OS.X Macarena 'virus' (#2): No viable threat posed; Not exploiting a Mac OS X bug; not a 'warning' of more viruses to come

CNET staff

Intego is the latest publisher of Mac OS X antivirus software to document and claim protection against the largely innocuous OS.X Macarena virus: a simple C program, not found in the wild beyond the proof-of-concept stage, that is capable of infecting files in the same directory as itself on Intel-based Macs.

The statement from Intego reads:

"The virus can only infect Intel-based OS X computers. It consists of a C source file, an Assembler 'dropper' file, and documentation that explains how to create a virus that can infect Macintosh OS X binary files. Compiling the source code creates two binaries, the OS X virus file itself, and the dropper. The dropper is intended to infect Mac OS X binary files from a Windows installation on the current machine. This can be either via Apple's Boot Camp, or via a virtualization application such as Parallels Desktop for Mac.

"The virus only infects mach-o binary files, not Universal or PowerPC binaries. [Ed- We assume that Intego means to say that the virus infects only Intel Mach-O binaries]

"Mach-o (Mach object file format) is the native file format used for executables by Mac OS X's Mach kernel. The virus does not carry a payload. When run it infects other executables in the current directory, regardless of their name or extension."

Again, OS.X Macarena poses no viable threat as currently conceived. Although we don't have our hands on the virus source code, according to Symantec (who initially publicized the virus last week) OSX.Macarena can infect neither PowerPC-only binaries nor Universal binaries; it can only affect binaries that are Intel-specific. That would include various system files, but since OSX.Macarena can only infect files in its own directory and has no means of gaining the privileges needed to write into the system directories where most of those files are stored, the threat level is mitigated.

Further, it can reasonably be said that this "virus" is no more than a basic exploitation of the way UNIX permissions are designed to operate. A program runs with the privileges of the user who launched it, so by default it may modify any file that user can write; the files in its own directory are simply the ones Macarena chooses to touch. It's somewhat akin to writing a shell script that deletes one or more (or all) files in the user's home directory and then distributing that script as a download: running the script has a malicious outcome, but there would be no way to prevent its operation without changing the granularity of permissions in Mac OS X (assigning some applications tighter restrictions than the default user-level permissions allow), something Apple may or may not enact in Mac OS X 10.5 (Leopard).
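To make the two scoping points above concrete (only thin Intel Mach-O files qualify, and only files in the current directory that the user can already write), here is an added example, not code from the original article, Symantec or Intego, that classifies file headers the way such an infector would have to and lists which files in a directory would be reachable. The magic numbers and CPU type constants are the public ones from Apple's <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>; the sample headers, file names and the `candidates` helper are constructed for illustration.

```python
"""Classify files as thin Intel Mach-O, PowerPC Mach-O, Universal (fat),
or not a Mach-O at all, then list which files in a directory a
same-directory, user-privilege infector could reach.

The sample headers below are constructed for this example; the constants
are Apple's public Mach-O definitions.
"""
import os
import struct
import tempfile

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O, 32/64-bit
FAT_MAGIC = 0xCAFEBABE                           # Universal ("fat") wrapper
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86, CPU_TYPE_POWERPC = 7, 18
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_POWERPC64 = CPU_TYPE_POWERPC | CPU_ARCH_ABI64
ARCH_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
              CPU_TYPE_POWERPC: "ppc", CPU_TYPE_POWERPC64: "ppc64"}


def classify(data: bytes) -> str:
    """Return 'intel', 'powerpc', 'universal', 'other-macho' or 'not-macho'."""
    if len(data) < 8:
        return "not-macho"
    # The fat header is always stored big-endian, whatever the slices are.
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        return "universal"
    # A thin Mach-O stores its magic in the target CPU's byte order, so the
    # order in which the magic bytes appear tells us how to read cputype.
    for order in (">", "<"):
        magic, cputype = struct.unpack(order + "Ii", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        return "not-macho"
    if cputype in (CPU_TYPE_X86, CPU_TYPE_X86_64):
        return "intel"
    if cputype in (CPU_TYPE_POWERPC, CPU_TYPE_POWERPC64):
        return "powerpc"
    return "other-macho"


def fat_archs(data: bytes) -> list:
    """Names of the architectures inside a Universal binary (20-byte fat_arch
    entries: cputype, cpusubtype, offset, size, align, all big-endian)."""
    nfat = struct.unpack(">I", data[4:8])[0]
    archs = []
    for i in range(nfat):
        cputype = struct.unpack(">i", data[8 + 20 * i: 12 + 20 * i])[0]
        archs.append(ARCH_NAMES.get(cputype, hex(cputype)))
    return archs


def candidates(directory: str) -> list:
    """Files a same-directory infector running as the current user could
    touch: thin Intel Mach-O files the user can already write. Nothing
    outside `directory`, and nothing the user could not write anyway."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(8)
        if classify(head) == "intel" and os.access(path, os.W_OK):
            hits.append(name)
    return hits


def thin_header(cputype: int, order: str) -> bytes:
    """Constructed minimal mach_header (no load commands): magic, cputype,
    cpusubtype, filetype=MH_EXECUTE, ncmds, sizeofcmds, flags."""
    return struct.pack(order + "IiiIIII", MH_MAGIC, cputype, 3, 2, 0, 0, 0)


def fat_header(cputypes) -> bytes:
    """Constructed fat_header plus one fat_arch entry per architecture."""
    parts = [struct.pack(">II", FAT_MAGIC, len(cputypes))]
    for i, ct in enumerate(cputypes):
        parts.append(struct.pack(">iiIII", ct, 0, 4096 * (i + 1), 28, 12))
    return b"".join(parts)


# Constructed sample files: one of each kind the article distinguishes.
SAMPLES = {
    "intel_tool": thin_header(CPU_TYPE_X86, "<"),
    "ppc_tool": thin_header(CPU_TYPE_POWERPC, ">"),
    "universal_tool": fat_header([CPU_TYPE_POWERPC, CPU_TYPE_X86]),
    "notes.txt": b"just a text file\n",
}


def demo() -> list:
    """Write the samples into a scratch directory and report what is reachable."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return candidates(d)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {classify(data)}")
    print("universal archs:", fat_archs(SAMPLES["universal_tool"]))
    print("would-be targets:", demo())
```

Only `intel_tool` comes back as a would-be target: the PowerPC and Universal files fail the header check, the text file is not a Mach-O, and anything outside the directory or not writable by the user is never considered at all, which is exactly why the reach of such a program is bounded by the user's own permissions.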

Symantec acknowledged to MacFixIt:

"I think the phrase 'proof of concept' which is used in the write-up may have caused some confusion. This is not a threat which is exploiting some bug, rather the concept that is being proven is that Mach-O files can be infected, and that Mac OSX file infecting viruses are therefore possible."

Also, as has been the case with virtually all purported Mac OS X viruses documented by anti-virus firms thus far, there is no reliable vector for the spread of OSX.Macarena, meaning that a user would have to locate the source file, download it, compile the source and run the virus in order for any effect to occur.

As a result, OSX.Macarena has served less as a "warning shot" across the bow of Mac OS X than as a reiteration of just how difficult it is to write an effective virus for the operating system.

Feedback? Late-breakers@macfixit.com.
