Linked by Amjith Ramanujam on Thu 24th Jul 2008 18:01 UTC, submitted by Ward D
Bugs & Viruses Mac Antivirus developer Intego might have stumbled across an OS X specific virus being offered for auction that targets a previously unknown ZIP archive vulnerability. From Intego's posting, it appears that an enterprising auctioneer seems determined to make sure that his name is one that is not forgotten when it comes to Apple security, claiming that his exploit is a poisoned ZIP archive that will "KO the system and Hard Drive" when unarchived.
Thread beginning with comment 324513
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Hardly likely
by looncraz on Fri 25th Jul 2008 06:30 UTC in reply to "Hardly likely"
looncraz
Member since:
2005-07-24

Imagine if you will:

1. Create trojan application which acquires root privilege because the user is not suspicious.

2. Use elevated status to integrate virus with the system as tightly as possible.

3. Read e-mail addresses from the address book, and hack the e-mail program to automatically attach the trojan.

4. Wait for one hour, giving the user a chance to forget the last thin they did on the computer.

5. Ensure the next time a browser is lauched, it crashes.

6. Give the three-finger solute to the boot sector and partition table, zap holes on the cylinder boundaries.

7. Enjoy the ensuing chaos.


Naturally, though, while it is possible to do the above, these kinds of infections have problems spreading. They are devastating and draw much attention - the author will likely be caught and punished.

This is one of the real reasons why these types of infections have nearly vanished. Another big reason is that those with the know-how have discovered that they could avoid their risks and make money with ad&spy-ware - sorta mostly legally [ ;-) ].

Of course, the above steps really require knowledge of multiple issues, but only one exploit ( obtaining root ), which can be very easy thanks to general complacency in the Apple community of users.

--The loon

P.S. I run BeOS, it would be pretty easy to do my machine in - write a script which simply states rm -rf /boot/ and call it some app on BeBits :-)

Reply Parent Score: 2

RE[2]: Hardly likely
by Earl C Pottinger on Fri 25th Jul 2008 14:50 in reply to "RE: Hardly likely"
Earl C Pottinger Member since:
2008-07-12

Sorry, takes me 15 seconds to reboot of my backup partition which is normally is not mounted so it can't be touched without my noticing.

Additionally, about 95% of my data found on my /boot drive are infact links to other partitions and rm does not follow links off the partition it is working on.

Is there an option for that?

Reply Parent Score: 1

RE[3]: Hardly likely
by looncraz on Fri 25th Jul 2008 16:45 in reply to "RE[2]: Hardly likely"
looncraz Member since:
2005-07-24

Well, I could write a simple recursive loop with the BeOS API which natively follows symlinks, would compile to something like 16 KB.

OR, I could just have fun giving everything a random name :-)

Nothing would be in my way of doing so.

If I REALLY wanted to be a PITA, I'd scan for any unmounted volumes and mount them first, damaging all I could.

Of course, it would be just as easy to secretly install a driver which will destroy the boot sectors, partition tables, and the first and last block on each cylinder boundary ( to prevent recovery ).

BeOS has NOTHING to prevent access, though there are indeed some tricks ( i.e. try setting read and execute permission to everything in the system folders, but not write - you may want to use group settings for that and change the user name of those files - but be careful, this is untested on BeOS kernels, and can be problematic ).


--The loon

P.S. I think I'll try the aforementioned 'trick' and see how it works, perhaps today.

-- edit: stupid stray letters...

Edited 2008-07-25 16:47 UTC

Reply Parent Score: 2