Malware Evolution: Mac OS X Vulnerabilities 2005 – 2006

This article looks at vulnerabilities detected in MacOS X in the first half of 2006. It compares these vulnerabilities to those detected in the first half of 2005, providing an overview of the evolution of threats targeting this increasingly popular platform.

The Apple Macintosh is becoming more and more popular. However, recent reports on Mac security have caused extensive discussion among security professionals. Those who have expressed concern about the increasing number of vulnerabilities detected in Mac OS X have been accused of overreacting. The other side of the coin is that those who do not take this viewpoint are accused of being lacking in common sense. This article examines several aspects of the recent evolution of threats for Max OS X in order to help readers understand the ongoing debate, how secure Macs really are and how secure they will remain.

I believe that out-of-the box machines running under Mac OS X are more secure than those running under other platforms. The Mac OS X *nix-like security model is, by default, configured to protect the system against threats common to other platforms where this kind of security and configuration is not standard. It could well be said that from the start, Mac OS X was designed with security in mind. However, although this approach seems to leave far less security flaws that can be exploited, assuming that there are no security issues at all is quite dangerous. Like any other platform, Mac OS X has software flaws. Such flaws inevitably draw the attention of malicious users, especially if users don’t think they need to take action to protect against possible threats.

One interesting aspect of the vulnerabilities identified is the components in which they are present. The number of vulnerabilities identified in components where remote attacks are possible increased in comparison to the same period last year. This clearly demonstrates that possible attack vectors are receiving more and more attention.

Statistics

Figure 1: A comparison for the number of vulnerabilities in MacOS X and related products for the first half (January – May) of 2005, first half of 2006
For instance, the number of vulnerabilities identified in the operating system kernel and related components is less than in 2005. However, the number of vulnerabilities affecting Safari and the Mail application – which can be used to conduct an attack via the Internet – has increased. The same is true for QuickTime, which was a popular subject for security researchers during the first half of 2006.

The graph above also includes a series of vulnerabilities found in third party products which run on MacOS X. This category includes applications which are installed by default on the operating system but which are not MacOS X-specific. For instance, several vulnerabilities were identified in Sun’s Java VM during this period, and these affect all operating systems capable of running Sun Java – not just MacOS X.

Interestingly, the number of core vulnerabilities in the MacOS X kernel (Mach) and related components / libraries has decreased compared to 2005. Still, a number of critical vulnerabilities have been found. The most popular was probably the local ‘passwd’ exploit (a zero day based exploit) reported on 03.02.06, which was used to hack the system of Dave Schroeder during the “rm-my-mac” competition.

Mac Malware

Malicious programs targeting Mac OS X are relatively uncommon. The Mac community was surprised when on February 13, 2006, the first worm for Mac OS X appeared. The worm was named OSX/Leap.A. Leap is an Instant Messaging (IM) worm which is also capable of infecting MacOS X applications. However, due to a bug in the virus code, infected programs will no longer run.

The worm was first spotted on the MacRumors (http://forums.macrumors.com/) forums, on the evening on Feb 13th, 2006. The original message read “Alleged screenshots of OS 10.5 Leopard”, an obvious attempt to lure unsuspecting users into running the malicious code.

The worm uses Apple’s IM application “iChat” to spread. Alternative ways of entering a system include the download and direct execution of the worm code by the user or by running an infected application from a remote location. Because the worm is not able to infect a system automatically, it has also been called a “Trojan”, although that is not entirely correct. A Trojan is unable to replicate, whereas “Leap.a” is.

The worm spreads in the form of a TAR.GZ archive named “latestpics.tgz”. If the user unpacks the archive (either using the command line tool ‘tar’ or by double-clicking it in Finder), s/he is presented with what seems to be a JPEG file:

In reality, this is a PowerPC executable, as it can be seen from the Finder “Get Info” dialogue:

The “latestpics” executable is a command line application and because of that, it will open a terminal window when run.

There have been some reports saying that at this point, if run by a normal user, the operating system will ask for administrative rights. In our tests, this didn’t happen – the worm execution proceeded in the same way as it would if run from an account with admin rights. However, it will only be able to infect applications to which the current user is allowed to write.

