Word has recently broken about the first confirmed piece of malware for OS X, a file that was originally distributed via a post to Mac Rumors, and has been disassembled by Ambrosia Software’s Andrew Welch.

Key points: this is not a virus, rather, it’s a trojan horse; it’s buggy (doesn’t perform all the intended actions); and for most people, activating the payload involves entering their password, which should tip most people off that something’s not right.

Here’s Andrew’s summary of the situation:

> A file called “latestpics.tgz” was posted on a Mac rumors web site http://www.macrumors.com/, claiming to be pictures of “MacOS X Leopard” (an upcoming version of MacOS X, aka “MacOS X 10.5”). It is actually a Trojan (or arguably, a very non-virulent virus). We’ll call it “Oompa-Loompa” (aka “OSX/Oomp-A”) for reasons that will become obvious.
>
> Unless you work for an anti-virus company, please don’t email/message me asking for a copy of this trojan. It’s not going to happen.
>
> You cannot be infected by this unless you do all of the following:
>
> 1. Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file
> 2. Double-click on the file to decompress it
> 3. Double-click on the resulting file to “open” it
>
> …and then for most users, you must also enter your Admin password.
>
> You cannot simply “catch” the virus. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you unarchive the file, and then open it.
>
> A few important points:
>
> * This should probably be classified as a Trojan, not a virus, because it doesn’t self-propagate externally (though it could arguably be called a very non-virulent virus)
> * It does not exploit any security holes; rather it uses “social engineering” to get the user to launch it on their system
> * It requires the admin password if you’re not running as an admin user
> * It doesn’t actually do anything other than attempt to propagate itself via iChat
> * It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching
> * It’s not particularly sophisticated
>
> To be on the safe side…
>
> DO NOT DOWNLOAD OR RUN THIS FILE
>
> When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.
>
> After it’s been unzipped, tar will tell you there are two files in the archive:
>
>     ._latestpics
>     latestpics
>
> …the ._latestpics is just the resource fork of the file, which contains the pasted in custom icon meant to fool people into double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.
>
> The file “latestpics” is actually a PowerPC-compiled executable program, with routines such as:
>
>     _infect:
>     _infectApps:
>     _installHooks:
>     _copySelf:

The rest of Andrew’s post goes on to detail the exact methods used by the attack.
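The packaging Andrew describes (a gzipped tar holding a `._` resource-fork file with a pasted-in icon next to a PowerPC executable with no extension) can be checked for by looking at what the bytes actually are rather than at the name or icon. The script below is an added example, not code from the post or from Andrew Welch; it builds a constructed stand-in archive (a bare Mach-O header and an AppleDouble header, no real payload) and flags any Mach-O member that ships beside a `._` fork of the same name. The magic numbers are the standard Mach-O and AppleDouble ones, which the post does not list.

```python
import io
import posixpath
import struct
import tarfile

# Standard header magics (assumption: not taken from the post)
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit BE / LE
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit BE / LE
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"
JPEG_MAGIC = b"\xff\xd8\xff"

def classify(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring file name and icon."""
    if data[:4] in MACHO_MAGICS:
        return "mach-o"
    if data[:4] == APPLEDOUBLE_MAGIC:
        return "appledouble"
    if data[:3] == JPEG_MAGIC:
        return "jpeg"
    return "other"

def scan_archive(tgz: bytes) -> list:
    """Return (name, kind, note) for every regular file in a .tgz.
    A Mach-O executable sitting next to a ._<name> AppleDouble file is
    noted specially: that fork is where a pasted-in custom icon lives,
    and the pairing is exactly what lets a binary pose as a picture."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        members = {m.name: tf.extractfile(m).read()
                   for m in tf.getmembers() if m.isfile()}
    findings = []
    for name, data in members.items():
        kind, note = classify(data), ""
        if kind == "mach-o":
            fork = posixpath.join(posixpath.dirname(name),
                                  "._" + posixpath.basename(name))
            note = ("executable with custom-icon resource fork"
                    if fork in members else "executable")
        findings.append((name, kind, note))
    return findings

def build_sample() -> bytes:
    """Constructed stand-in for latestpics.tgz: a PowerPC Mach-O header stub
    (magic, cputype 18 = PowerPC, filetype 2 = MH_EXECUTE) and an AppleDouble
    v2 header with one entry. No real code is included."""
    macho = struct.pack(">7I", 0xFEEDFACE, 18, 0, 2, 0, 0, 0) + b"\0" * 64
    ad = APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\0" * 16 + b"\x00\x01"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in (("._latestpics", ad), ("latestpics", macho)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `scan_archive(build_sample())` reports `._latestpics` as AppleDouble and `latestpics` as a Mach-O executable with a custom-icon resource fork, which is the combination worth treating as suspect in a "pictures" archive.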

Again: this is not going to be a concern for most people. Not only is this a relatively low-impact attack, but it’s been identified quickly. Admittedly, it’s a shame that neither Slashdot nor The Register is mentioning this fact, preferring to use the Chicken Little approach to news reporting (at least The Register correctly identifies it as a trojan).

However, even given that this is a fairly low-risk trojan, it is the first confirmed OS X trojan. Too many people have fallen into the trap of believing that OS X is immune to viruses or trojans. It’s not — there just haven’t been any until now, and due to the architecture of OS X, any attack is limited in the amount of damage it can do. But as OSX/Oomp-A (or Leap-A, as Sophos named it) shows, we’re certainly not immune.

iTunes: “Been Up Long (Falsedawn)” by The Prodigy, from the album Always Outsiders Never Outdone (2004, 4:28).

[See also: First OS X exploit: Concept | Mac OS X Word 2004 Demo Trojan | Solutions for MP3Concept | SoBig virus source found | No more virus alerts ]
