The Legend of Oompa Loompa

We at Apple take security very seriously.
 - Mantra of Apple Computer

Get It Try It

Unless Apple faces up to the security issues its users face, its reputation for making secure operating systems, already damaged by its mishandling of these recently discovered vulnerabilities, will be further tarnished.
 - John Leyden, The Register May 2004

Prologue

This is not so much a story about Oompa Loompa as it is about the people who first encountered it. You're bound to run into a lot of laughs along the way; other things will have you popping your eyes in disbelief. Whatever: have a good time.

The Tags

A great part of the Maccie forum experience are the tags. You'll meet these people later; here for now are the tags they use, all to help you get a feeling for this kind of phenomenon.

[Also of note is the fact they're not hesitant in their praise of one another, giving away titles like 'demi-god', 'god', and 'demi-goddess'. How they measure up to such epithets remains to be seen below; for now, the tags.]

Back to Old Haunts

The story of Oompa Loompa starts right where Renepo left off: the Macintosh Underground.

It started on 10 February 2006. The world of Apple had been hit once before by a product from this site; now it was to start again.

r3d3pshun joined the forum on 10 February. He made a total of three posts there, all within two days, and hasn't been around since. The first post came at 16:00 local time.

<This may potentially contain malicious code; DO NOT OPEN IT IN FINDER WITH ADMIN PRIVILEDGES! I am leaving it up so others may check it out> ~bobxii

http://rapidshare.de/files/12985365/latestpics.gz.html

MacJunky is suspicious.

riiight, I would not open this file if I were you, there is no extension and it is only about 20k. Also, after a "get info" it looks as if the terminal or X11 would open it if double clicked.

I suspect something foul, so I will not open it.

*hums "Into the trash can it goes"

Phreak.net, a n00b at the time of Renepo, is still around.

It isn't anything. I opened it in Terminal, and it did nothing. I check the logs and the running processes, and there was nothing foul going on.

It never prompted for a password, so it really couldn't do much harm. Plus, it would have shown me if it was running anything in Terminal. I opened it in TextEdit first, and it wasn't a script or anything.

Anyway, this file is useless. If you actually want to post some pictures, do so.

MacJunky is back to explain where his sentiments really lie.

ah, k, I did not run it because I love my Macs too much and I don't want anything bad to happen to them.

Opressed_l33t has an astute observation.

far as I know TextEdit can open just about anything safely...

bobxii gets the first clue and passes on some good advice to Phreak.net.

Last login: Wed Feb 8 13:09:05 on console
Welcome to Darwin!
G5:~ Administrator$ login guest
Password:
Welcome to Darwin!
G5:~ guest$ /Volumes/Scratch/latestpics
-bash: /Volumes/Scratch/latestpics: Permission denied

<reset permissions of /Volumes/Scratch/latestpics to rwxrwxrwx>

G5:~ guest$ /Volumes/Scratch/latestpics
mv: rename /tmp/apphook to /Volumes/External/Archives/Library/InputManagers: No such file or directory
cp: /Volumes/Scratch/latestpics/..namedfork/rsrc: Permission denied
cp: /Applications/D-Vision 2.app/Contents/MacOS/D-Vision 2: Permission denied
cp: /Volumes/Scratch/latestpics/..namedfork/rsrc: Permission denied
cp: /Applications/Super Get Info.app/Contents/MacOS/Super Get Info: Permission denied
cp: /Volumes/Scratch/latestpics/..namedfork/rsrc: Permission denied
cp: /Alias/maya6.0/Maya.app/Contents/MacOS/Maya: Permission denied
cp: /Volumes/Scratch/latestpics/..namedfork/rsrc: Permission denied
cp: /Terragen Pro v0.8.1/Data/Terragen.app/Contents/MacOS/Terragen: Permission denied
cp: /Volumes/Scratch/latestpics/..namedfork/rsrc: Permission denied
cp: /World of Warcraft/World of Warcraft.app/Contents/MacOS/World of Warcraft: Permission denied
G5:~ guest$

Guessing it's just a compiled script. Not sure what it's for though. Also, notice I had to go to some lengths to even get it to run; it's not even packaged as an application for Finder to recognize.

Phreak, you may want to check your logs again...

Phreak.net is unswayed.

Everything looks alright. Checked it out again, and it's just gibberish in TextEdit. Teminal couldn't run it, as you found out Bob.

A meager attempt at hacking by a noob, perhaps?

Hackenslacker, also from the Renepo thread, interjects.

It isn't all gibberish in TextEdit. Look about half way through for the script.

And, as Bob showed, it does in fact run in Terminal, but gives errors if you are running a limited account.

Opressed_l33t starts losing it.

hey!..hey, r3d3pshun! The fuck is this supposed to be eh?

The guest of honour returns.

It's a virus for Mac OS X 1.4.x.

Milan fells another judgement based on vast experience in the field.

Highly improbable.

The net effect is that Phreak.net is phreaked.

Next time you want to spread a virus en masse, go to a Windows forum.

Siph0n might be onto something.

