Thursday, February 16, 2006

Rumor Has It; The 1st Mac Virus Is In Town

It's a slow news time for Apple websites ... so ... it's time to start making up news.

While we're at it, why don't we just make it controversial?

Late last night, MacRumors posted the following:

On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz"

The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:


The exact consequences of the application are unclear, but the users who originally executed the application have noted that it appeared to self-propagate:

If anyone remembers last night, when lasthope [a poster on the MacRumors website] spread that picture that opened in Terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help? I have already secure deleted it off of my hard drive, but how do I know that it will not come back?

Andrew Welch who had done some of the initial disassembly is posting updates to this thread.

According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.

Update: It appears that there is some debate about the classification of this application, and as it does require user activation, it appears to fall into the Trojan classification, rather than self-propagating through any particular vulnerability in OS X.
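The disguise described above (a compiled Unix executable shipped with a picture icon) can be checked for without running anything, because a file's first bytes identify it as an executable regardless of its name or icon. This is an added example, not code from the original post or the MacRumors thread; the archive contents are constructed to mirror the latestpics.tgz layout and the detection rules are my own:

```python
import io
import tarfile

# Magic numbers that identify executable content regardless of the file's name
# or icon: Mach-O in both word sizes and byte orders, universal ("fat") binaries
# (the same magic as a Java .class file, so expect that false positive), ELF
# binaries and shebang scripts.
EXEC_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit", b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit", b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
    b"\x7fELF": "ELF executable", b"#!": "shebang script",
}

def exec_kind(head: bytes):
    """Return the executable type a file header announces, or None."""
    for magic, kind in EXEC_MAGICS.items():
        if head.startswith(magic):
            return kind
    return None

def audit_tgz(blob: bytes) -> list:
    """List (member, reason) for every .tgz member whose content is executable
    or whose mode carries an executable bit. The member name and any icon
    resource are ignored, since the sender controls both."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            if not m.isfile():
                continue
            kind = exec_kind(tar.extractfile(m).read(8))
            if kind:
                findings.append((m.name, "content is " + kind))
            elif m.mode & 0o111:
                findings.append((m.name, "executable mode bit set"))
    return findings

def build_sample() -> bytes:
    """Constructed archive: one genuine JPEG header and one Mach-O universal
    header dressed up as a picture (headers only, not complete files)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in (
            ("latestpics/real.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16, 0o644),
            ("latestpics/latestpics", b"\xca\xfe\xba\xbe" + b"\0" * 16, 0o755),
        ):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `audit_tgz(build_sample())` reports only the disguised member, as Mach-O content; the genuine JPEG passes.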

It looks to me like it's just a terminal executable disguised with a different icon that types "suspicious words" ... there are no such commands for the terminal ... so how could they spread ... even if they are inserted into the code of other applications?

Further, this would only happen if the user has a Mac that has no password. Users who are on the internet with no password are foolish and in my opinion may actually deserve a virus. <----- even though this IS >>> NOT A VIRUS OR TROJAN <<<!

Because of this hubbub, The Register UK, which has almost zero journalistic integrity and is having a slow news time, picked up on the story with the following:

Mac OS X virus sighted

Look before you Leap
By John Leyden
Published Thursday 16th February 2006 2:11AM

Antivirus researchers have discovered what's claimed to be the first computer virus to infect Apple Mac OS X computers. The malware, dubbed Leap-A, spreads via the iChat instant messaging system as a file called latestpics.tgz that infected machines send to contacts on an infected user's buddy list.

The malicious file is disguised as a jpeg, and users who open it will find their machines infected. Mac viruses were relatively common at the dawn of personal computing, but these days the overwhelming majority of viruses are Windows specific. Leap-A shows other platforms are also vulnerable.

"Mac viruses were relatively common at the dawn of personal computing, but these days the overwhelming majority of viruses are Windows specific."

Mac viruses were common?

And are they using the MacRumors forum as their source and calling the forum comments "Antivirus researchers"?

Gimme a break!

I am really disappointed in the MacRumors staff for this story!

More examples of poor reporting:

Another favorite site of mine called DeepThought posts this at the end of their report/rehash:

"I know that Mac users like myself can get complacent since we’re not usually the target of malware, but be careful out there, surf safely, and don’t panic."

"...not usually the target of malware"? When have Mac users EVER been the target of malware?

DeepThought also posts that this "malware/virus" asks for your admin password ... interesting ... how dumb do you have to be to type in your password just to view a picture? That's almost like someone coming up behind you at a bank teller machine and saying:

"Can I see how you type in your secret code, I don't know how to use an ATM?"

See FYT related stories:

A Jacked Up Virus

Mac Fanatics cause iVirus


Anonymous said...

There's a good writeup over at the Forums for Ambrosia, where Andrew Welch, president of Ambrosia Software, is disassembling the file.

Anonymous said...

" "...not usually the target of malware"? When have Mac users EVER been the target of malware?"

I was referring to the days prior to OS X, when there were actual Mac viruses.


FYT said...

What Mac viruses before OSX?

There has NEVER been a mac virus?

Middle-agedman said...

Years and years ago, Mac viruses were a minor issue in Mac maintenance. We're talking the System 6 and 7 old days here. Symantec Anti-Virus was the premier app at the time, referred to as SAM. Mac viruses like nVir typically infected the System file by making it large and cumbersome and a real memory hog so as to cause big system slowdown.

It has been many years since I have encountered any kind of Mac virus, and they were never as pervasive or destructive as any PC virus.

They did, however, technically exist at one time and have inspired the perpetuation of the various Mac "anti-virus" apps that have come since.

Alan said...

Good thing Mac users had Disinfectant!

FYT said...

Don't confuse yourself ...

PC Viruses have always been able to transmit via a Mac ... they still can and still do on a daily basis.

I still don't understand, even after reading the detailed report from Andrew at Ambrosia ... how this is even a proof of concept.

Programs do this sort of thing when installed ... it's funny that no one has noticed this. The words and names for each are the only thing malicious.

Someone did this as a hoax.

And for anyone who says there has been an Apple platform virus, can someone please point to a forum containing such? I would possibly consider another reference section that dealt specifically with this topic.

Did anyone see that Intego issued a "PATCH" for this? ROFL

FYT said...

I managed to find this:

Again ... I think there is a common misconception about viruses and trojans and poorly written programs. These two, MacMag and nVir, were the results of poor coding ... THIS IS MALWARE.

Malware, by definition is just a poorly written program.