It seems there is a trojan or botnet binary for OS X in the wild. Some details available at http://ithreats.wordpress.com/2009/01/22/latest-os-x-threat-iworkservices/. The iWorkservices binary is available here: iWorkServices-trojan.zip A very quick and dirty strings dump and disassembly seems to show a trojan with botnet capabilities. There are references to p2p and that can be the main clue. There are no clear string references to a specific IP address or URL, which nowadays makes sense since most botnet use p2p features to contact the master nodes....

While searching the web for some GDB patches I stumbled upon this fix to assemble function from gdbinit by Tavis Ormandy (good work!). I modified it a little bit to work with Mac OS X. This function allows you to assemble directly (using nasm, Intel format) to running program or just output the correspondent opcodes for your assembly input. Type help assemble. Very useful to get the opcodes you need to patch the binary....

I wanted to recompile GDB so I can modify its source and add some custom patches to enhance its output… Easier said than done! There’s not much information around about this and my first attempt was by downloading GDB source package from Apple and trying to compile it. Didn’t compile out of the box so I had to fix here and there and finally it compiled, but then it didn’t work....

I forgot to mention this previously but there is a mailing list available at http://0x90.org/mailman/listinfo/xso and an IRC channel at irc.freenode.net, #osxre. It’s still a small community but more people are showing up and IRC is always a good communication tool. I’m not administrator of both, but YOU are invited to join 😄. fG!

End of the year is slow and I was a bit inspired so I decided to hack around another features I was missing from gdbinit! First one is about conditional jump display. Original gdbinit doesn’t tell you what will be the decision that will be taken on a conditional jump. You must look at the flags and check that! Well… I can’t memorize this kind of stuff (in reality I can but it’s useless so I refuse to) and computers were created to automate tasks!...