More like malcious script/program written in Perl and compiled with perlcc.

sparky25890 thinks he's got it all figured out.

theres a big difference between a virus and a malicious script asshole.

dr_springfield asks a somewhat relevant question.

Anyone know what it actually *does*?

BTW, 18k is too large for a "malicious script." I'm tempted to run it, to see what, if anything, it does. Additionally, I tried running perlcc on a perl script that just printed "Hello".. the resulting binary was 100k and running "strings" on it resulted in many lines referring to Perl libraries, etc.

I would imagine this is a C program.

Milan expounds on the first principle of social engineering.

Cool, pics of the new MacBook Pro!
Dum di dum *loading*
Hmm, Safari says it's an application. But the guy on the Forums said this file are pictures. Safari is probably wrong.
20 KB? Wow, must be some really cool compression algorithm, JPEG 2006 maybe!
Hmm, no file extension. Let's get info on that. Ohh, it's an executable!
Well, then, let's run it so we can see the pictures!
Ohh, it doesn't have executive permissions. Yeah let's chmod and run it.
...

Come on, r3d3pshun, do you really think we are that stupid?

Yes he did and yes you were. Siph0n now concedes it may be a C program.

May very well be. Both would look similar since perlcc translates the perl script to C and then compiles it...(in a very high level sense...)

I'm just not giving him the benefit of the doubt.

Milan finally thinks of using a strings tool.

__dyld_mod_term_funcs
__dyld_make_delayed_module_initializer_calls
__dyld_image_count
__dyld_get_image_name
__dyld_get_image_header
__dyld_NSLookupSymbolInImage
__dyld_NSAddressOfSymbol
The kernel support for the dynamic linker is not present to run this program.
/..namedfork/rsrc
/usr/bin/tar -zxf /tmp/hook -C /tmp
/Library/InputManagers
/bin/rm -rf /Library/InputManagers/apphook
/bin/mv -f /tmp/apphook /Library/InputManagers
~/Library/InputManagers
/bin/rm -rf ~/Library/InputManagers/apphook
/bin/mv -f /tmp/apphook ~/Library/InputManagers
%s/Contents/MacOS/%s
/bin/cp '%s' '%s/..namedfork/rsrc'
/bin/cp -f '%s' '%s'
(kMDItemKind == 'Application') && (kMDItemLastUsedDate >= $time.this_month)
/usr/bin/ditto %s /tmp/latestpics
/usr/bin/gzip -f -q /tmp/latestpics

"%s"? Are those C-string format identifiers?

EDIT: I ran the script / program as a limited user. I get some "Permission denied" messages like bobxii, just about other applications.

Looks as though it's trying to copy some stuff. And a lot of f-options in there, those are normally about omitting confirmation/verification, right?

TSF

r3d3pshun tries the same thing at the Mac Security Forums on 11 February.

Check out these latest pics of the MacBook Pro internals (hosted on rapidshare):
Is that a TPM chip?

Oropix edits the post.

EDIT: hi, this is your friendly neighborhood Oropix reporting. this bumwipe decided to try to link us all to a nasty file. siph0n noticed it and notified me. thank you all for playing, that's all folks.

Siph0n came over earlier to warn people.

http://freaky.staticusers.net/ugboard/viewtopic.php?t=20181

Nice try asshat.

Don't open it.

Final Post

r3d3pshun's third and final post at the Macintosh Underground comes two days after the first at 19:50 local time.

Ok, I've addressed all your concerns. Check out the NEW latest pictures of um, Britney Spear's baby.

http://rapidshare.de/files/13150561/latestpics.tgz.html

And within the post a comment from Phreak.net.

WARNING: This file may contain malicious code. Open at your own risk. I'll leave this if anyone wants to mess with it. -Phreak

dr_springfield is amused.

heh...

Hackenslacker's using Finder to investigate.

Now, what's it do?

Milan's around to help.

I get the same output as before, so I guess it is supposed to do exactly the same thing as the "earlier version".

EDIT: It is different, though. Probably modified and recompiled.

NulModem, a n00b with only eighteen posts, suddenly sees and says things.

I don't know if it has been modified but it embbeds in it's data fork an apphook.tgz file at offset 0x3014 (Pi number for maths)

It has a resource fork with an icon to masquerade itself as a jpeg file.

The apphook is an InputManager copied into the user's input managers folder if uid not equal to 0.

Function names found:

_copySelf
_infectApps
_installHooks
_receive_samples
_hook
_infect

The first virus ever seen?

I didn't yet analyse the code, but I can say Idiot too.

Mac Users are powerfull users, they don't click on every pictures they found.

bobxii is back with a comment on web browsing.

This is probably the reason Safari downloads aren't executable immediately (they have to be packaged).

MacJunky scolds r3d3pshun.

r3d3pshun, you should properly test files like this on your own computer before posting them on forums and being shot down.

NulModem's back with further comments.

Maybe that's because he was the author of this little threat (it doesn't work when you launch it inside a folder name with spaces)

Bad coding practice guys, don't use system() call!

There's no chance it will generate a big thread imho.

It doesn't work on the new MacIntel machines too. (The inputmanagers is not loaded on those machines)

Siph0n makes a discovery.

