Apple Computer Inc’s Mac OS X has been targeted by malware writers for the first time, with two pieces of malicious code designed for the operating system appearing in as many days late last week.
The first, known as Leap, is either a worm or a Trojan, depending on whose definitions you want to believe. It spreads via the iChat instant messaging network, but requires the user to download, extract and execute it before it can do any harm.
As such, it is not expected to spread very quickly or very far. Apple users may not be accustomed to receiving malware via iChat, but they’re not generally stupid.
Once installed, Leap hooks itself into the iChat program, so that whenever anyone on the infected user’s buddy list changes her status, it attempts to spread itself to that user. It also replaces recently used executables with a copy of itself.
The second program, known as Inqtana, spreads via a known vulnerability in Mac OS X 10.4’s implementation of the Bluetooth stack.
The vulnerability allows security precautions in the software to be bypassed, enabling files to be written outside the designated folder. It was discovered and patched last May, and has the Common Vulnerabilities and Exposures reference CVE-2005-1333.
Inqtana itself is a proof-of-concept worm, meaning it is not known to be in the wild. It has no overtly malicious payload. It just spreads itself.
It has always been accepted wisdom that Mac OS is just as vulnerable to malware as Windows or Unix-based operating systems, and that Mac users have escaped unscathed largely because bad actors choose to ignore them.
These two programs seem to prove that hypothesis.
Whether or not the existence of this malware should be taken as evidence that Apple computers are gaining mind or market share in a broader sense is a matter of interpretation, although it certainly is a possibility.
What is less doubtful is that the social engineering used, if not to spread Leap then at least to seed it, played on the Mac users’ own peculiar brand of fandom, as well as Apple’s own overly secretive corporate nature.
Leap was seeded to the MacRumors web site, where it purported to be an archive of screen-grabs of an unreleased update to the operating system. It’s difficult to imagine that technique working with Windows users.
That said, it’s not a particularly sophisticated social attack, hearkening back to the simplistic but highly effective social engineering used in the I Love You and Kournikova worms that hit Windows users in the late 1990s.