Linked by Amjith Ramanujam on Thu 24th Jul 2008 18:01 UTC, submitted by Ward D
Bugs & Viruses Mac antivirus developer Intego might have stumbled across an OS X-specific virus being offered for auction, one that targets a previously unknown ZIP archive vulnerability. From Intego's posting, an enterprising auctioneer seems determined to make sure his name is not forgotten when it comes to Apple security, claiming that his exploit is a poisoned ZIP archive that will "KO the system and Hard Drive" when unarchived.
Hmm
by tyrnight on Thu 24th Jul 2008 18:11 UTC
tyrnight
Member since:
2006-10-05

Scare Tactics?

Reply Score: 1

This should get far
by joshv on Thu 24th Jul 2008 18:43 UTC
joshv
Member since:
2006-03-18

"claiming that his exploit is a poisoned ZIP archive that will "KO the system and Hard Drive" when unarchived."

Wow - should propagate like molasses then if the first thing it does is kill the hard drive.

Reply Score: 17

RE: This should get far
by Morgan on Fri 25th Jul 2008 01:19 UTC in reply to "This should get far"
Morgan Member since:
2005-06-29

Excellent point. I'd also like to know how a "virus" unleashed by opening a Zip archive can possibly escalate to root privileges without some level of social engineering. It has to ask for my password at some point, and since no Zip archive ever does that, it would immediately be suspect.

Reply Score: 4

RE[2]: This should get far
by flakron.bytyqi on Fri 25th Jul 2008 11:27 UTC in reply to "RE: This should get far"
flakron.bytyqi Member since:
2008-07-24

a story : Bob 6-pack
downloads a zip, saying "a nude hot super star"
he's lucky ain't he??? Extracts the damn thing, asks for the root password, TAKE IT gimme the photos b*atch!!!
BOOOM, infected

The user is the problem, very very often. Very rarely is it the OS, be it Windows, GNU/Linux or Mac OS.

Reply Score: 1

Comment by shadoweva09
by shadoweva09 on Thu 24th Jul 2008 18:49 UTC
shadoweva09
Member since:
2008-03-10

Hopefully. I'm tired of all this "my system is more secure", when 99% of the time a user purposely installs a virus through something like a font pack they found online. The system is irrelevant, it is usually the user's fault; and of course it would be too rude to tell them that, so this remains a dirty little secret.

Edited 2008-07-24 18:54 UTC

Reply Score: 6

RE: Comment by shadoweva09
by jack_perry on Thu 24th Jul 2008 18:51 UTC in reply to "Comment by shadoweva09"
jack_perry Member since:
2005-07-06

"Purposely" may not be the word you were striving for there.

Reply Score: 5

RE[2]: Comment by shadoweva09
by Morgan on Fri 25th Jul 2008 01:20 UTC in reply to "RE: Comment by shadoweva09"
Morgan Member since:
2005-06-29

Yeah, I'm thinking "inadvertently" would be more appropriate.

Reply Score: 3

It's Not Possible!
by Jon Dough on Thu 24th Jul 2008 18:52 UTC
Jon Dough
Member since:
2005-11-30

[sarcasm]

It's not possible! Windoze has the only real virii! OS-X and GNU/Linux are the most secure evah! Everybody knows this!

[/sarcasm]

Reply Score: 7

RE: It's Not Possible!
by looncraz on Fri 25th Jul 2008 06:14 UTC in reply to "It's Not Possible!"
looncraz Member since:
2005-07-24

Exactly, even BeOS ( with its incredibly tiny market share ) had a couple of viruses

which brings me to 'virii' vs 'viruses'

I learned the plural of virus as virii, but the d**n spell checker says it ain't a word, and most people don't understand it, so with the general rule being 'common usage,' I use 'viruses' to avoid confusing the confused even more than I already confuse them with my long words ... and my small... difficult... words.

--The loon

Reply Score: 3

They are viruses not virii!
by unclefester on Fri 25th Jul 2008 10:40 UTC in reply to "RE: It's Not Possible!"
unclefester Member since:
2007-01-13

Virus is an English word based on a Latin stem meaning 'alive'. The plural is therefore viruses not virii. In medical terminology they are always referred to as viruses.

Reply Score: 2

RE: They are viruses not virii!
by Soulbender on Fri 25th Jul 2008 11:55 UTC in reply to "They are viruses not virii!"
Soulbender Member since:
2005-08-18

Hey, when you're a dumbfsck virus creator, virii sounds much cooler. And after all, that is what counts.

Reply Score: 1

RE[2]: It's Not Possible!
by LB06 on Fri 25th Jul 2008 23:54 UTC in reply to "RE: It's Not Possible!"
LB06 Member since:
2005-07-06

If you use the word "virus" as something that has been incorporated into your own language then of course the regular grammar rules apply. So it becomes "viruses" in English, "virussen" in Dutch etc etc. But if "virus" was still being used as a word in its untranslated Latin meaning (like etcetera, mens rea, ergo, etc, etc ;) ) then the plural form would be viri, virorum, viris or viros, depending on its function within a sentence. Much like the German language.

"These three viri infected my computer" (nominativus)
"My virus scanner will delete these viros" (accusativus)
"My PC was infected by these viris" (dativus)
"One of the properties of these virorum is that they delete all data" (genitivus)
"With these viris I can DOS an entire server" (ablativus).

So far what I remember from my Latin classes regarding this subject. But since virus was adopted by almost any language we can safely use viruses.

Edited 2008-07-25 23:57 UTC

Reply Score: 2

RE[3]: It's Not Possible!
by looncraz on Sat 26th Jul 2008 16:11 UTC in reply to "RE[2]: It's Not Possible!"
looncraz Member since:
2005-07-24

See!?!? THAT is why I wanted to take Latin, sadly no school I went to offered it. :-(

All I got was Quebec French, something like German, or mangled Spanish.

Fortunately, I just so happen to speak the most important language: C++ :-)

--The loon

Reply Score: 2

..mmhh..
by mtzmtulivu on Thu 24th Jul 2008 19:09 UTC
mtzmtulivu
Member since:
2006-11-14

a company that is in the business of selling anti-virus programs is reporting a virus on a platform that is currently not known to have virus issues and hence its users aren't looking for anti-virus solutions

i am not saying they are trying to spread FUD to increase their bottom line but ...can't we wonder?

Reply Score: 10

As with doctors...
by Kroc on Thu 24th Jul 2008 19:15 UTC
Kroc
Member since:
2005-11-10

Always get a second opinion.
Intego are not a trusted source, they have heavy bias to be releasing this information. I hope this "virus" can be verified by an independent security firm or white/gray-hat.

Reply Score: 8

Hardly likely
by Buck on Thu 24th Jul 2008 19:46 UTC
Buck
Member since:
2005-06-29

That is hardly likely. A vulnerability in zip-whatever (e.g. bomarchivehelper) won't lead to control of the system. I can't think of anything that would require a zip decompressor on the system to run with root privileges, nor is it suid root, so the only thing an attacker can gain using that vector is shell access with the rights of the currently logged-in user. Not a small thing by any means, but hardly the system KO being promised.

PS. Also that wouldn't technically be a 'virus' being just an exploit for a certain vulnerability.

Edited 2008-07-24 19:55 UTC

Reply Score: 7

RE: Hardly likely
by tomcat on Fri 25th Jul 2008 00:10 UTC in reply to "Hardly likely"
tomcat Member since:
2006-01-06

That is hardly likely. A vulnerability in zip-whatever (e.g. bomarchivehelper) won't lead to control of the system.

HTF can you conclude that? You don't have any idea where the ZIP decompression is called from. If it's running in privileged code, then you DO have a problem that can lead to control of the system.

Reply Score: 2

RE[2]: Hardly likely
by SReilly on Fri 25th Jul 2008 16:00 UTC in reply to "RE: Hardly likely"
SReilly Member since:
2006-12-28

HTF can you conclude that? You don't have any idea where the ZIP decompression is called from. If it's running in privileged code, then you DO have a problem that can lead to control of the system.

Where the f*** have you ever seen a decompression utility running privileged code? Oh, I forgot, you come from a Windows-centric world.

Try a real platform some time ;-P

Reply Score: 1

RE: Hardly likely
by looncraz on Fri 25th Jul 2008 06:30 UTC in reply to "Hardly likely"
looncraz Member since:
2005-07-24

Imagine if you will:

1. Create trojan application which acquires root privilege because the user is not suspicious.

2. Use elevated status to integrate virus with the system as tightly as possible.

3. Read e-mail addresses from the address book, and hack the e-mail program to automatically attach the trojan.

4. Wait for one hour, giving the user a chance to forget the last thing they did on the computer.

5. Ensure the next time a browser is launched, it crashes.

6. Give the three-finger salute to the boot sector and partition table, zap holes on the cylinder boundaries.

7. Enjoy the ensuing chaos.


Naturally, though, while it is possible to do the above, these kinds of infections have problems spreading. They are devastating and draw much attention - the author will likely be caught and punished.

This is one of the real reasons why these types of infections have nearly vanished. Another big reason is that those with the know-how have discovered that they could avoid their risks and make money with ad&spy-ware - sorta mostly legally [ ;-) ].

Of course, the above steps really require knowledge of multiple issues, but only one exploit ( obtaining root ), which can be very easy thanks to general complacency in the Apple community of users.

--The loon

P.S. I run BeOS, it would be pretty easy to do my machine in - write a script which simply states rm -rf /boot/ and call it some app on BeBits :-)

Reply Score: 2

RE[2]: Hardly likely
by Earl C Pottinger on Fri 25th Jul 2008 14:50 UTC in reply to "RE: Hardly likely"
Earl C Pottinger Member since:
2008-07-12

Sorry, it takes me 15 seconds to reboot off my backup partition, which is normally not mounted, so it can't be touched without my noticing.

Additionally, about 95% of my data found on my /boot drive is in fact links to other partitions, and rm does not follow links off the partition it is working on.

Is there an option for that?

Reply Score: 1

RE[3]: Hardly likely
by looncraz on Fri 25th Jul 2008 16:45 UTC in reply to "RE[2]: Hardly likely"
looncraz Member since:
2005-07-24

Well, I could write a simple recursive loop with the BeOS API which natively follows symlinks, would compile to something like 16 KB.

OR, I could just have fun giving everything a random name :-)

Nothing would be in my way of doing so.

If I REALLY wanted to be a PITA, I'd scan for any unmounted volumes and mount them first, damaging all I could.

Of course, it would be just as easy to secretly install a driver which will destroy the boot sectors, partition tables, and the first and last block on each cylinder boundary ( to prevent recovery ).

BeOS has NOTHING to prevent access, though there are indeed some tricks ( i.e. try setting read and execute permission to everything in the system folders, but not write - you may want to use group settings for that and change the user name of those files - but be careful, this is untested on BeOS kernels, and can be problematic ).


--The loon

P.S. I think I'll try the aforementioned 'trick' and see how it works, perhaps today.

-- edit: stupid stray letters...

Edited 2008-07-25 16:47 UTC

Reply Score: 2

RE: Hardly likely
by Soulbender on Fri 25th Jul 2008 11:58 UTC in reply to "Hardly likely"
Soulbender Member since:
2005-08-18

The point of using an exploit is that you DO NOT need to be root in order to get privileged access.

Edited 2008-07-25 12:00 UTC

Reply Score: 2
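Buck's argument rests on the unarchiver not being setuid root, and Soulbender's reply is that an exploit does not need that bit to matter. The first half is at least checkable: the script below is an added example (editor's code, not from anyone in this thread) that walks directories and lists regular files carrying the setuid or setgid bit, so the question "is the decompressor privileged?" is answered by stat(2) rather than by argument. It demonstrates itself on a constructed temporary directory, since the real system paths differ between machines; the directory list in the main block is an assumption.

```python
"""List setuid/setgid binaries. Added example for this thread; the demo
tree and the directory list at the bottom are assumptions."""
import os
import stat
import tempfile


def setid_bits(mode: int) -> str:
    """'setuid', 'setgid', 'setuid+setgid' or '' for an st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return "+".join(bits)


def mode_of(path: str) -> int:
    """st_mode of `path` without following symlinks."""
    return os.lstat(path).st_mode


def find_setid(paths):
    """Walk each path and return (path, bits, owner uid) for every regular
    file carrying the setuid and/or setgid bit. Symlinks are not followed
    and unreadable entries are skipped, so it is safe to point at /."""
    hits = []
    for root in paths:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                bits = setid_bits(st.st_mode)
                if stat.S_ISREG(st.st_mode) and bits:
                    hits.append((path, bits, st.st_uid))
    return hits


def demo_tree():
    """Constructed tree: an ordinary 0755 'unzip' and a 4755 'helper'.
    Returns (root, plain path, setuid path). The setuid bit is set with
    chmod, which an unprivileged user may do on files they own."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    plain = os.path.join(root, "unzip")
    helper = os.path.join(root, "helper")
    for p in (plain, helper):
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(plain, 0o755)
    os.chmod(helper, 0o4755)
    return root, plain, helper


if __name__ == "__main__":
    root, plain, helper = demo_tree()
    print("demo:", find_setid([root]))
    # Assumption: typical binary directories on a Unix-like system.
    for hit in find_setid(["/bin", "/usr/bin", "/usr/sbin", "/sbin"]):
        print("%-40s %-14s uid=%d" % hit)
```

Pointing the scanner at the directory that holds the archive helper answers Buck's claim for one machine; it says nothing about Soulbender's point, because a memory-corruption bug in a user-level unarchiver still yields code execution as that user, and a second, separate privilege escalation is what would turn it into root.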

OS X Virus
by protagonist on Thu 24th Jul 2008 20:37 UTC
protagonist
Member since:
2005-07-06

I will concede it is possible, but, as with Windows, social engineering would most likely be required. Even when I used to run Windows I was never infected with a virus. In most cases it requires that the user do something stupid.

Reply Score: 1

A ZIP bomb maybe?
by evangs on Thu 24th Jul 2008 20:39 UTC
evangs
Member since:
2005-07-07

Compress a huge terabyte text file that contains nothing but 0s and then get the user to decompress it? That would totally fsck up a system. In the absence of any more details, it's hard to know what exploit this is.

Reply Score: 3

RE: A ZIP bomb maybe?
by henrikmk on Fri 25th Jul 2008 11:37 UTC in reply to "A ZIP bomb maybe?"
henrikmk Member since:
2005-07-10

That would totally fsck up a system.

It would more likely just report that the disk ran full or that there is not enough disk space to decompress it, assuming that ZIP reports the file size back to the system before attempting to uncompress it. ZIP can't harm a system that way.

Reply Score: 2
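As an added example (editor's code, not from evangs, henrikmk or Intego), the script below builds the archive evangs describes in miniature, a single deflated entry of zeros, and shows the two checks an unarchiver can make. The first is the one henrikmk relies on: every ZIP entry declares its uncompressed size in the central directory, so a sane tool can refuse before inflating anything. The second covers the caveat that those declared sizes are written by the attacker: count the bytes actually produced while inflating and stop at a budget. The size and ratio limits are assumptions chosen for the demo.

```python
"""Zip-bomb pre-checks. Added example for this thread; the limits below
are assumptions, not settings of any real unarchiver."""
import io
import os
import zipfile

MAX_TOTAL_BYTES = 16 * 1024 * 1024  # refuse archives declaring more than 16 MiB
MAX_RATIO = 100.0                    # refuse implausible overall compression ratios


def make_zero_bomb(uncompressed_size: int) -> bytes:
    """Build a ZIP whose single entry inflates to `uncompressed_size` zero
    bytes. Zeros deflate at roughly 1000:1, so tens of KB on disk can
    declare tens of MB. The zeros are streamed in 1 MiB pieces so the
    builder itself never holds the inflated data."""
    info = zipfile.ZipInfo("zeros.bin")
    info.compress_type = zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    chunk = bytes(1 << 20)
    with zipfile.ZipFile(buf, "w") as zf, zf.open(info, "w") as out:
        remaining = uncompressed_size
        while remaining:
            n = min(remaining, len(chunk))
            out.write(chunk[:n])
            remaining -= n
    return buf.getvalue()


def make_random_archive(size: int) -> bytes:
    """Benign comparison: random bytes do not compress, so the ratio is ~1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("noise.bin", os.urandom(size))
    return buf.getvalue()


def audit_archive(data: bytes) -> dict:
    """Check the central directory before inflating anything. Every entry
    carries a declared uncompressed size, so an unarchiver can refuse a
    bomb without touching the disk. Caveat: those fields were written by
    whoever made the archive, so this check alone can be lied to."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    stored = sum(i.compress_size for i in infos)
    ratio = declared / max(stored, 1)
    return {
        "entries": len(infos),
        "declared_total": declared,
        "compressed_total": stored,
        "ratio": ratio,
        "ok": declared <= MAX_TOTAL_BYTES and ratio <= MAX_RATIO,
    }


def inflate_with_budget(data: bytes, budget: int) -> int:
    """Inflate every entry, counting the bytes really produced rather than
    trusting the header totals, and abort as soon as the running total
    passes `budget`. Returns the number of bytes produced."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as src:
                while True:
                    piece = src.read(1 << 16)
                    if not piece:
                        break
                    produced += len(piece)
                    if produced > budget:
                        raise ValueError(
                            f"{info.filename}: output passed {budget} bytes, aborting")
    return produced


if __name__ == "__main__":
    bomb = make_zero_bomb(32 * 1024 * 1024)
    print(f"bomb on disk: {len(bomb)} bytes ->", audit_archive(bomb))
    try:
        inflate_with_budget(bomb, 1 << 20)
    except ValueError as err:
        print("blocked:", err)
    print("benign:", audit_archive(make_random_archive(4096)))
```

The pre-check is cheap and catches the naive bomb; the budgeted inflate is what protects against an archive whose headers understate its contents, and it also bounds nested archives if the caller applies the same budget to whatever it unpacks next.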

exploit
by miro on Thu 24th Jul 2008 20:50 UTC
miro
Member since:
2005-07-13

zip like jpeg, gif png etc use the very same library for decompressing. find a stack overflow in the lib, then find a root exploit and you are ready to go. remember kids use address space randomization, stack protection cookies and/or selinux. until we run a system with runtime boundary checks (java/c# etc.) nobody is safe.


Reply Score: 2

RE: exploit
by MobyTurbo on Thu 24th Jul 2008 22:54 UTC in reply to "exploit"
MobyTurbo Member since:
2005-07-08

zip like jpeg, gif png etc use the very same library for decompressing. find a stack overflow in the lib, then find a root exploit and you are ready to go. remember kids use address space randomization, stack protection cookies and/or selinux. until we run a system with runtime boundary checks (java/c# etc.) nobody is safe.

OS X has address space randomization and stack protection, among other security features. Potentially it is just as secure as Linux if not more so in a couple of departments. It is, after all, similar under the hood and Apple made sure to check a lot of security check-boxes.

The only problem is that Apple does security updates *very* infrequently compared to other vendors. Open source patches within days or a few weeks, Windows within a month, and OS X a few times a year. Sooner or later this policy will catch up with Apple, as much as they'd like the time to get patches right. (Well, that seems to be their excuse, but considering how many patches it took to fix outstanding Leopard bugs, I'm not sure.)

Reply Score: 1

Only A Matter of Time for Any OS
by computerishcat on Thu 24th Jul 2008 21:03 UTC
computerishcat
Member since:
2008-07-14

Well there is no way of confirming this is a real vulnerability, but I personally believe that if any modern operating system gets enough people using it for long enough, someone will find a serious vulnerability and exploit it.

Reply Score: 1

*shrugs*
by kaiwai on Thu 24th Jul 2008 21:18 UTC
kaiwai
Member since:
2005-07-06

What annoys me the most about these scare tactics is this; the mythology that is created that somehow there is Johnny Innocent User sitting there and then out of the blue he is attacked by a virus. This mythology created that somehow, viruses appear out of nowhere with no way to trace it back to a single point.

End users download files, they open files, they create files - a download that has a virus in it has to have come from some place. If it is from a high-profile download site - then it would be known in a second. So what does that mean? It means that when I see these people become infected I have to ask where they got these files from.

It reminds me of people who complain about vulnerabilities in software. Some require no intervention of one's own self - the Blaster worm being the best example of this. An unpatched computer only needs to appear on the internet to get infected - my aunty's computer as an example of that.

Then there are those which are propagated through websites - to which I have to ask myself - what websites are you going to that propagate these worms and viruses? They don't seem like very reputable websites if they're infecting their audience!

I'm not blaming the end user outright, but I do think that the end user needs to have a good hard look in the mirror and ask whether they're the 'weakest link' when it comes to security.

Edited 2008-07-24 21:23 UTC

Reply Score: 2

RE: *shrugs*
by WorknMan on Thu 24th Jul 2008 22:10 UTC in reply to "*shrugs*"
WorknMan Member since:
2005-11-13

Then there are those which are propagated through websites - to which I have to ask myself - what websites are you going to that propagate these worms and virus's? they don't seem like very reputable websites if they're infecting their audience!

It could be a server that got hacked and is now infected.

I think the real question nobody is asking is this: if they spotted a guy trying to sell a virus, why didn't somebody break both of his legs? I bet the little bastard would think twice about writing another virus ;)

Reply Score: 2

RE: *shrugs*
by Punktyras on Thu 24th Jul 2008 22:17 UTC in reply to "*shrugs*"
Punktyras Member since:
2006-01-07

Then there are those which are propagated through websites - to which I have to ask myself - what websites are you going to that propagate these worms and virus's? they don't seem like very reputable websites if they're infecting their audience!

And what about sites that are/were reputable, but got pwnd and spread virii without knowing it? Sure it's an exception, but not so rare it could be neglected.

Reply Score: 2

RE[2]: *shrugs*
by MobyTurbo on Thu 24th Jul 2008 22:56 UTC in reply to "RE: *shrugs*"
MobyTurbo Member since:
2005-07-08

And what about sites, that are/were reputable, but got pwnd and spead virii without knowing it? Sure it's an exception, but not so rare it could be neglected.

That's not rare at all, hundreds of thousands of sites are like that from one recent MSSQL injection attack alone. Another possibility are infected ad-banners. Otherwise "reputable" ad banner networks, such as doubleclick, sell towards the end of the month when commission pressure is high, some malware-spreading ad banners that appear on reputable sites.

Edited 2008-07-24 22:58 UTC

Reply Score: 1

RE: *shrugs*
by StephenBeDoper on Fri 25th Jul 2008 01:58 UTC in reply to "*shrugs*"
StephenBeDoper Member since:
2005-07-06

Then there are those which are propagated through websites - to which I have to ask myself - what websites are you going to that propagate these worms and virus's? they don't seem like very reputable websites if they're infecting their audience!

In many cases I've seen, users get infected by visiting relatively-innocuous sites that have been hit by SQL injection attacks. That's the main purpose of most of the SQL injection attacks I've seen recently: the attackers insert code for an invisible iframe, and the iframe source is set to load a malicious page on another site. I've also seen the same thing done with SCRIPT tags to load an external (malicious) javascript file.

Reply Score: 2
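The injection StephenBeDoper describes leaves a recognisable trace in the stored content: an iframe that is hidden or zero-sized, or a script tag whose src points at a host that is not the site's own. As an added example (editor's code, not from the poster), the scanner below runs that detection over a few constructed CMS rows using only the standard library. The trusted host list and the sample rows are assumptions; the addresses are RFC 5737 documentation ranges, not real infected hosts.

```python
"""Scan stored HTML fragments for the tags an SQL-injection campaign
appends: hidden iframes and scripts loaded from foreign hosts. Added
example; the rows and hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own hosts. Anything else loading code is suspect.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample: (row id, text column) as they might sit in a CMS table.
SAMPLE_ROWS = [
    ("product-1", 'Great <b>widget</b>. <script src="https://cdn.example.com/app.js"></script>'),
    ("product-2", 'Nice item</p><iframe src="http://198.51.100.7/in.cgi?3" width=0 height=0 '
                  'style="display:none"></iframe>'),
    ("product-3", 'Specs below<script src="http://203.0.113.9/b.js"></script>'),
    ("product-4", '<iframe src="https://www.example.com/embed/map" width=400 height=300></iframe>'),
]


def _is_tiny(value: str) -> bool:
    """True for a width/height of 0 or 1, with or without a px suffix."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class InjectedTagFinder(HTMLParser):
    """Records iframes that are hidden or point at foreign hosts, and
    scripts loaded from foreign hosts. Inline scripts are left alone here;
    they need a different policy (allowlisting by hash, for example)."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []  # (tag, src, reason)

    def _foreign(self, src: str) -> bool:
        host = urlparse(src).hostname
        return bool(host) and host.lower() not in self.trusted

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or _is_tiny(a.get("width", "")) or _is_tiny(a.get("height", "")))
            if hidden:
                self.findings.append(("iframe", a.get("src", ""), "hidden"))
            elif self._foreign(a.get("src", "")):
                self.findings.append(("iframe", a.get("src", ""), "foreign host"))
        elif tag == "script" and self._foreign(a.get("src", "")):
            self.findings.append(("script", a["src"], "foreign host"))


def scan_rows(rows, trusted_hosts=TRUSTED_HOSTS):
    """Return (row id, tag, src, reason) for every suspicious tag found.
    A fresh parser per row keeps one row's broken markup from hiding the
    next row's findings."""
    hits = []
    for row_id, html in rows:
        finder = InjectedTagFinder(trusted_hosts)
        finder.feed(html)
        finder.close()
        hits.extend((row_id, *f) for f in finder.findings)
    return hits


if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
```

A plain SQL pass (every text column `LIKE '%<iframe%' OR LIKE '%<script src=%'`) is the quick first sweep on a suspected database; the parser above is the second pass that separates the site's own embeds from the injected ones, and the same function can be run over a dump or over rendered pages.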

Wait a second!
by Hakime on Fri 25th Jul 2008 01:43 UTC
Hakime
Member since:
2005-11-16

What is this all about here? Are you guys giving any credibility to this article full of nonsense and trolling arguments?

Is there anyone serious here who gives any credibility to a site where a random guy is pretending to sell a virus which is supposed to magically mess up a hard drive? That's just BS, a guy is just trying to have fun in a stupid way and some stupid people like him are reporting his crap.

And by the way, the site in question went off-line 8 hours after the dudes at Intego reported the information..... Is it a surprise?

I don't think so, and it is more disappointing that OS News is linking to such sensational stupid stories. It seems that OS News editors can only link to sensational stories for the sake of increasing hits on their forums, and that makes me think that the new editorial members are a pure joke.

I mean, I tried twice to post a very interesting article about the new static analyser built in clang (new front end of LLVM) as I thought that many people interested in writing code would find the article very interesting (here is the link by the way http://www.rogueamoeba.com/utm/2008/07/14/the-clang-static-analyzer...), but it never got published, why?

OS News editors do not care about technology or about well written informative articles, they rather care about FUD..... and the stupidity of the net, right?

Reply Score: 5

RE: Wait a second!
by tyrione on Fri 25th Jul 2008 02:35 UTC in reply to "Wait a second!"
tyrione Member since:
2005-11-21

What is this all about here? Are you guys giving any credibility to this article full of nonsense and trolling arguments?

Is there anyone serious here who gives any credibility to a site where a random guy is pretending to sell a virus which is supposed to magically mess up a hard drive? That's just BS, a guy is just trying to have fun in a stupid way and some stupid people like him are reporting his crap.

And by the way, the site in question went off-line 8 hours after the dudes at Intego reported the information..... Is it a surprise?

I don't think so, and it is more disappointing that OS News is linking to such sensational stupid stories. It seems that OS News editors can only link to sensational stories for the sake of increasing hits on their forums, and that makes me think that the new editorial members are a pure joke.

I mean, I tried twice to post a very interesting article about the new static analyser built in clang (new front end of LLVM) as I thought that many people interested in writing code would find the article very interesting (here is the link by the way http://www.rogueamoeba.com/utm/2008/07/14/the-clang-static-analyzer...), but it never got published, why?

OS News editors do not care about technology or about well written informative articles, they rather care about FUD..... and the stupidity of the net, right?

You got my interest and since I just installed Xcode 3.1 I've got a lot to check out with CLang.

Reply Score: 2

Theory v Practice
by darrelljon on Fri 25th Jul 2008 08:28 UTC
darrelljon
Member since:
2008-05-29

Loving how viruses on Unix-like systems are mainly a theoretical debate and discussion whereas on Windows they are a known fact.

Reply Score: 0

The plural of virus is viruses
by unclefester on Sat 26th Jul 2008 05:57 UTC
unclefester
Member since:
2007-01-13

Virus is a purely English word not a Latin word.

http://www.linguistlist.org/issues/15/15-1540.html

Reply Score: 2

What's the difference?
by melgross on Sun 27th Jul 2008 06:00 UTC
melgross
Member since:
2005-08-12

It doesn't matter how we spell it. Virii or viruses. Language is constantly evolving, and it's the number of uses that determines its correctness. If a majority use it, at some point, the dictionaries will change their definitions, and call "viruses" obsolete usage, as they do with other words, terms, etc.

The term "so fun" would have earned me a slap on the hand from an English teacher when I was in school back when, but now it's becoming accepted.

People should just get over it.

Reply Score: 1