Security News

Multi-Platform Proof of Concept Virus Clapzok.A Examined

Posted on June 4th, 2013 by

A multi-platform virus, named Multi/Clapzok.A, have been released by researcher JPanic. It is written in Assembly, and targets Windows, Linux and OS X 32-bit executables.

This proof of concept is an update of JPanic's Capzloq Tekniq (2006), that targets Windows and Linux operating systems. The OS X infection process is similar to the concept Roy G Biv exposed with MachoMan (2006) on VX Heavens.

Peter Ferrie, Principal Anti-virus Researcher at Microsoft Corporation, has published an analysis in the Virus Bulletin issue of June 2013. While this content is only available to subscribers, well known reverser Fractal Guru also published a technical analysis of the OS X infection on his blog.

In short, when the virus is executed, it looks for other 32-bit executables (either Windows, Linux or OS X native and FAT binaries) to replicate itself.

multi

On OS X, it modifies the __PAGEZERO load command to store its code, then changes the entry point in LC_UNIXTHREAD to trigger its execution. It then restores the original entry point in memory, so the infected program can run normally.

It does not infect 64-bit executables (shellcode is 32-bit) or programs built with the latest Developer Tools, where GCC's LC_UNIXTHREAD has been replaced by LC_MAIN in Clang. Also, fat binaries that contain both i386 and x86_64 architectures, running on a 64-bit machine, won't execute the virus payload. Finally, a code-signed binary would detect the modification.

Despite the significant limitations, this academics research is interesting as it exposes simple caveats Apple hasn't patch since 2006.

JPanic has not published his source code yet, and our malware researchers have not spotted any malicious use of his work.

Intego VirusBarrier with latest Virus Definitions detect Multi/Clapzok.A and similar __PAGEZERO load command abuses.

  • Guy

    So how exactly does one get infected? If this is another, “trick user into infecting himself”, then it really isn’t a virus.

    • LysaMyers

      Hi Guy,
      Please keep in mind that this is a proof of concept – showing that something is possible, not something that people need to be worried about.

      • Guy

        No I understand that, but it shouldn’t be called a virus unless it meets the criteria of one. The people who come here to read the article most likely know what the difference is and unless the delivery method is defined it should be called a more general term like malware

        • LysaMyers

          The definition of a virus is self-replicating code, and this meets that criteria. But since there isn’t a delivery method per se, because this is only a proof of concept, we can’t really speculate on how it would perform in the wild.

          • Guy

            OK I’ll buy that and thank you for your even-tempered replies. Too little of it on the interwebz

        • wily

          show some respect, “guy”, do you have any idea who jpanic is?

Join Our Awesome Email Newsletter

Enter your email address below to start receiving the best Mac Security Updates.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}