Apple Worm and More Mac Patches

The first piece of self-propagating malware targeting Apple's Mac OS X operating system has been spotted online and appears to be spreading disguised as a picture of the next version of the OS.

This is significant on many levels. I have been talking with security experts over the past few weeks about the research community's increased interest of late in Mac virus threats and exploits. The general theory among some of the folks I spoke with at recent hacker conferences was that 2006 was ripe to be the year of "Macsploitation" (my term).

This kind of talk has never sat well with the Mac user community, which tends to view these sorts of predictions as a type of jealous, wishful thinking from users of another operating system that is constantly under attack. (For an excellent illustration of this dynamic, check out the "Castle OS X Stormed" posts over at the A Day in the Life of an Information Security Investigator blog.)

Just yesterday in fact, I spoke with John Barnes, president of Washington Apple Pi, a local Mac user group with a long history, and he echoed those sentiments, noting that if Mac users are somewhat smug when it comes to security ... well, they have a right to be.

Slashdot has now picked up on this, linking to the original thread about this problem over at Mac Rumors. The anti-virus firm Sophos has classified this thing as a worm, calling it OSX/Leap-A. Sophos classifies it as an instant-messaging worm.

It's not clear to me at this point whether this is truly self-propagating, as I'm fairly sure OS X is set up so that infecting a machine and spreading malware would require some sort of user interaction or approval. Imagine that: the first Mac OS X malware worth noting and no one knows whether to call it a worm, a virus or a Trojan horse. At any rate, I'm sure we'll hear more about this soon (and see a slew of other names for this thing once the other anti-virus companies jump on the bandwagon).

In other Mac news, Apple has issued an update to fix several problems in OS X, but the company could be a little clearer about what exactly those problems might entail.

In a somewhat spare advisory issued Tuesday (a few hours after Microsoft released its bundle of patches) Apple advised OS X 10.4.4 users to upgrade to 10.4.5 to address a few "improvements" in the operating system. Among the improvements Apple cited were "time zone and daylight saving changes for 2006 and 2007"; a fix that addresses "a potential crash which may occur when processing large amounts of data in MySQL" databases; and an "issue with using and mounting Windows-formatted storage devices."

Apple provides no other information or acknowledgment on its Web site as to whether these are security problems or merely fixes to help ensure smooth functioning. Mac users who have subscribed to Apple's security mailing list received an e-mail detailing one security-related fix in 10.4.5 (although this is not a particularly serious risk). Why not include that information in the advisory on Apple's Web site?

If I'm a little sensitive to this, it's because I've spent the last several weeks poring over Apple's security advisories going back three years, and noticed a welcome trend from 2003 into 2004 (OS X 10.3.4 and prior versions) away from such vague disclosures where security fixes were routinely called "improvements" with little elaboration.

Mac OS X 10.4.4 users can upgrade in one of two ways: through the standalone installer, available from Apple Downloads, or through Software Update.

Update, 10:49 a.m. ET: This thread over at Ambrosia Software seems to have the most coherent and rational explanation of what's going on with this Mac OS X malware. From that post:

"You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it

...and then for most users, you must also enter your Admin password.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it."

By Brian Krebs  |  February 16, 2006; 10:05 AM ET

Comments

Quote:
...and then for most users, you must also enter your Admin password

This is the crux of the better base security environment on OS X as opposed to XP. Most software, including most (though not all) of the operating system itself runs at a privilege level that does not allow it to modify critical system files. This means that buffer overflows, trojans, and other exploits are limited in the damage they can do, particularly in terms of installing malware that can survive a reboot.

That's not wishful thinking, that's fact and was recently cited by eWeek as OS X's biggest security advantage over XP.

XP Pro does support running at lower levels, but almost no one does it since a lot of software simply doesn't work and you can't install most software. XP has no capability to temporarily escalate privilege levels for one operation (which is how OS X gets around the problem).

Vista does fix this, with the same temporary escalation solution which OS X uses.

It should be noted that this isn't Apple's innovation: it's just a neat graphical front end on the classic Unix su/sudo approach.

Posted by: MarkGo | February 16, 2006 11:38 AM | Report abuse

"Macsploitation" ? i like "iExploit" better to keep with the mac theme.

Posted by: guest | February 16, 2006 12:37 PM | Report abuse

You say this piece of malware "appears to be spreading." We here believe quite the opposite: there's no sign of it spreading at all. It was quickly removed from the site where it was posted, the anti-virus community is keeping a tight lid on copies, and it does an incredibly poor job of trying to spread itself. Check http://www.isfym.com for further thoughts.

Posted by: Alan Oppenheimer | February 16, 2006 1:35 PM | Report abuse

haha. yeah, ok, it's not spreading. just you wait until OSX/Leap.B, lol! they'll fix it.

Posted by: anon | February 16, 2006 1:44 PM | Report abuse

Did you find the Ambrosia board while browsing for word on this bit of malware, Brian, or are you by chance an Escape Velocity fan?

Posted by: Waveflux | February 16, 2006 2:09 PM | Report abuse

Haha, no never played Escape Velocity, but I was a HUGE fan of Maelstrom back in my college days. My roommate at the time had the only computer in the entire townhome of 4 college students (a Mac, actually) and I must have burned dozens of hours playing that addictive little asteroids game. I was pleasantly surprised to find a few years back that the game had been ported over to Windows. I can still hear the voice of that guy who says "Right on!" when you hit the comets flying by.

Posted by: Bk | February 16, 2006 2:18 PM | Report abuse

This malware is a Trojan ... it requires the assistance of the user at either three or four times - the fourth would be if the user were not running in an Admin account and was asked to provide the password. This is NOT taking advantage of a flaw in the OS or an app, but of social engineering.

Posted by: David Meyer | February 16, 2006 3:21 PM | Report abuse

Windows: 60,000+ viruses
Mac OS X: 1 virus

I like my odds.

Whit
Mac OS X - because life is too short

Posted by: Off to the races | February 16, 2006 3:43 PM | Report abuse

"It's not clear to me at this point whether this is truly self-propagating, as I'm fairly sure OS X is set up so that infecting a machine and spreading malware would require some sort of user interaction or approval."

Given the poorly-educated, click-and-drool Mac crowd, I'd say the code is most certainly self-propagating.

They're off to the next Flash joke movie, and the code is making itself at home.

Posted by: Earstwhile | February 16, 2006 3:46 PM | Report abuse

Apple fanaticism aside, OS X's real security strength (especially as compared to Windows) has been the relative lack of security holes that would allow a worm to be truly self-propagating, and the rapid fixes to such holes when discovered.

No OS can completely protect against a virus that requires action from a user to spread -- and all reports are that this virus does: a user has to actually open a "latestupdates.tgz" file.

So, you're right that this is significant, but your article does a really lousy job of explaining what this program is, and what it isn't. In your first paragraph:

"The first piece of self-propagating malware targeting [OS X] has been spotted online..."

...but then later:

"It's not clear to me at this point whether this is truly self-propagating."

Then why did you say it was? Get it together man. This is OS X malware (and that's big news), but it exploits users, not a security hole -- and it's not a worm.

Posted by: Paul | February 16, 2006 4:35 PM | Report abuse

If a really vicious virus/worm/trojan were to penetrate OS X, it would find millions of defenseless users even more clueless about security than their Windows counterparts. I can't think of a better incentive for the malicious programmers out there: a chance to cause real pain and destruction in a community with few defenses or security tools.

The Macintosh provides a false sense of security to its customers, much like the New Orleans levees did for Katrina victims. Just because today is sunny and warm does not mean that there isn't a future Cat 5 storm with Apple's name on it.

Posted by: Ken L | February 16, 2006 4:45 PM | Report abuse

I've been reading posts for years and years from the doom-and-gloomers that the sky is falling on the Macs.

Just because the Microsoft barn has been burning for years, and the Microsoftees can't help themselves but keep running back into that burning barn like a horse that doesn't know any better, don't assume our barn is on fire too.

Our barn is already sprinkler-equipped.

Whit
60,000+ to 1. Apple wins the Gold.

Posted by: Off to the Races | February 16, 2006 5:06 PM | Report abuse

>>"You cannot be infected by this unless you do all of the following:
>>
>>1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

Mail.app can't or doesn't filter attachments by actual filetype (binary-header check, not extension)?

iChat automatically renders text URLs as hyperlinks &/or allows file transfers by default?

>>2) Double-click on the file to decompress it

OS X has automatic GZIP-file decompression enabled by default?

>>3) Double-click on the resulting file to "open" it

Mail.app's attachments directory isn't mounted noexec by default?

>>...and then for most users, you must also enter your Admin password.

Whoa, this is looking like Windows (non-secure "features" left enabled + PEBKAC = 0wn3d). Maybe Mac users really should go through "the checklist of stuff to disable" too.

MarkGo wrote:
>>XP has no capability to temporarily escalate privilege levels for one operation (which is how OS X gets around the problem).

http://www.palmersoft.co.uk/main.asp?content=runasuser

Posted by: Mark Odell | February 16, 2006 5:11 PM | Report abuse
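A defensive check along the lines this comment asks about (a "binary-header check, not extension") and matching the infection chain quoted in the post (a .tgz the user must decompress and then open). This is an added example, not code from the original page: it opens a gzip'd tar in memory and flags members whose names claim to be images but whose first bytes are an executable's magic header. The archive, member names and contents are constructed for the example.

```python
import io
import os
import tarfile

# Well-known executable file headers (table constructed for this example).
EXECUTABLE_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian, PowerPC)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian, Intel)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\x7fELF": "ELF executable",
    b"MZ": "PE/DOS executable",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def classify(header: bytes) -> str:
    """Return an executable type name if the header matches, else ''."""
    for magic, name in EXECUTABLE_MAGICS.items():
        if header.startswith(magic):
            return name
    return ""


def scan_tgz(data: bytes) -> list:
    """Return (member name, executable type) for every archive member whose
    extension says 'image' but whose leading bytes say 'executable'."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if os.path.splitext(member.name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            handle = tar.extractfile(member)
            kind = classify(handle.read(4) if handle else b"")
            if kind:
                flagged.append((member.name, kind))
    return flagged


def build_sample_tgz() -> bytes:
    """Constructed sample: one genuine JPEG and one 'picture' that is Mach-O."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in [
            ("latestpics/real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
            ("latestpics/latestpics.jpg", b"\xce\xfa\xed\xfe" + b"\x00" * 32),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in scan_tgz(build_sample_tgz()):
        print(f"{name}: named like an image, header is {kind}")
```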

The Mac crowd is so clueless that they don't realize that there are people out there who use something OTHER than winblows AND sMac.

We'll just check-in with you every now and again to make sure you kids don't hurt yourselves and really screw-up OUR Internet bandwidth.

Posted by: Heh... | February 16, 2006 5:15 PM | Report abuse

So what does this mean now? I always wondered about all them widgets that are made for the os, can they put a worm in that too?

Posted by: JAY | February 16, 2006 5:49 PM | Report abuse

This is not a virus, not a worm, because it is NOT self-propagating and is not self-replicating. It is a trojan horse - it requires tricking the user to run it, and it requires users to run it that receive it through iChat. The requirement means it is not self-propagating.

Now, people should be vigilant in refusing to open attachments that they don't know what they are, and this has always been the case. Such trojan horses have always been possible on every platform.

It's premature to say that MacOS X has a virus - it simply isn't true.

Posted by: Kevin Hayes | February 16, 2006 8:39 PM | Report abuse

It's very obvious that this so-called "writer" has been and always will be a Mac basher. Look at any of his past articles. He just can't stand it that his below average I.Q. can't learn how to use such a great machine. Go back to the small town you came from and write about things you know about.

Microsoft.
By the way, open your mail. I'm SURE you have a virus or 2 that needs tending.


Posted by: Michael | February 16, 2006 9:52 PM | Report abuse

Michael -- It's "obvious" I'm a Mac basher? How did you arrive at that conclusion? I try very hard to be fair in everything I write.

Also, Washington D.C. is our nation's capital, and hardly a small town. Do you have anything of substance to add to this conversation?

Posted by: Bk | February 16, 2006 11:21 PM | Report abuse

Krebs Statement:
"The first piece of self-propagating malware targeting Apple's Mac OS X operating system has been spotted online and appears to be spreading disguised as a picture of the next version of the OS."

Krebs Assumption:
"It's not clear to me at this point whether this is truly self-propagating, as I'm fairly sure OS X is set up so that infecting a machine and spreading malware would require some sort of user interaction or approval. "

No spin here folks, nothing to see. Krebs has surely gotten our attention with the onslaught of a Mac OSX self propagating malware, only to question his own "hook" with the "questionable" facts. Mr Krebs, a little research would have certainly made for a better objective article. Remember that word from Journalism 101? O B J E C T I V E. But then again, who wants the truth?

Posted by: media hound | February 17, 2006 12:21 AM | Report abuse

It's not a virus if it requires user interaction. If you are using any PC and it asks for your Admin Password to view an image then you should be cautious.

This is a User hit and not an OS vulnerability.

A few years ago a text file was going around Windows OS that runs a VBScript without asking for a password. The file was named with double extensions. Test.txt.vb

This is a vulnerability.

Posted by: Anonymous | February 17, 2006 12:35 AM | Report abuse

I love my Macs because I have to spend so very little time maintaining them. I don't have to defrag, I'm not constantly re-installing the operating system or applications, or any other maintenance. I'm just having fun with my computer. And I don't mind telling people about it.

But I fail to see how trolls making obscene personal insults that represent absolutely nothing beyond their own ignorance, and further their cause, whatever that is, not one bit - why do these trolls think the simple-minded posting of a bunch of expletives helps persuade anyone to their point of view even one little bit?

See? There's an insult for you, without having to use a bunch of little childish troll words.

Whit
Mac OS X - Because Life is Too Short

Posted by: Off to the Races | February 17, 2006 7:35 AM | Report abuse

People, please keep the comments on topic and free of profanity. Ad hominem attacks and expletive-laced comments will be removed.

Thank you.

Posted by: Bk | February 17, 2006 10:23 AM | Report abuse

So this worm only attacked an application, not the OSX operating system itself? If new things are going to be written for the OS itself then don't they need the admin pass to get to it? And if we don't allow it, then things should be ok??

Posted by: Jay | February 17, 2006 11:37 AM | Report abuse

it is both a worm (it spreads over IM) and a virus (a type of companion infector)... your question about "self-propagation" is actually an issue of self-instantiation and if self-instantiation were a requirement for worms then most email, IM, p2p, share enumerating, etc worms (as classified by the industry) would fail to qualify...

Posted by: kurt | February 17, 2006 12:26 PM | Report abuse

© 2010 The Washington Post Company