On Feb 21, 2006, at 8:34 PM, Nancy Haitz wrote:

Yesterday Bruce wrote:
Meanwhile, our mail server has stopped 290 different Windows viruses from 284 different hosts since midnight.


Bruce,

You seem to be out on the bleeding edge of the new virus world (as are most universities). What are your thoughts on the new Zip Archive attack? Details here <http://www.macworld.co.uk/news/index.cfm?NewsID=13911&Page=1&pagePos=2> and here <http://secunia.com/advisories/18963/>


Actually this isn't as nasty as it appears at first glance.

This is, in fact, a very old vulnerability that's been 'discovered' countless times...the underlying mechanism has existed since the Mac OS has had resource forks, along about 1984 or so, and this is largely the same thing as in the MP3 Concept "virus" of 2004 <http://secunia.com/virus_information/8739/macmp3concept.a/> (which you'll notice that Secunia rates as a *low* threat).

Trojans for the Mac OS as old as OS 6 have been written using this mechanism.

File metadata (Creator/filetype/extension) can be forged, tricking people into running a program under the pretext of it being a data file, and this attack is essentially identical to the many hotnekkidbritney.jpg.pif attachments you see on the PC side. Since Windows by default hides the extension, people think they're clicking on hotnekkidbritney.jpg.

The advice, disabling the "Open safe files after downloading" option in Safari is VERY GOOD, but simply unpacking the Zip file does NOT cause it to be executed, which SANS intimates.

On Firefox the POC downloads and sits there. If unzipped, it also just sits there. The payload DOES execute if you double-click on the thing. This isn't *nothing*, it's just not as automatic as, say, an ActiveX exploit of Windows.

Like the MP3 Concept before it, <http://dbdev2.pharmacy.arizona.edu/miscjunk/Trojan_poc_finderview.pdf>, properly identified as an application, this one also displays its true colors in the Finder <http://dbdev2.pharmacy.arizona.edu/miscjunk/Bad_zip.png> where it's recognized as a terminal script.

Doing Get Info on the file shows the same information that it's a script.

Note: dragging the file onto QT player (in the case of the Secunia POC) does not cause the script to run either; only double-clicking on it does. Someone on our netmanagers list has reported that the trick doesn't actually work in Mail: Mail says that "The attachment is about to run a program, are you sure you want to do this?"

My guess is that were this to be a simple exploit to use, we'd have seen real consequences by now, since it's been around since the Mac has had resource forks, that is, since 1984 or so.

Unfortunately, while widespread, identical versions of this are something that can easily be detected by AV programs, the underlying issue needs to be dealt with on a system level by Apple.

--
Bruce Johnson

This is the sig who says 'Ni!'
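The extension/content mismatch Bruce describes, checked from the defender's side: a file named like a picture or song that actually starts with a shebang, fails its format's magic bytes, or carries an executable bit. This is an added example, not code from the list or from Apple; the sample files and the short magic-byte table are constructed, and the Finder type/creator stamp (stored in an extended attribute on macOS) is deliberately not read here.

```python
"""Added example (not from the list post): flag files whose data-type extension
disagrees with what is inside, the mismatch Bruce describes. Uses content and
mode bits only; the Finder type/creator stamp (an extended attribute) is not read."""
import os
import stat
import tempfile

DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".mp3", ".pdf"}
# Leading bytes we expect behind each extension (constructed, partial list).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".pdf": (b"%PDF",),
}


def classify(path):
    """Return the reasons a file looks like a script in data-file clothing ([] if clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in DATA_EXTENSIONS:
        return reasons  # not an extension this check cares about
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"#!"):
        reasons.append("shebang line in a file with a data extension")
    if not any(head.startswith(m) for m in MAGIC[ext]):
        reasons.append("content does not match the magic bytes for " + ext)
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set on a data file")
    return reasons


def demo():
    """Write constructed samples to a temp dir and scan them; returns {name: reasons}."""
    samples = {
        "holiday.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),  # genuine JPEG header
        "latest.mp3": (b"#!/bin/sh\necho hello\n", 0o755),           # script dressed as audio
        "notes.txt": (b"plain text", 0o644),                        # extension not watched
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (content, mode) in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            os.chmod(p, mode)
            results[name] = classify(p)
    return results
```

Run `demo()` to see the constructed "latest.mp3" flagged on all three counts while the real JPEG and the unwatched .txt come back clean.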

