Thursday February 16, 2006 Seapegasus Blog
Thursday February 16, 2006 Gosh, dudes, this is exciting: Open iChat and see whether you caught one! Sophos reports in "First ever virus for Mac OS X discovered" that the "OSX LEAP-A worm spreads via iChat instant messaging software."
And? *Sigh* Nope. Nothing in my iChat. I was so looking forward to downloading the worm, double-clicking it, then entering my sudo-password... What? Yes, it seems MacOS is less user-friendly than most people think. ;-)
If you don't know yet how the LEAP worm works, I recommened this extremely enlightening daringfireball article about how you get from smart crash Reports to InputManager hacks -- InputManagers are loaded automatically from the Libraries folder to add new functions to running apps as soon as the user starts them...
Are you thinking what I'm thinking? 8-|
Interestingly, the first (and only!) report of this virus said it came in a tgz-file -- a zipped tar archive that can be set to archive files while keeping the original permissions. Such as... an 'executable' permission on a file with a custom icon that happens to end in .jpg for example...
Preliminary fix?
- If you have a folder /Library/InputManagers, use
ls -lato check what's in there. If it's fishy, delete it. ;-) If you don't have this folder, create it (before another app creates it for you with unpleasant permissions).sudo mkdir /Library/InputManagers
- Write-protect your InputManager folder and (all its contents, if you trust them) for everyone but root.
sudo chown -R root:wheel /Library/InputManagers/ sudo chmod -R go-w /Library/InputManagers/
- Do the same for all
/Users/*/Library/InputManagers/ - If you want to preven any Smart Crash Reporter from ever installing, create an empty locked root-owned file named "Smart Crash Reporter" in every InputManager folder.
- General Tip: Do not use a root account for daily work. Don't make users sudoer (they may not " administrate this Mac" in System Preferences > Users) who don't know what this all means. If you yourself are working with a sudoer account... refrain from entering your sudo password into any old dialog that pops up. =-)
Phew. We did it. For now... :( See you again at the next worm!
Posted by seapegasus ( Feb 16 2006, 11:29:26 PM CET ) Permalink Comments [2]
