Malware descriptions

“Leap” of Faith

Although we’ve seen malware compiled for MacOSX in the past, there hasn’t been any major outbreak of Mac malware, yet.

Earlier today there have been a couple of reports about a MacOSX trojan on the MacRumors forum. We’ve been able to obtain a sample and take a look.

OSX/Leap.A is a native PowerPC malware which is distributed in the form of a TAR-Gzipped archive called “latestpics.tgz”. Once the archive has been expanded (by a simple double-click in MacOSX) the user is presented with an application called “latestpics”, 39596 bytes in size. It looks like this:

Executing it activates the worm code, which attempts to infect other applications on disk and replicate to other computers using iChat.

Infection of local applications is performed in a classic way – by saving the original binary in its resource fork, then by overwriting the application code with the 39596-bytes long “latestpics” executable. In our tests, this didn’t quite work well and infected applications no longer seem to work. The worm uses a special method to gain control whenever a new application is executed – it drops an InputManager extension in the ~Library/InputManagers directory of MacOSX, in the form of a 18884 bytes long “apphook”. Whenever a new application is started, the “apphook” extension will also get executed, initiating the infection procedure.

The author seems to have been working on e-mail replication as well, but this part of the worm doesn’t seem to be complete yet. This might arrive in a future version though.

With Apple’s transition to Intel hardware and aggresive price policy, it was just a matter of time until Macs become popular not only between users, but also as a target for malware authors. Based on our previous experiences, there is no doubt that what we are seeing today is only the beginning.

“Leap” of Faith

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox