Malware Evolution: Mac OS X Vulnerabilities 2005 - 2006
by Claudiu Dumitru - Kaspersky Lab - Tuesday, 25 July 2006.
The worm was first spotted on the MacRumors forums on the evening of Feb 13th, 2006. The original message read "Alleged screenshots of OS 10.5 Leopard", an obvious attempt to lure unsuspecting users into running the malicious code.

The worm uses Apple's IM application "iChat" to spread. Alternative ways of entering a system include the user downloading and directly executing the worm code, or running an infected application from a remote location. Because the worm is not able to infect a system automatically, it has also been called a "Trojan", although that is not entirely correct. A Trojan is unable to replicate, whereas "Leap.a" is.

The worm spreads in the form of a TAR.GZ archive named "latestpics.tgz". If the user unpacks the archive (either using the command line tool 'tar' or by double-clicking it in Finder), s/he is presented with what seems to be a JPEG file:

In reality, this is a PowerPC executable, as can be seen from the Finder "Get Info" dialogue:

The "latestpics" executable is a command line application and because of that, it will open a terminal window when run.

There have been some reports saying that at this point, if run by a normal user, the operating system will ask for administrative rights. In our tests, this didn't happen - the worm execution proceeded in the same way as it would if run from an account with admin rights. However, it will only be able to infect applications to which the current user is allowed to write.

Next, the worm will extract an InputManager plugin from its main body, called "apphook". If the current user is an admin, it will copy this plugin into the "/Library/InputManagers" folder. If the current user is not an admin, it will copy it to the user's "~/Library/InputManagers" folder. The difference between these two operations is that InputManagers plugins from the root "/Library" folder are loaded in applications run by all users, while in the second case the plugin is only loaded in applications run by the current user.

The "apphook" plugin is the worm component responsible for replication via IM. It attempts to hook certain iChat functions and it will send a copy of the worm body to the user's buddies, using the same method as “Buddies -> Send File”.

After installing the "apphook" plugin, the main worm code will continue with the infection of local applications. It will use "Spotlight" to search for a list of the most commonly used applications and it will attempt to infect them. The infection routine is very simple: Leap overwrites the main executable with its code while saving the original application code in a resource fork.

When an infected application is run, the main worm code will run, and it will attempt to propagate as described above. Leap will also attempt to execute the original application; however, this will not happen due to a bug in the worm's code. This means that infected applications stop working - a very obvious sign of the infection.

Finally, it appears that the author of the worm was planning to add an email replication function. However, this was not finished before the code appeared on the MacRumors forum. Except for corrupting applications during infection (which seems to be unintentional), there is no sign of any other damaging payload in the worm's code.
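The three traces described above (a Mach-O binary wearing a picture's name or icon, a dropped InputManagers bundle, and an overwritten application whose original code sits in the resource fork) can be checked from the defender's side. The script below is an added example, not Kaspersky's or Apple's code; it assumes Python 3, and the resource-fork and InputManagers checks assume macOS (the header classification runs anywhere).

```python
import struct
from pathlib import Path

# Mach-O magic numbers as written on disk, with the byte order the header uses.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": ("mach-o 32-bit", ">"),  # MH_MAGIC, big-endian (PowerPC builds)
    b"\xce\xfa\xed\xfe": ("mach-o 32-bit", "<"),  # MH_CIGAM, little-endian (Intel builds)
    b"\xfe\xed\xfa\xcf": ("mach-o 64-bit", ">"),
    b"\xcf\xfa\xed\xfe": ("mach-o 64-bit", "<"),
    b"\xca\xfe\xba\xbe": ("fat binary", ">"),
}
CPU_TYPES = {7: "x86", 12: "arm", 18: "powerpc", 0x01000007: "x86_64", 0x0100000C: "arm64"}
# The two drop locations named in the write-up; the per-user one is where a non-admin run lands.
INPUT_MANAGER_DIRS = (Path("/Library/InputManagers"), Path.home() / "Library" / "InputManagers")
PICTURE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ""}  # "" covers extension-less "latestpics"

def classify_header(data: bytes) -> str:
    """Name the real file type from the leading bytes, ignoring filename and icon."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    info = MACHO_MAGICS.get(data[:4])
    if info is None:
        return "unknown"
    kind, order = info
    if kind == "fat binary" or len(data) < 8:
        return kind
    cputype = struct.unpack(order + "I", data[4:8])[0]  # cputype follows the magic
    return f"{kind} {CPU_TYPES.get(cputype, hex(cputype))}"

def find_disguised_executables(entries):
    """entries: iterable of (name, leading bytes). Returns the names that carry a
    Mach-O header but are presented as pictures, the trick used by "latestpics"."""
    return [name for name, head in entries
            if head[:4] in MACHO_MAGICS and Path(name).suffix.lower() in PICTURE_SUFFIXES]

def scan_dir(directory):
    """Read the first 8 bytes of every regular file under directory and apply the check."""
    entries = []
    for p in Path(directory).rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh:
                entries.append((p.name, fh.read(8)))
    return find_disguised_executables(entries)

def has_resource_fork(path) -> bool:
    """Leap parks the original program in the resource fork of the overwritten binary.
    Uses the ..namedfork/rsrc path exposed by HFS+/APFS; on other systems this is False."""
    try:
        return (Path(path) / "..namedfork" / "rsrc").stat().st_size > 0
    except OSError:
        return False

def installed_input_managers():
    """List bundles present in either InputManagers folder the worm writes to."""
    return [str(p) for d in INPUT_MANAGER_DIRS if d.is_dir() for p in d.iterdir()]
```

On a suspect machine, run `scan_dir` over the Downloads folder, review `installed_input_managers()` for anything unexpected, and call `has_resource_fork` on the main executables of the commonly used applications the worm targets.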

On 18 February, 2006, another Mac OS X worm appeared. Inqtana spreads via Bluetooth and propagates by sending an Object Exchange (OBEX) Push data transfer request to the potential victim machine. If the user accepts the request, the worm exploits a Bluetooth File and Object Exchange Directory Traversal vulnerability to gain access to locations outside the Bluetooth File and Object Exchange service path.
