Press Releases

16 Feb 2006

First ever virus for Mac OS X discovered

OSX/Leap-A worm spreads via iChat instant messaging software

Graham Cluley

We first published information about the discovery of the first Mac OS X virus in February 2006. Because of the large number of people visiting this webpage to investigate the malware threat on Apple Macintoshes, we have expanded the page to include information about other Mac threats.

Graham Cluley - Senior Technology Consultant

Podcast: Big Mac attack or super-sized hype?

Original article

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.

The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users' buddy list. When the latestpics.tgz archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.

The worm uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files.
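The infection marker described above is also a usable triage indicator for defenders. The following Python script, added here as an illustration and not code from Sophos or from the press release, walks a directory and reports every file whose resource fork contains the "oompa" string. It assumes the marker is stored as that plain ASCII text and uses the macOS `<file>/..namedfork/rsrc` path convention to read the resource fork; on platforms that do not expose forks it falls back to the data fork, which is a looser check and can produce false positives.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Infection marker quoted in the press release. Assumption: it is stored
# as this plain ASCII string inside the resource fork of an infected program.
LEAP_MARKER = b"oompa"

# Read at most this many bytes per fork so one huge binary cannot exhaust memory.
READ_LIMIT = 4 * 1024 * 1024


def has_marker(data: bytes) -> bool:
    """True if the Leap-A infection marker occurs anywhere in the bytes."""
    return LEAP_MARKER in data


def read_fork(path: Path, limit: int = READ_LIMIT) -> bytes:
    """Return the resource fork of `path` where the platform exposes one
    (macOS maps it to <file>/..namedfork/rsrc). Where that path cannot be
    opened, fall back to the data fork, which is a looser check."""
    rsrc = path / "..namedfork" / "rsrc"
    try:
        with open(rsrc, "rb") as fh:
            return fh.read(limit)
    except OSError:
        # Platform without resource forks (e.g. Linux): scan the data fork instead.
        pass
    with open(path, "rb") as fh:
        return fh.read(limit)


def scan_tree(root: Path) -> List[Path]:
    """Walk `root` and return every regular file carrying the marker, sorted."""
    hits: List[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            candidate = Path(dirpath) / name
            # Skip symlinks so a planted link cannot steer the scan elsewhere.
            if candidate.is_symlink() or not candidate.is_file():
                continue
            try:
                data = read_fork(candidate)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if has_marker(data):
                hits.append(candidate)
    return sorted(hits)


def demo() -> List[str]:
    """Constructed sample: one clean file and one carrying the marker
    (the contents are invented for this example, not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.app").write_bytes(b"\xca\xfe\xba\xbe program body")
        (root / "infected.app").write_bytes(b"\xca\xfe\xba\xbe program body oompa")
        return [hit.name for hit in scan_tree(root)]


if __name__ == "__main__":
    print("files carrying the marker:", demo())
```

A hit from this script is a reason to pull the file for analysis, not a verdict on its own: the marker only identifies files Leap-A has already touched, and a short string match cannot replace an up-to-date anti-virus signature.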

"Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant for Sophos. "Mac users shouldn't think it's okay to lie back and not worry about viruses."

Sophos customers have been automatically protected against the worm since 12:25 GMT, 16 February 2006.

"This is the first real virus for the Mac OS X platform," continued Cluley. "Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."

Sophos advises all computer users, whether running PCs or Macs, to practise safe computing and keep their anti-virus software updated.

Is Leap-A a virus or a Trojan?

Some members of the Apple Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside).

However, this is not the definition of a Trojan horse.

A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism for spreading themselves. They have to be deliberately planted on a website, accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan's code to distribute it further to other victims.

Trojan horses do not contain any code to distribute or spread themselves; viruses and worms do.

OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform. Worms are a subcategory of the group of malware known as viruses.

Therefore, it is correct to call OSX/Leap-A a virus or a worm. It is not correct to call OSX/Leap-A a Trojan horse.

Mac virus timeline

1982: 15-year-old student Rich Skrenta wrote the Elk Cloner virus, capable of infecting the boot sector of Apple II computers, predating viruses for IBM PCs by some years.

1987: The nVIR virus began to infect Macs, spreading mainly by floppy disk. Source code was later made available, causing a rash of variants.

1988: HyperCard viruses emerged that could run on versions of Apple's Mac OS 9. One version showed the message "Dukakis for President" before self-destructing.

1990: The MDEF virus (aka Garfield) emerged, infecting application and system files on the Mac.

1995: Microsoft accidentally shipped the first ever Word macro virus, Concept, on CD ROM. It infected both Macs and PCs. Thousands of macro viruses followed, many affecting Microsoft Office for Mac.

1996: Laroux, the first Excel virus, was released. Mac users were unaffected until the release of Excel 98 meant Macs could become infected.

1998: Sevendust, also known as 666, infected applications on Apple Mac computers.

2004: The Renepo script worm attempted to disable Mac OS X security, downloaded hacking tools to affected computers, and gave criminals admin rights to the Apple Macintosh. Hackers also wrote a proof-of-concept program called Amphimix which demonstrated how executable code could be disguised as an MP3 music file on an Apple Mac.

2006: Leap-A, the first ever virus for Mac OS X was discovered. Leap-A can spread via iChat. The Inqtana worm and proof-of-concept virus soon followed.

2007: Sophos discovered an OpenOffice multi-platform macro worm capable of running on Windows, Linux and Mac computers. The BadBunny worm dropped Ruby script viruses on Mac OS X systems, and displayed an indecent JPEG image of a man wearing a rabbit costume. Sophos reported the first financial malware for Mac. The gang developed both Windows and Mac versions of their malware.

2008: Cybercriminals targeted Mac and PC users in equal measure by planting poisoned adverts on TV-related websites. If accessed via an Apple Mac, surfers would be attacked by a piece of Macintosh scareware called MacSweeper. In June, the OSX/Hovdy-A Trojan horse was discovered; it could steal passwords from Mac OS X users, open the firewall to give access to hackers, and disable security settings. Troj/RKOSX-A was discovered: a Mac OS X tool to help hackers create backdoor Trojans, which can give them access to and control over your Apple Mac computer. In November, Sophos warned of the Jahlav Trojan, and Apple issued a support advisory urging customers to run anti-virus software.

2009: In January 2009, hackers began to distribute the OSX/iWorkS-A Trojan horse via BitTorrent inside pirated versions of Apple's iWork '09 software suite. In the same month, a new variant of the Trojan was distributed in a pirated version of Adobe Photoshop CS4. In March, Sophos reported on how hackers were planting versions of the RSPlug Trojan horse on websites, posing as an HDTV program called MacCinema. In June, SophosLabs discovered a new version of the Tored email worm for Mac OS X, and hackers planted a version of the Jahlav Mac Trojan horse on a website posing as a portal for hardcore porn videos. Shortly afterwards, the Twitter account of celebrity blogger Guy Kawasaki had a malicious link posted onto it, claiming to point to a sex video of Gossip Girl actress Leighton Meester. In reality, however, the link led unsuspecting users to malware which could infect Mac users.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.