

More Confirmation
Authored by: roncross@cox.net on May 12, '04 09:56:56PM

I think that we are being a little short-sighted in this discussion. Sure, in this case it is a simple AppleScript that deleted the user's home directory. But as pointed out in the earlier discussions, the same thing can be achieved by a number of methods. This doesn't really concern me as much since this only affects the user downloading the malicious script. It seems very plausible that the same script could have been modified to go and get the names and email addresses of everyone in that person's address book, which could then send a message to everyone in the address book to execute something that reads, "see new photos of my vacation." Of course the sender is the person who activated the malicious script in the first place, so people receiving the email would be unaware of what is going on since they believe it is coming from someone they know. The execution of the script would then be out of control. The recipients of the emails would then become the victims of this trojan horse and the process would just continue until knowledge of the script spread worldwide.

How does our system stop something like a script that replicates itself and affects many systems, not just the person downloading the malicious script? I don't think that virus protection will help in this case.

My point here is that it takes only one rotten apple (the person downloading the malicious script) to spoil the whole batch (people that are playing by the rules). In this case, the rotten apple happens to be a batch unto itself.

thx
RLC

---
rlc



More Confirmation
Authored by: ExecutiveEditor on May 12, '04 10:05:56PM
| It seems very plausible that the same script could have been modified to go and get the names and email addresses of everyone in that person's address book, which could then send a message to everyone in the address book to execute something that reads, "see new photos of my vacation."

No, in fact, it does not seem very plausible. AppleScript has no native capabilities to send e-mails in the background. It would either have to script Mail, in which case the user would have to be completely blind not to notice the e-mails leaving his machine, or it would have to use "do shell script" to automate the sending of the mail through sendmail (on Jaguar) or postfix (on Panther). But both sendmail and postfix are off by default. The kind of user who would activate them is precisely the kind of user who is unlikely to get bitten by such an AppleScript.



More Confirmation
Authored by: Graff on May 12, '04 11:48:59PM

Sendmail and postfix are mail routing programs; they take an incoming mail and send it somewhere else. You can send mail without using sendmail or postfix. For example, through "do shell script" you could use the mail command or you could use the telnet command - both will work to send out e-mail.

So even though sendmail and postfix might not be activated you don't need them to send e-mail through the command-line. It would indeed be easy to make a self-replicating trojan out of AppleScript. Then again, it's not much easier or harder than using Java, Cocoa, Carbon, Perl, etc...

- Graff



More Confirmation
Authored by: ExecutiveEditor on May 13, '04 07:52:36AM
| Sendmail and postfix are mail routing programs,

Yes.

| they take an incoming mail and send it somewhere else.

Yes, but that's not all they do.

| You can send mail without using sendmail or postfix.

Locally, yes, but not across the internet on a stock OS X installation. Try it; it will fail. If it doesn't, it's because you've enabled sendmail or postfix.

| For example, through "do shell script" you could use the mail command

Not through a stock installation.

| or you could use the telnet command

By telnetting to an outgoing mail server, sure--but that requires knowledge of a compromised mail server at the time the author is writing the script or it requires him to set up such a server--and the latter activity is likely to lead authorities to him.

| So even though sendmail and postfix might not be activated you don't need them to send e-mail through the command-line.

Yes, you do, on a stock OS X installation.

| It would indeed be easy to make a self-replicating trojan out of AppleScript.

Then make a proof-of-concept. Intego will be happy to publicize it. I look forward to seeing the stories... (By the way, it couldn't be "self-replicating." AppleScript requires the user to run it; "self-replicating," in the world of viruses, etc., is confined to programs that can be activated without user intervention--simply by opening an e-mail, visiting a webpage, etc.)

From my email...
Authored by: robg on May 15, '04 12:14:33AM
The following was sent in by an unregistered user; I thought it interesting enough to post. Everything below the hyphens is the user's text, not mine (previous replies noted by single and double bars -- |, ||).

-rob.
-------------------
|| You can send mail without using sendmail or postfix.

| Locally, yes, but not across the internet on a stock OS X installation. Try it; it will fail. If it doesn't, it's because you've enabled sendmail or postfix.

There are many mail agents out there. Most Windows mass mailing worms include their own SMTP agent. For a simple mass mailer, they are trivial to write.

|| For example, through "do shell script" you could use the mail command

| Not through a stock installation.

|| or you could use the telnet command

| By telnetting to an outgoing mail server, sure--but that requires knowledge of a compromised mail server at the time the author is writing the script or it requires him to set up such a server--and the latter activity is likely to lead authorities to him.

Actually, all you need is the address of the user's smtp server which can be found in this file:

~/Library/Preferences/com.apple.mail.plist

You'd probably want to use the XML parser to extract smtp server names correctly. Of course, since a worm isn't too concerned with efficiency, trying to nslookup all strings (i.e. those things within tags) would eventually work too.

So what's the answer? Don't run anything from unknown or untrusted sources!
