
First Mac OS X worm detected

By Martin Czernowalow, Contributor.
Johannesburg, 17 Feb 2006

Global cyber security experts this week discovered the first virus, called Leap-A, for the Apple Mac OS X platform, which spreads via the iChat instant messaging system.

SophosLabs explains that the worm forwards itself as a file called latestpics.tgz to contacts on an infected user's "buddy" list. When opened on a computer, the file disguises itself with a JPEG graphic icon in an attempt to fool users into believing it is harmless.

The worm, says SophosLabs, uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from re-infecting the same files.

Brett Myroff, CEO of local Sophos distributor Netxactics, says the increased uptake of the Mac OS X platform has prompted it to be targeted by malware, and urges users of all operating systems not to be complacent.

"Leap-A shows that the malware threat on Mac OS X is real," he says.

Popular worldwide

"With the Mac platform becoming more popular worldwide, it's only natural that virus writers will target these users to a much larger degree. Mac OS X users should not believe it's okay to be unconcerned about viruses."

Myroff states this is the first real instance where Mac users are facing the same threats as PC users, who constantly have to be vigilant of emerging hybrid threats.

"Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as Windows users."

He speculates that more attacks could be expected as the platform gains popularity.

The Rapid Response Team says in a statement that at least one source reported the worm prevents Macintosh OS X from working properly and infected applications from launching correctly.

Wake-up call

Rapid Response Team director Ken Dunham notes that on 13 February an unknown user posted a link to an external file on a MacRumors forum, claiming it was the latest Leopard Mac OS X 10.5 screenshots.

"The file was reportedly named 'latestpics.tgz'. Latestpics.tgz is a compressed file that contains what appears to be JPEG files on Mac OS X. However, these files are manipulated to make the latestpics executable appear with a JPEG file icon," says Dunham.

"While not likely to impact a Macintosh computer today, Leap-A is an important wake-up call for the Macintosh community regarding new threats that will likely emerge against the OS in coming years. Mac OS X has implemented significant changes to the operating system that hindered historical Macintosh malcode."

Dunham explains that Leap-A acts like a combination of a Trojan, virus and worm. The last major threat that Macintosh users faced was the AutoStart worm in 1998.

"It acts like a Trojan because it masquerades as a JPEG file, a virus because it attempts to infect executables, and a worm because it attempts to send copies of itself to others via iChat. This last action is similar to that of an instant messaging worm on the Windows platform."

Apple Mac spokesman RJ van Spaandonk this morning refused to comment on the virus, saying he had not received confirmation whether the worm really existed.

When asked if he would follow up on the matter, Van Spaandonk stated: "I will not be confirming anything; this is not something I'm going to comment on."
