Linked by Thom Holwerda on Fri 17th Feb 2006 20:17 UTC
Mac OS X A second strain of malware targeting Mac OS X has been discovered days after a Mac OS X Trojan appeared on the scene. The latest malware, Inqtana-A, is a proof-of-concept worm that attempts to spread using a Bluetooth vulnerability. The worm is not spreading in the wild and uses an internal counter that means it will expire on February 24, so it's unlikely to ever be much of a problem. Nonetheless, Mac OS X 10.4 (Tiger) users are still advised to make sure they're patched up in order to guard against attack from any future worm that uses the same exploit. In related OSX news, there's more fuel for the tablet-Mac fire.
Order by: Score:
Really a problem?
by MikeGA on Fri 17th Feb 2006 20:41 UTC
MikeGA
Member since:
2005-07-22

I have to admit that I'm not 100% clear on what exactly this "virus" does.

However, as I understand it, the software attempts to send itself to any bluetooth computers within range. The thing is the user then recieves a message from OS X asking if they want to accept the incoming transfer. So as far as I see it, to make something like this effective, you have to:

A. Accept an incoming bluetooth transfer that you weren't expecting

B. Open the file/program that you recieved in this transfer

Now I don't know if OS X includes a warning when accepting bluetooth transfers (that they might be malicious), but it seems to me that you'd have to be pretty stupid to fall for this one.

If I have misunderstood this, could someone correct me please? ;)

Reply Score: 5

RE: Really a problem?
by TomB7 on Fri 17th Feb 2006 21:09 UTC in reply to "Really a problem?"
TomB7 Member since:
2006-01-03

Yea. Symantec and Sophos are REALLY stretching to call this or the previuos "trojan" threats. They must be very worried about a lot of people going over to OS X and killing their business model.

Reply Score: 5

RE[2]: Really a problem?
by Kroc on Fri 17th Feb 2006 21:24 UTC in reply to "RE: Really a problem?"
Kroc Member since:
2005-11-10

Nether the less, holes are being exploited.
It only takes someone to exploit a hole and actually do something damaging with it.

So far, hackers have been trying to highlight the need for Apple to get on top of the job.

Reply Score: 5

RE[2]: Really a problem?
by axel on Fri 17th Feb 2006 22:15 UTC in reply to "RE: Really a problem?"
axel Member since:
2006-02-04

"Yea. Symantec and Sophos are REALLY stretching to call this or the previuos "trojan" threats. They must be very worried about a lot of people going over to OS X and killing their business model."


hate to break it to you but this is exactly how it happens on Windows. the opposition points to a spyware/malware/virus infested windows box and says "look its hopelessly insecure" (to be fair it IS) but the thing is 90 percent of that was installed or run by the user.

all those dread virii that were supposed to destroy the internet last year and what not? you had to download and open suspect attachments. The world is full of idiots who will download a 10mb .txt file claiming to be a joke and then unzip it, never mind that you shouldn't have to unzip a text file.

yeah this particular bit of code might not really do anything malicious but its highlighting that OSX is becoming a target, for whatever reasons and the word needs to get out to the morons, stop opening anything stop installing everything, even if you do use a Mac.

Reply Score: 3

RE[3]: Really a problem?
by dukes on Fri 17th Feb 2006 22:27 UTC in reply to "RE[2]: Really a problem?"
dukes Member since:
2005-07-06

I gave you a +1 on that comment.

The only difference which makes it not "exactly how it happens on Windows" is that Windows box can just sit on a network and get infected by a virus, malware, spyware, trojan, or worm with no interaction. There are NO claims that such happens on OS X or *nix.

Reply Score: 4

RE[4]: Really a problem?
by Tom K on Fri 17th Feb 2006 22:57 UTC in reply to "RE[3]: Really a problem?"
Tom K Member since:
2005-07-06

Not if it's patched.

Reply Score: 1

RE[5]: Really a problem?
by Tyr. on Fri 17th Feb 2006 23:03 UTC in reply to "RE[4]: Really a problem?"
Tyr. Member since:
2005-07-06

Not if it's patched.

