Rixstep

A Lesson Learned

'There's something here for everyone. Even us.'

This story starts with a download. We'd discovered a 'localisation tool' mentioned at a developers site. We were curious and downloaded it. Naturally we had Tracker set to track everything. And that's what saved us. But it shouldn't have gone that far.

It matters not what program we downloaded. It's what was in the program that's the issue. The program was laden with the EWSMac framework from eSellerate.

The EWSMac framework is insidious. It's evil. It's intrusive and invasive. And it's sloppy as can be.

The Apple mantra is 'don't run unknown or untrusted software'. And at face value that seems impossible, outright ridiculous. But it's not. It's the best advice you'll ever get.

If you can't get a thorough report from someone else then you need to inspect everything you download. You need to do this before you run anything for the first time.

Luckily we already had Tracker open. And it had previously been used to check things from root. As this application wasn't going to ask for a password, we'd have been inclined to have Tracker only check /Library and the home area. And that would have been a mistake.

But we just let Tracker go. And that was lucky for us. What followed was an account of wanton destruction. The EWSMac framework was all over the place.

Changed
-------
/Library/Frameworks/EWSMac.framework/Versions/A/EWSMac80
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/English.lproj/InfoPlist.strings
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/EWSWindow.nib/classes.nib
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/EWSWindow.nib/info.nib
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/EWSWindow.nib/keyedobjects.nib
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/Info.plist
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/linkCursor.tif
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/lock_disabled.png
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/lock_initial.png
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/lock_mousedown.png
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/lock_mouseover.png
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/rocket.gif
/private/var/tmp/folders.501
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/EWSMac80
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/English.lproj/InfoPlist.strings
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/EWSWindow.nib/classes.nib
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/EWSWindow.nib/info.nib
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/EWSWindow.nib/keyedobjects.nib
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/Info.plist
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/linkCursor.tif
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/lock_disabled.png
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/lock_initial.png
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/lock_mousedown.png
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/lock_mouseover.png
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/rocket.gif
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMacCompress.tar.gz
Modified
--------
/dev/console
/dev/null
/Library/Caches/com.apple.ATS/501/annex.db
/Library/Caches/com.apple.ATS/501/annex_aux
/Library/Caches/com.apple.ATS/501/fonts.db
/Library/Frameworks
/Library/Frameworks/EWSMac.framework
/Library/Frameworks/EWSMac.framework/EWSMac80
/Library/Frameworks/EWSMac.framework/Resources
/Library/Frameworks/EWSMac.framework/Versions
/Library/Frameworks/EWSMac.framework/Versions/A
/Library/Frameworks/EWSMac.framework/Versions/A/Resources
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/English.lproj
/Library/Frameworks/EWSMac.framework/Versions/A/Resources/EWSWindow.nib
/Library/Frameworks/EWSMac.framework/Versions/Current
/private/tmp
/private/tmp/hsperfdata_rixstep
/private/tmp/hsperfdata_rixstep/1930
/private/tmp/hsperfdata_root
/private/tmp/hsperfdata_root/1931
/private/var/log/asl.log
/private/var/log/system.log
/private/var/log/windowserver.log
/private/var/tmp/folders.501/TemporaryItems
/private/var/tmp/folders.501/TemporaryItems/3317234539
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/EWSMac80
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Resources
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/English.lproj
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/A/Resources/EWSWindow.nib
/private/var/tmp/folders.501/TemporaryItems/3317234539/EWSMac.framework/Versions/Current
/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Home/lib
/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Home/lib/jvm.cfg
/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Libraries
/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Libraries/classes.jsa
/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Libraries/classlist

Even things in the root-protected JavaVM framework got borked - and this without a password. Something inside the app (or the EWSMac framework) tickled something in the JavaVM framework which in turn dropped a few turds inside its own bundle. Ostensibly with root access.

We were able to check the inodes with Tracker's info sheet and with Xstamp's HFS create time stamps (which can't be programmatically modified from user land) to see this wasn't a question of something being modified - this was a question of new files being created. In a root protected area without anyone authenticating for privilege escalation.

The culprit application also littered over the 'Application Support' directory. And this without our ever succeeding in doing anything with the app. We fired it up, read a EULA, looked for a file it needed to run, couldn't find it, and exited. And still wound up with a boatload of crap.

Thirty-four files were dumped here and the app did nothing useful at all.
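The before/after comparison that produced the Changed and Modified listing above can be reproduced, crudely, with nothing but POSIX tools. The script below is an added example written for this page; it is not Tracker and not Rixstep code. It takes a path baseline plus a marker timestamp before the untrusted app is launched, and afterwards reports paths that did not exist before and baseline paths whose mtime is newer than the marker (which is why a directory shows as modified when a file is dropped into it). The watched root, the state directory and the file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not Tracker and not Rixstep code: a minimal before/after
# file-system snapshot using only find, sort and comm.
#   ./snap.sh begin  ROOT STATEDIR    # before launching the untrusted app
#   ./snap.sh report ROOT STATEDIR    # after quitting it
# STATEDIR must lie outside ROOT, or the baseline and marker report themselves.

# snapshot_begin ROOT STATEDIR: record every path and a marker timestamp
snapshot_begin() {
    root=$1; state=$2
    mkdir -p "$state"
    find "$root" -print | sort > "$state/baseline"
    touch "$state/marker"   # anything written after this is 'newer' than it
}

# snapshot_new ROOT STATEDIR: paths present now but absent from the baseline
snapshot_new() {
    root=$1; state=$2
    find "$root" -print | sort > "$state/after"
    comm -13 "$state/baseline" "$state/after"
}

# snapshot_modified ROOT STATEDIR: baseline paths whose mtime passed the marker;
# a directory qualifies when an entry was added to or removed from it
snapshot_modified() {
    root=$1; state=$2
    find "$root" -newer "$state/marker" -print | sort > "$state/touched"
    comm -12 "$state/baseline" "$state/touched"
}

# snapshot_report ROOT STATEDIR: both lists in the layout used above
snapshot_report() {
    echo "Changed (new paths)"; echo "-------------------"; snapshot_new "$1" "$2"
    echo; echo "Modified"; echo "--------"; snapshot_modified "$1" "$2"
}

# command-line entry point; does nothing when sourced without arguments
if [ $# -eq 3 ]; then
    case $1 in
        begin)  snapshot_begin  "$2" "$3" ;;
        report) snapshot_report "$2" "$3" ;;
        *) echo "usage: $0 begin|report ROOT STATEDIR" >&2; exit 2 ;;
    esac
fi
```

It compares mtimes only, so a program that rewrites a file and then restores its timestamp slips past it; that is exactly why the text above falls back on inode numbers and HFS create times, which user-land code cannot backdate. A watch over all of / takes a while and needs read access everywhere, which is the point the text makes about checking from root rather than just /Library and the home area.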

A Lesson Learned

There's a lesson to be learned here. For everyone. The BitTorrent trojans were easy enough to thwart: Installer.app packages come with explicit instructions in plain text that explain what's going to happen.

Preflight, postflight, pre-this, post-that: it's all there in plain text to read.

But ordinary Cocoa application bundles are a different matter entirely. They're not going to have 'giveaway' text files. It takes more work to see what's going to happen before it happens.

You literally have to dig inside each and every new software bundle you acquire before you run it. You have to go looking for anything that looks out of the ordinary or suspicious. You have to flag compressed archive files. You certainly have to flag anything from eSellerate.

And you should do a string search on executable binaries as well. It doesn't take root privileges for an app to 'phone home'. You have to check for embedded URLs and references to other packages in the bundle itself.
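One way to carry out the inspection just described, as an added example and not anything from the page or from Rixstep: a POSIX shell audit that lists the frameworks and compressed archives inside a bundle, identifies Mach-O executables by their magic bytes, and pulls embedded URLs, '.framework' references and eSellerate strings out of them with grep -a, so it needs neither 'strings' nor 'file'. The bundle layout and every name in make_sample_bundle are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Rixstep or from the page: a pre-run audit of an
# application bundle.  Usage: ./audit.sh /path/to/Some.app
# make_sample_bundle builds a constructed bundle so the script runs offline;
# the vendor, framework and URL names in it are invented.

# is_macho FILE: true when the first four bytes are a Mach-O or fat magic
is_macho() {
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# list_archives BUNDLE: compressed archives and installer payloads in the bundle
list_archives() {
    find "$1" -type f \( -name '*.tar.gz' -o -name '*.tgz' -o -name '*.tar' \
        -o -name '*.zip' -o -name '*.gz' -o -name '*.dmg' -o -name '*.pkg' \)
}

# list_frameworks BUNDLE: frameworks shipped inside the bundle
list_frameworks() {
    find "$1" -type d -name '*.framework'
}

# list_executables BUNDLE: regular files that carry a Mach-O magic
list_executables() {
    find "$1" -type f | while read -r f; do
        if is_macho "$f"; then printf '%s\n' "$f"; fi
    done
}

# strings_of_interest FILE: http(s) URLs, framework names and eSellerate
# identifiers found in a binary; grep -a scans it as text, -o prints matches
strings_of_interest() {
    LC_ALL=C grep -a -o -E \
        'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+|[A-Za-z0-9_.-]+\.framework|[Ee][Ss]ellerate[A-Za-z0-9_]*' \
        "$1" | sort -u
}

# count_findings BUNDLE: number of flagged items across all three checks
count_findings() {
    b=$1
    { list_frameworks "$b"; list_archives "$b"
      list_executables "$b" | while read -r exe; do strings_of_interest "$exe"; done
    } | wc -l | tr -d ' '
}

# audit_bundle BUNDLE: print the report a reviewer reads before first launch
audit_bundle() {
    b=$1
    echo "== Frameworks shipped in $b";  list_frameworks "$b"
    echo "== Compressed archives";       list_archives "$b"
    echo "== Mach-O executables and the URL / framework / eSellerate strings inside"
    list_executables "$b" | while read -r exe; do
        echo "-- $exe"
        strings_of_interest "$exe" | sed 's/^/   /'
    done
    echo "== $(count_findings "$b") items to explain before running this"
}

# make_sample_bundle: constructed App bundle with a fake main executable, a
# fake bundled framework and an embedded archive (contents are not real Mach-O)
make_sample_bundle() {
    d=$(mktemp -d)/Sample.app
    mkdir -p "$d/Contents/MacOS" "$d/Contents/Resources" \
             "$d/Contents/Frameworks/Vendor.framework/Versions/A"
    { printf '\316\372\355\376'   # Mach-O magic, little-endian (ce fa ed fe)
      printf 'junk\0@rpath/Vendor.framework/Vendor\0http://activate.example.com/check?id=\0eSellerateEngine\0'
    } > "$d/Contents/MacOS/Sample"
    { printf '\316\372\355\376'; printf 'no urls here\0'; } \
        > "$d/Contents/Frameworks/Vendor.framework/Versions/A/Vendor"
    printf 'not really compressed\n' > "$d/Contents/Resources/VendorCompress.tar.gz"
    printf '%s\n' "$d"
}

if [ $# -eq 1 ]; then audit_bundle "$1"; fi
```

Run audit_bundle on the unpacked bundle before its first launch and treat every line of output as something to explain: an archive inside Resources means files will be unpacked somewhere at run time, and a framework that also appears as a string in the main executable is likely to be loaded or copied out. The URL pattern stops at the first NUL or space, so a string that has been split or obfuscated will not be caught; fat binaries are recognised by the cafebabe magic but scanned as one blob.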

Quite simply: you have to be paranoid. A counterspy. A Deckert. You'll be running unknown and untrusted software and it's best you know it.

We got off lucky this time. We were fortunate. And normally we are exceptionally careful. And without Tracker it would have been 'lights out'.

That's a lesson everyone can take home this evening.

 - JC/TS

Copyright © Rixstep. All rights reserved.