Slashdot Mirror


Two Trojans For Mac OS X

I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."

7 of 326 comments

  1. Re:Yawn by KGIII · Score: 5, Interesting

    At risk of being called a troll... The adage does actually apply, but I will spell it out a bit. If you're going to attack, then your goal is to do as much damage as you can as efficiently as you can. The vast majority of users are still using Windows. The vast majority of business data is still being transported on Windows-based machines. You are as unlikely to find mass-effect malware for a Mac as you are for RiscOS, Amiga, Solaris, BSD, or Linux. The ends don't justify the means from a realistic view, and anyone who thinks that malware authors are out there doing it just to "show the man" or for "fame" these days hasn't actually paid attention to the malware scene for the past five years. Today it is about blended threats, specific highly targeted attacks, gaining information as opposed to causing destruction, and the goal isn't geekiness nor fame but rather money. Mac users are just as likely to type in their password as are Windows users. (As *NIX is not aimed at the mainstream, I'd argue that *NIX users are less likely to do so, and yes, I use all the above OSes when required or have used them to play with them.)

    --
    "So long and thanks for all the fish."
  2. Re:Grrr... by mallardtheduck · Score: 2, Interesting

    However, once you have convinced the user to download and attempt to run the program, it is a short step to getting them to approve administrator access.

    By "seriously limiting the functionality of legitimate programs" I was referring to systems such as Bitfrost which, while providing strong protection against Trojans, also makes certain classes of application almost impossible to implement (i.e. a mass Flickr uploader or an FTP client).

  3. Re:An unpopular opinion.... by Toreo asesino · Score: 3, Interesting

    It's more the impersonation I was talking about.

    In Windows you can launch a process impersonating a Windows user if you want to run under different credentials. So with the string value from the "Enter Pa33w0rd n00b" window, you could in XP, for instance, run a new process under "root" privs and hose the system however you wanted (assuming the password was OK). In Vista this is impossible.

    --
    throw new NoSignatureException();
  4. Re:Yawn by MickDownUnder · Score: 3, Interesting

    You're almost right, but not quite.

    Today there is government backing behind state-of-the-art malware, and it is a lot more sophisticated than you give it credit for. Today's black hats are guns for hire, owning vast botnets; often they are only loosely affiliated with government agencies.

    The effectiveness of botnets is primarily measured by their ability to infiltrate and function WITHOUT doing any detectable harm. The vast percentage of compromised machines are dormant and do NO HARM; they are only very occasionally test fired to assess their operational status.

    The primary purpose of botnets is NOT monetary, it is political. They are rarely used to directly make money.

    Just take a look at what happened to Estonia for example...

    http://www.guardian.co.uk/world/2007/may/17/topstories3.russia [guardian.co.uk]

    Back in the '60s when the components that make up the internet were designed, the main concern was designing a network of computers that could communicate even when under attack during a time of war. Today governments have the exact opposite concern.

    The only defense mechanisms that work against today's malware are distributed ones; short of disconnecting themselves from the internet, individuals have no hope, as you just simply won't suspect the mechanism that will be used to compromise your machine.

    This is something white hats are only just coming to grips with.

    Today's hackers will be looking to gain deep penetration into aspiring OS platforms as early as they possibly can, to ensure they are in there from day one. Macs are easily popular enough to attract the interest of black hats; if you're on any machine directly or indirectly connected to the internet you should be worried about malware. Macs are definitely not immune.

  5. Re:Proof of Concept Slashdot Trojan by Hal_Porter · Score: 2, Interesting

    Also, if you already know what people will respond to you, why do you ask your, fairly inflammatory, I might add, question, even if you intended it to be a rhetorical one?

    Let me tell you a story. Fresh out of university, I got my first full-time job. I worked in an office. "Worked" was actually a bit of a misnomer; we were all so bored that the guy next to me confessed to being so concerned about not having anything to do that he typed ps -aux on his Sun occasionally to 'make shit scroll past when the boss walked past'. Someone else said 'you pop a lot of brain cells working here'.

    Everyone wore suits to work, no one did any work as far as I could tell, and no one trusted anyone else. One guy came in with a new, slimline and expensive briefcase. All my coworkers crowded around him saying how cool it was. The boss walked in and headed for the middle of the crowd. He looked at the briefcase and said it was pretty cool. Then he looked at the hinges. They were actually a bit shoddy. He said something like 'I'd be happy if I got something like that in a Christmas cracker, but in something this expensive it's a bit of a disappointment'. The guy with the briefcase looked a bit crestfallen and I think he stopped bringing it to work after a couple of weeks. Especially since the only thing he had to put in it was a sandwich for lunch, which didn't fit as the boss pointed out.

    Now do you understand?

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  6. Re:Yawn by phantomfive · Score: 4, Interesting

    "The primary purpose of botnets is NOT monetary, it is political. They are rarely used to directly make money."

    Woah, you are way off base on this one, and I refer to Misha Glenny and his book where he investigates global hacking schemes.

    Even if you think of it, the potential for profit is just too great. If you can harvest 20,000 credit cards, and only take $5 from each one (call it a service charge or something), will the people notice? If you can do it with 20,000, why not a million? Can you not imagine that this would be tempting to people? It is. Horribly tempting.

    Another example we had on Slashdot here a few years ago was a story about botnets being used to DDoS offshore gambling sites, and then ask for extortion money to stop the attack. Here, check it out. There are many ways to make money with a botnet. Of course spam is another common way. Hacking is big business.

    --
    Qxe4
  7. Re:Two Trojans For Mac OS X Users by Phroggy · Score: 3, Interesting

    "This exploit is done via AppleScript and the Apple Remote Desktop Agent, which should hopefully give you some kind of hint as to why this particular issue is not going to be a problem on Linux."

    Dude, I could easily write a malicious Perl script that would run just fine on Linux, if I could just talk you into running it. You'd be able to see the source code, but unless you're a Perl expert, it wouldn't be at all obvious what it was doing. I wouldn't bother trying to get root access, because I don't need root access.

    I wrote this a few years ago. Can you see how it works?

    #!/usr/bin/perl

    use strict;
    use warnings;

    ($,,$",$_,@_)=reverse qw(164 163 165 112),",\n",split '','\ ';

    my $music='Art';
    my($swing,$rock)=q
    s/hacker/performer/; # another creator of art...
    my $blues=~/^.(\w+).*#\s(\w+)/;
    my $jazz=substr((grep m($music)=>qx($^X$,-v))[$[],$?,scalar @_);
    my $pop=eval qq("\\@_");

    print $pop, $rock, $jazz, $swing;
    print;

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
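Phroggy's point is that a script can be fully visible and still unreadable. The following is an added example, not code from the thread or from Phroggy: a small Python scanner (the category names and regexes are my own choices, and they are heuristics, not a Perl parser) that flags the constructs his script leans on, string eval, shelling out, reassignment of Perl's special variables, octal character data and an unusual quote delimiter, and reports the line each one sits on. It is run over the script as posted above and over a plain script that prints the same text, so a reviewer can see what a pre-execution check would surface.

```python
"""Heuristic scan of Perl source for constructs that hide what a script does.

Added example for the discussion above; not part of the original post.
The regexes are approximations chosen for this example, not a Perl parser.
"""
import re

# Each entry names one construct worth a second look before running the script.
SUSPICIOUS_PATTERNS = {
    # eval of a *string* (eval "...", eval qq(...)): code assembled at run time
    "eval_of_string": re.compile(r"\beval\s+(?:qq?\b|[\"'])"),
    # anything that runs an external command: qx(...), backticks, system(), exec()
    "shell_out": re.compile(r"\bqx\s*[(\[{<'\"/]|`[^`\n]*`|\bsystem\s*\(|\bexec\s*\("),
    # $^X is the path of the running perl binary, used to re-invoke the interpreter
    "perl_interpreter_path": re.compile(r"\$\^X"),
    # assigning to $, $" $; or $\ silently changes how later prints and joins behave
    "special_var_assignment": re.compile(r"(?:^|\()\s*\$[,\"\\;]", re.MULTILINE),
    # runs of three-digit octal numbers that are later turned into characters
    "octal_number_list": re.compile(r"\b(?:[0-7]{3}\s+){2,}[0-7]{3}\b"),
    # q/qq followed by whitespace and a letter: a letter is being used as the delimiter
    "odd_quote_delimiter": re.compile(r"\bqq?\s+[A-Za-z]"),
}


def scan_perl_source(source: str) -> dict:
    """Return {category: [line numbers]} for every construct found in `source`."""
    findings = {}
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        # Translate each match offset into a 1-based line number, deduplicated per line.
        lines = sorted({source.count("\n", 0, m.start()) + 1
                        for m in pattern.finditer(source)})
        if lines:
            findings[name] = lines
    return findings


def is_suspicious(source: str, min_categories: int = 2) -> bool:
    """Crude verdict: several independent tricks in one short script is a red flag."""
    return len(scan_perl_source(source)) >= min_categories


# The script from the post above, embedded verbatim as the scan input.
OBFUSCATED_SCRIPT = r"""#!/usr/bin/perl

use strict;
use warnings;

($,,$",$_,@_)=reverse qw(164 163 165 112),",\n",split '','\ ';

my $music='Art';
my($swing,$rock)=q
s/hacker/performer/; # another creator of art...
my $blues=~/^.(\w+).*#\s(\w+)/;
my $jazz=substr((grep m($music)=>qx($^X$,-v))[$[],$?,scalar @_);
my $pop=eval qq("\\@_");

print $pop, $rock, $jazz, $swing;
print;
"""

# Constructed control input: a plain script that prints the same message.
CLEAN_SCRIPT = '#!/usr/bin/perl\nuse strict;\nprint "Just another Perl hacker,\\n";\n'


if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED_SCRIPT), ("clean", CLEAN_SCRIPT)):
        report = scan_perl_source(src)
        print(f"{label}: suspicious={is_suspicious(src)}")
        for category, lines in report.items():
            print(f"  {category}: lines {lines}")
```

On the posted script the scanner reports all six categories, with the string eval on line 13, the shell-out and interpreter path on line 12, the special-variable and octal data on line 6 and the letter-delimited quote on line 9; the plain script produces no findings. A scanner like this only tells a reviewer where to look; to see what the flagged lines actually do, Perl's own B::Deparse module (`perl -MO=Deparse script.pl`) prints the parsed program with the quoting tricks resolved.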