[X4U] Did this guy short AAPL?

DZ-Jay dz at caribe.net
Wed May 3 02:29:44 PDT 2006


From what I understand, the Leap-A trojan/worm prompts for the 
Administrator password before being able to install anything.  When run 
as a regular unprivileged user, it has very limited effect, i.e. it 
tries to spread itself via iChat but does not delete local files.  
Also, it runs only on OSX 10.4.  It relies on social engineering (i.e. 
convincing the user to run it), and does not exploit any OS security 
hole.  Because of this, and some other reasons, it has been categorized 
by various security organizations as "low risk".

Here's more information:
http://www.securityfocus.com/brief/142

Here are a few interesting bits from that article:

"There are also a number of steps that require user interaction for a 
system to be infected: the user must first be sent the infected file 
(manually by email, or automated via iChat instant messaging), then the 
user must double-click and decompress the image, open the image, and 
finally provide his administrator account and password for the code to 
be installed. Once installed, the malicious code attempts to hook the 
launching of any application in a user's application library, and then 
inject code into application executables. However, a bug in the virus' 
coding prevents the launching of any application executable after 
infection."

"The steps required to install the worm highlight the fact that a 
default install of OS X finds the average user running without 
administrator privileges, and therefore malicious code must trick the 
user into manually installing it. In comparison, most users of the more 
popular Microsoft Windows system are still logged in as an 
administrator, where worms, viruses, spyware and other malicious code 
are extremely common."

If this information is incorrect, I would appreciate you pointing me to 
a more accurate resource.

	Thanks,
	dZ.

On May 2, 2006, at 19:53, Michael Elliott wrote:

> I think that this was more serious than you would imagine.
>
> The trojan, as I recall, exploits what is basically a convention for 
> the typical OSX install:  the first account to register is given 
> administrator privileges.  The second defect as I recall is that 
> Terminal will run some of these scripts as administrator even without 
> a password.  The lynchpin, as is always so common on Windows, is the 
> browser:  Safari would consider the downloaded file as an image file 
> if it was named with .jpg or something on it, but was actually a 
> terminal script, and would "open" it automatically in Terminal.
>
> The description of commands being sent across the screen is him 
> describing Terminal as being launched and various UNIX commands being 
> processed.
>
> This problem was detailed many weeks ago in such reputable websites as 
> xlr8yourmac.com and macfixit.com.  One of the remedies suggested was 
> to create another account without administrator privileges, then use 
> that one exclusively as the primary account.
>
> I think that the issue was Terminal-specific in some way, as I know 
> that my administrator account is still required to manually enter 
> passwords whenever I want to do something important, like OS updates, 
> etc.
>
> My impression was that this was not a problem to be blown off.
>
> Michael
>
> On May 1, 2006, at 7:49 AM, Aron Spencer wrote:
>
>> He shorted AAPL.
>>
>> he had to type in his administrator password to get anything bad to 
>> happen...

-- 
[localhost] # chown -R us /usr/home/*/base


