Is Mac OS X Rape worm deadly serious?

A blogger claiming to have written a worm -- called Rape.osx -- for Apple Mac OS X has received death threats.

Last weekend in the US, someone using the name Infosec Sellout posted on the BugTraq mailing list news of a worm exploiting a vulnerability in mDNSResponder -- a component of Apple's Bonjour automatic network service.

Apple patched the mDNSResponder vulnerability in May, but the author claims there remains an unpatched vulnerability. He also claims to have a proof-of-concept worm ready to go but says he won't release it. In a security vendor blog, McAfee quotes the author as saying he was compensated for this work.

The author suffered harsh criticism from security colleagues for hiding behind a pseudonym, and for not providing any proof of the worm. He also reportedly received death threats in reader posts to his blog site.

In response, Infosec Sellout says in a blog post that he removed all prior postings on his blog site. Yet, last night in the US someone else claiming to be Infosec Sellout claims the site in question, called Security Information, is not the real Infosec Sellout blog site, but a hijacked site, hence the lack of prior posts.

One of the names thought to be behind the hijack of Infosec Sellout is David Maynor of Errata Security, who might be using the name "LMH".

Last summer, during BlackHat USA, security researchers David Maynor and Johnny Cache disclosed a wireless vulnerability using an Apple Computer Macbook. The team found that malformed network traffic could allow the laptop to be compromised, and they provided a video of the attack.

The researchers did use a third-party wireless card for their video demonstration, but said repeatedly that the Apple Airport wireless driver was also vulnerable. Two months after BlackHat, Apple quietly released a patch for a vulnerability which, had it been exploited, could have compromised the Airport wireless drivers in MacBooks.

This morning in a post on the Fuzzing mailing list, someone calling himself David Maynor responded. In a post called "The Truth", the author using the name LMH says he is David Maynor and then proceeds to confess that after last summer he needed to hide behind the name "LMH" to get the word out about new vulnerabilities.

Yet if you go over to the Errata Security blog site, the real David Maynor says the Fuzzing mailing list post is a sham, and cites several factual errors.

ZDNet Australia's sister site CNET News.com took the text and put it through Hacker Factor Solutions' Gender Guesser, and it appears a male did indeed write the Fuzzing post.

Yet, based on the words chosen and sentence length, the tool also suggests it was a male European who wrote it. David Maynor has been based near Atlanta, Georgia for years.

Despite the intrigue, the malware threat to Mac customers is growing. Apple has plugged around 100 vulnerabilities in OS X so far this year.

Software vendor CA's VP of development, Eugene Dozortsev, in a video interview with ZDNet Australia last month said: "... the Mac is as vulnerable as everything else ... Don't make any false assumptions that there are no viruses on Mac. A lot of things like trojans and e-mail worms [affect the Mac] the same as they would in the PC world."

Dr Jan Hruska, who co-founded antivirus firm Sophos and was one of the first ever PC antivirus experts, agreed that Apple Macs are not a virus-free platform. "Viruses on the Mac are here and now. They are available and they are moving around -- it is not as though the Mac is in some miraculous way a virus free environment," he said in a video interview early last month.

A recent threat, for example, that affected some Mac users was called Badbunny, which was a worm that threatened OpenOffice documents. However, it was attacking the open source office productivity suite rather than the Apple platform itself.

ZDNet Australia's Munir Kotadia contributed to this report.


Talkback 7 comments

    Curious Anonymous -- 20/07/07

    Can we mac users get a list of these virus that are here and now and moving around??

    Sure would be super.

