Helpful Mac OS X worms?
By Robert Vamosi on 06 March 2006
Here's a news flash: All software contains some form of security flaw -- but if you discover a flaw, should you tell the world about it?
If you're a Mac security researcher, apparently the answer is yes. While Apple is pretty good at patching its systems -- in fact, Apple has just released 20 new patches for OS X, including those exploited by the Leap.a virus -- the latest patches do not completely address the concerns of one security researcher. By creating three proof-of-concept worms last week, Kevin Finisterre started a public dialogue over Mac OS X security. But he also opened a Pandora's box, giving script kiddies techniques that could be used in future Mac OS X viruses.
The debate is old. Should researchers go public with threats they perceive to be critical when the vendor stonewalls? I've written about this before, and when it comes to Microsoft, the software giant would prefer that researchers keep the vulnerabilities to themselves until Microsoft can patch them. That sounds fine until you realise that Microsoft has, in the recent past, waited up to three years to patch rather serious flaws within Internet Explorer. Sometimes going public is the only way a frustrated researcher can force a software vendor to own up to a flaw. Sometimes, however, the "vulnerability" is minor -- and the researcher just wants publicity.
Kevin Finisterre is a 25-year-old, high-school-educated, DeVry dropout who has worked as a Unix system administrator. The Apple Mac OS X operating system is based heavily on the Unix architecture, so Finisterre took his interest in Unix to the Mac OS X 10.3 operating system and became interested in a Bluetooth vulnerability he first wrote about in DMA [2005-0502a]. Apple issued a workaround in its Security Update 2005-05 on May 3, 2005, but wasn't able to add it to the April 28, 2005, Apple Mac Tiger 10.4 release until recently. In an interview published on SecurityFocus, Finisterre said he started to experiment with ways to exploit the Bluetooth flaw.
The result was InqTana, a proof-of-concept worm that posed no threat to the general public. Unfortunately, a real threat, Leap.a, had just been released. Suddenly, mainstream newspapers began to write about multiple Mac threats. Leap.a, a virus that used Apple's iChat to send an infected file to others, was a legitimate threat, circulating among Mac OS X users. But InqTana was not. Yet some thought that Bluetooth-enabled Macs were vulnerable to this worm. According to Finisterre, that's nonsense.
The real danger
InqTana, according to its creator, was designed to show Apple some underlying methods that could be used by less scrupulous researchers to spread malware among Mac OS X users. The interesting part of InqTana wasn't its Bluetooth flaw, which Apple had already patched, but the means by which it came to be. Said Finisterre, writing in his own white paper, "MethodSwizzling lets your method make use of the original, almost like subclassing." In other words, MethodSwizzling allows a malware writer to "patch" an existing Apple method with malicious code. Combined with InputManager, said Finisterre, MethodSwizzling can be used to jump-start malware on a Mac.
After Leap came out, however, Finisterre said he tinkered with his creation again and released InqTana.b, then InqTana.c (according to the interview, he said he's finished creating InqTanas). In InqTana.b, he used another method, Launchd, to show how more malware could be built within Mac OS X 10.4. In InqTana.c, he used dyld, again, specific to Mac OS X 10.4.
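The three mechanisms named above (InputManager, launchd, dyld) each rely on a well-known location on a Mac OS X 10.4 system, so a defender can at least enumerate what is registered there. The following audit script is an added example, not code from the article or from Finisterre's paper; the directory names and the DYLD_ environment file are standard 10.4 locations I know from the platform, and demo() scans a constructed sample tree rather than a real machine. MethodSwizzling itself leaves no file behind, so the check covers the InputManager bundles that would carry it.

```python
import os
import plistlib
import tempfile

# Mac OS X 10.4 persistence locations for the three mechanisms the article names
# (InputManager bundles, launchd jobs, the per-user dyld environment file),
# relative to ROOT so the audit can run against "/" and against each home directory.
INPUT_MANAGER_DIR = "Library/InputManagers"
LAUNCHD_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")
DYLD_ENV_FILE = ".MacOSX/environment.plist"

def audit_persistence(root):
    """Return (mechanism, path, detail) tuples for everything found under root."""
    findings = []
    im_dir = os.path.join(root, INPUT_MANAGER_DIR)
    for name in sorted(os.listdir(im_dir)) if os.path.isdir(im_dir) else []:
        findings.append(("InputManager", os.path.join(im_dir, name),
                         "bundle is loaded into every Cocoa application"))
    for rel in LAUNCHD_DIRS:
        job_dir = os.path.join(root, rel)
        for name in sorted(os.listdir(job_dir)) if os.path.isdir(job_dir) else []:
            path = os.path.join(job_dir, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # a plist launchd cannot parse still deserves a look
                findings.append(("launchd", path, "unparseable: %s" % exc))
                continue
            if job.get("RunAtLoad"):  # starts at login/boot without any user action
                program = job.get("Program") or " ".join(job.get("ProgramArguments", []))
                findings.append(("launchd", path, "RunAtLoad job runs: %s" % program))
    env_path = os.path.join(root, DYLD_ENV_FILE)
    if os.path.isfile(env_path):
        with open(env_path, "rb") as fh:
            env = plistlib.load(fh)
        for key in sorted(env):  # DYLD_INSERT_LIBRARIES loads a dylib into every process
            if key.startswith("DYLD_"):
                findings.append(("dyld", env_path, "%s=%s" % (key, env[key])))
    return findings

def demo():
    """Audit a constructed sample tree (not a real system) holding one of each finding."""
    root = tempfile.mkdtemp()
    for sub in (INPUT_MANAGER_DIR + "/Example.bundle", "Library/LaunchAgents", ".MacOSX"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "Library/LaunchAgents/com.example.job.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.job", "RunAtLoad": True,
                       "ProgramArguments": ["/tmp/example", "--daemon"]}, fh)
    with open(os.path.join(root, DYLD_ENV_FILE), "wb") as fh:
        plistlib.dump({"DYLD_INSERT_LIBRARIES": "/tmp/example.dylib"}, fh)
    return audit_persistence(root)
```

Run audit_persistence("/") and audit_persistence(os.path.expanduser("~")) on a real 10.4 machine; every entry it lists is something an administrator should be able to account for.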
Antivirus response...sucked
Finisterre said he finished InqTana on Valentine's Day. He claimed no malicious intent on his part and said the code was "academic", or what the antivirus community calls a "zoo virus": something that is sent directly to the antivirus research community and not released "in the wild." Because of this, he feels that he's broken no laws.
His first code was named on February 17, 2006, by F-Secure as InqTana (antivirus vendors change the given names of viruses, in part, to deny virus writers the satisfaction of seeing their creation in the wild). In the SecurityFocus interview, Finisterre claimed no one from F-Secure contacted him directly, nor did anyone from McAfee or Apple bother to respond. Only Symantec responded, but that was because of a preexisting contact.
Finisterre considers his creations nematodes, helpful worms designed to shine a light on underlying code that could facilitate new malware. He stressed in both his interview and white paper that he intentionally crippled the InqTana worms so that they would not spread, or if they did, they would require a user to accept various prompts during installation. He also stressed that one would have to get hold of his source code and make a few changes before a malicious worm could be released from his work.
However, by stating that InqTana is not a Bluetooth worm but a means to publicise the underlying methods he used, Finisterre has also (perhaps unwittingly) given Mac malware writers a sense of direction to pursue new MethodSwizzling- or Launchd- or dyld-based worms in the near future. In his interview, he said antivirus vendors should now have heuristics in place to guard against new such worms, but he neglected to acknowledge that a great many Mac users simply do not have antivirus protection. Since changes in the underlying code of Mac OS X may not be forthcoming from Apple, simply patching your system might not be enough to guard against new Mac OS X worms.
Has Kevin Finisterre legitimately contributed to the security of Mac OS X, or has he unwittingly enabled script kiddies to do their worst? Talk back to me.
Comments (1)
KF commented on 06/03/2006 16:50
I would like to state that I do work cooperatively with Apple and I would like to think that I help them understand the issues that I disclose. It would be wrong of one to think that Apple hasn't read my paper. I would hope that they too learned from it. I would not be surprised if we don't see some changes to the OS to counter concepts in my paper. Also to say that Apple did not respond is not entirely correct. Apple did not respond to the initial query during the first media flare. I have talked with Apple several times since then. -KF