Apple: ‘Leap-A’ not a virus; only accept files from vendors and Web sites that you know and trust

“A malicious program that could be the first Trojan in the wild to target Apple Computer’s Mac OS X operating system has been discovered, security experts confirmed Thursday. Apple and outside analysts said the program, referred to as Leap-A, is not a ‘virus,’ per se. Rather, it ‘requires a user to download the application and execute the resulting file,’ Apple said in a statement to CNET News.com. The company provided no further comment on the nature of the program,” Anne Broache reports for CNET News. “The malicious software, which has also been dubbed OSX/Oompa-A and the Ooompa Loompa Trojan Horse by other security experts, appears to have spread minimally so far and has achieved low-level threat classifications from McAfee and Symantec. But security experts cautioned Macintosh users to view the incident as a wake-up call that all operating systems have vulnerabilities.”

MacDailyNews Take: Did security experts also caution Macintosh users to view the incident as a wake-up call that all operating systems can run programs, too? Do not download “latestpics.tgz” and then uncompress it and then run it by giving Mac OS X your Admin password at the prompt. Also, do not drag files that you wish to keep on your hard drives to the Trash and then empty it.

“‘It’s not really news as far as threats go,’ said Ray Wagner, a senior vice president in Gartner’s information security group. ‘It is news because it targets OS X, and as far as I know, it’s certainly the first OS X malicious content in the wild that’s been noted at this point,’” Broache reports. “Apple directed customers to a safety guide at its site and said it ‘always advises Macintosh users to only accept files from vendors and Web sites that they know and trust.’”

Full article here.


Related MacDailyNews articles:
Incorrect reports of ‘Mac OS X virus’ begin to circulate – February 16, 2006
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004

73 Comments

  1. This is bullshit.

    Nonetheless, the peecee fanbase and Mafiasoft lapdogs are getting moist and touching themselves over this “much ado about nothing”®

    Use “common sense”, folks. Why give your admin or root password to a picture?


  2. OMG, a trojan that requires 5 to 6* acknowledgments from an admin user to work! You never know, one might just download an unknown file from an unknown source, double-click the file to decompress, double-click to open, enter pw for first run of new app, and enter admin pw to enable. This could potentially cause at least a few dollars in global economic damage.

    * if DLd from Safari with Open Safe Files disabled, the DL window will warn the user requiring a positive response to continue the DL.

  3. I’m tired of us Mac users being treated like second class citizens. Why can’t we get a proper, hardcore, bag the whole fsking computer, network, servers and bank machines like Windows users have had for so many years.

    It’s just not fair, damn it!


  4. Geez–

    Can’t we get anything right? No self-propagating virrii. We should just give up. Seriously.

    Give. Up.


  5. The following html tags are allowed in Reader Feedback:

    <b>bold</b> result: bold
    <i>italics</i> result: italics
    <u>underline</u> result: <u>underline</u>
    <em>emphasis</em> result: emphasis
    <strike>strikethru</strike> result: <strike>strikethru</strike>
    <strong>strong</strong> result: strong

    Also allowed:
    <pre>pre-formatted text</pre>
    <code>code</code>

    Link format:
    <a href=”http://www.macdailynews.com”>MacDailyNews</a> result: MacDailyNews

    [This information has been added above the feedback box for future reference.]

  6. It actually is a virus because it self-propagates, it was even classified as one. Who cares if it requires user interaction? Many Windows viruses require you to download and open attachments. This is exactly the same. Why is it so hard to admit the Mac OS X has one virus? It’s not like it does any damage, and it’s still 59,000 fewer than Windows has.

  7. I’ve been a Windows user but Mac fanboy for yrs and I have no viruses on my PC. You know why? cuz I’m not an idiot. Guess what else, I don’t use virus protection, I’ve used virus detection software twice in 10 yrs… and only ever found one on my PC.

    You have to be stupid to get a virus on Windows, and EVEN MORE STUPID to get one on a Mac, I think actually people who would get any sort of “malicious ware” on their Mac should be shot because they delay human evolution… as long as I get their Macs when they die.

  8. Exactly – the days of Windows automatically installing and running virus code are long gone (about 5 years ago?). This Mac virus is identical in concept to current Windows viruses – the user must download it and then run it. Like all Windows viruses, it claims to be something interesting that you want to open.

    It’s a virus folks. Get over it.

  9. … when it’s on a Mac!

    I can see a new Mac security phenomenon arriving. First we had “security by obscurity” and now we have “security by denial”. As long as we all redefine any Mac virus as something else involving “social engineering” the Mac will remain virus free! Excellent news!

  10. Ok, we can go back to bashing Microsoft again, seems exploits for WMP are out and about.

    <i>The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system.</i>

    Now <u>that</u> sounds better, don’t it?

    No tricks URL, just paste it in your browser if you’re leery.

    http://news.com.com/2100-1002_3-6040746.html?part=rss&tag=6040746&subj=news

  11. “Exactly – the days of Windows automatically installing and running virus code are long gone (about 5 years ago?). “

    I guess you missed the recent Windows WMF vulnerability which allowed for silent and automatic execution of code.

    “It’s a virus folks. Get over it.”

    An all-volunteer virus. What person would ignore Safari’s prompt of an executable being in the compressed file? Your attempt to align this with the insecure world of Windows doesn’t fly.

  12. I’d like to mention, this is no different from past trojan proofs-of-concept that targeted OS X, like MP3Concept from 2004: http://securityresponse.symantec.com/avcenter/venc/data/mp3concept.html

    MP3Concept even used the same icon swap technique. These things never end up spreading to any measurable degree, and when someone says Macs have no viruses and trojans, that’s what they’re referring to. Not that people haven’t written some and tried. Dozens have been written in the past five years. This isn’t the first trojan targeting OS X. The point is that they never go anywhere because OS X doesn’t have any exploitable mechanisms for automatically downloading and running the code.

    This will be forgotten in a couple of weeks, just like the Safari widget auto-installation hoopla when Tiger first came out (which was an actual behavioral flaw). Basically, an isolated incident of some guy on a forum tricking some users into running his buggy executable before admins removed his post has now been picked up on the national newswire (Reuters, Drudge Report) as “The First OS X Virus!” Absolutely stunning.

    I’m really disappointed with MacRumors right now for not only posting their announcement as “the first OS X trojan/virus” but for neglecting to mention that lots of trojans have targeted OS X (including MP3Concept which used the same icon trick), the point being that trojans on OS X never propagate to any measurable degree. Now the bigger tech sites have run their story, and misinformation is all over the place.

  13. RC and others, sorry but you are all wrong. Exactly – the days of Windows automatically installing and running virus code are long gone (about 5 years ago?). This Mac virus is identical in concept to current Windows viruses – the user must download it and then run it. Like all Windows viruses, it claims to be something interesting that you want to open.

    It’s a virus folks. Get over it.

    What you describe above is not a virus, it is a trojan horse. And it would be a trojan horse and not a virus on Windows as well. If the user has to do ANYTHING it is not a virus. Same for Windows: if the user has to do ANYTHING it is not a virus. A virus is like MSBlaster: you boot your PC, you do NOTHING, the PC gets infected just because it is on, and spreads the same malware to other PCs. This is a virus: no user intervention, all automatic.

    Trojan horses rely on the naive user to do their work, no OS can protect a naive user from himself. Not a single one. It can try to wake up the naive user with “Are you sure?” “This is an application that wants to get installed” etc. warnings, but if the user clicks ok, ok, ok, etc. what can you do? So, if someone tells you that a new Windows virus is in the wild but you have to download and do something, please, next time just say: silly, this is not a virus, it is a naive-user catcher. In this case the weakness is not the OS, Windows or OS X, but the user. I could not blame Windows for being vulnerable to its users, any more than a Mac.
    The problem in Windows, and it is still there, sorry, is exploitable code that can take over your machine just because it is on.

    In this case a user must first receive the malware file in question (either via download from a Web site, via e-mail, or via iChat file transfer), then double-click the file to expand it, then double-click the resulting file. Then the last file appears to be a JPEG graphic but is instead an executable file.

    If you receive a file that doesn’t look like something you’d expect to receive, even if it’s ostensibly from someone you know, it’s pretty clear that you shouldn’t be launching the file.

    I do not blame Windows for such problems. It is not an OS weakness if the user has to actively help the malware to do its job.

    This isn’t really taking advantage of any holes in the OS security, instead, it’s taking advantage of the willingness of the user to open an unknown file. That’s not exactly a virus or worm. As was pointed out on the Apple OS X Server Admin mailing list, if I write an OS X user an e-mail message and say, “Hey, open the Terminal and type rm -rf *” it’s not really the fault of the OS if the user follows my instruction and a bunch of files get deleted. My e-mail isn’t a “virus,” and the inherent security of the system isn’t flawed.
    Instead, it’s the fault of the user for believing me when I said the user should do something dumb.

    There’s a somewhat technical discussion of what this file is and what it does here:

    http://www.ambrosiasw.com/forums/index.php?showtopic=102379

    RC’s and other Windows users’ reaction to the “Get over it, it is a virus” clearly demonstrates the problem Microsoft faces with its users. If they do not know the difference between a virus and a trojan horse, how in the world can Windows rely on its users to help it not get infected?

    I said it many times already, one big problem in Windows is exactly that the ones that should be more aware of security issues and possible ways of attacking a computer are exactly the ones more in the dark. Devilish combination.


  14. Follow-up

    A good read is http://toxicsoftware.com/blog/index.php/weblog/entry/us_vs_them/

    Why? because it describes Input Managers, what this trojan horse deals with as you have read in the link to ambrosia (you did read that, right?)

    Personally I do not have any Input Manager myself. This particular malware also can act as a worm: it attempts to – if you give permission to install it – hijack InputManager to access iChat, then sends itself as an attachment to your iChat Buddies.

    To a large extent, it does rely on user naivety: Safari at least will warn about it, and you need to manually extract the tgz and launch it.

    Here are a few things you can do. The first is valid no matter the OS you are running. Windows included:

    a) Don’t download ANYTHING from anonymous sites
    b) Heed Safari’s warnings about suspicious downloads
    c) Don’t open attachments from Buddies without double-checking with them
    d) Be *really* careful about authenticating as admin – you essentially tell the OS “don’t be paranoid, do it, I know what I am doing”. So the OS trusts you.
    e) To disable Input Managers (if you don’t need them):
    $ sudo chmod 755 /Library # so it requires explicit privileges to create
    $ touch ~/Library/Input\ Managers
    $ chmod 555 ~/Library/Input\ Managers

    With the above, the trojan will not be able to hijack Input Managers
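The hardening in item (e) of this comment, turned into a small audit script. This is an example added here, not code from MacDailyNews or from the commenter. It assumes the Input Manager search paths are /Library/InputManagers and ~/Library/InputManagers (spelled here without a space; change the two paths in audit() if your system names them differently) and treats any entry inside those directories as a loadable bundle. The classification names (absent, locked, empty, loaded) and the function names are this example's own.

```shell
#!/bin/sh
# audit_input_managers.sh (added example, not from the page or the commenter).
# Lists what would load from the Input Manager search paths and reports whether
# the per-user path is a real directory or the locked placeholder file from the
# comment above. Assumed paths: /Library/InputManagers, ~/Library/InputManagers.

# Classify one Input Manager path on stdout; bundle names go to stderr.
#   absent  nothing there (nothing loads, but nothing stops a later mkdir either)
#   locked  a non-directory placeholder, i.e. the touch/chmod trick from the comment
#   empty   a directory holding no bundles
#   loaded  a directory holding one or more bundles
im_status() {
  p="$1"
  [ -e "$p" ] || { echo absent; return 0; }
  [ -d "$p" ] || { echo locked; return 0; }
  n=0
  for b in "$p"/*; do
    [ -e "$b" ] || continue        # no matches: the glob stays literal, skip it
    n=$((n + 1))
    printf '  bundle: %s\n' "$b" >&2
  done
  if [ "$n" -eq 0 ]; then echo empty; else echo loaded; fi
}

# True when group or others may write to the path. Parsed from ls -ld so the
# same code runs on BSD and GNU userlands. A group-writable /Library is what
# lets any admin-group process create a new InputManagers directory quietly;
# the comment's "chmod 755 /Library" closes that.
is_group_or_world_writable() {
  [ -e "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c1-10)
  case "$perms" in
    ?????w*) return 0 ;;           # group write bit (6th character)
    ????????w?) return 0 ;;        # other write bit (9th character)
  esac
  return 1
}

# Put the placeholder in place only when nothing is there. A directory is never
# clobbered, so a bundle that is already installed cannot be hidden from the audit.
lock_input_managers() {
  p="$1"
  case "$(im_status "$p" 2>/dev/null)" in
    absent) : > "$p" && chmod 555 "$p" && echo locked ;;
    locked) echo locked ;;
    *) echo "refusing: $p is a directory, review its contents first" >&2; return 1 ;;
  esac
}

# Report on both search paths, then flag a loose /Library.
audit() {
  for p in /Library/InputManagers "$HOME/Library/InputManagers"; do
    printf '%s: %s\n' "$p" "$(im_status "$p")"
  done
  if is_group_or_world_writable /Library; then
    echo "/Library is group- or world-writable (the comment suggests chmod 755)"
  fi
}

# Only run the report when invoked as: sh audit_input_managers.sh --audit
case "${1:-}" in --audit) audit ;; esac
```

Two caveats worth knowing before relying on the placeholder trick. The 555 file only stops a naive mkdir: ~/Library itself stays writable by the user, so anything running with the user's rights can delete the file and recreate the directory, which is why the audit (a `loaded` result in a per-user path where you never installed an Input Manager) is the more durable control. And `chmod 755 /Library` changes a default group permission; check that any installer you depend on still works afterwards.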

  15. “It actually is a virus because it self-propagates, it was even classified as one. Who cares if it requires user interaction? Many Windows viruses require you to download and open attachments. This is exactly the same.” — Um

    Amazing. Did you read yourself? A virus not only self-propagates but installs without user intervention. A self-propagating malware is actually a worm, after the naive user has allowed itself to install.

    “Many Windows viruses”: Those are NOT Windows viruses.

    As Seahawk said: how can you beat an enemy (the malware) if you do not even know it? Windows users, please, inform yourselves already!

  16. You can delete files from a command prompt.

    You can write a script that will delete files from a command prompt.

    You can name that script HotSexyPicture.tgz, convince someone to uncompress it, give it their admin password, and run the script that deletes the files from a command prompt.

    How is this new, and how is this a virus? I wouldn’t even call it a trojan because it requires so much work to make it happen.

    However, if I wrote a one-line batch file that deletes the contents of “My Documents” on Windows, and named it HotSexyPicture.com or HotSexyPicture.bat, I could get that onto someone’s system with execute permissions without having to compress it first, and it would do its deed simply by double-clicking on it, no password needed.

    So tell me again how Macs are “just as vulnerable as PCs”, corporate media. This case seems to prove the opposite.
