A Trojan Horse comes to OS X - not really a big deal; Bonus: How viruses work (roughly)

It appears that a trojan horse called usually called "latestpics.tgz" made it into the Mac OS X world, but it doesn't work like a typical Windows virus or Worm - though it attempts to spread itself through iChat.

It is called Oompa-Loompa or "OSX/Oomp-A" for now, as deemed by one Andrew in the Ambrosia Software forums. This forum thread has literally all the gory details of how it works. It has also been classified as OSX/Leap-A. It originally appeared on MacRumors.com as supposed "pictures of Mac OS X Leopard 10.5", and here is their look at it. The slashdot crowd says it's more FUD (Fear Uncertainty & Doubt) really. And i tend to agree. Notes from the Day in the Life of an Information Security Investigator. In the WaPo Brian Krebs reports on it. Those links should tell you everything. But if you want to hear my ramble on a bit more, follow along....

[this became a bit longer than I intended, but I hope it explains how viruses work generally - and why OS X works all right to prevent this shit. It is relevant to your life. And then you can get into the Matrix.]



I am by no means a professional expert, but I have to deal with this shit, and there are good reasons that Unix and Mac OS X are preferred to Windows by lots of security professionals.

The amount of damage that computer viruses do consists of one thing in particular: propagation: The technical method of reproduction and how it transmits. Duh ok. If it can copy itself without any humans 'clicking OK' on a dialog box, viruses can spread far and wide. If they exploit holes in the memory structure to avoid the safeguards, that's really the key method -- and is NOT the problem for Apple today.

The famous Nimda/Code Red worms, which infected millions of Windows computers running IIS webservers, worked because there were "magic request" that an infected computer could make towards the target IIS webserver -- this let the worm overflow the usual safeguards and insert the self-propagating code. [More details here]

Read on for some more about it.

It also hit email systems by tricking the user or Microsoft Internet Explorer to executing a binary file: Cert advisory:

any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload will automatically be triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.

A normal HTTP request - the bit of text that your browser sends a webserver in order to receive a webpage looks like so:

GET /farms/side_125x125/advertise_125x125.jpg

is a browser request for a JPEG. With me so far?

But the webserver viruses like Code Red used special GET commands that sneak through a flaw in the way that the Webserver handles that very command. The virus writers wrote a program that sent a huge GET command -- and the content of the command itself spills out of the memory location in the webserver RAM. Then the end of the command are actually instructions (machine code) that let the virus take over the computer. This repeats a million zillion times, and you get an epidemic.

The trick is that Microsoft forgot to make sure that the little memory container for the "GET" string didn't spill out of control - called a "buffer overflow" that isn't detected and stopped. That is the vulnerability enabling the method of propagation. When new buffer overflow methods are discovered, a flurry of viruses are written in the Windows world, yet somehow Mac OS X has been essentially immune from this. Why? One sec. First, the method Example from this HP Labs report on Code Red:

The Code Red payload..... is a HTTP GET request for filetype.ida. The .ida extension is mapped by IIS to cause the indexing service (IDA module) to run on that filetype. The vulnerability that the virus exploits is a buffer overflow. The “NNN” is padding to increase the size of the request in order to overflow the buffer, and the Unicode characters are machine code to coerce IIS into running the binary payload.

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801

%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090

%u9090%u8190%u00c3%u0003%u8b00%u531

b%u53ff%u0078%u0000%u00=a

[binary payload] Figure 2: Code Red HTTP Request. It is a buffer overflow attack on the indexing service (default.ida)

And then these infected computers attack everyone else. I saw about a million of these hit hongpong.com when things were really bad. Here is a Dutch graphic from Funktionsprinzipien von Sabotagesoftware. Whatever that means. Just use your damn imagination.



But somehow this kind of shit never really fucks with Linux or OS X.
Why?

Well for one thing, in Linux people make custom programs - especially the Apache web server engine. When you compile Apache, your individual program is unique in how it's put together. This is like genetic diversity in a way. Plus the overflow bugs seemed to be taken care of better, and just don't appear in Linux as much as Windows.

But what about Desktops? Yah. OS X does not yet have any real viruses. A lot of the core of the system is protected, and before any programs can alter it, it asks you for your password. It is perfectly possible to write a program that will erase all your files and email itself to everyone, but OS X will still ask you for your password before the OS will erase itself.

This is assuming that the underlying instructions can't be tricked or misdirected, and in some ways, they can. For example, apparently a lot of legit OS X programs that DO need the admin password, expose the password through a part of the system that is visible to all the other programs, via the "ps" or "top" activity monitoring programs for example. [this is how it works]

Hypothetical exploit: Thus a little virus that was somehow already running could wait and listen for the password via 'ps', then it would have the root pass, and it could finally break all the way into your system. But that would be STILL rely on your password to get there -- and it is a pretty thin reed to rest a working virus on.

Ok... this is taking too long to not really explain anything. Finally, a big difference between Windows and OS X is that if you are a Windows administrator, programs can do a lot of shit without asking for your password. On OS X, it also asks you if it is OK to run programs you've never run.

Today's OS X Trojan: This Trojan does not sneak through a buffer overflow, like dangerous Windows viruses. If you agree to let this "latestpics.tgz" program - whose icon looks like a Jpeg - run, AND you type in your root password, THEN it will overwrite some applications - making them unlaunchable - and it will insert itself in some places on your computer. And try to propagate through iChat.

I mean, what the hell is the Operating system supposed to offer to protect itself, besides asking for your password?

If it could make itself run as soon as it appeared in OS X Mail, and send itself to everyone else, and infect iChat, without asking for your password, then it would be a threat. This requires people to "push it along" and even the average Mac user probably won't type in their password -- but then again, Mac users aren't used to catching this kind of thing.

But of course, warning pop-ups appear when your download executable files. This is crucial. As long as Apple continues to fix discovered buffer overflows and designs its OS in a way that denies random code from executing and sneaking into shit (the Big If) we'll be ok. And laughing at all the infected PCs.

Just look at the record. It's not bad. 60,000 viruses for Windows, 40 for the original Macintosh (pre-OS X), 40 for Linux. It is totally structural. It is not just because "no one tries" to make them for Linux or OS X.

Commenting on this Story is closed.

Tags for A Trojan Horse comes to OS X - not really a big deal; Bonus: How viruses work (roughly)