Re: First self-propagating worm targeting Mac OS X

Sat, 18 Feb 2006 11:05:32 +0800 

Hi Mart,
i Dont think this is the motherload virus the Apple community has been dreading, i think its alot of the same hype we have seen before with opener et al, as i have stated previously, it requires alot of user interaction for a *virus* and i hesitate to call it that., by and large i would expect that Apple will patch this thing pretty quickly: 


as for antivius software: i like Clam AV, run it on 5 of my Servers 
here at Elproducto, it has a low overhead and is patched and updated 
regularly, i have also run it on Machines when i was at ECU, all in all 
i'm not convinced the CME-4, OSX/Leap trojan/worm/virus thing is 
anything new or anything to be overly concerned about, i would be more 
concerned that other malicious code writers will see all the hype and 
media about this thing and start to work out ways to exploit OS X, and 
during that process somebody will actually write something that is very 
dangerous and does serious damage to an OS X system.


from the ambrosia site:

You cannot be infected by this unless you do all of the following:


1) Are somehow sent (via email, iChat, etc.) or download the 
"latestpics.tgz" file


2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it

...and then for non-Admin users, it fails to infect most applications.


You cannot simply "catch" the virus. Even if someone does send you the 
"latestpics.tgz" file, you cannot be infected unless you unarchive the 
file, and then open it.


A few important points


-- This should probably be classified as a Trojan, not a virus, because 
it doesn't self-propagate externally (though it could arguably be 
called a very non-virulent virus)



-- It does not exploit any security holes; rather it uses "social 
engineering" to get the user to launch it on their system



-- If you're not running as an admin user, it will silently fail to 
infect most applications



-- It doesn't actually do anything other than attempt to propagate 
itself via iChat, and then only via Bonjour! (it does not sent itself 
over the Internet, rather just to your local Bonjour user list)



-- It has a bug in the code that prevents it from working as intended, 
which has the side-effect of preventing infected applications from 
launching


-- It's not particularly sophisticated


cheers

Nat

On Feb 17, 2006, at 3:31 PM, Martin Hill wrote:


Nat, as I mentioned, I agree with some of your points (though we might 
agree
to disagree on the corruption vs destruction point!), but I think the 
main

point is that here is the first evidence of Mac OS X malware that:
- does NOT in most cases need a password to run,
- that infects (and then because of a bug corrupts) other applications
- that attempts to self-replicate using Apple-specific IM software (the

virus author also apparently planned to implement eMail propagation as 
well,

"but never got around to writing that code")

and thus displays some of the features of a virus and a worm as well 
as a

trojan horse.


Whether it is terribly effective or not I think the fact remains that 
this
represents a significant new development in the small world of malware 
for
OS X.  We are now not talking about a simple trojan which lacks an 
automated

infection vector.

As such, I have finally decided to install Nortons AV on my Mac (it's 
site
licensed software here at Curtin) and realise that although the 
chances of
being infected by OS X malware is very low, the chances are now not 
zero

(particularly if you use iChat at the moment).


More to the point, proof-of-concept code such as this can be modified 
to

carry a much nastier payload down the road, so I think we need to be a

little more cautious now as Mac users - though of course we needn't be 
as

paranoid as PC users need to be.


Unfortunately we can't now brag that OS X has Zero Viruses/worms 
because it
is not really true anymore (semantic arguments notwithstanding!).  
However
we *can* brag about the 140,000 to 1 ratio of such malware when 
comparing
Windows to OS X and the fact that there are still zero recorded 
instances of
spyware and adware which all still adds up to a huge selling point for 
the

Mac.

