Is iAdware here to Stay?
Written by Editor   
Wednesday, 06 December 2006 03:25

A couple of weeks ago there was a bit of buzz in the Anti-Spyware community about something branded as 'iAdware', which was some proof of concept code that could be used in an adware program for OS X. 

Since that initial buzz, the proof of concept code has been made available for download by the author and signatures have been added to various virus scanners. There have also been numerous discussions about how the proof of concept code works and whether it is a security bug or a feature. It turns out that it is a feature and not a bug. Many of the discussions also centered on whether the recent Apple Security Update 2006-007 would do anything to prevent or mitigate any threat posed by the PoC technique.

The code uses the InputManagers feature of OS X to hook itself into pretty much any application on an OS X system. The example code is amazingly simple; it could easily be dropped into place by the latest Safari exploit and does not even need administrative privileges. The malicious bit of code is simply dropped into '~/Library/InputManagers' and it will be executed whenever the user uses an application.
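Because the drop location is fixed and user-writable, it is easy to audit. The Python sketch below is an added example, not part of the original article or the PoC; it lists every entry under `~/Library/InputManagers` and flags Mach-O and universal binaries by their magic bytes. The function names and the report layout are illustrative choices.

```python
from pathlib import Path

# First four bytes of Mach-O and universal ("fat") files as stored on disk.
# Note: 0xCAFEBABE is also the Java class-file magic, so treat it as a hint.
MACHO_MAGICS = {
    bytes.fromhex("feedface"): "Mach-O 32-bit big-endian",
    bytes.fromhex("cefaedfe"): "Mach-O 32-bit little-endian",
    bytes.fromhex("feedfacf"): "Mach-O 64-bit big-endian",
    bytes.fromhex("cffaedfe"): "Mach-O 64-bit little-endian",
    bytes.fromhex("cafebabe"): "universal (fat) binary",
}


def classify(path):
    """Return a Mach-O description for a file, or None if it is not Mach-O."""
    try:
        with open(path, "rb") as fh:
            return MACHO_MAGICS.get(fh.read(4))
    except OSError:
        return None  # unreadable file: report nothing rather than guess


def audit_input_managers(home=None):
    """List each entry in <home>/Library/InputManagers with the binaries inside it."""
    base = (Path(home) if home else Path.home()) / "Library" / "InputManagers"
    findings = []
    if not base.is_dir():
        return findings  # directory absent: nothing can be loaded from it
    for entry in sorted(base.iterdir()):
        if entry.is_file():
            files = [entry]
        else:
            files = sorted(p for p in entry.rglob("*") if p.is_file())
        binaries = {}
        for f in files:
            kind = classify(f)
            if kind:
                binaries[f.relative_to(base).as_posix()] = kind
        findings.append({"entry": entry.name,
                         "mtime": entry.lstat().st_mtime,
                         "binaries": binaries})
    return findings


if __name__ == "__main__":
    for item in audit_input_managers():
        print(item["entry"], item["mtime"])
        for rel, kind in item["binaries"].items():
            print("   ", rel, "->", kind)
```

Any entry the user does not recognise as something they installed deliberately deserves a closer look, and an empty or missing directory is the expected state on most systems.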

As for the PoC code itself, it is mostly harmless: if you have anti-virus it will likely pick it up, and you actually have to infect yourself in order to try it out. So you're pretty much safe; however, the potential threat will come when the technique used in the PoC code is coupled with an existing or new vulnerability in OS X. The likely candidates would be Safari vulnerabilities that could be exploited in the good old 'drive by' fashion that is now a fact of life for Internet Explorer users.

If you'd like to check out the PoC code you can find it here. Assuming Apple do not look to implement some means to mitigate misuse of this feature, we could be seeing a lot more adware that targets Apple OS X users, plus with Universal Binaries the peddlers of Spyware get to infect users of both PowerPC and Intel OS X.

So watch this space, chances are there will be more malware to follow.... 


Last Updated ( Wednesday, 06 December 2006 03:30 )