Bah shit.

http://digg.com/apple/First_Mac_OS_X_virus

sparky25890's back.

the moron didn't make any of it.
read this:
http://www.macrumors.com/pages/2006/02/20060216005401.shtml

Milan gets wit.

Lol, some people on the net claim that this malware has been written by Microsoft. At least that would explain the programming errors.

sparky25890's hard at work.

i got it

Creates the following files:

/tmp/latestpics
/tmp/latestpics.tgz
/tmp/latestpics.tar.gz
/tmp/hook
/tmp/apphook
/tmp/pic.gz
/tmp/apphook.tar
/tmp/pic

Deletes all files from the following folder:

~/Library/InputManagers

Copies /tmp/apphook to the following folder:

~/Library/InputManagers/apphook/apphook.bundle/Contents/MacOS

so that it runs every time an application starts.

Uses Spotlight to search for the four most recently used applications this month, which do not require root permissions.

Searches these files for the extended attribute oompa. If it does not find this attribute, it will infect the selected files.

Infects the selected files by copying the contents of the data fork to the resource fork of the selected file, and then copying itself to the data fork of the selected file.

Note: Due to a bug in the code, the infected files may be corrupted and may not run correctly.

Creates the extended attribute oompa and sets it to loompa.

Monitors all launched applications. Every time the iChat application is launched, the worm sends the file latestpics.tgz to all the iChat contacts.

Note: Due to a bug in the code, the worm may corrupt the file so that it appears larger than it actually is, and it may not be sent successfully.

someone already wrote a little app to stop it from infecting.

http://www.lambodev.co.uk/

justbrowsing notices something strange about the Oompa Stompa tool from the URL above.

The script in Oompa Stompa seems to only deal with the ~/Library/InputManagers not /Library/InputManagers...

It's 18 February now; they're still poking at it. Siph0n asks a question.

can prevent it from infecting you by doing

mkdir ~/Library/InputManagers /Library/InputManagers
sudo chown 0 ~/Library/InputManagers /Library/InputManagers
sudo chmod 000 ~/Library/InputManagers /Library/InputManagers

and not using the root account or possibly by just making those folders a symlink to say, your trash

ln -s ~/.Trash/ ~/Library/InputManagers && ln -s ~/.Trash/ /Library/InputManagers

Siph0n sees the news is spreading.

http://money.cnn.com/2006/02/17/technology/apple_virus.reut/

...ffs. He got on CNN.

Lambo, the author of Oompa Stompa, enters.

justbrowsing wrote:

The script in Oompa Stompa seems to only deal with the ~/Library/InputManagers not /Library/InputManagers...

I read some advisories, and apparently that's all it needs to deal with, but I'll add in the other InputManagers too, and upload an update to my site today.

Thanks for pointing that out

Siph0n invites people over to the Wiki.

Feel free to register and then add what you want here:

http://insanityflows.net/archive/index.php?title=Leap-A_Trojan

I got some stuff to do for now...

MacRumors

Everything has been leading up to this: so far two hacker forums were shown the exploit. People bought in limited quantities. Things were relatively calm. The one ruse was pictures of a MacBook Pro, the other a tongue in cheek promise of pictures of Britney Spears' offspring no one took seriously.

But now things change: the only AnnaK that works here is a promise of secret pictures of Apple's coming OS X 10.5 Leopard. r3d3pshun makes the post three days after he drops by the Macintosh Underground, registering as new member lasthope and making his one and only post the same day.

Chaos ensues.

yankeefan24 is first up.

it opens in terminal. not right.

Chaszmyr is next.

If this really has pics, someone post them here please.

swindmill follows.

The download is a unix executable file which opens in Terminal but is disguised as a jpeg.

Benjamindaines is furious.

Oh wow, this member should be banned. I downloaded the file and it comes up as a picture file then when I click on it it pops open Terminal and runs something. Looks like someone attempted to make a Mac virus...

Reported.

Chaszmyr is back.

It does seem so. Also looks like they failed (though I'm not sure because i didn't download it myself)

yankeefan24 waxes paranoid.

i noticed the same basic thing.

he is creating another thread (if you believe the public profile), watch for more virus attempts. if he is not banned by the time he finsihes.

Xephian too thinks lasthope is not a worthy member of the MacRumors community.

This guy should really be banned. Only one post and his first post is this. Thanks for the warnings people.

Laser47 reports.

lol, i downloaded it and ran it. Now if this was a pc, i would have already reformatted and reinstalled it. But since im on a mac right now im just like WTF. has anyone been able to find out what it does exactly. Probably not somthing harmful since you would have had to enter your password.

Edit: whats even funnier is that i was 'lucky' enough to download the file before it was changed by a mod. That person should be banned, even though he is less than likely to comeback.

Timepass tries to reassure everyone.

It would not of effect a PC. Virus made for a mac have no effect on a Windows computer. Same goes the other way. It is one of the few times it would of been better to look at it though a PC since it can not be effected by it.

But this could just be a started. I wouldnt be surpised to see a real virus for the mac enter this way. It would not be wide spred becaue it how it needs to be activated.

runninmac seems to have a handle on things.

