More Confirmation
At least one version of this is going around under the name "Microsoft Word 2004 OSX Web Install" (presumably so that some users who might wonder why it's only 60 kb might think that running it will download the rest from the internet). What's most interesting about this file is that it's not even saved as run-only--if you drop it on Script Editor, it opens up as an editable one-line script:
Just as Rob suspected.
A couple of things to note: First, this is a script any idiot with five minutes' worth of AppleScript experience and access to Apple's documentation on "do shell script" could write. Second, the fact that the author is distributing it as an editable script either means that he's trying to show how easy this is (perhaps to encourage others to do the same) or he's the idiot I mentioned in the first point. Third, the "Get Info" window has at least two dead giveaways to anyone who is familiar with AppleScript (in addition to the trick mentioned above--deleting the icon)--there's a checkbox for "Open in the Classic environment" (why would Office 2004 have an installer that could open in Classic?) and there's a "Memory" section (again, only used for Classic apps). All said, it's really pretty amazing no one's ever done this before. What needs to be said, over and over and over again, however, is that this is really not some sort of "security hole," "virus," or "exploit." Even "trojan horse," as the analyst from Jupiter Research has pointed out, is really overstating this. This is social engineering, plain and simple, and it will only affect people who are trying to pirate software, because (with all due respect to Rob) even though this could be used in any variety of AppleScripts or AppleScript Studio apps, no one is going to get such a script or app from a P2P network but only from an identifiable--and therefore prosecutable--source.
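The post above makes two defensive points: an applet that is not saved run-only exposes its source to anyone who drops it on Script Editor, and a "do shell script" one-liner is the whole payload. The following is an added example, not code from this thread or from any of the posters: a small static triage pass over an applet's decompiled source that flags the combination of a shell escape with a recursive delete, an admin-privileges prompt, or a home-folder path. It assumes the source has already been extracted (on macOS, `osadecompile` on `Contents/Resources/Scripts/main.scpt` inside the applet bundle is one way; whether that tool is present on a given system is an assumption here, and a run-only script will not decompile at all, which is itself worth recording). The two sample scripts are constructed for the example.

```python
"""Static triage for an AppleScript applet's decompiled source (added example)."""
import re

# Each rule: (name, pattern, why a reviewer cares). Patterns are heuristics,
# not a complete grammar of AppleScript; they are meant to surface lines for a
# human to read, not to prove a script safe.
RULES = [
    ("shell_escape", re.compile(r"\bdo shell script\b", re.I),
     "hands the script a shell; read the command string carefully"),
    ("recursive_delete", re.compile(r"\brm\s+-\w*r", re.I),
     "recursive deletion via rm"),
    ("admin_prompt", re.compile(r"with administrator privileges", re.I),
     "prompts for an admin password, so the command runs as root"),
    ("home_path", re.compile(r"path to home folder|\$HOME\b|~/", re.I),
     "references the user's home folder"),
]

# Constructed samples (not taken from the file discussed in the thread).
SAMPLE_SUSPECT = (
    'do shell script "rm -rf " & quoted form of POSIX path of (path to home folder)'
)
SAMPLE_BENIGN = 'tell application "Finder" to display dialog "Hello from a script"'


def scan_source(source):
    """Return one finding dict per (line, rule) hit in the decompiled source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern, why in RULES:
            if pattern.search(line):
                findings.append(
                    {"line": lineno, "rule": name, "why": why, "text": line.strip()}
                )
    return findings


def risk_level(findings):
    """Collapse findings into low / medium / high for a quick verdict.

    A shell escape on its own is only 'medium' (plenty of legitimate scripts
    use one); a shell escape combined with a recursive delete or an admin
    prompt is 'high' and should be read by a person before the applet runs.
    """
    names = {f["rule"] for f in findings}
    if "shell_escape" in names and names & {"recursive_delete", "admin_prompt"}:
        return "high"
    if "shell_escape" in names:
        return "medium"
    return "low"


def report(label, source):
    """Print a short human-readable report and return the computed risk level."""
    findings = scan_source(source)
    level = risk_level(findings)
    print(f"[{level.upper()}] {label}")
    for f in findings:
        print(f"  line {f['line']}: {f['rule']} ({f['why']})")
    return level


if __name__ == "__main__":
    report("constructed suspect applet", SAMPLE_SUSPECT)
    report("constructed benign applet", SAMPLE_BENIGN)
```

The point of the rules is the combination, not any single keyword: "do shell script" appears in countless harmless scripts, so the verdict only rises to "high" when it sits next to a recursive delete or an admin-password prompt of the kind Rob describes in the next post.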
More Confirmation--Clarification
To clarify my last point, here are two remarks that Rob made:

| However, think about this version: A useful AppleScript that does something cool (change type/creator codes, backs up your directory, etc.). However, buried in the code is a timer that counts the number of times you've used the program. On the 50th run, it deletes your entire user's folder. Or worse, it pops up a dialog that says "In order to backup the Foo_bar file, we need your admin password." It may then be possible (I'm not quite sure how) for the app to delete the entire hard drive, instead of just your user's folder. If the script were useful enough, it could be very widely distributed, and then go blam! at some non-specified time in the future. I realize that more experienced Mac users may think they're immune to this, but a properly disguised and coded AppleScript, as discussed above, could potentially catch even the most cautious user off guard.

| Also consider something packed in a .PKG installer which uses the real Apple-approved means of asking for permission to use your Admin password -- I install such things at least once or twice a day. Buried inside any of them could be a very malicious script that I wouldn't see until it was too late.

I download A LOT of scripts and apps (probably as many or more than Rob). But I always know where I'm getting them from--which is very different from getting something from a P2P network. If one of these were to execute malicious code, I could and would go after the author--and, in most cases, he would probably be open to criminal prosecution. All of that is really just a long way of saying that the average MacOSXHints reader, if he's keeping his nose clean and avoiding P2P, has a whole lot less to worry about than he did back in the days of System 7, System 8, and OS 9, when there were real viruses running around--and compared with a Windows user, he's more likely to get hit by lightning than to be bitten by this kind of malicious code.
More Confirmation
I think that we are being a little short-sighted in this discussion. Sure, in this case it is a simple AppleScript that deleted the user's home directory. But as pointed out in the earlier discussions, the same thing can be achieved by a number of methods. This doesn't really concern me as much since this only affects the user downloading the malicious script. It seems very plausible that the same script could have been modified to go and get the names and e-mail addresses of everyone in that person's address book, which could then send a message to everyone in the address book to execute something that reads, "see new photos of my vacation." Of course the sender is the person who activated the malicious script in the first place, so people receiving the e-mail would be unaware of what is going on since they believe it is coming from someone they know. The execution of the script would then be out of control. The recipients of the e-mails would then become the victims of this trojan horse and the process would just continue until knowledge of the script spread worldwide.
More Confirmation
| It seems very plausible that the same script could have been modified to go and get the names and e-mail addresses of everyone in that person's address book, which could then send a message to everyone in the address book to execute something that reads, "see new photos of my vacation."

No, in fact, it does not seem very plausible. AppleScript has no native capabilities to send e-mails in the background. It would either have to script Mail, in which case the user would have to be completely blind not to notice the e-mails leaving his machine, or it would have to use "do shell script" to automate the sending of the mail through sendmail (on Jaguar) or postfix (on Panther). But both sendmail and postfix are off by default. The kind of user who would activate them is precisely the kind of user who is unlikely to get bitten by such an AppleScript.
More Confirmation
Sendmail and postfix are mail routing programs; they take an incoming mail and send it somewhere else. You can send mail without using sendmail or postfix. For example, through "do shell script" you could use the mail command or you could use the telnet command - both will work to send out e-mail.
More Confirmation
| Sendmail and postfix are mail routing programs,
Yes.
| they take an incoming mail and send it somewhere else.
Yes, but that's not all they do.
| You can send mail without using sendmail or postfix.
Locally, yes, but not across the internet on a stock OS X installation. Try it; it will fail. If it doesn't, it's because you've enabled sendmail or postfix.
| For example, through "do shell script" you could use the mail command
Not through a stock installation.
| or you could use the telnet command
By telnetting to an outgoing mail server, sure--but that requires knowledge of a compromised mail server at the time the author is writing the script or it requires him to set up such a server--and the latter activity is likely to lead authorities to him.
| So even though sendmail and postfix might not be activated you don't need them to send e-mail through the command-line.
Yes, you do, on a stock OS X installation.
| It would indeed be easy to make a self-replicating trojan out of AppleScript.
Then make a proof-of-concept. Intego will be happy to publicize it. I look forward to seeing the stories... (By the way, it couldn't be "self-replicating." AppleScript requires the user to run it; "self-replicating," in the world of viruses, etc., is confined to programs that can be activated without user intervention--simply by opening an e-mail, visiting a webpage, etc.)
From my email...
The following was sent in by an unregistered user; I thought it interesting enough to post. Everything below the hyphens is the user's text, not mine (previous replies noted by single and double bars -- |, ||).
-rob.
-------------------
|| You can send mail without using sendmail or postfix.
| Locally, yes, but not across the internet on a stock OS X installation. Try it; it will fail. If it doesn't, it's because you've enabled sendmail or postfix.
There are many mail agents out there. Most Windows mass mailing worms include their own smtp agent. For a simple mass mailer, they are trivial to write.
|| For example, through "do shell script" you could use the mail command
| Not through a stock installation.
|| or you could use the telnet command
| By telnetting to an outgoing mail server, sure--but that requires knowledge of a compromised mail server at the time the author is writing the script or it requires him to set up such a server--and the latter activity is likely to lead authorities to him.
Actually, all you need is the address of the user's smtp server which can be found in this file: ~/Library/Preferences/com.apple.mail.plist You'd probably want to use the XML parser to extract smtp server names correctly. Of course, since a worm isn't too concerned with efficiency, trying to nslookup all strings (i.e. those things within tags) would eventually work too. So what's the answer? Don't run anything from unknown or untrusted sources!
Copyright © 2014 IDG Consumer & SMB. All trademarks and copyrights on this page are owned by their respective owners.