Mac OS X Kernel debugging with VMware

I love VMware (used it since its first releases) and I love it even more now 😄. Yesterday I had the not so crazy idea (and not original) to use VMware for Mac OS X kernel debugging because the newest Little Snitch version seems to have a new anti-debug trick and I don’t have another Mac at hand. After some trial and error I managed to get it working, so let’s show how it’s possible....

March 5, 2009 · 7 min · 1407 words

Serial phishing tutorial !!! It’s hot hot hot ;)

Hey, today is a slow day and I got a suggestion to write about serial phishing. Someone else suggested an easy target, and here it is: a tutorial about serial phishing. The target is a very easy one, so you should be able to understand everything and practice your GDB skills a little more. Here are the files: serial-phishing.txt macdvix.dmg (SHA1(MacDviX.dmg)= 9eb463acff18d003c4a0d619171ce0cd93bc53e6) (Unfortunately I lost the installer and can’t find it on my backups 😢)....

February 23, 2009 · 1 min · 92 words

iWork/Photoshop Trojan or Botnet Binary found

It seems there is a trojan or botnet binary for OS X in the wild. Some details are available at http://ithreats.wordpress.com/2009/01/22/latest-os-x-threat-iworkservices/. The iWorkServices binary is available here: iWorkServices-trojan.zip A very quick and dirty strings dump and disassembly seems to show a trojan with botnet capabilities. There are references to p2p, and that can be the main clue. There are no clear string references to a specific IP address or URL, which nowadays makes sense since most botnets use p2p features to contact the master nodes....

January 22, 2009 · 2 min · 388 words

What’s wrong in this picture?

While browsing around http://www.apple.com/downloads to check for any interesting software (I really like the Featured 3rd party and latest software sections) I found this well designed CD burning app, Disco (http://www.discoapp.com). I really like their website design (I have a big passion for design although I can’t design anything myself) and decided to try their app since it fits two characteristics: a well designed interface and a software protection! Hurray. Open it, bang, Little Snitch warns about a connection attempt and a nice registration dialogue appears....

November 21, 2008 · 2 min · 314 words

Onyx The Black Cat v0.2

Here it is with support for Leopard and extended attributes. All calls related to extended attributes are traced and dumped to /var/log/system.log (I find it more useful than fs_usage for these specific calls). Check the .c file for options related to this. For Leopard support you need to edit the .c file and change the define. I’m still searching for a better way to detect Leopard or Tiger in Xcode. Maybe a Makefile flag....

November 16, 2008 · 1 min · 160 words