February 16, 2006 1:00 PM PST

Virus protection software makers respond to Oompa-Loompa trojan (OSX/Oomp-A); protective methods

by CNET staff

Earlier today we noted the discovery and description of a new piece of malware for Mac OS X dubbed the "Oompa-Loompa Trojan (OSX/Oomp-A)." [See previous coverage]

As previously noted, the malware was posted as "latestpics.tgz" to a Mac rumors web site, claiming to be pictures of "Mac OS X Leopard" (an upcoming version of Mac OS X). It propagates through iChat, and can cause applications to not work properly -- but requires an administrator password to enact its somewhat innocuous effects, making it a low-level threat.

Several makers of Mac OS X anti-virus software have now chimed in with their assessment and response to the new malware.

Symantec is calling the malware "OSX.Leap.A," and says it is currently categorized as a Level 1 threat (on a scale of 1 to 5, with 5 being most severe).

Symantec representatives told MacFixIt:

"The worm makes use of the Spotlight search program, included in OSX, and will run each time the machine boots. It identifies any applications being started, and if iChat begins to run, the worm uses iChat to send the infected file -- latestpics.tgz -- to all contacts on the infected user's buddy list. Those on the buddy list will then be asked to accept the file. If they do, the file will subsequently be saved to their hard drive. Files infected by OSX.Leap.A may be corrupted and may not run correctly."

"Symantec currently provides definitions to protect against OSX.Leap.A. The Symantec Security Response Web site provides additional details at: http://securityresponse.symantec.com/"

Intego, makers of the VirusBarrier software, added:

"Two versions of this Trojan horse exist, and the Intego Virus Monitoring Center immediately developed updated virus definitions, which it released on February 14, 2006, as soon as it discovered this threat, ensuring that VirusBarrier X and VirusBarrier X4 eradicate the Oompa-Loompa Trojan horse. All Intego VirusBarrier X and VirusBarrier X4 users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

"Initially appearing in a compressed file called latestpics.tgz, this Trojan horse, after being decompressed, appears to be a graphic file. When a user double-clicks it, expecting to see a picture, the program inserts a file called apphook.bundle in the user's InputManagers folder which then ensures that it is replicated in all other Cocoa applications the user launches. Using Spotlight, the Trojan horse searches for the four most recently used applications, then infects them. The apphook.bundle Input Manager attempts to send a copy of the original file, latestpics.tgz, to every person on a user's iChat buddy list. Since users see this file coming from friends and colleagues, they are inclined to assume that it is safe, and therefore double-click the file a first time to decompress it, and a second time to attempt to 'view' it.

"Intego usually advises all Macintosh users to only download and open files and applications from trusted sources. In this case, however, users receive the Trojan horse via iChat from their buddies and are therefore likely to assume it is legitimate. So users should be additionally careful when receiving an unexpected attachment via iChat from someone in their buddy list. All users should update their virus definitions and never open files received by e-mail or iChat unless they are sure that these files are safe."

Protective method: Setting iChat to not automatically accept incoming files

In order to protect against the unintended acquisition of this malware, it is recommended that you set iChat to notify the user before accepting a file. This is accomplished by opening iChat's preferences, then clicking the "Messages" tab, and selecting "Confirm before sending files." This is the default setting for a fresh Mac OS X installation.

And remember, be very cautious about supplying your administrator password to system prompts (you will be prompted for it if you are a non-admin user and attempt to open the infected .jpg). You should never be asked to enter your administrator password to open a .jpg file (as in this case). Provide your administrator password only to trusted applications.

In fact, you should avoid being logged in as an administrator whenever possible. Instead, use a standard user account for daily tasks.
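As an added defensive check that is not part of this article or any vendor's tooling, the following shell script lists the Input Manager bundles in the folders the Intego description names as the persistence point and flags the reported apphook.bundle name. The function names are the author's own, and the directory tree it builds is a constructed stand-in for ~/Library/InputManagers (on a real Tiger system you would pass ~/Library/InputManagers and /Library/InputManagers).

```shell
#!/bin/sh
# Added example, not from the article or any vendor: audit Input Manager folders.
# Every Input Manager is loaded into each Cocoa application the user launches,
# so any unexpected entry deserves review; the name below is the one the
# article reports. Function names and the demo tree are constructed.

REPORTED_NAME="apphook.bundle"   # bundle name quoted in the Intego description

# list_input_managers DIR...: print each *.bundle up to two levels below every
# existing directory given (each Input Manager normally sits in its own subfolder).
list_input_managers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 2 -name '*.bundle' 2>/dev/null
    done
}

# count_flagged DIR...: print how many listed bundles carry the reported name.
count_flagged() {
    list_input_managers "$@" | while read -r path; do
        [ "$(basename "$path")" = "$REPORTED_NAME" ] && echo x
    done | wc -l | tr -d ' '
}

# audit_input_managers DIR...: print every bundle for review; return 1 when the
# reported name is present, 0 otherwise.
audit_input_managers() {
    list_input_managers "$@" | while read -r path; do
        echo "input manager: $path"
    done
    [ "$(count_flagged "$@")" -eq 0 ]
}

# Demo on a constructed tree standing in for ~/Library/InputManagers.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/apphook/apphook.bundle" "$demo_root/Legit/Legit.bundle"
if audit_input_managers "$demo_root"; then
    echo "clean: $REPORTED_NAME not present"
else
    echo "FLAGGED: $REPORTED_NAME present, review the bundles listed above"
fi
rm -rf "$demo_root"
```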

Feedback? Late-breakers@macfixit.com.

    by Cowicide February 16, 2006 2:47 PM PST

    Apple commented on the release of the code in a statement
    provided to Macworld.

    "Leap-A is not a virus, it is malicious
    software that requires a user to download the application and execute the
    resulting file," said Apple. "Apple always advises Macintosh users to only
    accept files from vendors and Web sites that they know and trust. We have a
    guide to safely handling files received from the Internet at http://
    docs.info.apple.com/article.html?artnum=108009."

    by barrom February 17, 2006 6:36 AM PST
    This report states:
    "It propagates through iChat, and can cause applications to not work properly -- but requires an administrator password to enact its somewhat innocuous effects, making it a low-level threat."

    My understanding is, however, that an admin password is required only if the user is not already an admin. Since Mac OSX's default user is an admin user, most people will not be prompted for a password in order for this program to operate.

    I think it's important to make this crystal clear.
    by LionMage1 February 17, 2006 6:36 AM PST
    This is a reply to a previous comment by barrom

    Not true. Applications that require privileges to run will prompt for an
    administrator password, even if an administrative user is already logged in.
    This is similar to how many command-line apps require sudo to work
    effectively, and sudo will prompt for an administrative password even when
    an administrator is logged in.

    The administrative user in OS X is not the same thing as 'root' or the
    superuser, which is disabled by default in OS X. If you're logged in as the
    superuser, then every application run by that user is maximally privileged.
    by 123 February 17, 2006 6:37 AM PST
    This is a reply to a previous comment by barrom

    This is true, because by default, the /Applications folder and stuff inside it (and several others) are writable by any 'admin'.

    More annoyingly, setting custom permissions (group unwritable to everything in /Applications) causes 'repair permissions' to complain about every file in every app (thousands!).

    OSX's entire security model is supposed to be that you can do anything you want with an admin password, but not otherwise. I suspect Apple makes /Applications group-writable for user-friendliness (and Proteus used to crash if you couldn't write to it), but that goes against the entire security model.
    by Macsure February 17, 2006 10:37 PM PST
    Not everyone thinks this is such a "little thing" - at least not in terms of what
    opened the door and in terms of future vulnerability for OS X and all
    Unix-type systems.

    Here's a rather more caustic view from Rixstep.com (quote):

    There are so many instructive things with the OS X Oompa Loompa worm it's
    not funny.

    First off, we have a worm that doesn't want root access. Specifically it does
    not. That's got to be a first.

    Second, it's able to operate anyhow.

    Third, it shows incredible ingenuity in finding a way to trojanise a system and
    spread like a virus.

    Fourth - and this is most important: it wouldn't have a chance of spreading if
    Apple hadn't screwed up the Unix they were given on a silver platter.

    NeXTSTEP wouldn't be vulnerable; Debian wouldn't be vulnerable; neither
    would Fedora, Red Hat, SuSE, Mandrake, Gentoo, Linspire, OpenBSD, FreeBSD,
    NetBSD, AIX, Slackware, or Solaris. Not a one.

    What do Apple say? 'Don't open attachments.' Sounds a bit like Microsoft
    anno 2000 doesn't it?

    Jay Beale, head of Bastille-Linux, says Apple simply don't get it when it comes
    to security. They haven't audited their code. They respond well to bug reports
    but at the end of the day neither understand Unix nor like it - and they seem
    to count on Unix nevertheless saving the day - despite the fact they're openly
    ruining it.

    No one's ever tried ruining Unix before - much less dared. If it had to
    happen, it almost had to be Apple doing it.

    We have too long trusted in Apple when we knew better. We trusted in them
    because they inherited the brilliant NeXTSTEP. We felt secure in the
    knowledge Apple would have over three hundred NeXT engineers under the
    roof in Cupertino.

    We forgot to use logic. We forgot to remember there were thousands of Apple
    engineers already there.

    We hoped NeXTSTEP (and Unix) would emerge. We knew precious little about
    Apple then and today we know too much. [End Quote]
    --------------------------------------
    Add to that some comments I've received from long-time Mac techs, which
    say, "Tiger sucks" - verbatim quote. The intended meaning is that Rixstep is
    correct in saying that Apple has "lost it" when dealing with and protecting the
    very things which make OS X such a value to serious users.