Virus and malware protection

The largest part of the July 2006 issue of Macworld Magazine is devoted to the latest virus and malware threats to Mac OS based systems.

The various authors do a good job of documenting the recent threats to the Mac OS.

As a brand new iMac owner and computer user I have to plead guilty to the Magazine's central thesis that most people buy and use Macs because we feel that we are pretty much bulletproof against these threats. As the articles demonstrate, this is not the case.

Does anyone out there have any recent experience with a good security suite that will stop viruses as well as other forms of malware/spyware?

Mac tech support was not a lot of help. Sales even less so. Their whole attitude was "You have a Mac, nothing can hurt you and you don't need anything else." One sales rep even told me that there are only two companies making anti-virus programs for OS X. I asked him who they were. His answer: "Well, right now only Norton and Symantec make an anti-virus for OS X." Dohhh!

Unless something happened that did not make the news, Symantec and Norton are the same company!

Seriously, I don't want a bunch of junk on my computer. I am particularly unhappy with the threat from hackers and hijackers who can place Trojans and worms on the computer and extract passwords, credit card numbers, bank account information, etc.

According to the kids at the University computer lab here, if you can place a cookie on an operating system, any operating system, you can put a key logger and similar malware on it. It does not matter if it is Windows, Unix-based (Linux/Mac), Solaris, etc. If this is so, then my computer is vulnerable without some sort of protection.

Any and all personal experiences and recommendations regarding protective software are very much appreciated.

Thanks

Doug

iMac Core Duo, Mac OS X (10.4.6), 512gig RAM waiting on 2gigs

Posted on Jun 22, 2006 11:57 AM

24 replies

Jun 24, 2006 2:12 PM in response to Eric Kracinski

Eric,
Leap-A does the following (emphasis added):

"As Andrew Welch noted Thursday, when you try to launch the newly-infected application, an apparent bug (or is it a feature?) in the code prevents it [the application] from launching. But, behind the scenes, a lot just happened:
A new copy of latestpictures.tgz was copied to /tmp, if required. This brings the malware back to life after a reboot.
A new version of the input manager was installed, if required. So even if you manually erase this folder, it will come back if you run an infected application again.
A Spotlight search for the most-recently-used user-owned applications is run, and assuming that those apps are Cocoa apps, then up to four of those programs at a time are infected and will also break.
Now, the good news in all of this is the bug (feature?) that breaks the infected application. Since, in this example, OmniWeb is no longer working, you’ll be very unlikely to launch it again after that first “dead” double-click. Instead, you’ll probably just go download a clean version, which won’t be infected. If the bug (feature?) didn’t exist, then you’d never know that each launch of OmniWeb was also searching for other clean apps to infect, and your machine would become much more badly infected over time. That’s why I think this is a bug, not a feature. (It’s only a feature if the author’s intent is to only break all your installed applications.)
The above process will repeat each time you try to launch an infected application. Eventually, if you let this go on long enough, you’d find that all of the Cocoa applications that are owned by your user will no longer work. Hopefully, though, the non-functional applications would indicate to you that there was a problem. What do you do then?"

Which makes it, strictly speaking, a virus by the very definition you cited.

The fact that it breaks applications doesn't change this: It is still "a self-replicating computer program that spreads by inserting copies of itself into other executable code."

-Wayne

Jun 24, 2006 2:27 PM in response to ParentalUnit

Wayne, did you read the part in that article you cited that mentioned that the author had to call the people at Intego to find out how to force this "virus" to execute?

Wow, a virus that you have to debug in order to have it run. Sounds extremely dangerous to me - LOL! It took the author hours of work to deliberately force Leap-A to run.

It is not self-replicating if you have to open and run the program in order for it to do its damage.

I am not saying that there will never be a virus for Mac OS X. There is not a single virus for the Mac running OS X in the wild. Proof-of-concepts do not count. Hacking in when you know the password doesn't count either.

The steps required for a fool to get Leap-A to execute are well beyond what qualifies as a virus. If you jump through all those hoops and infect your Mac, then you certainly deserve whatever may happen.

Jun 24, 2006 3:06 PM in response to Eric Kracinski

Eric,
Cutting the Macworld quote for clarity:
" ...[W]hen you try to launch the newly-infected application, an apparent bug ... in the code prevents it [the application] from launching. But, ... a lot just happened:
...
A Spotlight search for the most-recently-used user-owned applications is run, and ... up to four of those programs at a time are infected...
...
The above process will repeat each time you try to launch an infected application.
"

The process described above IS SELF-REPLICATION. It fully conforms to the definition you provided; therefore, Leap-A is a virus.

That Rob runs as an ordinary user and knows how to protect his data does not change what the code is or does, nor does it make Leap-A any less a virus.

If there are some other "qualifications", and you can give us authoritative sources for them (NB: Each of the four preceding words links to a source with a definition that classifies Leap-A as a virus.), please specify those "extra" requirements and cite the sources. Otherwise...

-Wayne

Jun 24, 2006 7:06 PM in response to ParentalUnit

OK, I can post links too.

MacWorld - "Welch is careful to point out that this should probably be considered a Trojan horse, rather than a virus, “because it doesn’t self-propagate externally.”"

ArsTechnica says it is not a virus -

"Leap-A hardly marks any sort of advance in Mac malware, as it's less harmful than the May 2004 script and lacks the ability to self-propagate."

Mac Observer -

"Leap-A is merely an attempt to disguise an executable program as an image in effort to trick the recipient into launching the program. Launching a program in Mac OS X requires the user to enter their password, an indicator that should clue most users into the fact that it is not what it appears to be."

