World's first OS X virus hits Apple

TechWorld.com ^ | 2/16/2006 | News Story by John E. Dunn

[Swordmaker]

Leap-A is believed to have originally been posted on a Web site for Apple users, posing as a software update.

"Believed" by whom??? This is an example of the FUD written by people who really don't know what they are talking about. A cursory investigation would have revealed that we know exactly WHERE Leap.A was first seen and by whom... and it was NOT as a "software update." It was masquerading as a zipped set of supposed JPEG images of the next incarnation of OSX, Leopard.

[Swordmaker]

More hyperventilating from the ignorant press about Leap.A or Oomp.A Trojan for Mac OS X. PING!

This one ads even more mis-information.

If you want on or off the Mac Ping List, Freepmail me.

[Behind Liberal Lines]

With all due respect this was bound to happen. With increasing market share and Mac users constantly bragging about how their computers didn't get viruses, it was only a matter of time before some hacker decided to meet the challenge.

[Doohickey]

Relax. Malware happens, and it shouldn't reduce the enjoyment you derive from your platform of choice. Are you on the payroll or something?

[N3WBI3]

Clicking on the file allows the malware to install and disguise itself as a harmless-seeming .jpeg icon.

SO inother words the use installs something that does bad stuff, this is a trojan not a virus.

[anonymous_user]

Thanks for the updates! New Mac Ping icon for you if you'd like. :)

[tubebender]

Has anyone have any first hand experience with this...

[sergeantdave]

Bring out your dead!

Bring out your dead!

The end is near!

[js1138]

The fact is that most viruses now require permission from the user to install, and no operating system can be completely immune from user permissions.

[Richard Kimball]

I ran the test. The virus opened terminal and launched the calculator. Turn off automatic opening of trusted files in Safari to solve the problem. If you move terminal to a different location, the program doesn't know where to find it, and thus cannot execute.

They noted that instant messaging is the new target of choice, and I think that everyone should be aware that every time a new program type comes out, there will be vulnerabilities, especially for the first little while.

[Doohickey]

Sure it's a trojan. It's an executable disguised as something seemingly innocuous that would entice the user to open it. The very definition of trojan.

[tubebender]

Thanks. I use FireFox as my primary browser. Are there any issues there?

[Richard Kimball]

Firefox gives you an option on download of saving to disk or opening with the default application. Select download to disk. This will keep you from accidentally opening a file thinking you were clicking on a link. It won't necessarily protect you if you deliberately download a zip file and then double click it to open it. As has been pointed out on this thread, many of th MS "viruses" actually get on the system by social engineering. They convince the user to install it. The best protection, AFAIC, is to be careful about downloading and installing programs. Especially, if anything asks for a password, and it's not a program you intend to install, don't give it. No media or information file (jpeg, mov, avi, psd, pdf, doc, etc.) should need a system password. Oh, if I am going to a non-trusted site, I shut off java and javascript.

[opticks]

Well, sort of. Firefox shows the file as a tar.gz file and then downloads it to your directory of choice. You still have to double-click on the file to execute the shell script.

[Swordmaker]

With increasing market share and Mac users constantly bragging about how their computers didn't get viruses, it was only a matter of time before some hacker decided to meet the challenge.

But he hasn't "met the challenge"... this is far from a self replicating, self propagating virus... it is a Trojan and not the first of that breed for the Mac OS X.

[Swordmaker]

I like... thanks. I will incorporate it in the next Mac Ping list Ping... nice job, Anonymous.

Swordmaker

[Swordmaker]

They noted that instant messaging is the new target of choice, and I think that everyone should be aware that every time a new program type comes out, there will be vulnerabilities, especially for the first little while.

This one is even more limited than that... it only "works" on "Bonjour" iChat... a local network protocol. I put the word "works" in quotes because it took two MacWorld Macintosh experts with the assistance of a security company four hours to get it to send itself from one computer to another. And that's with the recipient WANTING to accept it! It's not very virulent, is it.

[Swordmaker]

Sure it's a trojan. It's an executable disguised as something seemingly innocuous that would entice the user to open it. The very definition of trojan.

And that makes it not a virus.. and it's not even the first Mac OS X trojan. That dis-honor goes to a 400k file that surfaced a couple of years ago pretending to be a compressed copy of the Microsoft Office for Mac Install CD. That one actually did some damage to the two or three greedy Mac users who downloaded it and ran it... it wiped their user directories... something they richly deserved.

[Swordmaker]

Thanks. I use FireFox as my primary browser. Are there any issues there?

Yes. You can still download the gZipped file and manually uncompress it and click on the supposed JPEG file thereby executing the payload. Like any trojan, it relies on tricking a user into installing and running it. Social Engineering. The Nigerians use the same approach to empty some foolish peoples' bank accounts.

I could create a similar Terminal script attach a .MOV icon to it and post it as a picture of Hillary Clinton cuddling with Vincent Foster... and trick people into clicking on it.

The fault here is that on OS X, the Icon and .extension do not necessarily denote the real type of file. That is determined by metadata in the file itself. Apple needs to insert routines to compare icon type to metadata before allowing a file to appear in the Finder. At least a warning should appear that says "WARNING: File type and Extension do not Match".

[TheBattman]

Bound to happen? You mean ONE proof-of-concept that is not "in the wild" as virus gurus like to call it (despite what has been reported, it is not on the loose)?

This is the same stale news, reprinted with even more wrong information.... looks like those in the technology media industry are no better at fact-checking or even doing a little research on their own than the Lame-stream media sources.

I will be the first to admit when I feel ANY threat to my computers. That time has yet to come (and I don't expect it any time soon).

And yes, I know what you really meant - that someone would finally take a stab at MacOS X simply because of it's reputation (even if it's a "limited" market).