How Random Babbling Becomes Corporate Policy (t3knomanser) wrote,

Mac Virus

Some idiot tried to make a Mac virus. They disguised an executable as a JPEG, making it a trojan. Severity? Less than minor: it runs with ordinary user privileges, so it can't do any serious damage to the system itself because of OS-level security features.


According to this, it is more severe than initially thought. While it still can't dig into the operating system, it can infect user-owned applications, and it does send itself to everyone on your buddy list. There is no payload, but it will prevent infected apps from launching.

The moral of the story? Regardless of what OS you use, when somebody sends you a zipped file and claims it's a picture, it PROBABLY ISN'T. Like most OSes, OSX hides file-name extensions for known types by default. From the Finder menu, go into Preferences, and on the Advanced tab check the box "Show all file extensions". That is not a fix, but it does protect you, provided you actually read the extension. The icon of the application was set to look like an image icon, but if you see an extension that doesn't match (or no extension at all, which is what you'd see on a Unix executable), don't open it unless you know and trust the source. If you're not sure, select the file and press Cmd-I; the Info window that appears TELLS YOU the file's kind, including whether or not it is an executable.
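The same check can be done from the Terminal instead of the Finder. The script below is an added example, not code from the original post: it reads the first bytes of a file (its magic number) and compares what the file really is with what its extension claims. The sample files and their names are constructed for the demo; no real malware is involved.

```bash
#!/bin/bash
# Added example: decide what a file really is from its leading bytes
# instead of trusting the icon or the name the sender chose.

# Print a short label for the file's real type, based on its magic bytes.
real_type() {
    local magic
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)   echo jpeg ;;
        89504e47*) echo png ;;
        47494638*) echo gif ;;
        504b0304*) echo zip ;;
        1f8b*)     echo gzip ;;
        2321*)     echo script ;;   # "#!" shebang: a shell or other script
        feedface*|cefaedfe*|feedfacf*|cffaedfe*|cafebabe*)
                   echo macho ;;    # Mach-O executable, including fat binaries
        7f454c46*) echo elf ;;      # ELF executable (Linux)
        *)         echo unknown ;;
    esac
}

# Return 0 if the image extension and the content agree, 1 otherwise.
# Anything that is not really an image but carries an image name (or no
# extension at all) is the trojan pattern the post describes.
claim_matches() {
    local f=$1 name ext type
    name=$(basename "$f")
    ext=${name##*.}
    type=$(real_type "$f")
    case "$ext" in
        jpg|jpeg) [ "$type" = jpeg ] ;;
        png)      [ "$type" = png ] ;;
        gif)      [ "$type" = gif ] ;;
        *)        return 1 ;;   # no image extension, or none at all
    esac
}

# Demo on constructed files in a temp dir (not real samples).
demo_dir=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo_dir/real.jpg"          # genuine JPEG header
printf '#!/bin/sh\necho not a picture\n' > "$demo_dir/latestpics.jpg"  # script in disguise
chmod +x "$demo_dir/latestpics.jpg"
for f in "$demo_dir"/*; do
    if claim_matches "$f"; then
        echo "ok:      $(basename "$f") is a $(real_type "$f")"
    else
        echo "SUSPECT: $(basename "$f") claims to be an image but is a $(real_type "$f")"
    fi
done
rm -rf "$demo_dir"
```

Run it on a downloaded file with `claim_matches path/to/file`; a non-zero exit means the name and the content disagree, which is exactly the case where you should not double-click.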

This virus only infects files that are not owned by root. The following steps prevent that infection from occurring, but they are COMPLETELY UNNEEDED if you remember to check the content of strange downloads to ensure they are what they claim to be. They will also make it harder to update and modify your applications, and may break compatibility with the OSX Software Update tool.

To prevent files from being infected, go into a Terminal (Available in /Applications/Utilities) and type the following:

cd /Applications
ls -l

All of your apps will be listed, and each line will start with a permission string like "drwx...". The first character is the file type: "d" for a directory (every .app bundle is a directory) or "-" for a plain file. The setuid and setgid bits show up further along that string, as an "s" in an execute position (for example "-rwsr-xr-x" or "drwxr-sr-x") instead of an "x". Make sure NO ENTRY shows an "s" there. If one does, this is a potentially unsafe fix for that entry: handing a setuid program to root turns it into a setuid-root program, and the next step would be DANGEROUS. Bear in mind that ls -l on /Applications only shows the bundle folders themselves, not the executables inside them (Contents/MacOS), so those need checking too.

Once you've ensured that the setuid bit is NOT SET anywhere, type the following (add -R if you want the change to reach the files inside each bundle rather than just the bundle folder itself):

sudo chown root *

It will prompt you for a password; your own account password will do, as long as the account is an administrator.

Then type cd Utilities and repeat the same process as above, starting with the ls -l.

That will stop the virus from modifying those applications: they are owned by root, so a process running as your user can't change them. It will also stop you, as a normal user, from updating or modifying them. The only way to change that back is to go into the Terminal, cd to the appropriate directory, and run sudo chown YOUR_ACCOUNT_NAME APP_NAME (with the same -R if you used it the first time).
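The whole procedure, the setuid check followed by the ownership change and its reversal, as an added example that is not part of the original post. Because a .app is a folder, the check uses find to look at every file inside the bundle, and the chown is recursive. The functions only print what they would do unless you call apply_ownership yourself; the demo bundles are constructed in a temp dir and no real application is touched.

```bash
#!/bin/bash
# Added example: per-bundle setuid check and ownership change.
# A .app is a directory, so ls -l on /Applications never shows the bits on
# Contents/MacOS/<binary>; find looks inside, and chown -R reaches inside.

# Print every setuid or setgid file under the given path, one per line.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Exit 0 when the path, or anything inside it, carries a setuid/setgid bit.
# Giving such a file to root would make it setuid-root, so it is skipped.
unsafe_to_chown() {
    [ -n "$(setuid_files "$1")" ]
}

# For each entry in DIR, print the decision only (no changes made).
# OWNER defaults to root; pass your own account name to plan the reversal.
plan_ownership() {
    local dir=$1 owner=${2:-root} entry
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        if unsafe_to_chown "$entry"; then
            echo "skip  $(basename "$entry") (setuid/setgid file inside, review by hand)"
        else
            echo "chown $(basename "$entry") -> $owner"
        fi
    done
}

# Apply the plan for real: sudo chown -R on the safe entries only.
# apply_ownership /Applications          hardens; needs an admin password
# apply_ownership /Applications "$USER"  hands the apps back to you
apply_ownership() {
    local dir=$1 owner=${2:-root} entry
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        unsafe_to_chown "$entry" && continue
        sudo chown -R "$owner" "$entry"
    done
}

# Demo on constructed bundles in a temp dir (nothing under /Applications).
demo=$(mktemp -d)
mkdir -p "$demo/Safe.app/Contents/MacOS" "$demo/Risky.app/Contents/MacOS"
printf '#!/bin/sh\n' > "$demo/Safe.app/Contents/MacOS/Safe"
printf '#!/bin/sh\n' > "$demo/Risky.app/Contents/MacOS/helper"
chmod 755  "$demo/Safe.app/Contents/MacOS/Safe"
chmod 4755 "$demo/Risky.app/Contents/MacOS/helper"   # setuid bit set on purpose
plan_ownership "$demo"
rm -rf "$demo"
```

On a real machine run `plan_ownership /Applications` first and read the output; only when every entry you care about says "chown" should you call apply_ownership, and keep the "skip" list for manual inspection.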

This is a simple fix to prevent infection, but if you simply DON'T open strange attachments until you have checked the file type, you shouldn't need it.
