
The First Mac OS X Virus? (A New OS X Trojan) [Updated]

On the evening of the 13th, an unknown user posted an external link on the MacRumors Forums to a file claiming to contain the latest Leopard (Mac OS X 10.5) screenshots. The file was named "latestpics.tgz".

The archive decompresses into a file that displays a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from the original discussion thread) reveals evidence that the application is virus-like, or was designed to give that impression. Routines listed include:

_infect:
_infectApps:
_installHooks:
_copySelf:
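The disguise described above works because the Finder shows an icon, not the file's actual type. A practitioner's first check on an archive like this is to ignore names and icons and look at what the archive itself records: the permission bits on each member and the first bytes of its content. The following is an added example, not code from the article or the forum thread; the magic-number table and the sample archive it builds in memory are constructed for this illustration and are not the file discussed on the page.

```python
import io
import stat
import tarfile

# Magic-number prefixes that mark a file as code rather than image data.
# (Constructed table for this example; not derived from the sample on the page.)
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify_header(head):
    """Return a description if the leading bytes match an executable format, else None."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return description
    return None


def audit_archive(tgz_bytes):
    """Return [(member name, [reasons])] for every regular file in a .tgz that is
    executable by mode bits or by magic number, whatever its name or icon says."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as archive:
        for member in archive:
            if not member.isfile():
                continue
            head = archive.extractfile(member).read(16)
            reasons = []
            if member.mode & EXEC_BITS:
                reasons.append("executable bit set (mode %o)" % member.mode)
            fmt = classify_header(head)
            if fmt:
                reasons.append("content is " + fmt)
            if reasons:
                findings.append((member.name, reasons))
    return findings


def build_sample_archive():
    """Construct a small .tgz in memory: one genuine-looking JPEG and one member
    whose name says nothing about code but whose mode bits and header do.
    Constructed test data for this example, not the file from the forum post."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        def add(name, data, mode):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            archive.addfile(info, io.BytesIO(data))
        add("latestpics/sunset.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32, 0o644)
        add("latestpics/latestpics", b"\xca\xfe\xba\xbe" + b"\x00" * 32, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in audit_archive(build_sample_archive()):
        print(name, "->", "; ".join(reasons))
```

Run stand-alone it reports only the second member, for both reasons at once. Either signal alone is enough to warrant suspicion of a "picture": an image file has no business carrying an execute bit, and a file whose first four bytes are a Mach-O header is a program regardless of the icon attached to it.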

The exact consequences of running the application are unclear, but users who executed it have reported that it appeared to self-propagate:

If anyone remembers last night, when lasthope spread that picture that opened in Terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help? I have already securely deleted it off of my hard drive, but how do I know that it will not come back.



Andrew Welch, who had done some of the initial disassembly, is posting updates to this thread.

According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and then inserts a stub of code into each application's executable.
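If the infector modifies the main executable of every application it can find, the practical check is a file-integrity baseline: record a hash of each bundle's main executable while the machine is known-clean, then compare later. The example below is added here and is not code from the article or from the analysts it cites. It walks a directory for `.app` bundles, reads `CFBundleExecutable` from each `Info.plist` to locate the real executable, and diffs two snapshots; the demo builds two fake bundles in a temporary directory and simulates an infector prepending a stub to one of them (constructed data, not the real malware's behaviour). On a real Mac you would feed it `/Applications` and the user's own application folders, or the paths returned by Spotlight's `mdfind`.

```python
import hashlib
import os
import plistlib
import tempfile


def bundle_executable(bundle_path):
    """Resolve Contents/MacOS/<CFBundleExecutable> for an .app bundle, or None."""
    plist_path = os.path.join(bundle_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None
    name = info.get("CFBundleExecutable")
    if not name:
        return None
    return os.path.join(bundle_path, "Contents", "MacOS", name)


def find_bundles(root):
    """List .app bundles under root without descending into the bundles themselves."""
    bundles = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.endswith(".app"):
                bundles.append(os.path.join(dirpath, d))
        dirnames[:] = [d for d in dirnames if not d.endswith(".app")]
    return sorted(bundles)


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each bundle's main executable path to its hash and size."""
    result = {}
    for bundle in find_bundles(root):
        exe = bundle_executable(bundle)
        if exe and os.path.isfile(exe):
            result[exe] = {"sha256": sha256_file(exe), "size": os.path.getsize(exe)}
    return result


def compare(baseline, current):
    """Report executables that changed, disappeared, or appeared since the baseline."""
    changed = [p for p in baseline if p in current and current[p] != baseline[p]]
    missing = [p for p in baseline if p not in current]
    new = [p for p in current if p not in baseline]
    return {"changed": sorted(changed), "missing": sorted(missing), "new": sorted(new)}


def make_fake_bundle(root, name, payload):
    """Build a minimal .app layout for the demo (constructed test data)."""
    macos_dir = os.path.join(root, name + ".app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(root, name + ".app", "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": name}, fh)
    exe = os.path.join(macos_dir, name)
    with open(exe, "wb") as fh:
        fh.write(payload)
    os.chmod(exe, 0o755)
    return exe


def demo():
    """Baseline two fake apps, tamper with one, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        alpha = make_fake_bundle(root, "Alpha", b"\xcf\xfa\xed\xfe" + b"A" * 64)
        make_fake_bundle(root, "Beta", b"\xcf\xfa\xed\xfe" + b"B" * 64)
        baseline = snapshot(root)
        # Simulated infector: prepend a stub to one executable (hypothetical, for the demo).
        with open(alpha, "rb") as fh:
            original = fh.read()
        with open(alpha, "wb") as fh:
            fh.write(b"STUB" + original)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a clean system and stored somewhere the infected machine cannot rewrite; a hash list kept on the same disk is only as trustworthy as the rest of that disk. Size is recorded alongside the hash because an injected stub usually grows the file, which is a quick secondary signal when a hash mismatch is found.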

Update: There is some debate about how to classify this application. Because it requires the user to open it, it appears to fall into the Trojan horse classification rather than self-propagating through any particular vulnerability in OS X, even though, once run, it infects other application executables as described above.

Update #2: The most recent updates show that the file also sends itself to other users in your AIM/iChat buddy list.


Update #3:

Andrew Welch posted the final technical analysis of the application with assistance from Ed Wynne and Glenn Anderson.


Symantec has posted a step by step guide on what happens when you launch this application.

Top Rated Comments

78 months ago
hmmm. scary.

78 months ago
the sky is falling!! :eek:

78 months ago
Looks like I might be re-installing Norton...

78 months ago
Granted, this is just a script. It doesn't exploit a security flaw. Correct?

78 months ago
Remember not to type your administrator password just because you get prompted for it. Always know why before you do so.

78 months ago
well well well......

was bound to happen

78 months ago
So does OS X warn you that it is an executable when you D/L it? How does it disguise itself? If you Get Info on it does it say "open with Preview", or does it say it's a script? What does it propagate besides itself? By that I mean, how does it damage you except by spreading?

78 months ago
OMG :eek: OMG :eek: OMG :eek: OMG :eek: OMG :eek: OMG :eek: OMG :eek: OMG :confused: :eek:

78 months ago
Hell froze over... actually it just snowed today.

78 months ago
I think it's important to ask a few questions.

1. If you Get Info on the file what does it say?
2. When you double-click the file does it ask for your Admin password?
3. When it's downloaded does Safari indicate it's a program and not a regular file?
4. What's the uploader's IP address and has his ISP been contacted about this?