The First Mac OS X Trojan?
On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz".
The resulting file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from the original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:
_infect:
_infectApps:
_installHooks:
_copySelf:
The exact consequences of the application are unclear, but the users who originally executed it have noted that it appeared to self-propagate:
If anyone remembers last night, when lasthope spread that picture that opened in Terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help? I have already secure deleted it off of my hard drive, but how do I know that it will not come back.
Andrew Welch, who had done some of the initial disassembly, is posting updates to this thread.
According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.
Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.
Update #2: The most recent updates show that the file does send itself to other users in your AIM/iChat buddy list.
Update #3:
Andrew Welch posted the final technical analysis of the application with assistance from Ed Wynne and Glenn Anderson.
Symantec has posted a step-by-step guide on what happens when you launch this application.
Last edited by Misa; Feb 16, 2006 at 10:39 PM.
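The behaviour described in the first post (enumerate the installed applications, then modify each application's executable) is the kind of change a file-integrity baseline catches. The Python script below is an added example, not code from this thread or from any of the analyses it links. It builds a SHA-256 baseline of the executables inside .app bundles under a directory, re-checks them later, and reports any executable whose hash or size changed, appeared, or disappeared. The bundle names and file contents in demo() are constructed so the script runs anywhere; on a real Mac the application list could come from Spotlight's mdfind instead of the directory walk used here.

```python
import hashlib
import tempfile
from pathlib import Path


def find_app_executables(root):
    """Yield the executables under Contents/MacOS of every *.app bundle below root.

    A directory walk is used so the example runs on any platform; on Mac OS X the
    same list could be obtained from Spotlight (mdfind) as the thread describes.
    """
    for bundle in Path(root).rglob("*.app"):
        macos = bundle / "Contents" / "MacOS"
        if macos.is_dir():
            for exe in sorted(macos.iterdir()):
                if exe.is_file():
                    yield exe


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each executable (relative to root) to its hash and size."""
    root = Path(root)
    return {
        str(path.relative_to(root)): {"sha256": sha256_of(path), "size": path.stat().st_size}
        for path in find_app_executables(root)
    }


def compare_to_baseline(root, baseline):
    """Return (relative_path, reason) for every executable that differs from the baseline."""
    current = build_baseline(root)
    findings = []
    for rel, meta in current.items():
        recorded = baseline.get(rel)
        if recorded is None:
            findings.append((rel, "new executable not in baseline"))
        elif recorded["sha256"] != meta["sha256"]:
            delta = meta["size"] - recorded["size"]
            findings.append((rel, f"hash changed, size delta {delta:+d} bytes"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "executable missing"))
    return findings


def demo():
    """Constructed scenario: two fake bundles, a clean check, then one binary grows by 128 bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("Safari", "iChat"):
            macos = root / "Applications" / f"{name}.app" / "Contents" / "MacOS"
            macos.mkdir(parents=True)
            # Constructed stand-in content; not a real Mach-O binary.
            (macos / name).write_bytes(b"EXEC:" + name.encode() + b"\x00" * 64)
        baseline = build_baseline(root)
        clean = compare_to_baseline(root, baseline)
        # Simulate an executable being modified after the baseline was taken
        # by appending 128 constructed bytes to one of the files.
        target = root / "Applications" / "iChat.app" / "Contents" / "MacOS" / "iChat"
        with open(target, "ab") as handle:
            handle.write(b"\x00" * 128)
        dirty = compare_to_baseline(root, baseline)
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    print("after modification:", after)
```

In practice the baseline would be written to disk (JSON works well) right after a clean install or update, and re-run periodically or when a user reports odd behaviour; any change to an application executable that does not coincide with a known update is worth investigating.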
It seems that this is more of a "proof of concept" implementation that could be utilized to actually do something in the future, depending on how successful it is, or it was simply done to garner attention/press. Which I'm sure it'll get.
Viruses have been around for Macs. This isn't new.
They just aren't as widespread as the ones spread on PCs.
Originally Posted by antarius
... and we don't get them merely by opening a webpage or an e-mail.
On Jan 10 (2006), Apple, after having had 2 and 3 months respectively to fix them, finally released a patch (7.0.4) that closed major holes in QuickTime that allowed .MOV, .GIF and QTIF (an Apple-specific image format, like Microsoft's WMF) files to execute arbitrary code on both Mac OS X and Windows (assuming Windows has QuickTime installed) just by viewing them (such as through a webpage with an embedded QuickTime video).
Anyway, this isn't the beginning, nor is it even close to the end.
No doubt that as market share increases, so do threats and vulnerabilities. The bottom line is the base of the system, BSD, is inherently more secure than a Win-style system.
Not that it's impossible to find holes in; we all know UNIX machines and Linux machines (all flavors) have their issues. Most of the issues occur within the applications rather than the kernel itself having problems, but those do occur as well. No system is 100% secure.
It's just more secure.
Originally Posted by reno96teg
Well, you know what? Now that OS X is becoming a bigger and bigger target, I foresee a TON of issues, simply due to Apple's arrogance and the way that they do things.
I'd still take an Apple over any PC -- even if it had the same amount of problems that PCs do. OS X is merely a prettier and smoother-running OS -- IMO.