To: 'hip' Re: iMac_Sux.dmg

--
Recently a reader nicked as 'hip' sent me the URL to an evil crapware file entitled 'iMac_Sux.dmg'. Here is his full message with the exclusion of the URL for downloading the file:

Wanna crash an iMac?
Just mount this .dmg file, then have a look at what MassStorageCamera is doing.
It will be consuming all RAM and processors!!

I am not providing the URL in order to avoid being accused of distributing the thing.

Thank you 'hip'! I checked out the website where the file is located and enjoyed it. I particularly enjoyed the page quotations from The Hipcrime Vocab by Chad C. Mulligan. The insights are refreshing after living amidst the Neo-Con-Job / Tea Party / FuxNews / News Corp / Rupert Murdock Regime gibberish age within the USA where intelligent thoughts and verifiable facts are out of fashion.

I ran the .dmg and it did exactly as expected, without crashing my MacBook 2 GHz from 2006-11. It also auto-opened the 'CameraWindow' application that I installed for my Canon camera. I checked through the code within the .dmg and am going to 'guestimate' that the resource scripting near the end is instructing Mac OS X to treat the entire boot volume as a camera image volume. I was too bizy and lazy to dig further.

Clearly this is a very simple call being made within the .dmg that fools Mac OS X into thinking the opening .dmg volume is a camera. Fascinating. The fault of course is in MassStorageCamera for being allowed to eat your Mac alive. As I've pointed out previously, even Intego's VirusBarrier application has race condition bugs.

My POV: I've studied coding as well as code project management. Coding these days is typically for applications, etc., that are so vast that no single human being can comprehend them. The result is coding-by-committee which in and of itself is a guaranteed mess. There is also the eternal pressure of 'Do Less With Less' from clueless biznizz management and nagging clients, none of whom comprehend the escalating difficulties of coding. Then there is the basic crappiness of the archaic coding languages we still use these days. Anything based on 'C' coding is going to have plenty of problems if only from buffer overflows, the single largest coding plague of our day. We're also stuck with ECMAScript for Internet scripting (which incorporates LiveScript/JavaScript, the JScript abomination from Microsoft and the ActiveScript mess from Adobe). Java continues to FAIL to live up to the hype, causing its own security and memory problems. Then there are the eternal security holes in PHP and SMB on and on.

I'm not at all surprised that Apple missed the bug inherent in the 'iMac_Sux.dmg' file. I can easily see them being aware of it and tossing it on the back burner if only because it does not represent a security or major crashing problem. Similar CPU and RAM devouring buggy code has been around for many years. What sucks most is when system calls can crash the entire computer. Not having an iMac around to play with, I can't verify that this file crashes the machine. But I am going to guess that with current Intel iMacs it does not.

Dr. Charlie Miller and Dino Dai Zovi have the current best Mac hacking & cracking & pwning etc. book available for Mac OS X entitled 'The Mac Hacker's Handbook'. Both of them have Twitter accounts to follow. Both are very amusing to read. Dr. Miller is brilliant at coming up with methods for testing and breaking into Mac OS X. This past spring he won yet another Pwn2Own contest. He gave a presentation at Black Hat this last week where, among other things, he revealed yet-another security hole in Adobe Acrobat and Reader.

Here is a fun interview with Dr. Miller from March:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

CONCLUSION: Expect security holes. Expect coding errors. There is no such thing as a perfect coder. There is no such thing as a perfect application or operating system.

I'll also add my usual coda: The only people I've ever heard or read saying that 'Macs never have security problems' are either NEWBIES or TROLLS. One of course never takes seriously the word of either of these species of human. It is well worth keeping track of Mac security. It is also well worth sorting out Mac security FUD from FACT.

BTW: Considering all of the above, what are the chances that humans will ever create Turing Test verifiable Artificial Intelligence? Not in my lifetime! No SkyNet worries.
;-D
--

Pwn2Own Browsers Hacked: IE 8, "Safari" and "Firefox"

--
This time of year is now one of traditional contention. It's time for Pwn2Own at CanSecWest. It is a fun contest held among security experts to crack the chosen subjects for each year. This year a selection of web browsers was used.

Of course after the contest there is lots of snickering and gossip. But for better or worse, what exactly happened at the contest is rarely revealed, meaning that the specific cracks used are not allowed to be published so they can be provided to the programmers of the cracked software for consideration and patching.

Questionable aspect of this year's contest: Windows 7ista was used in PC testing. It's in beta.

Losers so far this year:

1) "Safari" for Mac. I use quotes as I have not been able to find what version was used. Presumably it is the latest public release, and not the version 4 beta. It was cracked within 2 minutes. How cracked? Unstated. My speculation: That hell hole known as "JavaScript" which these days includes JScript, a holey mess perpetrated by Microsoft. Apple have consistently had JavaScript security problems, starting with QuickTime in 2006 over at MySpace.

2) "Firefox". Again I use quotes as I have not found the version number. Neither do I know which platform, which may well mean both Mac and PC. How cracked? Unstated.

3) Internet Explorer 8.0. This browser was JUST released. Oops. It should have stayed in beta. Again, specifics of the crack have not been made public.

For further details, keep an eye on the Security Watch blog at PC Magazine and the TippingPoint DVLabs blog. You can also follow TippingPoint's Twittering. The contest will conclude later today (Friday, 2009-03-20).
--

Update: The State Of Trojan OSX.RSPlug, aka the 'Porno Trojan'

The net-cracker effort to bring the 'RSPlug' Trojan horse from Windows over to Mac OS X continues apace. As of this week we are now up to version E, aka Trojan OSX.RSPlug.E. Again, this Trojan is showing up at scam pornography websites.

The difference with variants D and E, however, are particularly nefarious. Instead of the Trojan itself being the full payload of malware, it downloads the actual payload from the Internet. This means the Trojan can install literally anything into your system. It's not just for DNS forwarding phishing scams any more.

Of course, it will be possible to kill off the payload Internet sites one by one as sub-variants of D & E pop up. But once infected, a Mac could theoretically become zombied, which these days is the prime goal of net-crackers. Botnets can make big money. As was popularly reported last week, the taking down of one particular bot wrangler killed off as much as 70% of SPAM distribution for a few days. That's a massive botnet. Imagine the profit the bot wrangler was pulling in. Sadly, the botnet involved remained intact and another bot-wrangler stepped in to take advantage of it, restoring SPAM to its usual blasting volume.

You can read the details about Trojan OSX.RSPlug.E over at Intego's website.

One hilarious flagging giveaway of this Trojan is the continued laziness of the developers' social engineering method. Instead of altering their tease line to potential wetware victims, they left it exactly the same as the Windows version. This means that anyone who is both Mac and Windows savvy will realize immediately that something screwy is going on. The blunder is the tease line "Video ActiveX Object Error". For those who don't know, ActiveX is a scripting monstrosity perpetrated by Microsoft several years back. Yeah, it was another of their attempts to make the Internet proprietary. ActiveX is entirely irrelevant on Mac OS X, thank goodness, as it is a gigantic, wide open door for malware infection on Windows. The only web browser on Mac capable of running ActiveX rubbish is FireFox, and you have to specifically install an ActiveX extension. Therefore, for the moment, if you run into a "Video ActiveX Object Error" on a website, you have just run into an attempt to infect you with the Trojan OSX.RSPlug.
--