November 6, 2006 12:15 PM PST

OS.X Macarena 'virus' (#2): No viable threat posed; Not exploiting a Mac OS X bug; not a 'warning' of more viruses to come

by CNET staff

Intego is the latest publisher of Mac OS X antivirus software to document, and claim protection against, the largely innocuous OSX.Macarena virus: a simple C program, not found in the wild (it exists only as a proof of concept), that can infect files in its own directory on Intel-based Macs.

The statement from Intego reads:

"The virus can only infect Intel-based OS X computers. It consists of a C source file, an Assembler 'dropper' file, and documentation that explains how to create a virus that can infect Macintosh OS X binary files. Compiling the source code creates two binaries, the OS X virus file itself, and the dropper. The dropper is intended to infect Mac OS X binary files from a Windows installation on the current machine. This can be either via Apple's Boot Camp, or via a virtualization application such as Parallels Desktop for Mac.

"The virus only infects mach-o binary files, not Universal or PowerPC binaries. [Ed- We assume that Intego means to say that the virus infects only Intel Mach-O binaries]

"Mach-o (Mach object file format) is the native file format used for executables by Mac OS X's Mach kernel. The virus does not carry a payload. When run it infects other executables in the current directory, regardless of their name or extension."

Again, OSX.Macarena poses no viable threat as currently conceived. Although we don't have our hands on the virus source code, according to Symantec (which initially publicized the virus last week) OSX.Macarena can infect neither PowerPC-only binaries nor Universal binaries; it can only affect binaries that are Intel-specific. That would include various system files, but since OSX.Macarena can only infect files in its own directory and has no means of gaining the privileges needed to reach the directories where most system files are stored, the threat level is mitigated.

Further, it can be reasonably said that this "virus" is no more than a basic exploitation of the way UNIX permissions are designed to operate. By default, an application may modify any file its user can write, including files that reside in its own directory. It's somewhat akin to writing a shell script that deletes one or more (or all) files in the user's home directory and then distributing that script as a download: running the script has a malicious outcome, but there would be no way to prevent its operation without changing the granularity of permissions in Mac OS X (assigning some applications tighter restrictions than the default user-level permissions allow) -- something Apple may or may not enact in Mac OS X 10.5 (Leopard).
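The two properties the article relies on, that only Intel-specific (thin) Mach-O images are affected and that a process can only touch files its own user is allowed to write in the directory it runs from, can be checked for any directory with a small inventory script. The following is an added example written for this page; it is not code from the article, from Intego or from Symantec. It reads only the Mach-O and fat header magics and the cputype fields (constants as defined in Apple's <mach-o/loader.h> and <mach-o/fat.h>), the function names and the embedded sample headers are the example's own constructions, and the samples are a few header bytes rather than real binaries so the script runs offline.

```python
import os
import struct
from typing import Dict, List, Optional, Tuple

# Header magics from <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC = 0xFEEDFACE      # 32-bit thin image, stored in the image's own byte order
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit thin image
FAT_MAGIC = 0xCAFEBABE     # Universal (fat) wrapper, always stored big-endian

CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7: "i386",
    7 | CPU_ARCH_ABI64: "x86_64",
    18: "ppc",
    18 | CPU_ARCH_ABI64: "ppc64",
}
INTEL = {"i386", "x86_64"}


def mach_o_arches(data: bytes) -> Tuple[Optional[str], List[str]]:
    """Classify the leading bytes of a file.

    Returns ("fat", [arch, ...]) for a Universal image, ("thin", [arch]) for a
    single-architecture image, or (None, []) when the bytes are not Mach-O.
    """
    if len(data) < 8:
        return None, []
    (magic_be,) = struct.unpack_from(">I", data, 0)
    (magic_le,) = struct.unpack_from("<I", data, 0)

    if magic_be == FAT_MAGIC:
        # fat_header {magic, nfat_arch} is followed by nfat_arch 20-byte fat_arch
        # records: cputype, cpusubtype, offset, size, align (all big-endian).
        (nfat,) = struct.unpack_from(">I", data, 4)
        # Java class files share this magic; there the next word is the class-file
        # version (45 and up), which is not a plausible slice count.
        if not 0 < nfat < 20:
            return None, []
        arches = []
        for i in range(nfat):
            off = 8 + i * 20
            if off + 20 > len(data):
                break
            cputype = struct.unpack_from(">i", data, off)[0]
            arches.append(CPU_NAMES.get(cputype, f"cputype:{cputype:#x}"))
        return "fat", arches

    # A thin image stores its header in its own byte order: Intel images are
    # little-endian (bytes ce fa ed fe), PowerPC images big-endian (fe ed fa ce).
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        order = "<"
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        order = ">"
    else:
        return None, []
    cputype = struct.unpack_from(order + "i", data, 4)[0]
    return "thin", [CPU_NAMES.get(cputype, f"cputype:{cputype:#x}")]


def classify(data: bytes) -> str:
    """Map a file's leading bytes to the categories the article distinguishes."""
    kind, arches = mach_o_arches(data)
    if kind is None:
        return "not-mach-o"
    if kind == "fat":
        return "universal"
    if arches[0] in INTEL:
        return "intel-only"
    if arches[0] in ("ppc", "ppc64"):
        return "powerpc"
    return "other-mach-o"


def summarize(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group file names by classification (pure function, used by audit_directory)."""
    groups: Dict[str, List[str]] = {}
    for name, data in files.items():
        groups.setdefault(classify(data), []).append(name)
    return {k: sorted(v) for k, v in groups.items()}


def audit_directory(path: str) -> Dict[str, List[str]]:
    """Summarize one directory and list the Intel-only images the current user
    could write: the only files a same-directory infector run by this user could touch."""
    files: Dict[str, bytes] = {}
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                files[entry.name] = fh.read(4096)  # the headers fit in the first page
    groups = summarize(files)
    groups["writable-intel-only"] = [
        n for n in groups.get("intel-only", []) if os.access(os.path.join(path, n), os.W_OK)
    ]
    return groups


# Constructed sample headers (not real binaries): only the fields the checks read.
SAMPLES = {
    "intel_thin": struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, 0, 0, 0),
    "x86_64_thin": struct.pack("<IiiIIIII", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0),
    "ppc_thin": struct.pack(">IiiIIII", MH_MAGIC, 18, 0, 2, 0, 0, 0),
    "universal": struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">iIIII", 18, 0, 4096, 1000, 12)
    + struct.pack(">iIIII", 7, 3, 8192, 1000, 12),
    "java_class": struct.pack(">IHH", 0xCAFEBABE, 0, 49),
    "script": b"#!/bin/sh\necho not a binary\n",
}

if __name__ == "__main__":
    import sys
    print("samples:", summarize(SAMPLES))
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for group, names in sorted(audit_directory(target).items()):
        print(f"{group}: {len(names)}")
```

Run against a directory of Apple's own binaries, the script gives the same picture as the comments below describe: almost everything is "universal", and only the files that land in "writable-intel-only" are both in the affected format and writable by the user running it.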

Symantec acknowledged to MacFixIt:

"I think the phrase 'proof of concept' which is used in the write-up may have caused some confusion. This is not a threat which is exploiting some bug, rather the concept that is being proven is that Mach-O files can be infected, and that Mac OSX file infecting viruses are therefore possible."

Also, as has been the case with virtually all purported Mac OS X viruses documented by anti-virus firms thus far, there is no reliable vector for the spread of OSX.Macarena: a user would have to locate the source file, download it, compile it and run the resulting virus for any effect to occur.

As a result of these considerations, OSX.Macarena has served less as a "warning shot" across the bow of Mac OS X than as a reiteration of just how difficult it is to write an effective virus for the operating system.

Feedback? Late-breakers@macfixit.com.

Comments (9)
    by eieioblr November 6, 2006 1:31 PM PST
    Oh, my God!

    The virus is available on a major virus site.
    But not on that name, as Antivirus Vendors don't use the original hacker names.

    Google may be your enemy.

    Why is it possible that 3 days after the alert, a site continues to deliver the virus?

    I can't understand that.
    by eieioblr November 6, 2006 2:06 PM PST
    a simple search:

    Infecting Mach-O Files

    Who is working at google or yahoo here?

    Please eradicate the threat as soon as possible!
    by MacFixItUser November 6, 2006 3:57 PM PST
    The more stable and virus-free Mac OS X becomes, the more nervous anti-virus companies get. Who writes these concepts of viruses? Perhaps someone at work?
    by Mark Douma November 6, 2006 6:35 PM PST
    "The virus only infects mach-o binary files, not Universal or PowerPC binaries."

    What the hell is that supposed to mean? Or perhaps they forgot the word "Intel"?

    "... only infects Intel Mach-O binary files, not Universal or PowerPC..."?
    by Man Cubus November 7, 2006 12:52 AM PST
    Oh my God.
    The program that can edit files if you launch it - they call that a virus!
    Come on, bring on something that does this without a user consent or knowledge!
    Otherwise I call my TextEdit a virus!
    by nuheatuk November 7, 2006 2:43 AM PST
    Hi there, can someone help? I have a Mac user where I work who cannot do a search on her hard drive and is generally not happy. She said it started when she looked at images on Google. Could she have this virus?? I have updated Symantec and am running a full scan. Please help!!!

    thanks

    jamie
    by bengstra November 7, 2006 2:43 AM PST
    > In reply to the previous comment by nuheatuk

    NO. No. NO.

    It's NOT a virus, it doesn't exist in the real world and can't be run without a programmer attached to it. This is why I hate the anti-virus panic companies.

    It's probably either a drive directory issue or a corrupted spotlight plist or such. Run Disk Utility.
    by nuheatuk November 7, 2006 2:43 AM PST
    >> In reply to the previous comment by bengstra

    Thanks very much for clarifying this!!! Will this utility remove anything or do any damage to the Mac as such?? Thanks for your advice.
    by Mark Douma November 7, 2006 4:41 AM PST
    Thanks for adding the clarification regarding "Intel-only Mach-O binaries".

    Given the fact that probably only 0.5% of the Mach-O objects that Apple provides are Intel-only (the rest are Universal) that's yet another reason that this would have virtually no effect.