TidBITS / TidBITS Talk

New AppleScript Trojan horse

Chuck Edwards - 09:03am May 19, 2004 PST

Just thought you should be aware of the odd event in the last run of my Symantec Norton Anti-Virus program V8.0.4, running under OS 10.2.8. This was the first run under the new Definitions Date of 5/13/04.

The log shows:

Problems encountered: Cache Out X Sal/Applications/Utilities/System Maintenance/Cache Out X/ A strain of AS.MW2004.Trojan was repaired The file was deleted.

Odd that this new Mac Trojan virus seemed to be detected in CacheOut X, an old application from September 2002, especially since the trojan is only supposed to occur in the faked MS Word OS X Installer. Fortunately, I was no longer using the CacheOut program, as its functionality has been incorporated into newer utilities I use. Nonetheless, the anti-virus program did fully delete the program, as shown in the log.

<http://db.tidbits.com/getbits.acgi?tbart=07669>



Matthew Stevens - May 19, 2004 9:19 am (#1 Total: 7)  

Re: Mac OS X Trojan Horse

Adam wrote: "If Trojan horse reports continue to roll in, the fault will lie with Intego and everyone else who published the instructions."

Certainly Intego hasn't helped, but the real fault lies with the idiot who writes the Trojan horse. Scum like Trojan horse creators actively choose to create havoc. This is a whole lot worse than merely telling people how to do it.

[Of course. But if such scum are enabled by these detailed reports published in mainstream publications, there's some responsibility there too. You don't see recipes for fertilizer bombs in the morning newspaper, even though how to make them is not a secret. -Adam]

kirklists (apparently) - May 20, 2004 7:49 pm (#2 Total: 7)  

Re: New AppleScript Trojan horse

On 5/19/04 6:03 PM, "Chuck Edwards" <tidbitscatherwoodproductions.com>
wrote:

>
> Odd that this new Mac Trojan virus seemed to be detected in CacheOut X, an old
> application from September 2002, especially since the trojan is only supposed
> to occur in the faked MS Word OSX Installer. Fortunately, I no longer was
> using the CacheOut program as its functionality has been incorporated into
> newer utilities I use. Nonetheless, the Anti-virus program did fully delete
> the program as shown in the log.

It's because this program uses the same command as the Trojan horse. I saw a
similar alert from VirusBarrier for the TrashIt program, an AppleScript that
deletes recalcitrant files in the Trash.

Kirk

              Co-author of Microsoft Office v. X Inside Out
                http://www.mcelhearn.com/insideout.html
  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  . . . . . . . kirkmcelhearn.com | http://www.mcelhearn.com . . . . . .
  . . Kirk McElhearn | Chemin de la Lauze | 05600 Guillestre | France . .

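An added illustration of the false positive Kirk describes above (example code written for this page, not Symantec's, Intego's, CacheOut X's or TrashIt's own code): a crude signature that flags any applet whose shell-out string runs `rm`, beside a check that looks at where the deletion is aimed. The Standard Additions command is assumed here to be `do shell script`; the AppleScript one-liners, the signature pattern and the list of "scratch" directories are all constructed assumptions, since the thread never gives the real signature or the trojan's text.

```python
import re
import shlex

# Constructed AppleScript one-liners standing in for a cache cleaner and a
# trash emptier (benign utilities of the kind the thread says were flagged),
# a hypothetical destructive script, and a script that never deletes anything.
# None of these is the real trojan or the real CacheOut X / TrashIt source.
SAMPLES = {
    "cache_cleaner": 'do shell script "rm -rf ~/Library/Caches/*"',
    "trash_emptier": 'do shell script "rm -rf ~/.Trash/*"',
    "destructive": 'do shell script "rm -rf ~/Documents"',
    "backup_copy": 'do shell script "cp -R ~/Documents /Volumes/Backup/"',
}

# Assumed crude signature: flag any applet whose shell string runs rm.
# A rule like this is what makes a cleaner utility look like the trojan.
CRUDE_SIGNATURE = re.compile(r'do shell script\s+"[^"]*\brm\b')

# Assumed scratch locations where a user-level utility deleting files is expected.
SAFE_PREFIXES = ("~/Library/Caches", "~/.Trash", "/tmp", "/var/tmp")

# Literal string argument of a do shell script call (backslash escapes allowed).
_SHELL_STRING = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')


def crude_match(source: str) -> bool:
    """Signature scanner: True whenever rm appears inside a do shell script string."""
    return CRUDE_SIGNATURE.search(source) is not None


def rm_targets(source: str) -> list[str]:
    """Return the non-flag arguments of every rm command found in the shell strings.

    Only literal shell strings are handled; a real scanner would also need to
    follow paths assembled at run time (quoted form of, POSIX path of ...).
    """
    targets: list[str] = []
    for match in _SHELL_STRING.finditer(source):
        shell_text = match.group(1).replace('\\"', '"')
        # Split a pipeline or command list into its individual simple commands.
        for command in re.split(r"\s*(?:;|&&|\|\||\|)\s*", shell_text):
            try:
                argv = shlex.split(command)
            except ValueError:
                # Unbalanced quoting: keep the raw text so it is treated as an unknown target.
                targets.append(command)
                continue
            if argv and argv[0] == "rm":
                targets.extend(arg for arg in argv[1:] if not arg.startswith("-"))
    return targets


def scoped_verdict(source: str) -> str:
    """'clean' (no rm), 'benign-rm' (every target in a scratch dir), or 'suspicious'."""
    targets = rm_targets(source)
    if not targets:
        return "clean"
    if all(target.startswith(SAFE_PREFIXES) for target in targets):
        return "benign-rm"
    return "suspicious"


def compare(samples: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Run both checks over every sample: name -> (crude signature hit, scoped verdict)."""
    return {name: (crude_match(src), scoped_verdict(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, (crude, scoped) in compare(SAMPLES).items():
        print(f"{name:14s} crude={'FLAG' if crude else 'ok  '} scoped={scoped}")
```

Run stand-alone, the crude signature flags the cache cleaner, the trash emptier and the destructive script alike, which is the behaviour the thread reports; the scoped check clears the two utilities and keeps the hit on the script that deletes outside a scratch directory. The scoped check is only a heuristic: a script that builds its path at run time, or one that deletes via a different tool, slips past it, so it is a complement to an AV signature rather than a replacement.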

John C. Welch (apparently) - May 20, 2004 7:49 pm (#3 Total: 7)  

Re: New AppleScript Trojan horse

On 5/19/04 11:19 AM, "Matthew Stevens" <mlszeta.org.au> wrote:

> Adam wrote: "If Trojan horse reports continue to roll in, the fault will lie
> with Intego and everyone else who published the instructions."
>
> Certainly Intego hasn't helped, but the real fault lies with the idiot who
> writes the Trojan horse. Scum like Trojan horse creators actively choose to
> create havoc. This is a whole lot worse than merely telling people how to do
> it.
>
> [Of course. But if such scum are enabled by these detailed reports published
> in mainstream publications, there's some responsibility there too. You don't
> see recipes for fertilizer bombs in the morning newspaper, even though how to
> make them is not a secret. -Adam]

I have to disagree there...the Office 2004 trojan horse takes exactly one
line of AppleScript. It's a command in Standard Additions, well-documented.
In fact, I'm not sure why it took over 100K. My own test version
took only 40-some K for the applet, and another 50+K for the icon. Maybe
whoever did this isn't terribly good with AppleScript.

[No, it really is only one line. It's unclear why it's 108K. -Adam]

A trojan that relies on a human double-clicking it can do amazing amounts
of damage with no passwords, no authentication, and no "black magic, uber-
secret" tricks. Anyone with Script Editor, some very BASIC Unix knowledge and
an hour of time could replicate that trojan.

Secondly, it's not a newspaper. It's a security alert, even if it's
disguised as a press release. Details SHOULD be given. Otherwise, how is
someone going to know what to look for?

[Because the security alert will tell them what sort of file to look out for and what kind of behavior to avoid. The fact that it's written in a particular language, no matter how common, doesn't help someone avoid double-clicking it unless everyone is going to verify every download in Script Editor before launching. And as I've been discussing with others, there's a difference between openness and publicity. -Adam]

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com


kreme (apparently) - May 20, 2004 7:49 pm (#4 Total: 7)  

Re: New AppleScript Trojan horse

On 19 May 2004, at 10:19, Matthew Stevens wrote:
> Adam wrote: "If Trojan horse reports continue to roll in, the fault
> will lie with Intego and everyone else who published the
> instructions."
>
> Certainly Intego hasn't helped, but the real fault lies with the
> idiot who writes the Trojan horse. Scum like Trojan horse creators
> actively choose to create havoc. This is a whole lot worse than merely
> telling people how to do it.

At least in the case of the fake MS Office 108K "Demo" I would put the
blame 100% on the moron who downloaded and ran it.

ungeheier (apparently) - May 21, 2004 4:04 pm (#5 Total: 7)  

Re: New AppleScript Trojan horse

This goes back to all the old Windows 'trojans' that plagued Windows
for so long until people (let's hope they still do) stop 'double
clicking' on files they shouldn't trust.

This isn't a Mac OR Windows security issue, it's a HUMAN security issue.

kirklists (apparently) - May 24, 2004 9:57 am (#6 Total: 7)  

Re: New AppleScript Trojan horse

On 5/22/04 1:04 AM, "Christopher R. Ungeheier" <ungeheiermac.com> wrote:

>
> This goes back to all the old Windows 'trojans' that plagued Windows
> for so long until people (let's hope they still do) stop 'double
> clicking' on files they shouldn't trust.
>
> This isn't a Mac OR Windows security issue, it's a HUMAN security issue.

Many people have said this, as if it exonerates Mac OS X. But it doesn't
matter if it's a "human" issue or not. Many people double-click files with
abandon, because that's the way we interact with computers. Only a tiny
majority of people actually think twice before double-clicking; though in
the Windows world it has gotten better.

On Windows, everyone talks about viruses and trojans for things that are
"human security issues". Why is the terminology different for Macs?
 
 
Kirk
 
            My Latest Book: Mastering Mac OS X: Panther Edition
                  http://www.mcelhearn.com/panther.html
  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  . . . . . . . kirkmcelhearn.com | http://www.mcelhearn.com . . . . . .
  . . Kirk McElhearn | Chemin de la Lauze | 05600 Guillestre | France . .


ungeheier (apparently) - May 24, 2004 9:57 am (#7 Total: 7)  

Re: New AppleScript Trojan horse

On May 22, 2004, at 12:13 AM, Kirk McElhearn wrote:

> On 5/22/04 1:04 AM, "Christopher R. Ungeheier" <ungeheiermac.com> wrote:
>
>> This goes back to all the old Windows 'trojans' that plagued Windows
>> for so long until people (let's hope they still do) stop 'double
>> clicking' on files they shouldn't trust.
>>
>> This isn't a Mac OR Windows security issue, it's a HUMAN security issue.
>
> Many people have said this, as if it exonerates Mac OS X. But it doesn't
> matter if it's a "human" issue or not. Many people double-click files with
> abandon, because that's the way we interact with computers. Only a tiny
> majority of people actually think twice before double-clicking; though in
> the Windows world it has gotten better.
>
> On Windows, everyone talks about viruses and trojans for things that are
> "human security issues". Why is the terminology different for Macs?

Let me start off by saying, I'm not trying to exonerate any OS in my
comment. I've been a user of Windows since 3.11, and only recently moved
to OS X late last year. So, don't get me wrong, I'm not trying to do the
'ours is better than yours' thing.

I guess it all stems from education. Remember, this Trojan was a file
taken from a P2P network. Now, just the simple fact that you're
getting files from a P2P network should be a little suspicious.
Secondly, NOTHING from a P2P network should really be trusted, just for
the fact that you have no idea WHO it is you are getting files from.

This guy was 'downloading' Office. Who knows who put that file up.
Maybe Microsoft, maybe just someone out to mess up people looking for
something free. Either way, the file wasn't what the user thought it
was (as with most of the files on P2P networks (remember the record
labels putting out false MP3s on Napster)).

Sure we interact with files by double clicking them, but it's not
Microsoft or Apple's fault that you're running a file that isn't what
you think it is.

There's no exploit with this trojan, other than exploiting the 'human
factor'.

It's about the same argument of someone saying 'i was in IRC, and the
guy said that to fix the help problem i had to type in: rm / ....
whatever'. (not going to go into specifics)

Is it Apple's fault that someone can be tricked into doing just about
anything on their computer?

I don't feel it is.


