About Oompa-Loompa and InputManagers
February 16, 2006
The Oompa-Loompa trojan has caused a bit of stir in the Mac community. Our first, self-replicating “virus”. (Although technically it requires multiple user actions, as opposed to say, simply inserting a floppy disk or reading an email).
Oddly enough, there was recently a hubub in the Mac community about Smart Crash Reports, an Input Manager that will send crash logs to developers if their app crashes on you. Some of this information can be used to combat Oompa-Loompa, an Input Manager based trojan.
Smart Crash Reports is useful for developers because, while Apple provides a nice “Do you want to submit a report to Apple?” third party developers who write many of the apps you use every day don’t see these reports. The people who can fix the problems never actually see the reports. Smart Crash Reports is a useful, if maybe overly aggressive, tool for software developers to use. It also had a habit of being silently installed by some applications (although the latest beta of Smart Crash Reports is much better about asking the user’s permission to install.)
Input Managers fundamentally change the environment of running applications. Like most things, this is usually used for good. Just not in the case of Oompa-Loompa.
Read more to find out various ways to make for a safer Input Manager experience, and combat applications installing them behind your back.
Oompa-Loompa is an application, with a custom icon to make it appear to be a picture, which, after the user launches it, installs an Input Manager on your system and then tries to transmit copies of itself via iChat.
Being an Input Manager, it can be stopped (or controlled) in various ways people thought of to keep applications from installing Smart Crash Reports:
-
Run As a normal user
Good advice in general: If you don’t know how to fix your machine when it breaks, you shouldn’t run as an Administrator. Begin Administrator means you can modify (aka: mess up) system level files, which, if you don’t know what you’re doing and can’t fix, is bad. As a normal user you only have access to read and write your own files. (Which is why backups are important - maybe you install a virus and it wipes out your Documents folder. You now have a machine that boots and runs fine, but all your work is gone.) -
Modify ~/Library/InputManagers to be owned by root
In the Terminal, enter the following commands (commands have the $ in front of them, the results have nothing in front of them)
`$ ls -l ~/Library/ | grep InputManager drwxr-xr-x 2 rpw rpw 68 Jan 17 18:23 InputManagers$ sudo chown root:aias ~/Library/InputManagers
$ ls -l ~/Library/ | grep InputManager drwxr-xr-x 2 root rpw 68 Jan 17 18:23 InputManagers` Notice how the third column is now “root” instead of “rpw”? That column is the “who owns me” column.
Once executed, those commands mean that nobody can modify your InputManager folder except root. When you try to move something into ~/Library/InputManager/ the Finder will ask you for your password. When an application tries to move something into InputManager it will either fail or ask you for your password. Never give strange dialogs your password. You should understand what is happening every time you enter your password. If you were running Software Update, and it asks you for your password to install some software, that’s expected. If you just updated your system and an app wants to update your keychain, yes, that makes sense. If you are just using the Finder and are suddenly prompted for your administrator username and password: Stop and think: Did I expect this?
-
Use a Folder Action
You can use Applescript’s Folder actions to be alerted every time a folder gets new items added to it. As a developer, I used to use this technique for ~/Library/Logs/CrashReports/, where the crash report log file is written. A tip on Macslash tells you how to set this up.
This information, along with a little caution, should keep your machine from harm. Defensive Driving isn’t just for the road, it’s for computers too.