Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
OS X Trojan appears
Published: 2006-02-16

A new Trojan for Apple's OS X computers has appeared. While neither a virus nor the first appearance of malicious code on Mac OS X, the incident is receiving major attention from the Apple community. Additionally, the Trojan has been neither widespread as a worm nor particularly effective, but should be an eye-opener to Apple users that no modern computer system is safe from the potential for viruses, worms and malicious code.

An external link to the malicious code was provided in the popular Mac Rumors message forum. The Trojan was first publicly disassembled and documented by Andrew Welsh, who has given it the name OSX/Oomp-A. Known to antivirus companies as OSX/Leap-A, Security giant Symantec categorizes it as a low-risk level 1 worm for 10.4-only systems (SecurityFocus is owned by Symantec Corporation), and McAfee similarly calls it a low-profiled worm. Antivirus firm F-Secure has a description of OSX/Leap-A as well. Sophos appears to be the only antivirus firm calling this malicious code a virus.

The malicious code uses social engineering tactics to infect a user's system, and does not exploit any security holes in OS X. The Trojan tries to disguise itself as screenshots of Apple's next generation operating system, OS X "Leopard" 10.5, using the filename "latestpics.tgz". The Trojan does attempt to self-propagate using the user's iChat instant-messaging application, but does not harm the infected system. The Trojan's self-propagating nature enables it to fit in the common sub-category of malicious code known as an Internet worm.

There are also a number of steps that require user interaction for a system to be infected: the user must first be sent the infected file (manually by email, or automated via iChat instant messaging), then the user must double-click and decompress the image, open the image, and finally provide his administrator account and password for the code to be installed. Once installed, the malicious code attempts to hook the launching of any application in a user's application library, and then inject code into application executables. However, a bug in the virus' coding prevents the launching of any application executable after infection.

The steps required to install the worm highlight the fact that a default install of OS X finds the average user running without administrator privileges, and therefore malicious code must trick the user into manually installing it. In comparison, most users of the more popular Microsoft Windows system are still logged in as an administrator, where worms, viruses, spyware and other malicious code are extremely common. Additionally, administrator-level access on the OS X GUI does not provide access to traditional superuser 'root' access inside Darwin, the BSD-based underpinnings that run Apple's UNIX-based computers. Root access is disabled by default on all Apple OS X systems.

As major media outlets scramble to label this new malicious code as the first virus for OS X, the poorly-written Trojan is in fact not a true virus. It is also not the first example of malicious code to appear on modern Macs, but is perhaps the most virus-like malicious code that the Apple community has seen this decade. Nearly six years after Apple first released OS X, the popular operating system remains virus free - the only question is, for how much longer.

Update: removed "proof-of-concept" from the article title, as the Trojan/worm was found in the wild.

Posted by: Kelly Martin
    Digg this story   Add to  
Comments Mode:
OS X proof-of-concept Trojan appears 2006-02-16
Anonymous (1 replies)
Sophos uses names virus and worm 2006-02-17
Juha-Matti Laurio
OS X Trojan appears 2006-02-17
OS X Trojan appears 2006-02-17
Juha-Matti Laurio
Message to Security World: "Duh"... 2006-02-17
Penguinisto (1 replies)


Privacy Statement
Copyright 2009, SecurityFocus