Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [botnets] re MAC trojan (fwd)
From: reepex <reepex () gmail com>
Date: Thu, 1 Nov 2007 22:35:54 -0500

seriously dude wtf ... have you even put any research or thought into this
topic? All you have done is paste other peoples sayings, links, and research
and spam them to mailing lists to get your name on this topic just like the
sendmail, solaris ftp, vnc, and every other bug that comes out.

Get a fucking life and learn how to do your own research. Why do you even
partake in the lists - we could easily replace you with a bot that forwards
mails between lists and then we would have to read your (stolen) crap all
the time.

On Nov 1, 2007 7:55 PM, Gadi Evron <ge () linuxbox org> wrote:

There have been many threads on this subject, but I believe this post
below covers what some of us are trying to say on why this issue is
significant.

Obviously some people are far more articulate than me.


---------- Forwarded message ----------
Date: Thu, 1 Nov 2007 16:47:17 -0400
From: PinkFreud <pf-botnets () mirkwood net>
To: Gary Flynn <flynngn () jmu edu>
Cc: botnets () whitestar linuxbox org
Subject: Re: [botnets] re MAC trojan

To report a botnet PRIVATELY please email: c2report () isotf org
----------
[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]


I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple.  As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.

As Gadi mentioned, there are a number of known issues that Apple has
yet to address.  If the professional malware authors are now taking aim
at Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather
worrisome:

::: Interspace System Department
Relax. MAC users are not that stupid as MS users...

Are you a Mac user?  If so, you just proved yourself wrong with that
statement.  :)</flame>

Users are users, and their knowledge of computers varies greatly from
one to the next.  I've supported a number of Mac users who tend to be
clueless when it comes to computers, and I've supported Mac users who
know quite a bit about the machines they use.  Like any Windows or *nix
user, Mac users can - and will - fall prey to this kind of scheme.

Again, the trojan is not what's important here.  The fact that it was
written for Macs is particularly noteworthy, however.


::: Jeremy Chatfield
InfoSec is there to make sure that I can run my business, not as an end
in
itself. It *prevents* profit making activity by having effort expended
on
internal needs. So if the Mac hasn't *needed* higher level of security
hoops, previously, that's good. So long as weaknesses are fixed *when
needed*, I'm a happy bunny. If there's a Day Zero attack that hits a
Mac,
I'll be disappointed, but it's not a uniquely Mac situation to be in...
If
the failure was an obvious weakness, I'm actually still pretty sanguine,
because it hasn't yet been exploited, despite being "well known".

Security issues should be fixed as soon as feasable, not 'when needed'.
If all security vulnerabilities were fixed 'when needed', the malware
authors would be having a field day (which, of course, implies they're
not already... hmmmm.).

Apple has a history of badly-written software.  As far as recent
examples go, take a look at tar and rsync on Tiger (10.4) - they've
been modified to support extended attributes like ACLs and resource
forks, and they're quite broken - extended attribute support introduces
a serious memory leak.

If that doesn't quite hit home, you can get a further idea of how their
software is written by taking a look at the man page for sharing(1), on
OS X Server (for those of you without access to OS X Server, take a
look at

http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html
).  Pay particular attention to the description for the -s, -g, and -i
options - do their developers (or tech writers) know the difference
between AND and OR?  :)



On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:
This is nothing more than simple downloadable malware exacerbated
somewhat by permissive configuration settings. It exploits no
security defects.

As I understand it, the operator is given multiple opportunities
to refuse the program:

http://www.jmu.edu/computing/security/#macmalware

(I'm only subscribed to the archive so I apologize if this
  has been already pointed out or already proven incorrect
  today)

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
_______________________________________________
To report a botnet PRIVATELY please email: c2report () isotf org
All list and server information are public and available to law
enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault