Worm Claimed For Apple OS X
Posted by
kdawson
on Tue Jul 17, 2007 06:26 PM
from the apple-trees-have-roots-too dept.
SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."
Related Stories
Mac Worm Author Gets Death Threats 244 comments
StonyandCher write(s) to spread news about the strange story of the reported Apple OS X worm, which is growing stranger by the day. The blog of the researcher who claimed to have created the malware reportedly received death threats. The blog was then hijacked, according to the researcher, who calls him/herself InfoSec Sellout. InfoSec blamed David Maynor for hacking the blog. For his part, Maynor apparently unmasked himself as "LMH" and InfoSec as Jon Ramsey. The post to the Fuzzing mailing list has not been independently confirmed.
Update: 07/19 13:48 GMT by KD : David Maynor wrote in and denies that he is LMH.
IT: Worm Threat Forces Apple To Disable Software? 201 comments
SkiifGeek writes "After the debacle that surrounded the announcement and non-disclosure of a worm that targets OS X, the vulnerability in mDNSResponder may have forced Apple to remove support for certain mDNSResponder capabilities with the recently released Security Update 2007-007. 'Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to gain a denial of service or arbitrary code execution condition. Apple goes on to identify that the vulnerability that they are addressing exists within the support for UPnP IGD... and that an attacker can exploit the vulnerability through simply sending a crafted network packet across the network. With the crafted network packet triggering a buffer overflow, it passes control of the vulnerable system to the attacker. Rather than patching the vulnerability and retaining the capability, Apple has completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until vulnerabilities can be addressed).'"
worm in apple? (Score:4, Funny)
Re:worm in apple? (Score:5, Funny)
Re:worm in apple? (Score:4, Funny)
(http://dotpavan.googlepages.com/home)
Re:worm in apple? (Score:4, Funny)
That's not true... (Score:3, Funny)
Re:That's not true... (Score:5, Funny)
(http://kestas.kuliukas.com/)
- It doesn't exist in the wild; this is because of OS X's stunning security features
- This vulnerability was probably placed into the system by Jobs himself. If there were no vulnerabilities in OS X people would realize Jobs was supernatural, so he has to put one in there from time to time.
- This vulnerability is probably the last vulnerability in OS X. Once Apple fixes this there'll be no more
- Way, way more vulnerabilities are found in Windows and Windows products; this is because of OS X's breathtaking security features
- This is probably a bug in BSD or Mach code, or one of the recent Intel chip bugs, or a Microsoft employee infiltrated the Cupertino campus. It's not Apple's fault.
- Microsoft spends its entire R&D budget looking for these elusive Apple holes just as a way of discrediting Apple. If the real number of Microsoft and Linux vulnerabilities were actually disclosed there would be no comparison.
- Apple puts the occasional vulnerability in its system because they know that Microsoft blindly copies anything Apple does. If Apple puts one bug into their system they know Microsoft will put 10 bugs in theirs.
- Microsoft worms spread spambots and steal credit card information, Apple worms are just a misguided attempt of a loyal Apple fan to spread the good vibes and let the community know he cares. With Mac OS X only your unquestioning loyalty is contagious.
Such a breathtaking OS on a rock solid foundation with over 1 million configurations. Say hello to OS X Panda. Starting at $99. Small sentence. Reinvented.
Actually... (Score:5, Insightful)
(http://www.lkmc.ch/)
Here's an idea: Shut up, and let those who are interested in the article discuss it. Thanks.
*ahem* (Score:5, Insightful)
(http://www.mithral.com/~beberg/)
If by fully testing you mean "auctioning it to the highest bidder" then yea.
temporary work-around (Score:5, Informative)
sudo launchctl unload -w
Re:temporary work-around (Score:5, Informative)
also quite useless (Score:4, Insightful)
Isn't this kinda like working out a vulnerability in AppleTalk a month before they stopped using it?
Re:also quite useless (Score:4, Insightful)
Many of the major Windows worms and so forth target vulnerabilities which have already been fixed (and the fixes pushed out) months before. Not only will many not upgrade to Leopard, if the OS X userbase is similar to the Windows userbase (I'm not sure if it is, but still), many will simply not click the button to install the updates, and leave themselves vulnerable.
I question the ethics, and my legality (Score:4, Insightful)
Re:I question the ethics, and my legality (Score:5, Insightful)
Re:I question the ethics, and my legality (Score:5, Funny)
(http://www.walford.ca/)
I agree. We should also question the ethics of Theo de Raadt. After all, this guy published an exploit for OpenSSH. Who does this guy think he is? Hell, he should have given the problem to the developers of OpenSSH to fix it, not be out there releasing exploits and stuff.
Re:I question the ethics, and my legality (Score:5, Insightful)
(http://www.samkass.com/blog | Last Journal: Thursday May 12 2005, @02:40PM)
Re:I question the ethics, and my legality (Score:4, Insightful)
(http://rtfm.insomnia.org/~qg/ | Last Journal: Wednesday November 16 2005, @07:11AM)
Re:I question the ethics, and my legality (Score:4, Insightful)
Re:I question the ethics, and my legality (Score:4, Interesting)
(http://rtfm.insomnia.org/~qg/ | Last Journal: Wednesday November 16 2005, @07:11AM)
Apple and other software vendors have chosen a development model that maximizes their ability to hide defects in their software. If people are morally obliged to report any of the defects they independently find in the software then the vendor has no incentive to ensure the defects are found before the product hits the market. To put it another way, time to market is much more important to them than making a product free of defects. The only thing that motivates them to ensure their products are defect free is malware. As such, creation of malware actually *helps* to make the vendor take more responsibility for the defects in their product.
Re:I question the ethics, and my legality (Score:5, Insightful)
Maybe it shouldn't be. There are hundreds of
Neglecting to report a vulnerability is not remotely criminal, no matter how much you disagree with his motivation.
Re:I question the ethics, and my legality (Score:5, Insightful)
Tipping the scales? (Score:5, Insightful)
Re:Tipping the scales? (Score:5, Insightful)
(http://www.sff.net/people/Daniel.Dvorkin | Last Journal: Friday October 12, @01:42PM)
The author claims, "While it is nothing special compared to Windows based Malware it does prove a point -- Apple Computers are just as susceptible to Malware as Windows based ones." Oh, bullshit. The fact that this particular security vulnerability exists does not mean that OS X is just as much a wide-open target as Windows is.
In the "Classic" MacOS days, there was a fair amount of Mac malware -- never as much as in the PC world, of course, but plenty of it running around. Since OS X became the standard, this hasn't happened. The "vulnerability through popularity" argument just doesn't hold up to this fact.
Windows affected? (Score:5, Interesting)
Controversy? (Score:1)
Can this travel via "broader network segment"? (Score:2, Interesting)
It's my understanding that the daemon in question works only on the LAN and is part of Bonjour/Rendezvous/Zeroconf/Avahi.... if this is the case, assuming a decent firewall, aren't you only vulnerable within your own local network?
Re:Can this travel via "broader network segment"? (Score:5, Interesting)
Sure, get infected on the school's lab LAN. Bring your iBook oops MacBook to the coffee shop and get everyone else there. They all go home and infect their room-mate's machines. Who go to a different lab and it gets loose on the LAN there.
Most laptops aren't isolated to a single LAN these days; they move around. If there really is a flaw in mDNSResponder, then such a worm does have a chance to propagate. Especially if it is subtle and doesn't crash or overload machines, or do insane amounts of network I/O, or any of the other things that cause people to think something's wrong.
Okay... let me get this straight... (Score:5, Insightful)
(Last Journal: Friday March 26 2004, @02:46PM)
Somebody writes a worm for OSX that works across a specific test network (of which we have no clue as to settings, layout, patch levels, etc etc), and it's really, really, really big news. Media orgs around the planet sound the klaxon, and (nearly) everyone gets all hyper-ventilated. Claims of "OSX is just as vulnerable!!!1111!!" will fly off the pages.
Meanwhile, the next near-periodic iteration of MSFT-specific malware in-the-wild will get not so much as a grunt outside of security circles (such as SANS ISC and F-Secure's blog as ferinstances). It will likely subvert 40x as many victims in its first hour, and the media won't say so much as 'boo' about it.
Perspective (at least outside of security and some geek circles)? Never heard of it.
Re:Okay... let me get this straight... (Score:5, Insightful)
(http://www.brainwrap.com/)
Major difference. In fact, every Mac user I know expects a "true" virus or two to show up for OS X sooner or later, but what of it? So the ratio will go from a bazillion to zero to a bazillion to one or two.
Apple has roughly a 2.5% worldwide market share--wake me when they have anywhere close to 2.5% as many viruses as Windows and I'll start being overly concerned.
Re:Okay... let me get this straight... (Score:4, Insightful)
(http://pyile.com/ | Last Journal: Tuesday December 19 2006, @01:33PM)
Is mDNS even routable? (Score:5, Interesting)
(http://www.foobarsoft.com/)
It's a bug, it's a problem, but it's no Blaster by a long shot.
Re:Is mDNS even routable? (Score:5, Insightful)
Re:Is mDNS even routable? (Score:5, Informative)
(http://127.21.29.13/index.html)
mDNS/bonjour/zeroconf detects if a packet has crossed a router by setting the originating TTL to 255. If a multicast packet crosses a router, the TTL is supposed to be decremented, and zeroconf is supposed to ignore the packet as it is no longer considered local. Many suppositions there, as implementations vary.
Worse, starting with a TTL of 255 means that the packets will be able to go anywhere on the internet where multicast packets can get routed. Better protected carriers will drop multicast packets with TTLs greater than 64 or 128, specifically to limit mDNS/zeroconf traffic while allowing reasonable traffic to flow. Most ISPs don't have the technical competence to deal with multicast, so they just block it, which will limit any spread of an mDNS worm.
However, just because mDNS/zeroconf will ignore packets with TTL less than 255, doesn't mean that a buffer overflow bug isn't being treated by the protocol stack. Take a wait and see attitude on this disclosure, as it appears to be an extortion attempt rather than something from legitimate sources.
the AC
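The link-local admission check described in the comment above, as an added example that is not code from the thread or from Apple's mDNSResponder. The check is done on packet metadata before a single byte of DNS payload is parsed, which is the point the comment raises: a TTL test only helps if it runs ahead of the parser. The `pkt_meta` struct, the 10.0.1.0/24 "on-link" prefix and the sample packets are assumptions constructed for the demonstration.

```c
/* Added example, not mDNSResponder code: admit or drop an mDNS datagram on
 * IP/UDP metadata before handing its payload to any parser.  The struct
 * layout, the 10.0.1.0/24 local prefix and the sample cases are assumed. */
#include <stdint.h>
#include <stdio.h>

#define MDNS_TTL_REQUIRED 255u          /* RFC 6762 §11: senders use TTL 255 */
#define MDNS_PORT         5353u
#define DNS_HEADER_LEN    12u

enum mdns_verdict {
    MDNS_ACCEPT = 0,
    MDNS_DROP_PORT,       /* not addressed to 5353 */
    MDNS_DROP_SHORT,      /* shorter than a DNS header, nothing to parse */
    MDNS_DROP_TTL,        /* TTL != 255: a router has decremented it */
    MDNS_DROP_NOT_LOCAL   /* source outside the interface's on-link prefix */
};

struct pkt_meta {
    uint32_t src_ip;      /* host byte order */
    uint16_t dst_port;
    uint8_t  ttl;
    uint16_t udp_len;     /* DNS payload length in bytes */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Every test here reads fixed-size header fields only; the payload is not
 * touched, so a malformed DNS message cannot reach any parser from here. */
enum mdns_verdict mdns_admit(const struct pkt_meta *m,
                             uint32_t local_net, uint32_t local_mask)
{
    if (m->dst_port != MDNS_PORT)
        return MDNS_DROP_PORT;
    if (m->udp_len < DNS_HEADER_LEN)
        return MDNS_DROP_SHORT;
    /* A packet that crossed a router arrives with TTL <= 254. */
    if (m->ttl != MDNS_TTL_REQUIRED)
        return MDNS_DROP_TTL;
    /* TTL 255 only proves the sender is on this link; also require that the
     * source claims an address inside the interface's own prefix.  Note that
     * a host on the same L2 segment can still spoof this, so the check
     * bounds the attacker to the link rather than eliminating it. */
    if ((m->src_ip & local_mask) != (local_net & local_mask))
        return MDNS_DROP_NOT_LOCAL;
    return MDNS_ACCEPT;
}

/* Convenience wrapper with the assumed 10.0.1.0/24 interface prefix. */
enum mdns_verdict mdns_admit_simple(uint32_t src_ip, uint8_t ttl, uint16_t udp_len)
{
    struct pkt_meta m = { src_ip, MDNS_PORT, ttl, udp_len };
    return mdns_admit(&m, ip4(10, 0, 1, 0), 0xFFFFFF00u);
}

int main(void)
{
    static const char *names[] = { "ACCEPT", "DROP_PORT", "DROP_SHORT",
                                   "DROP_TTL", "DROP_NOT_LOCAL" };
    /* Constructed cases: on-link sender, routed sender, off-prefix sender. */
    printf("10.0.1.7 ttl 255: %s\n", names[mdns_admit_simple(ip4(10, 0, 1, 7), 255, 40)]);
    printf("10.0.1.7 ttl 254: %s\n", names[mdns_admit_simple(ip4(10, 0, 1, 7), 254, 40)]);
    printf("10.0.2.7 ttl 255: %s\n", names[mdns_admit_simple(ip4(10, 0, 2, 7), 255, 40)]);
    printf("10.0.1.7 8 bytes: %s\n", names[mdns_admit_simple(ip4(10, 0, 1, 7), 255, 8)]);
    return 0;
}
```

The ordering matters: the size check precedes everything that would later index into the payload, and the TTL and prefix checks precede the parser, so a crafted message from beyond the router is discarded without ever reaching the code that has the bug.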
Local network only - depends on mDNS (Score:4, Interesting)
(http://codemines.blogspot.com/ | Last Journal: Tuesday March 28 2006, @06:33PM)
Market share? (Score:3, Insightful)
Who's paying him? (Score:2)
(http://slashdot.org/)
They're the ones who challenged Joanna Rutkowska about her bluepill (see the "Hi Joanna" quote on the blog), and have had contact with infosec sellout in the past.
3 known exploits.... (Score:2)
Root Account Disabled... (Score:1)
Re:Root Account Disabled... (Score:4, Informative)
(http://www.hansprestige.com/ | Last Journal: Friday September 14, @04:25PM)
Have mDNSresponder run without root privileges (Score:5, Informative)
(http://www.userfriendly.org/static)
% sudo launchctl unload
% sudo chown nobody:wheel
% sudo chmod 4750
% sudo launchctl load
If someone wants an explanation of what the above commands accomplish, please read further.
1. launchctl is used to unload and load the mDNSResponder daemon.
2. We change the owner of the mDNSResponder to nobody and ensure that wheel is the group. The group is used to ensure that members of the wheel group may launch mDNSResponder and not other users of the system (with the exception of root and anything else running as nobody.)
3. We change the permissions of the mDNSResponder program to be setuid nobody. This means that mDNSResponder will run as nobody and only be able to affect files owned by that account or by files it may happen to have write privileges against.
BS alarm (Score:1, Troll)
Right.
1500 Test stations? (Score:5, Insightful)
Blog posting strange (Score:2)
Funny name... (Score:2, Funny)
(Last Journal: Monday November 28 2005, @09:58PM)
"Hi, I'm an apple..urrgh"
"unf unf unf"
Well it would be an interesting ad I guess.
as predicted (Score:1)
(http://www.nawcom.com/)
mines was on mDNS. $500 in the bank biatches.
Not funny or good (Score:2)
Dear Apple Inc (Score:3, Interesting)
(http://www.tehsprawl.net/)
I went to his site (Score:1)
How did this make the front page?
I felt this was worthy of its own post instead of being buried in the comments section. Everyone DIGG this so that the world can see how crazy some of these Apple Fanboys are.
EVERYONE LIKE ME! I AM TEH COOLEST! I AM TEH... BULLSHITTER!
Meh!
qz
From what I know... (Score:2)
If you have Adobe Version Cue CS3 then the Bonjour for Windows service is automatically installed, as it is used in that particular program and required for some of the functionality.
Is this "undisclosed vulnerability" in the Windows version as well? If so, a lot of production companies that use Version Cue may be in trouble as well.
Wow (Score:4, Funny)
(Last Journal: Tuesday August 08 2006, @03:45PM)
This just in (Score:3, Funny)
(Last Journal: Monday June 02 2003, @07:32AM)
A Disguised Sales Pitch? (Score:1)
Covered in shit? (Score:4, Insightful)
(http://www.apptree.net/)
"I'm not going to use Mac because while it may be clean now, I could get covered in shit at any time!"
"But you're already covered in shit".
"Errr... yes. But I'm sorta used to it..."
10.4.10 (Score:4, Interesting)
(http://www.djahz.com/)
Re:10.4.10 (Score:4, Interesting)
CVE-ID: CVE-2007-2386
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
A remote attacker may be able to cause a denial of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.
mDNSResponder is OSS, not? (Score:3, Interesting)
(http://www.van-steenbeek.net/)
Anyone knows if this might provide a way to write a FreeBSD worm?
I love... (Score:1)
"Are you sure you want to install this virus"?
The first virus for Mac OS X has been discovered (Score:1)
Apple vs. Windows (Score:1)
Worm for OS X (Score:1)
Hey, be nice now! (Score:4, Funny)
Re:rape.osx is fitting (Score:2)
(http://www.miscz.pl/)
It doesn't (Score:4, Interesting)
Re:Apple Coded (Score:5, Informative)
(http://pyile.com/ | Last Journal: Tuesday December 19 2006, @01:33PM)
Re:rape.osx is fitting (Score:3, Interesting)
Re:rape.osx is fitting (Score:4, Insightful)
(http://theravensnest.org/ | Last Journal: Sunday October 07, @07:05AM)
Re:pfft (Score:5, Insightful)
Re:Apple Coded (Score:2)
(http://jo-ham.com/)
Re:But I don't understand... (Score:2)
(http://66.249.93.104/ | Last Journal: Monday November 20 2006, @09:27AM)
Take ActiveX as one of the main examples: it enables you to do some tricks easily because you can run executable code from a browser, but the security for it sucks (as evidenced by the number of patches/security updates that were always being released for it a few years ago). A proper developer would try to design a system that was first of all secure, and then build the cool features from that solid base, rather than design a system that lets you do whatever you want, then try to tack on security as an afterthought. It's sickening how much MS is getting away with. I'm not saying that you're wrong to bash mac fanbois (I like Macs, have done since I used them as a kid in the 80s, but most of the fanbois have only been around since the iMac/iPod I guess), but I have no doubt that OSX is more secure than Windows - how could it not be? Maybe a silly attitude since I don't know much about BSD, or what Apple changed to make the OS more user friendly (maybe they added in something equivalent to ActiveX that gives nice fancy features but poor security?), but I find it hard to believe that any recent OS could be worse than the mess that is Windows. And I hope there never will be...
Re:Surprise, sur-bloody-prise (Score:2, Informative)
The code for mDNSResponder is open source [apple.com] already (under an Apache 2.0 license).
Enjoy [apple.com].
Closed source software like Sendmail and PHP? (Score:4, Interesting)
(http://www.scarydevil.com/~peter/ | Last Journal: Monday September 26 2005, @06:53PM)
The biggest UNIX webserver security holes are due to PHP.
The biggest problem is not "closed" vs "open" source. It's design. Is the API secure (that is, if the implementation is perfect, would the resulting system be perfectly secure)? Does the API fail "open" or "closed"? Is there a mechanism to request trusted access from *outside* the trusted domain? If so, is that enabled by default?
If the answers are "yes", "closed", "no", and "no" then you may have built a secure system.
Surprise, surprise, there's a lot of open source software that isn't secure by that standard, including the much-lauded Firefox. Now don't get me wrong, the surface area Firefox's XPI and the XPI install mechanism exposes to attack is like the radar signature of a stealth fighter, where Internet Explorer's "insecurity" zones and ActiveX give it the radar signature of a flock of 747s, but it's not necessary for either exposure to exist at all.
Open Source doesn't create secure systems. It's a hell of a mitigating factor, yes, but the real source of long-lasting security holes (and we don't know if this is one or not, because the soi-disant "researcher" responsible isn't being open about the vulnerability he's found) is insecure design and a preference for patching particular attack vectors rather than fixing the insecure design. And that isn't limited to closed source systems.