Thursday, February 16, 2006

Mac users, don't panic, but heads up 

People are calling it the "first Mac OS X virus", then collapsing into arguments about whether it's actually a "Trojan", and then getting really confused.

Here's what happened.

Someone posted a file to a forum, which he claimed was screenshots of the next OS X release. It was a .tgz file, which is sort of the Unix equivalent of StuffIt. You could have downloaded it and unpacked it safely. But then the next step would have been dangerous, because (and here's the important part): it unpacked into a file that had the same ICON as a JPEG image but which was actually a program. If you had double-clicked the phony JPEG icon in the hope of seeing the future, you would have started that program and it would have made a buggy attempt to insert itself into other programs on your computer (breaking them all in the process) and then sent copies of itself to your buddies on iChat. But, and here's another important thing, first it would have asked for your Administrator password.

Things to do

If you get that popup asking for your Administrator password, stop and think. Are you installing software? From someone you've got a reason to trust? Are you making a change to how the system works? If not, say "no". That dialog is a security feature, not a video game to train you to enter a password as fast as possible. No way would it be legitimate for opening a picture.

Be a little more suspicious, sadly, of files from people you don't know.

Be a little more suspicious, sadly, of files from people you do know. That file from your iChat buddy could in theory be a file from a virus on your iChat buddy's computer.

Check whether that so-called picture has a preview. This piece of malware pretended to be a JPEG but didn't have a preview icon. That was a clue that it was a wolf in sheep's clothing.
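
The content check behind that last tip, as an added example that is not part of the original post: it lists a .tgz without unpacking it and reads each file's first bytes to tell a real JPEG from a Mach-O program (the Mac OS X executable format). The archive contents and file names below are constructed samples.

```python
import io
import tarfile

# Leading bytes identify a file's real type, whatever its icon or name says.
JPEG_MAGIC = b"\xff\xd8\xff"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O, either byte order
    b"\xca\xfe\xba\xbe",  # universal (fat) binary; Java class files share this
}

def classify(head):
    """Name the content type from the first bytes of a file."""
    if head[:4] in MACHO_MAGICS:
        return "program"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    return "other"

def audit_tgz(fileobj):
    """List (name, kind, suspicious) for each regular file, without extracting."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            kind = classify(tar.extractfile(member).read(4))
            executable = bool(member.mode & 0o111)
            # Flag native programs, and anything runnable that is not an image.
            suspicious = kind == "program" or (executable and kind != "jpeg")
            findings.append((member.name, kind, suspicious))
    return findings

def build_sample_tgz():
    """Constructed sample: a JPEG header and a Mach-O header posing as pictures."""
    samples = [
        ("pics/real.jpg", JPEG_MAGIC + b"\xe0" + b"\0" * 16, 0o644),
        ("pics/screenshots", b"\xfe\xed\xfa\xce" + b"\0" * 16, 0o755),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in samples:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, kind, suspicious in audit_tgz(build_sample_tgz()):
        print("WARN" if suspicious else "ok  ", kind, name)
```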

Technical article by Andrew Welch about the "Oompa-Loompa" (aka "OSX/Oomp-A") virus or Trojan, for your technical friends.
