
Worm Claimed For Apple OS X

SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."
  • *ahem* (Score:5, Insightful)

    by Duncan3 ( 10537 ) on Tuesday July 17, 2007 @07:44PM (#19894953) Homepage
    As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm.

    If by fully testing you mean "auctioning it to the highest bidder" then yea.
  • by Swift2001 ( 874553 ) on Tuesday July 17, 2007 @07:46PM (#19894973)
    First of all, if he's found a real vulnerability, he reports it. I don't care if it's Apple or Linux or even Windows. "Waiting until I finish it" is a disgusting excuse. Will he sell it to the bad guys? Is this free publicity for some jerk? I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might too. If what he's doing isn't illegal now, maybe it should be.
  • by dsdtzero ( 137612 ) on Tuesday July 17, 2007 @07:46PM (#19894979)
    The fact that the breaking news on slashdot is "someone found the third way to attack a mac machine" is a compelling argument to purchase a mac over a PC. Unless someone can explain to me how this is the seed of an impending snowball of mac-targeted malware.
  • Re:worm in apple? (Score:3, Insightful)

    by catwh0re ( 540371 ) on Tuesday July 17, 2007 @07:48PM (#19894993)
    While I have no doubt that worms etc can be created for OSX (or any OS, given enough time.) I'm not really fond of companies blowing their trumpet until they're certain. It's very rich to claim all that publicity without notifying the vendor, or even being 100% certain. Otherwise it comes across as yet another company that is trying to claim solely for the benefit of the massive attention that it will draw on the company. Whether it's a fiasco involving wifi hardware or an antivirus company claiming endless vulnerabilities to sell their "protection tools". The apple community is well versed in frauds and half-truths spun as a "massive vulnerability" who cry wolf.
  • by Tobenisstinky ( 853306 ) on Tuesday July 17, 2007 @07:48PM (#19894995)
    Good idea. However, a serious discussion on /. is unlikely.
  • by Penguinisto ( 415985 ) on Tuesday July 17, 2007 @07:53PM (#19895037) Journal
    Serious question here:

    Somebody writes a worm for OSX that works across a specific test network (of which we have no clue as to settings, layout, patch levels, etc etc), and it's really, really, really big news. Media orgs around the planet sound the klaxon, and (nearly) everyone gets all hyper-ventilated. Claims of "OSX is just as vulnerable!!!1111!!" will fly off the pages.

    Meanwhile, the next near-periodic iteration of MSFT-specific malware in-the-wild will get not so much as a grunt outside of security circles (such as SANS ISC and F-Secure's blog as ferinstances). It will likely subvert 40x as many victims in its first hour, and the media won't say so much as 'boo' about it.

    Perspective (at least outside of security and some geek circles)? Never heard of it.

    /P

  • by Anonymous Coward on Tuesday July 17, 2007 @07:59PM (#19895101)
    I don't care if it's Apple or Linux or even Windows.

    I want to give you the benefit of the doubt, but your post really reads like you're an irritated Mac fanboy. Congress? Illegal? Give me a fucking break!!

  • by QuantumG ( 50515 ) <qg@biodome.org> on Tuesday July 17, 2007 @08:02PM (#19895117) Homepage Journal
    Sounds like a great plan. Make it compulsory to report vulnerabilities eh? Maybe even ban the selling of vulnerabilities. Kinda makes you wonder why any third party would bother looking for them.

  • by Aaron England ( 681534 ) on Tuesday July 17, 2007 @08:03PM (#19895129)
    The Apple fans can't eat their cake and have it too. If Apple is going to market their product as one that is a secure alternative to Windows, then they must accept being held to a higher standard and all the scrutiny that comes with it. In fact, they ought to welcome it.
  • Market share? (Score:3, Insightful)

    by Dan_Bercell ( 826965 ) on Tuesday July 17, 2007 @08:04PM (#19895139)
    I haven't really looked at the market share percentages of OSes recently, has Apple really grown large enough for Virus makers to start targeting Apple?
  • by Daniel Dvorkin ( 106857 ) on Tuesday July 17, 2007 @08:05PM (#19895145) Homepage Journal
    Yes, exactly. Three proofs of concept vs. thousands, maybe millions, of vulnerabilities in the wild.

    The author claims, "While it is nothing special compared to Windows based Malware it does prove a point -- Apple Computers are just as susceptible to Malware as Windows based ones." Oh, bullshit. The fact that this particular security vulnerability exists does not mean that OS X is just as much a wide-open target as Windows is.

