New virus "OSX.Macarena"

[chisbu]

Quote:

Details released on OSX.Macarena virus
3 days ago by Kristie Masuda

Mac OS X has been the target of a proof-of-concept virus that Symantec claims is a "very low" threat.
"There is no payload in this virus—it simply replicates."

Called OSX.Macarena the level-one virus will self-replicate in whatever folder the Mac owner is using. It is only known to have infected about 50 Macs, according to Symantec, and those infected must use anti-virus software to remove it.

"The virus writer has found a rather unexpected region of memory in which to place the code, along with a way to gain immediate control when an infected file is executed," Symantec's Peter Ferrie wrote. "There is no payload in this virus—it simply replicates. However, it won't replicate very well, because it is restricted to the current directory."

http://www.spymac.com/news/article.php?contentid=5409

And No, I did not create this virus.

[Trance-Aholic]

I've got an easy solution to this. It's called Linux

[chisbu]

Quote:

Originally Posted by Trance-Aholic

I've got an easy solution to this. It's called Linux

No thanks. I love my mac.

[Trance-Aholic]

Interesting news though. Considering there's like no viruses for Macs. But notice how it's not very destructive? Viruses for Macs are no where near as destructive as ones for Windows. That must say something about Windows.

[Dustwave]

Quote:

Originally Posted by Trance-Aholic

Interesting news though. Considering there's like no viruses for Macs. But notice how it's not very destructive? Viruses for Macs are no where near as destructive as ones for Windows. That must say something about Windows.

Rather about the intent of the one who wrote it. The article said it's a proof of life

[sidran]

Quote:

Originally Posted by Dustwave

Rather about the intent of the one who wrote it. The article said it's a proof of life

Ditto.

The only reason that Linux and Macintosh don't have a lot of their own viruses going around is because it just wouldn't be worth it. What with most of the world's computers running Microsoft Windows, it would make sense from a "causing mass chaos" perspective to just make viruses for Windows. Plus it would make them spread a lot faster. It actually has nothing to do with the security of Linux or Macintosh (no matter how much better or worse they actually may be than Windows).

[Ambiguity]

Quote:

Originally Posted by sidran

Ditto.

The only reason that Linux and Macintosh don't have a lot of their own viruses going around is because it just wouldn't be worth it. What with most of the world's computers running Microsoft Windows, it would make sense from a "causing mass chaos" perspective to just make viruses for Windows. Plus it would make them spread a lot faster. It actually has nothing to do with the security of Linux or Macintosh (no matter how much better or worse they actually may be than Windows).

Mac & Linux are like people who wear a coat and rarely leave their warm homes. Windows is like a naked man on a cold, crowded subway in the middle of flu season.

[Trance-Aholic]

Quote:

Originally Posted by Ambiguity

Mac & Linux are like people who wear a coat and rarely leave their warm homes. Windows is like a naked man on a cold, crowded subway in the middle of flu season.

That makes sense.

[Dustwave]

Quote:

Originally Posted by Ambiguity

Mac & Linux are like people who wear a coat and rarely leave their warm homes. Windows is like a naked man on a cold, crowded subway in the middle of flu season.

So basicly Mac & Linus are girly scared cats and Windows is a tough crazy college brat?

[Unknownname]

Quote:

Originally Posted by Trance-Aholic

I've got an easy solution to this. It's called Linux

That makes me sad.


anywho here is a better virus for linux, run this as root

Code:

[ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo "You live"

[Trance-Aholic]

Quote:

Originally Posted by Unknownname

That makes me sad.


anywho here is a better virus for linux, run this as root

Code:

[ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo "You live"

I don't know about you, but I usually don't run unfamiliar code as root.

[sidran]

Quote:

Originally Posted by Unknownname

That makes me sad.


anywho here is a better virus for linux, run this as root

Code:

[ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo "You live"

What that does (correct me if I'm wrong) is by a 1/6 random chance, it attempts to delete all the files in your root directory and all its subdirectories. Otherwise it will display "You live" on the console. I suggest no one try it "just for fun." Sorry to burst your bubble, unknown.

[Trance-Aholic]

Then it's not exactly a virus. By the way you described it, it sounds like a code that you have to manually run and it just generates a random result. Usually a virus gets on your system without your knowledge and executes itself. And by the time you know what happened it's too late. I wasn't going to try that anyways. Thanks for the info

[sidran]

Quote:

Originally Posted by Trance-Aholic

Then it's not exactly a virus. By the way you described it, it sounds like a code that you have to manually run and it just generates a random result. Usually a virus gets on your system without your knowledge and executes itself. And by the time you know what happened it's too late. I wasn't going to try that anyways. Thanks for the info

Ya, no problem. And that's true. If it was a virus, then it would have some level of automation in it. This would just be deemed "malicious code".

[sorcerdon]

I wrote an article about malicious code.... and yes this sounds like just malicious code.

[Unknownname]

Quote:

Originally Posted by sidran

What that does (correct me if I'm wrong) is by a 1/6 random chance, it attempts to delete all the files in your root directory and all its subdirectories. Otherwise it will display "You live" on the console. I suggest no one try it "just for fun." Sorry to burst your bubble, unknown.

Ha, that was merely an example of how the OSX.Macarena virus works. At some point the user has to run something in order to trigger the execution of this virus so that it can muck with the mach-o system (the thingy that handles files in os x.)

Since this was a proof of concept virus, it really wasn't dangerous. Using the source code from that virus could lead to something interesting. For instance once the virus can write to other files within the directory, it could append itself to any file in there, and then move the pointer to the virus itself. That way any file in that directory becomes a virus. Now, if the virus can append itself to files, it may look for some sort of program that it can inject a bit of code into, that way it can then get some run time permissions and have a field day.

All in all, in order to get this virus, you have to do something really stupid like run that above posted code.

p.s. That shell sciprt is called Shell Russian Roulette.
p.s.s. I hope no one was silly enough to run that!
p.s.s.s Oh noes my bubble!

:P

[eightbitstar]

hahaha i will send this code later. ns, btw

[maz]

Something I posted to a security emailing list:

Quote:

The major difference is how they are exploited at the user level. Generally you do not have root (read administrator) privileges on mac or unix. If you do you need to super user or use sudo (which is what OS X generally uses with a graphical front end).

You can exploit things that are running but generally OS X keeps services that listen on ports to a bare minimum. Here's what my mac (and I do a lot more "power" user stuff than the average mac owner) has listening right now:

nmap localhost

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-11-27 09:25 PST
Interesting ports on xads.zedo.com (127.0.0.1):
Not shown: 927 filtered ports, 749 closed ports
PORT STATE SERVICE
1033/tcp open netinfo
1241/tcp open nessus
3689/tcp open rendezvous

Rendezvous is open because I happen to share my iTunes. Nessus so I can connect locally and do security audits. Netinfo is an ldap database of sorts for OS X to have configurations saved and can only be accessed locally. I haven't heard of any expoits for it, but I suppose it's possible.

Windows processes tend to have unrestricted root level access which causes the vast majority of problems.