Here we go again!
Well we haven’t even finished the discussion of the “Don’t Panic” non-virus when reports have surfaced (in the past 12 hours or so) about a new Mac-specific virus.  Although almost certainly not a cause for panic, this one does appear to be much closer to an actual, Mac OS X-specific virus than anything seen previously.  Thanks to Andrew Welch of Ambrosia software for bringing this one to light and providing excellent analysis of it.
First off, although it appears to have not spread at all, the file’s name is latestpics.tgz.  Do not download this file, and if you receive it in any way, DO NOT OPEN IT.  Notify the proper authorities (for instance us, or other security experts you may know).
Secondly, the putative virus does not exploit any Internet-available vulnerability in Mac OS X.  It uses “social engineering” techniques to trick you, the user, into downloading, uncompressing and activating (running) it.  In particular:
  1. 1.It was introduced on a Mac bulletin board by claiming to be screenshots of the next version of Mac OS X (”Leopard”).
  2. 2.It uses a custom icon to look like a JPEG image file, so you won’t be afraid to open it (although the custom icon didn’t show up here -- it just shows up as a Unix executable file as indicated in the picture above).
  3. 3.It may be capable of sending itself via iChat to your buddies, trying to trick them as well.
What else does the virus do?  Analysis is ongoing, but it appears to try to infect some of your recently-used applications so that when you run those applications again the virus will be re-run as well.  It seems to use Spotlight to do this, so it’s not clear what it does on Mac OS X 10.3 (”Panther”) which does not include Spotlight.  Moreover, like most viruses, this one seems to have various “bugs” that (1) prevent it from doing what it really wants to do and (2) mess up the applications it’s trying to infect so they no longer run (see “Unintentional damage” in chapter 11, “Viruses” of our book for an overview of this aspect of most viruses).
The long and short of it is that this file does seem to be a rudimentary “first attempt” at an OSX-specific virus.  No doubt we’ll see other such attempts over time.  More so than with the “Don’t Panic” non-virus, expect a whole lot of additional discussion of this one in the days to come...
Thursday, February 16, 2006