Where did I say it wasn't encryption? I said I'd like to submit it to my PCI auditor as _my_ method of encryption, much easier than proper applied crypto.
Perhaps my notation was a bit too terse. GF2(8) is a Galois field of order Pow(2, 8). The xor operation is addition in a Galois field, so 8-bit xor with 'M' is the same thing as a constant additive shift by 'M' in a Galois field of order Pow(2, 8). So, it's a Caesar shift cipher using the GF2(8) definition of byte addition rather than the standard modulo 256 definition.
Code size and unusualness/uniqueness are goals here, as they're for obfuscation, not strong encryption - the code needs to be small, hard for an AV to recognise with a heuristic (so tables and baked constants are bad) and ideally amenable to being passed through a polymorphic/metamorphic mutation engine.
All of the information I've seen about this "worm" comes from a single anti-virus vendor I've never heard of, and the information is painfully thin -- most critically, there is no information at all on how it's spread.
This particular headline (which, to be fair, does not come from the linked page) uses the word "exploit", but there is no evidence of what, if any, flaw is being exploited.
"Worm" has a rather specific meaning. It's malware that self-propagates through a network. Strictly construed, the only way this can happen is if there is a security flaw being exploited. A looser definition includes things like the infamous "ILOVEYOU" "worm", that automatically distributes itself, but requires user interaction to infect a target.
In this case, neither means of distribution is in evidence.
At this point, I'm skeptical that this "worm" exists at all.
Well, that's not what I'd call an "analysis", and if that's really about the same "worm", it's at least 22 months old, not "new".
First submission 2012-11-11 16:21:18 UTC ( 1 year, 10 months ago )
Last submission 2014-05-08 21:33:59 UTC ( 4 months, 3 weeks ago )
Sounds like a small-time vendor trying to make a name for itself by "dissecting" an old trojan. Maybe they want some extra revenue for christmas bonuses.
Viruses and the like are often named after words or snippets researchers find while doing an investigation. It is possible the original developer called the project "iWorm" and so that is how they named it.
In Linux, one way I protected my webserver in the past was to just do:
cd /; sudo git init; git add /etc /{bin,sbin,lib} /usr/{bin,sbin,lib,local} ... ; sudo git commit
git clone / into another remote server, and I can git diff from time to time to see if anyone/code mod my system.
One very nice side effect of this system is that I got to know in details what files were modded and added when ever I did an "apt-get install ..."
Questions for mac Guru:
1. Have anyone done this in Mac?
2. Any pro/con on why, why not do this?
3. Other than, /{bin,sbin,lib} /etc, /usr/{bin,sbin,lib},
What other dirs should I add?
What's best way to handle /Applications/ (25GB ) ?
4. What other dirs can a worm,virus, hide in my Mac?
Any good dtrace scripts to help monitor who/what is writing to those places?
Keep in mind that, if the attacker gets code execution on your box, everything the box says is a lie if he wants it to be. You may catch some dumb attackers who leave readily available evidence of compromise, but there exists off-the-shelf ratware which is not amenable to discovery via simply diffing.
As to where else a worm/virus can hide in your Mac: everywhere. Got a hard disk with writable firmware? It could be in the firmware. If you ask the firmware "Hey, apropos of nothing, do you contain a virus?" it will say "No, no, only totally authorized hard disk firmware here. Feel absolutely safe about reading executable instructions from me."
> Keep in mind that, if the attacker gets code execution on your box, everything the box says is a lie if he wants it to be.
Sure, but in real life that's extremely unlikely. I never seen such a 'rootkit', meaning a rk complete at every level that disguises EVERYTHING (processes, connections, evades anti-rk software, etc.). It's been many years since the last time I was interested in security so things might have changed, but given the amount, time and effort that such a rootkit would take (to target specific OSes/versions) I'd say that it's highly unlikely unless it's gov-founded.
I can only judge by what I see, I can't judge real life applications by theorising about what's possible and I remember playing around with rootkits since adore-ng (by TT), which was fairly sophisticated back in the day.
If you're going to judge, that implies you have at least looked for information on which to base a judgement. In this case, "looking" is not possible with a compromised OS, it requires booting from forensic media.
> I never seen such a 'rootkit', meaning a rk complete at every level that disguises EVERYTHING
Isn't that the same as saying you'd only notice an incompetent attack?
I've seen this twice (public web server running a student's exploitable PHP followed by a kernel 0-day) – once it was possible to see it due to a bug in the hiding logic (IIRC it compromised ps but not /proc) but the other was unnoticeable on the box itself. This was a decade ago and it was neither uncommon nor particularly sophisticated back then – the actual kernel exploit used to install it was novel but the rootkit code was widely available.
I caught both of these attacks quickly because they were foolish enough to use IRC as a control channel and our IDS immediately caught the traffic – want to bet against someone realizing there are stealthier ways to report home?
That's why I trust git more than anything else, especially compare to the typical "Anti-virus" software.
git is written by Linus, open source, whole algorithm is based on file content change detection, base on hashes, etc.
