Ars Technica: Fears over new Mac OS X ‘Leap-A’ trojan pointless

Leap-A is “a fairly harmless bit of code, and some have described it as a proof of concept. In fact, antivirus firm Symantec designated it a ‘Level 1’ threat, which is at the bottom of the scale for malicious code. Despite the trojan’s harmlessness, a number of sites are seizing on this, calling it the first Mac OS X virus to be discovered,” Eric Bangeman writes for Ars Technica “In fact, that distinction goes to another Trojan Horse, found in April 2004 by French firm Intego. After the hype machines slowed down, it was determined that the malware was nothing more than a proof-of-concept, illustrating that Mac OS X can be vulnerable to certain types of malware. In May 2004, another malicious script emerged that would delete the home directories of extremely gullible users. Leap-A hardly marks any sort of advance in Mac malware, as it’s less harmful than the May 2004 script and lacks the ability to self-propagate.”

“Mac OS X has a solid record so far when it comes to viruses and other malware, and many Mac users don’t bother with antivirus software,” Bangeman writes. “Leap-A hardly qualifies as a great leap forward in Mac OS X malware. But Mac users along with everyone else will be safer as long as they practice skeptical computing.”

Full article here.

MacDailyNews Note: Symantec’s OSX.Leap.A page states, “Number of infections: 0 – 49.” Why do the number of news articles outnumber the absurdly low number of “infected” machines by something like 100-1? Some of these “writers” who are banging out “Mac cultists smug no more, Macs just as porous as Windows, Mac plagued by viruses, Mac this, Mac that” articles are going to need new keyboards due to excessive drool. Who benefits from the proliferation of the impression that “Macs have viruses” that’s being misstated everywhere from Buffalo to Bangalore?

A couple of additional notes courtesy of MacDailyNews reader “PoPa” about Leap-A:
• Leap-A can’t transmit itself over the Internet, only over LAN.
• The default config of a Mac is immune even if were on an infected LAN. (It can’t spread on a LAN unless a lot of factors come together, including the user enabling Bonjour in iChat, which is very seldom done.)

Again, as Apple has already stated, “Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file. Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust.” Apple provides a guide to safely handling files received from the Internet here.

Advertisements:
MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
iMac and MacBook Pro owners: Apple USB Modem. Easily connect to the Internet using dial-up service. Only $49.
iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
Connect iPod to your television set with the iPod AV Cable. Just $19.

Related MacDailyNews articles:
Atlanta Journal-Constitution asks: Is ‘Mac virus’ all just propaganda from Mac haters? – February 20, 2006
Datamonitor: ‘Mac OS is just as vulnerable to malware as Windows’ – February 20, 2006
Patched in mid-2005 by Apple, Symantec warns ‘Inqtana-A’ worm could be ‘beginning of a trend’ – February 20, 2006
OSX.Leap.A: a near miss for Mac users – February 18, 2006
Apple: ‘Leap-A’ not a virus; only accept files from vendors and Web sites that you know and trust – February 16, 2006
‘Highly critical’ flaw in discovered in Symantec AntiVirus for Mac OS X – December 21, 2005
Why Symantec’s ‘scare tactics’ don’t worry Mac users – September 28, 2005
$500 bounty offered for proof of first Apple Mac OS X virus – September 27, 2005
Symantec details flaws in its antivirus software – March 30, 2005
Motley Fool writer: ‘I’d be surprised if Symantec ever sells a single product to a Mac user again’ – March 24, 2005
Symantec cries wolf with misplaced Mac OS X ‘security’ warning – March 23, 2005
Symantec’s Mac OS X claims dismissed as nonsense, FUD – March 22, 2005
Symantec warns about Mac OS X security threat – March 21, 2005
FBI: Viruses, spyware, other computer-related crimes cost U.S. businesses $67.2 billion per year – February 01, 2006
Windows virus threatens 170-year-old Toldeo newspaper’s perfect record, Apple Macs save the day – January 27, 2006
Symantec: 10,866 new Microsoft Windows virus and worm variants in first half 2005 – September 19, 2005
Hackers already targeting viruses for Microsoft’s Windows Vista – August 04, 2005
97,467 Microsoft Windows viruses vs. zero for Apple Mac’s OS X – April 05, 2005
Cybersecurity advisor Clarke questions why anybody would buy from Microsoft – February 18, 2005
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004

29 Comments

  1. Not to YORK it, but I don’t think enabling Bonjour in iChat should be considered “uncommon”. On a local office network, it is a totally legit way of discovering inneroffice computers.

