{"id":3700,"date":"2006-02-16T08:47:29","date_gmt":"2006-02-16T16:47:29","guid":{"rendered":"http:\/\/michaelhans.com\/eclecticism\/2006\/02\/16\/first-confirmed-os-x-malware\/"},"modified":"2019-12-20T09:10:15","modified_gmt":"2019-12-20T17:10:15","slug":"first-confirmed-os-x-malware","status":"publish","type":"post","link":"https:\/\/michaelhans.com\/eclecticism\/2006\/02\/16\/first-confirmed-os-x-malware\/","title":{"rendered":"First Confirmed OS X Malware"},"content":{"rendered":"<p>Word has recently broken about the first confirmed piece of malware for OS X, a file that was originally distributed via a post to <a href=\"http:\/\/www.macrumors.com\/pages\/2006\/02\/20060216005401.shtml\" title=\"Mac Rumors: The First Mac OS X Virus? 
(A New OS X Trojan)\">Mac Rumors<\/a>, and has <a href=\"http:\/\/www.ambrosiasw.com\/forums\/index.php?showtopic=102379\" title=\"Ambrosia Software Web Board: New MacOS X trojan\/virus alert, developing...\">been disassembled<\/a> by <a href=\"http:\/\/www.ambrosiasw.com\/\" title=\"Ambrosia Software\">Ambrosia Software<\/a>&#8217;s Andrew Welch.<\/p>\n<p>Key points: this is <em>not<\/em> a virus; rather, it&#8217;s a trojan horse. It&#8217;s buggy (it doesn&#8217;t perform all of its intended actions), and for most people, activating the payload involves entering their password, which should tip most people off that something&#8217;s not right.<\/p>\n<p>Here&#8217;s <a href=\"http:\/\/www.ambrosiasw.com\/forums\/index.php?showtopic=102379\" title=\"Ambrosia Software Web Board: New MacOS X trojan\/virus alert, developing...\">Andrew&#8217;s summary of the situation<\/a>:<\/p>\n<blockquote><p>\n  A file called &#8220;<strong>latestpics.tgz<\/strong>&#8221; was posted on a Mac rumors web site <a href=\"http:\/\/www.macrumors.com\/pages\/2006\/02\/20060216005401.shtml\" title=\"Mac Rumors: The First Mac OS X Virus? (A New OS X Trojan)\">http:\/\/www.macrumors.com\/<\/a>, claiming to be pictures of &#8220;MacOS X Leopard&#8221; (an upcoming version of MacOS X, aka &#8220;MacOS X 10.5&#8221;). It is actually a Trojan (or arguably, a very non-virulent virus). We&#8217;ll call it &#8220;<strong>Oompa-Loompa<\/strong>&#8221; (aka &#8220;<strong>OSX\/Oomp-A<\/strong>&#8221;) for reasons that will become obvious.<\/p>\n<p>  Unless you work for an anti-virus company, please don&#8217;t email\/message me asking for a copy of this trojan. It&#8217;s not going to happen.<\/p>\n<p>  <strong>You cannot be infected by this unless you do all of the following:<\/strong><\/p>\n<ol>\n<li>\n<p>Are somehow sent (via email, iChat, etc.) or download the &#8220;latestpics.tgz&#8221; file<\/p>\n<\/li>\n<li>\n<p>Double-click on the file to decompress it<\/p>\n<\/li>\n<li>\n<p>Double-click on the resulting file to &#8220;open&#8221; it<\/p>\n<\/li>\n<\/ol>\n<p>&#8230;and then for most users, you must also enter your Admin password.<\/p>\n<p>  You <strong>cannot<\/strong> simply &#8220;catch&#8221; the virus. Even if someone does send you the &#8220;latestpics.tgz&#8221; file, you cannot be infected unless you unarchive the file, and then open it.<\/p>\n<p>  <strong>A few important points:<\/strong><\/p>\n<ul>\n<li>\n<p>This should probably be classified as a Trojan, not a virus, because it doesn&#8217;t self-propagate externally (though it could arguably be called a very non-virulent virus)<\/p>\n<\/li>\n<li>\n<p>It does not exploit any security holes; rather it uses &#8220;social engineering&#8221; to get the user to launch it on their system<\/p>\n<\/li>\n<li>\n<p>It requires the admin password if you&#8217;re not running as an admin user<\/p>\n<\/li>\n<li>\n<p>It doesn&#8217;t actually do anything other than attempt to propagate itself via iChat<\/p>\n<\/li>\n<li>\n<p>It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching<\/p>\n<\/li>\n<li>\n<p>It&#8217;s not particularly sophisticated<\/p>\n<\/li>\n<\/ul>\n<p>To be on the safe side&#8230;<\/p>\n<p>  <strong>DO NOT DOWNLOAD OR RUN THIS FILE<\/strong><\/p>\n<p>  When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.