Archive for the ‘OS X’ Category

Drag and Drop

This is unfortunate for business, and a worrying attack vector. The Mac App Store was easily bypassed and cracked by this simple drag-and-drop process. Evidently, you’ll find it marked ‘Installed’ when you open the app.

Please be reminded that ‘deceptive packaging’ takes advantage of legitimate software and application packaging to obscure the possible execution of malicious code; this gives an attacker a good opportunity.

iThreats ‘Home’

Welcome 2011! I’m pleased to share iThreats ‘Home’. This is a library of sources discussing the latest trends, publications, research work and analysis surrounding Apple security.

Let’s be reminded of the fundamental principle of digital security introduced by Bruce Schneier: “Security is a process, not a product”. Lack of awareness and complacency can be dangerous. Thus, greater discussion and awareness is better: it promotes understanding and identification of threats, and shows how response helps protect our data, systems and digital life.

This website is made on a Mac, so I recommend using Safari + QuickTime (Apple Download). For Mac, iPhone, and iPad users, the website theme provides a smooth browsing experience.

Keep an eye out for updates!

Just a note…

September 16, 2010 1 comment

The RAT for Mac ‘Hellraiser 4.2’ will soon be released as v.4.4; this version will include webcam support. An interesting note published in a hacking forum mentions selling it: “Will be Selling the updated 4.4 Version for 15$ (that comes with TeamViewer Setup)”.

Other updates recently released by DCHKG (an active member of the Underground Mac Programming Team) are:

* Brutal Gift 5.0b9 : READ ME – brute-force cracker.
* MotherWEB 1.8 : READ ME – utility to retrieve a list of URLs.
* heirophant 4.3 : READ ME – network utility composed of five useful modules that can be run simultaneously: scan, nmap, telnet, ping, flood, web.
* mema 4.0 : READ ME – powerful, fast, and destructive mail-bomber built for Mac OS X.

Related post: RAT for Mac

Another interesting work is lose/lose, the video game with real-life consequences, which the author designed for an art project and showcased in an exhibit (as shown in the picture below).

I assume the long printed list contains the names and slaughtered-alien scores, which basically are Mac users who have just deleted random files from their Macs.


Related post: Have you played Lose/Lose?

iOS Security Updates

iPod, iPhone and iPad users MUST immediately apply the security updates.

Visit Apple Security Updates for details.



iPhone and iPod

Why is it important?

This will protect you from the in-the-wild drive-by download attack!

JailBreakMe by comex (et al.) demonstrated a serious security hole that allows users to jailbreak their iOS devices simply by visiting a website and/or tapping a link. This security hole is very dangerous: just by browsing the web, users could be exposed to abusive sites that may harvest their credentials and information.

How does it work?

Safari browser loads a crafted PDF that exploits the following vulnerabilities:

First, it is triggered by an unrecognized font in the Compact Font Format (CFF, Type 1C), which causes the second exploit code to execute. This vulnerability is referred to as CVE-2010-1797.

<</Subtype /Type1C

Second, a value too large for the integer data type to handle (see the example IOSurface property list below) results in execution of malicious code that escalates from user to system or root privilege.

This vulnerability is referred as CVE-2010-2973.

So, an attacker entices a targeted user to open a URL. Upon opening the URL in Safari, the PDF file is automatically parsed and exploitation occurs. The file may also arrive as an email attachment.
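As an added illustration (not code from the original post or from the jailbreak's authors), the following Python triage script flags PDFs that embed a Type1C (CFF) font program, the stream type the crafted PDF relies on, so such files can be set aside for inspection before they reach a user; it assumes a simple object layout without nested dictionaries and runs on a constructed sample PDF.

```python
import re
import zlib

# One PDF indirect object carrying a stream: "N G obj << dict >> stream ... endstream".
# Assumption for this example: the stream dictionary has no nested "<< >>" and the
# stream data starts on the line after the "stream" keyword, as most writers emit it.
OBJ_WITH_STREAM = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<([^>]*)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)
FONT_SUBTYPES = (b"Type1C", b"CIDFontType0C", b"OpenType")  # FontFile3 subtypes


def embedded_font_streams(pdf_bytes):
    """Return (object number, subtype, decoded length) for each embedded font
    program stream; Type1C (CFF) is the kind the crafted jailbreak PDF used."""
    found = []
    for m in OBJ_WITH_STREAM.finditer(pdf_bytes):
        objnum, stream_dict, data = int(m.group(1)), m.group(2), m.group(3)
        subtype = re.search(rb"/Subtype\s*/(\w+)", stream_dict)
        if subtype is None or subtype.group(1) not in FONT_SUBTYPES:
            continue
        if b"/FlateDecode" in stream_dict:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                data = b""  # undecodable font stream: still reported, length 0
        found.append((objnum, subtype.group(1).decode("ascii"), len(data)))
    return found


def has_embedded_cff(pdf_bytes):
    """Triage flag: does this PDF carry any Type1C (CFF) font program?"""
    return any(sub == "Type1C" for _, sub, _ in embedded_font_streams(pdf_bytes))


# Constructed sample: a minimal PDF skeleton with one FlateDecode'd Type1C font
# stream (the payload bytes are filler, not a real CFF font) and one plain stream.
FONT_DATA = zlib.compress(b"\x01\x00\x04\x01" + b"\x00" * 60)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Subtype /Type1C /Filter /FlateDecode /Length "
    + str(len(FONT_DATA)).encode() + b" >>\nstream\n" + FONT_DATA + b"\nendstream\nendobj\n"
    b"6 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(embedded_font_streams(SAMPLE_PDF), has_embedded_cff(SAMPLE_PDF))
```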

Stay safe!

Recommended reading:

iPhone 4 / iPad: The Keys Out Of Prison by Axelle Apvrille

Technical Analysis on iPhone Jailbreaking by Matt Oh

0day: Apple Safari AutoFill


Jeremiah Grossman has discovered a weakness in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information.

The weakness is caused by the AutoFill feature being enabled by default to use information from the personal address book card. This can be exploited to secretly disclose personal information from the personal address book card when a user visits a specially crafted web page.

The weakness is confirmed in Safari version 5.0. Other versions may also be affected.

Impact : Exposure of sensitive information

Reference : Secunia Advisory SA40664

Disable the AutoFill feature for address book card information.

How? Open Safari’s preferences (press Command-comma, ⌘,) and uncheck the AutoFill web forms option for address book card information.

Further reading:

PoC :

Personal information exposed? It depends on the data; here’s my browser result.

About Mac OS X v10.6.4 ‘XProtect’ Update

Pob of SophosLabs found this interesting update; please read the blog post Updated XProtect protects against OSX.HellRTS.

The Apple Mac OS X Snow Leopard anti-malware signature file ‘XProtect.plist’ has a new definition detecting “OSX.HellRTS” in the latest Security Update 2010-004 / Mac OS X v10.6.4.

XProtect.plist is stored inside the Resources folder of a bundle called CoreTypes.bundle.

CoreTypes.bundle contains specifications that allow Mac OS X to uniquely identify data types, file formats, associated icons and UTIs (Uniform Type Identifiers), as defined in its Info.plist file.

In this update (Mac OS X v10.6.4), there are two major updates to the Mac OS X detection features (Quarantine and Anti-Malware):

1) Safari extensions (.safariextz) are now risk-assessed as unsafe, which triggers the Mac OS X quarantine feature and displays the warning “..Are you sure you want to open it?”.

This assessment is reflected in an XML file called System, which contains risk definitions for certain file types and extensions. The risk assessment has 3 categories:


As shown below, Safari extensions (.safariextz) were added under the LSRiskCategoryUnsafeExecutable key.

Apple recently released Safari 5 with support for browser extensions, and this security update makes sure that nothing gets executed without a warning.

System file location:


2) The Mac OS X anti-malware signature file “XProtect.plist” now includes detection for the HellRaiser version 4.2 server application.

There are 3 definitions for OSX.HellRaiser. As highlighted in the screenshot above, they detect 2 components, namely rbframework.dylib and RBShell.rbx_0.129.dylib, and search for defined hex strings matching the HellRaiser server’s auto-launch (login item) command.

The latest XProtect.plist time stamp suggests that it was updated on the 24th of April, just a couple of days after the discovery of the HellRaiser 4.2 server in the wild. Unfortunately, it seems that it had to wait for the combo update released on the 15th of June.

XProtect.plist location:


Btw, it is important to note that this security feature cannot detect the server once it is already running in the background.
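To make the matching mechanism concrete, here is an added example (not Apple’s code or the blog’s) that loads a definition in the XProtect.plist layout as I understand it and checks an in-memory bundle against it; the file names are the two from the post, but the hex patterns, the bundle contents and the all-matches-must-hit rule are assumptions made for the example.

```python
import plistlib

# Constructed definition in the XProtect.plist layout as I understand it for 10.6:
# a list of dicts with Description, LaunchServices and Matches, each match naming a
# file in the bundle plus a hex byte pattern. Patterns here are made up, NOT Apple's.
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
  <key>Description</key><string>OSX.HellRTS.A</string>
  <key>LaunchServices</key><dict>
    <key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
  <key>Matches</key><array>
    <dict><key>MatchFile</key><dict><key>NSURLNameKey</key><string>rbframework.dylib</string></dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>6C6F67696E6974656D73</string></dict>
    <dict><key>MatchFile</key><dict><key>NSURLNameKey</key><string>RBShell.rbx_0.129.dylib</string></dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>5242536865</string></dict>
  </array>
</dict></array></plist>"""


def load_definitions(plist_bytes):
    """Parse an XProtect.plist blob into its list of definition dicts."""
    return plistlib.loads(plist_bytes)


def _hit(match, bundle_files):
    """True if a file with the wanted name exists in the bundle and holds the pattern."""
    wanted = match["MatchFile"].get("NSURLNameKey")
    pattern = bytes.fromhex(match["Pattern"])
    return any(path.rsplit("/", 1)[-1] == wanted and pattern in data
               for path, data in bundle_files.items())


def scan_bundle(bundle_files, definitions):
    """bundle_files maps paths inside one bundle to their bytes. Returns the
    Description of each definition whose Matches all hit (assumption: every listed
    match must be satisfied; a definition without matches never fires)."""
    return [d["Description"] for d in definitions
            if d.get("Matches") and all(_hit(m, bundle_files) for m in d["Matches"])]


# Constructed bundles: a clean app, and one carrying both HellRaiser components
# with the (made-up) auto-launch strings the patterns above look for.
CLEAN_BUNDLE = {"Contents/MacOS/MyApp": b"\xcf\xfa\xed\xfe clean binary"}
INFECTED_BUNDLE = {
    "Contents/MacOS/rbframework.dylib": b"\xcf\xfa\xed\xfe add login item: loginitems",
    "Contents/MacOS/RBShell.rbx_0.129.dylib": b"\xcf\xfa\xed\xfe RBShell plugin",
}

if __name__ == "__main__":
    defs = load_definitions(SAMPLE_XPROTECT)
    print(scan_bundle(INFECTED_BUNDLE, defs), scan_bundle(CLEAN_BUNDLE, defs))
```

Because every match must hit, a bundle that ships only one of the two dylibs is not flagged, which is one reason signature updates like this one lag behind repackaged variants.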
Have a nice weekend!

“PremierOpinion” Spyware Now in Mac OS X

From Intego’s security advisory today:


Malware: OSX/OpinionSpy

Risk: High

Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia.

Who’s PremierOpinion?

PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.


So, who’s the partner?

“PremierOpinion” Mac OS X spyware is distributed by 7art-screensavers and published at this link:

The Intego blog published a detailed list of “PremierOpinion” Mac OS X spyware [here].

There are 48 screensaver Mac OS X apps from this source, and they come in two different packages.

How to spot “PremierOpinion” Mac OS X Spyware?

1. It uses the IzPack (“Package once. Deploy everywhere.”) software installer generator. You’ll notice from a package inspection (control-click the application and choose ‘Show Package Contents’ from the pop-up menu) that the icons are different: one is 7art’s while the other is izpack.icns.

2. IzPack-generated installers are Java Archive (.JAR) files.

3. The 7art screen saver installation does NOT require the root password, while the PremierOpinion-sponsored free software or application does. Why? Because it installs spyware, which tracks and monitors users’ browsing behaviour, scans and gathers information from the disk and sends it back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.

4. The spyware installs software without the user’s consent or notification. It is often bundled with another clean application to mislead users about its true purpose and gain access to the user’s system. So, in this case, even if you click “Cancel”, the IzPack installer will still continue with two pop-up screens: 1) the PremierOpinion survey (screenshot) and 2) the 7art screen saver installation (screenshot).
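The package-inspection checks above can be scripted. This is an added example, not anything from 7art, PremierOpinion, IzPack or Intego: it walks an .app bundle for the IzPack indicators (izpack.icns and a Java archive installer), assumes IzPack’s classes sit under com/izforge/izpack/ inside the jar, and builds a constructed look-alike bundle to run against.

```python
import os
import plistlib
import tempfile
import zipfile

# Heuristics from the points above: an IzPack-generated installer is a Java archive,
# and the bundle ships izpack.icns instead of the app's own icon. Assumption for this
# example: IzPack's classes live under com/izforge/izpack/ inside the jar.
IZPACK_CLASS_PREFIX = "com/izforge/izpack/"

def inspect_bundle(app_path):
    """Walk an .app bundle and report IzPack-style installer indicators."""
    report = {"icon_file": None, "izpack_icon": False, "jars": [], "izpack_jars": []}
    info_plist = os.path.join(app_path, "Contents", "Info.plist")
    if os.path.exists(info_plist):
        with open(info_plist, "rb") as fh:
            report["icon_file"] = plistlib.load(fh).get("CFBundleIconFile")
    for root, _, files in os.walk(app_path):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, app_path)
            if name.lower() == "izpack.icns":
                report["izpack_icon"] = True
            if name.lower().endswith(".jar") and zipfile.is_zipfile(path):
                report["jars"].append(rel)
                with zipfile.ZipFile(path) as jar:
                    if any(n.startswith(IZPACK_CLASS_PREFIX) for n in jar.namelist()):
                        report["izpack_jars"].append(rel)
    report["suspicious"] = report["izpack_icon"] or bool(report["izpack_jars"])
    return report

def make_sample_bundle(base_dir, izpack):
    """Constructed look-alike bundle (not the real 7art or PremierOpinion files):
    izpack=True mimics the sponsored package, izpack=False a plain Java app."""
    app = os.path.join(base_dir, "Sample.app")
    res = os.path.join(app, "Contents", "Resources")
    os.makedirs(res)
    icon = "izpack.icns" if izpack else "Sample.icns"
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIconFile": icon}, fh)
    open(os.path.join(res, icon), "wb").close()
    entry = (IZPACK_CLASS_PREFIX if izpack else "com/example/") + "Main.class"
    with zipfile.ZipFile(os.path.join(res, "installer.jar"), "w") as jar:
        jar.writestr(entry, b"\xca\xfe\xba\xbe")  # fake class file, magic only
    return app

def inspect_sample(izpack):
    # Build the sample bundle in a throwaway directory and inspect it.
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_bundle(make_sample_bundle(tmp, izpack))
```

Run `inspect_bundle("/Applications/Some Screensaver.app")` against a downloaded bundle to see the same report for a real package.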

“Package once. Deploy everywhere.”

This sneaky Mac OS X threat could be bundled and distributed anywhere on the internet.

Be cautious and stay safe!

Threat Info FYI

File Name: poinstaller
File Type: Mach-O executable i386
File Size: 470,352 bytes
Threat Type: Backdoor, Downloader, Sniffer, Stealer
Installation Requirement: root
Remote Activity: Installation of other threats
Remote Download File: Rule14.xml
Remote Download:

Package Name:
File Name: PermissionResearch
File Type: Mach-O executable i386
File Size: 4.1 MB

Resource Package Name:
File Name: InjectCode
File Type: Mach-O executable i386 / Mach-O 64-bit executable x86_64
File Size: 34,088 bytes

Resource Package Name: macmeterhk.bundle
File Name: macmeterhk
File Type: Mach-O executable i386 / Mach-O 64-bit executable x86_64
File Size: 894,836 bytes