Vulnerabilities / Threats
7/30/2009
04:59 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Black Hat: Mac OS X Rootkit Debuts

The development of a proof-of-concept rootkit for Mac OS X reinforces the fact that security concerns aren't just for Windows users.

At the Black Hat security conference on Wednesday, security researcher Dino Dai Zovi revealed a proof-of-concept rootkit that runs on Apple's Mac OS X operating system, underscoring the fact that all software has flaws.

Rootkit software is designed to covertly run code, typically malicious, on affected systems. It can be used to steal information or control a compromised system. Rootkits are typically installed by other malware.

Apple users have enjoyed a relatively malware-free existence, at least compared to Windows users, and Apple has made much of that fact in its television commercials. But there are holes to be found in Apple's software, too. There just aren't a lot of cybercriminals focused on a platform that's less than 10% of the market.

That's been changing slowly, with the spread of the OS X-based iPhone, and the popularity of iTunes among Windows users. Security vendors, eager to sell Mac users security software, suggest the situation is changing quickly.

Thanks to the work of Dai Zovi, author of The Mac Hacker's Handbook, and other security researchers focused on the Mac, like Charlie Miller, the vulnerabilities in Apple's software are better understood. In theory, such work makes computer users safer by encouraging companies to fix disclosed vulnerabilities.

Apple did not respond to a query about whether it had patched its software to block Dai Zovi's attack.

Dai Zovi's proof-of-concept rootkit is called Machiavelli, a reference to the Mach kernel that underpins Mac OS X.

"Machiavelli consists of a Mach proxy server on the local controlling host and a number of remote agent servers that run on remote compromised hosts," Dai Zovi explains in a technical paper that describes his work. "On the controlling host, rootkit management utilities obtain a proxy Mach port from the proxy server and use it just as a normal application would use a local Mach port."

With his presentation complete, Dai Zovi plans soon to release several Mac software tools related to his research on his Web site. These include: Inject Bundle, for data injection; iChatSpy, code for logging instant messages; SSLSpy, for logging SSL traffic; iSightSpy, for capturing a single frame from any Apple iSight camera; Machiavelli, for remotely controlling a compromised system; and Uncloak, a rootkit identification tool.

Black Hat is owned by TechWeb, which publishes InformationWeek.

InformationWeek Analytics has published an independent analysis on data-loss prevention. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.