Malware descriptions

“Leap” of Faith

Although we’ve seen malware compiled for MacOSX in the past, there hasn’t been any major outbreak of Mac malware, yet.

Earlier today there have been a couple of reports about a MacOSX trojan on the MacRumors forum. We’ve been able to obtain a sample and take a look.

OSX/Leap.A is a native PowerPC malware which is distributed in the form of a TAR-Gzipped archive called “latestpics.tgz”. Once the archive has been expanded (by a simple double-click in MacOSX) the user is presented with an application called “latestpics”, 39596 bytes in size. It looks like this:

Executing it activates the worm code, which attempts to infect other applications on disk and replicate to other computers using iChat.

Infection of local applications is performed in a classic way – by saving the original binary in its resource fork, then by overwriting the application code with the 39596-bytes long “latestpics” executable. In our tests, this didn’t quite work well and infected applications no longer seem to work. The worm uses a special method to gain control whenever a new application is executed – it drops an InputManager extension in the ~Library/InputManagers directory of MacOSX, in the form of a 18884 bytes long “apphook”. Whenever a new application is started, the “apphook” extension will also get executed, initiating the infection procedure.

The author seems to have been working on e-mail replication as well, but this part of the worm doesn’t seem to be complete yet. This might arrive in a future version though.

With Apple’s transition to Intel hardware and aggresive price policy, it was just a matter of time until Macs become popular not only between users, but also as a target for malware authors. Based on our previous experiences, there is no doubt that what we are seeing today is only the beginning.

“Leap” of Faith

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox