A second strain of malware targeting Mac OS X has been discovered days after a Mac OS X Trojan appeared on the scene. The latest malware, Inqtana-A, is a proof-of-concept worm that attempts to spread using a Bluetooth vulnerability. The worm is not spreading in the wild and uses an internal counter that means it will expire on February 24, so it’s unlikely to ever be much of a problem. Nonetheless, Mac OS X 10.4 (Tiger) users are still advised to make sure they’re patched up in order to guard against attack from any future worm that uses the same exploit. In related OSX news, there’s more fuel for the tablet-Mac fire.
Mac OS X Malware Latches Onto Bluetooth Vulnerability
About The Author
Follow me on Twitter @thomholwerda
2006-02-17 9:09 pmTomB7
Yea. Symantec and Sophos are REALLY stretching to call this or the previuos “trojan” threats. They must be very worried about a lot of people going over to OS X and killing their business model.
2006-02-17 9:24 pmKroc
Nether the less, holes are being exploited.
It only takes someone to exploit a hole and actually do something damaging with it.
So far, hackers have been trying to highlight the need for Apple to get on top of the job.
2006-02-17 10:15 pmaxel
“Yea. Symantec and Sophos are REALLY stretching to call this or the previuos “trojan” threats. They must be very worried about a lot of people going over to OS X and killing their business model.”
hate to break it to you but this is exactly how it happens on Windows. the opposition points to a spyware/malware/virus infested windows box and says “look its hopelessly insecure” (to be fair it IS) but the thing is 90 percent of that was installed or run by the user.
all those dread virii that were supposed to destroy the internet last year and what not? you had to download and open suspect attachments. The world is full of idiots who will download a 10mb .txt file claiming to be a joke and then unzip it, never mind that you shouldn’t have to unzip a text file.
yeah this particular bit of code might not really do anything malicious but its highlighting that OSX is becoming a target, for whatever reasons and the word needs to get out to the morons, stop opening anything stop installing everything, even if you do use a Mac.
2006-02-17 10:27 pmdukes
I gave you a +1 on that comment.
The only difference which makes it not “exactly how it happens on Windows” is that Windows box can just sit on a network and get infected by a virus, malware, spyware, trojan, or worm with no interaction. There are NO claims that such happens on OS X or *nix.
2006-02-17 10:57 pmAnonymous
Not if it’s patched.
2006-02-17 11:03 pmTyr.
Not if it’s patched.
Which is sometimes difficult to do when MS knows about vulnerabilities but decides to keep them quiet either while working on a patch or just to avoid PR embarassement. All the while blackhats are exploiting the code (like “Russian hacker groups sold WMF exploit code” http://www.computerweekly.com/Articles/2006/02/03/214046/Russianhac… )
Just to say your response is a gross oversimplification.
2006-02-18 12:30 amAnonymous
I’m more inclined to believe “working on a patch” rather than “avoid PR embarassment”. Unless you have actual evidence of the latter, I’m going to believe that all cases where they keep quiet are cases where they are working on something.
Testing takes time. Better to test, than to release a faulty patch and get flamed into oblivion.
2006-02-17 9:23 pmscottcantor
>but it seems to me that you’d have to be pretty
>stupid to fall for this one.
Good thing the world is running low on stupid people.
Imagine a coffee shop full of lonely hearts, pounding away on their laptops while shooting furtive glances across the room. Suddenly a message pops up on the screen that “secret_admirer” has sent you a file named “innocent_introduction.zip”.
OK, OK, I give, no one would ever fall for that.
2006-02-17 10:30 pmPeragrin
And is that message from the hot chick, or the 300lb guy two seats behind her?
You don’t get secret bluetooth messages. As you never know to whom your sending or recieving it. It’s not like the computer name is readily available and when it is knowing who is who is next to impossible.
yea I don’t see it happening. It’s more likely a mean co-worker would send it to you.
This makes you wonder if Apple will manage to piss off a OSX86 hacker enough to start attacking the OS?
PS: I know the timing of these things are coincidential, I’m just saying.
2006-02-18 4:00 amJimmy
I was thinking the same exact thing after reading about the first virus yesterday. After Apple sent osx86project.org that DMCA notice, I figured that they would tick off the x86 hackers; since Apple is screwing with their efforts, some of them are probably starting to think its okay to screw with Apple’s efforts (their OS).
Now I doubt that this is the case, but you never know.
2006-02-18 12:56 pmevangs
Yes, that underscores the maturity and mentality of those working on hacking OS X, don’t it?
2006-02-18 6:12 pmJimmy
You have to understand that everyone hacking OS X isn’t a 29 year old IT worker, who is all “mature and proper” and comes to hack OS X on their x86 machines wearing ties and sipping their Starbucks coffee.
A great deal of people working on the project are just high school kids; very smart at what they do, but some just arent very mature and could very well retailiate against Apple for shutting down their ‘fun’.
2 in as many days, heh.
You can’t call these things Virus’s or Trojans if you need this much manual input.
The bluetooth on Macs, is that disabled or enabled by default, on a fresh install? I can’t remember.
2006-02-18 12:16 amcilcoder
Isn’t requiring manual input part of the definition of a trojan?
I would regard it more as Malware than Trojans though.
I think they are bumping it up and trying to scare people etc.
…what my desktop picture looks like.
Did I say I have over 4000 mp3’s, come and get me, I won’t rat.
If you DOS me I’ll just change my ip. I’m waiting.
Edited 2006-02-18 00:34
What’s really the point of this news. I mean we are talking about a small malware that exploits a security hole into Bluetooth, but basically this malware by exploiting this hole can not do anything that read unauthorized files and it needs that the user accept the data transfer to execute. Thats not very scary….
But the thing that makes this information more unintersting is that we are talking avout a secutiy hole in the OS X Bluetooth that has been corrected last June (June 2005). Apple issued a security patch for this flaw last June and probably most users have updated their system and are safe now. If they are connected to internet, they are safe as the automatic software update would have downloaded the fix long time ago. If they are not connected to internet, they are safe by nature, they are exposed only if they connect an infected device which is not very likely, cf the previous reason.
So the threat of this malware is simply very close to 0!!!!
Sure it shows that a security hole can be exploited, but thats not a news we know it. A security flaw can be exploited on any OS, whatever it is Windows, OS X, Linux, etc….The end question is whether the malware exploiting the hole is dangerous or not. In this case, NO, …..
1) A “Trojan horse” need to scale privileges. Leap-A is only another rm ~/* script.
2) A malware (like Inqtana-A) where the OS ask the user to perform the task is not more intelligent that previous (as someone appear interesting to call) “virus”. And if it doesn´t scale privileges too (does not reach root), it’s a ridiculous malware software.
In my definition a “virus” must take advantage of a OS flaw: like in the Windows world.
Is this a marketing campaign from antivirus manufactures? Does they want to launch a new OS X antivirus or something like this?
Edited 2006-02-18 07:51
2006-02-18 12:47 pmMorin
> 1) A “Trojan horse” need to scale privileges. Leap-A is
> only another rm ~/* script.
… and …
> In my definition a “virus” must take advantage of a OS
> flaw: like in the Windows world.
Did you know that “trojan horse” and “virus” are actually terms from the real world and they do have a meaning? Using them for computers only makes sense if you don’t twist that meaning.
A “rm ~/*” script only causes trouble. It becomes a trojan horse as soon as it’s looking like a gift, and takes over the place where it’s taken by the user (in this case, the user’s home directory).
A virus need not take advantage of flaws the way they exist in windows. Real virii don’t do this – even a perfectly healthy man with a full-functioning body can get infected (whereas Joe User’s typical windows system looks more like terminal cancer). The point about virii is that they infect something, and then use the infected unit for reproduction. There is one good example for something that closely matches a real-world virus, doesn’t use any flaw, and did spread well: In a forum, “sign” your postings with the words “This is a signature virus. Copy me into your signature to help me spread.”
well.. as for the first virus… from all the info I’ve been able to read it only affects users running the 10.4x variants of macOS. Seems that it uses spotlight to spot its favorite targets. So maybe disabling spotlight( there are a few programs that do this) would help. Being a cheapskate.. im still running 10.3.9.. the article says i’m not affected. LOL i also dont have a bluetooth module….Lucky me??
I have to admit that I’m not 100% clear on what exactly this “virus” does.
However, as I understand it, the software attempts to send itself to any bluetooth computers within range. The thing is the user then recieves a message from OS X asking if they want to accept the incoming transfer. So as far as I see it, to make something like this effective, you have to:
A. Accept an incoming bluetooth transfer that you weren’t expecting
B. Open the file/program that you recieved in this transfer
Now I don’t know if OS X includes a warning when accepting bluetooth transfers (that they might be malicious), but it seems to me that you’d have to be pretty stupid to fall for this one.
If I have misunderstood this, could someone correct me please?