Inqtana.A – The OS X Bluetooth Worm

Times are getting interesting for OS X users out there. First we had news of Leap.A, the OS X virus that’s currently doing the rounds, and now we have Inqtana.A, a proof-of-concept Bluetooth worm for OS X 10.4 (Tiger).

Inqtana.A has not yet been seen in the wild, but it is recommended that you install the latest security patches from Apple just to make sure that you’re covered in case this turns into more than just a proof-of-concept. Inqtana.A uses a Bluetooth library that expires on the 24th February, so it is unlikely that the worm will be seen in the wild in its current form, but the PoC is there now, and this leaves openings for someone to make use of it.

The CVE number for this worm is CVE-2005-1333.

Inqtana.A arrives on a victim’s system as an OBEX Push request, and the user is prompted to accept the data transfer. If the user accepts, Inqtana.A uses a directory traversal exploit to copy its files to locations from which it starts up automatically upon the next reboot. Once the system has been rebooted and Inqtana.A has been activated, it looks for any devices that accept OBEX Push requests and tries to copy itself to those devices in the same manner.

Inqtana.A tries to copy 3 files via Bluetooth in order to replicate. The files are:
- w0rm-support.tgz – The worm components
- com.openbundle.plist – Needed for automatic startup after reboot
- com.pwned.plist – Needed for automatic startup after reboot

To remove the worm from your system:
- Apply the latest security patches from Apple
- Remove the following files from your system:
– /Users/w0rm-support.tgz
– /Users/InqTest.class
– /Users/com.openbundle.plist
– /Users/com.pwned.plist
– /Users/libavetanaBT.jnilib
– /Users/javax
– /Users/de
– /Users/[user name]/Library/LaunchAgents/com.pwned.plist
– /Users/[user name]/Library/LaunchAgents/com.openbundle.plist
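
To check a machine (or a mounted disk image) for the files in the list above before removing anything, the following added example reports which of them are present. It is not from the original post or from F-Secure; the function name `find_inqtana_artifacts` and its optional ROOT argument are assumptions made for illustration, and the script only reports, it does not delete.

```shell
#!/bin/sh
# Added example: report Inqtana.A artifacts named in the removal list above.
# Usage: find_inqtana_artifacts [ROOT]
# ROOT defaults to /; another value scans a mounted image or a test tree.
find_inqtana_artifacts() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    found=0

    # Files and directories the worm drops directly under /Users.
    for name in w0rm-support.tgz InqTest.class com.openbundle.plist \
                com.pwned.plist libavetanaBT.jnilib javax de; do
        path="$root/Users/$name"
        if [ -e "$path" ] || [ -L "$path" ]; then
            echo "FOUND $path"
            found=$((found + 1))
        fi
    done

    # Per-user LaunchAgents entries that start the worm after a reboot.
    # This expands the "[user name]" placeholder to every home directory.
    for home in "$root"/Users/*/; do
        [ -d "$home" ] || continue
        for plist in com.pwned.plist com.openbundle.plist; do
            path="${home}Library/LaunchAgents/$plist"
            if [ -e "$path" ] || [ -L "$path" ]; then
                echo "FOUND $path"
                found=$((found + 1))
            fi
        done
    done

    echo "TOTAL $found"
    [ "$found" -eq 0 ]        # status 0: clean, status 1: artifacts present
}
```

The function returns a non-zero status when anything is found, so it can be used in a login or management script to flag affected machines.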

Thanks once again to the guys at F-Secure for all the info on this one.

It really seems like things are hotting up on the OS X front these days, which could be a good thing. Apple has always been somewhat quiet on security patches and exactly what they fix, so maybe this will cause them to give a bit more disclosure on the subject. OS X has a reputation for being secure, and it’s one of Apple’s marketing messages, so to keep that reputation Apple are really going to have a lot of work to do on the security front if things start kicking off.