First Ever Mac OSX "Virus"

Mac is Virus Free? I Don't Think So..

Matt
Apple's OS X operating system is often described as rarely being hit by viruses, Trojans, or other harmful software that targets it. A combination of a smaller market share and a system built on a Unix foundation makes OS X a much smaller target for attacks. However, despite its well-regarded security, like everything else it is not completely invulnerable.

On February 16, 2006 the first virus ever to infect the Mac OS X operating system spread via Apple's instant messaging client, iChat. The virus took the form of a file called "latestpics.tgz" and would send itself to available contacts on the infected user's buddy list. The file was an archive containing two other files: an executable and a resource file. The resource file, named "._latestpics", was a hidden file that disguised the executable as a JPEG image. This is a commonly used trick that lets attackers attach harmful files to what appear to be JPEG images and send them to unsuspecting users. In most cases the user is tricked into clicking a link that downloads the archive, which is disguised as a package of harmless images.

This attack relies on the user's willingness to accept suspicious files from others on their buddy list. Since the buddy list contains contacts the user would normally trust, they are much more willing to click on any links sent to them, especially if the link is disguised to look harmless. In these types of attacks, the link is usually contained in a message describing the file as pictures the user might be interested in. The objective is to make the targeted user curious enough to click the link, which is the first step in spreading the virus. In this particular case, the archive is disguised with a name that suggests it contains harmless images, hence the file name "latestpics". Users posting on Mac message boards reported that the original message claimed the link contained images of the new OS X 10.5 operating system, which was unreleased at the time. A message like this is what would tempt unsuspecting users into clicking the link and activating the virus.

This virus, officially named "OSX/Leap-A", worked by attaching itself to recently executed programs. After the user clicks the link and executes the file, it creates an "apphook" subdirectory on the user's machine in the /Library/InputManagers/ directory. Inside that directory it places the files "Info", "Info.plist" and "apphook", each in a particular subdirectory created by the virus. It also creates several temporary files in the /tmp/ directory, such as "pic.gz" and "latestpics.tar". Any infected file carries an extended attribute with "oompa" in the name field and "loompa" in the value field.

The virus can infect users whether or not they are logged in as root. If the user is running as a non-root user, the virus creates the same directory, except with the "~" character prepended to the path. The biggest flaw of this virus is that it still requires the user to activate it. The virus is not automatic, but it is still harmful whether or not the user is in a privileged mode. This attribute is interesting in that it shows the lengths to which an attack can go even without root access. With many operating systems it is usually suggested that the user operate in a less-privileged mode so that third-party applications can't access sensitive areas of the operating system. If the virus can work around even this level of security, then there is a question of whether there may be openings for even worse threats in the future.

The extended damage of this virus is that it finds the user's iChat buddy list file and sends a copy of itself to other users. This is where it can be described as having the attributes of a worm. The same type of worm infection is used in conjunction with AOL Instant Messenger, which is part of the iChat program. Users who do not exercise caution when receiving files from other users are easily targeted by this worm. It works similarly to a phishing scam in that the attack requires the careless actions of the user to "activate" the worm, but in this case it infects the user's system rather than stealing information. A user would need some kind of active anti-virus "shield" running in the background to catch the worm's presence before it gets copied onto the system. The file could also be scanned afterwards, since it still needs to be executed by the user in order to be effective.

Within the Mac community there is criticism of some sources' use of the word "virus" to describe Leap-A, since it is not actually much of a virus but some other sort of malware. Macworld describes the Leap-A malware as "a potentially malicious program disguised as an image file" (Griffiths, McElhearn). Mac users have commented that the Leap-A "virus" is actually a very poorly constructed Trojan with buggy code that could have resulted in much more damage. Despite this criticism, it was still noted that Leap-A demonstrates an opening for potential threats in the future.

Kirk McElhearn, a contributor to Macworld, concluded that "Due to a combination of bugs in its code and decisions made by the author, however, it's not nearly as malicious as it could have been. It really does seem like a 'proof of concept,' designed to show that such things are possible, without doing a great amount of damage." (Griffiths, McElhearn). The malicious program could have done more damage if it had been designed in a more automated way. Fortunately for the victims, it was poorly constructed and contained various bugs. It uses methods such as searching through the Spotlight search application to find programs to latch onto. The important lesson here is that nothing is invulnerable to malicious software. Even a system as supposedly secure as Mac OS X can still become the target of a much larger attack. This goes to show that the more popular and widespread a system becomes, the more exposed it is to attacks. Leap-A is the "wake-up" call for Mac OS X users that there may be more sophisticated attacks in the future. Leap-A may have been poorly executed and posed a low level of threat, but it still serves as a starting point that other attacks may improve upon.

The fix for this particular malware is to delete all the files associated with it and reinstall any possibly infected applications. Fortunately, this malware doesn't dig deep into the operating system's files or processes and can be removed with relative ease. It is still important to remove all of its files as well as the original compressed "latestpics.tgz" file. Another, more advanced check is to open the Terminal and type the commands $ cd /Applications and $ find . -name '*MacOS*' -cmin -60. The first command switches to the Applications directory; the second lists anything under the applications' MacOS directories whose status changed within the last 60 minutes (-cmin -60; a bare 60 would match only files changed exactly 60 minutes ago). This can be used to find which applications might need to be reinstalled.
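A defender-side host check built from the indicators this write-up names: the apphook directory (system-wide and per-user), the /tmp artifacts, the "oompa" extended attribute on infected files, and the Applications change-time search from the fix above. This is an added example, not code from the original post or from any vendor; the sample tree it builds is constructed in a temporary directory (no real malware involved), and the xattr reader is injectable because os.listxattr exists only on Linux while macOS needs the xattr command.

```python
import os
import subprocess
import tempfile
import time

APPHOOK_DIR = "Library/InputManagers/apphook"          # dropped under / (root) or ~ (non-root)
TMP_ARTIFACTS = ["tmp/pic.gz", "tmp/latestpics.tar"]   # temporary files named in the write-up
MARKER_XATTR = "oompa"                                 # xattr name set on infected files (value "loompa")

def default_xattr_names(path):
    """xattr names via os.listxattr (Linux); on macOS fall back to the `xattr` CLI."""
    try:
        if hasattr(os, "listxattr"):
            return [os.fsdecode(n) for n in os.listxattr(path)]
        return subprocess.run(["xattr", path], capture_output=True, text=True).stdout.split()
    except OSError:
        return []

def scan_leap_a(root="/", home=None, recent_minutes=60, xattr_names=default_xattr_names):
    """Return dropped artifacts, files carrying the marker xattr, and recently changed app binaries."""
    home = home or os.path.expanduser("~")
    candidates = [os.path.join(root, rel) for rel in [APPHOOK_DIR] + TMP_ARTIFACTS]
    candidates.append(os.path.join(home, APPHOOK_DIR))
    findings = {"dropped": [p for p in candidates if os.path.lexists(p)], "marked": [], "recent": []}
    cutoff = time.time() - recent_minutes * 60
    for dirpath, _, files in os.walk(os.path.join(root, "Applications")):
        for name in files:
            path = os.path.join(dirpath, name)
            if MARKER_XATTR in xattr_names(path):
                findings["marked"].append(path)
            if "MacOS" in dirpath and os.stat(path).st_ctime >= cutoff:  # the find -cmin -60 idea
                findings["recent"].append(path)
    return findings

def build_sample_tree():
    """Constructed sample layout (hypothetical, not real malware): returns (root, home, fake xattr reader)."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "Users", "matt")
    infected = os.path.join(root, "Applications", "Demo.app", "Contents", "MacOS", "Demo")
    for d in [os.path.join(root, APPHOOK_DIR), os.path.join(home, APPHOOK_DIR),
              os.path.join(root, "tmp"), os.path.dirname(infected)]:
        os.makedirs(d, exist_ok=True)
    for p in [os.path.join(root, "tmp", "pic.gz"), infected]:
        open(p, "w").close()
    return root, home, lambda path: ["oompa"] if path == infected else []

if __name__ == "__main__":
    r, h, fake = build_sample_tree()
    print(scan_leap_a(root=r, home=h, xattr_names=fake))
```

Against a live machine, call scan_leap_a() with the defaults; anything in "dropped" or "marked" is an indicator to remove, and "recent" is the list of applications to consider reinstalling.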

Users are also advised never to open attachments from other users unless they are absolutely sure the other user can be trusted and that the file is safe. Many applications offer built-in virus scanners that check attachments, but this will not stop everything. This malware is not too harmful since it is not automated and requires a lot of user interaction, but it is still a good idea to use common sense and beware of suspicious files.

Published by Matt


2 Comments

  • Matt, 11/1/2007

    Interesting article: http://www.wired.com/politics/security/news/2007/11/mac_trojan

  • MandeBooks, 7/30/2007

    As a Mac user and technician I really appreciate your in-depth analysis of the "virus". I for one have done my best to avoid saying the Mac is virus free - it simply has less of them. Also, for most users the most common viruses are still directly targeted at the Windows operating system and not at the Macintosh OS.

    Also, like you said this "virus" was reliant on users opening a most likely unsolicited compressed file from an iChat buddy. One of the first rules to learn when using a computer is if you didn't ask for it and you don't know what it is - DON'T OPEN IT!

    Great article!
