Weapox

'The Macintosh community has been relatively unaffected by recent malware.'
 - Peter Ferrie, Symantec

Bela Lugosi made some scary movies. Some people like a good scary movie. Some people are even afraid of vampires. But what most people don't know is that vampires are actually a really polite lot.

Not that politesse would matter if you met a bloodsucker on the street, but in your home - that's a different matter. Vampires never come in unless you invite them. Never.

And that's a fact.

Now they might try some trickery, or skulduggery, or legerdemain, but that's a different story. If someone rings your doorbell and says they're from FedEx and need you to sign for a package, leave them standing outside while you sign - never invite them in. It could be a vampire. Best to be safe.

Sophos and Symantec are at it again. With scare tactics about OS X that is. It works like this: a 'scientist' from Symantec writes a paper on the new highly dangerous situation for OS X and has it published at an 'independent' site. The site in question is 'Virus Bulletin'. Guess who owns it?

% whois -h geektools.com virusbtn.com
Checking server [whois.crsnic.net]
Checking server [whois.totalregistrations.com]
Registrant:
   SOPHOS plc
   The Pentagon
   Abingdon Science Park
   Abingdon
   Oxon
   OX14 3YP
   UK

So much for independence. But what does Peter Ferrie have to say? There's a new vampire on the block, says Ferrie, and its name is Weapox. It's based on something called 'adorebsd', a rootkit.

A root kit is a set of tools used by an intruder after cracking a computer system.
 -Wikipedia

Note the word 'after' in the above quote. A rootkit is something that's used only after a system is compromised - in itself it has absolutely no capability of doing the compromising itself. It's only used to wipe tracks and maintain a hidden presence.

Make no mistake about it: rootkits are mean buggers and an administrator's nightmare. But they don't come in by themselves: you have to invite them in.

The source code to Weapox makes it clear what's up: it contains brief instructions how to set it up once it's built and ready to run. Nothing is automated - you have to open the door yourself.

Weapox runs as a kernel extension. It hooks into a number of standard Unix calls and sends back 'modified' data to keep the presence of the rootkit hidden. Listings of directories are fudged by hooking getdirentries, listings of processes are fudged by hooking sysctl, and so forth.

The program comes with a special control module (which can also be hidden) which toggles visibility, runs special programs, and so forth.

But for any of this to run - for a kernel extension to be installed - one must have root access. The control module assumes it already has this root access: there is no mechanism for achieving it - there is no attack vector whatsoever.

In other news, Symantec reveal that the virus business on Windows is thriving.

Virus writers upped their production lines to release 10,866 new Windows virus and worm variants in the first six months of this year.
 - Symantec

Also:

Websites that specialise in distributing source code and tools for malicious bots and botnets helped fuel the creation of multiple copies of Spybot with 6,361 new variants of the malware created in the first half of 2005, a 48 per cent increase over the 4,288 new variants documented in the second half of 2004.
 - Symantec

So when Ferrie claims OS X has been relatively unaffected by recent malware, he's perfectly right.