Low-Threat Mac OS X Trojan Appears

A Trojan horse aimed at Apple’s Mac OS X operating system has appeared, purporting to be screenshots of the company’s forthcoming Mac OS X 10.5 “Leopard” operating system. Although the Trojan, dubbed “OSX/LeapA” by antivirus firms, can spread itself via the iChat instant messaging program and damage applications on a Mac OS X computer, unlike many Windows Trojans, it spreads by fooling users into launching it manually, rather than by leveraging security flaws in the operating system.

The Trojan was uploaded earlier this week to the MacRumors Forums site under the filename latestpics.tgz. Longtime Macintosh developer Andrew Welch of Ambrosia Software has posted a detailed analysis of the malware, which he initially dubbed “Oompa-Loompa.” When executed, the Trojan attempts to send itself to the user’s iChat contacts and damages applications on the user’s computer in attempts to spread itself. The trojan appears to attempt to spread itself through other applications as the user launches them, but, due to a bug, winds up damaging the applications, which then fail to launch.

The overall thread from OSX/LeapA is low. In order to be infected, users must:

  • acquire the Trojan, whether via download, email, iChat, or another means
  • manually decompress the file, and
  • manually open the decompressed file (which, for most users, will entail entering their administrator password)

The Trojan cannot spread between computers using a security loophole or other automatic mechanism: to be “infected,” a user must manually unarchive the file and deliberately open it.

Mac OS X users can easily protect themselves by simply not opening any archive they’re not expecting (especially via email or iChat, or if it’s called latestpics.tgz). Sophos and Symantec have already updated their virus definitions to detect OSX/LeapA, and are collecting information about the Trojan.