|Feb 20, 2006, 10:23 PM||#1|
Fears over new Mac OS X trojan unfounded
Category: Mac OS X
Link: Fears over new Mac OS X trojan unfounded
Description: It's a fairly harmless bit of code, and some have described it as a proof of concept. Leap-A hardly marks any sort of advance in Mac malware, as it's less harmful than the May 2004 script and lacks the ability to self-propagate.
Posted on MacBytes.com
Approved by Mudbug
|Feb 20, 2006, 10:54 PM||#2|
Are there any reports of Leap-A actually spreading itself from one Mac to another in the wild?
I would think it likely that it never spread in the wild even once, since it can't transmit over the Internet, only by Bonjour (which is disabled by default).
|Feb 20, 2006, 11:35 PM||#3|
Leap-A was cut off before it got to many users and never really had a chance to try spreading itself. As we now know, it would have had a hard time going very far in any case.
But I wouldn't call it a "proof of concept" because it wasn't intended as a demonstration, but (apparently) as a real invasion that once activated would spread like a virus.
The ars technica article is researched and well-written, while the one at be.sys-con.com with the misleading headline "First Mac OS X Worm, Virus Found" is not.
|Feb 21, 2006, 02:46 AM||#4|
"It turns out that Leap-A will only send itself out via iChat under a very specific set of circumstances:
* You must be using Bonjour iChat, not Internet-based iChat. That’s right. If you're using iChat in the way that probably 99 percent of us do, you’ll never see this file being sent from an infected buddy. Leap-A will only send itself to others on your Bonjour buddy list. This is why Kirk and I were never able to get the malware to do its thing—we were not conversing via Bonjour. It sounds amazingly simple, but we spent quite a bit of time trying to figure this out before someone at Intego pointed out that it was limited to Bonjour networks."
"So it seems the “iChat transmission” aspect of the Leap-A malware has been greatly overstated—unless you use Bonjour iChat, you’ll never see it arriving on your machine in this manner."
Detailed test done here
|Feb 21, 2006, 02:55 AM||#5|
And therefore, even if you DO have Bonjour enabled in iChat, you'll still never see it unless someone on your LAN manually downloaded and installed it... and has you in their Bonjour buddy list (not the main buddy list).
And both parties have numerous chances to catch the problem--especially when it gets sent. (A chat request from a friend... but they don't answer back?? And they've gzipped an image instead of just sending it??) The problem is even more obvious once the virus IS running: infected apps don't launch. You wouldn't be running this one blind and spreading it unawares.
To my understanding, here are the steps you must meet in order for Leap-A to spread to your computer:
1. You must be an iChat user, and iChat must be set to Available (sometimes you must set to Available repeatedly before the "virus" will even notice).
2. You must have activated Bonjour in iChat (which is off by default and used by very few people).
3. You must be connected to a LAN (Leap-A cannot spread over the Internet) and in the same subnet as other iChat Bonjour users who are currently online.
4. One of those users must have you on their Bonjour buddy list (not the main iChat buddy list).
5. One of those iChat buddies must have previously manually activated the virus themselves by these same steps.
6. The file the "virus" offers through Bonjour must not be corrupt. (The virus has a bug which sometimes corrupts its own file, rendering it harmless.)
7. You must accept the file that the "virus" offers via Bonjour: you must believe you are actually chatting with a buddy (even though the virus sends no message with the file), and believe the buddy has sent you a legitimate picture that you wish to view (even though the file is clearly an archive and not directly an image--it doesn't even have an image icon at this stage).
8. You must double-click the downloaded file to extract the program.
9. You must then double-click the program as well (dropping it into an image viewer or using Open With will not trigger it).
10. If you are not an admin user, you must provide the virus with an admin username and password when prompted.
11. The virus only attempts to infect the four apps most recently used when it launches.
12. Only apps owned by the currently logged-on user are infected. Applications owned by the system (such as those that came with the machine or those installed by the Apple installer) are immune.
13. Only Cocoa-based apps are infected. If none of the most recent four are Cocoa, no infection occurs. (And if they are Cocoa but already infected, the virus doesn't seem to look any further.)
If ALL of the above are true, the "virus" could in theory spread itself--with the help of you AND the sending party--to your Mac.
|Feb 21, 2006, 06:18 AM||#6|
Mac <- Macintosh <- McIntosh apples <- John McIntosh <- McIntosh surname <- "Mac an toshach" <- "Son of the Chief"