Printed from http://www.macnn.com

New Mac OS X worm discovered

updated 01:30 pm EST, Thu February 16, 2006

New Mac OS X worm

A new malware program for Mac OS X is now circulating on the internet. Ambrosia Software and some avid Mac users have noted what appears to be a new trojan horse for Mac OS X. The program, named "latestpics.tgz," has been confirmed by Internet security software maker Intego and dubbed "Oompa-Loompa" by Ambrosia Software. Once unarchived, the file appears to be a JPEG image, but is in fact an executable PowerPC-compiled program. Once run, the application creates a pristine copy of itself in /tmp as "latestpics," which it later uses to self-propagate via iChat. The malware infects other applications through the InputManager mechanism, inadvertently rendering them useless due to a bug in the malicious code. It uses Spotlight to find the four most recently used applications on the host machine that are not owned by root, after which it checks whether each application has already been infected.

The program then copies the application executable to its own resource fork, replacing the executable with itself. "In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running," according to Ambrosia Software. Ambrosia also notes that the program does not exploit any security holes, requires the admin password if the user is not already logged in as an administrator, and has a bug in its code which prevents it from working as intended; the bug has the side effect of preventing infected applications from launching.

According to Ambrosia, the program "checks to see if the xattr 'oompa' of the application executable is > 0... if so, it bails out, to prevent it from re-infecting an already infected application. If not, it sets the xattr 'oompa' of the application executable to be 'loompa' (this does nothing, it is just a marker that it has infected this app). It then copies the application executable to its own resource fork, and replaces the executable with itself... thus effectively inject[ing] its code in the host application."
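Added example, not code from the article, Ambrosia or Intego: a Python check for the two artefacts the description above attributes to the sample, the 'oompa' extended attribute on an application executable and an original executable stashed in that file's resource fork, plus a Mach-O magic-number test that tells a real executable from the JPEG it pretends to be. The ..namedfork/rsrc path and the magic numbers are standard macOS facts; the verdict strings and the resource-fork heuristic are assumptions of this example.

```python
import os
import subprocess

# Marker attribute the sample sets on each executable it has already hijacked
# (from the Ambrosia analysis quoted above); the magic numbers are standard Mach-O.
MARKER_XATTR = "oompa"
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit (PowerPC is big-endian)
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}  # 64-bit, fat

def is_macho(path):
    """True if the file begins with a Mach-O magic number, whatever its name suggests."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def list_xattrs(path):
    """Extended-attribute names: os.listxattr where available, else the macOS xattr CLI."""
    try:
        if hasattr(os, "listxattr"):
            return list(os.listxattr(path))
        return subprocess.run(["xattr", path], capture_output=True, text=True).stdout.split()
    except OSError:
        return []

def resource_fork_size(path):
    """Bytes in the HFS+ resource fork, exposed at <file>/..namedfork/rsrc; 0 if absent."""
    fork = os.path.join(path, "..namedfork", "rsrc")
    return os.path.getsize(fork) if os.path.exists(fork) else 0

def classify(macho, xattrs, fork_bytes):
    """Pure decision logic for one file: (verdict, note), or None if nothing to report."""
    if not macho:
        return None                        # only executables get hijacked
    if MARKER_XATTR in xattrs:             # marker set: the binary has been replaced
        if fork_bytes:
            return ("infected", "original executable stashed in resource fork")
        return ("infected", "marker set but no resource fork; original may be lost")
    if fork_bytes:                         # executables normally carry no resource fork (heuristic)
        return ("suspicious", "Mach-O executable with a %d-byte resource fork" % fork_bytes)
    return None

def check(path):
    """Assess one file on disk; returns (verdict, note) or None."""
    return classify(is_macho(path), list_xattrs(path), resource_fork_size(path))
```

Run check() over the files under each application's Contents/MacOS; an "infected" hit that still has a resource fork means the pre-infection executable can be copied back out of that fork.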

There is some discrepancy as to whether the program should be labeled a trojan or a virus/worm. Sophos, whose analysts cover viruses, spyware and spam, has declared that the program should be classified as a worm or virus, and not a Trojan, because it is programmed to use iChat to spread itself, and Trojan horses do not contain any code to distribute or spread themselves. Ambrosia Software says that it should be called a trojan, not a virus, because it doesn't self-propagate externally.

Trojan or not

Wikipedia defines a Trojan horse as "a malicious program that is disguised as legitimate software... Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program."

The Wikipedia definition states that "a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells... While viruses can be intentionally destructive (for example, by destroying data), many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a bomb."

"In a common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; however, this can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, but only software."

Intego offers protection

Intego also issued a warning: "this security threat affects Macintosh computers running Mac OS X on PowerPC processors. Replicating by sending itself to users' iChat buddies, the Oompa-Loompa trojan horse does not delete any files, but infects applications on computers where it runs, enabling those applications to in turn spread the virus."

The company says two versions of the intended virus exist, and that its virus definitions have already been updated to combat the threat.




by MacNN Staff


Comments

  1. crayola


    -1


    all your trojans are belong to us

  1. Monstermind


    -1

    Please.

    Give me five minutes with Wikipedia. I'll have the definition for BOTH changed to "what's between Hillary Clinton's legs" - and I'd hazard a guess it would be no less accurate.

  1. MacWizard x


    +1

    Here's an idea...

    This worm/trojan is absolutely no issue to any mac user who doesn't enter their admin password and execute the initial file... in other words.. don't open a file that blatantly looks like a virus to anyone who doesn't have their head up their a**...

    Difference is... viruses can self-execute on a Windows PC making them easy to spread... Mac users have to shoot themselves in the foot before they crash their system.

  1. Clive


    +1

    Re: here's an idea

    The problem here is that who knows what process is asking for the admin password? A few days ago I kept getting dialogues in Safari asking for my password. There was no particular reason why, and I was wary of it - it turned out that the preferences had become corrupted, and after password entry the problem went away.

    But, call me stupid if you like, how would I tell the difference between a dialogue that was from Safari asking for this information, and one from a malicious JavaScript/application that passed the information entered back to a hacker, etc?

    Where you have multiple applications asking for passwords in different ways, and where you have applications able to masquerade as generic (non-executable) files, then you are always going to have a problem with Trojans.

  1. LouZer


    -1

    Re: here's an idea

    This worm/trojan is absolutely no issue to any mac user who doesn't enter their admin password and execute the initial file... in other words.. don't open a file that blatantly looks like a virus to anyone who doesn't have their head up their a**...

    Unless you're an admin user (which most mac users are, because that's the default install in OS X), in which case NO password is required. Gee, it's just like Windows!

    Difference is... viruses can self-execute on a Windows PC making them easy to spread... Mac users have to shoot themselves in the foot before they crash their system.

    It's amazing how stupid some people are. Viruses on ANY platform can self-execute. You don't need Windows to do that. It's the freakin' definition of a virus! This is a Trojan Horse, to start with, because it has to be launched, just like most of the later 'viruses' on Windows, which are more "Hey, open this file!" kind, not a spreading virus kind.

    And note that this apparently tries to propagate through iChat, so it might spread on its own, anyway (if it worked).

  1. tombertram


    0

    Antivirus

    I still won't purchase any anti-virus software until there's actually some decent stuff which runs seamlessly with Mac OS X; they just don't seem to offer the same level of integration as in Windows. So tough luck if I get a virus really.

  1. JoeE


    -1

    Worm Definition...

    ...courtesy of Wikipedia:

    Computer Worm: http://en.wikipedia.org/wiki/Computer_worm

    The fact that the worm propagates itself internally still qualifies it as being a worm. Though it does not do so externally, there are still no Trojans with the ability to self-replicate.

    I will have to agree with Sophos Anti-Virus on this one.


  1. MacPC


    0

    OS X is still an OS

    I love OS X, but an OS is an OS; given enough market share, someone will do bad things to it. So diehard Mac users, wake up and face the reality.
