OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis

此文为关于MAC OSX系统的所有攻击脚本和溢出代码的收藏集。附带资源链接和相关讲解文档~mark下

'Tis the season.

Here is a nice collection of ~100 Mac OS malware and Word document exploits carrying MacOS payload (all are CVE-2009-0563) along with links for OSX malware analysis.

Please send your favorite tools for OSX if they are not listed.

CVE-2009-0563

[b]CVE-2009-0563
Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."

Links

Some OSX malware analysis tools and links

http://computer-forensics.sans.org/community/papers/gcfa/mac-os-malware-analysis_2286

http://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X

http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html

Tools

Activity Monitor (Max OSX Utilities folder)

MacMemoryze (support for Mountain Lion) free,

Volatility (partial support for Mountain lion) free

fseventer (graphical event representation) - works on Mountain lion

Wireshark

IDA pro

OSXpmem (kernel extension)

http://osxbook.com/ OSX internals

2009 Mac OS X Malware Analysis Author: Joel Yonts

Apple OS X ABI Mach-O File Format Reference

FileXray $79 but looks like it is worth it if you do OSX forensics

...let us know what you use

Malware in the provided package - links to research and news articles

OSX_AoboKeylogger http://aobo.cc/

OSX_BackTrack-A

OSX_Boonana http://contagiodump.blogspot.com/2010/11/nov-14-javaboonana-facebook-trojan.html

OSX_ChatZum http://www.thesafemac.com/chatzum-discovered-in-another-installer/

OSX_Clapzok http://www.intego.com/mac-security-blog/clapzok-a-multi-platform-virus/

OSX_Crisis http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/

OSX_Dockster_Backdoor http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html

OSX_FkCodec http://www.thesafemac.com/osxfkcodec-a-in-action/

OSX_Flashback http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99

OSX_Fucobha_IceFog http://www.securelist.com/en/blog/208214064/The_Icefog_APT_A_Tale_of_Cloak_and_Three_Daggers

OSX_GetShell http://www.symantec.com/security_response/writeup.jsp?docid=2013-020412-3611-99

OSX_Hacktool_Hoylecann

OSX_HellRaiser http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/

OSX_HellRTS http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/

OSX_Hovdy_Backdoor http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Hovdy-A.aspx

OSX_Inqtana http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99&tabid=2

OSX_Iservice http://www.symantec.com/connect/blogs/osxiservice-it-s-not-going-iwork-you

OSX_Jahlav http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/

OSX_Kitmos http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html

OSX_Lamadai http://www.welivesecurity.com/2012/03/28/osxlamadai-a-the-mac-payload/

OSX_Leverage_A_Backdoor http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis

OSX_LocalRoot https://www.trustedsec.com/august-2013/osx-10-8-4-local-root-privilege-escalation-exploit/

OSX_Macarena_A http://www.securelist.com/en/analysis/204791948/Mac_OS_X#macarena

OSX_MacDefender http://www.intego.com/mac-security-blog/macdefender-rogue-anti-malware-program-attacks-macs-via-seo-poisoning/

OSX_MacKontrol http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks

OSX_Macsweeper http://en.securitylab.ru/viruses/311798.php

OSX_Miner_DevilRobber http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Miner-D/detailed-analysis.aspx

OSX_Olyx_Backdoor http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html

OSX_OpinionSpy http://www.f-secure.com/sw-desc/spyware_osx_opinionspy.shtml

OSX_PSides

OSX_Genieo http://www.thesafemac.com/malicious-genieo-installers-persist/

OSX_PUP_PerfectKeylog http://www.blazingtools.com/mac_keylogger.html

OSX_Renepo / Pintsized http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/

OSX_Revir http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html

OSX_Safari

OSX_SniperSpy http://www.sniperspymac.com/download.html

OSX_Wirenet http://www.webroot.com/blog/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/

OSX_Yontoo http://www.macrumors.com/2013/03/21/new-yontoo-adware-trojan-targets-major-browsers-on-os-x/

OSXWeapoX http://www.virusradar.com/OSX_Rootkit.Weapox.A/description

------------------------------------

CVE-2009-0563 Word exploit

MacControl payload http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks

OSX.SabPubpayload http://www.securelist.com/en/blog/208193470/New_Version_of_OSX_SabPub_Confirmed_Mac_APT_attacks

OSX/Dockster.A payload http://www.intego.com/mac-security-blog/new-targeted-attack-on-tibetan-activists-using-os-x-discovered/

OSX_Docklight payload http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html and http://blogs.technet.com/b/mmpc/archive/2012/04/30/an-interesting-case-of-mac-osx-malware.aspx

Download

Download all files listed below. Please email me if you need the password scheme
OSX_CrisisB_a32e073132ae0439daca9c82b8119009
Additional older downloads

OSX_Docklight payload http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html

misc OSX malware on contagio http://contagiodump.blogspot.com/search/label/-%20OSX
30 samples of ancient Mac OS malware http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html