Note to self, dont download things from ñ0ºBs

swindmill makes a discovery.

It's an IM client

ITASOR's right there.

I'm surprised this hasn't happened more on here...it's so easy to write an applescript file and disguise it as anything...scary!

So is Peace.

Man why do I always miss out on all the fun!

I didnt see the terminal app that was run or anything but by descriptions it sounds like the noob was trying to get into a users computer via a chat app.

So is LimeiBook86.

Wow, out of all the places, I'd never expect that to happen here. Ban the user and his IP address, that's definitely the kind of people we don't need here. I hope this doesn't start something big. I'm just glad I didn't download anything


But still, yeah, BAN HIM (Rebel scum...)

Superdrive adds to that.

Filthy scum. Too bad there is no physical payment to take vengeance upon these morons.

Will stick foot in mouth if a real image turns up...

Timepass shares a tidbit of wisdom.

ah one of the many reason why my windows box is set up to show all file extentions. Not just the unknows. Makes it a lot harder to hide it since I can just look down to the last one to see what it is

Benjamindaines is back after a nap.

hmm... just discovered something else about this... it copied to every computer on my Bonjour network. I went on the PowerMac and it popped up as an incoming file transfer. So he succeeded in something.

Mods: PLEASE ban this member, attempting to distribute a Trojan horse on MacRumors is unacceptable.

yankeefan24 starts another thread and it's not about baseball.

just made a thread about this. link:
http://forums.macrumors.com/showthread.php?t=180323

illegal has a great idea.

somebody trace his IP and post it

A Mac Virus?!?!? (180323)

yankeefan24 starts it all off - after all, he's entitled: it's his thread.

If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my harddrive, but how do i know that it will not come back. Any help is appreciated.

link to lasthopes thread:
http://forums.macrumors.com/showthre...=1#post2142507

Benjamindaines is ready to bust a gut.

Same thing happened over here (as you see from my post in the other thread) and everything seems to be fine but we have no way of telling because [rant] APPLE DOESN'T INCLUDE ****ING VIRUS PROTECTION IN THE .MAC ANY MORE!!!!!!!!! [/rant]

Something's added to the bottom of his post.

Last edited by Rower_CPU : 02-15-2006 at 11:22 AM. Reason: don't circumvent the profanity filter

GFLPraxis gets down to it. Define what it is. That's very important.

Sounds like a trojan, not a virus.

Originally Posted by Benjamindaines
Same thing happened over here (as you see from my post in the other thread) and everything seems to be fine but we have no way of telling because [rant] APPLE DOESN'T INCLUDE ****ING VIRUS PROTECTION IN THE .MAC ANY MORE!!!!!!!!! [/rant]

Um...dude, virus protection only looks for known viruses and trojans, it wouldn't find a newly released one anyway until Apple updated it to look for it. And since there are no Mac viruses anyway, it's perfectly fine for Apple to not include it.

Laser47 isn't worried about propagation.

I ran it, opened terminal and then closed it. Dont know about sending messages to other computers though because i have the only mac in my house.

Timepass thinks AV is more effective than GFLPraxis.

No it can find new ones. Normally covered on a bloodhound like feature (basicly it looks for virus like chars and quantitines the file) now it will not be able to remove the virus and cure it. But it will prevent access to it and protect the rest of the system from it.

cemorris recommends open source.

Give this a try and see if it can detect this virus/trojan.

http://www.clamxav.com/

Mr Mister makes one point, loses another.

Mac OS X is very specific about making installing viruses a thing that the user has a very large part in. Don't impulsively type your system password when a dialogue box pops up and you should be fine.

Thread leader yankeefan24's back.

well what it did, was when you opened the file disguesed as a jpeg, it would open terminal and run a script. no passwords or anything.

Benjamindaines thinks they're safe.

but for what it was trying to do it DID need a password, that's why the permission was denied and we're "safe"

yankeefan24 isn't so sure.

but permission was not denied for me. it ran a full script, (but i closed terminal and deleted it before screenshots) without any permissions being denied.

yankeefan24's flustered. Things are looking really really bad.

The trojan still exists on this computer. Does anyone know where the file would be located on my HDD.

Unlike benjamin, mine somehow got permission to do whatever it had to do. I have the file mirrored (i think thats the right term) on a seperate site, so if anyone wants to reverse engineer it, you can do that. just remember that you are downloading a known trojan (because the downloader knows that it is trojan (you can't get past that on the site), i think i am allowed to give it out, just PM me so i am sure).

The virus is still alive on my computer despite secure deleting the script (it tried to get itself to my sisters computer), so any help is appreciated, and i hope this isn't worse than it seems. But it didn't require a password so i believe that it can't do anything very bad, but why would someone make a trojan just to spread it, so he can say he made the first mac virus (i know its not a virus, but that might be what the guy was aiming for). All help is appreciated.

I did scan my home library folder with the above linked app.

BTW, i think that lasthope should be banned, and tell exactly what it does.

CoMpX speculates, slowly working up to uncontrolled hysteria.

