The First (Real) Dangerous Trojan?
No, really. Well, at least that is what I heard. You see, a friend of a friend of a friend has this aunt who has this dog groomer...
I first heard of the story on MacMinute this afternoon, which pointed to a Macworld UK article. Apparently there is a trojan horse making the rounds on P2P services, namely LimeWire. The Macworld UK article claims they downloaded a copy of this trojan horse and gave the file to our favorite Mac security company (made famous by blowing a concept trojan out of proportion to sell more copies of its anti-virus software). Intego then verified that the code was malicious, and Macworld UK posted an article that made it sound as if the sky was falling right in the middle of tea time.
Now, I consider Macworld a very reputable source. I mean, they have a magazine, after all. But I wanted to verify this whole Mac trojan for myself, so I downloaded and fired up LimeWire and searched for it. I searched for "word 2004", "office 2004", "Mac word", "Mac Office", "2004", "Word", "Office", and "MW2004". I found nothing resembling the file described. So I switched the file type from "Application" to "Any Type" and tried the same searches again. Still nothing.
Macworld UK claims they found the file on LimeWire, but I can't find it. So I checked the U.S. version of Macworld. They too had an article about this trojan, one that was a lot more upbeat and a whole lot more informative.
It turns out this file was an AppleScript with a Microsoft Office-like icon. I kind of trust Macworld UK, but I don't trust Intego at all. The conspiracy theorist in me wonders whether the person who "alerted" Macworld UK had some kind of stake in Intego. But then again, I am awfully paranoid. I did some minor checking to make sure Intego wasn't an advertiser on Macworld UK (I didn't find anything) and started to wonder some more. What could an AppleScript do to wipe out an entire home folder? I'm not well versed in the world of AppleScript (it's something I am just now getting into), but wouldn't any command to delete need permission? Does this file ask you to enter your password?
If anyone has a copy of this virus, I would be very excited to check it out. If you do, contact me at
May 12 2004, 9:58 PM EDT, by
Comments:
5/12/04, 10:21 PM EDT
NOPE. No password required. It runs a simple Unix shell script; Slashdot has a thread on this. This has been possible for a long, long time. I don't remember if the public beta, or 10.0 or 10.1 allowed AppleScript to run Unix shell scripts, but as soon as that became possible, it's been fairly trivial to write a launchable AppleScript that ran the delete shell script that deleted your home directory; all you'd need to do is double click on it.
All the shell script has to do is run: "rm -rf ~"
Then change the icon, and bam. Takes an unsuspecting user to double click on it and no more home directory. Note, this is NOT self-executing nor can it replicate itself; it requires participation from a very dopey user.
NEVER double click on ANY file that you are not sure of. This file would not launch itself if you dragged it over an application in the dock. It's supposedly disguised as a beta installer of MS Word 2004 and only available over P2P, so anyone who got this file and ran it was doing something shady anyways...
Slashdot thread:
http://apple.slashdot.org/apple/04/05/12/1840230.shtml?tid=126&tid=172&tid=179&tid=185&tid=190
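As an added example (this code is not from the post, from the commenter, or from any product the page mentions), here is a small Python triage script for the situation the comment above describes: a file that presents itself as an installer but is actually an AppleScript applet that hands off to the shell. It assumes the standard applet bundle layout (Contents/Resources/Scripts/main.scpt), a constructed sample bundle, and a constructed size threshold; a real compiled main.scpt is binary and would need osadecompile first, so the sample stores the script as plain text.

```python
import os
import re
import tempfile

# Constructed thresholds and signatures for this example; they are assumptions,
# not figures from the page or from any vendor's product.
MIN_PLAUSIBLE_INSTALLER_BYTES = 1_000_000   # a real Office installer is far larger
APPLET_SCRIPT = os.path.join("Contents", "Resources", "Scripts", "main.scpt")
DO_SHELL = re.compile(r"do shell script", re.IGNORECASE)
# rm -rf (or -fr) aimed at the home directory or the filesystem root
DESTRUCTIVE_RM = re.compile(r"""\brm\s+-(?:rf|fr)\s+(?:~|\$HOME|/)(?=[\s"']|$)""")


def total_size(path):
    """Bytes on disk for a plain file, or for every file inside a bundle directory."""
    if os.path.isfile(path):
        return os.path.getsize(path)
    total = 0
    for dirpath, _, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(dirpath, name))
    return total


def read_applet_source(bundle):
    """Return the applet's script text, or None if this is not an applet bundle.

    Assumption: the standard AppleScript applet layout, with the script at
    Contents/Resources/Scripts/main.scpt. A real main.scpt is compiled and
    would first need to be decompiled with osadecompile; the sample built
    below stores plain text so the example runs anywhere.
    """
    script = os.path.join(bundle, APPLET_SCRIPT)
    if not os.path.isfile(script):
        return None
    with open(script, "rb") as fh:
        return fh.read().decode("utf-8", errors="replace")


def triage(path):
    """Return a list of finding tags for a file that claims to be an installer."""
    findings = []
    if total_size(path) < MIN_PLAUSIBLE_INSTALLER_BYTES:
        findings.append("implausibly-small")
    source = read_applet_source(path)
    if source is None:
        return findings
    findings.append("applescript-applet")        # an app icon, but a script inside
    if DO_SHELL.search(source):
        findings.append("do-shell-script")       # the script hands off to the shell
        if DESTRUCTIVE_RM.search(source):
            findings.append("destructive-rm")    # and the shell command wipes ~ or /
    return findings


def build_sample_applet(root):
    """Construct a fake 'Word 2004 installer' applet bundle for the demonstration."""
    bundle = os.path.join(root, "Microsoft Word 2004 Installer.app")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    os.makedirs(os.path.dirname(os.path.join(bundle, APPLET_SCRIPT)))
    with open(os.path.join(bundle, "Contents", "MacOS", "applet"), "wb") as fh:
        fh.write(b"\x00" * 1024)                 # stand-in for the applet runner
    with open(os.path.join(bundle, APPLET_SCRIPT), "w") as fh:
        # Constructed script text mirroring what the comment above describes.
        fh.write('do shell script "rm -rf ~"\n')
    return bundle


def build_sample_benign(root):
    """Construct a plain file of plausible installer size (sparse, so it is cheap)."""
    path = os.path.join(root, "Office2004.dmg")
    with open(path, "wb") as fh:
        fh.truncate(2 * MIN_PLAUSIBLE_INSTALLER_BYTES)
    return path


def demo():
    """Build both constructed samples in a temporary directory and triage them."""
    workdir = tempfile.mkdtemp()
    return {
        "applet": triage(build_sample_applet(workdir)),
        "benign": triage(build_sample_benign(workdir)),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["nothing suspicious"])
```

The two cheapest checks are the ones a user could have done by hand: an "installer" a few hundred kilobytes in size, and an application bundle whose only payload is a script. The content checks only add confidence once the script text is available.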
cAtraXx
5/12/04, 10:41 PM EDT
This should be very easy to fix.
stickman67
5/12/04, 11:37 PM EDT
I did a little research on the Trojan War, and guess what started it: a little number called the Apple of Discord.
Coincidence? I think not!
Apple have been in on this Trojan thing from the start!
Lying b*stards! This is all their own fault!
5/13/04, 8:23 AM EDT
fnord
nhmacusr
5/13/04, 8:38 AM EDT
I figured it was a shell script. Lucky it didn't say rm -rf /; then everything is gone.
I have read some pretty dubious stuff on Macworld UK myself.
But I mean come on .... if the file size doesn't look right, put it in /dev/null.
rlhamon
5/13/04, 9:23 AM EDT
But from my readings it only affected one person. I think I've seen some people who said that they downloaded the Trojan, but the majority of Mac users had the same luck as iKen: they found nothing.
I guess by definition this is classified as a Trojan Horse, but I'm guessing that this whole development will become a false hoax like the other scare Intego reported.
Also, rlhamon did some research and come to find out Intego (an anti-virus company) posted a loss for last year. Makes you think that they are behind this possible Trojan Horse. Final thought: when has MS Office only been 108kb?
nhmacusr
5/13/04, 11:29 AM EDT
You know, in all seriousness, I think this barely qualifies as a Trojan. All of the classic trojans were actually hacked versions of real programs. This is just a shell script with a clever name. Classic trojans were like the hacked Unix ls (list) program: when run by root, it would elevate a user (a user usually put on by whoever put the trojan in there) to root privileges and then destroy itself. Then the attacker had control of the box. Many modern trojans work the same way. A real trojan doesn't aim to destroy anything on the machine; its main purpose is to give the attacker control of your machine.
HTML Samurai
5/14/04, 8:17 AM EDT
nhmacusr:
FYI "rm -rf /" would not do what you would think it would. The UNIX OS is a bit smarter than the Windows OS. You don't have permissions to remove those files as a regular user, or even an administrator. You would have to be logged in as "root" (and anyone will tell you that is BAD because this type of thing could potentially happen) to have access to those files. And since a lot of the major system files are in use, they cannot be deleted. Same for Linux, or any other *NIX OS.
Boy, don't I feel like a geek at 8:20 AM... I'm going back to sleep!
nhmacusr
5/14/04, 8:28 AM EDT
Just because it is "BAD" doesn't mean that it doesn't happen all of the time :) Just because they are in use doesn't mean that they can't be deleted. That is the beauty of a multitasking operating system. If you don't believe me, try it :). I have been on the receiving end of many a Unix system where this has happened. Yes, it happens quite a lot. When it does happen, you might as well start over. Yes, I do agree that your system will run, but when you reboot, that is all she wrote.
Jonahan
5/25/04, 2:03 PM EDT
Let's all just go back to extension conflicts and control panels, eh? ;-)