By Rob Griffiths, Macworld, Feb 15, 2006 4:00 pm PST
Q: What is this Leap-A / Oompa Loompa thing? A: Leap-A is a potentially malicious program that’s disguised as a simple image file. This method of delivery is known as a trojan horse, because it’s one thing pretending to actually be something else. In its present form, the code is hiding in a file named latestpics.tgz, which purports to be a picture of something interesting (OS X 10.5 spy shots, for instance). After expanding the compressed archive, and then double-clicking what appears to be an image file, the Leap-A malware will be run, and install itself on your system.
Once installed, Leap-A does two things. First, it tries to send a version of itself to everyone on your iChat buddy list. All of your buddies will receive the standard iChat file transfer message, though you won’t see any activity on your end. Second, it will start infecting Cocoa applications on your machine, via an InputManager that it installs in your user’s directory. Each time you launch an infected Cocoa application, Leap-A will use Spotlight to find the four most-recently-used applications, and if they’re Cocoa apps, infect them as well.
A much deeper, better, and more technical explanation can be found in this analysis, written by Ambrosia’s founder, Andrew Welch. He explains exactly what happens when you download, expand, and then run the program.
Q: How would this thing get on my machine? A: The only way you can get the Leap-A malware on your machine is if you take some action to put it there yourself. You might receive a file from a buddy in iChat, or download something from the net, or open an attachment to an email message. The program code is presently hiding in what claims to be pictures of OS X 10.5, Apple’s next major OS X upgrade. To get Leap-A on your machine, you must (a) receive the file, which is compressed; (b) expand the archive; and (c) double-click what appears to be an image file to execute the code. You cannot get the malware by simply browsing the net, reading email, or chatting with friends in iChat.
What makes it trickier to detect, of course, is the fact that it’s disguised as something else. Below we have some advice on how to avoid accidentally infecting your machine with Leap-A.
With that said, we went looking for Leap-A, in order to test on a secured machine. It wasn’t easy to find, and even when we did find a version, its behavior didn’t seem to match that described by Andrew Welch—our applications were not infected, and nothing was sent via iChat. So even though we were looking for it, it was hard to find. Of course, over time, other versions may be released with more widespread distribution, so this may not always be the case.
Q: Will this thing do bad things to my Mac? A: The code, in its current incarnation, doesn’t really do anything malicious. However, due to a bug in its code, it will prevent infected applications from running. The only solution to this problem is to install clean copies of the original applications. So your data isn’t at risk, at least as of now. Note that it will be relatively simple for variants of Leap-A to be released which could be much more malicious.
Q: Is this a virus, a worm, malware, or a trojan horse? A: Technically, it’s a bit of everything. It’s a virus, in the sense that it attaches itself to other executable code on your Mac. It’s a worm, in that it attempts to self-replicate and spread from machine to machine. It’s a piece of malware, because it can do bad things to your computer. Basically, it’s a piece of malware that’s delivered via a trojan horse and then acts in both viral and wormy ways.
Q: In what manner is this a trojan horse? A: The program works through social engineering—it pretends to be a picture of something that lots of people would want to see, to entice them to open it. In this case, it was reported to be images of Leopard, Apple’s upcoming OS X 10.5 release.
Q: In what manner is this viral? A: A virus is a self-replicating program that spreads by inserting copies of itself into other running apps. Leap-A does just that, through the use of the InputManagers folder, as described in Andrew Welch’s analysis. Eventually, it will infect any Cocoa application you launch. And, due to a bug in its code, those infected apps will no longer run! However, it’s not a true virus, in that it cannot spread from machine to machine without human intervention.
Q: In what manner is this thing a worm? A: Leap-A’s only mission seems to be to try to spread itself to as many people as possible. The program creates a clean copy of itself, which it then tries to send to every user in your iChat buddy list. If those users accept the file, expand the archive, and then double-click the resulting image file, they will also be infected. Note again that human intervention is needed to help the worm spread.
Q: How can I protect myself from Leap-A? A: If you use Sophos, Symantec, or Intego’s anti-virus product, all of them have already been updated to prevent Leap-A from being installed on your system. Note that most anti-virus software will need to be updated for each version of an exploit, so make sure you keep your virus definitions current. If you are already infected, however, these programs may not eradicate the infection. See below for some steps to take to clean your system.
Beyond using an anti-virus application, here are some simple things you can do to prevent infection:
Only download software from known and trusted sites, such as MacUpdate and VersionTracker. Even when using sites such as these, however, take the time to read comments from other posters before downloading a new application.
After expanding any archive, look at its icon in the Finder before launching the expanded program. In this case, you’d see something like the picture at right (though you might see an actual preview of the JPEG, instead of the generic OS X image icon). Notice that the Kind row states that this is a Unix executable, even though the Finder seems to think it’s an image. This should be a tip-off to not open this file!
Running as a non-admin user would also work—to a point. The way this particular program works, as soon as you enter your admin user’s password for any task, the code will be able to execute. So to be 100% safe, you’d have to run as a non-admin user, and then physically log in to the admin account whenever you wanted to do something admin-like. Entering your password as the non-admin will grant admin-level access to the code (for the next five minutes, due to the built-in OS X timeout on admin access), which will always be running when you’ve got a Cocoa application open. So if you’re going to run as a non-admin, you’ll have to do it 100% of the time, and never provide the admin password when asked. This could prove difficult in daily practice, though fast user switching makes it somewhat easier.
Finally, you could take the step of changing the ownership on the InputManagers folder. This wouldn’t prevent the initial damage to the programs in the Application folder, but it would prevent the infection of additional programs. With the InputManagers folder blocked, Leap-A would not be able to install the Input Manager which then infects other programs. You would wind up with at most four infected Cocoa applications. The easiest way to do this is to use Terminal, in Applications -> Utilities. First, we need to make sure this folder exists, as it’s not installed by default. So just type mkdir ~/Library/InputManagers and press Return. You’ll either get back the command prompt with no message, meaning the folder was created, or Terminal will tell you that the file already exists. In either case, you’re now ready for the next command:
sudo chown root:admin ~/Library/InputManagers
When you press Return, you’ll be asked for your admin user’s password. Enter it, and your InputManagers folder is now effectively blocked from access—by Leap-A, or any other piece of code that wants to place something there. If you plan on installing add-ons such as SafariStand or Sogudi for Safari, or Chax for iChat, you’ll need to temporarily return this folder to your ownership to do so. Before running those programs’ installers, do this in Terminal:
Replace your_user with your user’s short username. Now you can run the installer, then re-run the first command to switch ownership back to root. Since nothing else should be writing to this folder, this should not cause any day-to-day inconvenience, and seems like a good method of protection from this particular exploit.
In our testing, the script failed with an error when it tried to install its piece in the now-protected InputManagers folder, and didn’t seem to then run the remainder of the script. As noted above, however, we didn’t seem to have the same version that Andrew Welch was testing, so this may not be the case for other variants of Leap-A.
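The Kind-row check from the tips above can also be done in Terminal by reading a file's leading bytes instead of trusting its name or icon. The script below is an added example, not part of the original article; the function names and the list of magic numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: classify files in an expanded archive by content,
# not by extension or Finder icon.

# Print the first four bytes of a file as lowercase hex (e.g. "ffd8ffe0").
magic_of() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Print "executable", "image" or "other" for one file.
classify_file() {
    m=$(magic_of "$1")
    case "$m" in
        # Mach-O: 32/64-bit in either byte order, plus universal binaries
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) echo executable ;;
        2321*)    echo executable ;;   # "#!" script
        ffd8ff*)  echo image ;;        # JPEG
        89504e47) echo image ;;        # PNG
        47494638) echo image ;;        # GIF
        *)
            # Unknown content: fall back to the execute permission bit,
            # which is what makes Finder report "Unix executable".
            if [ -x "$1" ]; then echo executable; else echo other; fi
            ;;
    esac
}

# List every regular file under a directory whose content is executable.
list_executables() {
    find "$1" -type f | while IFS= read -r f; do
        if [ "$(classify_file "$f")" = executable ]; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run `list_executables` on the folder an archive expanded into; anything it prints that you expected to be a picture should not be opened.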
Q: How can I tell if I have the Leap-A malware on my machine? A: Open your user’s Library folder, then the InputManagers folder, and look for a folder named apphook. If it’s there, you have it.
Q: If I have the Leap-A malware on my machine, how do I get rid of it? A: Delete the folder named apphook from your user’s Library/InputManagers folder. In the Finder, use Go: Go to Folder, and enter /tmp as your destination. When this folder opens, delete latestpics.tgz from the folder. So much for the easy parts.
If you have infected applications that will not launch (note we were unable to replicate this issue), your best bet is to reinstall them from their source CD or DVD—not from a backup, in case those apps were already infected. If all of your applications seem to be working, but you have the apphook folder, what should you do? In theory, this means your machine is infected. However, based on our experiments, if your iChat buddies are not complaining about your sending them an unrequested file, you probably have the same variant that we found. In this particular version, the applications do not seem to be modified by Leap-A, so you’re done if you’ve removed apphook and the data file on /tmp.
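The two traces named above (the apphook folder and latestpics.tgz in /tmp) can be checked from Terminal in one step, along with whether the InputManagers folder has been handed to root as described earlier. This is an added example, not part of the original article; the function name and its two optional arguments are assumptions.

```shell
#!/bin/sh
# Added example: look for the Leap-A traces this article describes.
# Hypothetical interface: $1 = home directory (default $HOME),
#                         $2 = temp directory (default /tmp).
# Returns 0 if neither trace is present, 1 if at least one is found.

leap_a_check() {
    home=${1:-$HOME}
    tmp=${2:-/tmp}
    im="$home/Library/InputManagers"
    status=0

    # Trace 1: the apphook folder inside the user's InputManagers folder.
    if [ -d "$im/apphook" ]; then
        echo "FOUND: $im/apphook"
        status=1
    fi

    # Trace 2: the archive left behind in the temp directory.
    if [ -e "$tmp/latestpics.tgz" ]; then
        echo "FOUND: $tmp/latestpics.tgz"
        status=1
    fi

    # Hardening state: after the chown step the folder is owned by uid 0 (root).
    if [ -d "$im" ]; then
        owner=$(ls -ldn "$im" | awk '{print $3}')
        if [ "$owner" = 0 ]; then
            echo "OK: $im is owned by root"
        else
            echo "NOTE: $im is owned by uid $owner, not root"
        fi
    else
        echo "NOTE: $im does not exist"
    fi

    return $status
}
```

Calling `leap_a_check` with no arguments checks the current user's account; a non-zero exit status means one of the two traces is present and the removal steps above apply.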
The Bottom Line
If you practice ‘safe downloading,’ then there’s really not much to worry about with this particular piece of code. However, it is a good reminder that you do need to be vigilant, as there are people out there who wish to do bad things to your machine. The good news is that Leap-A hasn’t revealed a security hole in OS X. Rather, it’s just a piece of software that does evil things after it tricks you into installing it on your machine.
The Leap-A malware does not mean that OS X is any less safe from viruses than it was prior to its release. Socially-engineered malware has always been possible, and will always be possible. If you can get a user to run something, then clearly, you can choose to do whatever you wish while your code is executing. While there are some things Apple can do to make us all even safer (for instance, InputManagers should not be installable without explicit permission), I still believe OS X is a very secure operating system, and I have no concerns about using it on a daily basis.