Yes, and a lot of OS X boxes are being used in spam botnets. A lot of the eBay phishing scams that come from Postfix MTAs are actually originating from OS X and OS X Server. The vector is poorly chosen user IDs and passwords, but the rootkit appears to be Apple-centric, based on the commonality of the spam.
I should say, "installed toolkit" is Apple-centric, rather than the rootkit. The files that are installed that make the OS X box a spam zombie seem to originate from the same toolkit, based on the common behavior, although I am not sure exactly what files they are. Something is making them zombies, and there is a central controller server communicating with them.
Return-Path: <robert@localhost.localhost>
Received: from [host redacted] [xxx.xxx.xxx.xxx] by 192.168.10.23; Sat, 30 Jul 2005 12:19:17 -0400
Received: by localhost (Postfix, from userid 1029)id 292A78ED04; Sat, 30 Jul 2005 12:11:27 -0400 (EDT)
Message-Id: <20050730161127.292A78ED04@localhost>
From: aw-confirm@ebay.com <aw-confirm@ebay.com>
To: []@[].com
Subject: Open now and verify your email at eBay
Date: Sat, 30 Jul 2005 12:11:27 -0400
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Net7300# nmap -P0 -O xxx.xxx.xxx.xxx
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-30 16:52 UTC
Interesting ports on xxx.xxx.xxx.xxx:
(The 1643 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp filtered http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
311/tcp open asip-webadmin
427/tcp open svrloc
445/tcp filtered microsoft-ds
548/tcp open afpovertcp
593/tcp filtered http-rpc-epmap
625/tcp open unknown
1080/tcp filtered socks
3128/tcp filtered squid-http
4444/tcp filtered krb524
5900/tcp open vnc
6588/tcp filtered analogx
8080/tcp filtered http-proxy
Device type: general purpose
Running: Apple Mac OS X 10.3.X
OS details: Apple Mac OS X 10.3.0 - 10.3.3
I've found about ten of these and someone I'm working with in Germany has found four others, all from receiving spam emails originating from the hosts. The OS sig is accurate.
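As an added example (not code from the original post, and not from any tool the poster used), here is a small Python triage script that automates the two checks the post describes: pulling the originating address and the injecting Postfix userid out of the Received chain of a phishing message, comparing that against the claimed From: domain, and then matching an nmap text report against the service and OS profile of the host quoted above. The message and nmap excerpt are constructed samples modelled on the quoted output (RFC 5737 documentation addresses, not a real capture), and the port profile (22, 311, 548, 5900) is an assumption taken from the single scan shown, not a claim about every host the poster found.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the header block quoted in the post.
# 203.0.113.45 is a documentation address, not a real zombie.
SAMPLE_MAIL = """Return-Path: <robert@localhost.localhost>
Received: from dsl-pool.example.net [203.0.113.45] by 192.168.10.23; Sat, 30 Jul 2005 12:19:17 -0400
Received: by localhost (Postfix, from userid 1029) id 292A78ED04; Sat, 30 Jul 2005 12:11:27 -0400 (EDT)
Message-Id: <20050730161127.292A78ED04@localhost>
From: aw-confirm@ebay.com <aw-confirm@ebay.com>
To: victim@example.com
Subject: Open now and verify your email at eBay
Date: Sat, 30 Jul 2005 12:11:27 -0400
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html><body>Verify your account here.</body></html>
"""

# Constructed nmap excerpt in the classic text format quoted in the post.
SAMPLE_NMAP = """Interesting ports on 203.0.113.45:
PORT STATE SERVICE
22/tcp open ssh
311/tcp open asip-webadmin
548/tcp open afpovertcp
5900/tcp open vnc
Device type: general purpose
Running: Apple Mac OS X 10.3.X
OS details: Apple Mac OS X 10.3.0 - 10.3.3
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
USERID_RE = re.compile(r"Postfix, from userid (\d+)")
# Our own relay and loopback hops; anything else on the path counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw):
    """Received headers oldest-first, with folding whitespace collapsed."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))

def originating_ip(hops):
    """First non-internal bracketed address on the path: the host that handed us the mail."""
    for hop in hops:
        for candidate in IP_RE.findall(hop):
            addr = ipaddress.ip_address(candidate)
            if not any(addr in net for net in INTERNAL_NETS):
                return candidate
    return None

def local_injection_userid(hops):
    """UID Postfix recorded when a local process submitted the message, or None."""
    for hop in hops:
        m = USERID_RE.search(hop)
        if m:
            return int(m.group(1))
    return None

def from_domain(raw):
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def triage_mail(raw):
    """The pattern in the post: a brand-name From: domain, but the mail was
    injected by a local Unix user on an unrelated Postfix host."""
    hops = received_hops(raw)
    ip, uid, dom = originating_ip(hops), local_injection_userid(hops), from_domain(raw)
    spoofed = bool(dom) and not any(dom in hop.lower() for hop in hops)
    return {"origin_ip": ip, "injecting_uid": uid, "from_domain": dom,
            "suspect_zombie": ip is not None and uid is not None and spoofed}

def parse_nmap(text):
    """Open TCP ports and the 'Running:' OS guess from nmap text output."""
    ports = [int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open", text, re.M)]
    m = re.search(r"^Running:\s*(.+)$", text, re.M)
    return {"open_ports": ports, "os": m.group(1).strip() if m else None}

# Assumed profile, taken from the one scan quoted: ssh, Server Admin, AFP and VNC.
PROFILE_PORTS = {22, 311, 548, 5900}

def matches_profile(nmap_result):
    os_name = nmap_result["os"] or ""
    return os_name.startswith("Apple Mac OS X") and PROFILE_PORTS <= set(nmap_result["open_ports"])

if __name__ == "__main__":
    verdict = triage_mail(SAMPLE_MAIL)
    print(verdict)
    if verdict["suspect_zombie"]:
        print("nmap profile match:", matches_profile(parse_nmap(SAMPLE_NMAP)))
```

In practice you would feed `triage_mail` each message from the spam trap and run the scan only against addresses it flags; the `From:`-domain-versus-Received check is a heuristic, so treat a hit as a lead for the scan step rather than proof on its own.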
First off, the ethics of a "hacker" do not imply what type of tools they will use. Yes, there are possible situations where a good "hacker" might have to bust out a rootkit. Such wide generalizations as "only good or bad hackers use tool X" are just foolish. Well, you could generalize on skill level, as generally someone who knows what they are doing might use hping2. I still find it utterly ridiculous to break an entire community down to good/bad/neutral. Hackers are not ethics machines, pre-programmed to think in one way and arrive at either good/bad/neutral solutions.
Also, this article doesn't go into how to detect a modern rootkit. It just goes through finding local (so-called old skool) rootkits, not kernel-memory-only kits. Old skool rootkits are well known and there are plenty of tools to deal with them: chkroot (as mentioned in the article) and Tripwire-like tools. I would like to see something similar to http://www.securityfocus.com/infocus/1811, but in relation to OSX. I really don't want to see the quality of OSX-related articles fall to some point-and-click level.