> From: Martin Hill <[EMAIL PROTECTED]>
>> (2) unpack the tar.gz
>> (3) run the shell script that is inside
>
> I understand these steps all happen automatically without requiring human intervention. I don't think it negates the self-replicating dangers of the beast.

Actually, thinking more about this (not being an iChat user much myself), you probably are correct on this count: the user would have to double-click the compressed file and then open the terminal script file manually with current versions of Mac OS X. I would hope auto-decompress and auto-open shouldn't be enabled with iChat and the de-compression engine these days! As such you would hope this would give many users a warning that this is no ordinary file, but no password will be required normally and the self-replication vector is still there, so I think this is still a serious issue.

>> (4) type in an administrator password when the shell script asks for it.
>
> It also does NOT require a password if your account has admin privileges (root privileges NOT required). Most Mac users I know are running with admin privileges enabled (the default option when OS X is installed) so they won't have the warning of having to type in a pwd.
>
>> hardly a virus,
>
> As various commentators have indicated, it is really a blended threat:
> "Leap.A (CME-4) acts like a combination of a Trojan, virus and worm. It acts like a Trojan because it masquerades as a JPEG file, a virus because it attempts to infect executables, and a worm because it attempts to send copies of itself to others via iCHAT. This last action is similar to that of an instant messaging worm on the Windows platform."
>
> I wouldn't brush it off quite so quickly, particularly as it now provides a platform for more nasties to use as a base to do worse things.
>
>> Malware..? Yes, it's malicious but not destructive,
>
> Corrupting any application you run is not destructive? It may not be as nasty as deleting your home directory, but it still qualifies as destructive in my book.
>
>> it requires so much user interaction, it looks like more of a social engineering exercise or a proof of concept like opener was.
>
> The only user interaction it requires is to accept the download of the file in iChat from what I've read. If your trusted buddy on iChat sends you what looks like a jpeg file with the title "Mac OS X 10.5 screen shots" the chances are you will click accept. Yes? We're not talking email from some unknown source here.
>
>> thoughts?
>
> I've been the first to set the record straight on false Mac virus scares in the past, but it doesn't mean we should necessarily take this one lightly.
>
> The stats still stand at the following:
>
> Microsoft Windows:
> Viruses and Worms = 140,000 (Symantec Security Focus)
> Spyware and Adware programs = 78,000 (www.pestpatrol.com)
> Burrowers = 40 (www.pestpatrol.com)
> 80% of PCs infected with spyware (webroot.com)
> 2004 alone:
> - 500 new Trojans (www.pestpatrol.com)
> - 500 new keyloggers (www.pestpatrol.com)
> - 1,287 new adware apps (www.pestpatrol.com)
> - 7,360 new viruses and worms (symantec.com)
>
> Mac OS X:
> Viruses and Worms = 1
> Spyware programs = 0
> Adware = 0
> Keyloggers = 0
> Burrowers = 0
> Trojans = 3 (symantec.com)
> 2004:
> - 1 Rootkit (symantec.com)
>
> With many of the thousands of Windows viruses and worms being far more nasty compared to this fairly innocuous Mac worm, it is by no means the end of the world, but this is nonetheless the first truly credible self-propagating threat to OS X. I think we should finally start looking at firming up our malware strategies on the Mac just to be safe.
>
> -Mart
>
>> cheers
>>
>> Nat
>>
>> On Feb 17, 2006, at 9:18 AM, Martin Hill wrote:
>>
>>> Well it has finally happened after all these years of commentators crying wolf.
>>>
>>> The first bit of malware that attempts to spread itself to other Mac users has finally arrived on the scene. Note this is not technically a virus as many articles are saying, but it is also not just a simple trojan as some Mac users are saying.
>>>
>>> To get infected a user has to click on what looks like a jpeg file in a message sent through Apple's iChat program so it requires user intervention, but as it then attempts to infect other applications - they get corrupted due to a bug. It then attempts to send copies of itself to all users in the buddy list of the infected user if they use the iChat software.
>>>
>>> This malware also does not require the affected user to enter a password if they are an admin user (or if they are a root user) - it only asks for a password if they have been intentionally set up as a user without admin privileges. As a default install of OS X automatically gives the main user admin privs, most users will not be asked for a password as this worm installs itself.
>>>
>>> Although it does not delete files or do any other nasty things, it looks like other nasty hackers could modify this initial code to cause more damage.
>>>
>>> Looks like we had all finally better start installing and using anti-virus software on our Macs (particularly if you use Apple's iChat software).
>>>
>>> Symantec's description of this worm (which they call "OSX.Leap.A", also known as the "Oompa Loompa" worm):
>>> http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html
>>>
>>> The stats still stand at the following:
>>>
>>> Windows Viruses/worms = 140,000
>>> Mac OS X worms = 1
>>>
>>> With many of the thousands of Windows viruses and worms particularly nasty compared to this fairly innocuous Mac worm, it is by no means the end of the world, but this is nonetheless the first truly credible threat to OS X.
>>>
>>> Here are the details from MacFixit:
>>> http://www.macfixit.com/article.php?story=20060216075452766
>>>
>>> "Protective method: Setting iChat to not automatically accept incoming files
>>> In order to protect against the unintended acquisition of this malware, it is recommended that you set iChat to notify the user before accepting a file. This is accomplished by opening iChat's preferences, then clicking the "Messages" tab, and selecting "Confirm before sending files." This is the default setting for a fresh Mac OS X installation.
>>>
>>> And remember, be very cautious with supplying your administrator password to system prompts. You should never be asked to enter your administrator password to open a .jpg file (as in the above case). Provide your administrator password only to trusted applications.
>>>
>>> In fact, you should avoid being logged in as an administrator whenever possible. Instead, use a standard user account for daily tasks.
>>>
>>> Andrew Welch of Ambrosia Software has discovered and described a new piece of malware for Mac OS X dubbed the "Oompa-Loompa Trojan (OSX/Oomp-A)".
>>>
>>> The malware was posted as "latestpics.tgz" to a Mac rumors web site, claiming to be pictures of "Mac OS X Leopard" (an upcoming version of Mac OS X).
>>>
>>> Andrew writes:
>>>
>>> "When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.
>>>
>>> "After it's been unzipped, tar will tell you there are two files in the archive:
>>>
>>> * ._latestpics
>>> * latestpics
>>>
>>> "The ._latestpics is just the resource fork of the file, which contains the pasted in custom icon meant to fool people into double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.
>>>
>>> "The file 'latestpics' is actually a PowerPC-compiled executable program, with routines such as:
>>>
>>> * _infect:
>>> * _infectApps:
>>> * _installHooks:
>>> * _copySelf:
>>>
>>> "A few important points
>>>
>>> * This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally
>>> * It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system
>>> * It requires the admin password if you're not running as an admin user
>>> * It doesn't actually do anything other than attempt to propagate itself via iChat
>>> * It has a bug in the code that prevents it from working as intended, and has the side-effect of preventing infected applications from launching
>>> * It's not particularly sophisticated
>>>
>>> "Here's what it does if a user double-clicks on the file, or otherwise executes it:
>>>
>>> 1. It copies itself to /tmp as "latestpics"
>>> 2. It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip'd copy, then sets the custom icon bit for the new file in /tmp
>>> 3. It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
>>> 4. It renames itself from "latestpics.tar.gz" to "latestpics.tgz" then deletes the copied "latestpics" executable from /tmp (This gives it a pristine copy of itself, for later transmission)
>>> 5. It extracts an Input Manager called "apphook.bundle" that is embedded in the macho executable, and copies it to /tmp
>>> 6. If your uid = 0 (you're root), it creates /Library/InputManagers/, deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder; if your uid != 0 (you're not root), it creates ~/Library/InputManagers/, deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder
>>> 7. When any application is launched, Mac OS X loads the newly installed "apphook" Input Manager automatically into its address space (This allows it to have the code in the "apphook.bundle" injected into any subsequently launched application via the InputManager mechanism)
>>> 8. When an application is subsequently launched, the "apphook.bundle" Input Manager then appears to try to send the pristine "latestpics.tgz" file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats) (It looks like the author intended to get it to send the "latestpics.tgz" file out via eMail as well, but never got around to writing that code) -- This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally
>>> 9. It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
>>> 10. In an apparent "Charlie and the Chocolate Factory" reference, it then checks to see if the xattr 'oompa' of the application executable is > 0... if so, it bails out, to prevent it from re-infecting an already infected application
>>> 11. If not, it sets the xattr 'oompa' of the application executable to be 'loompa' (this does nothing, it is just a marker that it has infected this app)
>>> 12. It then copies the application executable to its own resource fork, and replaces the executable with itself -- It has thus effectively injected its code in the host application
>>> 13. When an application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate every time that application is launched
>>> 14. It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory... see below)
>>>
>>> [...]
>>>
>>> "In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running
>>>
>>> "It seems that this is more of a 'proof of concept' implementation that could be utilized to actually do something in the future, depending on how successful it is, or it was simply done to garner attention/press. Which I'm sure it'll get.
>>>
>>> As noted by Andrew, this particular piece of malware requires user-initiated action to run, and also requires the user to enter an administrator password (if you are logged in as a non-admin user) -- something that should never be required for opening a .jpg file. Its effects also seem to be innocuous."
>>>
>>> -Mart
>>>
>>> -- The WA Macintosh User Group Mailing List --
>>> Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
>>> Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
>>> Unsubscribe - <mailto:[EMAIL PROTECTED]>
>>>
>>> WAMUG is powered by Stalker CommuniGatePro
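The thread's practical advice is to look before you double-click: the archive Andrew describes contains a `._` resource-fork side file carrying a pasted-on JPEG icon and an extensionless PowerPC Mach-O executable, and `tar` will list both. The script below is an added example written for this page; it is not code from the thread, Ambrosia Software, MacFixit, Symantec or WAMUG. It inspects a `.tgz` entirely in memory, classifies each entry by its leading bytes rather than its name or icon, and flags executables posing as a picture download. The function names (`classify`, `triage_archive`, `build_sample_archive`) and the sample archive are this example's own constructions; only the file-format magic numbers are real, public constants, and the synthetic sample is not the actual malware.

```python
"""Triage a gzip'd tar before opening it: classify each entry by content,
not by name or icon. Added example for this thread, not code from the
page or the parties it quotes. Nothing is extracted to disk or executed.
"""
from __future__ import annotations

import io
import tarfile

# Public file-format magic numbers (first bytes of the file).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC: 32-bit big-endian (PowerPC, as in the thread)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM: 32-bit little-endian
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC: universal binary
}
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # '._name' side file (resource fork / Finder info)
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff")


def classify(head: bytes) -> str:
    """Name the content type from the first bytes of a file."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o executable"
    if head[:4] == APPLEDOUBLE_MAGIC:
        return "appledouble resource fork"
    if head[:3] == JPEG_MAGIC:
        return "jpeg image"
    return "other"


def triage_archive(data: bytes) -> list[dict]:
    """Return one finding per regular file in the archive, in archive order."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(8)   # only the header bytes are read
            kind = classify(head)
            name = member.name.rsplit("/", 1)[-1]
            exec_bit = bool(member.mode & 0o111)
            if kind == "mach-o executable":
                verdict = "SUSPICIOUS: Mach-O executable"
                if name.lower().endswith(IMAGE_SUFFIXES):
                    verdict += " named like an image"
            elif name.startswith("._") and kind == "appledouble resource fork":
                # This is where a pasted-on custom icon lives; on its own it is
                # harmless, but next to an executable it is the disguise.
                verdict = "NOTE: AppleDouble side file; may carry a custom icon"
            elif exec_bit:
                verdict = "NOTE: execute bit set"
            else:
                verdict = "OK"
            findings.append({"name": name, "kind": kind,
                             "exec_bit": exec_bit, "verdict": verdict})
    return findings


def build_sample_archive() -> bytes:
    """Construct, in memory, an archive shaped like the one the thread
    describes: a '._' side file plus an extensionless executable, and one
    genuine-looking JPEG for contrast. All payload bytes are synthetic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, payload: bytes, mode: int) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tar.addfile(info, io.BytesIO(payload))
        add("._latestpics", APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24, 0o644)
        add("latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 28, 0o755)
        add("readme.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 12, 0o644)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f"{f['name']:<14} {f['kind']:<26} {f['verdict']}")
```

Run against a real download by replacing `build_sample_archive()` with the bytes of the file; the point of classifying by magic number is that neither a misleading filename nor a Finder icon stored in the `._` side file changes the verdict, which is exactly the trick the quoted write-up describes.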

