
New Mac malware/trojan on the loose?


alcimedes
I shot the sherrif.
 
Join Date: May 2004
2004-10-23, 10:29

http://macintouch.com/opener.html

Called Opener, and if real, it does some nasty stuff. Perhaps our days of living in shelter are over....
usurp
High Monarch of MacDebate
 
Join Date: Jul 2004
Location: Kuwait
 
2004-10-23, 10:37

From what I understood, though, the user has to install/run the software himself the first time. It's not really dangerous until you do.
alcimedes
I shot the sherrif.
 
Join Date: May 2004
2004-10-23, 10:51

Except of course that's how every Windows virus manages to spread itself: stupid people clicking on things. Granted, it's not a worm, but anything that can spread via user stupidity should not be counted out as a serious problem. Now, it does have to run as admin, so if you don't log in normally as admin you should be safe. Last I checked, though, OS X sets the first user that's set up as admin, and logs you in automatically as admin every time.

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
Wrao
Yarp
 
Join Date: May 2004
Location: Road Warrior
 
2004-10-23, 11:07

Bleh.

Last edited by Wrao : 2004-10-24 at 21:40. Reason: Guess it isn't a REAL virus :p
DMBand0026
Veteran Member
 
Join Date: May 2004
Location: Chicago
 
2004-10-23, 11:09

A few general precautions that you can take, and this goes for every day, not just dealing with this apparent virus.

- Don't open attachments when you don't know where they came from. That is just common sense, even in the Mac world.

- In your Safari (I'm assuming most here use Safari) preference window, under General, uncheck "Open 'safe' files after downloading."

- Don't download from websites that might carry a virus. Make sure you trust your download provider.

- Turn your OS X Firewall on! (System Preferences/Sharing/Firewall. If it says "Firewall On," you're good to go. If not, click the "Start" button. I believe the firewall is on by default, so most won't need to worry about this.)

That's about all I can think of, because it's extremely easy to avoid viruses, but most people just don't know how.

Come waste your time with me
Paul
Veteran Member
 
Join Date: May 2004
Location: New York City
 
2004-10-23, 11:30

Little Snitch is a nice security blanket as well...

I wonder how long it will take Virex to get a patch for it...

AHH! It kills Little Snitch!!!

Well, it is a real trojan horse, like that Office 2004 file a few months back. Actually, the file was created by the same people...

Anyone here frequent MacUnderground? I used to way back when, but not recently. That is where the trojan(s) came from, a thread in their forums...
It was a matter of time I guess, but it is still not really a virus...
Apple is probably working on a patch right now. They have been good about security lately.

1215/234215 (top .51875%)
People really have got to stop thinking there is only one operating system, one economic system, one religion, and one business model. -EvilTwinSkippy (/.)

Last edited by Paul : 2004-10-23 at 11:43.
Kickaha
Veteran Member
 
Join Date: May 2004
 
2004-10-23, 13:08

IT'S NOT A VIRUS!

JEEBUS people. Learn the terminology.

It is a trojan horse. It CANNOT propagate on its own. You HAVE to be tricked into installing it. NO FORCE ON EARTH CAN PREVENT THAT. Users are stupid, period.

Not only that, but *you have to authenticate for it to be installed*. So you have to manually install it *AND* type in your password! This is *NOT* a virus! A virus propagates *itself*, no user intervention needed. This? This is just malware tricking idiot users.

In addition... the group Intego that is reporting it? And wrote it? Yeah, well, they want you to buy their anti-virus program. They did this once before a few months ago. Personally, I think they should be hauled up on criminal charges, starting with fraud.

NOT A VIRUS!

YOU HAVE TO INSTALL IT!

YOU HAVE TO AUTHENTICATE YOUR ADMIN PASSWORD!

CREATED BY FRAUDS WHO ARE TRYING TO SCARE PEOPLE INTO BUYING THEIR 'ANTI-VIRUS' SOFTWARE!

Period.
Paul
Veteran Member
 
Join Date: May 2004
Location: New York City
 
2004-10-23, 13:11

Good write-up.

It's experiences like this that make this article true.
Eugene
careful with axes
 
Join Date: May 2004
Location: Hillsborough, CA
 
2004-10-23, 13:20

I've been warning people about this for how long now? Considering how easy it is to make an installer package, I'm surprised nobody else has encountered one yet.

Also, it might be a good idea to use John the Ripper on your own encrypted passwords just to see how easily crackable they are.
DMBand0026
Veteran Member
 
Join Date: May 2004
Location: Chicago
 
2004-10-23, 13:24

I suspected Intego again, and I can't tell you how much that bothers me. Is there anything we can do to stop them from doing this again?

I agree, they should be hauled in on criminal charges. This is absurd.

Come waste your time with me
curiousuburb
Antimatter Man
 
Join Date: May 2004
Location: that interweb thing
 
2004-10-23, 13:30

I'd wager a cookie that Intego is probably encouraging if not funding this FUD.

"Hey, how can we sell pointless crap to the Mac community if they don't have viruses?"
"Let's write some!"
"Won't technically be viruses."
"Let's get bloggers to say it's a Mac virus anyway. Corrections are always smaller than headlines."

Oh, they're going to get such a karmic smack... just wait.
Kickaha
Veteran Member
 
Join Date: May 2004
 
2004-10-23, 13:34

Actually, evidence points that they're the bastards that WROTE it.
DMBand0026
Veteran Member
 
Join Date: May 2004
Location: Chicago
 
2004-10-23, 13:43

I ask again in all seriousness, what can we do to stop this? I hardly think an indignant e-mail (in all caps, bolded red letters) is going to do anything. This is one of the most unethical things I have ever seen and I'm personally appalled.

I guess step one is to discourage friends, family, community, anyone from buying from Intego.

Come waste your time with me
johnq
Multi-touch Piñata
 
Join Date: May 2004
 
2004-10-23, 15:06

Call your state's Attorney General's office.
AirSluf
Member
 
Join Date: May 2004
 
2004-10-24, 00:32

......

Last edited by AirSluf : 2004-11-15 at 23:55.
Kickaha
Veteran Member
 
Join Date: May 2004
 
2004-10-24, 00:40

No harder than it would be for anyone else to... which is why the folks at VersionTracker, MacUpdate, etc. have to verify the source of incoming installers.

Personally, I make every attempt to get installers from the original developer. Is it *possible* for someone to spoof an actual developer's site and host a malware version? Sure. Is it detectable? Yup.

We are no less secure today than we were two days ago. This one is just a lame and slimy attempt by a developer of anti-virus software of dubious quality to scare people into buying their product, that's all.
LudwigVan
Veteran Member
 
Join Date: May 2004
Location: Minnesota
 
2004-10-24, 02:03

Quote:
Originally Posted by Kickaha
In addition... the group Intego that is reporting it? And wrote it? Yeah, well, they want you to buy their anti-virus program.
I haven't read anything about Intego releasing information on this particular trojan, neither at MacInTouch nor at Intego's own site. The initial post at MacInTouch is from some anonymous poster (which is suspicious in its own right after having read some of the more level-headed replies there.)
Mac+
9" monochrome
 
Join Date: May 2004
Location: 🇦🇺
 
2004-10-24, 08:49

If Intego has done this - just how low can they go? "Karmic smack" is right - I hope it hits the culprits hard when it comes around too!
BuonRotto
Not sayin', just sayin'
 
Join Date: May 2004
Location: Durham, NC
2004-10-24, 10:41

Where are people hearing that Intego is behind this one? I found this link through MacNN where the thing seems to have been written. Same folks who wrote the mp3 "proof of concept" a few months ago. If Intego is behind this, then we are talking about a real boycott, and possible prosecution. But I haven't seen evidence of that yet.
DMBand0026
Veteran Member
 
Join Date: May 2004
Location: Chicago
 
2004-10-24, 11:26

So you're saying that the link from MacNN says that this was created by the MP3 proof-of-concept people? I looked for a bit, but couldn't find it. If that is what it says, it was Intego that created the proof of concept.

<searches for phone number of state attorney general>

<realizes it's sunday>

<crap>

If this does turn out to be Intego, I will be calling.

Come waste your time with me
Kickaha
Veteran Member
 
Join Date: May 2004
 
2004-10-24, 13:30

Hold off on that call (dammit). I'm trying to find further proof of Intego being the originating source of opener, and not finding it, just speculations.

It appears that it was created on Macintosh Underground *MONTHS* ago, and is just now being detected in the wild, i.e., someone actually was silly enough to get caught by it.

Intego seems to be silent on this one, perhaps after the bitchslapping they got surrounding their FUD re: the MP3 'trojan'. OTOH, someone claims to have evidence that the anonymous poster who originally reported it to Macintouch is from Intego, but they're not spilling... which is suspicious in and of itself.

Grrrr.
Snoopy
Member
 
Join Date: Jul 2004
Location: Portland, OR
 
2004-10-24, 15:08

Hey, at least one of Apple's new security features is doing its job. I installed WMP to listen to a .asf file. When I double-clicked the file I got a good warning message. It said the file is attempting to run an application that has not been run before. It suggests canceling if this operation was not expected. It seems to me that this feature would catch some or most trojan horses, no?
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2004-10-24, 17:33

Quote:
Originally Posted by Snoopy
It seems to me that this feature would catch some or most trojan horses, no?
Yes and no.

You get that dialog when you open a document that launches an application for the first time, not when you launch the application itself for the first time.

A trojan like this requires the user to launch it directly. If it was to be masked with a pretty icon and name, I'm sure lots of ignorant Mac users would launch it just like lots of ignorant Windows users do the same.

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
Snoopy
Member
 
Join Date: Jul 2004
Location: Portland, OR
 
2004-10-24, 19:21

Quote:
Originally Posted by Brad
Yes and no.

You get that dialog when you open a document that launches an application for the first time, not when you launch the application itself for the first time.

A trojan like this requires the user to launch it directly. If it was to be masked with a pretty icon and name, I'm sure lots of ignorant Mac users would launch it just like lots of ignorant Windows users do the same.
I can see no downside to including this protection for the launch of an application the first time. It seems this should cover trojans. I don't understand why Apple would make the protection so limited. Oh well, I enjoyed the false sense of security for a few moments anyway.
bauman
New Member
 
Join Date: Sep 2004
 
2004-10-24, 19:55

Quote:
Originally Posted by Snoopy
I can see no downside to including this protection for the launch of an application the first time. It seems this should cover trojans. I don't understand why Apple would make the protection so limited. Oh well, I enjoyed the false sense of security for a few moments anyway.
Not really. You double click on an application that you just downloaded, and then a dialog box comes up and asks if you are *really sure* that you want to open it. Well, of course you want to open it... you double clicked it.
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2004-10-24, 20:05

bauman is right. That kind of confirmation cries of poor Microsoft design. I cringe every time Windows throws up a message for the most rudimentary activities.
Moogs
Hates the Infotainment
 
Join Date: May 2004
Location: NSA Archives
 
2004-10-24, 21:22

Someone asked about Virex. Considering how crappily received their 7.5 update was (pulled and not heard from since), I wouldn't expect an update before the regularly scheduled November variant.

...into the light of a dark black night.
Snoopy
Member
 
Join Date: Jul 2004
Location: Portland, OR
 
2004-10-24, 21:47

Quote:
Originally Posted by bauman
Not really. You double click on an application that you just downloaded, and then a dialog box comes up and asks if you are *really sure* that you want to open it. Well, of course you want to open it... you double clicked it.

Not what I meant. Just like the new dialog box I encountered, it would only appear the first time an application is run. It might say,

"You have attempted to run the application xxxx, which has not run before. If this is not what you expected, it's suggested that you cancel or get more information."

The choices would be cancel, run, or more information, with cancel as default just as it is now. The 'more information' selection could explain the security reasons for the dialog box. Now if Apple wants to get fancier, I guess an application could be placed on the run list if it is installed using an administrator password. That would eliminate the dialog box in some cases.
alcimedes
I shot the sherrif.
 
Join Date: May 2004
2004-10-24, 22:00

Except if you just downloaded program X, and decided to run it, of course you'd say OK to run it.

The problem is that once someone fools you into downloading and planning on running this malware, you're going to follow through with it; a warning dialogue will do nothing.

There might be some solutions to this, but I can't think of any that wouldn't be intrusive.

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
Snoopy
Member
 
Join Date: Jul 2004
Location: Portland, OR
 
2004-10-24, 23:11

Quote:
Originally Posted by alcimedes
Except if you just downloaded program X, and decided to run it, of course you'd say OK to run it.

The problem is that once someone fools you into downloading and planning on running this malware, you're going to follow through with it; a warning dialogue will do nothing.

There might be some solutions to this, but I can't think of any that wouldn't be intrusive.

What you say is true. If someone is foolish enough to download and run an application he or she knows nothing about, there is no way to protect them.

However, it's my understanding that a Trojan horse appears to be something else, like a text document or song. When you double click to view it or play it, the application (which it really is) runs. However, if the OS checks to see whether an application is on a run list, and this Trojan would not be there, then the warning dialog box appears. Since Apple already has this run list in place, it would seem trivial to extend its use for protection against Trojans.

Edit Addition: A refinement to a Trojan defense might be for the OS to check an application's icon before putting up the warning dialog box. If the icon is inappropriate, this fact can be included in the warning.

Last edited by Snoopy : 2004-10-24 at 23:48.
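Snoopy's "run list" proposal above, sketched in code. This is an added example written for this thread, not Apple's implementation and not anything from the Opener reports: it keeps a set of content hashes for programs that have already been accepted, flags the first launch of anything not in that set, and approximates the icon check from the edit with a name-versus-contents check (a file carrying a document extension whose bytes begin with a Mach-O or interpreter-line signature). The extension list, the magic-number table, the class names and the sample files are all constructed for the example.

```python
"""First-launch gate modelled on the 'run list' idea from the thread.

Constructed demonstration, not Apple's code: an allowlist of applications
that have run before, keyed by content hash, plus a check that a file
whose name says 'document' is not really executable code.
"""
import hashlib
import os
from dataclasses import dataclass, field

# Extensions a user would expect to open a viewer, not launch code (assumed list).
DOCUMENT_EXTENSIONS = {".mp3", ".txt", ".jpg", ".pdf", ".mov", ".asf", ".doc"}

# Leading bytes that mark executable content on a 2004-era Mac.
# Note: 0xCAFEBABE is shared with Java class files, so it is treated conservatively.
EXECUTABLE_MAGICS = {
    bytes.fromhex("feedface"): "Mach-O 32-bit (big-endian)",
    bytes.fromhex("cefaedfe"): "Mach-O 32-bit (little-endian)",
    bytes.fromhex("feedfacf"): "Mach-O 64-bit (big-endian)",
    bytes.fromhex("cffaedfe"): "Mach-O 64-bit (little-endian)",
    bytes.fromhex("cafebabe"): "Mach-O universal (fat) binary",
    b"#!": "script with interpreter line",
}


def executable_kind(data: bytes):
    """Return a description of the executable format, or None for plain data."""
    for magic, name in EXECUTABLE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def content_id(data: bytes) -> str:
    """Identity for the run list: a hash of the bytes, not the path or name."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    action: str                      # "run" (silent) or "warn" (show the dialog)
    reasons: list = field(default_factory=list)


class RunList:
    """Applications the user (or an admin install) has already accepted."""

    def __init__(self):
        self.approved = set()

    def approve(self, data: bytes) -> None:
        """Record a launch the user confirmed, or an admin-installed binary."""
        self.approved.add(content_id(data))

    def check(self, filename: str, data: bytes) -> Verdict:
        kind = executable_kind(data)
        if kind is None:
            # Plain data: the OS would hand it to a viewer, not execute it.
            return Verdict("run")
        if content_id(data) in self.approved:
            return Verdict("run")
        reasons = [f"{kind} that has not been run on this system before"]
        ext = os.path.splitext(filename)[1].lower()
        if ext in DOCUMENT_EXTENSIONS:
            # The disguise check: a 'song' or 'note' that is really code.
            reasons.append(
                f"'{filename}' is named like a document but contains {kind}")
        return Verdict("warn", reasons)


# Constructed sample files (bytes only; nothing is written to disk).
SAMPLE_NOTES = b"Meeting notes for Monday\n"
SAMPLE_DISGUISED = bytes.fromhex("feedface") + b"\x00" * 28   # Mach-O header stub
SAMPLE_SCRIPT = b"#!/bin/sh\necho installing...\n"


if __name__ == "__main__":
    run_list = RunList()
    for name, data in [("notes.txt", SAMPLE_NOTES),
                       ("hit_single.mp3", SAMPLE_DISGUISED),
                       ("Installer", SAMPLE_SCRIPT)]:
        v = run_list.check(name, data)
        print(name, "->", v.action, *v.reasons, sep="\n   ")
    # After the user confirms once, the same bytes run silently next time.
    run_list.approve(SAMPLE_DISGUISED)
    print("second launch ->", run_list.check("hit_single.mp3", SAMPLE_DISGUISED).action)
```

Keying on the hash rather than the path means a renamed or moved copy of an approved program stays approved, while a new build prompts again. As alcimedes points out, the dialog only informs a decision the user has already made; what the mismatch reason adds is one concrete fact about the file that a pretty icon cannot hide.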