"This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily"

Yeah that sounds like a serious weakness. As if the very same thing couldn't be written in C/C++/Carbon/Cocoa/MFC/PowerPlant/C#/TK/Java/ObjC/Perl . . .

Any program that can get the user to open it can do great harm. Thank the Unix underpinnings that all this thing affects is the current user's home directory.

It's not a weakness in OS X, it's a weakness on the part of any moron that would actually execute such a file. If it's only 108k, it doesn't masquerade as a Word demo very effectively either...

What a load of c***. Somebody got pissed at seeing how Macs were imprevious to virus and decided to code a rm -rf ~/* script to spread fear.

This is no virus:
1. It does not spread by itself
2. It does not trash your system since it cannot gain root access

Just about abybody can write apps that will erase a few files and disguise them into something that will compell a user to double click on it. And I don't thing there is any OS out there that can have any protection from that (Linux, FreeBSD, PalmOS, Windows, Mac OS 9/X included).

Hey, at least it's not a crappy RealBasic app! ;)

Question.... if filevault was activated would this trojan still work?

" The reader in question downloaded the file from the Gnutella peer-to-peer network, thinking that it was a public beta of Microsoft Word 2004. When he double-clicked the application, it immediately and permanently erased his home folder and all its contents."

Where did this guy download the file to and double click it from? Every browser I know downloads to the desktop by default and so do many pnp clients. If this guy downloaded the file and double clicked it from somewhere in his home folder, how did he send it to MW UK?

Since this is simply an apple script application that deletes files and masquerades as something else, anyone could write it, even the geniuses as Intego. Can their software protect me from all applications that may delete files? h*** no. Can they protect me from this one if it's name and icon are changed to something else? h*** no. In fact that would make it a separate trojan.

An a full application that deletes files that requires the user to double click it and doesn't reproduce itself isn't a trojan. It's just an application. Whether it's written Cocoa, C, Java, Real Basic, AppleScript or any other language is completely irrelevant.

This isn't a trojan, it's just an app. The only trojan that exists on the OS X platform was made by these guys and uses an exploit that has existed since OS 1.0. The exploit has been used by anyone else because logistically it is way too hard to make it effectively do something.

They're just drumming up business by scare mongering. They could have the best virus scanner in the world (which they certainly don't) and I would never buy from them simply because of their moral bankruptcy.

You KNOW its an inside job man.

http://www.eonblue.com/archives/000075.html

Why is that only Intego seems to know about this? This "trojan" is not known about by Symatec's AV Center, or Sophos. Hmmmm.....

To the folks talking about a virus, this isn't one. It isn't using any "hole" in Mac OS X but a hole in the head of a the one sitting in front of said Mac OS X system.

It is simply an application (compiled AppleScript) that was written to erase what it could in your home directory. You can write on yourself and double click it if you want, have fun.

Basically only run/install applications downloaded from trusted locations and companies (no P2P networks are NOT trusted sources for software).

I love how Intego does a press release about this ... especially the part about working in close collaboration with Apple and Microsoft... yeah what work?

Also what vulnerability do they address with their software? one doesn't exist...

Note some folks use internet download installers. They are small applications that you download, which can scan your system for what is needed, and then proceed to download it. Mindvision has this type of product and has had since Mac OS 9 days and many folks have used it (MS included).

So using file size of the installer isn't the best bet, something to consider but not definitive.

"The reader in question downloaded the file from the Gnutella peer-to-peer network, thinking that it was a public beta of Microsoft Word 2004."

Yeah, I'm sure the guy using Gnutella thought it was a public beta. I'm sure he didn't think it was a full working copy of Word 2004 because downloading something like that would be wrong.

If you are stealing software, be prepared for risks such as this or maybe even getting caught.

I hear that dragging files to the trash can has resulted in those said files being deleted. It's amazing when an operating system has such a huge security flaw.

Where did this guy download the file to and double click it from? Every browser I know downloads to the desktop by default and so do many pnp clients. If this guy downloaded the file and double clicked it from somewhere in his home folder, how did he send it to MW UK?

Well, not everyone lives in a world of defaults. My downloads folder is under /Files/Downloads, next to /Files/Music (my desktop is cluttered enough without stupid download files all over the place). So if I were stupid enough to download this (which I wouldn't because what the heck would I care about office for the mac, I don't even have the disk space to install it at the moment), it wouldn't have deleted the installer.


An a full application that deletes files that requires the user to double click it and doesn't reproduce itself isn't a trojan. It's just an application. Whether it's written Cocoa, C, Java, Real Basic, AppleScript or any other language is completely irrelevant.

This isn't a trojan, it's just an app. The only trojan that exists on the OS X platform was made by these guys and uses an exploit that has existed since OS 1.0. The exploit has been used by anyone else because logistically it is way too hard to make it effectively do something.

Sorry, but trojans generally don't recreate. If they did, they'd be viruses. Viruses spread (just like real viruses). Trojans are just files/software that pose as one thing and contain a 'timebomb' type of thing. Just like the Trojan Horse of myth (that didn't magically become 12 horses going to other cities, you know).

The Trojan Horse poses as a valid file, while inside it contains a surprise.

This Trojan would be kinda hard to spread considering it kills the user folder of anyone who is foolish enough to run it.

"Note some folks use internet download installers. They are small applications that you download, which can scan your system for what is needed, and then proceed to download it. Mindvision has this type of product and has had since Mac OS 9 days and many folks have used it (MS included)."

On the other hand, do you really think this guy thought that he was downloading a Web installer from a peer-to-peer network? Yeah, that would work. I am sure Microsoft would service that request . . .

