The Oompa-Loompa malware, also called OSX/Oomp-A or Leap.A, is an application-infecting, LAN-spreading worm for Mac OS X, discovered by the Apple security firm Intego on February 14, 2006.
Leap cannot spread over the Internet, and can only spread over a local area network reachable using the Bonjour protocol. On most networks this limits it to a single IP subnet.
Delivery and infection
The Leap worm is delivered over the iChat instant messaging program as a gzip-compressed tar file called . For the worm to take effect, the user must manually invoke it by opening the tar file and then running the disguised executable within.
The executable is disguised with the standard icon of an image file, and claims to show a preview of Apple's next OS. Once it is run, the worm will attempt to infect the system.
For non-"admin" users, it will prompt for the computer's administrator password in order to gain the privilege to edit the system configuration. It doesn't infect applications on disk, but rather when they are loaded, by using a system facility called "apphook".
Leap only infects Cocoa applications, and it does not infect applications owned by the system (including the apps that come pre-installed on a new machine), but only apps owned by the user who is currently logged in. Typically, that means apps that the current user has installed by drag-and-drop, rather than by Apple's installer system. When an infected app is launched, Leap tries to infect the four most recently used applications. If those four don't meet the above criteria, then no further infection takes place at that time.
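The target-selection rule just described (the four most recently used applications, filtered to those owned by the logged-in user rather than the system) can be turned into a simple audit of which installed apps are exposed. This is an added example, not code from the article or from Intego; the AppInfo record, the sample bundle list and the use of file access time as "last used" are assumptions, and the Cocoa-versus-Carbon distinction is not checked.

```python
import os
from collections import namedtuple

# Constructed record type; a live scan fills it from os.stat()
AppInfo = namedtuple("AppInfo", "path owner_uid last_used")


def leap_targets(apps, current_uid, recent=4):
    """Model Leap's target selection as the article describes it:
    of the `recent` most recently used applications, only those owned
    by the logged-in user (not by the system) can be infected."""
    ranked = sorted(apps, key=lambda a: a.last_used, reverse=True)[:recent]
    return [a.path for a in ranked if a.owner_uid == current_uid]


def scan_applications(directory="/Applications", current_uid=None):
    """Build AppInfo records for the .app bundles in `directory`, using
    file ownership and access time from os.stat() (assumption: atime
    approximates "most recently used"), and return the exposed ones."""
    if current_uid is None:
        current_uid = os.getuid()
    apps = []
    for name in os.listdir(directory):
        if not name.endswith(".app"):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        apps.append(AppInfo(path, st.st_uid, st.st_atime))
    return leap_targets(apps, current_uid)


# Constructed sample: uid 0 is system-owned, uid 501 is the logged-in user.
# Safari and Mail are recently used but system-owned, so immune; VLC is
# user-owned but fifth most recent, so outside Leap's window.
SAMPLE = [
    AppInfo("/Applications/Safari.app", 0, 1000),
    AppInfo("/Applications/Mail.app", 0, 990),
    AppInfo("/Applications/Adium.app", 501, 980),
    AppInfo("/Applications/Firefox.app", 501, 970),
    AppInfo("/Applications/VLC.app", 501, 960),
]

if __name__ == "__main__":
    for path in leap_targets(SAMPLE, 501):
        print("exposed to Leap:", path)
```

Running `scan_applications()` on a real Mac lists the bundles a drag-and-drop install left owned by the user; reinstalling those through the installer (so they become system-owned) removes them from the worm's reach.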
Payload
Once activated, Leap then attempts to spread itself via the user's iChat Bonjour buddy list. It does not spread using the main iChat buddy list, nor over XMPP. (By default, iChat does not use Bonjour and thus cannot transmit this worm.)
Leap does not delete data, spy on the system, or take control of it, but it does have one harmful effect: due to a bug in the worm itself, an infected application will not launch. This is helpful in that it prevents people from continuing to launch the infected program.
Protection and recovery
A common method of protecting against this type of computer worm is avoiding launching files from untrusted sources. An existing admin account can be "declawed" by unchecking the box "Allow this user to administer this computer." (At least one admin account must remain on the system in order to install software and change vital system settings, even if it is an account created solely for that purpose.)
Recovering after a Leap infection involves deleting the worm files and replacing infected applications with fresh copies. It does not require re-installing the OS, since system-owned applications are immune.
External links
Intego Analysis - OSX/Leap.A aka OSX/Oompa-Loompa
Macworld test of Leap A, with recovery tips