Leap-A malware: what you need to know
The worst thing you can do whenever a virus scare hits is to panic. The second worst thing you can do is not keep yourself informed.
With reports of the Leap-A program infecting some Macs, it’s important to keep the news in perspective. While Leap-A has the potential for mischief, it’s not anything like a crippling Windows virus that periodically brings the rest of the computing world to its knees. More important, as explained below, this incident doesn’t expose a security hole in the Mac operating system. Rather, it’s a piece of malware that can be easily rebuffed by vigilant Mac users.
That said, it pays to keep on top of potentially harmful things like Leap-A. After a day of research and testing the malware for ourselves, here’s what you need to know about Leap-A.
What is Leap-A?
Leap-A—or Oompa Loompa, as it’s also known—is a potentially malicious program that’s disguised as a simple image file. This method of delivery is known as a Trojan horse, because it’s one thing pretending to actually be something else. In its present form, the code is hiding in a file named latestpics.tgz , which purports to be a picture of something interesting (OS X 10.5 spy shots, in this case). After expanding the compressed archive, and then double-clicking what appears to be an image file, the Leap-A malware will launch and install itself on your system.
Once installed, Leap-A does two things. First, it tries to send a version of itself to everyone on your iChat buddy list. All of your buddies will receive the standard iChat file transfer message, though you won’t see any activity on your end. Second, Leap-A will start infecting Cocoa applications on your machine, via an InputManager that it installs in your user’s directory. Each time you launch an infected Cocoa application, Leap-A will use OS X 10.4’s Spotlight search feature to find the four most-recently-used applications. If they’re Cocoa apps, Leap-A will infect them as well.
(If you’re not familiar with what exactly a Cocoa application is, Cocoa is a development environment for OS X applications. Most of Apple’s applications, and quite a few third-party programs, are written in Cocoa. Safari, Mail, Address Book, iCal, Terminal are some of Apple’s Cocoa applications; Camino, OmniWeb, and OmniGraffle are examples of third-party applications written in Cocoa.)
You’ll find a much deeper and more technical explanation of Leap-A in this analysis from Ambrosia Software founder Andrew Welch. He explains exactly what happens when you download, expand, and then run the program.
You said Leap-A uses Spotlight. What if I’m not using OS X 10.4 yet?
Leap-A will only work on systems running Tiger, due to its use of Spotlight.
How would this thing get on my machine?
The only way you can get the Leap-A malware on your machine is if you take some action to put it there yourself. You might receive a file from a buddy in iChat, or download something from the Internet, or open an attachment to an e-mail message. The program code is presently hiding in what claims to be pictures of OS X 10.5, Apple’s next major OS X upgrade. To get Leap-A on your machine, you must (a) receive the file, which is compressed; (b) expand the archive; and (c) double-click what appears to be an image file to execute the code. You cannot get the malware by simply browsing the Internet, reading e-mail, or chatting with friends in iChat.
What makes Leap-A trickier to detect, of course, is the fact that it’s disguised as something else. We have some advice below on how to avoid accidentally infecting your machine with Leap-A.
That said, I went looking for Leap-A to test how it behaves on a secured machine. It wasn’t easy to find, and even when I did find a version, its behavior didn’t seem to match that described by Andrew Welch. My applications were not infected, and nothing was sent via iChat. Of course, over time, other versions may be released with more widespread distribution, so my inability to readily find Leap-A may not always be the case.
Will Leap-A do bad things to my Mac?
In its current incarnation, the code doesn’t really do anything malicious, such as deleting files, changing permissions, or moving around applications. However, due to a bug in its code, Leap-A will prevent infected applications from running. The only solution to this problem is to install clean copies of the original applications. So your data isn’t at risk, at least as of now. Note that it will be relatively simple for variants of Leap-A to be released which could be much more malicious.
Is this a virus, a worm, malware, or a Trojan horse?
Technically, it’s a bit of everything. It’s a virus, in the sense that it attaches itself to other executable code on your Mac. It’s a worm, in that it attempts to self-replicate and spread from machine to machine. It’s a piece of malware, because it can do bad things to your computer. Basically, it’s a piece of malware that’s delivered via a Trojan horse and then acts in both viral and wormy ways.
In what manner is this a Trojan horse?
The program works through social engineering—it pretends to be a picture of something that lots of people would want to see to entice them to open it. In this case, it was reported to be images of Leopard, Apple’s upcoming OS X 10.5 release.
In what manner is this viral?
