F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Contact Us

F-Secure Worm Information Pages : Inqtana.A

[Summary] | [Disinfection] | [Detailed Description] | [Detection]

Name:Inqtana.A
Category:Worm
Platform:OSX

Summary

OSX/Inqtana.A is a Java based proof of concept bluetooth worm that affects OSX 10.4 (Tiger) systems that have not been patched against vulnerability CAN-2005-1333

Inqtana.A has not been met in the wild and has internal counter that prevents it's operation after 24. February 2006. So it is unlikely that this variant would be a threat to Mac Users.

Inqtana.A arrives to victim system as OBEX Push request, requiring user to accept the data transfer. When the transfer is done Inqtana.A uses directory traversal exploit to copy it's files so that it starts automatically on next reboot.

On reboot the Inqtana.A will activate and look for devices that accept OBEX Push transfers and try to send itself to those devices.

OSX/Inqtana.A affects only Mac OSX 10.4, if you use 10.4 make sure that you have installed latest OS updates from Apple

Disinfection

  1. Patch your system by getting updates from Apple
  2. Delete following files
    • /Users/w0rm-support.tgz
    • /Users/InqTest.class
    • /Users/com.openbundle.plist
    • /Users/com.pwned.plist
    • /Users/libavetanaBT.jnilib
    • /Users/javax
    • /Users/de
    • /Users/[user name]/Library/LaunchAgents/com.pwned.plist
    • /Users/[user name]/Library/LaunchAgents/com.openbundle.plist


Back to the Top


Detailed Description

Bluetooth replication
When Inqtana.A replicates over bluetooth it tries to send three files to any device it finds over bluetooth that supports OBEX push

  • w0rm-support.tgz which contains the worm components
  • com.openbundle.plist and com.pwned.plist are needed for worm start in reboot
The files are pushed with three separate OBEX Push requests which user has to accept, if user accepts the push requests the files copied to special locations using CAN-2005-1333 directory traversal exploit

Startup
The files com.openbundle.plist and com.pwned.plist are dropped into location from where they are called during system startup. The openbundle.plist will unpack the worm components and com.pwned.plist executes the worm main binary.


Back to the Top


Detection

Inqtana.A is detected with the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version = 2006-02-17_02


Back to the Top


Write-up: Jarno Niemelä

Technical Details: Gergely Erdélyi

Description Updated: Jarno Niemelä, February 22, 2006

F-Secure Corporation