If we trusted that people, particularly a supposed tech site, made the distinction, the article would be MUCH more useful.
A new Trojan out there? I don't care much.
An actual virus that fits the definition of computer virus (that is, it infects and spreads without user interaction)? That's a huge deal.
Too bad they don't make a distinction.
My understanding was that viruses that spread without interaction are called worms. Both trojans and worms are viruses.
True viruses are rare these days because the infection vector is passive and relatively slow: an infected file must be transferred by user action to another computer, for example by sharing an infected file via floppy disk.
Or an "excel" file attached to an email or posted in a chat group that is executed by the host automatically and inserts itself somewhere. Viruses remain alive and well online.
Viruses spread via interactions like booting an infected floppy disc, or running an infected program copied from another user.
A virus is simply a piece of malicious code which attaches itself to programs, arranges for itself to be executed when those programs are run, and thereby spreads to more programs as programs are copied from system to system by unsuspecting users.
A Trojan horse is a malicious program which a user is somehow fooled into trusting, installing and running. It doesn't have to be a virus at all; for instance, it could be a fake authentication dialog that steals their credentials and then defers to the real authentication.
A malicious thumb drive deliberately dropped in the parking lot of a company is a modern example of a Trojan horse. It might not infect anything, just steal information and transmit it.
A virus just attaches itself to a host (binary, document, ...) to spread, like 30 years ago viruses spread via floppy disk, which required a lot of manual doing.
A worm is what actively spreads by itself.
Both viruses and worms (malware, so to speak) can be introduced to environments as trojans.
I think when someone says virus these days, including news, they just mean any kind of malware and it seems okay to me.
The important part is to start talking more about malware on macOS, as it seems a blind spot for many organizations.
That's also why it's important to make the distinction between the "naked-cheerleaders.jpg.exe" kind of malware, the "visited a website" or "opened a PDF" kind and finally the "had a machine online" kind. Because AFAIK the second kind of malware is very rare on macOS and the third kind is literally nonexistent. And some people rely on that (including me).
We had this debate in my office today. Imho malware is any software that the user/owner of a system doesn't want running. Others were of the opinion that "malware" doesn't include software for which someone, perhaps other than the user, has a legitimate use. So surveillance software isn't malware because it can be installed on a target device legitimately. So too most bloatware, stuff I call malware but many large corporations do not.
Presumably the malware author would open an AWS account with a stolen or prepaid credit card. They could probably even get away with using AWS's free tier.
Or they could even abuse a random web service that uploads data to predictable locations on S3.
2. It may be their bucket, but with false credentials. Stolen CC and faked contact information.
Along with the apparent lack of any actual payload, it seems to point to this being some kind of proof of concept.
They also had a backup hosted on Akamai.
I'm not sure if this means that the malware is no longer a threat.
I find it weird how all of the stories about this thing have the tone of "oh no, what could it be for, there is no payload!?!", when it phones home to a control server regularly waiting for payload. Guys, it's a botnet. They're just waiting for it to get big enough to be worth selling. This isn't some huge mystery. It could be used for hundreds of uses from DDOSing, to spamming, to being a covert VPN network, to Warez distribution, porn, etc... Plus it will probably eventually install a keylogger on the system to harvest CC numbers and passwords from the infected users, maybe run some crypto-locking ransomware if the devs need some bitcoin. All of the typical stuff you can expect after a box is rooted by one of these botnet operators.
No obvious payload is actually the worst kind of malware to deal with, because you have no idea if Matthew in accounting had the specific key on his machine that installed a second stage that you know nothing about and can't detect.
`Trojan` is often used to refer to malware that provides a backdoor into your system, and if someone gets to run code on your machine it isn't your machine anymore.
The genie is out of the bottle and there is no putting it back - virus, malware, worm, trojan, etc. are all interchangeable marketing terms now.
Obsessing over motivations of the developers without providing useful mitigation steps or any kind of even vague description of who is at risk by this is frustrating.
I also just learned that you can see when the last update was with the following command:
`system_profiler SPInstallHistoryDataType | grep -A 5 "XProtectPlistConfigData"`
And then any updates are added to `/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara` (for macOS 11, at least).
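The grep above shows the raw entries; the following is an added example (not from this thread) that turns the same `system_profiler SPInstallHistoryDataType` output into a single "newest XProtect definition version and install date" line, which is what you actually want when checking whether a fleet's XProtect definitions are current. The field names (`Version:` / `Package Version:`, `Install Date:`), the ISO-style date format and the sample report embedded below are assumptions modelled on the report format; compare against a real machine's output before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread. On a live Mac pipe the real report in:
#   system_profiler SPInstallHistoryDataType | latest_xprotect_update
# Assumptions: each installation is a "Name:" block followed by indented
# "Version:" (or "Package Version:") and "Install Date:" lines, and dates are
# written YYYY-MM-DD, HH:MM:SS so that plain string comparison orders them.

# latest_xprotect_update: reads install-history text on stdin and prints
# "<version> <install date>" for the most recent XProtectPlistConfigData entry.
latest_xprotect_update() {
    awk '
        BEGIN { best = ""; bestver = "" }
        # Start of an XProtect definition entry; reset per-entry state.
        /^[[:space:]]*XProtectPlistConfigData:/ { inblock = 1; ver = ""; next }
        # Matches both "Version:" and "Package Version:" inside the entry.
        inblock && /Version:/ { sub(/.*Version:[[:space:]]*/, ""); ver = $0 }
        inblock && /Install Date:/ {
            sub(/.*Install Date:[[:space:]]*/, ""); date = $0
            if (date > best) { best = date; bestver = ver }
            inblock = 0
        }
        END { if (best != "") print bestver, best }
    '
}

# count_xprotect_entries: how many XProtectPlistConfigData installs are listed.
count_xprotect_entries() {
    grep -c '^[[:space:]]*XProtectPlistConfigData:' || true
}

# sample_install_history: a constructed report (not captured from a real Mac),
# with unrelated packages and two XProtect entries so the "newest" logic matters.
sample_install_history() {
    cat <<'EOF'
Software:

    Installations:

        MRTConfigData:

          Version: 1.71
          Source: Apple
          Install Date: 2021-02-10, 08:02:11

        XProtectPlistConfigData:

          Version: 2141
          Source: Apple
          Install Date: 2021-02-04, 13:40:05

        Safari:

          Version: 14.0.3
          Source: Apple
          Install Date: 2021-02-12, 10:00:00

        XProtectPlistConfigData:

          Version: 2146
          Source: Apple
          Install Date: 2021-02-18, 09:15:42
EOF
}

# Run with --demo to see the result on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_install_history | latest_xprotect_update
fi
```

Because the date is compared as a string, a machine whose locale prints dates differently (for example month/day/year) will need the comparison adjusted; that is the one part of the report format this example depends on.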
~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)
> Every hour, the persistence LaunchAgent tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.
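As an added example (not from the thread or the article it quotes), here is a read-only sweep over the artifact paths listed above plus the persistence described in the quote: it reports the four files if present and flags any user LaunchAgent plist that names the installer script or the downloaded JSON. The `ROOT`/`HOME` parameters are an assumption of this example so it can be pointed at a mounted image or a scratch directory; on a live machine you would pass `/` and `$HOME`. It reports and counts only; in particular it never creates `~/Library/._insu`, since that file is the malware's own self-removal signal and whether to trigger it is a response decision, not something a sweep should do.

```shell
#!/bin/sh
# Added example, not code from the thread. Usage on a live Mac:
#   sweep_artifacts / "$HOME"
# ROOT and HOME are hypothetical parameters so the same function can be run
# against a mounted disk image or, as in the self-test, a temporary directory.

# sweep_artifacts ROOT HOME: prints "artifact: <path>" or "launchagent: <plist>"
# per indicator found, then a final "hits: <n>" line. Read-only.
sweep_artifacts() {
    root=${1%/}; home=${2%/}
    hits=0
    # Paths taken from the thread's list of on-disk artifacts.
    for p in "$home/Library/._insu" \
             "$root/tmp/agent.sh" \
             "$root/tmp/version.json" \
             "$root/tmp/version.plist"; do
        if [ -e "$p" ]; then
            echo "artifact: $p"
            hits=$((hits + 1))
        fi
    done
    # Persistence is a LaunchAgent that runs the shell script hourly, so any
    # agent plist referencing the script or the JSON it fetches is suspicious.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q -e '/tmp/agent.sh' -e 'version.json' "$plist" 2>/dev/null; then
            echo "launchagent: $plist"
            hits=$((hits + 1))
        fi
    done
    echo "hits: $hits"
}

# count_hits ROOT HOME: just the number of indicators, for scripting/alerting.
count_hits() {
    sweep_artifacts "$1" "$2" | sed -n 's/^hits: //p'
}

if [ $# -ge 2 ]; then
    sweep_artifacts "$1" "$2"
fi
```

A non-zero count is a reason to image the machine, not to delete the files: the quoted behaviour means the hourly agent decides what to do from the downloaded JSON, so the JSON and plist in `/tmp` are the best evidence of what the operator intended at the time.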
Was the article changed after your comment?
In my view, these are contradictory statements.
"It hasn't done anything" (according to evidence at the time of writing) is not the same as "it doesn't do anything."