Forums | MacLife

It may not be a virus in the true sense of the word, but it should serve as a warning of potential things to come.

Time to stop taking security for granted.

And you're not running as an admin user.

Right?

An Applescript needs to be 200k to run rm -rf ~/ ?

MattElmore wrote:

An Applescript needs to be 200k to run rm -rf ~/ ?

There was obviously a lot of commenting.

Hey guys, check out these pictures

Sophos claims to have detected first OS X worm 3:57PM
Security specialist Sophos has reported what it says is the first OS X worm.

The OSX/Leap-A worm spreads via the iChat instant messaging application, forwarding itself as a file called 'latestpics.tgz' (masquerading as screenshots of OS X 10.5) to contacts on the infected users' buddy list. When the archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to convince people that it is harmless.

The worm uses the text 'oompa' as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files but doesn't appear to do any damage.

However resource forks are largely a thing of the past - a legacy from OS 9 - suggesting that few files on up-to-date systems will be infected.

Graham Cluley, senior technology consultant for Sophos which makes anti-virus software for OS X said that Mac users should no longer think that they do not have to worry about viruses.

'Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real,' he said.

He added that, 'Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows,' although there is nothing in this alert to suggest anything of the sort.

Users who have encountered the virus - though not via iChat but by downloading the file - report that it attempts to execute code via the Terminal, but fails, though another thread suggests that it does appear to be able to replicate itself. It will not run at all if the user does not launch it via the Finder.

As ever, the message to users is not to open a file unless you are sure of its provenance.

http://www.pcpro.co.uk/news/83595/sopho … virus.html

Bold mine.

MattElmore wrote:

At least you commented out the really nasty bit

I forgot I left that in there. That is a carryover from v0.1b1

peepl_r_dum wrote:

The story even made the local news here in Alberta. I personally think it's a bunch of BS. Any virus or trojan that needs you password to be affective is not a very big threat. Not even worth an OS update.

Thats just it - it doesn't need your password if you run as an admin.

I personally, and most of the mac users I personally know also run as admin. For us this has been okay, despite persons warning us that we should be using an unprivileged account. For most things, you can only really screw your own user account over unless you put in your admin password. THIS is the first trojan I've heard of where an admin user can screw everyone on the machine over without said password.

smilr wrote:

peepl_r_dum wrote:

The story even made the local news here in Alberta. I personally think it's a bunch of BS. Any virus or trojan that needs you password to be affective is not a very big threat. Not even worth an OS update.

Thats just it - it doesn't need your password if you run as an admin.

I personally, and most of the mac users I personally know also run as admin. For us this has been okay, despite persons warning us that we should be using an unprivileged account. For most things, you can only really screw your own user account over unless you put in your admin password. THIS is the first trojan I've heard of where an admin user can screw everyone on the machine over without said password.

Mmmm, I must have misunderstood. Oh well, I don't run in admin mode anyhow.

funny, I was expecting AAPL stock to take a hit after this, but it's up today.

Some info for the sky-is-falling-people who don't bother to RTFM.

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it

...and then for non-Admin users, it fails to infect most applications.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.


A few important points

-- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)

-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system

-- If you're not running as an admin user, it will silently fail to infect most applications

-- It doesn't actually do anything other than attempt to propagate itself via iChat

-- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching

-- It's not particularly sophisticated

underhand is more of a trojan than this... at least underhand has a nice payload (trojan proxy server)