05/12/2004, 2:05pm, EDT
Wednesday, May 12th
Intego warns of new Mac OS X Trojan Horse
Intego says it has updated its VirusBarrier X software to address this Trojan horse. Intego VirusBarrier X eradicates it using virus definitions dated May 11, 2004, which are available only through the program's NetUpdate feature. The company also forwarded the following Q&A from Microsoft regarding the issue.
Q&A from Microsoft about the AS.MW2004.Trojan Trojan Horse
How did Microsoft find out about this Trojan horse?
Intego, the Macintosh security specialist, notified us.
Do you offer any Web downloads that use this icon?
No. Microsoft does not offer any Web downloads that use the icon identified
with the MW2004 Trojan horse. Microsoft Office 2004 for Mac should only be
installed from retail CDs, and the authentic install icon will only be found
in the product install wizard.
What is the recommended way that customers should install Office 2004?
Microsoft Office 2004 for Mac should only be installed from retail CDs, and
the authentic install icon will only be found in the product install wizard.
When looking for product enhancements from Microsoft, customers should
always download from www.microsoft.com or through the new AutoUpdate tool in
Microsoft Office 2004 for Mac.
I heard an individual downloaded the file from a peer-to-peer network, thinking it was a public beta of Microsoft Word 2004. Was there a public beta program for Office 2004 for Mac?
No, there was not a public beta of Office 2004. However, a trial version of
the product will soon be available, and should only be downloaded from
Mactopia.
Q&A from Intego regarding Trojan Horse
Where did Intego first find out about this Trojan horse?
Intego received a copy of this Trojan horse on May 10, 2004. It was sent to
Intego by an editor with Macworld magazine in the United Kingdom, who
received it from a reader. The reader in question downloaded the file from
the Gnutella peer-to-peer network, thinking that it was a public beta of
Microsoft Word 2004. When he double-clicked the application, it immediately
and permanently erased his home folder and all its contents.
Have you informed Apple, Microsoft and the CERT about this Trojan horse?
Yes, we informed Apple, Microsoft and the CERT as soon as we examined this
Trojan horse and discovered its dangers. We have been in close contact with
Apple and Microsoft, and have had several meetings and conference calls with
them to ensure that this Trojan horse is controlled as quickly as possible.
Has Microsoft made any comments about this Trojan horse?
Microsoft made the following comments: "Microsoft has verified that it does
not offer any web downloads that use this icon. This icon should only be
found when customers install Microsoft Office for Mac from retail CDs, and
will be found in the product install wizard. When looking for downloads from
Microsoft, always download from www.microsoft.com or through the new
AutoUpdate tool in Microsoft Office 2004 for Mac."
How exactly does this Trojan horse work?
When a user double-clicks the file, the Trojan horse runs its AppleScript
code. The AppleScript runs a Unix command, which immediately deletes the
current user's home folder, as well as all the files and folders it
contains. This command does not move files to the Trash; it deletes them
immediately. There is no warning; once the file is double-clicked, it is too
late. Since the AppleScript only deletes the user's home folder and its
contents (files and folders the user already has permission to delete), it
does not need a password.
What is a user's home folder?
Under Mac OS X, a user's personal files are stored in their home folder.
This is the folder bearing the user's name and a house icon. This is where
users store documents, music files, photos and movies, as well as all
preferences for the applications they use.
Does this Trojan horse affect any Mac OS X system files?
No, it only deletes a user's home folder and its contents. In order to
delete system files the user would have to enter an administrator's
password, and this would require that the Trojan horse display a dialog for
this purpose.
Does this Trojan horse affect Mac OS 9 or earlier versions of Mac OS?
No. It deletes files only on Mac OS X; if run on Mac OS 9 it freezes the
computer instead. Also, under Mac OS 9 this AppleScript appears with a
normal AppleScript applet icon.
Is there any way to get the deleted files back?
Some file recovery software may be able to recover some or all of the
deleted files, but the best protection is to make regular backups of
personal files, using a program such as Intego Personal Backup X3. Intego
VirusBarrier X cannot recover files; it offers protection if this Trojan
horse is launched.
How can you identify this Trojan horse?
The only way to identify this Trojan horse is by its name and icon. It is
simply an AppleScript applet with a custom icon pasted onto it. When
examining the file with the Finder's Get Info command, it shows as an
application. This does not seem surprising, since a user downloading it
expects an installer. Many applications use "web installers", which are very
small files that let users select which modules or parts of the application
they wish to install and then download only the necessary files.
Can this Trojan horse spread on its own?
No, this Trojan horse cannot spread or replicate. It is only dangerous when
users download it from web sites or peer-to-peer services.
Can this technique be used with other commands?
Nothing prevents users from creating other, similar AppleScripts, with
different names and custom icons that can run the same damaging command. The
current version that is in the wild only deletes a user's files and folders.
Other such commands could attempt to delete all the files on a Macintosh
computer running Mac OS X, but they would need to request an administrator
password. However, users may not hesitate to type their administrator's
password for what they think is an installer; after all, Apple's Installer
requires this password to install any applications and updates to Mac OS X.
This Trojan horse highlights a serious weakness with Mac OS X. Since it is
built on a Unix foundation, it can run powerful commands very easily. These
commands can delete or damage a user's files with no warning, and
AppleScript offers no protection against malicious commands.
Is there any way to check installers to see if they are malicious?
One way to see if an application is really an AppleScript is to select the
file in the Finder, then press Command+I. The Finder's Get Info window
appears. Click the icon at the top of this window, then press the Delete
key. If the file is indeed a double-clickable AppleScript (or applet), it
now displays the generic AppleScript applet icon.
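The Finder trick above strips the pasted-on icon by hand. As an added example (not part of Intego's Q&A and not Intego's or Apple's code), the shell script below inspects an application bundle's contents instead of its icon. It assumes the layout Script Editor uses for bundle-style applets (a compiled script at Contents/Resources/Scripts/main.scpt run by a generic executable named "applet"); a flat-file applet that keeps its script in the resource fork is not covered, and the two sample bundles it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether an "installer"
# .app bundle is really an AppleScript applet by looking at its structure.
# Assumed applet layout (Script Editor bundle format):
#   Contents/Resources/Scripts/main.scpt   compiled script
#   Contents/MacOS/applet                  generic applet runner
#   Info.plist CFBundleExecutable = applet

# is_applescript_applet <path/to/Something.app>
# Prints each indicator found; returns 0 if the bundle looks like an
# AppleScript applet, 1 if none of the indicators are present.
is_applescript_applet() {
    app="$1"
    plist="$app/Contents/Info.plist"
    hits=0
    if [ -f "$app/Contents/Resources/Scripts/main.scpt" ]; then
        echo "  compiled script present: Contents/Resources/Scripts/main.scpt"
        hits=$((hits + 1))
    fi
    if [ -f "$plist" ] && grep -A1 'CFBundleExecutable' "$plist" | grep -q '<string>applet</string>'; then
        echo "  CFBundleExecutable is the generic applet runner"
        hits=$((hits + 1))
    fi
    if [ -f "$app/Contents/MacOS/applet" ]; then
        echo "  executable Contents/MacOS/applet present"
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# make_samples <scratch-dir>
# Builds two constructed bundles: an applet dressed up as an installer and an
# ordinary native application. Neither is a real file from the incident.
make_samples() {
    base="$1"
    fake="$base/FakeInstaller.app"
    mkdir -p "$fake/Contents/MacOS" "$fake/Contents/Resources/Scripts"
    printf 'placeholder for a compiled script\n' > "$fake/Contents/Resources/Scripts/main.scpt"
    : > "$fake/Contents/MacOS/applet"
    cat > "$fake/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleExecutable</key><string>applet</string>
  <key>CFBundleIconFile</key><string>installer</string>
</dict></plist>
EOF
    real="$base/Ordinary.app"
    mkdir -p "$real/Contents/MacOS"
    : > "$real/Contents/MacOS/Ordinary"
    cat > "$real/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleExecutable</key><string>Ordinary</string>
</dict></plist>
EOF
}

# Stand-alone demonstration: sh check_applet.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for bundle in "$tmp/FakeInstaller.app" "$tmp/Ordinary.app"; do
        echo "$bundle:"
        if is_applescript_applet "$bundle"; then
            echo "  => looks like an AppleScript applet, not a native installer"
        else
            echo "  => no applet indicators found"
        fi
    done
    rm -rf "$tmp"
fi
```

On a real Mac the same structural check can be run against any downloaded bundle before double-clicking it; a custom icon only changes what the Finder draws, not what the bundle contains.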
Filed under: troubleshooting
maybe we should all alias rm to mv ~/.Trash?
maybe we should all alias rm to mv ~/.Trash?
This would only help if the script uses the rm command. But since it probably doesn't, you'd need to alias the OS X framework used for handling files (which most likely does its own work vs. using the unix underpinnings).
Oh, and aliasing rm won't help if they use the full path, as in /bin/rm -rf ~ will still toss it. It only works if you just type 'rm -rf .', and even in that case, you might have issues with the arguments.
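The point made in the comment above, as an added demonstration that is not part of the thread: a "safe rm" alias only intercepts the word rm typed at an interactive prompt, so it is a convenience rather than a security control. The script below stands in for the alias with a shell function, assumes a scratch directory supplied by the caller (the real ~/.Trash is never touched), and removes three constructed files by three routes: through the function, through the absolute path /bin/rm, and from a child shell that never inherits the alias.

```shell
#!/bin/sh
# Added example (not from the article or the commenter): why an rm alias does
# not protect against a script. All work happens inside a scratch directory
# passed in by the caller; nothing here touches the home folder.

# Stand-in for the proposed alias rm='mv ... ~/.Trash'. TRASH is an assumed
# location set by run_alias_experiment, not the real Finder Trash.
rm() {
    mv -- "$@" "$TRASH"/
}

# run_alias_experiment <scratch-dir>
# Creates three files and removes each by a different route, then reports
# which ones can still be recovered from the trash. Sets DELETED_COUNT to the
# number of files that are really gone and returns 0.
run_alias_experiment() {
    base="$1"
    TRASH="$base/trash"
    mkdir -p "$TRASH"
    for f in interactive fullpath subshell; do
        printf 'data\n' > "$base/$f"
    done

    rm "$base/interactive"             # goes through the function: moved to trash
    /bin/rm "$base/fullpath"            # absolute path: the function never runs
    sh -c 'rm "$1"' _ "$base/subshell"  # child shell: aliases/functions not inherited

    DELETED_COUNT=0
    for f in interactive fullpath subshell; do
        if [ -e "$TRASH/$f" ]; then
            echo "$f: recoverable from trash"
        else
            echo "$f: gone for good"
            DELETED_COUNT=$((DELETED_COUNT + 1))
        fi
    done
    return 0
}

# Stand-alone demonstration: sh alias_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    run_alias_experiment "$tmp"
    echo "files really deleted: $DELETED_COUNT of 3"
    /bin/rm -r "$tmp"
fi
```

Only the first file ends up in the trash; the other two are gone, which is exactly the case a downloaded applet represents, since it runs its own command in its own process and never sees the user's shell aliases.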
damn, just a month ago they told us about the hole,
and now they are telling us about the virus,
maybe they are a bunch of as$holes . . .
"Aiiiiiirrrrrrrggggggghhhhhh! Not ANOTHER virus infection for the mac. That's it, I'm going to windows!"
There, had to get it out of my system.
(Yes, I know it's not a virus, that ain't the point. I also find the amount of space devoted to telling us about this is quite large for a common trojan horse. I don't remember reading three pages of info when trojans appeared for OS 9. You don't think this is Intego trying to make mountains out of molehills to try to encourage use of their software, do you?)
Oh, and I think 100K could be right for the installer. Once MS optimized the software and took out the bloat, I'm sure this is correct ......oh, hell, who am I kidding.
Also what's with the - let's think of lame "viruses"/"trojans" for OS X - that's happening at the moment... nothing so far seems like a real virus.
Making an app to delete stuff and renaming it and adding an icon is lame...
Hey, I just wrote a trojan horse.
I'm in stupidity shock. It happens to me when I read something so stupid that my head explodes.