Filed under: Analysis / Opinion, OS, Internet
Possible Mac OS X Trojan Horse (mostly harmless)
So I saw the news this morning about a possible first trojan horse for Mac OS X and decided I didn't really want to deal with the inevitable ensuing hysteria, flames, and crazy comments that would be sure to follow such a post. It was 8:00am and just way too early to deal. I mean, if I want to read stupid comments about Macs all day long, I'll just spend my time over at Digg. Heh heh... I thought to myself, I'll let some other TUAW staff member post this news story. Then they can deal with the puerility.

But now it's almost noon and something like 42 people have sent in a tip and no one's stepped up to the plate, so I figure I probably should write up something.
Here's a quick summary: Someone uploaded a trojan horse to the MacRumors.com forums which claims to be a .tgz archive of screenshots of Apple's upcoming Mac OS X 10.5 Leopard. Problem is that it seems to be a proof-of-concept trojan and isn't very successful at doing what it's supposed to do, which is propagate itself out via your IM buddy list. Andrew Welch, who founded Ambrosia Software (thanks for Apeiron, BTW!), has been doing a bang-up job of dissecting the trojan and has determined that it's mostly harmless. You can read the specifics in the Ambrosia forums. Sophos has already posted a definition for this trojan here.
The bottom line is that this really seems to be a proof-of-concept trojan more than an actual "in the wild, self-propagating" virus. So yeah, it's certainly very interesting, but I'm not about to start watching for the sky to fall. Leave that to cartoon birds, storybook characters, and PC magazine columnists.
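The whole trick here is a program dressed up as a picture, so as an added, defender-side example (not code from the post or from the Ambrosia analysis) here is a small Python checker that flags files in an unpacked archive whose extension says "image" but whose leading bytes say "Mach-O executable". The magic-number lists are illustrative, and the sample files it scans are constructed in a temporary directory.

```python
from pathlib import Path
from tempfile import TemporaryDirectory

# Mach-O magic numbers (assumption: illustrative list, not exhaustive).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # 32-bit Mach-O, big-endian (the PPC case)
    b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, little-endian (Intel)
    b"\xfe\xed\xfa\xcf",  # 64-bit Mach-O, big-endian
    b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O, little-endian
    b"\xca\xfe\xba\xbe",  # universal ("fat") binary; also used by Java class files
}
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def looks_like_macho(head: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic."""
    return head[:4] in MACHO_MAGICS


def looks_like_image(head: bytes) -> bool:
    """True if the leading bytes match a known image header."""
    return head.startswith(IMAGE_MAGICS)


def classify(path: Path) -> str:
    """Compare what the extension claims with what the bytes actually say."""
    head = path.read_bytes()[:16]
    if path.suffix.lower() in IMAGE_EXTENSIONS:
        if looks_like_macho(head):
            return "disguised-executable"   # a "screenshot" that is really a program
        if not looks_like_image(head):
            return "not-an-image"            # wrong magic; worth a closer look
    return "ok"


def scan_dir(root: Path) -> dict:
    """Classify every regular file under root, keyed by file name."""
    return {p.name: classify(p) for p in sorted(root.rglob("*")) if p.is_file()}


def demo() -> dict:
    """Constructed stand-in for an unpacked 'Leopard screenshots' archive."""
    with TemporaryDirectory() as d:
        root = Path(d)
        (root / "leopard1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 28)  # genuine JPEG header
        (root / "leopard2.jpg").write_bytes(b"\xfe\xed\xfa\xce" + b"\x00" * 28)  # PPC Mach-O named .jpg
        (root / "leopard3.jpg").write_bytes(b"not really a picture")             # neither
        return scan_dir(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it against a real extracted folder by calling `scan_dir(Path("/path/to/unpacked"))`; anything reported as `disguised-executable` should never be double-clicked.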

Reader Comments
LD said 12:42PM on 2-16-2006
This trojan simply proves that stupid computer users will find a way to break their computer.
It's not a virus that takes advantage of a security loophole. It's social-engineering that takes advantage of stupid users.
Reply
Christian said 12:49PM on 2-16-2006
Remember what the D.A.R.E. program taught us to say: "Users are losers!"
Reply
zverg said 1:05PM on 2-16-2006
Wahhhh, OMG, my Mac is back at my apartment and I'm stuck in class on my ThinkPad, what am I to do?!?!
Oh wait... nothing to worry about. We'll probably see a patch soon; it was nice of them to just release a proof-of-concept first.
Oh, and I just read that you usually have to put in your admin password to get the virus, on top of all the other steps... downloading it, uncompressing it, etc.
Yawn, the Mac virus front is boring. I'll always have to keep a PC around so that I can watch in excitement as it scans for viruses daily... 11 years on the internet and I haven't gotten a single virus yet.
Reply
Wheels said 1:19PM on 2-16-2006
Interesting. I find it intriguing that this is a PPC trojan, since all the hubbub was "ooo, when we all switch to Intel Macs, all hell is going to break loose because we'll be in hackers' main territory, the x86." Goes to show that Macs can get malware. Also shows that it's not very easy to do serious damage, that news spreads faster than the trojan, and that knowledge is the best defense against these threats.
I thought McGruff told me that users were losers!
Reply
djones said 1:34PM on 2-16-2006
I *almost* wish this weren't a proof of concept. If you double click on a jpeg to view it, and type in your password, you deserve what's coming...
Half j/k
Reply
Jamie said 1:43PM on 2-16-2006
"If you double click on a jpeg to view it, and type in your password, you deserve what's coming..."
If you are running with a single user with admin rights turned on (which covers probably 95% of Mac users) you don't get the password request when opening this trojan.
Lesson learned for me? Create a second user, give it admin rights, turn off admin rights for your original account, make sure that the new admin account is the owner of all your apps, and going forward use your admin account to install software, upgrades, etc.
: )
Jamie
Reply
Mac Diva said 1:47PM on 2-16-2006
Type in your password? LOL! But, some people will. Contributory negligence to any kind of harm is common.
Reply
Mario Aeby said 2:01PM on 2-16-2006
#5: Jamie, that's exactly what I did. Unlike demoting Windows users from Admin to limited, nothing serious happened with my day-to-day account here. Hope it stays this way.
Sad: since my login window's user list has now grown by one more, I have to scroll :-(
Reply
elf said 2:40PM on 2-16-2006
I typed in my password blindly and opened the virus. It opened Terminal and slowed down my computer. I searched for everything "created today" and deleted it securely. No problems at all.
Reply
Steve said 3:04PM on 2-16-2006
It's another reason why Apple itself says nothing about OS X's "security advantage". No system is perfectly safe from attack.
I'm also not surprised it's being pooh-poohed by the Mac crowd.
Reply
Jeremey said 3:07PM on 2-16-2006
I hate to beat a dead horse (ha), but there is no protection in the universe for users who download things and run them without knowing what they are. You can drive your car into a tree as many times as you like, but they're not gonna make you a car that can't drive into trees.
Reply
Carniphage said 3:08PM on 2-16-2006
And to those who are forever pointing out the reckless behavior of those who "do not take Mac security seriously"... it should be pointed out that VIREX / Symantec or whatever other snake-oil nonsense would do precisely nothing to protect you from this sort of trojan.
C
Reply
fra said 3:27PM on 2-16-2006
One thing is missing here people... C.K's HORSE!
Reply
shrimp said 4:05PM on 2-16-2006
I'm happy with my intel iMac. Stupid trojan makers couldn't even make it Universal.
:D
Reply
rib said 12:20AM on 2-17-2006
Wouldn't this bring up the warning about being the first time opening the application when you double click the file?
Reply
benny said 4:12PM on 2-17-2006
Did anyone notice the odd location of the stairs in that pic? Well done, Troy... welllllll donneeeeee :-)
-b
Reply
random said 9:40AM on 2-18-2006
My thoughts are that if you have to type in your administrative password to install it then it is not a trojan or virus. How far could this one possibly get? Sure, a couple idiot users will open it (despite it being a compressed file claiming to be a bunch of pictures).
How about I just code up an AppleScript that deletes your iPhoto Library instead and stick it in a file titled MomPhotocast.tgz? After I figure out the self-propagating stuff, it could be a "virus" too.
Reply