Source code for a Mac virus has gone public, a security company warned Friday, and although the original doesn’t carry a malicious payload, more dangerous variants can be expected. The virus, dubbed ‘OSX.Macarena’ by Symantec, targets some, but not all, Mac OS X Mach-O executables. “Although methods of infecting Mach-O binaries have been publicly available for some time, this marks the first known fully functional Mach-O file infecter virus,” Symantec noted in an alert to customers of its DeepSight threat network on Friday. “The source code for this virus is publicly available and as such it is possible that variants may be trivially developed to extend the virus’s functionality.”
This is going to be a fun thread, right?
Before anybody jumps to conclusions, get a sense of perspective please. 1 vs 140’000; lowest rating possible vs critical flaws; proper disk permissions vs free rein.
I’m still safe as I was before thanks.
Edited 2006-11-04 21:56
Proper disk permissions vs. free rein?
It looks like someone has never researched NTFS’s ACL, and actually looked at the default file permissions on various directories on a Windows system …
I’m not sure what your point is, but the default on my Win2K3 system is that I cannot write much outside my home folder ( C:\Documents and Settings\username\* ). I have modified permissions since installation, but the default is pretty strict.
Exactly my point. Windows has rather strict NTFS permissions. The poster is simply ignorant.
The problem is, once again, people using Windows as Administrators.
It would be nice if – when loading the desktop in Windows as Administrator – a warning popped up, telling the user about the risks when running as Administrator.
The fact XP gives the first created user Administrator rights doesn’t make it any better.
Actually, the problem is that Microsoft has never made it convenient for people to run as *non* Administrators.
I mean, c’mon… I have to have special privilege to *eject* removable storage?
Which, by the way, under 2000/XP was covered under the obvious policy “Allow user to format removable media”.
And don’t get me started on application vendors who will tell you with a perfectly straight face that you have to have local Administrator privilege to run their application, and they don’t support it in any other configuration.
Woot? O_o
You don’t need special privileges to do that. Anyone can eject CDs, USB sticks and such in Windows.
It’s in Linux, we need special rights (sometimes taken care of during post-installation configuration) to mount, and unmount.
What you do need special privileges for in Win2K, XP and Win2K3 is direct access to hardware – like if you need to burn a CD/DVD-R(W).
There are also many applications for Linux that will not run unless you run with root access. However, they tend to require root access for good reasons. Like a disk partitioner.
So far I haven’t encountered any application requiring Administrator rights in Windows, except for installation, Windows/Microsoft Update and a few low level tools.
It _is_ somewhat inconvenient to run as non-Administrator, but mostly in regard to installation of applications. There will be a few applications where you need to modify read/write permissions in order to run as restricted user.
An alternative is to run as (Power) User, in which case, you need to modify very little.
And don’t get me started on application vendors who will tell you with a perfectly straight face that you have to have local Administrator privilege to run their application, and they don’t support it in any other configuration.
Let me first mention that this is kind of off-topic; although as a developer that targets Windows/.NET exclusively these days, I will give you a nice example of that.
One of our applications makes use of Crystal Reports (the version shipped with Visual Studio is royalty-free, so you can code for it and then redistribute it with your application). I could look for the link or post you a screenshot of the documentation where it clearly says that administrator privileges are required for the Crystal Reports Merge Module to install, during the install process, otherwise you won’t be able to register the OCX/COM DLLs properly.
Now before you scream: “but I’ve said *run*, not *install*”, I can only say: you’re right, but *normally* unless you’re writing a new .NET application with no dependencies and everything tightly integrated (and not using the GAC) you will need Admin privileges to *at least* install the application.
The thing is, back to my example, if you later run the application with limited privileges, some Crystal Reports calls will raise an exception.
Now we could blame Crystal Reports (and we do) but that’s what we have. Love it or hate it (and we hate it).
To be honest, the correct way to say it is: Windows doesn’t make it easy to use a limited account; everything is a possible little problem or additional step.
YMMV.
“The problem is, once again, people using Windows as Administrators.”
No, the problem is that the majority of Windows developers does not have a single clue about security and willingly and/or cluelessly design their applications to only work for the Administrator user (or other user with full privs).
Really? Do you know “most” Windows developers?
“Most” of the software I use on any Windows system runs perfectly well under a limited account.
“Really? Do you know “most” Windows developers? ”
Having used Windows in all incarnations since 3.1 to date I have a pretty good clue about how security conscious Windows developers in general are.
And yet one does not have to do anything special as a developer (if your program doesn’t do any lower-level HW access) to allow your program to work under a limited account, so yours is a moot point.
Sounds like you’re just looking for a reason to rag on Microsoft.
Bad registry access such as HKLM for a limited user is bad software design that I find everywhere (even in the latest Flash plugins, for example).
But again, as with Windows, a user account compromise could be dreadful if not taken seriously on OS X.
Plus, I will repeat again, limiting the use of removable devices on workstations for limited accounts is not a bad idea either, as they pose more and more security problems (think floppies, think information leakage).
From what I have seen Win2k3 is a server system that is set up with a good set of defaults. I think that the original comment was directed more toward desktop systems (OSX is marketed/sold as a desktop station, as is XP).
Comparing OSX to XP defaults (where user is admin) is a different matter. Vista is just about fully out, and will bring a much more sensible set of rules when it comes to security.
XP has some sensible defaults except for the “first user is Admin”-approach.
If you use XP as Power User or Restricted User, you will see that read/write permissions are quite sane. Even obnoxious. The problem is that the typical XP-user is running as Administrator.
Even at my college, we’re running with Admin rights on our PCs. Luckily we _are_ behind a proper firewall – but still. I could ruin every single XP installation if I wanted to, since I have admin rights on all the student-accessible machines I have access to. And all the other students can do the same. It only works because we have no incentive to do damage. (We’re bending the rules, but that’s because we’re not allowed to install Firefox – so we do it anyway.)
Problem is, Symantec has warned so often that Macs would now be under attack that you wouldn’t believe them anymore, even if they were right this time.
Will this virus become a real problem?
no.
Wasn’t this Macarena virus created a few days ago as proof of concept? And suddenly now it’s “out in the wild”? How convenient for Symantec, with their shrinking Vista user base. Pardon me if I smell a large rat here.
“Wasn’t this Macarena virus created a few days ago as proof of concept? And suddenly now it’s “out in the wild”? How convenient for Symantec, with their shrinking Vista user base. Pardon me if I smell a large rat here.”
I was thinking the same thing, but if they lose most of the Windows market to Vista’s own AV package, even if they could convince every Mac user to buy their software it wouldn’t begin to make up for the Windows loss. The installed base of Mac users just isn’t big enough. I believe they tried the same thing with Pocket PCs.
Symantec has a big problem. Maybe they are working on “proof of concepts” for phones?
software, so of course they’re going to warn more Mac OS X exploits are coming.
If it can’t get past your home folder, how much trouble can it cause?
If it can’t get past your home folder, how much trouble can it cause?
Well, it might make Apple push backups harder, which will drive external hard drive sales, etc. So, probably not much “trouble” at all!
If it can’t get past your home folder, how much trouble can it cause?
Way too much. Only deleting all your emails, documents, scan for PINs, CC numbers, passwords, email/IM itself to your entire address book.
It would be trivial to modify this to get past your home folder given that the vast majority of OS X users log in with administrative accounts. Note that the password dialog that pops up for elevated privileges (under an administrator account) is a mere courtesy from application writers, not something that is required by the OS.
This is wrong. An Administrator account in Mac OS is still under root. Try going to your hard disk, select Applications or System and press Cmd+Backspace. Instead of all your applications going into the bin, it prompts for your password. An administrator password can substitute for root actions, but you are always prompted.
This is not the same as Windows where you can delete as you please, only stopped by anything already in use.
Try going to your hard disk, select Applications or System and press Cmd+Backspace. Instead of all your applications going into the bin, it prompts for your password.
That’s only due to UNIX permissions on the folder. Try selecting the applications within the Applications folder and pressing Cmd+Backspace.
That’s not what I was talking about, however.
An administrator password can substitute for root actions, but you are always prompted.
This is absolutely and utterly false. See Apple’s own documentation on the issue: http://developer.apple.com/documentation/DeveloperTools/Conceptual/…
The authentication services API allows administrators to use elevated privileges without prompting for a password. Note that such popular software as Parallels actually uses this procedure to install kernel extensions without prompting for a password.
For a layman’s explanation, see http://www.macgeekery.com/tips/security/how_a_malformed_installer_p… .
This is not the same as Windows where you can delete as you please, only stopped by anything already in use.
Again, the same as with OS X. Except Vista actually fixes this.
Look, I use a MacBook with OS X myself; I’m not trying to make OS X look bad. But let’s not lie about the way security works.
EDIT: Follow-up at http://www.codepoetry.net/2006/09/20/thwap_thwap_is_this_thing_on .
Edited 2006-11-05 00:56
This just reinforces the idea that you should be running as a non-admin user for your everyday work. If I am not mistaken, all of the above actions require a password prompt under a regular user account (except for deleting an application installed by the user himself).
Edited 2006-11-05 01:17
This just reinforces the idea that you should be running as a non-admin user for your everyday work.
Right, but who does that?
Right, but who does that?
I certainly do. Almost all OS X applications are designed with limited permissions in mind and I haven’t encountered any that won’t work on my regular user account.
The bottom line: There is no reason not run as a regular user for your everyday work.
Edited 2006-11-05 02:15
Well, I do. I hope you do too. However, I’ve noticed many ordinary users run with admin rights. Bad, very bad.
Correct, but with the default installation of the OS creating an Admin user, OS X is on par with Windows XP in this regard.
Except as the default user on a XP system I can simply jump to a command prompt and delete anything I like anywhere in the system without it complaining (unless the file is in use). On OSX you at least have to use sudo, which then prompts for a password…
On XP home edition everybody is admin aka windows 98.
By default every user you created has admin rights.
It’s not true that on XP Home everybody is admin. The initial account is admin by default, but any accounts created after that can be admin or limited. When creating a new account, the Account Creation wizard presents you with radio buttons, one for Admin and one for Limited; you select one, then press Next to continue the process of creating the account.
I must be missing something here – I read the developer.apple.com article and it specifically says that the package will require authentication for root actions unless you are logged in as the root user. Is this not the case? Is it to do with the pre- and post- scripts – will they just do root stuff without needing authentication? Do these scripts run with root privs by default? If so this is a HUGE security issue.
Edited 2006-11-05 03:25
This is a bad security problem. However, it is only a bug in the installer. This does not let you run random code as root without putting it in an installer package, which at least does require confirmation from the user to run (if not a password). The authentication dialog is not a courtesy — it is actually required to gain root, unless you are running setuid root, like the Installer.
I’m not trying to imply that this is not a problem, but characterizing the entire OS X administrative framework as a “courtesy” because of a problem with the Installer is hardly accurate.
That’s not a bug in the installer. That’s a feature, well documented by Apple.
There’s no admin password asked for when a package that requires admin rights is installed. But in this case, the preflight and postflight scripts are executed with ROOT privileges.
What may be encountered is a simple Application on a disk image, installed by dragndrop in the /Applications folder.
At first launch, that Application will execute the command line tool ‘installer’ on a bad package embedded in its resources.
BOOM, root privilege, that Application can do anything on your mac!
So, when I saw this tutorial on the vxheavens site, I was really scared.
This “virus” was named macarena by Symantec but the 29A author named it machoman.
Just google “machoman virus”, that’s not hard.
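The scenario described above (an app that carries a package and hands it to `installer`, whose preflight/postflight scripts then run as root) is something a defender can check for before installing. The following is an added example, not code from the thread or from Apple: it lists the scripts Installer would run as root from a bundle package (Contents/Resources) or from a flat package already expanded with `pkgutil --expand`, and finds packages nested inside an application bundle. The sample app and package it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Before installing a package (or
# launching an unfamiliar app), enumerate the scripts that Installer would run
# as root and look for packages hidden inside an app bundle's resources.
#
# Layouts handled (directory names follow Apple's conventions for the formats):
#   - bundle package:  Foo.pkg/Contents/Resources/{preflight,postflight,...}
#   - flat package expanded beforehand with `pkgutil --expand Foo.pkg DIR`:
#                      DIR/Scripts/{preinstall,postinstall,...}

# list_privileged_scripts DIR: print one path per root-executed script found.
list_privileged_scripts() {
    pkgdir="$1"
    for name in preflight postflight preinstall postinstall preupgrade postupgrade; do
        for candidate in "$pkgdir/Contents/Resources/$name" "$pkgdir/Scripts/$name"; do
            [ -f "$candidate" ] && printf '%s\n' "$candidate"
        done
    done
    return 0
}

# count_privileged_scripts DIR: number of such scripts (0 when there are none).
count_privileged_scripts() {
    list_privileged_scripts "$1" | wc -l | tr -d ' '
}

# find_embedded_packages APP_BUNDLE: print any .pkg/.mpkg nested inside the app,
# the carrier for the "bad package embedded in its resources" the post describes.
find_embedded_packages() {
    find "$1" \( -name '*.pkg' -o -name '*.mpkg' \) -print
}

# count_embedded_packages APP_BUNDLE: number of nested packages.
count_embedded_packages() {
    find_embedded_packages "$1" | wc -l | tr -d ' '
}

# Demo on a constructed sample (nothing is installed): an app bundle carrying a
# bundle package that has a postflight script.
demo_dir=$(mktemp -d)
sample_app="$demo_dir/Sample.app"
sample_pkg="$sample_app/Contents/Resources/hidden.pkg"
mkdir -p "$sample_pkg/Contents/Resources"
printf '#!/bin/sh\necho would run as root\n' > "$sample_pkg/Contents/Resources/postflight"

echo "Packages embedded in $sample_app:"
find_embedded_packages "$sample_app"
echo "Scripts Installer would run as root from $sample_pkg:"
list_privileged_scripts "$sample_pkg"
rm -rf "$demo_dir"
```

Any script the listing turns up is worth reading before the package is installed, since it executes with root privileges regardless of whether a password dialog appeared.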
You might not be able to delete the Applications folder without being prompted, but you can certainly muck with the contents of the folder without being prompted. In fact, that’s how much Mac software is installed – drag the app to the Applications folder. If you’re running as admin, which nearly all Mac users do, you get no password prompt for such an operation. Nor do you get prompted for deleting, renaming, or altering the contents of files in the Applications folder.
Edit: I wrote the above before I read eMagius’s more technical version of what I wrote. Refer to his post for technical details.
Edited 2006-11-05 03:05
If it can’t get past your home folder, how much trouble can it cause?
Use a little imagination. A lot of viruses today use multiple exploits to work their evil. For example, kernel buffer or network stack overflow to get in the door. This exploit to modify your executables.
Reading about this virus makes me feel like placing my hands on my hips and singing:
When I dance they call me macarena
and the boys they say that I'm buena
they all want me, they can't have me
So they all come and dance beside me
move with me jam with me
and if your good i take you home with me
A la tuhuelpa legria macarena
Que tuhuelce paralla legria cosabuena
A la tuhuelpa legria macarena Eeeh, macarena
A-Hai 2x
Now don't you worry 'bout my boy friend
the boy who's name is Nicorino
I don't want him, 'cause sent him
he was no good so I – hahaaaa
Now, come on, what was I supposed to do ?
He was outta town and his two friends were soooo fine
Ref. 2x
Claps Ahai Ahai
Keys
Ref. 2x
Lach
Come and find me, my name is Macarena
always at the party,
'cause the chicos think I'm buena
come join me, dance with me
and all your fellows cat hello with me
Ref. 5x
+1 modup
THX for the lyrics & yeah, same thought .. let’s all dance the Macrarena … uhhh macarena … ahai
Silly people without a sense of humour modding down .. uhh .
Finally I know what that song is about
Nice try but it’s something more like
dale a tu cuerpo alegría maracarena
que tu cuerpo es pa darle alegria y cosa buena
dale a tu cuerpo alegría macarena
the rest it’s ok
This should show how worried people are about the virus, this forum is being used to discuss the correct lyrics of Macarena
No matter how bad the virus is or even could be, the song is worse.
LOL. Completely off-topic, but if you are going to sing Spanish, do it right.
It’s “baila tu cuerpo alegria macarena” not the gibberish you were singing.
Off-Topic
http://listserv.buffalo.edu/cgi-bin/wa?A2=ind9605&L=flteach&T=0&P=2…
As a Spanish native speaker and owner of the Macarena song, I can tell that there are a few typos in that transcription, but it’s mainly accurate.
Heyyy Macarena!
It is a conspiracy. They need to sell av software. They created the virus and they let it out in the “open”.
True, they did create the virus:
“OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.”
See http://www.symantec.com/security_response/writeup.jsp?docid=2006-11…
If the code is in the open, someone should sue Symantec – putting out code for everyone so they can get more money for their anti-virus. It’s like giving angry people guns to sell more body armor.
Edited 2006-11-04 22:25
True, they did create the virus:
“OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.”
See http://www.symantec.com/security_response/writeup.jsp?docid=2006-11…..
Where does it say Symantec created the virus?
Woops – the docid = 2006-110217-1331-99
I see the virus listed on symantec’s site but I don’t see where symantec claims to have written it.
Proof of concept doesn’t mean they wrote it.
Very true, however my trust in Symantec has always been broken due to their tactics. It may be wrong to assume they wrote it and more wrong to say they did here however from their past I would bet they did.
It’s really not kosher to make claims about companies like that.
Is this the same virus which didn’t have a method of travel, i.e. the user had to manually copy it to another drive or email.
How is this any different than the other proof of concepts such as.
rm -rf ~/*
And because it’s deleting your home stuff, will it even ask for the password?
I think that’s really stupid.
Let’s see it!
Is there any actual info out there beyond the Symantec PR?
I still don’t see how this is supposed to travel. It does not automatically run if you are somehow tricked into downloading it (I mean, we don’t have IE or OE to do that for us in Mac-land), so what’s the big deal?
I can make a program in Xcode that will do a recursive delete of a user’s directory. Is that a virus?
their own mac software before scaring people.
I downloaded their Yahoo Widget
http://www.symantec.com/home_homeoffice/themes/threatmeter/index.js…
just out of morbid curiosity and it crashed and/or locked up. What a joke.
IF viruses ever become a more moderate problem on OS X, I’d go with VirusBarrier or ClamXav, and Symantec and McAfee can suck up and bust. Mac users don’t put up with crapware.
Apple is not microsoft.
So for years there has been the Unix-like root account; without the root password the virus can’t do much damage.
And every 2 years there is a new version of OS X. So it’s much more difficult for a virus developer to make it run on every OS X version.
So for years there has been the Unix-like root account; without the root password the virus can’t do much damage.
I can assure you that “rm -rf ~” is very painful no matter which account type you are using.
And every 2 years there is a new version of OS X. So it’s much more difficult for a virus developer to make it run on every OS X version.
Tiger is the first version of OS X with a stable API. This basically means a virus written for Tiger will most likely work on subsequent versions, such as Leopard.
Edited 2006-11-05 07:23
Funny tho .. The last time I installed OSX I created one account and ran that way for a while. I tried to run nmap from the terminal I think, which required root privileges to run certain options. Since I couldn’t su to the root account I tried without knowing if it would work to do a “sudo passwd”. Lo and behold it prompted me for the new root password. Which tells me that users have sudo privileges out of the box. On a side note enabling the administrator account and browsing around in finder I could not open any user’s home folders but as root in terminal I could see them all. So IMO OSX still has a way to go to be completely locked down.
Because it is the first account on the system? I wonder if sudo passwd still works for an additional regular user account.
“It would be trivial to modify this to get past your home folder given that the vast majority of OS X users log in with administrative accounts.”
From Mac OS X The missing manual.
“An administrator’s account isn’t exactly a skeleton key that gives unfettered access to every corner of the Mac. Even an administrator isn’t allowed to remove files from the System folder or other files whose removal could hobble the machine.” If this is correct it would be a bit more than trivial to do much damage.
Edited 2006-11-05 06:51
Symantec and Intego are the only anti-virus companies truly pushing their software for Mac OS X and, with 2 exceptions, they’re also the only ones “discovering” anything remotely close to a virus and they’re not self-sustaining. They require help to work, so that they can only be called exploits, of which there are a few.
It’s simple enough. I download an application and I click a button and it deletes my files. It meant to do that and I did not. Certainly, it didn’t do it on its own but I helped it. Obviously, if it says “file manager” in the title, it’s supposed to do things like that and if not, it’s probably a trojan horse.
The only thing worse than these exploits is installing Symantec’s software on a Mac. I see many people complaining about how their system ends up with kernel panics or crashes otherwise after installing one of their packages. At least, the current exploits don’t do anything that harmful.
They might want to wait for another vendor to “discover” exploits because they have little credibility.
Wheeeehoooyah, First potential virus for macs! Symantec’s going ka-ching! Now let me quickly load my free intelligent anti-propaganda program… I use a virus program called winxp for untrusted internet and untrusted email. If this virus program gets too corrupt I simply delete it outa OS X and start a fresh virtual machine, totally none affecting OS X!
Viruses for OS X…? They gotta get on the machine first before they can work! Bring em on!
Sure the virus itself can cause loads of damage, but without a method of spreading it’s pretty harmless. (At least if you keep backups).
So does anybody know how it would spread?
So does anybody know how it would spread?
Itunes?
So does anybody know how it would spread?
Perhaps, Symantec will include it as an attachment in their marketing e-mails.
It’s impossible to prevent an executable from altering other executables of the same user during execution. There isn’t any OS capable of avoiding this.
If you download some executable, it can do it. The Windows virus epidemic is due to OS design and implementation flaws which allow, for example, a program to execute on your machine when you are web surfing.
You may also have Applications flaws. Don’t forget it.
Firefox is actually vulnerable, for instance.
Don’t be naive.
…than system security.
As for most people, losing their documents (or sending them out into the wild), keychain passwords, or being set up as a botnet node is less important than losing system security.
Of course it is inconvenient to mount removable drives or access external hardware, because in some companies unverified leaking of documents can occur via these media. And in most sysadmin jobs it is part of the job to be paranoid.
But I’m not afraid, usage of Mac systems is still sparse, so “natural” selection will make it again a failure in the Mac virus attempt (a bad analogy would be to compare the Mac OS X system with pandas: they’re cool but there are not many of them, so having a widespread virus among pandas is unlikely).
“Mac virus author admits coding difficulties. The proof of concept Mac OS X virus, which we reported on last week as more of a publicity stunt than actual threat, includes comments in the code that indicate the author had a difficult time creating the malware according to ZDNet. ‘According to antivirus firm Symantec, Macarena was discovered last Thursday and has infected less than 50 machines. Macarena has a very poor replication mechanism and is unlikely to cause problems for the majority of Mac users. Peter Ferrie, senior security response engineer at Symantec, explained in his blog that the virus does not cause any serious problems and is unlikely to spread very far. “There is no payload in this virus — it simply replicates. However, it won’t replicate very well, because it is restricted to the current directory,” said Ferrie.’”
nuf said!