Not yet...

Feb 17, 2006 13:10 GMT

Once again, the Internet is ablaze with news of the first OS X virus in the wild, infecting Macs all over the world. This is a perfect example of misinformation.

First, a bit of background information. The program in question, referred to as "Leap-A", "OSX/Oompa-A" and the "Oompa Loompa Trojan Horse", was originally posted on a Mac rumors site, in an archive file named "latestpics.tgz". This archive claimed to contain pictures of Mac OS X Leopard. Once downloaded and opened, the archive would yield what looked like an image file, which, upon opening, would ask for the administrator password (if the user was already logged in as an administrator the password prompt would not take place). Once given everything it needed, the program would place itself in a secure location on the user's computer, propagate itself when other applications were opened and attempt to send itself out via the iChat buddy list. Sadly enough, the program cannot even accomplish this, as a fault in it renders all infected applications unusable.

The first issue to be addressed here is that this is not a virus, but rather a Trojan. "Apple and outside analysts said the program, referred to as Leap-A, is not a 'virus' per se. Rather, it 'requires a user to download the application and execute the resulting file,'" Apple said in a statement to CNET News.com.

A computer virus, much like the biological version, infects the user without the user's interaction or awareness, and then proceeds to replicate and spread without the user's awareness and interaction. This program requires the user to download it, at which point, if using Safari, Apple's own default Mac browser, you will be warned that you are downloading a program and asked if you wish to continue. Then the user needs to open the archive. At this point the user is shown what appears to be an image file, but, when opened, it asks for an administrator password, something that only applications do. To continue the biological analogy, it is the computer equivalent of going out and asking for a syringe, and having someone tell you: "Be careful, this is a used syringe!" Ignoring the warning that the syringe is used, the user then proceeds to remove the plastic cover that hides the needle and inserts that needle into his or her skin, thus becoming infected by a virus.

"Leap-A" is not a virus but a Trojan: it presents itself as something else and fools the user into using it. It makes use of what is referred to as "social engineering", and does not exploit any inherent weaknesses or vulnerabilities in OS X itself. It is the equivalent of a stranger walking up to you on the street and asking for your credit card details: if you are foolish enough to give a total stranger that information, it does not mean that the bank and credit card system is at fault for letting a total stranger make off with your money; the fault lies with the user for ignoring all the common-sense warnings and giving a foreign application the right to do whatever it wants.

"It's not really news as far as threats go," said Ray Wagner, a senior vice president in Gartner's information security group. "It is news because it targets OS X, and as far as I know, it's certainly the first OS X malicious content in the wild that's been noted at this point."

The second issue to be addressed here is that this is not the first Trojan to have ever been available on OS X. There have been several, starting with one that was disguised as Office:Mac and distributed through peer-to-peer file-sharing networks, which would erase the entire contents of a user's home directory. These Trojans, much like the current one, did not exploit any inherent vulnerability in OS X, but rather the user's gullibility. As far as OS X Trojans go, this is neither the first nor the last. The two reasons that so many call this the first major threat on OS X are that OS X is indeed getting a lot more attention these days, and that such Trojans have never been able to spread and cause damage to any significant degree. The user cannot be "infected" without his or her interaction; thus, the amount of damage such a Trojan can do is very limited indeed.

Of the "OSX/Oompa-A" Trojan itself, Andrew Welch of Ambrosia Software reports on the investigative work of Ed Wynne and Glenn Anderson, verbatim from the Ambrosia Forums:

You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for non-Admin users, it fails to infect most applications. You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

A few important points:
-- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)
-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system
-- If you're not running as an admin user, it will silently fail to infect most applications
-- It doesn't actually do anything other than attempt to propagate itself via iChat
-- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching
-- It's not particularly sophisticated

A good rule of thumb is: if your user account allows you to install an application without entering your password, then this trojan/virus can modify (infect) that application without you entering a password. Regardless, it can install the "apphook" InputManager portion of its payload no matter what type of user account you have (admin or non-admin).

To be on the safe side... DO NOT DOWNLOAD OR RUN THIS FILE

When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file. After it's been unzipped, tar will tell you there are two files in the archive:

._latestpics latestpics

...the ._latestpics is just the resource fork of the file, which contains the pasted in custom icon meant to fool people into double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.

The file "latestpics" is actually a PowerPC-compiled executable program, with routines such as: _infect: _infectApps: _installHooks: _copySelf:

Here's what it does if a user double-clicks on the file, or otherwise executes it:
1) It copies itself to /tmp as "latestpics"
2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip'd copy, then sets the custom icon bit for the new file in /tmp
3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
4) It renames itself from "latestpics.tar.gz" to "latestpics.tgz" then deletes the copied "latestpics" executable from /tmp
--This gives it a pristine copy of itself, for later transmission.--
5) It extracts an Input Manager called "apphook.bundle" that is embedded in the macho executable, and copies it to /tmp
6a) If your uid = 0 (you're root), it creates /Library/InputManagers/, deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder
6b) If your uid != 0 (you're not root), it creates ~/Library/InputManagers/, deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed "apphook" Input Manager automatically into its address space
--This allows it to have the code in the "apphook.bundle" injected into any subsequently launched application via the InputManager mechanism--
8a) When an application is subsequently launched, the "apphook.bundle" Input Manager then appears to try to send the pristine "latestpics.tgz" file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats).
8b) (It looks like the author intended to get it to send the "latestpics.tgz" file out via eMail as well, but never got around to writing that code)
--This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally--
9) It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
10) In an apparent "Charlie and the Chocolate Factory" reference, it then checks to see if the xattr 'oompa' of the application executable is > 0... if so, it bails out, to prevent it from re-infecting an already infected application
11) If not, it sets the xattr 'oompa' of the application executable to be 'loompa' (this does nothing, it is just a marker that it has infected this app)
12) It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan
nb: If run via double-clicking on the file, and the user doesn't have privileges to modify an application, it silently fails. If run via the command line, it will ask for the admin password if it encounters an application for which it doesn't have privileges to modify.
--It has thus effectively injected its code in the host application--
13) When an infected application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate itself to other applications
14) It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory... see below)
15) Due to a bug in its code for executing the original app from its resource fork (it is only allocating a buffer 4 bytes bigger than the path when appending "/..namedfork/rsrc" to the path), it will stop any app it infects from running. Instead of adding the length of the string, it errantly adds the length of the pointer to the string, which is always 4 bytes.

In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running. It seems that this is more of a "proof of concept" implementation that could be utilized to actually do something in the future, depending on how successful it is, or it was simply done to garner attention/press. Which I'm sure it'll get.
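A defender-side check for the artifacts the forum write-up enumerates, added here as an example and not code from Ambrosia, Apple or the article: it scans a filesystem root for the "apphook" Input Manager bundle (steps 6a/6b), the staged copy in /tmp (steps 1-4) and the oompa=loompa extended-attribute marker on application executables (steps 10-11). Assumptions not taken from the page: the standard .app bundle layout (Contents/MacOS/<executable>) and an injected xattr reader, so the scan runs against a constructed directory tree on any OS.

```python
import os
import tempfile
from typing import Callable, Dict, List, Optional, Tuple

# Extended-attribute reader, injected so the scan runs on any OS against a constructed tree.
XattrReader = Callable[[str, str], Optional[bytes]]

def scan_for_oompa(root: str, home: str, read_xattr: XattrReader) -> List[str]:
    """Return sorted indicator hits for the Oompa-A artifacts described in the write-up."""
    hits: List[str] = []
    # Steps 6a/6b: the Input Manager is dropped system-wide (root) or per-user (non-root).
    for lib in (os.path.join(root, "Library"), os.path.join(home, "Library")):
        hook = os.path.join(lib, "InputManagers", "apphook.bundle")
        if os.path.exists(hook):
            hits.append("inputmanager:" + hook)
    # Steps 1-4: a pristine copy of the dropper is staged in /tmp for iChat transmission.
    for name in ("latestpics", "latestpics.tgz"):
        staged = os.path.join(root, "tmp", name)
        if os.path.exists(staged):
            hits.append("staged-copy:" + staged)
    # Steps 10-11: infected app executables carry the xattr oompa=loompa marker
    # (assumes the standard .app layout, Contents/MacOS/<executable>).
    for dirpath, _, files in os.walk(os.path.join(root, "Applications")):
        if os.path.basename(dirpath) == "MacOS":
            for f in files:
                exe = os.path.join(dirpath, f)
                if read_xattr(exe, "oompa") == b"loompa":
                    hits.append("infected-app:" + exe)
    return sorted(hits)

def build_constructed_tree() -> Tuple[str, str, XattrReader]:
    """Constructed sample: a fake root with one hit of each kind plus one clean app."""
    root = tempfile.mkdtemp(prefix="oompa-demo-")
    home = os.path.join(root, "Users", "alice")
    fake_xattrs: Dict[str, Dict[str, bytes]] = {}
    def touch(path: str, xattrs: Optional[Dict[str, bytes]] = None) -> None:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        if xattrs:
            fake_xattrs[path] = xattrs
    touch(os.path.join(home, "Library/InputManagers/apphook.bundle/Info.plist"))
    touch(os.path.join(root, "tmp/latestpics.tgz"))
    touch(os.path.join(root, "Applications/Safari.app/Contents/MacOS/Safari"), {"oompa": b"loompa"})
    touch(os.path.join(root, "Applications/Mail.app/Contents/MacOS/Mail"))  # clean control
    return root, home, lambda path, name: fake_xattrs.get(path, {}).get(name)

def demo() -> List[str]:
    # Expected: one inputmanager, one staged-copy and one infected-app hit; Mail stays clean.
    root, home, reader = build_constructed_tree()
    return scan_for_oompa(root, home, reader)
```

On a real Mac the injected reader would wrap the `xattr -p` command, and the scan would be pointed at "/" and the user's home directory.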