The Oompa Loompa Trojan

by coelomic

There was a furore in the Mac community last week after the discovery of the so-called “virus”, with many an antivirus vendor donning the “I told you so” cap. If there is something to be learnt, it is that despite OS X being one of the safest computing platforms, its users have to be just as careful as our Windows brethren about socially engineered plots.

A trojan horse is a file that is sent manually and appears to be something good, but when run does something malicious. That is exactly what this does. Oompa-Loompa is an application, with a custom icon to make it appear to be a picture, which, after the user launches it, installs an Input Manager on your system and then tries to transmit copies of itself via iChat.

There are some ingenious ways in which you can stop this from happening. The age-old adage, “Don’t open files that you are not familiar with”, still applies, and so does “Don’t give your admin password to unknown dialogs!”

Here is what you can do:

Modify ~/Library/InputManagers to be owned by root

In the Terminal, enter the following commands (commands have the $ in front of them, the results have nothing in front of them). Here rpw is the example user's short name and group; yours will differ.
$ ls -l ~/Library/ | grep InputManager
drwxr-xr-x     2 rpw  rpw    68 Jan 17 18:23 InputManagers

$ sudo chown root:rpw ~/Library/InputManagers

$ ls -l ~/Library/ | grep InputManager
drwxr-xr-x     2 root  rpw    68 Jan 17 18:23 InputManagers

Once executed, those commands mean that nobody can modify your InputManagers folder except root. When you try to move something into ~/Library/InputManagers/, the Finder will ask you for your password. When an application tries to move something into InputManagers, it will either fail or ask you for your password. Never give strange dialogs your password.
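To confirm that the ownership change above took effect, and to re-check it later, here is an added example that is not part of the original post. The function name check_im_dir and its optional owner-uid argument are hypothetical; it reads the same ls listing shown above and flags a folder that is not owned by root or that group or other users can write to.

```shell
#!/bin/sh
# Added example: audit the ownership change made above.
# check_im_dir DIR [OWNER_UID]  (function name and OWNER_UID are hypothetical)
# Returns 0 = locked down, 1 = finding, 2 = directory missing.
check_im_dir() {
    dir=$1
    want_uid=${2:-0}    # uid 0 is root; override only for testing

    # A symlink could point the path at a folder that is not locked down.
    if [ -L "$dir" ]; then
        echo "FINDING: $dir is a symlink, not a real directory"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 2
    fi

    # ls -ldn prints numeric ids: field 1 is the mode string, field 3 the
    # owner uid. This form works with both BSD (OS X) and GNU ls.
    read -r mode _links uid _rest <<EOF
$(ls -ldn "$dir")
EOF

    im_rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FINDING: $dir is owned by uid $uid, expected uid $want_uid"
        im_rc=1
    fi
    # Character 6 of the mode string is group write, character 9 is other write.
    case $mode in
        ?????w*|????????w*)
            echo "FINDING: $dir is group- or world-writable ($mode)"
            im_rc=1 ;;
    esac
    if [ "$im_rc" -eq 0 ]; then
        echo "OK: $dir is owned by uid $uid with mode $mode"
    fi
    return "$im_rc"
}

# Usage: sh check_im.sh ~/Library/InputManagers
if [ "$#" -gt 0 ]; then
    check_im_dir "$1"
fi
```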

An alternative solution is to use Folder Actions. All it takes is a few steps (all in the Finder):

  • If it doesn’t exist already, create the directory: ~/Library/InputManagers
  • Right click on the directory and select “Enable Folder Actions” (if it doesn’t appear, Folder Actions are already enabled).
  • Right click on the directory and select “Attach a Folder Action”. This will bring up a file selection dialog with “/Library/Scripts/Folder Action Scripts/” as the default directory.
  • Select “add – new item alert” and click Choose.

Thanks to Macslash.org and Wilcoxd.com for the info.
