
Oompa Loompa

Week of 19 February, 2006

An unlucky 13th for Apple.


On 13 February 2006 someone posted a link at the MacRumors forums. It was supposed to be a zipped archive of the latest super-secret screen shots of Leopard, Apple's coming OS X 10.5 operating system. It wasn't. Instead it was a trojan.

The gzipped tar archive 'latestpics.tgz' expanded into what appeared to be a JPEG file. Apple's file manager, Finder, displayed the customary JPEG icon. The file was really a Unix command line executable that set a clever chain of events into motion.

The ability to disguise an executable as a JPEG file dates back to the previous 'MacOS' which preceded the NeXTSTEP/FreeBSD system in use today. Old 'MacOS', using the HFS file system, can set a number of strange flags picked up primarily by the default file manager Finder, one of which is for display of a custom icon.

Apple engineers are undoubtedly knocking their heads into the walls in Cupertino over this one right now.

The icon itself was embedded in a so-called 'resource fork', similar to the streams found in NTFS. The 'custom icon' flag tells the file manager to look for a display icon in the otherwise inaccessible and unseen resource fork. The file manager shows a JPEG icon. The user double-clicks the icon, hoping to see advanced screen shots of Leopard, but gets something else entirely.

Oompa Loompa, as it's called, does a hefty bit of defty dancing. It installs what is known as an 'input manager' - an auxiliary module to help with keyboard input - which in fact directs the proliferation of the 'worm'. It makes a copy of itself, ready to send out, in the 'temporary directory', which is otherwise inaccessible to ordinary users. It relies (this time at least) on what is known as 'Bonjour instant messaging' to propagate. And it then interfaces with the Spotlight desktop search module to find the four most recently run 'Cocoa' applications not owned by the superuser root.

Using a relatively new feature of Unix known as 'extended attributes', Oompa now looks inside the four executables of these applications for the extended attribute 'oompa'. If it finds the value 'loompa', then it knows it's already corrupted that application and chooses another one instead. If not, it itself creates the extended attribute 'oompa' with the value 'loompa' to mark the fact that the application is now corrupted.

It then copies the entire application executable to itself - it doesn't overwrite any of its own code but hides this executable inside its own resource fork. It then takes its own executable and overwrites the application's executable with it.
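The two traces described above (the 'oompa' = 'loompa' extended attribute and an application executable carrying a resource fork) can be checked for directly. The following is an added example, not code from the original page; it assumes the macOS `xattr` command and the `..namedfork/rsrc` path for reading resource forks, the function names are hypothetical, and the demo data is constructed. A resource fork on its own is only a hint, since the page names no other use of it.

```python
import os
import subprocess
import tempfile

MARKER_NAME = "oompa"      # attribute name given in the article
MARKER_VALUE = b"loompa"   # attribute value given in the article

def read_xattr_macos(path, name):
    """Attribute value as bytes via macOS `xattr -p`, or None if absent."""
    proc = subprocess.run(["xattr", "-p", name, path], capture_output=True)
    return proc.stdout.rstrip(b"\n") if proc.returncode == 0 else None

def rsrc_size_macos(path):
    """Resource fork size via the ..namedfork/rsrc path; 0 if there is none."""
    try:
        return os.path.getsize(os.path.join(path, "..namedfork", "rsrc"))
    except OSError:
        return 0

def scan(root, read_xattr=read_xattr_macos, rsrc_size=rsrc_size_macos):
    """Return sorted (executable, reasons) for bundle executables with traces."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        # Only look at <Name>.app/Contents/MacOS, where bundle executables live.
        if not dirpath.endswith(os.path.join(".app", "Contents", "MacOS")):
            continue
        for name in filenames:
            exe = os.path.join(dirpath, name)
            reasons = []
            if read_xattr(exe, MARKER_NAME) == MARKER_VALUE:
                reasons.append("xattr oompa=loompa")
            if rsrc_size(exe) > 0:
                reasons.append("resource fork on executable")
            if reasons:
                findings.append((exe, reasons))
    return sorted(findings)

def demo():
    """Constructed sample: two empty fake bundles with simulated attribute data."""
    with tempfile.TemporaryDirectory() as root:
        for app in ("Clean", "Infected"):
            d = os.path.join(root, app + ".app", "Contents", "MacOS")
            os.makedirs(d)
            open(os.path.join(d, app), "wb").close()
        fake_xattr = lambda p, n: b"loompa" if p.endswith("Infected") else None
        fake_rsrc = lambda p: 4096 if p.endswith("Infected") else 0
        return [(os.path.basename(e), r) for e, r in scan(root, fake_xattr, fake_rsrc)]

if __name__ == "__main__":
    print(demo())
```

On a real system, call `scan("/Applications")` with the default readers.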

The net effect is the same as an ordinary virus. When the infected application starts, the virus code runs first, does its dirty, then turns control over to the actual application code. Oompa Loompa gets control through its input manager, gets the central module up and running by virtue of the fact that the corrupt application is in fact Oompa Loompa itself, then extracts the hidden code in the resource fork and runs it - and the user is supposedly none the wiser.

And every time it's activated it makes sure that extra copy in the inaccessible temporary directory is all right and ready to go.

An exploit like this will not work on vanilla Unix. Unix uses no resource forks. There is no way to hide phantom executables undercover. GUIs other than NeXTSTEP won't be using input managers. And that first hurdle - getting the user to double-click that program file that looks like a JPEG - is directly reliant on yesterday's MacOS and its associated file system HFS.

People are running around like chickens without heads, despite the fact that Oompa Loompa only hit about fifty computers [sic] and carried no payload. They're panicky because they suddenly see that their iron clad operating system is not so impervious to attack after all. But they also see that were it the vanilla Unix it once was, this would never have happened.

This has other implications as well. The open source community is an incredible brain trust, and whenever any hole opens up they're all there at the same time to patch it. They have an infinitely better operating system to start with, but getting to the disaster area and patching when nooks and crannies are found is essential too, and all Unix platforms can benefit from the strength of this collaboration. All, that is, except Apple.

Because Apple have gone their own way, even gone so far as to corrupt ancient sacred Unix source code to appease their older MacOS and HFS demands, they can get help from no one. Oompa Loompa is not a Unix exploit - it's an Apple exploit. The great open source community can do nothing to help.

And this is precisely the development method both Eric Raymond and Microsoft's own Halloween Documents have proven will never work in the long run.

Apple users still have the most accessible alternative to Windows; OS X is still the flashiest operating system for the desktop found anywhere; but fears are that Apple are going to be in denial just like Microsoft were at the outbreak of the far more destructive Love Bug worm six years earlier. [The Love Bug caused an estimated $5.5 billion in damages.]

As a result, concerned OS X users are starting to look at alternative platforms. Apple hardware might be the BMW of the industry, but security holes put everything in a totally different perspective. And the risk is that a lot more Oompa Loompas are on their way, and these new Oompa Loompas won't be as nice.

Copyright © Radsoft. All rights reserved.