Apple IM hit by 'first ever' OS X malware
Apple and outside analysts said the program, referred to as Leap-A, is not a 'virus', per se. Rather, it "requires a user to download the application and execute the resulting file," Apple said in a statement to CNET.co.uk's sister site News.com. The company provided no further comment on the nature of the program.
The malicious software, which has also been dubbed OSX/Oompa-A and the Oompa Loompa Trojan Horse by other security experts, appears to have spread minimally so far and has achieved low-level threat classifications from McAfee and Symantec.
But security experts cautioned Macintosh users to view the incident as a wake-up call that all operating systems have vulnerabilities.
"It's not really news as far as threats go," said Ray Wagner, a senior vice president in Gartner's information security group. "It is news because it targets OS X, and as far as I know, it's certainly the first OS X malicious content in the wild that's been noted at this point."
Classified as both a worm and a Trojan, Leap-A appears to have begun its movement earlier this week after it was posted at a forum for Mac-related rumours. The file appeared as an external link promising pre-release screenshots of the upcoming Mac OS X 10.5, also known as Leopard.
Leap-A, which appears to affect only the OS X 10.4 platform, spreads primarily via the Apple iChat instant-messaging program. The program forwards itself as a compressed file called 'latestpics.tgz' to all the contacts on the infected user's buddy list each time the program starts up.
But it's up to the person to download the file, which shows up as an attachment to a conversation thread. If downloaded, the self-executable file masquerades with an icon typically reserved for image files but does not activate itself unless opened.
"It exhibits the same behaviour as a Trojan in that it requires user interaction and a mass mailer in that it's going through the contact list of that particular iChat client," said Dean Turner, senior manager of Symantec Security Response. "And it's a worm because it's replicating on its own once the system has become infected."
An analysis by UK-based security firm Sophos said the worm attempts to infect recently used applications by overwriting the original application with a copy of itself. According to Symantec, "files infected by OSX.Leap.A may be corrupted and may not run correctly."
A number of security companies -- including Symantec, McAfee, Sophos and Intego -- have released updated definitions to guard against the threat. Apple directed customers to a safety guide at its site and said it "always advises Macintosh users to only accept files from vendors and Web sites that they know and trust."
Andy McCue of silicon.com contributed to this report.