
“Oompa Loompa.” – The Story of The Very First Piece of Malware For The Mac!



During the rise of computers in the early 2000s, a prevailing belief held that Mac computers were impervious to viruses. This notion, popularized by Apple’s marketing, attracted many to Apple stores, convinced that “Macs don’t get viruses.” For a while, this was true: developers had nothing to gain from writing malicious code for the far more obscure macOS X platform. Mac users had nothing to worry about, until they received a private message in February of 2006. Word was spreading online through communities such as MacRumors that Apple was working on a new version of its operating system, known as macOS X Leopard. Little was known about it, which kept the company’s loyal fanbase in great suspense. So when a file was uploaded that supposedly contained leaked images of the OS, the suspense grew further. Their unquestioning faith in the Mac’s safety, however, left them with no second thoughts about possible repercussions. Simply opening the message introduced problems for the user.

The “Oompa Loompa Virus.”

While not technically a virus, “Oompa Loompa,” also known as “Leap-A,” spread across numerous Local Area Networks using Apple’s popular instant messaging client, iChat. The worm was able to spread because many inexperienced Mac users disregarded basic caution, and because it could infect multiple machines at once. It would also render applications on infected machines across the network unusable. Overnight, one of the most highly respected desktop platforms was facing the same problems as everyone else. This raises the question: how was this worm able to take one of the most secure operating systems and change its configuration with such ease? More importantly, how did so many people still not know better? At the time, malware was typically created to render a PC or an application unusable, and Leap-A can be seen as history repeating itself. The lessons learned from earlier worms such as Melissa and LOVELETTER seemed to have been forgotten; the circumstances surrounding Leap-A led users to give it the benefit of the doubt. The reasons were clever marketing, false preconceptions about Apple products, and, most obviously, the inevitable gullibility of the general public.

“Mac vs. PC” Debate.

Throughout the 2000s, Apple’s selling point was that its computers were better than the competing Windows PCs of the time. The Mac versus PC debate has been around since the release of the Macintosh in 1984, and it was revived in the late ’90s when Steve Jobs returned as Apple’s CEO. After his return, Apple’s marketing strategy changed to “think different.” Rather than simply persuading consumers to buy a Mac, Apple set out to convince them to buy a Mac instead of a PC. The reasons given included that more software was available, that only one cord was required, and that it did not get any viruses. For some time, this was true to an extent, thanks to the concept known as “Security Through Obscurity.” Around this time, macOS X’s market share was very small compared to Windows. While there is a large crowd of Mac users today, that wasn’t the case in the early 2000s; in reality, there wasn’t an audience for malicious developers to write malware for the platform. Mac viruses exist, but they are not significant or damaging enough to be considered alarming. With Apple portraying macOS as an operating system that “doesn’t get viruses,” this became common knowledge among people who had switched or were considering switching to its products. “Oompa Loompa” is when that would all change. It wasn’t that receiving a suspicious message on your computer was a foreign concept; it was simply considered a problem for Windows users. Mac users had no second thoughts and were not suspicious, because “Macs don’t get viruses.” Not everyone had this mindset, but enough did, and this was only the beginning; otherwise, the worm wouldn’t have been able to spread at all. The general ignorance of online users has to be taken into account.

Possible Origin & Operation.

Since the average person is unsuspecting, they might not consider a worm to be a devastating virus. Even when others issue warnings and PSAs about it, a certain number of people will still fall victim. Additionally, there were those anticipating more information about macOS X Leopard who let their eagerness override their judgment. It begs the question of whether the developer considered this when creating it. Unfortunately, that question cannot be answered, because we do not know who developed the worm or where it came from; it remains a mystery to this day. The most likely case is that it originated from a link on RapidShare dated February 10th, 2006, which was posted on a series of Apple-related forums. It started to gain attention days later when a user named “lasthope” posted it to a MacRumors thread, claiming it contained screenshots of OS X Leopard. Other users quickly figured out what it truly was and responded with great hostility. This would be the only time lasthope ever posted or logged in. It is unknown whether all of the submissions came from the same person, but given how a worm spreads, these points of origin would make sense.

This worm behaves similarly to previous worms such as Melissa and LOVELETTER. However, Oompa Loompa does not spread through the internet. Rather, it spreads through Local Area Networks (LANs) or intranets, private networks that are typically limited to one location, such as corporate offices, schools, and conference centers. If the worm replicated itself across multiple machines, it could only do so within the confines of that network. In that case, the MacRumors theory would make the most sense, as it explains how the worm reached multiple LANs instead of just one. Instead of using Microsoft Outlook, Oompa Loompa used iChat, Apple’s counterpart to AOL Instant Messenger, and spread over the Bonjour protocol, which lets Apple devices find each other on a LAN. It starts when a Mac user receives a message from someone they know in their iChat Bonjour list. As with other worms, a hook is needed to get users to activate it. In this case, it is a message claiming to have screenshots of the upcoming macOS X Leopard, carrying the file “latestpics.tgz.” The .tgz suffix denotes a gzip-compressed tar archive, which bundles one or more files much like a zip file. After the file is opened, users are presented with what appear to be convincing pictures. Rather than a traditional JPEG, however, it is a UNIX executable script that stealthily displays the Mac’s default image icon.
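A defender-side triage of such a “picture pack,” added here as an example that is not from the article or from the worm itself: it opens a .tgz in memory and flags members whose mode bits or leading bytes mark them as executables rather than pictures. The sample archive, its file names and the script inside are constructed for this example, and the verdict labels are this example’s own.

```python
import io
import stat
import tarfile

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")  # jpeg, png, gif
# Leading bytes a "picture" should never have (Mach-O in both byte orders of the era).
EXEC_MAGIC = {
    b"#!": "script with interpreter line",
    b"\xfe\xed\xfa\xce": "Mach-O (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def triage_archive(data: bytes) -> dict:
    """Return {member: (verdict, reasons)} for each regular file in a gzip tar."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(16)  # only the header is needed
            reasons = []
            if member.mode & EXEC_BITS:
                reasons.append("executable bit set")
            for magic, kind in EXEC_MAGIC.items():
                if head.startswith(magic):
                    reasons.append(f"content is {kind}")
            if reasons:
                verdict = "disguised executable"
            elif head.startswith(IMAGE_MAGIC):
                verdict = "image"
            else:
                verdict = "unknown"
            report[member.name] = (verdict, reasons)
    return report

def _add(tar, name, payload, mode):
    info = tarfile.TarInfo(name)
    info.size, info.mode = len(payload), mode
    tar.addfile(info, io.BytesIO(payload))

def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure: a JPEG header and an executable script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "latestpics/leopard1.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 28, 0o644)
        _add(tar, "latestpics/latestpics", b"#!/bin/sh\necho constructed\n", 0o755)
    return buf.getvalue()
```

Feed `triage_archive` the bytes of any downloaded .tgz; an “unknown” verdict only means the header matched neither list and deserves a closer look.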

UNIX Executables & macOS X’s Spotlight Feature.

Since Macs at this time hid file extensions by default, users had no reason to doubt that this was an image until it was opened. By then it was too late, as a Terminal window would open. As with other worms, everyone in the victim’s iChat Bonjour list would then receive the same message, with the file appearing to come from the victim. This is done by duplicating the file into the “/temp” directory, from which it is sent to everyone else. Lastly, the worm uses macOS X’s Spotlight feature to locate the four most recently used Cocoa applications and infects them by adding an extended attribute with the name “Oompa” and the value “Loompa.” As a result, several people were unable to open these applications. They were now corrupt, leaving users no choice but to reinstall. People might think the worm was not severe, since it did not transmit itself across the internet and much of the reporting was hearsay, which is understandable. Articles covering the story were sensationalistic, claiming that all iChat users were in danger. But, as noted above regarding its use of the Bonjour protocol, the situation was more complicated. Some users reported corrupt applications, but many said otherwise, and there was a reason for this. The worm only infected Cocoa applications the user had installed, not the applications that came preloaded on the Mac. Furthermore, the user had to be signed in to an administrator account or be given admin privileges, in which case they would have to type in their password to open the file. Since it is routine to type in your password just to install applications on macOS X, someone could easily have entered their password to open the file without a second thought.
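A check for the infection marker described above, added here as an example and not part of the article: it walks a directory of .app bundles and reports any whose main binary carries an extended attribute named oompa with the value loompa (matched case-insensitively). The bundle names, the fake attribute reader and the quarantine attribute in the sample are constructed; the default reader uses os.getxattr, which Python provides on Linux but not on macOS, where `xattr -l` would be the equivalent.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List

MARKER_NAME, MARKER_VALUE = "oompa", b"loompa"  # name/value the article reports

def read_xattrs(path: Path) -> Dict[str, bytes]:
    """Read extended attributes with os.listxattr/os.getxattr (Linux-only in
    Python; on a Mac the equivalent is `xattr -l`). Returns {} where unsupported."""
    try:
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    except (OSError, AttributeError):
        return {}

def has_marker(attrs: Dict[str, bytes]) -> bool:
    """True if an attribute named oompa (any case, any 'user.' prefix) holds loompa."""
    for name, value in attrs.items():
        if name.rsplit(".", 1)[-1].lower() == MARKER_NAME:
            if value.rstrip(b"\0").lower() == MARKER_VALUE:
                return True
    return False

def bundle_executables(apps_dir: Path) -> Iterable[Path]:
    """Yield the main binary of each .app bundle: Contents/MacOS/<bundle name>."""
    for app in sorted(apps_dir.glob("*.app")):
        exe = app / "Contents" / "MacOS" / app.stem
        if exe.is_file():
            yield exe

def scan(apps_dir: Path, reader: Callable[[Path], Dict[str, bytes]] = read_xattrs) -> List[str]:
    """Return the names of bundles whose main binary carries the marker."""
    return [exe.parents[2].name for exe in bundle_executables(apps_dir) if has_marker(reader(exe))]

# Constructed data for a stand-alone run: two bundle skeletons plus a fake attribute
# reader, so the check does not depend on the filesystem supporting xattrs.
FAKE_XATTRS = {"Tainted": {"oompa": b"loompa"}, "Clean": {"com.apple.quarantine": b"constructed"}}

def make_sample_bundles(root: Path) -> None:
    for name in FAKE_XATTRS:
        exe = root / f"{name}.app" / "Contents" / "MacOS" / name
        exe.parent.mkdir(parents=True)
        exe.write_bytes(b"placeholder, not a real binary")

def demo() -> List[str]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_bundles(root)
        return scan(root, reader=lambda p: FAKE_XATTRS.get(p.name, {}))

if __name__ == "__main__":
    print("marked bundles:", demo())
```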

Oompa Loompa’s Impact on Mac Users & Apple’s Brand Image.

This is why the file was able to reconfigure a robust operating system so easily: the user granted it permission. Overall, the worm is harmless except under specific circumstances. Those who were inexperienced with technology and merely had an iChat account were probably safe, whereas a system administrator at a large firm who relies on manually installed Cocoa applications was a more valuable target. The worm was confirmed as a threat by Intego, one of the security firms in the Apple ecosystem. It was eventually contained by spreading the word about its deceptive nature. Thankfully, the worm did not spread as extensively as Melissa or LOVELETTER. However, it was enough to cause concern and to signal that this was the end of an era for the Mac. Apple would continue marketing the Mac as a virus-immune computer, but for some people it no longer mattered; this worm had torn away that facade. It was a sign that the Mac was no longer exclusive or special, and that owning one was no longer a flex. Its fanbase was growing, and it was slowly becoming more of the same. The Oompa Loompa worm led by example, and many other malicious programs would follow. It was one of many indications that Apple was different from 10 years prior. The company was only growing, but there was more to come.
