Message-ID: <5070147F.10603@gmail.com>
Date: Sat, 06 Oct 2012 13:22:39 +0200
From: Levent Kayan <levon.kayan@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: rubilyn-0.0.1.tar.gz - Mac OS X rootkit
Hi FD,
we are bored and wanted to share something with you:
name
====
rubilyn
description
===========
64bit Mac OS-X kernel rootkit that uses no hardcoded address to hook the
BSD subsystem in all OS-X Lion & below. It uses a combination of syscall
hooking and DKOM to hide activity on a host. String resolution of
symbols no longer works on Mountain Lion as symtab is destroyed during
load; this code is portable on all Lion & below but requires re-working
for hooking under Mountain Lion.
currently supports:
* works across multiple kernel versions (tested 11.0.0+)
* give root privileges to pid
* hide files / folders
* hide a process
* hide a user from 'who'/'w'
* hide a network port from netstat
* sysctl interface for userland control
* execute a binary with root privileges via magic ICMP ping
link
====
http://www.nullsecurity.net/backdoor.html
md5
===
4e8726f077ff7d1b0a761ab15d4d8bc9
cheers,
noptrix & prdelka
--
Name: Levon 'noptrix' Kayan
E-Mail: noptrix@...lsecurity.net
GPG key: 0xDCA45D42
Key fingerprint: 250A 573C CA93 01B3 7A34 7860 4D48 E33A DCA4 5D42
Homepage: http://www.nullsecurity.net/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/