The "apphook" plugin is the worm component responsible for replication via IM. It attempts to hook certain iChat functions and it will send a copy of the worm body to the user's buddies, using the same method as “Buddies -> Send File”.
After installing the "apphook" plugin, the main worm code will continue with the infection of local applications. It will use "Spotlight" to search for a list of the most commonly used applications and it will attempt to infect them. The infection routine is very simple: Leap overwrites the main executable with its code while saving the original application code in a resource fork.
When an infected application is run, the main worm code will run, and it will attempt to propagate as described above. Leap will also attempt to execute the original application; however, this will not happen due to a bug in the worm's code. This means that infected applications stop working - a very obvious sign of the infection.
Finally, it appears that the author of the worm was planning to add an email replication function. However, this was not finished before the code appeared on the MacRumors forum. Except for corrupting applications during infection (which seems to be unintentional), there is no sign of any other damaging payload in the worm's code.
On 18 February, 2006, another MacOS X worm appeared. Inqtana spreads via Bluetooth and propagates by sending an Object Exchange (OBEX) Push data transfer request to the potential victim machine. If the user accepts the request, the worm exploits a Bluetooth File and Object Exchange Directory Traversal vulnerability to gain access to locations outside the Bluetooth File and Object Exchange service path.
The worm drops two files, named com.openbundle.plist and com.pwned.plist, to the LaunchAgents directory to ensure that it will be launched automatically when the victim machine is rebooted. w0rm-support.tgz, which contains the worm components, is dropped to /Users/.
Once the operating system has been restarted, com.openbundle.plist unpacks the worm components and com.pwned.plist executes the worm's main binary. Inqtana then attempts to replicate by scanning for devices that have Bluetooth enabled, and it sends itself to any devices found that support Object Exchange (OBEX) Push requests.
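As an added defensive example (not code from the original article), the following Python audit walks a LaunchAgents directory and flags plists that match the two file names and the w0rm-support archive path described above; the sample plists it builds are constructed for the demonstration, and the path of the unpacked worm binary is an assumed placeholder.

```python
import os
import plistlib
import tempfile
# Indicators taken from the Inqtana description above: the two plist/label names and the dropped archive.
KNOWN_LABELS = {"com.openbundle", "com.pwned"}
KNOWN_PATH_FRAGMENTS = ("w0rm-support",)

def audit_launch_agent(path):
    """Return the reasons a launchd plist looks like Inqtana persistence ([] if clean)."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    reasons = []
    name = os.path.splitext(os.path.basename(path))[0]
    label = str(data.get("Label", ""))
    if name in KNOWN_LABELS or label in KNOWN_LABELS:
        reasons.append("known Inqtana label: " + (label or name))
    # Everything launchd would run: Program plus each ProgramArguments entry.
    cmd = [str(data.get("Program", ""))] + [str(a) for a in data.get("ProgramArguments", [])]
    hits = [p for p in cmd if any(frag in p for frag in KNOWN_PATH_FRAGMENTS)]
    if hits:
        reasons.append("references worm archive or directory: " + hits[0])
    return reasons

def audit_directory(directory):
    """Audit every .plist in a LaunchAgents directory; returns {filename: [reasons]}."""
    findings = {}
    for fn in sorted(os.listdir(directory)):
        if fn.endswith(".plist"):
            reasons = audit_launch_agent(os.path.join(directory, fn))
            if reasons:
                findings[fn] = reasons
    return findings

def build_sample_dir():
    """Constructed sample LaunchAgents dir (not real Inqtana files): two plists named as in the write-up plus one benign agent."""
    d = tempfile.mkdtemp()
    samples = {
        "com.openbundle.plist": {"Label": "com.openbundle", "RunAtLoad": True,
            "ProgramArguments": ["/usr/bin/tar", "xzf", "/Users/w0rm-support.tgz"]},
        # The unpacked binary's real name is not in the write-up; placeholder path (assumption).
        "com.pwned.plist": {"Label": "com.pwned", "RunAtLoad": True,
            "ProgramArguments": ["/Users/w0rm-support/PLACEHOLDER_worm_binary"]},
        "com.example.backup.plist": {"Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--nightly"]},
    }
    for fn, content in samples.items():
        with open(os.path.join(d, fn), "wb") as f:
            plistlib.dump(content, f)
    return d
```

Pointing `audit_directory` at `~/Library/LaunchAgents` on a real machine reports only entries that match these indicators; any other persistence item would need its own rule.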
It was later discovered that Inqtana was written by the security researcher Kevin Finisterre, who created the worm as a proof of concept.
On 21 February, two zero-day exploits targeting MacOS X appeared: Exploit.OSX.Safari.a, discovered by Michael Lehn, and Exploit.OSX.ScriptEx.a, discovered by Kevin Finisterre (the author of Inqtana). Both exploits received extensive coverage in the IT media.