Since discovering the Oompa-Loompa Trojan horse, Intego has analyzed both the original Trojan horse and two variants that have been found in the wild, in order to determine the level of danger for Mac users. This document outlines the way this Trojan horse functions, how it transmits itself to other users, and how Mac users can protect themselves.
Currently, the best protection against this Trojan horse and its variants is Intego VirusBarrier X4, which provides total protection from all known viruses. “It is clear that antivirus software on a Macintosh computer is as essential as wearing a seat belt in a car,” says Intego CEO Laurent Marteau. “You only realize how valuable it is when you need it.”
Intego was the first to discover this Trojan horse early last week, and updated its virus definitions on February 14, 2006, to provide protection for users of VirusBarrier X and VirusBarrier X4. While the company did this as soon as the Trojan horse was found in the wild, it chose not to publicize the threat immediately, since it could have incited hackers to create variants that may act differently. Indeed, after news of this Trojan horse became public, two other variants were found in the wild. While this Trojan horse currently damages applications and transfers itself to other users via iChat over a local Bonjour network, future variants may have the power to do further damage.
Intego’s Virus Monitoring Center has examined the original Trojan horse and its variants and the following questions and answers explain how this Trojan horse works, how it infects Macintosh computers, how it propagates, and how Mac users can protect themselves from it.
What is the Oompa-Loompa Trojan Horse?
The Oompa-Loompa Trojan horse, also called OSX/Oomp-A or Leap.A, affects Macintosh computers running Mac OS X. The Oompa-Loompa Trojan horse infects applications on computers where it runs, enabling those applications to in turn spread the virus, and can propagate by sending itself to users’ iChat buddies on a local Bonjour network.
How can Mac users protect themselves from this Trojan horse?
Intego VirusBarrier X and VirusBarrier X4 eradicate the Oompa-Loompa Trojan horse when using virus definitions dated February 14, 2006 or later, and Intego remains diligent in ensuring that both products will also eradicate any future Trojan horses that try to exploit this same technique.
Is there more than one version of this Trojan horse?
The Intego Virus Monitoring Center has isolated three versions of this Trojan horse so far, and is monitoring suspicious activity to ensure that there are no others.
What does this Trojan Horse look like?
Initially appearing in a compressed file called latestpics.tgz or latestpics.gz, this Trojan horse, after being decompressed, appears to be a graphic file. However, if other hackers alter the current version of this Trojan horse, the file may have a different name or resemble a different type of file.
How does this Trojan horse become active?
A user must either download the file from a web site, receive it as an e-mail attachment, or receive it via iChat from a buddy on a local Bonjour network. In the latter case, users are more likely to trust the source, even though the “sender” is not aware that the file has been sent. The user must double-click the file to decompress it, then double-click the resulting Trojan horse, which is disguised, via a custom icon, to resemble a graphic file.
Does this Trojan horse indicate its presence by asking for an administrator’s password?
No. This Trojan horse runs a script in a Terminal window, but gives no other indication of its actions. It does not need an administrator’s password, since it infects either the current user’s home folder, or, if the user is logged in as root, a system folder. In the first case, no password is required to add files to a user’s home folder. In the second, relatively rare case, a user logged in as root does not need to enter a password to install files in system folders.
How does this Trojan horse infect a Mac OS X system?
When a user double-clicks the uncompressed file, expecting to see a picture, the executable code in the file runs: a Terminal window opens showing a process that runs then exits. This process installs the Oompa-Loompa Trojan horse in two locations on a user’s Mac. The Trojan horse copies itself to the /tmp folder (used to store temporary files) and installs a file called apphook.bundle in the user’s InputManagers folder (in the user’s Library folder) which ensures that it is replicated in other Cocoa applications the user launches. (If a user is logged in as root, the Trojan installs itself in the system-level /Library/InputManagers folder.)
Using Spotlight, the Trojan horse searches for four recently used applications, then infects them with its own code. The apphook.bundle Input Manager attempts to send a copy of the original file, latestpics.tgz, to every person on a user’s iChat buddy list, if that user is logged in to a Bonjour (local) network. Since users see this file coming from friends and colleagues, they assume that it is safe, and therefore double-click the file a first time to decompress it, and a second time to attempt to “view” it. Also, when users run infected applications, the Oompa-Loompa code seeks out additional applications to infect.
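The two installation locations named above (the user's ~/Library/InputManagers folder, or /Library/InputManagers when running as root, each holding a file called apphook.bundle) are the artifacts an administrator can look for. The following shell script is an added example written for this document; it is not Intego's code and not part of VirusBarrier. It lists every item in both Input Manager folders, flags the apphook.bundle name the FAQ gives, and asks the reader to review anything else found there, since a legitimate Mac of that era rarely had Input Managers installed. The folder paths are passed as arguments, and the script builds a constructed sample tree so it can be run offline; the sample tree and the RUN_EXAMPLE switch are assumptions of this example only.

```sh
#!/bin/sh
# Added example (not Intego's code): a defender-side check for the Oompa-Loompa
# persistence artifact described in the FAQ. It inspects the Input Manager
# folders and flags the one file name the FAQ gives, apphook.bundle.

# scan_input_managers USER_LIBRARY SYSTEM_LIBRARY
# Prints one line per item found in either InputManagers folder.
# Returns 1 if the known artifact name is present, 0 otherwise.
scan_input_managers() {
  user_lib="$1"
  sys_lib="$2"
  found=0
  for dir in "$user_lib/InputManagers" "$sys_lib/InputManagers"; do
    [ -d "$dir" ] || continue
    for item in "$dir"/*; do
      [ -e "$item" ] || continue   # skip the literal glob when the folder is empty
      name=$(basename "$item")
      if [ "$name" = "apphook.bundle" ]; then
        echo "SUSPECT  $item  (name matches the Oompa-Loompa Input Manager)"
        found=1
      else
        echo "REVIEW   $item  (unexpected Input Manager; confirm it is wanted)"
      fi
    done
  done
  return $found
}

# Constructed sample tree (an assumption of this example, not a real system):
# a user Library containing the known artifact and an empty system Library.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/home/Library/InputManagers/apphook.bundle"
  mkdir -p "$root/Library/InputManagers"
  echo "$root"
}

# count_suspects TREE_ROOT
# Number of SUSPECT lines the scan produces for a tree built like the sample.
count_suspects() {
  scan_input_managers "$1/home/Library" "$1/Library" | grep -c '^SUSPECT'
}

# Stand-alone run against the constructed sample. On a real Mac the call would
# be: scan_input_managers "$HOME/Library" /Library
if [ "${RUN_EXAMPLE:-1}" = 1 ]; then
  sample=$(make_sample_tree)
  scan_input_managers "$sample/home/Library" "$sample/Library" \
    || echo "Known Oompa-Loompa artifact present; remove it and scan applications"
  rm -rf "$sample"
fi
```

The check deliberately reports every Input Manager, not only apphook.bundle, because the FAQ notes that future variants may use a different name; any unexpected bundle in these folders deserves a look. Finding the bundle is only the first step: the Trojan horse also copies itself to /tmp and injects code into recently used applications, so those applications should be reinstalled from a trusted source as well.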
Is this a Trojan horse, a virus, or a worm?
It is a combination of all three of these types of malware:
1. First, it is a Trojan horse: an executable hidden inside a file disguised as a graphic file, which tricks users into opening it. This is the first contact that any user will have with this malware.
2. Then it is a virus, as it replicates in other applications on a user’s computer, damaging those applications and adding its code to them.
3. Finally, it is a worm, when it sends a copy of itself to other users via iChat. At this point, users receiving the file now have a Trojan horse.
Some have suggested that users who take risks by downloading files from untrusted sources should act more responsibly. Is this how the Oompa-Loompa Trojan horse spreads?
To ensure that users can access the tremendous amount of information available on the Internet, it is essential that they be protected with efficient security software. Suggesting that users should not download anything takes away the value of the Internet, which provides so many programs and so much other information. Also, if this Trojan horse spreads via iChat on a Bonjour network, users will trust the sender, since they are probably used to receiving files from them. Many businesses use instant messaging regularly, and commonly send and receive files to and from colleagues.
Where did Intego first find out about this Trojan horse?
Intego received a copy of this Trojan horse on February 14, 2006, after an Intego user discovered it on a Macintosh forum. The user expected the file to contain pre-release pictures of a new operating system, but instead it infected his Mac. The user discovered this later when iChat buddies on his local network asked why he was sending them files; he also found that some of his applications no longer launched.
Has Intego informed Apple about this Trojan horse?
Yes, we informed Apple as soon as we examined this Trojan horse and discovered its dangers. We were the first security company to provide samples of this Trojan horse, and we have been in close contact with Apple to ensure that this Trojan horse is controlled as quickly as possible.
Can Intego provide samples of this Trojan horse to users who are curious to see how it functions?
No. Intego’s role is to protect its users, not to spread malware. We do send such files to other security companies, along with Apple, but not to anyone else.
Does this Trojan horse delete any files?
No, it currently only infects applications and then sends itself to other users via iChat on Bonjour networks. However, it may be possible for other hackers to change this Trojan horse to delete files.
Does this Trojan horse affect any Mac OS X system files?
No, it only affects applications, at least in its current version.
Does this Trojan horse affect Mac OS 9 or earlier versions of Mac OS X?
No, it only affects Mac OS X 10.4 (Tiger).
Does this Trojan horse affect new Macintosh computers running Intel processors?
On Macs running Intel processors, the Trojan horse executes in Rosetta emulation and infects applications, but cannot spread via iChat.