OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis

'Tis the season.

Here is a nice collection of ~100 Mac OS malware and Word document exploits carrying MacOS payload (all are CVE-2009-0563) along with links for OSX malware analysis.

Please send your favorite tools for OSX if they are not listed.

CVE-2009-0563

CVE-2009-0563
Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."

Links

Some OSX malware analysis tools and links 

• http://computer-forensics.sans.org/community/papers/gcfa/mac-os-malware-analysis_2286
• http://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X
• http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html

Tools

• Activity Monitor (Max OSX Utilities folder)
• MacMemoryze (support for Mountain Lion) free, 
• Volatility (partial support for Mountain lion) free
• fseventer (graphical event representation) - works on Mountain lion 
• Wireshark
• IDA pro
• OSXpmem (kernel extension)
• http://osxbook.com/ OSX internals
• 2009 Mac OS X Malware Analysis Author: Joel Yonts
• Apple OS X ABI Mach-O File Format Reference  
• FileXray $79 but looks like it is worth it if you do OSX forensics
• ...let us know what you use

Malware in the provided package - links to research and news articles

• OSX_AoboKeylogger http://aobo.cc/
• OSX_BackTrack-A
• OSX_Boonana http://contagiodump.blogspot.com/2010/11/nov-14-javaboonana-facebook-trojan.html
• OSX_ChatZum http://www.thesafemac.com/chatzum-discovered-in-another-installer/
• OSX_Clapzok http://www.intego.com/mac-security-blog/clapzok-a-multi-platform-virus/ 
• OSX_Crisis http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/
• OSX_Dockster_Backdoor http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html
• OSX_FkCodec http://www.thesafemac.com/osxfkcodec-a-in-action/
• OSX_Flashback http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99
• OSX_Fucobha_IceFog http://www.securelist.com/en/blog/208214064/The_Icefog_APT_A_Tale_of_Cloak_and_Three_Daggers
• OSX_GetShell http://www.symantec.com/security_response/writeup.jsp?docid=2013-020412-3611-99
• OSX_Hacktool_Hoylecann
• OSX_HellRaiser http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
• OSX_HellRTS http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
• OSX_Hovdy_Backdoor http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Hovdy-A.aspx
• OSX_Inqtana http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99&tabid=2
• OSX_Iservice http://www.symantec.com/connect/blogs/osxiservice-it-s-not-going-iwork-you
• OSX_Jahlav http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/
• OSX_Kitmos http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html
• OSX_Lamadai http://www.welivesecurity.com/2012/03/28/osxlamadai-a-the-mac-payload/
• OSX_Leverage_A_Backdoor http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
• OSX_LocalRoot https://www.trustedsec.com/august-2013/osx-10-8-4-local-root-privilege-escalation-exploit/
• OSX_Macarena_A http://www.securelist.com/en/analysis/204791948/Mac_OS_X#macarena
• OSX_MacDefender http://www.intego.com/mac-security-blog/macdefender-rogue-anti-malware-program-attacks-macs-via-seo-poisoning/
• OSX_MacKontrol http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
• OSX_Macsweeper http://en.securitylab.ru/viruses/311798.php
• OSX_Miner_DevilRobber http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Miner-D/detailed-analysis.aspx
• OSX_Olyx_Backdoor http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html
• OSX_OpinionSpy http://www.f-secure.com/sw-desc/spyware_osx_opinionspy.shtml
• OSX_PSides
• OSX_Genieo http://www.thesafemac.com/malicious-genieo-installers-persist/
• OSX_PUP_PerfectKeylog http://www.blazingtools.com/mac_keylogger.html
• OSX_Renepo / Pintsized http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/
• OSX_Revir http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html
• OSX_Safari
• OSX_SniperSpy http://www.sniperspymac.com/download.html
• OSX_Wirenet http://www.webroot.com/blog/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/
• OSX_Yontoo http://www.macrumors.com/2013/03/21/new-yontoo-adware-trojan-targets-major-browsers-on-os-x/
• OSXWeapoX http://www.virusradar.com/OSX_Rootkit.Weapox.A/description
• ------------------------------------
• CVE-2009-0563 Word exploit

• MacControl payload  http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
• OSX.SabPub payload http://www.securelist.com/en/blog/208193470/New_Version_of_OSX_SabPub_Confirmed_Mac_APT_attacks
• OSX/Dockster.A payload  http://www.intego.com/mac-security-blog/new-targeted-attack-on-tibetan-activists-using-os-x-discovered/
• OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html and http://blogs.technet.com/b/mmpc/archive/2012/04/30/an-interesting-case-of-mac-osx-malware.aspx

Download

Download. Email me if you need the password
OSX_CrisisB_a32e073132ae0439daca9c82b8119009 
Additional older downloads

1. OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html 
2. misc OSX malware on contagio http://contagiodump.blogspot.com/search/label/-%20OSX
3. 30 samples of ancient Mac OS malware http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html

