Full Disclosure mailing list archives
rubilyn-0.0.1.tar.gz - Mac OS X rootkit
From: Levent Kayan <levon.kayan () gmail com>
Date: Sat, 06 Oct 2012 13:22:39 +0200
Hi FD,

we are bored and wanted to share something with you:

name
====
rubilyn

description
===========
64bit Mac OS-X kernel rootkit that uses no hardcoded address to hook the BSD subsystem in all OS-X Lion & below. It uses a combination of syscall hooking and DKOM to hide activity on a host. String resolution of symbols no longer works on Mountain Lion as symtab is destroyed during load; this code is portable on all Lion & below but requires re-working for hooking under Mountain Lion.

currently supports:

* works across multiple kernel versions (tested 11.0.0+)
* give root privileges to pid
* hide files / folders
* hide a process
* hide a user from 'who'/'w'
* hide a network port from netstat
* sysctl interface for userland control
* execute a binary with root privileges via magic ICMP ping

link
====
http://www.nullsecurity.net/backdoor.html

md5
===
4e8726f077ff7d1b0a761ab15d4d8bc9

cheers,
noptrix & prdelka

--
Name: Levon 'noptrix' Kayan
E-Mail: noptrix () nullsecurity net
GPG key: 0xDCA45D42
Key fingerprint: 250A 573C CA93 01B3 7A34 7860 4D48 E33A DCA4 5D42
Homepage: http://www.nullsecurity.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/