
Thursday, February 16, 2006

MAC VIRUS RUUNNNNN!!!!!!!!!


Well, if these two pieces of junk are what some people get paid for and call reporting, both sites deserve a Pulitzer for the worst reporting ever.

It's bad enough that we have crackpots like John C. Dvorak who think Apple will ditch Mac OS X for Microsoft's Windows. This dumbass's "evidence" is mostly the claim that nobody is switching to the Mac. Hmmm, where does this crackpot get his info? Apparently he missed that Apple doubled its U.S. market share last year and is struggling to keep up with its Mac orders. If nobody is switching, why are Mac unit sales and market share rising?

And why would Apple want to trash OS X for an OS that even the government can't keep secure? Consider the Gary McKinnon case, as Boyd reports:
"The US government alleges that between February 2001 and March 2002, the 40-year-old computer enthusiast from North London hacked into dozens of US Army, Navy, Air Force, and Department of Defense computers, as well as 16 Nasa computers," Boyd reports. "It says his hacking caused some $700,000 dollars worth of damage to government systems. What's more, they allege that Mr McKinnon altered and deleted files at a US Naval Air Station not long after the terrorist attacks on September 11, 2001 and that the attack rendered critical systems inoperable. The US government also says Mr McKinnon once took down an entire network of 2,000 US Army computers. His goal, they claim, was to access classified information."

McKinnon admits "that he hacked into dozens of US government computer systems. In fact, he calmly detailed just how easy it was to access extremely sensitive information in those systems. 'I found out that the US military use Windows,' said Mr McKinnon in that BBC interview. 'And having realised this, I assumed it would probably be an easy hack if they hadn't secured it properly.' Using commercially available software, Mr McKinnon probed dozens of US military and government networks. He found many machines without adequate password or firewall protection. So, he simply hacked into them," Boyd reports.


Doesn't that story make you want to run out and buy Windows XP? There are a lot of columnists who sound like they know what's best for Apple or any other large corporation, but they sit there in their $40,000-a-year jobs handing out 2¢ opinions like this, while Steve has a multi-million dollar corporation to run, and is running it successfully, I might add. I'll go with Steve until he proves otherwise.

But let's get back to the headline, which started in the MacRumors forums. MacRumors reported:
"On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz"

The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:

_infect:
_infectApps:
_installHooks:
_copySelf:

The exact consequences of the application are unclear, but the users who originally executed the application have noted that it appeared to self-propagate:
"If anyone remembers last night, when lasthope spread that picture that opened in Terminal: I just turned on my other computer and it said it had an incoming file, from my computer, which was the latestpics file. Any help? I have already secure-deleted it off my hard drive, but how do I know that it will not come back?"

Andrew Welch who had done some of the initial disassembly is posting updates to this thread.

According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.

Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.

Update #2: The most recent updates show that the file does send itself to other users in your AIM/iChat buddy list."
This really was just a Unix executable disguised with a different icon. The disassembly turned up some suspicious-sounding routine names:
_infect:
_infectApps:
_installHooks:
_copySelf:

Andrew Welch of Ambrosia Software, who did the initial disassembly, explains it best in his write-up, and I think MDN (MacDailyNews) sums it up: "This is what it's come to: making up a Mac OS X "virus" where none exists".

But that doesn't stop knuckleheads like John Leyden from The Register from writing junk like this:
"Antivirus researchers have discovered what's claimed to be the first computer Trojan to infect Apple Mac OS X computers. The malware, dubbed Leap-A, spreads via the iChat instant messaging system as a file called latestpics.tgz that infected machines send to contacts on an infected user's buddy list.

The malicious file, which poses as a set of pictures, is a compressed Unix shell program. The user is prompted for admin credentials to launch the malicious code, which is better described as a Trojan than a virus. Mac OS X users who do this will find their machines infected.

Mac viruses were relatively common at the dawn of personal computing, but these days the overwhelming majority of viruses are Windows specific. Leap-A shows other platforms are also vulnerable."

Mac viruses were common? What the hell is this guy smoking?

You want the short version of what Andrew wrote?

You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for most users, you must also enter your Admin password.

It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system. It requires the admin password if you're not running as an admin user. It doesn't actually do anything other than attempt to propagate itself via iChat. It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching. It's not particularly sophisticated.

Remember: you cannot simply catch a trojan the way you would a virus; you have to run it yourself. This is not the first Mac OS X trojan, and I'm certain it won't be the last. Use common sense: do not install and run applications from untrusted sources, do not run Mac OS X as "root", and think twice before typing your admin password for something that is supposed to be a picture. A "pictures" archive that unpacks into a single file with no extension, and then asks for your password, is not a picture.
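The disguise described above works because the Finder shows an icon, not the file's contents or its permission bits. Below is an added example (my own script, not the trojan's code and not Andrew Welch's tool) that does the check a user would want between steps 2 and 3 of his list: open the .tgz without extracting it, look at the leading bytes of each member and at its mode bits, and flag anything that is Mach-O or a script, or that simply has an execute bit set, since a bundle of pictures should contain neither. The archive it inspects is constructed in build_sample_archive(): a file named latestpics (the name from the MacRumors thread) holding nothing but a Mach-O header and padding, next to a file with a real JPEG header.

```python
"""Flag archive members that look like pictures but are really executables.

Added example for this post; the sample archive is constructed below and only
mimics the shape of the disguised file (a Mach-O header with execute bits).
"""
import io
import tarfile

JPEG_MAGIC = b"\xff\xd8\xff"
# Mach-O magic numbers (32- and 64-bit, both byte orders) plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def classify(head: bytes) -> str:
    """Classify a file by its leading bytes, never by its name or icon."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"#!"):
        return "script"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def suspicious_members(tgz_bytes: bytes) -> list:
    """Return every regular file in the .tgz that holds executable content or carries
    execute bits. Nothing is written to disk; members are read straight from the archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fobj = tar.extractfile(member)
            head = fobj.read(64) if fobj is not None else b""
            kind = classify(head)
            has_exec_bit = bool(member.mode & 0o111)
            if kind in ("mach-o", "script") or has_exec_bit:
                findings.append({
                    "name": member.name,
                    "kind": kind,
                    "executable": has_exec_bit,
                    "size": member.size,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample data: a disguised executable next to a genuine JPEG header.
    The 'latestpics' member is a bare Mach-O magic number plus padding, not the real trojan."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, data: bytes, mode: int) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add("latestpics", b"\xce\xfa\xed\xfe" + b"\x00" * 60, 0o755)      # executable in disguise
        add("latestpics.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60, 0o644)  # harmless image data
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_members(build_sample_archive()):
        print(f"{hit['name']}: {hit['kind']}, exec bit {'set' if hit['executable'] else 'clear'}")
```

Run it on a real download with `suspicious_members(open("latestpics.tgz", "rb").read())`. The mode-bit test matters as much as the magic-number test: tar preserves permissions, so a member that arrives with 0755 will run when double-clicked even if its first bytes are something this script does not recognise.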

Sophos, Symantec, McAfee and Intego have all added signatures for it to their Mac anti-virus definitions.

There are always malicious people out there looking to harm or mislead others, whether they are PC or Mac users. Look at the fake invite a user in Germany sent out to Mac news sites.

Macnn reports:

"A fake invite today was sent out by a user in Germany. The hoax invite, which read and looked like a real Apple-sanctioned event, was sent to several Mac websites and touted a 'special event' with U2 lead Bono. The fake red invitation said "Please join Steve and Bono" for an "invitation-only event" at the Moscone Center West in San Francisco on March 1st at 10 am. The invite also offered the words "Together we can fight it." Several reports had speculated on a special red iPod from Apple to help Bono's fight against AIDS. "U2's Bono may partner with Apple on a new red iPod in the near future to help promote a new project to battle AIDS. The charity is designed to raise money to help finance the fight against HIV/AIDS, Tuberculosis, and Malaria in Africa, and hopes to convince the world's largest companies to release special red-branded products while offering a portion of the profits to the fund." [updated]

The invite came with the following headers:

Received-SPF: neutral (216.22.45.54 is neither permitted nor denied by best guess record for domain of webmaster@felixbruns.de)
Received: (qmail 63576 invoked by uid 89); 15 Feb 2006 16:53:36 -0000
Delivered-To: xxxxxx@macnn.com
Received: (qmail 63346 invoked from network); 15 Feb 2006 16:53:13 -0000
Received: from s169.evanzo-server.de (62.67.235.169)
by macnn.com with SMTP; 15 Feb 2006 16:53:13 -0000
Received: (from wwwrun@localhost)
by s169.evanzo-server.de (8.11.3/8.11.3/SuSE Linux 8.11.1-0.5) id k1FGrDl09934;
Wed, 15 Feb 2006 17:53:13 +0100
Date: Wed, 15 Feb 2006 17:53:13 +0100"
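Those headers are what gave the hoax away, and reading them is a skill worth having. The following is an added example (my own script, not MacNN's analysis) that walks the Received chain with the standard library. RAW_HEADERS is the header block MacNN published, with the continuation lines re-indented so the parser keeps each folded header together; the body is omitted. Each mail server prepends its own Received line, so the bottom-most one is the first machine that handled the message. Here that is a local injection "from wwwrun@localhost" on s169.evanzo-server.de, a SuSE box (wwwrun is SuSE's web-server account), which means a web script on a German hosting server generated the mail. The SPF check for felixbruns.de came back "neutral", and nothing in the chain mentions apple.com.

```python
"""Walk the Received chain of the hoax invite to see where it really came from.

Added example for this post. RAW_HEADERS is the block MacNN published, re-folded
with leading whitespace on continuation lines; the message body is omitted.
"""
import re
from email import message_from_string
from typing import Optional

RAW_HEADERS = """\
Received-SPF: neutral (216.22.45.54 is neither permitted nor denied by best guess record for domain of webmaster@felixbruns.de)
Received: (qmail 63576 invoked by uid 89); 15 Feb 2006 16:53:36 -0000
Delivered-To: xxxxxx@macnn.com
Received: (qmail 63346 invoked from network); 15 Feb 2006 16:53:13 -0000
Received: from s169.evanzo-server.de (62.67.235.169)
  by macnn.com with SMTP; 15 Feb 2006 16:53:13 -0000
Received: (from wwwrun@localhost)
  by s169.evanzo-server.de (8.11.3/8.11.3/SuSE Linux 8.11.1-0.5) id k1FGrDl09934;
  Wed, 15 Feb 2006 17:53:13 +0100
Date: Wed, 15 Feb 2006 17:53:13 +0100

"""

IPV4 = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_hop(value: str) -> dict:
    """Pull from/by/IP out of one Received header value.

    qmail's '(qmail ... invoked ...)' lines are the receiving site's internal queue
    notes, not network hops, so they are marked separately.
    """
    value = " ".join(value.split())  # unfold continuation lines
    if value.startswith("(qmail"):
        return {"kind": "queue-note", "from": None, "by": None, "ip": None, "raw": value}
    frm = re.search(r"\bfrom\s+([^\s)]+)", value)
    by = re.search(r"\bby\s+([^\s(;]+)", value)
    ip = IPV4.search(value)
    return {
        "kind": "hop",
        "from": frm.group(1) if frm else None,
        "by": by.group(1) if by else None,
        "ip": ip.group(1) if ip else None,
        "raw": value,
    }


def received_chain(raw: str) -> list:
    """All Received headers, newest first, exactly as they sit in the message."""
    msg = message_from_string(raw)
    return [parse_hop(v) for v in msg.get_all("Received", [])]


def origin_hop(chain: list) -> Optional[dict]:
    """The bottom-most real hop is the first machine that handled the message."""
    for hop in reversed(chain):
        if hop["kind"] == "hop":
            return hop
    return None


def spf_result(raw: str) -> Optional[tuple]:
    """Return (result, sender domain) from Received-SPF, or None if the header is absent."""
    msg = message_from_string(raw)
    value = msg.get("Received-SPF")
    if not value:
        return None
    result = value.split()[0]
    dom = re.search(r"domain of\s+(?:\S+@)?([\w.-]+)", value)
    return result, (dom.group(1) if dom else "")


if __name__ == "__main__":
    chain = received_chain(RAW_HEADERS)
    origin = origin_hop(chain)
    print("first hop:", origin["from"], "->", origin["by"])
    print("handed to macnn.com by:", chain[2]["from"], chain[2]["ip"])
    print("SPF:", spf_result(RAW_HEADERS))
```

One caveat when reading any such chain: only the Received line written by your own server (here the one "by macnn.com", which records the peer's real IP, 62.67.235.169) is something you can trust. Everything below it was supplied by the sender's side and could have been forged; in this case the sender did not bother, which is what made the hoax easy to trace.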


[Image: the fake invite]

As quoted from Macnn: "Many websites that initially reported the event have since pulled their stories without any correction, retraction, or other note." LoopRumors was one of them.
I give credit to any reporter who "mans up" to mistakes that come from bad information.
