Full Disclosure mailing list archives

rubilyn-0.0.1.tar.gz - Mac OS X rootkit
From: Levent Kayan <levon.kayan () gmail com>
Date: Sat, 06 Oct 2012 13:22:39 +0200

Hi FD,

we are bored and wanted to share something with you:


64bit Mac OS-X kernel rootkit that uses no hardcoded address to hook the
BSD subsystem in all OS-X Lion & below. It uses a combination of syscall
hooking and DKOM to hide activity on a host. String resolution of
symbols no longer works on Mountain Lion as symtab is destroyed during
load; this code is portable on all Lion & below but requires re-working
for hooking under Mountain Lion.

currently supports:

* works across multiple kernel versions (tested 11.0.0+)
* give root privileges to pid
* hide files / folders
* hide a process
* hide a user from 'who'/'w'
* hide a network port from netstat
* sysctl interface for userland control
* execute a binary with root privileges via magic ICMP ping
noptrix & prdelka

Name: Levon 'noptrix' Kayan
E-Mail: noptrix () nullsecurity net
GPG key: 0xDCA45D42
Key fingerprint: 250A 573C CA93 01B3 7A34  7860 4D48 E33A DCA4 5D42
Homepage: http://www.nullsecurity.net/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
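The post describes hiding processes through syscall hooking and DKOM, so the classic defender's response is a cross-view check: compare what the process listing shows against what a lower-level kernel path admits to. The script below is an added example, written for this archive page and not code from the post, from rubilyn or from its authors. It assumes a POSIX host with ps(1) on the PATH and that live PIDs stay below the constructed MAX_PID bound; it enumerates PIDs with kill(pid, 0), which checks existence and permission without delivering a signal, and reports any PID that answers there but is absent from ps -e.

```python
import os
import subprocess
from typing import Iterable, Set

# Upper bound of the PID space to probe. This is a constructed assumption:
# macOS PIDs stay below 100000, Linux pid_max may be 32768 or 4194304, so
# adjust it to the host being checked.
MAX_PID = 99999


def probe_pids(max_pid: int = MAX_PID) -> Set[int]:
    """Low-level view: every PID that exists according to kill(2) with
    signal 0. Signal 0 performs the existence and permission checks only,
    nothing is delivered. A rootkit that filters the process listing but
    leaves the pid lookup path alone still answers here."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists, but owned by another user
        alive.add(pid)
    return alive


def listed_pids() -> Set[int]:
    """High-level view: the PIDs ps(1) reports, i.e. what an admin sees.
    ps -e -o pid= works with both procps (Linux) and the BSD ps on macOS."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Cross-view difference: PIDs that answer kill(pid, 0) but are missing
    from the listing. Each one is a candidate hidden process."""
    return set(probed) - set(listed)


if __name__ == "__main__":
    # Take each view twice so processes that exit between the two views
    # (a normal race, not a rootkit) do not show up as suspects.
    first = hidden_pids(listed_pids(), probe_pids())
    second = hidden_pids(listed_pids(), probe_pids())
    suspects = first & second
    # Caveat on Linux hosts: kill(tid, 0) also succeeds for thread IDs that
    # ps -e does not list, so confirm each candidate before alerting on it.
    print("candidate hidden PIDs:", sorted(suspects) or "none")
```

The two views are deliberately obtained through different kernel paths; a hiding technique that unlinks a process from the list the listing walks but not from the lookup the signal path uses leaves exactly this discrepancy. A clean result is not proof of absence, since a rootkit can hook both paths, so the check belongs in a set of such comparisons rather than standing alone.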