Next, the worm will extract an InputManager plugin from its main body, called “apphook”. If the current user is an admin, it will copy this plugin into the “Library/InputManagers” folder. If the current user is not an admin, it will copy it to the user’s “~/Library/InputManagers” folder. The difference between these two operations is that the InputManagers plugins from the root “/Library” folder will be loaded in applications run by all users while in the second case, it will only be loaded in the applications run by the current user.

The “apphook” plugin is the worm component responsible for replication via IM. It attempts to hook certain iChat functions and it will send a copy of the worm body to the user’s buddies, using the same method as “Buddies -> Send File”.

After installing the “apphook” plugin, the main worm code will continue with the infection of local applications. It will use “Spotlight” to search for a list of the most commonly used applications and it will attempt to infect them. The infection routine is very simple: Leap overwrites the main executable with its code while saving the original application code in a resource fork.

When an infected application is run, the main worm code will run, and it will attempt to propagate as described above. Leap will also attempt to execute the original application; however, this will not happen due to a bug in the worm’s code. This means that infected applications stop working – a very obvious sign of the infection.

Finally, it appears that the author of the worm was planning to add an email replication function. However, this was not finished before the code appeared on the MacRumors forum. Except for corrupting applications during infection (which seems to be unintentional), there is no sign of any other damaging payload in the worm’s code.

On 18 February, 2006, another MacOS X worm appeared. Inqtana spreads via Bluetooth and propagates by sending an Object Exchange (OBEX) Push data transfer request to the potential victim machine. If the user accepts the request, the worm exploits a Bluetooth File and Object Exchange Directory Traversal vulnerability to gain access to locations outside the Bluetooth File and Object Exchange service path.

The worm drops two files, named com.openbundle.plist and com.pwned.plist to the LaunchAgents directory to ensure that it will be launched automatically when the victim machine is rebooted. w0rm-support.tgz, which contains the worm components, is dropped to /Users/.

Once the operating system has been restarted, com.openbundle.plist unpacks the worm components and com.pwned.plist executes the worm main binary. Inqtana than attempts to replicate by scanning for devices which have Bluetooth enabled. It will then send itself to any devices found that support Object Exchange (OBEX) Push requests.

It was later discovered that Inqtana was written by the security researcher Kevin Finisterre, who created the worm as a proof of concept.

On 21 February, two zero-day exploits targeting MacOS X appeared, Exploit.OSX.Safari.a was discovered by Michael Lehn, and Exploit.OSX.ScriptEx.a. was discovered by Kevin Finisterre (the author of Inqtana). Both exploits received extensive coverage within the IT media.

Exploit.OSX.Safari is an exploit which targets Apple’s web browser “Safari”. Due to a certain feature in Safari, it’s possible to create certain types of ZIP files which, when they are downloaded from the Internet, will result in code being executed. This vulnerability was patched in Apple Security Update 2006-001.

Exploit.OSX.ScriptEx.a is an exploit for a vulnerability in the Apple Mail application for Mac OS X. It is triggered if a specially-crafted attachment is sent via email. The vulnerability itself is a buffer overflow which can be triggered when the Real Name component of the MIME Encapsulated Macintosh file is parsed. A careful choice of Real Name size and content can lead to arbitrary code being executed, which can then be used to install a Trojan or other malware on the victim machine. It can also be used to take total control of the victim machine. This issue was fixed by the Apple Security Update 2006-002.

On 19 April, Tom Ferris, a security researcher, disclosed another six zero-day vulnerabilities which would enable a remote malicious user to crash or hijack the victim machine.

Conclusion

Overall, malware has evolved enormously over the last couple of years. In the past, most authors of malicious code were seeking a place in the headlines. Today, they are looking for financial gain. Apple’s small share of the global personal computer market has, until now, protected Macs from the unwanted attention of malware authors. However, as Apple systems become more popular, this will change; once critical mass is reached, more malware will undoubtedly start to appear. Even though malware like IM-Worm.OSX.Leap.a and Worm.OSX.Inqtana.A and exploits like Exploit.OSX.Safari.a and Exploit.OSX.Script-Ex were all proof of concept code, and had no obvious malicious payload, these proof of concept programs showed that Mac OS X does contain security flaws, and that these can be used to compromise the system.

Whether the proof of concept code covered in this article will be used for financial gain in the near future remains to be seen. History, however, shows that once vulnerabilties are identified, malware writers are never far behind.

References:

Source: Kaspersky Lab and VirusList.com