Bluetooth worm targets Mac OS X

Another day, another Mac OS X pest?

Just a day after experts warned of what is believed to be the first Trojan in the wild to target Apple Computer's Mac OS X, alerts are being published on a new worm that exploits an 8-month-old vulnerability in the operating system.

The new Inqtana worm spreads through a security flaw in Apple's Bluetooth software, antivirus vendors Symantec and F-Secure said on Friday. Apple provided a fix for the flaw last June with security update 2005-006.

The worm attempts to use Bluetooth to propagate. Once it infects a computer it searches for other Bluetooth-enabled devices and sends itself to those it finds, Symantec said.

Inqtana is a "proof-of-concept" worm, according to Symantec and F-Secure, meaning it's an example of attack code, but itself likely won't affect many users, if any at all. Inqtana is not believed to have actually attacked Mac users. Furthermore, it uses a Bluetooth component that is locked to a specific address and expires next week, according to F-Secure.

"It is quite unlikely that Inqtana would be any kind of threat," F-Secure said on its blog.

However, two examples of malicious software to target Mac OS X in two days may be the start of a trend, Vincent Weafer, senior director at Symantec Security Response, said in a statement.

"We have speculated that attackers would turn their attention to other platforms, and two back-to-back examples of malicious code targeting Macintosh OS X this week illustrates this emerging trend," he said. "While this particular worm is not fully functional, the source code could be easily modified by a future attacker to do damage."

The new worm follows the Leap Trojan that was discovered Thursday. Symantec says it believes the two pests were developed on a parallel time line and that Inqtana was not created in response to Leap.

Symantec recommends that Mac OS X users keep antivirus and firewall software, as well as operating systems, up to date. Apple has a safety guide on its Web site.

An Apple representative did not have an immediate comment.

[mvora]

What a joke

So two antivirus vendors wait until the day after a OS X Trojan
surfaces to announce a worm (that is not even in the wild) that was
effectively squashed 8 months ago, and then call it a trend.

How convenient.

[Michael Greenler]

ridiculous

I don't understand how it is possible to report on a non-story.

[privatec]

Oh please...

A bluetooth worm? So it can only spread to bluetooth enabled
computers that happen to be within, what, 30ft?

Oooh, I'm shaking in my boots.

[richto]

You should Upgrade to Windows...

MAC OS is based on UNIX so its like swiss cheese with zillions of seciruty holes - just like Linux.

Upgrade to Windows and have no more problems with BLuetooth infestations!.

nb - Blootooth works up to 100 Metres away!

[richto]

You should Upgrade to Windows...

MAC OS is based on UNIX so its like swiss cheese with zillions of security holes - just like Linux.

Upgrade to Windows and have no more problems with BLuetooth infestations!.

nb - Blootooth works up to 100 Metres away!

[iHateSymantec]

anti-antivirus

What ever terror those antivirus companies predict, whatever
security hole they expose(to thos hackers to hackers to exploit)
even if your system crashes every second , do not buy any of their
products. if they don't announce it,most hackers won't know about
nowadays. old school hackers knew a lot now they just wait until
these companies reveal the problems
and if someone with a bluetooth device comes near your precious
powerbook or macbook and infects you ,put down your and tussle,
put him down.

Are you kidding?

You are reporting that there is a "worm" that was that takes
advantage of "flaws" that were patched a year ago?
Seriously, in your article you even say "Inqtana is a "proof-of-
concept" worm".... which means... there is no threat.. it's not even
out in the wild.
This is ridiculous.

[dune1953]

A trend?

Since when does a sample of two make a trend?

[corelogik]

It's time

to generate some fear and some hysteria. Our sales to Mac owners
has been falling for a decade, we can't keep up with the Windows
virus' and we could really use some money.

Signed,
The Anti-Virus Companies

puh-lease.

[CentrOS]

Hey Jesus

How can you be smart in this thread, and yet post stupid evolution
nonsense in others? MPD!

what are you talking about?

Stupid evolution comments? Really?
Show me.

Your not one of those looney ID proponents, are you?

[uparrow]

Oh No!

Let me quickly reach for my nearest credit card and buy the latest
Mac anti-virus software!!

[M C]

What's next, an exploit for OS 8?

This was patched eight months ago, for crying out loud.

