Who did you contact about this and send the worm to? What sort of response did you get?
Finisterre: The original list of folks this was reported to included: F-Secure via both their blog and direct e-mail to (Niemelä) and a submission through their web interface. Symantec has been a great contact of mine for some time now, so I shot an email to a gentleman [...] that I frequently work with. [Editor's note: Symantec is the owner of SecurityFocus.] McAfee was sent an email through a private channel as was Apple. I also forwarded copies to Apple directly through their security mailing list.
With regard to the response, I think it kind of sucked. F-secure published information on their blog that was obviously related to emails that I had sent them. However, they never contacted me directly. If you note their blog you will see a Bluetooth-related entry just before Leap.A was found. This entry was the result of an email I had sent them trying to open a dialog about OS X worm potential.
Both private e-mails that went to individuals at McAfee and Apple went unanswered. I did get an autoresponder from Apple on the second e-mail, which was sent directly to their security staff. However, they did not respond either.
Symantec was really the only company to actively respond back to me and I attribute this to [my contacts there]. This is very typical of the responses I have gotten from Symantec in the past--prompt. [My contact] even sent me an e-mail last night to make sure that after the media hype someone had taken the time to follow up with me.
As a researcher in general, I did find it hard to locate someone that was willing to talk about proof-of-concept worm code. I was familiar with WinCE.Dust and was under the impression that it too was a proof-of-concept worm that was released in an academic sense. I wanted InqTana to be handled in the same fashion.
Did any antivirus company acknowledge that this was a lab creation that would have a hard time spreading? Do you think the vendors treated this well or as a marketing ploy?
Finisterre: Although blatantly mentioned in most of the antivirus threat notices, you will find that folks are still implying that the code will actually spread. I think this is a bit misleading. The fact of the matter is that InqTana is not spreading and physically cannot (spread) without a third party making their own variant. Headlines like "New Mac Worm Spreads Via Bluetooth" and "Second Apple worm targeting Macs found" are slightly skewed. First, the code is not spreading in any sense of the word nor was it "found" anywhere.
Since most articles are copied and pasted from the same source, you will find that a number of sources correctly identify this as "proof of concept." Quite a few folks actually mention the fact that it is both time limited and crippled to a specific set of Bluetooth addresses.
Could a worm like this have infected people without any user interaction? Why did the worm that you create require user interaction?
Finisterre: Most definitely. If someone else were to create this worm, it most likely would not have prompted the user to spread. This was done primarily because, although I sought to prove a point, I did not want to cause any real damage.
If someone were to obtain the source and try to modify it for malicious intent, they must first figure out how to make the code connect silently. Beyond that there are plenty of other things that I intentionally broke in the code to prevent it from spreading.
Do you think that worms and viruses will become a problem for Mac users as they have become for Windows users? Are social engineering viruses (mass mailers and the like) as much of a danger?
Finisterre: If Apple is proactive about curbing the behavior that has been recently identified I think they will be taking a step in the right direction. The key will be to identify things like this moving forward and nip them in the bud before they are abused. Macs will continue to attract attention, and by doing so, we are going to see a lot of creative attacks come out. The ultimate outcome is in Apple's hands - how they respond both proactively and reactively will make all the difference.
Do you think that Mac users need antivirus? Would antivirus have caught this in time, if it had been created maliciously?
Finisterre: If you didn't have antivirus on your Mac previously, I think it is about time. Times are changing, and before you know it, the malicious bundles will be sailing. I could easily see someone making an adware package based on the techniques I described combined with the recent ZIP vulnerability in Safari. The time to protect your Mac is not tomorrow - once someone does create something malicious. It is now, today.
I am not familiar enough with the various Mac antivirus packages, but I find it unlikely that this code would have been caught, quite simply because no one else has used these techniques in the past. I would not expect many signatures to exist for malicious bundles and malformed environment.plist files. The next worm, however, will have to make use of something different, because the antivirus companies hopefully learned something from both my code and that of Leap.A.
Do you think you'll code another worm in the future, or having proven your point, will you not?
Finisterre: Most likely not. I will probably be streamlining the InqTana code, so I can use it during talks and demos. I am still concerned about the worming of the old Widcomm issues on iPaqs, so I do have a dialog with Symantec currently open about it. I may provide sample code, if this is something I can take beyond a concept.
For the immediate time being, I do not foresee any more worm code. You could almost classify this sort of thing as a Nematode even - useful worms still have room for discussion in my mind. InqTana definitely crosses over some boundaries that people have in their minds about worms, but in this case, I think InqTana has done more benefit than it ever could harm.
Are you worried about prosecution at all?
Finisterre: Since this code was not maliciously released into the wild, I honestly had only given a little thought to it. I honestly see this being no different than any of the other exploits and full-disclosure-style releases that I do. I had asked a few folks to turn me on to malware specific laws, but I have yet to get any responses.
I was hoping that by being responsible and keeping this limited to proof-of-concept code, it would not come to that. I think it would be a shame to prosecute someone that did not have malicious intent.