List of files provided in this post

1. OSX_AoboKeylogger_362D5DDB3924C625589B42030B66CA69
2. OSX_BackTrack-A_B03276BFBF85CFDD7C8998004C1200DA
3. OSX_Boonana_B3A0B0DA5AA01FF200CEBC8AF359A3C3
4. OSX_ChatZum_487E5CD581587D63783CDD356DE9CF24
5. OSX_ChatZum_57A4EB15CAA4FCC0A8F6AFBBD66C4859
6. OSX_Clapzok_99FE5AD5FF514F5AAEA8E501DDBAF95B
7. OSX_Crisis_04BBDA5B11FA0FD3C767CAF4719D6A4D
8. OSX_Crisis_42C112036E319ED8DF0F55C7F4C0DA85
9. OSX_CrisisBOSX_CrisisB_a32e073132ae0439daca9c82b8119009 _a32e073132ae0439daca9c82b8119009 
10. OSX_Crisis_59FE83E0AE12E085E0FA301ECCA6776F
11. OSX_Crisis_6F055150861D8D6E145E9ACA65F92822
12. OSX_Crisis_A32E073132AE0439DACA9C82B8119009_Biglietto Visita
13. OSX_Crisis_ACEC5F00057D3EC94849511F3EDDCB91
14. OSX_Crisis_FAAB883598C8C379ACFD0B9DCCC93D0C
15. OSX_Dockster_Backdoor_C6CA5071907A9B6E34E1C99413DCD142
16. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF
17. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF_Codec-M
18. OSX_FkCodec_B4ECE10D1E706B87B065523A654D48A7_download.dmg
19. OSX_FkCodec1C5AE9F1DD9FE6F506EAABD382925CA8_codec-M.safariextz
20. OSX_Flashback_3DCB6D6A9EA8D9755EB61AE057B3D74A
21. OSX_Flashback_9FCFE8EF92F51F1C29A26E1516EF7003_FlashPlayer-11-macos.pkg
22. OSX_Flashback_C2819C3C183BBF7547CF76C6A004EA15_FlashPlayer-11-macos.pkg
23. OSX_Fucobha_IceFog_A615DD792093191E9FC975132A2DB409A_CleanMyMac
24. OSX_Fucobha_IceFog_B4249F9B49A9A177B4D2F4439373029A
25. OSX_Fucobha_IceFog_CF1815491D41202EB8647341A8695E1E
26. OSX_GetShell_68078CBD1A34EB7BE8A044287F05CCE4
27. OSX_GetShell_AC99ACE403D31C7079C938F9B0FD0895
28. OSX_GetShell_ACC2B4A595939F17F7D07DE2CF75CDC8
29. OSX_Hacktool_Hoylecann_FED8E22AE6F080F9B05A309C7E48B5EF
30. OSX_HellRaiser_CA74984601287459AFB7B39EBEBDD394
31. OSX_HellRTS.AH_KeystrokeRecorder X Pref Editor_C19377D07A234D1585D85F8FA3CF77FB
32. OSX_HellRTS_F1AD75AEB4B4C2883DF2221C8804DA2A.AH
33. OSX_Hovdy_Backdoor_FED713CAC7012D25F60B236E6DDCF513
34. OSX_Inqtana.zip
35. OSX_Iservice_4C9E7EE7C0F5C19C68B45CA6C81F8D62
36. OSX_Iservice_E34BA325F3EEB8DF07A09EE9FBF1071D
37. OSX_Jahlav_12F32EACBB3CD2C5623EE6976A51913A_QuickTime.xpt
38. OSX_Jahlav_CCB72243EF478EEFE90B5898EC32389B
39. OSX_Jahlav_D7DDF72D17F889C2C5B302AC0A5FBDC5
40. OSX_Jahlav_FB79A75A6152EF47BBF88AE8544545CC.pl
41. OSX_Jahlav_flash.zip
42. OSX_Kitmos_A_39FAA22EB9D6B750EC345EFCB38189F5
43. OSX_Kitmos_A_3AA9C558D4D5F1B2A6D3CE47AA26315F
44. OSX_Kitmos_A_B3D49091875DE190F200110C2F2032D4
45. OSX_Lamadai_20F0D0CE8A413A51EB16DEE860021E6A
46. OSX_Lamadai_DE90189F040494E3708D83A33E37E40E
47. OSX_Leverage_A_Backdoor_C425D2BE8B4AF733A44EC1518F182BE8
48. OSX_LocalRoot_3DC01743FB42E917E9F9EDE5009F10CD
49. OSX_Macarena_A_BFC7B7B9D3E1DF9D6E1A31D3E7BED628
50. OSX_MacDefender_8AE7163C7C3C02564A4C69DF1F7C483E_Archive.pax
51. OSX_MacDefender_E187F4071723808560E135647245562A_Archive.pax
52. OSX_MacKontrol_89C35C057655E67580EFD0FF8242D960
53. OSX_MacKontrol_E88027E4BFC69B9D29CAEF6BAE0238E8_matiriyal.dmg
54. OSX_Macsweeper_4836CC480796386ED6929C38E5AAD525
55. OSX_Miner_DevilRobber_417369B713F1A5F3A3DC0DAF76BDCFD6
56. OSX_Miner_DevilRobber_EE2BA586232007FA41703EB120AC7408
57. OSX_Miner_F8EBF03E88928EBF91A8420E3D5993FE
58. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F
59. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F_Current events 2009 July 5
60. OSX_OpinionSpy_C98AE54F4BE1082B4E82548D7511077E_Crystal-Clock-screensaver.zip
61. OSX_OpinionSpy_CC33C95C59372AFCA60A0552A58D0EF8_Crystal-Clock-screensaver.zip
62. OSX_PSides_32F4792B1141BA259067F9613E2E88B5
63. OSX_PUP_AABEDBAAB63EF19657A3A82C930CCE18_Genieo_InstallGenieo.dmg
64. OSX_PUP_PerfectKeylog_1B192319C8F41036A2D6B8E987809D42
65. OSX_Renepo_80753666A54A8AE97BD6ED3A4E2F3702
66. OSX_RevirA_FE4AEFE0A416192A1A6916F8FC1CE484_revir-a.dmg
67. OSX_RevirC_Imuler_7DBA3A178662E7FF904D12F260F0FFF3
68. OSX_Safari_B24C0E60AF3D3E836FBE8A92FBCC8EB7.dat
69. OSX_SniperSpy
70. OSX_Wirenet_50D4F0DA2E38874E417BD13B59F4C067
71. OSX_Wirenet_B56AD86A4BACEF92EF46D36EABEF6467
72. OSX_Wirenet_D048F7AE2D244A264E58AF67B1A20DB0
73. OSX_Yontoo_16ACCB0ABC051D667640B1EE4FF3A7A1
74. OSX_Yontoo_7C433B3AC0E8072BA5E6B57298E1B28B
75. OSXWeapoX_7FDEBB5FEC63FB3739A79A66265BB765

