Fake "Word 2004 Demo" trojan horse distributed
A Macworld UK story covers a trojan horse for Mac OS X, disguised as an installer for a "demo" version of Microsoft Word 2004, that is circulating through file-sharing networks such as LimeWire and Gnutella. Launching the "demo installer" erases the user's entire home directory.
One clue that this is not a real demo installer: the file is just over 100K, yet it purports to install the full version of Word 2004. If you download such a file, or receive it from another user, do not launch or open it. (According to a Microsoft spokesperson quoted in the Macworld UK article, "Microsoft does not currently offer any Web downloads for Microsoft Office 2004...customers should always download from www.microsoft.com/mac.")
The trojan is simply an AppleScript application (an applet) with a custom installer icon. When the application is launched, it uses AppleScript's ability to execute Unix shell commands (the "do shell script" command) to run a command that deletes the user's home folder. Since the user owns his or her home directory, no authentication is needed: nothing prompts for an administrator password, and the deletion runs with exactly the privileges the user already has over his or her own files.
Intego has announced that the latest virus definitions for its VirusBarrier X anti-virus utility have been updated to protect against this trojan. We expect other OS X anti-virus developers to announce similar updates soon.
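The two red flags the article names (a "full installer" that is only about 100K, and an executable that is really an AppleScript applet) can be checked before anything is double-clicked. The script below is an added example, not code from the article, from Intego or from the trojan itself. It assumes the standard Mac OS X bundle layout (Contents/Info.plist, Contents/MacOS/) and that a Script Editor applet is recognisable by CFBundleExecutable being "applet" together with Contents/Resources/Scripts/main.scpt; the size threshold, the keyword list, and the assumption that string literals in a compiled .scpt survive as plain ASCII or UTF-16 bytes are heuristics chosen for this example. The bundles it inspects are constructed look-alikes, built in a temporary directory so the script runs anywhere.

```python
"""Triage a downloaded .app bundle before launching it (added example)."""
import os
import plistlib
import tempfile

# Strings that have no business in something claiming to be an installer.
SUSPICIOUS = [b"rm -rf", b"rm -r ", b"~/", b"$HOME"]
# A genuine Office installer is far larger than this (threshold is an assumption).
MIN_PLAUSIBLE_INSTALLER_BYTES = 10 * 1024 * 1024


def bundle_size(path):
    """Total size of every file under the bundle directory."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
    return total


def read_info_plist(path):
    """Parse Contents/Info.plist; empty dict if the bundle has none."""
    plist_path = os.path.join(path, "Contents", "Info.plist")
    if not os.path.isfile(plist_path):
        return {}
    with open(plist_path, "rb") as fp:
        return plistlib.load(fp)


def scan_script_literals(path):
    """Suspicious substrings in compiled scripts under Contents/Resources/Scripts.

    Checked as ASCII and as UTF-16 so a literal stored either way is caught
    (how a given .scpt stores its literals is an assumption here)."""
    found = set()
    scripts_dir = os.path.join(path, "Contents", "Resources", "Scripts")
    if not os.path.isdir(scripts_dir):
        return found
    for name in os.listdir(scripts_dir):
        if not name.endswith(".scpt"):
            continue
        with open(os.path.join(scripts_dir, name), "rb") as fp:
            data = fp.read()
        for needle in SUSPICIOUS:
            text = needle.decode("ascii")
            forms = (needle, text.encode("utf-16-be"), text.encode("utf-16-le"))
            if any(form in data for form in forms):
                found.add(text)
    return found


def triage(path, claims_to_install=True):
    """Return findings and a verdict for one bundle."""
    executable = read_info_plist(path).get("CFBundleExecutable", "")
    main_scpt = os.path.join(path, "Contents", "Resources", "Scripts", "main.scpt")
    findings = {
        "size_bytes": bundle_size(path),
        "executable": executable,
        "is_applescript_applet": executable == "applet" and os.path.isfile(main_scpt),
        "suspicious_strings": sorted(scan_script_literals(path)),
        "reasons": [],
    }
    if claims_to_install and findings["size_bytes"] < MIN_PLAUSIBLE_INSTALLER_BYTES:
        findings["reasons"].append("too small to contain what it claims to install")
    if findings["is_applescript_applet"]:
        findings["reasons"].append("executable is the stock AppleScript applet runner")
    if findings["suspicious_strings"]:
        findings["reasons"].append("compiled script contains shell-deletion strings")
    findings["verdict"] = "DO NOT LAUNCH" if findings["reasons"] else "no red flags"
    return findings


def make_fake_bundle(root, name, executable, script=None):
    """Write a minimal bundle (constructed sample, not a real applet)."""
    app = os.path.join(root, name)
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fp:
        plistlib.dump({"CFBundleExecutable": executable, "CFBundlePackageType": "APPL"}, fp)
    with open(os.path.join(app, "Contents", "MacOS", executable), "wb") as fp:
        fp.write(b"\x00" * 1024)  # stand-in for the executable
    if script is not None:
        scripts = os.path.join(app, "Contents", "Resources", "Scripts")
        os.makedirs(scripts)
        with open(os.path.join(scripts, "main.scpt"), "wb") as fp:
            fp.write(script)
    return app


def run_demo():
    """Triage a constructed look-alike of the trojan and a plain bundle."""
    root = tempfile.mkdtemp()
    fake_script = b'stand-in for a compiled script: do shell script "rm -rf ~/"'
    trojan = make_fake_bundle(root, "Word 2004 Demo Installer.app", "applet", fake_script)
    plain = make_fake_bundle(root, "Hello.app", "Hello")
    return triage(trojan), triage(plain, claims_to_install=False)


if __name__ == "__main__":
    for result in run_demo():
        print(result["verdict"], result["reasons"])
```

A "no red flags" verdict is not proof of safety: as the comments below point out, a compiled Cocoa application can do the same deletion with none of these tells, so the check only catches the lazy variant described in the article.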
Resources

protect against malicious AppleScripts? I posted <a href="http://forums.maccentral.com/wwwthreads/showflat.php?Cat=&Board=news040512integophp&Number=667551&page=&view=expanded&sb=5&o=&part=&returnto=http://maccentral.macworld.com/news/2004/05/12/intego/index.php">info on my own "trojan" at MacCentral</a> last night. (And I apologize in advance if the link doesn't work -- the hard line breaks forced here at MFI may break the link. If so, just go to MacCentral.com and look in the comments from yesterday's article on this topic.) Four lines of code, a custom icon, and that's it. Your computer is down. A few changes by someone with more than 5 minutes to spare (about what it took me to write the script, save it as an app, and find the custom icon) could produce devastating effects. But so what? In order to stop this, you'd have to stop <B>all</B> AppleScripts and AS-based apps from executing, a wholly unreasonable (if not impossible) task.
Actually, it's even worse, because, since Apple distributes the developer tools with their OS, anyone with enough mindpower to write a script can write a nice Cocoa app that does the same thing (actually, they can make it look like it's doing something, and then wipe the home folder).
This is why it's generally impossible to stop trojans. It's because they're hiding as something else, and they can look like anything.
[Note that this is another trojan in the same vein as the MP3 trojan, which was just an application that also carried an MP3 file with it, to make it seem like it did something when it deleted your home directory]
Oh, and this could have been more disastrous, if the author had tried. Being that it posed as an installer, they should have prompted for the user's admin password (because you'd expect an installer to ask you that) and then deleted the system files as well...oh well, opportunity lost.
<tt>""""GREAT""""".. now you told them how to delete system files on the next go around...lol
piquing the interest of those who stumble after the darkness of Microsoft's Word. So the antidote clearly lies in ignoring Word and using Nisus Writer Express. :-)
As for AppleScript, I've never had the time or interest to even try using it. I asked myself if this might be used to wreak harm and wondered why there never seemed to be any attacks (on Macs) based on it. Told myself I didn't know enough to justify that question. Now I realize that even a non-user could easily see the potential for harm here. Makes you wonder.
Every OS lets you choose to delete your own files. If you run ANY KIND of
untrustworthy program, it can delete all the files that you could manually.
<P>
This is NOT some kind of weakness in AppleScript. That is just Intego lies. If
it were, it is also a weakness in Pascal, BASIC, C, C++, Objective-C, and the
list goes on. Here's a great example - would you want to confirm every single cached file that your web browser tries to clear from cache? You'd be clicking the OK button hundreds of times every day. Your web browser doesn't use 'do shell script "rm"' to do that.
Read more at: <A href="http://www.danshockley.com/weblog.php">danshockley.com</A> to see just how ridiculous this whole thing is.
Interesting... another "discovery" by Intego.
This is way too suspicious to me.
Although I won't discount it, I'll take this Intego alert with a grain of salt.
Can't dispute the indictment of Intego's, um, "aggressive" marketing.
It's not wrong IMHO to trumpet the treachery of a world in which any child can script a plausible-looking executable with the power to absolutely ruin your day.
Only, publicity makes it much, much worse. The trick has been available for a decade. Now, suddenly, every day is April Fool's :( .
by prendergast May 13, 2004 4:21 PM PDT
First "proof of concept", then the "real thing" - those Intego people are so switched on, one might be forgiven for thinking they created the whole thing.