Seapegasus Blog

« Not many fishes are... | Main | Exporting Bookmarks... »

Thursday February 16, 2006

MacOS Wanna Have Virus Too

Gosh, dudes, this is exciting: Open iChat and see whether you caught one! Sophos reports in "First ever virus for Mac OS X discovered" that the "OSX LEAP-A worm spreads via iChat instant messaging software."

And? *Sigh* Nope. Nothing in my iChat. I was so looking forward to downloading the worm, double-clicking it, then entering my sudo-password... What? Yes, it seems MacOS is less user-friendly than most people think. ;-)

If you don't know yet how the LEAP worm works, I recommened this extremely enlightening daringfireball article about how you get from smart crash Reports to InputManager hacks -- InputManagers are loaded automatically from the Libraries folder to add new functions to running apps as soon as the user starts them...

Are you thinking what I'm thinking? 8-|

Interestingly, the first (and only!) report of this virus said it came in a tgz-file -- a zipped tar archive that can be set to archive files while keeping the original permissions. Such as... an 'executable' permission on a file with a custom icon that happens to end in .jpg for example...

Preliminary fix?

If you have a folder /Library/InputManagers, use ls -la to check what's in there. If it's fishy, delete it. ;-) If you don't have this folder, create it (before another app creates it for you with unpleasant permissions).
```
sudo mkdir /Library/InputManagers
```
Write-protect your InputManager folder and (all its contents, if you trust them) for everyone but root.
```
sudo chown -R root:wheel /Library/InputManagers/
sudo chmod -R go-w /Library/InputManagers/
```
Do the same for all /Users/*/Library/InputManagers/
If you want to preven any Smart Crash Reporter from ever installing, create an empty locked root-owned file named "Smart Crash Reporter" in every InputManager folder.
General Tip: Do not use a root account for daily work. Don't make users sudoer (they may not " administrate this Mac" in System Preferences > Users) who don't know what this all means. If you yourself are working with a sudoer account... refrain from entering your sudo password into any old dialog that pops up. =-)

Phew. We did it. For now... :( See you again at the next worm!

Posted by seapegasus ( Feb 16 2006, 11:29:26 PM CET ) Permalink Comments [2]

Comments:

I think it is a bit far fetched to call this a virus...perhaps trojan would be a more appropriate decription.

Posted by che Kristo on February 17, 2006 at 01:24 AM CET #

Yes, as you can see, the original Sophos page later added a PS to its article discussing that the term virus in the headline was not well chosen, and one could argue for Trojan Horse or even Worm. "Virus" is just a good word to use in a headline -- simply because it attracts readers. IIRC, BBC had a headline about a "worm in an apple". X-)

Posted by Seapegasus on February 19, 2006 at 12:25 PM CET #

Sun	Mon	Tue	Wed	Thu	Fri	Sat
« May 2008
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

Today

Seapegasus Blog

Calendar

Content

Search

Links

RSS Feeds

Recent...