Advanced Mac OS X rootkit tools released
Security researcher Dino Dai Zovi (of Pwn2Own fame) has released a suite of tools to demonstrate how to load an advanced rootkit on Mac OS X machines.
The tools were first discussed at this year's Black Hat security conference, where Dai Zovi presented techniques that manipulate the way the Mach micro-kernel uses RPC calls, including creating hidden system calls and creating kernel threads.
On his Trail of Bits blog, Dai Zovi released an inject-bundle tool that demonstrates the steps needed to use injected memory and threads to load a Mach-O bundle into another task. He also posted injectable bundles that demonstrate how to capture an image with the Mac's iSight camera, how to log instant messages from iChat, and how to log SSL traffic sent through Apple's Secure Transport API.
Dai Zovi's rootkit, dubbed Machiavelli, uses Mach RPC proxying so that Mach RPC calls can be transparently performed against a remote host.
Dai Zovi described the tools as "non-hostile proof of concept" code that is not suitable for use in actual rootkits or offensive tools.
Talkback
AHA!! This proves that OS X is immune
Aha!! This proves that OS X is immune to rootkits.
So, just so we can bask in your knowledge, MACH RPC is used to inject system calls, and what is done with injected packets.
Here's a clue, NZ, you have NO technical expertise at all, and you are NOT qualified to be offering your opinions on this or any other thread involving technical matters. This includes Windows oriented threads, BTW.
Dai Zovi made an interesting presentation re: MACH, modification of network kernel extensions, using vm_alloc(), thread_create(), and other MACH RPC calls to inject code into running processes, using MiG generated client RPC stubs, and using the Machiavelli kit to form an RPC bridge to allow tasks on two different machines to pass RPC bidirectionally. Importantly, the MACH kernel kits operate on the user layer, and as of yet do NOT allow for privilege escalation, and require local access to the machine.
Is this an issue? Yes, sure. Is it the beginning of a flood of OSX malware, as hinted at by the silly trolling from you and others on this thread (who, BTW, CLEARLY don't have enough technical knowledge or expertise to actually understand Dai Zovi's presentation, let alone provide commentary)?
The answer is an undeniable "no," but you would be incapable of following even a rudimentary summary of his presentation, let alone an explanation of why this is the case.
Too bad
Shazam
Stop the presses.
That's it?
Let me guess
exploit. Because you desperately wanted it to be so.
Of course OS X isn't immune. Nothing is.
'researcher', huh...
shoot for fame by hurting others.
Research implies that you discover something new and valuable to others - not that you take apart and try to destroy what others have built.
Releasing the destructive work so that criminals and other foolish youth can use it is no way to contribute in a real world.
Narr vi
Read for comprehension
They are researching new and valuable things -- they're finding holes that can be fixed; and often one proof of concept leads to other fixes.
They're not hurting anyone; they're helping secure our operating systems.
well, not really.
weaponize this 'crippled' version? Or copy its moves?
If it demonstrates the actionable opportunity, it has to disclose the way to use it.
I do admit to being tired of the self-aggrandizement, funny names, and power beards etc. of this group of young, besides their activities, and I will think more about whether to feel so is a flaw to be remedied.
Narr Vi
RE: Advanced Mac OS X rootkit tools released
Also this prove there is no such thing as an invulnerable system.
I really like the name...
Machiavelli"...
One of my favorite Chiantis is a "Machiavelli"....
It will be interesting to see if anything comes from this...
This is where all the MS Trolls get to worry about market share... LOL
hehe
"Here come the mac zealots/fanbois/eejits/fickwuts/tards" posts all with bated (or more accurately, bating) breath.
Oh grow up and wait for the real trolls to arrive ;-)
Tick...tick...tick...tick...
RE: Advanced Mac OS X rootkit tools released
In an unrelated story on the same page ...
"Ryan Naraine: Security researchers are raising an alarm for a potent malware cocktail -- backdoor Trojans and password stealers -- being pushed to Windows users from about 55,000 hacked Web sites"
'nuff said ...
RE: Advanced Mac OS X rootkit tools released
Funny
Windows and Macs were safe to use. The fans of both sides were lying in wait to see if the other side had even a hint of trouble and would erupt in a dance of finger pointing when anything whatsoever even seemed possible. Meanwhile, most of the regular users had long since lost interest in the other side's problems and went on with their lives.
RE: Advanced Mac OS X rootkit tools released
Cui Bono?
looking forward to hackers getting onto the Mac. Drool is dripping from my screen.
Dai Zovi is a gift from the Lord above, if he wasn't there you'd have to invent him. You'd have to pay someone to be him. Not saying somebody did. Sadly for most of these things, one Apple software update can wipe out these dreams in an instant.
The other observation is this: You don't need a rootkit to spread malware on the Mac, a simple program would do - add some social engineering ("Scarlett Naked!!"), spread via email, and done. No one expects this on the Mac so you'd easily find tens of thousands of gullible Mac users clicking on it. And unlike a rootkit, software updates would not help here.