MacDailyNews - Where Mac news comes first

Incorrect reports of ‘Mac OS X virus’ begin to circulate
Thursday, February 16, 2006 - 10:02 AM EST

"For the first time Mac users around the world are the target of a malicious code, security experts warn," Veronique De Freitas reports for WebUser.com. "The virus, named OSX/Leap-A, spreads via the instant messaging iChat program as a file called latestpics.tgz and attempts to spread to contacts on an infected user's buddy list. According to Sophos, when the latestpics.tgz file is opened it disguises itself with a JPEG graphic icon to fool people into thinking it is harmless."

"According to Sophos, the recent increase in popularity of Mac computers might be the reason for this attack. Until now, most virus writers were targeting Windows users, but the Mac virus may be an attempt by someone to prove it could be done, the security company warned," De Freitas reports. "Graham Cluley, senior technology consultant for Sophos, said: 'Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real. Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows.'"

"Security experts advise Mac users to ensure they run up-to-date anti-virus software, but admit there are fewer anti-virus products for Macintosh than Windows," De Freitas reports.

Full article — which also features the online poll, "Which do you think is more secure? PC or Mac?" — here.

MacDailyNews Take: It's not the first time Mac users have been the target of a malicious code. This example is not a virus. Leap-A will not leave anyone "shell-shocked." There are fewer anti-virus products for Macintosh than Windows because there are no Mac OS X viruses. Sophos themselves do not classify Leap-A as a "virus." Otherwise — note our sarcasm — the article is correct. Of course, Apple Mac OS X users need to be careful running unknown or unsolicited code on their computers. Duh.

This is what it's come to: making up a Mac OS X "virus" where none exists. Another offender (so far) is The Inquirer.

Related MacDailyNews article:
New Mac OS X Trojan warning - February 16, 2006

Reader Feedback:

Feb 16, 06 - 10:21 am Comment from: M.X.N.T.4.1

Currently 4% of people think Windows is more secure. Even if you accepted the security through obscurity argument it would still mean OS X is more secure. What planet are they on?

Feb 16, 06 - 10:23 am Comment from: ziggyonice

is it just me, or are they all making a big deal out of nothing?

Feb 16, 06 - 10:29 am Comment from: Dave H

Anyone who is stupid enough to think typing in their Admin password is necessary to open a JPEG deserves their computer to be infected.

I think we've been here before though. Isn't this exactly the same as the "Word 2004 Installer"?

Feb 16, 06 - 10:31 am Comment from: carlo

they're just gutter-trash, that's all they are.

gutter-trash scum.

Feb 16, 06 - 10:33 am Comment from: Mike Buonarroti

All of the anti-virus software producers are going to spread this fallacy as loud and as fast as possible. I think it really sucks that we now must do damage control AGAINST the ones that CLAIM to be helping us.

1 inert Trojan file does NOT equal 100,000 self-replicating viruses!

Feb 16, 06 - 10:36 am Comment from: JBR

Thanks to the fools at MacRumors for posting the story in the first place for the other fools to blindly pick up...

Feb 16, 06 - 10:43 am Comment from: Evil_MS_User

Yes - they're gutter-trash scum, alright. Why don't you flame this one, too. He deserves it:

http://blogs.ittoolbox.com/security/investigator/archives/007754.asp

Feb 16, 06 - 10:54 am Comment from: DakRoland

Graham Cluley, senior technology consultant for Sophos, said: 'Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real...'

Exactly WHO has ever said that "Mac OS X is completely invulnerable!"? Who? I have never heard anyone - 'experts', users, or developers - say that. Why is it that some people seem to want to make us look like we're complete idiots. Seriously, I've never held that belief. But I also don't believe I need to run Anti-Virus to protect Mac OS X...yet. I run it to keep files clean of WINDOWS™ MALWARE® to protect other Windows users I share files with.

If I'm required to accept a file to download, decompress it, open it, double click on it, type in my admin password, sacrifice a chicken to Foghorn Leghorn, do the Hokey Pokey and bowl a perfect 300....IT AIN'T A VIRUS. And it sure as hell isn't going to fool 99% of Mac Users.

Sorry, I'm just in a pissy mood this morning and this didn't help much. (>_<)

Feb 16, 06 - 10:55 am Comment from: Dave Challender

Although it is more of a Trojan than a virus, that is pointless hair splitting. It can be propagated by naive users - that's a key reason Windows Trojans propagate - people love to click on an image (and this file represents itself as an image).
A lot of Windows nasties have not particularly targeted OS flaws but just user stupidity, e.g. knowing if they email a user what "appears" to be an image with a suitably worded message in the email then a certain proportion of users will click that image and launch the Trojan.
Such a thing will not spread like wildfire in the way a virus that needs no human intervention will (e.g. windows nimda / code red) but it will spread and disproportionately affect the most naive / trusting users. Simplistic social engineering always gets some easy victims.

Raised apple profile means inevitably more mac exploits, get used to it, do not take a hide your head in the sand approach. Past "safety" on mac does not mean you should not take a paranoid approach to files / emails you receive.

Feb 16, 06 - 11:18 am Comment from: Less is More

It's now 2% who think Windows is more secure: 1% Microsoft staff under duress and 1% military justifying their decision to acquire unsecure hardware.

Feb 16, 06 - 11:18 am Comment from: edit

if you ask me..it sounds to me like Norton is behind this -- I mean, they are getting no sales from Mac users and are being threatened by Microsoft.

Feb 16, 06 - 11:37 am Comment from: smeager

For everybody who hasn't been following this since the 13th when it was released, here is the information on it. (First and foremost, Sophos never discovered this. It was released as a file on the macrumors forum by a user known as "lasthope". The original post can be found here: http://forums.macrumors.com/showthread.php?t=180066.)

This has been a hot topic on the macrumors forum for some time and the experts have been working to see how dangerous this truly is.

One thing that is misleading is that it uses Bonjour to send itself (due to zero-networking) although it can be sent via iChat/AIM.

Andrew, Forum Administrator, over at Ambrosia Software has been disassembling the file and this is what he has to say:

------------------------------------
http://www.ambrosiasw.com/forums/index.php?showtopic=102379
------------------------------------

---cont.

Feb 16, 06 - 11:39 am Comment from: smeager

---Continued

A file called "latestpics.tgz" was posted on a Mac rumors web site http://www.macrumors.com/ , claiming to be pictures of "MacOS X Leopard" (an upcoming version of MacOS X, aka "MacOS X 10.5"). It is actually a Trojan (or arguably, a very non-virulent virus). We'll call it "Oompa-Loompa" (aka "OSX/Oomp-A") for reasons that will become obvious.

Unless you work for an anti-virus company, please don't email/message me asking for a copy of this trojan. It's not going to happen.

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it

...and then for most users, you must also enter your Admin password.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

A few important points

-- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)

-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system

-- It requires the admin password if you're not running as an admin user

-- It doesn't actually do anything other than attempt to propagate itself via iChat

-- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching

-- It's not particularly sophisticated

To be on the safe side...

DO NOT DOWNLOAD OR RUN THIS FILE

When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.

After it's been unzipped, tar will tell you there are two files in the archive:

._latestpics
latestpics

...the ._latestpics is just the resource fork of the file, which contains the pasted in custom icon meant to fool people into double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.

The file "latestpics" is actually a PowerPC-compiled executable program, with routines such as:

_infect:
_infectApps:
_installHooks:
_copySelf:

Here's what it does if a user double-clicks on the file, or otherwise executes it:

1) It copies itself to /tmp as "latestpics"
2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip'd copy, then sets custom icon bit for the new file in /tmp
3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
4) It renames itself from "latestpics.tar.gz" to "latestpics.tgz" then deletes the copied "latestpics" executable from /tmp

--This gives it a pristine copy of itself, for later transmission.--

5) It extracts an Input Manager called "apphook.bundle" that is embedded in the macho executable, and copies it to /tmp
6a) If your uid = 0 (you're root), it creates /Library/InputManagers/ , deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder
6b) If your uid != 0 (you're not root), it creates ~/Library/InputManagers/ , deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed "apphook" Input Manager automatically into its address space

----cont.
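The archive layout described in this post (a `._` AppleDouble sidecar beside an extensionless file that is really a Mach-O executable) can be checked without unpacking or opening anything. This is an added example, not part of the original post or of Ambrosia's analysis; the sample archive is constructed from placeholder bytes, and the function and field names are this example's own.

```python
import io
import posixpath
import tarfile

# First four bytes of Mach-O and universal binaries as they appear on disk.
# Note: 0xCAFEBABE is shared with Java class files, so treat it as a hint.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian (e.g. PowerPC)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
    b"\xca\xfe\xba\xbe": "universal (fat) binary",
}


def triage_archive(fileobj):
    """List regular files in a tar/tgz and say why each looks risky.

    Members are only read in memory; nothing is extracted to disk.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        members = [m for m in tf.getmembers() if m.isfile()]
        names = {m.name for m in members}
        for m in members:
            base = posixpath.basename(m.name)
            if base.startswith("._"):
                continue  # AppleDouble sidecar; reported via its data file
            head = tf.extractfile(m).read(4)
            kind = MACHO_MAGICS.get(head)
            reasons = []
            if kind:
                reasons.append("content is " + kind)
            sidecar = posixpath.join(posixpath.dirname(m.name), "._" + base)
            if sidecar in names:
                reasons.append("has an AppleDouble sidecar (can carry a custom icon)")
            if m.mode & 0o111:
                reasons.append("execute bit set in the archive")
            if "." not in base:
                reasons.append("no file extension")
            findings.append({
                "name": m.name,
                "executable_content": kind is not None,
                "reasons": reasons,
            })
    return findings


def build_sample():
    """Constructed archive with the same member names; placeholder bytes only."""
    entries = [
        ("._latestpics", b"\x00\x05\x16\x07" + b"\x00" * 28, 0o644),  # AppleDouble magic
        ("latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 28, 0o755),    # Mach-O magic only
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28, 0o644),     # JPEG magic
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data, mode in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in triage_archive(build_sample()):
        print(f["name"], "->", "; ".join(f["reasons"]) or "nothing notable")
```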

Feb 16, 06 - 11:39 am Comment from: smeager

-----Continued

--This allows it to have the code in the "apphook.bundle" injected into any subsequently launched application via the InputManager mechanism--

8a) When an application is subsequently launched, the "apphook.bundle" Input Manager then appears to try to send the pristine "latestpics.tgz" file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats).

8b) (It looks like the author intended to get it to send the "latestpics.tgz" file out via eMail as well, but never got around to writing that code)

--This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally--

9) It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
10) In an apparent "Charlie and the Chocolate Factory" reference, it then checks to see if the xattr 'oompa' of the application executable is > 0... if so, it bails out, to prevent it from re-infecting an already infected application
11) If not, it sets the xattr 'oompa' of the application executable to be 'loompa' (this does nothing, it is just a marker that it has infected this app)
12) It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan

--It has thus effectively injected its code in the host application--

13) When an infected application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate itself to other applications
14) It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory... see below)
15) Due to a bug in its code for executing the original app from its resource fork, it is only allocating a buffer 4 bytes bigger than the path when appending "/..namedfork/rsrc" to the path, it will stop any app it infects from running. Instead of adding the length of the string, it errantly adds the length of the pointer to the string, which is always 4 bytes.

In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running

It seems that this is more of a "proof of concept" implementation that could be utilized to actually do something in the future, depending on how successful it is, or it was simply done to garner attention/press. Which I'm sure it'll get.

.....

The executable itself has a number of interesting things embedded into various macho segments, including an entire Input Manager bundle called "apphook" (stored as "latestpics_hook.tar"); the string data is "protected" with a simple XOR to prevent easy reading of what it's doing. It's definitely trying to mask what it is doing in a number of ways, but is relatively simplistic in nature.

If you are a programmer, attached is the disassembly of the executable (it's just a plain text file) for your reading pleasure. This is just the main executable portion of the code, not the embedded "apphook" InputManager code.

Thanks to Ed Wynne for his crucial help in uncovering the true nature of this trojan, Glenn Anderson for his southern-hemisphere hacking help, and other "smart friends".
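The on-disk traces listed in the steps above (the archive left in /tmp, an "apphook" entry in an InputManagers folder, the 'oompa' attribute on application executables) can be checked from a script. This is an added example, not from the original posts; looking only under /Applications, the `xattr -p` lookup and the indicator labels are assumptions of this sketch, and the demo tree is constructed.

```python
import os
import shutil
import subprocess
import tempfile

MARKER_XATTR = "oompa"             # marker attribute named in the analysis
DROPPED_ARCHIVE = "tmp/latestpics.tgz"
INPUT_MANAGER_PREFIX = "apphook"   # the analysis uses "apphook" and "apphook.bundle"


def read_xattr(path, name=MARKER_XATTR):
    """Return the attribute value, or None if absent. Uses macOS's xattr(1)."""
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", name, path], capture_output=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def scan(root="/", xattr_reader=read_xattr):
    """Return sorted (indicator, path relative to root) pairs found under root."""
    hits = []

    def rel(path):
        return os.path.relpath(path, root)

    # Steps 3-4: the copy kept for later transmission.
    archive = os.path.join(root, DROPPED_ARCHIVE)
    if os.path.exists(archive):
        hits.append(("propagation-archive", rel(archive)))

    # Steps 6a/6b: system-wide and per-user InputManagers folders.
    im_dirs = [os.path.join(root, "Library", "InputManagers")]
    users = os.path.join(root, "Users")
    if os.path.isdir(users):
        im_dirs += [os.path.join(users, u, "Library", "InputManagers")
                    for u in sorted(os.listdir(users))]
    for d in im_dirs:
        if os.path.isdir(d):
            for entry in sorted(os.listdir(d)):
                if entry.startswith(INPUT_MANAGER_PREFIX):
                    hits.append(("input-manager", rel(os.path.join(d, entry))))

    # Steps 10-11: application executables carrying the marker attribute.
    apps = os.path.join(root, "Applications")
    if os.path.isdir(apps):
        for app in sorted(os.listdir(apps)):
            macos = os.path.join(apps, app, "Contents", "MacOS")
            if app.endswith(".app") and os.path.isdir(macos):
                for exe in sorted(os.listdir(macos)):
                    path = os.path.join(macos, exe)
                    if xattr_reader(path) is not None:
                        hits.append(("infection-marker", rel(path)))
    return sorted(hits)


def demo():
    """Scan a constructed directory tree; empty files only, no real sample."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("tmp",
                  "Users/alice/Library/InputManagers/apphook.bundle",
                  "Applications/Demo.app/Contents/MacOS",
                  "Applications/Clean.app/Contents/MacOS"):
            os.makedirs(os.path.join(root, d))
        for f in ("tmp/latestpics.tgz",
                  "Applications/Demo.app/Contents/MacOS/Demo",
                  "Applications/Clean.app/Contents/MacOS/Clean"):
            open(os.path.join(root, f), "wb").close()

        # Stand-in for the xattr lookup so the demo runs on any OS.
        def fake_xattr(path, name=MARKER_XATTR):
            return b"loompa" if os.path.basename(path) == "Demo" else None

        return scan(root, xattr_reader=fake_xattr)


if __name__ == "__main__":
    for indicator, path in scan("/"):
        print(indicator, "/" + path)
```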

Feb 16, 06 - 11:41 am Comment from: People need to learn

"Apple Mac OS X users need to be careful running unknown or unsolicited code on their computers."

Not all, but many Windows viruses proliferate because naive users willingly run unsafe code on their computers.

As the Mac marketshare increases expect the level of naive users to rise accordingly.

Where we stand, lack of education is the biggest security threat by far.

Feb 16, 06 - 12:04 pm Comment from: botox

FUD of the day!!!

Feb 16, 06 - 12:05 pm Comment from: Ben

Dave,

This thing doesn't need your password if your account is an admin. Safari will warn you that it is an application, but other browsers will not. The reason it won't ask you for your password is that it is running Unix commands and not installing software, but changing the files on your computer. Read Ambrosia's forum to get more info.

Feb 16, 06 - 12:16 pm Comment from: NotAMacUser

YOU IDIOTS!!! Sophos sure does classify this threat as a "Worm"...

Did any of you think to look up the definition of "Worm"????

i.e. - http://www.sophos.com/pressoffice/news/articles/2001/11/va_glossary.html#worm

here, I'll make it easy for you, I know the more times you do anything like clicking a mouse button on a mac, the more probable it is to have a crash... the first four words suffice: "A type of Virus"

Jeeze do some research before you go telling people that these news sources are "incorrect" and to be offended, half the people in the world are below average and thus prone to have inferiority complexes...

Feb 16, 06 - 12:17 pm Comment from: Wingsy

Apple could go a long way to help prevent Trojans from being effective. Like, when you open a document belonging to an app that has never been run on your system before, you get a dialog telling you that you're about to open xyz app for the first time and are you sure you want to proceed. They need to take this one step further, so that you get the same dialog whenever you directly open any app for the first time (i.e., double-click the app itself and not necessarily by opening one of its documents). They could also add some reasonability checks when an app is first opened and expand the wording in the dialog informing you that what you're doing may be risky.

Feb 16, 06 - 12:20 pm Comment from: Rob

If idiots want to believe this is a virus even though it's really not, then let them believe it. I simply don't care. It's FUD, pure and simple. Meanwhile the everyday matters of the world are carrying on as usual. To call this story "news" is dubious at best.

Feb 16, 06 - 12:22 pm Comment from: Wingsy

Warning to MDN:

Most of the time I run with my volume all the way down. Today it's up. And visiting your web site today makes me hear the sound of a mouse click - I'm sure you know what I'm talking about. Not just once, but over & over & over, about every 9 seconds.

If you want to annoy my ass out of your web site for good, just keep on signing up advertisers that do stuff like that.

Feb 16, 06 - 12:44 pm Comment from: Preston

This thing requires a password to run. That changes it from a "virus" or "trojan" to a mere user-run program. OS X is protecting you from these kinds of system-hooking attacks when it prompts you for permission first.

Second, as MDN reported, this isn't the "first time" these kinds of goofy proof-of-concept trojans have been written for OS X. I'm reminded of MP3Concept and a few others.

Sometimes I think the security press is purposely out to get OS X. Now uninformed people are going to read these reports and think that OS X has now been infected with something when nothing at all has changed, and OS X is as safe as it ever was.

Notice the "update their antivirus" statements. Symantec's gotta be loving this misinformation.

Feb 16, 06 - 12:58 pm Comment from: Preston

Dear NotAMacUser:

You do realize Safari tells you this thing is an application when you download it, right? And it pops up a password prompt? That's why the reports are incorrect about this being a propagating worm going around. It's not doing anything at all.

Feb 16, 06 - 01:00 pm Comment from: I Wrote Sophos

I emailed SOPHOS regarding their inaccuracy in naming this a "virus". I actually received two miserable responses.

"
Thanks for the message.

I think the disagreement here is about the definition of a virus. Your
definition is not the one which is used by the anti-virus community.

Under your definition viruses like The Love Bug (aka ILOVEYOU), Anna
Kournikova, Sobig-F, Nyxem-D (the recent Kama Sutra virus)
and literally tens of thousands of other pieces of malware aren't viruses.

Just about every Windows email virus, for instance, requires user
interaction (the user to click on the attached file). But
you'll realise that the media and IT community do not call them Trojan
horses. They call them viruses! There is no rule saying that "if user
interaction is required then it can't be a virus".

We also call OSX/Leap-A a worm. Worms are a subset of "viruses".

I realise that having a new piece of malware on Mac OS X is unusual, but I hope you understand why it is correct to call it a virus.

I notice you referenced some definitions from Symantec in your email. You should know that they also agree that it's a worm.

http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html

Sincerely,
Graham Cluley, Senior technology consultant, Sophos"

AND

"Dear Sir,

SophosLabs classifies malware by its ability to propagate, not its
infection technique. Upon infection, Leap-A (among other things) harvests the user's Buddy List (similar to an address book) and spreads itself to other users via iChat. Hence, since Leap-A self-propagates, it is
considered a worm. Had it only infected and not self-propagated, it would have been considered a Trojan.

Regards,
David Pomerleau
Sophos Technical Support"

Feb 16, 06 - 01:06 pm Comment from: Sune

You people are a bunch of idiots. This thing is SOPHISTICATED and DOES SPREAD - and you idiots are sitting there in denial as always.

If you had any brains (I know what a stretch that is) then you would analyse the report and see how easy it is for this thing to propagate.

- It keeps a payload in /tmp.

- It used input managers which as any Cocoa programmer will tell you are WIDE OPEN.

- It actually takes infected applications and copies them to its ever growing resource fork (see the nightmare of your favorite file system coming back to haunt).

- It copies itself to infected applications. Because it's already installed an input manager, it can get its copy of your application to run.

- It employs resource forks to lure users.

If you want to be complacent about this, fine; the rest of the world have already begun laughing at you, and you'll just have to accept that too.

MORONS.

Feb 16, 06 - 01:19 pm Comment from: Me

Ah yes, the beginning of the end. I wrote several comments in the past few months saying wait for the viruses to attack and here they are. In a few months it will be all but impossible to do anything on a Mac except to reboot it. If there was ever a time to short Apple stock now is the time to do it. With no decent anti-virus program available and almost nobody running software to protect their systems is a recipe for disaster.

Any hope of Apple breaking into the business market has just dried up. There is no way a business is going to bet their lives on an untested operating system that is slow and prime to be attacked. Apple really screwed up on this and there is no easy way for them to talk their way out of it.

Sounds like a good idea to start trying to get Windows installed on the Mac you just purchased -- it's the only operating system that is fast, efficient, and secure.

Feb 16, 06 - 01:22 pm Comment from: Um..

Honestly MDN, you need to fix your "Take." Sophos classifies this as a worm, which is a "type of virus." Hence, this is a virus. Therefore this is the first OS X virus. We all knew it would happen someday; denial won't make it go away. So from now on we have to put the count at:

Windows viruses: 60,000+
Mac OS X viruses: 1

Feb 16, 06 - 01:59 pm Comment from: not a virus

posted by: DakRoland

"If I'm required to accept a file to download, decompress it, open it, double click on it, type in my admin password, sacrifice a chicken to Foghorn Leghorn, do the Hokey Pokey and bowl a perfect 300....IT AIN'T A VIRUS. And it sure as hell isn't going to fool 99% of Mac Users."

bravo

LOL

Feb 16, 06 - 01:59 pm Comment from: my2cents

Hi all,

I'm a long time Mac user and I'm not a huge fan of Micro$oft Windose.

That said, MDN's TAKE IS WAY OFF ON THE LEAP-A ISSUE. As a matter of fact, most of MDN's virus-related articles have been nothing more than propaganda. I've always said that the only reason not to have an antivirus solution on your OS X Mac is if you want 100% of your system resources.

clamXav is a free antivirus program that has served me well for several months now -- I was getting tired of NAV hogging all of my system's resources. :~)

The fact is that Mac OS X can now be infected with [insert the term of your choice here]. Wouldn't MDN be better serving its readers by helping us to defend ourselves against this [insert the term of your choice here]?

Feb 16, 06 - 03:15 pm Comment from: Wil

Could someone explain to me exactly what this trojan does that makes it so malicious?

Feb 16, 06 - 03:48 pm Comment from: PC Apologist

If it's a PowerPC-compiled (non-Universal) application, does that mean that Rosetta will run it on MacBooks and Intel iMacs?

--Rob

Feb 16, 06 - 03:48 pm Comment from: Dave H

Ben

Thanks for the correction. In which case we have one more reason to always log into our Macs as standard accounts, and promote rights where necessary.

With UNIX, you should operate the least privilege rule at all times.

Feb 16, 06 - 03:54 pm Comment from: Dave H

Ha, listen to me playing the schoolma'am.

Anyone gonna bring me an Apple?

grin

Feb 16, 06 - 04:04 pm Comment from: LordRobin

Social engineering works on any platform. This malware does not exploit any security holes, so I don't see how this can be seen as a black mark against Mac security. If you run an application, that application has power over your system. Whudda revelation!

The more important questions are:
-- How easy is it to tell you've caught this thing?
-- How easy is it to get rid of?

I'm guessing "pretty easy" in both cases.

Feb 16, 06 - 04:06 pm Comment from: stormy

Let's quit splitting hairs. Some people consider it a virus some don't. I don't but who cares. Not all Mac users are smart. Some are very dumb.

Best advice is do not run as Admin. If you are responsible for other Macs in your network make sure the user is a Standard account.

Feb 16, 06 - 04:10 pm Comment from: Mac

Once a mac user, always a mac user. 99% Mac heads (overblown and full of hot air as usual) aren't geared towards technical concepts so it'll take them a while to catch up. Welcome to the big times fellas.

Feb 16, 06 - 04:44 pm Comment from: solarflare

Guess what guys - SYMANTEC HAS 'JUST SO HAPPENED' TO HAVE ANNOUNCED AN UPDATE TO FIGHT THIS SO CALLED 'WORM'.

I smell a rat...

Feb 16, 06 - 04:50 pm Comment from: solarflare

re: Mac

'F-cough'

Feb 16, 06 - 05:29 pm Comment from: jade

Wait for it...lil longer..there ya go; Dvorak, Enderle, and Thurrot's orgasmic grunts big surprise confused

Feb 16, 06 - 05:39 pm Comment from: informed

To all the screaming halfwits:

I don't recall ever reading/hearing a Mac defender claim that malware couldn't be written to run on a Mac.

But, as has been stated many times, this malware isn't exploiting some OSX security flaw. It isn't opening up ports (it can't) and won't be turning any Mac into a malware-spewing drone (it can't).

It's a pretty big stretch to claim this is a virus.

Feb 16, 06 - 06:43 pm Comment from: mossman

Andrew Welch's disassembly does indicate virus-like qualities once the trojan is activated--namely, "injecting" its code into non-root applications so that on next launch the corrupted application tries to spread or re-compromise the system.

It's a trojan first and foremost, but with the code-injection, it also falls into the virus category.

Trust me, I hate having to say this as much as any of you! The timing couldn't be worse; I got into a rare Mac/PC argument with friends last week, and said there were no modern Mac viruses. Less than a week later this comes out, so they'll surely try to make me eat crow on this point (fortunately, my main thrust was that Macs are inherently more secure).

User interaction is irrelevant. In the old days, after all, the user interaction was carrying infected programs via floppy disks. Only self-propagating worms require no user interaction, and only as a result of lax security, which isn't the case here.

Feb 16, 06 - 08:35 pm Comment from: What is it?

Ok, I'm a little late in the game here, but has this actually affected real users out there? If so, how many?

Anyway informed said that:

"But, as has been stated many times, this malware isn't exploiting some OSX security flaw."

Why is not a security flaw that OSX allows a program to send out a file to people on his mail list without the user's permission? Why not just make it so that a USER has to approve a file to be sent to people? That way, there'd be no way for a person to UNINTENTIONALLY send out a file to anyone. So if one person knows he's infected, he can not send the infected file to others, unless, of course, he's a real son of a bitch and wants people to be infected.

Feb 17, 06 - 03:52 am Comment from: Preston

"Why is not a security flaw that OSX allows a program to send out a file to people on his mail list without the user's permission?"

Because once a user ignores security prompts and runs a program with admin permissions, that program can do whatever it wants.

"Why not just make it so that a USER has to approve a file to be sent to people? "

The user essentially does when they run the malicious program. Read up on what this thing does. And note that it's absolutely no different from other trojans in the past, including MP3Concept. This thing won't go anywhere.

Feb 17, 06 - 09:26 am Comment from: A solution?

It seems that a relatively simple solution would be to make whatever program that allows files to be sent (Mail, iChat, etc.) ask the user's permission before it sends a file to anyone, so that there'd be no way for a file to be sent unintentionally. It may be a hassle, but for the sake of security, it would be an adjustment worth making.

Feb 17, 06 - 05:21 pm Comment from: Bill in Kansas

I guess as an OS X user I'm one of the 'smug' ones. With this 'virus' out I'm even smuggier(?) because now I have the possibility of being like the rest of the 'real world'.

Oct 29, 06 - 07:12 am Comment from: Addison

LOST-en.750.datadir.tar

In keeping with the general thread of these virus arguments in OSX ......

There's a folder called "scripts" in the Shared folder of OSX. The files contained in the 'scripts' folder have been traced to an executable file with the name "LOST-en.750.datadir.tar"

Does anyone know if the scripts contained in the "scripts" folder are virus safe?

Thanks,

Addison
