Nat, I have likewise poo-pooed many of the earlier "virus" scares in the past as a case of crying wolf. However, the thing that makes this one different is it does have a self-propagation vector and is thus not a simple trojan like the earlier occurrences.
> So you have to: > > (1) accept the file in iChat This is the social engineering bit, and the only stage that needs a user to interact. > (2) unpack the tar.gz > (3) run the shell script that is inside I understand these steps all happen automatically without requiring human intervention. I don't think it negates the self-replicating dangers of the beast. > (4) type in an administrator password when the shell script asks for it. It also does NOT require a password if your account has admin privileges (root privileges NOT required). Most Mac users I know are running with admin privileges enabled (the default option when OS X is installed) so they won't have the warning of having to type in a pwd. > hardly a virus , As various commentators have indicated, it is really a blended threat: "Leap.A (CME-4) acts like a combination of a Trojan, virus and worm. It acts like a Trojan because it masquerades as a JPEG file, a virus because it attempts to infect executables, and a worm because it attempts to send copies of itself to others via iCHAT. This last action is similar to that of an instant messaging worm on the Windows platform." I wouldn't brush it off quite so quickly, particularly as it now provides a platform for more nasties to use as a base to do worse things. > Malware..?, yes its malicious but not destructive, Corrupting any application you run is not destructive? It may not be as nasty as deleting your home directory, but it still qualifies as destructive in my book. >it > requires so much user interaction, it looks like more of a social > engineering exercise or a proof of concept like opener was. The only user interaction it requires is to accept the download of the file in iChat from what I've read. If your trusted buddy on iChat sends you what looks like a jpeg file with the title "Mac OS X 10.5 screen shots" the chances are you will click accept. Yes? We're not talking email from some unknown source here. > thoughts? I've been the first to set the record straight on false Mac virus scares in the past, but it doesn't mean we should necessarily take this one lightly. The stats still stand at the following: Microsoft Windows: Viruses and Worms = 140,000 (Symantec Security Focus) Spyware and Adware programs = 78,000 (www.pestpatrol.com) Burrowers = 40 (www.pestpatrol.com) 80% of PCs infected with spyware (webroot.com) 2004 alone: - 500 new Trojans (www.pestpatrol.com) - 500 new keyloggers (www.pestpatrol.com) - 1,287 new adware apps (www.pestpatrol.com) - 7,360 new viruses and worms (symantec.com) Mac OS X: Viruses and Worms = 1 Spyware programs = 0 Adware = 0 Keyloggers = 0 Burrowers = 0 Trojans = 3 (symantec.com) 2004: - 1 Rootkit (symantec.com) With many of the thousands of Windows viruses and worms being far more nasty compared to this fairly innocuous Mac worm, it is by no means the end of the world, but this is nonetheless the first truly credible self-propagating threat to OS X. I think we should finally start looking at firming up our malware strategies on the Mac just to be safe. -Mart > cheers > > Nat > > On Feb 17, 2006, at 9:18 AM, Martin Hill wrote: > >> Well it has finally happened after all these years of commentators >> crying >> wolf. >> >> The first bit of malware that attempts to spread itself to other Mac >> users >> has finally arrived on the scene. Note this is not technically a >> virus as >> many articles are saying but it is also not just a simple trojan as >> some Mac >> users are saying. >> >> To get infected a user has to click on what looks like a jpeg file in a >> message sent through Apple's iChat program so it requires user >> intervention, >> but as it then attempts to infect other applications - they get >> corrupted >> due to a bug. It then attempts to send copies of itself to all users >> in the >> buddy list of the infected user if they use the iChat software. >> >> This malware also does not require the affected user to enter a >> password if >> they are an admin user (or if they are a root user) - it only asks for >> a >> password if they have been intentionally set up as a user without admin >> privileges. As a default install of OS X automatically gives the main >> user >> admin privs, most users will not be asked for a password as this worm >> installs itself. >> >> Although it does not delete files or do any other nasty things, it >> looks >> like other nasty hackers could modify this initial code to cause more >> damage. >> >> Looks like we had all finally better start installing and using >> anti-virus >> software on our Macs (particularly if you use (Apple's iChat software). >> >> Symantec's Description of this worm (which they call "OSX.Leap.A" also >> known >> as the "Oompa Loompa" worm): >> http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html >> >> The stats still stand at the following: >> >> Windows Viruses/worms = 140,000 >> Mac OS X worms = 1 >> >> With many of the thousands of Windows viruses and worms particularly >> nasty >> compared to this fairly innocuous Mac worm, it is by no means the end >> of the >> world, but this is nonetheless the first truly credible threat to OS X. >> >> Here are the details from MacFixit: >> http://www.macfixit.com/article.php?story=20060216075452766 >> >> "Protective method: Setting iChat to not automatically accept incoming >> files >> In order to protect against the unintended acquisition of this >> malware, it >> is recommended that you set iChat to notify the user before accepting a >> file. This is accomplished by opening iChat's preferences, then >> clicking the >> "Messages" tab, and selecting "Confirm before sending files." This is >> the >> default setting for a fresh Mac OS X installation. >> >> And remember, be very cautious with supplying your administrator >> password to >> system prompts. You should never be asked to enter your administrator >> password to open a .jpg file (as in the above case). Provide your >> administrator password only to trusted applications. >> >> In fact, you should avoid being logged in as an administrator whenever >> possible. Instead, use a standard user account for daily tasks. >> >> Andrew Welch of Ambrosia Software has discovered and described a new >> piece >> of malware for Mac OS X dubbed the "Oompa-Loompa Trojan (OSX/Oomp-A)" >> >> The malware was posted as "latestpics.tgz" to a Mac rumors web site, >> claiming to be pictures of "Mac OS X Leopard" (an upcoming version of >> Mac OS >> X. >> >> Andrew writes: >> >> "When unarchived (it is a gzip-compressed tar file), which can be done >> by >> simply double-clicking on the file, it appears to be a JPEG file >> because >> someone pasted the image of a JPEG file onto the file. >> >> "After it's been unzipped, tar will tell you there are two files in the >> archive: >> >> * ._latestpics >> * latestpics >> >> "The ._latestpics is just the resource fork of the file, which >> contains the >> pasted in custom icon meant to fool people into double-clicking on it >> to (in >> theory) open the JPEG file for viewing. In actuality, double-clicking >> on it >> will launch an executable file. >> >> "The file 'latestpics' is actually a PowerPC-compiled executable >> program, >> with routines such as: >> >> * _infect: >> * _infectApps: >> * _installHooks: >> * _copySelf: >> >> "A few important points >> >> * This should probably be classified as a Trojan, not a virus, >> because >> it doesn't self-propagate externally >> * It does not exploit any security holes; rather it uses "social >> engineering" to get the user to launch it on their system >> * It requires the admin password if you're not running as an admin >> user >> * It doesn't actually do anything other than attempt to propagate >> itself >> via iChat >> * It has a bug in the code that prevents it from working as >> intended, >> and has the side-effect of preventing infected applications from >> launching >> * It's not particularly sophisticated >> >> "Here's what it does if a user double-clicks on the file, or otherwise >> executes it: >> >> 1. It copies itself to /tmp as "latestpics" >> 2. It recreates its resource fork in /tmp (with the custom icon in >> it) >> from an internally stored gzip'd copy, then sets custom icon bit for >> the new >> file in /tmp >> 3. It then tar + gzips itself so a pristine copy of itself in .tgz >> format >> is left in /tmp >> 4. It renames itself from "latestpics.tar.gz" to "latestpics.tgz" >> then >> deletes the copied "latestpics" executable from /tmp (This gives it a >> pristine copy of itself, for later transmission) >> 5. It extracts an Input Manager called "apphook.bundle" that is >> embedded >> in the macho executable, and copies it to /tmp >> 6. If your uid = 0 (you're root), it creates >> /Library/InputManagers/ , >> deletes any existing "apphook" bundle in that folder, and copies >> "apphook" >> from /tmp to that folder; If your uid != 0 (you're not root), it >> creates >> ~/Library/InputManagers/ , deletes any existing "apphook" bundle in >> that >> folder, and copies "apphook" from /tmp to that folder >> 7. When any application is launched, Mac OS X loads the newly >> installed >> "apphook" Input Manager automatically into its address space (This >> allows it >> to have the code in the "apphook.bundle" injected into any subsequently >> launched application via the InputManager mechanism) >> 8. When an application is subsequently launched, the >> "apphook.bundle" >> Input Manager then appears to try to send the pristine >> "latestpics.tgz" file >> in /tmp to people on your buddy list via iChat (who will then >> presumably >> download the file, double-click on it, and the cycle repeats) (It >> looks like >> the author intended to get it to send the "latestpics.tgz" file out via >> eMail as well, but never got around to writing that code) -- This lets >> it >> send itself to people on your buddy list via iChat; this appears to be >> the >> only way it self-propagates externally >> 9. It then uses Spotlight to find the 4 most recently used >> applications >> on your machine that are not owned by root >> 10. In an apparent "Charlie and the Chocolate Factory" reference, it >> then >> checks to see if the xattr 'oompa' of the application executable is > >> 0... >> if so, it bails out, to prevent it from re-infecting an already >> infected >> application >> 11. If not, it sets the xattr 'oompa' of the application executable >> to be >> 'loompa' (this does nothing, it is just a marker that it has infected >> this >> app) >> 12. It then copies the application executable to its own resource >> fork, >> and replaces the executable with itself -- It has thus effectively >> injected >> its code in the host application >> 13. When an application is launched from then on, the trojan code is >> executed, and it tries to re-infect and re-propagate every time that >> application is launched >> 14. It then does an execv on the resource fork of the executable, >> which is >> the original application, so the application launches as it normally >> would >> (in theory... see below) >> >> [...] >> >> "In the end, it doesn't appear to actually do anything other than try >> to >> propagate itself via iChat, and unintentionally prevent infected >> applications from running >> >> "It seems that this is more of a 'proof of concept' implementation that >> could be utilized to actually do something in the future, depending on >> how >> successful it is, or it was simply done to garner attention/press. >> Which I'm >> sure it'll get. >> >> As noted by Andrew, this particular piece of malware requires >> user-initiated >> action to run, and also requires the user to enter an administrator >> password >> (if you are logged in as a non-admin user) -- something that should >> never be >> required for opening a .jpg file. Its effects also seem to be >> innocuous." >> >> -Mart >> >> >> >> >> -- The WA Macintosh User Group Mailing List -- >> Archives - <http://www.wamug.org.au/mailinglist/archives.shtml> >> Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml> >> Unsubscribe - <mailto:[EMAIL PROTECTED]> >> >> WAMUG is powered by Stalker CommuniGatePro > > > -- The WA Macintosh User Group Mailing List -- > Archives - <http://www.wamug.org.au/mailinglist/archives.shtml> > Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml> > Unsubscribe - <mailto:[EMAIL PROTECTED]> > > WAMUG is powered by Stalker CommuniGatePro > >
