Mac Worm X
Welcome to the world's first self-replicating miasma for the Macintosh™.
This hasn't been done yet, but given the enormous help offered by Dashboard, it will be - and soon. This is how it would work.
- The Address Book is accessible. This is an easy API used by many.
- You can send mail without the user knowing.
- You make a zipped package. It is a Dashboard widget. You put it in a mail message that says 'Hi! I found this great Dashboard widget! Try it out!'
- The victim extracts the widget. The widget however carries a plugin - native code that runs with the victim's full privileges. The plugin does the following.
- Immediately renames itself so it's at the end of the list and can't easily be seen.
- Copies itself to the same location with other names and tries to copy itself everywhere else too. ~/Library/Widgets, /Library/Widgets and so forth. It also makes backup copies in exotic locations your ordinary user won't go near, like Application Support, Preferences/ByHost, Sounds, places like that, using funny names that seem all right.
- It creates an empty file with an innocuous-looking name in /private/tmp and checks for it on startup to see if another copy is already running. The file works like a mutex (a lock file).
- It assembles a list of all your mail addresses from the Address Book. Using the Mail Delivery API of OS X (NSMailDelivery in the Message framework) it can then send messages to everyone on the list and you will never know it. The sender address is always your default address, so the new victims think the messages are coming from you and trust them.
- The plugin has a Resources directory and in that directory is a complete copy of the widget and plugin in archived form, just like the one you received. The plugin creates an NSAttributedString, puts in a little message like 'Hi! I found this great Dashboard widget! Try it out!', creates an NSTextAttachment holding the compressed copy of the widget and plugin, appends the attachment to the NSAttributedString, and then uses the string as the message body to be sent out. It sends to each address on the list individually (one recipient per To: field), so no recipient sees the others.
This of course is trivial and merely 'nasty'. It will spread like wildfire. The ramifications are worse. It's patently easy to download a spam list and then use the victim's machine to send spam to everyone on that list.
It's also patently easy to sit and lurk and wait for the user to type the admin password on a command line; then, once the password has been captured, 'phone home' - and in so doing build up a 'zombie army' whose machines are continually probed for remote root login access and the like.
Of course the worm also has to uniquely identify your machine so that the connection between root password and machine is solid, but this is hardly a challenge: not only is your MAC address already on disk (/var/db/SystemConfiguration/preferences.xml) but it's eminently accessible through the Carbon/Core Foundation APIs.
As long as the plugin is running, the worm can do anything the logged-in user can do.
Aaron Harnly at Columbia has demonstrated how much more evil the Dashboard can be made to behave.
According to Aaron - who seems to prove his point adequately - there are at least three major systemic flaws in Dashboard.
- Widget auto-install. By default Safari not only unarchives compressed widgets but also copies them into ~/Library/Widgets, so merely clicking a link installs a widget.
- Widget bundle identifiers. The same scheme in use for Cocoa applications (CFBundleIdentifier in Info.plist) is used, and there are no precautions against name conflicts. Since widgets in the home directory load last, a widget in ~/Library/Widgets that reuses the identifier of an Apple widget in /Library/Widgets overrides it and can effectively pose as an approved widget from Apple.
- Total access. Widgets are supposed to be isolated from the local machine but in practice are not, nor are warnings issued for suspect widgets (such as those carrying a native plugin) as they should be.
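The second flaw above is easy to check for on your own machine. The script below is an added example written for this page (it is not Aaron Harnly's code and not anything Apple ships): it walks the widget directories in Dashboard's load order, reads each bundle's Info.plist with Python's plistlib, and reports any CFBundleIdentifier that appears more than once - the earlier bundle is the one being shadowed, the later one the impostor. It also lists widgets whose Info.plist declares a `Plugin`, the key Dashboard uses to name a widget's native plug-in bundle, because those are the ones that can do everything described in Mac Worm X. The demo builds its own constructed widget tree in a temporary directory; the bundle names and identifiers in it are sample data, not real files found on any system.

```python
"""Find Dashboard widgets that shadow another widget's bundle identifier."""
import os
import plistlib
import shutil
import tempfile
from collections import defaultdict

# Dashboard's load order as described in the article: system widgets first,
# the user's own widgets last, so a later duplicate identifier wins.
DEFAULT_WIDGET_DIRS = ["/Library/Widgets", os.path.expanduser("~/Library/Widgets")]


def read_info(bundle_path):
    """Return the parsed Info.plist of a .wdgt bundle, or None if unreadable."""
    info_path = os.path.join(bundle_path, "Info.plist")
    try:
        with open(info_path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None


def scan_widget_dirs(dirs=DEFAULT_WIDGET_DIRS):
    """Walk the directories in load order.

    Returns (by_identifier, with_plugin):
      by_identifier: CFBundleIdentifier -> list of bundle paths, in load order
      with_plugin:   bundle paths whose Info.plist declares a native Plugin
    """
    by_identifier = defaultdict(list)
    with_plugin = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".wdgt"):
                continue
            path = os.path.join(directory, name)
            info = read_info(path)
            if not info:
                continue
            ident = info.get("CFBundleIdentifier")
            if ident:
                by_identifier[ident].append(path)
            if info.get("Plugin"):
                with_plugin.append(path)
    return by_identifier, with_plugin


def find_shadowed(by_identifier):
    """Return (identifier, shadowed_path, shadowing_path) for each collision.

    The first bundle loaded is the legitimate one being hidden; the last one
    loaded is the widget Dashboard will actually run under that identifier.
    """
    return [(ident, paths[0], paths[-1])
            for ident, paths in by_identifier.items() if len(paths) > 1]


def make_widget(directory, name, identifier, plugin=None):
    """Write a minimal constructed .wdgt bundle (sample data for the demo)."""
    bundle = os.path.join(directory, name)
    os.makedirs(bundle, exist_ok=True)
    info = {"CFBundleIdentifier": identifier, "CFBundleName": name[:-5]}
    if plugin:
        info["Plugin"] = plugin
    with open(os.path.join(bundle, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return bundle


def demo():
    """Scan a constructed widget tree: one Apple-style widget in the system
    directory, and a home widget that reuses its identifier and ships a plugin."""
    root = tempfile.mkdtemp(prefix="widgets-")
    try:
        system_dir = os.path.join(root, "Library", "Widgets")
        home_dir = os.path.join(root, "home", "Library", "Widgets")
        # Constructed sample bundles; identifiers are illustrative only.
        make_widget(system_dir, "Calculator.wdgt", "com.apple.widget.calculator")
        make_widget(home_dir, "Weather.wdgt", "org.example.weather")
        make_widget(home_dir, "FreeStuff.wdgt", "com.apple.widget.calculator",
                    plugin="FreeStuff.widgetplugin")
        by_identifier, with_plugin = scan_widget_dirs([system_dir, home_dir])
        return {"shadowed": find_shadowed(by_identifier), "plugins": with_plugin}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for ident, hidden, impostor in demo()["shadowed"]:
        print(f"{ident}: {impostor} shadows {hidden}")
```

Run it with no arguments to see the constructed demo; call `scan_widget_dirs()` with the default directories to audit a real Dashboard installation. A home widget that shadows an Apple identifier, or any widget that declares a `Plugin`, is worth opening and reading before it is allowed to stay.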
Aaron also points out that the 'piggyback escalation exploit' can be used at any time: wait until the user has authenticated to sudo, then run sudo yourself within the grace period (five minutes by default) while the time stamp is still valid and no password is asked for.
With Apache and the Apple address book the exploit can self-replicate like Mac Worm X.