List of files provided in this post

OSX_AoboKeylogger_362D5DDB3924C625589B42030B66CA69

OSX_BackTrack-A_B03276BFBF85CFDD7C8998004C1200DA

OSX_Boonana_B3A0B0DA5AA01FF200CEBC8AF359A3C3

OSX_ChatZum_487E5CD581587D63783CDD356DE9CF24

OSX_ChatZum_57A4EB15CAA4FCC0A8F6AFBBD66C4859

OSX_Clapzok_99FE5AD5FF514F5AAEA8E501DDBAF95B

OSX_Crisis_04BBDA5B11FA0FD3C767CAF4719D6A4D

OSX_Crisis_42C112036E319ED8DF0F55C7F4C0DA85

OSX_CrisisBOSX_CrisisB_a32e073132ae0439daca9c82b8119009 _a32e073132ae0439daca9c82b8119009

OSX_Crisis_59FE83E0AE12E085E0FA301ECCA6776F

OSX_Crisis_6F055150861D8D6E145E9ACA65F92822

OSX_Crisis_A32E073132AE0439DACA9C82B8119009_Biglietto Visita

OSX_Crisis_ACEC5F00057D3EC94849511F3EDDCB91

OSX_Crisis_FAAB883598C8C379ACFD0B9DCCC93D0C

OSX_Dockster_Backdoor_C6CA5071907A9B6E34E1C99413DCD142

OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF

OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF_Codec-M

OSX_FkCodec_B4ECE10D1E706B87B065523A654D48A7_download.dmg

OSX_FkCodec1C5AE9F1DD9FE6F506EAABD382925CA8_codec-M.safariextz

OSX_Flashback_3DCB6D6A9EA8D9755EB61AE057B3D74A

OSX_Flashback_9FCFE8EF92F51F1C29A26E1516EF7003_FlashPlayer-11-macos.pkg

OSX_Flashback_C2819C3C183BBF7547CF76C6A004EA15_FlashPlayer-11-macos.pkg

OSX_Fucobha_IceFog_A615DD792093191E9FC975132A2DB409A_CleanMyMac

OSX_Fucobha_IceFog_B4249F9B49A9A177B4D2F4439373029A

OSX_Fucobha_IceFog_CF1815491D41202EB8647341A8695E1E

OSX_GetShell_68078CBD1A34EB7BE8A044287F05CCE4

OSX_GetShell_AC99ACE403D31C7079C938F9B0FD0895

OSX_GetShell_ACC2B4A595939F17F7D07DE2CF75CDC8

OSX_Hacktool_Hoylecann_FED8E22AE6F080F9B05A309C7E48B5EF

OSX_HellRaiser_CA74984601287459AFB7B39EBEBDD394

OSX_HellRTS.AH_KeystrokeRecorder X Pref Editor_C19377D07A234D1585D85F8FA3CF77FB

OSX_HellRTS_F1AD75AEB4B4C2883DF2221C8804DA2A.AH

OSX_Hovdy_Backdoor_FED713CAC7012D25F60B236E6DDCF513

OSX_Inqtana.zip

OSX_Iservice_4C9E7EE7C0F5C19C68B45CA6C81F8D62

OSX_Iservice_E34BA325F3EEB8DF07A09EE9FBF1071D

OSX_Jahlav_12F32EACBB3CD2C5623EE6976A51913A_QuickTime.xpt

OSX_Jahlav_CCB72243EF478EEFE90B5898EC32389B

OSX_Jahlav_D7DDF72D17F889C2C5B302AC0A5FBDC5

OSX_Jahlav_FB79A75A6152EF47BBF88AE8544545CC.pl

OSX_Jahlav_flash.zip

OSX_Kitmos_A_39FAA22EB9D6B750EC345EFCB38189F5

OSX_Kitmos_A_3AA9C558D4D5F1B2A6D3CE47AA26315F

OSX_Kitmos_A_B3D49091875DE190F200110C2F2032D4

OSX_Lamadai_20F0D0CE8A413A51EB16DEE860021E6A

OSX_Lamadai_DE90189F040494E3708D83A33E37E40E

OSX_Leverage_A_Backdoor_C425D2BE8B4AF733A44EC1518F182BE8

OSX_LocalRoot_3DC01743FB42E917E9F9EDE5009F10CD

OSX_Macarena_A_BFC7B7B9D3E1DF9D6E1A31D3E7BED628

OSX_MacDefender_8AE7163C7C3C02564A4C69DF1F7C483E_Archive.pax

OSX_MacDefender_E187F4071723808560E135647245562A_Archive.pax

OSX_MacKontrol_89C35C057655E67580EFD0FF8242D960

OSX_MacKontrol_E88027E4BFC69B9D29CAEF6BAE0238E8_matiriyal.dmg

OSX_Macsweeper_4836CC480796386ED6929C38E5AAD525

OSX_Miner_DevilRobber_417369B713F1A5F3A3DC0DAF76BDCFD6

OSX_Miner_DevilRobber_EE2BA586232007FA41703EB120AC7408

OSX_Miner_F8EBF03E88928EBF91A8420E3D5993FE

OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F

OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F_Current events 2009 July 5