Which is sometimes difficult to do when MS knows about vulnerabilities but decides to keep them quiet either while working on a patch or just to avoid PR embarassement. All the while blackhats are exploiting the code (like "Russian hacker groups sold WMF exploit code" http://www.computerweekly.com/Articles/2006/02/03/214046/Russianhac... )

Just to say your response is a gross oversimplification.

Reply Score: 3

RE[6]: Really a problem?
by Tom K on Sat 18th Feb 2006 00:30 UTC in reply to "RE[5]: Really a problem?"
Tom K Member since:
2005-07-06

I'm more inclined to believe "working on a patch" rather than "avoid PR embarassment". Unless you have actual evidence of the latter, I'm going to believe that all cases where they keep quiet are cases where they are working on something.

Testing takes time. Better to test, than to release a faulty patch and get flamed into oblivion.

Reply Score: 1

RE: Really a problem?
by scottcantor on Fri 17th Feb 2006 21:23 UTC in reply to "Really a problem?"
scottcantor Member since:
2006-02-17

>but it seems to me that you'd have to be pretty
>stupid to fall for this one.

Good thing the world is running low on stupid people.

Imagine a coffee shop full of lonely hearts, pounding away on their laptops while shooting furtive glances across the room. Suddenly a message pops up on the screen that "secret_admirer" has sent you a file named "innocent_introduction.zip".

OK, OK, I give, no one would ever fall for that.

Reply Score: 5

RE[2]: Really a problem?
by Peragrin on Fri 17th Feb 2006 22:30 UTC in reply to "RE: Really a problem?"
Peragrin Member since:
2006-01-05

And is that message from the hot chick, or the 300lb guy two seats behind her?

You don't get secret bluetooth messages. As you never know to whom your sending or recieving it. It's not like the computer name is readily available and when it is knowing who is who is next to impossible.

yea I don't see it happening. It's more likely a mean co-worker would send it to you.

Reply Score: 1

Hmmm... makes you wonder...
by bornagainenguin on Fri 17th Feb 2006 22:11 UTC
bornagainenguin
Member since:
2005-08-07

This makes you wonder if Apple will manage to piss off a OSX86 hacker enough to start attacking the OS?

--bornagainpenguin

PS: I know the timing of these things are coincidential, I'm just saying.

Reply Score: 2

RE: Hmmm... makes you wonder...
by Jimmy on Sat 18th Feb 2006 04:00 UTC in reply to "Hmmm... makes you wonder..."
Jimmy Member since:
2005-07-06

I was thinking the same exact thing after reading about the first virus yesterday. After Apple sent osx86project.org that DMCA notice, I figured that they would tick off the x86 hackers; since Apple is screwing with their efforts, some of them are probably starting to think its okay to screw with Apple's efforts (their OS).


Now I doubt that this is the case, but you never know.

Reply Score: 2

RE: Hmmm... makes you wonder...
by evangs on Sat 18th Feb 2006 12:56 UTC in reply to "Hmmm... makes you wonder..."
evangs Member since:
2005-07-07

Yes, that underscores the maturity and mentality of those working on hacking OS X, don't it?

Reply Score: 0

RE[2]: Hmmm... makes you wonder...
by Jimmy on Sat 18th Feb 2006 18:12 UTC in reply to "RE: Hmmm... makes you wonder..."
Jimmy Member since:
2005-07-06

You have to understand that everyone hacking OS X isn't a 29 year old IT worker, who is all "mature and proper" and comes to hack OS X on their x86 machines wearing ties and sipping their Starbucks coffee.

A great deal of people working on the project are just high school kids; very smart at what they do, but some just arent very mature and could very well retailiate against Apple for shutting down their 'fun'.

Reply Score: 2

ah,
by rhetoric.sendmemoney on Fri 17th Feb 2006 22:21 UTC
rhetoric.sendmemoney
Member since:
2006-01-22

2 in as many days, heh.

Reply Score: 1

You can't call it..
by Finchwizard on Sat 18th Feb 2006 00:08 UTC
Finchwizard
Member since:
2006-02-01

You can't call these things Virus's or Trojans if you need this much manual input.

The bluetooth on Macs, is that disabled or enabled by default, on a fresh install? I can't remember.

