Just got nailed!!


Apple101
Feb 17th, 2006, 11:14 PM
Well, I don't know how this happened, but I left my system unattended for a couple of minutes to say hi to my sister, because she had just come home from UWO to study for a bit. Anyway, to make a long story short, I came back and NAV just came up with this...

Klaatu
Feb 17th, 2006, 11:18 PM
Well, I don't know how this happened, but I left my system unattended for a couple of minutes to say hi to my sister, because she had just come home from UWO to study for a bit. Anyway, to make a long story short, I came back and NAV just came up with this...

Why on earth do you have anti-virus software on a Mac?

Ian Seyler
Feb 17th, 2006, 11:29 PM
http://securityresponse.symantec.com/avcenter/venc/data/osx.inqtana.a.html

According to Symantec it spreads via BlueTooth. This is the first I've heard of it.

-Ian

Apple101
Feb 17th, 2006, 11:30 PM
It's a damn good thing I did, because if I didn't then OS X would have been compromised by the Bluetooth Directory Traversal Vulnerability.

Apple101
Feb 17th, 2006, 11:32 PM
This is the first I've heard of it.
-Ian

Same here

lpkmckenna
Feb 17th, 2006, 11:45 PM
How did you manage to get a virus over Bluetooth? Do you hang out with some really seedy hacker-types?

What version of OS X do you have? Because reports say only 10.3.9 and 10.4.1 corrected this vulnerability.

lpkmckenna
Feb 17th, 2006, 11:47 PM
ok, you've got an eMac. So someone with another computer got within 30 ft of your eMac and gave you a virus?

MannyP Design
Feb 17th, 2006, 11:48 PM
What version of Mac OS are you running?

http://docs.info.apple.com/article.html?artnum=301742
CVE-ID: CAN-2005-1333
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1, Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Directory traversal via Bluetooth object exchange
Description: Due to insufficient input checking, the Bluetooth object exchange services could be used to access files outside of the default file exchange directory. This update provides an additional security improvement over the previous release by adding enhanced filtering for path-delimiting characters. Credit to kf_lists[at]digitalmunition[dot]com
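
The advisory quoted above describes a file-exchange service joining a client-supplied name onto its exchange folder without checking where the result lands. The following is an added example, not code from the thread, from Apple or from Symantec: it models that bug class in a few lines of Python beside a resolve-and-check fix, and runs both over constructed names (a normal push, a `../` traversal, an absolute path, a symlink planted inside the folder, and backslash delimiters). The folder name "Bluetooth Exchange", the sample names and the symlink are assumptions for the demo.

```python
# Added example: vulnerable join vs. checked join for a file-exchange folder.
# Not Apple's or Symantec's code; folder name, sample names and the symlink
# are constructed for the demo.
import os
import tempfile
from pathlib import Path


def vulnerable_target(exchange_dir: str, remote_name: str) -> str:
    """Trusts the name the remote OBEX client supplied.  '..' segments and
    absolute paths are joined as-is, so the write can land anywhere."""
    return os.path.join(exchange_dir, remote_name)


def safe_target(exchange_dir: str, remote_name: str) -> Path:
    """Accept only a bare file name and confirm the resolved path is a direct
    child of the exchange directory (this also catches symlinks inside it)."""
    base = Path(exchange_dir).resolve()
    if not remote_name or "\x00" in remote_name:
        raise ValueError("empty or NUL-containing name")
    # Clients may send either separator; treat both as path delimiters.
    normalised = remote_name.replace("\\", "/")
    if "/" in normalised or normalised in (".", ".."):
        raise ValueError("path delimiters or dot segments in %r" % remote_name)
    candidate = (base / normalised).resolve()  # resolve() follows symlinks
    if candidate.parent != base:
        raise ValueError("%r resolves outside %s" % (remote_name, base))
    return candidate


def escapes(exchange_dir: str, path: str) -> bool:
    """True if `path`, once resolved, is not a direct child of the exchange dir."""
    return Path(path).resolve().parent != Path(exchange_dir).resolve()


def demo() -> dict:
    """Run both versions over constructed names.  Per name: whether the naive
    join escapes the folder, and what the checked version accepts or rejects."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        exchange = Path(tmp) / "Bluetooth Exchange"
        exchange.mkdir()
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (exchange / "link").symlink_to(outside)  # symlink planted in the folder
        names = [
            "report.pdf",           # normal push
            "../outside/evil.sh",   # classic traversal
            "/etc/passwd",          # absolute path: os.path.join drops the base
            "link",                 # symlink inside the folder pointing out of it
            "..\\..\\evil.sh",      # backslash delimiters (a plain name on POSIX)
        ]
        for name in names:
            naive = vulnerable_target(str(exchange), name)
            entry = {"vulnerable_escapes": escapes(str(exchange), naive)}
            try:
                entry["safe"] = safe_target(str(exchange), name).name
            except ValueError:
                entry["safe"] = "rejected"
            results[name] = entry
    return results


if __name__ == "__main__":
    for name, entry in demo().items():
        print("%-20r naive escapes=%-5s checked=%s"
              % (name, entry["vulnerable_escapes"], entry["safe"]))
```

The last check (resolved parent must equal the resolved base) is the one that matters: filtering delimiter characters alone does not stop a symlink that already sits inside the folder, and on POSIX a backslash is just a character in a file name, so a check that only knows one separator is not enough either.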

HowEver
Feb 17th, 2006, 11:58 PM
Looks like the OP got bluesnarfed.

Apple101
Feb 18th, 2006, 12:04 AM
I am running OS X version 10.4.5. Also, just to make it clear, I am NOT here to bash Macs. And lpkmckenna, you could be right: a system within my range could have spread the worm. I know it's not my dad's or sister's iMacs, so it has to be either my neighbours or someone near my house.

Klaatu
Feb 18th, 2006, 12:24 AM
http://www.computing.co.uk/vnunet/news/2150563/second-virus-exploits-bluetooth

mr.steevo
Feb 18th, 2006, 01:07 AM
hi,

according to the article, Apple patched this security hole a while ago.

Is this real?

s.

snowmen
Feb 18th, 2006, 01:15 AM
I suspect it was from the people who use PC with OS X 10.4.1 (or who else will use 10.4.1 or less now?)

MannyP Design
Feb 18th, 2006, 01:16 AM
I was under the same impression--this appeared some time last year and has since been patched (or so I thought.)

iMeowbot
Feb 18th, 2006, 01:41 AM
Hi all!

This is probably a false alarm.

Apparently, Norton will falsely detect Inqtana in your browser cache if you visit ... wait for it ... Symantec's page describing Inqtana!

Would any Norton users care to go visit the Symantec site, visit the Inqtana page, and see what happens?

Kosh
Feb 18th, 2006, 01:45 AM
This is VERY weird because that Symantec website says it was just discovered Feb. 17. How the h*ll did you get it already? Something doesn't make sense. It would have to travel and multiply in a more convenient way than bluetooth for you to get it already. Unless it was spreading around before Symantec discovered it.

Sometimes I wonder if these antivirus companies don't spread the viruses.

Well, at least it doesn't cause any damage, it's just a proof of concept worm.


edit: maybe iMeowbot has solved that?

MannyP Design
Feb 18th, 2006, 02:07 AM
I'd question the quality of the software--Symantec's, not the worm. ;)

kps
Feb 18th, 2006, 01:00 PM
Anything Symantec IS a virus.:lmao:

Schmoe
Feb 18th, 2006, 01:10 PM
Uh, I'm currently on a Windows machine (MBP coming this week!!) and after viewing that screenshot, Norton popped up and noticed the same virus and deleted it successfully off my Windows machine. Odd? I think so.

It was in my Firefox browser cache and Norton caught it immediately. I just thought that was really weird because it's a Mac OS X virus. :confused:

milhaus
Feb 18th, 2006, 01:31 PM
Uh, I'm currently on a Windows machine (MBP coming this week!!) and after viewing that screenshot, Norton popped up and noticed the same virus and deleted it successfully off my Windows machine. Odd? I think so.

It was in my Firefox browser cache and Norton caught it immediately. I just thought that was really weird because it's a Mac OS X virus. :confused:
F&%^%@### Norton!!!

Atroz
Feb 18th, 2006, 01:51 PM
Where was this file? Is it a browser cache file, or something else?

It's certainly possible that this is a false positive. Just last week MS's anti-spyware software was flagging Norton AV (on Windows) as malware and killing it. Oops.

Klaatu
Feb 18th, 2006, 01:54 PM
F&%^%@### Norton!!!

Yeah, no kidding. Of course there was a time when I thought I should have Norton too. Mostly because I always saw it sitting prominently on the shelf at Mac stores I visited. Silly me, I figured "well, they're experts. They must sell it for a good reason."

That's when I discovered system slowdowns and annoying pop-ups for every little thing -- all of which is pointless because the job of anti-virus software is to guard against KNOWN threats. It's like always carrying an umbrella, warning people who don't that it could rain someday. But if a real virus truly surfaced it'll be like a tornado, and no one will be protected.

But getting rid of Norton proved more difficult than I thought. Even after installing new drives, and reformatting, I still get pop-ups from Norton whenever I update my OS. It just won't go away. It's worse than any virus I encountered in the pc world.

Save yourself. Update your system software, repair permissions, and get a program called Little Snitch to monitor who your computer talks to. It's the best protection for a Mac.

Apple101
Feb 18th, 2006, 03:13 PM
WOW, if it's a false positive then I am going to be pissed. I remember Symantec's CEO talking about how good their product was, etc., etc., and all these reviews about how Symantec reached perfection, and so on. I guess it's a pile of crap! The only reason why I have NAV installed on my system is because my sister's university requires antivirus to be installed on all systems regardless of the platform. Now if my sister calls me at home, which she has in the past, for support, I can at least tell her where to go and what to do. Other than that, if they didn't require antivirus, I probably would not have put it on my system. Thanks for sharing your views though! I knew something was kind of weird.

Any suggestions on a replacement antivirus?

seetobylive
Feb 18th, 2006, 03:30 PM
Any suggestions on a replacement antivirus?

Whacking head against wall!!XX)

Atroz
Feb 18th, 2006, 03:44 PM
WOW if itís a false positive then I am going to be pissed.
Any suggestions on a replacement antivirus?

A false positive is better than a false negative. A false negative is when you should get upset.

Antivirus is pretty much signature (pattern) based. It's possible for it to find the same signature in some place that is harmless. Antivirus software companies work hard to prevent this, but when you are matching nearly 100,000 signatures against a near-infinite range of possible inputs, you are going to get the odd false hit.

HowEver
Feb 18th, 2006, 03:47 PM
You know, you are allowed to drag apps to the dock and launch them from there?

Well, I donít know how this happened, but I left my system unattended for a couple minutes to say hi to my sister because she just came home from UWO to study for a bit, so anyways to make a long story short, I came back and NAV just came up with this...

Apple101
Feb 18th, 2006, 03:49 PM
Whacking head against wall!!XX)

:lmao: :lmao:

A false positive is better than a false negative. A false negative is when you should get upset.

Antivirus is pretty much signature (pattern) based. It's possible for it to find the same signature in some place that is harmless. Antivirus software companies work hard to prevent this, but when you are matching nearly 100,000 signatures against a near-infinite range of possible inputs, you are going to get the odd false hit.

You make a very good point here. So far I have never received that message again. Since my sister's university requires an antivirus application, what would you guys recommend? Should I stick with Norton, or go with McAfee Virex?

Atroz
Feb 18th, 2006, 04:13 PM
You make a very good point here. So far I have never received that message again. Since my sister's university requires an antivirus application, what would you guys recommend? Should I stick with Norton, or go with McAfee Virex?

If I were you, I wouldn't spend any more money on what is essentially a non-issue. Go spend your money on a good backup solution so that you are protected when a false negative happens.

Apple101
Feb 18th, 2006, 04:19 PM
If I were you, I wouldn't spend any more money on what is essentially a non-issue. Go spend your money on a good backup solution so that you are protected when a false negative happens.


Good idea. The antivirus application was, I believe, somewhere around $100.00. I know my dad has suggested that he purchase an external hard drive so my sister can back up any critical data such as university documents, etc. Any suggestions as to what brand?

TimStalin
Feb 18th, 2006, 04:35 PM
Spend your hard earned money on clamXav (http://www.clamxav.com/). Why pay for false positives when you can get them for free!

Apple101
Feb 18th, 2006, 04:57 PM
Spend your hard earned money on clamXav (http://www.clamxav.com/). Why pay for false positives when you can get them for free!

Well I don’t think I am about to switch antivirus vendors now, as ClamXav was used in the past and there were a number of issues with it. One of them being its scan engine was unable to intercept any win32 viruses that came in via email, I have experienced kernel panics with it, the register dump indicated ClamXav was to blame, also on other systems (not mine) there were issues with its scan engine, it was responsible for a privilege escalation DoS attack which on a successful return on the registers that points to an array of null terminated Unicode strings allows for the remote execution of arbitrary shell code, the malicious file could also manipulate the engines return address resulting in an upsurge to the memory location specified by the registers.

Atroz
Feb 18th, 2006, 04:59 PM
I know my dad has suggested that he purchase an external hard drive so my sister can backup any critical data such as university documents, etc. Any suggestions as to what brand?

Not really. I bought one a few months back, but as is my way, I went looking for technology, not brand. I bought a setup that I knew was boot capable, had a fan for cooling, support for USB2, FW400 and FW800, and contained a trusted hard drive capable of running cool and quiet.

Those above specs should serve you well, although you may not need FW800.

If you want opinions on brands, search the forums here. There's been lots of discussions in the past year.

Apple101
Feb 18th, 2006, 05:24 PM
Not really. I bought one a few months back, but as is my way, I went looking for technology, not brand. I bought a setup that I knew was boot capable, had a fan for cooling, support for USB2, FW400 and FW800, and contained a trusted hard drive capable of running cool and quiet.

Those above specs should serve you well, although you may not need FW800.

If you want opinions on brands, search the forums here. There's been lots of discussions in the past year.

Hey thanx for your suggestions!!

iMeowbot
Feb 18th, 2006, 06:02 PM
Uh, I'm currently on a Windows machine (MBP coming this week!!) and after viewing that screenshot, Norton popped up and noticed the same virus and deleted it successfully off my Windows machine. Odd? I think so.
Okay, that's what's supposed to happen, because the same signature database is used on both platforms. This is also why Mac users are forever warned about Windows malware. It's theoretically useful to prevent unaffected machines from sending bad stuff to machines where they could do harm.

That's good enough to confirm that this signature is generating false positives.
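
Atroz's point above (pattern-based scanning will occasionally match a harmless file) and iMeowbot's explanation here (the same signature database runs on both platforms, so a cached copy of the vendor's own write-up trips the detection on a Windows box too) describe one mechanism. The following is an added example, not code from the thread or from Symantec: a toy scanner that matches a byte pattern anywhere fires on an HTML cache entry that merely quotes the pattern, while a scanner that applies a code signature only to executable containers does not. The signature bytes, the fake Mach-O file, the cache path and the HTML page are all constructed for the demo; a real engine uses far more than one substring, so this shows the principle, not any product.

```python
# Added example: why a text file that quotes a signature trips a naive
# pattern scanner, and one way to gate the match on the file's container.
# Signature bytes and sample files are constructed, not taken from any
# real detection database.
from typing import Dict, List

# Constructed stand-in for a detection string (a real one would be bytes
# lifted from the worm's code, not readable ASCII).
DEMO_SIGNATURE = b"INQTANA-DEMO-PATTERN"

# Magic numbers of Mach-O containers (32/64-bit, both byte orders) and of
# fat (multi-architecture) binaries.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)


def is_macho(data: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic."""
    return data[:4] in MACHO_MAGICS


def naive_scan(files: Dict[str, bytes]) -> List[str]:
    """Flag any file containing the signature, whatever the file is.
    This is the behaviour that produces the browser-cache false positive."""
    return sorted(name for name, data in files.items() if DEMO_SIGNATURE in data)


def container_aware_scan(files: Dict[str, bytes]) -> List[str]:
    """Apply a code signature only to files that are executable containers.
    An HTML cache entry cannot run Mach-O code, so it is never a hit here."""
    return sorted(name for name, data in files.items()
                  if is_macho(data) and DEMO_SIGNATURE in data)


def sample_files() -> Dict[str, bytes]:
    """Constructed inputs: a fake Mach-O binary carrying the pattern, a cached
    HTML write-up that quotes the same pattern, and an unrelated page."""
    fake_binary = (MACHO_MAGICS[0] + b"\x00" * 24   # header padding (constructed)
                   + b"\x90" * 16 + DEMO_SIGNATURE + b"\xc3")
    cached_writeup = (b"<html><body><h1>Worm description</h1>"
                      b"<p>Files matching the pattern " + DEMO_SIGNATURE +
                      b" are flagged.</p></body></html>")
    clean_doc = b"<html><body><p>Nothing to see here.</p></body></html>"
    return {
        "Library/Caches/Firefox/writeup.html": cached_writeup,
        "Downloads/payload.bin": fake_binary,
        "Downloads/notes.html": clean_doc,
    }


if __name__ == "__main__":
    files = sample_files()
    print("naive scan hits:          ", naive_scan(files))
    print("container-aware scan hits:", container_aware_scan(files))
```

Gating on the container is only one of several ways engines cut this class of false positive; the trade-off is that a signature restricted to Mach-O files will not warn a Mac user who is merely relaying the file to a machine where it could run, which is exactly the cross-platform behaviour iMeowbot describes as intentional.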

Apple101
Feb 18th, 2006, 06:17 PM
That's good enough to confirm that this signature is generating false positives.

I have contacted Symantec, and will be working with their engineers to resolve this issue.

TimStalin
Feb 18th, 2006, 11:07 PM
Well, I don't think I am about to switch antivirus vendors now, as ClamXav was used in the past and there were a number of issues with it. One of them being its scan engine was unable to intercept any win32 viruses that came in via email, I have experienced kernel panics with it, the register dump indicated ClamXav was to blame, also on other systems (not mine) there were issues with its scan engine, it was responsible for a privilege escalation DoS attack which on a successful return on the registers that points to an array of null terminated Unicode strings allows for the remote execution of arbitrary shell code, the malicious file could also manipulate the engines return address resulting in an upsurge to the memory location specified by the registers.

Sorry to hear about the problems. When I first moved away from Windows I was using Virex, because every OS needs to have active virus scanning, right? ;) Removing that pile of suck from my Mac was the greatest system enhancement I have ever performed. ClamXav has served me well ever since, although it is not often called upon.

Klaatu
Feb 19th, 2006, 12:54 AM
The only reason why I have NAV installed on my system is because my sisters University requires antivirus to be installed on all systems regardless of the platform...

This is standard IT practice, usually because the security techs are PC-experienced and Mac-ignorant. I was instructed to do the same on my Mac recently and was finally able to convince them it was pointless: https://www.ehmac.ca/showthread.php?t=35022

Any suggestions on a replacement antivirus?

1) Backup everything on your computer.
2) Wipe your drive completely clean. It's the only way to hopefully rid your system of the Norton installation
3) After that, make sure your OS is always updated, repair permissions often, and have a regular backup plan in place. You're at MUCH greater risk of hard drive failure than anything else, and this will at least ensure your data is protected. Hard drives are now much cheaper than they were, so redundancy is now affordable. Finally, I always like to recommend the program Little Snitch. It's very clever at spotting your computer talking to other computers.

There are vulnerabilities when connected to the internet and Little Snitch helps to at least protect your privacy. Beyond that, just keep alert. One of the handy things about OS X is that it can't install anything without authorization.

adb_ii
Feb 19th, 2006, 03:02 AM
Spend your hard earned money on clamXav (http://www.clamxav.com/). Why pay for false positives when you can get them for free!

awesome! thanks :D

Apple101
Feb 19th, 2006, 12:06 PM
This is standard IT practice, usually because the security techs are PC-experienced and Mac-ignorant. I was instructed to do the same on my Mac recently and was finally able to convince them it was pointless: https://www.ehmac.ca/showthread.php?t=35022



I know it's standard IT practice... and it sucks lol. But I do see where they are coming from. My dad, being a software/hardware engineer himself, has told me that even though it's UNIX you still might get attacked one day if you don't take the appropriate security measures. And my dad works with all sorts of platforms, UNIX being one of them. He also writes programs for certain industrial systems that use UNIX, and in the past there have been viruses that attack the UNIX platform, but because the appropriate security measures were in place that attack never happened.
Also, I noticed in the thread that you posted above you indicated that NAV was vulnerable to a critical security flaw. Well, Symantec has already taken care of that problem by updating its signatures to look for any activity that would target that vulnerability; it's old news. Also, should I remind everyone that ClamXav is NOT the perfect antivirus application, as it has a number of vulnerabilities, more so than Norton (Norton for OS X only has one). One of them being the one I posted above. After that little situation I will never use ClamXav; it has a poor scan engine, and to this day there are still vulnerabilities that haven't been resolved.
When it comes to security I prefer to stick with a well-established company, and Symantec has been one of them. I haven't had any problems with Norton. I have used their Macintosh antivirus for years with no issues; that's why I can't seem to understand why all of these other people are having big issues with the program.

Ryankop
Feb 21st, 2006, 07:38 PM
Yeah, this is a worm my mom was talking to me about earlier today. Seems it's accessed via Bluetooth. So it's kind of funny, it's accessed via Bluetooth via an iChat video accepting thing. Basically the hacker is within 30 ft of you.

Jason H
Feb 21st, 2006, 08:31 PM
anyone else notice that apple now has norton AV for mac on sale?

pcronin
Feb 22nd, 2006, 10:14 AM
It was in my Firefox browser cache and Norton caught it immediately. I just thought that was really weird because it's a Mac OS X virus. :confused:

(bad norton response)
Well, that's because this worm is a universal binary, so it can run on both PPC and Intel based computers. And because Firefox also runs on both, Firefox is your problem. Please switch to a more secure, Windows-only browser like Internet Explorer.
(/bad norton response)

:D:lmao: :lmao: :lmao: :lmao:

Jgamer
Feb 22nd, 2006, 10:33 AM
Isn't Firefox the most secure browser for Windows? (At least it's a heck of a lot more secure than IE.)

pcronin
Feb 22nd, 2006, 10:37 AM
hence the "(bad norton response)"
;)

Klaatu
Feb 22nd, 2006, 01:10 PM
Finally, some sane advice from MacDoc: https://www.ehmac.ca/showthread.php?t=37644