Well it has finally happened after all these years of commentators
crying
wolf.
The first bit of malware that attempts to spread itself to other Mac
users
has finally arrived on the scene. Note this is not technically a
virus as
many articles are saying but it is also not just a simple trojan as
some Mac
users are saying.
To get infected a user has to click on what looks like a jpeg file
in a
message sent through Apple's iChat program so it requires user
intervention,
but as it then attempts to infect other applications - they get
corrupted
due to a bug. It then attempts to send copies of itself to all
users
in the
buddy list of the infected user if they use the iChat software.
This malware also does not require the affected user to enter a
password if
they are an admin user (or if they are a root user) - it only asks
for
a
password if they have been intentionally set up as a user without
admin
privileges. As a default install of OS X automatically gives the
main
user
admin privs, most users will not be asked for a password as this
worm
installs itself.
Although it does not delete files or do any other nasty things, it
looks
like other nasty hackers could modify this initial code to cause
more
damage.
Looks like we had all finally better start installing and using
anti-virus
software on our Macs (particularly if you use (Apple's iChat
software).
Symantec's Description of this worm (which they call "OSX.Leap.A"
also
known
as the "Oompa Loompa" worm):
http://securityresponse.symantec.com/avcenter/venc/data/
osx.leap.a.html
The stats still stand at the following:
Windows Viruses/worms = 140,000
Mac OS X worms = 1
With many of the thousands of Windows viruses and worms particularly
nasty
compared to this fairly innocuous Mac worm, it is by no means the
end
of the
world, but this is nonetheless the first truly credible threat to
OS X.
Here are the details from MacFixit:
http://www.macfixit.com/article.php?story=20060216075452766
"Protective method: Setting iChat to not automatically accept
incoming
files
In order to protect against the unintended acquisition of this
malware, it
is recommended that you set iChat to notify the user before
accepting a
file. This is accomplished by opening iChat's preferences, then
clicking the
"Messages" tab, and selecting "Confirm before sending files." This
is
the
default setting for a fresh Mac OS X installation.
And remember, be very cautious with supplying your administrator
password to
system prompts. You should never be asked to enter your
administrator
password to open a .jpg file (as in the above case). Provide your
administrator password only to trusted applications.
In fact, you should avoid being logged in as an administrator
whenever
possible. Instead, use a standard user account for daily tasks.
Andrew Welch of Ambrosia Software has discovered and described a new
piece
of malware for Mac OS X dubbed the "Oompa-Loompa Trojan
(OSX/Oomp-A)"
The malware was posted as "latestpics.tgz" to a Mac rumors web site,
claiming to be pictures of "Mac OS X Leopard" (an upcoming version
of
Mac OS
X.
Andrew writes:
"When unarchived (it is a gzip-compressed tar file), which can be
done
by
simply double-clicking on the file, it appears to be a JPEG file
because
someone pasted the image of a JPEG file onto the file.
"After it's been unzipped, tar will tell you there are two files in
the
archive:
* ._latestpics
* latestpics
"The ._latestpics is just the resource fork of the file, which
contains the
pasted in custom icon meant to fool people into double-clicking on
it
to (in
theory) open the JPEG file for viewing. In actuality,
double-clicking
on it
will launch an executable file.
"The file 'latestpics' is actually a PowerPC-compiled executable
program,
with routines such as:
* _infect:
* _infectApps:
* _installHooks:
* _copySelf:
"A few important points
* This should probably be classified as a Trojan, not a virus,
because
it doesn't self-propagate externally
* It does not exploit any security holes; rather it uses "social
engineering" to get the user to launch it on their system
* It requires the admin password if you're not running as an
admin
user
* It doesn't actually do anything other than attempt to
propagate
itself
via iChat
* It has a bug in the code that prevents it from working as
intended,
and has the side-effect of preventing infected applications from
launching
* It's not particularly sophisticated
"Here's what it does if a user double-clicks on the file, or
otherwise
executes it:
1. It copies itself to /tmp as "latestpics"
2. It recreates its resource fork in /tmp (with the custom icon
in
it)
from an internally stored gzip'd copy, then sets custom icon bit for
the new
file in /tmp
3. It then tar + gzips itself so a pristine copy of itself in
.tgz
format
is left in /tmp
4. It renames itself from "latestpics.tar.gz" to "latestpics.tgz"
then
deletes the copied "latestpics" executable from /tmp (This gives it
a
pristine copy of itself, for later transmission)
5. It extracts an Input Manager called "apphook.bundle" that is
embedded
in the macho executable, and copies it to /tmp
6. If your uid = 0 (you're root), it creates
/Library/InputManagers/ ,
deletes any existing "apphook" bundle in that folder, and copies
"apphook"
from /tmp to that folder; If your uid != 0 (you're not root), it
creates
~/Library/InputManagers/ , deletes any existing "apphook" bundle in
that
folder, and copies "apphook" from /tmp to that folder
7. When any application is launched, Mac OS X loads the newly
installed
"apphook" Input Manager automatically into its address space (This
allows it
to have the code in the "apphook.bundle" injected into any
subsequently
launched application via the InputManager mechanism)
8. When an application is subsequently launched, the
"apphook.bundle"
Input Manager then appears to try to send the pristine
"latestpics.tgz" file
in /tmp to people on your buddy list via iChat (who will then
presumably
download the file, double-click on it, and the cycle repeats) (It
looks like
the author intended to get it to send the "latestpics.tgz" file out
via
eMail as well, but never got around to writing that code) -- This
lets
it
send itself to people on your buddy list via iChat; this appears to
be
the
only way it self-propagates externally
9. It then uses Spotlight to find the 4 most recently used
applications
on your machine that are not owned by root
10. In an apparent "Charlie and the Chocolate Factory" reference,
it
then
checks to see if the xattr 'oompa' of the application executable is
>
0...
if so, it bails out, to prevent it from re-infecting an already
infected
application
11. If not, it sets the xattr 'oompa' of the application
executable
to be
'loompa' (this does nothing, it is just a marker that it has
infected
this
app)
12. It then copies the application executable to its own resource
fork,
and replaces the executable with itself -- It has thus effectively
injected
its code in the host application
13. When an application is launched from then on, the trojan code
is
executed, and it tries to re-infect and re-propagate every time that
application is launched
14. It then does an execv on the resource fork of the executable,
which is
the original application, so the application launches as it normally
would
(in theory... see below)
[...]
"In the end, it doesn't appear to actually do anything other than
try
to
propagate itself via iChat, and unintentionally prevent infected
applications from running
"It seems that this is more of a 'proof of concept' implementation
that
could be utilized to actually do something in the future, depending
on
how
successful it is, or it was simply done to garner attention/press.
Which I'm
sure it'll get.
As noted by Andrew, this particular piece of malware requires
user-initiated
action to run, and also requires the user to enter an administrator
password
(if you are logged in as a non-admin user) -- something that should
never be
required for opening a .jpg file. Its effects also seem to be
innocuous."
-Mart
-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>
WAMUG is powered by Stalker CommuniGatePro
