Feb 20 2006
Symantec Anti-Virus Research Center (SARC) has posted details on another Mac OS X worm. Surfacing only a few days after the OSX.Leap.A trojan, OSX.Inqtana.A is another low threat, low damage, low distribution, proof of concept malady. This time the payload worms its way to your Mac using three OBEX Push requests that you must accept before the worm can install itself and, after a restart, propagate to other Bluetooth enabled Macs.
SARC notes that the worm’s distribution of itself depends on a time limited demo version of the Avetana library, which is bound to a Bluetooth address. As a result of this the worm may not be able to spread successfully.
SARC’s “best practices” for preventing infection seem to have been written for the much more virally susceptible Windows platform, but the basic premise is true: turn off services you don’t need (in this case, maybe, Bluetooth), lock your doors and windows (password protect, don’t run in ‘root’, etc.) and don’t take candy from strangers (don’t accept file transfers out of “the blue”).
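Turning the “turn off services you don’t need” advice into something you can actually check: the script below is an added example, not code from the original post or from SARC, that classifies a Mac’s Bluetooth exposure from the text of `system_profiler SPBluetoothDataType`. The field names it matches (“Bluetooth Power”, “Discoverable”, “When receiving items”) and the sample report it ships with are assumptions about that command’s output, constructed for the example, so adjust the patterns if your macOS release prints them differently.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies how reachable a Mac is
# for unsolicited OBEX Push transfers, the delivery channel OSX.Inqtana.A uses.
# Input is the text of `system_profiler SPBluetoothDataType`; the field names
# below are an assumption about that report's format.

# bt_field KEY TEXT: print the value after "KEY:" on the first matching line,
# with whitespace removed and lowercased, or nothing if the key is absent.
bt_field() {
    printf '%s\n' "$2" \
      | grep -i "^[[:space:]]*$1:" \
      | head -n 1 \
      | sed 's/^[^:]*:[[:space:]]*//' \
      | tr -d '[:space:]' \
      | tr 'A-Z' 'a-z'
}

# bt_exposure_check TEXT: print one verdict word.
#   OFF        radio powered off; nothing can be pushed to this host
#   HIDDEN     powered on but not discoverable; unsolicited pushes are unlikely
#   EXPOSED    discoverable; OBEX Push prompts can reach the user (the worm
#              still needs the user to accept them, as the post describes)
#   AUTOACCEPT discoverable and file exchange set to accept without prompting;
#              the one acceptance step the worm depends on has been removed
#   UNKNOWN    report lacks the expected fields
bt_exposure_check() {
    report=$1
    power=$(bt_field "Bluetooth Power" "$report")
    disc=$(bt_field "Discoverable" "$report")
    recv=$(bt_field "When receiving items" "$report")

    case "$power" in
        off|no)  echo OFF; return 0 ;;
        on|yes)  ;;
        *)       echo UNKNOWN; return 0 ;;
    esac
    case "$disc" in
        off|no)  echo HIDDEN; return 0 ;;
        on|yes)  ;;
        *)       echo UNKNOWN; return 0 ;;
    esac
    # Assumed wording: a value containing "prompt" means the user is asked
    # before each incoming file; anything else present is treated as automatic.
    case "$recv" in
        ""|*prompt*) echo EXPOSED ;;
        *)           echo AUTOACCEPT ;;
    esac
}

# Constructed sample report (assumed format), used for the demo run below.
SAMPLE_EXPOSED=$(printf '%s\n' \
    'Bluetooth:' \
    '      Hardware Settings:' \
    '          Bluetooth Power: On' \
    '          Discoverable: Yes' \
    '      Services:' \
    '          Bluetooth File Exchange:' \
    '              When receiving items: Prompt for each file')

# Demo run on the constructed sample; on a Mac you would instead run
#   bt_exposure_check "$(system_profiler SPBluetoothDataType)"
bt_exposure_check "$SAMPLE_EXPOSED"
```

Anything other than `OFF` or `HIDDEN` is worth a look: `EXPOSED` means the host will show the acceptance dialogs the post describes, and `AUTOACCEPT` means the one user decision the worm relies on is no longer in the way.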
Removal of the worm is as simple as deleting the files it creates. Details are found via the link above.
Note: MacMerc.com reader Dave Schroeder notes:
All of the OSX.Inqtana coverage seems to be neglecting one somewhat important thing: the vulnerability this exploit requires has been closed on Mac OS X 10.3.x and 10.4.x since June 2005, and the only OS this affected was Mac OS X 10.4.0. Mac OS X 10.4.1 and newer were never vulnerable.
The patches were:
- 10.3.x: http://docs.info.apple.com/article.html?artnum=301528
- 10.4.x: http://docs.info.apple.com/article.html?artnum=301742
The vulnerability exploited was CVE CAN-2005-1333.
The patch was subsequently rolled into Mac OS X 10.4.1.