Macworld Forums: Reports emerge of Mac OS X Trojan horse or worm - Macworld Forums


Reports emerge of Mac OS X Trojan horse or worm

#57 jdb8167

  • Veteran
  • Group: Members
  • Posts: 1,583
  • Joined: 30-August 04

Posted 16 February 2006 - 06:53 PM

In reply to:

Nothing can completely protect a user from being stupid. Otherwise the trash would be a virus. It deletes files, sure with a user's permission, but if you were stupid and didn't understand what it was doing, it would delete it anyway.

I really think we have to move beyond thinking that only dumb people will get hit by something like this. To me that doesn't appear to be the case.
I created a simple simulation of the trojan. Basically an AppleScript application bundle with a JPEG icon. I compressed it with gnutar like the trojan and I put it on my website. Then I went through the normal steps of what would happen if you were the first person on WildAndCrazyMacRumors.net to download it. There is almost no time to think about what is happening. A matter of a few seconds. The only suspicious thing is that the file is in a relatively odd format for a Mac but considering it is supposed to be a JPEG and JPEG is on all platforms, it isn't that suspicious.
Unlike the many accounts here, in reality the trojan does not require a password or, as far as I can tell, ask for one. You only get a vague warning about not being able to determine if the file is safe, and that is when the file is a .tar file. Once you get to the latestpics.tar file on your desktop there are no further warnings. You could right/control click on it and see it is an application. You could open Get Info and see it as well, but there really isn't that much reason to be suspicious (well, now there is.)
Honestly, I can see myself making a mistake like that on a bad day. Missing the relatively subtle warning signs would be pretty easy.
Warning, some of what I've written is speculation. Trying to find this trojan has turned up nothing. So I'm basing my remarks on what people who have studied the trojan have reported.
0

#58 HumanJHawkins

  • Member
  • Group: Members
  • Posts: 541
  • Joined: 22-January 03

Posted 16 February 2006 - 07:00 PM

In reply to:

This is no worm since it requires a user to manually send it. It is not self propagating.


I'm not sure if you have been corrected on this yet or not, but this does self propagate in a very similar way to a lot of the Windows viruses that have been detrimental. Luckily, it appears to do a pretty poor job of it.
0

#59 HumanJHawkins

  • Member
  • Group: Members
  • Posts: 541
  • Joined: 22-January 03

Posted 16 February 2006 - 07:10 PM

In reply to:

It would be like calling an applescript with a JPEG icon that deletes your home folder a virus.


A more accurate comparison would be to the "Melissa" or "I Love You" viruses. In both of those cases, where billions of dollars in damage was done worldwide, no single machine could come to any harm without a user opening an attachment.
From the description, this is very similar, except that it sends itself out via iChat. There are four reasons why this is going to cause only minimal damage:
1. Macs are less common, so the environment is poor for this type of virus to thrive.
2. A far lower percent of users use iChat as compared to e-mail.
3. Users are much more aware of the danger of viruses than they were when Melissa came out.
4. There is a bug in the code that causes it to have a low success rate.
However, none of the above reasons that it will not hurt much have anything to do with what type of malware it is. It is clearly a trojan horse type of virus.
FYI, you appear to be thinking of worms like "sasser" and its variants as the only true viruses. Those are by far more dangerous since they can spread through multiple computers without user interaction. But any code that replicates itself secretly or without approval of the user is a virus.
0

#60 HumanJHawkins

  • Member
  • Group: Members
  • Posts: 541
  • Joined: 22-January 03

Posted 16 February 2006 - 07:17 PM

In reply to:

All but the most delusional and rabid Mac devotees have understood that OS X is developed by engineers who are human beings who are fallible and that there is no computer platform which is invulnerable or perfectly secure.


Mincey, Mincey, Mincey... You still cling to the old ways. What is it going to take to get you to see the truth? Mac is the light and the life. It is infallible, as were the Dwarven gods who forged it years ago in the marble halls under Mt. Olympus.
(Do I get a prize for mixing three religions and a vague Olympic reference while the Winter Games are happening?)
0

#61 HumanJHawkins

  • Member
  • Group: Members
  • Posts: 541
  • Joined: 22-January 03

Posted 16 February 2006 - 07:37 PM

In reply to:

"...the users who get it through iChat should activate it themselves too so it can install itself on the new machines."
Then it's not self-propagating.


I think you (though mostly right) and others (who are not mostly right) are mixing a few things up.
First, this IS self-propagating. In other words, it does make a potentially dangerous copy of itself on other systems when it is run.
Second, you are right that it is not a worm... As you have said, a worm is a really dangerous kind of virus that sends itself around by both self-propagating AND self-activating on the new computer. But the fact that it is not a worm does not mean that it is not a virus (I don't believe you have said it isn't, but I am replying to several posts here).
Anyway, this is a trojan horse. If well designed and well programmed, trojan horses can be more dangerous than mediocre worms. So this should be taken very seriously by the Mac community. It could be a warning of things to come.
0

#62 HumanJHawkins

  • Member
  • Group: Members
  • Posts: 541
  • Joined: 22-January 03

Posted 16 February 2006 - 07:49 PM

In reply to:

I don't care if many Windows 'worms' are like this, many are not like this and can self-replicate without any intervention by the user.


FYI, this is not true... The vast majority of damage done by Windows viruses is caused by viruses very similar to this. Only a small percent both send and activate themselves on the target computer.
And, though it is counter-intuitive, many that can both send and activate themselves actually spread more slowly and do less damage than those that require user interaction.
0

#63 HumanJHawkins

  • Member
  • Group: Members
  • Posts: 541
  • Joined: 22-January 03

Posted 16 February 2006 - 07:51 PM

In reply to:

The admin account is not the default for OS X.


Actually, it is. But under OS X, many things require "Superuser" status. Any admin can enter their own password to grant themselves superuser status for that program. This is why even though running as admin, you still have to enter your password to install most software, etc.
0

#64 samrod

  • Member
  • Group: Members
  • Posts: 441
  • Joined: 31-August 04

Posted 16 February 2006 - 08:04 PM

That's EXACTLY what I was about to say. Thank you.
0

#65 samrod

  • Member
  • Group: Members
  • Posts: 441
  • Joined: 31-August 04

Posted 16 February 2006 - 08:07 PM

That's one of the reasons why I rarely double-click image files downloaded off the web unless I myself drag 'em off a page. I'm in the habit of dragging their icons to Preview in my Dock. If it's malware, Preview can't display it and I'm safe.
0

#66 bradleys

  • Member
  • Group: Members
  • Posts: 121
  • Joined: 07-May 04

Posted 16 February 2006 - 08:35 PM

In reply to:

Most users would ignore the "May contain an application" warning on a .tar file, assuming something else would warn them after the tar file is unarchived.

Maybe someone can tell me why an operating system as sophisticated as OSX needs to use the lame phrase "May contain an application". Surely it is good enough to see into the archive and tell you that it "DOES contain an application", or tell you nothing because there isn't an executable file in the archive.
If you then get an archive purporting to contain the latest screenshot of Leopard, and OSX tells you that (despite the icon) you ARE getting an application, threats such as this one would be decimated.
Seems like a simple layer of additional protection to add, but then I only tinker with RealBasic and don't write Operating Systems.
0

#67 jdb8167

  • Veteran
  • Group: Members
  • Posts: 1,583
  • Joined: 30-August 04

Posted 16 February 2006 - 09:15 PM

In reply to:

Maybe someone can tell me why an operating system as sophisticated as OSX needs to use the lame phrase "May contain an application".

Probably because the programmers weren't sure they could accurately detect all different kinds of executables. I think it should be possible but it might be a very deep task. Since mostly this kind of attack is theoretical in OS X and not a regular occurrence, there probably wasn't that much incentive to do it. If it gets bad, they will probably reconsider. My best guess.
0
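The archive check bradleys asks for, and the executable-detection problem jdb8167 raises in reply, as an added Python example that is not part of this thread: it inspects a tar stream in memory for application bundle paths, executable permission bits and Mach-O headers before anything is extracted. The sample archives are constructed here to mimic the AppleScript-bundle simulation described above; they are not the real file.

```python
import io
import tarfile

# Mach-O magic numbers (32/64-bit, either byte order) plus the fat/universal header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def archive_findings(tar_bytes):
    """Reasons the archive counts as containing an application (empty list if none)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if any(p.endswith(".app") for p in m.name.split("/")):
                findings.append((m.name, ".app bundle path"))
            if not m.isfile():
                continue
            if "Contents/MacOS/" in m.name:
                findings.append((m.name, "bundle executable directory"))
            if m.mode & 0o111:
                findings.append((m.name, "executable permission bits"))
            f = tf.extractfile(m)  # read the header in memory, nothing touches disk
            if f is not None and f.read(4) in MACHO_MAGICS:
                findings.append((m.name, "Mach-O header"))
    return findings

def build_tar(entries):
    """Constructed sample builder: (name, data, mode); data None means directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data, mode in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples, not the real malware: an applet bundle with a JPEG icon, and a plain JPEG.
BUNDLE_TAR = build_tar([
    ("latestpics/", None, 0o755),
    ("latestpics/Contents/Info.plist", b"<plist/>", 0o644),
    ("latestpics/Contents/Resources/applet.icns", b"icns", 0o644),
    ("latestpics/Contents/MacOS/applet", b"\xfe\xed\xfa\xce" + b"\0" * 28, 0o755),
])
JPEG_TAR = build_tar([("latestpics.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 12, 0o644)])
```

A bundle with no .app suffix, as in the simulation above, is still caught by the executable directory, mode bits and Mach-O checks; a genuine JPEG produces no findings.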

#68 Quoth_the_Raven

  • Member
  • Group: Members
  • Posts: 114
  • Joined: 02-September 04

Posted 17 February 2006 - 02:48 AM

Much ado about nothing. This is an application, not a virus or trojan. Even as Admin you will STILL be prompted that the file contains an application and you will STILL have to answer the question "Are you sure you want to continue downloading..." BEFORE it will proceed.
0

#69 leroybrown

  • Member
  • Group: Members
  • Posts: 323
  • Joined: 27-December 04

Posted 17 February 2006 - 10:04 AM

In reply to:

In reply to:

The admin account is not the default for OS X.

Actually, it is. But under OS X, many things require "Superuser" status. Any admin can enter their own password to grant themselves superuser status for that program. This is why even though running as admin, you still have to enter your password to install most software, etc.


Well, actually, it's not. While it's true that the first account is an admin account, any subsequent user has the "Allow user to administer this computer" box unchecked. (i.e. it defaults to a standard user.)
Many users might only have 1 account, but they shouldn't - it is poor systems administration. However, it IS necessary to have at least one administrator on the machine, so what are you going to do?
Perhaps Apple should consider making /Applications owned by root and 0755 permissions. That would add more fool-proofing to the system. An alternative would be removing write permissions -- this would do some good if the OS clues the user in that they are attempting to modify something (kinda like vi does when writing to write-protected files...)
0

#70 Earthling7

  • Member
  • Group: Members
  • Posts: 539
  • Joined: 17-June 04

Posted 17 February 2006 - 10:33 AM

In reply to:

Since mostly this kind of attack is theoretical in OS X and not a regular occurrence, there probably wasn't that much incentive to do it. If it


Isn't that exactly the mistake Microsoft made and the cause of the majority of their security issues in the last years?
0
