Black-hat hackers often use a bundle of tools called a rootkit to secure access to your machine and cover their tracks. When working on your computer, they need to store files and be sure that you will not stumble across them and get suspicious. Peter Hickman explains how this works.
Hey, are they joking?
There are already kernel extension rootkits for macosx. The first I’ve seen working was already 3 years ago.
I mean, yeah, people do use OSX, and that includes hackers and coders, and guess what, they like having fun with their systems. They code rootkits, for fun and for discovering new things!
But those work and can be found in compromised systems later.
It’s rare that the programs themselves are modified anymore. And in that case, they make sure that there is no visible remote fingerprinting. If it’s local, your script will be disabled or haxored. I mean, you think you’re the only one who sees the logs?
No... this “technique” will only work against “kiddies” who don’t take care of anything, or maybe the neighbour’s son who wants to have his fun. But you don’t have to fear for your data then. Only for the relay you provide, but you’ll notice it anyway, or else you wouldn’t be reading such news sites.
Well, all this is to make you feel secure while it’s rather useless in fact.
First off, the ethics of a “hacker” do not imply what type of tools they will use. Yes, there are possible situations where a good “hacker” might have to bust out a rootkit. Such wide generalizations as only good or bad hackers use tool X are just foolish. Well, you could generalize on skill level, as generally someone who knows what they are doing might use hping2. I still find it utterly ridiculous to break an entire community down to good/bad/neutral. Hackers are not ethics machines, pre-programmed to think in one way and arrive at either good/bad/neutral solutions.
Also, this article doesn’t go into how to detect a modern rootkit. It just goes through finding local (so called old skool) rootkits, not kernel memory only kits. Old skool rootkits are well known and there are plenty of tools to deal with them, chkroot (as mentioned in the article) and tripwire-like tools. I would like to see something similar to http://www.securityfocus.com/infocus/1811, but in relation to OSX. I really don’t want to see the quality of OSX related articles fall to some point-and-click level.
Yes, and a lot of OS X boxes are being used in spam botnets. A lot of the eBay phishing scams that come from Postfix MTAs are actually originating from OS X and OS X Servers. The vector is poorly chosen user ids and passwords, but the rootkit appears to be Apple-centric, based on the commonality of the spam.
I should say, “installed toolkit” is Apple-centric, rather than the rootkit. The files that are installed that make the OS X box a spam zombie seem to originate from the same toolkit, based on the common behavior, although I am not sure exactly what files they are. Something is making them zombies, and there is a central controller server communicating with them.
Return-Path: <[email protected]>
Received: from [host redacted] [xxx.xxx.xxx.xxx] by 192.168.10.23; Sat, 30 Jul 2005 12:19:17 -0400
Received: by localhost (Postfix, from userid 1029)id 292A78ED04; Sat, 30 Jul 2005 12:11:27 -0400 (EDT)
Message-Id: <20050730161127.292A78ED04@localhost>
From: [email protected] <[email protected]>
To: []@[].com
Subject: Open now and verify your email at eBay
Date: Sat, 30 Jul 2005 12:11:27 -0400
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Net7300# nmap -P0 -O xxx.xxx.xxx.xxx
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-30 16:52 UTC
Interesting ports on xxx.xxx.xxx.xxx:
(The 1643 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp filtered http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
311/tcp open asip-webadmin
427/tcp open svrloc
445/tcp filtered microsoft-ds
548/tcp open afpovertcp
593/tcp filtered http-rpc-epmap
625/tcp open unknown
1080/tcp filtered socks
3128/tcp filtered squid-http
4444/tcp filtered krb524
5900/tcp open vnc
6588/tcp filtered analogx
8080/tcp filtered http-proxy
Device type: general purpose
Running: Apple Mac OS X 10.3.X
OS details: Apple Mac OS X 10.3.0 – 10.3.3
I’ve found about ten of these and someone I’m working with in Germany has found four others, all from receiving spam emails originating from the hosts. The OS sig is accurate.
not hackers
Even if initially incorrect, overwhelmingly common usage dictates that it is correct after all.
(comparison: see ‘egregious’ and the word it’s derived from: ‘egregius’. Hardly anyone would argue that using egregious as a synonym for ‘Conspicuously bad or offensive’ is incorrect)
The Oxford dictionary is not always defined by common usage, and common usage is to be changed when broken.
This attitude of simply letting words lose meanings is losing us one of the most vocabularily powerful languages (English). People use so many words as if they’re interchangeable when they’re not.
Hacker does not mean someone who breaks into systems. It means someone who performs hacks, a verb which has a variety of meanings, none of which focus on the action being immoral/unethical/illegal.
In this case, common usage was destroyed by the media in the 80’s. As long as thousands (if not millions) of people happily refer to themselves as hackers under a different meaning than the “common” one (in which case these commoners fulfill the meaning of the word idiot) the word will still mean what those “hackers” say it means.
If everyone thought the president was a guy who gives speeches and has no real power he’d still have all the same powers; they’d just be idiots.
The Oxford dictionary is not always defined by common usage, and common usage is to be changed when broken.
What a bunch of nonsense. From the Wikipedia entry for the OED:
“The OED is the most comprehensive record of the English language; its policy is to attempt to record all known uses and variants of a word in all varieties of English, worldwide, past and present”
What did the first dictionary, and every version since, do but record the usage of words?
Also, you seem to have ignored that the author explicitly addresses the usage of “hacker” in the first paragraph of his article. You have been trolled, you lose 😉
Irregardless, the average person could care less. It seems that the population has decided on mass that, for all intensive purposes, “hacker” means someone who breaks into computers. Of course, died in the whool geeks will protest that defining terms by common opinion is taking the easy rowt.
I kind of liked the article. I am just curious, is there a rootkit that is intelligent enough to even compromise mtree? Is there a rootkit so advanced that it is not detectable? Also, I liked the link to the kernel module rootkits. I am wondering how common these attacks are. Any kind of statistics? I guess I am a little naive about these things.
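The mtree/tripwire-style check that the two comments above refer to, as an added example (not code from the article or from any commenter): it baselines a file tree, re-walks it and reports what was added, removed or changed, and its docstring states the limit the thread raises, that the check only sees what the kernel's lstat()/read() report. Function names and the sample bin/ tree are the example's own constructions.

```python
import hashlib
import os
import stat
import tempfile

def build_manifest(root):
    """Record (mode, uid, gid, size, sha256) of every regular file under root,
    the same data `mtree -c -K sha256digest` writes to a spec.  It asks the kernel
    via lstat()/read(), so a kernel-memory rootkit hooking those calls can feed it
    a clean view: the check is only as honest as the kernel answering it."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = (
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size, digest.hexdigest())
    return manifest

def compare_manifests(baseline, current):
    """Return (added, removed, changed) paths, like mtree's extra/missing/changed lines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Baseline a constructed fake bin/, tamper with it old-school style, diff. Sample data only."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "ps"):
            with open(os.path.join(bin_dir, name), "wb") as fh:
                fh.write(b"original " + name.encode() + b" binary\n")
        baseline = build_manifest(root)  # the trusted spec, taken while the box is clean
        with open(os.path.join(bin_dir, "ls"), "wb") as fh:
            fh.write(b"replaced ls\n")  # trojaned binary: size and hash change
        os.remove(os.path.join(bin_dir, "ps"))  # tool deleted
        with open(os.path.join(bin_dir, ".rk"), "wb") as fh:
            fh.write(b"dropped file\n")  # hidden dotfile added
        return compare_manifests(baseline, build_manifest(root))
```

Keep the baseline spec off the machine (or on read-only media); a spec stored on the same box is just one more file for the intruder to regenerate.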
If you’re really worried about this, couldn’t you just set the filesystem ‘immutable flag’ for selected files so they couldn’t be changed, or would a kernel module be able to get around that too ?