A virus on the Mac. Gadzooks, what’s next? Spyware? Ug. Meanwhile, can you tell us a bit more about this code, how it works and how we can avoid being infected?
It’s amazing how the hype machine works in the computer industry, actually. When I’m using my PC, I am constantly exposed to viruses, spyware, adware and other malicious applications, scripts and attachments, but when someone releases a pretty lame virus on the Mac – if it’s even that at all – and suddenly Chicken Little pops out of the woodwork and tells us that the sky is falling.
It’s not. In fact, this isn’t much of a virus, more of a trojan horse and a “social engineering” experiment at that, because what you would see is a compressed tar archive (filename suffix “.tgz”) that contains an executable script that simply has a JPEG graphic icon associated with it.
Let’s have a look!
First off, you’d have to actively download or otherwise save the file that contains this executable, masquerading as a JPEG file. Here’s how it would look to the Finder as a package and once it’s unpacked:
I admit, it’s pretty legitimate looking, but if you’re a reasonably safe computer user, you’d either drop this graphic onto your graphics program or try to open it in same: Here’s what happens when GraphicConverter tries to open this “JPEG” image:
Hmmm… it’s greyed out, so I can’t select it. Most strange!
Let’s have a look at the file’s Get Info box instead:
So there’s the warning bell: it’s a Unix Executable File not a “JPEG” graphic image at all.
Now, to be fair, I have been known to just double-click on a JPEG image to open it up, and that would cause trouble in this case. But I never open up attachments from strangers and don’t even visit unknown sites without using a rarely-launched browser, etc.
By this point, you should be completely paranoid about this: any executable that’s masquerading as a JPEG image is clearly up to no good, so rather than opening it, your best bet is to drag it to the trash and then empty the trash ASAP to ensure you don’t have any problems down the road.
Rather than talk about how this works, a topic that’s very well covered by Andrew Welch over at Ambrosia SW, I’d just like to highlight that when you download even the most innocuous files from discussion boards, get attachments from unknown parties, or even get email with attachments from people you know with oddly succinct message bodies like “check this out”, be suspicious.
If nothing else, use our friend Get Info in the Finder to check out the details of the attachment and never, never, never run random executables that aren’t from a known and trusted source.
And yes, at this point it might well be useful to get some sort of antivirus application for your Mac, unfortunately, and at the least, make sure you aren’t running as the “admin” user for your day-to-day activities on the ‘net.
Read more about the Mac OS X Leap.A virus / worm / trojan horse:
• Andrew Welch @ Ambrosia SW
• Rob Griffiths and Kirk McElhearn @ Macworld
• F-Secure’s official page on Leap.A
• Symantec’s Threat Information Page on OSX.Leap.A