updated 01:30 pm EST, Thu February 16, 2006
New Mac OS X worm
A new malware program for Mac OS X is now circulating the internet. Ambrosia Software and some avid Mac users haved noted what appears to be a new trojan horse for Mac OS X. The program, named "latestpics.tgz," has been confirmed by Internet security software maker Intego and dubbed "Oompa-Loompa" by Ambrosia Software. Once unarchived, the file appears to be a JPEG image, but is in fact an executable PowerPC-compiled program. Once run, the application will create a pristine copy of itself in /tmp as "latestpics," which it later user to self-propegate via iChat. The malware infects other applications through the InputManager mechanism, inadvertently rendering them useless due to a bug in the malicious code. It uses Spotlight to find the four most recently used applications on the host machine that are not owned by root, after which it checks to see if the application has already been infected.
The program then copies the application executable to its own resource fork, replacing the executable with itself. "In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running," according to Ambrosia Software. Ambrosia also notes that the program does not exploit any security holes, requires the admin password if the user is not already logged in as administrator, and has a bug in its code which prevents it from working as intended-- the bug has the side effect of preventing infected applications from launching.
According to Ambrosia, the program "checks to see if the xattr 'oompa' of the application executable is > 0... if so, it bails out, to prevent it from re-infecting an already infected application. If not, it sets the xattr 'oompa' of the application executable to be 'loompa' (this does nothing, it is just a marker that it has infected this app). It then copies the application executable to its own resource fork, and replaces the executable with itself... thus effectively inject[ing] its code in the host application."
There is some discrepancy as to whether the program should be labeled a trojan or a virus/worm. Sohpos-- virus, spyway, and spam analysts- have declared that the program be classified as a worm or virus, and not a Trojan, because it is programmed to use iChat to spread itself, and Trojan horses do not contain any code to distribute or spread themselves. Ambrosia software says that it should be called a trojan, not a virus, because it doesn't self-propagate externally.
Trojan or not
Wikipedia defines a Trojan horse as "a malicious program that is disguised as legitimate software... Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program."
The Wikipedia definition states that "a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells... While viruses can be intentionally destructive (for example, by destroying data), many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a bomb."
"In a common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; however, this can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, but only software."
Intego offers protection
Intego also issued a warning: "this security threat affects Macintosh computers running Mac OS X on PowerPC processors. Replicating by sending itself to users' iChat buddies, the Oompa-Loompa trojan horse does not delete any files, but infects applications on computers where it runs, enabling those applications to in turn spread the virus."
The company says two versions of the intended virus exist, and that its virus definitions have already been updated to combat the threat.