Archive for April, 2010

RAT for Mac

RAT for Mac?

With so many RATs (Remote Administration Tools) available for Windows, people wonder whether there is a good and useful RAT for Mac as well.

The search and discussion about this topic go on and on; at one point an online poll favored continuing the development.

A useful description of RATs that work in OS X can be found here.

The most recently updated development is HellRaiser version 4.2, coded by DCHKG, an underground Mac programming team.

HellRaiser includes a configuration component, where the remote controller can specify the server parameters.

The server component is the application distributed to the target OS X user. It requires manual execution to install and to enable the server to run in the background (hidden from the Dock). Once that succeeds, the server component (or the slave) reports back to the master.

This is the same version that Intego recently discovered in the wild, disguised as an iPhoto installer.

How would I know if the HellRaiser server is installed/running?

Option 1: Open Network Utility and Activity Monitor (both in /Applications/Utilities/), look for the process, and kill it.

Option 2: Open Terminal and type lsof -i (this lists running processes and their matching network/internet connections). Look for a dubious process name and internet connection, take note of the PID, and in Terminal type kill -9 <PID> (this kills the process).
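The manual review in option 2 can be narrowed with a small filter. The script below is an added example, not part of the original post: it reads lsof -i -n -P output and lists only TCP sockets that are listening or connected and whose process name is not in an allowlist. The allowlist, the process name "exampled", and the addresses and port in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added example: triage `lsof -i` output as described in option 2.
# ALLOW is a hypothetical allowlist of process names you expect to see.
# lsof truncates COMMAND to 9 characters by default, so list names that way.
ALLOW="Safari mDNSRespo"

# Reads `lsof -i -n -P` output on stdin and prints "PID COMMAND STATE NAME"
# for each TCP socket in LISTEN or ESTABLISHED state whose command is not
# allowlisted. Nothing is killed; the output is a list to review by hand.
flag_sockets() {
    awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $8 != "TCP" { next }                       # also skips the header row
        $10 != "(LISTEN)" && $10 != "(ESTABLISHED)" { next }
        ($1 in ok) { next }                        # expected process, ignore
        { print $2, $1, $10, $9 }
    ' | sort -u
}

# Constructed sample of `lsof -i -n -P` output (not captured from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari    312 alice  23u  IPv4 0x0a1b      0t0  TCP 192.168.1.10:49512->203.0.113.7:80 (ESTABLISHED)
mDNSRespo  45 _mdns   8u  IPv4 0x0a1c      0t0  UDP *:5353
exampled  871 alice   5u  IPv4 0x0a1d      0t0  TCP *:12345 (LISTEN)
exampled  871 alice   6u  IPv4 0x0a1e      0t0  TCP 192.168.1.10:12345->198.51.100.9:50211 (ESTABLISHED)
EOF
}

# "live" inspects this machine; the default runs against the sample above.
case "${1:-demo}" in
    live) lsof -i -n -P | flag_sockets ;;
    demo) sample_lsof | flag_sockets ;;
esac
```

Run it with the argument live to inspect the local machine. An unexpected listener or outbound connection in the output is a candidate for the kill -9 <PID> step, after confirming what the process is.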

If you’re using a Mac security scanner, now is the best time to check for a signature update! (Most vendors detect this as OSX HellRTS.)


A vulnerability has been reported in Apple Mac OS X, which can be
exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an indexing error in Apple Type
Services within the “TType1ParsingContext::SpecialEncoding()” method
in libFontParser.dylib when parsing embedded fonts. This can be
exploited to corrupt memory e.g. via a specially crafted PDF file
opened in Preview.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in Mac OS X Server 10.5, Mac OS X 10.5,
Mac OS X 10.6, and Mac OS X Server 10.6.

Apply Security Update 2010-003.


Reference: CVE-2010-1120

Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Charlie Miller during a Pwn2Own competition at CanSecWest 2010.