We first published information about the discovery of the first Mac OS X virus in February 2006. Because of the large number of people visiting this webpage to investigate the malware threat on Apple Macintoshes, we have expanded the page to include information about other Mac threats.
Graham Cluley - Senior Technology Consultant
Original article
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A), spreads via instant messaging systems.
Free anti-virus for Mac
Why not download Sophos Anti-Virus for Mac Home Edition? It's free, easy and won't slow down your Mac.
The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to the contacts on the infected user's buddy list. When the latestpics.tgz archive is opened on a computer, its contents are disguised with a JPEG graphic icon in an attempt to fool people into thinking the file is harmless.
The worm uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files.
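As an added example (not Sophos's code), the following Python scanner turns the worm's own reinfection check into a detection: it reads each file's resource fork through the macOS ..namedfork/rsrc pseudo-path and flags files whose fork carries the "oompa" marker, and also flags the latestpics.tgz archive by name. The fork reader is injectable so the logic can be exercised on a constructed set of forks without a Mac; the paths and fork contents in the test are constructed.

```python
import os
from typing import Callable, Dict, Iterable, List, Optional

# Values quoted in the article: the reinfection marker and the worm's archive name.
INFECTION_MARKER = b"oompa"
LEAP_ARCHIVE_NAME = "latestpics.tgz"

ForkReader = Callable[[str], Optional[bytes]]


def read_resource_fork(path: str) -> Optional[bytes]:
    """Return the raw resource fork of ``path``, or None if there is none.

    macOS exposes the fork at ``<file>/..namedfork/rsrc``; on a filesystem
    without forks the open() fails, which is treated as "no fork".
    """
    try:
        with open(os.path.join(path, "..namedfork", "rsrc"), "rb") as fh:
            return fh.read()
    except OSError:
        return None


def has_marker(fork: Optional[bytes], marker: bytes = INFECTION_MARKER) -> bool:
    """True if the infection marker appears anywhere in the fork bytes."""
    return bool(fork) and marker in fork


def classify(path: str, fork: Optional[bytes]) -> List[str]:
    """Return the reasons (possibly none) for flagging one file."""
    reasons = []
    if os.path.basename(path) == LEAP_ARCHIVE_NAME:
        reasons.append("filename matches the Leap-A archive")
    if has_marker(fork):
        reasons.append("infection marker found in resource fork")
    return reasons


def scan_paths(paths: Iterable[str],
               reader: ForkReader = read_resource_fork) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean files are omitted."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        reasons = classify(path, reader(path))
        if reasons:
            findings[path] = reasons
    return findings


def scan_tree(root: str, reader: ForkReader = read_resource_fork) -> Dict[str, List[str]]:
    """Walk ``root`` and scan every regular file found underneath it."""
    files = (os.path.join(d, f) for d, _, names in os.walk(root) for f in names)
    return scan_paths(files, reader)
```

A match is a lead for manual inspection rather than proof of infection, since nothing stops an unrelated file from containing the same five bytes in its fork.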
"Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant for Sophos. "Mac users shouldn't think it's okay to lie back and not worry about viruses."
Sophos customers have been automatically protected against the worm since 12:25 GMT, 16 February 2006.
"This is the first real virus for the Mac OS X platform," continued Cluley. "Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."
Sophos advises all computer users, whether running PCs or Macs, to practise safe computing and keep their anti-virus software updated.
Is Leap-A a virus or a Trojan?
Some members of the Apple Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside).
However, requiring user interaction is not what defines a Trojan horse.
A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism for spreading themselves. They have to be deliberately planted on a website, accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan's code to distribute itself further to other victims.
Trojan horses do not contain any code to distribute or spread themselves; viruses and worms do.
OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform. Worms are a subcategory of the group of malware known as viruses.
Therefore, it is correct to call OSX/Leap-A a virus or a worm. It is not correct to call OSX/Leap-A a Trojan horse.
Mac virus timeline
15-year-old student Rich Skrenta wrote the Elk Cloner virus, capable of infecting the boot sector of Apple II computers, predating viruses for IBM PCs by some years.
The nVIR virus began to infect Macs, spreading mainly by floppy disk. Source code was later made available, causing a rash of variants.
HyperCard viruses emerged that could run on versions of Apple's Mac OS 9. One version showed the message "Dukakis for President" before self-destructing.
The MDEF virus (aka Garfield) emerged, infecting application and system files on the Mac.
Microsoft accidentally shipped the first ever Word macro virus, Concept, on CD-ROM. It infected both Macs and PCs. Thousands of macro viruses followed, many affecting Microsoft Office for Mac.
Laroux, the first Excel virus, was released. Mac users were unaffected until the release of Excel 98 meant Macs could become infected.
Sevendust, also known as 666, infected applications on Apple Mac computers.
Leap-A, the first ever virus for Mac OS X, was discovered. Leap-A can spread via iChat. The Inqtana worm and proof-of-concept virus soon followed.
Sophos discovered an OpenOffice multi-platform macro worm capable of running on Windows, Linux and Mac computers. The BadBunny worm dropped Ruby script viruses on Mac OS X systems, and displayed an indecent JPEG image of a man wearing a rabbit costume. Sophos reported the first financial malware for Mac. The gang developed both Windows and Mac versions of their malware.
Cybercriminals targeted Mac and PC users in equal measure, by planting poisoned adverts on TV-related websites. If accessed via an Apple Mac, surfers would be attacked by a piece of Macintosh scareware called MacSweeper.
In June, the OSX/Hovdy-A Trojan horse was discovered that could steal passwords from Mac OS X users, open the firewall to give access to hackers, and disable security settings.
Troj/RKOSX-A was discovered, a Mac OS X tool to assist hackers in creating backdoor Trojans, which can give them access to and control over your Apple Mac computer. In November, Sophos warned of the Jahlav Trojan, and Apple issued a support advisory urging customers to run anti-virus software.
In January 2009, hackers began to distribute the OSX/iWorkS-A Trojan horse via BitTorrent inside pirated versions of Apple's iWork '09 software suite. In the same month, a new variant of the Trojan was distributed in a pirated version of Adobe Photoshop CS4. In March, Sophos reported on how hackers were planting versions of the RSPlug Trojan horse on websites, posing as an HDTV program called MacCinema. In June, SophosLabs discovered a new version of the Tored email worm for Mac OS X, and hackers planted a version of the Jahlav Mac Trojan horse on a website posing as a portal for hardcore porn videos. Shortly afterwards, the Twitter account of celebrity blogger Guy Kawasaki had a malicious link posted onto it, claiming to point to a sex video of Gossip Girl actress Leighton Meester. In reality, however, the link led unsuspecting users to malware which could infect Mac users.