Bangkok Tonight Forum  
bimmher
First virus hits Mac OS X
Chris Jenkins
FEBRUARY 17, 2006

ANTIVIRUS companies are reporting what they say is the first virus to attack Apple's OS X operating system.

Known as "Leap.A", "Leap-A" or "OSX/Oompa-A", the virus spreads via Apple's iChat instant messaging application, carried by a message attachment labelled "latestpics.tgz".
Users must accept receipt of the attachment for the virus to work.

Leap.A then attempts to resend itself to all iChat contacts, anti virus group Symantec reported. The virus would only run on computers running OS X 10.4, Symantec said.

Security group Sophos described Leap.A as "the first real virus for the Mac OS X platform".

Sophos said that while it had been argued that the requirement for user intervention meant Leap.A should be classified a trojan, its mechanism to replicate itself brought it under the classification of worms and viruses.

While the Unix-based OS X has often been touted as a safer alternative to Microsoft's Windows, flaws in the operating system have been discovered and experts have warned that as OS X became more popular, it would increasingly become a target for virus writers.

Critics of the anti-virus companies argue they have talked up the potential threat in an attempt to extend sales to a new OS X market.

Leap showed "that the malware threat on Mac OS X is real", Sophos senior technology consultant Graham Cluley said.

"Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shellshocked," he said.

Rival Symantec rated the worm a low-risk security threat.

http://australianit.news.com.au/articles/0,7204,18176910%5E15306%5E%5Enbv%5E,00.html

__________________________________

Still, it is a low risk compared to all the high-risk PC ones out there, but still something to take note of.

bimmher


Posted on: 11:48 pm on Feb. 16, 2006
Mr Alan
Now that Mac has defected to the dark side (Intel), I am sure that many will be motivated to write viruses/worms that will make their way into OS X.


Posted on: 12:24 am on Feb. 17, 2006
Skip

Quote: from Mr Alan on 2:11 pm on Feb. 17, 2006
Now that Mac has defected to the dark side (Intel), I am sure that many will be motivated to write viruses/worms that will make their way into OS X.


Yawn. Let them try. They'll have to be a helluva lot smarter than the average Windoze script kiddy to tarnish the armor OS X sports.

Then too, it did manage to make enough of an impression to garner its very own Symantec Security Response page. See:
http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html
Threat level: 1 on a scale of 1 to 5.

If I recall correctly, this now brings the number of known malware bugs affecting OS X up to a whopping 6.



Posted on: 3:40 am on Feb. 17, 2006
Skip
http://www.macworld.com/news/2006/02/16/leapafaq/index.php?pf=1
Macworld
Leap-A malware: what you need to know

By Rob Griffiths

The worst thing you can do whenever a virus scare hits is to panic. The second worst thing you can do is not keep yourself informed.

With reports of the Leap-A program infecting some Macs, it’s important to keep the news in perspective. While Leap-A has the potential for mischief, it’s not anything like a crippling Windows virus that periodically brings the rest of the computing world to its knees. More important, as explained below, this incident doesn’t expose a security hole in the Mac operating system. Rather, it’s a piece of malware that can be easily rebuffed by vigilant Mac users.

That said, it pays to keep on top of potentially harmful things like Leap-A. After a day of research and testing the malware for ourselves, here’s what you need to know about Leap-A.

What is Leap-A?

Leap-A—or Oompa Loompa, as it’s also known—is a potentially malicious program that’s disguised as a simple image file. This method of delivery is known as a Trojan horse, because it’s one thing pretending to actually be something else. In its present form, the code is hiding in a file named latestpics.tgz, which purports to be a picture of something interesting (OS X 10.5 spy shots, in this case). After expanding the compressed archive, and then double-clicking what appears to be an image file, the Leap-A malware will launch and install itself on your system.

Once installed, Leap-A does two things. First, it tries to send a version of itself to everyone on your iChat buddy list. All of your buddies will receive the standard iChat file transfer message, though you won’t see any activity on your end. Second, Leap-A will start infecting Cocoa applications on your machine, via an InputManager that it installs in your user’s directory. Each time you launch an infected Cocoa application, Leap-A will use OS X 10.4’s Spotlight search feature to find the four most-recently-used applications. If they’re Cocoa apps, Leap-A will infect them as well.

(If you’re not familiar with what exactly a Cocoa application is, Cocoa is a development environment for OS X applications. Most of Apple’s applications, and quite a few third-party programs, are written in Cocoa. Safari, Mail, Address Book, iCal, Terminal are some of Apple’s Cocoa applications; Camino, OmniWeb, and OmniGraffle are examples of third-party applications written in Cocoa.)

You’ll find a much deeper and more technical explanation of Leap-A in this analysis from Ambrosia Software founder Andrew Welch. He explains exactly what happens when you download, expand, and then run the program.

You said Leap-A uses Spotlight. What if I’m not using OS X 10.4 yet?

Leap-A will only work on systems running Tiger, due to its use of Spotlight.

How would this thing get on my machine?

The only way you can get the Leap-A malware on your machine is if you take some action to put it there yourself. You might receive a file from a buddy in iChat, or download something from the Internet, or open an attachment to an e-mail message. The program code is presently hiding in what claims to be pictures of OS X 10.5, Apple’s next major OS X upgrade. To get Leap-A on your machine, you must (a) receive the file, which is compressed; (b) expand the archive; and (c) double-click what appears to be an image file to execute the code. You cannot get the malware by simply browsing the Internet, reading e-mail, or chatting with friends in iChat.

What makes Leap-A trickier to detect, of course, is the fact that it’s disguised as something else. We have some advice below on how to avoid accidentally infecting your machine with Leap-A.

That said, I went looking for Leap-A to test how it behaves on a secured machine. It wasn’t easy to find, and even when I did find a version, its behavior didn’t seem to match that described by Andrew Welch. My applications were not infected, and nothing was sent via iChat. Of course, over time, other versions may be released with more widespread distribution, so my inability to readily find Leap-A may not always be the case.

Will Leap-A do bad things to my Mac?

In its current incarnation, the code doesn’t really do anything malicious, such as deleting files, changing permissions, or moving around applications. However, due to a bug in its code, Leap-A will prevent infected applications from running. The only solution to this problem is to install clean copies of the original applications. So your data isn’t at risk, at least as of now. Note that it will be relatively simple for variants of Leap-A to be released which could be much more malicious.

Is this a virus, a worm, malware, or a Trojan horse?

Technically, it’s a bit of everything. It’s a virus, in the sense that it attaches itself to other executable code on your Mac. It’s a worm, in that it attempts to self-replicate and spread from machine to machine. It’s a piece of malware, because it can do bad things to your computer. Basically, it’s a piece of malware that’s delivered via a Trojan horse and then acts in both viral and wormy ways.

In what manner is this a Trojan horse?

The program works through social engineering—it pretends to be a picture of something that lots of people would want to see to entice them to open it. In this case, it was reported to be images of Leopard, Apple’s upcoming OS X 10.5 release.

In what manner is this viral?

A virus is a self-replicating program that spreads by inserting copies of itself into other running apps. Leap-A does just that, through the use of the InputManagers folder, as described in Andrew Welch’s analysis. Eventually, it will infect any Cocoa application you launch. And, due to a bug in its code, those infected apps will no longer run! However, Leap-A is not a true virus, in that it cannot spread from machine to machine without human intervention.

In what manner is this thing a worm?

Leap-A’s only mission seems to be to try to spread itself to as many people as possible. The program creates a clean copy of itself, which it then tries to send to every user in your iChat buddy list. If those users accept the file, expand the archive, and then double-click the resulting image file, they will also be infected. Note again that human intervention is needed to help the worm spread.

How can I protect myself from Leap-A?

If you use Sophos Anti-Virus, Symantec’s Norton AntiVirus, or Intego’s VirusBarrier X4, all of those programs have already been updated to prevent Leap-A from being installed on your system. Remember that most anti-virus software will need to be updated for each version of an exploit, so make sure you keep your virus definitions current. If you are already infected, however, these programs may not eradicate the infection.

How can I tell if I have the Leap-A malware on my machine?

Open your user’s Library folder, then the InputManagers folder, and look for a folder named apphook. If it’s there, you have it. Note that future versions of the malware may change this name, so it might be worth noting what’s installed there now, just in case. Note that this folder is not a standard part of OS X, and you’ll only have it if you’ve installed certain add-on programs such as SafariStand, Sogudi, or Chax.

How do I get rid of it?

Delete the folder named apphook from your user’s Library/InputManagers folder. In the Finder, use Go: Go to Folder, and enter /tmp as your destination. When this folder opens, delete latestpics.tgz from the folder. So much for the easy parts.

If you have infected applications that will not launch (although I couldn’t replicate this problem in my tests), your best bet is to reinstall those applications from their source CD or DVD—not from a backup, in case those apps were already infected.

All of my applications seem to be working, but I have the apphook folder. What should I do?

In theory, this means your machine is infected. However, based on my experiments, if your iChat buddies are not complaining about your sending them an unrequested file, your machine isn’t fully executing the program. On my test machine, the applications do not seem to be modified by Leap-A, so you’re done if you’ve removed apphook and the data file on /tmp.

What does Apple have to say about all this?

Here’s what the company told my colleague Peter Cohen:

Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file. Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust. We have a guide to safely handling files received from the Internet.

How else can I protect myself from Leap-A and its ilk?

Beyond using an anti-virus application, here are some simple things you can do to prevent infection:

* Only download software from known and trusted sites, such as MacUpdate and VersionTracker. Even when using sites such as these, however, take the time to read comments from other posters before downloading a new application.
* After expanding any archive, look at its icon in the Finder before launching the expanded program. In this case, you’d see something like the picture at right (though you might see an actual preview of the JPEG, instead of the generic OS X image icon). Notice that the Kind row states that this is a Unix executable, even though the Finder seems to show that it’s an image. This should be a tip off to not open this file!
* Running as a non-admin user would also work—to a point. The way this particular program works, as soon as you enter your admin user’s password for any task, the code will be able to execute. So to be 100-percent safe, you’d have to run as a non-admin user, and then physically login to the admin account whenever you wanted to do something admin-like. Entering your password as the non-admin will grant admin-level access to the code (for the next five minutes, due to the built-in OS X timeout on admin access), which will always be running when you’ve got a Cocoa application open. So if you’re going to run as a non-admin, you’ll have to do it 100-percent of the time, and never provide the admin password when asked. This could prove difficult in daily practice, though OS X’s fast user-switching feature makes it somewhat easier.

Finally, you could take the step of changing the ownership on the InputManagers folder. This wouldn’t prevent the damage to the programs in the Application folder, but it would prevent the program from attempting to replicate via iChat. The easiest way to do this is to use Terminal, in Applications: Utilities. First, we need to make sure this folder exists, as it’s not installed by default. So just type mkdir ~/Library/InputManagers and press Return. You’ll either get back the command prompt with no message, meaning the folder was created, or Terminal will tell you that the file already exists. In either case, you’re now ready for the next command:

sudo chown root:admin ~/Library/InputManagers

When you press Return, you’ll be asked for your admin user’s password. Enter it, and your InputManagers folder is now effectively blocked from access—by Leap-A, or any other piece of code that wants to place something there. If you plan on installing add-ons such as SafariStand or Sogudi for Safari, or Chax for iChat, you’ll need to temporarily return this folder to your ownership to do so. Before running those programs’ installers, do this in Terminal:

sudo chown your_user:your_user ~/Library/InputManagers

Replace your_user with your user’s short username. Now you can run the installer, then re-run the first command to switch ownership back to root. Since nothing else should be writing to this folder, this should not cause any day-to-day inconvenience, and seems like a good method of protection from this particular exploit.

In my testing, the script failed with an error when it tried to install its piece in the now-protected InputManagers folder, and didn’t seem to then run the remainder of the script. As noted above, however, I didn’t see the same behaviors that Andrew Welch saw, even though we were both running the same version of Leap-A.

The bottom line

If you practice “safe downloading,” then there’s really not much to worry about with this particular piece of code. However, it is a good reminder that you do need to be vigilant, as there are people out there who wish to do bad things to your machine. The good news is that Leap-A hasn’t revealed a security hole in OS X. Rather, it’s just a piece of software that does evil things after it tricks you into installing it on your machine.

The Leap-A malware does not mean that OS X is any less safe from viruses than it was prior to its release. Socially-engineered malware has always been possible, and will always be possible. If you can get a user to run something, then clearly, you can choose to do whatever you wish while your code is executing. While there are some things Apple can do to make us all even safer (for instance, InputManagers should not be installable without explicit permission), I still believe OS X is a very secure operating system, and I have no concerns about using it on a daily basis. Neither should you.


Posted on: 3:48 am on Feb. 17, 2006
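The detection, clean-up and hardening steps in the Macworld article above (the apphook folder under ~/Library/InputManagers, the latestpics.tgz archive dropped in /tmp, the root-owned InputManagers folder, and a file that is named like an image but is really a Unix executable) can be checked from a shell script. The following is an added example written for this thread; it is not code from Macworld, Apple or anyone posting here. The indicator names come from the article; the function names, the magic-byte table and the directory parameters are this example's own assumptions, and it only reports findings, it deletes nothing.

```shell
#!/bin/sh
# Added example, not part of the Macworld article or the forum thread.
# Checks a home directory and a temp directory for the Leap-A indicators the
# article names. Paths are parameters so the checks can be exercised against a
# throwaway tree first; on a real Mac pass "$HOME" and /tmp (see --scan below).

# Owner of a path; ls -ld output is the same shape on macOS and Linux.
path_owner() {
  ls -ld "$1" | awk '{print $3}'
}

# Hex string of the first four bytes of a file, e.g. "ffd8ffe0" for a JPEG.
magic4() {
  head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeeds (returns 0) when a file named like an image is not actually one:
# either its executable bit is set (what Finder shows as "Unix executable")
# or its leading bytes are not JPEG/PNG/GIF magic. This is the disguised
# file inside latestpics.tgz that the article tells you to look at.
suspicious_image() {
  img=$1
  case "$img" in
    *.jpg|*.jpeg|*.png|*.gif) ;;
    *) return 1 ;;            # not claiming to be an image; out of scope
  esac
  [ -x "$img" ] && return 0   # images should never be executable
  case "$(magic4 "$img")" in
    ffd8ff*)  return 1 ;;     # JPEG
    89504e47) return 1 ;;     # PNG
    47494638) return 1 ;;     # GIF87a / GIF89a
  esac
  return 0                    # image extension, non-image content
}

# Succeeds when the InputManagers folder exists and is owned by root, i.e. the
# chown hardening from the article has been applied.
inputmanagers_hardened() {
  im="$1/Library/InputManagers"
  [ -d "$im" ] && [ "$(path_owner "$im")" = root ]
}

# Scan for indicators. Prints one line per finding and returns the number of
# findings (0 = clean). The hardening state is reported but not counted.
leap_check() {
  home=$1; tmp=$2; findings=0
  im="$home/Library/InputManagers"
  if [ -d "$im/apphook" ]; then
    echo "FOUND: $im/apphook (Leap-A InputManager)"
    findings=$((findings + 1))
  fi
  if [ -f "$tmp/latestpics.tgz" ]; then
    echo "FOUND: $tmp/latestpics.tgz (dropped archive)"
    findings=$((findings + 1))
  fi
  for f in "$tmp"/*; do
    [ -f "$f" ] || continue
    if suspicious_image "$f"; then
      echo "SUSPICIOUS: $f is named like an image but is not one"
      findings=$((findings + 1))
    fi
  done
  inputmanagers_hardened "$home" || \
    echo "NOTE: $im is not root-owned; the chown step from the article is not applied"
  return $findings
}

# Stand-alone use: `sh leap_check.sh --scan` checks the real locations on this Mac.
if [ "${1:-}" = "--scan" ]; then
  leap_check "$HOME" /tmp
fi
```

Without the `--scan` flag the script only defines the functions, so it can be sourced and pointed at any directory tree. The magic-byte test is deliberately narrow: it only says whether something that calls itself a picture starts like one, which is exactly the Finder "Kind" mismatch the article describes, and it makes no attempt to identify what the file actually is.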
bimmher
Like I posted, it is a low risk and one of a very few compared to the PC; however, it also shows that whatever system you are using, you should always be careful.

Just some you have to be a lot more careful with than others.

Having said that, I have only had one virus on any of my PCs, and that was when I clicked install even after my virus software told me it was a virus (no, do not ask why I did that stupid thing).

bimmher


Posted on: 5:29 am on Feb. 17, 2006
DaffyDuck

Quote: from bimmher on 1:36 pm on Feb. 17, 2006
Still, it is a low risk compared to all the high-risk PC ones out there, but still something to take note of.


Just to throw in my $0.02 - This is NOT a virus. Technically, it's a Trojan Horse, if you want to call it that.

What's the difference?

- A Virus is a piece of malicious malware that spreads to your computer, because some other idiot clicked on a file, on a banner, or simply had his PC running without any protection.

- A Trojan Horse is a piece of malicious malware that executes on your computer, because you are an idiot.

How so?

A Trojan Horse, as the name implies (if you had any kind of education) is a malicious program that impersonates something innocuous, but desirable, and thus uses the users as its delivery method, by getting the user to launch it, enter any needed passwords, and spread the infection. Lots of users are plenty dumb, so that's usually easy. It's also more 'social engineering' than any sort of programming prowess.

A virus is a piece of software that takes advantage of inherent vulnerabilities in an operating system (say, uhm, Windows), and spreads itself automatically, not requiring any particular interaction with the user, or any help from the user of the given machine. Thanks to Windows' architecture of VBS, and not ever requiring any authentication when executing system-level instructions, virii can gleefully spawn and spread on the Windows platform. In fact, leave a virgin installation of a PeeCee hooked up to the internet for less than 10 minutes, and you end up with a dozen virii without any interaction on your part.

This is not possible on Mac OS X, as any sort of action requires entering an administrator password to proceed. If you're dumb enough to enter an administrator password, when you open a file that claims to be a picture.... well...

Thus, there are *no* virii for the Mac OS X platform. The only things currently out are 'proof of concept' Trojan Horses, that are neither 'in the wild' nor really capable of spreading.

Also, a point to note would be that all of these proof-of-concepts have been designed and brought to the media's attention by various anti-virus product publishers -- who, I guess, feel they need to sell more on the Mac platform.

You do the math.


Quote: from Mr Alan on 2:11 pm on Feb. 17, 2006
Now that Mac has defected to the dark side (Intel), I am sure that many will be motivated to write viruses/worms that will make their way into OS X.


A common myth-assumption, that denies the nature and design of the Mac OS X platform. It's not the processor, dummy, it's the architecture. Windows comes with the Virus Construction Kit known as VBS. Macs do not.


Quote: from Skip on 5:28 pm on Feb. 17, 2006
Then too, it did manage to make enough of an impression to garner its very own Symantec Security Response page. See:
http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html
Threat level: 1 on a scale of 1 to 5.

If I recall correctly, this now brings the number of known malware bugs affecting OS X up to a whopping 6.


Skip's got it right -- not only is the threat level nearly non-existing, but bear in mind that Symantec's the company that kept spreading FUD about Mac virii and how everyone needs their Anti-Virus, until it came out (and they acknowledged) that their own product renders the Mac insecure.

Oh yeah, a total of 6 proof-of-concept virii on the Mac -- the sky must be falling. Comparing that to Windows' more than 40,000 known vulnerabilities and virii, it's pretty obvious that the Windows users have the far superior operating system.... Makes me smile whenever Windows users brag about their various machines.


Posted on: 4:44 pm on Feb. 17, 2006
DaffyDuck

Quote: from bimmher on 7:16 pm on Feb. 17, 2006
Having said that, I have only had one virus on any of my PCs, and that was when I clicked install even after my virus software told me it was a virus (no, do not ask why I did that stupid thing).


Because it promised nekkid pix of girlies?


Posted on: 4:47 pm on Feb. 17, 2006
bimmher

Quote: from DaffyDuck on 11:35 pm on Feb. 17, 2006

Quote: from bimmher on 7:16 pm on Feb. 17, 2006
Having said that, I have only had one virus on any of my PCs, and that was when I clicked install even after my virus software told me it was a virus (no, do not ask why I did that stupid thing).


Because it promised nekkid pix of girlies?


No, that could be forgiven. I was so stupid I actually thought the virus software was wrong.

bimmher


Posted on: 5:40 am on Feb. 18, 2006
bimmher

Quote: from DaffyDuck on 11:31 pm on Feb. 17, 2006
In fact, leave a virgin installation of a PeeCee hooked up to the internet for less than 10 minutes, and you end up with a dozen virii without any interaction on your part.



Yes and no. I have done that and, correct, ended up with a virus in less than a minute!!!!! However, if you have all the updates installed, that is not correct; you will not get a virus.

Of course, you have to hook up to the internet to get those f***ing updates, so that is the problem.

bimmher


Posted on: 5:46 am on Feb. 18, 2006
© 2001-2019 bangkok2night.com | Our Privacy Statement