Fears over new Mac OS X trojan unfounded


MacBytes
Feb 20, 2006, 10:23 PM

Category: Mac OS X
Link: Fears over new Mac OS X trojan unfounded (http://www.macbytes.com/link.php?sid=20060220232357)
Description: It's a fairly harmless bit of code, and some have described it as a proof of concept. Leap-A hardly marks any sort of advance in Mac malware, as it's less harmful than the May 2004 script and lacks the ability to self-propagate.

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

nagromme
Feb 20, 2006, 10:54 PM
Are there any reports of Leap-A actually spreading itself from one Mac to another in the wild?

I would think it likely that it never spread in the wild even once, since it can't transmit over the Internet, only by Bonjour (which is disabled by default).

Doctor Q
Feb 20, 2006, 11:35 PM
Leap-A was cut off before it got to many users and never really had a chance to try spreading itself. As we now know, it would have had a hard time going very far in any case.

But I wouldn't call it a "proof of concept" because it wasn't intended as a demonstration, but (apparently) as a real invasion that once activated would spread like a virus.

The Ars Technica article is researched and well-written, while the one at be.sys-con.com with the misleading headline "First Mac OS X Worm, Virus Found" is not.

winmacguy
Feb 21, 2006, 02:46 AM
"It turns out that Leap-A will only send itself out via iChat under a very specific set of circumstances:

* You must be using Bonjour iChat, not Internet-based iChat. That’s right. If you're using iChat in the way that probably 99 percent of us do, you’ll never see this file being sent from an infected buddy. Leap-A will only send itself to others on your Bonjour buddy list. This is why Kirk and I were never able to get the malware to do its thing—we were not conversing via Bonjour. It sounds amazingly simple, but we spent quite a bit of time trying to figure this out before someone at Intego pointed out that it was limited to Bonjour networks."

"So it seems the “iChat transmission” aspect of the Leap-A malware has been greatly overstated—unless you use Bonjour iChat, you’ll never see it arriving on your machine in this manner."
Detailed test done here
http://www.macworld.com/news/2006/02/17/leapafollow/index.php?lsrc=mwrss

nagromme
Feb 21, 2006, 02:55 AM
And therefore, even if you DO have Bonjour enabled in iChat, you'll still never see it unless someone on your LAN manually downloaded and installed it... and has you in their Bonjour buddy list (not the main buddy list).

And both parties have numerous chances to catch the problem--especially when it gets sent. (A chat request from a friend... but they don't answer back?? And they've gzipped an image instead of just sending it??) The problem is even more obvious once the virus IS running: infected apps don't launch. You wouldn't be running this one blind and spreading it unawares.

To my understanding, here are the steps you must meet in order for Leap-A to spread to your computer:

1. You must be an iChat user, and iChat must be set to Available (sometimes you must set to Available repeatedly before the "virus" will even notice).

2. You must have activated Bonjour in iChat (which is off by default and used by very few people).

3. You must be connected to a LAN (Leap-A cannot spread over the Internet) and in the same subnet as other iChat Bonjour users who are currently online.

4. One of those users must have you on their Bonjour buddy list (not the main iChat buddy list).

5. One of those iChat buddies must have previously manually activated the virus themselves by these same steps.

6. The file the "virus" offers through Bonjour must not be corrupt. (The virus has a bug which sometimes corrupts its own file, rendering it harmless.)

7. You must accept the file that the "virus" offers via Bonjour: you must believe you are actually chatting with a buddy (even though the virus sends no message with the file), and believe the buddy has sent you a legitimate picture that you wish to view (even though the file is clearly an archive and not directly an image--it doesn't even have an image icon at this stage).

8. You must double-click the downloaded file to extract the program.

9. You must then double-click the program as well (dropping it into an image viewer or using Open With will not trigger it).

10. If you are not an admin user, you must provide the virus with an admin username and password when prompted.

11. The virus only attempts to infect the four apps most recently used when it launches.

12. Only apps owned by the currently logged-on user are infected. Applications owned by the system (such as those that came with the machine or those installed by the Apple installer) are immune.

13. Only Cocoa-based apps are infected. If none of the most recent four are Cocoa, no infection occurs. (And if they are Cocoa but already infected, the virus doesn't seem to look any further.)

If ALL of the above are true, the "virus" could in theory spread itself--with the help of you AND the sending party--to your Mac.
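Step 12 above is the one a defender can act on: only app bundles owned by the logged-in user are within reach of a user-level infector like the one described, so a quick audit of which bundles in an Applications folder are owned (or writable) by the current account shows the exposed set. This is an added example, not code from the thread or from any of the articles it links; the directory layout (`Name.app/Contents/MacOS`) is the standard bundle layout, and the scan directory is a parameter so it can be pointed at a test folder.

```python
"""Audit .app bundles for exposure to user-level modification.

Added example (not from the forum thread). Bundles owned by the current
user, or world-writable, are the ones a process running as that user
could alter; root-owned bundles installed by the system are out of reach.
"""
import os
import stat
import sys
from pathlib import Path


def audit_app_bundles(apps_dir, uid=None):
    """Return [(bundle name, reason)] for bundles a user-level process could modify.

    apps_dir: directory to scan (/Applications on a real Mac; a temp dir in tests).
    uid: user id to evaluate against; defaults to the current process uid.
    """
    uid = os.getuid() if uid is None else uid
    findings = []
    for bundle in sorted(Path(apps_dir).glob("*.app")):
        exe_dir = bundle / "Contents" / "MacOS"
        # Check the executable directory when the bundle has the standard
        # layout, otherwise the bundle directory itself.
        target = exe_dir if exe_dir.is_dir() else bundle
        st = target.stat()
        if st.st_uid == uid:
            findings.append((bundle.name, "owned by uid %d" % uid))
        elif st.st_mode & stat.S_IWOTH:
            findings.append((bundle.name, "world-writable"))
    return findings


if __name__ == "__main__":
    # Default to /Applications; pass another directory as the first argument.
    scan_dir = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for name, reason in audit_app_bundles(scan_dir):
        print("%s: %s" % (name, reason))
```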

whooleytoo
Feb 21, 2006, 06:18 AM
The Ars Technica article is researched and well-written, while the one at be.sys-con.com with the misleading headline "First Mac OS X Worm, Virus Found" is not.

I thought the Arstechnica article (unusually) was poorly written - the author seems to have no idea of the distinction between a worm, trojan and virus and interchangeably refers to Leap-A as all three.