Tera Patricks at Mac 360 says -

"OS X Leap-A appears to be a poorly constructed Trojan Horse, which could be considered to be a poorly written Worm, or a non-virulent Virus. Since most of the security sites are labeling it as a minor threat, I’ll go with Trojan Horse, if only because of definition; ineffective Worm if you need to argue for the sake of argument."

ZD Net -

"This week's "Mac virus" scare turned out to be nothing more than a worm for Mac OS X that propagates through iChat and infects local Mac applications."

Mac Daily News -

"This example is not a virus. Leap-A will not leave anyone "shell-shocked." There are fewer anti-virus products for Macintosh than Windows because there are no Mac OS X viruses. Sophos themselves do not classify Leap-A as a "virus.""

And the final word from Apple in the MacWorld article.

Quote - “Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file.”

Let me spell it out one last time in all caps so that the point is not missed.

IT IS NOT A VIRUS!

It does not self-launch. It requires user interaction. It does not self-replicate as it needs your input to do so. It requires you to first launch the "virus" and then needs you to launch apps for them to be affected. Perhaps my definition was incomplete, but by the definition of many more respected Mac authorities, it is not a virus in any way, shape, or form.

This is still an interesting concept as it does prove that human stupidity can overcome any anti-virus precautions that are taken. Once again, if you download this, launch it, and put in your password, you deserve whatever happens. Software cannot prevent this from happening if you do not use common sense and think about it for a minute before blindly typing your password in.

Can we be done with this already? We can spit in the wind as long as we would like, but OP has obviously moved on and feels as comfortable with his decision as I am with mine.

Jun 25, 2006 3:30 AM in response to Eric Kracinski

Eric,

Computer viruses do not spring pregnant from the forehead of Zeus: Virus programs require some level of human interaction to install and execute. Otherwise infection would not take place. It has never been a requirement for a computer virus to propagate over networks, either.

Replication means that an infected program infects other, uninfected, programs when it is executed, which Leap-A DOES. Leap-A inserts itself into the executables of up to four programs whenever an infected program is launched.

I requested a definition of virus that Leap-A doesn't meet, from an authoritative source. I even linked sources for you, including the very first in the field.

What did I get in return? Opinion pieces from MacWorld, Mac Observer, Mac 360, Mac Daily News, and Apple's marketing department, which, to say the least, are not authoritative sources. Nor are opinion pages from ArsTechnica and ZD Net.

I gave you solid, respected academic sources. I even accepted the definition you offered as valid.

YOU HAVE STILL NOT OFFERED A SINGLE VALID DEFINITION OF VIRUS THAT LEAP-A DOES NOT MEET.

THEREFORE, LEAP-A IS A VIRUS.

NB: Trojan horse is simply a program that is not what it seems. The term was used in computer science literature more than a decade before Cohen defined and wrote the first examples of computer virus.
Worm, which also predates computer virus, is a program that propagates over networks.
These categories of software are NOT mutually exclusive.

-Wayne

Jun 25, 2006 8:20 AM in response to ParentalUnit

"What did I get in return? Opinion pieces from MacWorld, Mac Observer, Mac 360, Mac Daily News, and Apple's marketing department, which, to say the least, are not authoritative sources. Nor are opinion pages from ArsTechnica and ZD Net."

You are probably the only person I have known that does not think the sources I cite - including Apple themselves - are reputable.

If Apple says it is not a virus, if Intego - a company that makes AV software - says it is not a virus, and the gurus at Ars Technica say it is not a virus - it is simply not a virus.

It is a poorly disguised executable file - nothing more. It is a trojan. A trojan appears to be one thing, but actually does damage when launched. Not all trojans are viruses. You seem to have trouble understanding this distinction.

My sources are every bit as authoritative as yours.

I am done arguing semantics. This horse is dead.

Jun 25, 2006 1:03 PM in response to Eric Kracinski

Eric,

There's a difference between respectable/reputable and authoritative. For the latter, I favor academia's definition, which is backed up by 22 years of academic research and literature. This is the authoritative foundation that supports my interpretation and classification of the program as a virus.

Intego and ArsTechnica (you cited an opinion piece, not a technical analysis), like Apple's marketing department, have an agenda. Technical definitions do not.

I appreciate the opportunity you just gave me to clarify:
Trojan horse - a disguised program.
Worm - a program that propagates through networks.
Virus - a program that infects programs by modifying them (adding copies of themselves to other programs, infecting them). Infected programs, in turn, are able to infect uninfected programs and files on the machine.

Or, as Alan Fedeli of IBM is reported to have said:
"Virus: a program which, when executed, can add itself to other programs, without permission, and in such a way that the infected program, when executed, can add itself to still other programs.
Worm: a program which copies itself into nodes in a network, without permission.
Trojan: a program which masquerades as a legitimate program, but does something other than what was intended (as in the deceptive wooden horse used by the Greek army to achieve the fall of Troy)."

Please note that these categories are not mutually exclusive.

Leap-A could be called a failed worm, since it attempts to send copies of itself to other nodes on the network - your buddy list in Bonjour iChat.

Since it is disguised as screen shots of OS X.5, it is most certainly a Trojan horse. No dispute there.

However, since what Leap-A does specifically meets the requirements for classification as a virus: i.e., it infects files without asking permission to access or change them; and the infected files, in turn, infect other files when executed, Leap-A is a virus.

-Wayne
