Leap (computer worm)

Leap
Common name: Oompa-Loompa
Technical name: Leap.A
Aliases: OSX/Oomp-A
Classification: Unknown
Type: Worm
Subtype: Malware
Point of origin: Unknown

The Oompa-Loompa malware, also called OSX/Oomp-A or Leap.A, is an application-infecting, LAN-spreading worm for Mac OS X, discovered by the Mac security firm Intego on February 14, 2006.[1] Leap cannot spread over the Internet; it can only spread over a local area network reachable using the Bonjour protocol. On most networks this limits it to a single IP subnet.[2]


Delivery and infection

The Leap worm is delivered over the iChat instant messaging program as a gzip-compressed tar file called latestpics.tgz. For the worm to take effect, the user must manually invoke it by opening the tar file and then running the disguised executable within.

The executable is disguised with the standard icon of an image file, and claims to show a preview of Apple's next OS. Once it is run, the worm will attempt to infect the system.
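The delivery vector above (a "pictures" archive that actually carries an executable) can be screened before anyone double-clicks it. The following is an added example, not code from the article or from Intego: it builds a constructed archive in memory with the same shape the article describes, one genuine-looking image next to an executable, and flags every regular file that carries an execute permission bit. The member names and bytes are invented for the demonstration and are not the real worm's contents.

```python
import io
import tarfile


def executable_members(tgz_bytes: bytes) -> list:
    """Names of regular files in a gzip-compressed tar that have any execute bit set.

    An archive that claims to hold only pictures should return an empty list;
    a non-empty result is the signal that something disguised as an image is
    really a program the user would be launching.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Only regular files can be executed; skip directories, links, etc.
            if member.isfile() and (member.mode & 0o111):
                found.append(member.name)
    return found


def build_sample_archive() -> bytes:
    """Constructed sample archive (hypothetical contents, not the real lure).

    One member looks like a JPEG (0644), the other is a shell script with the
    execute bit set (0755), mimicking the 'executable behind an image icon'
    trick the article describes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        samples = [
            ("latestpics/preview.jpg", b"\xff\xd8\xff" + b"\x00" * 16, 0o644),
            ("latestpics/latestpics", b"#!/bin/sh\necho not a picture\n", 0o755),
        ]
        for name, data, mode in samples:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = executable_members(build_sample_archive())
    print("Executable members found:", suspicious)
```

On a real download you would pass the file's bytes (`open(path, "rb").read()`) to `executable_members`; any name it returns is an item to treat as a program, not an image, regardless of the icon Finder shows.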

For non-"admin" users, it will prompt for the computer's administrator password in order to gain the privilege to edit the system configuration. It doesn't infect applications on disk, but rather when they are loaded, by using a system facility called "apphook".

Leap only infects Cocoa applications, and it does not infect applications owned by the system (including the apps that come pre-installed on a new machine), but only apps owned by the user who is currently logged in. Typically, that means apps that the current user has installed by drag-and-drop, rather than by Apple's installer system. When an infected app is launched, Leap tries to infect the four most recently used applications. If those four don't meet the above criteria, then no further infection takes place at that time.

Payload

Once activated, Leap then attempts to spread itself via the user's iChat Bonjour buddy list. It does not spread using the main iChat buddy list, nor over XMPP. (By default, iChat does not use Bonjour and thus cannot transmit this worm.)

Leap does not delete data, spy on the system, or take control of it, but it does have one harmful effect: due to a bug in the worm itself, an infected application will not launch.[citation needed] This is helpful in that it prevents people from continuing to launch the infected program.

Protection and recovery

A common method of protecting against this type of computer worm is avoiding launching files from untrusted sources. An existing admin account can be "declawed" by unchecking the box "Allow this user to administer this computer." (At least one admin account must remain on the system in order to install software and change vital system settings, even if it is an account created solely for that purpose.)

Recovering after a Leap infection involves deleting the worm files and replacing infected applications with fresh copies.[citation needed] It does not require re-installing the OS, since system-owned applications are immune.[3]
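Because Leap only infects applications owned by the logged-in user and leaves system-owned ones alone (see the infection criteria above), the recovery step "replace infected applications with fresh copies" reduces to finding the user-owned bundles. The following is an added example, not the article's or Intego's code: it lists `.app` bundles in a directory whose owner is not the system user (uid 0), which on a real Mac is the set of drag-and-drop-installed apps worth replacing. The directory layout in `demo_listing` is constructed for the demonstration; the `system_uid` parameter exists so the demo works even when run as root.

```python
import os
import tempfile
from pathlib import Path


def user_owned_app_bundles(app_dir, system_uid=0) -> list:
    """Names of .app bundles directly under app_dir not owned by system_uid.

    With the default system_uid of 0 (root) on a Mac, this returns the
    user-owned applications, i.e. the only ones Leap can infect and therefore
    the ones to replace with fresh copies during recovery.
    """
    app_dir = Path(app_dir)
    candidates = []
    for entry in sorted(app_dir.iterdir()):
        if entry.is_dir() and entry.suffix == ".app":
            if entry.stat().st_uid != system_uid:
                candidates.append(entry.name)
    return candidates


def current_uid() -> int:
    """Uid of the account running this script (POSIX only)."""
    return os.getuid()


def demo_listing(system_uid) -> list:
    """Build a constructed Applications folder and run the listing on it.

    The bundles are created by the current account, so they count as
    'user-owned' for any system_uid other than our own.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("Dragged.app", "AlsoDragged.app"):
            (Path(tmp) / name / "Contents" / "MacOS").mkdir(parents=True)
        (Path(tmp) / "README.txt").write_text("not a bundle")  # must be ignored
        return user_owned_app_bundles(tmp, system_uid)


if __name__ == "__main__":
    # 65534 is a uid that is not ours, so both constructed bundles are listed.
    print("Bundles to replace:", demo_listing(system_uid=65534))
    # On a real Mac you would call user_owned_app_bundles("/Applications")
    # and user_owned_app_bundles(Path.home() / "Applications") with the default uid.
```

Apps installed through Apple's installer are typically root-owned and will not appear; anything that does appear should be deleted and reinstalled from a known-good copy rather than repaired in place.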


References

  1. Intego, "New Mac OS X Trojan Horse: Oompa-Loompa, also called OSX/Oomp-A or Leap.A", 2006-02-14, retrieved 2012-01-20.
  2. "First ever virus for Mac OS X discovered".
  3. "First ever virus for Mac OS X discovered".