2013-06-19

iMac Mountain Lion infected by Vmware Fusion Ubuntu

19: mis.cyb/mac.vmware/freeze with black screen:
. the usual:
I'm running vmware on a 2008 imac,
my virtual machine is running ubuntu;
I'm using firefox with noscript,
and my editor is komodo edit;
then a freeze requires a hard reset .
but this time,
I catch a keylogger or something ...
[@] mis.cyb/mac/fake log-in after crash
mis.cyb/mac/fake log-in after crash:

. after the mac crash I unplugged the keyboard
to have it for use with a chromebook
while waiting for the mac to restart .
. when the mac was ready for a log in,
it wouldn't tell me I had no keyboard;
and it usually always does that,
so I suspected that the sign-in screen was
not actually the mac in charge
but instead was some keylogger malware
that had found its way in during that last crash;
so, I tried restarting again
to see if mac would show up this time,
and the next sign-in screen asked for a keyboard,
so I gave it my password and logged in .

. vmware said it had a problem with
a needed file being read-only?
have disk utility check permissions .

. I've noticed permissions many times,
and this is the first time I've seen
this:
Warning: SUID file "System/Library/CoreServices/
RemoteManagement/ARDAgent.app/
Contents/MacOS/ARDAgent"
has been modified and will not be repaired.

. that's quite a coincidence:
I had a crash leading to a possible keylogger,
and for the first time on my mac
something has changed with ARDAgent.app
which, in 2008, was known for being
a rootkit (and keylogger) vulnerability .

. yesterday I was pointing out
intel computer chips likely have a backdoor;
and today it seems
my cracker associates are reminding me,
there are so many vulnerabilities in a
typical non-true microkernel like OS X,
that we hardly need an intel backdoor
to p0wn your box .

mac has some updates for me too:

18 June: Java for OS X 2013-004 and Mac OS X v10.6 Update 16
04 June: Safari 6.0.5
04 June: OS X Mountain Lion v10.8.4 and Security Update 2013-002
2008 ARDAgent security hole:
Intego identifies the ARDAgent
as a key to "root privilege escalation" .
System/Library/CoreServices/RemoteManagement
ARDAgent is a (no dock icon, no windows)
helper application for Apple Remote Desktop.
. Since this code runs as root,
it can install things in places you can’t easily see,
and disguise the fact that those things are running,
making them very hard to find and remove.
. drag ARDAgent to the trash can .
Jun 19, 2008, 04:38 AM #4 Phil A.
. it is a massive [security] hole
and Apple should hang their heads in shame.
ARDAgent [shouldn't] have the SUID bit set
when it can run shell scripts .
It would be trivial to use this exploit
to install a trojan with root privileges
and without secondary authentication .
fix the OSAScript/setuid root vulnerability:
. remove the ARDAgent.app bundle from
/System/Library/CoreServices/RemoteManagement
permission problems:
. "this problem, dating back to Leopard,
has not been addressed in Mountain Lion,
fully five years later."
Apple says that problem is trivial:
You can safely ignore these messages:
...
Warning: SUID file "System/Library/CoreServices/
RemoteManagement/ARDAgent.app/
Contents/MacOS/ARDAgent"
has been modified and will not be repaired.
. but the point is
ARDAgent is a source of malware
any time crackers find a hole in it .
. so what are these changes about?
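One check a defender can run after a warning like the ARDAgent one above, as an added example that is not part of the original post: record a baseline of the set-uid files under a directory with their hashes, then re-audit later and flag any that are new or whose contents changed (the "has been modified" case is what Disk Utility reports). The script assumes find, awk and sha256sum (Linux) or shasum (macOS) are available.

```shell
#!/bin/sh
# Added example (not from the original post): audit the set-uid files
# under a directory against a recorded baseline of SHA-256 hashes.
# Assumes find, awk and sha256sum (Linux) or shasum (macOS) are available;
# paths must not contain spaces.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_baseline DIR BASELINE: write one "hash path" line per SUID file.
record_baseline() {
    find "$1" -type f -perm -4000 | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# audit_suid DIR BASELINE: print one line per set-uid file found now:
#   OK <path>        contents match the baseline
#   MODIFIED <path>  contents differ (the case behind the ARDAgent warning)
#   NEW <path>       set-uid file that was not in the baseline
audit_suid() {
    baseline=$2
    find "$1" -type f -perm -4000 | while read -r f; do
        cur=$(hash_file "$f")
        base=$(awk -v p="$f" '$2 == p { print $1 }' "$baseline")
        if [ -z "$base" ]; then
            echo "NEW $f"
        elif [ "$cur" = "$base" ]; then
            echo "OK $f"
        else
            echo "MODIFIED $f"
        fi
    done
}
```

Run record_baseline once on a machine you trust (for the ARDAgent case, on /System/Library/CoreServices/RemoteManagement) and audit_suid after each crash or update; a MODIFIED or NEW line on a set-uid root binary is worth investigating before typing any passwords.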

1 comment:

Philip Torrance (ADDN) said...

. it might have just been slow at
bringing up the no-keyboard-attached dialog;
the next time it freezes,
I will wait an hour for that dialog .
. today's freeze brought me again to
a lack of no-keyboard dialog;
so, I hard reset a 2nd time,
and it still didn't show the dialog;
but then I waited for 5 minutes,
and it did show ...
maybe the crackers understand now
they need to show this dialog,
and it takes them a while to find it?
maybe mac is just busy checking the filesystem
after I rudely did a hard reset ?
. anyway besides my mac user acct login,
all my other passes are auto-inserted by firefox
except for banking done in a different vm ...
. can my mac really have a rootkit with a keylogger? ...
maybe I'll start doing banking in the chromebook .