On Nov 25, 2006, at 15:50 , Sûnnet Beskerming wrote:
> Based on the available technical documentation from Apple regarding
> dynamically loading code at application runtime, and in conjunction
> with the limited information released by F-Secure, the most likely
> targeted directory is '/usr/lib'. This would make the malware a
> dynamic library infector (libSystem.B.dylib would provide the most
> consistent activation vector) - sort of equivalent to a malicious
> win32.dll on Windows. Luckily for most users, a default system
> installation will prevent non-admin users from writing to that
> directory (and other critical system library directories). The
> other options for dynamic loading of code at runtime are not as
> likely to result in consistent exploitation across arbitrary
> applications, or are based on binary modification of key system
> applications (considered extremely unlikely based on the limited
> screen capture F-Secure provides).
What about for example DYLD_INSERT_LIBRARIES or some other of the
DYLD_ environment variables?
They are documented in dyld(1).
//Magnus
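The two points raised in the exchange above, the system library directories that a non-admin user should not be able to write to and the DYLD_* environment variables from dyld(1), can both be checked from a shell. The following audit script is an added example; it is not code from the thread, from Magnus, or from Apple. The function names (dyld_vars_in, writable_dirs, audit), the sample environment block and the directory list are constructed for illustration. On current macOS releases, System Integrity Protection and the hardened runtime cause dyld to ignore DYLD_* variables for protected binaries, so a hit from the environment check means "look at where this is being set", not that every process is affected.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): audit helper for the two
# points discussed above. Function names and sample data are constructed.

# Print the names of DYLD_* variables found in NAME=value lines.
# $1 is text with one variable per line, e.g. the output of `env` or
# `launchctl getenv`. Variables such as DYLD_INSERT_LIBRARIES or
# DYLD_LIBRARY_PATH (see dyld(1)) change what a dynamically linked program
# loads, so the defender's question is where they are being set: shell rc
# files, launchd plists, wrapper scripts.
dyld_vars_in() {
    printf '%s\n' "$1" | sed -n 's/^\(DYLD_[A-Z0-9_]*\)=.*/\1/p'
}

# Print each given directory that exists and is writable by the current user.
# Run this as an unprivileged account: on a default install it should print
# nothing for /usr/lib or the other system library directories.
writable_dirs() {
    for d in "$@"; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Constructed sample environment (not captured from a real machine); it shows
# what the check reports when two DYLD_ variables are present.
SAMPLE_ENV='PATH=/usr/bin:/bin
HOME=/Users/example
DYLD_INSERT_LIBRARIES=/tmp/example.dylib
SHELL=/bin/sh
DYLD_LIBRARY_PATH=/tmp/example'

# Run both checks, first on the constructed sample, then on the live shell.
audit() {
    echo "== DYLD_ variables in the constructed sample environment =="
    found=$(dyld_vars_in "$SAMPLE_ENV")
    [ -n "$found" ] && echo "$found" || echo "(none)"

    echo "== DYLD_ variables in this shell's environment =="
    found=$(dyld_vars_in "$(env)")
    [ -n "$found" ] && echo "$found" || echo "(none)"

    echo "== library directories writable by $(id -un) =="
    # Directory list is illustrative; /usr/lib is the one named in the thread.
    w=$(writable_dirs /usr/lib /usr/local/lib /Library/Frameworks /System/Library)
    [ -n "$w" ] && echo "$w" || echo "(none)"
}

audit
```

Running the script as an ordinary user gives a quick answer to the question in the quoted post (can this account write to the library directories?) and to Magnus's follow-up (are any DYLD_ variables set for this session?). A non-empty result in either section is the starting point for finding which startup file or plist is responsible.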