Slashdot Mirror


Worm Claimed For Apple OS X

SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."

31 of 398 comments

  1. worm in apple? by linuxmeltz · · Score: 4, Funny

    Hey, there's a worm in my apple...

    1. Re:worm in apple? by Anonymous Coward · · Score: 5, Funny

      ... which is much better than half a worm!

    2. Re:worm in apple? by Anonymous Coward · · Score: 4, Funny

      Does that make Jobs the Snake? That does explain why he slithers.

  2. Hey, be nice now! by Anonymous Coward · · Score: 4, Funny

    It's not a flaw; it's a feature. Remember, things are a little different in the Apple world ;)

  3. *ahem* by Duncan3 · · Score: 5, Insightful

    As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm.

    If by fully testing you mean "auctioning it to the highest bidder" then yea.

    --
    - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
  4. temporary work-around by mzs · · Score: 4, Informative

    Disable mDNSResponder:

    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

    1. Re:temporary work-around by dch24 · · Score: 4, Informative

      Very good. That might disable the security hole, if what has been disclosed so far is 100% accurate. If not, well, all you lose is Bonjour (useful for discovering iChat and iTunes connections on your local subnet).

  5. I question the ethics, and my legality by Swift2001 · · Score: 4, Insightful

    First of all, if he's found a real vulnerability, he reports it. I don't care if it's Apple or Linux or even Windows. "Waiting until I finish it" is a disgusting excuse. Will he sell it to the bad guys? Is this free publicity for some jerk? I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might too. If what he's doing isn't illegal now, maybe it should be.

    1. Re:I question the ethics, and my legality by Tobenisstinky · · Score: 5, Insightful

      Good idea. However, a serious discussion on /. is unlikely.

      --
      wha'? where am i?
    2. Re:I question the ethics, and my legality by Mr.+Flibble · · Score: 5, Funny

      I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might too. If what he's doing isn't illegal now, maybe it should be.


      I agree. We should also question the ethics of Theo de Raadt. After all, this guy published an exploit for OpenSSH. Who does this guy think he is? Hell, he should have given the problem to the developers of OpenSSH to fix it, not be out there releasing exploits and stuff.
      --
      Try to hack my 31337 firewall!
    3. Re:I question the ethics, and my legality by QuietObserver · · Score: 4, Insightful

      From my point of view, the original argument never said anything about making vulnerability reporting compulsory, but that concealing a vulnerability is morally reprehensible, and claiming to keep a vulnerability secret until an exploit is finished is a disgusting excuse.

    4. Re:I question the ethics, and my legality by fox1324 · · Score: 5, Insightful
      If what he's doing isn't illegal now, maybe it should be.


      Maybe it shouldn't be. There are hundreds of /. threads filled up with complaints about the US government and legal system. Our rights are constantly eroded by attempts to 'legislate morality'. Repeat with me: just because something is unethical or immoral does NOT mean it needs to be illegal. Ethics and morals are nothing more than opinions, and they vary greatly from person to person.

      Neglecting to report a vulnerability is not remotely criminal, no matter how much you disagree with his motivation.

    5. Re:I question the ethics, and my legality by samkass · · Score: 4, Insightful

      I'm sure you're trying to be sarcastic, but it would DEFINITELY be a good idea to include everyone from your random teenage mom's basement hacker to Theo de Raadt in the discussion. Just because someone has done great things for the community it doesn't mean he's going about addressing exploits in the best way.

      --
      E pluribus unum
    6. Re:I question the ethics, and my legality by MadMidnightBomber · · Score: 4, Insightful

      Because Congress is well known for its mature and insightful discussion of computer and network security issues.

      --
      "It doesn't cost enough, and it makes too much sense."
  6. Tipping the scales? by dsdtzero · · Score: 5, Insightful

    The fact that the breaking news on slashdot is "someone found the third way to attack a mac machine" is a compelling argument to purchase a mac over a PC. Unless someone can explain to me how this is the seed of an impending snowball of mac-targeted malware.

    1. Re:Tipping the scales? by Daniel+Dvorkin · · Score: 4, Insightful

      Yes, exactly. Three proofs of concept vs. thousands, maybe millions, of vulnerabilities in the wild.

      The author claims, "While it is nothing special compared to Windows based Malware it does prove a point -- Apple Computers are just as susceptible to Malware as Windows based ones." Oh, bullshit. The fact that this particular security vulnerability exists does not mean that OS X is just as much a wide-open target as Windows is.

      In the "Classic" MacOS days, there was a fair amount of Mac malware -- never as much as in the PC world, of course, but plenty of it running around. Since OS X became the standard, this hasn't happened. The "vulnerability through popularity" argument just doesn't hold up to this fact.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  7. Windows affected? by nuckin+futs · · Score: 5, Interesting

    Exactly what vulnerability in mDNSResponder is it exploiting? Since mDNSResponder also runs on Windows if you install Bonjour for Windows, does that mean it can possibly be affected too?

  8. Okay... let me get this straight... by Penguinisto · · Score: 4, Insightful
    Serious question here:

    Somebody writes a worm for OSX that works across a specific test network (of which we have no clue as to settings, layout, patch levels, etc etc), and it's really, really, really big news. Media orgs around the planet sound the klaxon, and (nearly) everyone gets all hyper-ventilated. Claims of "OSX is just as vulnerable!!!1111!!" will fly off the pages.

    Meanwhile, the next near-periodic iteration of MSFT-specific malware in-the-wild will get not so much as a grunt outside of security circles (such as SANS ISC and F-Secure's blog as ferinstances). It will likely subvert 40x as many victims in its first hour, and the media won't say so much as 'boo' about it.

    Perspective (at least outside of security and some geek circles)? Never heard of it.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Okay... let me get this straight... by BlueDjinn · · Score: 5, Insightful

      I don't know of a single Mac user or vendor who has ever claimed that OS X is *COMPLETELY* invulnerable to viruses/etc, only that there hasn't been a demonstrable, malicious, in-the-wild true OS X virus released YET, which is true.

      Major difference. In fact, every Mac user I know expects a "true" virus or two to show up for OS X sooner or later, but what of it? So the ratio will go from a bazillion to zero to a bazillion to one or two.

      Apple has roughly a 2.5% worldwide market share--wake me when they have anywhere close to 2.5% as many viruses as Windows and I'll start being overly concerned.

  9. Is mDNS even routable? by MBCook · · Score: 4, Interesting
    I was under the impression that mDNS was not routable (and specifically designed not to be routed). If that is true, doesn't that restrict this to propagating to computers on the same subnet? This could affect a business, or a computer lab (say at a university), but this fact should prevent it from spreading around the internet at large (as various Windows worms have).

    It's a bug, it's a problem, but it's no Blaster by a long shot.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:Is mDNS even routable? by dch24 · · Score: 4, Insightful

      Bundle it with a Windows worm. Exploit Macs on the same subnet as Windows boxes. Then the infected Macs scan for vulnerable Windows boxes and spread the infection. Every vector is useful in an attacker's bag of tricks.

    2. Re:Is mDNS even routable? by anticypher · · Score: 4, Informative

      Multicast packets are routable, if the upstream routers support dealing with multicast packets correctly.

      mDNS/bonjour/zeroconf detects if a packet has crossed a router by setting the originating TTL to 255. If a multicast packet crosses a router, the TTL is supposed to be decremented, and zeroconf is supposed to ignore the packet as it is no longer considered local. Many suppositions there, as implementations vary.

      Worse, starting with a TTL of 255 means that the packets will be able to go anywhere on the internet where multicast packets can get routed. Better protected carriers will drop multicast packets with TTLs greater than 64 or 128, specifically to limit mDNS/zeroconf traffic while allowing reasonable traffic to flow. Most ISPs don't have the technical competence to deal with multicast, so they just block it, which will limit any spread of an mDNS worm.

      However, just because mDNS/zeroconf will ignore packets with TTL less than 255, doesn't mean that a buffer overflow bug isn't being treated by the protocol stack. Take a wait and see attitude on this disclosure, as it appears to be an extortion attempt rather than something from legitimate sources.

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
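The TTL-255 link-local rule described in the comment above, as an added example that is not part of the thread: a small IPv4/UDP parser gates on destination 224.0.0.251:5353 and TTL == 255 before it looks at the DNS payload at all, so a packet that crossed a router never reaches the payload parser. The frames are constructed inline; the function names are this example's own.

```python
import ipaddress
import struct

MDNS_GROUP = ipaddress.IPv4Address("224.0.0.251")  # mDNS IPv4 multicast group
MDNS_PORT = 5353


def parse_ipv4_udp(frame: bytes):
    """Return (ttl, src, dst, sport, dport, payload) from a raw IPv4+UDP frame."""
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4           # header length in bytes (options allowed)
    if ihl < 20 or len(frame) < ihl + 8:
        raise ValueError("truncated IPv4/UDP header")
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if ulen < 8 or len(frame) < ihl + ulen:
        raise ValueError("bad UDP length")
    payload = frame[ihl + 8:ihl + ulen]
    return ttl, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), sport, dport, payload


def mdns_accept(frame: bytes):
    """Apply the link-local gate first; only then admit the payload for DNS parsing.

    Older mDNS implementations drop anything whose IP TTL is not 255, because a
    router decrements TTL on the way through (RFC 6762 section 11 keeps TTL 255 for
    backward compatibility and adds a source-address check). Doing this check
    before touching the payload is the point raised in the comment: a parsing bug
    that runs before the gate is reachable regardless of TTL.
    """
    ttl, _src, dst, _sport, dport, payload = parse_ipv4_udp(frame)
    if dst != MDNS_GROUP or dport != MDNS_PORT:
        return False, "not addressed to 224.0.0.251:5353"
    if ttl != 255:
        return False, f"ttl {ttl} != 255: packet crossed a router"
    if len(payload) < 12:
        return False, "payload shorter than a DNS header"
    return True, "link-local mDNS, payload may be parsed"


def build_frame(ttl, src, dst, sport, dport, payload):
    """Construct a test frame (checksums left zero; this is sample input, not real traffic)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp
```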
  10. Re:Apple Coded by Trillan · · Score: 5, Informative

    mDNSResponder is open source.

  11. Re:Can this travel via "broader network segment"? by greed · · Score: 5, Interesting

    Sure, get infected on the school's lab LAN. Bring your iBook oops MacBook to the coffee shop and get everyone else there. They all go home and infect their room-mate's machines. Who go to a different lab and it gets loose on the LAN there.

    Most laptops aren't isolated to a single LAN these days; they move around. If there really is a flaw in mDNSResponder, then such a worm does have a chance to propagate. Especially if it is subtle and doesn't crash or overload machines, or do insane amounts of network I/O, or any of the other things that cause people to think something's wrong.

  12. Have mDNSresponder run without root privileges by e.+boaz · · Score: 5, Informative

    If this is a real concern, there is a workaround to have mDNSResponder run without root privileges. Part of the claim is that they can deliver root payloads - this is likely because mDNSResponder runs as the root user and they might be using a buffer overflow exploit [NOTE: I have not analyzed the mDNSResponder code - this is a guess.]

    % sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    % sudo chown nobody:wheel /usr/sbin/mDNSResponder
    % sudo chmod 4750 /usr/sbin/mDNSResponder
    % sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

    If someone wants an explanation of what the above commands accomplish, please read further.
    1. launchctl is used to unload and load the mDNSResponder daemon.
    2. We change the owner of the mDNSResponder to nobody and ensure that wheel is the group. The group is used to ensure that members of the wheel group may launch mDNSResponder and not other users of the system (with the exception of root and anything else running as nobody.)
    3. We change the permissions of the mDNSResponder program to be setuid nobody. This means that mDNSResponder will run as nobody and only be able to affect files owned by that account or by files it may happen to have write privileges against.

  13. 1500 Test stations? by theolein · · Score: 4, Insightful

    Apart from the claim by infosec sellout sounding less than adult - he says the payload was "weaponised" - and his claim that Apple will somehow not fix the "root cause" of the vulnerability if he gives it to them now - extortion anyone? mDNSResponder is Open Source - I seriously question how some independent researcher can have, as he claims, a test base of 1500 systems. A big company with $1million to throw around might have that, or a university, but I seriously doubt he has the place or resources to afford a test base of this size unless he is using a local university or school, and judging by his spelling and grammar, he is either not English native or he is a teenager, or both. That says nothing about the veracity (truth) of his claim but it is somewhat juvenile, the whole thing.

  14. Re:That's not true... by kestasjk · · Score: 4, Funny

    That's impossible! It's possible, but:
    • It doesn't exist in the wild; this is because of OS X's stunning security features
    • This vulnerability was probably placed into the system by Jobs himself. If there were no vulnerabilities in OS X people would realize Jobs was supernatural, so he has to put one in there from time to time.
    • This vulnerability is probably the last vulnerability in OS X. Once Apple fixes this there'll be no more
    • Way, way more vulnerabilities are found in Windows and Windows products; this is because of OS X's breathtaking security features
    • This is probably a bug in BSD or Mach code, or one of the recent Intel chip bugs, or a Microsoft employee infiltrated the Cupertino campus. It's not Apple's fault.
    • Microsoft spends its entire R&D budget looking for these elusive Apple holes just as a way of discrediting Apple. If the real number of Microsoft and Linux vulnerabilities were actually disclosed there would be no comparison.
    • Apple puts the occasional vulnerability in its system because they know that Microsoft blindly copies anything Apple does. If Apple puts one bug into their system they know Microsoft will put 10 bugs in theirs.
    • Microsoft worms spread spambots and steal credit card information, Apple worms are just a misguided attempt of a loyal Apple fan to spread the good vibes and let the community know he cares. With Mac OS X only your unquestioning loyalty is contagious.
    Such a breathtaking OS on a rock solid foundation with over 1 million configurations. Say hello to OS X Panda. Starting at $99. Small sentence. Reinvented.
    --
    // MD_Update(&m,buf,j);
  15. Re:pfft by Divebus · · Score: 4, Insightful

    The Windows camp has nothing to gloat about as long as I'm getting a hundred spam messages a day from compromised Windows machines.

    --

    Most of the stuff on /. won't survive first contact with facts.
  16. 10.4.10 by djahz · · Score: 4, Interesting

    10.4.10 isn't on the affected systems list.

    1. Re:10.4.10 by fplinn · · Score: 4, Interesting
      wasn't this patched in may ? http://docs.info.apple.com/article.html?artnum=305530

      mDNSResponder
      CVE-ID: CVE-2007-2386
      Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
      A remote attacker may be able to cause a denial of service or arbitrary code execution
      Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.
  17. Actually... by LKM · · Score: 4, Insightful

    The only people I always see spouting such crap are the people who claim to hate Apple fanboys. I've never seen an Apple fanboy make absurd claims like yours. This is like a fucking self-fulfilling prophecy. Every damn article about Apple is run over by stupid Anti-Apple trolls who write hundreds of comments laughing about imaginary Apple fanboys and the imaginary stupid things they say.

    Here's an idea: Shut up, and let those who are interested in the article discuss it. Thanks.