Spreading security awareness for OS X
Robert Lemos

Robert Lemos interviews Kevin Finisterre, founder of security startup Digital Munition, who created the three recent versions of the InqTana worm to raise awareness of security in Apple's OS X. Finisterre discusses his reasons for creating the worms, the problems with Mac OS X security, and why he does not fear prosecution.

Can you introduce yourself?

Kevin Finisterre: I am 25 years old and a current resident of Columbus, Ohio. I have been publicly active in the computer security scene since around 1998. Most of my research was published through Secure Network Operations, where I served as the Head of Research and Development. Since SNOSoft has dissolved, I have been focusing my time on a project called Digital Munition. My educational background stops with your traditional high-school-level education. After feeling as if I were being spoon-fed at DeVry, I decided to just dive in head first into my career as a Unix sysadmin. My spare time is spent researching various aspects of computer security under a number of platforms.

How long have you been using Macs? How do you think the security model compares to Windows and Linux?

Finisterre: I got my first Mac in 2001. Most of InqTana was actually developed on my Dual USB 2001 iBook and an old G3 333 MHz iMac. I honestly love Mac hardware, but do not care too much for the OS. I have spent a great deal of time on Mac-based hardware developing shell code and learning the ins and outs of exploiting the PPC architecture.

Overall, I do like some of the features that OS X offers, however it is very difficult to compare the different operating systems. Obviously, because it is Unix-based, it is very similar to Linux. To put it simply, however, all three sets of OS developers do some dumb things--this is very unlikely to change in the near future. I really cannot say which operating system is better than the other, but my personal preference is Mac hardware running the Linux OS.

Ninety percent of my time is spent on the Mac. I would take a PowerPC 4-byte assembly instruction over a single byte Intel instruction any time.

How did you find the original vulnerability in Bluetooth that this worm exploits?

Finisterre: Lots of caffeine and late nights. The real story is that OS X had recently added Bluetooth support and I just had got a new Mac Mini. That alone is the recipe for keeping me up late. My recent fetish with Bluetooth made it an easy and obvious target. I was already in the process of working on a number of other Bluetooth-related issues.

The funny thing is that it actually took some prodding to get Apple to consider this an issue. I originally reported to them that I thought it was a bad idea to share out Bluetooth in a completely open fashion. Shortly after, I discovered the directory traversal attacks which made the default setting that much more "fun." Once this developed, things were obviously taken more seriously.

In your paper, it sounds like both 10.4 and 10.3 were vulnerable, but aren't any longer. Is that right?

Finisterre: The Bluetooth bug that InqTana exploits has been patched for some time now. There was a short period of time that 10.3.x was patched, however, 10.4 silently sat vulnerable. Apple asked me to withhold information about 10.4 being vulnerable until they could get patches out. I happened to find the issue just as 10.4 was pressed and shipped. Plenty of folks don't update their software, so under vanilla configurations of 10.3 and 10.4--read: no patches--you are vulnerable.

I would assume that if you went to the store right now and came home with a new Mac, it would have a vanilla version of 10.4 installed with Bluetooth enabled by default. [Editor's note: An Apple spokesperson has said that the Macs currently available at retail have had this problem fixed.]

Why did you decide to make a worm out of the vulnerability?

Finisterre: I have heard of so many folks touting that misconception that Macs can't get viruses that I thought it was about time to start a dialog with some of the AV (antivirus) companies and express some of my ideas. In the process of confirming my own concerns, this code was created. I am not one for talking about things in concept form - I like to actually implement and prove a concept.

The idea that Macs can't get viruses is simply absurd and I wanted to highlight that fact. It was pure coincidence that Leap.A had already (been created to) set out to prove that the old wives' tale is false.

InqTana was more or less an exercise in proving folks wrong about the possibilities of Mac malware.

Just to be clear, you wrote all three variants of this worm, right?

Finisterre: This is correct. The code that was dubbed as InqTana.A by (researcher) Jarno (Niemelä) of F-Secure was originally completed on Valentine's Day. Once Leap.A was released and I did some reading, I came up with InqTana.B by making a slight mod to the Leap technique. InqTana.C was the final demonstration of my concerns and will most likely be the last variant.

Each variant was created to illustrate a specific vector for implanting malware onto OS X. The detail of each one of these techniques was outlined in the paper titled InqTana through the eyes of Dr. Frankenstein.

Which of the three above methods do you think will be used by future worm and virus authors the most? Hopefully Apple will take note and address these areas of concern.

Finisterre: The InputManager technique seems to be very powerful. Using it to hook either -init or for a MethodSwizzle will most definitely be a popular thing to do. The primary reason I think it will be used often is due to the fact that it is portable across major versions of OS X. The launchd and dyld techniques are more specific to a particular version of OS X.

Who did you contact about this and send the worm to? What sort of response did you get?

