Author Claims Mac OS X Worm Ready to Go

The same troll who claimed to have intercepted and reverse-engineered Dino Dai Zovis QuickTime exploit from the Mac Pwn-to-Own contest at CanSecWest said over the weekend that he or she now has a Mac OS X worm loaded and ready to go.

Infosecsellout said on his or her blog that an unspecified mDNSResponder bug lets remote users gain root privileges and execute arbitrary code on a target system by sending specially crafted data. The post has since been stripped of detail, sans explanation.

/zimages/3/28571.gifClick hereto read about a new worm that is targeting portable memory drives.

On July 15, though, the original post was frank about the worm authors motivations: “I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work,” Infosecsellout wrote. “Yes, I am being compensated for this (Hi Joanna).”

When youre talking security, theres only one Joanna: Joanna Rutkowska, founder of Invisible Things Lab, based in Warsaw, Poland, and the prominent researcher behind the “100 percent undetectable” rootkit called Blue Pill.

Rutkowska, however, told eWEEK that she “[doesnt] know this guy” and “I really dont know what he meant. My company is not paying … anybody to write worms.”

Perhaps it is a coincidence, but the disappearance of worm details from Infosecsellouts site coincides with the hacker apparently getting outed on Cutaway Securitys blog on July 17. According to an informant in a chat room, Infosecsellout is an individual known as LMH, associated with the Phrack High Council (the link for which is broken, but the site is mirrored here).

The allegation is not provable. It wouldnt be surprising if it were true, however, given that the PHCs mandate is to mess with the information security industry. Its war cry, from 2005: “Its the WHITEHAT HOLOCAUST! WHITEHATS, STEP INTO MY OVEN!!!!” (Note, though, that Cutaways full post gives a less clear-cut representation of PHCs purpose.)

At any rate, Infosecsellout said in the original post that he or she would “eventually” show Apple the work. “NO I will not send you the PoC [proof-of-concept code] or any related details,” he said. “I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work.”

/zimages/3/28571.gifRead morehereabout a worm that made a comeback because of out-of-date security software.

That modus operandi is consistent with the trolls CanSecWest escapade. When asked to show proof of the QuickTime exploits interception at that time, Infosecsellout demurred.

Infosecsellouts worm, if it actually exists, uses an unpatched variation of the mDNSResponder vulnerability, fixed by Apple in May, according to McAfee, based in Santa Clara, Calif. Infosecsellout claims that the worm gives remote root access, compromises its first system, places a text file on the desktop and moves on to compromise other systems on the same network.

If the worm exists, its oh-so three years ago.

“[Infosecsellout] talks about exploiting a vulnerability, dropping a file and going to exploit another [system],” said Dave Marcus, security research and communications manager for MacAfees Avert Labs. “Thats a classic worm: going from machine to machine.”

The trend on the Windows side of the house has been much more data-centric, Marcus said. Infosecsellouts PoC instead is a classic worm, which researchers dont see anymore, he said. Its only point is to replicate itself—a process thats noisy, noticeable and contrary to current profit-motivated malware, which works stealthily.

Regardless of the threats quaintness, Avert Labs will monitor bulletin boards and port activity for signs of the potential Mac OS X worm, Marcus said, even though Infosecsellout sounds like he or she is once again merely making a pitch for street cred.

“Hes definitely walking the walk and talking the talk,” Marcus said. “When my researchers take it seriously, I take it seriously.”

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.