If my server software is corrupted initially by XXX gov agency at the Debian website, well, I can't do anything about it. If someone did management to add any additional software to the server after I add all file contents to git and clone it to a different server, I have strong confident I can detect any changes happen in the system with ease.
Patio11, I have great respect for you works, blogs, etc. Assume you can hack/overwrite any piece of code in that server to anyway you want, what kind of changes can make so my git clone/backup system failed to detect your changes?
Even if you can hack the git executable to tell me nothing has changes, I think when I do a remote git pull with the original git binaries, I can see the modifications. Right?
You may want to send your syslog to the remote server too. Like patio11 said, after the web server gets hacked, you cannot trust it anymore to do a legit git diff or store the legit log files. If you have a remote syslog, you can at least do forensics. (Except if your log server got hacked too...)
With a kernel based rootkit, git would never see the hidden files or would see a pristine version of the file.
I've encountered this before on pentests. Not only was it easy to subvert, when I popped the version control server I got access to the data of a dozen or so other servers.
This is called intrusion detection, and there are a number of ready-made products that do it more efficiently. For an example, see tripwire. This will easily handle /Applications/.
On first run it gets a hash of all the files, and then you schedule subsequent runs in cron to see what has changed.
The problem with any approach like this is that if it were in common use that it'd be easy for the malware to change tripwire itself to stop it from detection. It also won't detect something that only infects running processes, infects firmware, or otherwise leaves the local filesystem alone. That's why you'd want to have defense in depth, such as having a separate box monitoring traffic, looking for anomalies.
I'm not sure what the appropriate approach would be on a end-user machine. Any security measure that's implemented in software on the machine itself is a arms race against the malware authors. This has been going on for a long time in the Windows world, and I don't think there is anything fundamentally different about Linux and OS X that would protect them if they received the same amount of attention from malware authors.
Because iWorm extracts into a folder on OS X, users can check if their Mac is infected by navigating to "Go > Go to Folder" from the OS X Finder menu and typing in /Library/Application Support/JavaW. If OS X cannot find the folder, the computer is clear. If the folder is found, however, users are urged to employ an anti-virus program to wipe iWorm from their hard drive.
Of course, compromised system, so all bets are off and anything else may be installed. Hope is not a plan, and using an antivirus is only asking for hopeful solutions. I fear for the return of the scareware.
Users are urged to reinstall OS X from scratch and restore only user data from a Time Machine backup from the user setup dialog.
Alright, now how does this spread? How would I get this piece of malware onto my computer? Do I need to browse the web? Do I need to install a piece of software that is vulnerable?
That's what I care about, how can I protect myself against this, and saying "Buy Anti Virus software" is NOT the right answer.
All I see so far from other reports is that you would have had to install software, bypass the signing requirement and that software had to come from a less than legitimate location to carry with it the malware ...
You probably don't work as a malware analyst. This is a perfectly fine analysis.
Malware has been spreading the same way it always has: phishing, social engineering, application exploits. It's very rare that you actually see a new infection mechanism or a new zero-day just for a particular piece of malware. That's what makes malware like Stuxnet extremely exceptional.
All the people I know that have a mac and are not related with IT in any way, try or had tried at least to install a pirate version of some software. There you go, easiest vector.
The reddit thread [1] explains that the worm was posting information on /r/minecraftserverlists, presumably as a way to easily, anonymously, and publicly store and retrieve information.
Just last week in the thread on the twitter image bots [2] someone postulated:
>I wonder if you could build some kind of distributed neural net on top of twitter or another social network. Find some way to get nodes with very little computation power hidden within a free app, webpage, screensaver or something[1], and use twitter as a communications channel instead of IRC or whatever.
Guys, this is such obvious scare propaganda to sell you their anti-virus software (which I would be more scared about installing).
Basically their pitch is: Be afraid, be a afraid, there is this malware we have no idea how it gets to your computer, but we have it and have analyzed what it does. And did you know that if you had our antivirus program you would be completely safe.
And as it turns out it's just another trojan horse that has to be installed by user to work.
43 comments
[ 3.4 ms ] story [ 91.7 ms ] threadEdit: seriously? The first example is a shift cipher and a one time pad of all 'M'.
learn something new every day.
Code size and unusualness/uniqueness are goals here, as they're for obfuscation, not strong encryption - the code needs to be small, hard for an AV to recognise with a heuristic (so tables and baked constants are bad) and ideally amenable to being passed through a polymorphic/metamorphic mutation engine.
This particular headline (which, to be fair, does not come from the linked page) uses the word "exploit", but there is no evidence of what, if any, flaw is being exploited.
"Worm" has a rather specific meaning. It's malware that self-propagates through a network. Strictly construed, the only way this can happen is if there is a security flaw being exploited. A looser definition includes things like the infamous "ILOVEYOU" "worm", that automatically distributes itself, but requires user interaction to infect a target.
In this case, neither means of distribution is in evidence.
At this point, I'm skeptical that this "worm" exists at all.
