InfiniteMac OSx86  
  #11  
Old 04-21-2009, 10:02 PM
Taisto's Avatar
Taisto Taisto is offline
 
Join Date: Jan 2008
Location: TriCity, Poland
Posts: 517
If you know that there is something which shouldnt be there - for example the known thing with iWork, than yes, maybe you can avoid itd. But usually users dont know that there might be some extra package with malicious software inside - thats the bad thing. I wonder how it will develop - Mac users are quite easy target for this kind of things as most of them are 100% sure that Macs are resistant to all "bad windows things" what well, is not true...


www.ultimae.com
Panoramic music, for panoramic people.

AMD Phenom II X6 3.5Ghz
AMD 990FX Chipset
Kingston HyperX 16GB 1600Mhz
AMD Radeon HD6850 X2 CrossFire
Seagate Barracuda Green 2TB
Reply With Quote
  #12  
Old 04-21-2009, 11:01 PM
naquaada's Avatar
naquaada naquaada is offline
 
Join Date: Jan 2008
Location: Germany
Posts: 1,216
Viruses are everywhere. I even had one on my C64! Normally you type LOAD"$",8 to get the directory of a floppy disk, if you do this on an infected disk you got a reverse bar LOAD">",8,1 diplayed, like a normal disk command. If you load this, you'll get the directory shown. If you examine the disk with GEOS or an directory editor you'll find two additional files, named < and >. If you delete one of these files you couldn't read the directory with LOAD"$",8 anymore. I'm not sure, but I had a feeling this thing copied itself on other disks.The directory of C64 disks is very easy to manipulate, you can save ascii control codes in normal filenames, so if you save a BASIC program with the command SAVE"HI"+CHR$(147),8 every time the screen will be cleared if you're listing the directory. Another thing is, the Commodore floppy drives have it's own CPU, ROM and RAM which is independent from the computer. So it's always possible that the computer's RAM is virus-free, but the memory of the disk station is still infected.

A friend had the one-half-virus on this DOS machine, I think it was a 486. This nasty virus installed one half in the MBR, the other half was attached to any other file which was found. If the MBR was rewritten, f.e. by a virus prog which only checks the MBR, then all files on the harddisks aren't readable anymore...

On the Amiga viruses were mostly in the bootblocks on the disks which was 1K in size. Normally they didn't do any harm, but it was nasty, and the viruses spreaded heavily because at these times the disk copying and sharing was very common in school. The Amiga has an extreme good capability for reset-proof memory, so a virus could stay all the day in the RAM. Another Virus was the SADDAM virus which infected L: Disk-Validator, a tool which checked the integrity of a disk or harddisk. This tool was on any disk, so this virus wasn't funny at all. Since Kickstart 2.0 the DIsk-Validator was stored in the ROM, so the virus was outdated.

At these times viruses had cool names, Byte Bandit, Lamer Exterminator... today its mostly a stupid Win32/somethingelse.

2 Opteron systems: OSx86 10.5.8, Andy's 9.8.0 kernel, Asus A8N-SLI Premium, Opteron 185 o'clocked @ 2 x 2,95 GHz (2nd system 2.6 GHz), ATI Radeon HD2600XT 256MB Dual-Monitor 2x HP L2035, 4 GB RAM, Griffin FireWave as main audio device, Marvell + nForce LAN, Asus U3S6 USB3/SATA6 card, 5,5 TB harddisk, Firewire 800 card, Apple Remote + eHome IR receiver, 2x Wacom serial graphics tablet, Canon Pixma iP4700, Logitech Internet Navigator wireless keyboard/mouse combination.

My Audio stuff: M-Audio Transit USB (default audio), M-Audio ProFire 610, M-Audio ProFire Lightbridge (34 channels) using Creamware A16 ADAT converter MIDI: M-Audio Midiman 4x MIDI interfaceBehringer Audio Mixers: Xenyx 1002, Xenyx 1002FX, Xenyx 1202FX, Eurorack UB1002FX, Eurorack MX1804FX, Eurorack MX262A • FX devices: Lexicon MPX100 DSP, Behringer DSP-1000 Virtualizer, Behringer MiniFEX 800 DSP, Behringer Multicom Pro MDX4400 compressor RETRO: MSSIAH midi/sequencer/synthesizer cardridge for the C64 (Dual-SID), Steinberg M.S.I. MIDI Interface for C64
Reply With Quote
  #13  
Old 04-22-2009, 01:57 AM
MoC's Avatar
MoC MoC is offline
Jaguar
 
Join Date: Feb 2009
Location: New York City
Posts: 67
Off Topic

My favorite DOS virus (I forgot the name) but you used to have EDIT or some other editor open (I forget) and you would start working and after half the page was filled with writing, the text would fall off the screen. Loved it, I still have a copy!

