Virus creators begin knocking at Apple's core

Mac OS X got its first taste of real viruses and system compromises over the past two weeks, with three separate attacks cropping up within days of each other. They were all limited in scope and destructive capability, demonstrating that so far there's no easy route to infect Apple computers. But let's not act smug: Worse will come.

The three attacks have lots of provisos attached about how they work. Some experts dispute even calling them "viruses," because none of them purposely causes damage, and although they all attempt to propagate, none spreads well.

The first piece of malware, Leap-A (or "Oompa-Loompa"), attaches itself to programs written specifically for Mac OS X using Apple's Cocoa programming framework. It attempts to propagate through iChat, according to Macworld magazine, but only to users on the same local network using Bonjour. (Bonjour, previously known as Rendezvous, lets users of the same piece of software, like iChat, or of network resources, like a printer, connect by browsing across a local network.)

Leap-A is a kind of Trojan horse, disguising itself as a compressed image file named latestpics.tgz or latestpics.gz. When you launch an infected program, Leap-A tries to send a copy of itself to other users via iChat's file-sharing feature. Those users must accept the file, decompress it (by double-clicking), and then launch it (by double-clicking). That's three manual, affirmative actions to spread Leap-A.

A fourth action — entering an administrator password — is required if Leap-A tries to infect programs from a Mac OS X user account that doesn't have full administrative privileges. Most people who are the only user on their computer are set up as administrators; at least one user must be. This virus has prompted some to consider creating a second, less-privileged account, although it's not a security panacea.

A second virus, Inqtana.A, only works on computers with Bluetooth wireless network adapters running a version of Panther (10.3) or Tiger (10.4) that lacks an update Apple released nearly a year ago to close the hole the virus exploits.

A machine infected with Inqtana.A tries to infect other computers after it is restarted. It can reach other computers only via Bluetooth. To become infected, you must not have patched your Panther or Tiger installation, and you must accept files offered by a compromised computer via Bluetooth file transfer. Again, a threat is there, but it requires substantial user intervention to become infected.

The third assault isn't a virus, but might be used in the future as a worm to spread viruses. It is unnamed as I write this, and can affect your computer via Safari, if you visit Web pages with malicious content tailored for this attack, or via Apple's Mail program, which could receive virus-laden e-mail attachments.

The exploit relies on a problem with how Mac OS X processes certain kinds of files. In Safari or Mail — and potentially other Apple programs — files containing programming in a human-readable scripting language that's sent or encoded in a particular way could be executed, and used to launch programs and send instructions to programs already installed on your computer.

In Safari, Apple offers a feature that automatically opens what before this last week was called "safe" content, such as images, ZIP archives, and PDF files. This option can and should be turned off. Launch Safari, open Preferences from the Safari menu and click General. If the Open "Safe" Files After Downloading option is checked, click it to turn that feature off.

The vulnerability in Mail requires that you double-click a file containing this kind of virus that you received as an attachment from an unknown party.
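The attack described above works because a file that looks like "safe" content (an image, ZIP archive or PDF) actually holds a human-readable script. One defensive check is to compare a downloaded file's claimed extension with the bytes it actually starts with. The following is an added example, not code from the column or from Apple; the signature table and the `classify_download` and `scan_file` names are this example's own.

```python
import os

# Standard leading bytes for the file types Safari auto-opened as "safe",
# plus gzip for the .tgz/.gz names Leap-A used. Constructed table for this example.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".pdf": (b"%PDF-",),
    ".gz": (b"\x1f\x8b",),
    ".tgz": (b"\x1f\x8b",),
}


def classify_download(name: str, head: bytes) -> str:
    """Classify a download from its claimed name and its first bytes.

    Returns 'script'   if the content begins with an interpreter line ("#!"),
            'mismatch' if the extension claims a known type but the bytes differ,
            'ok'       if extension and leading bytes agree,
            'unknown'  if the extension is not one we have a signature for.
    """
    ext = os.path.splitext(name)[1].lower()
    # A shebang means a shell/Perl/etc. script, whatever the extension says.
    if head.startswith(b"#!"):
        return "script"
    if ext not in MAGIC:
        return "unknown"
    if any(head.startswith(sig) for sig in MAGIC[ext]):
        return "ok"
    return "mismatch"


def scan_file(path: str) -> str:
    """Read only the first 16 bytes of a file on disk and classify it."""
    with open(path, "rb") as f:
        return classify_download(os.path.basename(path), f.read(16))


if __name__ == "__main__":
    # Constructed sample: a "JPEG" that is really a shell script.
    print(classify_download("latestpics.jpg", b"#!/bin/sh\necho hi\n"))
```

The check only looks at the outer file; an archive such as latestpics.tgz still has to be opened in a program of your choosing, not auto-launched, before its contents can be judged.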

When Windows virus and worm writers attempt to use this kind of technique, they often team up with phishers and spammers. Spammers spew out huge amounts of unsolicited e-mail with virus payloads or phishing messages that lead you to Web sites that attempt to push malicious files at your computer.

Apple made choices in OS X that offer dramatically fewer vectors for infection to spread. This has long been Windows' Achilles' heel: So many parts of the system prior to XP Service Pack 2 readily accepted input that could be exploited or executed programs and scripts without asking questions.

Without a vector that allows viruses to spread automatically and exponentially, it's tricky to produce an outbreak. Each of these attacks requires a sequence of unusual, intentional behavior.

Apple also benefits from the increased use of Network Address Translation (NAT), used by broadband and Wi-Fi gateways to share incoming Internet access. NAT creates private addresses that can only be used within a local network, reducing the points of entry to computers.

The solution for files received via a Web site or e-mail that might be disguised to conceal a virus? As Windows owners have long known, you should never open a file if you're unsure of its contents or if it comes from someone you don't know. You can try opening a file from within the program that purportedly created it.

For instance, open a JPEG within Preview (don't open within Safari, as that might simply launch the file). Anti-virus software from Intego, Symantec, and others can also examine suspicious files or block these files from ever opening.

Let's not smile that smug Mac-user smile too soon, though. Apple's prudence has set the bar very high, but the appearance of three attacks in quick succession — all of them poor or hard to take advantage of — signals interest by malware creators in wreaking havoc on the platform, even if they can't spread it to millions of computers.

Glenn Fleishman writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to gfleishman@seattletimes.com. More columns at www.seattletimes.com/columnists