Old Feb 20, 2006, 10:23 PM   #1
MacBytes
macrumors bot
Join Date: Jul 2003
Fears over new Mac OS X trojan unfounded

Category: Mac OS X
Link: Fears over new Mac OS X trojan unfounded
Description: It's a fairly harmless bit of code, and some have described it as a proof of concept. Leap-A hardly marks any sort of advance in Mac malware, as it's less harmful than the May 2004 script and lacks the ability to self-propagate.

Posted on MacBytes.com
Approved by Mudbug
Old Feb 20, 2006, 10:54 PM   #2
nagromme
macrumors G4
Join Date: May 2002
Are there any reports of Leap-A actually spreading itself from one Mac to another in the wild?

I would think it likely that it never spread in the wild even once, since it can't transmit over the Internet, only by Bonjour (which is disabled by default).
Old Feb 20, 2006, 11:35 PM   #3
Doctor Q
Administrator
Join Date: Sep 2002
Location: Los Angeles
Leap-A was cut off before it got to many users and never really had a chance to try spreading itself. As we now know, it would have had a hard time going very far in any case.

But I wouldn't call it a "proof of concept" because it wasn't intended as a demonstration, but (apparently) as a real invasion that once activated would spread like a virus.

The Ars Technica article is researched and well-written, while the one at be.sys-con.com with the misleading headline "First Mac OS X Worm, Virus Found" is not.
__________________
Oh do pay attention 007. In the wrong hands, this 12-core Mac Pro with three 4K displays, FirePro graphics, and Thunderbolt 2 could be very dangerous.
Old Feb 21, 2006, 02:46 AM   #4
winmacguy
macrumors 68020
Join Date: Nov 2003
Location: New Zealand
"It turns out that Leap-A will only send itself out via iChat under a very specific set of circumstances:

* You must be using Bonjour iChat, not Internet-based iChat. That’s right. If you're using iChat in the way that probably 99 percent of us do, you’ll never see this file being sent from an infected buddy. Leap-A will only send itself to others on your Bonjour buddy list. This is why Kirk and I were never able to get the malware to do its thing—we were not conversing via Bonjour. It sounds amazingly simple, but we spent quite a bit of time trying to figure this out before someone at Intego pointed out that it was limited to Bonjour networks."

"So it seems the “iChat transmission” aspect of the Leap-A malware has been greatly overstated—unless you use Bonjour iChat, you’ll never see it arriving on your machine in this manner."
Detailed test done here
http://www.macworld.com/news/2006/02...php?lsrc=mwrss
__________________
With Windows iWork, with Apple iCreate

Last edited by winmacguy; Feb 21, 2006 at 03:39 AM.
Old Feb 21, 2006, 02:55 AM   #5
nagromme
macrumors G4
Join Date: May 2002
And therefore, even if you DO have Bonjour enabled in iChat, you'll still never see it unless someone on your LAN manually downloaded and installed it... and has you in their Bonjour buddy list (not the main buddy list).

And both parties have numerous chances to catch the problem--especially when it gets sent. (A chat request from a friend... but they don't answer back?? And they've gzipped an image instead of just sending it??) The problem is even more obvious once the virus IS running: infected apps don't launch. You wouldn't be running this one blind and spreading it unawares.

To my understanding, here are the steps you must meet in order for Leap-A to spread to your computer:

1. You must be an iChat user, and iChat must be set to Available (sometimes you must set to Available repeatedly before the "virus" will even notice).

2. You must have activated Bonjour in iChat (which is off by default and used by very few people).

3. You must be connected to a LAN (Leap-A cannot spread over the Internet) and in the same subnet as other iChat Bonjour users who are currently online.

4. One of those users must have you on their Bonjour buddy list (not the main iChat buddy list).

5. One of those iChat buddies must have previously manually activated the virus themselves by these same steps.

6. The file the "virus" offers through Bonjour must not be corrupt. (The virus has a bug which sometimes corrupts its own file, rendering it harmless.)

7. You must accept the file that the "virus" offers via Bonjour: you must believe you are actually chatting with a buddy (even though the virus sends no message with the file), and believe the buddy has sent you a legitimate picture that you wish to view (even though the file is clearly an archive and not directly an image--it doesn't even have an image icon at this stage).

8. You must double-click the downloaded file to extract the program.

9. You must then double-click the program as well (dropping it into an image viewer or using Open With will not trigger it).

10. If you are not an admin user, you must provide the virus with an admin username and password when prompted.

11. The virus only attempts to infect the four apps most recently used when it launches.

12. Only apps owned by the currently logged-on user are infected. Applications owned by the system (such as those that came with the machine or those installed by the Apple installer) are immune.

13. Only Cocoa-based apps are infected. If none of the most recent four are Cocoa, no infection occurs. (And if they are Cocoa but already infected, the virus doesn't seem to look any further.)

If ALL of the above are true, the "virus" could in theory spread itself--with the help of you AND the sending party--to your Mac.
Old Feb 21, 2006, 06:18 AM   #6
whooleytoo
macrumors 603
Join Date: Aug 2002
Location: Cork, Ireland.
Quote:
Originally Posted by Doctor Q
The Ars Technica article is researched and well-written, while the one at be.sys-con.com with the misleading headline "First Mac OS X Worm, Virus Found" is not.
I thought the Arstechnica article (unusually) was poorly written - the author seems to have no idea of the distinction between a worm, trojan and virus and interchangeably refers to Leap-A as all three.
__________________
Mac <- Macintosh <- McIntosh apples <- John McIntosh <- McIntosh surname <- "Mac an toshach" <- "Son of the Chief"
Copyright 2002-2013, MacRumors.com, LLC