| Inqtana | |
|---|---|
| Type | Network worm |
| Creator | Kevin Finisterre |
| Date Discovered | 2006.02.17 |
| Place of Origin | Columbus, Ohio, USA |
| Source Language | Java |
| Platform | Mac OSX |
| File Type(s) | .tgz |
| Infection Length | 186,222 bytes |
Inqtana was the second worm for Mac OSX. The worm propagates through a vulnerability in unpatched Mac OSX systems. The worm is not wild, having been created by a man who was concerned about Macintosh security. It appeared very shortly after another worm for OSX, Oompa also known as Leap.
Behavior
Inqtana arrives on a computer from three OBEX Push requests. Upon the user accepting these requests, the worm will create three files. The file w0rm-support.tgz contains main worm components. The other two, com.openbundle.plist and com.pwned.plist contain code that allows the worm to execute when the system starts and are copied to the user's launch agent directory.
The worm exploits a directory traversal vulnerability in Bluetooth for Mac OSX to create the files InqTest.class, libavetanaBT.jnilib, javax and de in the /Users folder.
When the computer is restarted, it will search for enabled Bluetooth devices. When it finds one, it will send an OBEX Push request in an attempt to send itself to the other computer.
The worm will not work after 2006.02.24. In addition, it uses a demo version of the Avetana Bluetooth Java library, further hobbling its ability to spread.
Variants
The original Inqtana has two variants both created by Kevin Finisterre. They are also proof of concept viruses that are unlikely to be seen outside of virus/worm labs.
Inqtana.B
In this variant, the file containing the main part of the worm is named w0rms.love.apples.tgz. The startup routine has been modified so that it can affect OS X versions 10.4 and 10.3, where the original could only affect 10.4. This version places files under the Input managers directory. The files are (including their directories under input managers):
*/InqTanaHandler/InqTanaHandler.bundle/aa
*/InqTanaHandler/InqTanaHandler.bundle/Contents/Info.plist
*/InqTanaHandler/InqTanaHandler.bundle/Contents/MacOS/InqTanaHandler
Inqtana.C
This version uses the name applec0re.tgz as its main body's file name. It is designed to start when any application is started.
Creator
The creator of the worm, Kevin Finisterre, says he created the worm to raise awareness for security on Apple computers. It was also created to disprove the idea that Macs cannot get viruses. Inqtana was created entirely to be a proof-of-concept worm, but the creator acknowledges that the worm could have been written by someone with malicious intent and spread silently.
Other Facts
Sophos Antivirus accidentally detected legitimate Microsft Office files on Mac OSX as the variant Inqtana.B, even though that worm had never been detected in the wild. When the Sophos Antivirus program "cleaned" these files, Microsoft Office would no longer work on these systems. Some US universities were affected.
Sources
InqTana Through the eyes of Dr. Frankenstein
Peter Cohen. Macworld, "Second OS X malware emerges, but risk is low". 2006.02.17
Candid Wueest. Symantec.com, "OSX.Inqtana.A"
Robert Lemos. Security Focus, Spreading security awareness for OS X. 2006.02.27
-.-, Triple threat to Mac OS X largely academic. 2006-02-24
Jarno Niemelä, Gergely Erdélyi. F-Secure Antivirus, F-Secure Worm Information Pages : Inqtana.A
-, -. -, F-Secure Worm Information Pages : Inqtana.B
-, -. -, F-Secure Worm Information Pages : Inqtana.C
John Leyden. The Register, "MacOS X Malware Latches onto Bluetooth Vulnerability". 2006.02.17
-.-, Sophos in Mac OS X worm false alarm. 2006.02.23
McAfee Antivirus, OSX/Inqtana.a