Viruses for the Mac
Posted: Sun Jul 22, 2007 2:49 am
by pcmattman
Hi guys,
I was just wondering if anyone knows of any easy ways to get a virus onto a Mac - one of my friends is totally obsessive over how great Apple is (pathetic) and I feel like showing them that the Mac does crash, can get viruses, and suffers from much the same problems as any PC.
Of course this is with malicious intentions
Even if it's not to actually get the virus onto their PC, just some proof that it can happen would be really nice
Posted: Sun Jul 22, 2007 4:31 am
by Brynet-Inc
Do you really want to get involved with that sort of thing? Security auditing is one thing... showing off is another.
Posted: Sun Jul 22, 2007 6:17 am
by Kevin McGuire
If you have a computer on the same network segment you can sniff for a DNS request, and since you are so close (able to beat the latency of the real DNS server easily) you can send a fake DNS reply with your machine as the IP address for resolving the domain name.
Then, build or use a proxy which will transparently forward the HTTP requests. Upon getting an HTTP request for a certain file you can send them the wanted executable instead of the requested file, but only do this for the first request of the needed file type and then every other X requests.
Boils down to DNS poisoning and HTTP tunneling with injection.
If the executable can send a signal such as a rogue 802.3 frame, then you could actually know when the process has completed and stop poisoning the client with DNS replies.
Posted: Sun Jul 22, 2007 8:18 am
by frank
Kevin McGuire wrote:If you have a computer on the same network segment you can sniff for a DNS request, and since you are so close (able to beat the latency of the real DNS server easily) you can send a fake DNS reply with your machine as the IP address for resolving the domain name.
Then, build or use a proxy which will transparently forward the HTTP requests. Upon getting an HTTP request for a certain file you can send them the wanted executable instead of the requested file, but only do this for the first request of the needed file type and then every other X requests.
Boils down to DNS poisoning and HTTP tunneling with injection.
If the executable can send a signal such as a rogue 802.3 frame, then you could actually know when the process has completed and stop poisoning the client with DNS replies.
Doesn't this mean that you have to wait until they download an executable that they want to run? Or could this work with other types of files? I don't exactly think that hijacking HTML could do that much harm unless you could get it to take advantage of a known weakness in the browser or execute a file transparently. Maybe I missed something?
Posted: Sun Jul 22, 2007 10:29 am
by Kevin McGuire
Yes. You would have to wait until they downloaded an executable that they wanted to run -- there are still hundreds of ways left...
Posted: Sun Jul 22, 2007 11:11 am
by Kevin McGuire
I would even imagine that there is a way to do a man in the middle attack for HTTPS connections to Windows Update where you could inject arbitrary code in real time into some or all components being downloaded.
It would just be a matter of re-emitting the PE32 (and/or DLL) headers for the files being downloaded, inserting an alternate start routine for when a DLL or PE32 was loaded and then having that call the real routine. All DLLs will execute a routine when loaded into memory to allow them to initialize, which is exactly like a PE32 without a DLL header.
I am not sure if Windows Update uses HTTPS, but the point is still the same no matter what they use.
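The header rewrite Kevin describes (pointing the entry point at an inserted routine that later jumps to the original) leaves traces in the PE headers that the receiving side can check before running anything. The following is an added example by the editor, not code posted in this thread: it parses the COFF, optional and section headers and flags an entry point that lands in a writable section, in the last section, or outside the section that BaseOfCode names. The two sample images are assembled in memory from headers only (constructed test data, no real code), and the checks are heuristics chosen for this illustration, not a definitive test.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_DLL = 0x2000

def parse_pe(data):
    """Minimal PE32/PE32+ header parser: entry RVA, BaseOfCode, DLL flag, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry, base_of_code = struct.unpack_from("<II", data, opt + 16)   # AddressOfEntryPoint, BaseOfCode
    sections = []
    table = opt + opt_size
    for i in range(nsect):
        name, vsize, va, rawsize, _rawptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": max(vsize, rawsize), "chars": sc})
    return {"entry": entry, "base_of_code": base_of_code,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}

def section_for(rva, sections):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None

def audit_entry_point(data):
    """Return the section holding the entry point plus a list of suspicious findings (heuristics)."""
    pe = parse_pe(data)
    findings = []
    sect = section_for(pe["entry"], pe["sections"])
    if sect is None:
        return {"entry": pe["entry"], "section": None, "findings": ["entry point lies outside every section"]}
    if not (sect["chars"] & IMAGE_SCN_CNT_CODE and sect["chars"] & IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry section not marked as executable code")
    if sect["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section is writable and executable")
    if len(pe["sections"]) > 1 and sect is pe["sections"][-1]:
        findings.append("entry point in the last section (typical of an appended stub)")
    code = section_for(pe["base_of_code"], pe["sections"])
    if code is not None and code is not sect:
        findings.append("entry point outside the BaseOfCode section")
    return {"entry": pe["entry"], "section": sect["name"], "findings": findings}

def build_pe(sections, entry_rva, is_dll=False):
    """Assemble just enough of a PE32 image (headers only, constructed) to exercise the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)                 # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    first_code = next(s["va"] for s in sections if s["chars"] & IMAGE_SCN_CNT_CODE)
    struct.pack_into("<II", opt, 16, entry_rva, first_code)            # entry, BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                    # section/file alignment
    table = b"".join(struct.pack("<8sIIIIIIHHI", s["name"].encode().ljust(8, b"\0"), s["vsize"], s["va"],
                                 s["vsize"], 0x400 * (i + 1), 0, 0, 0, 0, s["chars"])
                     for i, s in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(opt) + table

TEXT = {"name": ".text", "va": 0x1000, "vsize": 0x2000, "chars": IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ}
DATA = {"name": ".data", "va": 0x3000, "vsize": 0x1000, "chars": IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE}
STUB = {"name": ".stub", "va": 0x4000, "vsize": 0x1000, "chars": TEXT["chars"] | IMAGE_SCN_MEM_WRITE}

CLEAN_PE = build_pe([TEXT, DATA], entry_rva=0x1200)                    # entry inside .text
PATCHED_PE = build_pe([TEXT, DATA, STUB], entry_rva=0x4000, is_dll=True)  # entry redirected to appended .stub

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("patched", PATCHED_PE)):
        print(label, audit_entry_point(img))
```

The check runs on headers alone, so it costs nothing before a download is executed; a real verifier would of course also check the Authenticode signature, which any header rewrite of the kind described above breaks.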
Posted: Sun Jul 22, 2007 11:25 am
by Colonel Kernel
LOL... As Kevin's replies suggest, while it is possible to p0wn a Mac, it is not necessarily easy.
If you really want to carry this thought experiment through, try to replicate these conditions:
- The Mac must be infected from a machine outside your local network (on the other side of your firewall).
- The Mac must be infected with no intervention from the end user (remember how the Outlook preview pane used to run ActiveX controls linked by HTML e-mails?). If that's too difficult, try to sneak it in an e-mail attachment that the user can't resist opening. First, see how hard it is for users of Mail.app to actually do this by accident.
- Your virus must be able to p0wn the entire machine, not just delete some of the user's own files. In other words, get it to run as root (good luck with that).
IMO you will have a much easier time fulfilling all these conditions while trying to infect Windows than Mac OS X (although in theory Vista should be much more secure than XP, as long as UAC is on... oh wait, everybody turns UAC off because it's bloody annoying. ).
Posted: Sun Jul 22, 2007 4:07 pm
by pcmattman
@Colonel Kernel: you're biased...
Anyways, I'll just have to live with the "apple is so much better than anything else" until I can start selling my OS
Posted: Sun Jul 22, 2007 9:55 pm
by Colonel Kernel
pcmattman wrote:@Colonel Kernel: you're biased...
I never said I wasn't.
My point was that showing that you can exploit some vulnerability under some highly constrained circumstances is a pretty hollow victory.
Anyways, I'll just have to live with the "apple is so much better than anything else" until I can start selling my OS
That's the spirit!
Posted: Sun Jul 22, 2007 9:57 pm
by pcmattman
Colonel Kernel wrote:My point was that showing that you can exploit some vulnerability under some highly constrained circumstances is a pretty hollow victory.
Depends. What sort of firewall does the Mac have? Assuming I have the IP of the person, would it work across the net or do I have to be on the same LAN?
Posted: Sun Jul 22, 2007 10:38 pm
by Colonel Kernel
pcmattman wrote:Colonel Kernel wrote:My point was that showing that you can exploit some vulnerability under some highly constrained circumstances is a pretty hollow victory.
Depends. What sort of firewall does the Mac have?
It's based on ipfw.
Assuming I have the IP of the person, would it work across the net or do I have to be on the same LAN?
Depends on whether they're using NAT or not. But how often are Windows machines hacked from within the same LAN? IMO the vast majority of breaches happen over the net. You're not making much of a point if you can't duplicate the same conditions as your typical Windows p0wnage...
Posted: Sun Jul 22, 2007 10:40 pm
by pcmattman
Colonel Kernel wrote:You're not making much of a point if you can't duplicate the same conditions as your typical Windows p0wnage...
I try to hack machines on my own network. We use Norton Internet Security on each one and I have yet to figure out how to get past its firewall...
Posted: Mon Jul 23, 2007 1:58 am
by Kevin McGuire
As far as I know someone who wants to gain access to a certain machine would normally start far away and move closer to that machine.
Such that from what I have seen they start with a router that is maybe on the ISP, then move forward in an attempt to gain more ground by sooner or later getting on the same network segment as the actual target machine.
You know if someone can approximate the DNS sequence number then they can send spoofed DNS replies from over the internet using UDP to poison a remote computer's cache, if I am correct.
I have no idea how hard it is, but I do know that it is possible.
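Kevin's two scenarios in this thread, racing the real resolver's reply from the same segment (his earlier post) and guessing the transaction ID from across the internet (this post), share one observable on the victim's segment: a reply that matches no outstanding query, or a second reply to the same query carrying different answers. The following is an added example by the editor, not code posted in this thread. It builds a handful of DNS packets as constructed test traffic (the hostnames, addresses and transaction IDs are made up), parses them, and raises the two alerts; the alert names and the detection rules are the editor's choice.

```python
import struct
from collections import defaultdict

def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(pkt, off):
    """Decode a DNS name at pkt[off], following compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, jumped = [], None, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                                  # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        if ln == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), (end if jumped else off)

def build_query(txid, name):
    """Standard recursive A query (constructed test traffic)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip, ttl=300):
    """Reply with one A record; the answer name is a pointer (0xC00C) back to the question."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + question + answer

def parse(pkt):
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4                                               # QTYPE + QCLASS
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:                          # A record
            answers.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}

def detect_spoofing(packets):
    """Walk DNS packets as seen on the client's segment and return alerts.
    'unsolicited': reply whose TXID/name matches no outstanding query (blind TXID guessing).
    'conflicting': a further reply to the same query with different A records (a reply race)."""
    pending, seen, alerts = {}, defaultdict(list), []
    for pkt in packets:
        m = parse(pkt)
        if not m["is_response"]:
            pending[m["txid"]] = m["qname"]
            continue
        if pending.get(m["txid"]) != m["qname"]:
            alerts.append(("unsolicited", m["txid"], m["qname"], m["answers"]))
            continue
        if any(set(prev) != set(m["answers"]) for prev in seen[m["txid"]]):
            alerts.append(("conflicting", m["txid"], m["qname"], m["answers"]))
        seen[m["txid"]].append(m["answers"])
    return alerts

# Constructed capture: a LAN race (two answers to 0x1234) and one blind guess (0x1235).
SAMPLE_CAPTURE = [
    build_query(0x1234, "update.example.com"),
    build_response(0x1234, "update.example.com", "192.168.1.50"),  # attacker's reply, arrives first
    build_response(0x1234, "update.example.com", "203.0.113.10"),  # real resolver, arrives late
    build_response(0x1235, "update.example.com", "192.168.1.50"),  # wrong TXID guess from off-segment
    build_query(0x2222, "www.example.org"),
    build_response(0x2222, "www.example.org", "203.0.113.20"),     # normal exchange, no alert
]

if __name__ == "__main__":
    for kind, txid, name, ips in detect_spoofing(SAMPLE_CAPTURE):
        print(f"{kind}: txid=0x{txid:04x} {name} -> {ips}")
```

The stub resolver itself only sees the first matching reply, which is exactly why the race works; a passive sensor on the same segment sees both and can flag the disagreement. A real sensor would key on the UDP source port as well as the TXID, which is the other value a blind off-segment guesser has to get right.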
Posted: Sun Jul 29, 2007 9:51 pm
by Ninjarider
From something I read a long time ago, back in like 2002 or 2003, the hardest firewall to get through was BlackICE. As far as getting through the firewall, all you have to do is wait for them to download an executable, or send them an email with a link to a spoofed website that they could not resist.
Posted: Mon Jul 30, 2007 2:51 am
by Solidus117
Ninjarider wrote:From something I read a long time ago, back in like 2002 or 2003, the hardest firewall to get through was BlackICE. As far as getting through the firewall, all you have to do is wait for them to download an executable, or send them an email with a link to a spoofed website that they could not resist.
ZoneAlarm is pretty darn good.