Macworld Forums

Author: Topic: Well we knew it would happen 2
andybarton
Member
Posted: Thu, 16 Feb 2006 05:45AM

http://forums.macrumors.com/showthread.php?t=180579

A trojan horse masked as jpgs of 10.5 screenshots.

Be careful out there...

  Posts: 3199 | Location: , United Kingdom | Registered: Wed, 03 Jul 2002 | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
Cynic
Global Moderator

Posted: Thu, 16 Feb 2006 07:48AM

andybarton,

Assuming that this is as reported, it underlines the need to be aware, not to enter the admin password when asked without thinking why (although this might not have asked for the password) & also to think why these, or any other jpegs, need to be downloaded rather than just displayed in the browser.

But then that's what Trojans do, they fool you. Is it going to spread like a Windows virus or just be a slight sniffle at worst, we shall have to see.

  Posts: 1665 | Location: Limbo, United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
J.P.
Member
Posted: Thu, 16 Feb 2006 08:36AM

andybarton,

There's already been a trojan in the form of an MS Office installer, this isn't the first. Plus when you download it Safari will tell you it's an app, and it'll ask for an admin password.


JP.

Apple Certified System Administrator

The Mac Place - Macintosh Support, Consultancy, & pithy Mac blog
  Posts: | Location: UK | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
AlanAudio
Global Moderator
Posted: Thu, 16 Feb 2006 08:52AM

andybarton,

A Trojan is not a virus, but no doubt many news reports will refer to it as a virus.

Basically it's a con-trick. It's one thing masquerading as another. It uses a wheeze often referred to as 'social engineering' whereby users download something expecting it to be one thing, but it turns out to be something else in disguise.

Any jpg that asks for an Admin Password ought to raise suspicions in even the least savvy user.

I have no doubt that we'll hear a lot about this story, but as it's not a self-replicating virus, very few Mac users will ever see examples for themselves.

  Posts: 2256 | Location: United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
Dragonfly
Global Moderator
Posted: Thu, 16 Feb 2006 08:53AM

andybarton,
I guess the only difference is people with a mindset to destruction and chaos (who traditionally use PCs) are also now switching to the Mac. One downside to an increase in market share I guess.

Just don't open an App unless you know it comes from a good source. I've installed things like email notifiers before, and put user names and passwords into the settings box. Silly really because, although it's probably safe, there's nothing stopping a malicious programmer adding something that will return those details back to their machine. Then they have access to your email.

  Posts: 334 | Location: , United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
Dragonfly
Global Moderator
Posted: Thu, 16 Feb 2006 09:02AM

AlanAudio,
I'm sure it'll hit the headlines somewhere, especially in the M$urdock ones. But as you say, being asked for an admin password to view a picture is something that will never happen.

I want to know if it's possible for an App to simulate a request for an admin password and then pass those details back somewhere else, possibly allowing access to your server.

As far as I know, there's no way of knowing if a request for a password is genuinely from the OS or just a window that sends the data elsewhere. You need an OS equivalent of HTTPS (secure between you and your OS) to show what you're doing is secure and will go no further than the OS.

  Posts: 334 | Location: , United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
andybarton
Member
Posted: Thu, 16 Feb 2006 09:02AM

J.P., Alan, et al

I know all this. I know it's not the first. I know what a trojan is. I know it's not a virus. I know that you have to put your admin password in before it will do anything (and, according to Macrumors, it uses Spotlight to replicate...), but I just thought it was worth a 30 second heads-up.

Camino and Firefox, which many of you seem to prefer over Safari, do not give you a warning re download contents being apps.

  Posts: 3199 | Location: , United Kingdom | Registered: Wed, 03 Jul 2002 | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
Cynic
Global Moderator

Posted: Thu, 16 Feb 2006 09:08AM

andybarton,

IMO, it was worth the thread & I'm not implying that you don't know - just that I'm loath to start using 'one'. If it uses Spotlight to replicate, then it's only going to replicate on Tiger. So is this even more limited?

  Posts: 1665 | Location: Limbo, United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
BULLEID34081@mac
Member
Posted: Thu, 16 Feb 2006 09:33AM

Cynic,
I've been following the thread on Macrumors and it does seem to be a Tiger-only threat. One tip was to go into the Advanced option in Finder Preferences and select 'show all file extensions'. That way it will appear as something like xyz123.jpg.app rather than xyz123.jpg and so reveal itself to be something other than an image.

  Posts: | Location: stotfold, United Kingdom | IP: Logged
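Added example (not part of any post in this thread): the 'show all file extensions' tip above, written as a check that can be run over a download folder. It flags names of the form xyz123.jpg.app and, going one step beyond the tip, files with a .jpg extension whose contents do not start with a JPEG header. The extension list, function names and sample files are assumptions made for the illustration.

```python
import os
import tempfile

# Assumed list of "harmless-looking" extensions; not from the thread.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
JPEG_SOI = b"\xff\xd8\xff"  # every JPEG file starts with these bytes

def classify(path):
    """Return why `path` looks like a program posing as a picture, or None."""
    stem, last = os.path.splitext(os.path.basename(path))
    inner = os.path.splitext(stem)[1].lower()
    # xyz123.jpg.app: with extensions hidden, Finder would show "xyz123.jpg".
    if last.lower() == ".app" and inner in DECOY_EXTS:
        return "application named like a " + inner + " file"
    # Beyond the tip: a .jpg whose content is not JPEG data at all.
    if last.lower() in (".jpg", ".jpeg") and os.path.isfile(path):
        with open(path, "rb") as fh:
            if fh.read(3) != JPEG_SOI:
                return "JPEG extension but no JPEG header"
    return None

def scan(root):
    """Walk `root` and map relative path -> reason for each suspicious entry."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            reason = classify(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
        # Treat bundles as single items: do not descend into *.app.
        dirnames[:] = [d for d in dirnames if not d.lower().endswith(".app")]
    return findings

def build_sample(root):
    """Create a constructed sample download folder for the demo."""
    os.makedirs(os.path.join(root, "xyz123.jpg.app", "Contents"))
    os.makedirs(os.path.join(root, "Notes.app"))
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(JPEG_SOI + b"\xe0" + b"\x00" * 16)
    with open(os.path.join(root, "preview.jpg"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in sorted(scan(tmp).items()):
            print(rel + ": " + reason)
```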
Author: Topic: Re: Well we knew it would happen 2
Cynic
Global Moderator

Posted: Thu, 16 Feb 2006 09:46AM

BULLEID34081@mac,

If it's Tiger only, then the impact will be less & I'm still on Panther. I've also always shown extensions, just something that I've always wanted to know.

  Posts: 1665 | Location: Limbo, United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
BULLEID34081@mac
Member
Posted: Thu, 16 Feb 2006 09:57AM

Cynic,
Panther here too. I suspect a fix won't be that long in coming from Cupertino.

  Posts: | Location: stotfold, United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
Cynic
Global Moderator

Posted: Thu, 16 Feb 2006 10:13AM

BULLEID34081@mac,

Well, there's only one to deal with, not 100,000

  Posts: 1665 | Location: Limbo, United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
DESIGNADE
Member
Posted: Thu, 16 Feb 2006 10:14AM

By all accounts it doesn't need a password to run. No one seems to know what it 'does' at the moment. Bottom line is only to download from trusted sites.

Expect sensationalist headlines everywhere today (including Macworld) and AAPL to tank

Ade


  Posts: 247 | Location: Tunbridge Wells, United Kingdom | Registered: Sat, 28 Feb 2004 | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
BULLEID34081@mac
Member
Posted: Thu, 16 Feb 2006 10:24AM

DESIGNADE,
As I understand it the password issue is only if you are using an admin account. If you are using an account without admin privileges then you'll have to type in something before it installs.
As you so rightly point out, don't download and open things from dodgy sources.

  Posts: | Location: stotfold, United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
AlanAudio
Global Moderator
Posted: Thu, 16 Feb 2006 10:47AM

BULLEID34081@mac,

This is as good a time as any to remind people yet again to create individual user accounts for each person who uses their Mac, together with one called 'Guest' (for infrequent users) and another called 'Admin'.

Guess which account should be the only one with admin privileges!

Normal surfing of the net should be done within a normal user account, without admin privileges and then the possibilities of bad things happening in the future get drastically reduced.

  Posts: 2256 | Location: United Kingdom | IP: Logged
Author: Topic: Re: Well we knew it would happen 2
DESIGNADE
Member
Posted: Thu, 16 Feb 2006 11:13AM

AlanAudio,

You're spot on, Alan; unfortunately the default, and therefore the option used by most novice users/switchers, is to set up and use an admin account. It'll be interesting to see Apple's response.

Ade


  Posts: 247 | Location: Tunbridge Wells, United Kingdom | Registered: Sat, 28 Feb 2004 | IP: Logged