The real threat of the Oompa-Loompa Trojan horse, Intego.


Q & A For Mac Users To Protect Themselves From Oompa-Loompa (Also Called Osx/Oomp-A Or Leap JV)

Intego was the first to discover this Trojan horse, and updated its virus definitions on February 14, 2006, to provide protection for users of VirusBarrier X and VirusBarrier X4. While the company did this as soon as the Trojan horse was found in the wild, it chose not to publicize the threat immediately, since it could have incited hackers to create variants that may act differently. Indeed, after news of this Trojan horse became public, two other variants were found in the wild. While this Trojan horse currently damages applications and transfers itself to other users via iChat over a local Bonjour network, future variants may have the power to do further damage. Intego's Virus Monitoring Center has examined the original Trojan horse and its variants, and the following questions and answers explain how it infects Macintosh computers, how it propagates, and how Mac users can protect themselves against it.

What is the Oompa-Loompa Trojan horse?

The Oompa-Loompa Trojan horse, also called OSX/Oomp-A or Leap.A, affects Macintosh computers running Mac OS X. The Oompa-Loompa Trojan horse infects applications on computers where it runs, enabling those applications to in turn spread the virus, and can propagate by sending itself to users' iChat buddies on a local Bonjour network.

How can Mac users protect themselves from this Trojan horse?

What does this Trojan Horse look like?

Initially appearing in a compressed file called latestpics.tgz or latestpics.gz, this Trojan horse, after being decompressed, appears to be a graphic file. However, if other hackers alter the current version of this Trojan horse, the file may have a different name or resemble a different type of file.

How does this Trojan horse become active?

A user must either download the file from a web site, receive it as an e-mail attachment, or receive it via iChat from a buddy on a local Bonjour network. In the latter case, users are more likely to trust the source, even though the "sender" is not aware that the file has been sent. The user must double-click the file to decompress it, then double-click the resulting Trojan horse, which is disguised, via a custom icon, to resemble a graphic file.

Does this Trojan horse indicate its presence by asking for an administrator's password?

No. This Trojan horse runs a script in a Terminal window, but gives no other indication of its actions. It does not need an administrator's password, since it infects either the current user's home folder, or, if the user is logged in as root, a system folder. In the first case, no password is required to add files to a user's home folder. In the second, relatively rare case, a user logged in as root does not need to enter a password to install files in system folders.

How does this Trojan horse infect a Mac OS X system?

When a user double-clicks the uncompressed file, expecting to see a picture, the executable code in the file runs: a Terminal window opens showing a process that runs then exits. This process installs the Oompa-Loompa Trojan horse in two locations on a user's Mac. The Trojan horse copies itself to the /tmp folder (used to store temporary files) and installs a file called apphook.bundle in the user's InputManagers folder (in the user's Library folder), which ensures that it is replicated in other Cocoa applications the user launches. (If a user is logged in as root, the Trojan installs itself in the system-level /Library/InputManagers folder.) Using Spotlight, the Trojan horse searches for four recently used applications, then infects them with its own code. The apphook.bundle Input Manager attempts to send a copy of the original file, latestpics.tgz, to every person on a user's iChat buddy list, if that user is logged in to a Bonjour (local) network. Since users see this file coming from friends and colleagues, they assume that it is safe, and therefore double-click the file a first time to decompress it, and a second time to attempt to "view" it. Also, when users run infected applications, the Oompa-Loompa code seeks out additional applications to infect.
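As an added example, not Intego's or the article's own code, the following shell function checks a Mac for the install locations described above (the per-user and system-level apphook.bundle Input Manager and the /tmp copy of the archive) and lists any other Input Manager bundle for review, since the article notes that variants may use different file names. The two optional arguments are an assumption made here so the check can be run against a constructed directory tree rather than the live system.

```shell
#!/bin/sh
# Added example (not from the article): look for the artifacts the article
# says Oompa-Loompa / Leap.A leaves behind on an infected Mac OS X system.
#
# Usage: oompa_indicators [USER_HOME] [SYSTEM_ROOT]
#   USER_HOME   defaults to $HOME; SYSTEM_ROOT defaults to "" (the real /).
#   Both are assumed parameters so the check can be tested on a scratch tree.
# Prints "INDICATOR: <path>" for each known artifact that exists and
# "REVIEW: <path>" for any other Input Manager bundle.
# Exit status 0 means no known indicator was found.
oompa_indicators() {
    home="${1:-$HOME}"
    sysroot="${2:-}"
    found=0

    # Locations named in the article: the per-user Input Manager (normal
    # users), the system-level one (when run as root) and the /tmp copy
    # of the original archive under either of the names it arrived with.
    for path in \
        "$home/Library/InputManagers/apphook.bundle" \
        "$sysroot/Library/InputManagers/apphook.bundle" \
        "$sysroot/tmp/latestpics.tgz" \
        "$sysroot/tmp/latestpics.gz"
    do
        if [ -e "$path" ]; then
            echo "INDICATOR: $path"
            found=$((found + 1))
        fi
    done

    # Every Input Manager is loaded into each Cocoa application the user
    # launches, so anything else living there deserves a look: a variant
    # with a different bundle name would show up here, not above.
    for dir in "$home/Library/InputManagers" "$sysroot/Library/InputManagers"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue       # empty directory: glob stays literal
            case "$entry" in
                */apphook.bundle) ;;          # already reported as an indicator
                *) echo "REVIEW: $entry" ;;
            esac
        done
    done

    [ "$found" -eq 0 ]
}
```

Run it with no arguments to check the current user's account and the system /Library and /tmp folders.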

Intego VirusBarrier X and VirusBarrier X4 eradicate the Oompa-Loompa Trojan horse, using its virus definitions dated February 14, 2006 and later, and Intego remains diligent to ensure that VirusBarrier X and VirusBarrier X4 will also eradicate any future Trojan horses that try to exploit this same technique.

Is there more than one version of this Trojan horse?

The Intego Virus Monitoring Center has isolated three versions of this Trojan horse so far, and is monitoring

Is this a Trojan horse, a virus, or a worm?

It is a combination of all three of these types of malware:

First, it is a Trojan horse: an executable hidden inside a file disguised as a graphic file, which tricks users into opening it. This is the first contact that any user will have with this malware.

Then it is a virus, as it replicates in other applications on a user's computer, damaging those applications and adding its code to them.

Finally, it is a worm, when it sends a copy of itself to other users via iChat. At this point, users receiving the file now have a Trojan horse.

Some have suggested that users who take risks by downloading files from untrusted sources should act more responsibly. Is this how the Oompa-Loompa Trojan horse spreads?

To ensure that users can access the tremendous amount of information available on the Internet, it is essential that they be protected with efficient security software. Suggesting that users should not download anything takes away the value of the Internet, which provides so many programs and so much other information. Also, if this Trojan horse spreads via iChat on a Bonjour network, users will trust the sender, since they are probably used to receiving files from them. Many businesses use instant messaging regularly, and commonly send and receive files to and from colleagues.

Where did Intego first find out about this Trojan horse?

Intego received a copy of this Trojan horse on February 14, 2006, after an Intego user discovered it on a Macintosh forum. The user expected the file to contain pre-release pictures of a new operating system, but instead it infected his Mac. The user discovered this later when iChat buddies on his local network asked why he was sending them files; he also found that some of his applications no longer launched.

Has Intego informed Apple about this Trojan horse?

Yes, we informed Apple as soon as we examined this Trojan horse and discovered its dangers. We were the first security company to provide samples of this Trojan horse, and we have been in close contact with Apple to ensure that this Trojan horse is controlled as quickly as possible.

Can Intego provide samples of this Trojan horse to users who are curious to see how it functions?

No. Intego's role is to protect its users, not to spread malware. We do send such files to other security companies, along with Apple, but not to anyone else.

Does this Trojan horse delete any files?

No, it currently only infects applications and then sends itself to other users via iChat on Bonjour networks. However, it may be possible for other hackers to change this Trojan horse to delete files.

Does this Trojan horse affect any Mac OS X system files?

No, it only affects applications, at least in its current version.

Does this Trojan horse affect Mac OS 9 or earlier versions of Mac OS X?

No, it only affects Mac OS X 10.4 (Tiger).

Does this Trojan horse affect new Macintosh computers running Intel processors?

On Macs running Intel processors, the Trojan horse executes in Rosetta emulation and infects applications, but cannot spread via iChat.

About Intego

Intego develops and sells desktop Internet security and privacy software for Macintosh.
COPYRIGHT 2006 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication: Software World
Date: Mar 1, 2006
Words: 1329