Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.
The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users' buddy list. When the latestpics.tgz archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.
The worm uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files. "Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant for Sophos. "Mac users shouldn't think it's okay to lie back and not worry about viruses."
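The "oompa" marker described above is also a handy detection hook: any executable whose resource fork carries that string has been touched by the worm. The following scanner is an added example written for this page (it is not Sophos's or Apple's tooling). It assumes the resource fork is reachable at the usual HFS+/APFS path `<file>/..namedfork/rsrc`, that only files with the execute bit set are worth checking, and that `/Applications` is the root a user would scan; the `demo()` helper uses a constructed temp directory with a simulated fork table so it runs on any OS.

```python
"""Added example: scan Mac OS X executables for the "oompa" infection marker
that, per the Sophos write-up above, OSX/Leap-A stores in the resource fork
of programs it has infected. Detection code written for this page, not
Sophos's or Apple's tooling."""
import os
import tempfile
from typing import Callable, Iterator, List, Optional

MARKER = b"oompa"  # infection marker named in the write-up

ForkReader = Callable[[str], Optional[bytes]]


def read_resource_fork(path: str) -> Optional[bytes]:
    """Return the resource fork of `path`, or None if there is none.

    HFS+ and APFS expose a file's resource fork at <path>/..namedfork/rsrc;
    on other filesystems that path simply does not exist (assumption: the
    scan is run on a Mac volume).
    """
    fork_path = os.path.join(path, "..namedfork", "rsrc")
    try:
        with open(fork_path, "rb") as f:
            return f.read()
    except OSError:  # no fork, not macOS, or unreadable
        return None


def has_marker(fork: Optional[bytes], marker: bytes = MARKER) -> bool:
    """True if the fork contents carry the infection marker."""
    return fork is not None and marker in fork


def candidate_binaries(root: str) -> Iterator[str]:
    """Yield executable regular files under `root` (e.g. /Applications).

    Leap-A infects application binaries, so files with the execute bit set
    are the ones worth checking; everything else is skipped.
    """
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and os.access(path, os.X_OK):
                yield path


def scan(root: str, read_fork: ForkReader = read_resource_fork) -> List[str]:
    """Return the sorted paths under `root` whose resource fork holds the marker."""
    return sorted(p for p in candidate_binaries(root) if has_marker(read_fork(p)))


def demo() -> List[str]:
    """Constructed sample: two executables in a temp dir, one 'infected'.

    Resource forks are simulated with a lookup table so the example runs on
    any OS; on a real Mac, call scan("/Applications") with the default reader.
    """
    with tempfile.TemporaryDirectory() as root:
        macos_dir = os.path.join(root, "Demo.app", "Contents", "MacOS")
        os.makedirs(macos_dir)
        for name in ("Clean", "Infected"):
            path = os.path.join(macos_dir, name)
            with open(path, "wb") as f:
                f.write(b"\xcf\xfa\xed\xfe")  # Mach-O 64-bit magic, constructed stub
            os.chmod(path, 0o755)
        fake_forks = {
            "Clean": b"\x00" * 16,                       # ordinary resource data
            "Infected": b"\x00" * 8 + MARKER + b"\x00",  # marker planted by the worm
        }

        def fake_reader(p: str) -> Optional[bytes]:
            return fake_forks.get(os.path.basename(p))

        return [os.path.basename(p) for p in scan(root, fake_reader)]


if __name__ == "__main__":
    print(demo())  # ['Infected']
```

The marker check is deliberately a plain substring match: Leap-A writes the literal text into the fork, so no parsing of the resource map is needed, and a missing or unreadable fork is treated as clean rather than as an error so a scan over a whole volume does not abort on the first odd file.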
View: Details on OSX/Leap-A Virus
News source: Sophos Antivirus

This virus does, I never disputed that. My point was that you could have a virus very much like this able to do very nasty things to your data without needing the admin password. Not only could it use iChat, as the post above me pointed out, it could open arbitrary TCP connections to "call home" and send whatever interesting information it found on your computer.
The only reason this virus requires the admin password is because it tries to register itself as an application; which in my opinion was a mistake made by the creator. It wouldn't take much tweaking for it not to require the admin password.
If it does try to propagate through iChat, Bonjour has to be enabled (which it isn't, by default) and even then it can only spread over a LAN network, so there's not much chance of any mass-infection.
"it could open arbitrary TCP connections to "call home" and send whatever interesting information it found on your computer"
Not really, that's not what this virus/worm/trojan/(whatever we're calling it) does.
"The only reason this virus requires the admin password is because it tries to register itself as an application; which in my opinion was a mistake made by the creator. It wouldn't take much tweaking for it not to require the admin password."
Be Apple's guest, try to make it so. Tell us when you succeed.
Care to explain how it's restricted to a LAN?
Nice FUD, if you want to bring facts with you then perhaps people will care what you have to say. The fact is that Code Red was the last virus able to infect a fully patched Windows system without user intervention and it pre-dates Windows XP. Blaster and other similar viruses were written by people who analyzed published patches to figure out what was fixed and then tried to exploit unpatched systems. Blaster was 2 1/2 years ago and it was only able to infect computers over a month out of date and not using a firewall.
This is my point. Yes, there are a lot of viruses going around for Windows, but they don't exploit a security hole, they exploit gullible users, just as this Mac virus attempts to do.
Trojan.Leap.A made it into ClamAV's virus definitions. Update your definitions now to enable ClamXav to detect it
Plus weren't people complaining when there WAS Apple news in the main section?
Anyway, I don't see it as much as a threat, seeing as it doesn't actually do anything. (Plus you have to type in your password just to "run" it)
I'll be glad when the hype about this very low risk dies down...
Do you actually believe what you're writing?
It's not like there aren't Mac OS X antiviruses.
True, they are intended to stop viruses on other platforms, but I'm sure definitions can be easily updated to catch this.
If you work for a business, ask to see if they offer McAfee Virex.
1) Are somehow sent (via email, iChat, etc.) the "latestpics.tgz" file, or download it
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for most users, you must also enter your Admin password.
It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system. It requires the admin password if you're not running as an admin user. It doesn't actually do anything other than attempt to propagate itself via iChat. It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching. It's not particularly sophisticated.
Mac OS X virus count: 0
PS. It is good to not run a computer as an admin, but don't fool yourself into thinking that makes you safe. A program (such as a virus) doesn't need admin rights to do things such as access all the files in your home directory (or anywhere else on the drive you have access to), use the TCP/IP stack or interact with other programs running under your username.
"Apple released a patch against the vulnerability in mid 2005..."
So basically the second "virus" (not really a virus, since it too needs the Admin password, which should never be given to unknown programs) won't do anything, especially considering it uses bluetooth to spread. So now we have two malicious programs that won't do anything if the user is smart enough not to decompress it, open it, and type in the admin password. Ooooooo, so dangerous.
I decided to read them to give you a chance, but your arguments aren't great; specifically your definition of a virus seems a bit off.
The existence of a virus really has nothing to do with the security of an OS. The job of an OS is to run the programs its user asks it to; if its user asks it to run code that does bad things then it will do just that.
Yes, there have been a few self-replicating viruses for Windows which represented security flaws in the OS. I can only think of two big ones in the last 6 years, and one of those (the Blaster) only worked on computers which didn't have the latest patches installed. Neither of them would have worked if the user was running a firewall.
Of course, an OSX fanboy may come up with something like "the day this 1 virus came out for OSX, 500 came out for Windows", which would also be irrelevant, as about ZERO of those 500 viruses would affect a fully patched XP SP2 system, just as this worm affects a marginal amount of OSX users that know what they're doing.
I know a few who have OSX based computers; all of them on admin accounts and yes, they know their stuff. It isn't about the OS; it's about the user running it using the account that was given to them when it was sold. n00bs won't know what an admin/restricted account is so they'll just go back to the store and bitch about how OSX won't let them install X program and techs will just make the account with admin rights and be done with it.
Apple isn't secure because it lacks users. Windows Vista was still in the private beta stages with only 10 000 users when it got its first virus. Apple has over 20 000 000 users right now, at the time when this so-called 'virus' came out. Security via obscurity? I think not.
MajinDark: "Whether or not this leads to more severe malware being written to exploit vulnerabilities that have not been patched yet..."
You can't exactly patch peoples' stupidity. That's the 'vulnerability' here. And not having a patched system and giving the admin password to an unknown program are not the same thing, not even close.
10,000 users now, billions in 2 years. Don't you think it makes sense from a spammer / VXer point of view to start researching now, given the potential user base (maybe potential is the wrong word, as it's almost a given that it will be huge).
As several people have told you, this is no different from the majority of Windows based malware; social engineering is powerful (just call me Kevin).
I would also argue that having an unpatched system and giving an untrusted app any password are actually probably both indicative of a less skilled user; given both XP SP2 and OS X 10.4 have frequently scheduled automatic updates out of the box, so if it's failed it means either they've turned it off, they've trusted some kid who thinks he knows it all, or it's an unpatched vulnerability. The latter is pretty rare comparatively, thanks to responsible disclosure.
But enough about that, let's look at this logically. Apple has... 5% of the computer market? Who knows, statistics are usually off anyway. We'll assume 5%. Even if Apple has only 5% of users, and its market share is increasing while Microsoft's is slowly decreasing, shouldn't Apple have about 5% of the malware? If not at least 1%, then? 1% of all malware seems reasonable for a 5%-market share OS. But for some reason it doesn't. It doesn't even have 0.1% of all malware. Sure, there's been 'proof-of-concept' prototype-like malware, but nobody's ever done anything with it other than say "the potential is there, buy our security software". Can you explain any of it, logically?
Hmmm... If I was a 'malware' writer would I want to infect 5% of the market or 95% of the market...
and likewise... If I was a 'malware' writer wouldn't it be wise to plan ahead and write malware for Vista...
The way I see it - more people use Windows and thus more people target Windows
And your second paragraph.. yes it can be explained logically....... Apple OS X has stricter permissions control (among other things) than Windows XP. It makes a far trickier target. Where exactly do you see me denying that? Is your high horse so comfortable that you refuse to get down?
Again I'll restate: You are FAR too defensive, there's no need... we are all on the same side here believe it or not.
Last edited by Jon on 21 Feb 2006 - 10:18