
OSX.Lamzev.A – The Mac OS X Trojan Kit 

Nov 26, 2008 03:45 PM

Let me introduce you to the new "Trojan kit," which is a member of the "…no, I don't require root privileges…" malicious code targeted toward Mac OS X. A while ago we received a sample of a new Trojan affecting the Apple operating system. OSX.Lamzev.A is the first sample we’ve seen from this threat family. It’s an easily customizable Trojan kit that could be the first of a long list of malicious code clones.
   
So, what do we mean by Trojan kit and what makes it stand out from the crowd? The only noteworthy feature is the way in which it infects clean applications—what this Trojan does is hijack a common feature that Mac OS X applications use to launch themselves—a smart but simple hack!

Initially, when the Trojan is run, a command prompt will appear, in which the attacker can configure the application that he or she wants to “Trojanize” (figure 1). The Trojan needs to be executed inside the same path as the targeted application.

 

Figure 1: What a waste of such an interesting command prompt!

The way that the Trojan manages to convert a clean application is by changing the CFBundleExecutable key inside the chosen application’s Info.plist file. So, what does this mean? “Plist” stands for Property List, and it's the main file used by OS X applications to hold user settings, as well as information related to the application itself. "CFBundleExecutable" is the key that identifies the bundle's main executable file that will be executed when you double-click on the application from Finder (or from the terminal: $ open Application.app). If an attacker changes that key and points it toward a malicious file, guess what the result is? Whenever the affected application is launched, first the back door will be executed, and then the original application will be started. Simple, but effective!

During the “Trojanizing” phase, the attacker is asked to choose an application that:
•    Must reside in the same path as the Trojan executable.
•    Must match a service name from /etc/services with a port higher than 1024 (no root privileges required).

At this point, the attacker only needs to type in the “hack” command (figure 2):



Figure 2

The Trojan will then perform the following actions to infect the application:

1.    The target application’s Info.plist file will be Trojanized (CFBundleExecutable).

2.    File "1," which is the loader of the back door (see below), will be copied inside $ApplicationName.app/Contents/MacOS/. This file will be executed every time the Trojanized application is launched.

3.    The bundle's original main executable will be renamed as file "2" inside the same directory ($ApplicationName.app/Contents/MacOS).

Up to this point we have talked about the Trojan component and the back door component, but where are these things on your system? Once the affected application is launched, the loader (file 1) will drop a plist file in /tmp and will then move it back to ~/Library/LaunchAgents. The LaunchAgents folder holds all the login items for the given user (or eventually for the system /Library/LaunchAgents). In this case, it will hold the property list for running /bin/sh listening on the port of the chosen service (supplied earlier – see screen shot above), named com.apple.DockSettings, which is why the Trojan requires a service name that matches /etc/services:

<key>SockServiceName</key>
<string>$ServiceName</string>

This will ensure that even after a reboot, the back door will still be running, thanks to launchd. After all of this, the Trojanized application is ready to be run on system start-up or whenever the target application is launched.
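The two artifacts described above (a repointed CFBundleExecutable with numeric-named files in Contents/MacOS, and a per-user LaunchAgent that hands a launchd socket service to /bin/sh) can be checked for with a few lines of plistlib. This is an added example, not code from the original post or from the sample; the bundle, the label and the service name it uses are constructed placeholders.

```python
import os
import plistlib
import tempfile
# Constructed LaunchAgent in the shape the write-up describes: a launchd socket service
# named after an /etc/services entry, handing connections to /bin/sh. Label and service
# name are placeholders, not values recovered from a sample.
SUSPECT_AGENT = plistlib.dumps({"Label": "com.apple.DockSettings",
                                "ProgramArguments": ["/bin/sh", "-i"],
                                "Sockets": {"Listeners": {"SockServiceName": "example-svc"}}})
BENIGN_AGENT = plistlib.dumps({"Label": "org.example.sync",
                               "ProgramArguments": ["/usr/local/bin/sync"], "StartInterval": 3600})

def _has_key(node, key):
    """Recursive search: SockServiceName normally sits inside the Sockets dictionary."""
    if isinstance(node, dict):
        return key in node or any(_has_key(v, key) for v in node.values())
    return isinstance(node, list) and any(_has_key(v, key) for v in node)

def check_launch_agent(plist_bytes):
    """Return reasons a per-user LaunchAgent matches the Lamzev persistence pattern."""
    agent = plistlib.loads(plist_bytes)
    program = agent.get("Program") or (agent.get("ProgramArguments") or [""])[0]
    reasons = []
    if os.path.basename(program) in ("sh", "bash", "zsh") and _has_key(agent, "SockServiceName"):
        reasons.append("shell bound to a launchd socket service (inetd-style listener)")
    if str(agent.get("Label", "")).startswith("com.apple."):
        reasons.append("com.apple.* label under ~/Library/LaunchAgents; Apple's own agents live in /System/Library")
    return reasons

def check_bundle(app_path):
    """Return reasons an .app bundle shows the Info.plist hijack described above."""
    contents = os.path.join(app_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        exe = plistlib.load(f).get("CFBundleExecutable", "")
    reasons = []
    if exe.isdigit():
        reasons.append(f"CFBundleExecutable points at numeric-named file '{exe}'")
    leftovers = sorted(n for n in os.listdir(os.path.join(contents, "MacOS")) if n.isdigit() and n != exe)
    if leftovers:
        reasons.append(f"other numeric-named binaries in Contents/MacOS (renamed original?): {leftovers}")
    return reasons

def scan_constructed_bundle():
    """Build a throwaway bundle with CFBundleExecutable -> '1' and the original renamed '2', then check it."""
    app = os.path.join(tempfile.mkdtemp(), "Victim.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleName": "Victim", "CFBundleExecutable": "1"}, f)
    for name in ("1", "2"):  # loader and renamed original, as empty stand-ins
        open(os.path.join(app, "Contents", "MacOS", name), "wb").close()
    return check_bundle(app)
```

Run `check_bundle` over each .app in /Applications and `check_launch_agent` over each plist in ~/Library/LaunchAgents; a CFBundleExecutable that does not match the bundle name is worth a look even when it is not numeric.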

OSX.Lamzev.A has nothing new to show to the anti-reversing/debugging scene; it just uses strip on the binaries, the same way as “all of the others.” The current version of this Trojan kit has several restrictions—the most important one is that somebody needs to be there on your machine, Trojanizing your application. In the future, one thing we could expect to see is an automated OSX.Lamzev.A.

In order to ensure the safety of your system, never trust an application if you don't know where it has come from. Also, keep your system patched with the latest security updates. For information on the removal of OSX.Lamzev.A, you can check out our write-up here.

More and more malware has emerged for Mac OS X recently. All of the Mac OS-targeted malware we’ve seen so far either affects the BSD subsystem or is a BSD-style infection. We haven’t yet seen anything that relies completely on the Mach subsystem or Cocoa.

Certainly, the number of threats for the Mac OS is still small when compared to the hordes of families aimed at more traditional OS targets. However, at the moment, it seems as if more malware writers are seeing Mac OS as a world worthy of exploration. As they continue to push the boundaries of the threat landscape, we’ll be there to keep you informed!
Message Edited by SR Blog Moderator on 11-27-2008 02:52 AM