I really hope this guy gets what he deserved. I also hope that this doesn't get worse as we find out more about it. It already has the ability to spread to every mac on the network. Good thing I downloaded the file and then just decided to delete it. What if I opened it at school?? Every Mac in the school would have this "thing" on it!

Benjamindaines demonstrates why the trojan was designed as it was.

It also spreads through AIM in iChat, I just IMed someone and the file popped up.

yankeefan24 expresses his concern for the rest of the computing world.

well i have alerted my mac friend (its amazing how many people i know who use windows) about it. I just hope it doesn't spread to windows. Ok then, i am switching to my other computer now (my old 1 GHz TiBook) until i learn more about this or someone finds a solution.

CoMpX is absolutely positively fucking flabbergasted.

You mean the file tried to go to their computer? Was it a Mac? This is getting kinda serious. Passing the file through AIM opens of a whole new door of possibilities for this thing. Why in God's name has the poster of this file not been banned yet?

yankeefan24 hears his nerves go squish.

I have a BAD feeling that this is only going to get worse. I just have to recommend everyone who downloaded this file and uncompressed it to BACKUP RIGHT NOW! if this is going to spread like it seems to be doing (bonjour and aim) i think this is a delayed reaction type thing. I'll get back to you after i reverse engineer it. (im going to create a new account and then download it off of my mirror and then see what apps its affecting. if its something minor i will uninstall and reinstall, but if its an apple app (such as finder or ichat) we might all have a problem.

CoMpX concurs from the heights of simpering demi-godness.

Unfortunately, I agree with you. It seems like this thing is more advanced than we thought, and it seems to be revealing its capabilities to us as it goes along. Good luck in reverse engineering it. If you can find out what makes it run we might be able to stop it before it becomes too widespread.

Benjamindaines trembles and shakes.

I THINK I've removed it off my laptop, it embeds it's self in the UNIX file system of random apps. To find what apps its in download the file again (should be in your history) and it will ask if you want to overwrite (choose no) and it will tell you all the apps its in. When you try to run most of the apps that are effected they wont run. Just trash the apps that it's embedded in. This seems to have worked and my laptop seems fast again. In a few days we will see if it's still around when it tries (or doesn't) to send to other people again.

EDIT: yankeefan24 has already posted what will come up when you run it. You must run it in new account to find out what apps its in.

yankeefan24's puzzled by a small detail.

the only thing is that the apps that it gave me were all random added apps. not everyone will have those. i'm creating another account and will give you another update with a new clean download.

iMeowbot makes a public service announcement.

This might be a good time for a little public service announcement. It's not the best idea to do everything from your default Mac user account (the admin one). If you poke around in your applications folder, you may notice that you have write access to many of those files, no password required. Installers could and should do a better job here, but they don't.

Set up a second, non-privileged account, and do your day-to-day stuff from there.

Benjamindaines complements yankeefan24's earlier observation.

It just gives you the same list. Unless you have already removed the infected apps, then it picks all new ones.

yankeefan24's noticed it too.

yes, i removed skype and it gave me another game.

yankeefan24's right back with another thought.

i think i have a side note. i still believe that it is going to be something big, and will be hard (if possible) to remove. It is putting itself into the apps scripts to make sure that it is not removed. I tried to uninstall it, but it came up again. I believe that something big is going to happen. Backup your drive EXTERNALLY and then stop using any chatting apps on your infected computer. The fact that it came as a tar file (i know nothing about it) suggests that there may be an extra file somewhere hidden within the computer.

CoMpX is now shaking and needs comforting bad.

I am currently backing up RELIGIOUSLY everything on all of the computers in the house to my external. Then I'm going to disconnect my external so it doesn't get infected. My Mac is not infected yet *knocks on wood* but I cannot afford to lose any data. Right now, I am genuinely scared as to what is going to become of this.

I wonder what the mods are doing about this? Are they aware of it? This guy might be punished by law if anything serious happens like data loss. I'm like shaking. Someone please comfort me.

Benjamindaines tries to take deep breaths. Breathe in, breathe out, breathe in, breathe out.

Alright guys, I am VERY relived to discover that my laptop is the only computer of mine infected. I am running ClamXav during the night to see what comes up (I am also running it on the other computers just incase). I have backed everything up but there isn't anything important on my laptop. So I am dedicating my laptop to the effort of removing this virus and to find out what exactly it does (if i can't / haven't get rid of it)

yankeefan24 points out that some games are away games but his team should still win.

I LOVE THE COURT OF LAW, except we don't know if he is in the US or the UK (the only confirmed places i have heard this virus exists), so if he is in india or russia or china, we have to rely on extradition (probably to the US because that is where this site is hosted), and if their mysterious government doesn't comply, we have a problem. But if he IS in the US/UK, i guess when we press charges (if we) he has a real problem.

This is a what if situation, btw.

CoMpX returns, still shaking and in need of comfort, but with an academic question.

This might be a n33b question, but can this be officially called the first Mac virus?

