Mac Antivirus developer Intego might have stumbled across an OS X specific virus being offered for auction that targets a previously unknown ZIP archive vulnerability. From Intego’s posting, it appears that an enterprising auctioneer seems determined to make sure that his name is one that is not forgotten when it comes to Apple security, claiming that his exploit is a poisoned ZIP archive that will “KO the system and Hard Drive” when unarchived.
Scare Tactics?
“claiming that his exploit is a poisoned ZIP archive that will “KO the system and Hard Drive” when unarchived.”
Wow – should propagate like molasses then if the first thing it does is kill the hard drive.
Excellent point. I’d also like to know how a “virus” unleashed by opening a Zip archive can possibly escalate to root privileges without some level of social engineering. It has to ask for my password at some point, and since no Zip archive ever does that, it would immediately be suspect.
A story: Bob 6-pack
downloads a zip, saying “a nude hot super star”
he’s lucky ain’t he??? Extracts the damn thing, asks for the root password, TAKE IT gimme the photos b*atch!!!
BOOOM, infected
The user is the problem, very very often. Very rarely is it the OS, be it Windows, GNU/Linux or Mac OS.
Hopefully, I’m tired of all this “my system is more secure”, when 99% of the time a user purposely installs a virus through something like a font pack they found online. The system is irrelevant; it is usually the user’s fault, and of course it would be too rude to tell them that, so this remains a dirty little secret.
Edited 2008-07-24 18:54 UTC
“Purposely” may not be the word you were striving for there.
Yeah, I’m thinking “inadvertently” would be more appropriate.
[sarcasm]
It’s not possible! Windoze has the only real virii! OS-X and GNU/Linux are the most secure evah! Everybody knows this!
[/sarcasm]
Exactly, even BeOS ( with its incredibly tiny market share ) had a couple of viruses
which brings me to ‘virii’ vs ‘viruses’
I learned the plural of virus as virii, but the d**n spell checker says it ain’t a word, and most people don’t understand it, so with the general rule being ‘common usage,’ I use ‘viruses’ to avoid confusing the confused even more than I already confuse them with my long words … and my small… difficult… words.
–The loon
Virus is an English word based on a Latin stem meaning ‘alive’. The plural is therefore viruses not virii. In medical terminology they are always referred to as viruses.
Hey, when you’re a dumbfsck virus creator, virii sounds much cooler. And after all, that is what counts.
If you use the word “virus” as something that has been incorporated into your own language then of course the regular grammar rules apply. So it becomes “viruses” in English, “virussen” in Dutch etc., etc. But if “virus” was still being used as a word in its untranslated Latin meaning (like etcetera, mens rea, ergo, etc., etc.) then the plural form would be viri, virorum, viris or viros, depending on its function within a sentence. Much like the German language.
“These three viri infected my computer” (nominativus)
“My virus scanner will delete these viros” (accusativus)
“My PC was infected by these viris” (dativus)
“One of the properties of these virorum is that they delete all data” (genitivus)
“With these viris I can DOS an entire server” (ablativus).
So far what I remember from my Latin classes regarding this subject. But since virus was adopted by almost any language we can safely use viruses.
Edited 2008-07-25 23:57 UTC
See!?!? THAT is why I wanted to take Latin, sadly no school I went to offered it. 🙁
All I got was Quebec French, something like German, or mangled Spanish.
Fortunately, I just so happen to speak the most important language: C++ 🙂
–The loon
A company that is in the business of selling anti-virus programs is reporting a virus on a platform that is currently not known to have virus issues, and hence its users aren’t looking for anti-virus solutions.
I am not saying they are trying to spread FUD to increase their bottom line but… can’t we wonder?
Always get a second opinion.
Intego is not a trusted source; they have a heavy bias to be releasing this information. I hope this “virus” can be verified by an independent security firm or white/grey-hat.
That is hardly likely. A vulnerability in zip-whatever (e.g. BOMArchiveHelper) won’t lead to control of the system. I can’t think of anything that would require a zip decompressor on the system to run with root privileges, nor is it suid root, so the only thing an attacker can gain using that vector is shell access with the rights of the currently logged-in user. Not a small thing by any means, but hardly the system KO being promised.
PS. Also that wouldn’t technically be a ‘virus’ being just an exploit for a certain vulnerability.
Edited 2008-07-24 19:55 UTC
HTF can you conclude that? You don’t have any idea where the ZIP decompression is called from. If it’s running in privileged code, then you DO have a problem that can lead to control of the system.
Where the f*** have you ever seen a decompression utility running privileged code? Oh, I forgot, you come from a windows centric world.
Try a real platform some time ;-P
Imagine if you will:
1. Create trojan application which acquires root privilege because the user is not suspicious.
2. Use elevated status to integrate virus with the system as tightly as possible.
3. Read e-mail addresses from the address book, and hack the e-mail program to automatically attach the trojan.
4. Wait for one hour, giving the user a chance to forget the last thing they did on the computer.
5. Ensure the next time a browser is launched, it crashes.
6. Give the three-finger salute to the boot sector and partition table, zap holes on the cylinder boundaries.
7. Enjoy the ensuing chaos.
Naturally, though, while it is possible to do the above, these kinds of infections have problems spreading. They are devastating and draw much attention – the author will likely be caught and punished.
This is one of the real reasons why these types of infections have nearly vanished. Another big reason is that those with the know-how have discovered that they could avoid their risks and make money with ad&spy-ware – sorta mostly legally [ 😉 ].
Of course, the above steps really require knowledge of multiple issues, but only one exploit ( obtaining root ), which can be very easy thanks to general complacency in the Apple community of users.
–The loon
P.S. I run BeOS, it would be pretty easy to do my machine in – write a script which simply states rm -rf /boot/ and call it some app on BeBits 🙂
Sorry, takes me 15 seconds to reboot off my backup partition, which is normally not mounted so it can’t be touched without my noticing.
Additionally, about 95% of my data found on my /boot drive is in fact links to other partitions, and rm does not follow links off the partition it is working on.
Is there an option for that?
Well, I could write a simple recursive loop with the BeOS API which natively follows symlinks, would compile to something like 16 KB.
OR, I could just have fun giving everything a random name 🙂
Nothing would be in my way of doing so.
If I REALLY wanted to be a PITA, I’d scan for any unmounted volumes and mount them first, damaging all I could.
Of course, it would be just as easy to secretly install a driver which will destroy the boot sectors, partition tables, and the first and last block on each cylinder boundary ( to prevent recovery ).
BeOS has NOTHING to prevent access, though there are indeed some tricks ( i.e. try setting read and execute permission to everything in the system folders, but not write – you may want to use group settings for that and change the user name of those files – but be careful, this is untested on BeOS kernels, and can be problematic ).
–The loon
P.S. I think I’ll try the aforementioned ‘trick’ and see how it works, perhaps today.
— edit: stupid stray letters…
Edited 2008-07-25 16:47 UTC
The point of using an exploit is that you DO NOT need to be root in order to get privileged access.
Edited 2008-07-25 12:00 UTC
I will concede it is possible, but, as with Windows, social engineering would most likely be required. Even when I used to run Windows I was never infected with a virus. In most cases it requires that the user do something stupid.
Compress a huge terabyte text file that contains nothing but 0s and then get the user to decompress it? That would totally fsck up a system. In lieu of any more details, it’s hard to know what exploit this is.
It would more likely just report that the disk ran full or that there is not enough disk space to decompress it, assuming that ZIP reports the file size back to the system before attempting to uncompress it. ZIP can’t harm a system that way.
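The two posts above disagree about what happens when an archive inflates to something enormous. The following is an added example, not code from the thread or from Intego: it builds a ZIP of all-zero bytes in memory (a constructed sample that deflate shrinks by roughly 1000:1), reads the sizes the central directory declares, and then streams the members through a byte cap that is enforced on the actual decompressed output, so it does not depend on the header being honest. The limits MAX_TOTAL_BYTES and MAX_RATIO are hypothetical policy values, not anything the thread or Apple's tools define.

```python
"""Guarding ZIP extraction against decompression bombs (added example)."""
import io
import random
import zipfile

MAX_TOTAL_BYTES = 4 * 1024 * 1024   # hypothetical policy: 4 MiB per archive
MAX_RATIO = 100                      # hypothetical policy: refuse > 100:1 expansion
CHUNK = 64 * 1024                    # read granularity while streaming members


def build_archive(name, payload):
    """Constructed sample: a single-member deflated ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_bomb(uncompressed_size):
    """All-zero content: deflate compresses it to roughly 1/1000 of its size."""
    return build_archive("zeros.bin", b"\0" * uncompressed_size)


def build_benign(size=20000):
    """Seeded pseudo-random content: essentially incompressible, ratio about 1:1."""
    return build_archive("random.bin", random.Random(7).randbytes(size))


def inspect(archive):
    """Step 1: decide from the *declared* sizes in the central directory
    whether extraction should even be attempted. Cheap, but the header
    is attacker-controlled, so this is only a pre-check."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    ratio = declared / max(compressed, 1)
    return {
        "declared": declared,
        "compressed": compressed,
        "ratio": ratio,
        "ok": declared <= MAX_TOTAL_BYTES and ratio <= MAX_RATIO,
    }


def safe_extract(archive):
    """Step 2: count the bytes that actually come out of the decompressor
    and abort as soon as the cap is exceeded, whatever the header said.
    Returns (completed, bytes_written). Memory stays bounded by CHUNK."""
    written = 0
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    written += len(chunk)
                    if written > MAX_TOTAL_BYTES:
                        return False, written
                    # real code would write `chunk` to a file under the
                    # destination directory here (after path sanitising)
    return True, written


if __name__ == "__main__":
    bomb = build_bomb(64 * 1024 * 1024)
    print("bomb:", inspect(bomb), safe_extract(bomb))
    benign = build_benign()
    print("benign:", inspect(benign), safe_extract(benign))
```

The declared-ratio check on its own is a heuristic: a 1 MiB file of zeros also compresses past 100:1 and would be flagged, while a bomb can understate its size in the header. The byte counter during extraction is the control that actually bounds disk and memory use; the ratio check only decides whether to warn or refuse before any inflation starts.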
ZIP, like JPEG, GIF, PNG etc., uses the very same library for decompressing. Find a stack overflow in the lib, then find a root exploit and you are ready to go. Remember kids: use address space randomization, stack protection cookies and/or SELinux. Until we run a system with runtime boundary checks (Java/C# etc.) nobody is safe.
OS X has address space randomization and stack protection, among other security features. Potentially it is just as secure as Linux if not more so in a couple of departments. It is, after all, similar under the hood and Apple made sure to check a lot of security check-boxes.
The only problem is that Apple does security updates *very* infrequently compared to other vendors. Open source patches within days or a few weeks, Windows within a month, and OS X a few times a year. Sooner or later this policy will catch up with Apple, as much as they’d like the time to get patches right. (Well, that seems to be their excuse, but considering how many patches it took to fix outstanding Leopard bugs, I’m not sure.)
Well there is no way of confirming this is a real vulnerability, but I personally believe that if any modern operating system gets enough people using it for long enough, someone will find a serious vulnerability and exploit it.
What annoys me the most about these scare tactics is this: the mythology that is created that somehow there is Johnny Innocent User sitting there and then out of the blue he is attacked by a virus. The mythology created is that somehow viruses appear out of nowhere with no way to trace it back to a single point.
End users download files, they open files, they create files – a download that has a virus in it has to have come from some place. If it is from a large profile download site – then it would be known in a second. So what does that mean? it means that when I see these people become infected I have to ask where they got these files from.
It reminds me of people who complain about vulnerabilities in software. Some require no intervention of one’s own self – the Blaster worm being the best example of this. An unpatched computer only needs to appear on the internet to get infected – my aunty’s computer being an example of that.
Then there are those which are propagated through websites – to which I have to ask myself: what websites are you going to that propagate these worms and viruses? They don’t seem like very reputable websites if they’re infecting their audience!
I’m not blaming the end user outright, but I do think that the end user needs to have a good hard look in the mirror and ask whether they’re the ‘weakest link’ when it comes to security.
Edited 2008-07-24 21:23 UTC
It could be a server that got hacked and is now infected.
I think the real question nobody is asking is this: if they spotted a guy trying to sell a virus, why didn’t somebody break both of his legs? I bet the little bastard would think twice about writing another virus
And what about sites that are/were reputable, but got pwnd and spread virii without knowing it? Sure it’s an exception, but not so rare it could be neglected.
That’s not rare at all, hundreds of thousands of sites are like that from one recent MSSQL injection attack alone. Another possibility are infected ad-banners. Otherwise “reputable” ad banner networks, such as doubleclick, sell towards the end of the month when commission pressure is high, some malware-spreading ad banners that appear on reputable sites.
Edited 2008-07-24 22:58 UTC
In many cases I’ve seen, users get infected by visiting relatively-innocuous sites that have been hit by SQL injection attacks. That’s the main purpose of most of the SQL injection attacks I’ve seen recently: the attackers insert code for an invisible iframe, and the iframe source is set to load a malicious page on another site. I’ve also seen the same thing done with SCRIPT tags to load an external (malicious) javascript file.
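The post above describes the payload of those mass SQL injection attacks: an invisible iframe or a SCRIPT tag pointing at an external host, stored in a database field and rendered into otherwise legitimate pages. The following is an added example, not code from the thread: a small scanner that walks rendered HTML (or the text of a suspect database column) and flags iframes that are zero-sized or hidden by CSS, and iframes or scripts whose src points at a host outside the site's own and an allow-list. The sample page, the hosts in it and the allow-list are constructed for the example.

```python
"""Finding injected hidden iframes and foreign script tags in HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _host(src, page_host):
    """Host a src attribute points at; relative URLs resolve to the page's own host."""
    parsed = urlparse(src.strip())
    return (parsed.hostname or page_host).lower()


def _dimension_is_zero(value):
    """True for width/height values such as "0", "1", "0px", "1px"."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class InjectionScanner(HTMLParser):
    """Collects start tags that match the injected-iframe / injected-script pattern."""

    def __init__(self, page_host, allowed_hosts=()):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowed = {self.page_host, *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag == "iframe":
            reasons = []
            if _dimension_is_zero(a.get("width")) or _dimension_is_zero(a.get("height")):
                reasons.append("zero-size")
            style = (a.get("style") or "").replace(" ", "").lower()
            if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
                reasons.append("hidden-by-css")
            if src and _host(src, self.page_host) not in self.allowed:
                reasons.append("foreign-host")
            if reasons:
                self.findings.append({"tag": tag, "src": src, "reasons": reasons})
        elif tag == "script" and src:
            if _host(src, self.page_host) not in self.allowed:
                self.findings.append({"tag": tag, "src": src, "reasons": ["foreign-host"]})


def find_injections(html, page_host, allowed_hosts=()):
    """Scan one HTML document; returns a list of suspicious tags in document order."""
    scanner = InjectionScanner(page_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a page whose database-backed footer text has been
# polluted by an injection payload. All hosts here are hypothetical.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather" width="300" height="200"></iframe>
<p>Copyright 2008</p><iframe src="http://malicious.example/in.php"
 width=0 height=0 style="display: none"></iframe>
<script src="http://malicious.example/js.js"></script>
</body></html>"""


def scan_sample():
    """Run the scanner over the constructed page with the CDN on the allow-list."""
    return find_injections(SAMPLE_PAGE, "www.example.com",
                           allowed_hosts=["cdn.example.net"])


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Run over stored content rather than rendered pages, the same parser turns up the injected rows directly, which is also where the clean-up has to happen; an allow-list of expected third-party hosts keeps legitimate CDN and ad-network includes from drowning the real findings.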
What is this all about here? Are you guys giving any credibility to this article full of nonsense and trolling arguments?
Is there anyone serious here giving any credibility to a site where a random guy is pretending to sell a virus which is supposed to magically mess up a hard drive? That’s just BS; a guy is just trying to have fun in a stupid way and some stupid people like him are reporting his crap.
And by the way, the site in question went off-line 8 hours after the dudes at Intego reported the information… Is it a surprise?
I don’t think so, and it is more disappointing that OS news is linking to such sensational stupid stories. It seems that Os news editors can only link to sensational stories for the sake of increasing hits on their forums, and that make me think that the new editorial members are pure joke.
I mean, I tried twice to post a very interesting article about the new static analyser built into clang (the new front end of LLVM), as I thought that many people interested in writing code would find the article very interesting (here is the link by the way http://www.rogueamoeba.com/utm/2008/07/14/the-clang-static-analyzer…), but it never got published. Why?
OS news editors do not care about technology or about well written informative articles, they rather care about fud….. and the stupidity of the net, right?
You got my interest, and since I just installed Xcode 3.1 I’ve got a lot to check out with Clang.
Loving how viruses on Unix-like systems are mainly a theoretical debate and discussion whereas on Windows they are a known fact.
Virus is a purely English word not a Latin word.
http://www.linguistlist.org/issues/15/15-1540.html
It doesn’t matter how we spell it. Virii or viruses. Language is constantly evolving, and it’s the number of uses that determines its correctness. If a majority use it, at some point, the dictionaries will change their definitions, and call “viruses” obsolete usage, as they do with other words, terms, etc.
The term “so fun” would have earned a slap on the hand from an English teacher when I was in school back when, but now it’s becoming accepted.
People should just get over it.