Fanboy Quotes II
'I didn't write it for the press - although I knew that was coming. It was more just because I was annoyed with all the fanboys.'
Clearwater, sharpen your pencils! No cult in the world is as rabid - or as stupid - as the Apple Maccie fanboys. Purchasing an Apple computer for that renowned OOTB - out of the box experience - is only half the joy.
Welcome online / at your neighbourhood Apple store for the 2nd half: the OOTM - out of their minds experience.
2. Oompa Loompa
The author of the Oompa Loompa worm, in communication with this website, explained the reason for unleashing the malware: Apple Maccie fanboys. They just pissed him off and he wanted to scare them to the point they dirtied their lace undergarments.
He didn't work at making Oompa Loompa good at proliferating - he concentrated on a design that made fun of the security holes in OS X the fanboys insisted on continually dismissing. And despite the minimal damage his Oompa Loompa caused, he got his message out.
[Note: you'll see a suggestion below that the ace Maccies 'trace' the IP of the author and post it. The author was in fact using an onion router.]
Oh wow, this member should be banned. I downloaded the file and it comes up as a picture file then when I click on it it pops open Terminal and runs something. Looks like someone attempted to make a Mac virus...
It does seem so. Also looks like they failed (though I'm not sure because I didn't download it myself).
This guy should really be banned. Only one post and his first post is this. Thanks for the warnings people.
lol, I downloaded it and ran it. Now if this was a PC, I would have already reformatted and reinstalled it. But since I'm on a Mac right now I'm just like WTF. Has anyone been able to find out what it does exactly? Probably not something harmful since you would have had to enter your password.
It's an IM client
I'm surprised this hasn't happened more on here...it's so easy to write an AppleScript file and disguise it as anything...scary!
Wow, out of all the places, I'd never expect that to happen here. Ban the user and his IP address, that's definitely the kind of people we don't need here. I hope this doesn't start something big. I'm just glad I didn't download anything
Filthy scum. Too bad there is no physical payment to take vengeance upon these morons.
hmm... just discovered something else about this... it copied to every computer on my Bonjour network. I went on the PowerMac and it popped up as an incoming file transfer. So he succeeded in something. Mods: PLEASE ban this member, attempting to distribute a Trojan horse on MacRumors is unacceptable.
illegal has a great idea. Somebody trace his IP and post it.
If anyone remembers last night, when lasthope spread that picture that opened in Terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my hard drive, but how do I know that it will not come back? Any help is appreciated.
Same thing happened over here (as you see from my post in the other thread) and everything seems to be fine but we have no way of telling because [rant] APPLE DOESN'T INCLUDE ****ING VIRUS PROTECTION IN THE .MAC ANY MORE!!!!!!!!! [/rant]
Um...dude, virus protection only looks for known viruses and trojans, it wouldn't find a newly released one anyway until Apple updated it to look for it. And since there are no Mac viruses anyway, it's perfectly fine for Apple to not include it.
I ran it, opened Terminal and then closed it. Don't know about sending messages to other computers though because I have the only Mac in my house.
Mac OS X is very specific about making installing viruses a thing that the user has a very large part in. Don't impulsively type your system password when a dialogue box pops up and you should be fine.
Well, what it did was, when you opened the file disguised as a JPEG, it would open Terminal and run a script. No passwords or anything.
But for what it was trying to do it DID need a password, that's why the permission was denied and we're "safe".
But permission was not denied for me. It ran a full script (but I closed Terminal and deleted it before screenshots) without any permissions being denied.
The trojan still exists on this computer. Does anyone know where the file would be located on my HDD?
Unlike benjamin, mine somehow got permission to do whatever it had to do. I have the file mirrored (I think that's the right term) on a separate site, so if anyone wants to reverse engineer it, you can do that. Just remember that you are downloading a known trojan (because the downloader knows that it is a trojan (you can't get past that on the site), I think I am allowed to give it out, just PM me so I am sure).
The virus is still alive on my computer despite secure deleting the script (it tried to get itself to my sister's computer), so any help is appreciated, and I hope this isn't worse than it seems. But it didn't require a password so I believe that it can't do anything very bad, but why would someone make a trojan just to spread it, so he can say he made the first Mac virus (I know it's not a virus, but that might be what the guy was aiming for). All help is appreciated.
I did scan my home library folder with the above linked app.
BTW, I think that lasthope should be banned, and tell exactly what it does.
I really hope this guy gets what he deserved. I also hope that this doesn't get worse as we find out more about it. It already has the ability to spread to every mac on the network. Good thing I downloaded the file and then just decided to delete it. What if I opened it at school?? Every Mac in the school would have this "thing" on it!
