Search This Blog

Showing posts with label Mac OS X Hacks. Show all posts

Forensics Vendor Passware warns Mac OS X FileVault 2 easily decrypted

Passware, Inc., a provider of password recovery for law enforcement, issued a warning that its Forensic Tools capable of breaking the Disk encryption security in Mac OS.

FileVault provides 128bit AES encryption of all files located within your home directory of Mac OS X. A master password (and recovery key in 10.7+) is created as a precaution against a user losing their password.

Passware Kit Forensic v11.3: can decrypt the a FileVault-encrypted Mac disk within 40 minutes-regardless of the length or complexity of the password. Passware says its utilities can now easily gain a FileVault encryption key from the target computer memory, which provides full access to the encrypted Mac hard disk.


“Full disk encryption is becoming a major obstacle for digital investigations,” said Dmitry Sumin, president, Passware, Inc. “The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative
challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis."

Passware Kit Forensic is available directly from Passware for $995 with one year of free updates. PassWare makes this software primarily available for law enforcement.

A Mac Trojan "DevilRobber" Upgraded to v3 and masquerades as PixelMator



DevilRobber(Backdoor:OSX/DevilRobber) is the Latest Malware that targets Mac OS X users, it is now upgraded and masquerades as PixelMator . Based on the malware's dump.txt file, this latest backdoor is identified as Version 3 (v3).

"The main point of difference in DevilRobberV3 is that it has a different distribution method — the 'traditional' downloader method." F-Secure Researchers says. 

The previous of Version of this Trojan masquerades as some other legitimate Mac Application, this time PixelMator Application.

Previously this Trojan log the number of files that match a certain set of criteria, and also steal the Terminal command history and Bitcoin wallet.  Also they performed the following;
  •  Opens a port where it listens for commands from a remote user.
  •  Installs a web proxy which can be used by remote users as a staging point for other attacks.
  • •Steals information from the infected machine and uploads the details to an FTP server for later retrieval.

Changelog for this Upgraded Trojan (This is first time we are posting changelog for a virus).
  • It no longer captures a screenshot
  • It no longer checks for the existence of LittleSnitch (a firewall application)
  • It uses a different launch point name
  • It harvests the shell command history
  • It harvests 1Password contents (a password manager from AgileBits)
  • It now also harvests the system log file

Unfortunately, It still attempts to steal Bitcoin wallet contents though.

Critical Vulnerability found in Apple Mac OS X Sandbox Mechanisms


CoreLabs Researchers discovered critical Vulnerability in Mac OS X's sandboxing mechanisms.They published the Advisory information on Nov 10,2011.

Vulnerability Description

Several of the default pre-defined sandbox profiles don't properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality. Namely, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.

It is worth mentioning that a similar issue was reported by Charlie Miller in his talk at Black Hat Japan 2008 . He mentioned a few processes sandboxed by default as well as a method to circumvent the protection. Sometime after the talk, Apple modified the mentioned profiles by restricting the use of Apple events but did not modify the generic profiles.

According to the Advisory,Apple Mac OS X 10.7.x,10.6.x,10.5.x are vulnerable .

Apple Mac OS X 10.4 is non-vulnerable.