At the Black Hat security conference last week, security researcher Dino Dai Zovi presented a proof-of-concept rootkit that runs on Apple’s Mac OS X operating system, underscoring the fact that all software has flaws. Dai Zovi’s proof-of-concept rootkit is called Machiavelli, a reference to the Mach kernel that underpins Mac OS X.
“Machiavelli consists of a Mach proxy server on the local controlling host and a number of remote agent servers that run on remote compromised hosts,” Dai Zovi explains in a technical paper that describes his work. “On the controlling host, rootkit management utilities obtain a proxy Mach port from the proxy server and use it just as a normal application would use a local Mach port.”
With his presentation complete, Dai Zovi plans to release several Mac software tools related to his research on his Web site soon. These include: Inject Bundle, for data injection; iChatSpy, code for logging instant messages; SSLSpy, for logging SSL traffic; iSightSpy, for capturing a single frame from any Apple iSight camera; Machiavelli, for remotely controlling a compromised system; and Uncloak, a rootkit identification tool.