
Oompa-Loompa Trojan (OSX/Oomp-A) [#3]: ClamXav virus definitions updated; When the trojan will ask for an administrator password


CNET staff

Earlier today we noted the discovery and description of a new piece of malware for Mac OS X dubbed the "Oompa-Loompa Trojan (OSX/Oomp-A)." [See previous coverage]

As previously noted, the malware was posted as "latestpics.tgz" to a Mac rumors web site, claiming to be pictures of "Mac OS X Leopard" (an upcoming version of Mac OS X). It propagates through iChat and can cause applications to not work properly -- but it requires an administrator password (when not using an administrator account, and in some cases when logged in as an administrator -- see below) to enact its somewhat innocuous effects, making it a low-level threat.

ClamXav virus definitions updated

The free graphical front-end ClamXav has been updated to include a virus definition for the Oompa-Loompa Trojan (OSX/Oomp-A).

This is the recommended route for protecting against this potential threat -- it's free, and does not cause the issues apparent with some other virus protection utilities.

When the trojan will ask for an administrator password

As we noted yesterday, the Oompa-Loompa trojan will ask for an administrator password on launch if the user is not an administrator (which is the recommended operating environment for daily tasks).

Under certain circumstances, the trojan will also ask for an administrator password when the logged-in user has admin status.

The malware infects the four most recently run applications, and whether it prompts for a password depends on the permissions assigned to those applications' executables. Some applications ship with executables set to 775 (-rwxrwxr-x, i.e. read, write and execute permission for the owner and group, and read and execute permission for others), meaning that an admin user can modify them without being prompted for a password. If all four targeted apps have 775 permissions, it is possible that no password will be requested.
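The permission point above is easy to check for yourself. The script below is an added example, not part of the MacFixIt article: it lists executables under a directory whose mode is group-writable (as 775 is), which is what lets an admin user, as a member of the owning group, overwrite them without any authentication dialog, and it offers a function that removes the group-write bit. The sample "applications" are constructed in a throwaway temporary directory; the function and path names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit and fix group-writable executables.

# find_group_writable DIR
# Print every regular file under DIR that is both group-writable (020) and
# owner-executable (100), i.e. an executable an admin-group member can rewrite
# without being asked for a password. Octal masks keep this portable across
# GNU and BSD find.
find_group_writable() {
    find "$1" -type f -perm -020 -perm -100 | sort
}

# count_group_writable DIR
# Number of such files, with the whitespace wc adds on some systems stripped.
count_group_writable() {
    find_group_writable "$1" | wc -l | tr -d ' '
}

# remove_group_write DIR
# Mitigation: drop group write from every matching executable so that
# modifying it again requires owner (or root) privileges.
remove_group_write() {
    find "$1" -type f -perm -020 -perm -100 -exec chmod g-w {} +
}

# make_sample_apps
# Constructed sample standing in for /Applications: one app whose executable
# is 755 (owner-writable only) and one whose executable is 775 (group-writable).
# Prints the path of the temporary directory it created.
make_sample_apps() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Safe.app/Contents/MacOS" "$dir/Loose.app/Contents/MacOS"
    printf '#!/bin/sh\necho safe\n'  > "$dir/Safe.app/Contents/MacOS/Safe"
    printf '#!/bin/sh\necho loose\n' > "$dir/Loose.app/Contents/MacOS/Loose"
    chmod 755 "$dir/Safe.app/Contents/MacOS/Safe"    # -rwxr-xr-x
    chmod 775 "$dir/Loose.app/Contents/MacOS/Loose"  # -rwxrwxr-x
    echo "$dir"
}

# Usage against the constructed sample (replace with a real path such as
# /Applications to audit an actual system):
#   d=$(make_sample_apps)
#   find_group_writable "$d"      # lists only Loose.app's executable
#   remove_group_write "$d"
#   count_group_writable "$d"     # now 0
```

Run the audit function against a real application folder to see which of your installed apps would be modifiable by any admin-group user without a prompt; the remove function is the corresponding hardening step, and is worth confirming against the application's own expectations before applying it broadly.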

MacFixIt reader Scott Buntin writes:

"Eventually, when one of the modified apps runs, and attempts to modify another set of four apps, I'd expect it to request the password.

"It wouldn't take much, I think, for a variant to look specifically for 775 executables only, thus avoiding the authentication dialog completely."

Feedback? Late-breakers@macfixit.com.

Previous coverage: Mac OS X malware "OSX/Oomp-A" discovered -- effects seem innocuous