
mdavey

macrumors 6502a
Nov 1, 2005
506
1
zanevlc said:
DONT U JUST LOV THE MAC COMMUNITY!!! and done for FREE!!!!

:D

(Of course, if more of Mac OS X were open source, the community would have had a patch for iChat, apphook bundles and a new feature for disk utility to search and remove OSX/Oomp-A by now ;))

dejo said:
Sorry to be cynical but I should trust this Terminal script why? ;)

Very wise to be cynical. However, the author claims that the source code is available. If this is true, it will be easy for several programmers to independently verify the application is not malicious.
 

manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
nagromme said:
your best bet is to tell people there's never been an OS X virus that could function without the user's help.

There has never been on any OS a virus that could function without the user's help since a virus that would do so would not be a virus anymore, it would be a worm.
 

manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
ChildOL said:
Leap.A is a VIRUS not a Trojan and not a Worm, let me explain..

There are three MAIN malwares in the computing world, with the ones above overriding the lower types based on function. (If it has worm qualities then it's a worm even if it has other qualities below it)

1. Worm (worse than a virus or trojan) (spreads over a network without any user interaction usually by exploiting a vulnerability)

2. Virus (worse than a trojan) (infects programs, files, and usually self propagates at least partly by user action)

3. Trojan (a program that acts like something that it's not, usually what the user wants, but instead has malicious intent)

Leap.A fits the bottom two (Which means it is a Virus), it fools the user into opening it by pretending to be something else like a trojan, and then self propagates and "infect" other programs like a virus (Which by the way does so without ANY prompts as soon as you open it if you are like most people and are logged in as an administrator).

At last somebody who is not spreading nonsense, I am all with you.
 

TrenchMouth

macrumors 6502
Nov 21, 2002
282
0
woohoo they found another one!

http://www.securitypronews.com/insiderreports/insider/spn-49-20060217MacOSXViralInfections.html

side note: about a month ago there was a thread about Macs and viruses. In it, I suggested that as the Mac marketshare grows that a surge of people with nothing better to do will start coding less than nice software.

in response, one gentleman said the following:
MacOS X 10 is secure by design. There are zero (0) MacOS X viruses. Marketshare has virtually nothing to do with it. If MacOS X increases its marketshare, its design will not change (except for normal evolution). In that event, expect no increase in viruses.

another individual pointed me in the direction of a blog that "proved" the market share theory doesn't work for Macs (concerning viruses)....

To those nice people....I salute you. Enjoy your day.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Stewie said:
Few of the suggestions about how to change how Apple and OS X does things and having pop up windows appear before running executable are going to work and stop the spread of these worms (or trojans or sudo virus programs. What ever you want to call them).

You can never STOP lies (= Trojans) But isn't it worth REDUCING them? Education is important, I agree, but you must agree that steps like these would help people and make a better OS. It's not about fault or who's stupid, it's about helping people. And if you claim that under no circumstance would any Trojan ever fool you, not even on a bad day or in a hurry, then I can't claim the same--and I'm a pretty tech-savvy user. So I won't complain if/when Apple implements some non-intrusive reminders. Which will also have the benefit of saving me time: manually implementing cautionary measures is fine, but automatic would be much appreciated. (One of the things I like about OS X is the time I DON'T have to spend on security and privacy, compared to Windows users.)


dejo said:
Sorry to be cynical but I should trust this Terminal script why? ;)

You shouldn't... until 1000 or so other guinea pigs on VersionTracker have tried the SAME version before you and used it for several days :) That is how I implement VersionTracker as part of my security :) Give it until Monday and if it's still there with no comments about ill effects, it's probably fine.


MrMacMan said:
Trojan Part = The part where the user actually clicked download or execute program... or typed admin password

Virus/Worm Part = Sending through AIM... which still needs the other user to accept because that's how AIM works... if it were to bypass this, then it's a worm.

There's no one definition of virus--Microsoft calls ANYTHING a virus pretty much--ANY Trojan horse or harmful app at all. On the other end of the scale, by most people's definition, only a worm is a true virus (because you can catch a worm without having to do anything to help it) and so when they see a headline about the first Mac virus, many of them are misled by that. So you can say this is a virus or not--pick your definition. But the most distinct, technical definitions (see Wikipedia for instance) would say that the virus part of this is when it attaches itself to applications.

It has no worm part: that would be the ability to spread without user action to help it.


TrenchMouth said:
woohoo they found another one!.

That's a Bluetooth exploit that was patched by Apple before 10.4.2. (It does have one distinction that Oomp-A/Leap-A does not: it exploits a flaw in the code.)


Lancetx said:
Seems as though this trojan is even less dangerous than was thought. It will not propagate via internet iChat at all. This "virus" is becoming more flimsy by the hour...

Link to Macworld Story

So Oomp-A can't even propagate over the Internet?? Bonjour operates on a LAN. Thanks for the link--and to Macworld for actually testing rather than assuming:

"You must be using Bonjour iChat, not Internet-based iChat. That’s right. If you're using iChat in the way that probably 99 percent of us do, you’ll never see this file being sent from an infected buddy."

OK, so Oomp-A is annoying and it's a step someone could take further. It's a useful reminder that nobody--not even Mac users--should trust unknown anonymous files. And it's led to some great discussion of ways in which Apple could remind people of those situations. But it does not exploit any hole in the OS. It does not delete or damage data. It does not spy on or harvest data. It does not take control of your system. It does not open a back door for further exploitation. It does not run, spread, or do anything else on its own, only with user help. It cannot infect the applications that came with the computer, nor Cocoa apps, nor system-owned apps, nor apps owned by other users. It does not disguise its filename or extension. It does not require anti-virus or other software to prevent or remove it. Removal does not require re-installing the OS, nor use of the command line. It does no damage that can't be completely reversed. It does not hide from detection, nor require special tools to detect. It does not spread via infected web pages or email. It cannot even spread over iChat the way most people use it. In fact, it apparently has no way to spread over the Internet at ALL. It has no way to operate secretly without the user seeing a problem (apps failing to launch). And of course it did not successfully reach any significant number of users. In short, it was not a Windows-style successful virus attack the way some writers made it out to be, and the way many readers will now falsely assume.

If Oomp-A had been the first Windows-style "virus" on Mac OS X, that still beats having thousands. OS X is still a far more secure design than Windows (and yes, low target size is a good thing too, and we'll be a smaller target for many years). But unless you pick a definition that (while technically accurate) will mislead a lot of people, it wasn't even that.

Even if you define virus that way, we can still take comfort in the fact that OS X has never had a successful virus (one that could spread over the Internet and did harm to a significant number of people). And that OS X has never had a worm, which is what many people mean by virus. And that we're never going to face the flood of trouble and constant patching on the scale that Windows has seen.


PS, have there been any estimates about the scale of this "infection?" Greater or fewer than a dozen users? ;) EDIT: Days later, I see that Symantec says less than 50! So much smoke... so little fire....
 

Les Kern

macrumors 68040
Apr 26, 2002
3,063
76
Alabama
I will be willing to put my money where my mouth is: The day Macs suffer the same debilitating damage, loss of productivity and the inevitable increase in money needed to keep my computer working, is the day I get the hell out of this business. Besides, 20+ years is damned long enough for anything.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Looking at the Macworld article, if they're right that Oomp-A/Leap-A/Oompa-Loompa can't spread itself on the Internet, it's clear why this is far from a successful virus. Here are the steps, as I understand them (please add corrections), which you must meet in order for Oomp-A to spread to your computer:

1. You must be an iChat user, and iChat must be set to Available (sometimes you must set to Available repeatedly before the virus will notice).

2. You must have activated Bonjour in iChat (off by default).

3. You must be connected to a LAN (Oomp-A cannot spread over the Internet) and in the same subnet as other iChat Bonjour users who are currently online.

4. One of those users must have you on their Bonjour buddy list (not the main iChat buddy list).

5. One of those iChat buddies must have previously manually activated the virus themselves by these same steps.

6. The file the "virus" offers through Bonjour must not be corrupt. (The virus has a bug which sometimes corrupts its own file, rendering it harmless.)

7. You must accept the file that the "virus" offers via Bonjour: you must believe you are actually chatting with a buddy (even though the virus sends no message with the file), and believe the buddy has sent you a legitimate picture that you wish to view (even though the file is clearly an archive and not directly an image--it doesn't even have an image icon at this stage).

8. You must double-click the downloaded file to extract the program.

9. You must then double-click the program as well (dropping it into an image viewer or using Open With will not trigger it).

10. If you are not an admin user, you must provide the virus with an admin username and password when prompted.

11. The virus only attempts to infect the four apps most recently used when it launches.

12. Only apps owned by the currently logged-on user are infected. Applications owned by the system (such as those that came with the machine or those installed by the Apple installer) are immune.

13. Only Cocoa-based apps are infected. If none of the most recent four are Cocoa, no infection occurs. (And if they are Cocoa but already infected, the virus doesn't seem to look any further.)

If ALL of the above are true, the "virus" can spread itself to your Mac. But it can only spread further (even to more apps on your own Mac) when you later run an infected application. And even then it can't happen in secret--there are at least FIVE warnings (some blatant even for basic users) that things are amiss:

1. Although it looks like an iChat Bonjour buddy is offering a file, there is no chat message explaining the file--it's a mystery arrival. And when you try to chat with them, they of course fail to reply or know nothing about it.

2. When you're asked to download the file, it doesn't even have the icon of an image: it's in gzip form with an archive icon, which makes no sense as a way to send an image over a LAN.

3. Then, after downloading and assuming you double-click the mysterious "gzip" file, the extracted "virus" application gets a JPEG icon, but still NOT a JPEG name.

4. When you double-click it, a Terminal window appears showing the virus running, not the expected image.

5. Infected applications refuse to launch. So it's impossible to keep using them and triggering the virus unaware of a problem.


Just for some perspective ;) compare to the recent exploits of the Windows WMF flaw found in every version of Windows from 3.0 up--including Vista, Server 2003, and the latest fully-patched service pack of Windows XP. Steps required to be infected:

1. Visit an infected web page using Internet Explorer.

Or 1. View an infected email. (Or is this one of the ones where you can be infected by receiving a message and not even viewing it?)

Or 1. Index a hard disk with Google Desktop.

Or 1. Click a link in MSN messenger.

Etc.

I'm thinking Mac users shouldn't feel too bad... One (1) LAN "virus" that can't operate without a very rare set of conditions? That's what worries us? We are indeed spoiled :D But it's still good to be reminded of potential issues. Awareness will always be vital, and no OS will ever be perfect. The theory that this "virus" was created benevolently as a reminder is actually plausible to me.

And Mac OS X still has zero Internet viruses, and zero worms.
 

kalisphoenix

macrumors 65816
Jul 26, 2005
1,231
1
nagromme said:

Good summary, and does make me feel better.

Is there a Spotlight plugin or system event on the addition of a new file that could trigger a script? If so, perhaps something like the following might be good SOP:

1. A Bash script or Applescript or Safari plugin or Firefox plugin checks the UNIX permissions on the file you just downloaded (perhaps in ~/Documents/Downloads to avoid b0rking the system) against a custom (?) list of extensions: bmp, doc, gif, jpe, jpeg, jpg, pdf, png, psd, txt, zip (just to name a few from the window I'm currently looking at).

2. If the file has one of those extensions, it chmod -x 's the file.

3. Voila! File is no longer a UNIX executable. Double-click it and you stare in bewilderment as Preview says the image is not a valid jpg.

IANAG (I Am Not A Guru), so I can't make a recommendation on the bash script or applescript with which to do this. It seems to me like it'd be fairly simple, knowing what I do of the power of the CLI tools, and I can't imagine where it would go wrong (provided that the list of extensions is comprehensive). The worst thing is that it might change something that needs to be an executable -- why that would be the case is beyond me.

Questions? Comments? Concerns? Why wouldn't this work? What am I overlooking? Would it necessarily check every changed file immediately whenever it's changed, and thus murder your hard drive?

I'm not saying that this is a substitute for common sense, and it shouldn't be, but you wouldn't believe the **** my mother will do to her computer :( Basically, this is for protecting the grandmas and Joe Sixpacks. Would it work 99% of the time? What if we used the OS X system compilation of extensions? It knows which extensions are shell scripts or Aqua programs, and which shouldn't be. Can we do this?

I hope to hear back -- I'm sure I don't have the final solution here, but I'd like to think it's at least a step in the right direction.
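
The three steps kalisphoenix proposes above, written out as a shell sketch (an added example, not code posted by anyone in the thread). It assumes the extension list from the post and a download directory passed as the argument; the function names are made up for illustration, and the second function lists the executables an extension rule cannot reach.

```shell
#!/bin/sh
# Added example: clear the execute bit on downloaded files whose name
# claims to be a document or image. Function names are hypothetical.

# Extension list taken from the forum post.
DOC_EXTS="bmp doc gif jpe jpeg jpg pdf png psd txt zip"

# strip_exec DIR
# Finds regular files under DIR that carry any execute bit AND end in one
# of DOC_EXTS (case-insensitive), removes the execute bit for everyone,
# and prints each path it changed. Directories are skipped on purpose:
# they need the x bit to be entered. Symlinks are skipped as well.
strip_exec() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "strip_exec: not a directory: $dir" >&2
        return 2
    fi
    # Build the find expression: -iname '*.bmp' -o -iname '*.doc' ...
    set --
    for e in $DOC_EXTS; do
        if [ $# -gt 0 ]; then
            set -- "$@" -o
        fi
        set -- "$@" -iname "*.$e"
    done
    # -perm -100 / -010 / -001: owner, group or other execute bit is set.
    find "$dir" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        \( "$@" \) \
        -exec chmod a-x {} \; -print
}

# list_remaining_exec DIR
# Prints every regular file under DIR that is still executable after
# strip_exec has run, i.e. files with no extension or an unlisted one.
# These are the ones a person has to look at.
list_remaining_exec() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "list_remaining_exec: not a directory: $dir" >&2
        return 2
    fi
    find "$dir" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Stand-alone use: sh this_script.sh ~/Documents/Downloads
if [ $# -gt 0 ]; then
    echo "execute bit removed from:"
    strip_exec "$1"
    echo "still executable, review by hand:"
    list_remaining_exec "$1"
fi
```

By the thread's own description, the program extracted from the Leap-A archive had a JPEG icon but not a JPEG name, so it would show up in the second list instead of being neutralised by the first.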
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,789
7,525
Los Angeles
Nice summary, nagromme, and it makes a good point.

I will add one final note to your summary:

* Even if all conditions are met and your system is infected, the damage can be reversed with no net harm to the system.

We're still well below the threshold where Macs suffer a widespread infection causing widespread damage. A lot of time and money are not being spent dealing with malware, rebuilding systems damaged by worms, recovering data from backups, or dealing with the loss of unrecoverable files. And for us Mac users that's still money in our pocket.
 

ilikeiBook

macrumors regular
Jan 27, 2002
107
0
You know what pisses me off? One poorly constructed virus for OS X and the media goes into a frenzy, saying that OS X is losing its status of being the most secure OS. Yet there are thousands of viruses for Windows that cause more damage, not to mention spyware programs that reveal your personal information.
 

unixfool

macrumors 6502a
Jan 21, 2006
653
29
East Coast
slb said:
This thing doesn't function correctly in that regard. Really, it's barely a trojan in my definition, since I believe a trojan takes advantage of some security flaw that causes auto-execution, and there is no security flaw being taken advantage of here. In this case, the user has to download it and run it, ignoring any prompts or warnings. This isn't even spreading around in the wild across the 'net or anything.

Again, no security flaw in OS X being exploited. The user has to run it--a social engineering attack.

Here's my take on things.

In my line of work as an IT security consultant, this is definitely a trojan.

Worms are the worst of the three. Worms usually have no underlying 'intelligence' and will blindly attempt to propagate. Worms such as Blaster, Nachi, and SQL-Slammer usually take networks down because they're network hogs, usually searching for prime hosts to infect. Kelvir is another pervasive one. The scanning and propagation attempts are usually worse than the machines being infected themselves.

Viruses take advantage of vulnerabilities/holes in OS or application security. Even if a person were logged in as non-admin, and they execute the file, the file will attempt to execute...it doesn't care if there's success or not in the execution of itself. Prime example: Viruses usually make blind attempts, although there are a few viruses in the wild that will check to see if a host is already infected BEFORE attempting to infest that host. They usually aren't as blatant about propagating as worms are.

Trojans, OTOH, take advantage of the low IQ of a user...basically relying on good 'ole social engineering. "Click this file to open Safari!" then BAM, your system has a backdoor. Most spyware use the social engineering approach. The enticement to execute the file in question, in the hope that the system's security condition is favorable for successful trojan deployment, is independent of the system OS or system security. Also, trojans usually have some control vector and, for the most part, have some type of human interaction controlling the cracked machine, which is usually called a 'zombie'.

In the case of LEAP, it seems that someone was targeting the fact that Mac OSX by default has the admin account as the default account (which *could* be considered a vulnerability but definitely *not* a bona fide security hole). This is not indicative of a worm or trojan or virus in itself. It's usually the mechanisms in which initial propagation was made that decides what class of badness it is. It's more of a trojan than a virus, IMO, because the only fault with OSX is that it primarily tries to take advantage of stupid users and stupid developers who seem to think running as admin is fine. Unless I'm sorely missing something, iChat doesn't have any gaping programming bugs that LEAP is trying to take advantage of.

EDIT:

From http://www.symantec.com/avcenter/venc/data/osx.leap.a.html

9. Monitors all launched applications. Every time the iChat application is launched, the worm sends the file latestpics.tgz to all the iChat contacts.

OK, the above puts it in the worm category but it's still relying on social engineering as an initial vector. Kelvir also does this and is also considered a worm. I'd call it a hybrid. :)
 

Lancetx

macrumors 68000
Aug 11, 2003
1,991
619
unixfool said:
From http://www.symantec.com/avcenter/venc/data/osx.leap.a.html

9. Monitors all launched applications. Every time the iChat application is launched, the worm sends the file latestpics.tgz to all the iChat contacts.

Actually, this is not really correct and Symantec needs to amend their information. As the Macworld article points out, the trojan attempts to send the file latestpics.tgz only to your local bonjour based iChat contacts (and not to any of your AIM and other internet based iChat contacts). If you have not enabled bonjour chat (which is turned off in iChat by default), nothing happens with iChat at all.

That fact alone makes this a far less serious threat than what Symantec and others would like for you to believe. The bottom line is that this trojan does not propagate itself over the internet in any form or fashion at all.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Lancetx said:
Actually, this is not really correct and Symantec needs to amend their information. As the Macworld article points out, the trojan attempts to send the file latestpics.tgz only to your local bonjour based iChat contacts (and not to any of your AIM and other internet based iChat contacts). If you have not enabled bonjour chat (which is turned off in iChat by default), nothing happens with iChat at all.

That fact alone makes this a far less serious threat than what Symantec and others would like for you to believe. The bottom line is that this trojan does not propagate itself over the internet in any form or fashion at all.

True--and so I'll keep telling people quite truthfully that there are no Internet viruses for OS X (although there is something that fits the profile of a pre-Internet virus).

Also, by most definitions it's not a worm because it requires user intervention to let it onto your system. (I know these terms have meanings that not everyone agrees upon. And I know Symantec has reasons why they always sound alarmist ;) )

I did find some new details at Symantec, though, which I'll use shortly to update my post above.

For instance, note their comment: "Note: Due to a bug in the code, the worm may corrupt the file so that it appears larger than it actually is, and it may not be sent successfully."

So even if "all the planets align" to make this propagate (on your subnet), it still may not spread? If this "virus" gets any weaker I'll almost WANT to catch it ;)

EDIT: Symantec estimates the scale of the infection is.... drumroll... 0 - 49 computers! :D And how many locations/organizations were affected? 0 - 2! :D (I'll guess on the low end of that range ;) )

And I'll further speculate that, since it's nearly impossible for this "virus" to spread even when you TRY to spread it... that ZERO of the handful of infected machines actually spread it to each other. They all probably downloaded it from these forums :) If anyone knows of a single Mac user getting Oomp-A by its own action--in other words without directly downloading it from a place it was posted--I'd be interested to hear the tale.


Doctor Q said:
I will add one final note to your summary:

* Even if all conditions are met and your system is infected, the damage can be reversed with no net harm to the system.

Good point--I'll add it since I'm saving the post in case I need it again :)
 

yamabushi

macrumors 65816
Oct 6, 2003
1,009
1
admin vs user

I think it is a good idea to set up a user account on every computer you use and reserve your admin account for tasks that require repeated use of an administrator password. That way you can still do everything you need to do on a daily basis but maintain greater security.

If you want to keep your current desktop settings then just create a new admin user account and then log into that account and downgrade your original account to a standard user.

I always use a standard user account unless I am playing with network settings or installing several new applications. It costs nothing and doesn't slow down your computer yet provides some additional protection from trojans and other malware.
 

ezekielrage_99

macrumors 68040
Oct 12, 2005
3,336
19
ilikeiBook said:
You know what pisses me off? One poorly constructed virus for OS X and the media goes into a frenzy, saying that OS X is losing its status of being the most secure OS. Yet there are thousands of viruses for Windows that cause more damage, not to mention spyware programs that reveal your personal information.

Yeah I agree

Millions of Windows viruses = no media frenzy
One poorly written virus for Mac OSX = media frenzy

I think people have more expectation of Mac OS than of Windows, lets face it when a Windows machine gets a virus it's like so who really cares?
 

Passante

macrumors 6502a
Apr 16, 2004
860
0
on the sofa
yamabushi said:
I think it is a good idea to set up a user account on every computer you use and reserve your admin account for tasks that require repeated use of an administrator password. That way you can still do everything you need to do on a daily basis but maintain greater security.

If you want to keep your current desktop settings then just create a new admin user account and then log into that account and downgrade your original account to a standard user.

I always use a standard user account unless I am playing with network settings or installing several new applications. It costs nothing and doesn't slow down your computer yet provides some additional protection from trojans and other malware.

Thanks Yamabushi for this tip. I know it's obvious but I didn't know how to make this change without losing access to all my files.

Now running on my laptop as a non-administrator!
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
yamabushi said:
If you want to keep your current desktop settings then just create a new admin user account and then log into that account and downgrade your original account to a standard user.

You don't even have to log into the new account I don't think: I just unchecked "Administer" for my main account while still logged in as that same main account. As long as there IS another account that can admin, it lets you do that.
 

great high wolf

macrumors regular
Jan 30, 2006
206
19
nagromme said:
And I know Symantec has reasons why they always sound alarmist ;)

Symantec, or at least the guy I heard on the news once, came over as being totally up themselves and believing all Mac users are total idiots that will bring down the Internet by refusing to buy their rubbish AV programs....

Up with clamXav! I have it watch my desktop. The moment anything hits it from the internet, it is instantly virus-scanned. Sweet.
 

yamabushi

macrumors 65816
Oct 6, 2003
1,009
1
nagromme said:
You don't even have to log into the new account I don't think: I just unchecked "Administer" for my main account while still logged in as that same main account. As long as there IS another account that can admin, it lets you do that.

That is true. However, I still think it is a good idea to log in to the new account first. Mostly this just verifies that you have the correct password. I have known people to switch around user accounts only to forget their new password minutes later.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,789
7,525
Los Angeles
ezekielrage_99 said:
Millions of Windows viruses = no media frenzy
One poorly written virus for Mac OSX = media frenzy

Millions of Windows viruses = dog bites man
One poorly written virus for Mac OSX = man bites dog

Perhaps it's a good sign that any purported chink in the Mac armor makes headlines. After you get past the headline, there's a good chance of seeing a reminder how much viruses plague Windows users, which has always been a good reason to choose Macs.
 

Randall

macrumors 6502a
Dec 12, 2005
643
0
Norwood, MA
p0intblank said:
Same here. I feel a lot better now, though. This exploit definitely did open my eyes to security flaws and how to protect myself from them. While there is no real Mac "virus", this trojan certainly had a lot of Mac users on the edges of their seats. To tell you the truth, I can see another trojan like this one happening, but in a more serious fashion. The instructions were practically unveiled to the public... no offense to MacRumors.

But hey, this isn't scary. If you have common sense and take precaution, a future trojan can be easily avoidable. I'm sure Apple will release some sort of patch to aid users in the future.

I'm still relieved it isn't an actual virus... if it was, then I'd be scared.

Actually this is not just a simple trojan, since it does self propagate with the help of some user intervention, it is in fact a virus. I don't wanna get into the whole worm/virus/trojan thing with you here but since you've set it up so nicely I will. The three main types of malware are as you already know:

1. Worm (worse than a virus or trojan) (spreads over a network without any user interaction usually by exploiting a vulnerability)

2. Virus (worse than a trojan) (infects programs, files, and usually self propagates at least partly by user action)

3. Trojan (a program that acts like something that it's not, usually what the user wants, but instead has malicious intent)

Leap.A fits the bottom two (Which means it is a Virus), it fools the user into opening it by pretending to be something else like a trojan, and then self propagates and "infect" other programs like a virus (Which by the way does so without ANY prompts as soon as you open it if you are like most people and are logged in as an administrator).
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Well, to muddy the waters more, if it were up to ME to clearly divide things into Trojan/virus/worm (and accepting that something can be more than one), I would go with the following:

1. Trojan: fools the user into thinking it's something else.

2. Virus: attaches itself to other executables.

3. Worm: propagates to other machines via some kind of network.

In other words, a virus need not propagate outside the current machine AT ALL (except possibly on physical media). But a worm does, and EVEN if user help is needed, network propagation is still a worm.

By that definition, Leap-A is all three! But completely ineffective, starting with being unable to traverse the Internet. A virus and worm in name only, and a Trojan quite clearly, but not a real-world threat regardless.

I have seen few discussions that break things down quite that way (although parts of those definitions are found all over). But it appeals to my sense of tidy categories :)

I still won't use those definitions without disclaimer: people mean so many things by "virus" and "worm" that failing to be specific will only mislead your audience.
 

1dterbeest

macrumors regular
Feb 14, 2006
212
0
Waupun, WI
nagromme said:
So even if "all the planets align" to make this propagate (on your subnet), it still may not spread? If this "virus" gets any weaker I'll almost WANT to catch it ;)

EDIT: Symantec estimates the scale of the infection is.... drumroll... 0 - 49 computers! :D And how many locations/organizations were affected? 0 - 2! :D (I'll guess on the low end of that range ;) )

My friend Jeremy got it sent to his iChat
but he knew better than to open it.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Interesting. Was he on a college campus? A college dorm is one situation where I can imagine Bonjour might be used with iChat--and according to MacWorld, Leap-A can only be sent to you from a computer on the same LAN as you, it can't come from the Internet. Maybe a friend of Jeremy's downloaded Leap-A when it was briefly posted to these forums? And then under just the right circumstances it could have reached someone else on the LAN. Good thing your friend was suspicious.

My may be able to narrow the range down to 1-49 now...
 

1dterbeest

macrumors regular
Feb 14, 2006
212
0
Waupun, WI
I doubt anyone here would have got it from Mac Rumors.

This is a college of less than 1000 people, and less than
600 living on campus. I go to Judson College in Elgin, IL.
 