How to Remove Starfield

1) Kill the running process.

Using Spotlight, open Activity Monitor, filter by searching for starfieldUpdate and click Quit Process. Then search for offSyncService and click Quit Process.

If using Terminal, you may run the following commands:

killall -9 offSyncService
killall -9 starfieldUpdate


2) Delete Starfield internet plugins and components.

Using Terminal, you may run the following commands:

rm -rf ~/Library/Internet\ Plug-Ins/WbeTools64_14.plugin
rm -rf ~/Library/Internet\ Plug-Ins/fileEditTool64_15.plugin
rm -rf ~/Library/Preferences/com.starfield.update.plist
rm -rf ~/Library/Application\ Support/Mozilla/Extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/wbepaste\@starfield
rm -rf ~/Library/Application\ Support/Mozilla/Extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/zoomext\@starfield
rm -rf ~/Library/Application\ Support/Starfield/

3) Removing the following files requires the root password.

Using Terminal, type sudo su and authenticate, then continue:

rm -rf /Library/LaunchDaemons/com.starfield.backupservice.plist
rm -rf /Library/offsync
rm -rf /Applications/WBE\ Desktop\ Notifier.App
rm -rf /Applications/DesktopTools.App
rm -rf /Applications/Starfield
rm -rf /install.sh


These instructions remove all traces of Starfield. Stay safe!

Note: If you find the Starfield application useful, you may keep ‘WBE Desktop Notifier.App’ and ‘DesktopTools.App’.
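An added example (not from the original post, and not Starfield's code): a Python checker for the artifact paths listed in the three steps above. It reports which of them exist and deletes them only when asked, skipping the system-wide ones unless it runs as root. The path lists are taken from the commands above; the user/system split mirrors steps 2 and 3.

```python
import os
import shutil
from pathlib import Path

# Artifact paths transcribed from the removal steps above: USER ones are relative
# to the home directory, SYSTEM ones to / and need root to delete.
FF_EXT = "Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"
USER_ARTIFACTS = [
    "Library/Internet Plug-Ins/WbeTools64_14.plugin",
    "Library/Internet Plug-Ins/fileEditTool64_15.plugin",
    "Library/Preferences/com.starfield.update.plist",
    FF_EXT + "/wbepaste@starfield",
    FF_EXT + "/zoomext@starfield",
    "Library/Application Support/Starfield",
]
SYSTEM_ARTIFACTS = [
    "Library/LaunchDaemons/com.starfield.backupservice.plist",
    "Library/offsync",
    "Applications/WBE Desktop Notifier.App",
    "Applications/DesktopTools.App",
    "Applications/Starfield",
    "install.sh",
]

def find_artifacts(home, root="/"):
    """Return the Starfield artifacts present on disk as (scope, path) pairs."""
    found = []
    for scope, base, rels in (("user", home, USER_ARTIFACTS),
                              ("system", root, SYSTEM_ARTIFACTS)):
        for rel in rels:
            p = Path(base) / rel
            if p.is_symlink() or p.exists():  # is_symlink also catches dangling links
                found.append((scope, str(p)))
    return found

def remove_artifacts(found, dry_run=True):
    """Delete the listed artifacts; return the paths handled (only reported when
    dry_run). System-scope items are skipped unless running as root."""
    handled = []
    for scope, path in found:
        if scope == "system" and os.geteuid() != 0:
            continue  # rerun under sudo for these
        if not dry_run:
            p = Path(path)
            if p.is_dir() and not p.is_symlink():
                shutil.rmtree(p)
            else:
                p.unlink()
        handled.append(path)
    return handled
```

Run find_artifacts(Path.home()) first to review what is present, then pass the result to remove_artifacts with dry_run=False (once as the user, once under sudo) to delete it.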

Analysis of OSX Starfield

When you download an application or installer from a legitimate website, you establish a level of trust, expecting not to be tricked or deceived.

Distribution:

The installer is distributed by Starfield, a technology and research branch of the Go Daddy Group. If you are a Go Daddy user, once logged in, this tool is available in the tools section as:

1) Desktop Notified Installer

2) a “Web-Based Email Tools plugin”, which promises to enable image paste.

It’s possible that this installer is also distributed elsewhere.

When you download the installer, you’ll notice two things:

1) It tells you to “Double-click to Install”.

2) It is not the installer itself; instead it is a shortcut link.

Why?

It is a social engineering trick: it attempts to trigger the user’s immediate impulse to respond to a command or instruction.

Let’s check the permissions using Terminal:

$ ls -al /Volumes/install
total 8
drwxr-xr-x  7 test  staff  306 23 Dec 03:50 .
drwxrwxrwt@ 6 root  admin  204 12 Jan 23:42 ..
drwxr-xr-x  2 test  staff   68 23 Dec 03:50 .Trashes
lrwxr-xr-x  1 test  staff   20 23 Dec 03:49 Double-click to Install -> StarfieldInstall.app
drwxr-xr-x@ 3 test  staff  102 23 Dec 03:49 StarfieldInstall.app

The application is effectively hidden, which discourages the user from inspecting the package. Back in Terminal, run these commands to show hidden files:

$ defaults write com.apple.finder AppleShowAllFiles TRUE
$ killall Finder

Installation: what happens when you ‘double-click’ it? You’ll notice that it requires root privileges.

At this stage it is already too late, because even if you discard or cancel the authorization, the tricky ‘StarfieldInstall.app’ has already installed itself as follows:

1) It creates a ‘Starfield’ folder in the Applications directory. In this folder, you’ll find a copy of itself and an update component:

/Applications/Starfield/StarfieldInstall.app
/Applications/Starfield/starfieldupdate.app

2) It is set to run at login by adding ‘starfieldupdate’ to the Login Items.

3) It is always running in the background:

$ lsof -c Starfield
COMMAND   PID USER   FD     TYPE     DEVICE  SIZE/OFF    NODE NAME
Starfield 221 test  cwd      DIR       14,2      1394       2 /
Starfield 221 test  txt      REG       14,2     93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test  txt      REG       14,2   1064960 2655251 /private/var/folders/ur/urE9xwfCE+a922ltbYjezk+++TU/-Caches-/com.apple.LaunchServices-025504.csstore
Starfield 221 test  txt      REG       14,2   1054960   25052 /usr/lib/dyld
Starfield 221 test  txt      REG       14,2 206983168 2609511 /private/var/db/dyld/dyld_shared_cache_i386
Starfield 221 test    0r     CHR        3,2       0t0     297 /dev/null
Starfield 221 test    1     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    2     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    3r     REG       14,2       163   42178 /private/etc/security/audit_control
Starfield 221 test    4u  KQUEUE                              count=1, state=0x2
Starfield 221 test    5r     REG       14,2     93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test   66r     REG       14,2       611   42177 /private/etc/security/audit_class

So, when you think it’s gone, it isn’t, because ‘StarfieldInstall’ sleeps and activates again to request your password. It will keep annoying you with repeated requests until it gets authorized.

On a side note, ‘StarfieldUpdate.app’ gathers the following information:
  • OS version and CPU Type
  • Local user
  • Previous installation
  • Starfield installation component versions

And performs the following:

  • Checks the user’s privilege on the system: whether the user is an admin or can be elevated to admin.
  • StarfieldInstall launches ‘starfieldupdate.app’, which is kept in the background.
  • ‘starfieldupdate.app’ is responsible for the initial installation (first run) and for updates.
  • The initial installation paths of Starfield are:
    /Applications/Starfield
    /Library/Application Support/Starfield
    /Library/Internet Plug-ins/
    /Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
  • Dumps a log of its activity, especially the installation. Notice the name ‘starfield’ in the ~/Library/Logs/ folder:


Launch.cpp(18): Launching /Applications/Starfield/StarfieldUpdate.app runme
StarfieldInstall.cpp(862): Starting v1.0.4.9 with command: -psn_0_1011959
StarfieldInstall.cpp(879): OS Version 10.6 x86
StarfieldInstall.cpp(880): Local user test (test)
StarfieldInstall.cpp(881): User can become administrator.
StarfieldUpdate.cpp(90): Starting v1.0.3.3 with command: -psn_0_1007862
StarfieldUpdate.cpp(119): launchargs runme
StarfieldUpdate.cpp(144): Local user test
StarfieldUpdate.cpp(145): User can become administrator.
StarfieldUpdate.cpp(162): Launching /Applications/Starfield/StarfieldInstall.app
Launch.cpp(18): Launching /Applications/Starfield/StarfieldInstall.app

Payload:

The payload is mainly handled by ‘StarfieldInstall.app’. When the user enters the password, the installation continues by sending an HTTP request to the server as follows:

GET /moduleinfo HTTP/1.1
User-Agent: StarfieldInstall/1.0
Host: na.secureserver.net
Accept: *.*

‘Moduleinfo’ is JSON text which ‘StarfieldInstall.app’ parses, evaluating the content of the JSON string. For example, it reads and evaluates which package is appropriate for the user: Windows or Mac.


{ "win" :

, "mac" :

It also evaluates the installation requirements, for example:

, "mac" :
[ { "file" : "StarfieldInstall.App"
, "version" : 4
, "source" : "starfieldinstall.zip"
, "app" : "*"
, "type" : "util"
, "adminRequired" : false
, "osMin" : [10,4]
}

‘StarfieldInstall’ checks these requirements, defined in the JSON file ‘moduleinfo’, before it downloads, extracts and runs the latest package, resulting in the installation of the following:

starfieldinstall.zip
starfieldupdate.zip
fileedittool64.plugin.zip
fileedittool.zip
WBETools14.plugin
wbetools64.zip
copypaste.xpi
zoomext.xpi
offdavhelper_mac4.zip
offdavhelper_mac.zip
offsettings.bundle.zip
wbesettings.bundle.zip
drivemapreconnect.zip
backupstatus.zip
offsync_mac.zip
desktoptools.zip
wbedesktopnotifier.zip
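As an added example that is not part of the original post or of the installer’s code, here is a Python model of the requirement check the text describes: it parses a constructed moduleinfo document in the shape of the fragment above and decides which mac packages would be fetched on a given host. The field semantics (osMin compared element-wise against the host version, adminRequired weighed against the user’s privilege, version against what is already installed) are assumptions inferred from the fragment, and the module names, versions and archive pairings in the sample are made up.

```python
import json

# Constructed moduleinfo sample in the shape of the fragment above; the page's
# fragment is not complete JSON, and the versions, flags and the pairing of
# module names with archives here are made up for illustration.
MODULEINFO = """
{ "win": [],
  "mac": [
    { "file": "StarfieldInstall.App", "version": 4, "source": "starfieldinstall.zip",
      "app": "*", "type": "util", "adminRequired": false, "osMin": [10,4] },
    { "file": "OffSyncService", "version": 2, "source": "offsync_mac.zip",
      "app": "*", "type": "service", "adminRequired": true, "osMin": [10,5] },
    { "file": "NewerTool", "version": 1, "source": "newertool.zip",
      "app": "*", "type": "util", "adminRequired": false, "osMin": [10,7] }
  ]
}
"""

def eligible_modules(moduleinfo_text, platform, os_version, installed, can_admin):
    """Model of the installer's requirement check (assumed semantics, not
    Starfield's own code). Returns (fetch, skipped):
      fetch   - (file, source, adminRequired) for modules the host qualifies for
      skipped - (file, reason) for the rest
    osMin is compared element-wise with the host (major, minor) version;
    installed maps file -> version already on disk."""
    info = json.loads(moduleinfo_text)
    fetch, skipped = [], []
    for m in info.get(platform, []):
        if tuple(m["osMin"]) > tuple(os_version):
            skipped.append((m["file"], "osMin not met"))
        elif m["adminRequired"] and not can_admin:
            skipped.append((m["file"], "adminRequired"))
        elif installed.get(m["file"], -1) >= m["version"]:
            skipped.append((m["file"], "up to date"))
        else:
            fetch.append((m["file"], m["source"], m["adminRequired"]))
    return fetch, skipped
```

Feeding it the log’s host facts (OS 10.6, a user who can become administrator) shows which entries a host would pull; the same model flags the entries that get installed without any root password at all.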

So far we have 17 files here, and 4 of them do not require the root password. It is important to note that ‘StarfieldUpdate.app’ is always running in the background and launches ‘StarfieldInstall.app’ to perform the following:

– Evaluating JSON text ‘moduleinfo’ for update

– Download and installation of latest versions

– Discovery of products installed

– Running privileged shell command

It installs two Firefox extensions and plugins, which are persistent, meaning you can’t just click ‘uninstall’ to remove them. In Firefox, click Tools and Add-ons to view the installed Extensions and Plugins as shown below:

Another notable process created is ‘OffSyncService’, which is always running in the background.

In conclusion, this is a nasty and abusive application that performs remote activities and installs unwanted plugins and applications without user consent. It is bloatware and a backdoor.

Drag and Drop

This is unfortunate for business, and a worrying attack vector. The Mac App Store was easily bypassed and cracked by this simple drag-and-drop process. Evidently, you’ll find it ‘Installed’ when you open the app.

Please be reminded that ‘deceptive packaging’ takes advantage of legitimate software and application packaging to obscure the possible execution of malicious code; this gives an attacker a good opportunity.

iThreats ‘Home’

Welcome 2011! I’m pleased to share iThreats ‘Home’. This is a library of sources discussing the latest trends, publications, research work and analysis surrounding Apple security.

Let’s be reminded of the fundamental principle of digital security introduced by Bruce Schneier: “Security is a process, not a product”. Lack of awareness and complacency can be dangerous. Thus, broader discussion and awareness are better: they promote understanding, identification and response, which help protect our data, systems and digital life.

This website was made on a Mac, so I recommend using Safari + QuickTime (Apple download). For Mac, iPhone and iPad users, the website theme provides a smooth browsing experience.

Keep an eye out for updates!

Just a note…

September 16, 2010

The RAT for Mac ‘Hellraiser 4.2’ will soon release v4.4; this version will include webcam support. An interesting note published in a hacking forum mentions selling it: “Will be Selling the updated 4.4 Version for 15$ (that comes with TeamViewer Setup)”.

Other updates recently released by DCHKG (an active member of the Underground Mac Programming Team) are:

* Brutal Gift 5.0b9: brute force cracker.
* MotherWEB 1.8: utility to retrieve a list of URLs.
* heirophant 4.3: network utility composed of five useful modules that can be run simultaneously: scan, nmap, telnet, ping, flood, web.
* mema 4.0: a powerful, fast and destructive mail-bomber built for Mac OS X.

Related post: RAT for Mac

Another interesting work is lose/lose, the video game with real-life consequences, which the author designed for an art project and showcased in an exhibit (as shown in the picture below).

I assume the long printed list is the names and slaughtered-alien scores, which basically are Mac users who have just deleted random files from their Macs.

Site: http://www.loselose.net/

Related post: Have you played Lose/Lose?

iOS Security Updates

iPod, iPhone and iPad users MUST immediately apply the security updates.

Visit Apple Security Updates for details.

Reference:

iPad http://support.apple.com/kb/HT4291;

iPhone and iPod http://support.apple.com/kb/HT4292

Why is it important?

It protects you from an in-the-wild drive-by download attack!

JailBreakMe by comex (et al.) demonstrated a serious security hole that allows users to jailbreak their iOS devices simply by visiting a website and/or tapping a link. This hole is very dangerous: just by browsing the web, users could be exposed to abusive sites that may harvest their credentials and information.

How does it work?

The Safari browser loads a crafted PDF that exploits the following vulnerabilities:

First, it is triggered by an unrecognized font, Compact Font Format (CFF) Type 1C, which causes the second exploit code to execute. This vulnerability is referred to as CVE-2010-1797.

<</Subtype /Type1C

Second, a value too large for the integer data type to handle (refer to the IOSurface property list example below) results in the execution of malicious code, running as the user and escalating to system or root privilege.

This vulnerability is referred to as CVE-2010-2973.

So, an attacker entices a targeted user to open a URL. Upon opening the URL in Safari, the PDF file is automatically parsed and exploitation occurs. The file may also arrive as an email attachment.

Stay safe!

Recommended reading:

iPhone 4 / iPad: The Keys Out Of Prison by Axelle Apvrille

Technical Analysis on iPhone Jailbreaking by Matt Oh

0day: Apple Safari AutoFill

Description

Jeremiah Grossman has discovered a weakness in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information.

The weakness is caused by the AutoFill feature being enabled by default to use information from the personal address book card. This can be exploited to secretly disclose personal information from the address book card when a user visits a specially crafted web page.

The weakness is confirmed in Safari version 5.0. Other versions may also be affected.

Impact: Exposure of sensitive information

Reference: Secunia Advisory SA40664

Solution
Disable the AutoFill feature for address book card information.

How? Open Safari preferences (press Command-comma, ⌘,) and uncheck the AutoFill web form option.

Further reading:

http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html

PoC : http://ha.ckers.org/weird/safari_autofill.html

Is personal information exposed? It depends on the data; here’s my browser result.