OSX_OpinionSpy_C98AE54F4BE1082B4E82548D7511077E_Crystal-Clock-screensaver.zip

OSX_OpinionSpy_CC33C95C59372AFCA60A0552A58D0EF8_Crystal-Clock-screensaver.zip

OSX_PSides_32F4792B1141BA259067F9613E2E88B5

OSX_PUP_AABEDBAAB63EF19657A3A82C930CCE18_Genieo_InstallGenieo.dmg

OSX_PUP_PerfectKeylog_1B192319C8F41036A2D6B8E987809D42

OSX_Renepo_80753666A54A8AE97BD6ED3A4E2F3702

OSX_RevirA_FE4AEFE0A416192A1A6916F8FC1CE484_revir-a.dmg

OSX_RevirC_Imuler_7DBA3A178662E7FF904D12F260F0FFF3

OSX_Safari_B24C0E60AF3D3E836FBE8A92FBCC8EB7.dat

OSX_SniperSpy

OSX_Wirenet_50D4F0DA2E38874E417BD13B59F4C067

OSX_Wirenet_B56AD86A4BACEF92EF46D36EABEF6467

OSX_Wirenet_D048F7AE2D244A264E58AF67B1A20DB0

OSX_Yontoo_16ACCB0ABC051D667640B1EE4FF3A7A1

OSX_Yontoo_7C433B3AC0E8072BA5E6B57298E1B28B

OSXWeapoX_7FDEBB5FEC63FB3739A79A66265BB765

EXPLOITS
OSX_CVE-2009-0563 targeting Tibetan and Uyghur activists (filenames shortened here)

0DA957B9B952420241F945A9A2C52A50_C2-alma.apple.cloudns.org_ParticipantsArrivalDeparture.doc

0E5110493FD197813068310E57467B44_C2-alma.apple.cloudns.org _Uighur Han unrest.doc

0E945428D07464EC33EBDFF5712FE788_C2-update.googmail.org_Jenwediki yighingha.doc

1218840F3B66832CC58C33C75AD3D419_C2-update.googmail.org_Uyghur_Xitayning Yengi Rehberlik.doc

1CE3C4A8907A242250D366586711CBDC_C2-alma.apple.cloudns.org _Rabiye_hanim_bilen_Dolkun_Isa.doc

2567399683111CFCB838C5DA80DF181D_Tibetan Parliament urges World to take concrete step on Tibet.doc

28821C5FD38B11EE630D87961C11A3D7_DUQning reyisi namzatlar isimliki.doc

3D28AE551B9BD4C62FFC6C72F5668D96_Tibet_The United Nations Commission for Human Rights.doc

3D90D04C09C6B4D5D52888C89BDE9685_Tibetan Parliament urges World.doc

567ECE88B2D6F4F12F0D0760C30605EE_C2-apple12.crabdance.com_list.doc

58A0A5824A6B30EA7EEBBB51818AE04B_uYGHUR_Jenwe yinghinining xeweri.doc

786A7D1A1DCEC50E6A89E3CC8F33A3AE_Uyghur_Dunya Uyghur Qurultayigha iane qilish toghrisida.doc

7D7A5C530A7DBF24C42145A0EFCC8669_kurban-bayrami.doc

8618BCCB98F7D20634EBEDC488981E86_C2-update.googmail.org_email73.doc

908116A30F53EDF9D1749E3F0F267680_Website-TGSL.doc

9F9F96D5C882528D08315201042647DF_C2-update.googmail.org_Uyghur_The Duke Program.doc

BA76DE3471497A8B1858AF4A8C700AE1_www.uyghurcongress.org.doc

C024E159A96F3292915B257070FC3325_Sartin-TGSL.doc

DD7C486BC17772A5E96425271FA5ED4D_c2-apple12.crabdance.com_10. Jahresgedenktag.doc

E510AE50B0344EFBE1F8888771C7446C_www.tughlan.com.doc

E683339BCCFDEB0F06C7E567F2C284C5_Planning for action.doc

ECE44C00D46BE019AFF38FD5D31B9110_C2-update.googmail.org_UAA 2012 Saylam Komtiti saylam.doc

F81775C93F7337E0664F1D106E13C7B3_C2-update.googmail.org_Uyghur_Human Rights Education.doc

FBE399BF714184ED7FEA313F36A86514_C2-apple12.crabdance.com_Uyghur_Putun Dunyadiki Sherqi.doc

MacOSSabpub-A_43F281076E185E55BECE7EB2F0EC8164.doc

[/b]
via@