-Mart


From: subscribe <[EMAIL PROTECTED]>
Date: Fri, 17 Feb 2006 14:22:51 +0800
To: WAMUG Mailing List <[email protected]>
Subject: Re: First self-propagating worm targeting Mac OS X

Mart

the only self mounting compressed files are SEA from OS9 and .dmg OS X


this only affects PPC running 10.4, it does not effect 10.3 or Core 
Duo

based machines


and it self propagates to other users in the iChat buddy list *if*  
its

shell script is executed

it does not destroy or modify anything, nor does it delete anything,
degrade performance, cause system instability or compromise any
security settings

so no i would not agree that  corrupting any application you run is
destructive

when you crash an application on OS X, is that destructive???

thats corruption, its different


cheers

Nat

On Feb 17, 2006, at 1:11 PM, Martin Hill wrote:


From: Martin Hill <[EMAIL PROTECTED]>

(2) unpack the tar.gz
(3) run the shell script that is inside


I understand these steps all happen automatically without requiring
human
intervention.  I don't think it negates the self-replicating dangers
of the
beast.


Actually, thinking more about this (not being an iChat user much
myself),
you probably are correct on this count, the user would have to
double-click
the compressed file and then open the terminal script file manually
with
current versions of Mac OS X.  I would hope Auto-decompress and
auto-open
shouldn't be enabled with iChat and the de-compression engine these
days!

As such you would hope this would give many users a warning that this
is no
ordinary file, but no password will be required normally and the
self-replication vector is still there so I think this is still a
serious
issue.


(4) type in an administrator password when the shell script asks 
for

it.


It also does NOT require a password if your account has admin
privileges
(root privileges NOT required).  Most Mac users I know are running
with
admin privileges enabled (the default option when OS X is installed)
so they
won't have the warning of having to type in a pwd.


hardly a virus ,



As various commentators have indicated, it is really a blended 
threat:

"Leap.A (CME-4) acts like a combination of a Trojan, virus and worm.
It acts
like a Trojan because it masquerades as a JPEG file, a virus because
it

attempts to infect executables, and a worm because it attempts to 
send

copies of itself to others via iCHAT. This last action is similar to
that of
an instant messaging worm on the Windows platform."

I wouldn't brush it off quite so quickly, particularly as it now
provides a
platform for more nasties to use as a base to do worse things.


Malware..?, yes its malicious but not destructive,



Corrupting any application you run is not destructive?  It may not 
be

as
nasty as deleting your home directory, but it still qualifies as
destructive
in my book.


it
requires so much user interaction, it looks like more of a social
engineering exercise or a proof of concept like opener was.


The only user interaction it requires is to accept the download of
the file
in iChat from what I've read.  If your trusted buddy on iChat sends
you what

looks like a jpeg file with the title "Mac OS X 10.5 screen shots" 
the

chances are you will click accept.  Yes?  We're not talking email
from some
unknown source here.


thoughts?


I've been the first to set the record straight on false Mac virus
scares in
the past, but it doesn't mean we should necessarily take this one
lightly.

The stats still stand at the following:

Microsoft Windows:
Viruses and Worms = 140,000 (Symantec Security Focus)
Spyware and Adware programs = 78,000 (www.pestpatrol.com)
Burrowers = 40 (www.pestpatrol.com)
80% of PCs infected with spyware (webroot.com)
2004 alone:
-  500 new Trojans (www.pestpatrol.com)
-  500 new keyloggers (www.pestpatrol.com)
-  1,287 new adware apps (www.pestpatrol.com)
-  7,360 new viruses and worms (symantec.com)

Mac OS X:
Viruses and Worms = 1
Spyware programs = 0
Adware = 0
Keyloggers = 0
Burrowers = 0
Trojans = 3  (symantec.com)
2004:
-  1 Rootkit (symantec.com)


With many of the thousands of Windows viruses and worms being far 
more

nasty compared to this fairly innocuous Mac worm, it is by no means
the end
of the world, but this is nonetheless the first truly credible
self-propagating threat to OS X.  I think we should finally start
looking at
firming up our malware strategies on the Mac just to be safe.

-Mart


cheers

Nat

On Feb 17, 2006, at 9:18 AM, Martin Hill wrote:


Well it has finally happened after all these years of commentators
crying
wolf.


