“Leap” of Faith

Although we’ve seen malware compiled for MacOSX in the past, there hasn’t been any major outbreak of Mac malware, yet.

Earlier today there have been a couple of reports about a MacOSX trojan on the MacRumors forum. We’ve been able to obtain a sample and take a look.

OSX/Leap.A is a native PowerPC malware which is distributed in the form of a TAR-Gzipped archive called “latestpics.tgz”. Once the archive has been expanded (by a simple double-click in MacOSX) the user is presented with an application called “latestpics”, 39596 bytes in size. It looks like this:

Executing it activates the worm code, which attempts to infect other applications on disk and replicate to other computers using iChat.

Infection of local applications is performed in a classic way – by saving the original binary in its resource fork, then by overwriting the application code with the 39596-bytes long “latestpics” executable. In our tests, this didn’t quite work well and infected applications no longer seem to work. The worm uses a special method to gain control whenever a new application is executed – it drops an InputManager extension in the ~Library/InputManagers directory of MacOSX, in the form of a 18884 bytes long “apphook”. Whenever a new application is started, the “apphook” extension will also get executed, initiating the infection procedure.

The author seems to have been working on e-mail replication as well, but this part of the worm doesn’t seem to be complete yet. This might arrive in a future version though.

With Apple’s transition to Intel hardware and aggresive price policy, it was just a matter of time until Macs become popular not only between users, but also as a target for malware authors. Based on our previous experiences, there is no doubt that what we are seeing today is only the beginning.