Lenovo D20 8 Core Thinkstation:
[Intel 5520 Motherboard | Two Intel Xeon E5504 @ 2GHz | 4GB DDR3 RAM | Mac OS X Snow Leopard 10.6.3 (running in full LP64!) | nVidia Quadro FX 580 Dual HDMI + DVI 512 MB| DVD +RW DL]

iBook G4:

[14" Mid 2005 | 1 GB RAM | 80 GB HDD | SuperDrive | Mac OS X Leopard 10.5.5]

Reply With Quote
  #14  
Old 04-22-2009, 03:30 PM
Dies Dies is offline
Jaguar
 
Join Date: Sep 2008
Posts: 89
Quote:
Originally Posted by erick2red View Post
We can open the package with Pacifist and look into it? dont we?
Then if there's a threat, we can act in consequence.
Like Taisto said, you would first have to know exactly what is supposed to be there and what's not. Then you would also need to ensure that what is supposed to be there hasn't been modified in any way.

You would also have to examine any scripts ( preflight, postflight ), since you could easily include a payload in one of those scripts without modifying any of the other contents.

i.e.

Code:
mkdir -p /System/InstallAtStartup/Scripts
touch /System/InstallAtStartup/Scripts/1
cat > /System/InstallAtStartup/Scripts/1 << EOF

# Do your dirty work here with full root priviledges while system loads ;-)

EOF
What you could do from that script is only limited by your imagination - bash skills.


BTW, I completely agree with whoever said that this should be an even bigger concern within the "OSX86" scene. That's why I think a retail install with only those mods that are absolutely necessary is the best way to go.
Reply With Quote
  #15  
Old 04-22-2009, 04:39 PM
erick2red's Avatar
erick2red erick2red is offline
Tiger
 
Join Date: Dec 2008
Location: Santiago de Cuba, Cuba
Posts: 303
@Dies, @Taisto: My point is, if we can open the package, with an alter if enough so we don't get caught by that. It's not like we need to crack a binary file or something to get rid of it.
JUST SOMEONE TELLS AND YOU CAN DO IT YOURSELF.

CPU: Intel Pentium Dual E2140 1.6 GHz. Graphics: Intel(R) 82945G (128 MB). Board: Asus P5GC-TVM/S Chipset: Intel Lakeport-G i945GC. HDD: 232 Gb S-ATA Samsung
Version 10.6.2 32bit. Kernel: Vanilla. Audio: VoodooHDA 0.2.2 with prefpane. Video: Stock GMA. PS2 fix: VoodooPS2
USB 2 not working

Acer Aspire 4530-6823
CPU: AMD Athlon™ X2 QL-62 2.0GHz. Graphics: Integrated GeForce® 9100M G. Chipset: nForce® MCP77MH.
Reply With Quote
  #16  
Old 04-22-2009, 04:41 PM
naquaada's Avatar
naquaada naquaada is offline
 
Join Date: Jan 2008
Location: Germany
Posts: 1,216
What do you do if the trojan hides in an system file of the installer package, f.e. Resources/InstallationCheck? Ow man, we're listing a massive listing of ideas here...

2 Opteron systems: OSx86 10.5.8, Andy's 9.8.0 kernel, Asus A8N-SLI Premium, Opteron 185 o'clocked @ 2 x 2,95 GHz (2nd system 2.6 GHz), ATI Radeon HD2600XT 256MB Dual-Monitor 2x HP L2035, 4 GB RAM, Griffin FireWave as main audio device, Marvell + nForce LAN, Asus U3S6 USB3/SATA6 card, 5,5 TB harddisk, Firewire 800 card, Apple Remote + eHome IR receiver, 2x Wacom serial graphics tablet, Canon Pixma iP4700, Logitech Internet Navigator wireless keyboard/mouse combination.

My Audio stuff: M-Audio Transit USB (default audio), M-Audio ProFire 610, M-Audio ProFire Lightbridge (34 channels) using Creamware A16 ADAT converter MIDI: M-Audio Midiman 4x MIDI interfaceBehringer Audio Mixers: Xenyx 1002, Xenyx 1002FX, Xenyx 1202FX, Eurorack UB1002FX, Eurorack MX1804FX, Eurorack MX262A • FX devices: Lexicon MPX100 DSP, Behringer DSP-1000 Virtualizer, Behringer MiniFEX 800 DSP, Behringer Multicom Pro MDX4400 compressor RETRO: MSSIAH midi/sequencer/synthesizer cardridge for the C64 (Dual-SID), Steinberg M.S.I. MIDI Interface for C64
Reply With Quote
  #17  
Old 04-22-2009, 05:13 PM
erick2red's Avatar
erick2red erick2red is offline
Tiger
 
Join Date: Dec 2008
Location: Santiago de Cuba, Cuba
Posts: 303
Ok there's always a trick, you can always win, but man, there's great harm, at least were so far from MS software.... Since i'm became part of the community i heard about two or three threats, and man, two month ago MS reported like hundreds of its. I'm so happy about using this safe.
The other point, is real too:
Quote:
Originally Posted by Dies
No viable OS can or should stop it's owner from doing something stupid if they choose to.

