Security researcher Dino Dai Zovi has released a set of advanced rootkit tools for Mac OS X. This follows his recent presentation at Black Hat, which, “covered a number of Mach-based rootkit tools and techniques including user-mode Mach-O bundle injection, Mach RPC proxying, in-kernel RPC server injection/modification, and kernel rootkit detection.”
Dai Zovi says, “These tools are deliberately released as ‘non-hostile’ proof-of-concept tools that are meant to demonstrate techniques and are not suitable for use in actual rootkits or attack tools. The IM and SSL logging bundles log to the local system’s disk in an obvious fashion and Machiavelli opens up the controlling host to some obvious attacks. The non-Machiavelli version of inject-bundle, however, is fully functional and useful for a variety of system-level tasks. Using the other tools outside of a closed network or test virtual machine is not recommended.”
While this is true, in the wrong hands such tools can be used for malicious purposes. As is often the case with such “proof-of-concept” tools, you don’t need to go very far to find users who have different goals. We’ll be keeping a close eye on this.