The first Mac OS X malware has been spotted in the wild, but it appears to be something of a damp squib.
Called Leap-A by anti-virus companies, the worm appears as a JPEG file that spreads via iChat to contacts on the infected user's buddy list.
According to a Symantec press release:
The worm makes use of the Spotlight search program, included in OSX, and will run each time the machine boots. It identifies any applications being started, and if iChat begins to run, the worm uses iChat to send the infected file latestpics.tgz to all contacts on the infected users buddy list. Those on the buddy list will then be asked to accept the file. If they do, the file will subsequently be saved to their hard drive. Files infected by OSX.Leap.A may be corrupted and may not run correctly.
There is some disagreement about what the worm does. Anti-virus firm Sophos says it deletes files and leaves other "non-infected" files on the computer. An email press release from Computer Malware Enumeration says it "prevents Macintosh OS X from working properly and infected applications from launching correctly."
Nonetheless, Leap-A appears to be the first OS X malware "in the wild." A previous OS X nasty -- a Trojan horse dubed MP3Concept -- turned out to be a proof of concept only.
Leap-A first appeared earlier this week as a link on the forums of Mac Rumors that purported to be spy screenshots of Mac OS X 10.5 (Leopard).
Symantec classes the worm is a low threat because it doesn't automatically infect other's machines. The company says it has infected less than 50 machines.
"... this worm will not automatically infect, but will ask users to accept the file, giving potential victims a heads up and the opportunity to avoid infection," the company said. "The important piece of advice for any iChat users running OSX 10.4 is not to accept file transfers, even if they come from someone on a buddy list."
However, as CME notes in its statement, the worm is a wake-up call for OS X users with a false sense of OS X's invulnerability: "Now that Leap.A has been discovered in the wild, copycat media-craving individuals will likely launch similar attacks in 2006.
SOURCE: Wired.com
Called Leap-A by anti-virus companies, the worm appears as a JPEG file that spreads via iChat to contacts on the infected user's buddy list.
According to a Symantec press release:
The worm makes use of the Spotlight search program, included in OSX, and will run each time the machine boots. It identifies any applications being started, and if iChat begins to run, the worm uses iChat to send the infected file latestpics.tgz to all contacts on the infected users buddy list. Those on the buddy list will then be asked to accept the file. If they do, the file will subsequently be saved to their hard drive. Files infected by OSX.Leap.A may be corrupted and may not run correctly.
There is some disagreement about what the worm does. Anti-virus firm Sophos says it deletes files and leaves other "non-infected" files on the computer. An email press release from Computer Malware Enumeration says it "prevents Macintosh OS X from working properly and infected applications from launching correctly."
Nonetheless, Leap-A appears to be the first OS X malware "in the wild." A previous OS X nasty -- a Trojan horse dubed MP3Concept -- turned out to be a proof of concept only.
Leap-A first appeared earlier this week as a link on the forums of Mac Rumors that purported to be spy screenshots of Mac OS X 10.5 (Leopard).
Symantec classes the worm is a low threat because it doesn't automatically infect other's machines. The company says it has infected less than 50 machines.
"... this worm will not automatically infect, but will ask users to accept the file, giving potential victims a heads up and the opportunity to avoid infection," the company said. "The important piece of advice for any iChat users running OSX 10.4 is not to accept file transfers, even if they come from someone on a buddy list."
However, as CME notes in its statement, the worm is a wake-up call for OS X users with a false sense of OS X's invulnerability: "Now that Leap.A has been discovered in the wild, copycat media-craving individuals will likely launch similar attacks in 2006.
SOURCE: Wired.com
