MacOS Wanna Have Virus Too

Gosh, dudes, this is exciting: Open iChat and see whether you caught one! Sophos reports in "First ever virus for Mac OS X discovered" that the "OSX LEAP-A worm spreads via iChat instant messaging software."

And? \*Sigh\* Nope. Nothing in my iChat. I was so looking forward to downloading the worm, double-clicking it, then entering my sudo password... What? Yes, it seems MacOS is less user-friendly than most people think. ;-)

If you don't know yet how the LEAP worm works, I recommend this extremely enlightening daringfireball article about how you get from Smart Crash Reports to InputManager hacks -- InputManagers are loaded automatically from the Library folder to add new functions to running apps as soon as the user starts them...

Are you thinking what I'm thinking? 8-|

Interestingly, the first (and only!) report of this virus said it came in a tgz-file -- a gzipped tar archive, which can be set to keep the original file permissions. Such as... an 'executable' permission on a file with a custom icon whose name happens to end in .jpg, for example...

Preliminary fix?

  • If you have a folder /Library/InputManagers, use ls -la to check what's in there. If it's fishy, delete it. ;-) If you don't have this folder, create it (before another app creates it for you with unpleasant permissions).
    sudo mkdir /Library/InputManagers

  • Write-protect your InputManagers folder (and all its contents, if you trust them) for everyone but root.
    sudo chown -R root:wheel /Library/InputManagers/
    sudo chmod -R go-w /Library/InputManagers/

  • Do the same for all /Users/\*/Library/InputManagers/

  • If you want to prevent any Smart Crash Reporter from ever installing, create an empty locked root-owned file named "Smart Crash Reporter" in every InputManagers folder.

  • General Tip: Do not use a root account for daily work. Don't make users who don't know what this all means sudoers (i.e. don't let them "administrate this Mac" in System Preferences > Users). If you yourself are working with a sudoer account... refrain from entering your sudo password into any old dialog that pops up. =-)

Phew. We did it. For now... :( See you again at the next worm!

Comments:

I think it is a bit far-fetched to call this a virus... perhaps trojan would be a more appropriate description.

Posted by che Kristo on February 16, 2006 at 05:24 PM CET #

Yes, as you can see, the original Sophos page later added a PS to its article discussing that the term virus in the headline was not well chosen, and one could argue for Trojan Horse or even Worm. "Virus" is just a good word to use in a headline -- simply because it attracts readers. IIRC, BBC had a headline about a "worm in an apple". X-)

Posted by Seapegasus on February 19, 2006 at 04:25 AM CET #
