First Mac OS X Virus, that’s it! I switch!

Feb 17, 2006 at 04.28 am, posted by Veerle Pieters

Got you there ;-) Please remain calm, breathe and for God’s sake stop all the FUD. The Belgian papers even write about it, so it must be a slow news day. Some even speak of a widespread panic among the Mac community. High time for some real facts and tips to prevent yourself from becoming a victim of this malware.

OS X/Leap.A

They called it OS X/Leap.A and it was first seen on February 13th in a thread on MacOSRumors.com called “Alleged screenshots of OS 10.5 Leopard”. It tried to trick users into downloading a file called “latestpics.tgz”. You need to unstuff it first and then double-click it. When you do, it opens Terminal and executes if you’re running an admin account.

Some call it a virus, others a worm, but it is just a piece of malicious software. So let’s set the record straight and see whether hyperventilating is really necessary. First of all, no operating system is safe; it’s just like with cars: in the wrong hands they can do harm. People are the greatest security risk, so every system is vulnerable to social engineering. OS X/Leap DOES NOT exploit any security flaw in Mac OS X at all. The floats are NOT open and this is NOT the end.

Is it dangerous?

It’s another proof of concept, just like the previous time, so not particularly dangerous. It attempts to self-propagate through iChat. Setting iChat to not automatically accept incoming files is a pretty good protective measure; this is the standard setting btw on a fresh install.

Am I likely to be infected?

So far the risk of infection is relatively small, as it has only appeared on the MacRumors forums and was quickly removed by the forum’s moderator. Remember, you first must uncompress it and then double-click it to run; it will NOT run itself. For those who believe that OS X is an unconquerable castle, this is a wake-up call. The possibility is real that next time it will be more destructive. It only runs as PowerPC code, so Intel Macs are not affected.

What can I do to be safe?

Never ever downloading a file from an unknown source is a pretty good start. Even when somebody from your address book tries to send you a file, do as I would do and ask first what it’s all about. You could also run a non-admin account. The boys and girls from Iconfactory have a good program called DownloadCheck, an application that checks for applications in your Downloads folder: it looks for applications that hide behind document icons. It was written in response to the MP3Concept Trojan horse of April 2004.
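
The kind of check DownloadCheck performs can be scripted by hand. The script below is an added example written for this post, not Iconfactory’s code: it walks the top level of a downloads folder and reports application bundles (which the Finder draws with whatever icon the bundle requests, so they can pass for a picture or document) and plain Mach-O executables, flagging those whose name ends in a document extension. It assumes POSIX sh and od(1); the function names, the extension list and the sample names are my own.

```shell
#!/bin/sh
# Added example, not Iconfactory's DownloadCheck: walk a downloads folder and
# flag items that are really programs even though they arrived looking like
# documents. Assumes POSIX sh and od(1); function names are my own.

# First four bytes of a file as lowercase hex (e.g. "feedface").
magic_hex() {
  od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n'
}

# True if the file starts with a Mach-O or universal-binary magic number
# (32-bit, 64-bit and fat headers, in both byte orders).
is_macho() {
  case "$(magic_hex "$1")" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
  esac
  return 1
}

# True if the name ends in an extension a user would take for a document.
looks_like_document() {
  case "$1" in
    *.jpg|*.jpeg|*.gif|*.png|*.tif|*.tiff|*.pdf|*.txt|*.doc|*.rtf) return 0 ;;
  esac
  return 1
}

# Print one line per suspicious top-level item in the folder given as $1:
# application bundles, and plain executables with an extra flag when the
# executable carries a document-style name (e.g. something unpacked from a
# "latestpics" archive that turns out to be a program, not a picture).
scan_downloads() {
  dir=$1
  for item in "$dir"/*; do
    [ -e "$item" ] || continue
    name=${item##*/}
    if [ -d "$item" ]; then
      case "$name" in
        *.app) printf 'APP BUNDLE: %s\n' "$name" ;;
      esac
    elif is_macho "$item"; then
      if looks_like_document "$name"; then
        printf 'EXECUTABLE WITH DOCUMENT NAME: %s\n' "$name"
      else
        printf 'EXECUTABLE: %s\n' "$name"
      fi
    fi
  done
}

# Usage: sh downloadcheck.sh [folder]   (defaults to ~/Downloads)
scan_downloads "${1:-$HOME/Downloads}"
```

Run it after unstuffing an archive into the Downloads folder; anything it lists deserves a second look before a double-click. The extension list is deliberately short and case-sensitive, so extend it to match the files you actually receive.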

Anti-virus can’t hurt either, and I think these guys are laughing about this proof of concept since it will generate sales for them. If you don’t want to spend money you can use ClamXav, a free application. I personally don’t have any virus app on my Mac now; I used to, but I won’t bother until it is absolutely necessary, and until then common sense will prevail. A pretty good in-depth article is written by Andrew Welch of Ambrosia Software, makers of SnapzPro.


1. Matt Turner, Tue Feb 28, 2006 at 08.11 am

“You could also run a non-admin account.”

Or to put it another way, you should NEVER run as an admin account; once you’ve set up your Mac there is no good reason to.


2. Raven, Tue Feb 28, 2006 at 08.12 am

Maybe a good idea for a poll: who’s running anti-virus software on his Mac? Personally, I haven’t used any AV app in the last 10 years.


3. Veerle, Tue Feb 28, 2006 at 08.14 am

@Matt Turner: I adjusted my article with your comment in it. Hope you don’t mind ;-)

@Raven: Good idea and I added two questions to the article ;-) I do not use anti-virus and run as admin, yes I’m guilty.


4. rob-ot, Tue Feb 28, 2006 at 08.16 am

Just something nice to know: 25 years ago the first virus was called Elk Cloner and was a virus for the Apple II. (source)

And now I’m going to unplug my internet connection until the world is a safe place again :)


5. Rogier, Tue Feb 28, 2006 at 08.17 am

I like the part where you say: “no Operating system is safe, it’s just like with cars, in the wrong hands they can do harm.” This is very true (and a perfect metaphor).

And as for anti-virus on my Macs, no I don’t use it anymore. I used Virex for about a year on my PowerBook (company policy), but it only warned once about some Windows virus. Most of the time it was just eating my precious CPU cycles, so I got rid of it.
I do, however, have anti-virus on my fileserver (Linux), to ensure virus-free files so that I don’t have to worry if I ever need to send files that I didn’t create to customers.


6. Geert Leyseele, Tue Feb 28, 2006 at 08.28 am

I’m not running any virus protection either. I also have an admin account, which is the case for most Mac users I would guess.


7. Peter, Tue Feb 28, 2006 at 08.29 am

I agree: as long as the Mac isn’t infected through exploits, I’m not installing a resource-eating virus scanner.

What’s next? Anti-spy-and-adware software, just in case one developer would try to incorporate it in his software? Please… get real.
Besides, if someone would ever try to do so, it would not be accepted as easily by the Mac community as it has been in the past by Windows users. Guess they’re used to everything invading their system core :-)


8. Marco, Tue Feb 28, 2006 at 08.30 am

This stuff is just crap. It has nothing to do with ‘a virus’. It’s like sending a malicious binary to any UNIX sysadmin and asking him to please run this under the root account.

I look at this as a stupid attempt from people to discredit the Mac’s superior security model (just as secure as any well-maintained UNIX OS like Linux, FreeBSD etc.)

You just can’t screw around with UNIX OSes like you can with Windows. Linux has been around for much longer than Mac OS X and no one has ever managed to write a Windows-style virus for it. Trojans, exploits and worms have been created on any OS, but real viruses? Nope, not on UNIX.


9. Blair Christopher, Tue Feb 28, 2006 at 08.31 am

I do not use anti-virus software. It wouldn’t help with this particular malicious software anyway from what I hear about it.

I do not run as an admin account.


10. Pat, Tue Feb 28, 2006 at 08.32 am

I think Mac OS is as secure as it can be, but of course it’s not perfect. But in security, the weakest link is often the user. It would be a mistake to think that because we are using a “secure” OS, we don’t need to think about what we are doing. I mean, a lot of problems (not all, obviously) can be avoided with user education and afterwards, when one is educated, with good sense and vigilance.

For my part, I don’t use any anti-virus (on my Mac) and I use an admin account (I know, I shouldn’t) :-)


11. Jamie, Tue Feb 28, 2006 at 08.33 am

I don’t run AV software, and I do run an admin account. But, thinking about it, I really don’t need to; the only trouble is I have a lot of fonts/software installed for this user now, so it’s not feasible for me to set up a non-admin account.

However, this isn’t to mean I’d be as naive as to double-click something without knowing what it is. This is (as others have pointed out) an attempt to defecate on the *nix safety net we all live in…however, we are all a bit too confident, and should be more careful.

Rule 1: run a non-admin account if it’s feasible.
Rule 2: don’t double-click files sent to you without asking what they are first.
Rule 3: engage brain before activating computer.


12. Denis Defreyne, Tue Feb 28, 2006 at 08.35 am

I don’t have any antivirus software. I used to run Virex and ClamXav, but they don’t really do anything except slow down my Mac. (I haven’t ever had a virus on my Mac in the past… 10 years or so.)

The account I normally use is an admin account.


13. Nick, Tue Feb 28, 2006 at 08.36 am

I have never heard of the rule not to use an admin account. I am still relatively new to Mac, so I am still learning. Are you suggesting that you just set up a “standard” account and use that account day to day? Is there a difference between the default admin and if you were to create a new user and give them admin rights? You have piqued my interest and I feel like I need to be using a new account. Any help would be appreciated.

Thanks


14. Stuart Maynard-Keene, Tue Feb 28, 2006 at 08.36 am

No anti-virus here and I run as admin.


15. Kelly Brown, Tue Feb 28, 2006 at 08.37 am

Is this a colloquialism of the Flemish (Belgish/Belgic sounded terrible):

“The floats are NOT open”

I can guess from the context what you mean by it but what is it actually referring to? Do you have a quiet fear that the floats (whatever they are) will suddenly open?


16. allgood2, Tue Feb 28, 2006 at 08.40 am

I use Sophos AntiVirus, and recommend that ALL my Mac clients run anti-virus software for three reasons:

1) while they currently do no damage on the Mac, Word and Excel viruses can and do infect the Mac normal.dot file, and allow Mac users to spread viruses to PC users who they share documents with. These files can cause damage on the PC;

2) Most people get sent a slew of viruses via email; even if they don’t infect your Mac, there’s no legitimate reason to keep those files around on your Mac. Except that laziness, stupidity, and an I-don’t-care attitude tend to be a common thread in ensuring against ongoing removal, which anti-virus software will do; and

3) a secure past is never a guarantee for a secure future. I love Mac OS X, and trust that it is far more secure than any Windows machine I’ve seen, even those I’ve personally secured; but let’s face it:

a) it doesn’t always prompt for an admin password before installing. Admittedly this is normally caused by lazy software developers, but could be caused by malicious software developers as well (also, not running as admin will force the issue more);

b) trusting and curious users are good fodder for being taken advantage of (how many people do you know who have software installed that they have no idea what it does or is supposed to do). From input managers to widgets to actual applications, tons of people are clueless or accept information from not-so-great sources; and lastly

c) there are actual vulnerabilities in some of the open source code that Apple uses, and while Apple patches rapidly, and hasn’t been exploited (large scale); people have taken advantage in one to one situations, so good policies, and good practices make for good habits, which further secure a secure environment.


17. Veerle, Tue Feb 28, 2006 at 08.41 am

@Nick: To my knowledge there is no difference between several admin accounts. The rule of thumb is indeed to use a standard account for daily work. Most people run as admin because you need to enter an admin account password for almost anything, like running Disk Utility or replacing an application with a newer one etc. It’s just safer, that’s all.

@Kelly: I’m referring to a device like you find in toilet tanks controlling flow in and out, and that it’s open. Maybe floodgates would have been a better metaphor.


18. Malarkey, Tue Feb 28, 2006 at 08.43 am

I don’t use anti-virus and run as admin, yes I’m guilty too.


19. Gavin James, Tue Feb 28, 2006 at 08.45 am

Same here, I don’t use any anti-virus and I run as admin. :s


20. Patrick Hudepohl, Tue Feb 28, 2006 at 08.50 am

No anti-virus software, my account does not have admin privs.


21. Allan Haggett, Tue Feb 28, 2006 at 08.54 am

I installed ClamXav last week and am testing it out. So far, so good. The sentry has a small footprint (~5 megs according to Activity Monitor), it’s F/OSS, and it has lots of good features. When I first scanned, it found about 50 viruses in my mail archives (going back 4 years) that were promptly quarantined and deleted. The only thing I’d change would be a prettier default icon ;)


22. Anatoli Papirovski, Tue Feb 28, 2006 at 08.55 am

Actually, a little correction: it was first spotted in a Mac-Forums.com thread by the same name on February 12 and was reported ten minutes after, by me. :)

In any case, I run my Mac as admin, but I have Little Snitch and ClamXav. :) And I know my way around, so I don’t worry about anything hitting me.


23. mark, Tue Feb 28, 2006 at 08.58 am

“Setting iChat to not automatically accept incoming files is a pretty good protective method, this is the standard setting btw on a fresh install.”

I don’t see where to set iChat not to accept incoming files. I see a preference for where to put incoming files and a preference to warn when sending a file. Hmmm..


24. Lionel Chollet, Tue Feb 28, 2006 at 09.00 am

@Mark: Well, there’s that little utility called Chax.

After installation, a Chax tab is added to the Preferences window in iChat.
In the Discussion sub-tab of the Chax tab, there’s a check-box saying “Automatically accept incoming file transfers” (or something like that… my account language configuration is not set to English). Hope that helps.


25. Veerle, Tue Feb 28, 2006 at 09.02 am

@Mark: You don’t need anything extra. This is accomplished by opening iChat’s preferences, then clicking the “Messages” tab, and selecting “Confirm before sending files.” If this is ON you’ll get a window asking if you want to accept an incoming file. Like I said, this is the default setting.


26. mark, Tue Feb 28, 2006 at 09.05 am

Veerle/Lionel: Thanks for the clarification.

[rhetorical question] It’s odd that the function of the “confirm before sending files” option is not more explicit. If it determines whether one is alerted on incoming files, why is it not labeled “confirm before sending/receiving files”? [/rhetorical question]


27. Veerle, Tue Feb 28, 2006 at 09.06 am

@Mark: you’re right, it’s a lousy naming scheme on Apple’s part and not very user-friendly either.


28. Nathan, Tue Feb 28, 2006 at 09.25 am

Back up your computer. I won’t run AV software even after the viruses start popping up for OS X. Just back up often. I don’t run AV on Windows either, just patch often and back up.


29. cooxman, Tue Feb 28, 2006 at 09.27 am

I hereby declare that I am running Norton AntiVirus on my system to thwart any viral propagation and pollution attempts (cause I can’t ever recall getting paid to redistribute or store this kinda stuff; my Mac will not be used as a gateway to death and destruction… unless reasonable toll and storage fees are arranged and settled :) ).

And yes, I also use an admin account as default… taking it to the edge even, engaging the root account in a daily login-abuse-internet-logout affair with care-free Aqua. Though I’m slowly beginning to see sufficient reasons why some may think that root or the other admins are much too old, mature, responsible and insecure for frequent engagements with care-free Aqua, hence the need to engage Aqua in a regular affair with a younger, less mature, less responsible, and more secure normal user account. How much harm can be done with someone who can barely harm themselves… Your safest bet is to always have a backup and stay up-to-date.


30. chesterfly, Tue Feb 28, 2006 at 09.28 am

Sadly, I think it is only a matter of time before viruses are turned more macwards… and no, the last virus software I ran was on my 8600 in ’98. (That was a great machine btw.)


31. Neill Harmer, Tue Feb 28, 2006 at 09.30 am

I’m guilty. :-(

I run as admin on my computer AND I don’t run any antivirus program.

That being said, I think I’m really good about not just downloading files, and about knowing what I’m downloading when I do. (Old carryover from when I used PCs for my main computing.)


32. slav, Tue Feb 28, 2006 at 09.31 am

The floats are NOT OPEN!!!


33. sunny autumn, Tue Feb 28, 2006 at 09.32 am

Another vulnerability in Mac OS X,

but it is too hard writing a virus using this bug… for now. :|


34. Paul Bell, Tue Feb 28, 2006 at 09.33 am

I ran as admin until yesterday. You can create a new user in System Preferences/Accounts, check the box to allow them to administer your Mac, and then uncheck the box for your regular account: a two-minute job. Then you’ll have to authenticate when you need admin privileges, which could be slightly annoying at times but also quite reassuring, I guess.


35. Wodan, Tue Feb 28, 2006 at 09.34 am

I have no anti-virus app anymore since I figured out that Norton was selling AV software when there were no viruses around (a couple of years ago). AV companies have totally lost my confidence, because they are so eager to spread the news of a new virus to bump up their sales.
Plus, NAV made some apps crash (like Final Cut Pro)...

I also run as admin, and I’m quite confident that it’s harmless if you know what you’re doing.

I don’t believe that OS X will become more vulnerable due to its growing popularity. There are enough Mac-haters around that have already tried doing so with no success.


36. Ben Ward, Wed Mar 1, 2006 at 09.11 am

I despair of the media-panic about this. Mountains and molehills and all that. Perhaps it’s more of a reflection on just how high Apple are flying at the moment that major media outlets lapped this up before checking the details.

Personally, I run a non-admin account on my Mac with no anti-virus software. Unlike Windows, OSX does a very good job indeed of prompting for authentication, and I don’t see the slightest problem with typing a password every so often. Giving the admin account a short name helps too (‘adm’ is mine).

With far more pain, blood and angst, I also run a limited user account on Windows, but that’s a blog post in itself. (I run NOD32 Anti-Virus on there as well.)

