
Hi Everyone:
Well, it appears that some bored individual has written a Unix shell script and changed the script file's meta-tag and icon to make it appear to be Microsoft Word 2004.
http://www.macworld.co.uk/news/top_news_item.cfm?NewsID=8664
Some misguided individual in Europe downloaded what he thought was MS-Word 2004 from LimeWire (a peer-to-peer file-sharing service). That was his first mistake, as commercial applications are not legally distributed via peer-to-peer file-sharing services. His second mistake was double-clicking on what he thought was MS-Word 2004. In actual fact, this individual unknowingly executed a malicious Unix shell script, one which most likely contained a rather innocuous-looking command like the following:
rm -dfRP ~/
For those of you unfamiliar with Unix commands: the 'rm' command is used for removing files. The "-" means "use the following modifiers". In this case 'rm' was to use these modifiers: "d" remove directories, "f" do not challenge the user for a 'yes/no' response before removing a file or directory, "R" run this command recursively (that is, descend into every folder and delete every file or folder within it), and for good measure "P" tells 'rm' to overwrite the files three times before removing them. The "~/" means run the command on the home directory of the user running the script. This script would recursively delete every file and folder contained within that user's home directory without challenging the user for a 'yes/no' response for each file or folder deleted.
If you have ever worked on a computer running DOS, this is similar to, but not as damaging as, running the command " C: *.* ".
Yep, this individual managed to very thoroughly delete their entire home directory. While this would not affect any other user on that computer, this particular user's account is completely unrecoverable.
Regardless of the hardware or operating system, the only thing that will protect your personal account from this type of malicious programming is good user practices. Consider creating yourself a user-level account. Apple refers to this type of account as a "Standard" account. When you first start a new Mac, or after re-installing the operating system, you will be asked to create an account. That first account is an admin or administrator-level account, which means that account has access to other folders and files than just the home directory of that account (e.g. the Applications folder). By making yourself a "Standard" account on your computer for your everyday work, you are providing a level of security for your system. This does not protect your account from the script above, but it will keep the script from running at an admin level, thus providing protection against the deletion of Applications and other files outside of your home directory.

If you are really concerned about this type of attack, consider creating another account for testing applications. If the application is malicious, then only that test account will be impacted. Should that happen, delete the test account and create a new one, thus preventing your working account, and the accounts of other users on the system, from being damaged. In addition, if you are downloading files from the Internet, make sure that you are downloading from a legitimate website (e.g. www.versiontraker.com, www.macupdate.com, www.apple.com/downloads/macosx/).
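One more practical check, added here as an example and not part of Doug's post or of any Apple tool: before double-clicking a downloaded "application", look at what its bundle actually launches. A real Mac application carries a native (Mach-O) binary under Contents/MacOS/, while the trojan described above would carry a shell script there. The script below assumes a POSIX sh with od, printf and mktemp, and uses two constructed stand-in bundles for the demo.

```sh
# classify_file FILE: print "script", "macho" or "other" from its first 4 bytes
classify_file() {
    magic=$(od -A n -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        2321*) echo script ;;      # 0x23 0x21 = "#!" shebang: a shell/perl/etc. script
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca)
               echo macho ;;       # Mach-O (32/64-bit, either byte order) or fat binary
        *)     echo other ;;
    esac
}

# inspect_bundle DIR: list every launchable file under Contents/MacOS with its
# kind; return 1 if any of them is a script (open it in an editor, don't run it)
inspect_bundle() {
    rc=0
    for f in "$1"/Contents/MacOS/*; do
        [ -f "$f" ] || continue
        kind=$(classify_file "$f")
        echo "$f: $kind"
        [ "$kind" = script ] && rc=1
    done
    return $rc
}

# demo: build two constructed bundles in a temp dir and inspect both
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Real.app/Contents/MacOS" "$d/Fake.app/Contents/MacOS"
    # constructed stand-ins: 64-bit Mach-O magic bytes vs. a harmless shell script
    printf '\317\372\355\376' > "$d/Real.app/Contents/MacOS/Real"
    printf '#!/bin/sh\necho not an application\n' > "$d/Fake.app/Contents/MacOS/Fake"
    inspect_bundle "$d/Real.app" && echo "Real.app: launches a native binary"
    inspect_bundle "$d/Fake.app" || echo "Fake.app: launches a script, do not double-click it"
    rm -rf "$d"
}
```

Run `demo` to see both verdicts, or call `inspect_bundle /path/to/Something.app` on a real download; a "script" verdict for an application that is supposed to be a commercial binary is the warning sign.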
To keep someone from walking up to your computer and installing a malicious script/application or engaging in destructive activity, use the security features of the operating system (e.g. turn off auto log-in, specify that the user must provide a password once the screen saver has been enabled). And if at all possible, physically secure your computer (e.g. lock your office door ... if you have an office door).
If you have any questions or concerns regarding this, please email me and I will post the question and answer to the list.
Regards, Doug
------------- Doug Hamilton, BA, MA, APP Senior Apple Computer Consultant Computers-on-Campus; Univ. of Manitoba 204-474-6196 204-474-7556 http://www.umanitoba.ca/bookstore/