Inqtana
Type: Network worm
Creator: Kevin Finisterre
Date Discovered: 2006.02.17
Place of Origin: Columbus, Ohio, USA
Source Language: Java
Platform: Mac OS X
File Type(s): .tgz
Infection Length: 186,222 bytes

Inqtana was the second worm for Mac OS X. The worm propagates through a vulnerability in unpatched Mac OS X systems. The worm is not in the wild, having been created by a man who was concerned about Macintosh security. It appeared very shortly after another worm for OS X, Oompa, also known as Leap.

Behavior

Inqtana arrives on a computer as three OBEX Push requests. If the user accepts these requests, the worm creates three files. The file w0rm-support.tgz contains the main worm components. The other two, com.openbundle.plist and com.pwned.plist, contain code that allows the worm to execute when the system starts and are copied to the user's launch agent directory.
The worm exploits a directory traversal vulnerability in Bluetooth for Mac OS X to create the files InqTest.class, libavetanaBT.jnilib, javax and de in the /Users folder.

When the computer is restarted, the worm searches for enabled Bluetooth devices. When it finds one, it sends an OBEX Push request in an attempt to copy itself to the other computer.

The worm will not work after 2006.02.24. In addition, it uses a demo version of the Avetana Bluetooth Java library, further hobbling its ability to spread.
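The directory traversal described above turns an untrusted OBEX Push file name into a write outside the Bluetooth inbox. The following added example (not code from this page or from the worm's author) shows the containment check an OBEX receiver should apply to the sender-supplied name, and flags the component names this page lists; the inbox path, the function names and the Name-header handling are assumptions.

```python
import os

# File names this page associates with Inqtana and its variants.
INQTANA_NAMES = {
    "w0rm-support.tgz", "com.openbundle.plist", "com.pwned.plist",
    "InqTest.class", "libavetanaBT.jnilib",
    "w0rms.love.apples.tgz", "applec0re.tgz", "InqTanaHandler",
}


def resolve_obex_destination(inbox_dir, remote_name):
    """Return the absolute path where an incoming OBEX Push object may be
    written, or None if the sender-supplied name would escape inbox_dir.

    remote_name is the untrusted Name header of the OBEX PUT request
    (hypothetical receiver; the real OS X Bluetooth stack is not modelled).
    """
    inbox = os.path.realpath(inbox_dir)
    # Reject empty names, embedded NULs and absolute paths outright.
    if not remote_name or "\x00" in remote_name or remote_name.startswith("/"):
        return None
    # Join, then resolve ".." segments and symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(inbox, remote_name))
    # The result must be strictly inside the inbox, not the inbox itself.
    if candidate == inbox or os.path.commonpath([inbox, candidate]) != inbox:
        return None
    return candidate


def classify_push(inbox_dir, remote_name):
    """Decide what to do with one OBEX Push object: reject traversal,
    flag names seen in Inqtana, otherwise accept it into the inbox."""
    dest = resolve_obex_destination(inbox_dir, remote_name)
    if dest is None:
        return "rejected: path escapes inbox"
    if os.path.basename(dest) in INQTANA_NAMES:
        return "flagged: file name used by Inqtana"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample requests, including a traversal aimed at the
    # launch agent directory the page says the plists are copied to.
    inbox = "/Users/demo/Library/Bluetooth/Inbox"   # assumed inbox location
    for name in ("photo.jpg",
                 "w0rm-support.tgz",
                 "../../LaunchAgents/com.pwned.plist"):
        print(f"{name!r}: {classify_push(inbox, name)}")
```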

Variants

The original Inqtana has two variants, both created by Kevin Finisterre. They are also proof-of-concept viruses that are unlikely to be seen outside of virus/worm labs.

Inqtana.B

In this variant, the file containing the main part of the worm is named w0rms.love.apples.tgz. The startup routine has been modified so that it can affect OS X versions 10.4 and 10.3, where the original could only affect 10.4. This version places files under the Input Managers directory. The files are (including their directories under Input Managers):

*/InqTanaHandler/InqTanaHandler.bundle/aa
*/InqTanaHandler/InqTanaHandler.bundle/Contents/Info.plist
*/InqTanaHandler/InqTanaHandler.bundle/Contents/MacOS/InqTanaHandler

Inqtana.C

This version uses the name applec0re.tgz as its main body's file name. It is designed to start when any application is started.

Creator

The creator of the worm, Kevin Finisterre, says he created the worm to raise awareness of security on Apple computers. It was also created to disprove the idea that Macs cannot get viruses. Inqtana was created entirely as a proof-of-concept worm, but the creator acknowledges that the worm could have been written by someone with malicious intent and spread silently.

Other Facts

Sophos Antivirus accidentally detected legitimate Microsoft Office files on Mac OS X as the variant Inqtana.B, even though that worm had never been detected in the wild. When the Sophos Antivirus program "cleaned" these files, Microsoft Office would no longer work on these systems. Some US universities were affected.

Sources

"InqTana Through the eyes of Dr. Frankenstein"

Peter Cohen. Macworld, "Second OS X malware emerges, but risk is low". 2006.02.17

Candid Wueest. Symantec.com, "OSX.Inqtana.A"

Robert Lemos. Security Focus, "Spreading security awareness for OS X". 2006.02.27

Robert Lemos. Security Focus, "Triple threat to Mac OS X largely academic". 2006.02.24

Jarno Niemelä, Gergely Erdélyi. F-Secure Antivirus, "F-Secure Worm Information Pages: Inqtana.A"

Jarno Niemelä, Gergely Erdélyi. F-Secure Antivirus, "F-Secure Worm Information Pages: Inqtana.B"

Jarno Niemelä, Gergely Erdélyi. F-Secure Antivirus, "F-Secure Worm Information Pages: Inqtana.C"

John Leyden. The Register, "MacOS X Malware Latches onto Bluetooth Vulnerability". 2006.02.17

John Leyden. The Register, "Sophos in Mac OS X worm false alarm". 2006.02.23

McAfee Antivirus, "OSX/Inqtana.a"
