Leap.A (also known as Oompa-Loompa) is not a virus. Depending on what you read, it is either a worm or a trojan. You could call it a little bit of both: a trojan because it has to trick someone into running it, and a worm because, once running, it sends itself on to other machines.
And while a lot of Mac news sites have spent much of the day playing down its significance and pointing out that user action is required to run it and therefore infect each machine, I think it ought to make a lot of people stop and think for a minute.
A summary of Leap.A’s activities has been posted by the professional computer security team at F-Secure. I’m inclined to trust what F-Secure say about viruses, worms and other malware, because they have been conducting autopsies on harmful code for years now and they know what they are talking about.
There are two important things to note about Leap.A:
- it has to be executed by the user in order to get anywhere. This means that security-conscious users (probably most of Mac Devcenter’s readership) are less likely to be infected. But the vast majority of users, who don’t know or don’t care about computer security, are at risk.
- it propagates through iChat: once it is running, it sends itself on to the infected user's iChat contacts with no further action on that user's part (the recipient still has to accept and open the file, which is where the first point comes in).
This second feature is the one I find most worrying. For years now, people have grown accustomed to the idea of viruses arriving by email; some email applications on Windows have earned themselves a bad reputation simply because they allowed such viruses to spread too easily, too often.
This has happened so much, and been reported in the mainstream media so often, that the message has sunk into people’s brains: “Email can be dangerous - beware of viruses.”
But other means of malware propagation have not been so well understood by the general population, usually because mainstream media outlets don’t often allow the airtime or the printed space for their behaviors to be explained properly. Very few people have got the idea of web bugs, even though they’ve been around for some time now.
The same applies to instant messaging, a hugely popular use of computers, especially by young people. The idea that your computer might be infected via IM simply hasn’t sunk in to most people’s heads.
Worms, and viruses in the classic sense, spread by exploiting holes in your system or attaching themselves to other programs, copying themselves and propagating automatically. Trojans, by definition, pretend to be something they are not, and therefore rely not on holes in the system but on the ignorance of the user. I'm still convinced that OS X, on the whole, is a decently secure system, but that doesn't prevent it being used by ignorant users.
That’s why this worm is not something we should be dismissing. It’s not a great threat in and of itself, but it is a sign of what might yet come.
Let’s be careful out there.


"I'm inclined to trust what F-Secure say about viruses, worms and other malware, because they have been conducting autopsies on harmful code for years now and they know what they are talking about."
I don't understand your reasoning here. Symantec, McAfee, etc. have been in the "anti-viral" business for years too, so, by your criteria, they should be just as trustworthy as F-Secure. Either trust them all or trust none of them, or tell us why F-Secure is unique! (Last time I looked, they were all in it for the money!)
It does require ignorant users. And there are probably a lot of those. But I don't see why this is a big deal. I could write an AppleScript that uses Address Book to send copies of itself via Mail/iChat/whatever, give it a custom JPEG icon, and package it up in a tarball in 10 minutes. This is social engineering, not an OS X vulnerability.
Matt, MyDoom.A required a user to start it and didn't use any vulnerabilities. Was that a big deal? (Hint: it was one of the fastest-spreading pieces of malware at that point.)
@ Jim M: I don't *distrust* Symantec or McAfee. I just like the way F-Secure communicates with people (especially the entertaining and informative "News from the lab" weblog: http://www.f-secure.com/weblog/). And of course, you're right: they are all in it for the money.
@ Matt: Yes, it is social engineering, that phrase is spot-on.
The F-Secure description was a little (heck, a LOT) short on details. I can sort of infer that it doesn't require admin access to work, and that an "InputManagers" folder suddenly appearing in your home directory is Bad News.
But the bottom line is: if your daughter receives one of these while she's idle, chances are she'll open it when she sees it (unless she's been forewarned). Me, I use Fire instead of iChat, but my daughter uses iChat. I guess I'd better tell her about it before she gets her iBook back (in for the infamous video glitch).
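The comment above singles out an InputManagers folder appearing in a home directory as the thing to watch for. As an added example (this is not code from the post or from any of its commenters), here is a small POSIX shell check that lists user-level Input Manager bundles, which Cocoa applications on Mac OS X load into every application the user launches. The canonical per-user location is ~/Library/InputManagers; the script also looks at ~/InputManagers, since that is how the comment phrases it. The function name and the paths it inspects are my own choices, and the script only reports, it does not remove anything.

```shell
#!/bin/sh
# Added example: report user-level Input Manager bundles on Mac OS X.
# Cocoa applications load every bundle found under ~/Library/InputManagers
# into their own process, so a folder that appears there on its own is a
# reasonable thing to alarm on. Paths and names below are assumptions for
# a stand-alone check, not anything taken from the F-Secure write-up.

# check_input_managers [home_dir]
#   Lists anything found; returns 0 when no Input Manager entries exist
#   under home_dir (default: $HOME) and 1 when at least one does.
check_input_managers() {
    home_dir=${1:-$HOME}
    found=0
    # Canonical location first, then the plain ~/InputManagers the comment
    # above describes.
    for dir in "$home_dir/Library/InputManagers" "$home_dir/InputManagers"; do
        [ -d "$dir" ] || continue
        # Include dot-prefixed entries; an unmatched glob is skipped by -e.
        for entry in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$entry" ] || continue
            found=1
            # Owner, permissions and modification time help date the change.
            ls -ld "$entry"
        done
    done
    if [ "$found" -eq 0 ]; then
        echo "no user-level Input Managers found under $home_dir"
        return 0
    fi
    echo "WARNING: Input Manager entries present under $home_dir; investigate before launching Cocoa applications"
    return 1
}

# Run against a given home directory when invoked with an argument, e.g.
#   sh check_input_managers.sh "$HOME"
if [ $# -gt 0 ]; then
    check_input_managers "$1"
fi
```

The non-zero exit status lets the check gate a login script or a cron job; on a machine where you have never installed an Input Manager yourself, anything it lists deserves a look.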
Rob, of course MyDoom.A was a big deal. It was so precisely because it spread like wildfire. It spread because (a) it was a Windows virus and (b) it used similar social engineering techniques. This, however, was distributed at a Mac website, where presumably most users have Macs, and it still flopped like a bad J-Lo movie. Some washed-up hacker wrote a trojan horse/worm that doesn't even work properly, disguised it as Leopard screenshots, and a handful of people downloaded and opened it before it got pulled off of the forum. Big deal.
Matt, remember this: it's only the first! Unfortunately!