The first bit of malware that attempts to spread itself to other 
Mac

users
has finally arrived on the scene.  Note this is not technically a
virus as

many articles are saying but it is also not just a simple trojan 
as

some Mac
users are saying.

To get infected a user has to click on what looks like a jpeg file
in a
message sent through Apple's iChat program so it requires user
intervention,
but as it then attempts to infect other applications - they get
corrupted
due to a bug.  It then attempts to send copies of itself to all
users
in the
buddy list of the infected user if they use the iChat software.

This malware also does not require the affected user to enter a
password if
they are an admin user (or if they are a root user) - it only asks
for
a
password if they have been intentionally set up as a user without
admin
privileges.  As a default install of OS X automatically gives the
main
user
admin privs, most users will not be asked for a password as this
worm
installs itself.

Although it does not delete files or do any other nasty things, it
looks
like other nasty hackers could modify this initial code to cause
more
damage.

Looks like we had all finally better start installing and using
anti-virus
software on our Macs (particularly if you use (Apple's iChat
software).

Symantec's Description of this worm (which they call "OSX.Leap.A"
also
known
as the "Oompa Loompa" worm):
http://securityresponse.symantec.com/avcenter/venc/data/
osx.leap.a.html

The stats still stand at the following:

Windows Viruses/worms = 140,000
Mac OS X worms = 1


With many of the thousands of Windows viruses and worms 
particularly

nasty
compared to this fairly innocuous Mac worm, it is by no means the
end
of the
world, but this is nonetheless the first truly credible threat to
OS X.

Here are the details from MacFixit:
http://www.macfixit.com/article.php?story=20060216075452766

"Protective method: Setting iChat to not automatically accept
incoming
files
In order to protect against the unintended acquisition of this
malware, it
is recommended that you set iChat to notify the user before
accepting a
file. This is accomplished by opening iChat's preferences, then
clicking the
"Messages" tab, and selecting "Confirm before sending files." This
is
the
default setting for a fresh Mac OS X installation.

And remember, be very cautious with supplying your administrator
password to
system prompts. You should never be asked to enter your
administrator
password to open a .jpg file (as in the above case). Provide your
administrator password only to trusted applications.

In fact, you should avoid being logged in as an administrator
whenever
possible. Instead, use a standard user account for daily tasks.


Andrew Welch of Ambrosia Software has discovered and described a 
new

piece
of malware for Mac OS X dubbed the "Oompa-Loompa Trojan
(OSX/Oomp-A)"


The malware was posted as "latestpics.tgz" to a Mac rumors web 
site,

claiming to be pictures of "Mac OS X Leopard" (an upcoming version
of
Mac OS
X.

Andrew writes:

"When unarchived (it is a gzip-compressed tar file), which can be
done
by
simply double-clicking on the file, it appears to be a JPEG file
because
someone pasted the image of a JPEG file onto the file.


"After it's been unzipped, tar will tell you there are two files 
in

the
archive:

    * ._latestpics
    * latestpics

"The ._latestpics is just the resource fork of the file, which
contains the
pasted in custom icon meant to fool people into double-clicking on
it
to (in
theory) open the JPEG file for viewing. In actuality,
double-clicking
on it
will launch an executable file.

"The file 'latestpics' is actually a PowerPC-compiled executable
program,
with routines such as:

    * _infect:
    * _infectApps:
    * _installHooks:
    * _copySelf:

"A few important points

    * This should probably be classified as a Trojan, not a virus,
because
it doesn't self-propagate externally

    * It does not exploit any security holes; rather it uses 
"social

engineering" to get the user to launch it on their system
    * It requires the admin password if you're not running as an
admin
user
    * It doesn't actually do anything other than attempt to
propagate
itself
via iChat
    * It has a bug in the code that prevents it from working as
intended,
and has the side-effect of preventing infected applications from
launching
    * It's not particularly sophisticated

