02/16/2006, 1:30pm, EST
Thursday, February 16th
New Mac OS X worm discovered
The program then copies the application executable to its own resource fork, replacing the executable with itself. "In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running," according to Ambrosia Software. Ambrosia also notes that the program does not exploit any security holes, requires the admin password if the user is not already logged in as administrator, and has a bug in its code that prevents it from working as intended; the bug has the side effect of preventing infected applications from launching.
According to Ambrosia, the program "checks to see if the xattr 'oompa' of the application executable is > 0... if so, it bails out, to prevent it from re-infecting an already infected application. If not, it sets the xattr 'oompa' of the application executable to be 'loompa' (this does nothing, it is just a marker that it has infected this app). It then copies the application executable to its own resource fork, and replaces the executable with itself... thus effectively inject[ing] its code in the host application."
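As an added defensive example (not code from Ambrosia, Sophos or the article), a scanner that looks for the two artifacts the description above gives an infected application: the 'oompa'='loompa' marker attribute on the executable, and a Mach-O image sitting in the executable's resource fork. The use of the xattr(1) tool, the HFS+ "..namedfork/rsrc" path and the Mach-O magic values are assumptions about the platform, not facts stated on the page.

```python
import os
import subprocess
# Indicators described in Ambrosia's analysis: a marker xattr on the
# executable and the original Mach-O image stashed in its resource fork.
MARKER_ATTR = "oompa"
MARKER_VALUE = "loompa"
# Mach-O magic numbers (assumption: 32-bit big/little-endian and fat headers).
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def read_xattr_macos(path, name):
    """Read one extended attribute via xattr(1); None if unset or unreadable."""
    proc = subprocess.run(["xattr", "-p", name, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def read_rsrc_head_macos(path, n=4):
    """First n bytes of the HFS+ resource fork (..namedfork/rsrc), b'' if none."""
    try:
        with open(path + "/..namedfork/rsrc", "rb") as fork:
            return fork.read(n)
    except OSError:
        return b""

def classify(path, read_xattr=read_xattr_macos, read_rsrc_head=read_rsrc_head_macos):
    """Return the list of infection indicators found on one executable."""
    hits = []
    if read_xattr(path, MARKER_ATTR) == MARKER_VALUE:
        hits.append("marker xattr %s=%s" % (MARKER_ATTR, MARKER_VALUE))
    if read_rsrc_head(path).startswith(MACHO_MAGICS):
        hits.append("Mach-O image in resource fork")
    return hits

def bundle_executables(root):
    """Yield every file under Contents/MacOS of each .app bundle below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.endswith(".app"):
            macos_dir = os.path.join(dirpath, "Contents", "MacOS")
            if os.path.isdir(macos_dir):
                for name in os.listdir(macos_dir):
                    exe = os.path.join(macos_dir, name)
                    if os.path.isfile(exe):
                        yield exe
            dirnames[:] = []  # nested helper bundles are not descended into

if __name__ == "__main__":
    for exe in bundle_executables("/Applications"):
        found = classify(exe)
        if found:
            print(exe, "->", "; ".join(found))
```

The probe functions are injectable so the classification logic can be exercised with constructed attribute and fork data on any platform; on a Mac the defaults read the real filesystem.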
There is some discrepancy as to whether the program should be labeled a Trojan or a virus/worm. Sophos, whose analysts cover viruses, spyware, and spam, has declared that the program should be classified as a worm or virus, and not a Trojan, because it is programmed to use iChat to spread itself, and Trojan horses do not contain any code to distribute or spread themselves. Ambrosia Software says that it should be called a Trojan, not a virus, because it doesn't self-propagate externally.
Trojan or not
Wikipedia defines a Trojan horse as "a malicious program that is disguised as legitimate software... Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program."
The Wikipedia definition states that "a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells... While viruses can be intentionally destructive (for example, by destroying data), many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a bomb."
"In a common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; however, this can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, but only software."
Intego offers protection
Intego also issued a warning: "this security threat affects Macintosh computers running Mac OS X on PowerPC processors. Replicating by sending itself to users' iChat buddies, the Oompa-Loompa trojan horse does not delete any files, but infects applications on computers where it runs, enabling those applications to in turn spread the virus."
The company says two versions of the intended virus exist, and that its virus definitions have already been updated to combat the threat.
Filed under: troubleshooting
Difference is... viruses can self-execute on a Windows PC making them easy to spread... Mac users have to shoot themselves in the foot before they crash their system.
But, call me stupid if you like, how would I tell the difference between a dialogue that was from Safari asking for this information, and one from a malicious JavaScript/application that passed the information entered back to a hacker, etc?
Where you have multiple applications asking for passwords in different ways, and where you have applications able to masquerade as generic (non-executable) files, then you are always going to have a problem with Trojans.
Unless you're an admin user (which most Mac users are, because that's the default install in OS X), in which case NO password is required. Gee, it's just like Windows!
Difference is... viruses can self-execute on a Windows PC making them easy to spread... Mac users have to shoot themselves in the foot before they crash their system.
It's amazing how stupid some people are. Viruses on ANY platform can self-execute. You don't need Windows to do that. It's the freakin' definition of a virus! This is a Trojan Horse, to start with, because it has to be launched, just like most of the later 'viruses' on Windows, which are more "Hey, open this file!" kind, not a spreading virus kind.
And note that this apparently tries to propagate through iChat, so it might spread on its own, anyway (if it worked).
Computer Worm: http://en.wikipedia.org/wiki/Computer_worm
The fact that the worm propagates itself internally still qualifies it as being a worm. Though it does not do so externally, there are still no Trojans with the ability to self-replicate.
I will have to agree with Sophos Anti-Virus on this one.