I know that the Mac stuff brings page views to CNet, but seriously, have some professionalism.

[rcrusoe]

Sounds like the AntiVirus companies are panicked

Microsoft is entering the antivirus market so all the old hands are
looking for non-Windows market share? Too bad. ClamAV works
great on a Mac - and is free.

But I've seen more Windows mobile phones advertised lately and
they are sure to be the next MS platform to be successfully
attacked. So make sure you have a mobile av product ready.

[JoeCrow]

works great???

ClamAV works great??? Maybe if there are no Mac viruses for it to
detect.

Check out the University of Hamburg's (authoritative) AV test
results at http://agn-www.informatik.uni-hamburg.de/vtc/
en0407.htm

If you don't want to read that much, they gave Clam a grade of
"useless."

[Mike E.]

Still matters

Slammer hit SQL with a vulnerability that was also fixed about 8 months before the virus was created.

[Thomas, David]

Re:Still Matters (are you sure)

Apparently MSSQL was not fixed. Gee, how surprised we all are.

[booboo1243]

This is news

This most certainly is a legitimate news story. Most of the
successful Windows worms have exploited old vulnerabilities.
Most people do not patch their systems religiously. And a lot of
people have been burned by past problems with Apple's Security
Updates -- I have two friends who have sworn off installing any
updates from Apple after one of the earlier Security Updates
killed their Airport access.

Face it, two OS X worms in two days -- after five years of
nothing -- is news. It was enough to get me to reinstall my
copy of Norton.

[mvora]

Duh

That's exactly why these companies hype this BS, to get you to buy
their products. You fell for it.

[Byronic]

Norton is the biggest security threat on the Mac!

Norton is worse than useless. It's a root kit.

[scweezil]

Here is the truth about the Trojan (truth of concept)

http://www.macworld.com/news/2006/02/17/leapafollow/
index.php

[JoeCrow]

good article

I liked his conclusion "It should, however, serve as a good wake-up
call for all of us to closely examine those things we download prior
to making the double-click decision."

Of course some people here are too busy blaming the AV
companies to hear that wake up call. Sucks to be them.

[naden]

Disgraceful behaviour by Anti-Virus Companies

With many of them quoting the leap-A malware as a "virus" and
others now reporting proof of concepts as something to be
alarmed about.

Never, ever buy a product from Symantec, F-Secure etc.

[JoeCrow]

wrong!

Leap is a file infector. That makes it a virus.

Leap also propogates through Instant Messaging. That makes it
a worm.

The fact that humans are involved in its propogation is
immaterial. The same is true of the vast majority of malware for
the PC.

Look, we're all upset to learn that the malware authors have
discovered our beloved Macs. But to claim that the AV
companies are at fault for categorizing the malware using the
same criteria as they use for Windows malware... well, that's just
whining.

[dejo]

8-month old vulnerability? Not exactly.

The article states:

"Just a day after experts warned of what is believed to be the
first Trojan in the wild to target Apple Computer's Mac OS X,
alerts are being published on a new worm that exploits an 8-
month-old vulnerability in the operating system.

The new Inqtana worm spreads through a security flaw in
Apple's Bluetooth software, antivirus vendors Symantec and F-
Secure said on Friday. Apple provided a fix for the flaw last June
with security update 2005-006."

The vulnerability is not 8-months old. The announcement is!
Apple fixed this 8-months ago. A little late to be reporting it.

[Byronic]

Except it's NOT NEW

I heard about Inqtana before. It's NOT NEW. Also, where is even
ONE infected machine? (Outside of M$, er, Symantec)

[smithjohn2003]

The All Powerful Apple

Proof of Concept is obviously useless when regarding a Mac, right? I mean, look at all the replies saying how ridiculous it is and that it's not even in the wild! But, this is a Mac, so that's okay! But! And I mean BUT! Don't let a Mac user come across a story of a Proof of Concept regarding a Windows or Microsoft flaw, oh no no no! Those are prime target for ridicule and perfect reason to attack Microsoft. But not Apple. Because Apple is all powerful, right?

Apple people, how about this? Since your beloved Operating System is so great and secure, don't install ANY AntiVirus, AntiMalware software, and just run free like a nudist on his birthday. Ignore all the warnings anyone gives, and let nature take its course. You'll be fiiine!

