First worm for Mac OS X discovered Security experts say Leap-A isn't a particularly threatening worm. But it's...
significant in one way: It's the first piece of malware to target Apple Computer Inc.'s Mac OS X operating system, which many users consider a more secure alternative to Microsoft Windows.
"Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real," Graham Cluley, senior technology consultant for UK-based AV firm Sophos, said in a statement. "Mac users shouldn't think it's okay to lie back and not worry about viruses."
Leap-A, also known as Oompa-A, spreads through the iChat instant messaging system, Sophos said. It forwards itself as a file called latestpics.tgz to contacts on the infected users' buddy list.
"When the latestpics.tgz file is opened on a computer it disguises itself with a .jpg graphic icon in an attempt to fool people into thinking it is harmless," Sophos said in its online analysis. "The worm uses the text 'oompa' as an infection marker in the resource forks of infected programs to prevent it from re-infecting the same files."
While the appearance of a Mac OS X worm is unfortunate, Cupertino, Calif.-based AV firm Symantec Corp. gave reasons why this particular worm is fairly easy to neutralize.
"This first Macintosh OS X threat is an example of the continuing spread of malicious code onto other platform," Vincent Weafer, senior director of Symantec Security Response, said in a statement. "However, this worm will not automatically infect, but will ask users to accept the file, giving potential victims a heads up and the opportunity to avoid infection. The important piece of advice for any iChat users running OSX 10.4 is not to accept file transfers, even if they come from someone on a buddy list."
He said it's also possible to set iChat to ask for permission before sending a file. "Setting up this option will alert users to unusual behavior because the user will be asked to confirm the sending of all files," Weafer said, adding that users should also be sure to keep their AV, firewall and operating system software updated.
Exploits surface for latest Microsoft flaws
As expected, exploit code has surfaced for one of the security holes Microsoft patched Tuesday. The Bethesda, Md.-based SANS Internet Storm Center (ISC) warned of the exploit code on its Web site Thursday.
"The proof-of-concept exploit for MS06-005 has been released," the ISC said. "The exploit craft[s] a malicious .bmp file to perform buffer overflow in Media Player. Keeping in mind as Microsoft has pointed out that the exploiting factor can include other graphics file[s] as well (such as .wmp), it's a good idea to get it patched ASAP."
MS06-005 patches a remote code execution vulnerability in Media Player. According to Microsoft's TechNet Web site, the flaw exists because of the way the player handles processing bitmap files. An attacker could construct a malicious bitmap file (.bmp) that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. The bulletin notes that significant user interaction is required to exploit this vulnerability.
NH probes breach of state computer system
Officials in the Granite State are investigating a security breach affecting online and in-person transactions at motor vehicle offices, the Veterans Home in Tilton, N.H., and Liquor Commission and state liquor stores.
So far, the New Hampshire attorney general's consumer protection bureau has yet to uncover evidence that debit or credit card numbers were taken in the breach, discovered Wednesday. Richard Head, who leads the bureau, told The Associated Press (AP) Thursday that 26 calls from concerned residents had come in, but nobody has reported unusual activity on their credit accounts. State IT administrators discovered the breach Wednesday when they spotted a variation of legitimate "Cain and Abel" software in the system. Rick Bailey, the state's chief information officer, told the AP that the illegal software, which may have been installed for six months, allows a hacker to watch transactions in real time but not to recover earlier records. He said Social Security numbers were probably not at risk because they don't appear on credit cards.
Only about 10% of liquor purchases are believed to have gone through the affected computer server, but that still adds up to thousands of credit or debit cards that could have been exposed, the AP reported. The news agency noted that state liquor stores handled about 13,000 credit or debit payments per day in December and 6,800 per day in January, a more typical month.
People who used their debit cards with any of the affected agencies are advised to contact their banks to get advice on protecting their accounts. Credit and debit card users are asked to report suspicious purchases to the consumer protection bureau at 1-888-468-4454.