February 17, 2006 1:08 PM PST

Bluetooth worm targets Mac OS X

Another day, another Mac OS X pest?

Just a day after experts warned of what is believed to be the first Trojan in the wild to target Apple Computer's Mac OS X, alerts are being published on a new worm that exploits an 8-month-old vulnerability in the operating system.

The new Inqtana worm spreads through a security flaw in Apple's Bluetooth software, antivirus vendors Symantec and F-Secure said on Friday. Apple provided a fix for the flaw last June with security update 2005-006.

The worm attempts to use Bluetooth to propagate. Once it infects a computer it searches for other Bluetooth-enabled devices and sends itself to those it finds, Symantec said.

Inqtana is a "proof-of-concept" worm, according to Symantec and F-Secure, meaning it's an example of attack code, but itself likely won't affect many users, if any at all. Inqtana is not believed to have actually attacked Mac users. Furthermore, it uses a Bluetooth component that is locked to a specific address and expires next week, according to F-Secure.

"It is quite unlikely that Inqtana would be any kind of threat," F-Secure said on its blog.

However, two examples of malicious software to target Mac OS X in two days may be the start of a trend, Vincent Weafer, senior director at Symantec Security Response, said in a statement.

"We have speculated that attackers would turn their attention to other platforms, and two back-to-back examples of malicious code targeting Macintosh OS X this week illustrates this emerging trend," he said. "While this particular worm is not fully functional, the source code could be easily modified by a future attacker to do damage."

The new worm follows the Leap Trojan that was discovered Thursday. Symantec says it believes the two pests were developed on a parallel time line and that Inqtana was not created in response to Leap.

Symantec recommends that Mac OS X users keep antivirus and firewall software, as well as operating systems, up to date. Apple has a safety guide on its Web site.

An Apple representative did not have an immediate comment.


40 comments

What a joke
So two antivirus vendors wait until the day after an OS X Trojan
surfaces to announce a worm (that is not even in the wild) that was
effectively squashed 8 months ago, and then call it a trend.

How convenient.
Posted by mvora (38 comments )
ridiculous
I don't understand how it is possible to report on a non-story.
Posted by Michael Greenler (2 comments )
Oh please...
A bluetooth worm? So it can only spread to bluetooth enabled
computers that happen to be within, what, 30ft?

Oooh, I'm shaking in my boots.
Posted by privatec (75 comments )
You should Upgrade to Windows...
MAC OS is based on UNIX so it's like swiss cheese with zillions of security holes - just like Linux.

Upgrade to Windows and have no more problems with Bluetooth infestations!

nb - Bluetooth works up to 100 Metres away!
Posted by richto (895 comments )
anti-antivirus
Whatever terror those antivirus companies predict, whatever
security hole they expose (to those hackers to exploit),
even if your system crashes every second, do not buy any of their
products. If they don't announce it, most hackers won't know about
it nowadays. Old school hackers knew a lot; now they just wait until
these companies reveal the problems.
And if someone with a bluetooth device comes near your precious
powerbook or macbook and infects you, put down your and tussle,
put him down.
Posted by iHateSymantec (1 comment )
Are you kidding?
You are reporting that there is a "worm" that takes
advantage of "flaws" that were patched a year ago?
Seriously, in your article you even say "Inqtana is a "proof-of-concept"
worm".... which means... there is no threat.. it's not even
out in the wild.
This is ridiculous.
Posted by (96 comments )
A trend?
Since when does a sample of two make a trend?
Posted by dune1953 (6 comments )
It's time
to generate some fear and some hysteria. Our sales to Mac owners
have been falling for a decade, we can't keep up with the Windows
viruses and we could really use some money.

Signed,
The Anti-Virus Companies

puh-lease.
Posted by corelogik (680 comments )
Hey Jesus
How can you be smart in this thread, and yet post stupid evolution
nonsense in others? MPD!
Posted by CentrOS (126 comments )
what are you talking about?
Stupid evolution comments? Really?
Show me.

You're not one of those looney ID proponents, are you?
Posted by (96 comments )
Oh No!
Let me quickly reach for my nearest credit card and buy the latest
Mac anti-virus software!!
Posted by uparrow (19 comments )
What's next, an exploit for OS 8?
This was patched eight months ago, for crying out loud.

