friday 24 february 2006

Dear All -


I have waited to write this note until things calmed down a little, and a proper assessment made.

A number (it's not clear whether it's 2, 3, or 4) of recent possible threats to Apple Macintosh computers have been
identified over the last couple of weeks. Thanks to those who have written to me about them - I note here that
I read about 14 Macintosh news websites daily on your behalf, and always read the three major UK Macintosh-focused
magazines.

To be accurate, these threats are "trojan horses" and a "worm", not a virus.

These attacks are NOT a serious menace for most people, as they all require input from you to make them work.
That is, they CANNOT automatically infect your machine.

Remember - the people who WANT there to be viruses on our machines are the people who write anti-virus software
(and perhaps envious PC users!). Writers of anti-virus software have had a very thin time since the release
of OS X. These are the people making most noise about these possible threats.

If you are running System 9 or earlier - you can stop reading now - these threats are to OS X.

If you are running OS X 10.1 - stop reading now - you have other problems to consider with your not-very-good
operating system (see earlier notes from me).

If you are running OS X 10.2 or OS X 10.3 - stop reading now - this malware attacks OS X 10.4.

I have deliberated this week how much information to include here, as my readership ranges from the technically
very literate to the people who don't care how our beautiful machine works; they just want it to work.

So I'm going to give a short precis, and encourage you to Google for more information, or get in touch with me,
if you have further concerns.


In turn then.

1. Trojan Horse 1.

What is it? This is called the "Oompa-Loompa Trojan" or "Leap-A", and involves a compressed file called
"latestpics.tgz", which purports to be pictures of the next release of OS X (10.5, called Leopard).

What can it do? It replicates itself and propagates itself to other users via iChat. It does no other harm.

What can you do? Do not download this file. Do not expand it. No-one has been affected by this worm who was not
testing to find out what it did.

(There is possibly a second variant of the file.)

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.), or download, the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it

...and then for non-Admin users, it fails to infect most applications.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected
unless you unarchive the file, and then open it.


2. Worm.

What is it? This is a Java-based proof-of-concept worm, discovered by F-Secure, that will soon expire; it exploits a
Bluetooth vulnerability in older versions of Mac OS X 10.4 (Tiger).

What can it do? MacSecurityNews reports that OSX/Inqtana.A tries to spread from one infected system to others by
using the Bluetooth OBEX Push vulnerability CAN-2005-1333. Users are urged to update to the latest version of Apple's
OS X operating system (Mac OS X 10.4.5 was released earlier this week). No-one has been infected by this worm -
it's a proof-of-concept exercise.

What can you do? Upgrade your OS X 10.4.x to 10.4.5.



3. Trojan Horse 2.

What is it? This is a Safari and Mail security flaw called the "Zero-day exploit", a.k.a. the resource fork hole.

What can it do? Safari and Mail can be set (via Preferences) to automatically open downloaded files. It is
possible for a "bad person" to create a file, make you download it, and then for the file to run operations via
the Terminal (that is, directly against the underlying operating system).

What can you do? Deactivate the "Open safe files" option in the Safari and Mail Preferences. To further protect against
any sort of social engineering through scripts, renaming the Terminal application found in Applications>Utilities will
make it unreachable to malicious scripts. Also, it is recommended that home users not use the Administrator account,
and instead use a standard account for day-to-day computer work. (This requires the setting up of a second,
"every-day" account, separate from the main account - not difficult, a little involved perhaps.)


Inspect files with Get Info.

One of the best protective methods you can use (after turning off the option to open "safe" files automatically
in Safari) is to inspect any newly obtained download before launching it.

Click on the newly received download once to select it, then press the Command and I keys simultaneously, or go to
the "File" menu in the Finder and select "Get Info."

If the file carries the icon representation of an image or some other file, but shows a different "Kind" in the
Get Info window, something isn't right. Avoid launching the file and follow up by obtaining information about the
authenticity of the download source.
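As an added illustration that is not part of Hugh's note, here is a Python script that does programmatically what the Get Info check does by eye: it compares what a download's name claims it is with what its first bytes say it is, and flags anything runnable (a Mach-O binary or a shell script) wearing a picture's name or no extension at all. The magic-byte table and the kind labels are this example's own, and the sample inputs are constructed.

```python
import os

# Magic-byte prefixes and the kind they imply. The Mach-O, image and gzip
# magics are the real on-disk values; the kind labels are this example's own.
MAGIC = [
    (b"\xfe\xed\xfa\xce", "executable"),   # Mach-O 32-bit, big-endian (PowerPC)
    (b"\xce\xfa\xed\xfe", "executable"),   # Mach-O 32-bit, little-endian (Intel)
    (b"\xfe\xed\xfa\xcf", "executable"),   # Mach-O 64-bit, big-endian
    (b"\xcf\xfa\xed\xfe", "executable"),   # Mach-O 64-bit, little-endian
    (b"\xca\xfe\xba\xbe", "executable"),   # Universal (fat) binary; also Java .class
    (b"#!", "script"),                     # shebang: shell, perl, python script
    (b"\xff\xd8\xff", "image"),            # JPEG
    (b"\x89PNG\r\n\x1a\n", "image"),       # PNG
    (b"GIF8", "image"),                    # GIF87a / GIF89a
    (b"\x1f\x8b", "archive"),              # gzip, e.g. a .tgz
]
# What a filename claims by its extension; no recognised extension claims "none".
EXT_KIND = {".jpg": "image", ".jpeg": "image", ".png": "image", ".gif": "image",
            ".tgz": "archive", ".gz": "archive", ".sh": "script", ".pl": "script"}
RUNNABLE = {"executable", "script"}

def kind_from_content(data: bytes) -> str:
    """Kind inferred from the first bytes, whatever the name or icon says."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def kind_from_name(name: str) -> str:
    return EXT_KIND.get(os.path.splitext(name)[1].lower(), "none")

def check_download(name: str, data: bytes):
    """Return (claimed, actual, suspicious): suspicious when the bytes are runnable
    but the name does not admit it (an executable posing as a picture, or an
    extension-less blob relying on its icon to look like one)."""
    claimed, actual = kind_from_name(name), kind_from_content(data)
    return claimed, actual, actual in RUNNABLE and claimed != actual

def check_path(path: str):
    """The same check against a file on disk; only the header is read."""
    with open(path, "rb") as f:
        return check_download(os.path.basename(path), f.read(16))

if __name__ == "__main__":
    # Constructed sample: an Intel Mach-O header wearing a picture's name.
    print(check_download("latestpics.jpg", b"\xce\xfa\xed\xfe" + b"\x00" * 12))
```

A "suspicious" result is the programmatic equivalent of an image icon with a non-image "Kind" in the Get Info window: don't open it, check where it came from.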



Lastly - there are anti-virus programs for the Macintosh - but at least one of them (Sophos) has caused more problems
than it has cured this week - for these threats AREN'T viruses. I am investigating a freeware product called ClamXav
from  and will let you know how I get on.



thanks for being Mac users

hugh