Worm Claimed For Apple OS X
SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."
... which is much better than half a worm!
As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm.
If by fully testing you mean "auctioning it to the highest bidder" then yeah.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
The fact that the breaking news on slashdot is "someone found the third way to attack a mac machine" is a compelling argument to purchase a mac over a PC. Unless someone can explain to me how this is the seed of an impending snowball of mac-targeted malware.
Good idea. However, a serious discussion on /. is unlikely.
wha'? where am i?
Exactly what vulnerability in mDNSResponder is it exploiting? Since mDNSResponder also runs on Windows if you install Bonjour for Windows, does that mean it can possibly be affected too?
I agree. We should also question the ethics of Theo de Raadt. After all, this guy published an exploit for OpenSSH. Who does this guy think he is? Hell, he should have given the problem to the developers of OpenSSH to fix it, not be out there releasing exploits and stuff.
Try to hack my 31337 firewall!
I don't know of a single Mac user or vendor who has ever claimed that OS X is *COMPLETELY* invulnerable to viruses/etc, only that there hasn't been a demonstrable, malicious, in-the-wild true OS X virus released YET, which is true.
Major difference. In fact, every Mac user I know expects a "true" virus or two to show up for OS X sooner or later, but what of it? So the ratio will go from a bazillion to zero to a bazillion to one or two.
Apple has roughly a 2.5% worldwide market share--wake me when they have anywhere close to 2.5% as many viruses as Windows and I'll start being overly concerned.
Maybe it shouldn't be. There are hundreds of
Neglecting to report a vulnerability is not remotely criminal, no matter how much you disagree with his motivation.
mDNSResponder is open source.
Sure, get infected on the school's lab LAN. Bring your iBook oops MacBook to the coffee shop and get everyone else there. They all go home and infect their room-mate's machines. Who go to a different lab and it gets loose on the LAN there.
Most laptops aren't isolated to a single LAN these days; they move around. If there really is a flaw in mDNSResponder, then such a worm does have a chance to propagate. Especially if it is subtle and doesn't crash or overload machines, or do insane amounts of network I/O, or any of the other things that cause people to think something's wrong.
If this is a real concern, there is a workaround to have mDNSResponder run without root privileges. Part of the claim is that they can deliver root payloads - this is likely because mDNSResponder runs as the root user and they might be using a buffer overflow exploit [NOTE: I have not analyzed the mDNSResponder code - this is a guess.]
% sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
% sudo chown nobody:wheel /usr/sbin/mDNSResponder
% sudo chmod 4750 /usr/sbin/mDNSResponder
% sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
If someone wants an explanation of what the above commands accomplish, please read further.
1. launchctl is used to unload and load the mDNSResponder daemon.
2. We change the owner of the mDNSResponder to nobody and ensure that wheel is the group. The group is used to ensure that members of the wheel group may launch mDNSResponder and not other users of the system (with the exception of root and anything else running as nobody.)
3. We change the permissions of the mDNSResponder program to be setuid nobody. This means that mDNSResponder will run as nobody and only be able to affect files owned by that account or by files it may happen to have write privileges against.
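A small verification script for the workaround described in the comment above; this is an added example, not code from the thread or from Apple. It checks an `ls -l` line for the binary against the owner, group and mode the commands are meant to produce, and a `ps` line to confirm the running daemon is no longer root. The sample lines are constructed; the commented-out live calls assume the macOS paths from the comment.

```shell
#!/bin/sh
# Added check (not from the thread): does /usr/sbin/mDNSResponder look like
# "chown nobody:wheel; chmod 4750" took effect, and is the daemon off root?

# Symbolic mode that `ls -l` prints for mode 4750 (setuid, rwx for owner,
# r-x for group, nothing for others).
EXPECTED_MODE="-rwsr-x---"

# check_binary "<ls -l line>" -> 0 if owner/group/mode match, 1 otherwise.
check_binary() {
    set -- $1                       # split the ls -l line on whitespace
    mode=${1%[@+]}                  # macOS appends @ or + for xattrs/ACLs
    owner=$3; group=$4; rc=0
    [ "$mode" = "$EXPECTED_MODE" ] || { echo "mode $mode != $EXPECTED_MODE"; rc=1; }
    [ "$owner" = "nobody" ]        || { echo "owner $owner != nobody"; rc=1; }
    [ "$group" = "wheel" ]         || { echo "group $group != wheel"; rc=1; }
    return $rc
}

# check_process "<user> <command>" -> 0 if mDNSResponder is not running as root.
check_process() {
    set -- $1
    user=$1; cmd=$2
    case "$cmd" in
        */mDNSResponder|mDNSResponder) ;;
        *) echo "not an mDNSResponder process line: $cmd"; return 1 ;;
    esac
    if [ "$user" = "root" ]; then
        echo "mDNSResponder still runs as root"; return 1
    fi
    return 0
}

# Constructed sample lines, shaped like ls -l and ps -axo user=,comm= output.
SAMPLE_BEFORE="-rwxr-xr-x  1 root    wheel  1234567 Jun  1 12:00 /usr/sbin/mDNSResponder"
SAMPLE_AFTER="-rwsr-x---  1 nobody  wheel  1234567 Jun  1 12:00 /usr/sbin/mDNSResponder"
SAMPLE_PS_ROOT="root /usr/sbin/mDNSResponder"
SAMPLE_PS_NOBODY="nobody /usr/sbin/mDNSResponder"

# Live use on a Mac (uncomment to feed in the real lines):
# check_binary "$(ls -l /usr/sbin/mDNSResponder)"
# check_process "$(ps -axo user=,comm= | grep '[m]DNSResponder$')"
```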