Re: trojan horse for Mac os x - Of course it Microsoft related
- Subject: Re: trojan horse for Mac os x - Of course it Microsoft related
- From: Jakob Peterhänsel <email@hidden>
- Date: Wed, 12 May 2004 22:06:07 +0100
- Resent-date: Wed, 12 May 2004 22:06:52 +0100
- Resent-from: Jakob Peterhänsel <email@hidden>
- Resent-message-id: <email@hidden>
- Resent-to: Applescript List <email@hidden>
Ahh.. could we PLEASE stop this kind of message?
It's a trojan - and there is, as the name implies, nothing but
user-errors involved.
If you're so stupid and launched an 'installer' for MS Office 2004 (that's
not yet released!) of 104Kb, you're simply asking for it. Ok?
Doh!
____________________________________________
Jakob Peterhänsel
Network Consultant
Tel: +45 7022 1014
Fax: +45 7022 1013
Mob: +45 22 68 49 61
email@hidden
www.NetPoint.com
On 12 May 2004, at 20:23, roncross wrote:
Begin forwarded message:
From: roncross <email@hidden>
Date: May 12, 2004 12:21:01 PM MST
To: XUsers Discussion List <email@hidden>
Subject: trojan horse for Mac os x - Of course it Microsoft related
http://www.macosxhints.com/
A warning on a new destructive 'trojan horse'
Wed, May 12 '04 at 01:10PM from: robg
From robg's website, macosxhints:
This is a somewhat non-standard hint, but I felt it was worth
mentioning and discussing. Later today, if not already, you'll
probably be reading a lot about a new OS X trojan horse, as first
reported by Macworld UK, and then covered in an Intego press release.
According to Macworld UK and Intego, the trojan horse is a script that
has been neatly saved as a clickable application, complete with a
custom Microsoft Office icon. Double-click it, and your user's folder
contents are history. Note that this is not a virus; it cannot email
itself to others, nor replicate over a network, etc.
After reading the article and the press release, I think it's pretty
obvious what the program is doing -- I suspect it's nothing more than
a one-line AppleScript. Although some (perhaps many) will disagree
with me, I'm going to publish what I think the exploit to be, because
it's not a huge secret. Basically, my guess is that the trojan horse
is a one-line AppleScript that contains the following UNIX command (in
the script, the command will be accessed via the AppleScript method
for calling a shell command, but I'm not going to bother including
that part here):
rm -rf ~
WARNING!! DO NOT USE THIS COMMAND! YOU WILL ERASE YOUR USER'S
DIRECTORY!
I feel it's important that everyone understand the above command, and
know what it looks like -- the more people who know what this line
does and how it works, hopefully the fewer who will be fooled by it.
And to claim that this is some "deep dark secret" that needs to be
hidden is, in my opinion, trying to hide from the truth -- more
"security by obscurity," which we all know doesn't work well at all.
rm -rf is a very standard, very useful Unix command. In fact, if you
search macosxhints (using the advanced search page) for the 'exact
phrase' rm -rf, you'll get fully three pages of matches.
What makes it troublesome in this case is simply that it's called
from a program where the typical user will not know what's happening,
and will be shocked at the outcome. But listing the command is not
like explaining how to write a self-replicating virus that spreads
from machine to machine -- this is common knowledge to probably at
least a couple of million OS X users who have some knowledge of Unix.
For those that don't know Unix, rm is "move to and empty trash," -r
is "do this for all items and folders within this folder," the f means
"force removal without confirmation," and the ~ means "the user's
directory." Spelled out, this means that the script will, without
warning or user intervention, delete everything in the user's folder.
Permanently.
thanks
Ronald Cross
thanks
Ronald Cross
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.
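An added example, not part of the original message or of the hint it quotes: a small check a reviewer could run over shell command strings already extracted from a script, flagging any recursive rm aimed at the user's directory itself. The function names, the list of home-directory spellings and the sample lines are assumptions made for this illustration.

```python
import os
import shlex

HOME_FORMS = {"~", "$HOME", "${HOME}"}  # spellings of "the user's directory"
PUNCT = set("();<>|&")                  # shell operators that end a command

def split_commands(line):
    """Tokenise a shell line; yield one argv list per simple command."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    argv = []
    for tok in lex:
        if tok and set(tok) <= PUNCT:   # ;  &&  ||  |  and similar
            if argv:
                yield argv
            argv = []
        else:
            argv.append(tok)
    if argv:
        yield argv

def is_home(target):
    """True for the home directory itself or a glob over all of it."""
    if target.endswith("/*"):
        target = target[:-2]
    return target.rstrip("/") in HOME_FORMS

def wipes_home(line):
    """True if the line runs rm recursively against the home directory.
    -f is not required: it only suppresses prompts and error messages."""
    for argv in split_commands(line):
        if os.path.basename(argv[0]) != "rm":
            continue
        recursive, opts, targets = False, True, []
        for arg in argv[1:]:
            if opts and arg == "--":             # end of options
                opts = False
            elif opts and arg.startswith("--"):  # GNU long option
                recursive |= arg == "--recursive"
            elif opts and arg.startswith("-") and len(arg) > 1:
                recursive |= "r" in arg or "R" in arg   # -rf, -fr, -R
            else:
                targets.append(arg)
        if recursive and any(is_home(t) for t in targets):
            return True
    return False

# Constructed sample lines, not taken from the trojan itself.
SAMPLES = ["rm -rf ~", "cd /tmp && /bin/rm -f -R \"$HOME\"/",
           "rm -rf ~/Library/Caches/com.example.app", "echo 'rm -rf ~'"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(wipes_home(s), s)
```

Because the line is tokenised the way a POSIX shell would, a quoted mention of the command (the echo sample) and a recursive delete of a single subfolder are not flagged.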