A virus is a self-replicating program that spreads by inserting copies of itself into other running apps. Leap-A does just that, through the use of the InputManagers folder, as described in Andrew Welch’s analysis. Eventually, it will infect any Cocoa application you launch. And, due to a bug in its code, those infected apps will no longer run! However, Leap-A is not a true virus, in that it cannot spread from machine to machine without human intervention.
In what manner is this thing a worm?
Leap-A’s only mission seems to be to try to spread itself to as many people as possible. The program creates a clean copy of itself, which it then tries to send to every user in your iChat buddy list. If those users accept the file, expand the archive, and then double-click the resulting image file, they will also be infected. Note again that human intervention is needed to help the worm spread.
How can I protect myself from Leap-A?
If you use Sophos Anti-Virus, Symantec’s Norton AntiVirus, or Intego’s VirusBarrier X4, all of those programs have already been updated to prevent Leap-A from being installed on your system. Remember that most anti-virus software will need to be updated for each version of an exploit, so make sure you keep your virus definitions current. If you are already infected, however, these programs may not eradicate the infection.
How can I tell if I have the Leap-A malware on my machine?
Open your user’s Library folder, then the InputManagers folder, and look for a folder named apphook . If it’s there, you have it. Note that future versions of the malware may change this name, so it might be worth noting what’s installed there now, just in case. Note that this folder is not a standard part of OS X, and you’ll only have it if you’ve installed certain add-on programs such as SafariStand, Sogudi, or Chax.
How do I get rid of it?
Delete the folder named apphook from your user’s Library/InputManagers folder. In the Finder, use Go: Go to Folder, and enter
/tmpas your destination. When this folder opens, delete latestpics.tgz from the folder. So much for the easy parts.
If you have infected applications that will not launch (although I couldn’t replicate this problem in my tests), your best bet is to reinstall those applications from their source CD or DVD—not from a backup, in case those apps were already infected.
All of my applications seem to be working, but I have the apphook folder. What should I do?
In theory, this means your machine is infected. However, based on my experiments, if your iChat buddies are not complaining about your sending them an unrequested file, your machine isn’t fully executing the program. On my test machine, the applications do not seem to be modified by Leap-A, so you’re done if you’ve removed apphook and the data file on /tmp.
What does Apple have to say about all this?
Here’s what the company told my colleague Peter Cohen:
Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file. Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust. We have a guide to safely handling files received from the Internet .
How else can I protect myself from Leap-A and its ilk?
Beyond using an anti-virus application, here are some simple things you can do to prevent infection:
Finally, you could take the step of changing the ownership on the InputManagers folder. This wouldn’t prevent the damage to the programs in the Application folder, but it would prevent the program from attempting to replicate via iChat. The easiest way to do this is to use Terminal, in Applications: Utilities. First, we need to make sure this folder exists, as it’s not installed by default. So just type
mkdir ~/Library/InputManagersand press Return. You’ll either get back the command prompt with no message, meaning the folder was created, or Terminal will tell you that the file already exists. In either case, you’re now ready for the next command:
sudo chown root:admin ~/Library/InputManagers
When you press Return, you’ll be asked for your admin user’s password. Enter it, and your InputManagers folder is now effectively blocked from access—by Leap-A, or any other piece of code that wants to place something there. If you plan on installing add-ons such as SafariStand or Sogudi for Safari, or Chax for iChat, you’ll need to temporarily return this folder to your ownership to do so. Before running those programs’ installers, do this in Terminal:
sudo chown your_user:your_user ~/Library/InputManagers
your_userwith your user’s short username. Now you can run the installer, then re-run the first command to switch ownership back to root. Since nothing else should be writing to this folder, this should not cause any day-to-day inconvenience, and seems like a good method of protection from this particular exploit.
In my testing, the script failed with an error when it tried to install its piece in the now-protected InputManagers folder, and didn’t seem to then run the remainder of the script. As noted above, however, I didn’t see the same behaviors that Andrew Welch saw, even though we were both running the same version of Leap-A.
The bottom line
If you practice “safe downloading,” then there’s really not much to worry about with this particular piece of code. However, it is a good reminder that you do need to be vigilant, as there are people out there who wish to do bad things to your machine. The good news is that Leap-A hasn’t revealed a security hole in OS X. Rather, it’s just a piece of software that does evil things after it tricks you into installing it on your machine.
The Leap-A malware does not mean that OS X is any less safe from viruses than it was prior to its release. Socially-engineered malware has always been possible, and will always be possible. If you can get a user to run something, then clearly, you can choose to do whatever you wish while your code is executing. While there are some things Apple can do to make us all even safer (for instance, InputManagers should not be installable without explicit permission), I still believe OS X is a very secure operating system, and I have no concerns about using it on a daily basis. Neither should you.