    Rubbish journalism Jeremy -- 20/07/07 (in reply to #320083135)

    Curious that a "journalist" would let a comment like "a Mac is vulnerable as everything else" pass and not ask, say, "could you name any in the wild viruses?" So in an effort to actually inform your readers rather than just FUD them, here are the names of some Mac viruses:

    There yah go. So 20million + MacOSX users and 7 years and counting we come up with 0 viruses and malware. It's not safe because it's obscure, it's safe because of design. It's not about numbers of vulnerabilities patched, it's about numbers that are _exploited_. Mac 0 PC 10,000+

    So all those worried PC users who worry about opening emails, worry about web browsing and hey doing just about anything on a PC. Come over and join us. The water is fine. Just feel sorry for a PC industry and the "journalists" who rely on that industry to sustain them and who for years have propped up the lie that Windows is attacked because it's popular, and not because it sucks. And hey, we can sell you this great anti-virus software. Right, listen to those people when you buy a new PC.

    thank you and good night

    By Design... Wilbert -- 22/07/07 (in reply to #320083156)

    IM-Worm.OSX.Leap
    Virus.OSX.Macarena
    Worm.OSX.Inqtana.A
    Exploit.OSX.Safari.a
    Exploit.OSX.Script-Ex
    Rootkit.Mac.Weapox.a
    Rootkit.OSX.Weapox.b

    So all these vulnerabilities are by design... you say.

    You're joking, right? Jeremy -- 22/07/07 (in reply to #320083225)

    Macarena and the rootkits had to be _installed_ by hand. You had to download them manually, unstuff them, run the executable, type in ok to run them for the first time, then type in the admin password. And after all that they didn't work because the root account on OSX isn't enabled by default.

    They aren't viruses, they're proof of concept Trojans and were not released into the wild. Viruses self propagate without user interaction. And those Trojans couldn't even propagate, each infection had to be manually installed. The only one that _may_ have actually infected someone is the Leap virus. That one also had to be run and installed manually as well. It tried to self propagate via iChat but failed. All the remaining ones were "proof of concept" and never released into the wild and have since been patched. Some of those are over 3 years old now anyway.
    Updates on the mac are automatically downloaded, so any future vulnerabilities are quickly patched and eliminated if/when they appear. So to be vulnerable _now_ to those attacks you'd have had to be disconnected from the net for the past 3 years. And if you did reconnect you'd be vulnerable only as long as it took to download the updates. Say a half hour? And didn't go thru the 5 step process to manually install the trojans by hand.

    Compare that to the 160,000 and counting Windows viruses, trojans, worms and adware on the PC. On a PC everything runs as root and viruses just hijack the many open ports and the lame scripting system to tell the PC to do whatever it likes without user interaction.

    On every other multi user/permissions based OS out there you need user interaction to install and run software and each executable has differing levels of permissions. So that even if something gets installed it's limited in the damage it can do.

    Windows was never designed to be a multi-user or network accessible OS. As such it never had sensible security built in from the beginning, just bolted on haphazardly afterwards and with more regard for crushing competition rather than user safety. The current situation with the Windows security nightmare is the result.

    Windows has only ever been "good enough". Is that good enough when your security, privacy and bank details are at stake?

    The sad thing is because of articles like the above it gives the impression that all computers are just as insecure as Windows. And the industry seems determined to keep that myth alive.

    thank you and good night

    No, I'm not joking Wilbert -- 23/07/07 (in reply to #320083226)

    "They aren't viruses, they're proof of concept Trojans and were not released into the wild. "

    You're making a confusing argument;

    a) they're safe (in other words, invulnerable) 'because of design'

    b) a proof of concept vulnerability doesn't prove a vulnerability.

    c) such vulnerabilities (are these the ones that don't exist?) are patched automatically on a monthly patch cycle.

    An exploited vulnerability is, you are correct, a more serious occurrence than an unexploited vulnerability.

    As Apple increases their market share more people will work on exploiting these vulnerabilities - without the manners to prove the concept first.

    In your first post you asked for the name of a vulnerability and attacked the journalist - despite the one named in the headline - you could at least make your own argument internally consistent before doing so.

    e-mail Worms? Juan de Dios Santander Vela -- 20/07/07

    I guess this is an e-mail that needs the user to open it and do something —if not using Outlook Express— in order to fire itself…

    This is not the same between e-mail apps, so saying this is the same between Mac, Linux and Windows is a bit inaccurate, at best…

    Attacks against the MAC. Anonymous -- 05/03/08

    It is true that the MAC is not a "miraculous virus free environment".
    Just like it's true that those who deploy malicious code are also themselves susceptible to attack.
    Remember that cyber war is a two way street.
    Good luck in the land of milk and honey pots!
