A leap in the dark

by Giles Turnbull

Leap.A (or Oompa-Loompa) is not a virus. Depending on what you read, it's either a worm or a trojan. You could call it a little bit of both.



And while a lot of Mac news sites have spent much of the day playing down its significance and pointing out that user action is required to run it and therefore infect each machine, I think it ought to make a lot of people stop and think for a minute.



A summary of Leap.A's activities has been posted by the professional computer security team at F-Secure. I'm inclined to trust what F-Secure say about viruses, worms and other malware, because they have been conducting autopsies on harmful code for years now and they know what they are talking about.


7 Comments

Jim M.
2006-02-16 14:43:15
"I'm inclined to trust what F-Secure say about viruses, worms and other malware, because they have been conducting autopsies on harmful code for years now and they know what they are talking about."


I don't understand your reasoning here. Symantec, McAfee, etc. have been in the "anti-viral" business for years too, so, by your criteria, they should be just as trustworthy as F-Secure. Either trust them all or trust none of them, or tell us why F-Secure is unique! (Last time I looked, they were all in it for the money!)


Matt
2006-02-16 14:45:31
It does require ignorant users. And there are probably a lot of those. But I don't see why this is a big deal. I could write an AppleScript that uses Address Book to send copies of itself via Mail/iChat/whatever, give it a custom JPEG icon, and package it up in a tarball in 10 minutes. This is social engineering, not an OS X vulnerability.
Rob
2006-02-16 15:59:29
Matt, MyDoom.A required a user to start it and didn't use any vulnerabilities. Was that a big deal? (Hint: it was one of the fastest-spreading pieces of malware at that point.)
gilest
2006-02-17 00:12:03
@ Jim M: I don't *distrust* Symantec or McAfee. I just like the way F-Secure communicates with people (especially the entertaining and informative "News from the lab" weblog: http://www.f-secure.com/weblog/). And of course, you're right: they are all in it for the money.


@ Matt: Yes, it is social engineering, that phrase is spot-on.

FARfetched
2006-02-17 07:05:17
The F-Secure description was a little (heck, a LOT) short on details. I can sort of infer that it doesn't require admin access to work, and that an "InputManagers" folder suddenly appearing in your home directory is Bad News.


But the bottom line is: if your daughter receives one of these while she's idle, chances are she'll open it when she sees it (unless she's been forewarned). Me, I use Fire instead of iChat, but my daughter uses iChat. I guess I'd better tell her about it before she gets her iBook back (in for the infamous video glitch).
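The comment above points at the one concrete indicator the page gives: an InputManagers folder turning up under a user's home directory. The script below is an added example (not code from the original post, nor from F-Secure) that turns that hint into a repeatable check. It assumes the folder to watch is Library/InputManagers under the home directory (and, for a root-level install, under /Library), reports whatever it finds there, and returns non-zero so it can be used from a cron job or a login script. It does not try to name the malware's files, since the page does not give them; any Input Manager on a machine that has never knowingly had one installed is worth a look.

```shell
#!/bin/sh
# Added example: flag the presence of an InputManagers folder, the indicator
# mentioned in the comments. Assumption: a clean install of that era has no
# ~/Library/InputManagers folder at all, so its mere existence is suspicious.

# check_input_managers LIBRARY_DIR
#   Looks for LIBRARY_DIR/InputManagers. Prints "OK" and returns 0 when the
#   folder is absent; otherwise lists every entry (including hidden ones)
#   with owner and modification time and returns 1.
check_input_managers() {
    lib="${1:-$HOME/Library}"
    im="$lib/InputManagers"

    if [ ! -d "$im" ]; then
        echo "OK: no InputManagers folder under $lib"
        return 0
    fi

    echo "SUSPECT: $im exists"
    # Glob both normal and dot-prefixed entries; skip the literal pattern
    # when nothing matches, and skip "." and ".." themselves.
    for entry in "$im"/* "$im"/.[!.]* "$im"/..?*; do
        [ -e "$entry" ] || continue
        ls -ld "$entry"
    done
    return 1
}

# Stand-alone run: check the user's Library and the system-wide one.
# "|| status=1" keeps a finding from aborting the loop under "set -e".
status=0
for d in "$HOME/Library" /Library; do
    check_input_managers "$d" || status=1
done
exit $status
```

The exit status is the useful part: run it from a daily cron entry and have it mail you only on a non-zero result, and you get the "someone installed an Input Manager" alert FARfetched is describing without having to remember to look. The check is deliberately crude; a folder that legitimately holds a third-party Input Manager you installed yourself will also trip it, and that is the intended behaviour.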

Matt
2006-02-17 07:12:04
Rob, of course MyDoom.A was a big deal. It was so precisely because it spread like wildfire. It spread because (a) it was a Windows virus and (b) it used similar social engineering techniques. This, however, was distributed at a Mac website, where presumably most users have Macs, and it still flopped like a bad J-Lo movie. Some washed-up hacker wrote a trojan horse/worm that doesn't even work properly, disguised it as Leopard screenshots, and a handful of people downloaded and opened it before it got pulled off the forum. Big deal.
Helvecio
2006-02-17 10:52:58
Matt, remember this: it's only the first! Unfortunately!