Finisterre: The original list of folks this was reported to included: F-Secure via both their blog and direct e-mail to (Niemelä) and a submission through their web interface. Symantec has been a great contact of mine for some time now, so I shot an email to a gentleman [...] that I frequently work with. [Editor's note: Symantec is the owner of SecurityFocus.] McAfee was sent an email through a private channel as was Apple. I also forwarded copies to Apple directly through their security mailing list.

With regard to the response, I think it kind of sucked. F-Secure published information on their blog that was obviously related to emails that I had sent them. However, they never contacted me directly. If you note their blog you will see a Bluetooth-related entry just before Leap.A was found. This entry was the result of an email I had sent them trying to open a dialog about OS X worm potential.

Both private e-mails that went to individuals at McAfee and Apple went unanswered. I did get an autoresponder from Apple on the second e-mail, which was sent directly to their security staff. However, they did not respond either.

Symantec was really the only company to actively respond back to me and I attribute this to [my contacts there]. This is very typical of the responses I have gotten from Symantec in the past--prompt. [My contact] even sent me an e-mail last night to make sure that after the media hype someone had taken the time to follow up with me.

As a researcher in general, I did find it hard to locate someone that was willing to talk about proof-of-concept worm code. I was familiar with WinCE.Dust and was under the impression that it too was a proof-of-concept worm that was released in an academic sense. I wanted InqTana to be handled in the same fashion.

Did any antivirus company acknowledge that this was a lab creation that would have a hard time spreading? Do you think the vendors treated this well or as a marketing ploy?

Finisterre: Although blatantly mentioned in most of the antivirus threat notices, you will find that folks are still implying that the code will actually spread. I think this is a bit misleading. The fact of the matter is that InqTana is not spreading and physically cannot (spread) without a third party making their own variant. Headlines like New Mac Worm Spreads Via Bluetooth and Second Apple worm targeting Macs found are slightly skewed. First, the code is not spreading in any sense of the word nor was it "found" anywhere.

Since most articles are copied and pasted from the same source, you will find that a number of sources correctly identify this as "proof of concept." Quite a few folks actually mention the fact that it is both time limited and crippled to a specific set of Bluetooth addresses.

Could a worm like this have infected people without any user interaction? Why did the worm that you create require user interaction?

Finisterre: Most definitely. If someone else were to create this worm, it most likely would not have prompted the user to spread. This was done primarily because, although I sought to prove a point, I did not want to cause any real damage.

If someone were to obtain the source and try to modify it for malicious intent, they must first figure out how to make the code connect silently. Beyond that there are plenty of other things that I intentionally broke in the code to prevent it from spreading.

Do you think that worms and viruses will become a problem for Mac users as they have become for Windows users? Are social engineering viruses (mass mailers and the like) as much of a danger?

Finisterre: If Apple is proactive about curbing the behavior that has been recently identified I think they will be taking a step in the right direction. The key will be to identify things like this moving forward and nip them in the bud before they are abused. Macs will continue to attract attention, and by doing so, we are going to see a lot of creative attacks come out. The ultimate outcome is in Apple's hands - how they respond both proactively and reactively will make all the difference.

Do you think that Mac users need antivirus? Would antivirus have caught this in time, if it had been created maliciously?

Finisterre: If you didn't have antivirus on your Mac previously, I think it is about time. Times are changing, and before you know it, the malicious bundles will be sailing. I could easily see someone making an adware package based on the techniques I described combined with the recent ZIP vulnerability in Safari. The time to protect your Mac is not tomorrow - once someone does create something malicious. It is now, today.

I am not familiar enough with the various Mac antivirus packages, but I find it unlikely that this code would have been caught, quite simply because no one else has used these techniques in the past. I would not expect many signatures to exist for malicious bundles and malformed environment.plist files. The next worm, however, will have to make use of something different, because the antivirus companies hopefully learned something from both my code and that of Leap.A.

Do you think you'll code another worm in the future, or having proven your point, will you not?

Finisterre: Most likely not. I will probably be streamlining the InqTana code, so I can use it during talks and demos. I am still concerned about the worming of the old Widcomm issues on iPaqs, so I do have a dialog with Symantec currently open about it. I may provide sample code, if this is something I can take beyond a concept.

For the immediate time being, I do not foresee any more worm code. You could almost classify this sort of thing as a Nematode even - useful worms still have room for discussion in my mind. InqTana definitely crosses over some boundaries that people have in their minds about worms, but in this case, I think InqTana has done more benefit than it ever could harm.

Are you worried about prosecution at all?

Finisterre: Since this code was not maliciously released into the wild, I honestly had only given a little thought to it. I honestly see this being no different than any of the other exploits and full-disclosure-style releases that I do. I had asked a few folks to turn me on to malware specific laws, but I have yet to get any responses.

I was hoping that by being responsible and keeping this limited to proof-of-concept code, it would not come to that. I think it would be a shame to prosecute someone that did not have malicious intent.


Copyright 2006, SecurityFocus