The Mac Observer

Mac Malware Concept Hits the Web

by , 9:25 AM EST, February 16th, 2006

What amounts to a proof-of-concept trojan horse application for the Mac started circulating around the Internet on Thursday. Ambrosia Software's Andrew Welch detailed the trojan, which he dubbed the "Oompa-Loompa Trojan," in the company's support forums. The malware-style application attempts to trick unsuspecting users into thinking that it is a JPEG image. If launched, the application requires administrator access before it can install files that attempt to send copies of itself to people that are in your iChat Buddy list.

This unsophisticated proof of concept is not a virus, and does not take advantage of any security flaws in Mac OS X. It also relies on features in Tiger (Mac OS X 10.4), so it is likely that certain parts of its code can't operate on Mac OS X 10.3 and earlier.

Computer security company Sophos has named the trojan horse "OSX/Leap-A," and is advising Mac users who run virus protection software to make sure that their virus definitions are up to date.

Trojan vs Virus
A trojan horse is an application that tricks users into thinking it is something other than what it really is. For example, someone could write an application that deletes the files from your Documents folder, but give it a name and icon that lead you to believe it is a collection of photos from a friend, an application updater, or some other "friendly" application. Although a trojan horse can take advantage of security weaknesses in your computer's operating system or other applications, it doesn't necessarily have to.

A virus, in contrast, is a self-replicating application that attaches itself to documents, applications, or your operating system, and usually takes advantage of security flaws in your applications and operating system. In most cases, a virus is used maliciously to cause damage to your computer, or to use your computer for other acts without your knowledge. That can include stealing information from you and your data files, using your computer to launch attacks on other computers over the Internet, and to propagate itself to other computers.

Both Trojan horses and viruses are considered malware.

To date, there are no known viruses for Mac OS X.
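The article describes a file that passes itself off as a JPEG. As an added example (not code from the article or from any vendor named in it), this Python check looks at a file's leading bytes and mode bits instead of its name or icon, so a Mach-O executable carrying a .jpg name, or an image file with the executable bit set, is reported; the file names and headers in demo() are constructed samples.

```python
import os
import stat

# Real magic numbers: JPEG's SOI marker, and Mach-O / fat-binary headers as they
# appear on disk in either byte order (0xcafebabe is also Java's class-file magic).
JPEG_MAGIC = b"\xff\xd8\xff"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat (universal) binary
}
IMAGE_EXTS = {".jpg", ".jpeg"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(header: bytes) -> str:
    """Name the real content from the first bytes: 'jpeg', 'macho' or 'other'."""
    if header.startswith(JPEG_MAGIC):
        return "jpeg"
    if header[:4] in MACHO_MAGICS:
        return "macho"
    return "other"

def verdict(name: str, header: bytes, mode: int = 0) -> str:
    """Compare what the name claims with what the bytes and mode bits say:
    'disguised-executable' for a Mach-O under an image extension,
    'executable-bit-on-image' for a real image marked executable, else 'ok'."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_EXTS:
        return "ok"  # only files claiming to be images are checked here
    if classify(header) == "macho":
        return "disguised-executable"
    if mode & EXEC_BITS:
        return "executable-bit-on-image"
    return "ok"

def scan_file(path: str) -> str:
    """Apply verdict() to a file on disk; only the first 4 bytes are read."""
    with open(path, "rb") as f:
        header = f.read(4)
    return verdict(os.path.basename(path), header, os.stat(path).st_mode)

def demo() -> list:
    """Constructed samples (not real malware): a genuine JPEG, a Mach-O header
    under a .jpg name as the article describes, and a JPEG someone chmod +x'd."""
    return [
        verdict("vacation.jpg", b"\xff\xd8\xff\xe0"),
        verdict("party_pics.jpg", b"\xce\xfa\xed\xfe", 0o755),
        verdict("photo.jpg", b"\xff\xd8\xff\xe0", 0o755),
    ]
```

Call scan_file() on each item in a download folder to apply the same check to real files.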

Observer Comments

Name: Guest
Subject: Thank you for putting this scare in perspective.

When I first read about this I was thinking "Oh, great - people are going to claim that there is now a virus for OS X", when it is quite obviously a trojan. You guys rock.

Name: Tiger (Posts: 1018, Joined: 17 Jun 2003)
Subject: People are claiming it, falsely

Go to www.macsurfer.com and see all the misleading headlines. It's a joke. iChat has easy-to-configure user preferences so you can block incoming file transfers and actually only be contacted by people you know. This can prevent the spread of this TROJAN (which in itself actually requires the user to do something to enable the threat into the computer in the first place!).

Is it a threat? Probably. Is it a horrendous threat? Not really, considering the average Mac user has an IQ over 80 and understands that security begins with the user, not the software.

Name: Biff (Posts: 1479, Joined: 08 Apr 2004)
Subject:

So the user double clicks the "jpg image" and the OS then prompts them to grant the application permission to alter the OS?

Name: Small White Car (Posts: 1960, Joined: 02 Jul 2004)
Subject:

Biff wrote:
> So the user double clicks the "jpg image" and the OS then prompts them to grant the application permission to alter the OS?

Not that I've tried it, but most of the posts I've read claim that a password is never asked for.

Name: Guest
Subject:

No, it only changes apps, not the OS. So if you're logged in as an admin, it doesn't ask for permission.

Name: metavurt (Posts: 163, Joined: 16 Jun 2003)
Subject: Contact Sophos Directly

I'd say we need to show Sophos we're not willing to put up with this kind of mis-categorization crap.

This is their press contact page and Graham is listed first:
http://www.sophos.com/pressoffice/contacts/index.html

Be nice, but be obviously angered by their lack of the use of a dictionary. Don't want to go there? Email Graham here: gcluley@sophos.com

Name: Mav (Posts: 1320, Joined: 17 Oct 2003)
Subject:

Ugh. Am I gonna have to add Sophos to my "cry wolf"/dubious credibility list? Proof-of-concept Trojan horses have been around for quite some time on OS X. And double-click social engineering is one of the oldest and easiest tricks in the book. But hey, whatever causes the most hysteria and spurs new sales of Sophos' product. (Which, amusingly, I couldn't/wouldn't buy anyway even if I wanted to, since they only seem to sell the software in "small business" client packs. Note to Sophos: If you're gonna do an Intego, at least offer single-client software so you can take full advantage of people.)

Name: Guest
Subject: Do not take this too lightly

Many people seem to think this is a non-issue simply because it requires user intervention to execute. Well, I hate to break this to you, but there are Mac users out there that are clueless and will enter the password.

I have heard for years that “an educated user is your best defense.” Well you know what? It doesn’t work. People still open attachments from strangers no matter what you tell them and there will be some idiot that won’t think twice about typing their password when this thing prompts them.

Yes, this is a primitive trojan that I am sure will have minimal impact… but it does seem to indicate that our Macs are starting to attract attention and I don’t think this will be the last attempt… do not be complacent.

Name: Guest
Subject:

Guest wrote:
> I have heard for years that “an educated user is your best defense.” Well you know what? It doesn’t work. People still open attachments from strangers no matter what you tell them and there will be some idiot that won’t think twice about typing their password when this thing prompts them.

Then by definition they are NOT educated.

Name: brianz (Posts: 1, Joined: 16 Feb 2006)
Subject: Trojan or Worm

I'm not so sure that this should be classified as a trojan horse. There have been a number of Windows viruses that required user intervention to launch, but have then replicated themselves to other computers. Two particularly well publicised examples come to mind. VBS.LoveLetter was a Visual Basic script that came out in May 2000 and W97M.Melissa.A was a Word macro that came out in April 1999. Both viruses spread via e-mail and in both cases you had to open the attachment in order to launch the virus. Both of these famous social engineering viruses masqueraded as desirable documents. The only difference I see between these worms and Oompa is that Oompa requires a two-step process of the user decompressing the file, then opening it. Granted, that extra step makes it much less likely that a user will be fooled, but I don't think that changes the classification. I think there is definitely a precedent for this kind of thing being called a worm.

Name: Guest
Subject:

"I have heard for years that “an educated user is your best defense.” Well you know what? It doesn’t work. People still open attachments from strangers no matter what you tell them and there will be some idiot that won’t think twice about typing their password when this thing prompts them.

Then by definition they are NOT educated."

So then when your kid touches the hot stove after you told him to, you did not educate him?

Name: Rainy Day (Posts: 607, Joined: 07 Jun 2005)
Subject: Have you noticed…

There’s just no good malware for MacOS X.

Name: Guest
Subject: All virus defs updated...

All virus apps, including the best one for Mac (ClamXAV), have been updated to deal with this overhyped trojan. It's all good.

Name: Tiger (Posts: 1018, Joined: 17 Jun 2003)
Subject: and the score is....

70,000

to

1


Windows loses.

Name: Guest
Subject: Total fix

I am ChildOL from Spymac...

I am very disappointed that Apple allowed this, given the easy fix...but this is what they can do to completely fix this problem...

Show the user (regardless of the icon) that the file is an executable; a glow would be very good... Require admin password if an application/process/script is trying to modify ANY FILE OR FOLDER on the system that is not already known to be modifiable by it. (Maybe a database where every user that is created is added and ANY known processes/programs/scripts... Any NEW processes/programs/scripts (ANYTHING executable) should be able to modify the given files/folders AFTER you give it the authority to do so via admin password, and then it is added to the database and it can THEN modify THOSE files etc.)

Should be simple for Apple to do and should have been done LONG ago.

Name: Guest
Subject:

We have had some weird Mail behavior recently. I had 15,737 unread messages appear in my INBOX yesterday..... mostly stuff that I had read and/or trashed over the past several months. Apparently had nothing to do with our ISP since we don't store messages on their servers. I suppose there could be a connection to the malware (it was Thursday as the message indicated) that you refer to, but the link says it is basically Tiger enabled and we have not gone to Tiger yet... still on Panther.
Tom aka elkmtnman

Name: Guest
Subject: So don't use Admin

All the more reason why I never log in under an admin account unless I am intentionally and knowingly doing system maintenance work. 99% of what I do doesn't require admin access. I assume if I were to get infected by this virus, at a minimum it would not be able to infect any applications without the system asking for an admin password (dead giveaway that something fishy is going on). But could it still use iChat to propagate itself? Could it even get installed in the first place? Doesn't the OS now ask every time an application is run for the first time?

Name: Guest
Subject:

"70,000

to

1"

More like 70,000 to 0. Launching Leap-A requires just barely less effort than a person purposely murdering their own install of OS X.

I think the only surprise here is the fact that somebody actually bothered to make such a sad piece of malware.

Name: Guest
Subject: Trojan...lol...

They'd be better off trying to sell me a CRT monitor coozie than Anti-Vir software for this old mac. ;-P