I know that the Mac stuff brings page views to CNet, but seriously, have some professionalism.
Posted by M C (598 comments )
Sounds like the AntiVirus companies are panicked
Microsoft is entering the antivirus market so all the old hands are
looking for non-Windows market share? Too bad. ClamAV works
great on a Mac - and is free.

But I've seen more Windows mobile phones advertised lately and
they are sure to be the next MS platform to be successfully
attacked. So make sure you have a mobile av product ready.
Posted by rcrusoe (1305 comments )
works great???
ClamAV works great??? Maybe if there are no Mac viruses for it to
detect.

Check out the University of Hamburg's (authoritative) AV test
results at http://agn-www.informatik.uni-hamburg.de/vtc/en0407.htm

If you don't want to read that much, they gave Clam a grade of
"useless."
Posted by JoeCrow (83 comments )
Still matters
Slammer hit SQL with a vulnerability that was also fixed about 8 months before the virus was created.
Posted by Mike E. (25 comments )
Re:Still Matters (are you sure)
Apparently MSSQL was not fixed. Gee, how surprised we all are.
Posted by Thomas, David (1947 comments )
This is news
This most certainly is a legitimate news story. Most of the
successful Windows worms have exploited old vulnerabilities.
Most people do not patch their systems religiously. And a lot of
people have been burned by past problems with Apple's Security
Updates -- I have two friends who have sworn off installing any
updates from Apple after one of the earlier Security Updates
killed their Airport access.

Face it, two OS X worms in two days -- after five years of
nothing -- is news. It was enough to get me to reinstall my
copy of Norton.
Posted by booboo1243 (328 comments )
Duh
That's exactly why these companies hype this BS, to get you to buy
their products. You fell for it.
Posted by mvora (38 comments )
Norton is the biggest security threat on the Mac!
Norton is worse than useless. It's a root kit.
Posted by Byronic (95 comments )
Here is the truth about the Trojan (truth of concept)
http://www.macworld.com/news/2006/02/17/leapafollow/index.php
Posted by scweezil (171 comments )
good article
I liked his conclusion "It should, however, serve as a good wake-up
call for all of us to closely examine those things we download prior
to making the double-click decision."

Of course some people here are too busy blaming the AV
companies to hear that wake up call. Sucks to be them.
Posted by JoeCrow (83 comments )
Disgraceful behaviour by Anti-Virus Companies
With many of them quoting the leap-A malware as a "virus" and
others now reporting proof of concepts as something to be
alarmed about.

Never, ever buy a product from Symantec, F-Secure etc.
Posted by naden (2 comments )
wrong!
Leap is a file infector. That makes it a virus.

Leap also propagates through Instant Messaging. That makes it
a worm.

The fact that humans are involved in its propagation is
immaterial. The same is true of the vast majority of malware for
the PC.

Look, we're all upset to learn that the malware authors have
discovered our beloved Macs. But to claim that the AV
companies are at fault for categorizing the malware using the
same criteria as they use for Windows malware... well, that's just
whining.
Posted by JoeCrow (83 comments )
8-month old vulnerability? Not exactly.
The article states:

"Just a day after experts warned of what is believed to be the
first Trojan in the wild to target Apple Computer's Mac OS X,
alerts are being published on a new worm that exploits an
8-month-old vulnerability in the operating system.

The new Inqtana worm spreads through a security flaw in
Apple's Bluetooth software, antivirus vendors Symantec and
F-Secure said on Friday. Apple provided a fix for the flaw last June
with security update 2005-006."

The vulnerability is not 8-months old. The announcement is!
Apple fixed this 8-months ago. A little late to be reporting it.
Posted by dejo (182 comments )
Except it's NOT NEW
I heard about Inqtana before. It's NOT NEW. Also, where is even
ONE infected machine? (Outside of M$, er, Symantec)
Posted by Byronic (95 comments )
The All Powerful Apple
Proof of Concept is obviously useless when regarding a Mac, right? I mean, look at all the replies saying how ridiculous it is and that it's not even in the wild! But, this is a Mac, so that's okay! But! And I mean BUT! Don't let a Mac user come across a story of a Proof of Concept regarding a Windows or Microsoft flaw, oh no no no! Those are prime target for ridicule and perfect reason to attack Microsoft. But not Apple. Because Apple is all powerful, right?

Apple people, how about this? Since your beloved Operating System is so great and secure, don't install ANY AntiVirus, AntiMalware software, and just run free like a nudist on his birthday. Ignore all the warnings anyone gives, and let nature take its course. You'll be fiiine!

