The Chocolate Tunnel
Oompa Loompa hits OS X.
Variously called Leap-A and Leap.A, Oomp-A is a real malware strain (worm) spreading on OS X machines through iChat. As such it's the first real (and successful) exploit ever against OS X.
Thanks to Apple's unique resource forks (and despite the hardy architecture of FreeBSD/Darwin) it's able to operate as well as a virus, something otherwise unheard of.
On 13 February 2006 a post appeared on the MacRumors website promising screen dumps of Apple's upcoming 10.5 Leopard in a file called 'latestpics.tgz'.
The archive contained no graphics - only a worm. Because some people were fooled, the worm can now spread via their iChat clients to other OS X computers.
Preliminary reports say infection is low (under 50 computers at time of writing) but that's hardly the point.
When 'latestpics.tgz' is unzipped it appears to be an image file because an appropriate image is embedded in a resource fork. Of course a double-click will in fact run the binary in the data fork instead.
The 'latestpics' binary inside the archive is a PowerPC executable that performs a number of operations.
- Propagates itself on your system.
- Finds suitable target binaries on your system and 'recruits' them.
- Installs an input manager into an appropriate location.
- Sends a ready-made copy of itself out to your contacts via iChat.
Oomp-A performs admirably in all but one of these tasks. A common programming blooper (which will of course be corrected in future revisions) hampers the full functionality of the worm.
When a user double-clicks what looks like an image file, 'latestpics' does the following.
- It copies itself to /tmp.
- It creates a resource fork in /tmp and puts its image file icon in it.
- It creates a tar.gz archive with these two forks.
- It destroys the source used to make the tar.gz archive.
- It extracts an input manager from its own binary and copies it to /tmp as 'apphook.bundle'.
- It checks your user ID. If you're root, it creates /Library/InputManagers, deletes any existing 'apphook.bundle' found, and copies in 'apphook.bundle' from /tmp.
- If you are not root, it creates ~/Library/InputManagers and does otherwise as above.
- It now uses Spotlight to find the four most recently run applications not owned by root. For each application found it checks to see if the extended attribute 'oompa' is found. Applications with the attribute are already infected. When it has four uninfected applications not owned by root, it sets the extended attribute 'oompa' of each to the value 'loompa'.
- Here's where it gets clever: it now copies the target application binary into its own resource fork and overwrites the application binary with its own trojan!
When an infected application is subsequently launched, 'apphook.bundle' will attempt to send a copy of the worm to everyone on the iChat buddy list.
In addition, infected applications will attempt to propagate to other applications.
When that's over, Oomp-A does an 'execv' on the resource fork of the binary (which contains the original application binary).
Oomp-A makes a token effort to disguise what it's doing. The 'apphook.bundle' is stored as 'latestpics_hook.tar'; the string data is obfuscated with an XOR operation.
Due to a rather common blooper, string management is flawed and results in infected applications being completely disabled.
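The markers described above lend themselves to a simple host check. The following is an added example written for this article, not code from the article or from Apple: it looks for the 'oompa' extended attribute set to 'loompa', for a resource fork that begins with a Mach-O header (where the worm parks the displaced original executable), and for 'apphook.bundle' in the InputManagers directories. The '..namedfork/rsrc' path, the xattr(1) fallback and the Mach-O magic values are my assumptions.

```python
import os
import subprocess
from typing import Dict, List, Tuple

# Mach-O and fat-binary magic numbers, assumed to open a raw copied executable.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def classify(xattrs: Dict[str, bytes], rsrc_head: bytes) -> List[str]:
    """Pure check on already-gathered facts about one application binary."""
    findings = []
    if xattrs.get("oompa") == b"loompa":  # the worm's own infection marker
        findings.append("extended attribute oompa=loompa present")
    # The original executable is parked in the resource fork, so a fork that
    # starts with a Mach-O header suggests the data fork was overwritten.
    if rsrc_head[:4] in MACHO_MAGICS:
        findings.append("resource fork begins with a Mach-O header")
    return findings

def gather(path: str) -> Tuple[Dict[str, bytes], bytes]:
    """Collect xattrs and the first bytes of the resource fork for one file."""
    xattrs: Dict[str, bytes] = {}
    try:
        if hasattr(os, "listxattr"):  # Linux Python exposes xattrs as user.NAME
            for name in os.listxattr(path):
                key = name[5:] if name.startswith("user.") else name
                xattrs[key] = os.getxattr(path, name)
        else:  # macOS Python lacks os.listxattr; fall back to the xattr(1) tool
            out = subprocess.run(["xattr", "-p", "oompa", path], capture_output=True)
            if out.returncode == 0:
                xattrs["oompa"] = out.stdout.strip()
    except OSError:
        pass
    head = b""
    try:  # HFS+ exposes a file's resource fork under this path (assumed)
        with open(path + "/..namedfork/rsrc", "rb") as fork:
            head = fork.read(4)
    except OSError:
        pass
    return xattrs, head

def scan(binaries: List[str]) -> Dict[str, List[str]]:
    """Return findings for every binary that shows at least one marker."""
    return {p: f for p in binaries if (f := classify(*gather(p)))}

def suspicious_input_managers(dirs: List[str]) -> List[str]:
    """Report apphook.bundle in any InputManagers directory handed in."""
    return [os.path.join(d, "apphook.bundle") for d in dirs
            if os.path.exists(os.path.join(d, "apphook.bundle"))]
```

Feed scan() the executables under /Applications/*/Contents/MacOS and suspicious_input_managers() the two InputManagers directories named above; a hit on either marker is worth restoring the application from a known-good copy.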
Proof of Concept
Oomp-A doesn't have a payload - it's a 'proof of concept' worm. And it's proven its concept. Future versions (or spin-offs) are bound to be destructive and more intrusive. By exploiting several weaknesses in Apple's file system, Oomp-A and its successors will succeed.
Portent of the Future?
But what Oomp-A lacks in carefully crafted coding it more than makes up for in incisive analysis of the inherent weaknesses in the OS X file system. Future work on this model is sure to produce 'satisfactory' results unless Apple finally get their act together, by which time pigs might finally be going supersonic.