Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack

Undercover 0.1: How It Works

What thief could possibly resist?

Undercover 0.1 comes as undercover.dmg, a 1.6 MB download. The image mounts under /Volumes and contains two Installer packages, LaunchDaemon.pkg and UndercoverApp.pkg.

In both cases Installer requires your admin password.

LaunchDaemon.pkg installs its launchd property list in either /Library/LaunchDaemons or ~/Library/LaunchDaemons. (The package's configuration data is contradictory on this point. launchd does not read daemons out of a home directory at all, so only the /Library copy would actually load at boot.) UndercoverApp.pkg installs in /private/etc [sic]. The install paths cannot be altered and a reboot is required.

The LaunchDaemon job exists to start the installed uc binary at boot and, since OnDemand is false, to keep it running (launchd restarts it if it exits).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.orbicule.undercover</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/private/etc/uc.app/Contents/MacOS/uc</string>
    </array>
</dict>
</plist>

Undercover.app uses NSTimer and Dan Wood's CURLHandle.framework to download data from the Orbicule website at regular intervals. The current contents of the two files it fetches, hijack.plist and trace.plist, follow. They hold nothing at present; the idea is that owners of stolen computers will submit data, and the client computers will then be able to find themselves in the lists.

Why the program 'phones home' in this fashion on a continual basis, throughout ordinary use and regardless of whether the computer is stolen or not, must place Undercover in a software design hall of fame.

<http://www.orbicule.com/UCservices/hijack.plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>//</key>
    <string>x</string>
</dict>
</plist>

<http://www.orbicule.com/UCservices/trace.plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>//</key>
    <string>x</string>
</dict>
</plist>

The Undercover ID is hidden in /Users/Shared/.ucreg [sic], in a directory every local account can write to. When in 'trace mode' Undercover will regularly access checkip.dyndns.org to get the computer's current IP if possible [sic] and format and send a message to the Orbicule website [sic], whose server of course sees the connecting address anyway. [Yes it makes more sense to carry coals to Newcastle.] The relevant strings in the binary:

http://www.orbicule.com/UCservices/traceMail.php?intip=%@&mac=%@&ext=%@
An Undercover alert will be sent for the Mac with MAC-address: %@
http://checkip.dyndns.org
<html><head><title>Current IP Check</title></head>
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Interfaces
IOMACAddress
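Put together, those strings describe one polling cycle of trace mode. The Python below is an added reconstruction for this review, not Orbicule's code: it reads the MAC out of a NetworkInterfaces.plist sample, pulls the address out of a checkip.dyndns.org reply, checks whether this machine's ID is listed in the downloaded hijack.plist, and fills the two %@ format strings. The plist and HTML samples are constructed; it is an assumption that the Undercover ID appears as a dictionary key in hijack.plist (the page only shows the empty placeholder), and the internal IP is passed in because the strings do not show where the client gets it.

```python
import plistlib
import re
from urllib.parse import quote

# Format strings and paths exactly as they appear in the binary.
TRACE_URL_FORMAT = "http://www.orbicule.com/UCservices/traceMail.php?intip=%@&mac=%@&ext=%@"
ALERT_FORMAT = "An Undercover alert will be sent for the Mac with MAC-address: %@"
CHECKIP_URL = "http://checkip.dyndns.org"
NETWORK_INTERFACES_PLIST = "/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist"

# Constructed sample: the slice of NetworkInterfaces.plist the client reads.
# IOMACAddress is six raw bytes (<data>, base64 in XML) -> 00:11:22:33:44:55.
SAMPLE_NETWORK_INTERFACES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Interfaces</key>
    <array>
        <dict>
            <key>BSD Name</key>
            <string>en0</string>
            <key>IOMACAddress</key>
            <data>ABEiM0RV</data>
        </dict>
    </array>
</dict>
</plist>
"""

# Constructed sample reply from checkip.dyndns.org, in the shape that page uses
# (the address is an RFC 5737 documentation address).
SAMPLE_CHECKIP_REPLY = ("<html><head><title>Current IP Check</title></head>"
                        "<body>Current IP Address: 203.0.113.7</body></html>")

# Constructed sample of hijack.plist after an owner has reported a theft.
# Assumption: the Undercover ID shows up as a key; the live file is empty.
SAMPLE_HIJACK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>//</key>
    <string>x</string>
    <key>UC-0000-TEST</key>
    <string>1</string>
</dict>
</plist>
"""


def fill_format(fmt, *args):
    """Minimal stand-in for NSString's stringWithFormat: for %@ placeholders only."""
    for arg in args:
        fmt = fmt.replace("%@", str(arg), 1)
    return fmt


def mac_from_network_interfaces(plist_bytes, bsd_name="en0"):
    """Colon-separated MAC of the named interface from NetworkInterfaces.plist, or None."""
    for iface in plistlib.loads(plist_bytes).get("Interfaces", []):
        if iface.get("BSD Name") == bsd_name:
            return ":".join("%02x" % b for b in iface["IOMACAddress"])
    return None


def external_ip_from_checkip(html):
    """Address from the checkip.dyndns.org reply; None if the page did not answer
    as expected (the 'if possible' in Orbicule's description)."""
    m = re.search(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", html)
    return m.group(1) if m else None


def reported_stolen(hijack_plist_bytes, uc_id):
    """True if this machine's ID is in the downloaded list (key-membership assumption)."""
    return uc_id in plistlib.loads(hijack_plist_bytes)


def build_trace_url(intip, mac, ext):
    """The GET issued in trace mode. Values are percent-encoded here; whether the
    real client bothers is not visible from the strings."""
    return fill_format(TRACE_URL_FORMAT, *(quote(v, safe="") for v in (intip, mac, ext)))


def trace_cycle(uc_id, hijack_plist_bytes, net_plist_bytes, checkip_reply, internal_ip):
    """One polling cycle: not listed -> None; listed -> (trace URL, alert text)."""
    if not reported_stolen(hijack_plist_bytes, uc_id):
        return None
    mac = mac_from_network_interfaces(net_plist_bytes)
    ext = external_ip_from_checkip(checkip_reply) or "unknown"  # fallback is ours
    return build_trace_url(internal_ip, mac, ext), fill_format(ALERT_FORMAT, mac)


if __name__ == "__main__":
    print(trace_cycle("UC-0000-TEST", SAMPLE_HIJACK_PLIST, SAMPLE_NETWORK_INTERFACES,
                      SAMPLE_CHECKIP_REPLY, "192.168.1.23"))
```

Everything in this exchange travels over plain HTTP, so the lists the client trusts and the trace report it sends are both readable and alterable by anyone on the path.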

The screen is also captured at regular intervals using /usr/sbin/screencapture, and the image is dropped in /Users/Shared, where any local account can read it, before being sent via FTP to Orbicule.

-[ScreenshotSender uploadFile:toDirectoryOnHost:]
-[ScreenshotSender takeScreenshotWithPath:]
-[ScreenshotSender takeScreenshotAndSend]

The username and password for this FTP account are baked into Undercover, so anyone with the 1.6 MB download can read them out of the binary, and FTP then sends them in the clear on every upload besides. They give full access to add, change, and delete anything found there, which includes whatever every other customer's machine has uploaded. [<-- Read that again.]
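The check anyone with the .dmg can run is the one strings(1) does: dump the printable runs from the binary and look at what sits next to the FTP host. The Python below is an added example, not part of the review or of Undercover itself; the byte blob is a constructed stand-in for a binary's string table, and the host, user name and password in it are made up for the demonstration (the real credentials are deliberately not reproduced).

```python
import re

# Constructed stand-in for the string table of a Mach-O: NUL-terminated C strings
# between stretches of non-printable bytes. The selectors, paths and the two
# Orbicule format strings are the ones named on this page; the FTP host, user
# name and password are invented for the example.
SAMPLE_BINARY = (
    b"\xce\xfa\xed\xfe\x07\x00\x00\x00\x03\x00\x00\x00"   # header-ish junk
    b"uploadFile:toDirectoryOnHost:\x00"
    b"takeScreenshotWithPath:\x00"
    b"takeScreenshotAndSend\x00"
    b"\x00\x00\x01\x02"
    b"/usr/sbin/screencapture\x00"
    b"/Users/Shared/\x00"
    b"http://www.orbicule.com/UCservices/traceMail.php?intip=%@&mac=%@&ext=%@\x00"
    b"ftp.example.invalid\x00"     # made-up upload host
    b"uc_upload\x00"               # made-up user name
    b"Tr0ub4dor\x00"               # made-up password
    b"/screenshots/\x00"
    b"An Undercover alert will be sent for the Mac with MAC-address: %@\x00"
    b"\xff\xfe\xfd"
)

URL_RE = re.compile(r"^(?:https?|ftp)://")


def extract_strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, in file order: the same
    idea as strings(1). C strings are NUL-terminated, so run boundaries fall
    exactly on the original strings."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def looks_like_selector(s):
    """Objective-C selector names: identifier parts joined by colons, no spaces."""
    return bool(re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*(?::[A-Za-z0-9_]*)+", s))


def credential_candidates(strings, window=3):
    """Heuristic: strings within `window` positions of one that mentions FTP,
    minus what can be ruled out (paths, URLs, selectors, format strings, prose).
    What is left is a short list to read by eye, not a verdict."""
    out = []
    for i, s in enumerate(strings):
        if "ftp" not in s.lower():
            continue
        for j in range(max(0, i - window), min(len(strings), i + window + 1)):
            t = strings[j]
            if j == i or t in out:
                continue
            if t.startswith("/") or URL_RE.match(t) or looks_like_selector(t):
                continue
            if " " in t or "%" in t:       # prose or a printf-style format
                continue
            out.append(t)
    return out


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    print("%d strings, candidates next to the FTP host: %r"
          % (len(found), credential_candidates(found)))
```

On a real Mach-O you would narrow the haystack first, for instance with otool -s __TEXT __cstring, since selector names live in their own section; the filter above only removes what can be ruled out, so expect to look at its output rather than act on it blindly.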

Subterfuge

It is now that Undercover turns the tables on the villains. Quitting iTunes if it is running, Undercover sends a short and sweet script to Finder (which hopefully is running), as follows. And just for the fun of it, it cranks up the volume. Poor embarrassed villains!

quit application "iTunes"
tell application "Finder"
set volume 7
say "Help. Help. Help. I'm a stolen macintosh computer..."
end tell

If that doesn't get the thieves to turn themselves in, what will? But in case the CIA, FBI, MI6, Surete, and NSA aren't within earshot when the poor computer starts wailing, there's another trick waiting.

Messenger
Mac OS X detected a logic board failure
It is recommended to take this computer to an authorized Apple support center.
[SMART ERROR CODE -432]

And then the thief, blissfully unaware there are tracking programs available, will dutifully take the hot box to precisely where he can be picked up and put away. As it's an Apple and not a Wintel piece of junk, the thief will never think of just tossing the computer and going out to steal a new one. No: Apple computers, stolen or not, have to be repaired.

Undercover 0.1: Bottom Line »

Copyright © Rixstep. All rights reserved.