If you haven't been reading any tech news lately, there is a new piece of malware out that targets Mac OS X. It's a Trojan-type malware that doesn't actually do anything harmful, because of poor coding.
It comes packaged in a file called "latestpics.tgz" which supposedly contains the latest images from Apple's upcoming Leopard release (OS X 10.5). Here's what you have to do to get the virus…
- Download the file from somebody
- Double-click it to extract the files
- Double-click the "image" file.
- Enter your administrator password
So, if you're at all knowledgeable about computers, you can see one major flaw in the design of this malware: you must enter your administrator password to "view an image". You should never have to do this.
What does the Trojan do? Well, it's actually pretty lame.
- The malware copies itself to the /tmp directory
- It makes a pristine copy of itself for an attempt at replicating
- It extracts a new Input Manager, creates a directory called ~/Library/InputManagers and copies the new Input Manager into that folder
- When an application is launched, the new Input Manager is invoked.
- The Input Manager then tries to send the pristine copy of the virus to your buddy list in iChat
- The virus writer intended to send it via email as well, but never wrote the code.
- It then uses Spotlight to find the four most recently used applications and checks whether the attribute 'oompa' is larger than 0 ('oompa' is an arbitrary attribute added to the file to mark whether the malware has already infected that application or not)
- If the value is 0, it changes 'oompa' to equal 'loompa', copies the application into its resource fork and replaces it with a copy of the OSX/Oompa-A Trojan (the Trojan we're discussing)
- When the infected application is double-clicked, the virus attempts to propagate itself and infect more applications
- It then attempts to run the application from its new home, but fails and the application never opens
The malware doesn't actually do anything except prevent infected applications from starting. This is why programmers should always double- and triple-check their code.
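The two traces the post describes, an Input Manager bundle dropped into ~/Library/InputManagers and an 'oompa' extended attribute on the applications the Trojan has swapped out, are both cheap to check for. The script below is an added example, not code from the original post or from any antivirus vendor: it lists whatever sits in the Input Managers folder (a stock install of that era has no such folder) and reports any application executable under /Applications carrying the 'oompa' attribute. It assumes the macOS `xattr -p` command line tool for reading attributes; the attribute reader is injectable so the scan logic can be exercised on a machine without it.

```python
"""Triage helpers for the two infection markers described in the post:
an Input Manager bundle in ~/Library/InputManagers and the 'oompa'
extended attribute on applications the Trojan has replaced.
Added example, not part of the original post."""
import os
import subprocess
from pathlib import Path
from typing import Callable, Iterable, Optional


def list_input_managers(home: str) -> list:
    """Return the entries found in <home>/Library/InputManagers.

    A default install has no such directory, so any entry deserves a look.
    Returns [] when the directory is absent.
    """
    d = Path(home) / "Library" / "InputManagers"
    if not d.is_dir():
        return []
    return sorted(p.name for p in d.iterdir())


def read_xattr_with_cli(path: str, name: str) -> Optional[str]:
    """Read one extended attribute through the macOS `xattr -p NAME FILE` tool.

    Assumption: `xattr` is on PATH (it ships with macOS). A non-zero exit
    means the attribute is not set, which we report as None.
    """
    proc = subprocess.run(["xattr", "-p", name, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


def find_oompa_marked(paths: Iterable[str],
                      get_xattr: Callable[[str, str], Optional[str]] = read_xattr_with_cli) -> dict:
    """Map every path that carries an 'oompa' attribute to the attribute's value.

    Per the post, the Trojan consults this attribute and sets it to 'loompa'
    on applications it has replaced; a clean application has no such
    attribute at all. `get_xattr` is injectable so the scan can be run
    (and tested) without a Mac.
    """
    hits = {}
    for p in paths:
        value = get_xattr(p, "oompa")
        if value is not None:
            hits[p] = value
    return hits


def candidate_apps(apps_dir: str = "/Applications") -> list:
    """Executables inside .app bundles under apps_dir: the files the Trojan swaps out."""
    found = []
    root = Path(apps_dir)
    if not root.is_dir():
        return found
    for bundle in root.glob("*.app"):
        macos_dir = bundle / "Contents" / "MacOS"
        if macos_dir.is_dir():
            found.extend(str(f) for f in macos_dir.iterdir() if f.is_file())
    return sorted(found)


if __name__ == "__main__":
    home = os.path.expanduser("~")
    print("Input Managers:", list_input_managers(home) or "none")
    hits = find_oompa_marked(candidate_apps())
    for path, value in hits.items():
        print(f"oompa={value}: {path}")
    print(f"{len(hits)} marked application(s)")
```

Run it as the logged-in user; an empty Input Managers list and zero marked applications is the expected clean result. Any bundle listed there that you did not knowingly install is worth investigating regardless of this particular Trojan, since the Input Manager mechanism loads the bundle into every application you launch.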
Anyway, my gripe with the recent coverage is not that there's a Mac OS X malware that doesn't work properly, but rather that it is being dubbed the first Mac OS X malware. This is not the case at all.
In 2004 (I think) there was a rootkit-type malware introduced for Mac OS X called Opener. Here's what Opener does (quoted from MacInTouch Reader Reports):
- Opener tries to install ohphoneX, a teleconferencing program - for spying on you through your webcam I'm sure.
- It kills LittleSnitch before every Internet connection it makes
- It installs a keystroke recorder
- Allows backdoor access in case someone deletes the hidden account
- Grabs the open-firmware password
- Installs OSXvnc
- Grabs your Office 2004 PID (serial number), as well as serial numbers for Mac OS X Server, Adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users to name a few.
- It tries to decrypt all the MD5 encrypted user passwords
- Decrypts all users' keychains.
- Grabs your AIM logs, and tons of other settings and preferences with info you probably don't want folks to have… even your bash (terminal) history
- Grabs stuff from your Classic preferences
- Changes your Limewire settings to max out your upload and files.
- The hidden user account is called LDAP-daemon instead of the name hacker used in earlier versions. Looks more innocent than hacker.
- Even has your daily cron task try to get your password from the virtual memory swapfile
- It installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords
- Installs dsniff to sniff for passwords…
Now doesn't that sound a lot more spooky than the OSX/Oompa-A Trojan? I think it does…
The reason Opener is classified as a rootkit is that it actually hides processes and network activity from the operating system.
The problem with Opener is that the permissions on the disk have to be ignored for it to be installed. It has to be installed using optional boot media, i.e. a CD/DVD, FireWire drive, etc. The only way a user could be infected is by booting from infected media.
In short, the OSX/Oompa-A Trojan is not the first OS X malware, nor is it the most dangerous; however, it is the first to attempt to propagate itself over the Internet, assuming a user is stupid enough to enter their administrator password when trying to view an image file.
Moral of the story: Don't enter your administrator password unless you are absolutely sure you are installing something that is safe for your machine.