CPU: Intel Pentium Dual E2140 1.6 GHz. Graphics: Intel(R) 82945G (128 MB). Board: Asus P5GC-TVM/S Chipset: Intel Lakeport-G i945GC. HDD: 232 Gb S-ATA Samsung
Version 10.6.2 32bit. Kernel: Vanilla. Audio: VoodooHDA 0.2.2 with prefpane. Video: Stock GMA. PS2 fix: VoodooPS2
USB 2 not working

Acer Aspire 4530-6823
CPU: AMD Athlon™ X2 QL-62 2.0GHz. Graphics: Integrated GeForce® 9100M G. Chipset: nForce® MCP77MH.
Reply With Quote
  #18  
Old 04-22-2009, 05:33 PM
naquaada's Avatar
naquaada naquaada is offline
 
Join Date: Jan 2008
Location: Germany
Posts: 1,216
That's for sure: The main error source always sits before the computer

2 Opteron systems: OSx86 10.5.8, Andy's 9.8.0 kernel, Asus A8N-SLI Premium, Opteron 185 o'clocked @ 2 x 2,95 GHz (2nd system 2.6 GHz), ATI Radeon HD2600XT 256MB Dual-Monitor 2x HP L2035, 4 GB RAM, Griffin FireWave as main audio device, Marvell + nForce LAN, Asus U3S6 USB3/SATA6 card, 5,5 TB harddisk, Firewire 800 card, Apple Remote + eHome IR receiver, 2x Wacom serial graphics tablet, Canon Pixma iP4700, Logitech Internet Navigator wireless keyboard/mouse combination.

My Audio stuff: M-Audio Transit USB (default audio), M-Audio ProFire 610, M-Audio ProFire Lightbridge (34 channels) using Creamware A16 ADAT converter MIDI: M-Audio Midiman 4x MIDI interfaceBehringer Audio Mixers: Xenyx 1002, Xenyx 1002FX, Xenyx 1202FX, Eurorack UB1002FX, Eurorack MX1804FX, Eurorack MX262A • FX devices: Lexicon MPX100 DSP, Behringer DSP-1000 Virtualizer, Behringer MiniFEX 800 DSP, Behringer Multicom Pro MDX4400 compressor RETRO: MSSIAH midi/sequencer/synthesizer cardridge for the C64 (Dual-SID), Steinberg M.S.I. MIDI Interface for C64

Last edited by naquaada; 04-22-2009 at 05:36 PM.
Reply With Quote
  #19  
Old 05-02-2009, 01:05 AM
andyvand's Avatar
andyvand andyvand is offline
 
Join Date: Apr 2009
Location: Tienen
Posts: 515
Quote:
Originally Posted by naquaada View Post
A friend mailed me some information about a possible trojans which could be included in iWork '09 and Photoshop CS4 t*rrents. Take a look here. Sry, it's a Google translation.

Anyway, how big is the danger of trojans and viruses in OS X? I don't care a bit about them, but I didn't cared in Windows, too. And I had always less than 10 problematic files on my system which were harmless, only indentified as trojans from my antivirus program.
Yeah it is possible to infect an OS X binary using universal binaries...
I have examples and code that demonstrate how this can be done...
It is quite unsetteling that it is possible to infect an universal binary with a smaller trojan (being prior to the other executable) which next executes the other binary after launch...
I've tested this with a hello world app injected before zip...
It showed "Hello world!" and next the help with zip --help...
I hope Apple will figure out a way around this...
phrack.org has a full article (and old example code which can be adapted) under the article: XNU Wars a new hope...
I would recommand allways checking the binaries inside the executables with file (under Terminal)...
The extra part does show up and if one opens the 0xCAFEBABE universal binary with a hex editor one can easily see the extra links being done at the start...



💡 Deploy cloud instances seamlessly on DigitalOcean. Free credits ($100) for InfMac readers.


Last edited by andyvand; 05-02-2009 at 01:08 AM.
Reply With Quote
Reply
Thread Tools
Display Modes