Trojan via iChat?
#1
Posted 16 February 2006 - 16:34
#2
Posted 16 February 2006 - 16:58
...and most likely some sort of trojan. I read about it this afternoon, but decided it was just hot air and panic-mongering, which is why I didn't write about it.
Bwahahaha, I'm a virus, I've come to knock OSX flat on its back!
If you enter the admin password every time you're asked for it without knowing why, then by all means call it a virus... I'd call it luser ignorance/stupidity.
It's as if you wrote a script that wrecks the system, gave it to a friend and said: you know, this script "adds this/does that/etc.", just enter the root/admin password - and guess what happens when you run a suitably crafted script.
[ Added: 2006-02-16, 17:02 ]
Besides, who enters the admin password when opening a jpeg! That alone says something...
#3
Posted 16 February 2006 - 17:22
#4
Posted 16 February 2006 - 17:27
I suggest something like this: this text explains a lot about how Mac security works, what is an application and what is a script, etc. (I know it will need translating, any volunteers?!):
A file called "latestpics.tgz" was posted on a Mac rumors web site http://www.macrumors.com/ , claiming to be pictures of "MacOS X Leopard" (an upcoming version of MacOS X, aka "MacOS X 10.5"). It is actually a Trojan (or arguably, a very non-virulent virus). We'll call it "Oompa-Loompa" (aka "OSX/Oomp-A") for reasons that will become obvious.
Unless you work for an anti-virus company, please don't email/message me asking for a copy of this trojan. It's not going to happen.
You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for most users, you must also enter your Admin password.
You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.
A few important points
-- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)
-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system
-- It requires the admin password if you're not running as an admin user
-- It doesn't actually do anything other than attempt to propagate itself via iChat
-- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching
-- It's not particularly sophisticated
To be on the safe side...
DO NOT DOWNLOAD OR RUN THIS FILE
When unarchived (it is a gzip-compressed tar file), which can be done by simply double-clicking on the file, it appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.
After it's been unzipped, tar will tell you there are two files in the archive:
._latestpics
latestpics
...the ._latestpics is just the resource fork of the file, which contains the pasted in custom icon meant to fool people into double-clicking on it to (in theory) open the JPEG file for viewing. In actuality, double-clicking on it will launch an executable file.
The file "latestpics" is actually a PowerPC-compiled executable program, with routines such as:
_infect:
_infectApps:
_installHooks:
_copySelf:
Here's what it does if a user double-clicks on the file, or otherwise executes it:
1) It copies itself to /tmp as "latestpics"
2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip'd copy, then sets custom icon bit for the new file in /tmp
3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
4) It renames itself from "latestpics.tar.gz" to "latestpics.tgz" then deletes the copied "latestpics" executable from /tmp
--This gives it a pristine copy of itself, for later transmission.--
5) It extracts an Input Manager called "apphook.bundle" that is embedded in the macho executable, and copies it to /tmp
6a) If your uid = 0 (you're root), it creates /Library/InputManagers/ , deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder
6b) If your uid != 0 (you're not root), it creates ~/Library/InputManagers/ , deletes any existing "apphook" bundle in that folder, and copies "apphook" from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed "apphook" Input Manager automatically into its address space
--This allows it to have the code in the "apphook.bundle" injected into any subsequently launched application via the InputManager mechanism--
8a) When an application is subsequently launched, the "apphook.bundle" Input Manager then appears to try to send the pristine "latestpics.tgz" file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats).
8b) (It looks like the author intended to get it to send the "latestpics.tgz" file out via eMail as well, but never got around to writing that code)
--This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally--
9) It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
10) In an apparent "Charlie and the Chocolate Factory" reference, it then checks to see if the xattr 'oompa' of the application executable is > 0... if so, it bails out, to prevent it from re-infecting an already infected application
11) If not, it sets the xattr 'oompa' of the application executable to be 'loompa' (this does nothing, it is just a marker that it has infected this app)
12) It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan
--It has thus effectively injected its code in the host application--
13) When an infected application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate itself to other applications
14) It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory... see below)
15) Due to a bug in its code for executing the original app from its resource fork (it is only allocating a buffer 4 bytes bigger than the path when appending "/..namedfork/rsrc" to the path), it will stop any app it infects from running. Instead of adding the length of the string, it errantly adds the length of the pointer to the string, which is always 4 bytes.
In the end, it doesn't appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running
It seems that this is more of a "proof of concept" implementation that could be utilized to actually do something in the future, depending on how successful it is, or it was simply done to garner attention/press. Which I'm sure it'll get.
.....
The executable itself has a number of interesting things embedded into various macho segments, including an entire Input Manager bundle called "apphook" (stored as "latestpics_hook.tar"); the string data is "protected" with a simple XOR to prevent easy reading of what it's doing. It's definitely trying to mask what it is doing in a number of ways, but is relatively simplistic in nature.
If you are a programmer, attached is the disassembly of the executable (it's just a plain text file) for your reading pleasure. This is just the main executable portion of the code, not the embedded "apphook" InputManager code.
>>> source <<< and further discussion on the subject, interesting
#5
Posted 16 February 2006 - 21:48
...in other words, Heidi's oft-repeated advice about having several users on your machine and not working on the admin account has yet another justification.
#7
Posted 17 February 2006 - 17:30
#8
Posted 18 February 2006 - 01:25
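An added illustration (not part of the quoted analysis or the trojan's code) of the allocation bug in step 15 of the write-up: the buggy size computation, sizeof(pointer) instead of strlen(suffix), beside the correct construction of the resource-fork path. The sample application path is constructed; the buggy function only computes the size, it never performs the overflowing write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Suffix that addresses a file's resource fork on HFS+ (quoted in the write-up). */
#define RSRC_SUFFIX "/..namedfork/rsrc"

/* The buggy sizing: strlen(path) plus sizeof(a pointer). With `suffix` declared
 * as a char *, sizeof(suffix) is the pointer width (4 on the 32-bit PowerPC
 * target the write-up describes, 8 on a 64-bit host), not the 18 bytes
 * (17 characters plus NUL) that the suffix actually occupies. */
size_t buggy_alloc_size(const char *path) {
    const char *suffix = RSRC_SUFFIX;
    return strlen(path) + sizeof(suffix);
}

/* What the call actually needs: path + suffix + terminating NUL. */
size_t required_size(const char *path) {
    return strlen(path) + strlen(RSRC_SUFFIX) + 1;
}

/* Bytes the buggy allocation falls short by; a strcat into such a block writes
 * this far past its end (18 - sizeof(char *): 14 on PPC32, 10 on a 64-bit host). */
size_t overflow_bytes(const char *path) {
    size_t need = required_size(path), got = buggy_alloc_size(path);
    return need > got ? need - got : 0;
}

/* Correct construction: size from the string lengths and bound the write with
 * snprintf, so the result is valid for any path length. Caller frees. */
char *rsrc_fork_path(const char *path) {
    size_t n = required_size(path);
    char *buf = malloc(n);
    if (buf == NULL) return NULL;
    snprintf(buf, n, "%s%s", path, RSRC_SUFFIX);
    return buf;
}

int main(void) {
    /* Constructed sample path; not taken from any real infection. */
    const char *app = "/Applications/Example.app/Contents/MacOS/Example";
    char *p = rsrc_fork_path(app);
    printf("resource fork path: %s\n", p);
    printf("buggy size %zu, required %zu, short by %zu bytes\n",
           buggy_alloc_size(app), required_size(app), overflow_bytes(app));
    free(p);
    return 0;
}
```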
http://www.versiontr...fo/macosx/29175
"A simple AppleScript front-end to Terminal actions that change the permissions on the user InputManagers folder to root only. This should prevent Leap-A (a.k.a. "Oompa Loompa") malware and its derivatives from installing. Released free under the GPL. Source code available."
#9
Posted 18 February 2006 - 02:44