[- - e r i k - -]

MacRumors.com reports:

On the evening of the 13th, an unknown user posted a link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz"

The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is a virus or was designed to give that impression. Routines listed include:

_infect:
_infectApps:
_installHooks:
_copySelf:

The exact consequences of the application are unclear, but according to the users that originally executed the application have noted that it appears to self propogate:
If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my harddrive, but how do i know that it will not come back.

Andrew Welch who had done some of the initial disassembly is posting updates to this thread.

According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.

Oh well. It was bound to happen sooner or later. Yes it is "just" a Trojan, requiring a user to click on it. But what's worse is that it seems not to need permissions to execute.

[Severed Hand of Skywalker]

Funny how we get the first virus 30 days after Apple goes intel.

[Catfish_Man]

Third trojan, not first virus, actually. People always forget about the one that pretended to be an MS Office installer, and the one that pretended to be an mp3 file. Also, this "virus" only runs on PPC Macs...

[- - e r i k - -]

Funny how that is a coincidental, not causal, relationship.

[- - e r i k - -]

The one who pretended to be an mp3-file was only a proof-of-concept that was never released and ironically never proved to work either.

Perhaps people forgot about the MS Office-installer since it was only released on a warez-site and had really weak social engineering. A ~512KB MS Office-installer? People that got that only got what they deserved.

[Catfish_Man]

Originally Posted by - - e r i k - -

The one who pretended to be an mp3-file was only a proof-of-concept that was never released and ironically never proved to work either.

Perhaps people forgot about the MS Office-installer since it was only released on a warez-site and had really weak social engineering. A ~512KB MS Office-installer? People that got that only got what they deserved.

Oh, definitely. I'm not saying either of the previous two trojans were threats, just pointing out their existence. This is certainly more serious.

[moonmonkey]

Originally Posted by Catfish_Man

Third trojan, not first virus, actually. People always forget about the one that pretended to be an MS Office installer, and the one that pretended to be an mp3 file. Also, this "virus" only runs on PPC Macs...

what about Rosetta?

[Catfish_Man]

Originally Posted by moonmonkey

what about Rosetta?

Good question. Any volunteers?

[Tiranis]

Originally Posted by moonmonkey

what about Rosetta?

Nope, it seems to fail on the Intel Macs, the people didn't post why, but it doesn't work. I would still urge you not to experiment with it though, you never know—those people might have lied (hopefully not). Better safe than sorry.

In any case—if you run an admin account and launched this—you needed the "wake-up call", if you ran a managed account and launched this, then entered the root password—you needed the "wake-up call". Otherwise you're safe.

Seriously, although I've already used this on another forum, would you take a pill if a complete stranger offered it to you on the street and claimed it to be a candy?

[moonmonkey]

Jesus, its all going off, tons of people have launched this, people claim its propogating through iChat too.

The mainstream press are going to be all over this tomorrow.

[monkeybrain]

So does anyone know what it does yet? Let's hope it does no actual harm, other than cause worry.

Apple is no doubt on this already.

[CharlesS]

The Andrew Welch post that the OP linked to contains some information on what it does. What I'm worried about is the Bonjour aspect of it - hopefully this just means it sends files via iChat/Bonjour and not that someone found a security hole in Bonjour that would allow a remote exploit without user intervention...

[analogika]

Originally Posted by Severed Hand of Skywalker

Funny how we get the first virus 30 days after Apple goes intel.

Yeah - seeing as it only runs on PPC, I'd say somebody's desperate to get his little bit in before it's too late...


you moron.

[moonmonkey]

Originally Posted by monkeybrain

So does anyone know what it does yet? Let's hope it does no actual harm, other than cause worry.

Apple is no doubt on this already.

Apparently it picks the most recent four applications that you used (depending on permissions) and adds the code into those apps. From what I can tell it renders the apps useless as well as infectious.

It seems to take advantage of the fact that different apps are installed with different permissions.

I may be wrong, but it doesn't look harmless.

