Symantec - OSX.Inqtana.A – New Mac Worm
Symantec Security Response has today identified a new proof-of-concept worm, OSX.Inqtana.A, that targets users of the
Macintosh OS X operating system. Currently categorized as a Level 1 threat (on a scale of 1 to 5, with 5 being most
severe), this worm spreads through a vulnerability in the operating system called the Apple Mac OS X BlueTooth Directory
Traversal Vulnerability. A patch for this vulnerability is available.
This threat follows the OSX.Leap.A worm discovered February 16, 2006. According to analysis by Symantec security
experts, OSX.Inqtana.A does not appear to have been developed in response to OSX.Leap.A but was created on a parallel
timeline.
"We have speculated that attackers would turn their attention to other platforms, and two back-to-back examples of
malicious code targeting Macintosh OS X this week illustrate this emerging trend," said Vincent Weafer, senior director
at Symantec Security Response.
The OSX.Inqtana.A worm attempts to use Bluetooth connections to spread itself by searching for other Bluetooth-enabled
devices that will accept requests when the computer is restarted. If a Bluetooth connection is found, the worm attempts
to send itself to those remote computers. However, OSX.Inqtana.A attempts to spread by using a time-limited demo version
of the Avetana library, which is bound to a Bluetooth address. As a result, the worm may not be able to spread
successfully.
"While this particular worm is not fully functional, the source code could be easily modified by a future attacker to do
damage," added Weafer. "Macintosh users should be diligent about installing patches to their operating systems as this
will prevent attacks of this type."
Symantec recommends that users of Macintosh OS X keep antivirus and firewall software, as well as operating systems,
up to date to provide maximum levels of security. Users can obtain additional information on updating
Macintosh OS X software at: http://docs.info.apple.com/article.html?artnum=106704
Symantec currently provides definitions to protect against OSX.Inqtana.A. The Symantec Security Response Web site
provides additional details at: http://securityresponse.symantec.com/
ENDS