[IP] OS X "comes of age" (malware)

-------- Original Message --------
Subject: Re: [IP] OS X "comes of age" (malware)]
Date: Thu, 16 Feb 2006 20:50:21 -0500
From: Irwin Lazar <ilazar@xxxxxxxxxxxxxxx>
To: dave@xxxxxxxxxx

Dave, there's a lot of spreading of FUD around this.

For this "Mac Virus" to work, a user must download and attempt to open a
software package (latestpics.tgz) which poses as screenshots of the rumored
Jaguar version of OS X. During the install process, the user will be
prompted for their administrator user name and password. If they enter it,
the application will run on their machine where it attempts to propagate
itself via iChat (assuming you are running iChat).

There's the key. This file is harmless unless one tries to open it and, when
prompted, logs in as an administrator. No operating system is immune to
users manually installing malicious software. Not Linux, not Windows, and
certainly not Mac OS X. I would hope most Mac users would express some
immediate concern if they were trying to view what they thought was a JPEG
file and it asked them for their system password.

Irwin


> From: Dave Farber <dave@xxxxxxxxxx>
> Reply-To: <dave@xxxxxxxxxx>
> Date: Thu, 16 Feb 2006 18:11:38 -0500
> To: <ip@xxxxxxxxxxxxxx>
> Subject: [IP] OS X "comes of age" (malware)]
> 
> When I said this was possible, even IPers yelled so...
> 
> Dave
> 
> -------- Original Message --------
> Subject: OS X "comes of age" (malware)
> Date: Thu, 16 Feb 2006 13:31:20 -0500
> From: Steve Goldstein <steve.goldstein@xxxxxxx>
> To: dewayne@xxxxxxxxxxxxx (Dewayne Hendricks), "David Farber
> [IP]" <dave@xxxxxxxxxx>
> 
> http://blog.washingtonpost.com/securityfix/?referrer=email
> 
> Brian Krebs on Computer Security
> 
> Posted at 10:05 AM ET, 02/16/2006
> Apple Worm and More Mac Patches
> The first piece of self-propagating malware targeting Apple's Mac OS
> X operating system has been spotted online and appears to be
> spreading disguised as a picture of the next version of the OS.
> This is significant on many levels. I have been talking with security
> experts over the past few weeks about the research community's
> increased interest of late in Mac virus threats and exploits. The
> general theory among some of the folks I spoke with at recent hacker
> conferences was that 2006 was ripe to be the year of "Macsploitation"
> (my term).
> This kind of talk has never sat well with the Mac user community,
> which tends to view these sorts of predictions as a type of jealous,
> wishful thinking from users of another operating system that is
> constantly under attack. (For an excellent illustration of this
> dynamic, check out the "Castle OS X Stormed" posts over at the A Day
> in the Life of an Information Security Investigator blog.)
> Just yesterday in fact, I spoke with John Barnes, president of
> Washington Apple Pi, a local Mac user group with a long history, and
> he echoed those sentiments, noting that if Mac users are somewhat
> smug when it comes to security ... well, they have a right to be.
> Slashdot has now picked up on this, linking to the original thread
> about this problem over at Mac Rumors. The anti-virus firm Sophos has
> classified this thing as a worm, calling it OSX/Leap-A. Sophos
> classifies it as an instant-messaging worm.
> It's not clear to me at this point whether this is truly
> self-propagating, as I'm fairly sure OS X is set up so that infecting
> a machine and spreading malware would require some sort of user
> interaction or approval. Imagine that: the first Mac OS X malware
> worth noting and no one knows whether to call it a worm, a virus or a
> Trojan horse. At any rate, I'm sure we'll hear more about this soon
> (and see a slew of other names for this thing once the other
> anti-virus companies jump on the bandwagon).
> In other Mac news, Apple has issued an update to fix several problems
> in OS X, but the company could be a little clearer about what exactly
> those problems might entail.
> In a somewhat spare advisory issued Tuesday (a few hours after
> Microsoft released its bundle of patches) Apple advised OS X 10.4.4
> users to upgrade to 10.4.5 to address a few "improvements" in the
> operating system. Among the improvements Apple cited were "time zone
> and daylight saving changes for 2006 and 2007"; a fix that addresses
> "a potential crash which may occur when processing large amounts of
> data in MySQL" databases; and an "issue with using and mounting
> Windows-formatted storage devices."
> Apple provides no other information or acknowledgment on its Web site
> as to whether these are security problems or merely fixes to help
> ensure smooth functioning. Mac users who have subscribed to Apple's
> security mailing list received an e-mail detailing one
> security-related fix in 10.4.5 (although this is not a particularly
> serious risk). Why not include that information in the advisory on
> Apple's Web site?
> If I'm a little sensitive to this, it's because I've spent the last
> several weeks poring over Apple's security advisories going back
> three years, and noticed a welcome trend from 2003 into 2004 (OS X
> 10.3.4 and prior versions) away from such vague disclosures where
> security fixes were routinely called "improvements" with little
> elaboration.
> Mac OS X 10.4.4 users can upgrade in one of two ways: through the
> standalone installer, available from Apple Downloads, or through
> Software Update.
> Update, 10:49 a.m. ET: This thread over at Ambrosia Software seems to
> have the most coherent and rational explanation of what's going on
> with this Mac OS X malware. From that post:
> "You cannot be infected by this unless you do all of the following:
> 1) Are somehow sent (via email, iChat, etc.) or download the
> "latestpics.tgz" file
> 2) Double-click on the file to decompress it
> 3) Double-click on the resulting file to "open" it
> ...and then for most users, you must also enter your Admin password.
> You cannot simply "catch" the virus. Even if someone does send you
> the "latestpics.tgz" file, you cannot be infected unless you
> unarchive the file, and then open it."
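Both Irwin's description above and the Ambrosia post quoted at the end make the same point: the file only does harm because it is presented as pictures while actually being a program that asks for administrator credentials. The check a defender can automate is the mismatch between what an archive member claims to be (its name and extension) and what its first bytes say it is. The Python below is an added example, not code from the original message or from any party quoted in it; it builds a constructed tar.gz in memory whose member names and contents are invented for the demonstration (a genuine JPEG header beside a file that carries only a Mach-O magic number and an executable permission bit), then reports every member whose content type disagrees with its name, is an executable image, or has an executable mode bit. The magic numbers are the standard JPEG, PNG and Mach-O signatures; nothing here is taken from the malware itself.

```python
"""Flag archive members whose real content type disagrees with their name.

Added example (not from the original message). Sample archive and
member names are constructed for illustration only.
"""
import io
import tarfile

# Well-known file signatures. 0xCAFEBABE is shared by Mach-O universal
# binaries and Java class files, so treat that hit as "executable-like".
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "macho": [
        b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # 32/64-bit, big-endian
        b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",   # 32/64-bit, little-endian
        b"\xca\xfe\xba\xbe",                         # universal (fat) binary
    ],
}

# What a user would reasonably expect from the file extension alone.
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return "unknown"


def claimed_type(name: str) -> str:
    """Classify a file by what its extension promises."""
    lower = name.lower()
    for ext, kind in IMAGE_EXTENSIONS.items():
        if lower.endswith(ext):
            return kind
    return "unknown"


def inspect_archive(blob: bytes) -> list:
    """Return one finding per regular file in a gzip-compressed tar blob."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(8)
            actual = sniff_type(head)
            claimed = claimed_type(member.name)
            executable = bool(member.mode & 0o111)
            mismatch = claimed != "unknown" and actual != claimed
            findings.append({
                "name": member.name,
                "claimed": claimed,
                "actual": actual,
                "executable_bit": executable,
                # A picture archive has no business containing a Mach-O
                # image, an executable, or a file lying about its type.
                "suspicious": actual == "macho" or executable or mismatch,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one real-looking JPEG header, one Mach-O header."""
    members = [
        # (name, mode, content) -- all three values are made up for the demo.
        ("latestpics/screenshot1.jpg", 0o644, b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("latestpics/latestpics", 0o755, b"\xcf\xfa\xed\xfe" + b"\x00" * 16),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, content in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            info.mode = mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']}: claims {f['claimed']}, "
              f"is {f['actual']}, exec bit={f['executable_bit']}")
```

Run stand-alone, the script reports the JPEG member as clean and the executable member as suspicious. The same three tests (magic bytes versus extension, executable image, executable permission bit) are what a mail gateway or download scanner applies before a user ever reaches the double-click and password prompt that the quoted posts describe.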


-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/