
OS X/Leap-A: Virus, Worm, Or Trojan Horse?

At first, it was a Virus? Then, a Worm. Then, a Trojan Horse. Regardless of the definition, OS X/Leap-A is malware; one of the first for the Mac. More are on the way.

Just last week, mainstream media reported on the Mac’s first Virus. Security firms who watch such malware called it a Worm. The Mac community insists that the so-called OS X/Leap-A is a poorly constructed Trojan Horse.

What is it really? Does it matter? Mac360 reported Leap-A to be a Trojan Horse, mostly by definitions (none of which appear to be etched in stone), and by the actions of the malware.

Since then, there has been quite a stir among Mac sites, Mac forums, even a few gloating Windows users, about the so-called “Mac Virus” in the wild.

There’s still plenty of confusion about this so-called Virus, Trojan, Worm—OS X Leap-A. The confusion probably stems from semantics; differences in definitions of Virus, Worm, and Trojan Horse, and in obtaining an accurate description of what OSX/Leap-A actually does and does not do—then applying the latter to the former, to reach a valid conclusion.

Emotions aside, there are both subtle and not-so-subtle differences between Virus, Worm, and Trojan Horse.

There’s also some discrepancy with Mac media reports as to what OS X/Leap-A actually does.

First, a few definitions are in order. Webopedia does a good job of clarifying the differences between Virus, Worm, and Trojan Horse.

All three are malware. All three can cause minor or major damage. All three are threats, though of varying degrees, depending on the action of the malware.

Virus - “... attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels… Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action, (such as running an infected program) to keep it going.”

By that definition, what we know of OSX/Leap-A could be considered a Virus, though it does not attach itself to an executable file.

Worm - “Worms spread from computer to computer, but unlike a virus, it has the ability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its ability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book.”

Assuming OSX/Leap-A uses iChat’s buddy list and can send itself to other iChat users, it could be considered a Worm, though, from what I can tell, it still needs to be opened when received by each user. So, it’s not quite a full-blown worm, because it needs help from a human.

Trojan Horse - “The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source.

“Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.”

What Does OS X/Leap-A Do? - To bring as much clarity as possible to the issue, we need to know what Leap-A does and apply it to the above definitions. Easier said than done. Among the available accounts, the best description of Leap-A’s actions (also reported in our original Mac360 article) is from Andrew of Ambrosia Software; his analysis seems to agree with others.

“You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to “open” it

...and then for non-Admin users, it fails to infect most applications.”

By definitions above, is Leap-A a traditional virus?

It doesn’t propagate externally, so no, it’s not a true Virus, as it does not attach itself to another file. It is what it is; disguised.

It’s not a Worm because it must travel computer to computer by using human intervention, right? Worms are automated.

What’s left? Trojan Horse. In this case, Leap-A does not infect other files, and, only because it’s poorly done, doesn’t have the ability to self-replicate.

It’s a Trojan Horse.

Until there’s a better argument, based on more accurate facts, OS X Leap-A appears to be a poorly constructed Trojan Horse, which could be considered to be a poorly written Worm, or a non-virulent Virus. Since most of the security sites are labeling it as a minor threat, I’ll go with Trojan Horse, if only because of definition; ineffective Worm if you need to argue for the sake of argument.

Regardless, it is malware, and should be treated as such. Let’s consider this a shot across the bow. More are on the way. Some will get through the weakest link, users. Others will become fully automated and exploit a security hole in OS X.

Is it serious? Yes, because it highlights what’s coming. More. More sophistication. More opportunity. More danger.

There is a heated thread on the subject in the Mac360 Forums, and FrSIRT has info on Leap-A. Symantec calls it a Worm, as do McAfee and TrendMicro.

Finally, even the folks at Macworld were unimpressed with Leap-A, calling it buggy code which could have been much worse, and is more of a “proof of concept” malware. They also called it a “wake up call.” I agree.


By Tera Patricks | Tera Patricks co-founded Mac360 in early 2004 with Bambi Brannan, Alexis Kayhill, and Ron McElfresh. Tera died in the summer of 2006 following a long bout with cancer. Her legacy site is Tera Talks.
