{"id":116,"date":"2006-02-18T02:15:01","date_gmt":"2006-02-18T00:15:01","guid":{"rendered":"http:\/\/www.kill-9.it\/blog\/index.php\/2006\/02\/18\/osx-virustrojanthats-not-the-relevant-thing\/"},"modified":"2006-02-18T02:38:18","modified_gmt":"2006-02-18T00:38:18","slug":"osx-virustrojanthats-not-the-relevant-thing","status":"publish","type":"post","link":"https:\/\/www.kill-9.it\/blog\/index.php\/2006\/02\/18\/osx-virustrojanthats-not-the-relevant-thing\/","title":{"rendered":"OsX Virus\/Trojan\/that&#8217;s-not-the-relevant-thing"},"content":{"rendered":"<p>Alas, &#8220;Much ado about nothing&#8221;. Or not?<\/p>\n<p>So, if in the last 24 hours you were not buried somewhere you have heard that a some sort of malware for OsX has surfaced. Oh my! &#8220;It&#8217;s the end of the world as we know it!&#8221;.<br \/>\nC&#8217;mon. <strong>** Reality check. **<\/strong><br \/>\nNothing is collapsing.<br \/>\nInstead, many things are getting better. More on this later on.<\/p>\n<p>Let&#8217;s look into the facts (please note that I&#8217;m referring to the analysis done by <a href=\"http:\/\/www.ambrosiasw.com\/forums\/index.php?showtopic=102379\">Andrew<\/a>, which could be wrong, but sounds reasonable)<\/p>\n<ul>\n<li>On Feb, 14th a file named <em>latestpics.tgz<\/em> was linked on a popular Mac-oriented forum, claiming to contain pictures interesting for the Mac community (a sneak preview of 10.5). By itself, this alone should have looked odd: why on earth are you supposed to share a .tgz &#8212; packaged, compressed &#8212; file for sharing an handful of jpg? Myself, I&#8217;d have tried something more stealth, like a self-extracting ppc executable. <strong>Unusual format: BAD.<\/strong><\/li>\n<li>Some users report that after opening the file and <strong>double clicking on the expanded version<\/strong> one thing, unexpected to say the least, did start happening: the same file was sent to all iChat users present in the buddy list without user intervention. <strong>User Intervention: BAD.<\/strong> Anyway, it looks smart using resource forks to hide the real payload of the object. <strong>Standard OS Resources: GOOD. Knowledge of the OS: GOOD.<\/strong><\/li>\n<li>By that moment, our little piece of software had been busy rebuilding a good copy of itself, and adding a small <code>apphook.bundle<\/code> into <code>\/Library\/InputManagers\/<\/code> depending if you are an administrative user (read, <em>the nearest to root a user can get under OsX<\/em>) or in your <code>$HOME\/Library\/InputManagers\/<\/code> otherwise. Given that the first user that gets created installing OsX is given administrative rights, I safely assume that around 90% of the clicking users were demi-gods on their machines.<strong>Based on common practices: GOOD. Using standard OS application to spread: GOOD. Faking a known buddy, thus bypassing some diffidence: GOOD.<\/strong><\/li>\n<li>And then? Any application (located in your <code>$HOME<\/code> or under the <code>\/<\/code>) run in the last month (found using SpotLight) would get replaced by an &#8220;infected&#8221; executable, with the original moved to a resource fork. <strong>Almost untouched executables: GOOD.<\/strong>\n<\/li>\n<li>&#8220;And then?&#8221; you&#8217;ll be asking, used to I Love You, Slammer, Blaster, Welchia. Nothing. That&#8217;s all. Pretty boring, uh?\n<p><em>Coitus interruptus<\/em><\/p>\n<p><strong>Very,<em>very<\/em>, VERY BAD<\/strong>.<\/li>\n<\/ul>\n<p>Now, I see two possibilities:<\/p>\n<ul>\n<li>\nAll in all, the stuff we&#8217;re talking about is something more a &#8220;pre-beta-proof-of-concept&#8221; than one of those shiny and deadly effective Win32 viruses\/worms. This POC fails or does not (still) implement many things still in the mind of his writer, like the e-mail part Andrew is talking about<\/li>\n<p><strong>OR<\/strong><\/p>\n<li>Andrew&#8217;s analysis falls short, and this entity is doing things still undiscovered. Time will tell.\n<\/li>\n<p><strong>OR<\/strong><\/p>\n<li>it&#8217;s just a sort of heads-up POC. It is <em>not intended<\/em><em> to do any harm.<\/em> (I can&#8217;t count, did you notice?)<\/li>\n<\/ul>\n<p>All this looks strange to me: you&#8217;re on a full-fledged UNIX machine, you have demonstrated a fairly good knowledge of the underlying OS, you can do (or at least try) so much things to 0wn it from the kernel up and you do none?<br \/>\nYou&#8217;re not a 13 year old boy who wants to go bragging with your friends in IRC, so why stopping there? Why &#8220;obfuscating&#8221; part of your code using XOR? OMG&#8230;<br \/>\nYou could start opening connections to somewhere to obtain a backshell, getting command files from the Internet and then executing them&#8230; you cold push your code inside executables, you may even have a full compiler and you don&#8217;t even look if it&#8217;s there?<br \/>\nNeither you try a small kernel module to hide your files and\/or your processes? Adore dates back to six years ago&#8230;<br \/>\nToo many things don&#8217;t fit.<\/p>\n<p>Anyway: at least now <strong>Mac users know they may get &#8220;infected&#8221;<\/strong>, and this is <strong>EXTREMELY GOOD<\/strong>, as most security is in the hands of the end users and we simply have no technical solution to human stupidity.<\/p>\n<p>I expect many more &#8220;real&#8221; viruses and trojans coming for Mac OsX in the next 12-16 months, starting to exploit local buffer overflows, escalating privileges, and doing all the stuff we&#8217;re accustomed to. Even in Universal Binary form. :)<\/p>\n<p>So, let&#8217;s turn the brain on and click on that Apple again.<\/p>\n<p><em>I see this post is much longer than I intended it to be: please bear with me :)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Alas, &#8220;Much ado about nothing&#8221;. Or not? So, if in the last 24 hours you were not buried somewhere you have heard that a some sort of malware for OsX has surfaced. Oh my! &#8220;It&#8217;s the end of the world as we know it!&#8221;. C&#8217;mon. ** Reality check. ** Nothing is collapsing. Instead, many things &hellip; <a href=\"https:\/\/www.kill-9.it\/blog\/index.php\/2006\/02\/18\/osx-virustrojanthats-not-the-relevant-thing\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;OsX Virus\/Trojan\/that&#8217;s-not-the-relevant-thing&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,3,4],"tags":[],"class_list":["post-116","post","type-post","status-publish","format-standard","hentry","category-english","category-geek","category-security"],"_links":{"self":[{"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/posts\/116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=116"}],"version-history":[{"count":0,"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/posts\/116\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kill-9.it\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}