
Two new OS X worms: Leap and Inqtana

Argh I hate Typepad. This post keeps getting lost when I switch windows.

This week saw two new OS X malware families break out. I had a chance to look at one (and I'm sorry, but I can't share the report) but not both.

The first is Leap.A, an IM worm. If you want to see a good description of what it does, have a look at the Ambrosia Software writeup in their forums. Ambrosia also makes some nice games. While technically Leap.A is a Trojan horse, it qualifies as an IM worm.

Leap is important for a few reasons. Firstly, it's the first time we have seen an IM worm not use a central distribution site to propagate the malware. Instead, the malicious file is transferred from one user to another via iChat instant messages. This makes eradication harder (i.e. you can't just shut down one site; you would have to stop all messages between users with the malicious content). We've been expecting this for a while now, and this can be done with MSN Messenger, AIM, etc. Secondly, Leap.A shows a classic virus trick, namely modifying other applications using the InputManager on OS X. Crafty ... And thirdly, it's the first OS X-specific malware. If you want to see more AV vendor writeups, follow the links from the CME-4 entry (Leap.A has this CME identifier).
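As an added example (not from the original post or any vendor writeup), here is a Python audit of the InputManagers folders, the mechanism Leap.A uses to modify other applications. The folder paths and the allowlist of expected bundle identifiers are assumptions, not details from the post.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Standard InputManagers locations on OS X (assumption: not listed in the post).
DEFAULT_ROOTS = [Path("/Library/InputManagers"),
                 Path.home() / "Library" / "InputManagers"]


def read_bundle_info(bundle):
    """Return (CFBundleIdentifier, CFBundleExecutable), or (None, None) on failure."""
    try:
        with (bundle / "Contents" / "Info.plist").open("rb") as fh:
            plist = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ExpatError, ValueError):
        return None, None  # a missing or unparsable plist is itself suspicious
    if not isinstance(plist, dict):
        return None, None
    return plist.get("CFBundleIdentifier"), plist.get("CFBundleExecutable")


def audit_input_managers(roots=DEFAULT_ROOTS, allowlist=frozenset()):
    """List every InputManager bundle whose identifier is not allowlisted.

    allowlist holds the CFBundleIdentifier values the administrator expects.
    """
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        # Bundles may sit directly in the folder or one subfolder down.
        bundles = sorted(root.glob("*.bundle")) + sorted(root.glob("*/*.bundle"))
        for bundle in bundles:
            ident, exe = read_bundle_info(bundle)
            if ident is None or ident not in allowlist:
                findings.append({"bundle": str(bundle),
                                 "identifier": ident,
                                 "executable": exe})
    return findings


if __name__ == "__main__":
    for f in audit_input_managers():
        print(f"unexpected input manager: {f['bundle']} "
              f"(id={f['identifier']}, exe={f['executable']})")
```

On a machine where no input managers are expected, any finding is worth investigating; otherwise pass the known bundle identifiers as `allowlist`.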

Now, fast forward a day and you'll see Inqtana.A, a Bluetooth worm for OS X. Because many Macs have Bluetooth installed, they're vulnerable to these sorts of attacks. Inqtana uses a specific vulnerability (the OBEX Push vuln) to issue commands to a vulnerable machine. Bluetooth worms have been all the rage in some circles for cell phones and PDAs, and this extends them to general-purpose computers.

Both are proofs of concept, and both show what we can expect this year in terms of malware.

February 18, 2006 in new worms | Permalink

Comments

I see you're having trouble with TypePad. Try using Ecto as your blog editor. I switched to it recently, and it's really much nicer than in-browser editing.

Posted by: Gary W. Longsine | Feb 24, 2006 1:06:37 AM

and now typepad ate my comment, too. i hate crappy software ...


ecto doesn't have a feature i use a lot, namely future dated posts that correctly "appear" at the magic time i set. none of the desktop blogging tools i looked at seemed to support that, so i don't use them. that one feature is heavily used here on wormblog. i compose a batch of posts at times and then let them fire off automatically (ie papers i've been reading). i simply am too busy to log in every day and create a post.

Posted by: jose | Feb 26, 2006 9:08:51 AM

The new worm follows the Leap Trojan that was discovered recently. I heard however that it is quite unlikely that Inqtana would be any kind of threat. I hope so.

Posted by: cell phone tracker | Dec 22, 2011 4:28:26 AM
