Macworld Forums: Reports emerge of Mac OS X Trojan horse or worm

Reports emerge of Mac OS X Trojan horse or worm

#29 doglesby

  • Veteran
  • Group: Members
  • Posts: 1,057
  • Joined: 31-August 04

Posted 16 February 2006 - 12:50 PM

In reply to:

"OSX/Leap-A, Oompa-Loompa, or whatever else you want to call it, also requires an admin password if you're not running as an admin," said Ambrosia's Welch.


This is why I don't run with admin privileges. Unfortunately, most people don't take this precautionary step (hence the installers/apps in the early days of OS X that didn't work unless you were admin).

#30 Grapho

  • Veteran
  • Group: Members
  • Posts: 1,936
  • Joined: 30-August 04

Posted 16 February 2006 - 12:51 PM

To get infected you need to do ALL THIS.
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for most users, you must also enter your Admin password.
You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

#31 DarkSith

  • Member
  • Group: Members
  • Posts: 83
  • Joined: 22-December 05

Posted 16 February 2006 - 12:56 PM

I agree with you to a point, but I still stand by my original post. All of these anti-virus companies come out every few months making a statement of some new virus/worm/trojan, but none have ever actually done anything. They are, as someone said earlier, 'proof of concept'. Of course some type of malware is possible; I never said it wasn't. But nothing has happened in 5 years of OS X. The last major Mac virus was for OS 9, back in '98 or '99. OS X, being based on Unix and having been open source for years, has had many people contribute to its security over the years. Unlike Windows, which is proprietary and still built on 20-year-old DOS; which is why a lot of viruses exist (along with the approx. 90% installed base), because programming for it hasn't changed!

Here are the definitions from McAfee's website about trojans, viruses and worms:
What is a Virus?
A virus is a manmade program or piece of code that causes an unexpected, usually negative, event. Viruses are often disguised games or images with clever marketing titles such as "Me, nude."
What is a Worm?
Computer Worms are viruses that reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC).
What is a Trojan Horse?
A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive.
Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.

#32 Morrick

  • Member
  • Group: Members
  • Posts: 29
  • Joined: 13-February 06

Posted 16 February 2006 - 01:04 PM

What I dislike about all this "trojan/virus/worm" fanfare is that the casual reader may think that some Mac OS X vulnerability has been found, and that Mac OS X is somewhat less secure. This is so wrong.
This piece of junk, which doesn't even deserve the "malware" label, tries to exploit the weakest link in the security chain: the user. Quoting Andrew Welch of Ambrosia:
You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for most users, you must also enter your Admin password.

The user has to do not one, but at least three steps to activate the piece of junk on his/her machine. If downloading with Safari, very probably one gets the warning that the file "may contain an application". Since when does a common image file contain an application? Since when does an image file ask for an Admin password?
This so-called trojan/worm/whatever is easily avoidable by following very basic good security practices, first of which is to never download/accept files coming from untrusted or unverified sources, and generally to be careful with whatever you download. To activate this junk, one must be very distracted at best, willingly dumb at worst. Screenshots of Mac OS X 10.5? Come on, if they were really available, they'd be plainly visible on every rumour site, without the need to download a compressed archive.
That said, I'm not advocating a "don't worry, it'll never happen on OS X" campaign; I'm just saying that it's better to read between the lines of all this malware hype, because it's easy to be misled into thinking that the Mac OS X platform is getting weaker. So far, it isn't.

#33 warlock7

  • Member
  • Group: Members
  • Posts: 841
  • Joined: 29-August 04

Posted 16 February 2006 - 01:13 PM

Definitions:
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed an infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of the several types of malicious software or malware. In common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; however, this can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, but only software.

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers. The main difference between a computer virus and a worm is that a virus can not propagate by itself whereas worms can. A worm uses a network to send copies of itself to other systems and it does so without any intervention. In general, worms harm the network and consume bandwidth, whereas viruses infect or corrupt files on a targeted computer. Viruses generally do not affect network performance, as their malicious activities are mostly confined within the target computer itself.

In the context of computer software, a Trojan horse is a malicious program that is disguised as legitimate software. The term is derived from the classical myth of the Trojan horse. In the siege of Troy, the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a gift, and moved the horse to a place within the city walls. It turned out that the horse was hollow, containing Greek soldiers who opened the city gates of Troy at night, making it possible for the Greek army to pillage the city. Trojan horse programs work in a similar way: they may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program.


Malware (a portmanteau of "malicious software") is software designed to infiltrate or damage a computer system, without the owner's consent. The term describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, Trojan horses, and spyware. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, Virginia, and several other U.S. states [1]. Malware is sometimes pejoratively called scumware.

#34 montgomery_burns

  • Veteran
  • Group: Members
  • Posts: 1,060
  • Joined: 31-August 04

Posted 16 February 2006 - 01:14 PM

In reply to:

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.


So now the question is: What should people do if they have already decompressed the file, entered their password, and got infected?

#35 bastion

  • Veteran
  • Group: Members
  • Posts: 1,854
  • Joined: 14-October 04

Posted 16 February 2006 - 01:17 PM

In reply to:

What bothers me is that the description seems to imply that the classical alert about launching an application for the first time is not displayed when the user double-clicks on this pseudo-picture file.

There's no such alert. Never was. You're probably thinking of the alert that shows up the first time a given application will launch as a result of double-clicking a document. But this isn't a document; it's an app itself.

#36 jdb8167

  • Veteran
  • Group: Members
  • Posts: 1,583
  • Joined: 30-August 04

Posted 16 February 2006 - 01:29 PM

In reply to:

What bothers me is that the description seems to imply that the classical alert about launching an application for the first time is not displayed when

If you download a .tgz file in Safari and you have 'Open "safe" files after downloading' checked, the file is decompressed to a .tar file after Safari gives you the standard unsafe warning that the file may contain an application.
After that you will get no warnings, as far as I can tell. Most users would ignore the "may contain an application" warning on a .tar file, assuming something else would warn them after the tar file is unarchived.
Additionally, as far as I can tell from anecdotal evidence, it is NOT true that most users run non-admin accounts. It takes an extra step that is moderately complicated, and most users haven't ever been told that it is dangerous to run their day-to-day account as an admin. So I don't trust the statement that most users will have to type in a password to infect themselves. I would guess that most users would not have to type a password.

#37 Luke_Macwalker

  • Member
  • Group: Members
  • Posts: 165
  • Joined: 01-September 04

Posted 16 February 2006 - 01:42 PM

In reply to:

and then for most users, (to get infected) you must also enter your Admin password


I think you are overly optimistic here. I have yet to meet one Mac owner who does not use his/her Mac from the admin account, be it good or not. So I don't think most users would have to enter their password to get infected by this malware.
Also, note that all 3 steps you described would be exactly the same with a valid picture file that has been compressed and sent via iChat. For a non-informed user, I think it is really normal operation. THIS software is not dangerous per se because it does not try to destroy anything. But what about the next one, with the bugs fixed and a real payload?
Just because it would not affect you (thanks to your serious and careful usage of your system) does not mean it is not dangerous for the casual user (and by casual user I don't mean a frivolous or benevolent user).

#38 jdb8167

  • Veteran
  • Group: Members
  • Posts: 1,583
  • Joined: 30-August 04

Posted 16 February 2006 - 01:53 PM

In reply to:

You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for most users, you must also enter your Admin password.

I just created my own simulation of this trojan. I have to say that I can see how even relatively cautious people were caught by it.
My trojan is a one-line AppleScript that puts up a Hello World dialog, compiled to an application with a .app extension. Paste over the icon with a generic JPEG icon. Create a .tgz file. Put it up on my personal website.
Here is what happens. I have Open "safe" files after download checked.
1. Get the standard warning dialog: "test.tar" may contain an application. The safety of this file cannot be determined. Do you want to download "test.tar"?
2. Click OK
3. Double-click on the subsequent .tar file to unarchive the contents
All this is normal. I want to look at the JPEG, after all. The safety warning happens with archives whether or not they have applications. A JPEG in an archive will do the same thing as an application, so not much help there.
4. Double-click on the JPEG icon, which is what I was told I was getting. Unfortunately, at that point I can be attacked. If I'm running a non-admin account, the damage is more limited, especially if none of the applications on the computer are "owned" by the non-admin account. But if I have been running with an admin account there are all sorts of things the malware can do without a password, including infecting some applications that I've previously installed.
The more I look at this the more troubling it appears. I can see myself being hit by it if I wasn't cautious.

#39 RichTheOne

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 29-December 05
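The two jdb8167 posts above make one practical point: Safari's "may contain an application" warning fires for every archive, so it tells you nothing, and once the archive is open the Finder shows you an icon, which the sender controls. What you can look at instead is what the archive members actually are. The Python script below is an added example, not code from the thread, from Ambrosia or from the malware itself. It lists the members of a .tgz that have an executable bit, start with a Mach-O header, sit inside an .app bundle, or carry an image extension over executable content, and it notes the `._` AppleDouble sidecar that macOS tar writes next to a file to hold its resource fork and Finder info, which is where a pasted-on custom icon lives. The sample archive, its member names (`latestpics/latestpics`, `latestpics/vacation.jpg`, `Pics.app`) and the stub headers inside it are constructed for the example; nothing here is the real latestpics.tgz.

```python
import io
import posixpath
import stat
import tarfile

# Mach-O magic numbers (32- and 64-bit, both byte orders) plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def appledouble_companion(name):
    """Name of the '._' sidecar that macOS tar writes next to a file to carry its
    resource fork and Finder info (where a pasted-on custom icon is stored)."""
    head, tail = posixpath.split(name)
    return posixpath.join(head, "._" + tail)


def classify_member(member, head8, all_names):
    """Return the reasons one tar member looks like executable code ([] if none).
    head8 is the first 8 bytes of the member's content (b"" for non-files)."""
    reasons = []
    lower = member.name.lower()
    if member.isfile():
        if member.mode & EXEC_BITS:
            reasons.append("executable bit set")
        if head8[:4] in MACHO_MAGICS:
            reasons.append("Mach-O header")
        if reasons and lower.endswith(IMAGE_EXTS):
            reasons.append("image extension on executable content")
        if reasons and appledouble_companion(member.name) in all_names:
            reasons.append("AppleDouble companion (resource fork / custom icon)")
    if ".app/" in lower or lower.endswith(".app"):
        reasons.append("inside an .app bundle")
    return reasons


def scan_archive(raw):
    """Scan a gzip-compressed tar given as bytes. Returns {member_name: [reasons]}
    containing only the members that look like code, whatever their icon says."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:gz") as tf:
        members = tf.getmembers()
        names = {m.name for m in members}
        for m in members:
            head8 = b""
            if m.isfile():
                fobj = tf.extractfile(m)
                head8 = fobj.read(8) if fobj else b""
            reasons = classify_member(m, head8, names)
            if reasons:
                findings[m.name] = reasons
    return findings


def build_sample_archive():
    """Constructed sample (not the real latestpics.tgz): one genuine JPEG and
    three pieces of executable content dressed up as pictures."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12       # JPEG SOI + APP0 marker
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 12    # little-endian 64-bit Mach-O stub
    macho32 = b"\xce\xfa\xed\xfe" + b"\x00" * 12    # little-endian 32-bit Mach-O stub
    adouble = b"\x00\x05\x16\x07" + b"\x00" * 12    # AppleDouble magic
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, data, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tf.addfile(info, io.BytesIO(data))
        add("latestpics/real.jpg", jpeg)
        add("latestpics/latestpics", macho64, 0o755)           # no extension, icon pasted on
        add("latestpics/._latestpics", adouble)                # sidecar carrying that icon
        add("latestpics/vacation.jpg", macho32, 0o755)         # image name, Mach-O inside
        add("latestpics/Pics.app/Contents/MacOS/Pics", macho64, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    # For a real download use: scan_archive(open("latestpics.tgz", "rb").read())
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The genuine JPEG and the bare `._` sidecar produce no findings; the three executables are reported with the specific reason, so the report distinguishes "picture that is really a program" from "program that at least admits to being one". This is a check on the archive's contents, not a verdict on intent: a legitimately packaged application will also be listed, which is exactly the point made above that the archive warning alone cannot tell the two apart.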

Posted 16 February 2006 - 01:57 PM

What's a "republican"? I've been looking around in about twenty countries - no republicans. Exactly where are you from, and how do the so-called republicans have anything to do with Trojans? :P

#40 bwanderson

  • Member
  • Group: Members
  • Posts: 102
  • Joined: 24-July 05

Posted 16 February 2006 - 02:14 PM

In reply to:

bwanderson wrote:
"Sweet zombie Jesus, what a load of crap! At BEST this is a trojan. Opportunistic jerks. "
Please take a few minutes to read about this. It is NOT a load of crap.


Yes, it is. Sophos and Intego are taking advantage of a piss-poor attempt at a trojan horse to try and beef up their coffers. This is a load of fertiliser.
They're characterising this as a VIRUS, which it most assuredly is not. That's misleading, and if there's one thing we don't need, it's misleading information being spewed around, by people who just HAPPEN to have something to gain from all their deceptive fearmongering, about a non-existent virus.

#41 RichTheOne

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 29-December 05

Posted 16 February 2006 - 02:21 PM

Maybe there should be such an alert then.

#42 Steve_S

  • Veteran
  • Group: Members
  • Posts: 1,484
  • Joined: 09-September 04

Posted 16 February 2006 - 02:51 PM

"There goes the Mac advantage. We have one virus now. "
I know you put a smile on your post to indicate you're joking, but let's be clear: so far, this has not been proven to be a virus. Anything you have to download and execute, and even enter password authentication for, would be considered a Trojan Horse. A Trojan Horse is not a breach of security in any way. Anyone can write a program that does nasty things and put a different kind of icon on it. That's not a security breach; it's a social issue.
We shouldn't be surprised to see anti-virus software makers making an opportunity out of such nonsense. They have financial incentives to do so. I'd trust both Andrew Welch's technical review and Apple's official statement on the matter before those of an anti-virus software company that has much to gain from this.
Steve