
More on Leap-A/Oompa Loompa

I was frustrated after writing my Leap-A Q&A for Macworld yesterday, as I couldn't get Oompa Loompa to do what it was supposed to do--it wasn't infecting my files, and it wasn't sending itself out over iChat. So today, my friend and coworker Kirk McElhearn and I spent the better part of the day testing Oompa Loompa on a couple of controlled Macs. We wanted to figure out exactly what it did, or did not, do, and what to do about it if you found it on your machine.

You can read the results of our efforts in the article titled Digging deeper into the Leap-A malware. It took quite a while, but we think we finally figured out exactly how it works (and doesn't work), and offer some advice on removal. Among the more surprising findings was that it will not attempt to send itself out over Internet iChat, only Bonjour iChat. It also won't affect applications that are system-owned, only those that have been installed by a user (and are therefore user-owned). Both of these are why I wasn't seeing the behavior I expected to see yesterday. My test machine had only Apple's stock Tiger applications on it, and Kirk and I were testing with an Internet iChat.

I am now officially very sick of Leap-A, having spent probably 18 hours on it over the last two days. The short summary is that it's a bad piece of malware that could have been worse...but it's far from the self-propagating internet-spreading virus/worm that's been described on other sites. At the end of the day, it's really just a good reminder to be very careful about what you download and install on your Mac.

Have a nice weekend everyone!



4 thoughts on “More on Leap-A/Oompa Loompa”

  1. Hehe (Perceval claimed authorship in an email to me). Actually, I think I now know who wrote it originally (or at least, the email alias they're hiding behind). There's a section of the article where Kirk and I discuss the fact that infected applications break. We're still not clear if this is a bug or a feature, but I made a statement that I thought it was a bug -- if this code is to spread widely, it would make more sense that the applications continue to work, instead of breaking.

    So this morning, I open my email to find the following flame, with the subject line of "Re: 'That's why I think this is a bug, not a feature:'"

    You really should leave the programming and technical details to people adequately skilled and educated to handle them. As things stand, you're only making a blundering fool out of yourself. Money isn't everything, Griffiths. Neither is fame.

    Zowie. All that over a short paragraph expressing my opinion? Given the tone of the above email, I suspect it's from the original author of the malware, who is upset that I made a guess as to whether something is a bug or a feature. I emailed him back, but I doubt I'll receive a response.

    As for the fame and the fortune bit. Let's see, fame...well, if Macworld would let me write anonymously, I would gladly do so--I'd get many fewer emails like the above! And the fortune...I wonder if he thinks it's possible that I was simply doing what my boss asked me to do? So yes, in that sense, it was about fortune--I have a desire to continue to receive my salary, so I do those things I'm asked to do :).


  2. I think that getting flamed is a part of blogging. It seems like there's always someone out there that just has to tell you how much you suck just so they can feel better about themselves or something. I run a video blog, and one of my videos got some press from Make Magazine. We did an activity where we lifted an adult human off the ground using only helium party balloons, which was, in my opinion, really cool to see! Man did I get flamed!! No, we didn't send the person up to 20,000 feet (although she would have taken off had we let go of the lines), that wasn't the point. The point was to get someone off the ground and over a 10' obstacle using party balloons, which we did, but some people out there just had to tell me how lame that was. I believe that whenever you expose yourself to the public, you will be scrutinized, and probably for reasons you never even thought of!

