Mac OS X Trojan Horse

...or is it a large wooden badger?

Surprise, surprise: a new trojan horse has been announced by Intego Software, the company that a couple of months ago talked about a potential virus (which I blogged about here) involving malicious code piggybacking on the resource fork of certain Mac files.

Faaaake!

The new trojan horse has been found in the wild, on P2P networks, disguising itself as Microsoft Office 2004.  When the victim double-clicks the “installer”, it erases their user (home) folder.  Basically, it’s a Microsoft icon slapped on a compiled AppleScript that runs a Unix command to delete the user folder without confirmation.

What’s amazing is that Intego, a new and pretty much unheard-of company, is on top of this, while Symantec, McAfee, and others remain silent, having said nothing about it.  The trojan horse cannot replicate itself; it cannot spread itself.  It is not a virus.  It is a prank, a scam file, and it was caught, and protections released, by the same company when no one else had even heard of it.  Oh, except MacWorld, which made an official report to Intego about it.  You’ll notice that Intego and MacWorld are closely tied together, having a subscription deal.

I have no doubts that Intego wrote the script (which is a ridiculously simple “rm -rf ~” Unix command; DON’T RUN THAT, BTW) and then slapped it up on some P2P networks as an “MS Office 2004 Beta” to drum up some business.  The fact of the matter is, OS X is still virus free and you don’t need any anti-virus or security software, or any other protective bloat.  It’s a company trying to create a market for itself when one doesn’t exist.

NetNewsWire truncated the characters on a MacSlash headline that I believe reads correctly as is:
[image: MacSlash headline screenshot, attachment.php?postid=1139186]


Comments

Oh, I nearly forgot.  There’s an easy way to check your installers before running them.  Get Info (Cmd-I) on the file, and then select the icon in the Info window.  Hit Delete.  If a custom icon was applied to the file, it will be removed, and the default Finder-supplied icon will appear; in this case, a compiled AppleScript.
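The Get Info trick above relies on the Finder; the same check can be done from a Terminal without trusting the icon at all. The script below is an added example, not code from the original post or from Intego: it classifies a downloaded “installer” by its first bytes (a compiled AppleScript starts with the magic string FasdUAS, a native Mach-O executable with the feedface/feedfacf/cafebabe magic, and a real .app or .pkg is a directory), and, on macOS only, reports whether the Finder custom-icon flag (0x0400 in the Finder flags stored in the com.apple.FinderInfo attribute) is set. The function names, the “demo” argument and the sample files are my own constructions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Intego.
# Classify a downloaded "installer" by its content, not by its Finder icon.
# A compiled AppleScript begins with the magic bytes "FasdUAS"; a native
# Mach-O executable begins with 0xfeedface / 0xfeedfacf (or 0xcafebabe for a
# fat binary); a real .app or .pkg is a directory (bundle). Something that
# calls itself an installer but turns out to be a compiled script deserves a
# look before it is double-clicked.

classify_installer() {
    f="$1"
    if [ -d "$f" ]; then
        echo "bundle-directory"
        return 0
    fi
    if [ ! -f "$f" ]; then
        echo "missing"
        return 0
    fi
    # First seven bytes as text, for the AppleScript magic.
    magic=$(head -c 7 "$f")
    if [ "$magic" = "FasdUAS" ]; then
        echo "compiled-applescript"
        return 0
    fi
    # First four bytes as hex, for Mach-O magic in either byte order.
    hex=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) echo "mach-o" ;;
        *) echo "other" ;;
    esac
}

# macOS only: report whether the Finder "custom icon" flag (0x0400 in the
# Finder flags, bytes 8-9 of the com.apple.FinderInfo attribute) is set.
# This is the flag the Get Info / Delete trick in the comment above clears.
# Prints "yes", "no", or "unknown" when the xattr tool is unavailable.
has_custom_icon() {
    f="$1"
    command -v xattr >/dev/null 2>&1 || { echo "unknown"; return 0; }
    info=$(xattr -px com.apple.FinderInfo "$f" 2>/dev/null | tr -d ' \n')
    [ ${#info} -ge 20 ] || { echo "no"; return 0; }
    flags=$(printf '%s' "$info" | cut -c17-20)
    if [ $(( 0x$flags & 0x0400 )) -ne 0 ]; then echo "yes"; else echo "no"; fi
}

# Demo on constructed sample files (run as: sh check_installer.sh demo).
demo() {
    tmp=$(mktemp -d)
    printf 'FasdUAS 1.101.10' > "$tmp/Office 2004 Installer"   # constructed fake
    printf '\317\372\355\376' > "$tmp/real-binary"             # 0xcffaedfe
    mkdir "$tmp/Real.app"
    for p in "$tmp/Office 2004 Installer" "$tmp/real-binary" "$tmp/Real.app"; do
        printf '%s: %s (custom icon: %s)\n' "$p" \
            "$(classify_installer "$p")" "$(has_custom_icon "$p")"
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

A compiled AppleScript reported with a custom icon and a name like an installer is exactly the shape of the file described in the post; a genuine installer shows up as a bundle directory or a Mach-O binary.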

HA, yeah, I saw some goobers downloading this. I wasn’t fooled.

It’s out there and it’s coming. And we’re bringin’ it to you live, baby.
