Interestingly, the number of core vulnerabilities in the Mac OS X kernel (Mach) and related components and libraries decreased compared to 2005. Still, a number of critical vulnerabilities were found. The best known was probably the local 'passwd' exploit (a zero-day exploit) reported on 03.02.06, which was used to hack Dave Schroeder's system during the "rm-my-mac" competition.
Malicious programs targeting Mac OS X are relatively uncommon, so the Mac community was surprised when, on February 13, 2006, the first worm for Mac OS X appeared. It was named OSX/Leap.A. Leap is an instant messaging (IM) worm that is also capable of infecting Mac OS X applications; however, due to a bug in the worm's code, infected programs no longer run.
The worm was first spotted on the MacRumors forums (http://forums.macrumors.com/) on the evening of February 13, 2006. The original post was titled "Alleged screenshots of OS 10.5 Leopard", an obvious attempt to lure unsuspecting users into running the malicious code.
The worm uses Apple's IM application iChat to spread. Other ways of entering a system include the user downloading and directly executing the worm code, or running an infected application from a remote location. Because the worm cannot infect a system without user interaction, it has also been called a "Trojan", although that is not entirely correct: a Trojan cannot replicate, whereas Leap.A can.
The worm spreads as a TAR.GZ archive named "latestpics.tgz". If the user unpacks the archive (either with the command line tool 'tar' or by double-clicking it in Finder), he or she is presented with what appears to be a JPEG file:
In reality, this is a PowerPC executable, as can be seen from the Finder "Get Info" dialogue:
The "latestpics" executable is a command line application; as a result, it opens a Terminal window when run.
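The lesson of the disguise above is that neither the file name nor the icon says anything about what a file is; only its contents do. As an added example (not code from the original article or from any analysis of the worm), the following Python 3 script inspects a .tgz archive in memory, without extracting it to disk, and reports every member whose bytes identify it as a Mach-O executable or whose mode carries an executable bit. The sample archive it builds is constructed for illustration and only mimics the layout described above: a fake PowerPC Mach-O header under a picture-like name, an AppleDouble "._" sidecar (the form in which Finder metadata such as a custom icon travels inside a tar), and a genuine JPEG for contrast. It is not the worm, and the member names other than "latestpics" are assumptions.

```python
"""Audit a .tgz for members that are executables, whatever their name or icon.

Constructed example: the archive built by build_sample_tgz() imitates the
layout of a "pictures" archive that really carries a Mach-O binary.
"""
import io
import tarfile

# Mach-O magic numbers (from <mach-o/loader.h> and <mach-o/fat.h>).
MACHO32_BE, MACHO32_LE = b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe"
MACHO64_BE, MACHO64_LE = b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"
FAT_MAGIC = b"\xca\xfe\xba\xbe"          # universal (fat) binary
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # "._name" sidecar: resource fork / Finder info
JPEG_MAGIC = b"\xff\xd8\xff"

# cputype field of the Mach-O header (from <mach/machine.h>).
CPU_TYPES = {7: "i386", 18: "PowerPC", 0x01000007: "x86_64", 0x01000012: "PowerPC64"}


def classify(head: bytes) -> str:
    """Name a file type from its leading bytes, ignoring its name entirely."""
    magic = head[:4]
    if magic in (MACHO32_BE, MACHO64_BE, MACHO32_LE, MACHO64_LE):
        # The magic's byte order tells us how to read the cputype that follows it.
        order = "big" if magic in (MACHO32_BE, MACHO64_BE) else "little"
        cpu = int.from_bytes(head[4:8], order)
        return "Mach-O executable (%s)" % CPU_TYPES.get(cpu, "cpu 0x%x" % cpu)
    if magic == FAT_MAGIC:
        return "Mach-O universal (fat) binary"
    if magic == APPLEDOUBLE_MAGIC:
        return "AppleDouble sidecar (resource fork / Finder info)"
    if head.startswith(JPEG_MAGIC):
        return "JPEG image"
    return "unknown"


def audit_tgz(data: bytes) -> list[dict]:
    """Return one finding per regular file in the archive, flagging executables."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fobj = tar.extractfile(member)
            head = fobj.read(16) if fobj else b""
            kind = classify(head)
            exec_bit = bool(member.mode & 0o111)
            findings.append({
                "name": member.name,
                "type": kind,
                "executable_bit": exec_bit,
                # Either signal alone is enough: a "picture" should have neither.
                "suspicious": exec_bit or kind.startswith("Mach-O"),
            })
    return findings


def build_sample_tgz() -> bytes:
    """Constructed stand-in for a malicious 'latestpics.tgz'; not the real worm."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, payload: bytes, mode: int) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tar.addfile(info, io.BytesIO(payload))

        # Fake 32-bit big-endian Mach-O header: magic, then cputype 18 (PowerPC).
        add("latestpics", MACHO32_BE + (18).to_bytes(4, "big") + b"\x00" * 24, 0o755)
        # AppleDouble sidecar (magic, version 2) that would carry the custom icon.
        add("._latestpics", APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24, 0o644)
        # A genuine JPEG (JFIF header) for contrast; name is an assumption.
        add("holiday.jpg", JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 20, 0o644)
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_tgz(build_sample_tgz()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print("%-10s %-14s x-bit=%-5s %s" % (flag, f["name"], f["executable_bit"], f["type"]))
```

Run it on a real download with `audit_tgz(open("latestpics.tgz", "rb").read())`. The check reads only the first 16 bytes of each member through the tar stream, so it never writes the payload to disk; that is the point when the file in question is a self-executing binary rather than a picture.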
Some reports said that at this point, if run by a non-administrator user, the operating system asks for administrative rights. In our tests this did not happen: the worm ran the same way as it would from an account with admin rights. However, it can only infect applications to which the current user has write access.