About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Industry Watch » The Technological

The Not So Sinister Finisterre

Only whiny babies play 'shoot the messenger'.


Buy It

Try It

'Probably just a lame variation on the Leap.A fiasco.'
 - 'mrgreen4242' at the MacRumors forums

'Until Symantec tell people exactly what it does and where it came from I'm calling this salesmanship.'
 - 'mrgreen4242' at the MacRumors forums

'I can't wait until this meaningless hooplah blows over.'
 - 'slb' at the MacRumors forums

'This is entirely a proof of concept. It hasn't been seen in the wild, and it expires on the 24th of this month. Anyway, I don't think it would be very successful. How many Macs are routinely around other Macs with bluetooth on (outside of multiple Macs owned by the same person)?'
 - 'mduser63' at the MacRumors forums


So speak the learned at the MacRumors forums. Of course others may remember how they react when they get hit themselves.

Don't feel like clicking through the link? OK, here's some choice tidbits.


'This is a VERY< VERY sad day for the Mac platform. I always hoped that this would not happen in my lifetime. I am almost in shock now, I can't believe this is reality. All because of this bastard with hi pics. I am extremely pissed, sad, and scared. This guy needs to pay. This is war IMO.'
 - CoMpX at the MacRumors forums

'I'm like shaking. Someone please comfort me.'
 - CoMpX at the MacRumors forums

'Stop. Calm down. Many of you are running around like the proverbial headless chicken.'
 - Shrikey at the MacRumors forums


The person causing this panic is Kevin Finisterre, author of the InqTana worm and author of the recently hyped iAdware exploit. Both programs exploit the same security hole in OS X. Coincidentally a hole that also the Oompa Loompa worm exploited.

It's called 'InputManagers' and it's been used by far more than Oompa Loompa, InqTana, and iAdware. It's been used as well by the ichatHack, mailHack, and safariHack exploits.

The reason security research on OS X is so interesting is that Apple take the injudicious move of branching off from tried and true Unix code to create something they're rather reluctant to call Unix anymore.

Unix has had a good thirty years to mature and more researchers inspecting it by an order of magnitude. Apple use a closed source model and they're venturing out into new territory where the risk for exploits grows geometrically.

And they're carrying with them legacy ideas from the birth of NeXT which predates the birth of the web.

And they don't listen.

The Opener hole was wide open for as much as eight years with Apple continually in denial, claiming it 'worked as designed'. The Oompa/InqTana/iAdware hole has been open as long or longer and Apple's official policy is the same - it 'works as designed'.

Some security researchers, more eager than others to get Apple to listen, have even traveled to the Cupertino campus at One Infinite Loop to make their pleas - and been typically and summarily dismissed.

Through the Eyes of Dr Frankenstein

In a paper titled 'InqTana Through the Eyes of Dr Frankenstein' Kevin Finisterre, author of InqTana and iAdware, explains the background to his research and comments on the media reaction.

'This sole intent of this paper is to address both FUD and rumours surrounding the release of detailed information about the InqTana proof of concept worm. After reading Internet based news over the past few days I have certainly seen my fair share of 'spin' and misconception regarding the results of my research', he writes.

'With regard to the incorrect data being provided about the exploit portion of the worm I must simply tell the reporters out there to DO YOUR HOMEWORK FIRST, then write your articles.'

The Bluetooth vulnerability Finisterre exploited was an old one first disclosed a year earlier. One of the catches was that although Apple had released a patch, successive updates to 10.4 Tiger didn't use it - that took a while longer to right itself.

'The reason security research on OS X is so interesting is that Apple take the injudicious move of branching off from tried and true Unix code to create something they're rather reluctant to call Unix anymore. Unix has had a good thirty years to mature and more researchers inspecting it by an order of magnitude. Apple use a closed source model and they're venturing out into new territory where the risk for exploits grows geometrically. And they're carrying with them legacy ideas from the birth of NeXT which predates the birth of the web. And they don't listen.'

Some people - at MacRumors would be a good guess - assumed that as there was a prompt written into the code such a prompt was necessary. Normally people wouldn't be this ridiculous, but we're talking about MacRumors zombies here.

'One thing I cannot stress enough is that I chose to make this worm prompt the user for interaction. It is NOT a required function. My intent was to prove a concept - not create a functional worm.'

And now he heads for the finish line.

'Putting all of that aside I think most people missed the point of this worm and its variants. The main focus was not on the usage of Bluetooth for the exploit medium or the vulnerability used. The focus should have been on the usage of built in OS X facilities to spread malicious code. OS X contains features which will certainly aid in the future of malware on OS X.'

He's talking about the InputManagers hole.

'Although little detail was provided on exactly how Leap.A hooked the functions of iChat it is very likely that swizzling was used. The Objective-C runtime effectively allows you to 'patch' methods in code you don't have the source to.'

'Rather than completely replacing the original method, swizzling lets your method make use of the original, almost like subclassing.'

'Once you combine this ability with an input manager you wind up with a recipe for instant malware. Even though input managers can have legit uses it is highly likely this facility will become a common malware vector.'

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.