<\/p>\n<p>  After it&#8217;s been unzipped, tar will tell you there are two files in the archive:<\/p>\n<pre><code>._latestpics\nlatestpics\n<\/code><\/pre>\n<p>  &#8230;the <code>._latestpics<\/code> is just the resource fork of the file, which contains the pasted-in custom icon meant to fool people into 
double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.<\/p>\n<p>  The file &#8220;latestpics&#8221; is actually a PowerPC-compiled executable program, with routines such as:<\/p>\n<pre><code>_infect:\n_infectApps:\n_installHooks:\n_copySelf:\n<\/code><\/pre>\n<\/blockquote>\n<p>The rest of <a href=\"http:\/\/www.ambrosiasw.com\/forums\/index.php?showtopic=102379\" title=\"Ambrosia Software Web Board: New MacOS X trojan\/virus alert, developing...\">Andrew&#8217;s post<\/a> goes on to detail the exact methods used by the attack.<\/p>\n<p>Again: this is <em>not<\/em> going to be a concern for most people. Not only is this a relatively low-impact attack, but it&#8217;s been identified quickly. Admittedly, it&#8217;s a shame that neither <a href=\"http:\/\/it.slashdot.org\/it\/06\/02\/16\/1322209.shtml\" title=\"\/.: First OS X Virus?\">Slashdot<\/a> nor <a href=\"http:\/\/www.theregister.co.uk\/2006\/02\/16\/mac_os-x_virus\/\" title=\"The Register: 'First' Mac OS X Trojan Sighted\">The Register<\/a> is mentioning this fact, preferring to use the Chicken Little approach to news reporting (at least The Register correctly identifies it as a trojan).<\/p>\n<p>However, even given that this is a fairly low-risk trojan, it <em>is<\/em> the first confirmed OS X trojan. Too many people have fallen into the trap of believing that OS X is immune to viruses or trojans. It&#8217;s <em>not<\/em> &#8212; there just haven&#8217;t been any until now, and due to the architecture of OS X, any attack is limited in the amount of damage it can do. 
But as OSX\/Oomp-A (or <a href=\"http:\/\/www.sophos.com\/virusinfo\/analyses\/osxleapa.html\" title=\"Sophos virus analysis: OSX\/Leap-A\">Leap-A<\/a>, as Sophos named it) shows, we&#8217;re certainly not immune.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key points: this is _not_ a virus, rather, it&#8217;s a trojan horse; it&#8217;s buggy (doesn&#8217;t perform all the intended actions); and for most people, activating the payload involves entering their password, which should tip most people off that something&#8217;s not right.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2039],"tags":[65],"class_list":["post-3700","post","type-post","status-publish","format-standard","hentry","category-apple","tag-technology"],"_links":{"self":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/posts\/3700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/comments?post=3700"}],"version-history":[{"count":0,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/posts\/3700\/revisions"}],"wp:attachment":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/media?parent=3700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/categories?post=3700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/tags?post=3700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}