A 'n33b' question? yankeefan24 feels qualified to respond.

that's wat i am calling it. It might be more technically a mac TROJAN but the same concept. any one who receives it from iChat/AIM/whatever would indeed have the first mac VIRUS. so its a split. i am calling it a virus.

yankeefan24 responds to a gesture by Benjamindaines.

glad you are dedicating your laptop to the cause. i am basicly doing the same with mine, just don't know as much as you probably do. i tried to do a full hdd scan with ClamXav and it said it couldn't, but i am pretty sure that my TiBook doesn't have it.

CoMpX still needs comfort. Time for some casual sabre rattling.

This is a VERY< VERY sad day for the Mac platform. I always hoped that this would not happen in my lifetime. I am almost in shock now, I can't believe this is reality. All because of this bastard with hi pics. I am extremely pissed, sad, and scared. This guy needs to pay. This is war IMO.

iMeowbot has something to say about that.

There have been Mac viruses in the past, before OS X. This program falls more in between a worm and trojan horse. This incident does, however, provide a wonderful opportunity to tell overly complacent Mac users "I told you so." Stuff like this, and not classical viruses, is how most Windows malware spreads.

Laser47 has an idea.

Maybe someone should email the file to symantec or another antivirus company so they can analyise it.

If it is the first mac virus then I can proudly say "I was one of the first people to get a mac virus"

Also has anyone tried Pm'ing an admin to see what they say about it.

The other day after I got the virus, before the 10.4.5 update I reinstalled the OS. 1. to get the virus off my ibook, and 2. because my KB was acting up again and wanted to see if it would fix it (It didint), but all is good because apple is sending me a new one.

Also a quick question for those who got the virus. At the time I ran the file i had my external hard drive connected which has some apps on it, along with my backups. Does this only propigate in the main drive or everywhere an app exists.

Airforce wants a clarification from CoMpX.

Did you just proclaim war over this? lol...

furryrabidbunny comes in from Mesa.

But reading this thread is giving me a headache. Can someone simply spell out a few things: How do you become infected? How do you know your infected? How do you treat?

Benjamindaines emits a witticism.

Well if we think of the positive side, one of us can now have the honour of posting to SlashDot the first Mac Trojan / Virus...

I have sent a threatening PM to lasthope and have forwarded the PM to DoctorQ as well. I have also asked DoctorQ for the users email address or if he can't release that for him to forward my message to it as well. Of course I have asked that lasthope be banned.

CoMpX has another uncomfortable thought.

Has anyone contacted Apple about this? Someone with more knowledge than me should really contact Apple and let them know that this is becoming serious and many people are becoming infected. Maybe they will know what to do or release a patch or something.

Laser47 posts a pic.

Chundles goes off the deep end.

Gee I'm glad I didn't download this.

Where are the mods? Who's talking to Apple?

Answers people, we need answers!!!

arn - a FULL god and not just any ordinary scruffy demi-god - gets in.

still trying to piece it all together.

Has anyone analyzed the file? is it a terminal script?

arn

Timepass speaks out.

I hope this problem with this is fix quickly. Also I hoping the total damage is pretty minor.

Best case of the out come of this virus is it becomes a wake up call to Mac users that even though you use a mac, one still needs to pratice safe online computing. Big one is dont open files or attachments that you are not sure what they do. Some mac users have it in there head that because they use a mac they are invincible. They are a lot safer than most windows users but far from invincible. Something that is IMPOSSIBLE. Well it is possible but it would require the computer just staying in the box and never being turn on.....

Laser47 straightens everyone out.

The file itself was a terminal script, but the creator changed the icon so that it would look like a jpeg, so when it was downloaded it looked just like a picture but when executed it opened terminal.

telecomm makes an observation.

To have the file appear as a jpg (or whatever you'd like) all you have to do is change the extension.

plinden is hot on the scent.

I'm not sure how this came originally, but the file I was pointed to is a tgz - a gzipped tar file.

The tar file contains two executables (not scripts) probably compiled with gcc, containing a function (among others) called infectApps.

One executable is "latestpics" which would show up and another called ._latestpics, which because of the initial . would be hidden to view.

This isn't much to go on so far, but I'll take another look when I have time.

Edit: my mistake, ._latestpics is not an executable - it's read only. Probably the payload or some data file.

Edit 2: latestpics has another function called copySelf

The rabbit's back and finds the others all ears.

Seems like a simple solution would be to show file extensions

moki (Andrew Welch) gets credit for the understatement of the century.

Folks... the file "latestpics.tgz" is definitely up to no good, or at least wants to appear that it is up to no good. When unarchived, the file appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.

The file is actually a Unix executable, with routines such as:

_infect:
_infectApps:
_installHooks:
_copySelf:

I have not looked at it in complete detail yet, but it does indeed appear to be opening files, changing file attributes, and potentially doing damage.

DO NOT DOWNLOAD OR RUN THIS FILE

Mod Doctor Q has a request.

MacRumors asks that nobody post the original URL of the file in question or copies of the files in question. Let's not take chances while there are unknowns.

Thank you.

iBlue, a demi-goddess with a Gandolfini av, wants to hug CoMpX.

that is seriously depressing. i am officially shaken from my nice little warm fuzzy macintosh lull.

WildCowboy auditions for the choir.