It does exist, and it is detected by several vendors, not just Dr.Web.
http://www.reddit.com/user/vtnhiaovyd
As to where else a worm/virus can hide in your Mac: everywhere. Got a hard disk with writable firmware? It could be in the firmware. If you ask the firmware "Hey, apropos of nothing, do you contain a virus?" it will say "No, no, only totally authorized hard disk firmware here. Feel absolutely safe about reading executable instructions from me."
Sure, but in real life that's extremely unlikely. I never seen such a 'rootkit', meaning a rk complete at every level that disguises EVERYTHING (processes, connections, evades anti-rk software, etc.). It's been many years since the last time I was interested in security so things might have changed, but given the amount, time and effort that such a rootkit would take (to target specific OSes/versions) I'd say that it's highly unlikely unless it's gov-founded.
Edit: to downvoter, you may want to read Phrack April 2014, http://www.phrack.org/papers/revisiting-mac-os-x-kernel-root...
Isn't that the same as saying you'd only notice an incompetent attack?
I've seen this twice (public web server running a student's exploitable PHP followed by a kernel 0-day) – once it was possible to see it due to a bug in the hiding logic (IIRC it compromised ps but not /proc) but the other was unnoticeable on the box itself. This was a decade ago and it was neither uncommon nor particularly sophisticated back then – the actual kernel exploit used to install it was novel but the rootkit code was widely available.
I caught both of these attacks quickly because they were foolish enough to use IRC as a control channel and our IDS immediately caught the traffic – want to bet against someone realizing there are stealthier ways to report home?
git is written by Linus, open source, whole algorithm is based on file content change detection, base on hashes, etc.
If my server software is corrupted initially by XXX gov agency at the Debian website, well, I can't do anything about it. If someone did management to add any additional software to the server after I add all file contents to git and clone it to a different server, I have strong confident I can detect any changes happen in the system with ease.
Patio11, I have great respect for you works, blogs, etc. Assume you can hack/overwrite any piece of code in that server to anyway you want, what kind of changes can make so my git clone/backup system failed to detect your changes?
Even if you can hack the git executable to tell me nothing has changes, I think when I do a remote git pull with the original git binaries, I can see the modifications. Right?
Then you have a few log servers listening for those packets.
Even if the server gets hacked, you will get other ones with the full, correct, log.
Probably a good idea to make sure that at least one of them is on a read-only network port, too.
I've encountered this before on pentests. Not only was it easy to subvert, when I popped the version control server I got access to the data of a dozen or so other servers.
Would adding them to the git help detect this?
On first run it gets a hash of all the files, and then you schedule subsequent runs in cron to see what has changed.
The problem with any approach like this is that if it were in common use that it'd be easy for the malware to change tripwire itself to stop it from detection. It also won't detect something that only infects running processes, infects firmware, or otherwise leaves the local filesystem alone. That's why you'd want to have defense in depth, such as having a separate box monitoring traffic, looking for anomalies.
I'm not sure what the appropriate approach would be on a end-user machine. Any security measure that's implemented in software on the machine itself is a arms race against the malware authors. This has been going on for a long time in the Windows world, and I don't think there is anything fundamentally different about Linux and OS X that would protect them if they received the same amount of attention from malware authors.
Because iWorm extracts into a folder on OS X, users can check if their Mac is infected by navigating to "Go > Go to Folder" from the OS X Finder menu and typing in /Library/Application Support/JavaW. If OS X cannot find the folder, the computer is clear. If the folder is found, however, users are urged to employ an anti-virus program to wipe iWorm from their hard drive.
Users are urged to reinstall OS X from scratch and restore only user data from a Time Machine backup from the user setup dialog.
Looks like you have to install an unsigned app plus give it admin permissions, so not a worm.
That's what I care about, how can I protect myself against this, and saying "Buy Anti Virus software" is NOT the right answer.
All I see so far from other reports is that you would have had to install software, bypass the signing requirement and that software had to come from a less than legitimate location to carry with it the malware ...
Malware has been spreading the same way it always has: phishing, social engineering, application exploits. It's very rare that you actually see a new infection mechanism or a new zero-day just for a particular piece of malware. That's what makes malware like Stuxnet extremely exceptional.
https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZf...
Just last week in the thread on the twitter image bots [2] someone postulated:
>I wonder if you could build some kind of distributed neural net on top of twitter or another social network. Find some way to get nodes with very little computation power hidden within a free app, webpage, screensaver or something[1], and use twitter as a communications channel instead of IRC or whatever.
...
> Or a botnet, if you're feeling evil.
[1]http://www.reddit.com/r/news/comments/2i6rte/hackers_have_fo...
[2]https://news.ycombinator.com/item?id=8377985
Basically their pitch is: Be afraid, be a afraid, there is this malware we have no idea how it gets to your computer, but we have it and have analyzed what it does. And did you know that if you had our antivirus program you would be completely safe.
And as it turns out it's just another trojan horse that has to be installed by user to work.
http://www.thesafemac.com/iworm-method-of-infection-found/