Friday, March 3, 2006

Interview with KF - Creator of the OS X InqTana Worm

SecurityFocus.com has a great interview with Kevin Finisterre, creator of the InqTana worm. He has been an Apple user for a while and created the OS X malware in an attempt to pull back the thin veil that seems to be keeping many OS X users blind to possible threats.

InqTana was designed to be a POC and had built-in methods to reduce its overall threat. Therefore, many AV companies saw it as a "low" threat from the very beginning.

However, on Feb 21, Sophos issued a bad IDE for the InqTana.B worm. At around 8am, I found that Sophos was detecting Epson printer drivers, Adobe files and even Microsoft Office 2004 files as the InqTana.B worm. I was 97% sure it was a false positive and reported it to Sophos as quickly as possible...within 45 minutes a new IDE was released. Fun Day! =)

Since Sophos isn't big on the "Quarantine" idea, it was deleting files as fast as the clients were automatically updated. While I agree with the general idea, I believe that disabling access to a possible malware file is much better than just deleting it by default. Since Sophos was deleting the files, it made it very hard to get a good sample file to send them...hello, they were deleted.

What if Sophos detects a critical non-running SAP file as malware? This has happened to me and we had to reinstall the SAP client on around 10 workstations...also not a fun day.
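To show what "disabling access instead of deleting" looks like in practice, here is an added example (my own illustration, not code from the post, from Sophos, or from any AV product). It quarantines a flagged file by moving it into a holding directory, stripping all permission bits, and writing a JSON manifest with the original path and SHA-256 so the sample survives for submission to the vendor and can be restored if the detection turns out to be a false positive. The quarantine directory layout, the manifest fields and the sample file are assumptions I made up for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
import uuid
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries (drivers, Office files) do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path, qdir, detection: str) -> Path:
    """Move a flagged file into qdir, make it unreadable, and record enough metadata to restore it.

    Returns the path of the manifest; the sample itself is kept intact (hash recorded) so it can
    still be sent to the vendor, which is exactly what a delete-on-detect policy makes impossible.
    """
    path = Path(path).resolve()
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)

    digest = sha256_of(path)                         # hash before anything touches the file
    mode = path.stat().st_mode & 0o777               # remember original permission bits
    stored = qdir / f"{uuid.uuid4().hex}.quarantined"  # opaque name: original name may itself be misleading
    manifest = stored.with_suffix(".json")

    shutil.move(str(path), str(stored))              # file is no longer where programs expect it
    os.chmod(stored, 0)                              # mode 000: nothing can read or execute it (hypothetical policy)

    record = {
        "original_path": str(path),
        "stored_as": str(stored),
        "sha256": digest,
        "mode": mode,
        "detection": detection,
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    manifest.write_text(json.dumps(record, indent=2))
    return manifest


def restore(manifest) -> Path:
    """Undo a quarantine after the vendor confirms a false positive, verifying the sample is unchanged."""
    manifest = Path(manifest)
    rec = json.loads(manifest.read_text())
    stored = Path(rec["stored_as"])

    os.chmod(stored, rec["mode"])                    # permissions back before we can even hash it
    if sha256_of(stored) != rec["sha256"]:
        raise RuntimeError("quarantined sample was modified; refusing to restore")

    dest = Path(rec["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(stored), str(dest))
    manifest.unlink()
    return dest


def demo() -> dict:
    """Round-trip a constructed sample through quarantine and restore; returns the checks as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        suspect = root / "Office 2004" / "Entourage.bin"   # constructed stand-in for a mis-detected Office file
        suspect.parent.mkdir()
        suspect.write_bytes(b"constructed sample bytes, not real malware")
        original_hash = sha256_of(suspect)

        manifest = quarantine(suspect, root / "quarantine", "InqTana.B (suspected false positive)")
        rec = json.loads(manifest.read_text())
        removed = not suspect.exists()
        locked = (Path(rec["stored_as"]).stat().st_mode & 0o777) == 0

        restored = restore(manifest)
        return {
            "removed_from_place": removed,
            "locked": locked,
            "hash_preserved": rec["sha256"] == original_hash,
            "restored_intact": restored.exists() and sha256_of(restored) == original_hash,
            "manifest_cleared": not manifest.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is the workflow the post is describing: when a bad IDE fires on printer drivers or an SAP client, the admin still has the bytes and the hash to hand the vendor, and restoring the workstation is a single call rather than a reinstall.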

Will 2006 be the "Year of the OS X Exploits"??

I hope so for the sake and security of all OS X users. Real threats against Apple have been few and far between...but that trend is starting to change.

Awareness is key.

The Mac Faithful should remember this old Kenyan proverb -

Blind belief is dangerous.