Or, grow up! Respect software companies for what they are and stop slandering them! This applies to Microsoft people too. Zealotry will only lead to a lot more crap.

[papastanley]

Uh - yes I do, and no problem

re "Apple people, how about this? Since your beloved Operating
System is so great and secure, don't install ANY AntiVirus,
AntiMalware software, and just run free like a nudist on his
birthday. Ignore all the warnings anyone gives, and let nature
take its course. You'll be fiiine!"

Um... yes i do - I setup a PC on my network and it has viruses on
it before I can patch to SP2 if I plug it into the network.

My iMac on my desk has no antivirus software and is virus and
malware free, no problem.

Do I take off my clothes now?

[Macsaresafer]

As Steven Stanley said,

I use no AV software and I have no problems with my Mac. What
angers me and I think most Mac users is that both (this and
Leap-A) of these so called proof of concept trojans are poor
proofs but they've gotten attention that should be reserved for
real threats.

Both require an extraordinary set of circumstances to be in place
in order to work at all. This guarantees that neither can be
spread without direct and constant human intervention, making
them hardly worthy of a mention other than the fact that
somebody is making an attempt at writing Mac malware. We've
known that for a long time though, so where's the news?

Is there going to be a trojan that endangers my bank account if I
log in from my Mac as there are for Windows systems? ( http://
news.com.com/New+Trojans+plunder+bank+accounts/
2100-7349_3-6041173.html?tag=nefd.top )
I seriously doubt it. If these two are any indication of what Mac
users have to look forward to, then the future is looking great.
All I have to do to protect my Mac is not be incredibly unlucky
AND not be incredibly stupid at the same time. I think I can
manage that without any 'help' from Symantec. I think my 75
year old mother can manage that too.

[t3knomanser]

Well... I could...

I could install all that crap, or I can keep my iBook properly secured without devoting precious hard drive and CPU resources to a virus scanner and a malware scanner.

Of course, I'm an old school linux geek, so I know how to administer a *nix system.

That said, these viruses are jokes. They don't even work properly, and if you're dilligent in maintaining your updates (not like Apple makes that difficult, as opposed to MSoft) then you have nothing to worry about.

Hell, even when I was on Windows I didn't run any anti-malware software. Why? Becuase I know how to frikkin' take care of a computer, handle patches, I never EVER used Internet Exploder.

And personally, regardless of what OS I hear about a Proof-Of-Concept for, I point it out to friends, and discuss its severity.

Which brings me to my last point. These two proof-of-concepts gave the virus the capacity to do what? Not much- one tricked a user into thinking it was an image (which should teach people about getting images from .tgz files!) and the other requires user intervention to accept the bluetooth file anyway. At that point, you're tricking the user and can do anything you want. Hell, I could whip up a nice little "virus" that IMs itself to all of your friends and formats your hard drive- unless you've properly secured your computer (Don't run as ADMIN!)

Meanwhile, in the Windows world, the last flaw allowed somebody to execute any program on your computer from a WEB PAGE. That too, was a proof of concept, but which one is more severe?

[Thomas, David]

BULL CRAP

Let me get this straight.

It's supposedly a worm, that is supposed to be able to propagate via bluetooth. But it is a "proof of concept" presented by the Symantec and F-Secure, and it is an 8 month old vulnerability that was fixed last June?!

-- proof of concept. Hmm where is it and is it working (but as you will soon see, not)

-- proof of concept. Did Symantec and F-Secure author this worm to sell their software?

-- 8 month old vulnerability that was fixed last June. By my calculations, (can't stop laughing), then it must have been a vunerablitity for about a day, and therefore does not even exist.

-- 8 month old vulnerability that was fixed last June. How the hell can it be 8 months old when it was fixed last June?! Stranger and stranger.

-- Furthermore, it uses a Bluetooth component that is locked to a specific address, that expires next week. What the hell does that mean?! Did F-Secure create some kind of temporary device to try and infect one of their "test" machines?!

What in the world is really going on? Symantec can't sell software to Mac users, and Mac users are growing in numbers. As a result they result to a campaign of fear, and smear? If they keep this up, they might just find themselves in a whole hell of a lot of legal trouble.

Sick of this.