UPDATE: There’s a lot of debate about whether this is a real worm or merely an elaborate executable script that the user is tricked into running. It appears to be a worm: it is self-contained code that replicates itself over the Net. But it also requires the user to agree to accept it as an iChat file transfer, which is a Trojan trait. It does not require the user to enter a password to be installed, as installing an OS X application would. Nor does it warn the user that they may be dealing with an executable file, as Safari does when downloading software from the Net. So it’s more than a simple script-kiddie AppleScript. Also, it may be mostly harmless now, but it will likely lead to much nastier versions in the future, according to this analysis from the programmers at Rixstep: “Future versions of the same worm or spin-offs from it are bound to be destructive and much more intrusive. By exploiting several weaknesses in Apple’s file system, (Leap-A) and its successors will work.”
One more thing: there was talk a while back that Apple’s move to Intel chips would make the platform more susceptible to malware like this. But Leap-A is a PowerPC worm. Does that make Intel Macs invulnerable? Will it run under Rosetta?
Oh yeah, the graphic comes from the Symantec website.
The first Mac OS X malware has been spotted in the wild, but it appears to be something of a damp squib.
Called Leap-A by anti-virus companies, the worm poses as a JPEG image and spreads via iChat to contacts on the infected user’s buddy list.
According to a Symantec press release:
The worm makes use of the Spotlight search program, included in OSX, and will run each time the machine boots. It identifies any applications being started, and if iChat begins to run, the worm uses iChat to send the infected file — latestpics.tgz — to all contacts on the infected user’s buddy list. Those on the buddy list will then be asked to accept the file. If they do, the file will subsequently be saved to their hard drive. Files infected by OSX.Leap.A may be corrupted and may not run correctly.
There is some disagreement about what the worm does. Anti-virus firm Sophos says it deletes files and leaves other “non-infected” files on the computer. An email press release from the Common Malware Enumeration (CME) initiative says it “prevents Macintosh OS X from working properly and infected applications from launching correctly.”
Nonetheless, Leap-A appears to be the first OS X malware “in the wild.” A previous OS X nasty, a Trojan horse dubbed MP3Concept, turned out to be a proof of concept only.
Leap-A first appeared earlier this week as a link on the Mac Rumors forums that purported to be spy screenshots of Mac OS X 10.5 (Leopard).
Symantec classes the worm as a low threat because it doesn’t automatically infect others’ machines. The company says it has infected fewer than 50 machines.
“… this worm will not automatically infect, but will ask users to accept the file, giving potential victims a heads up and the opportunity to avoid infection,” the company said. “The important piece of advice for any iChat users running OSX 10.4 is not to accept file transfers, even if they come from someone on a buddy list.”
However, as CME notes in its statement, the worm is a wake-up call for OS X users with a false sense of OS X’s invulnerability: “Now that Leap.A has been discovered in the wild, copycat media-craving individuals will likely launch similar attacks in 2006.”