
Two new OS X worms: Leap and Inqtana

Argh I hate Typepad. This post keeps getting lost when I switch windows.

This week saw two new OS X malware families break out. I had a chance to look at one (and I'm sorry, but I can't share the report) but not both.

The first is Leap.A, an IM worm. If you want to see a good description of what it does, have a look at the Ambrosia Software writeup in their forums. Ambrosia also makes some nice games. While technically Leap.A is a Trojan horse, it qualifies as an IM worm.

Leap is important for a few reasons. Firstly, it's the first time we have seen an IM worm not use a central distribution site to propagate the malware. Instead, the malicious file is transferred from one user to another via iChat instant messages. This makes eradication harder (i.e., you can't just shut down one site; you would have to stop all messages between users with the malicious content). We've been expecting this for a while now, and this can be done with MSN Messenger, AIM, etc. Secondly, Leap.A shows a classic virus trick, namely modifying other applications using the InputManager on OS X. Crafty ... And thirdly, it's the first OS X-specific malware. If you want to see more AV vendor writeups, follow the links from the CME-4 entry (Leap.A has this CME identifier).

Now, fast forward a day and you'll see Inqtana.A, a Bluetooth worm for OS X. Because many Macs have Bluetooth installed, they're vulnerable to these sorts of attacks. Inqtana uses a specific vulnerability (the OBEX Push vuln) to issue commands to a vulnerable machine. Bluetooth worms have been all the rage in some circles for cell phones and PDAs, and this extends it to general-purpose computers.

Both are proofs of concept, and both show what we can expect this year in terms of malware.

February 18, 2006 in new worms | Permalink

Comments

I see you're having trouble with TypePad. Try using Ecto as your blog editor. I switched to it recently, and it's really much nicer than in-browser editing.

Posted by: Gary W. Longsine | Feb 24, 2006 1:06:37 AM

and now typepad ate my comment, too. i hate crappy software ...


ecto doesn't have a feature i use a lot, namely future dated posts that correctly "appear" at the magic time i set. none of the desktop blogging tools i looked at seemed to support that, so i don't use them. that one feature is heavily used here on wormblog. i compose a batch of posts at times and then let them fire off automatically (ie papers i've been reading). i simply am too busy to log in every day and create a post.

Posted by: jose | Feb 26, 2006 9:08:51 AM