EXPLOITS
OSX_CVE-2009-0563 targeting Tibetan and Uyghur activists (filenames shortened here)

1. 0DA957B9B952420241F945A9A2C52A50_C2-alma.apple.cloudns.org_ParticipantsArrivalDeparture.doc
2. 0E5110493FD197813068310E57467B44_C2-alma.apple.cloudns.org _Uighur Han unrest.doc
3. 0E945428D07464EC33EBDFF5712FE788_C2-update.googmail.org_Jenwediki yighingha.doc
4. 1218840F3B66832CC58C33C75AD3D419_C2-update.googmail.org_Uyghur_Xitayning Yengi Rehberlik.doc
5. 1CE3C4A8907A242250D366586711CBDC_C2-alma.apple.cloudns.org _Rabiye_hanim_bilen_Dolkun_Isa.doc
6. 2567399683111CFCB838C5DA80DF181D_Tibetan Parliament urges World to take concrete step on Tibet.doc
7. 28821C5FD38B11EE630D87961C11A3D7_DUQning reyisi namzatlar isimliki.doc
8. 3D28AE551B9BD4C62FFC6C72F5668D96_Tibet_The United Nations Commission for Human Rights.doc
9. 3D90D04C09C6B4D5D52888C89BDE9685_Tibetan Parliament urges World.doc
10. 567ECE88B2D6F4F12F0D0760C30605EE_C2-apple12.crabdance.com_list.doc
11. 58A0A5824A6B30EA7EEBBB51818AE04B_uYGHUR_Jenwe yinghinining xeweri.doc
12. 786A7D1A1DCEC50E6A89E3CC8F33A3AE_Uyghur_Dunya Uyghur Qurultayigha iane qilish toghrisida.doc
13. 7D7A5C530A7DBF24C42145A0EFCC8669_kurban-bayrami.doc
14. 8618BCCB98F7D20634EBEDC488981E86_C2-update.googmail.org_email73.doc
15. 908116A30F53EDF9D1749E3F0F267680_Website-TGSL.doc
16. 9F9F96D5C882528D08315201042647DF_C2-update.googmail.org_Uyghur_The Duke Program.doc
17. BA76DE3471497A8B1858AF4A8C700AE1_www.uyghurcongress.org.doc
18. C024E159A96F3292915B257070FC3325_Sartin-TGSL.doc
19. DD7C486BC17772A5E96425271FA5ED4D_c2-apple12.crabdance.com_10. Jahresgedenktag.doc
20. E510AE50B0344EFBE1F8888771C7446C_www.tughlan.com.doc
21. E683339BCCFDEB0F06C7E567F2C284C5_Planning for action.doc
22. ECE44C00D46BE019AFF38FD5D31B9110_C2-update.googmail.org_UAA 2012 Saylam Komtiti saylam.doc
23. F81775C93F7337E0664F1D106E13C7B3_C2-update.googmail.org_Uyghur_Human Rights Education.doc
24. FBE399BF714184ED7FEA313F36A86514_C2-apple12.crabdance.com_Uyghur_Putun Dunyadiki Sherqi.doc
25. MacOSSabpub-A_43F281076E185E55BECE7EB2F0EC8164.doc