Worm Claimed For Apple OS X
SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."
Hey, there's a worm in my apple...
That's impossible!
It's not a flaw; it's a feature. Remember, things are a little different in the Apple world ;)
As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm.
If by fully testing you mean "auctioning it to the highest bidder" then yea.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Disable mDNSResponder:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
First of all, if he's found a real vulnerability, he reports it. I don't care if it's Apple or Linux or even Windows. "Waiting until I finish it" is a disgusting excuse. Will he sell it to the bad guys? Is this free publicity for some jerk? I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might too. If what he's doing isn't illegal now, maybe it should be.
The fact that the breaking news on slashdot is "someone found the third way to attack a mac machine" is a compelling argument to purchase a mac over a PC. Unless someone can explain to me how this is the seed of an impending snowball of mac-targeted malware.
Exactly what vulnerability in mDNSResponder is it exploiting? Since mDNSResponder also runs on Windows if you install Bonjour for Windows, does that mean it can possibly be affected too?
While InfoSec Sellout states that the worm only seeks out other systems on the same network for infection, they point out that it is not going to take much extra work for the worm to attack a much broader network segment.
It's my understanding that the daemon in question works only on the LAN and is part of Bonjour/Rendezvous/Zeroconf/Avahi.... if this is the case, assuming a decent firewall, aren't you only vulnerable within your own local network?
Somebody writes a worm for OSX that works across a specific test network (of which we have no clue as to settings, layout, patch levels, etc etc), and it's really, really, really big news. Media orgs around the planet sound the klaxon, and (nearly) everyone gets all hyper-ventilated. Claims of "OSX is just as vulnerable!!!1111!!" will fly off the pages.
Meanwhile, the next near-periodic iteration of MSFT-specific malware in-the-wild will get not so much as a grunt outside of security circles (such as SANS ISC and F-Secure's blog as ferinstances). It will likely subvert 40x as many victims in its first hour, and the media won't say so much as 'boo' about it.
Perspective (at least outside of security and some geek circles)? Never heard of it.
Quo usque tandem abutere, Nimbus, patientia nostra?
It's a bug, it's a problem, but it's no Blaster by a long shot.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Doesn't mean you can't build them. Just means none are released in the wild, true to this date.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So, not quite like the Internet-spanning, DDOS-producing Windows worms we've come to know and hate. I'm not too surprised the vulnerability was in MDNSResponder, though. Someone I work with found a few problems in the code when running it on Linux.
I haven't really looked at the market share percentages of OSes recently. Has Apple really grown large enough for virus makers to start targeting Apple?
Not necessarily. In 2002, there was a zlib vulnerability found (involving memory being freed twice). Windows was not affected since it safeguards against double freeing memory.
Do you even lift?
These aren't the 'roids you're looking for.
mDNSResponder is open source.
If this is a real concern, there is a workaround to have mDNSResponder run without root privileges. Part of the claim is that they can deliver root payloads - this is likely because mDNSResponder runs as the root user and they might be using a buffer overflow exploit [NOTE: I have not analyzed the mDNSResponder code - this is a guess.]
% sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
% sudo chown nobody:wheel /usr/sbin/mDNSResponder
% sudo chmod 4750 /usr/sbin/mDNSResponder
% sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
If someone wants an explanation of what the above commands accomplish, please read further.
1. launchctl is used to unload and load the mDNSResponder daemon.
2. We change the owner of the mDNSResponder to nobody and ensure that wheel is the group. The group is used to ensure that members of the wheel group may launch mDNSResponder and not other users of the system (with the exception of root and anything else running as nobody.)
3. We change the permissions of the mDNSResponder program to be setuid nobody. This means that mDNSResponder will run as nobody and only be able to affect files owned by that account or by files it may happen to have write privileges against.
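An added audit script, not from the thread or from Apple, that checks whether a machine is actually in the state the commands above produce (owner nobody, group wheel, mode 4750) and which user the daemon is currently running as; it assumes the /usr/sbin/mDNSResponder path from the post and uses constructed ps output as sample input.

```shell
#!/bin/sh
# Audit the mDNSResponder de-privileging workaround from the post above.
# Added example, not the thread's own commands. Uses ls -l instead of
# stat(1) so the field layout is the same on OS X and Linux.

# perms_ok MODE OWNER GROUP: return 0 if the fields match the hardened
# state (setuid, not world-accessible, owned by nobody:wheel), else explain.
perms_ok() {
    mode=$1 owner=$2 group=$3 rc=0
    case "$mode" in
        -rws*) ;;
        *) echo "setuid bit not set ($mode): launchd runs it as root"; rc=1 ;;
    esac
    case "$mode" in
        ???????---*) ;;
        *) echo "world-accessible ($mode): expected 4750"; rc=1 ;;
    esac
    [ "$owner" = nobody ] || { echo "owner is $owner, expected nobody"; rc=1; }
    [ "$group" = wheel ]  || { echo "group is $group, expected wheel"; rc=1; }
    return $rc
}

# check_binary PATH: feed the mode/owner/group columns of ls -ld into perms_ok
check_binary() {
    [ -e "$1" ] || { echo "missing: $1"; return 2; }
    set -- $(ls -ld "$1")
    perms_ok "$1" "$3" "$4"
}

# running_as PS_OUTPUT NAME: print the user owning the process whose command
# basename is NAME. PS_OUTPUT is the text of: ps -axo user,pid,comm
running_as() {
    printf '%s\n' "$1" |
        awk -v n="$2" 'NR>1 { c=$3; sub(".*/", "", c); if (c == n) { print $1; exit } }'
}

# Constructed sample ps output (not captured from a real system).
SAMPLE_PS='USER PID COMM
root 1 /sbin/launchd
nobody 36 /usr/sbin/mDNSResponder'

# Usage: sh audit.sh /usr/sbin/mDNSResponder   (path assumed from the post)
if [ -n "${1:-}" ]; then
    check_binary "$1" && echo "binary permissions match the hardened state"
    u=$(running_as "$(ps -axo user,pid,comm 2>/dev/null)" "$(basename "$1")")
    [ -n "$u" ] && echo "daemon is running as: $u" || echo "daemon is not running"
fi
```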
No, just because you can't log into the account doesn't mean it doesn't exist. Type "sudo sh" and enter your password - presto, you're running a shell as root. Exploit any service running as superuser and you can do the same thing.
Visual IRC: Fast. Powerful. Free.
Apart from the claim by infosec sellout sounding less than adult - he says the payload was "weaponised" - and his claim that Apple will somehow not fix the "root cause" of the vulnerability if he gives it to them now - extortion anyone? mDNSResponder is Open Source - I seriously question how some independent researcher can have, as he claims, a test base of 1500 systems. A big company with $1million to throw around might have that, or a university, but I seriously doubt he has the place or resources to afford a test base of this size unless he is using a local university or school, and judging by his spelling and grammar, he is either not English native or he is a teenager, or both. That says nothing about the veracity (truth) of his claim but it is somewhat juvenile, the whole thing.
All unix requires the root account, it's not really that accurate to say disabled. More like "inaccessible", or to say that "logging in as root is disabled". The password hash starts set to a value that nothing can hash to, and so there is no valid password to login as root. To "enable root" is simply to set a legal password for it so you can login as root. 99% of mac users will never enable root, and most of them don't even know it exists to enable.
To do root-level things, use "su" (substitute user) - you can "su root" meaning do something with root's privs, so in that perspective root is always enabled, but only administrators can su, and that requires one to enter their administrator password, which a virus would have a tough time with.
So yes, it would have to take over an account that had administrator rights, and use that to do whatever. For all practical intents, an administrator can be root anytime they want to, so there is no need to get root. Getting an admin would be enough.
The OS X Server (as opposed to the Client which many think is all that exists) has root enabled by default, with its password set to the same password as the first administrator you create. Not sure why they do this, it's not really necessary. They probably assume that almost every sysadmin will want root enabled and will be close to first on the order of business if it were not the default.
I work for the Department of Redundancy Department.
Seriously, sit down with this guy. Put a suitcase full of large bills on the table, and tell him it's his if he can prove it works. And then, give the guy some incentive to continue to disclose his so-called "root causes". He is CLEARLY a total whore for cash, which means he is easily bought. You have pockets deep enough, you just sold a bojillion iphones, so buy this guy. If he's full of crap, make the fact that you wanted his "root cause" and he couldn't show you it publicly known, then he gets shamed into STFU and stops spreading FUD. If he does show the root cause, then great, put him on retainer and continue to have a fantastic OS. I know Jobs likes to do things all secretive and on his own terms, but this is a public perception issue, it needs to be handled in the public eye. Get on the private jet and go see this guy in person, use the RDF to mess with him and get this shit cleared up. Microsoft got into the situation they're in now by ignoring things like this and pulling the secretive garbage, you don't wanna go down that road, otherwise this crap will get out of hand.
IMO the really funny thing is that this joker decided to use a Bonjour vulnerability to work on, when everything I've heard indicates a major reworking of the Bonjour code in Leopard anyway.
Isn't this kinda like working out a vulnerability in AppleTalk a month before they stopped using it?
3 hypothetical worms in seven years. At this rate, I may have to switch to Linux next century!
You don't have to be smart to use a Mac, you just have to be smart enough to buy one
Hopefully that will change sometime soon. I like to think there is a push coming that is going to make vendors think differently about software security.
But maybe that's just over-optimistic.
How we know is more important than what we know.
One down, 140,000 to go until he catches up. Good thing mDNS doesn't work on the open Internet, though.
Most of the stuff on
The Windows camp has nothing to gloat about as long as I'm getting a hundred spam messages a day from compromised Windows machines.
Researchers say that safes are not completely immune to attack. Some off-the-shelf "safes" can be cracked in less than 5 minutes! They advise that a cardboard box is a more cost-effective way to store valuables, as "people will get in anyway".
Languages aren't inherently fast -- implementations are efficient
I frequently hear the old chestnut that the only reason Macs aren't infested with malware is their lack of market share. Whether true or not, it's a funny argument, especially if the person using it is defending their choice of Windows.
"I'm not going to use Mac because while it may be clean now, I could get covered in shit at any time!"
"But you're already covered in shit".
"Errr... yes. But I'm sorta used to it..."
10.4.10 isn't on the affected systems list.
If it is, this might be patched relatively soon (although it might take a while before Apple approves and deploys the fix). It might also mean that more systems could be affected by this vulnerability. I know FreeBSD uses mDNSResponder (the laptop I'm typing this on is actively using it right now).
Anyone knows if this might provide a way to write a FreeBSD worm?
Free beer is never free as in speech. Free speech is always free as in beer.
This could be a big problem on some university campuses, however. Mine, for example, has a huge flat-topology network that was deployed in the '80s (maybe before) and has been upgraded piecemeal without anyone really knowing how the whole thing fits together anymore. When I plug my laptop in, I get around 10KB/s of background traffic sent to the broadcast address hitting me. Running tcpdump shows that most of this is iTunes DAAP. Does this exploit also run on Windows? Apple bundle MDNSResponder with iTunes on Windows, so if that's where the exploit is then it could also be a problem there. It might also be a problem on other *NIX systems that bundle it, since Apple have released it under an Apache 2.0 license (cue all the 'Apple just takes from Open Source and never gives anything back' trolls).
I am TheRaven on Soylent News
The only people I always see spouting such crap are the people who claim to hate Apple fanboys. I've never seen an Apple fanboy make absurd claims like yours. This is like a fucking self-fulfilling prophecy. Every damn article about Apple is run over by stupid Anti-Apple trolls who write hundreds of comments laughing about imaginary Apple fanboys and the imaginary stupid things they say.
Here's an idea: Shut up, and let those who are interested in the article discuss it. Thanks.
Sigh.
The code for mDNSResponder is open source already (under an Apache 2.0 license).
Enjoy.
The "Internet Worm" targeted Sendmail. Which has proceeded to become notorious for security holes.
The biggest UNIX webserver security holes are due to PHP.
The biggest problem is not "closed" vs "open" source. It's design. Is the API secure (that is, if the implementation is perfect, would the resulting system be perfectly secure)? Does the API fail "open" or "closed"? Is there a mechanism to request trusted access from *outside* the trusted domain? If so, is that enabled by default?
If the answers are "yes", "closed", "no", and "no" then you may have built a secure system.
Surprise, surprise, there's a lot of open source software that isn't secure by that standard, including the much-lauded Firefox. Now don't get me wrong, the surface area Firefox's XPI and the XPI install mechanism exposes to attack is like the radar signature of a stealth fighter, where Internet Explorer's "insecurity" zones and ActiveX give it the radar signature of a flock of 747s, but it's not necessary for either exposure to exist at all.
Open Source doesn't create secure systems. It's a hell of a mitigating factor, yes, but the real source of long-lasting security holes (and we don't know if this is one or not, because the soi-disant "researcher" responsible isn't being open about the vulnerability he's found) is insecure design and a preference for patching particular attack vectors rather than fixing the insecure design. And that isn't limited to closed source systems.
Even assuming he hasn't made up that bit, I'm sure some of the real, ethical researchers looking at the mDNSresponder source code right now will figure out what he's hinting at.
From the things I read, Mac OS X is just as vulnerable and dangerous as Windows.
You need to read deeper.
OSX: No routed open ports by default. All services can be bound to localhost only. All IP-based services can be disabled. Conventional browser that requires applications to install extensions. Can be run securely with no firewall in place, the optional firewall is "defense in depth". It's not perfect, but the "surface area" exposed to remote attacks is small and can be eliminated.
Windows: Routed open ports by default, most services are promiscuous, and some listening services are required for normal operation of the OS. Browser built around embedded code, and the ability to run remotely provided embedded code can not be removed without disabling the browser and parts of required utilities. Firewall is enabled by default because it's required to close *most* direct remote attacks (but not all, and not attacks through the HTML control). Even with the firewall in place Windows has a larger surface area to exploits than any other OS in use, and you can't eliminate it without disabling basic OS functionality.