
This post is a collection of attack scripts and overflow code for the Mac OS X system, with resource links and related explanatory documents. Bookmarking it.

'Tis the season.

Here is a nice collection of ~100 Mac OS malware samples and Word document exploits carrying a MacOS payload (all CVE-2009-0563), along with links for OSX malware analysis.

Please send your favorite tools for OSX if they are not listed.

CVE-2009-0563

Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."

Links

Some OSX malware analysis tools and links 

http://computer-forensics.sans.org/community/papers/gcfa/mac-os-malware-analysis_2286
http://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X
http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html
Tools

Activity Monitor (Mac OSX Utilities folder)
MacMemoryze (support for Mountain Lion) - free
Volatility (partial support for Mountain Lion) - free
fseventer (graphical event representation) - works on Mountain Lion
Wireshark
IDA Pro
OSXpmem (kernel extension)
http://osxbook.com/ - OSX internals
2009 Mac OS X Malware Analysis, author: Joel Yonts
Apple OS X ABI Mach-O File Format Reference
FileXray - $79 but looks like it is worth it if you do OSX forensics
...let us know what you use


Malware in the provided package - links to research and news articles


OSX_AoboKeylogger http://aobo.cc/
OSX_BackTrack-A
OSX_Boonana http://contagiodump.blogspot.com/2010/11/nov-14-javaboonana-facebook-trojan.html
OSX_ChatZum http://www.thesafemac.com/chatzum-discovered-in-another-installer/
OSX_Clapzok http://www.intego.com/mac-security-blog/clapzok-a-multi-platform-virus/
OSX_Crisis http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/
OSX_Dockster_Backdoor http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html
OSX_FkCodec http://www.thesafemac.com/osxfkcodec-a-in-action/
OSX_Flashback http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99
OSX_Fucobha_IceFog http://www.securelist.com/en/blog/208214064/The_Icefog_APT_A_Tale_of_Cloak_and_Three_Daggers
OSX_GetShell http://www.symantec.com/security_response/writeup.jsp?docid=2013-020412-3611-99
OSX_Hacktool_Hoylecann
OSX_HellRaiser http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
OSX_HellRTS http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
OSX_Hovdy_Backdoor http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Hovdy-A.aspx
OSX_Inqtana http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99&tabid=2
OSX_Iservice http://www.symantec.com/connect/blogs/osxiservice-it-s-not-going-iwork-you
OSX_Jahlav http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/
OSX_Kitmos http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html
OSX_Lamadai http://www.welivesecurity.com/2012/03/28/osxlamadai-a-the-mac-payload/
OSX_Leverage_A_Backdoor http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
OSX_LocalRoot https://www.trustedsec.com/august-2013/osx-10-8-4-local-root-privilege-escalation-exploit/
OSX_Macarena_A http://www.securelist.com/en/analysis/204791948/Mac_OS_X#macarena
OSX_MacDefender http://www.intego.com/mac-security-blog/macdefender-rogue-anti-malware-program-attacks-macs-via-seo-poisoning/
OSX_MacKontrol http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
OSX_Macsweeper http://en.securitylab.ru/viruses/311798.php
OSX_Miner_DevilRobber http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Miner-D/detailed-analysis.aspx
OSX_Olyx_Backdoor http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html
OSX_OpinionSpy http://www.f-secure.com/sw-desc/spyware_osx_opinionspy.shtml
OSX_PSides
OSX_Genieo http://www.thesafemac.com/malicious-genieo-installers-persist/
OSX_PUP_PerfectKeylog http://www.blazingtools.com/mac_keylogger.html
OSX_Renepo / Pintsized http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/
OSX_Revir http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html
OSX_Safari
OSX_SniperSpy http://www.sniperspymac.com/download.html
OSX_Wirenet http://www.webroot.com/blog/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/
OSX_Yontoo http://www.macrumors.com/2013/03/21/new-yontoo-adware-trojan-targets-major-browsers-on-os-x/
OSXWeapoX http://www.virusradar.com/OSX_Rootkit.Weapox.A/description

------------------------------------
CVE-2009-0563 Word exploit

MacControl payload http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
OSX.SabPub payload http://www.securelist.com/en/blog/208193470/New_Version_of_OSX_SabPub_Confirmed_Mac_APT_attacks
OSX/Dockster.A payload http://www.intego.com/mac-security-blog/new-targeted-attack-on-tibetan-activists-using-os-x-discovered/
OSX_Docklight payload http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html and http://blogs.technet.com/b/mmpc/archive/2012/04/30/an-interesting-case-of-mac-osx-malware.aspx

Download

Download all files listed below. Please email me if you need the password scheme
OSX_CrisisB_a32e073132ae0439daca9c82b8119009  
Additional older downloads

OSX_Docklight payload http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html
misc OSX malware on contagio http://contagiodump.blogspot.com/search/label/-%20OSX
30 samples of ancient Mac OS malware http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html

List of files provided in this post

EXPLOITS
OSX_CVE-2009-0563 targeting Tibetan and Uyghur activists (filenames shortened here)


Reposted from: https://my.oschina.net/u/1188877/blog/178936
