OSX.Leap.A: a near miss for Mac users

“This week’s ‘Mac virus’ scare turned out to be nothing more than a worm for Mac OS X that propagates through iChat and infects local Mac applications. OSX/Leap.A is a wake up call to Mac users that we’re not immune to all the nasties floating around on the Web,” Jason D. O’Grady blogs for ZDNet. “There was a story circulating this week that The First Virus For Mac OS X had arrived, but it turned out to only be a relatively innocuous worm embedded in a file called “latestpics.tgz” promising pictures of ‘MacOS X Leopard.’ The worm required the user to download, decompress and execute the file then enter their admin password to cause any damage.”

O’Grady writes, “The first rule of software downloads is obvious: never open a file or attachment from someone that you don’t know. The second is that if it’s too good to be true it probably is. If a download promises you screen shots of Mac OS 10.5 “Leopard” don’t believe it (after all, why not just post the pics?) but never, ever enter your Mac OS X admin password to install something from an unknown source, especially if you downloaded it surreptitiously.”

Full article here.

MacDailyNews Take: Tsk, tsk. So much ado about nothing. The old rules still apply: do not enter your Mac OS X admin password to install anything from an unknown and/or untrusted source.

MacDailyNews Note: We have been affected by a widespread power outage as a result of Friday’s windstorms in the U.S. northeast. We lost power at approximately 9:30am EST yesterday along with approximately 250,000 others. The blackout is still affecting over 120,000 residences and businesses as of this post. Due to our backups currently being unavailable due to other circumstances, we have driven out of the affected area in order to resume posts. The power company currently reports that they expect power to be restored by “Sunday night at the latest.” Thank you for your patience.



81 Comments

  1. This is the dumbest “virus” I’ve ever heard of. If it requires the user to accept the incoming bluetooth transfer, and since bluetooth requires the devices to be within several feet of each other to make a connection, how practical is this? Not very. Even if it didn’t require user intervention, it wouldn’t spread very far, if at all. Everybody in the mainstream tech press has been jizzing all over themselves that they can finally say “MAC OS X HAS A VIRUS!! MAC USERS ARE JUST AS VULNERABLE AS WINDOWS USERS! FEAR!! PANIC!! DREAD!!!!!”

  2. This thing, whether it be virus or not, can still run without asking for an admin password if the account you use on a day-to-day basis is an admin itself. By default, the first user on a Mac when OSX is installed is an Admin. Therefore, this piece of malware has uncovered a problem in OSX. Now that one malware writer knows about it, there will be others that come up with variants.

    Until Apple figures out how to patch against this (and I’m sure it won’t be long until they do), you can either take extra caution on what you click on, or ensure that your day-to-day account is marked as standard.

    Although if you have been running as an admin and decide to demote yourself, please remember that any software you have installed into /Applications will still have you as the owner, meaning the admin password prompt will once again not appear if malware attempts to write to it. You will need to correct this by either using the chown and chgrp commands or from the GUI if you have the patience.

    I would recommend running your day-to-day account as standard anyway, but I can understand that some users find the restrictions it adds a bit of a chore. Each to their own.
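The check the commenter describes, written as an added example that is not part of the post or any comment: after demoting a day-to-day account to a standard user, list the application bundles the current user can still write to without an admin prompt. It assumes a POSIX shell and takes the directory as an argument (defaulting to /Applications) so it can be run against a test directory as well.

```shell
#!/bin/sh
# Added example, not code from the page. Lists top-level .app bundles in a
# directory that the user running the script can write to. On a Mac where
# apps were installed by an account that has since been demoted, those
# bundles are typically still owned (and writable) by that account.

user_writable_apps() {
    dir="${1:-/Applications}"          # directory to inspect; assumption: default /Applications
    for entry in "$dir"/*.app; do
        [ -e "$entry" ] || continue      # glob did not match anything: nothing to report
        # [ -w ] asks the kernel whether this process may write the bundle,
        # which is exactly the condition under which no admin prompt appears.
        if [ -w "$entry" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Number of user-writable bundles, handy for a quick "am I clean?" check.
count_user_writable_apps() {
    user_writable_apps "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on /Applications (or the directory given as $1).
if [ "${SKIP_MAIN:-0}" -eq 0 ]; then
    n=$(count_user_writable_apps "$1")
    echo "user-writable application bundles: $n"
    user_writable_apps "$1"
fi
```

Any bundle printed is one the comment's remediation applies to: re-own it to the system (on a stock Mac OS X install the commenter's chown/chgrp step corresponds to root ownership with the admin group, which is an assumption about the default layout, not something the page states) and re-run the check until nothing is listed.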

  3. Wikipedia sez: “Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system’s security design or configuration. …

    “Trojans of recent times also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses which operate by spreading on their own and infecting executable files, and it becomes difficult to clearly distinguish such mixed programs between Trojan horses and viruses. However, the defining characteristic of trojans is that they require some user action, and cannot function entirely on their own.

  4. neomonkey

    Yes, apparently this is just for Tiger. Good job I’m not the panicky type, as I eBayed my Panther install disks together with my old iMac.

    As for that stupid flamebait above that everyone will now switch to Windows, I can’t see anyone who ditches a UNIX based platform going back to Redmond’s hacked together pile of steaming mess. Even if the Mac does find itself under a virus onslaught, it just means more Linux installations.

    Either way, crappy old Symantec isn’t going to get a penny.

  5. Tip of the iceberg my friends, tip of the freakin’ iceberg. As the Mac gains in popularity more will come. Obscurity a myth? Yeah, that’s why taggers put their stuff in little know hidden places, huh?

    These sick bastards write these things to have their handy work seen, and as the Mac OS becomes more and more prevalent it becomes a more tempting target.

    Storm clouds on the horizon, time to head for the storm cellar.

  6. goddammit…

    A worm is not a virus, unless someone has conveniently redefined “virus” in recent years (which wouldn’t surprise me).

    There are three major types of malware:

    Virus — a virus is code which propagates by inserting itself into files, which are then shared between computers. Very few true viruses exist anymore.

    Worm — a worm is malware which spreads automatically from computer to computer via a network. Internet worms and email worms are the two main types. Email worms require minor intervention by the user, but only in the form of opening an attachment. Most problem malware these days are worms, NOT viruses.

    Trojan — a trojan (horse) is a malicious application pretending to be something else. It requires the user to explicitly run it.

    Leap.A is most definitely NOT a virus. It does infect files, sort of, but not in a way that could be used for propagation. In fact, it’s stretching the definition a little to call it a worm. Yes, it propagates over a network, but it requires significant trojan-style user-interaction at each stop. It would best be classified as a “self-replicating trojan”.

    So please, stop with the arrogant “admit it” bull$#!+. You don’t know what you’re talking about.

    (I swear, the idea that people wouldn’t switch from Windows because of this makes me think of a man in a burning building who won’t leave because it’s hot outside.)

  7. Is Leap-A a virus or a Trojan?

    Some members of the Apple Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside).

    However, this is not the definition of a Trojan horse.

    A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism of spreading themselves. They have to be deliberately planted on a website, or accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan’s code to distribute themselves further to other victims.

    Trojan horses do not contain any code to distribute or spread themselves, viruses and worms do.

    OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform. Worms are a sub category of the group of malware known as viruses.

    Therefore, it is correct to call OSX/Leap-A a virus or a worm. It is not correct to call OSX/Leap-A a Trojan horse.

  8. @ Sam City:

    Come on and please read the articles next time. We and the mainstream press are not talking about the Bluetooth vulnerability. That is very very very minor news which only garnered a passing mention from The Register.

    We are talking about the Leap/A piece of malware (I refuse to call it a virus or worm myself). Don’t start hyperventilating.

  9. Pathetic… when something shows up that runs without our knowledge and infects our osx then that’s news. Look up the definition of virus. For your own pathetic sake, look it up. The lengths that one must go to for this to actually work is absurd. These security companies’ number one priority is profit. Use some common sense. And please Windows users, be safe. There’s over 100,000 viruses out there for you, and as far as I’m concerned and most anybody with a bit of intelligence, there are still no osx viruses. Period.

  10. For those that have obviously been too lazy to read up on this, here you go courtesy of Macworld online…

    It turns out that Leap-A will only send itself out via iChat under a very specific set of circumstances:

    You must be using Bonjour iChat, not Internet-based iChat. That’s right. If you’re using iChat in the way that probably 99 percent of us do, you’ll never see this file being sent from an infected buddy. Leap-A will only send itself to others on your Bonjour buddy list. This is why Kirk and I were never able to get the malware to do its thing—we were not conversing via Bonjour. It sounds amazingly simple, but we spent quite a bit of time trying to figure this out before someone at Intego pointed out that it was limited to Bonjour networks.

    Even on a Bonjour network, you have to work a bit to get the file to send itself. It requires one (or more) status changes on either (or both?) of the Macs involved. In my case, I tested this by activating Bonjour chat on my G5-based desktop. For me, this was the only status change required to activate the file transfer function. But for Kirk, who already had Bonjour running, he had to change his status message on the target machine a couple times before the infected Mac noticed and then tried to send him the file. However, Kirk’s son Perceval, not being warned that this dangerous activity was occurring on the home network, turned on his iBook, logging in to iChat automatically. Since he logs into both AIM and Bonjour, this triggered the “hot” machine to send files to both the iBook and Kirk’s iMac.

    You still have to manually accept the file (then expand it and then double-click it) to infect your machine. Clearly, this thing is not going to spread like wildfire via iChat.

    So it seems the “iChat transmission” aspect of the Leap-A malware has been greatly overstated—unless you use Bonjour iChat, you’ll never see it arriving on your machine in this manner.

  11. Why is everyone downplaying this whole thing and acting like it’s nothing?

    Yes, this is news… Call it what you want, trojan, virus, worm.. Whatever you call it, This is the first documented attack on OSX.. Sure, it’s only a level one threat and yes, it requires user interaction, but it CAN do harm… And on an infected machine it can anonymously pop up on every person in that user’s iChat friends list..

    No one is claiming that OSX is not any safer now than Windows, all these reports are saying is, there has been a first attack on our beloved platform.

    This is the FIRST, there will be more.. Accept it!

  12. This is the third time that I’ve seen news sources running headlines gleefully proclaiming that the first Mac virus has arrived.

    As nobody noticed this one either, they can have another go at running the ‘First Mac virus’ headline at some point in the future.

  13. All the MacHaters will be in our face – ad infinitum – bla bla bla bla bla.

    In THEIR world: 1 Mac malware = 100,000 Windows malwares

    MacHater: Jeez, get a real PC. Why do you continue to use that Crapintosh, anyway?

    MacUser: Because it annoys people like you so much.

    Apple Computer, going out of business since 1984. Annoyed yet?