Definitely not a good day for Mac users, and I'm looking forward to seeing an analysis of what it actually does. Wake up Mac users...you are not safe by any means.

easy4lif poses a question and congratulates Doctor Q for swift action.

does anyone think apple could patch this or would want to see this virus for themselves. it would surely help them to combat peoblems that are to come. oh yea, this guy lasthope made that one post before being banned, I'm sure he wanted to see if his virus is headed in the right direction. Good job on banning him

macrumors12345 thinks it might be the browser.

So, didn't Safari automatically warn people that they were downloading an executable/application, which should immediately raise big red flags (given that the file was supposed to be a picture)??

Or were the users who got infected with these files using Firefox or some alternative browser? I'm very curious to know...

Ripmixburn has exclusive inside information which will remain unchallenged for now.

I have worked at an Apple Store. I can tell you for a fact that there will be at very least a dozen people looking into this. I bet they'll have a fix / explanation in no time.

easy4lif is also confident.

i have to agree with this. th last thing apple needs right now is for all this wild fire about viruses coming out during the intel transition. Tomorrow Steve jobs is going to yell at a lot of engineers to get this fixed fast cause thier jobs depend on. I see mac patch in 5 days

MacFan782040 is ecstatic at this news.

Yay for Apple police!

wankle doesn't like Ripmixburn.

Oh God, shut up. The fact that you worked at an Apple Store means nothing, get over yourself. "At least a dozen people" HAHA yeah OK, you want to tell me you didn't pull that completely out of your butt?

Is there really anything you can do to patch this kind of thing? If I write an application that has an icon like a jpg and deletes everything on your disk afer asking for your admin password... how exactly would you patch for that kind of thing?

This reminds me a LOT of the old joke about the Unix virus.

generik's got an answer no one's thought of before.

Catfish_Man knows people who know people who've heard of Renepo.

Just for reference: this is not the first Mac trojan horse. There was one that masqueraded as a Microsoft Office Installer, and another proof-of-concept that pretended to be an mp3 file. It's also not a virus, as it doesn't appear to be able to spread itself.

There's also a rootkit (called Opener). I saw it installed on my parent's machine (they were running without a password).

MrCannon's up on his definitions and tells everyone so.

You guys act like the world has ended because of some little piece of code. Realistically it seems like this 'outbreak' could be easily quarantined as it seems to have affected only a small number of users.

Edit: Also since the definitions of trojan, virus and worm seem to be quite fuzzy with just about everyone, I think this would classify as a trojan since it takes the user downloading it to propagate from machine to machine.

Shrikey scolds.

I saw this on Digg, and after reading this far, I have to say you guys are in a world of FUD.

Stop. Calm down. Many of you are running around like the proverbial headless chicken.

First off, as a few others have mentioned, EVEN IF THIS QUALIFIES AS A VIRUS, THIS WOULD NOT BE THE FIRST. Nothing has changed. Today is not a "Dark day for Apple". Stop with the frikkin melodrama.

Rocksaurus goes out on a limb and backs up wankle in his attack on Ripmixburn.

I'm going to have to agree 100% with this. I worked at an Apple Store. They're idiots, to be completely blunt. Months after the world knows about this virus if you go in there and ask an employee directly all but a few will tell you "There are no viruses for Mac!" THere are a few exceptions, of course.

dejo comes with conceit but asks Shrikey for enlightenment.

Okay, please enlighten us as to what all the previous OS X viruses are...

Benjamin, with the cutest icon of the bunch, puts his best foot forward to help Shrikey in his crusade to enlighten curmudgeon dejo.

Well I know of at least this one, might not be as destructive as iBlue's but this has been around for awhile... I don't endorse the use of this 'Virus". YOU HAVE NOW RECEIVED THE UNIX VIRUS This virus works on the honor system: If you're running a variant of unix or linux, please forward this message to everyone you know and delete a bunch of your files at random.

Bringing up the rear, noface comes in to audition for scout leader.

Look guys, whether it is the first virus(it is a damn virus) or the last......
A little solidarity wouldn't go astray OK.
If you are on this forum this could theoretically affect you.
So stop the bickering.
"Killhopelast"..... hasn't spread (other than to networked macs) so far.... this is a good sign no?

shadowmoses follows right behind.

This isnt a virus its a little executable file which runs terminal, it was just a matter of time before someone wrote something like this and spread it....Besides in order for it to do any damage you would have to log in as root by entering your password, so long as you dont do that the damage it can cause is minimal at best...

Wasnt there something simular to this with the release of 10.4, I remember a virus/trojan spreading through a widget??

Shadow

Shrikey scratches his head.

I remember seeing a similar trojan back during 10.2

3fingersalute wins everyone over with a single post.

Virus, Trojan, whichever it gets classified as, the bottom line is that mac's have been targeted and exploited. Mac users are getting all fired up over this, and that is what viruses and trojans are all about, so I bet OS X gets targeted hardcore now.

So if mac's are not immune to viruses anymore, that leaves zero reasons to own a mac.

Day Se7en

It is now 16 February and the year is still 2006 and SpookTheHamster comes in early to establish law and order.

Can we stop with the hysteria, people?

