Alas, “Much ado about nothing”. Or not?
So, unless you spent the last 24 hours buried somewhere, you have heard that some sort of malware for OS X has surfaced. Oh my! “It’s the end of the world as we know it!”.
C’mon. **Reality check.**
Nothing is collapsing.
Instead, many things are getting better. More on this later on.
Let’s look at the facts (please note that I’m referring to the analysis done by Andrew, which could be wrong, but sounds reasonable):
- On February 14th a file named latestpics.tgz was linked on a popular Mac-oriented forum, claiming to contain pictures of interest to the Mac community (a sneak preview of 10.5). By itself, this alone should have looked odd: why on earth would you share a .tgz, packaged and compressed, to pass around a handful of JPEGs? Myself, I’d have tried something stealthier, like a self-extracting PPC executable. Unusual format: BAD.
- Some users report that after opening the file and double-clicking the expanded version, one thing, unexpected to say the least, started happening: the same file was sent to every iChat user in the buddy list without any further user intervention. Requires the user to open and double-click it: BAD. Still, using resource forks to hide the real payload of the object is smart. Standard OS resources: GOOD. Knowledge of the OS: GOOD.
- By that moment our little piece of software had been busy rebuilding a good copy of itself and dropping a small Input Manager bundle in /Library/InputManagers/ if you are an administrative user (read: the nearest to root a user can get under OS X) or in $HOME/Library/InputManagers/ otherwise (an Input Manager gets loaded into every Cocoa application that launches, so the system-wide directory means every user on the box). Given that the first user created when installing OS X is given administrative rights, I safely assume that around 90% of the clicking users were demigods on their machines. Based on common practices: GOOD. Using a standard OS application to spread: GOOD. Faking a known buddy, thus bypassing some diffidence: GOOD.
- And then? Any application (located in your $HOME or anywhere under /) run in the last month (found using Spotlight) would get replaced by an “infected” executable, with the original moved to a resource fork. Almost untouched executables: GOOD.
- “And then?” you’ll be asking, used as you are to I Love You, Slammer, Blaster and Welchia. Nothing. That’s all. Pretty boring, huh?
Very, very, VERY BAD.
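Here is what I would actually run on my own Mac after reading that list. It is an added example of mine, not Andrew’s analysis and not the worm’s code: it inventories both InputManagers directories the worm uses and flags any Mach-O executable under /Applications that carries a non-empty resource fork, which is where the post says the original binary ends up. The paths and the .app layout are the standard OS X ones; the resource-fork lookup through ..namedfork/rsrc is OS X specific and simply reports 0 on any other file system.

```python
"""Audit an OS X box for the two footprints described above: extra
InputManager bundles, and application executables carrying a resource fork.
Added example, not the post's or the worm's code; paths are assumptions."""
import os
import sys
import time

# The two drop locations the post names. /Library is only writable by an
# administrative user, which on OS X the first account always is.
INPUT_MANAGER_DIRS = (
    "/Library/InputManagers",
    os.path.expanduser("~/Library/InputManagers"),
)

# Mach-O magic numbers: 32-bit big-endian (PPC), little-endian (Intel),
# 64-bit both ways, and the fat/Universal Binary wrapper.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def list_input_managers(dirs=INPUT_MANAGER_DIRS):
    """Return (path, mtime) for everything in the InputManagers directories.
    On a clean box both are usually absent or empty; anything dated around
    the day a buddy sent you a .tgz deserves a look."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            found.append((path, os.path.getmtime(path)))
    return found


def is_macho(path):
    """True if the file starts with a Mach-O or fat magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def resource_fork_size(path):
    """Size of the HFS+ resource fork of `path`, or 0 if it has none.
    `..namedfork/rsrc` is the OS X path to the fork; on other file systems
    the lookup fails and we treat that as 'no fork'."""
    try:
        return os.path.getsize(os.path.join(path, "..namedfork", "rsrc"))
    except OSError:
        return 0


def suspicious_executables(app_root="/Applications"):
    """Flag Mach-O files under any Contents/MacOS whose resource fork is not
    empty. A plain executable has no business carrying one."""
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(app_root):
        if not dirpath.endswith(os.path.join("Contents", "MacOS")):
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_macho(path):
                size = resource_fork_size(path)
                if size > 0:
                    flagged.append((path, size))
    return flagged


def main(argv):
    app_root = argv[1] if len(argv) > 1 else "/Applications"
    for path, mtime in list_input_managers():
        stamp = time.strftime("%Y-%m-%d", time.localtime(mtime))
        print("InputManager:", path, stamp)
    for path, size in suspicious_executables(app_root):
        print("Mach-O with %d-byte resource fork:" % size, path)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as an admin so it can read every user’s Library, and pass a different root than /Applications if you keep applications in your home directory, which is exactly where the worm looks too.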
Now, I see two possibilities:
- All in all, the stuff we’re talking about is more a “pre-beta proof of concept” than one of those shiny and deadly effective Win32 viruses/worms. This POC fails, or does not (yet) implement, many things still in the mind of its writer, like the e-mail part Andrew is talking about.
- Andrew’s analysis falls short, and this thing is doing things still undiscovered. Time will tell.
- It’s just a sort of heads-up POC. It is not intended to do any harm. (I can’t count, did you notice?)
All this looks strange to me: you’re on a full-fledged UNIX machine, you have demonstrated a fairly good knowledge of the underlying OS, you can do (or at least try) so many things to 0wn it from the kernel up, and you do none of them?
You’re not a 13-year-old boy who wants to go bragging to his friends on IRC, so why stop there? Why “obfuscate” part of your code with XOR? OMG…
You could start opening connections to somewhere to obtain a back shell, fetching command files from the Internet and then executing them… you could push your code inside executables, you may even have a full compiler available and you don’t even look to see if it’s there?
Nor do you try a small kernel module to hide your files and/or your processes? Adore dates back six years…
Too many things don’t fit.
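If you want to see what that XOR layer is worth, here is an added example (mine, not the worm’s code and not Andrew’s analysis): it brute-forces a single-byte XOR key over a constructed blob of the kind of strings such a sample would want to hide, and then runs a strings(1)-style pass over the result. The sample strings and the key 0x5A are made up for the demonstration; the real sample’s key and layout are not stated anywhere on this page.

```python
"""Brute-force a single-byte XOR key and pull readable strings out of the
result. Added example; the sample blob below is constructed, not taken
from the malware."""

# Bytes we expect in a path, a command line or an AppleScript fragment.
LIKELY = set(b"abcdefghijklmnopqrstuvwxyz"
             b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ./_-:$")


def xor_bytes(data, key):
    """XOR every byte with a one-byte key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def score(candidate):
    """Fraction of bytes that look like text. Crude, but a one-byte key has
    only 256 candidates, so a crude filter is all we need."""
    if not candidate:
        return 0.0
    return sum(b in LIKELY for b in candidate) / len(candidate)


def brute_force_xor(blob, min_score=0.95):
    """Try all 256 keys; return (key, plaintext) pairs that pass the filter,
    best first."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score(plain)
        if s >= min_score:
            hits.append((s, key, plain))
    hits.sort(reverse=True)
    return [(key, plain) for _, key, plain in hits]


def strings(data, min_len=4):
    """Like strings(1): runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in data + b"\x00":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


# Constructed sample: a few strings a worm like this would want to hide,
# XORed with an arbitrary key. Nothing here is taken from the real sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (b"/Library/InputManagers/ and $HOME/Library/InputManagers/ "
                    b"latestpics.tgz 10.5")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def recover(blob=SAMPLE_BLOB):
    """Return (key, strings) for the best candidate, or None if nothing passes."""
    hits = brute_force_xor(blob)
    if not hits:
        return None
    key, plain = hits[0]
    return key, strings(plain)


if __name__ == "__main__":
    print("raw blob strings:", strings(SAMPLE_BLOB))
    print("recovered:", recover())
```

On the raw blob strings(1) sees only fragments, because every uppercase letter lands on a control byte; one pass over 256 keys brings the whole lot back. That is why a single-byte XOR buys you nothing against anyone who has looked at a sample before: the key is recovered in less time than it takes to read the disassembly.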
Anyway: at least now Mac users know they can get “infected”, and this is EXTREMELY GOOD, as most security is in the hands of the end users and we simply have no technical solution to human stupidity.
I expect many more “real” viruses and trojans coming for Mac OS X in the next 12-16 months, starting to exploit local buffer overflows, escalating privileges and doing all the stuff we’re accustomed to. Even in Universal Binary form. :)
So, let’s turn the brain on and click on that Apple again.
I see this post is much longer than I intended it to be: please bear with me :)