Apple: ‘Leap-A’ not a virus; only accept files from vendors and Web sites that you know and trust

“A malicious program that could be the first Trojan in the wild to target Apple Computer’s Mac OS X operating system has been discovered, security experts confirmed Thursday. Apple and outside analysts said the program, referred to as Leap-A, is not a ‘virus,’ per se. Rather, it ‘requires a user to download the application and execute the resulting file,’ Apple said in a statement to CNET News.com. The company provided no further comment on the nature of the program,” Anne Broache reports for CNET News. “The malicious software, which has also been dubbed OSX/Oompa-A and the Ooompa Loompa Trojan Horse by other security experts, appears to have spread minimally so far and has achieved low-level threat classifications from McAfee and Symantec. But security experts cautioned Macintosh users to view the incident as a wake-up call that all operating systems have vulnerabilities.”

MacDailyNews Take: Did security experts also caution Macintosh users to view the incident as a wake-up call that all operating systems can run programs, too? Do not download “latestpics.tgz” and then uncompress it and then run it by giving Mac OS X your Admin password at the prompt. Also, do not drag files that you wish to keep on your hard drives to the Trash and then empty it.

“‘It’s not really news as far as threats go,’ said Ray Wagner, a senior vice president in Gartner’s information security group. ‘It is news because it targets OS X, and as far as I know, it’s certainly the first OS X malicious content in the wild that’s been noted at this point,’” Broache reports. “Apple directed customers to a safety guide at its site and said it ‘always advises Macintosh users to only accept files from vendors and Web sites that they know and trust.’”

Full article here.


Related MacDailyNews articles:
Incorrect reports of ‘Mac OS X virus’ begin to circulate – February 16, 2006
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004

73 Comments

  1. “‘It’s not really news as far as threats go,’ said Ray Wagner, a senior vice president in Gartner’s information security group. ‘It is news because it targets OS X, and as far as I know, it’s certainly the first OS X malicious content in the wild that’s been noted at this point,’”

    Well Mr. Wagner… guess you haven’t been keeping track of OS X security information very well since you’ve never heard of the Opener script.

  2. Opener was virtually nothing more than a proof of concept script. There were no real confirmed sightings of it in the wild. As for Leap, the only ones that were infected were the dolts that downloaded and installed it from that rumor site’s message board. I’ve seen no confirmed reports of it actually propagating out in the wild.

  3. Third party programs using root are installing “helper programs”

    This is the email response I got back from a developer concerning the issue of secretly trying to install code in root when I was about to clone my drive using their software.

    I’m sorry that xxx isn’t at your convenience.

    Actually I must say that I can’t agree with some of your criticisms. (Sorry, my English is not perfect.)

    1. The “Helper Tool” is a tool to make xxx more secure. xxx authorizes the helper tool to do root privileged operations. The helper tool itself doesn’t keep the authorization, and so can’t be used to do root operations by any other user (via shell…). xxx keeps the authorization for some minutes (then it expires), just as any other “safe” third party system utilities (some really unsafe utilities even save the admin password in the keychain, and keep the authorization active until quit).
    I decided to install the helper tool right at launch, to ensure that only admin users are able to use xxx (I confess that this is uncommon, but in my opinion it provides further security. – other utilities do it “hidden” when starting the first admin priv. process). I also decided to install the helper tool (instead of using it in the app bundle) in a safe system location (just as most command-line tools are installed). A different method to execute admin commands is AppleScript (which is used by some other utilities), which is not at all safer than a proper helper tool. A helper tool is a common and “safe” way to do root privileged operations on Mac OS X, and the ADC (Apple Developer Connection) recommended that I build a helper tool, and not execute via app or shell directly.

    2. I confess that the updates provide a potential security hole, and maybe it’s not a good argument, but this is also a very common way to distribute updates. There are hundreds of utilities, which require root privileges, that are distributed like this, and even major software companies offer their updates on normal download mirrors. Anyway I will not ignore your advice, and will continue to make the update notification and download more secure.

    3. I also confess that I can’t deny that xxx is theoretically hackable, but I think not more or less than any common system utility. The authorization technology I use in xxx is a standard authorization technology provided by the ADC (Apple). Anyway I’m very concerned about the security of xxx and my customers, and will continue updating and improving its security.

    Thanks much for your email. Actually I appreciate critical customers, even if I regret to lose you as a customer.

    The problem doesn’t sound bad, but it is: you’re using a program to do something as root, say offline for better security. The only problem is it leaves something behind for some other program to exploit its flaws.

    Since flaws can go unfounded for months or even years, this gives the bad guys access to root.

    I can’t find anything on the Apple Developer Connection recommending installing rootkits on people’s Macs.

    http://homepage.mac.com/hogfish/Personal21.html

  4. Good grief, why is the media feeding on this? Mac-aware security people are all saying that this is NOTHING to worry about. How come the media isn’t picking up on THEIR side of the story?

    [url=”http://blogs.ittoolbox.com/security/investigator/archives/007789.asp”]
    Quote:Nothing to see here folks, move along![/url]

  5. Discussions at MR have a pretty good handle on the whole non issue since that is where the link was first posted yesterday
    http://forums.macrumors.com/showthread.php?t=180579
    On the evening of the 13th, an unknown user posted a link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named “latestpics.tgz”.

    The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression. Routines listed include:

    _infect:
    _infectApps:
    _installHooks:
    _copySelf:

    The exact consequences of the application are unclear, but users who originally executed the application have noted that it appears to self propagate even after the original file has been deleted:
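The comment above describes the core trick: an archive that unpacks to something wearing a JPEG icon but containing a compiled executable. As an added example (not code from the article or from any commenter), the following shell script shows the check a cautious user could run on an extracted file before trusting its icon or name: read the first four bytes and compare them against the standard JPEG and Mach-O magic numbers. The sample files, their names and the directory are constructed here for the demonstration; only the magic numbers themselves are real.

```shell
#!/bin/sh
# Added example (not from the page): detect a Mach-O executable that is
# presented as an image, by inspecting magic bytes rather than icon or name.

# Print the first four bytes of a file as lowercase hex with no separators.
magic4() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Classify a file by its magic number. Prints one of: jpeg, macho, unknown.
classify_magic() {
    case "$(magic4 "$1")" in
        ffd8ff*)            echo jpeg ;;     # JPEG start-of-image marker
        feedface|feedfacf)  echo macho ;;    # Mach-O, big-endian 32/64-bit (PPC era)
        cefaedfe|cffaedfe)  echo macho ;;    # Mach-O, little-endian 32/64-bit (Intel)
        cafebabe)           echo macho ;;    # Universal (fat) Mach-O; also Java class magic
        *)                  echo unknown ;;
    esac
}

# Succeed (exit 0) when the file is a Mach-O executable, whatever it is called.
# This is the question to ask of anything like "latestpics" before opening it.
is_disguised_executable() {
    [ "$(classify_magic "$1")" = macho ]
}

# Constructed sample files (not real malware): a minimal JPEG header, and a
# file named like a picture that starts with the big-endian Mach-O magic.
demo_dir=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo_dir/real.jpg"
printf '\376\355\372\316ABCD' > "$demo_dir/latestpics.jpg"

for f in "$demo_dir"/*; do
    if is_disguised_executable "$f"; then
        echo "WARNING: $f is named like an image but is a Mach-O executable"
    else
        echo "ok: $f is $(classify_magic "$f")"
    fi
done
rm -rf "$demo_dir"
```

The check keys on file content only, which is exactly what the Finder icon and the `.tgz` name hide. Note that `cafebabe` is shared by fat Mach-O binaries and Java class files, so on a real system a hit there deserves a second look with `file(1)` rather than an automatic verdict.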

  6. Nostradomus

    No BBCode here and the only HTML is Italic and perhaps bold (but I think it’s been turned off) so far I’ve gotten to work.

    You can paste a url and it will turn into a link, but not <a href =”http://macdailynews.com”>Visit this site</a> links or downloads.

  7. from Apple discussion board
    Trojan Warning “latestpics.tgz”
    Posted: Feb 16, 2006 6:50 AM

    This file may be renamed to something else and provided in a link in a post, iChat or email; it requires your admin password to run.

    It cannot get on your machine unannounced like a virus can. (No Mac OS X viruses so far.) Although if you’re not paying attention it can appear on your desktop or downloads folder in a flash and you may wonder what it is and/or double click it by accident.

    It requires social engineering to trick the user into downloading and providing an admin password.

    As always guard that admin password and don’t give it out to any program you don’t trust 100%, and even then watch out as it may install something anyway as a “feature” or “helper” program, even make unknown internet connections, or its code can be exploitable running as root. (Such as the Sony/BMG rootkit or Norton AV rar files.)

    Clone your boot drive occasionally and backup your files regularly, so in case you do get tricked, you simply boot off the Mac OS X Installer disk and use Disk Utility to erase the infected drive(s), boot off the clone and reverse clone. (Don’t hook a clean write-able drive to an infected system.)

    More information about this Trojan can be found here.

    http://www.ambrosiasw.com/forums/index.php?showtopic=102379

    More info on how to clone your boot drive can be found here

    http://homepage.mac.com/hogfish/Personal6.html

    Help cloning your boot drive can be found free of charge by visiting Carbon Copy Cloner’s forums.

  8. uuuuh, i am NOT scared! this is no virus… of course…if i tell you erase your hd and you do it… then this procedure “could” (eventually) be called a virus (but rather a virus of the sick mind than a computer virus)… falling asleep while standing… this is NON-INFORMATION, since nothing new!!! get back to work!!!

  9. Actually the first Mac OS X trojan “in the wild” was a program that looked like OfficeMac circulated via P2P networks and various posts, emails and such.

    Except this wasn’t very nice, it wiped out the entire contents of a user’s home.

    Since then Apple has initiated the “this is a program you’re downloading” warning to combat the “looks like a file” tricks, but nothing to combat downloading a malicious app.

    I’m surprised the author of this malware didn’t just wipe the contents of user/home.

  10. It doesn’t matter how hard it is to “run” this trojan ..

    All the media needs are the words “virus” and Mac OSX and that’s all they care about ..

    All you’re going to read and hear from now on in is that Macs are just as prone to viruses as PCs

    Mark my words … the PC guys will run with this ….

  11. You’d think when Safari pops up and says you’re downloading a program, most people would not run the file. Ugh. Expect lots of bashing and raving from the Windows peanut gallery, even though OS X’s own safeguards require you to execute this yourself and give it permission–just as with any potentially malicious program.

  12. Nick –

    Where did you hear that? Wherever / whoever it was has given you disinformation. As a matter of fact, Intel Macs are currently more secure than PPC variants because this trojan is designed to run only on PPC.

  13. How about this?: Visit this site

    or this:

    Quote:Nothing to see here folks, move along!

    Yep, seems I’m missing something.

    Still going to HTML school I’m afraid, but then I’m old. Excuse me I need to have the nurse wipe my wrinkled butt again.
