The truth about OS X/Leap.A
I’m sure you’ve heard a lot about the “First Mac OS X virus” that has generated a lot of buzz through the Mac community today. The FUD stops here. Here are the facts you need to know, the debunked myths, and the tips to prevent yourself from becoming a victim of malware.
What is OS X/Leap.A?
This little guy made its debut on February 13, 2006 in a MacRumors Forums thread entitled “Alleged screenshots of OS 10.5 Leopard.” Curious readers downloaded a file called “latestpics.tgz,” expecting Leopard screenshots. Instead, as forum poster “yankeefan24” (who may have been the first person affected by this malware) put it, “[when double-clicked] it opens in terminal. not right.” No kidding. If you are running an administrator account, you may not be asked to enter a password. Non-administrator accounts require the user to enter an administrator password to run the malware.
It is hard to classify what this is, exactly. Some call it a full-fledged OS X virus, some call it a worm, others call it a trojan horse. I will call it “malware.”
Andrew Welch of Ambrosia Software has written a more in-depth description of what this malware does.
Wait! I just bought a Mac because I thought there were no viruses! You mean the Mac is vulnerable to malware? *Hyperventilates*
Easy, buddy! There is no such thing as an impervious OS. Every operating system is vulnerable to social engineering, and that is all this malware relies on: it does not exploit any security flaw in OS X. Virus-free or not, the risk is still much lower on OS X than on Windows.
How dangerous is this?
Not particularly dangerous. This malware is best described as a proof-of-concept. It attempts to self-propagate through iChat. A bug in the code prevents any infected programs from running. It does not damage any files, however, so it is a nuisance, if anything.
How big of a risk of infection is there?
The risk of infection is relatively small. So far it has only appeared on MacRumors Forums, and was quickly removed by the forum’s moderator staff (well done, guys). Also, you must specifically double-click the file and run it; it will not run itself. If anything, this was a wake-up call to Mac users to start paying attention to security. Next time, it may be a real piece of destructive malware.
Would it affect my computer?
This malware targets PowerPC Macs running Mac OS X 10.4 (Tiger). Intel Macs are not meaningfully impacted; see the thinkback below for Symantec’s finer point that it will execute on an Intel Mac but cannot spread from one.
What do I do if I am infected?
First of all, don’t panic. As for removing it, I am looking into it; as soon as I find some instructions, I’ll link to them here. If you know where to find the removal instructions, post the link as a comment.
Is this the first piece of OS X malware?
No; there have been a handful of other isolated pieces of malware before. With the exception of a trojan that deleted a user’s home directory, the previously known pieces of OS X malware were proofs-of-concept.
How can I prevent getting infected in the future?
Firstly, do not download files from an unknown source. Ever. Secondly, do not use an administrator account for everyday use. I need to break this habit.
A good idea would be to scan any downloaded files with The Iconfactory’s DownloadCheck, which will scan a folder you specify for any applications that may be hiding behind document icons.
Also, antivirus software wouldn’t hurt. If you’re not in the mood to spend money on antivirus software, give ClamXav a try. It’s free, but do donate to the developer if you find it helpful.
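To make the DownloadCheck idea concrete, here is an added example (written for this page, not The Iconfactory’s own code, and not how DownloadCheck actually works internally) that scans a folder or a downloaded .tgz for files that look like documents but carry executable content. It applies two checks that follow from the description above: a file whose first bytes are a Mach-O or fat-binary magic number, or a shebang, is a program no matter what its name or icon says; and a document-named file with the execute bit set is what makes Tiger’s Finder hand it to Terminal on double-click. The archive contents are constructed for the demonstration and are not the real latestpics.tgz.

```python
"""Flag executables hiding behind document names in a folder or a .tgz.

Added example for this article; not DownloadCheck's code. The sample
archive built by demo() is constructed here for illustration only.
"""
import io
import os
import stat
import tarfile
import tempfile
from typing import List, Optional, Tuple

# First four bytes of Mach-O (32/64-bit, either endianness) and fat binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
# Names with these extensions are expected to be executable; skip them.
APP_EXTS = {".app", ".command", ".tool", ".sh", ".pkg", ".dmg"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify_header(header: bytes) -> Optional[str]:
    """Label executable content by its leading bytes, or None for data."""
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    if header[:2] == b"#!":
        return "script"
    return None


def suspicious_reason(name: str, mode: int, header: bytes) -> Optional[str]:
    """Why a file named like a document should not be double-clicked."""
    ext = os.path.splitext(name)[1].lower()
    if ext in APP_EXTS:
        return None  # the name already says it's a program
    kind = classify_header(header)
    if kind:
        return f"{kind} executable without an application extension"
    if mode & EXEC_BITS:
        return "execute bit set on a document-named file"
    return None


def scan_tgz(path: str) -> List[Tuple[str, str]]:
    """Inspect archive members without extracting anything to disk."""
    findings = []
    with tarfile.open(path, "r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fobj = tar.extractfile(member)
            header = fobj.read(4) if fobj else b""
            reason = suspicious_reason(member.name, member.mode, header)
            if reason:
                findings.append((member.name, reason))
    return findings


def scan_dir(root: str) -> List[Tuple[str, str]]:
    """Walk a folder (e.g. ~/Downloads) and apply the same checks."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as f:
                header = f.read(4)
            rel = os.path.relpath(path, root)
            reason = suspicious_reason(rel, st.st_mode, header)
            if reason:
                findings.append((rel, reason))
    return findings


# Constructed sample members: (name, mode, content). Only two are bad.
SAMPLE_MEMBERS = [
    ("latestpics", 0o755, b"\xce\xfa\xed\xfe" + b"\x00" * 28),  # fake Mach-O
    ("readme.txt", 0o644, b"Leopard screenshots inside\n"),
    ("photo.jpg", 0o644, b"\xff\xd8\xff\xe0" + b"\x00" * 12),   # JPEG header
    ("cute.jpg", 0o755, b"\xff\xd8\xff\xe0" + b"\x00" * 12),    # x bit set
]


def build_sample_archive(path: str) -> None:
    with tarfile.open(path, "w:gz") as tar:
        for name, mode, data in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Build the sample .tgz, scan it, then scan the same files on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "latestpics.tgz")
        build_sample_archive(archive)
        unpacked = os.path.join(tmp, "unpacked")
        os.mkdir(unpacked)
        for name, mode, data in SAMPLE_MEMBERS:
            dest = os.path.join(unpacked, name)
            with open(dest, "wb") as f:
                f.write(data)
            os.chmod(dest, mode)
        return {"archive": scan_tgz(archive), "directory": scan_dir(unpacked)}


if __name__ == "__main__":
    for where, hits in demo().items():
        for name, reason in hits:
            print(f"{where}: {name}: {reason}")
```

Checking the archive before unpacking it is the useful habit here: the Mach-O test does not care about the execute bit, so it catches the disguised binary even on a filesystem that drops permissions, while the execute-bit test catches the case where the content is a real picture but the file would still be launched as a program.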
Thanks, I feel a little better.
No problem.
More Info
Articles and Sources
Alleged screenshots of OS 10.5 Leopard: the thread where this malware originated
Andrew Welch picks apart OS X/Leap.A
Apple’s suggestions for safe downloading
Tools
ClamXav
DownloadCheck
Posted by Nick | 9 comments | 4976 views
thinkback
This malware affects PowerPC Macs running Mac OS X 10.4. Intel Macs are not impacted.
Question: Why are Intel Macs not impacted?
I’d assume it’s a PPC executable that Rosetta does not support.
Isn’t that ironic that the Intel Mac isn’t affected? Ha!
And that’s real irony, as opposed to the “rain on your wedding day” nonsense. I mean, seriously, how can you write a whole song called “Ironic” and not have a single example of irony?
Apple’s advice is VERY dangerous. Read this to see why
Wow!
What an article.
What I don’t understand was why was the whole thing covered up so quickly?
It seemed more serious than it appears because it operates more like a virus/trojan than just malware.
From the AngryFrozenHead.com web page . . .
The recent Leap-A virus that’s been propagating among Apple’s loyal iChat users has made Apple defensive.
This seems a bit disingenuous and definitely misleading. There are but a handful of reports of Oompa-loompa, which hardly qualifies as “propagating among Apple’s loyal iChat users.”
From what I understand, most, if not all, of the reports are from those who have actually sought out the “latestpics.tgz” file or manually downloaded the file from internet.
This guy makes it seem as if everyone who is using iChat has the bug or that everyone using iChat has been offered the bug via iChat.
This is a serious issue which needs to be addressed (and I’m sure that it will be very quickly), but turning the Appalachians into the Himalayas and acting as if the bug has spread maliciously and like wildfire via iChat is not helping.
Yeah, that article also didn’t make it clear that you have to launch it yourself (they only mention download) after you expand it and that it needs the admin to do it or the admin’s password.
> I’d assume it’s a PPC executable that Rosetta does not support.
Oh no you didn’t!
Assume nothing. According to Symantec, “The worm will execute on Intel Macs, but cannot spread to other systems from these machines.”
http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html#technicaldetails
Well written to dispel the FUD.