Incorrect reports of ‘Mac OS X virus’ begin to circulate

“For the first time Mac users around the world are the target of a malicious code, security experts warn,” Veronique De Freitas reports for WebUser.com. “The virus, named OSX/Leap-A, spreads via the instant messaging iChat program as a file called latestpics.tgz and attempts to spread to contacts on an infected user’s buddy list. According to Sophos, when the latestpics.tgz file is opened it disguises itself with a JPEG graphic icon to fool people into thinking it is harmless.”

“According to Sophos, the recent increase in popularity of Mac computers might be the reason for this attack. Until now, most virus writers were targeting Windows users, but the Mac virus maybe an attempt by someone to prove it could be done, the security company warned,” De Freitas reports. “Graham Cluley, senior technology consultant for Sophos, said: ‘Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real. Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows.’

“Security experts advice Mac users to ensure they run up-to-date anti-virus software, but admit there are fewer anti-virus products for Macintosh than Windows,” De Freitas reports.

Full article — which also features the online poll, “Which do you think is more secure? PC or Mac?” — here.

MacDailyNews Take: It’s not the first time Mac users have been the target of a malicious code. This example is not a virus. Leap-A will leave not leave anyone “shell-shocked.” There are fewer anti-virus products for Macintosh than Windows because there are no Mac OS X viruses. Sophos themselves do not classify Leap-A as a “virus.” Otherwise — note our sarcasm — the article is correct. Of course, Apple Mac OS X users need to be careful running unknown or unsolicited code on their computers. Duh.

This is what it’s come to: making up a Mac OS X “virus” where none exists. Another offender (so far) is The Inquirer.

Advertisements:
MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
iMac and MacBook Pro owners: Apple USB Modem. Easily connect to the Internet using dial-up service. Only $49.
iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
Connect iPod to your television set with the iPod AV Cable. Just $19.

Related MacDailyNews article:
New Mac OS X Trojan warning – February 16, 2006

53 Comments

  1. Anyone who is stupid enough to thinking typing in their Admin password is necessary to open a JPEG deserves their computer to be infected.

    I think we’ve been here before though. Isn’t this exactly the same as the “Word 2004 Installer”?

  2. All of the anti-virus software producers are going to spread this fallacy as loud and as fast as possible. I think it really sucks that we now must do damage control AGAINST the ones that CLAIM to be helping us.

    1 inert Trojan file does NOT equal 100,000 self-replicating viruses!

  3. Graham Cluley, senior technology consultant for Sophos, said: ‘Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real…”

    Exactly WHO has ever said that “Mac OS X is completely invulnerable!”? Who? I have never heard anyone – ‘experts’, users, or developers – say that. Why is it that some people seem to want to make us look like we’re complete idiots. Seriously, I’ve never held that belief. But I also don’t believe I need to run Anti-Virus to protect Mac OS X…yet. I run it to keep files clean of WINDOWS™ MALWARE® to protect other Windows users I share files with.

    If I’m required to accept a file to download, decrompress it, open it, double click on it, type in my admin password, sacrifice a chicken to Foghorn Leghorn, do the Hokey Pokey and bowl a perfect 300….IT AIN’T A VIRUS. And it sure as hell isn’t going to fool 99% of Mac Users.

    Sorry, I’m just in a pissy mood this morning and this didn’t help much. (>_<)

  4. Although it is more of a Trojan than a virus, that is pointless hair splitting. It can be propogated by naive users – thats a key reason WIndows Trojans propogate – people love to click on an image (and this file reprecsents itself as an image).
    A lot of windows nasties have not particularly targeted OS flaws but just user stupidity, e.g. knowing if they email a user what *appears” to be an image with a suitably worded message in the email then a certain proportion of users will click that image and launch the Trojan.
    Such a thing will not spread like wildfire in the way a virus that needs no human intervention will (e.g. windows nimda / code red) but it will spread and disproportionately affect the most naive / trusting users. Simplistic social engineering always gets some easy victims.

    Raised apple profile means inevitably more mac exploits, get used to it, do not take a hide your head in the sand approach. Past “safety” on mac does not mean you should not take a paranoid approach to files / emails you receive.

  5. For everybody who hasn’t been following this since the 13th when it was released, here is the information on it. (First an formost Sophos never discovered this. It was released as a file on the macrumors forum by a user know as “lasthope”. The original post can be found here http://forums.macrumors.com/showthread.php?t=180066.

    This has been a hot topic on the macrumors forum for some time and the experts have been working to see how dangerous this truely is.

    One thing that is missleading is that uses Bonjour to send itself (due to zero-networking) although it can be sent via iChat/AIM.

    Andrew, Forum Adminstrator, over at Ambrosia Software has be disassembling the file and this is what he has to say:

    ————————————
    http://www.ambrosiasw.com/forums/index.php?showtopic=102379
    ————————————

    —cont.

