Utility software

Leap-A malware: what you need to know

The worst thing you can do whenever a virus scare hits is to panic. The second worst thing you can do is not keep yourself informed.

With reports of the Leap-A program infecting some Macs, it’s important to keep the news in perspective. While Leap-A has the potential for mischief, it’s not anything like a crippling Windows virus that periodically brings the rest of the computing world to its knees. More important, as explained below, this incident doesn’t expose a security hole in the Mac operating system. Rather, it’s a piece of malware that can be easily rebuffed by vigilant Mac users.

That said, it pays to keep on top of potentially harmful things like Leap-A. After a day of research and testing the malware for ourselves, here’s what you need to know about Leap-A.

What is Leap-A?

Leap-A—or Oompa Loompa, as it’s also known—is a potentially malicious program that’s disguised as a simple image file. This method of delivery is known as a Trojan horse, because it’s one thing pretending to actually be something else. In its present form, the code is hiding in a file named latestpics.tgz , which purports to be a picture of something interesting (OS X 10.5 spy shots, in this case). After expanding the compressed archive, and then double-clicking what appears to be an image file, the Leap-A malware will launch and install itself on your system.

Once installed, Leap-A does two things. First, it tries to send a version of itself to everyone on your iChat buddy list. All of your buddies will receive the standard iChat file transfer message, though you won’t see any activity on your end. Second, Leap-A will start infecting Cocoa applications on your machine, via an InputManager that it installs in your user’s directory. Each time you launch an infected Cocoa application, Leap-A will use OS X 10.4’s Spotlight search feature to find the four most-recently-used applications. If they’re Cocoa apps, Leap-A will infect them as well.

(If you’re not familiar with what exactly a Cocoa application is, Cocoa is a development environment for OS X applications. Most of Apple’s applications, and quite a few third-party programs, are written in Cocoa. Safari, Mail, Address Book, iCal, Terminal are some of Apple’s Cocoa applications; Camino, OmniWeb, and OmniGraffle are examples of third-party applications written in Cocoa.)

You’ll find a much deeper and more technical explanation of Leap-A in this analysis from Ambrosia Software founder Andrew Welch. He explains exactly what happens when you download, expand, and then run the program.

You said Leap-A uses Spotlight. What if I’m not using OS X 10.4 yet?

Leap-A will only work on systems running Tiger, due to its use of Spotlight.

How would this thing get on my machine?

The only way you can get the Leap-A malware on your machine is if you take some action to put it there yourself. You might receive a file from a buddy in iChat, or download something from the Internet, or open an attachment to an e-mail message. The program code is presently hiding in what claims to be pictures of OS X 10.5, Apple’s next major OS X upgrade. To get Leap-A on your machine, you must (a) receive the file, which is compressed; (b) expand the archive; and (c) double-click what appears to be an image file to execute the code. You cannot get the malware by simply browsing the Internet, reading e-mail, or chatting with friends in iChat.

What makes Leap-A trickier to detect, of course, is the fact that it’s disguised as something else. We have some advice below on how to avoid accidentally infecting your machine with Leap-A.

That said, I went looking for Leap-A to test how it behaves on a secured machine. It wasn’t easy to find, and even when I did find a version, its behavior didn’t seem to match that described by Andrew Welch. My applications were not infected, and nothing was sent via iChat. Of course, over time, other versions may be released with more widespread distribution, so my inability to readily find Leap-A may not always be the case.

Will Leap-A do bad things to my Mac?

In its current incarnation, the code doesn’t really do anything malicious, such as deleting files, changing permissions, or moving around applications. However, due to a bug in its code, Leap-A will prevent infected applications from running. The only solution to this problem is to install clean copies of the original applications. So your data isn’t at risk, at least as of now. Note that it will be relatively simple for variants of Leap-A to be released which could be much more malicious.

Is this a virus, a worm, malware, or a Trojan horse?

Technically, it’s a bit of everything. It’s a virus, in the sense that it attaches itself to other executable code on your Mac. It’s a worm, in that it attempts to self-replicate and spread from machine to machine. It’s a piece of malware, because it can do bad things to your computer. Basically, it’s a piece of malware that’s delivered via a Trojan horse and then acts in both viral and wormy ways.

In what manner is this a Trojan horse?

The program works through social engineering—it pretends to be a picture of something that lots of people would want to see to entice them to open it. In this case, it was reported to be images of Leopard, Apple’s upcoming OS X 10.5 release.

In what manner is this viral?

A virus is a self-replicating program that spreads by inserting copies of itself into other running apps. Leap-A does just that, through the use of the InputManagers folder, as described in Andrew Welch’s analysis. Eventually, it will infect any Cocoa application you launch. And, due to a bug in its code, those infected apps will no longer run! However, Leap-A is not a true virus, in that it cannot spread from machine to machine without human intervention.

In what manner is this thing a worm?

Leap-A’s only mission seems to be to try to spread itself to as many people as possible. The program creates a clean copy of itself, which it then tries to send to every user in your iChat buddy list. If those users accept the file, expand the archive, and then double-click the resulting image file, they will also be infected. Note again that human intervention is needed to help the worm spread.

How can I protect myself from Leap-A?

