First Confirmed OS X Malware

This entry was published at least two years ago (originally posted on February 16, 2006). Since that time the information may have become outdated or my beliefs may have changed (in general, assume a more open and liberal current viewpoint). A fuller disclaimer is available.

Word has recently broken about the first confirmed piece of malware for OS X: a file that was originally distributed via a post to Mac Rumors, and which has been disassembled by Ambrosia Software’s Andrew Welch.

Key points: this is not a virus, rather, it’s a trojan horse; it’s buggy (doesn’t perform all the intended actions); and for most people, activating the payload involves entering their password, which should tip most people off that something’s not right.

Here’s Andrew’s summary of the situation:

A file called “latestpics.tgz” was posted on a Mac rumors web site http://www.macrumors.com/, claiming to be pictures of “MacOS X Leopard” (an upcoming version of MacOS X, aka “MacOS X 10.5”). It is actually a Trojan (or arguably, a very non-virulent virus). We’ll call it “Oompa-Loompa” (aka “OSX/Oomp-A”) for reasons that will become obvious.

Unless you work for an anti-virus company, please don’t email/message me asking for a copy of this trojan. It’s not going to happen.

You cannot be infected by this unless you do all of the following:

  1. Are somehow sent (via email, iChat, etc.) the “latestpics.tgz” file, or download it

  2. Double-click on the file to decompress it

  3. Double-click on the resulting file to “open” it

…and then for most users, you must also enter your Admin password.

You cannot simply “catch” the virus. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you unarchive the file, and then open it.

A few important points:

  • This should probably be classified as a Trojan, not a virus, because it doesn’t self-propagate externally (though it could arguably be called a very non-virulent virus)

  • It does not exploit any security holes; rather it uses “social engineering” to get the user to launch it on their system

  • It requires the admin password if you’re not running as an admin user

  • It doesn’t actually do anything other than attempt to propagate itself via iChat

  • It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching

  • It’s not particularly sophisticated

To be on the safe side…

DO NOT DOWNLOAD OR RUN THIS FILE

When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.

After it’s been unzipped, tar will tell you there are two files in the archive:

._latestpics
latestpics

…the ._latestpics is just the resource fork of the file, which contains the pasted in custom icon meant to fool people into double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.

The file “latestpics” is actually a PowerPC-compiled executable program, with routines such as:

_infect:
_infectApps:
_installHooks:
_copySelf:
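The disguise described above works because the Finder shows the pasted-in icon from the resource fork rather than looking at what the data fork actually contains. A defender's counter-check is to ignore names and icons and classify each archive member by its leading bytes. The script below is an added example, not code from the original post or from Andrew Welch's analysis; the JPEG, Mach-O and AppleDouble magic numbers are the real published values, while the small archive it builds (an AppleDouble `._latestpics` sidecar beside a `latestpics` member with a PowerPC Mach-O header) is constructed for the demonstration and is not the original file.

```python
import io
import tarfile

# Leading-byte signatures used for the check. These are the documented magic
# numbers for each format; the archive built below is constructed sample data.
JPEG_MAGIC = b"\xff\xd8\xff"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian, e.g. PowerPC)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian, e.g. Intel)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
}
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"


def classify(data: bytes) -> str:
    """Classify a file purely from its first bytes, ignoring name and icon."""
    if data.startswith(JPEG_MAGIC):
        return "JPEG image"
    for magic, desc in MACHO_MAGICS.items():
        if data.startswith(magic):
            return desc
    if data.startswith(APPLEDOUBLE_MAGIC):
        return "AppleDouble resource-fork container"
    return "unknown"


def inspect_tgz(blob: bytes) -> list:
    """Return (member name, classification, flag) for every regular member."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            head = tf.extractfile(member).read(16)
            kind = classify(head)
            base = member.name.rsplit("/", 1)[-1]
            # A "._name" sidecar is the AppleDouble file that tar on Mac OS X
            # writes for a resource fork; a custom icon lives there, so one
            # sitting beside an executable is exactly the pattern to look for.
            is_sidecar = base.startswith("._")
            flag = ""
            if not is_sidecar and kind.startswith("Mach-O"):
                flag = "executable, not the image its icon suggests"
            findings.append((member.name, kind, flag))
    return findings


def build_sample_tgz() -> bytes:
    """Construct a small archive mimicking the layout described in the post.

    The sidecar carries only the AppleDouble magic and version; the main
    member carries a big-endian Mach-O magic followed by CPU type 18 (PowerPC).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in (
            ("._latestpics", APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24),
            ("latestpics", b"\xfe\xed\xfa\xce" + b"\x00\x00\x00\x12" + b"\x00" * 24),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, flag in inspect_tgz(build_sample_tgz()):
        print(f"{name:15} {kind:45} {flag}")
```

Running it on the constructed archive reports `._latestpics` as an AppleDouble container and `latestpics` as a PowerPC Mach-O binary, which is the same conclusion the post reaches by hand: the icon says JPEG, the bytes say executable. Pointing `inspect_tgz` at a real `.tgz` read from disk applies the same check to archives you receive.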

The rest of Andrew’s post goes on to detail the exact methods used by the attack.

Again: this is not going to be a concern for most people. Not only is this a relatively low-impact attack, but it’s been identified quickly. Admittedly, it’s a shame that neither Slashdot nor The Register is mentioning this fact, preferring to use the Chicken Little approach to news reporting (at least The Register correctly identifies it as a trojan).

However, even given that this is a fairly low risk trojan, it is the first confirmed OS X trojan. Too many people have fallen into the trap of believing that OS X is immune to viruses or trojans. It’s not — there just haven’t been any until now, and due to the architecture of OS X, any attack is limited in the amount of damage it can do. But as OSX/Oomp-A (or Lamp-A, as Sophos named it) shows, we’re certainly not immune.

iTunes: “Been Up Long (Falsedawn)” by The Prodigy, from the album Always Outsiders Never Outdone (2004, 4:28).

3 thoughts on “First Confirmed OS X Malware”

  1. I think this is just opening the door for more Mac-centric viruses. As more and more people get all “Man, we rule so much because we use Macs, not like you dunderheaded virus-riddled WinFools”, there is a higher and higher chance of virus writers finally clueing in that there’s a seriously untapped market that is the Mac world. Especially since Macs ARE aimed at the less-than-savvy users a lot of the time.
