Malware Evolution: Mac OS X Vulnerabilities 2005 - 2006
by Claudiu Dumitru - Kaspersky Lab - Tuesday, 25 July 2006.
The worm drops two launchd property list files, com.openbundle.plist and com.pwned.plist, into the LaunchAgents directory so that it is started automatically whenever the victim machine is rebooted. The worm components themselves are dropped into /Users/ inside the archive w0rm-support.tgz.

Once the operating system has been restarted, com.openbundle.plist unpacks the worm components and com.pwned.plist executes the worm's main binary. Inqtana then attempts to replicate by scanning for devices with Bluetooth enabled and sends itself to any device found that accepts Object Exchange (OBEX) Push requests.
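As an added example (not code from the article, and not the worm's own files), the script below shows how a responder would triage a LaunchAgents directory for the persistence pattern just described: a job that starts at load and either unpacks an archive or runs a binary from a user-writable location. The article gives only the two plist file names and the archive's location, so every key, path and binary name in the sample plists is a constructed stand-in.

```python
"""Triage LaunchAgents plists for the Inqtana-style persistence pattern.

Added example; not from the article and not Inqtana's files. The plist
contents are constructed: the article names com.openbundle.plist and
com.pwned.plist and says w0rm-support.tgz lands in /Users/, but does not
print the plists, so the keys, paths and binary name are assumptions.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Locations a launchd job should not normally be loading code from.
UNTRUSTED_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")
# Tools that, as a job's program, mean the job exists to unpack something.
ARCHIVE_EXTRACTORS = {"/usr/bin/tar", "/usr/bin/unzip", "/usr/bin/ditto", "/usr/bin/gunzip"}
ARCHIVE_SUFFIXES = (".tgz", ".tar.gz", ".tar", ".zip", ".gz")

# Constructed sample agents, keyed by file name as a directory listing would give them.
SAMPLE_AGENTS: Dict[str, bytes] = {
    # Hypothetical content: unpacks the dropped archive at login.
    "com.openbundle.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.openbundle</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/tar</string><string>-xzf</string>
    <string>/Users/w0rm-support.tgz</string><string>-C</string><string>/Users</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # Hypothetical content: runs the unpacked binary (name assumed).
    "com.pwned.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.pwned</string>
  <key>ProgramArguments</key><array><string>/Users/w0rm-support/w0rm</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # A benign agent for contrast (hypothetical path).
    "com.example.benign.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


def audit_agent(filename: str, data: bytes) -> List[str]:
    """Return finding codes for one agent plist; an empty list means nothing was flagged."""
    agent = plistlib.loads(data)
    args = [a for a in agent.get("ProgramArguments", []) if isinstance(a, str)]
    program = agent.get("Program") or (args[0] if args else "")
    starts_itself = bool(agent.get("RunAtLoad") or agent.get("KeepAlive"))
    findings: List[str] = []
    # Auto-started job whose program or arguments point into a user-writable tree.
    if starts_itself and any(a.startswith(UNTRUSTED_PREFIXES) for a in [program, *args]):
        findings.append("untrusted-path")
    # Job whose only purpose is to unpack an archive (the com.openbundle role).
    if program in ARCHIVE_EXTRACTORS and any(a.endswith(ARCHIVE_SUFFIXES) for a in args):
        findings.append("unpacks-archive")
    # launchd convention: file name should be <Label>.plist; mismatches merit a look.
    label = agent.get("Label", "")
    if label and filename != label + ".plist":
        findings.append("label-mismatch")
    return findings


def audit_all(agents: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Audit a mapping of file name -> plist bytes."""
    return {name: audit_agent(name, data) for name, data in agents.items()}


def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Run the same checks over a real LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    return {p.name: audit_agent(p.name, p.read_bytes()) for p in Path(directory).glob("*.plist")}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_AGENTS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The checks are triage heuristics, not a verdict: plenty of legitimate user agents live under /Users/, so the output is a shortlist to inspect, with the unpacks-archive finding being the most specific to the staging behaviour described above.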

It was later discovered that Inqtana was written by the security researcher Kevin Finisterre, who created the worm as a proof of concept.

On 21 February, two zero-day exploits targeting Mac OS X appeared: Exploit.OSX.Safari.a, discovered by Michael Lehn, and Exploit.OSX.ScriptEx.a, discovered by Kevin Finisterre (the author of Inqtana). Both exploits received extensive coverage in the IT media.

Exploit.OSX.Safari.a targets Apple's web browser, Safari. Because Safari's "Open 'safe' files after downloading" option automatically opens downloaded ZIP archives, a ZIP file can be crafted so that merely downloading it from the Internet results in code being executed: the archive carries a shell script disguised as a harmless file, which the system launches once Safari has unpacked it. This vulnerability was patched in Apple Security Update 2006-001.

Exploit.OSX.ScriptEx.a exploits a vulnerability in the Apple Mail application for Mac OS X, triggered by a specially crafted attachment sent via email. The flaw is a buffer overflow that occurs when the Real Name field of a MIME-encapsulated Macintosh file (the AppleSingle/AppleDouble encoding described in RFC 1740) is parsed. A careful choice of Real Name length and content leads to arbitrary code execution, which can be used to install a Trojan or other malware, or to take complete control of the victim machine. This issue was fixed in Apple Security Update 2006-002.
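As an added example (not the article's code, not Apple Mail's parser and not the exploit itself), here is a bounds-checked parser for the AppleDouble header that carries the Real Name field, showing the two checks whose absence produces the bug class just described: a name longer than the buffer it is copied into, and a declared entry length larger than the data actually present. The header layout follows RFC 1740 and the AppleSingle specification as stated in the docstring; MAX_REAL_NAME, the Mac Roman decoding and the sample names are assumptions.

```python
"""Bounds-checked parser for the AppleDouble header that carries the Real Name.

Added example: not Apple Mail's parser and not the ScriptEx exploit. It
assumes the AppleSingle/AppleDouble layout from RFC 1740: big-endian magic
(0x00051607 for AppleDouble, 0x00051600 for AppleSingle), version 0x00020000,
16 filler bytes, a 2-byte entry count, then 12-byte descriptors of
(entry ID, offset, length), with entry ID 3 being the Real Name.
MAX_REAL_NAME is an assumed cap standing in for the fixed-size buffer a
native parser would copy the name into.
"""
import struct
from typing import Dict, Optional

APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
VERSION_2 = 0x00020000
ENTRY_REAL_NAME = 3
HEADER = struct.Struct(">II16xH")   # magic, version, 16 filler bytes, entry count
ENTRY = struct.Struct(">III")       # entry ID, offset, length
MAX_REAL_NAME = 255                 # assumed destination buffer size for the name


class MalformedHeader(ValueError):
    """Raised for anything that would drive an unchecked parser out of bounds."""


def parse_entries(blob: bytes) -> Dict[int, bytes]:
    """Return {entry_id: bytes}, validating every descriptor against the real data size."""
    if len(blob) < HEADER.size:
        raise MalformedHeader("truncated fixed header")
    magic, version, count = HEADER.unpack_from(blob, 0)
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC) or version != VERSION_2:
        raise MalformedHeader(f"unexpected magic/version {magic:#010x}/{version:#010x}")
    table_end = HEADER.size + count * ENTRY.size
    if table_end > len(blob):
        raise MalformedHeader("entry table runs past end of data")
    entries: Dict[int, bytes] = {}
    for i in range(count):
        eid, off, length = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        # Compare against the actual data length, never the declared one;
        # Python ints do not wrap, so off + length cannot overflow here.
        if off < table_end or off + length > len(blob):
            raise MalformedHeader(f"entry {eid} at [{off}, {off + length}) lies outside the data")
        entries[eid] = blob[off:off + length]
    return entries


def real_name(blob: bytes) -> str:
    """Extract the Real Name, refusing one longer than the buffer it is destined for."""
    name = parse_entries(blob).get(ENTRY_REAL_NAME, b"")
    if len(name) > MAX_REAL_NAME:
        raise MalformedHeader(f"Real Name of {len(name)} bytes exceeds {MAX_REAL_NAME}")
    return name.decode("mac_roman")   # assumed: classic Mac file names are Mac Roman


def build_header(name: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a minimal AppleDouble header with one Real Name entry (constructed input).

    declared_length lets a caller lie about the entry length, as a malicious
    attachment would, without changing the bytes that actually follow.
    """
    data_offset = HEADER.size + ENTRY.size
    length = len(name) if declared_length is None else declared_length
    return (HEADER.pack(APPLEDOUBLE_MAGIC, VERSION_2, 1)
            + ENTRY.pack(ENTRY_REAL_NAME, data_offset, length)
            + name)


def is_rejected(blob: bytes) -> bool:
    """True if the parser refuses the input instead of reading past a bound."""
    try:
        real_name(blob)
        return False
    except MalformedHeader:
        return True


if __name__ == "__main__":
    print(real_name(build_header(b"quarterly-report.doc")))
    print(is_rejected(build_header(b"A" * 4096)))                          # oversized name
    print(is_rejected(build_header(b"abc", declared_length=0x7FFFFFFF)))  # lying length
```

The second rejection is the one a native parser most often gets wrong: it trusts the 32-bit length in the descriptor and copies that many bytes into a fixed buffer, which is exactly the shape of the overflow described above. Checking offset and length against the bytes actually received, and capping the name at the destination size, closes both paths.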

On 19 April, Tom Ferris, a security researcher, disclosed another six zero-day vulnerabilities which would enable a remote malicious user to crash or hijack the victim machine.


Overall, malware has evolved enormously over the last couple of years. In the past, most authors of malicious code were seeking a place in the headlines; today, they are looking for financial gain. Apple's small share of the global personal computer market has, until now, protected Macs from the unwanted attention of malware authors. As Apple systems become more popular, this will change; once critical mass is reached, more malware will undoubtedly start to appear. Malware like IM-Worm.OSX.Leap.a and Worm.OSX.Inqtana.A and exploits like Exploit.OSX.Safari.a and Exploit.OSX.ScriptEx.a were all proof of concept code with no obvious malicious payload, but they showed that Mac OS X does contain security flaws, and that these can be used to compromise the system.

Whether the proof of concept code covered in this article will be used for financial gain in the near future remains to be seen. History, however, shows that once vulnerabilities are identified, malware writers are never far behind.