*It really deserves an Apple Design Award for Best Mac OS X Tiger Technology Adoption*

[ism]

Been thinking about this: http://forums.macrumors.com/showpost...&postcount=148

There is only so much you can do to avoid social engineering tricks. Most people aren't going to check every file they download.

For the paranoid, you could use a folder action on your desktop to unset the executable flag of files added there (by unzipping a downloaded archive, etc):

Code:
on adding folder items to this_folder after receiving added_items
do shell script "cd ~/Desktop; chmod -R ugo-x *"
end adding folder items to

That isn't great since it recursively sets all desktop files instead of just the ones that have been added, but it's a start.

[moonmonkey]

Originally Posted by ism

Been thinking about this: http://forums.macrumors.com/showpost...&postcount=148

There is only so much you can do to avoid social engineering tricks. Most people aren't going to check every file they download.

For the paranoid, you could use a folder action on your desktop to unset the executable flag of files added there (by unzipping a downloaded archive, etc):

Code:
on adding folder items to this_folder after receiving added_items
do shell script "cd ~/Desktop; chmod -R ugo-x *"
end adding folder items to

That isn't great since it recursively sets all desktop files instead of just the ones that have been added, but it's a start.

Wont this kill any downloaded app?
please explain?

[JKT]

Reading the details of Andrew Welch's post, it installs something into /Library/Input Managers/ which is how it injects its code into your apps. Could this be prevented by altering the permissions on that folder or by locking it?

[Philip J. Fry]

Originally Posted by JKT

Reading the details of Andrew Welch's post, it installs something into /Library/Input Managers/ which is how it injects its code into your apps. Could this be prevented by altering the permissions on that folder or by locking it?

Common sense claims that we should know better than to look for 10.5 'Leopard' screenshots anyway, esp. since Steve hasn't mentioned it since last June.

[moonmonkey]

Originally Posted by JKT

Reading the details of Andrew Welch's post, it installs something into /Library/Input Managers/ which is how it injects its code into your apps. Could this be prevented by altering the permissions on that folder or by locking it?

This seems like a great idea, can someone (who knows what they are talking about) comment on the viability of this?

[JKT]

Originally Posted by Philip J. Fry

Common sense claims that we should know better than to look for 10.5 'Leopard' screenshots anyway, esp. since Steve hasn't mentioned it since last June.

Yes, I know this (though one thing that is far from common is sense, as they say). I'm just thinking of the script-kiddies who will copy-cat this thing. If it is as simple a fix as preventing Input Managers from being installed without explicit permission (even if you are running as admin which is probably what 99% of OS X users are doing) then this is something Apple could do immediately to close this hole, much like the change of permissions for the Widgets folder.

[Millennium]

Actually, if this can infect apps, then it's a true virus. It spreads the old-fashioned way: from app to app instead of directly from machine to machine. What many people call 'viruses' today are actually worms.

[ShotgunEd]

Originally Posted by moonmonkey

Wont this kill any downloaded app?
please explain?

It would, but if you trust the source, then you can unzip the app to somewhere other than the desktop, and besides, most apps come on disk images.

[Geobunny]

MacRumours have removed the link from their story (fair enough I suppose!). Can someone please forward me the file or tell me where I can download it please. I need to pull it apart and upload it to www.clamav.net so that ClamXav will be able to fish it out.

Thanks

[moonmonkey]

Originally Posted by Geobunny

MacRumours have removed the link from their story (fair enough I suppose!). Can someone please forward me the file or tell me where I can download it please. I need to pull it apart and upload it to www.clamav.net so that ClamXav will be able to fish it out.

Thanks

Speak to Moki about this, he has a copy.

[Geobunny]

Thanks, moonmonkey, will do.

[Horsepoo!!!]

What's funny is that people on Intel-based Macs are immune to it.

[Chuckit]

Originally Posted by Tiranis

Nope, it seems to fail on the Intel Macs, the people didn't post why, but it doesn't work.

Looks like it uses a code-injection technique, which just won't work in Rosetta (for once the plugin problem is helpful).

By the way, I always open downloaded files by right-clicking and doing Open With…. Much less danger of the OS interpreting that as "Execute this virus please."

