Virus protection software makers respond to Oompa-Loompa trojan (OSX/Oomp-A); protective methods

CNET staff

Earlier today we noted the discovery and description of a new piece of malware for Mac OS X dubbed the "Oompa-Loompa Trojan (OSX/Oomp-A)." [See previous coverage]

As previously noted, the malware was posted as "latestpics.tgz" to a Mac rumors web site, claiming to be pictures of "Mac OS X Leopard" (an upcoming version of Mac OS X). It propagates through iChat, and can cause applications to not work properly -- but requires an administrator password to enact its somewhat innocuous effects, making it a low-level threat.

Several makers of Mac OS X anti-virus software have now chimed in with their assessment and response to the new malware.

Symantec is calling the malware "OSX.Leap.A," and says it is currently categorized as a Level 1 threat (on a scale of 1 to 5, with 5 being most severe).

Symantec representatives told MacFixIt:

"The worm makes use of the Spotlight search program, included in OSX, and will run each time the machine boots. It identifies any applications being started, and if iChat begins to run, the worm uses iChat to send the infected file -- latestpics.tgz -- to all contacts on the infected user's buddy list. Those on the buddy list will then be asked to accept the file. If they do, the file will subsequently be saved to their hard drive. Files infected by OSX.Leap.A may be corrupted and may not run correctly."

"Symantec currently provides definitions to protect against OSX.Leap.A. The Symantec Security Response Web site provides additional details at: http://securityresponse.symantec.com/"

Intego, makers of the VirusBarrier software, added:

"Two versions of this Trojan horse exist, and the Intego Virus Monitoring Center immediately developed updated virus definitions, which it released on February 14, 2006, as soon as it discovered this threat, ensuring that VirusBarrier X and VirusBarrier X4 eradicate the Oompa-Loompa Trojan horse. All Intego VirusBarrier X and VirusBarrier X4 users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

"Initially appearing in a compressed file called latestpics.tgz, this Trojan horse, after being decompressed, appears to be a graphic file. When a user double-clicks it, expecting to see a picture, the program inserts a file called apphook.bundle in the user's InputManagers folder which then ensures that it is replicated in all other Cocoa applications the user launches. Using Spotlight, the Trojan horse searches for the four most recently used applications, then infects them. The apphook.bundle Input Manager attempts to send a copy of the original file, latestpics.tgz, to every person on a user's iChat buddy list. Since users see this file coming from friends and colleagues, they are inclined to assume that it is safe, and therefore double-click the file a first time to decompress it, and a second time to attempt to 'view' it.

"Intego usually advises all Macintosh users to only download and open files and applications from trusted sources. In this case, however, users receive the Trojan horse via iChat from their buddies and are therefore likely to assume it is legitimate. So users should be additionally careful when receiving an unexpected attachment via iChat from someone in their buddy list. All users should update their virus definitions and never open files received by e-mail or iChat unless they are sure that these files are safe."

Protective method: Setting iChat to not automatically accept incoming files

In order to protect against the unintended acquisition of this malware, it is recommended that you set iChat to notify the user before accepting a file. This is accomplished by opening iChat's preferences, then clicking the "Messages" tab, and selecting "Confirm before sending files." This is the default setting for a fresh Mac OS X installation.

And remember, be very cautious with supplying your administrator password to system prompts (for which you will be prompted if you are a non-admin user and attempt to open the infected .jpg). You should never be asked to enter your administrator password to open a .jpg file (as in this case). Provide your administrator password only to trusted applications.

In fact, you should avoid being logged in as an administrator whenever possible. Instead, use a standard user account for daily tasks.
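Two checks an administrator could script from the behaviour described above (the apphook.bundle Input Manager that Intego names, and a "picture" that turns out to be an executable); this is an added example, not code from the article, Symantec or Intego. The HOME argument, the REVIEW/KNOWN-MALWARE tags and the sample files in the usage are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Defender-side checks for the
# behaviour the Intego description reports:
#  1. list bundles in the Input Manager directories (apphook.bundle is the
#     name given in the article; any other entry still deserves a look), and
#  2. verify that a file presented as a picture starts with an image
#     signature rather than a Mach-O executable header.
# Assumption: the HOME argument and the tag names are constructed here.

# Print "<tag> <path>" for each Input Manager found. KNOWN-MALWARE marks the
# bundle name from the article; REVIEW marks anything else (legitimate Input
# Managers exist, so nothing is deleted). Returns 1 if the known name was seen.
audit_input_managers() {
    home="${1:-$HOME}"
    hit=0
    for dir in "$home/Library/InputManagers" "/Library/InputManagers"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue
            case "$(basename "$entry")" in
                apphook.bundle) printf 'KNOWN-MALWARE %s\n' "$entry"; hit=1 ;;
                *)              printf 'REVIEW %s\n' "$entry" ;;
            esac
        done
    done
    return "$hit"
}

# Classify a file by its first four bytes: image, macho or unknown.
file_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        ffd8ff*)  echo image ;;   # JPEG
        89504e47) echo image ;;   # PNG
        47494638) echo image ;;   # GIF
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca)
                  echo macho ;;   # Mach-O (32/64-bit, either byte order) or fat
        *)        echo unknown ;;
    esac
}

# Succeed only if a file named like a picture really carries an image header.
# A .jpg that is really Mach-O is exactly the case that should never need an
# administrator password to "open".
check_picture() {
    case "$1" in
        *.jpg|*.jpeg|*.png|*.gif) [ "$(file_kind "$1")" = image ] ;;
        *) return 1 ;;
    esac
}
```

Run `audit_input_managers` with no argument on a live machine to scan the current user's folder plus the system one; `check_picture ~/Downloads/latestpics.jpg` (a constructed path) fails for an executable masquerading as an image.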

Feedback? Late-breakers@macfixit.com.

Resources

  • previous coverage
  • http://securityresponse.sy...
  • Late-breakers@macfixit.com