Leap.A, The OS X Virus

I’ve been following the news on this one since it started on macrumors.com, and now F-Secure have classed this one as a virus. The file in question is named “latestpics.tgz”, and when it was initially posted it was advertised as being pictures of the upcoming “Mac OS X Leopard”, also known as “OS X 10.5”.

You can’t simply get infected with this virus; there are certain things you have to do for it to infect your Mac. That is still a worry, as a lot of people will be really interested in seeing the pictures of the new OS X, and will undoubtedly go through the steps needed to infect their beloved Mac. If you somehow come across this file, whether it was sent to you via e-mail or iChat or you found it somewhere to download, DO NOT perform these steps, otherwise you will become infected!

- Double-click on the file to decompress it
- Double-click on the resulting file to “open” it

If you are running as a non-admin user and you do go through the steps above, it will still infect some files, though not as badly as if you are running as an admin user, as it needs admin rights to be able to infect certain files.

This is a brilliant attempt at social engineering more than anything, as the virus is not capable of self-propagating at all; it relies solely on users actually going through the steps mentioned above. Another important note is that there is a bug in the code that prevents this virus from working as it was intended to, which is good for anyone running OS X, but bad in the sense that it will stop certain applications from launching once you are infected. This virus does not exploit any security holes in OS X at all; as I mentioned above, it relies purely on the user trying to see what’s in the compressed file.

A brief rundown on the contents of the file:

Once the file has been unzipped, tar will let you know that there are 2 files contained within, namely:

- ._latestpics
- latestpics

The ._latestpics file is actually the resource fork of the file, which has had its icon changed to make it look like a JPEG file, thereby fooling users into trying to open it. The following from Andrew Welch gives a really decent breakdown of what exactly the virus does:

“1) It copies itself to /tmp as “latestpics”
2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip’d copy, then sets custom icon bit for the new file in /tmp
3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
4) It renames itself from “latestpics.tar.gz” to “latestpics.tgz” then deletes the copied “latestpics” executable from /tmp

–This gives it a pristine copy of itself, for later transmission.–

5) It extracts an Input Manager called “apphook.bundle” that is embedded in the macho executable, and copies it to /tmp
6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

–This allows it to have the code in the “apphook.bundle” injected into any subsequently launched application via the InputManager mechanism–

8a) When an application is subsequently launched, the “apphook.bundle” Input Manager then appears to try to send the pristine “latestpics.tgz” file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats).

8b) (It looks like the author intended to get it to send the “latestpics.tgz” file out via eMail as well, but never got around to writing that code)

–This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally–

9) It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
10) In an apparent “Charlie and the Chocolate Factory” reference, it then checks to see if the xattr ‘oompa’ of the application executable is > 0… if so, it bails out, to prevent it from re-infecting an already infected application
11) If not, it sets the xattr ‘oompa’ of the application executable to be ‘loompa’ (this does nothing, it is just a marker that it has infected this app)
12) It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan

nb: If run via double-clicking on the file, and the user doesn’t have privileges to modify an application, it silently fails. If run via the command line, it will ask for the admin password if it encounters an application for which it doesn’t have privileges to modify.

–It has thus effectively injected its code in the host application–

13) When an infected application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate itself to other applications
14) It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory… see below)
15) Due to a bug in its code for executing the original app from its resource fork (it is only allocating a buffer 4 bytes bigger than the path when appending “/..namedfork/rsrc” to the path), it will stop any app it infects from running. Instead of adding the length of the string, it errantly adds the length of the pointer to the string, which is always 4 bytes.

In the end, it doesn’t appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running.”

Here is a disassembly of the executable if you’re interested; this is only the main executable portion of the code, not the embedded “apphook” InputManager code.
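As an added defender’s check (my own example, not code from this post or from Andrew Welch), the following Python looks for the on-disk markers the breakdown above lists: the “apphook.bundle” Input Manager in either InputManagers folder, the staged “latestpics” copy in /tmp, and the ‘oompa’ = ‘loompa’ extended attribute on application executables. The `xattr -p` reader, the folder layout and the constructed fixture are assumptions made for illustration.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Optional

# Names quoted in the breakdown above; everything else in this example is an assumption.
APPHOOK = "apphook.bundle"                    # the dropped Input Manager (steps 5-6)
TMP_DROPS = ("latestpics.tgz", "latestpics")  # the staged pristine copy in /tmp (steps 1-4)
XATTR_NAME, XATTR_VALUE = "oompa", b"loompa"  # the re-infection marker (steps 10-11)

def read_xattr_macos(path: str, name: str) -> Optional[bytes]:
    """Read one extended attribute via the macOS `xattr -p` tool; None if absent or unavailable."""
    try:
        out = subprocess.run(["xattr", "-p", name, path], capture_output=True, check=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None
    return out.stdout.rstrip(b"\n")

def scan_leap_markers(system_root: str, home: str, tmp: str, app_dirs: Iterable[str],
                      read_xattr: Callable[[str, str], Optional[bytes]] = read_xattr_macos) -> List[str]:
    """Return one 'kind:path' string per marker present; an empty list means nothing was found."""
    findings: List[str] = []
    for base in (system_root, home):  # step 6a (root-owned) and step 6b (per-user) drop sites
        p = Path(base) / "Library" / "InputManagers" / APPHOOK
        if p.exists():
            findings.append(f"input-manager:{p}")
    for name in TMP_DROPS:
        p = Path(tmp) / name
        if p.exists():
            findings.append(f"tmp-drop:{p}")
    for d in app_dirs:  # an infected app's main executable carries oompa=loompa
        for exe in sorted(Path(d).glob("*.app/Contents/MacOS/*")):
            if exe.is_file() and read_xattr(str(exe), XATTR_NAME) == XATTR_VALUE:
                findings.append(f"infected-app:{exe}")
    return findings

def constructed_fixture() -> Dict[str, str]:
    """Constructed sample layout (not a real infection); 'marked' is the app to report as infected."""
    d = Path(tempfile.mkdtemp())
    (d / "home" / "Library" / "InputManagers" / APPHOOK).mkdir(parents=True)
    (d / "tmp").mkdir()
    (d / "tmp" / "latestpics.tgz").write_bytes(b"constructed, not a real tarball")
    for app in ("Safari", "Mail"):
        macos = d / "Applications" / f"{app}.app" / "Contents" / "MacOS"
        macos.mkdir(parents=True)
        (macos / app).write_bytes(b"\xca\xfe")  # placeholder bytes, not a real Mach-O
    paths = {k: str(d / k) for k in ("root", "home", "tmp", "Applications")}
    paths["marked"] = str(d / "Applications" / "Safari.app" / "Contents" / "MacOS" / "Safari")
    return paths
```

On a real Mac call `scan_leap_markers("/", str(Path.home()), "/tmp", ["/Applications"])` with the default reader; the fixture exists only so the check can be exercised offline with a table-driven reader in place of `xattr`.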

    • http://www.f-secure.com/weblog Mikko

      Hi, this is Mikko from F-Secure.

      Comment on this comment: “It seems rather odd that F-Secure is labelling this as a virus as it really is more of a trojan than a virus, or a virus with rather non-virulent properties at best.”

      Trojan horses do not spread. Leap.A does. The way it spreads over iChat makes it a worm. And all worms are a subgroup of a larger group of malware that self-replicates, i.e. viruses.

      So Leap.A is a virus. Apple fans and Apple themselves are trying to cry out that it’s not a virus – because they don’t like the idea that OS X now has viruses. But it does.

      Mikko

    • http://www.xyberpix.com xyberpix

      Hey Mikko,

      Ok, I do see your point, and I agree with you. But this will only propagate if the user has ever used iChat, or has any iChat addresses in Addressbook.app, is that not correct?
      So in the case of a user using Messenger or Gaim, there is no way that this would propagate, and it would therefore be reduced to trojan status, is that not correct, or have I missed something? Thanks for the comment btw. ;-)

    • http://www.f-secure.com/weblog Mikko

      If iChat replication doesn’t work for any reason (for example, if user doesn’t have it at all), Leap.A would still be a virus.

      It searches for programs on the local drive and replaces the main executable of those applications with itself and saves the original file to a resource fork with the same filename.

      Such an infection would spread to other Mac OS X computers when users would share programs (i.e. here’s a copy of this game for you on a USB stick/email attachment/CD-ROM/whatever).

      This is exactly the same way old PC viruses (like CIH) used to work.

    • http://www.xyberpix.com xyberpix

      Hey Mikko,

      Ok, now that all makes sense, thank you for clearing that up. Going to edit the post now, based on the info that you’ve given. So anyone reading this now, the original entry has been modified, as I was incorrect in saying that this is more a trojan than a virus.
      If this is being compared to old PC viruses, then things could get interesting in time. F-Secure AV for OS X?
      Thanks again, really appreciate it.

    • rta

      xyberpix,

      I would think that a piece of malware should not be categorized based on what programs a user has on their computer. I’d base its category on what its capabilities are. If it doesn’t propagate because certain things are needed on the host but aren’t there, that doesn’t mean that it couldn’t on another system that does have the required components.

    • http://www.xyberpix.com xyberpix

      Yeah ok, I asked for it ;-)
      rta, seriously though, I didn’t mean to classify it based on what programs a user has installed; I realize that I could have worded that a hell of a lot better than I did. What I meant was that on that computer it would be reduced to trojan status. I see your point though.

    • http://www.angryfrozenhead.com/ Robert

      Apple’s advice is VERY dangerous. Read this to see why

    • All

      Hi,
      I just wonder about the latest virus, which effectively shut down all online activity of Chase Manhattan Bank. In total disregard of Chase’s attempts to keep it out of the news, it still gets out to the public.
      How this will affect us coverage in general?
      Thanks