  6. —Contiuned

    A file called “latestpics.tgz” was posted on a Mac rumors web site http://www.macrumors.com/ , claiming to be pictures of “MacOS X Leopard” (an upcoming version of MacOS X, aka “MacOS X 10.5”). It is actually a Trojan (or arguably, a very non-virulent virus). We’ll call it “Oompa-Loompa” (aka “OSX/Oomp-A”) for reasons that will become obvious.

    Unless you work for an anti-virus company, please don’t email/message me asking for a copy of this trojan. It’s not going to happen.

    You cannot be infected by this unless you do all of the following:

    1) Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file

    2) Double-click on the file to decompress it

    3) Double-click on the resulting file to “open” it

    …and then for most users, you must also enter your Admin password.

    You cannot simply “catch” the virus. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you unarchive the file, and then open it.

    A few important points

    — This should probably be classified as a Trojan, not a virus, because it doesn’t self-propagate externally (though it could arguably be called a very non-virulent virus)

    — It does not exploit any security holes; rather it uses “social engineering” to get the user to launch it on their system

    — It requires the admin password if you’re not running as an admin user

    — It doesn’t actually do anything other than attempt to propagate itself via iChat

    — It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching

    — It’s not particularly sophisticated

    To be on the safe side…

    DO NOT DOWNLOAD OR RUN THIS FILE

    When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.

    After it’s been unzipped, tar will tell you there are two files in the archive:

    ._latestpics
    latestpics

    …the ._latestpics is just the resource fork of the file, which contains the pasted in custom icon meant to fool people into double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.

    The file “latestpics” is actually a PowerPC-compiled executable program, with routines such as:

    _infect:
    _infectApps:
    _installHooks:
    _copySelf:

    Here’s what it does if a user double-clicks on the file, or otherwise executes it:

    1) It copies itself to /tmp as “latestpics”
    2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip’d copy, then sets custom icon bit for the new file in /tmp
    3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
    4) It renames itself from “latestpics.tar.gz” to “latestpics.tgz” then deletes the copied “latestpics” executable from /tmp

    –This gives it a pristine copy of itself, for later transmission.–

    5) It extracts an Input Manager called “apphook.bundle” that is embedded in the macho executable, and copies it to /tmp
    6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
    6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
    7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

    —-cont.

  7. —–Continued

    –This allows it to have the code in the “apphook.bundle” injected into any subsequently launched application via the InputManager mechanism–

    8a) When an application is subsequently launched, the “apphook.bundle” Input Manager then appears to try to send the pristine “latestpics.tgz” file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats).

    8b) (It looks like the author intended to get it to send the “latestpics.tgz” file out via eMail as well, but never got around to writing that code)

    –This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally–

    9) It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
    10) In an apparent “Charlie and the Chocolate Factory” reference, it then checks to see if the xattr ‘oompa’ of the application executable is > 0… if so, it bails out, to prevent it from re-infecting an already infected application
    11) If not, it sets the xattr ‘oompa’ of the application executable to be ‘loompa’ (this does nothing, it is just a marker that it has infected this app)
    12) It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan

    –It has thus effectively injected its code in the host application–

    13) When an infected application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate itself to other applications
    14) It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory… see below)
    15) Due to a bug in it’s code for executing the original app from it’s resource fork, it is only allocating a buffer 4 bytes bigger than the path when appending “/..namedfork/rsrc” to the path, it will stop any app it infects from running. Instead of adding the length of the string, it errantly adds the length of the pointer to the string, which is always 4 bytes.

    In the end, it doesn’t appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running

    It seems that this is more of a “proof of concept” implementation that could be utilized to actually do something in the future, depending on how successful it is, or it was simply done to garner attention/press. Which I’m sure it’ll get.

    …..

    The executable itself has a number of interesting things embedded into various macho segments, including an entire Input Manager bundle called “apphook” (stored as “latestpics_hook.tar”); the string data is “protected” with a simple XOR to prevent easy reading of what it’s doing. It’s definitely trying to mask what it is doing in a number of ways, but is relatively simplistic in nature.

    If you are a programmer, attached is the disassembly of the executable (it’s just a plain text file) for your reading pleasure. This is just the main executable portion of the code, not the embedded “apphook” InputManager code.

    Thanks to Ed Wynne for his crucial help in uncovering the true nature of this trojan, Glenn Anderson for his southern-hemisphere hacking help, and other “smart friends”.

  8. “Apple Mac OS X users need to be careful running unknown or unsolicited code on their computers.”

    Not all, but many Windows viruses proliferate because naive users willingly run unsafe code on their computers.

    As the Mac marketshare increases expect the level of naive users to rise accordingly.

    Where we stand, lack of education is the biggest security threat by far.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.