You don't download Office Beta from Limewire to get a 100K web installer (like MS even had one of those for the Beta).

In other news, Mac OS X suffers from a new and highly destructive "virus" transmitted by conventional HTML pages, primarily online forum systems. All browsers are vulnerable. The "virus" takes the form of a forum posting suggesting that the user "Pull the power plug out of the wall to speed up your Mac," and is spread whenever a user quotes or repeats this damaging text. This text transmission may persuade the user to perform actions which compromise their computer, including such serious consequences as sudden loss of power and potential lost data. This flaw has not been acknowledged by Apple but is considered a serious risk. Intego recommends purchasing their software which will filter the damaging text and prevent serious damage.

It will be a text file called "Win a Million Dollars". In this text file will be the following message:

Congratulations! You can win a million dollars.
Step 1 Drag your Home folder to the Trash
Step 2 In the Finder menu, select Empty Trash
Step 3 Press OK

You have WON!!!


Yeah, this so called trojan horse is about as sophisticated as my Million Dollar text file.

Who cares whether it is sophisticated or not? A trojan is a trojan. You do not defend MS or the script kiddies when a virus/trojan/worm so why defend this? As if this was more sophisticated and then your tone might change?

This Trojan would be kinda hard to spread considering it kills the user folder of anyone who is foolish enough to run it.

Right, you must have missed reading the P2P part of the article....

"Who cares whether it is sophisticated or not? A trojan is a trojan. You do not defend MS or the script kiddies when a virus/trojan/worm so why defend this?"

While I agree that a trojan is a trojan (and this is a trojan), I don't view the comments of others as defending the Mac so much as blasting Intego. This exploit could be executed againts pretty much any operating system using any programming language. So declaring this as a major weakness of the Mac and hyping it up as much as they do seems pretty suspicious. For this type of exploit the security lapse is on the part of the user, whether they be sitting in front of a Mac, Windows, Unix, etc., and not the operating system.

Where I DO hold MS accountable are the weaknesses in Windows that allow a virus to spread exponetially by sending itself to other users and having so many security holes such that any half-competent hacker can take over your system and slave it to spread havoc throughout the internet.

"For this type of exploit the security lapse is on the part of the user, whether they be sitting in front of a Mac, Windows, Unix, etc., and not the operating system."

Of course, and people blast MS just as much for allowing user such flexibility too. And while this may just be a proof-of-concept trojan that is spread via P2P, what do you think the next logical step would had this been a real attempt by a hacker? Have the script send itself via sendmail and thus making itself a virus/worm before executing the rm -f command!

How hard would it be for OS X to require a confirmation before executing a rm -f command?

"How hard would it be for OS X to require a confirmation before executing a rm -f command?"

From the man page:

-f Attempt to remove the files without prompting for confirmation, regardless of the file's permissions. If the file does not exist, do not display a diagnostic message or modify the exit status to reflect an error. The -f option overrides any previous -i options.

Good point, kupan.

Yes, I would not expect rm -f to prompt if executed at the command level. Not knowing enough about the trojan, can OS X prevent or warn about execution of rm -f from Apple Script? Jusr curious.

There could be something, but this only stops the RM command. Then someone just needs to write a program that reads each file in your home directory, and overwrites it using the > or | command. Or they could have fun and just rename all your files to random names using the mv command.

I think it should be noted that, as opposed to windows, even if you're an administrator, this script wouldn't be able to wipe your System folder without prompting for a password (and you hope most users would go "Wait, a password, what for?", although, to be truthful, in this case with an Office installer, they probably wouldn't think anything of it). In windows, administrators (which is all home users by default) can pretty much install and delete anything they want anywhere they want with impunity.

That's not exactly true. A lot of OSX installers pop up asking for 'root equivalent' password to do their thing. I really wouldn't be that surprised if a "word 2004 installer" did that as long as it looked like the usual one.

The basic point is this : if you want to be sure of not getting your data wiped, don't download apps from Limewire, go and buy them from a shop. As the saying goes 'you can't con an honest man'.

applescript://com.apple.scripteditor?action=new&script=do%20shell%20script%20%22rm%20%2Dr%20%2Df%20%7E%2F%22

From http://scarydevil.com/~peter/io/intego.html ...

"This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user's files with no warning, and AppleScript offers no protection against malicious commands."

Come on, fellows, there's no operating system in the world below Orange Book class B2 that makes it the slightest bit difficult to "delete or damage a user's files with no warning" once a native script or executable is launched. And nobody sane would want to use a compartmentalised mode OS on a personal computer.

And why would you expect Applescript to offer "protection against malicious commands"? It's not a web scripting language like Javascript or Jscript, it's not intended nor used for an application where it might be running untrusted code.

I can not comprehend the confusion of the mind that would lead to such a comment.

A short story:
Imagine a Macintosh user who heard of so many viruses on Windows. About Macintoshes, people pretend there are no viruses, others say some do exist. This user wants to be on the safe side of life and purchased an Antivirus software.
Now he reads news from the respectable macworld.co.uk about a trojan horse deleting files in his home directory.
Now, what do you think he will expect from the company who builds his antivirus software?
I am naive, but I would expect:
- 1. That my antivirus software to protects me at least against all known viruses or whatever name trojan, worm etc is used for those things, including that new thing everybody is speaking about;
- 2. Be informed. I wish to know that my software is up to date.

Intego probably wants to sell its software.
What a surprise! What would you expect from a commercial company ?
Apple wants to sell computers and an OS, Microsoft Windows, Office, etc.
What a strange world indeed.