A malicious file uploaded early this week to the MacRumors Forums site is a Trojan horse designed to fool Mac users into thinking they’ll get to see preview pictures of Mac OS X 10.5 Leopard, the next version of Apple’s operating system software. Instead, the file, named "latestpics.tgz," attempts to send itself to the user’s iChat contacts, and damages applications on the user’s computer. Your computer can’t be infected unless you open the file.
Andrew Welch of Ambrosia Software appears to be the first to post a thorough analysis of the malware, which he dubbed "Oompa-Loompa," or "OSX/Oomp-A" in the standard taxonomy. Both Sophos and Symantec appear to be using the name "OSX/Leap-A," and both are offering definition downloads.
Welch says Leap-A appears to try, and fail, to spread itself by modifying other applications the user launches; the failed modification leaves those applications unusable.
The easiest thing you can do to protect your computer is not download and open "latestpics.tgz" or any other archive you’re not expecting. If you receive a file via email or instant message that you’re not expecting, even from someone you know, always ask before opening it. This malware can’t run itself: even when it sends a copy to a victim’s iChat contacts, the recipient has to open the file for anything to happen, so it relies on social engineering to trick users into activating it. (See "Are Input Managers the Work of the Devil?" elsewhere in this issue for more on the vulnerability that Leap-A is exploiting.)
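Asking before opening is the first check; the second is to look inside an archive without extracting or launching anything. The script below is an added example written for this article, not code from the article or from any of the analyses it cites. It builds a small constructed .tgz in memory that imitates the shape of a "pictures" archive carrying a native executable (it is not the real latestpics.tgz), then walks the entries and flags anything a folder of pictures should not contain: Mach-O, ELF or script magic bytes, execute permission bits, a picture extension whose bytes are not a picture, and AppleDouble "._" sidecar entries, which on Mac OS X can carry Finder metadata such as a custom icon for the file they accompany.

```python
"""Inspect a gzip-compressed tar "picture" archive without extracting or running anything.

Added example; the sample archive is constructed here and is NOT the real latestpics.tgz.
"""
import io
import os
import stat
import tarfile

# Header bytes an image file of a given extension should start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Header bytes of things that should never be inside a folder of pictures.
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\x7fELF": "ELF binary",
    b"#!": "script with a shebang line",
}


def inspect_member(name, head, mode):
    """Return a list of warnings for one archive entry, from its name, first bytes and mode."""
    warnings = []
    base = os.path.basename(name)
    ext = os.path.splitext(base)[1].lower()

    for magic, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            warnings.append(f"{name}: content is a {desc}")
            break

    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        warnings.append(f"{name}: executable permission bits set ({oct(mode & 0o777)})")

    if ext in IMAGE_MAGIC and not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
        warnings.append(f"{name}: name claims {ext} but bytes do not match a {ext} header")

    # AppleDouble sidecars (magic 0x00051607) hold extended attributes and the
    # resource fork, which is where a custom Finder icon for base[2:] would live.
    if base.startswith("._"):
        warnings.append(f"{name}: AppleDouble sidecar (may carry a custom icon / resource fork for {base[2:]!r})")

    return warnings


def inspect_archive(data):
    """Walk an in-memory .tgz and collect warnings for every regular file, reading only 16 bytes each."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            f = tar.extractfile(member)
            head = f.read(16) if f else b""
            findings.extend(inspect_member(member.name, head, member.mode))
    return findings


def build_sample_archive():
    """Construct a small archive that imitates the shape of a disguised executable.

    Entries: an extension-less 'picture' that is really a Mach-O header with the
    execute bit set, an AppleDouble sidecar for it, and a genuine JPEG for contrast.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, payload, mode):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tar.addfile(info, io.BytesIO(payload))

        add("latestpics/latestpics", b"\xce\xfa\xed\xfe" + b"\x00" * 60, 0o755)
        add("latestpics/._latestpics", b"\x00\x05\x16\x07" + b"\x00" * 60, 0o644)
        add("latestpics/real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60, 0o644)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print("WARNING:", line)
```

On a real archive you would pass the bytes of the downloaded file to inspect_archive; the same information is available at a Terminal with `tar tzvf latestpics.tgz` (names and permission bits) followed by `file` on the extracted entries, but the script never writes anything to disk, so there is nothing to double-click by accident.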
If you run anti-virus software, make sure it is set to obtain updates automatically at least weekly, or check manually for updates over the next few days. Dan Adinolfi of Cornell University’s IT Security Office has provided the first two links to Sophos’s and Symantec’s pages, which offer a growing set of info about the Trojan horse. Macworld has also posted a Leap-A FAQ.
Shortly after Leap-A made headlines, a second piece of malware appeared. Inqtana-A is described as a Java-based proof of concept that takes advantage of an old Bluetooth vulnerability in Mac OS X. If you’ve applied Apple Security Update 2005-006 (for Mac OS X 10.3.9 and Mac OS X 10.4.1) or the general Mac OS X 10.4.1 release, your Mac is unaffected by Inqtana-A.
Although both threats are minimal – especially compared to far more dangerous malware that Microsoft Windows users encounter – they’ve served as a reminder to the Mac community that no computer system is entirely immune to Trojans, worms, and viruses.