
Thread: OS X Vulnerable??

  1. #1
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Lightbulb OS X Vulnerable??

    The "latestpics" Trojan

    From http://www.macrumors.com/
    The First Mac OS X Virus? (A New OS X Trojan)

    Thursday February 16, 2006 12:54 AM EST
    Posted by arn

    On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz"

    The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:

    _infect:
    _infectApps:
    _installHooks:
    _copySelf:

    The exact consequences of the application are unclear, but the users who originally executed the application have noted that it appeared to self-propagate:

    If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my harddrive, but how do i know that it will not come back.

    Andrew Welch who had done some of the initial disassembly is posting updates to this thread.

    According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.

    Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.
    And this from another blog:

    The dangerous thing is that the UN*X executable it unpacks looks like a JPEG file, although it doesn't have the file extension. (It just has a JPEG icon pasted onto it.) If you do double-click it, it installs itself as an input manager and tries to infect applications with itself and to propagate through iChat (it'll send itself to your iChat buddies).

    This is not technically a virus, though. And if you don't double-click files you don't know the source of, you're still safe. Also: Never doubleclick images without file extensions, anyway. (Set the Finder to _show_ you file extensions, of course.)

    Update: Sites like TheRegister (their "article" about Leap.A here) are now keen to call this a virus, although by definition it is not. They also fail to mention that the script does no harm other than to propagate via iChat.

    Again: Of course we shouldn't go into denial whenever something like this pops up. But in order to do even a little harm, the user still has to actually execute this script himself. And things like that have always been known on Mac OS X. It tries to take advantage of a vulnerability of the user, not the operating system. Unless you open/execute the UN*X script yourself, you're safe.
    TechWorld - World's first OS X virus hits Apple
    Symantec goes into the details
    Andrew Welch detailed technical summary
    Last edited by TZ; 02-17-2006 at 08:59 AM.

  2. #2
    Join Date
    May 2004
    Location
    FLL-Florida
    Posts
    60

    Default Remedy??

    And now a lot of users (like me) who do not have any anti-virus software ask themselves, would it be necessary to shell out some $$$ to buy virus protection software? What would be the gurus' software of choice?
    What is reliable and works fine on OS X 10.4.x with the least impact on system performance?

    Uli

  3. #3
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Lightbulb clamXav Anti-Virus

    I think if you read the links, or head over to some of the sites (macrumors, macintouch, macfixit) you will find additional information, and that ClamXav may have a new rule set. No need to shell out for AV software.

    And disable ftp via iChat and some other things (IM software along with IRC etc have been popular means to spread damage).

    I think the most likely avenue could be someone sending a photo that is supposed to be 'normal' "new photo of kids" or something - and is not.

    Some people have too much time on their hands - I think it is disgusting and criminal - (if someone would unleash the power of all that NSA-Echelon on something like all the virus-email out there, the world WOULD be a safer and better place maybe!).

  4. #4
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default

    Good time to point out it is safest (in any OS) not to work in an admin account. Anything like this trying to install executables or the like will ask a managed user for an admin password - a real tip off to watch out!
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  5. #5
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default OS X Infection!!

    Came in after a 3 day weekend to find at least 4 10.3/10.4 boxes infected. What?!

    Attached is one of the messages.
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  6. #6
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default Sounds like someone has a case of the Mondays.....

    Greaatttt........

    No definition.

    Wait..... I know I read that updated machines are not at risk for Inqtana or Leap, nor are managed users (non-admin). So these users should be protected two different ways even before AV software. Huh?

    I check out the updates, defs, and fixes from Sophos. Turns out there is an update for this as of this morning. I run the update, and, now the messages are gone. Not fixed, detoxed, or deleted. Gone. What?

    So I call Sophos to figure out what is going on. Turns out they had a bad def, and this is a false positive. Never was infected. The new def actually removed the erroneous def that throws out infection notices for files that are not infected. Office, Adobe, and at least for us, Epson printer plugins.

    Glad it was not real, but what a pain.

    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  7. #7
    Join Date
    Nov 2004
    Location
    Germany
    Posts
    2,352

    Default

    Unc,

    the virus gets spread over Bluetooth connections and came from a file called "latestpics.tgz" which was posted on a Mac forum.
    It is not a JPG, it is a SCRIPT with a custom JPEG icon!!!!!
    Also another file gets installed called "._latestpics" which is the resource fork of "latestpics.tgz" but this is not a risk.

    It infects the 4 recently used applications or files, it also connects through iChat connections.

    It installs itself at /Library/InputManagers if you're on an Admin account.
    Also at User/Library/InputManagers if on a User account.

    You can avoid getting infected by creating a directory within terminal:
    sudo mkdir /Library/InputManagers

    Then change the owner of the folder to Wheel with
    sudo chown root:wheel /Library/InputManagers

    and
    sudo chmod go-w /Library/InputManagers
    This line prevents anyone besides ROOT from writing into that directory.
    And if someone asks for the root password, you've been warned.

    Did this today on all Macs with inet connection and sent an email to all our employees.

    Wrote a script with the needed tasks to stealth the folder.


    Best regards

    Nicolas
    Custom Configurations! Rad Hacks and Mods!
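    The three commands in the post above (mkdir, chown root:wheel, chmod go-w) as an added Python audit, written for this page and not Nicolas's own script (which is not posted). It checks both locations the post names, reports anything already installed there (a default install ships no input managers), and can apply the hardening when run as root. The paths and the `expect_root_owner` switch are assumptions for the example: the user-level directory is legitimately owned by the user, not root.

```python
import os
import stat
from pathlib import Path

# Locations named in the post (assumed paths; the user one is per-account).
SYSTEM_INPUT_MANAGERS = Path("/Library/InputManagers")
USER_INPUT_MANAGERS = Path.home() / "Library" / "InputManagers"


def audit_input_managers(directory, expect_root_owner=True):
    """Return a list of (severity, message) findings for one InputManagers directory.

    Checks mirror the post: the directory should exist, be owned by root:wheel
    (uid 0 / gid 0) for the system location, not be writable by group or others,
    and ideally be empty, since every bundle in it is loaded into each GUI app.
    """
    directory = Path(directory)
    findings = []
    if not directory.exists():
        findings.append(("warn", f"{directory} does not exist; a dropper could create it"))
        return findings
    st = directory.lstat()
    if stat.S_ISLNK(st.st_mode):
        findings.append(("high", f"{directory} is a symlink; resolve and audit its target"))
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append(("high", f"{directory} is not a directory"))
        return findings
    if expect_root_owner and (st.st_uid != 0 or st.st_gid != 0):
        findings.append(("high", f"{directory} owned by uid {st.st_uid}/gid {st.st_gid}, "
                                 "expected root:wheel (0:0)"))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("high", f"{directory} is writable by group/others "
                                 f"(mode {mode:04o}); expected go-w"))
    # Anything present deserves a look: list it so the admin can recognise it.
    for entry in sorted(directory.iterdir()):
        findings.append(("info", f"input manager present: {entry.name}"))
    return findings


def harden_input_managers(directory):
    """Apply the post's three commands: mkdir, chown root:wheel, chmod go-w.

    Needs root for the chown (raises PermissionError otherwise) and returns
    the post-hardening audit so the caller can confirm the result.
    """
    directory = Path(directory)
    directory.mkdir(mode=0o755, exist_ok=True)
    os.chown(directory, 0, 0)
    mode = stat.S_IMODE(directory.stat().st_mode)
    os.chmod(directory, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return audit_input_managers(directory)


if __name__ == "__main__":
    for d in (SYSTEM_INPUT_MANAGERS, USER_INPUT_MANAGERS):
        root_expected = d == SYSTEM_INPUT_MANAGERS
        for severity, message in audit_input_managers(d, expect_root_owner=root_expected):
            print(f"[{severity}] {message}")
```

    Run it unprivileged to audit; run `harden_input_managers(SYSTEM_INPUT_MANAGERS)` under sudo to apply the fix. The "info" lines are the useful part on an already-hardened machine: a bundle that nobody installed on purpose is exactly what the post's warning about the root password is meant to catch.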

  8. #8
    Join Date
    Mar 2001
    Location
    Virginia... where one Democrat CAN make a difference
    Posts
    2,929

    Default

    You know what I find odd.... Sophos is in every OS X virus/trojan story. It seems since they discovered this latest trojan that they have been promoting it shamelessly. If I were the paranoid type I would think that maybe they are trying to drum up some business...
    Damien,

  9. #9
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Lightbulb

    Safari and shell scripts
    http://www.heise.de/english/newsticker/news/69862

    Serious flaw on OS X [SANS Institute]
    http://isc.sans.org/diary.php?storyid=1138

    Many Mac users have been hoping that ClamXav would fill that niche. ClamXav is a free OS X graphic front end of ClamAV, which is a free and opensource UNIX toolkit, mainly used on UNIX servers as an anti-virus application for use with Windows networks. (ClamAV is also included with Apple's Mac OS X Server software.)

    The problem with relying on ClamXav, for now, is that the ClamAV database doesn't include definitions for all known Macintosh malware. (For instance, it doesn't include definitions for Opener/Renepo, or for any of the OS 8/9 viruses that can still infect Classic running in OSX.) Part of the reason for this is that folks in the industry won't release any new malware threats that they encounter to anyone other than well-known established developers of commercial anti-viral software (and probably rightly so).

    To deal with this, there is a site where users who suspect that they have been infected with a virus or a Trojan that isn't already in ClamAV's database can upload a sample of any file that they consider suspicious, so that it can be inspected, and it can be used to create a new definition to be added to the ClamAV database.

    Hopefully users will take advantage of this service and ClamXav will grow to be a complete, and free, defense against all Macintosh malware.

    Sophos anti-virus appears to have a false-positive problem. It looks like Norton AntiVirus may be suffering from "false positive" problems also.

    Another security problem only affects users of RapidWeaver.

    It appears that in addition to Norton AntiVirus throwing false positives on the Safari cache file for OSX/Inqtana.A, Sophos Anti-Virus is now throwing false positives for OSX/Inqtana.B on a wide variety of files on typical Mac OS X installations, improperly quarantining/deleting files critical to software installations or Mac OS X itself. MacIntouch
    new variants of a Bluetooth worm that poses little threat, due to a time limitation.

    F-Secure reports 2 new variants of OSX/Inqtana... Full details -
    http://www.f-secure.com/weblog/

    http://www.macintouch.com/security.html
    Last edited by TZ; 02-22-2006 at 06:55 AM.

  10. #10
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Lightbulb AppleDouble MIME

    Security hole in Mac OS X also affects Apple Mail

    The weak point in Apple's Mac OS X operating system is apparently worse than originally thought. In addition to attacks via the Safari web browser, Apple Mail also executes scripts without asking in certain circumstances.

    It suffices to disguise a script with the ending "jpg" and assign the Terminal application for opening it.

    If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient's system also opens it with the Terminal.

    Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting.

    This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.

    Like the numerous Windows viruses, Mac OS X could also spread viruses via emails in this manner. The virus need only tempt users with a text to open the faked image file. You can use heise Security's Emailcheck to have a harmless e-mail sent to you that demonstrates the problem.

    The main problem is that the attacker can determine which application should open a file.

    Normally, this information is hidden in the file's resource fork and hence limited to the local system. To transport this via the Web, resources typical of Mac can be included for analysis by the local programs.

    In the weak point reported yesterday, a ZIP archive also contains the folder __MACOSX with metadata. You may infect your computer if you open the JPG file in such an archive without a warning even if the ZIP file was downloaded and saved to your Mac via Firefox.

    For e-mails, the MIME format AppleDouble allows resource forks to be attached; Apple Mail automatically analyses them. To make things worse, in both cases the type of a file is determined via the extension -- and that can be misleading.

    The free e-mail client Thunderbird does not fall for this trick because it does not analyze AppleDouble. A protective measure is to move the Terminal application from /Applications/Utilities into a different folder. But the best idea is not to open any files if you don't know where they came from. heise
    Emailcheck
    Thunderbird

  11. #11
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default There is no infection, there is no infection, there is no....

    There is no infection. Sorry, I did not make that clear enough in my posts above. Apparently I am not the only one not being clear enough...

    This is getting comical.

    There is no infection.

    THERE IS NO INFECTION.

    THERE IS NO INFECTION.

    From Macfixit today:
    In yet another case of AntiVirus software causing serious issues while purporting to be identifying infected files, it appears that Sophos' AntiVirus software is generating false positives for the "OSX/Inqtana.B worm", invoking users to delete critical application and system files and causing serious issues.

    Again, the virus being identified by Sophos AntiVirus is marked Inqtana.B -- apparently a variant of the Inqtana.A malware that likewise spreads by copying itself to other computers via a bluetooth connection.

    As previously reported, OSX/Inqtana.A -- a Java based proof of concept bluetooth worm that affects older versions of Mac OS X 10.4.x (Tiger). The vulnerability does not affect Mac OS X 10.4.5, and has not been found in the wild.

    Despite that, Sophos' software is identifying "infected" files -- sometimes numbering in the thousands -- on Mac OS X 10.4.5 systems.

    The results of the false positives are, in some cases, disastrous.

    One MacFixIt reader writes:

    "I have read about the proof of concept bluetooth virus by the name of OSX/Inqtana-A, but today my Sophos AntiVirus program alerted me of a virus by the name of OSX/Inqtana-B when I tried to unstuff a stuffit .sitx file. I started a virus check of my hard drive and so far after 70,000 files, Sophos reports 1077 infections. These mostly occur inside application bundles. Sophos reports this virus warning when I open pretty much every application; denying access to some programs or letting others continue to run.

    "I am running Mac OS X 10.4.5 and update via software update as soon as they arrive, and I also have my safari preferences/general/ Open 'safe' files after downloading unchecked."

    Roger Miller adds:

    "Inqtana.a may not be out in the wild, but inqtana.b is making a mess of our macs running OSX. We are running Sophos antivirus. I first noticed the infection when the antivirus program detected 2 instances of the virus. I started a scan and it immediately found another 7 copies. It's now up to 60+ copies of the virus. Sophos was set up to delete infected files. Many of our campus computers have lost access to their Microsoft and Adobe products. We're having trouble reinstalling them because they immediately get re-infected.

    Glen Winkelman reports:

    "My entire department is running Mac OS X. We are using Sophos Anti-Virus software. This morning, everyone who connected to our network got warning messages. (I have attached two screen shots for you to view.)

    "I contacted tech support at Sophos. They told me what to do to fix it. But now they are telling me to 'hold off' until they are sure it's not a false positive."

    Another reader writes:

    "Well, we have this OSX/Inqtana-B virus that's managed to get into our entire company somehow... we're protected with sophos Anti-virus... however, it seems to be hiding in the Acrobat application (6 and 7) itself and it destroys office 2004... even with a reinstall, office doesn't work."

    We currently recommend that users disable Sophos AntiVirus until further notice, and disallow the application to automatically delete any files it deems "infected."
    Sadly, all people have to do, as of yesterday morning about 10AM is update their Sophos defs. Or contact Sophos for assistance. No need to run around screaming in the middle of the street.

    There is no disaster. There is no infection. Update defs and warnings go away, all the files are fine, the machine is happy. Simple.

    As for the one user above who appears to have real problems....I don't know what to say. Sounds like they had Sophos set to delete infected files, as opposed to notify/disinfect. I thought that was too scary to even consider....let software automatically delete anything it wants without so much as a how-do-ya-do?? No way. This is not the default setting, so I have a hard time blaming them entirely for that. The support was very good and fast when I called. Other than the core issue of a bad def that started this, I am happy with Sophos.

    I suppose some folks may really have an infection, but based on our experience, it does not sound likely.

    So basically, some punk kid let off what is the virus/trojan equivalent of fire crackers (lotta noise, but no damage), the townsfolk stampeded at the sound of deadly "gun fire", and dozens of people were trampled to death in the panic.

    What will Mac users do during a *real* infection?
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  12. #12
    Join Date
    Nov 2004
    Location
    Germany
    Posts
    2,352

    Default Yep, NO INFECTION

    Hello,

    best thing should be prevention (as always):

    1. close the system as much as possible
    2. do not work on an Admin account while surfing or reading mails or being connected to the internet in whichever way.
    3. do not open attachments from "unknown" people
    4. Always update your OS with the latest security patches
    5. if you're not sure, open a file with TextEdit or SubEthaEdit first or contact the sender.
    6. do not double-click on files; open them via the "open with" contextual menu.

    I can completely sign Damien's posting; curious thing is most "virus" warnings are coming from Sophos or Symantec, but AFAIK all are/were "proof of concepts" only.

    Sophos is good but costly, only something for companies.
    I don't like NAV, VBarrier, so there is ClamXav.

    Regards

    Nicolas
    Last edited by Nicolas; 02-23-2006 at 12:50 PM.
    Custom Configurations! Rad Hacks and Mods!

  13. #13
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default

    Yup.

    Surprised Sophos does not do consumer, but they don't. And not cheap for small companies. Up at a certain volume they are only a few bucks more than NAV, which is icky.

    FWIW, we have about 350 total machines running Sophos.
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  14. #14
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default The final word.

    Sophos fixes problem

    .....yeah. What I said.
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  15. #15
    Join Date
    Jan 2001
    Location
    Chicago, IL 60610
    Posts
    339

    Default More jib-jabbing about Inqtana-wanna..

    Some of it entertaining...

    http://www.wired.com/news/columns/0,...rss.technology

    Plus more blurb-ish:

    > Subject: Second Apple worm targeting Macs found: experts
    >
    > SAN FRANCISCO (Reuters) - A new computer worm targeting Apple Computer
    > Inc.'s (Nasdaq:AAPL - news) Macintosh computers has been
    > identified for the second time in one week, security experts said.
    >
    >
    > The new worm, called OSX.Inqtana.A, spreads through a vulnerability in
    > Apple's OS X operating system via Bluetooth wireless connections,
    > antivirus company Symantec said.
    >
    > "We have speculated that attackers would turn their attention to other
    > platforms, and two back-to-back examples of malicious code targeting
    > Macintosh OS X ... illustrate this emerging trend," said Vincent
    > Weafer, senior director at Symantec Security Response.
    >
    > The latest virus follows OSX/Leap-A, which was identified last week
    > and believed to be the first such virus targeting the Mac platform.
    > That worm attempts to spread via Apple's iChat instant messaging
    > program, which is compatible with America Online's popular AIM instant
    > messaging program.
    >
    > Symantec said the latest worm attempts to use Bluetooth connections to
    > spread by searching for other Bluetooth-using devices that will accept
    > requests for a connection when the computer is restarted.
    >
    > Bluetooth is a wireless technology used to transmit data among devices
    > at short distances.
    >
    > The worm spreads via a vulnerability in the OS X operating system
    > called the Apple Mac OS X BlueTooth Directory Traversal Vulnerability.
    >
    > If a Bluetooth connection is made, the worm attempts to send itself to
    > those remote computers. However, the worm itself does not appear to
    > pose an immediate threat.
    >
    > "While this particular worm is not fully functional, the source code
    > could be easily modified by a future attacker to do damage," Weafer
    > said, adding that Mac users should install available software patches
    > to their operating systems to prevent such attacks.
    >
    > The latest worm was identified on Friday. Both worms are ranked a
    > Level 1 threat on a scale of 1 to 5, with 5 being the most severe,
    > Symantec said.

  16. #16
    Join Date
    Sep 2004
    Location
    Loma Mar. CA
    Posts
    328

    Cool i ain't as savvy as you folks......

    But with the slew of reports this week, I note with interest this particular suggestion to do with the .ZIP vulnerability.

    DIY Flaw Correction

    Although Apple has said it is working to correct the problem, a simple change can protect Mac users from any potential exploits without waiting for a new patch, Cole explained. All a Mac user has to do is uncheck the "open safe files after downloading" option under the "general" section in Safari's preferences.

    Doing so will eliminate the biggest area of risk for Mac users, Cole said. "In general, opening random .ZIP files and trying to download .ZIP files from the Internet is a pretty bad practice to begin with unless you really know what [the file] is."

    Cole said that it is reasonable to expect to see some attack activity from malicious hackers attempting to exploit this vulnerability, but he emphasized that it is easy for Mac users to protect themselves from these attacks.

    "With a little bit of Internet street smarts and just simply unchecking this option, it is not difficult to protect yourself," Cole said.
    So as you are pointing out. Folks shouldn't go brainless at the keyboard and do dumb stuff on-line!!

    Regards. CB.
    Last edited by TZ; 02-23-2006 at 06:57 AM.
    It's a nice nose! I like it! It's chewy!!

  17. #17
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Lightbulb

    [MacInTouch Reader] I just looked into the actual file in the "Heise.jpg.zip" file, and discovered that the exploit has nothing at all to do with file-types. The reason the file runs in Terminal is two-fold:

    1) The file has a 'usro' resource, which designates /Applications/Utilities/Terminal.app as the program to run.
    2) The file has executable permissions.
    As a result, Terminal executes the contents of the file's data-fork, which is a shell script.
    The 'usro' resource is put there with Get Info in the Finder, via the Open With pane.
    Any solution that doesn't address this specific resource will not solve anything. Also, this explains why using the 'zip' command directly causes the file to not run in Terminal. The 'zip' command doesn't know what to do with the __MACOSX sub-dir and its "._*" files that represent resource-forks. As a result, using 'zip' rather than BOMArchiveHelper creates the file WITHOUT its original resource-fork. No resource-fork, no 'usro' resource, so no problem.
    [Rudolf Mittelmann] German computer mag c't reports a severe security problem of Safari: With default preferences Safari executes certain types of shell scripts without asking the user for permission. The shell script usually starts with a "shebang" line like

    #!/bin/bash

    but when the shell script does not have such a line, (and under some more conditions which are usually fulfilled) Safari executes the script on downloading immediately. Even if the script file is named like "image.jpg".
    [MacInTouch Reader] I agree with Mark Sprague, BOMArchiveHelper.app automatically opening files is the problem (there might be some useful cases but BOM should never be allowed to open a file which wants to be opened by Terminal.app).

    If you have Stuffit installed you can also use RCD (both via extension and MIME type) to open .zip and any other compressed formats with it, with that you can still uncompress them in the Finder. However, the next 'virus' might simply override this setting (as the sample Secunia.mov file does) and ask the OS to be opened by BOM, although Safari and Mail might prevent this.
    [Mark Sprague] I have done a little experimentation with the arbitrary shell script execution issue. Several people have suggested quick fixes involving moving or renaming Terminal.app. I think that the problem is in the application BOMArchiveHelper.app, which is the default application for expanding ZIP archives. I downloaded the Heise.jpg.zip archive for testing. When I expand it with BOMArchiveHelper.app (double-clicking it in the Finder), the resulting file runs the shell script in the Terminal.app when double-clicked. When I expand the file with the command line using unzip, the file does not execute in Terminal.app, and the otherwise hidden file that spoofs BOMArchiveHelper.app is revealed.

    My next step was to disable BOMArchiveHelper.app. My first attempt was to change the "Open With" application for a ZIP file using the Get Info window and apply the setting to all files with that extension, but this change would not stick (why?). Since Mac OS X does not have a preference pane or other interface to set default applications (!!), I used RCDefaultApp to set the application associated with the zip extension to "do nothing." This works. Now double-clicking on a ZIP archive does nothing, and I seem to be safe (until another extension has the same vulnerability). The drawback is that I have to expand ZIP archives in the command line.
    References:
    http://www.unsanity.org/archives/000449.php
    Paranoid Android
    http://www.macintouch.com/readerreports/security/
    http://www.kb.cert.org/vuls/id/999708
    Securing your web browser
    http://secunia.com/advisories/18963/
    http://www.heise.de/english/newsticker/news/69862
    Basic Mac OS X Security

    summary:
    "Zero-day exploit" ("Safari Automatically Executes Shell Scripts") a.k.a the resource fork hole

    "Safari Automatically Executes Shell Scripts" vulnerability (zero-day exploit) [#3]: Protective methods, more
    Explanation, fixes for "Safari Automatically Executes Shell Scripts" vulnerability; similar to Widget vulnerability

    OSX/Inqtana.A, OSX/Inqtana.B, OSX/Inqtana.C
    OSX/Inqtana.A, OSX/Inqtana.B worm (#3): Sophos fixes false positive flaw
    OSX/Inqtana.A, OSX/Inqtana.B worm (#2): Sophos AntiVirus software generating false positives, wreaking system havoc
    OSX/Inqtana.A worm affects older versions of Mac OS X 10.4.x (Tiger) -- not found in wild

    Oompa-Loompa Trojan (OSX/Oomp-A or Leap-A)
    Oompa-Loompa Trojan (OSX/Oomp-A) [#3]: ClamXav virus definitions updated; When the trojan will ask for an administrator password
    Virus protection software makers respond to Oompa-Loompa trojan (OSX/Oomp-A); protective methods
    Mac OS X malware "OSX/Oomp-A" discovered -- effects seem innocuous
    Last edited by TZ; 02-24-2006 at 01:02 PM.
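    The two mechanisms described in this thread, the AppleDouble attachment that Apple Mail decodes (post #10) and the `__MACOSX/._*` sidecar that BOMArchiveHelper restores as a resource fork (post #17), share one container format: AppleDouble. The inspection below is an added example written for this page, not code from heise, MacInTouch or any of the quoted readers. It parses the AppleDouble header (magic `0x00051607`, version 2, entry ID 2 = resource fork, ID 9 = Finder info, from the published AppleDouble specification) and flags an image-named archive member that carries either an executable bit or a non-empty resource fork in its sidecar. It does not decode the `'usro'` resource itself; the presence of any resource fork on a "picture" is already the signal a downloads filter would act on. The archive it checks is constructed inline to match the description of Heise.jpg.zip and is not that file.

```python
import io
import posixpath
import struct
import zipfile

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".tif", ".tiff"}
APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION2 = 0x00020000
ENTRY_RESOURCE_FORK = 2
ENTRY_FINDER_INFO = 9


def parse_appledouble(blob):
    """Parse an AppleDouble v2 header ("._name" sidecar); return {entry_id: length}.

    Returns None if the blob is not AppleDouble.  Layout: 4-byte magic, 4-byte
    version, 16-byte filler, 2-byte entry count, then 12-byte (id, offset, length)
    entries, all big-endian.
    """
    if len(blob) < 26:
        return None
    magic, version = struct.unpack(">II", blob[:8])
    if magic != APPLEDOUBLE_MAGIC or version != APPLEDOUBLE_VERSION2:
        return None
    (count,) = struct.unpack(">H", blob[24:26])
    entries = {}
    for i in range(count):
        off = 26 + 12 * i
        if off + 12 > len(blob):
            break  # truncated header: keep what we have
        entry_id, _offset, length = struct.unpack(">III", blob[off:off + 12])
        entries[entry_id] = length
    return entries


def build_appledouble(resource_fork=b"", finder_info=b"\0" * 32):
    """Constructed sample: a minimal AppleDouble v2 blob with Finder info + resource fork."""
    entries = [(ENTRY_FINDER_INFO, finder_info), (ENTRY_RESOURCE_FORK, resource_fork)]
    out = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION2, b"\0" * 16, len(entries))
    offset = 26 + 12 * len(entries)
    for entry_id, payload in entries:
        out += struct.pack(">III", entry_id, offset, len(payload))
        offset += len(payload)
    for _, payload in entries:
        out += payload
    return out


def inspect_archive(data):
    """Return [(member, reason)] for image-named members that could run in Terminal.

    Two signals from the thread: Unix executable bits stored in the zip entry, and a
    __MACOSX/._name sidecar whose AppleDouble resource fork is non-empty (where the
    'usro' open-with binding would live).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = {zi.filename: zi for zi in zf.infolist()}
        for name, zi in infos.items():
            if name.endswith("/") or name.startswith("__MACOSX/"):
                continue
            if posixpath.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            # Unix mode sits in the high 16 bits of external_attr for Unix-made zips.
            mode = zi.external_attr >> 16 if zi.create_system == 3 else 0
            if mode & 0o111:
                findings.append((name, f"image-named member has executable bits (mode {mode & 0o777:04o})"))
            head, base = posixpath.split(name)
            sidecar = posixpath.join("__MACOSX", head, "._" + base)
            if sidecar in infos:
                entries = parse_appledouble(zf.read(sidecar))
                rsrc = entries.get(ENTRY_RESOURCE_FORK, 0) if entries else 0
                if rsrc > 0:
                    findings.append((name, f"AppleDouble sidecar carries a {rsrc}-byte resource fork"))
    return findings


def make_sample_archive(executable=True, with_resource_fork=True):
    """Constructed archive: image.jpg that is really a shell script, plus the sidecar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("image.jpg")
        zi.create_system = 3
        zi.external_attr = (0o100755 if executable else 0o100644) << 16
        zf.writestr(zi, "echo hello from a file that is not a picture\n")
        if with_resource_fork:
            zf.writestr("__MACOSX/._image.jpg", build_appledouble(resource_fork=b"\0" * 286))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_archive(make_sample_archive()):
        print(f"{member}: {reason}")
```

    Mark Sprague's observation that plain `unzip` and `zip` produce a harmless file is what this check encodes: strip or refuse the sidecar and the 'usro' binding is gone. The same `parse_appledouble` applies to an `application/applefile` MIME part, which is how the Apple Mail variant in post #10 carries the fork.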

  18. #18
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Lightbulb Comcast

    Potential Security hole caused by Comcast installation software

    MacFixIt reader Rob Pattay recently alerted us to a potential security hole opened by Comcast's high-speed Internet software.

    Essentially, Comcast's software installs several files into the user's home directory that make use of the setuid flag -- a UNIX convention that changes the effective user ID while a process is being run. In other words, it allows a given program to escalate its privileges and run as -- among other things -- root (the superuser).

    What this means is that the files installed by Comcast have the capability to execute as root without asking for permission -- a dangerous proposition, and an unnecessary security violation enacted by software installed on a large number of Mac OS X users' systems.

    The files installed by Comcast's software (which still makes exclusive use of AppleScript and Internet Explorer) are as follows:

    -rwsr-sr-x 1 root admin 255676 Aug 7 01:23 .netprefs
    -rw-r--r-- 1 root admin 36 Aug 7 01:23 .netprefs_current
    -rw-r--r-- 1 root admin 43740 Aug 7 01:23 .netprefs_services
    -rw-r--r-- 1 root admin 7490 Aug 7 01:23 .netprefs_sets
    -rw-r--r-- 1 root admin 501 Aug 7 01:23 .netprefs_system

    Rob Pattay writes:

    "Turns out what installed these files on my system with setuid in effect was Comcast. My Comcast connection went flakey about a month ago and I ended up having to set it up again using the Comcast installation software."

    Though Comcast's software doesn't appear to have any malicious intent, the precedent (a veritable rootkit) being set is dangerous, and could potentially be used by other malware to cause serious damage.

    You can use the following Terminal command to remove these files if they are present on your system (with no detrimental effects to your Comcast Internet access):

    sudo rm ~/.netprefs*
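    The MacFixIt report above spots the problem by eye from an `ls -l` listing (the `s` in `-rwsr-sr-x`). The code below, an added example written for this page and not MacFixIt's or Comcast's, does the same two ways: it parses listing text of that shape and flags setuid/setgid entries, using the page's own listing as input, and it walks a directory tree (a home directory is the case here, where no setuid file belongs) checking the real mode bits with `os.lstat`. Function names are the example's own.

```python
import os
import stat

# The listing from the MacFixIt report above, used as sample input.
COMCAST_LISTING = """\
-rwsr-sr-x 1 root admin 255676 Aug 7 01:23 .netprefs
-rw-r--r-- 1 root admin 36 Aug 7 01:23 .netprefs_current
-rw-r--r-- 1 root admin 43740 Aug 7 01:23 .netprefs_services
-rw-r--r-- 1 root admin 7490 Aug 7 01:23 .netprefs_sets
-rw-r--r-- 1 root admin 501 Aug 7 01:23 .netprefs_system
"""


def parse_ls_mode(mode_str):
    """Decode a 10-character ls -l mode string into its special bits.

    Position 3 holds setuid (s/S), 6 holds setgid (s/S), 9 the sticky bit (t/T);
    the upper-case forms mean the bit is set without the matching execute bit.
    """
    if len(mode_str) != 10:
        raise ValueError(f"not an ls mode string: {mode_str!r}")
    return {
        "setuid": mode_str[3] in "sS",
        "setgid": mode_str[6] in "sS",
        "sticky": mode_str[9] in "tT",
    }


def flag_setid_in_listing(listing):
    """Run over ls -l output; return [(name, owner, reason)] for setuid/setgid files."""
    flagged = []
    for line in listing.splitlines():
        parts = line.split(None, 8)  # mode links owner group size month day time name
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue  # blank/"total" lines and non-regular files
        bits = parse_ls_mode(parts[0])
        name, owner, group = parts[8], parts[2], parts[3]
        reasons = []
        if bits["setuid"]:
            reasons.append(f"setuid ({owner})")
        if bits["setgid"]:
            reasons.append(f"setgid ({group})")
        if reasons:
            flagged.append((name, owner, ", ".join(reasons)))
    return flagged


def find_setid_files(root):
    """Walk a tree; return sorted [(path, mode, uid)] for regular files with setuid/setgid."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((p, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


if __name__ == "__main__":
    for name, owner, reason in flag_setid_in_listing(COMCAST_LISTING):
        print(f"listing: {name} is {reason}")
    for path, mode, uid in find_setid_files(os.path.expanduser("~")):
        print(f"filesystem: {path} mode {mode:04o} uid {uid}")
```

    A setuid-root binary under `~` is the combination to alarm on: the owner is root, so the file cannot have been created by the user's own tools, yet it lives where the user (and anything running as the user) controls the surrounding directory. The walker reports the uid for that reason.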

  19. #19
    Join Date
    Sep 2004
    Location
    Loma Mar. CA
    Posts
    328

    Default Excuse me?

    Wow. Gobsmacked.

    CB
    It's a nice nose! I like it! It's chewy!!

  20. #20
    Join Date
    Sep 2004
    Location
    Loma Mar. CA
    Posts
    328

    Confused Furthermore...........

    Quote Originally Posted by TZ
    Potential Security hole caused by Comcast installation software

    The files installed by Comcast's software (which still makes exclusive use of AppleScript and Internet Explorer) are as follows:

    -rwsr-sr-x 1 root admin 255676 Aug 7 01:23 .netprefs
    -rw-r--r-- 1 root admin 36 Aug 7 01:23 .netprefs_current
    -rw-r--r-- 1 root admin 43740 Aug 7 01:23 .netprefs_services
    -rw-r--r-- 1 root admin 7490 Aug 7 01:23 .netprefs_sets
    -rw-r--r-- 1 root admin 501 Aug 7 01:23 .netprefs_system

    Rob Pattay writes:

    "Turns out what installed these files on my system with setuid in effect was Comcast. My Comcast connection went flakey about a month ago and I ended up having to set it up again using the Comcast installation software."

    Though Comcast's software doesn't appear to have any malicious intent, the precedent (a veritable rootkit) being set is dangerous, and could potentially be used by other malware to cause serious damage.

    You can use the following Terminal command to remove these files if they are present on your system (with no detrimental effects to your Comcast Internet access):

    sudo rm ~/.netprefs*

    So. If removing the files has no detrimental effect on the operation of the Comcastic Internet Access, what are they for? This seems crazy. Reckless even.

    CB
    It's a nice nose! I like it! It's chewy!!