  2. Now wait. Using iChat – this thing comes out of nowhere? is it a link in the current chat window? The iChat user thinks it is from the other party? That is certainly someone to be trusted. And when it is clicked it asks for Admin password to install? I can think of about 4 people that I iChat with that think the file is from me and go ahead and enter the admin password.-
    This social malware should not be taken lightly – the more MacOSX users think they are invulnerable the more they become vulnerable. “When u least expect it – expect it” kind of thinig.

    No – is not a virus – Yes is a concern if it is this simple.

  3. -> to me: yes, iChat is a legit way to share office files… but face it, offices that employ iChat in their workflow ARE “uncommon.”

    -> to kerrazyjoe: it doesn’t come out of nowhere–it doesn’t come at all! it can’t transmit over the internet! you say you chat with people who would trust you. how many of them are on your LAN? how many of them are on the same subnet (like the same dorm on a campus)? even if you caught the virus (which you can’t), you couldn’t spread it to those people if they’re not on your same LAN and subnet.

    But say you’re on an infected LAN (of which the world contains zero) AND a bunch of other conditions are met (it’s NOT simple) then it could arrive and look like it’s from a friend. but there’s all kinds of warning. Your friend sends you a chat request with a file… but doesn’t answer back when you try to chat? that’s suspicious. it’s not a link, it’s a special window offering a file. then you’ve got to go through steps uncompressing and clicking to install the thing. and if you do, what harm is done? probably none at all. but if anything bad results, it’s just a few apps failing to launch–and you can easily fix that.

    it’s not simple to get this virus. it is, essentially, impossible.

  4. Amazing what reality prevails when people who KNOW the technical side of things write about them instead of these hack ‘journalists’ who probably held a previous position of covering dog shows or local rock bands.

  5. Might as well treat this dialog as a support forum – I am nervous not for my sake – for the sake of all those people who I have converted to MacOSX and who will click things without discern.

    It seems like first you have to download this thing from somewhere. It does not popup on an iChat. You download it from a click on a Website perhaps. Warning! is a Program YES – Warning! needs admin password. OK now it is here. Now it spreads via Bonjour.

    OK this wont happen in my environment or my friends – OK.

    But these things that are disguised as one thing and actually are another – wow – those are hard to defend.

  6. Also note another reason it’s not a virus, in particular it’s supposed reproduction. It doesn’t reproduce like a virus. Leap-A merely advertises itself. That’s it. That’s all. Just because you read a BMW ad in a magazine doesn’t mean that BMW will be in your garage the next time you look.

    At worst, it’s SPIM (instant messaging spam). It doesn’t get transmitted to another computer until the user accepts it, hence it’s also not self-transmitting, only self-advertising: “please accept me”.

    Admittedly, the so-called email viruses that you have to click hyperlinks are also just advertisements, hence trojan horse emails (says it’s one thing when it’s really another). Even the emails with attachments are practically mere advertisements (like AOL discs in the snail-mail) because you still have to open the attachments, otherwise nothing happens.

    A long time ago, circa 2000, Microsoft’s Outlook email program would automatically open any attachment, including programs that were attached, e.g. viruses. Nowadays, it’s practically unheard of for an email program to open an attachment that is a program. Usually it’s just images or PDFs. So, effective email viruses don’t really exist anymore.

    Also admittedly, a lot of the so-called viruses for Microsoft’s Windows OSes are mostly trojan horse types. Although, it seems to be the actual self-replicating and self-transimitting viruses that get attention on that side of the computing spectrum. So it’s probably more accurate to refer to almost 100,000 malware instead of 100,000 viruses. Besides, the variety suggested by malware is much more impressive. ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

    It’s quite telling to have a simple trojan horse type (i.e. merely self advertising as SPIM, hence neither self-replicating nor self-transmitting without user interaction) get so much attention on the Mac side. Not to mention most of the attention is given by people who have not been affected by it (since nobody’s been affected except for intentional guinea pigs), and most of those people aren’t even using an Apple computer. In contrast, the difference in attention is quite weird.

    And keep in mind this isn’t the first. The first bit of malware for Mac OS X occurred a few years ago, followed by a couple more bits of malware soon after. Interesting most people don’t mention that, since that tells a lot about those people’s lack of experience with Mac OS X, lack of research, and excess of overreaction.

  7. Another interesting question: Where does this thing came from in the first place?

    I mean: With some really malevolous viri the FBI catched the guy and put him in jail. This Leap-A or whatever the name may be a proof-of-concept but, Who did it? Was this thing created by a hacker or by an anti-virus company so they can raise their MacOS X division sales of anti-virus?

    And, if this is a proof-of-concept then somebody is trying to develop a virus for the Mac OS X or what?

    MW TRUE

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.