First recorded Mac OS X worm meets a well-prepared user community

Cupertino (CA) - If Macintosh users worldwide have one more thing to congratulate themselves for today, it's for not panicking in the face of a potential threat that may just serve as one more indication of the platform's resurgent strength. An instant messaging worm, code-named OSX/Leap-A by security engineers, that poses as a JPEG image being shared on the iChat service, is being recognized for what it is by thousands of Mac users: not a major threat, specifically because Mac users recognize it.

According to Sophos Labs, the worm spreads itself by distributing copies of its compressed payload to users in an infected system's buddy list. Once uncompressed, the payload disguises itself as a JPEG image by fooling the system into utilizing a JPEG icon - a more difficult trick, arguably, than for a Windows attachment masquerading as an image.

When the user double-clicks the image, a username-and-password prompt appears, as though the folder containing the image required administrator privileges to run. Only when the user supplies those credentials can the payload install itself on the user's Macintosh and begin infecting application files from there.

According to MacWorld, the worm proceeds to infect applications that run on the Cocoa platform, the Mac's counterpart to Windows' .NET Framework. Using a common API call, the worm finds the four most recently used applications, and infects their files. The infection appears at this point to be non-destructive beyond that level.
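The disguise described above depends on a file's icon or name saying "JPEG" while its contents are something else. As an added example, not code from the article or from Sophos or MacWorld, the following check compares a file's claimed type against its header bytes; the sample blobs are constructed, not taken from the real worm.

```python
"""Flag files whose presented type (icon or extension) disagrees with their header.

Added example: a defender-side check for the "JPEG that is not a JPEG" trick.
The sample inputs at the bottom are constructed for demonstration.
"""
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"

# Header signatures a disguised payload on OS X is likely to carry.
# Mach-O and fat-binary values are the real Mach-O magic numbers (both byte
# orders, 32- and 64-bit); gzip and tar are the standard archive signatures.
# Note: 0xCAFEBABE is also the Java class-file magic, so treat that match as a hint.
SIGNATURES = {
    "jpeg": lambda b: b.startswith(JPEG_MAGIC),
    "gzip": lambda b: b.startswith(b"\x1f\x8b"),
    "tar": lambda b: b[257:262] == b"ustar",
    "mach-o": lambda b: b[:4] in (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                                  b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"),
    "fat-binary": lambda b: b[:4] == b"\xca\xfe\xba\xbe",
}


def identify(data: bytes) -> Optional[str]:
    """Return the first signature name matching the file header, or None if unknown."""
    for name, matches in SIGNATURES.items():
        if matches(data):
            return name
    return None


def is_disguised(claimed_type: str, data: bytes) -> bool:
    """True when the content is recognised and it is not what the file claims to be.

    Unknown content is not flagged here; a separate policy can decide on it.
    """
    actual = identify(data)
    return actual is not None and actual != claimed_type


# Constructed sample inputs (not real malware bytes).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
FAKE_JPEG = b"\x1f\x8b\x08\x00" + b"\x00" * 28   # gzip archive shown with a picture icon

if __name__ == "__main__":
    for label, blob in (("real", REAL_JPEG), ("fake", FAKE_JPEG)):
        print(label, identify(blob), "disguised:", is_disguised("jpeg", blob))
```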

In a statement today, Sophos Labs' senior technology consultant Graham Cluley advised, "Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real...Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."

Late yesterday, the blog A Wilderness of Monkeys ran with the headline, "First Ever Virus for Mac OS X Discovered! Now it's a real operating system..."

Perhaps because Mac users are unaccustomed to the notion of having their computers infected, the discussion in the Mac community today has centered on what to call this thing - is it a virus, a worm, a Trojan horse? Everyone has a different opinion, it seems, but settling the matter appears almost as urgent as thwarting the threat itself, especially if Mac users are going to continue comparing their own affairs with those of the Windows users with whom they must share the planet. MacWorld this morning attacked the question by saying, "Technically, it's a bit of everything," before concluding that it should simply be called "malware" and leaving it at that.

A self-proclaimed amateur programmer who runs the BeginnerCode.com blog writes:

Is this such a mutation that we can't define if it's malware, a virus, or a trojan? I'm getting kind of confused here myself. Good thing I run a PC.

The debate today has centered on whether malware is a Trojan horse simply because it offers the user something as a disguise for a malicious payload. Sophos stated today that while a worm may masquerade as a more attractive kind of file, "Trojan horses do not replicate or have any mechanism of spreading themselves." For that reason, states Sophos, OSX/Leap-A should be elevated to the level of a worm, and treated more seriously.

For Clayton's Sci-Tech this morning, the author who uses the moniker "Clayton Forrester" (after the scientist from the 1953 movie version of War of the Worlds) takes up Sophos' cause, believing this virus should be treated very seriously indeed:

I personally love Apple's Mac OSX and I have great admiration for Apple's software and hardware engineering; their bewildering abandonment of the superior PowerPC architecture notwithstanding. But Apple, indeed anyone who distributes a computer operating system, must start focusing on the security of those systems. It's not only a matter of personal security. It is also a matter of national security.

But in Pause. Stop. Rewind. Play., blogger Wil Cheung states that Mac users are already more conscientious about things that could possibly breach their architecture, and as a result, such a worm doesn't really have a chance.

...Most of the Mac community understands that when a JPEG asks your permission to access your entire computer in order to view it, it probably isn't what it says it is. Compared to how malicious some of the viruses Windows users have to deal with, with their self-execution and easy exploitation of the OS itself, Leap-A is just a gentle reminder to Mac users not to immediately believe anything we download is what it says it is.

Meanwhile, network architect Irwin Lazar writes for his blog that it may be irresponsible for anyone in the press or elsewhere to characterize this malware as a virus, or anything similar. Lazar believes that no Mac-based anti-virus protection is necessarily any better than the user's own vigilance:

I'm still not going to pay for anti-virus protection for my Mac because I don't download and install unknown software, and I certainly don't grant any application installation routine administrator privileges unless I know darn well what it does.

So what do you think? Is the distinction between a virus, a worm, and a Trojan horse important in the context of this brave new world with so little malware in it? There are messages on this topic on TG Forumz now, if you care to join us with your thoughts.
