Mac OS X rootkit rubilyn 0.0.1 available

2012.10.07
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

name
====
rubilyn

description
===========
64bit Mac OS-X kernel rootkit that uses no hardcoded address to hook the BSD subsystem in all OS-X Lion & below. It uses a combination of syscall hooking and DKOM to hide activity on a host. String resolution of symbols no longer works on Mountain Lion as symtab is destroyed during load; this code is portable on all Lion & below but requires re-working for hooking under Mountain Lion.

currently supports:

* works across multiple kernel versions (tested 11.0.0+)
* give root privileges to pid
* hide files / folders
* hide a process
* hide a user from 'who'/'w'
* hide a network port from netstat
* sysctl interface for userland control
* execute a binary with root privileges via magic ICMP ping

link
====
http://www.nullsecurity.net/backdoor.html

md5
===
4e8726f077ff7d1b0a761ab15d4d8bc9

cheers,
noptrix & prdelka

--
Name: Levon 'noptrix' Kayan
E-Mail: noptrix () nullsecurity net
GPG key: 0xDCA45D42
Key fingerprint: 250A 573C CA93 01B3 7A34 7860 4D48 E33A DCA4 5D42
Homepage: http://www.nullsecurity.net/

References:

http://www.nullsecurity.net/tools/backdoor/rubilyn-0.0.1.tar.gz
http://www.nullsecurity.net/backdoor.html


Copyright 2025, cxsecurity.com