    In the "Classic" MacOS days, there was a fair amount of Mac malware -- never as much as in the PC world, of course, but plenty of it running around. Since OS X became the standard, this hasn't happened. The "vulnerability through popularity" argument just doesn't hold up to this fact.
  • by Trillan ( 597339 ) on Tuesday July 17, 2007 @08:07PM (#19895169) Homepage Journal
    I don't see any suggestions this be buried, only that it be kept in perspective. (Which, I'll grant, is impossible.)
  • by dch24 ( 904899 ) on Tuesday July 17, 2007 @08:09PM (#19895183) Journal
    Bundle it with a Windows worm. Exploit Macs on the same subnet as Windows boxes. Then the infected Macs scan for vulnerable Windows boxes and spread the infection. Every vector is useful in an attacker's bag of tricks.
  • I don't know of a single Mac user or vendor who has ever claimed that OS X is *COMPLETELY* invulnerable to viruses/etc, only that there hasn't been a demonstrable, malicious, in-the-wild true OS X virus released YET, which is true.

    Major difference. In fact, every Mac user I know expects a "true" virus or two to show up for OS X sooner or later, but what of it? So the ratio will go from a bazillion to zero to a bazillion to one or two.

    Apple has roughly a 2.5% worldwide market share--wake me when they have anywhere close to 2.5% as many viruses as Windows and I'll start being overly concerned.
  • by QuietObserver ( 1029226 ) on Tuesday July 17, 2007 @08:15PM (#19895233)
    From my point of view, the original argument never said anything about making vulnerability reporting compulsory, but that concealing a vulnerability is morally reprehensible, and claiming to keep a vulnerability secret until an exploit is finished is a disgusting excuse.
  • by fox1324 ( 1039892 ) on Tuesday July 17, 2007 @08:17PM (#19895245)
    If what he's doing isn't illegal now, maybe it should be.


    Maybe it shouldn't be. There are hundreds of /. threads filled up with complaints about the US government and legal system. Our rights are constantly eroded by attempts to 'legislate morality'. Repeat with me: just because something is unethical or immoral does NOT mean it needs to be illegal. Ethics and morals are nothing more than opinions, and they vary greatly from person to person.

    Neglecting to report a vulnerability is not remotely criminal, no matter how much you disagree with his motivation.

  • by samkass ( 174571 ) on Tuesday July 17, 2007 @08:44PM (#19895447) Homepage Journal
    I'm sure you're trying to be sarcastic, but it would DEFINITELY be a good idea to include everyone from your random teenage mom's basement hacker to Theo de Raadt in the discussion. Just because someone has done great things for the community it doesn't mean he's going about addressing exploits in the best way.
  • Re:worm in apple? (Score:2, Insightful)

    by Maniac-X ( 825402 ) on Tuesday July 17, 2007 @08:45PM (#19895453) Homepage
    If by "well versed in frauds and half-truths" you mean well versed in spreading their own brand of propaganda and half-truths, then yes, you are correct.
  • by Anonymous Coward on Tuesday July 17, 2007 @08:47PM (#19895477)
    Finding a bug in software and reporting it I think of as similar to the situation where you are walking down the street and you see someone drop something of theirs and they don't notice, being a person of good ethics, you inform that person that they dropped it, and maybe get it for them and return it to them. Same here, he found a bug and has gone and shown off that he got it, he should really explain it instead of flaunting knowledge. There is certainly no need to rush, but it would of course be nice if he shared his findings with those who (I assume so anyway) worked hard to make the software.
  • by NatasRevol ( 731260 ) on Tuesday July 17, 2007 @08:54PM (#19895549) Journal
    I really think this argument should be given a name, something along the lines of Godwin's law.