"Here's what it does if a user double-clicks on the file, or
otherwise
executes it:

   1. It copies itself to /tmp as "latestpics"
   2. It recreates its resource fork in /tmp (with the custom icon
in
it)

from an internally stored gzip'd copy, then sets custom icon bit 
for

the new
file in /tmp
   3. It then tar + gzips itself so a pristine copy of itself in
.tgz
format
is left in /tmp

   4. It renames itself from "latestpics.tar.gz" to 
"latestpics.tgz"

then

deletes the copied "latestpics" executable from /tmp (This gives 
it

a
pristine copy of itself, for later transmission)
   5. It extracts an Input Manager called "apphook.bundle" that is
embedded
in the macho executable, and copies it to /tmp
   6. If your uid = 0 (you're root), it creates
/Library/InputManagers/ ,
deletes any existing "apphook" bundle in that folder, and copies
"apphook"
from /tmp to that folder; If your uid != 0 (you're not root), it
creates

~/Library/InputManagers/ , deletes any existing "apphook" bundle 
in

that
folder, and copies "apphook" from /tmp to that folder
   7. When any application is launched, Mac OS X loads the newly
installed
"apphook" Input Manager automatically into its address space (This
allows it
to have the code in the "apphook.bundle" injected into any
subsequently
launched application via the InputManager mechanism)
   8. When an application is subsequently launched, the
"apphook.bundle"
Input Manager then appears to try to send the pristine
"latestpics.tgz" file
in /tmp to people on your buddy list via iChat (who will then
presumably
download the file, double-click on it, and the cycle repeats) (It
looks like

the author intended to get it to send the "latestpics.tgz" file 
out

via
eMail as well, but never got around to writing that code) -- This
lets
it

send itself to people on your buddy list via iChat; this appears 
to

be
the
only way it self-propagates externally
   9. It then uses Spotlight to find the 4 most recently used
applications
on your machine that are not owned by root

  10. In an apparent "Charlie and the Chocolate Factory" 
reference,

it
then

checks to see if the xattr 'oompa' of the application executable 
is



0...
if so, it bails out, to prevent it from re-infecting an already
infected
application
  11. If not, it sets the xattr 'oompa' of the application
executable
to be
'loompa' (this does nothing, it is just a marker that it has
infected
this
app)

  12. It then copies the application executable to its own 
resource

fork,
and replaces the executable with itself -- It has thus effectively
injected
its code in the host application

  13. When an application is launched from then on, the trojan 
code

is

executed, and it tries to re-infect and re-propagate every time 
that

application is launched

  14. It then does an execv on the resource fork of the 
executable,

which is

the original application, so the application launches as it 
normally

would
(in theory... see below)

[...]

"In the end, it doesn't appear to actually do anything other than
try
to
propagate itself via iChat, and unintentionally prevent infected
applications from running

"It seems that this is more of a 'proof of concept' implementation
that

could be utilized to actually do something in the future, 
depending

on
how
successful it is, or it was simply done to garner attention/press.
Which I'm
sure it'll get.

As noted by Andrew, this particular piece of malware requires
user-initiated

action to run, and also requires the user to enter an 
administrator

password

(if you are logged in as a non-admin user) -- something that 
should

never be
required for opening a .jpg file. Its effects also seem to be
innocuous."

-Mart




-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>

Guidelines - 
<http://www.wamug.org.au/mailinglist/guidelines.shtml>

Unsubscribe - <mailto:[EMAIL PROTECTED]>

WAMUG is powered by Stalker CommuniGatePro



-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>

WAMUG is powered by Stalker CommuniGatePro






-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>

WAMUG is powered by Stalker CommuniGatePro






-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>

WAMUG is powered by Stalker CommuniGatePro



-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>

WAMUG is powered by Stalker CommuniGatePro






-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>

WAMUG is powered by Stalker CommuniGatePro