Matts (1087)

I work for MessageLabs [messagelabs.com] in Toronto, ON, Canada. I write spam filters, MTA software, high performance network software, string matching algorithms, and other cool stuff mostly in Perl and C.

Journal of Matts (1087)

Thursday September 04, 2003
03:01 AM

Mac viruses quite possible

[ #14483 ]

One thing a lot of Linux and Mac users don't know about the latest Sobig virus is that it didn't use any exploits whatsoever. It was just a plain old exe attached to an email, asking the recipient to run it.

So I thought I'd do an experiment. On a Linux machine, in order to send an application to someone you have to tar it up, and then they have to untar it, and then run it manually. But Apple used an idea from NeXT - the app bundle - to save you a lot of hassle shipping apps around. Apple Mac OS X can run these .app bundles as though they were plain applications.

My experiment was to mail myself an app. I'm using a Panther Beta right now, so I don't know if this works the same on Jaguar.

The app came back to me as AppName.app.zip in the email. I double-clicked it. Mail.app put up the following alert:

Warning

The attachment “AppName” is an application. Since applications can contain viruses or be harmful to your computer, be sure this attachment is from a trustworthy sender before saving or opening it.

This seems pretty much verbatim what Windows (Outlook) says.

The three options were: "Open" "Cancel" "Save"

When I clicked on Open, the app launched.

No Apple, No!!! Bad Apple!

This just seems so incredibly stupid I'm absolutely aghast. I always took the hard line that Windows was the only OS vulnerable to the stupidity of its users in spreading viruses. I was wrong.
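An added example, not code from the journal entry or from MessageLabs: a mail gateway can recognise the zipped app bundle described above by its layout before a mail client ever offers "Open". The `hold`/`deliver` policy, the function names and both sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Path of a bundle's main executable, e.g. AppName.app/Contents/MacOS/AppName
BUNDLE_EXEC = re.compile(r"(?:^|/)([^/]+\.app)/Contents/MacOS/([^/]+)$")

def find_app_bundles(zip_bytes):
    """Map each .app bundle in the archive to (executable, has_exec_bit) pairs."""
    bundles = {}
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                m = BUNDLE_EXEC.search(info.filename.replace("\\", "/"))
                if m:
                    mode = info.external_attr >> 16  # Unix mode, if recorded
                    bundles.setdefault(m.group(1), []).append(
                        (m.group(2), bool(mode & 0o111)))
    except zipfile.BadZipFile:
        return {}  # not a zip at all: nothing to report
    return bundles

def attachment_action(data):
    """Hypothetical gateway policy: hold any zip that carries an app bundle."""
    return "hold" if find_app_bundles(data) else "deliver"

def _make_zip(entries):
    """Build a constructed sample archive in memory from {path: (data, mode)}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, (data, mode) in entries.items():
            zi = zipfile.ZipInfo(path)
            zi.external_attr = mode << 16  # store Unix permissions in the entry
            zf.writestr(zi, data)
    return buf.getvalue()

# Constructed samples, not real attachments.
SAMPLE_APP = _make_zip({
    "AppName.app/Contents/Info.plist": (b"<plist/>", 0o644),
    "AppName.app/Contents/MacOS/AppName": (b"#!/bin/sh\n", 0o755),
})
SAMPLE_DOC = _make_zip({"notes.txt": (b"hello", 0o644)})

if __name__ == "__main__":
    print(attachment_action(SAMPLE_APP), find_app_bundles(SAMPLE_APP))
    print(attachment_action(SAMPLE_DOC))
```

The check looks at the archive's contents rather than the attachment's file name, so renaming `AppName.app.zip` does not change the result.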

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • At first I thought you were whining because it opened when you clicked "save". But no, it did what you told it to do. There's nothing wrong with that behavior. The Apple interaction model for applications is that "opening" the application is the same as launch. The terminology is quite consistent. What else should it have done, I now wonder.
    --
    • Randal L. Schwartz
    • Stonehenge
    • I think I agree with Matt -- SoBig's spread has made it clear that simply asking to run it still makes it too easy for viruses to spread.

      Adding a "save, then navigate to file, then execute" step at least imposes a technical ability barrier. ;)

      I can see the Apple POV too -- usability -- but these are arbitrary executable files that could contain any code whatsoever -- including the Apple equivalent of "format c:".
    • Yes thanks, I can read.

      Sobig made it big because users could run apps straight from their email client. Not because Windows is inherently insecure. If the Mac ever got as big as Windows then Sobig would be equally as likely to occur on that platform.

      We should learn from the past, not ignore it.
      • I don't get it. You think these people will be less likely to open it if they have to save it first?

        Really?

        All the virus has to do is call itself porn and it won't matter if the email client won't open it.
        • Absolutely.

          These things spread because it's easy, not because it's possible.

          Most total computer newbies I know wouldn't even be able to find it if they saved it to disk first. This gives the AV companies (the ones who use signatures at least - not MessageLabs) the window they need to distribute a signature for the virus.
    • SoBig assumes you don't read/don't care about the warning. You have to skip the "this might be bad" message in order to spread it. Ultimately, it's a human problem that is exacerbated by the email client's ability to run an executable without you having to particularly think about it. If Outlook (or mail.app for that matter) refused to give you the immediate option of running the program, then (simply put) the virus wouldn't spread anywhere nearly as rapidly, and wouldn't be nearly as much of a nuisance tha
  • What, you mean this whole damn sobig thing has been caused by eight zillion people manually infecting themselves? No preview pane exploits, no automatic Outlook actions, no wacky security holes--just a whole lot of people I now want to smack pushing the "yes I want to be infected" button?