The Chocolate Tunnel
Oompa Loompa hits OS X.
Variously called Leap-A and Leap.A (and Oompa Loompa, after the extended attribute it leaves on the files it infects), Oomp-A is a real worm spreading between OS X machines through iChat. It still needs a user to accept the file and double-click it, but that has been enough: it's the first real worm to hit OS X.
On 13 February 2006 a post appeared on the MacRumors website promising screen dumps of Apple's upcoming 10.5 Leopard in a file called 'latestpics.tgz'.
The archive contained no graphics - only a worm. Because some people were fooled, the worm can now spread via their iChat clients to other OS X computers.
Preliminary reports put the number of infected machines low (under 50 at the time of writing) but that's hardly the point.
Unpacking
When 'latestpics.tgz' is unpacked, the extracted file appears to be an image because a suitable picture icon is embedded in its resource fork. A double-click does not open a picture, of course: it runs the executable in the data fork.
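The trick above (a Mach-O data fork wearing a picture's icon out of its resource fork) is easy to catch if you look at bytes rather than icons. The scanner below is an added example, not code from the original article or from the worm. It assumes the archive follows the usual OS X tar layout, in which a file's resource fork travels as a '._name' AppleDouble sidecar entry beside the data fork, and it builds a constructed stand-in for 'latestpics.tgz' in memory so it runs offline.

```python
import io
import posixpath
import tarfile

# Magic numbers at offset 0. Mach-O thin images in both byte orders, 32- and
# 64-bit, plus the fat/universal header (which Java class files also share,
# so treat that one as a hint, not proof).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
IMAGE_MAGICS = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
]
# AppleDouble header: how OS X tar stores a file's resource fork as a '._name'
# sidecar entry next to the data fork (assumed layout for this example).
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"


def classify(head):
    """Name the file type from its first bytes, ignoring the name and icon."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head[:4] == APPLEDOUBLE_MAGIC:
        return "appledouble"
    for kind, magic in IMAGE_MAGICS:
        if head.startswith(magic):
            return kind
    return "unknown"


def scan_tgz(data):
    """Walk a .tgz held in memory and report, per regular file, what its
    content really is, whether the tar mode bits make it executable, and
    whether a '._' resource-fork sidecar travels with it. Any Mach-O image in
    an archive that was sold as pictures is flagged suspicious."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        members = tf.getmembers()
        names = {m.name for m in members}
        for m in members:
            if not m.isfile():
                continue
            head = tf.extractfile(m).read(8)
            kind = classify(head)
            directory, base = posixpath.split(m.name)
            sidecar = posixpath.join(directory, "._" + base)
            findings.append({
                "name": m.name,
                "kind": kind,
                "executable": bool(m.mode & 0o111),
                "has_resource_fork": sidecar in names,
                "suspicious": kind == "mach-o",
            })
    return findings


def build_sample_tgz():
    """Constructed stand-in for 'latestpics.tgz' (not the real worm): a
    'latestpics' entry that starts with a Mach-O header and is mode 0755, its
    AppleDouble sidecar carrying the icon, and one genuine JPEG for contrast."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, payload, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tf.addfile(info, io.BytesIO(payload))
        add("latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 60, mode=0o755)
        add("._latestpics", APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 56)
        add("vacation.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_tgz(build_sample_tgz()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']:<16} {f['kind']:<12} exec={f['executable']!s:<5} "
              f"rsrc={f['has_resource_fork']!s:<5} {flag}")
```

The point of keying on content rather than name is that 'latestpics' has no extension at all; Finder shows the icon from the resource fork and nothing else. A Mach-O entry with a sidecar resource fork and the execute bit set is exactly the shape described above.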
The 'latestpics' executable is a PowerPC program (on the new Intel Macs it runs under Rosetta) which performs a number of operations.
- Propagate itself.
- Find suitable target executables on disk and corrupt them.
- Install an input manager into an appropriate location.
- Send a ready-made copy of itself out via iChat.
In all but one of these tasks Oomp-A performs admirably. A common programming blooper (which will of course be corrected in future revisions) hampers the full functionality of the worm.
In Operation
When a user double-clicks what looks like an image file, 'latestpics' does the following.
- It copies itself to /tmp.
- It creates a resource fork in /tmp and puts its image file icon in it.
- It creates a tar.gz archive from these two forks.
- It deletes the working copies used to build the archive.
- It extracts an input manager from its own executable and copies it to /tmp as 'apphook.bundle'.
- It checks your user ID. If you're root, it creates /Library/InputManagers if necessary, deletes any existing 'apphook.bundle' found there, and copies in 'apphook.bundle' from /tmp.
- If you are not root, it creates ~/Library/InputManagers and does otherwise as above.
- It now uses Spotlight to find the four most recently used applications not owned by root. For each candidate it checks whether the extended attribute 'oompa' is already set; applications carrying that attribute are already infected and are skipped. Once it has four uninfected applications not owned by root, it sets the extended attribute 'oompa' on each to the value 'loompa'.
- Here is where it gets clever: it copies the target application's executable into the resource fork of that same file and overwrites the data fork with its own code, so the original is still there for the worm to hand control to later.
Input managers are loaded into every Cocoa application the user subsequently launches, so 'apphook.bundle' ends up inside iChat as well, where it attempts to send the worm's ready-made archive to everyone on the buddy list.
In addition, launching an infected application runs the infection routine again, so the worm propagates to further applications.
When that's over, Oomp-A does an 'execv' on the original application executable it stashed in the resource fork.
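Everything the worm leaves behind in the steps above is checkable from the shell: a bundle in one of two InputManagers directories and an extended attribute on the main executables of recently used applications. The sweep below is an added example, not code from the article or from the worm. The constants ('apphook.bundle', the 'oompa' attribute with value 'loompa', the per-user and system-wide InputManagers directories) come from the description above; the directory layout it builds for its demo is constructed, and reading attributes through xattr(1) on OS X is an assumption about the host.

```python
import os
import platform
import subprocess
import tempfile
from pathlib import Path

APPHOOK = "apphook.bundle"     # the input manager the worm drops
MARKER_NAME = "oompa"          # extended attribute the worm uses as an infection marker
MARKER_VALUE = b"loompa"


def input_manager_dirs(home):
    """The two drop locations described in the article: the user's own Library
    when the victim is not root, the system-wide one when it is."""
    return [Path(home) / "Library" / "InputManagers",
            Path("/Library/InputManagers")]


def find_apphook(dirs):
    return [str(d / APPHOOK) for d in dirs if (d / APPHOOK).exists()]


def read_xattr(path, name):
    """Raw value of an extended attribute, or None when absent. Python's
    os.getxattr exists only on Linux, so on OS X this shells out to the
    xattr(1) tool, which is assumed to be present on the host."""
    path = str(path)
    if hasattr(os, "getxattr"):
        try:
            return os.getxattr(path, name)
        except OSError:
            return None
    if platform.system() == "Darwin":
        proc = subprocess.run(["xattr", "-p", name, path], capture_output=True)
        return proc.stdout.rstrip(b"\n") if proc.returncode == 0 else None
    return None


def is_marked(exe, reader=read_xattr):
    """True when the worm's 'oompa' = 'loompa' marker is set on the file."""
    return reader(exe, MARKER_NAME) == MARKER_VALUE


def bundle_executables(app_bundle):
    """Regular files under Foo.app/Contents/MacOS, where the main executable
    (the worm's overwrite target) lives."""
    macos = Path(app_bundle) / "Contents" / "MacOS"
    if not macos.is_dir():
        return []
    return sorted(p for p in macos.iterdir() if p.is_file())


def sweep(home, app_bundles, reader=read_xattr):
    report = {"apphook": find_apphook(input_manager_dirs(home)), "marked": []}
    for bundle in app_bundles:
        for exe in bundle_executables(bundle):
            if is_marked(exe, reader):
                report["marked"].append(str(exe))
    return report


def build_fixture(root):
    """Constructed lab layout, not a real infection: apphook.bundle dropped in
    the per-user InputManagers directory, plus two fake application bundles."""
    root = Path(root)
    (root / "home" / "Library" / "InputManagers" / APPHOOK).mkdir(parents=True)
    for app in ("Foo", "Bar"):
        exe = root / "Applications" / (app + ".app") / "Contents" / "MacOS" / app
        exe.parent.mkdir(parents=True)
        exe.write_bytes(b"\xfe\xed\xfa\xce")  # Mach-O magic standing in for a binary
    return root


def demo():
    """Run the sweep against the fixture with a stand-in attribute reader that
    says Foo carries the marker and Bar does not (real xattrs cannot be set
    portably in a throwaway directory, so the reader is faked here)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(tmp)

        def fake_reader(path, name):
            if name == MARKER_NAME and Path(path).name == "Foo":
                return MARKER_VALUE
            return None

        apps = sorted((root / "Applications").glob("*.app"))
        return sweep(root / "home", apps, reader=fake_reader)


if __name__ == "__main__":
    import sys
    # Real use on a Mac: python3 oompa_check.py ~ /Applications/*.app
    if len(sys.argv) > 2:
        print(sweep(sys.argv[1], sys.argv[2:]))
    else:
        print(demo())
```

On a live machine pass the home directory and the application bundles to check; the fake reader in demo() exists only so the logic can be exercised without a real infection. Finding the marker without the bundle, or the bundle without the marker, is still worth a closer look, since the worm's string-handling bug means the pieces don't always end up where they were meant to.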
Stealth
Oomp-A makes a token effort to disguise what it's doing. The 'apphook.bundle' is carried inside the worm as 'latestpics_hook.tar', and string data is obfuscated with an XOR operation.
This is where the blooper comes in: string handling is incorrect, with the result that infected applications no longer launch at all.
Proof of Concept
Oomp-A doesn't have a destructive payload per se - it's a 'proof of concept' worm. And as such, OS X's first worm ever has proven its concept. Future versions of the same worm or spin-offs from it are bound to be destructive and much more intrusive. The weaknesses it leans on are all still there: a resource fork that lets an executable pass for a picture, input managers that any user can drop into their own Library and have loaded into every application, and a file system that lets a foreign binary stash the original executable out of sight. Oomp-A's successors will work.
Portent of the Future?
But what Oomp-A lacks in carefully crafted coding it more than makes up for in incisive analysis of the inherent weaknesses in OS X. Future work on this model is sure to produce 'satisfactory' results unless Apple finally get their act together - by which time pigs might be going supersonic.
See Also
- New MacOS X trojan-virus alert
- Peeking Inside the Chocolate Tunnel