[ISN] News of a Mac OS X worm incites death threats and intrigue

From: InfoSec News (alerts@private)
Date: Fri Jul 20 2007 - 01:07:28 PDT


By Robert Vamosi
July 19, 2007

A soap opera is playing out on the mailing lists of several security 
newsgroups this morning, complete with people hiding behind pseudonyms, 
people "outing" one another and rumors of death threats against the 
major players. At stake? A possible worm for Apple's Mac OS X operating 

Over the weekend, someone using the name Infosec Sellout posted on the 
BugTraq mailing list news of a worm exploiting a vulnerability in 
mDNSResponder, a component of Apple's Bonjour automatic network service. 
Apple patched the mDNSResponder vulnerability in May, but the author 
claims there remains an unpatched vulnerability. The author also claims 
to have a proof-of-concept worm ready to go, named Rape.osx, but says he 
won't release the worm. In a security vendor blog, McAfee quotes the 
author as saying he was compensated for this work.

As news of the posting and possible worm spread, skepticism grew. The 
author suffered harsh criticism from security colleagues for hiding 
behind a pseudonym, and for not providing any proof of the worm. The 
author also reportedly received death threats in reader posts to his 
blog site. In response, Infosec Sellout says in a blog post that he 
removed all prior postings on his blog site. Is that true? Last night 
someone else claiming to be Infosec Sellout claims the site in question, 
called Security Information, is not the real Infosec Sellout blog site, 
but a hijacked site, hence the lack of prior posts.

The story gets weirder. One of the names thought to be behind the hijack 
of Infosec Sellout is David Maynor of Errata Security, who might be 
using the name "LMH." Last summer, during BlackHat USA, security 
researchers David Maynor and Johnny Cache disclosed a wireless 
vulnerability using an Apple Computer Macbook. The team found that 
malformed network traffic could allow the laptop to be compromised, and 
they provided a video of the attack. The researchers did use a 
third-party wireless card for their video demonstration, but said 
repeatedly that the Apple Airport wireless driver was also vulnerable. 
Two months after BlackHat, Apple quietly released a patch, which, if the 
vulnerability that was fixed had been exploited, could have compromised 
the Airport wireless drivers in MacBooks.

This morning in a post on the Fuzzing mailing list, someone calling 
himself David Maynor responded. In a post called "The Truth," the author 
using the name LMH says he is David Maynor and then proceeds to confess 
that after last summer he needed to hide behind the name "LMH" to get 
the word out about new vulnerablities. Yet if you go over to the Errata 
Security blog site, the real David Maynor says the Fuzzing mailing list 
post is a sham, and cites several factual errors. We took the text and 
put it through Hacker Factor Solutions Gender Guesser and it appears a 
male did indeed write the Fuzzing plot. But based on the words chosen 
and sentence length, the tool also suggests it was a male European who 
wrote it. David Maynor has been based near Atlanta, Ga., for years.

Remember all of this intrigue concerns a proof-of-concept worm that no 
one has seen that supposedly affects a patched vulnerability in 
mDNSResponder on Apple OS X.

Stay tuned for more weirdness. 

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Fri Jul 20 2007 - 01:21:52 PDT