
Article:
  Mac Security: Identifying Changes to the File System
Subject:   Mac OS X Rootkits
Date:   2005-10-09 06:21:54
From:   peterhickman
Response to: Mac OS X Rootkits

To be honest I never thought that opener was a rootkit as it did very little to evade detection. The problem for OS X rootkits is that they all seem to require the victim to install the devtools and run stuff as root.


Can't quite work out why osxrk supplies a version of nc as it is already provided, at least in Tiger.


To give a feel for the lack of development we have this from the Togroot README.


Once loaded, Togroot will give you the ability to obtain root access simply by typing "/givemeroot" and typing "su", for example.
...
cp -R /path/to/togroot.kext /system/library/extensions/togroot.kext
Add sudo to the beginning if you are not currently root.


So to install a rootkit to give you root access to a system you require root access, deeply flawed in my mind.


One day there will be a credible rootkit for OS X, but today I am not too worried.
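The Togroot README quoted above installs the kext by copying it into /System/Library/Extensions. Since that is the page's subject (identifying changes to the file system), here is an added example, not from the thread or from any of the tools it names, of a baseline-and-diff check for such a directory: take a manifest of file hashes once, and compare later to see what was added, removed or modified. The directory layout and file names in the usage note are constructed for illustration; the kext bundle names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): detect additions, removals and
# modifications under a directory such as /System/Library/Extensions by
# comparing a stored hash manifest with a fresh one.

# Print "sha256  path" for every regular file under $1, sorted bytewise.
# Uses sha256sum (coreutils) when present, otherwise shasum -a 256 (macOS).
manifest() {
    dir="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        hasher="sha256sum"
    else
        hasher="shasum -a 256"
    fi
    # $hasher is deliberately unquoted so "shasum -a 256" splits into words.
    ( cd "$dir" && find . -type f -exec $hasher {} + ) | LC_ALL=C sort
}

# check_changes BASELINE_FILE DIR
# Prints one line per change ("added PATH", "removed PATH", "modified PATH").
# Returns 0 when DIR matches the baseline, 1 when anything differs.
check_changes() {
    baseline="$1"
    dir="$2"
    tmp=$(mktemp -d)
    manifest "$dir" > "$tmp/current"
    LC_ALL=C sort "$baseline" > "$tmp/old_sorted"
    # Manifest lines are "<64 hex chars><2 spaces><path>", so the path starts at column 67.
    cut -c67- "$tmp/old_sorted" | LC_ALL=C sort > "$tmp/old_paths"
    cut -c67- "$tmp/current"    | LC_ALL=C sort > "$tmp/new_paths"
    {
        # paths only in the new manifest
        LC_ALL=C comm -13 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/added /'
        # paths only in the old manifest
        LC_ALL=C comm -23 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/removed /'
        # lines (hash+path) new to the current manifest whose path already existed: content changed
        LC_ALL=C comm -13 "$tmp/old_sorted" "$tmp/current" | cut -c67- | LC_ALL=C sort > "$tmp/changed"
        LC_ALL=C comm -12 "$tmp/old_paths" "$tmp/changed" | sed 's/^/modified /'
    } > "$tmp/report"
    cat "$tmp/report"
    if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}
```

Usage on a real machine is `sudo sh -c '. ./check.sh; manifest /System/Library/Extensions' > baseline.txt` once, then `check_changes baseline.txt /System/Library/Extensions` on later runs; a copy of togroot.kext dropped in by the `cp -R` above shows up as a run of `added ./togroot.kext/...` lines. Two caveats a practitioner should keep in mind: the baseline has to live somewhere the attacker cannot reach (read-only media, another host), because whoever has root can rewrite it; and a rootkit that is already resident in the kernel can hide its files from `find` and `sha256sum` entirely, so a clean report from inside the running system is evidence, not proof.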


  • Mac OS X Rootkits
    2005-10-12 16:38:18  hard-mac

    Opener never was a rootkit, very correct. Just a small POC to show what could happen on the OSX platform. It doesn't have to be installed locally as you say. NetCat was included because OS X never used to have a copy and the version it includes currently is still crippled.

    peterhickman wrote: "So to install a rootkit to give you root access to a system you require root access, deeply flawed in my mind."

    This is what a rootkit is, it is designed to keep root access on a box once you have it already. Not to get root, other exploits are used for this.


    peterhickman wrote: "One day there will be a credible rootkit for OS X, but today I am not too worried."


    As for real rootkits, Togroot is a pretty sad example. Have you looked at WeaponX yet. It's fairly powerful.

    Cheers, hard-mac

    Hardening Your Macintosh
    http://members.lycos.co.uk/hardapple/



    • Mac OS X Rootkits
      2005-10-13 13:58:41  peterhickman

      It's true that opener was never really a rootkit (even if it was the nearest that OS X has had to a rootkit scare). It was more of the 'look what we could do if we ever managed to root a system'.

      But that said the first hurdle is to gain enough of a foothold on a system to install all the opener type tools in the first place, just because someone has gained access to your system does not mean that they have root. For me an essential part of a rootkit is the ability to gain root from any foothold. Any such rootkit is to be truly feared.

      Anything that will only work if it is given root on a plate is best described as proof of concept just like the proof of concept OS X viruses.

      What you say is right and my go at Togroot was a cheap shot but at this point I do not believe that we are facing a real threat.

      For me a rootkit will allow a hacker to gain root access and so I see little threat on the horizon if they require root on a plate. Your definition does not require the ability to gain root access so you will be assessing things differently.

      Perhaps we need a better taxonomy for rootkits, 'proactive rootkit' for those that can gain root themselves and 'nursery rootkit' for those that get it given to them.

      Whatever species of rootkit it is, you wouldn't want it on your Mac.