Or, grow up! Respect software companies for what they are and stop slandering them! This applies to Microsoft people too. Zealotry will only lead to a lot more crap.
Posted by smithjohn2003 (3 comments )
Uh - yes I do, and no problem
re "Apple people, how about this? Since your beloved Operating
System is so great and secure, don't install ANY AntiVirus,
AntiMalware software, and just run free like a nudist on his
birthday. Ignore all the warnings anyone gives, and let nature
take its course. You'll be fiiine!"

Um... yes i do - I setup a PC on my network and it has viruses on
it before I can patch to SP2 if I plug it into the network.

My iMac on my desk has no antivirus software and is virus and
malware free, no problem.

Do I take off my clothes now?
Posted by papastanley (9 comments )
As Steven Stanley said,
I use no AV software and I have no problems with my Mac. What
angers me and I think most Mac users is that both (this and
Leap-A) of these so called proof of concept trojans are poor
proofs but they've gotten attention that should be reserved for
real threats.

Both require an extraordinary set of circumstances to be in place
in order to work at all. This guarantees that neither can be
spread without direct and constant human intervention, making
them hardly worthy of a mention other than the fact that
somebody is making an attempt at writing Mac malware. We've
known that for a long time though, so where's the news?

Is there going to be a trojan that endangers my bank account if I
log in from my Mac as there are for Windows systems?
( http://news.cbsi.com/New+Trojans+plunder+bank+accounts/2100-7349_3-6041173.html?tag=nefd.top )
I seriously doubt it. If these two are any indication of what Mac
users have to look forward to, then the future is looking great.
All I have to do to protect my Mac is not be incredibly unlucky
AND not be incredibly stupid at the same time. I think I can
manage that without any 'help' from Symantec. I think my 75
year old mother can manage that too.
Posted by Macsaresafer (802 comments )
Well... I could...
I could install all that crap, or I can keep my iBook properly secured without devoting precious hard drive and CPU resources to a virus scanner and a malware scanner.

Of course, I'm an old school linux geek, so I know how to administer a *nix system.

That said, these viruses are jokes. They don't even work properly, and if you're diligent in maintaining your updates (not like Apple makes that difficult, as opposed to MSoft) then you have nothing to worry about.

Hell, even when I was on Windows I didn't run any anti-malware software. Why? Because I know how to frikkin' take care of a computer, handle patches, I never EVER used Internet Exploder.

And personally, regardless of what OS I hear about a Proof-Of-Concept for, I point it out to friends, and discuss its severity.

Which brings me to my last point. These two proof-of-concepts gave the virus the capacity to do what? Not much- one tricked a user into thinking it was an image (which should teach people about getting images from .tgz files!) and the other requires user intervention to accept the bluetooth file anyway. At that point, you're tricking the user and can do anything you want. Hell, I could whip up a nice little "virus" that IMs itself to all of your friends and formats your hard drive- unless you've properly secured your computer (Don't run as ADMIN!)

Meanwhile, in the Windows world, the last flaw allowed somebody to execute any program on your computer from a WEB PAGE. That too, was a proof of concept, but which one is more severe?
Posted by t3knomanser (5 comments )
BULL CRAP
Let me get this straight.

It's supposedly a worm, that is supposed to be able to propagate via bluetooth. But it is a "proof of concept" presented by Symantec and F-Secure, and it is an 8 month old vulnerability that was fixed last June?!

-- proof of concept. Hmm where is it and is it working (but as you will soon see, not)

-- proof of concept. Did Symantec and F-Secure author this worm to sell their software?

-- 8 month old vulnerability that was fixed last June. By my calculations, (can't stop laughing), then it must have been a vulnerability for about a day, and therefore does not even exist.

-- 8 month old vulnerability that was fixed last June. How the hell can it be 8 months old when it was fixed last June?! Stranger and stranger.

-- Furthermore, it uses a Bluetooth component that is locked to a specific address, that expires next week. What the hell does that mean?! Did F-Secure create some kind of temporary device to try and infect one of their "test" machines?!

What in the world is really going on? Symantec can't sell software to Mac users, and Mac users are growing in numbers. As a result they resort to a campaign of fear, and smear? If they keep this up, they might just find themselves in a whole hell of a lot of legal trouble.

Sick of this.
Posted by Thomas, David (1947 comments )