If you use Sophos Anti-Virus, Symantec’s Norton AntiVirus, or Intego’s VirusBarrier X4, all of those programs have already been updated to prevent Leap-A from being installed on your system. Remember that most anti-virus software will need to be updated for each version of an exploit, so make sure you keep your virus definitions current. If you are already infected, however, these programs may not eradicate the infection.

How can I tell if I have the Leap-A malware on my machine?

Open your user’s Library folder, then the InputManagers folder, and look for a folder named apphook . If it’s there, you have it. Note that future versions of the malware may change this name, so it might be worth noting what’s installed there now, just in case. Note that this folder is not a standard part of OS X, and you’ll only have it if you’ve installed certain add-on programs such as SafariStand, Sogudi, or Chax.

How do I get rid of it?

Delete the folder named apphook from your user’s Library/InputManagers folder. In the Finder, use Go: Go to Folder, and enter

/tmp
as your destination. When this folder opens, delete latestpics.tgz from the folder. So much for the easy parts.

If you have infected applications that will not launch (although I couldn’t replicate this problem in my tests), your best bet is to reinstall those applications from their source CD or DVD—not from a backup, in case those apps were already infected.

All of my applications seem to be working, but I have the apphook folder. What should I do?

In theory, this means your machine is infected. However, based on my experiments, if your iChat buddies are not complaining about your sending them an unrequested file, your machine isn’t fully executing the program. On my test machine, the applications do not seem to be modified by Leap-A, so you’re done if you’ve removed apphook and the data file on /tmp.

What does Apple have to say about all this?

Here’s what the company told my colleague Peter Cohen:

Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file. Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust. We have a guide to safely handling files received from the Internet .

How else can I protect myself from Leap-A and its ilk?

Beyond using an anti-virus application, here are some simple things you can do to prevent infection:

  • Only download software from known and trusted sites, such as MacUpdate and VersionTracker. Even when using sites such as these, however, take the time to read comments from other posters before downloading a new application.
  • After expanding any archive, look at its icon in the Finder before launching the expanded program. In this case, you’d see something like the picture at right (though you might see an actual preview of the JPEG, instead of the generic OS X image icon). Notice that the Kind row states that this is a Unix executable, even though the Finder seems to show that it’s an image. This should be a tip off to not open this file!
  • Running as a non-admin user would also work—to a point. The way this particular program works, as soon as you enter your admin user’s password for any task, the code will be able to execute. So to be 100-percent safe, you’d have to run as a non-admin user, and then physically login to the admin account whenever you wanted to do something admin-like. Entering your password as the non-admin will grant admin-level access to the code (for the next five minutes, due to the built-in OS X timeout on admin access), which will always be running when you’ve got a Cocoa application open. So if you’re going to run as a non-admin, you’ll have to do it 100-percent of the time, and never provide the admin password when asked. This could prove difficult in daily practice, though OS X’s fast user-switching feature makes it somewhat easier.
  • Finally, you could take the step of changing the ownership on the InputManagers folder. This wouldn’t prevent the damage to the programs in the Application folder, but it would prevent the program from attempting to replicate via iChat. The easiest way to do this is to use Terminal, in Applications: Utilities. First, we need to make sure this folder exists, as it’s not installed by default. So just type

    mkdir ~/Library/InputManagers
    and press Return. You’ll either get back the command prompt with no message, meaning the folder was created, or Terminal will tell you that the file already exists. In either case, you’re now ready for the next command:

    sudo chown root:admin ~/Library/InputManagers

    When you press Return, you’ll be asked for your admin user’s password. Enter it, and your InputManagers folder is now effectively blocked from access—by Leap-A, or any other piece of code that wants to place something there. If you plan on installing add-ons such as SafariStand or Sogudi for Safari, or Chax for iChat, you’ll need to temporarily return this folder to your ownership to do so. Before running those programs’ installers, do this in Terminal:

    sudo chown your_user:your_user ~/Library/InputManagers

    Replace

    your_user
    with your user’s short username. Now you can run the installer, then re-run the first command to switch ownership back to root. Since nothing else should be writing to this folder, this should not cause any day-to-day inconvenience, and seems like a good method of protection from this particular exploit.

    In my testing, the script failed with an error when it tried to install its piece in the now-protected InputManagers folder, and didn’t seem to then run the remainder of the script. As noted above, however, I didn’t see the same behaviors that Andrew Welch saw, even though we were both running the same version of Leap-A.

    The bottom line

    If you practice “safe downloading,” then there’s really not much to worry about with this particular piece of code. However, it is a good reminder that you do need to be vigilant, as there are people out there who wish to do bad things to your machine. The good news is that Leap-A hasn’t revealed a security hole in OS X. Rather, it’s just a piece of software that does evil things after it tricks you into installing it on your machine.

    The Leap-A malware does not mean that OS X is any less safe from viruses than it was prior to its release. Socially-engineered malware has always been possible, and will always be possible. If you can get a user to run something, then clearly, you can choose to do whatever you wish while your code is executing. While there are some things Apple can do to make us all even safer (for instance, InputManagers should not be installable without explicit permission), I still believe OS X is a very secure operating system, and I have no concerns about using it on a daily basis. Neither should you.

    recommended for you

    Leap-A FAQ

    Read more »

    Subscribe to the Help Desk Newsletter

    Comments