ARD Trojan: Anatomy
The actual source code analysed.
Brian Krebs has a copy of the ARD trojan. He says it was part of a collective effort to create a software package exploiting the remote desktop agent security hole.
Dino Dai Zovi also has a copy and he's gone over it with a fine tooth comb.
Visual Basic Sophistication
Dai Zovi says the sophistication of the ARD trojan is comparable to the Visual Basic hacks seen eight years ago. Judging from the conversations at MacShadows, where this development is said to have taken place, that seems a reasonable assessment.
But even crappy code written by n00bs can create havoc.
Dai Zovi says the trojan exploits an old hole dating all the way back to OpenStep: a weakness in the way the system handles Mach exception ports lets unprivileged user processes gain root access.
Unix systems built on the Mach kernel use Mach ports to communicate with other processes, including parent processes and the kernel itself. Exception ports are the ports to which the kernel delivers a message when a thread faults; the crash reporter daemon registers one so it can generate its logs.
There's a specific design flaw in the Mach architecture: it has no notion of user IDs and consequently none of SUID processes either. Once you hold a process's task port you own the process, whatever user it runs as.
OpenStep, and now Apple's OS, let SUID processes inherit the exception ports of their parent processes. Whoever receives the exception message gets the ports of the faulting task, and a holder of those ports can modify thread contexts and the process address space. So: register an exception port, use one process to start a SUID root binary, make it raise an exception, receive the exception message carrying the privileged task's port, corrupt it. Simple recipe.
Step one is of course to find a SUID root executable you can crash. (Un)fortunately there are a number of them around on Apple's OS X today: at and rlogin, for instance, crash if fed bad command line arguments.
Apple officially fixed this hole with OS X version 10.4.8.
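The two checks a practitioner would want after the paragraphs above, as an added example that is not part of the original article and not the trojan's code: whether an installed OS X version is at or past 10.4.8, where Apple fixed the exception-port hole, and which setuid-root binaries are present, since a crashable one is step one of the exploit. sw_vers, find and awk are stock tools; the sw_vers output embedded in the script is constructed sample data. The version comparison is done component by component because a plain string comparison ranks 10.4.11 below 10.4.8.

```shell
#!/bin/sh
# Added example, not from the original article: triage for the two facts the
# article gives (fix shipped in 10.4.8; exploit needs a crashable setuid-root
# binary). The sw_vers sample below is constructed, not captured.

# True (exit 0) when dotted version $1 >= $2, compared numerically per field.
# "10.4.11" < "10.4.8" as strings, but 10.4.11 is the newer release.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        [ -z "$a" ] && a=0
        [ -z "$b" ] && b=0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Print "fixed" or "vulnerable" for a ProductVersion string, per 10.4.8.
exception_port_status() {
    if version_ge "$1" 10.4.8; then echo fixed; else echo vulnerable; fi
}

# Pull ProductVersion out of sw_vers(1) output read on stdin.
product_version() {
    awk -F: '/^ProductVersion/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# Setuid-root executables under a directory: the attack surface the article
# names (at and rlogin are its examples). Needs no privileges to run.
list_suid_root() {
    find "$1" -xdev -type f -perm -4000 -uid 0 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    # On a real Mac: read the installed version and enumerate the binaries.
    ver=$(sw_vers | product_version)
    echo "OS X $ver: $(exception_port_status "$ver")"
    echo "setuid-root binaries:"
    list_suid_root /usr/bin
    list_suid_root /usr/sbin
else
    # Constructed sample shaped like sw_vers output on a 10.4 system.
    sample='ProductName:	Mac OS X
ProductVersion:	10.4.11
BuildVersion:	8S165'
    ver=$(printf '%s\n' "$sample" | product_version)
    echo "OS X $ver: $(exception_port_status "$ver")"
fi
```

Run it with `--live` on the Mac being checked; without arguments it only exercises the version logic on the constructed sample. A "fixed" verdict says the exception-port hole is closed, not that the ARD agent hole the trojan also tries is.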
The trojan Brian Krebs and Dino Dai Zovi have is a bundle of goodies, designed to be shipped inside any downloadable application.
'This could be bundled with any arbitrary application very easily', said Dai Zovi. 'Most people assume if something is going to do something dangerous it will ask you for your password first - but this won't.'
The trojan tries two different exploits, the ARD agent hole and the Mach exception port hole, to gain root on the machine. If either succeeds it drops the 'logkext' keystroke logger onto the machine, then sets up a VNC server for remote access to the desktop, then installs a web based PHP shell giving remote control through an ordinary web interface. The machine is also configured to use dynamic DNS so it can be found again if its IP address changes.
'What this demonstrates is, regardless of what the larger security community are focused on, people are interested in writing malware for the Mac', says Dai Zovi.
Brian Krebs points out there's still no evidence it's in the wild.