
OSX Inqtana-B Virus?

This morning while performing a routine update of Sophos anti-virus software (yes, I am running it to practice safe computing and to help my friends in the PC world by not passing on PC viruses) I received the following message from my computer.

"Virus 'OSX/Inqtana-B' detected in Macintosh HD:Library:Spotlight:Microsoft Office.mdimporter:Contents:MacOS:Microsoft Office

Disinfection not available for this virus."

I can't find any info on the Apple site about it and have done a search in the forum and found only Inqtana.A.

One question--
How do I get rid of it?

thanks in advance,
Rae


Powerbook Mac OS X (10.4.5)

Posted on Feb 21, 2006 8:24 AM

45 replies

Feb 22, 2006 10:12 AM in response to Al Van Malsen

It is not a bug in the OS but rather a bug in Safari and perhaps in Mail.app that has the potential to leave the OS vulnerable.


There seems to be some concern that the bug is at a deeper level, one that would affect any app that has the capacity to open a zip file & then rely on the OS to decide if it is safe to open the results without first asking the user.

I don't know if any apps besides Safari & Mail actually offer this, though, so I can't say if there are other apps we need to be similarly careful about using.

FWIW, turning off the open "safe" files Safari option seems to be effective, but I haven't found any similar option in Mail, which I don't use much. Anybody know if there is one?

Feb 22, 2006 10:22 AM in response to technorae

It's now official. Sophos screwed up. They have released an updated definition file that stops the false positives. The question now is how many perfectly good systems did their software hose versus how many systems were compromised by the in-the-lab-only, not-in-the-wild Inqtana-B proof-of-concept exploit.

And by the way, the flaw that this proof-of-concept code exploits was patched eight months ago. The posters reporting that Sophos software found the proof-of-concept code and hosed their systems appear to be running OS 10.4.5 which would mean they can't even get infected anyway.

http://www.vnunet.com/vnunet/news/2150741/sophos-sees-virus-ghosts

Yet another day in the FUD factory that is "the sky is falling" security debate.



Dual 2.5GHz G5 Power Macintosh Mac OS X (10.4.5) 1.5GB RAM 20" Apple Cinema Display

Feb 22, 2006 11:20 AM in response to Will-Hi

It is slang.
It means he doesn't believe the post/comment/report/claim.
It is intended to have everyone take a step back and calmly consider what is being said and how reasonable it is.

Like someone having 154 instances of one virus no one has heard of before. It is possible, but not reasonable. False positive is more likely.

iMac 17 w/ internal BT Mac OS X (10.4.4)

Edited by an Apple Discussions Host

Feb 22, 2006 11:41 AM in response to matthew whiting

The bug seems to be that a shell script in a zipped file can trick the 'safe files' check if certain metadata in the zip is removed. Apparently, the OS (?) expects the metadata to tell it what kind of file the zip archive contains & if it is missing, some routine doesn't recognize that it is an executable file &, at least in Safari, no warning results & the file is opened if the 'open safe files' option is enabled.

Feb 22, 2006 12:09 PM in response to R C-R

It's not metadata in the zip, it's the shebang line in the shell script. The first line of every shell script should be a shebang line, which tells the shell what program to use to interpret the script. Apparently the presence of that line is what told Safari whether or not a file in an archive was an executable script or not. So omitting that line from the script makes Safari believe it is a simple text file.

Feb 22, 2006 2:03 PM in response to Wade Peeler

It appears to be more complicated than if the shebang line is missing. Apparently, the OS looks at the metadata file in the zip to determine what to open the unzipped file with, at least with the Safari auto-open option. This overrides the extension or user-selected default app the Finder would use for opening the file.

The shebang line appears to be a factor in that if it is present, some routine in the OS notices that the file really is a shell script, regardless of what the metadata says.
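The two posts above describe three independent signals that decide whether an archived file is treated as a script: the shebang line, the Unix execute bit stored in the zip entry, and the Finder metadata that Mac-made archives carry in `__MACOSX/._name` AppleDouble entries. The following inspector, an added example and not code from the original thread, checks all three for every entry so that a script without a shebang, or one named to look like an image, is still reported. The "safe" extension list and the sample archive it builds are constructed for the example and are not Safari's real list or the original proof-of-concept.

```python
"""Flag zip entries that are really executable scripts, whatever their
extension says.  Added example; not from the original thread."""
import io
import posixpath
import zipfile
from typing import Dict, List

# Extensions an "open safe files" feature would treat as harmless.
# Assumption for the example, not Safari's actual list.
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}

UNIX_EXEC_BITS = 0o111  # owner/group/other execute bits
METADATA_PREFIX = "__MACOSX/"  # AppleDouble (resource fork / Finder info) entries


def entry_mode(info: zipfile.ZipInfo) -> int:
    """Unix permission bits live in the high 16 bits of external_attr."""
    return (info.external_attr >> 16) & 0o777


def metadata_twins(names: List[str]) -> set:
    """Map '__MACOSX/dir/._file' entries back to the 'dir/file' they describe."""
    twins = set()
    for name in names:
        if not name.startswith(METADATA_PREFIX):
            continue
        directory, base = posixpath.split(name[len(METADATA_PREFIX):])
        if base.startswith("._"):
            twins.add(posixpath.join(directory, base[2:]))
    return twins


def inspect_zip(data: bytes) -> Dict[str, List[str]]:
    """Return {entry_name: [reasons]} for entries that look like scripts."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_metadata = metadata_twins(names)
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or name.startswith(METADATA_PREFIX):
                continue  # directories and the metadata entries themselves
            reasons = []
            if zf.open(info).read(2) == b"#!":
                reasons.append("starts with a shebang line")
            mode = entry_mode(info)
            if mode & UNIX_EXEC_BITS:
                reasons.append("has a Unix execute bit set (mode %o)" % mode)
            if not reasons:
                continue  # plain data file; nothing would run it as a script
            if posixpath.splitext(name)[1].lower() in SAFE_EXTENSIONS:
                reasons.append("but carries a safe-looking extension")
            if name in has_metadata:
                reasons.append("and has Finder metadata in __MACOSX that may override the extension")
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed archive: a benign text file, a shell script disguised as a
    JPEG (execute bit, no shebang) with a metadata twin, and a normal script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "just text\n")
        disguised = zipfile.ZipInfo("photo.jpg")
        disguised.external_attr = 0o100755 << 16  # -rwxr-xr-x
        zf.writestr(disguised, "echo 'this would run in Terminal'\n")  # no shebang on purpose
        # Placeholder AppleDouble bytes; constructed, not real Finder info.
        zf.writestr("__MACOSX/._photo.jpg", b"\x00\x05\x16\x07" + b"\x00" * 28)
        plain = zipfile.ZipInfo("hello.sh")
        plain.external_attr = 0o100644 << 16  # -rw-r--r--
        zf.writestr(plain, "#!/bin/sh\necho hi\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in inspect_zip(build_sample()).items():
        print(entry + ": " + "; ".join(why))
```

Run it and the disguised `photo.jpg` is reported on the execute bit alone, which is the case the shebang-only check misses; `hello.sh` is reported on its shebang even without an execute bit, and `readme.txt` is not reported at all. Entries under `__MACOSX/` are never trusted as a reason to treat a file as safe; they only add to the report for the file they describe.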

Feb 23, 2006 2:17 AM in response to Allan Eckert

Hi, Allan.

I addressed these concerns to a large degree in this thread, which I cited above. You should read my comments there as they refute most of the FUD spread about NAV.

I never encountered the spacesucking.xxx file. That was a bug in NAV 9.0 that was fixed in 9.0.1. It only affected some users, which I suspect had other problems on their systems, such as directory issues. See the Symantec KB article "Less free space on your hard disk after running Norton AntiVirus for Macintosh 9.0."

As to the mailbox issue (I don't know of a Home folder issue, I think this is confusion over the Mail issue), again that is old news. See the Symantec KB document: "Email inbox is moved to Quarantine when Norton AntiVirus for Macintosh 9.0.x detects a virus in email." The fix was distributed in the Virus Definition files shipped after 18 June 2004. There was also a workaround, i.e. disable Quarantine / Auto Repair: it would still alert you to the presence of an infected file automatically with AutoProtect enabled.

I never experienced that since I did not receive any infected e-mails and also kept NAV and the virus defs updated through LiveUpdate. That's not a risk now as (a) Symantec fixed the issue, (b) Tiger users should use NAV 10, and (c) Mail no longer uses a database structure for in-boxes. Under Tiger, Mail was redesigned for Spotlight so that each e-mail is an individual file in an in-box folder, rather than an entry in an in-box database.

You wrote:
"Do you have some suggestions on what to do or not do so that you don't experience problems with NAV beyond using the current version of 10.1?"
Yes:

1. Keep NAV and the virus defs up-to-date. Keeping one's software current is simply part of good maintenance. LiveUpdate can be configured to check regularly, à la Software Update.

2. If you're concerned about it doing something untoward automatically, you can disable functions such as AutoProtect, Quarantine, or Automatic Repair and use it to check downloads or e-mail attachments manually before opening them. Enabling AutoProtect while disabling Quarantine and Auto Repair will still alert you to problems but won't move infected files or attempt to fix them, leaving it up to you to decide what to do with them.

How much risk one has traditionally been exposed to re: Mac OS X malware has in large part depended on their computing environment, as I discuss in my "Detecting and avoiding malware and spyware" FAQ. That risk may now be increasing for Mac OS X users. Mac OS X has had a target painted on its head for some time now. Interest in writing destructive malware for Mac OS X, perhaps even iPods, may be fueled by both:

- The growing popularity of the platforms.

- The casual attitudes toward malware taken by most Mac users. They have a false sense of security concerning the apparent invulnerability of Mac OS X, despite Apple continuing to release Security Updates, meaning holes have been found, just not exploited.

This may put many Mac users at risk down the road. Some day some hacker may hit pay dirt. Forewarned is forearmed. 😉

Good luck!

😉 Dr. Smoke
Author: Troubleshooting Mac® OS X

---
Note: The information provided in the link(s) above is freely available. However, because I own The X Lab™, a commercial Web site to which some of these links point, the Apple Discussions Terms of Use require I include the following disclosure statement with this post:

I may receive some form of compensation, financial or otherwise, from my recommendation or link.

Feb 23, 2006 6:30 AM in response to SuperSizeIt

There is apparently a simple workaround for this shell script problem until Apple fixes it. Rename terminal.app (make up your own unique name for it) then make an automator workflow that first asks for permission then runs the newly renamed Terminal.app. Name the workflow Terminal and save it as an application in the same folder as the real Terminal. Just remember to change things back before you do a software update.

I read that this defeats the exploit. That is, unless you get tricked into giving it permission.

Feb 23, 2006 6:40 AM in response to Dr. Smoke

Hi Dr. Smoke;

Thank you for the update. I didn't realize I was that far behind on my knowledge of NAV.

A couple of years ago I had some very serious problems with my system caused by NUM. I found the tech support from Symantec less than helpful so I got rid of all of their products, NAV included.

At that time I changed the ISP I was using. The new ISP runs spam and virus checking software on all email before passing it through their servers to me. This software traps any spam or email containing a virus. Everything that is trapped by this software is kept for a week. So once a week I look at it to be sure nothing I want has been trapped. If there is a new address that I wish to have passed on, I enter it into an accept list. I also have a blocked list. All of the trapped mail I have no interest in I simply reject on their servers. Personally I like this solution since the impact on my system is minimal.

So I guess while I don't run anti-virus software on my Mac, you can't say I am totally unprotected.

Allan

Feb 28, 2006 10:42 AM in response to david sampson

I don't think that's the case but maybe someone can correct me if I'm wrong. The issue with Safari is that a website could download something to you in the background and it will run without any user intervention, or you could download it on purpose and it would run once it completed the download. Even if you set Safari to not automatically open "safe" downloads, you could still be tricked (social engineered) into running it yourself, thinking it was a jpg and not a terminal script. If you get attachments in Entourage or Outlook, I believe they can potentially have the same malware in them. Clicking on an attachment would do the same as clicking on a downloaded file.
