Symantec Blogs: Security Response

Alfredo Pesoli | February 10th, 2009

While analyzing the recent OSX.Iservice.B threat I noticed some interesting API calls that were dealing directly with the Mac OS X authorization mechanism. There are plenty of interesting analyses and discussions about Windows UAC, regarding both Vista (Ollie’s post) and the recent Windows 7 UAC.

The authentication mechanism is an important part of overall OS security, especially when we’re talking about malicious code that tries to pass itself off as a real and safe application in order to fool end users. Before digging into details, I’d like to stress one fact: it’s not a vulnerability, but simply a feature of the OS that can be used and abused from a social...

Alfredo Pesoli | November 26th, 2008

Let me introduce you to the new "Trojan kit," which is a member of the "…no, I don't require root privileges…" malicious code targeted toward Mac OS X. A while ago we received a sample of a new Trojan affecting the Apple operating system. OSX.Lamzev.A is the first sample we’ve seen from this threat family. It’s an easily customizable Trojan kit that could be the first of a long list of malicious code clones.
   
So, what do we mean by Trojan kit and what makes it stand out from the crowd? The only noteworthy feature is the way in which it infects clean applications—what this Trojan does is hijack a common feature that Mac OS X applications use to launch themselves—a smart but simple hack!

Initially, when the Trojan is run, a command prompt will appear, in which the attacker can configure the application that he or she wants to “Trojanize” (figure 1). The Trojan needs to be...