    Perhaps Paterson's folly?
  • by theolein ( 316044 ) on Tuesday July 17, 2007 @09:26PM (#19895807) Journal
    Apart from the claim by infosec sellout sounding less than adult - he says the payload was "weaponised" - and his claim that Apple will somehow not fix the "root cause" of the vulnerability if he gives it to them now - extortion anyone? mDNSResponder is Open Source - I seriously question how some independent researcher can have, as he claims, a test base of 1500 systems. A big company with $1million to throw around might have that, or a university, but I seriously doubt he has the place or resources to afford a test base of this size unless he is using a local university or school, and judging by his spelling and grammar, he is either not English native or he is a teenager, or both. That says nothing about the veracity (truth) of his claim but it is somewhat juvenile, the whole thing.
  • by Anonymous Coward on Tuesday July 17, 2007 @09:50PM (#19895985)

    That's impossible!
    Actually, it is unsubstantiated. So the truth value is unknown. Based on prior experience with false reports in this arena, it is not something I would wager anything of value on. Unless you are wagering against. Then you might want to lay down a lot of money.

    it is bound to join the likes of Inqtana and Leap as known OS X malware
    Anyone else who uses a Mac every day (or anyone else in general) ever heard of these so-called malware?
  • also quite useless (Score:4, Insightful)

    by Jeremy_Bee ( 1064620 ) on Tuesday July 17, 2007 @10:10PM (#19896141)
    IMO the really funny thing is that this joker decided to use a Bonjour vulnerability to work on, when everything I've heard indicates a major reworking of the Bonjour code in Leopard anyway.

    Isn't this kinda like working out a vulnerability in AppleTalk a month before they stopped using it?
  • Re:Dear Apple Inc (Score:1, Insightful)

    by Anonymous Coward on Tuesday July 17, 2007 @10:17PM (#19896181)
    Why give any encouragement to a kid who writes garbage like this:

    Apparently the word "bullshit" is an expletive to a CEO of a company full of drunks who have shit on every conference they have attended.
    This is not a kid who should be encouraged with corporate cash.
  • by aesiamun ( 862627 ) on Tuesday July 17, 2007 @11:05PM (#19896561) Homepage Journal
    http://www.apple.com/getamac/ads/ [apple.com]

    here, look for Viruses...

    Quote:
    PC: Better stand back this one's a doozy.

    Mac: That's ok I'll be fine.

    PC: No, no not be a hero. Last year there were 114,000 known viruses for PCs.

    Mac: PCs, but not Macs, so...

    Where does it say that Macs are invulnerable to viruses?
  • by Sparks23 ( 412116 ) * on Wednesday July 18, 2007 @12:48AM (#19897233)
    Oh, please. Most sensible Mac users recognize that while OS X is /more/ secure out-of-the-box than your average XP installation, and segments permissions better, there's still plenty of ways for things to mess up an OS X box. It's stupid to think any OS is invulnerable; Linux isn't, FreeBSD isn't, Mac OS X isn't, Windows sure as heck isn't. It's just harder to target an out-of-box configuration, and so people generally don't bother. (Which, I grant, doesn't mean some Mac users won't be up in arms and claiming this is impossible. They're wrong, if they do, but still.)

    HOWEVER, you don't have to be a fan of any specific platform to find the way the guy handles this to be extremely unprofessional.

    The /proper/ way to handle a vulnerability -- on ANY platform -- is to report it to the vendor/developer in a timely manner before trumpeting it to the world. Exploits should be released (not leastwise because developers can learn from each others' mistakes), but they should be reported first. This

    Meanwhile, this guy is proclaiming a vulnerability (but disclosing no details for anyone to learn from or judge the severity of), while simultaneously saying he has not yet -- and does not yet plan to -- report the vulnerability to the vendor. It's basically a shameless grab for publicity with vague information, rather than someone demonstrating that they take security research seriously.

    The nature of the exploit, or the platform it affects, is not relevant to the guy's behavior; it's just plain irresponsible of any security researcher to act this way. It would be equally irresponsible to find some serious, significant exploit in Linux and trumpet 'ZOMG, I just discovered that there's a way for any program to steal root through a specific exploit in the current version of KDE! But I'm not going to tell the KDE folks anything about it until I've finished testing.' (Also, the guy would get eaten ALIVE by the Slashdot community for pulling a stunt like that, but I digress.)

    Security researchers are respected and taken seriously by vendors and developers (rather than being thought of as malicious hackers) specifically /because/ they handle exploit information in a professional and cooperative manner. This guy is not doing so, and THAT is the problem. Not what OS he's claiming an exploit in.

