First Mac OS X Worm a Wake-Up Call



UPDATE: There’s a lot of debate about whether this is a real worm, or merely an elaborate, executable script that the user is tricked into running. It appears to be a worm — it’s self-contained code that replicates itself over the Net (def.). But it also requires the user to agree to accept it as an iChat file transfer, which is a Trojan trait. It does not require the user to enter a password to be installed, like an OS X application. Nor does it warn the user they may be dealing with an executable file, as Safari does when downloading software off the Net. So it’s more than a simple script-kiddie AppleScript. Also, it may be mostly harmless now, but will likely lead to much nastier versions in the future, according to this analysis from the programmers at Rixstep: “Future versions of the same worm or spin-offs from it are bound to be destructive and much more intrusive. By exploiting several weaknesses in Apple’s file system, (Leap-A) and its successors will work.”

One more thing: there was talk a while back that Apple’s move to Intel chips would make the platform more susceptible to malware like this. But Leap-A is a PowerPC worm. Does that make Intel-Macs invulnerable? Will it run in Rosetta?

Oh yeah, the graphic comes from the Symantec website.

The first Mac OS X malware has been spotted in the wild, but it appears to be something of a damp squib.

Called Leap-A by anti-virus companies, the worm appears as a JPEG file that spreads via iChat to contacts on the infected user’s buddy list.

According to a Symantec press release:

The worm makes use of the Spotlight search program, included in OSX, and will run each time the machine boots. It identifies any applications being started, and if iChat begins to run, the worm uses iChat to send the infected file — latestpics.tgz — to all contacts on the infected user’s buddy list. Those on the buddy list will then be asked to accept the file. If they do, the file will subsequently be saved to their hard drive. Files infected by OSX.Leap.A may be corrupted and may not run correctly.

There is some disagreement about what the worm does. Anti-virus firm Sophos says it deletes files and leaves other “non-infected” files on the computer. An email press release from Computer Malware Enumeration says it “prevents Macintosh OS X from working properly and infected applications from launching correctly.”

Nonetheless, Leap-A appears to be the first OS X malware “in the wild.” A previous OS X nasty — a Trojan horse dubbed MP3Concept — turned out to be a proof of concept only.

Leap-A first appeared earlier this week as a link on the forums of Mac Rumors that purported to be spy screenshots of Mac OS X 10.5 (Leopard).

Symantec classes the worm as a low threat because it doesn’t automatically infect others’ machines. The company says it has infected fewer than 50 machines.

“… this worm will not automatically infect, but will ask users to accept the file, giving potential victims a heads up and the opportunity to avoid infection,” the company said. “The important piece of advice for any iChat users running OSX 10.4 is not to accept file transfers, even if they come from someone on a buddy list.”

However, as CME notes in its statement, the worm is a wake-up call for OS X users with a false sense of OS X’s invulnerability: “Now that Leap.A has been discovered in the wild, copycat media-craving individuals will likely launch similar attacks in 2006.”
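As an added example (not code from the article, Symantec or any vendor quoted here): a Python triage check for the disguise described above, an archive member that presents as a picture but is really a Mach-O program. The member names and bytes in `build_sample` are constructed stand-ins, and the set of image extensions is an assumption; a reader comment below notes that the real file carried no extension at all.

```python
import io
import os
import struct
import tarfile

# Mach-O magic as it appears on disk -> byte order of the header fields.
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce": ">",  # 32-bit big-endian (PowerPC)
    b"\xce\xfa\xed\xfe": "<",  # 32-bit little-endian (Intel)
    b"\xfe\xed\xfa\xcf": ">",  # 64-bit big-endian
    b"\xcf\xfa\xed\xfe": "<",  # 64-bit little-endian
}
CPU_NAMES = {7: "i386", 18: "ppc"}  # CPU_TYPE_X86, CPU_TYPE_POWERPC
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed "looks like a picture" set

def macho_cpu(header):
    """Return a CPU name if these bytes start a Mach-O file, else None."""
    order = MACHO_MAGIC.get(header[:4])
    if order is None or len(header) < 8:
        return None
    cputype = struct.unpack(order + "I", header[4:8])[0]
    return CPU_NAMES.get(cputype & 0x00FFFFFF, "cpu-%d" % cputype)

def suspicious_members(fileobj):
    """List (name, cpu) for members that are Mach-O code but are named like
    a picture or have no extension."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            head = tar.extractfile(member).read(8) if member.isfile() else b""
            cpu = macho_cpu(head)
            ext = os.path.splitext(member.name)[1].lower()
            if cpu and (ext == "" or ext in IMAGE_EXTS):
                hits.append((member.name, cpu))
    return hits

def build_sample():
    """Constructed .tgz: two fake Mach-O headers and one real JPEG signature."""
    members = {
        "latestpics": b"\xfe\xed\xfa\xce" + struct.pack(">I", 18) + b"\0" * 20,
        "party.jpg": b"\xce\xfa\xed\xfe" + struct.pack("<I", 7) + b"\0" * 20,
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 24,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Calling `suspicious_members(build_sample())` flags the extensionless PowerPC binary and the Intel binary named like a JPEG, and leaves the genuine image alone. The check reads only the first eight bytes of each member and never unpacks anything to disk.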



21 responses to “First Mac OS X Worm a Wake-Up Call”

  1. Small Paul says:

    Hmmm. Doesn’t the user have to type in their administrator password to install an input manager?

  2. Trent Lapinski says:

    Paul, indeed. That’s why this “virus/trojan/worm” is crap. Also, if you are using Safari (which uhm most Mac users do), it tells you it is an application being downloaded. You are then prompted for a password if you do decide to launch it.

    This is basically just like those AppleScripts people used to make in the 90s that would rearrange the stuff on your desktop, and stuff like that. My friends and I would have AppleScript wars with each other all the time. This is slightly more advanced, but just slightly.

    The solution? Don’t be stupid.

  3. Chris Heschong says:

    Yesterday, Symantec had 72,068 viruses in their database. Only 72,067 more viruses before we catch up with Microsoft!

  4. Small Paul says:

    Trent: hmm, apparently most users (i.e. those whose account is an administrator account) don’t have to type in their password to allow an inputManager to be installed (….

    However, as I understand it, latestpics.tgz contains a file that:

    – has a jpg icon

    – has no file extension (i.e. no .jpg or .app)

    – is actually “a PowerPC program” (,…

    Now, if the file is actually “a PowerPC program” (i.e. an application? That would normally have the .app extension?), wouldn’t the user get a warning saying something like “The application latestpics is attempting to run for the first time”?

  5. T.D. Shadow says:

    Don’t warn of vampires when there’s a werewolf around.

    Don’t cry “worm” when it’s a trojan horse.

    Worms require NO human action to do what it does, and to spread.

  6. Trent Lapinski says:

    Paul, my bad, you are correct. If you are using an Admin account (primary system account) it will not prompt you for a password. Only if it isn’t an admin account then it will ask for a password.

    – correct it has a jpg icon (anyone can do this, get info and copy and paste the icon)

    – from what I’ve read this is the case, which is not entirely that big a deal

    – correct

    If you are using Apple’s Safari then yes it should warn you this is an application, also OS X should say you are opening this application for the first time if it’s trying to execute something system wise. I didn’t bother infecting myself so I can’t confirm the latter.

    Leander, I realize this worm is more complicated than AppleScript, I was just pointing out this “application” doesn’t really do any damage to one’s actual system or files. All it can do is mess up an application or two. Of which you just need to reinstall said applications. This will not be infecting any large number of people. In fact, from what I understand only a few people even attempted to download the file and discovered the “application.” The admins at Macrumors quickly caught on, and it was then reported. So to say this was even out in the wild is a bit of a misconception as well for really this was pretty much contained to a few users of a single website. While they have my condolences, the fact is this strain won’t be getting on your Mac or mine any time soon.

    I do however fear the potential of a copycat application designed to do some damage.

    –Trent Lapinski

  7. imarkG5 says:

    i’m pretty tired of you blowing stuff out of proportion. it makes your blog & credibility questionable & almost worthless. now i’m off to tell my girlfriend not to pick me up your Mac & iPod book.

  8. Victor Agreda, Jr. says:

    The steady drumbeat of proof-of-concept malware for OS X should be a wake up call. Remember the complacency IBM felt when a little startup called Microsoft offered to “license” them an OS? Funnily enough, CNN chose that stupid Bluetooth “virus” story instead of this Trojan…

    Now, as for the Intel macs might be more vulnerable. That is crap. Most malware targets the OS, not the hardware. Besides, what are you going to do to a chip? Viruses, Trojans and the like can delete stuff, change things, etc. You have to be pretty damned determined to target a chip instead of an OS, that’s all I’m saying…

  9. Monkey Fan says:

    Looks like SecurityMonkey wrote up a piece on Sophos and mentions this trojan (….

    Unfortunately the media gives the anti virus companies far, far too much credit as ‘experts’.


  10. Carroll Morgan says:

    Concerning “You are executing xxx for the first time”… My system -used- to do that, but does no longer. (I’ve experimented with brand-new downloads, have deleted various caches etc — no warnings any more, ever).

    Does anyone know the precise conditions for the warning, and whether they’re still enabled in 10.4.5?