Reply Score: 1

RE: You can't call it..
by cilcoder on Sat 18th Feb 2006 00:16 UTC in reply to "You can't call it.."
cilcoder Member since:
2005-07-06

Isn't requiring manual input part of the definition of a trojan?

Reply Score: 2

Not sure
by Finchwizard on Sat 18th Feb 2006 00:32 UTC
Finchwizard
Member since:
2006-02-01

I would regard it more as Malware than Trojans though.

I think they are bumping it up and trying to scare people etc.

Reply Score: 2

v Tell me...
by JustAnotherMacUser on Sat 18th Feb 2006 00:33 UTC
I am missing something!!!
by Hakime on Sat 18th Feb 2006 06:57 UTC
Hakime
Member since:
2005-11-16

What's really the point of this news. I mean we are talking about a small malware that exploits a security hole into Bluetooth, but basically this malware by exploiting this hole can not do anything that read unauthorized files and it needs that the user accept the data transfer to execute. Thats not very scary....

But the thing that makes this information more unintersting is that we are talking avout a secutiy hole in the OS X Bluetooth that has been corrected last June (June 2005). Apple issued a security patch for this flaw last June and probably most users have updated their system and are safe now. If they are connected to internet, they are safe as the automatic software update would have downloaded the fix long time ago. If they are not connected to internet, they are safe by nature, they are exposed only if they connect an infected device which is not very likely, cf the previous reason.

So the threat of this malware is simply very close to 0!!!!

Sure it shows that a security hole can be exploited, but thats not a news we know it. A security flaw can be exploited on any OS, whatever it is Windows, OS X, Linux, etc....The end question is whether the malware exploiting the hole is dangerous or not. In this case, NO, .....

Reply Score: 4

Is there a cospiracy
by ActiveMan on Sat 18th Feb 2006 07:49 UTC
ActiveMan
Member since:
2006-01-15

1) A "Trojan horse" need to scale privileges. Leap-A is only another rm ~/* script.

2) A malware (like Inqtana-A) where the OS ask the user to perform the task is not more intelligent that previous (as someone appear interesting to call) "virus". And if it doesnīt scale privileges too (does not reach root), it's a ridiculous malware software.

In my definition a "virus" must take advantage of a OS flaw: like in the Windows world.

Is this a marketing campaign from antivirus manufactures? Does they want to launch a new OS X antivirus or something like this?

Edited 2006-02-18 07:51

Reply Score: 4

RE: Is there a cospiracy
by Morin on Sat 18th Feb 2006 12:47 UTC in reply to "Is there a cospiracy"
Morin Member since:
2005-12-31

> 1) A "Trojan horse" need to scale privileges. Leap-A is
> only another rm ~/* script.

... and ...

> In my definition a "virus" must take advantage of a OS
> flaw: like in the Windows world.

Did you know that "trojan horse" and "virus" are actually terms from the real world and they do have a meaning? Using them for computers only makes sense if you don't twist that meaning.

A "rm ~/*" script only causes trouble. It becomes a trojan horse as soon as it's looking like a gift, and takes over the place where it's taken by the user (in this case, the user's home directory).

A virus need not take advantage of flaws the way they exist in windows. Real virii don't do this - even a perfectly healthy man with a full-functioning body can get infected (whereas Joe User's typical windows system looks more like terminal cancer). The point about virii is that they infect something, and then use the infected unit for reproduction. There is one good example for something that closely matches a real-world virus, doesn't use any flaw, and did spread well: In a forum, "sign" your postings with the words "This is a signature virus. Copy me into your signature to help me spread."

- Morin

Reply Score: 1

strangely enough
by Dekkard on Sat 18th Feb 2006 13:46 UTC
Dekkard
Member since:
2006-01-07

well.. as for the first virus... from all the info I've been able to read it only affects users running the 10.4x variants of macOS. Seems that it uses spotlight to spot its favorite targets. So maybe disabling spotlight( there are a few programs that do this) would help. Being a cheapskate.. im still running 10.3.9.. the article says i'm not affected. LOL i also dont have a bluetooth module....Lucky me??

Reply Score: 1