    That's my $0.02, anyway.
  • Re:pfft (Score:5, Insightful)

    by Divebus ( 860563 ) on Wednesday July 18, 2007 @01:05AM (#19897297)
    The Windows camp has nothing to gloat about as long as I'm getting a hundred spam messages a day from compromised Windows machines.
  • Covered in shit? (Score:4, Insightful)

    by GrahamCox ( 741991 ) on Wednesday July 18, 2007 @03:02AM (#19897893) Homepage
    I frequently hear the old chestnut that the only reason Macs aren't infested with malware is their lack of market share. Whether true or not, it's a funny argument, especially if the person using it is defending their choice of Windows.

    "I'm not going to use Mac because while it may be clean now, I could get covered in shit at any time!"

    "But you're already covered in shit".

    "Errr... yes. But I'm sorta used to it..."
  • by MadMidnightBomber ( 894759 ) on Wednesday July 18, 2007 @03:27AM (#19898005)
    Because Congress is well known for its mature and insightful discussion of computer and network security issues.
  • by zootm ( 850416 ) on Wednesday July 18, 2007 @06:53AM (#19898735)

    Many of the major Windows worms and so forth target vulnerabilities which have already been fixed (and the fixes pushed out) months before. Not only will many not upgrade to Leopard, if the OS X userbase is similar to the Windows userbase (I'm not sure if it is, but still), many will simply not click the button to install the updates, and leave themselves vulnerable.

  • by Anonymous Coward on Wednesday July 18, 2007 @07:02AM (#19898769)
    Take ActiveX as one of the main examples: it enables you to do some tricks easily because you can run executable code from a browser, but the security for it sucks (as evidenced by the number of patches/security updates that were always being released for it a few years ago).

    Erm, what do you think browser plugins using NSAPI do?

    I have no doubt that OSX is more secure than Windows - how could it not be? Maybe a silly attitude since I don't know much about BSD, or what Apple changed to make the OS more user friendly (maybe they added in something equivalent to ActiveX that gives nice fancy features but poor security?), but I find it hard to believe that any recent OS could be worse than the mess that is Windows. And I hope there never will be.

    OS X probably is more secure, at least than XP if not Vista, because of obscurity. On a technical level, browser plug-ins are technically similar to Active X, in that they give nice features, but allow foreign code to execute in the browser process (ie the plug-in code), so if there's a bug in that code, a malicious website can potentially take advantage of it to hijack the browser process, and then do anything that process can do (which on OS X is, I think, anything the owning user can do -- Vista runs at least IE processes with more restricted security, so hijacking the browser process is of limited value).
  • by TheRaven64 ( 641858 ) on Wednesday July 18, 2007 @07:08AM (#19898787) Journal
    This could be a big problem on some university campuses, however. Mine, for example, has a huge flat-topology network that was deployed in the '80s (maybe before) and has been upgraded piecemeal without anyone really knowing how the whole thing fits together anymore. When I plug my laptop in, I get around 10KB/s of background traffic sent to the broadcast address hitting me. Running tcpdump shows that most of this is iTunes DAAP. Does this exploit also run on Windows? Apple bundle MDNSResponder with iTunes on Windows, so if that's where the exploit is then it could also be a problem there. It might also be a problem on other *NIX systems that bundle it, since Apple have released it under an Apache 2.0 license (cue all the 'Apple just takes from Open Source and never gives anything back' trolls).
  • Actually... (Score:5, Insightful)

    by LKM ( 227954 ) on Wednesday July 18, 2007 @07:38AM (#19898895)
    The only people I always see spouting such crap are the people who claim to hate Apple fanboys. I've never seen an Apple fanboy make absurd claims like yours. This is like a fucking self-fulfilling prophecy. Every damn article about Apple is run over by stupid Anti-Apple trolls who write hundreds of comments laughing about imaginary Apple fanboys and the imaginary stupid things they say. [crazyapplerumors.com]

    Here's an idea: Shut up, and let those who are interested in the article discuss it. Thanks.
  • Even assuming he hasn't made up that bit, I'm sure some of the real, ethical researchers looking at the mDNSresponder source code right now will figure out what he's hinting at.
  • by Gilmoure ( 18428 ) on Wednesday July 18, 2007 @10:11AM (#19900415) Journal
    Read how Apple's Quicktime 7.2 update [macfixit.com] went and caused issues on Intel based Macs. It broke some PPC apps on some machines. Also, Apple's pulled a DVD drive firmware update [macfixit.com], after it hosed some hardware. Now, I'm a Mac tech and have only owned Macs, except for my old TI 99/4A but you can't paint Apple in polished gold all the time. They screw up things just like any other computer company.
