Troy under siege: update 22 March 2015

Following the previous articles here and here, Patrick Wardle has very kindly got back to me, and I have made corrections to them accordingly: the significant news is that none of the anti-virus products which he tried detected his bypassing of Gatekeeper. However, expect that to change as their developers catch up with this new mode of attack.

If you downloaded an earlier version of his utility DHS (dylib Hijack Scanner), then you should update to version 1.0.3 or later, available now from here, as this fixes some earlier bugs.

Patrick Wardle's DHS version 1.0.3 found rich pickings here.

Running it here on a rich Yosemite installation, it picked up what it thought were a couple of hijacks in Microsoft Messenger 8.0.1, which I am sure are not actually dylib hijacks. Patrick is looking into those. However, the list of vulnerable apps is very long, and includes:

  • Adobe Dreamweaver CS6
  • Adobe Flash CS6
  • Aperture
  • Bento
  • blender
  • Compressor
  • Deliveries
  • DVDRemaster
  • Final Cut Pro
  • iBooks Author
  • iMovie
  • Inventor Fusion
  • iPhoto
  • JES_Deinterlacer
  • LivescribeDesktop
  • Microsoft Office – almost everything in the new beta of 2015, and 2011
  • Motion
  • Poser Pro 2014
  • Property List Editor
  • Xcode
  • FileMerge
  • OpenGL ES Performance Detective
  • Spin Control
  • Java JDK 1.6.0.

You can see now why this is potentially so serious. Attackers are not stuck for choice of apps with which to perform dylib hijacking.

So the best advice remains only to download and install apps, updates, plugins, and any other executable code from secure connections, and to be extremely cautious about anything that you do download. Don’t just think twice – think at least another time too.

Patrick has identified Disk Image files as a likely means of attack, as once mounted they can install bogus dylibs which complete the hijack. Unfortunately, looking inside a Disk Image is not always the easiest of tasks. To make that a bit simpler, I have put together a little Automator app which looks for dylibs and frameworks inside an app or other location on a Disk Image. This is available from here: CheckDMGfolder. It comes with a little readme file explaining how to use it. Feel free to modify it to your own requirements, and please post comments etc. to this article.
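For those who prefer a script to an Automator app, here is an added example (my own sketch, not the CheckDMGfolder app or anything of Patrick's) that performs the same inspection from a POSIX shell: given the mount point of a Disk Image, it lists every dylib and framework bundle inside it, and on macOS reports whether each one carries a valid code signature. The `scan_dmg` function, which mounts the image read-only with hdiutil, assumes a macOS system and is the only part that will not run elsewhere.

```shell
#!/bin/sh
# Added example: inspect a mounted Disk Image (or any folder) for the
# dylibs and frameworks that a dylib hijack would need to plant.

# scan_for_dylibs DIR
# Prints every .dylib file and .framework bundle under DIR, one per line.
# Frameworks are directories, so we print them and stop descending.
scan_for_dylibs() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -type d -name '*.framework' -prune -print \) -o \
                \( -type f -name '*.dylib' -print \) | sort
}

# count_dylibs DIR
# Number of dylibs and frameworks found (0 when the image is clean).
count_dylibs() {
    scan_for_dylibs "$1" | wc -l | tr -d ' '
}

# check_signatures DIR
# On macOS, verify each item with codesign; elsewhere, skip quietly.
check_signatures() {
    command -v codesign >/dev/null 2>&1 || {
        echo "codesign not available; skipping signature check" >&2
        return 0
    }
    scan_for_dylibs "$1" | while IFS= read -r item; do
        if codesign --verify "$item" >/dev/null 2>&1; then
            echo "signed:            $item"
        else
            echo "UNSIGNED/invalid:  $item"
        fi
    done
}

# scan_dmg IMAGE.dmg  (macOS only)
# Mount the image read-only, without opening it in the Finder, scan it,
# then detach it again.
scan_dmg() {
    mnt=$(mktemp -d)
    hdiutil attach -readonly -nobrowse -mountpoint "$mnt" "$1" >/dev/null || return 1
    echo "found $(count_dylibs "$mnt") dylib(s)/framework(s) in $1"
    check_signatures "$mnt"
    hdiutil detach "$mnt" >/dev/null
}

# Typical use on a downloaded image:  scan_dmg ~/Downloads/SomeApp.dmg
```

Anything reported as unsigned or invalid in an app's Contents folder deserves a closer look before the app is ever launched.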