Malware Evolution: MacOS X Vulnerabilities 2005 - 2006
Jul 24 2006
Claudiu Dumitru, Kaspersky Lab
This article looks at vulnerabilities detected in MacOS X in the first half of 2006. It compares these vulnerabilities to those detected in the first half of 2005, providing an overview of the evolution of threats targeting this increasingly popular platform.
Introduction
The Apple Macintosh is becoming more and more popular. However, recent reports on Mac security have caused extensive discussion among security professionals. Those who have expressed concern about the increasing number of vulnerabilities detected in Mac OS X have been accused of overreacting. The other side of the coin is that those who do not share this concern are accused of lacking common sense. This article examines several aspects of the recent evolution of threats for Mac OS X in order to help readers understand the ongoing debate, how secure Macs really are and how secure they will remain.
I believe that out-of-the-box machines running under Mac OS X are more secure than those running under other platforms. The Mac OS X *nix-like security model is, by default, configured to protect the system against threats common to other platforms where this kind of security and configuration is not standard. It could well be said that from the start, Mac OS X was designed with security in mind. However, although this approach seems to leave far fewer exploitable security flaws, assuming that there are no security issues at all is quite dangerous. Like any other platform, Mac OS X has software flaws. Such flaws inevitably draw the attention of malicious users, especially if users don't think they need to take action to protect against possible threats.
One interesting aspect of the vulnerabilities identified is the components in which they are present. The number of vulnerabilities identified in components where remote attacks are possible increased in comparison to the same period last year. This clearly demonstrates that possible attack vectors are receiving more and more attention.
Statistics
Figure 1: Comparison of the number of vulnerabilities in MacOS X and related products for the first half (January - May) of 2005 and the first half of 2006
For instance, the number of vulnerabilities identified in the operating system kernel and related components is less than in 2005. However, the number of vulnerabilities affecting Safari and the Mail application - which can be used to conduct an attack via the Internet - has increased. The same is true for QuickTime, which was a popular subject for security researchers during the first half of 2006.
The graph above also includes a series of vulnerabilities found in third party products which run on MacOS X. This category includes applications which are installed by default on the operating system but which are not MacOS X-specific. For instance, several vulnerabilities were identified in Sun's Java VM during this period, and these affect all operating systems capable of running Sun Java - not just MacOS X.
Interestingly, the number of core vulnerabilities in the MacOS X kernel (Mach) and related components / libraries has decreased compared to 2005. Still, a number of critical vulnerabilities have been found. The best known was probably the local 'passwd' exploit (a zero-day exploit) reported on 03.02.06, which was used to hack the system during the rm-my-mac competition.
Mac Malware
Malicious programs targeting Mac OS X are relatively uncommon. The Mac community was surprised when on February 13, 2006, the first worm for Mac OS X appeared. The worm was named OSX/Leap.A. Leap is an Instant Messaging (IM) worm which is also capable of infecting MacOS X applications. However, due to a bug in the virus code, infected programs will no longer run.
The worm was first spotted on the MacRumors (http://forums.macrumors.com/) forums, on the evening of Feb 13th, 2006. The original message read "Alleged screenshots of OS 10.5 Leopard", an obvious attempt to lure unsuspecting users into running the malicious code.
The worm uses Apple's IM application "iChat" to spread. Alternative ways of entering a system include the download and direct execution of the worm code by the user or by running an infected application from a remote location. Because the worm is not able to infect a system automatically, it has also been called a "Trojan", although that is not entirely correct. A Trojan is unable to replicate, whereas "Leap.a" is.
The worm spreads in the form of a TAR.GZ archive named "latestpics.tgz". If the user unpacks the archive (either using the command line tool 'tar' or by double-clicking it in Finder), s/he is presented with what seems to be a JPEG file:
In reality, this is a PowerPC executable, as can be seen from the Finder "Get Info" dialogue:
The "latestpics" executable is a command line application and because of that, it will open a terminal window when run.
There have been some reports saying that at this point, if run by a normal user, the operating system will ask for administrative rights. In our tests, this didn't happen - the worm execution proceeded in the same way as it would if run from an account with admin rights. However, it will only be able to infect applications to which the current user is allowed to write.
Next, the worm will extract an InputManager plugin from its main body, called "apphook". If the current user is an admin, it will copy this plugin into the system-wide "/Library/InputManagers" folder. If the current user is not an admin, it will copy it to the user's "~/Library/InputManagers" folder. The difference between these two operations is that InputManager plugins from the root "/Library" folder are loaded into applications run by all users, while in the second case the plugin is only loaded into applications run by the current user.
The "apphook" plugin is the worm component responsible for replication via IM. It attempts to hook certain iChat functions and it will send a copy of the worm body to the user's buddies, using the same method as the "Buddies -> Send File" menu command.
After installing the "apphook" plugin, the main worm code will continue with the infection of local applications. It will use "Spotlight" to search for a list of the most commonly used applications and it will attempt to infect them. The infection routine is very simple: Leap overwrites the main executable with its code while saving the original application code in a resource fork.
When an infected application is run, the main worm code will run, and it will attempt to propagate as described above. Leap will also attempt to execute the original application; however, this will not happen due to a bug in the worm's code. This means that infected applications stop working - a very obvious sign of the infection.
Finally, it appears that the author of the worm was planning to add an email replication function. However, this was not finished before the code appeared on the MacRumors forum. Except for corrupting applications during infection (which seems to be unintentional), there is no sign of any other damaging payload in the worm's code.
On 18 February, 2006, another MacOS X worm appeared. Inqtana spreads via Bluetooth and propagates by sending an Object Exchange (OBEX) Push data transfer request to the potential victim machine. If the user accepts the request, the worm exploits a Bluetooth File and Object Exchange Directory Traversal vulnerability to gain access to locations outside the Bluetooth File and Object Exchange service path.
The worm drops two files, named com.openbundle.plist and com.pwned.plist to the LaunchAgents directory to ensure that it will be launched automatically when the victim machine is rebooted. w0rm-support.tgz, which contains the worm components, is dropped to /Users/.
Once the operating system has been restarted, com.openbundle.plist unpacks the worm components and com.pwned.plist executes the worm's main binary. Inqtana then attempts to replicate by scanning for devices which have Bluetooth enabled. It will then send itself to any devices found that support Object Exchange (OBEX) Push requests.
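The Leap.A and Inqtana artifacts described above (the "apphook" InputManager, the two LaunchAgents plists, the dropped archive and an executable dressed up as a picture) can be checked for from a defender's side. The script below is an added example, not Kaspersky's or the worms' code; it assumes Inqtana's plists may be in either the system-wide or a per-user LaunchAgents folder (the article does not say which), and takes a root directory so it can be run against a test tree as well as a live system.

```python
import os

# Mach-O magic values: 32-bit big-endian (PowerPC, the form Leap.A used),
# 32-bit little-endian, and the two 64-bit variants.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
# LaunchAgents plists named in the article for Inqtana.
INQTANA_PLISTS = {"com.openbundle.plist", "com.pwned.plist"}


def is_macho(path):
    """True if the file starts with a Mach-O magic number, whatever its
    name or Finder icon suggests (the 'latestpics' trick)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def macho_files(directory):
    """Regular files directly inside `directory` that are Mach-O executables;
    run over a Downloads folder to spot picture-looking executables."""
    if not os.path.isdir(directory):
        return []
    candidates = (os.path.join(directory, n) for n in os.listdir(directory))
    return sorted(p for p in candidates if os.path.isfile(p) and is_macho(p))


def scan(root="/"):
    """Return (path, description) pairs for the persistence artifacts the
    article attributes to Leap.A and Inqtana, looked up under `root`.
    Assumption: both /Library and each user's ~/Library are checked."""
    users = os.path.join(root, "Users")
    libraries = [os.path.join(root, "Library")]
    if os.path.isdir(users):
        libraries += [os.path.join(users, u, "Library") for u in sorted(os.listdir(users))]
    findings = []
    for lib in libraries:
        im = os.path.join(lib, "InputManagers")
        for name in (os.listdir(im) if os.path.isdir(im) else []):
            if name.lower().startswith("apphook"):
                findings.append((os.path.join(im, name), "Leap.A 'apphook' InputManager plugin"))
        la = os.path.join(lib, "LaunchAgents")
        for name in (os.listdir(la) if os.path.isdir(la) else []):
            if name in INQTANA_PLISTS:
                findings.append((os.path.join(la, name), "Inqtana LaunchAgent " + name))
    archive = os.path.join(users, "w0rm-support.tgz")
    if os.path.isfile(archive):
        findings.append((archive, "Inqtana dropped archive"))
    return findings


if __name__ == "__main__":
    for path, what in scan("/"):
        print(f"{what}: {path}")
```

A hit from `scan` only says a file with that name sits where the worm would drop it; confirm by inspecting the file before acting on it.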
It was later discovered that Inqtana was written by the security researcher Kevin Finisterre, who created the worm as a proof of concept.
On 21 February, two zero-day exploits targeting MacOS X appeared: Exploit.OSX.Safari.a, discovered by Michael Lehn, and Exploit.OSX.ScriptEx.a, discovered by Kevin Finisterre (the author of Inqtana). Both exploits received extensive coverage within the IT media.
Exploit.OSX.Safari.a is an exploit which targets Apple's web browser, Safari. Due to a certain feature in Safari, it's possible to create certain types of ZIP files which, when they are downloaded from the Internet, will result in code being executed. This vulnerability was patched in Apple Security Update 2006-001.
Exploit.OSX.ScriptEx.a is an exploit for a vulnerability in the Apple Mail application for Mac OS X. It is triggered if a specially-crafted attachment is sent via email. The vulnerability itself is a buffer overflow which can be triggered when the Real Name component of the MIME Encapsulated Macintosh file is parsed. A careful choice of Real Name size and content can lead to arbitrary code being executed, which can then be used to install a Trojan or other malware on the victim machine. It can also be used to take total control of the victim machine. This issue was fixed by the Apple Security Update 2006-002.
On 19 April, Tom Ferris, a security researcher, disclosed another six zero-day vulnerabilities which would enable a remote malicious user to crash or hijack the victim machine.
Conclusion
Overall, malware has evolved enormously over the last couple of years. In the past, most authors of malicious code were seeking a place in the headlines. Today, they are looking for financial gain. Apple's small share of the global personal computer market has, until now, protected Macs from the unwanted attention of malware authors. However, as Apple systems become more popular, this will change; once critical mass is reached, more malware will undoubtedly start to appear. Even though malware like IM-Worm.OSX.Leap.a and Worm.OSX.Inqtana.A and exploits like Exploit.OSX.Safari.a and Exploit.OSX.ScriptEx.a were all proof of concept code, and had no obvious malicious payload, these proof of concept programs showed that Mac OS X does contain security flaws, and that these can be used to compromise the system.
Whether the proof of concept code covered in this article will be used for financial gain in the near future remains to be seen. History, however, shows that once vulnerabilities are identified, malware writers are never far behind.
References:
1. List of security updates for MacOS X
http://docs.info.apple.com/article.html?artnum=61798
2. KL report 2005: *nix Malware Evolution; Worm.OSX.Inqtana.a - full description in the KL Virus Encyclopaedia
http://www.viruslist.com/en/viruses/encyclopedia?virusid=112895
3. IM-Worm.OSX.Leap.a - full description in the KL Virus Encyclopaedia
http://www.viruslist.com/en/viruses/encyclopedia?virusid=112726
4. Tom Ferris
http://security-protocols.com/index.php
5. Michael Lehn
http://www.mathematik.uni-ulm.de/numerik/staff/lehn
6. Kevin Finisterre
http://www.digitalmunition.com/
7. rm-my-mac competition
http://www.rm-my-mac.wideopenbsd.org/