It also spreads through AIM in iChat, I just IMed someone and the file popped up.
Well, I have alerted my Mac friend (it's amazing how many people I know who use Windows) about it. I just hope it doesn't spread to Windows. OK then, I am switching to my other computer now (my old 1 GHz TiBook) until I learn more about this or someone finds a solution.
You mean the file tried to go to their computer? Was it a Mac? This is getting kinda serious. Passing the file through AIM opens up a whole new door of possibilities for this thing. Why in God's name has the poster of this file not been banned yet?
I have a BAD feeling that this is only going to get worse. I just have to recommend everyone who downloaded this file and uncompressed it to BACKUP RIGHT NOW! If this is going to spread like it seems to be doing (Bonjour and AIM) I think this is a delayed reaction type thing. I'll get back to you after I reverse engineer it. (I'm going to create a new account and then download it off of my mirror and then see what apps it's affecting. If it's something minor I will uninstall and reinstall, but if it's an Apple app (such as Finder or iChat) we might all have a problem.)
Unfortunately, I agree with you. It seems like this thing is more advanced than we thought, and it seems to be revealing its capabilities to us as it goes along. Good luck in reverse engineering it. If you can find out what makes it run we might be able to stop it before it becomes too widespread.
I THINK I've removed it off my laptop, it embeds itself in the UNIX file system of random apps. To find what apps it's in download the file again (should be in your history) and it will ask if you want to overwrite (choose no) and it will tell you all the apps it's in. When you try to run most of the apps that are affected they won't run. Just trash the apps that it's embedded in. This seems to have worked and my laptop seems fast again. In a few days we will see if it's still around when it tries (or doesn't) to send to other people again.
The only thing is that the apps that it gave me were all random added apps. Not everyone will have those. I'm creating another account and will give you another update with a new clean download.
I think I have a side note. I still believe that it is going to be something big, and will be hard (if possible) to remove. It is putting itself into the apps' scripts to make sure that it is not removed. I tried to uninstall it, but it came up again. I believe that something big is going to happen. Backup your drive EXTERNALLY and then stop using any chatting apps on your infected computer. The fact that it came as a tar file (I know nothing about it) suggests that there may be an extra file somewhere hidden within the computer.
I am currently backing up RELIGIOUSLY everything on all of the computers in the house to my external. Then I'm going to disconnect my external so it doesn't get infected. My Mac is not infected yet *knocks on wood* but I cannot afford to lose any data. Right now, I am genuinely scared as to what is going to become of this.
I wonder what the mods are doing about this? Are they aware of it? This guy might be punished by law if anything serious happens like data loss. I'm like shaking. Someone please comfort me.
I LOVE THE COURT OF LAW, except we don't know if he is in the US or the UK (the only confirmed places I have heard this virus exists), so if he is in India or Russia or China, we have to rely on extradition (probably to the US because that is where this site is hosted), and if their mysterious government doesn't comply, we have a problem. But if he IS in the US/UK, I guess when we press charges (if we) he has a real problem.
This is a what if situation, btw.
This might be a n33b question, but can this be officially called the first Mac virus?
That's what I am calling it. It might be more technically a Mac TROJAN but the same concept. Anyone who receives it from iChat/AIM/whatever would indeed have the first Mac VIRUS. So it's a split. I am calling it a virus.
This is a VERY, VERY sad day for the Mac platform. I always hoped that this would not happen in my lifetime. I am almost in shock now, I can't believe this is reality. All because of this bastard with his pics. I am extremely pissed, sad, and scared. This guy needs to pay. This is war IMO.
I have sent a threatening PM to lasthope and have forwarded the PM to DoctorQ as well. I have also asked DoctorQ for the user's email address or if he can't release that for him to forward my message to it as well. Of course I have asked that lasthope be banned.
Has anyone contacted Apple about this? Someone with more knowledge than me should really contact Apple and let them know that this is becoming serious and many people are becoming infected. Maybe they will know what to do or release a patch or something.
I have worked at an Apple Store. I can tell you for a fact that there will be at very least a dozen people looking into this. I bet they'll have a fix / explanation in no time.
I have to agree with this. The last thing Apple needs right now is for all this wild fire about viruses coming out during the Intel transition. Tomorrow Steve Jobs is going to yell at a lot of engineers to get this fixed fast 'cause their jobs depend on it. I see a Mac patch in 5 days.
