
are "completely true" when I know that the second statement is not "completely true".
-DU-...etc...
     
absmiths
Mac Elite
Join Date: Sep 2000
Location: Edmond, OK USA
May 25, 2004, 11:13 AM
 
Originally posted by utidjian:
Nice strawman.
Nice non-response. My point (which you obviously missed) is that the infamously stupid "MP3 exploit" boiled down to a simple Trojan horse which any fool can create with a compiler and an application framework with minimal effort - a few lines of code as you said - but thank you for attempting to trivialize my statement.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
May 25, 2004, 12:08 PM
 
I wasn't aware that one needed a compiler and application framework in order to create the "MP3 exploit". Is all that stuff really required?
Can't an exploit be as simple as a shell script or AppleScript? Seems to me that the current 'URL hole' only requires a plain text editor... no need for a compiler... no need for even a Mac.
-DU-...etc...
     
tooki
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
May 25, 2004, 02:22 PM
 
Originally posted by Stradlater:
A lot of people, to avoid spam, post their emails like this:

Email me at john(at)doe(dot)net.

Or something similar.
Spambots have been able to take care of that for a while now. Doing so offers effectively no protection.

There are only two ways I really know of now to display an email address on a web page that are safe from spambots:

- use an image with the address (annoying, because it's not clickable)
- use JavaScript to generate the mailto: URL on the client side. What the spambot sees is a jumbled mess; the JavaScript in your browser cleans it up and makes it a working link.

tooki
     
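The client-side mailto: technique tooki describes, as an added example that is not code from the thread or from any of its posters: the page source carries the address only as two reversed fragments in data attributes, and the browser assembles the working link after load. The markup shape, the attribute names and the function names are assumptions.

```javascript
// Added example: client-side assembly of a mailto: link. The static HTML
// holds the address only as two reversed fragments (user part and domain)
// in data attributes, so no user@host token appears in the page source;
// the browser rebuilds it once the page has loaded. Assumed markup shape:
//   <a class="obf" href="#" data-u="nhoj" data-d="ten.eod">contact</a>

function reverseString(s) {
  return Array.from(s).reverse().join('');
}

// Split an address at its last '@' and reverse each half for embedding.
function encodeAddress(address) {
  const at = address.lastIndexOf('@');
  if (at < 1 || at === address.length - 1) {
    throw new Error('not a user@domain address: ' + address);
  }
  return { u: reverseString(address.slice(0, at)),
           d: reverseString(address.slice(at + 1)) };
}

// Inverse of encodeAddress: rebuild the usable address from the fragments.
function decodeAddress(revUser, revDomain) {
  return reverseString(revUser) + '@' + reverseString(revDomain);
}

// Escape the few characters that would break out of an HTML attribute.
function attrEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Author side: the markup to place in the page for a given address.
function obfuscatedMarkup(address, label) {
  const { u, d } = encodeAddress(address);
  return `<a class="obf" href="#" data-u="${attrEscape(u)}" ` +
         `data-d="${attrEscape(d)}">${attrEscape(label)}</a>`;
}

// Self-check for the page author: does the static markup still contain a
// plain user@host token that a simple pattern match would find?
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+/;
function exposesAddress(html) {
  return ADDRESS_RE.test(html);
}

// Browser side: turn every obfuscated anchor into a working mailto: link.
function activateLinks(root) {
  root.querySelectorAll('a.obf').forEach((a) => {
    a.href = 'mailto:' + decodeAddress(a.dataset.u, a.dataset.d);
  });
}

// Only wire up the DOM hook when actually running inside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => activateLinks(document));
}
```

The reversal is deliberately trivial; the point is that the served HTML contains nothing shaped like an address, not that the encoding is secret.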