Shostack + Friends Blog Archive

 

LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There’s some interesting tidbits:

6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

Name is from F.Secure. See my “The Approaching Apple OSX86 Security Nightmare” for my prior thoughts. If any reader has an archived copy, I’d like one so I can do some analysis.

First thought: It’s not attacking that nice, secure, BSD Unix base, but the Apple-designed parallel bits that help make the Mac so beautiful, usable, and extensible.

[Update: Second thought: there’s a lot of Mac-specific code here. Its not simply a port of a UNIX trojan.]
[2nd Update: The wording above implies a contrast between secure and usable; I meant only to acknowledge Apple’s longstanding focus on making a polished product.]