Oh God, shut up. The fact that you worked at an Apple Store means nothing, get over yourself. "At least a dozen people" HAHA yeah OK, you want to tell me you didn't pull that completely out of your butt?
Is there really anything you can do to patch this kind of thing? If I write an application that has an icon like a jpg and deletes everything on your disk after asking for your admin password... how exactly would you patch for that kind of thing?
Just for reference: this is not the first Mac trojan horse. There was one that masqueraded as a Microsoft Office Installer, and another proof-of-concept that pretended to be an mp3 file. It's also not a virus, as it doesn't appear to be able to spread itself.
There's also a rootkit (called Opener). I saw it installed on my parent's machine.
You guys act like the world has ended because of some little piece of code. Realistically it seems like this 'outbreak' could be easily quarantined as it seems to have affected only a small number of users.
Edit: Also since the definitions of trojan, virus and worm seem to be quite fuzzy with just about everyone, I think this would classify as a trojan since it takes the user downloading it to propagate from machine to machine.
I saw this on Digg, and after reading this far, I have to say you guys are in a world of FUD.
Stop. Calm down. Many of you are running around like the proverbial headless chicken.
First off, as a few others have mentioned, EVEN IF THIS QUALIFIES AS A VIRUS, THIS WOULD NOT BE THE FIRST. Nothing has changed. Today is not a "Dark day for Apple". Stop with the frikkin melodrama.
I'm going to have to agree 100% with this. I worked at an Apple Store. They're idiots, to be completely blunt. Months after the world knows about this virus if you go in there and ask an employee directly all but a few will tell you "There are no viruses for Mac!" There are a few exceptions, of course.
Okay, please enlighten us as to what all the previous OS X viruses are...
This isn't a virus, it's a little executable file which runs Terminal, it was just a matter of time before someone wrote something like this and spread it....Besides in order for it to do any damage you would have to log in as root by entering your password, so long as you don't do that the damage it can cause is minimal at best...
Wasn't there something similar to this with the release of 10.4, I remember a virus/trojan spreading through a widget??
I remember seeing a similar trojan back during 10.2
Virus, Trojan, whichever it gets classified as, the bottom line is that Macs have been targeted and exploited. Mac users are getting all fired up over this, and that is what viruses and trojans are all about, so I bet OS X gets targeted hardcore now.
So if Macs are not immune to viruses anymore, that leaves zero reasons to own a Mac.
Can we stop with the hysteria, people?
There have been OS X trojans available for quite some time, and I'm amazed that it's taken so long for someone to post one like this, that lures other people into downloading it. It's just like the many that try to spread via MSN (you know, the "I know who's blocking me!!!!" one).
I'm assuming it started on these forums, so most of the people who are infected should know better than to trust someone claiming to have pictures of 'Leopard'. I mean, would you trust someone you'd never met when they offered you something for free? I'd expect that sort of behavior from a 12 year old girl, not people on a Mac forum with a reputation for being well knowledged.
I don't know about most of you, but one of the first things I did was set file extensions to 'on' when I got my Mac (I got fed up with different files having the same icon), and I'd be extremely wary of opening any 'pictures' without a .jpg extension.
Many of us have come from Windows backgrounds, and we shouldn't let the fact we're on a more secure OS go to our heads and change how we act, no matter how secure an operating system is, it's worth nothing if the system operator is a moron.
We've established what it does, now let's get rid of it. Nobody has a good reason for wanting to look at it, there's an in-depth post about it on Ambrosia Software. I recommend that everyone who's been infected reinstalls OS X, and we all get on with our lives (with more common sense).
Seeing as it requires user authentication, it's just as much of a virus as somebody formatting their own damned hard drive.
It doesn't require any sort of authentication if the user has admin privileges...it just goes.
From what I read online from different sites, here is what I have summarized. It started here on MacRumors with the latest Leopard screenshot post. It installs via Terminal. It then scans using Spotlight for the recently used apps and creates scripts/attaches to those apps and when they are activated it uses those apps to spread itself. Some sites say they create duplicates of all the apps it attaches to. Some say it's a script, while some say it's a Unix shell. It only works on 10.4.5 and only infects PowerPC or was that only Intels. Correct me if I am wrong or I have missed any points.
P.S. My 2 cents is that it logs in to the root account (because the root account name is root and the password is root) and installs the program.
As far as I can tell it has only infected PowerPC, there are no reports of infected Intel Core Duos. Is this Apple's way of converting people to Intel?
I didn't write it for the press - although I knew that was coming. It was more just because I was annoyed with all the fanboys.
- author of Oompa Loompa