[torifile]

If this uses the four most recent apps, what if you turned set your most recent apps to be displayed in the Apple menu to zero? I don't know if that's how it's getting its info, but it could be an easy work around to this type of exploit.

[monkeybrain]

Originally Posted by torifile

If this uses the four most recent apps, what if you turned set your most recent apps to be displayed in the Apple menu to zero? I don't know if that's how it's getting its info, but it could be an easy work around to this type of exploit.

But maybe it's using Spotlight to find the recent apps, since you can set up a Smart Folder to find recent app/documents or whatever.

[ism]

Originally Posted by moonmonkey

Wont this kill any downloaded app?
please explain?

I see shotgunEd answered this for you.

In addition:

Downloaded apps, etc don't need/shouldn't be executable (zip files, dmgs, etc). This script would just ensure that if you unzipped an archive it would set everything to be unexecutable. If the file you clicked on was a true image it'd still open. But if it was a trojan, it wouldn't run.

This doesn't help with disk images though. Can't see what could be done about that, i.e. if you decide to open the 'image' from the disk image. To play safe you'd want to copy it to the desktop, etc.

This is a more efficient Applescript (only targets added items not all can be applied to any folder):

Code:
on adding folder items to this_folder after receiving added_items
   repeat with i from 1 to count added_items
      tell (info for (item i of added_items)) to set item_name to name
      set path_display to quoted form of the POSIX path of ((this_folder as string) & item_name)
      do shell script "/bin/chmod ugo-x " & path_display
   end repeat
end adding folder items to

Formatting sucks, hope you can figure it out

[Severed Hand of Skywalker]

Originally Posted by analogika

Yeah - seeing as it only runs on PPC, I'd say somebody's desperate to get his little bit in before it's too late...


you moron.

I think you are the moron as it was sarcasm but you were too stupid to pick up on it

So don't lose any more hair over it

[analogika]

Don't tell me you've come out of the closet regarding the Big Switch?


Say it ain't so!





Oh, the humanity!

[betasp]

It requires the user to enter the admin password before it can do anything, otherwise the install fails. OSXs inherit security is doing what it is supposed to do, users are not!

[TheSpaz]

I think this whole thing is funny. I don't feel threatened yet. I would be very suspicious about any file that I had to type in my password to open... Why would you need a password to view screenshots anyways?

[Chuckit]

It requires a password to run? Worst. Virus. EVAR.

[JKT]

Er... no it doesn't if you are running as an Admin account, which is what 99% of Mac users will be doing as that is the type of account you first create when you install OS X.

[kman42]

Even admins have to enter an admin password on installing applications.

Can someone explain how this file exploits iChat? I read somewhere that it sends itself to all iChat buddies. Does the recipient have to accept the file as one does when someone normally sends a file via iChat?

kman

[JKT]

Good grief... will people please look at the facts. This is why this thing has been able to spread - it doesn't need you to type in your password if you are running an admin account as you already have read/write access to the folder it installs into and executes from (InputManagers don't need a password to be installed). This is one of the big security issues with it. It will only ask for a password if you are running a non-admin account which is going to be the minority of Mac users.

[JKT]

Originally Posted by kman42

Even admins have to enter an admin password on installing applications.

Can someone explain how this file exploits iChat? I read somewhere that it sends itself to all iChat buddies. Does the recipient have to accept the file as one does when someone normally sends a file via iChat?

kman

Yes they do and yes they need to unzip the file to execute it. So, yes, you need to be ignorant to do it, but the majority of computer users are ignorant, so it will be possible for it to spread. If not this particular version, then others that use better social engineering, unless Apple successfully closes the security holes that it exposes.

[kman42]

JKT-Which is it? Your last two posts seem to contradict one another. Does an admin have to enter a password to install this or not? I'm not trying to be belligerent, just understand how it works. I run as an admin most of the time and I always have to enter my password before installing an application. Is this virus/trojan/malware different?

kman

[moodymonster]

The poster's name was lasthope. The exploit doesn't do too much - it seems more like a warning than really malicious.

