OSX/Leap-A

From Mac Guides


OSX/Leap-A, also known as OSX/Oomp-A, is what some say is the first virus for Mac OS X, although there is debate about what type of malware it should be classified as. OSX/Leap-A is not very destructive, at worst making some applications unusable, and is not very prevalent.


History

On February 13, 2006, a user called lasthope created a thread in the MacRumors forums containing a link to a file called "latestpics.tgz", claiming that it contained screenshots of Apple's upcoming Mac OS X revision, Mac OS X 10.5 (Leopard). Several people downloaded it, decompressed it and opened it. However, instead of displaying an image, opening it launched the Terminal and produced some output. It was originally unclear what exactly it did.

The following day, user yankeefan24 posted a new thread, reporting that the file had tried to spread to another computer on his network. This indicated that the program was much more serious than first thought. Within the following two days, Ambrosia Software president Andrew Welch provided a disassembly of how the program works, and a story about the malware was posted on the front page of MacRumors.com. News of the program quickly spread in the media, and most antivirus firms were quick to update their virus definitions.

Workings

Once uncompressed, the malware appears with the icon of an image file, but it is actually an application. When run, it does the following:

  1. Creates a copy of itself in /tmp, ready to be transmitted at a later time.
  2. Creates an "apphook" in either /Library/InputManagers/ or ~/Library/InputManagers/, so that when an application is launched the "apphook" is loaded and can inject its code into the application.
  3. Infected applications will then attempt to send the "latestpics.tgz" file to people on the user's iChat buddy list. The propagated file must be run manually by the user on the other end; it does not run automatically.
  4. It then uses Spotlight to find the 4 most recently used applications not owned by root and infects them.
  5. When these applications are run, the malware code is executed and it tries to spread itself further.

Due to a bug in the program's code, infected applications will not run their original code.

It should also be noted that under a standard account OSX/Leap-A cannot run without an administrator password, but it runs unprompted from an administrator account. The main user account is an administrator account by default.
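As an added example (not from this page and not from Andrew Welch's disassembly), the following shell function audits a Mac for the artifacts described in steps 1 and 2 above: the copy staged in /tmp and the "apphook" entry in either InputManagers directory. The exact file name "latestpics.tgz" and the "apphook" bundle name are taken from the description above and are assumptions, not verified names from a sample. Because InputManagers bundles are loaded into every application at launch, the function also lists any other entry in those directories so it can be reviewed.

```shell
#!/bin/sh
# Added example, not from the Mac Guides page or from Andrew Welch's analysis:
# audits a filesystem for the artifacts the page attributes to OSX/Leap-A.
# Assumptions (taken from the page's description, not verified file names):
#   - the staged copy is "latestpics.tgz" in /tmp
#   - the hook is an entry whose name contains "apphook" under
#     /Library/InputManagers or ~/Library/InputManagers
# Usage: leap_a_indicators [root] [home]
#   root defaults to the real filesystem root and home to $HOME, so a bare
#   call audits the live system; pass a constructed directory tree to
#   exercise the checks offline.
# Prints one line per indicator found and nothing on a clean system.

leap_a_indicators() {
    root="${1:-}"          # empty root means the real filesystem root
    home="${2:-$HOME}"

    # 1. A copy staged in /tmp, waiting to be sent over iChat.
    staged="$root/tmp/latestpics.tgz"
    if [ -e "$staged" ]; then
        echo "staged copy: $staged"
    fi

    # 2. An input manager hook. InputManagers bundles are loaded into every
    #    application at launch, which is how the page says the code is injected.
    for dir in "$root/Library/InputManagers" "$home/Library/InputManagers"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$entry" ] || continue       # glob matched nothing
            name=$(basename "$entry")
            case "$name" in
                *apphook*|*Apphook*|*AppHook*) echo "input manager hook: $entry" ;;
                *)                             echo "unexpected input manager: $entry" ;;
            esac
        done
    done
    return 0
}

# Executed directly with no arguments, this audits the live system.
leap_a_indicators "$@"
```

On a Mac of the period a legitimate input manager (for example a third-party haxie) would show up as "unexpected input manager"; that line is a prompt to review the entry, not a verdict. Removing the InputManagers entry and the /tmp copy does not repair applications that were already infected, which the page notes no longer run their original code.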

Classification

There is debate as to whether OSX/Leap-A should be classified as a trojan horse or a virus. Some people, such as Andrew Welch, call it a trojan horse because it requires user intervention to run. However, others, such as SophosLabs, call it a virus since it is able to infect other applications and spread itself over instant messaging.