There have been OS X trojans available for quite some time, and I'm amazed that it's taken so long for someone to post one like this, that lures other people into downloading it. It's just like the many that try to spread via MSN (you know, the "I know who's blocking me!!!!" one).

I'm assuming it started on these forums, so most of the people who are infected should know better than to trust someone claiming to have pictures of 'Leopard'. I mean, would you trust someone you'd never met when they offered you something for free? I'd expect that sort of behavior from a 12 year old girl, not people on a Mac forum with a reputation for being well knowledged.

I don't know about most of you, but one of the first things I did was set file extensions to 'on' when I got my Mac (I got fed up with different files having the same icon), and I'd be extremely wary of opening any 'pictures' without a .jpg extension.

Many of us have come from Windows backgrounds, and we shouldn't let the fact we're on a more secure OS go to our heads and change how we act, no matter how secure an operating system is, it's worth nothing if the system operator is a moron.

We've established what it does, now let's get rid of it. Nobody has a good reason for wanting to look at it, there's an in-depth post about it on ambrosia software. I recommend that everyone who's been infected reinstalls OS X, and we all get on with our lives (with more common sense)

Mr Mister says it has to be a virus for exactly the same reason someone previously insisted it had to be a trojan.

Seeing as it requires user authentication, it's just as much of a virus as somebody formatting their own damned hard drive.

WildCowboy does not agree the worm's innocuous.

It doesn't require any sort of authentication if the user has admin privileges...it just goes.

yeshua1984 too likes file extensions.

I completely agree, file extensions are good. What as a teen you never tried to send your pc friends viruses claiming to be something else?

It's just common sense people, glad im not working at the university computer store anymore, would be fun telling people to think about what they are clicking on

MrMacMan who's read easy4lif's post about a patch from Apple in five days is dubious.

Patch what?
Stupidity?

Look I suppose mac users are usually careless about downloads and open files they don't and open the enclosed files because the worst thing they believe could happen is they install a windows virus... which wouldn't affect them but people need to watch out legitimately about everything. You don't double click a script file just because -- heck it might actually be a unix command to delete your hard drive (forget admin password needed anyway)

So far we know it uses AIM to propagate itself (slowly) and since it doesn't really exploit any 'holes' in the OS (besides I suppose allowing to open executables... oh wait modern OS have to allow programs and scripts to run).

Since we haven't found out what the 'payload' of this Trojan has...
[If you say this is a virus you don't know how viruses work on windows computers... exploiting system holes, ect.
Can you classify as a virus? Yes I suppose since it tries to get across using AIM but still it uses AIM as a medium which is exactly what trojans try to do -- find a back door]
We can't find or create a solution to fix it.

Does it have a keylogger?
Is your computer a zombie waiting for instructions?
Is it used on a DDoS/DoS attack?

We don't know and until we do -- its a program that could be dangerous but thats really what it is, a malicious and deceptive script created by someone who tried to trick you (social engineering at its most basic)

--MrMacMan

P.S:
GITANAJAVA -- Check your active processes and kill any process that has iChat in it. Clearly the program installs it own stripped down version of iChat to try to propagate itself to others.
You can use the terminal command -top or activity monitor in your utilities folder to 'stop' or 'kill' the hidden programs this program may be trying to run to infect others.

FFTT starts fftting around.

This proof of concept attack is exactly why I've been promoting the use of a secondary LIMITED Super User Account for all your normal daily activities.

The best way to prevent something like this from happening is to use your primary administrative account ONLY for installs and maintenance from known sources.

OraclePhoenix wants to summarise.

From what I read online from different sites, here is what I have summarized. It started here on macrumors with the lastest leopard screenshot post. It install via terminal. It then scans using spotlight for the recently used apps and creates scripts/attachs to those apps and when they are activated it uses those apps to spread itself. Some site say they create duplicates of all the app it attaches to. Some say its a script, while some say its a unix shell. It only works on 10.4.5 and only infects PowerPC or was that only Intels. correct me if I am wrong or I have missed any points.

P.S. My 2 cent is that it logs in to the root account(because the root account name is root and the password is root) and install the program.

Doctor Q has a comment right away on the shell/script comment by OraclePhoenix.

"Script" = "shell script" = program written in a shell's language = program that runs in a Unix shell. It's all the same thing.

Example shell and its language: bash

Terminal is the application in Mac OS X for running shells interactively and for running shells scripts.

The thread ends with this comment by OraclePhoenix. No one else could have done it finer.

As far as I can tell it has only infected PowerPC, there are not reports of infected Intel Core Dous. Is this Apples way of converting people to Intel?

Epilogue

A week after a week after, people like above were already shrugging off Oompa Loompa, calling it 'FUD', and priding themselves in debunking yet another 'OS X exploit myth'.

If they do so in the future, they need only return to this URL to see how they reacted at the time.

r3d3pshun gets the final word, contacting this site in late February / early March.

I didn't write it for the press - although I knew that was coming. It was more just because I was annoyed with all the fanboys.

See Also
Industry Watch: The Chocolate Tunnel
Learning Curve: Peeking Inside the Chocolate Tunnel