However the same method could be used for something malicious - deleting your documents folder etc - you don't need to authenticate to delete your own stuff. So if something gets in and runs using your permissions, it can do whatever you can do in your account.

[moodymonster]

Originally Posted by kman42

JKT-Which is it? Your last two posts seem to contradict one another. Does an admin have to enter a password to install this or not? I'm not trying to be belligerent, just understand how it works. I run as an admin most of the time and I always have to enter my password before installing an application. Is this virus/trojan/malware different?

kman

Unless the app is installed through an installer, you don't usually need to authorise it. OS X does ask you the first time you run an app whether you want to run it for the first time or not - only if you open the app via document linked to be opened by that app.

If you are running in a non admin account and drag an app into the apps folder, it will ask for an admin password.

[JKT]

Originally Posted by kman42

JKT-Which is it? Your last two posts seem to contradict one another. Does an admin have to enter a password to install this or not? I'm not trying to be belligerent, just understand how it works. I run as an admin most of the time and I always have to enter my password before installing an application. Is this virus/trojan/malware different?

kman

If you are running in your Admin account you do not have to enter your password for this malware to do its business. If you are running in a non-admin account you do. The default account on Macs is an Admin account. Read Moki's dissection of what it is and does here - although I would disagree with his assertion that it would not affect most users as the majority will be running as Admin accounts and not as non-Admin.

[moodymonster]

At the moment if you open a document that links to a never-before-used app, OS X asks if you want to run the app. Maybe it needs something like this for any new app. That way, if you open a file thinking it's a file, but it's actually and app, you'll get a warning so you can think "It's a pic, not an app, what's going on?"

[Pierre B.]

Originally Posted by JKT

Er... no it doesn't if you are running as an Admin account, which is what 99% of Mac users will be doing as that is the type of account you first create when you install OS X.

And this is why I am wondering how Apple still lets users have as default account the admin one. Apple should have already changed this. The installation procedure should install the admin account, but when this finishes, it should open a dialog asking the user to create his normal user account. The dialog should explain briefly why this is the recommended account for everyday work and why it is not a good idea to run an admin account for daily tasks. It's that simple.

[Apfhex]

Originally Posted by JKT

(InputManagers don't need a password to be installed)

Which I think they absolutely should require (I'm thinking of the SmartCrashReporter—however harmless it may be—that Daring Fireball had an article on a few weeks ago).

Originally Posted by moodymonster

At the moment if you open a document that links to a never-before-used app, OS X asks if you want to run the app. Maybe it needs something like this for any new app. That way, if you open a file thinking it's a file, but it's actually and app, you'll get a warning so you can think "It's a pic, not an app, what's going on?"

Yeah... I thought that was the entire POINT of that feature?! I guess not, but I agree.

[SirCastor]

Originally Posted by Pierre B.

And this is why I am wondering how Apple still lets users have as default account the admin one. Apple should have already changed this. The installation procedure should install the admin account, but when this finishes, it should open a dialog asking the user to create his normal user account. The dialog should explain briefly why this is the recommended account for everyday work and why it is not a good idea to run an admin account for daily tasks. It's that simple.

Yeah, but do you know how annoying it is for a power user to be stuck with an account that doesn't allow you to do anything? I guess for the majority of users, that's probably the best solution, but for things I do, I don't think I could stand it.

[theolein]

Originally Posted by moodymonster

At the moment if you open a document that links to a never-before-used app, OS X asks if you want to run the app. Maybe it needs something like this for any new app. That way, if you open a file thinking it's a file, but it's actually and app, you'll get a warning so you can think "It's a pic, not an app, what's going on?"

This is not true for command line executables which will run in the terminal when double clicked without asking for permission.


This had to happen sooner or later. I'm mainly surprised it took so long. Symantec, McAffee and others are going to be overjoyed.

[Chuckit]

In a normal user account, you can still do most stuff, and if you need to do more, you can authenticate as an admin.

[theolein]

symantec and MyAffee have given it a name: OSX/Leap-A

http://securityresponse.symantec.com...sx.leap.a.html