By Robert Vamosi
July 19, 2007
A soap opera is playing out on the mailing lists of several security
newsgroups this morning, complete with people hiding behind pseudonyms,
people "outing" one another and rumors of death threats against the
major players. At stake? A possible worm for Apple's Mac OS X operating
Over the weekend, someone using the name Infosec Sellout posted on the
BugTraq mailing list news of a worm exploiting a vulnerability in
mDNSResponder, a component of Apple's Bonjour automatic network service.
Apple patched the mDNSResponder vulnerability in May, but the author
claims there remains an unpatched vulnerability. The author also claims
to have a proof-of-concept worm ready to go, named Rape.osx, but says he
won't release the worm. In a security vendor blog, McAfee quotes the
author as saying he was compensated for this work.
As news of the posting and possible worm spread, skepticism grew. The
author suffered harsh criticism from security colleagues for hiding
behind a pseudonym, and for not providing any proof of the worm. The
author also reportedly received death threats in reader posts to his
blog site. In response, Infosec Sellout says in a blog post that he
removed all prior postings on his blog site. Is that true? Last night
someone else claiming to be Infosec Sellout claims the site in question,
called Security Information, is not the real Infosec Sellout blog site,
but a hijacked site, hence the lack of prior posts.
The story gets weirder. One of the names thought to be behind the hijack
of Infosec Sellout is David Maynor of Errata Security, who might be
using the name "LMH." Last summer, during BlackHat USA, security
researchers David Maynor and Johnny Cache disclosed a wireless
vulnerability using an Apple Computer MacBook. The team found that
malformed network traffic could allow the laptop to be compromised, and
they provided a video of the attack. The researchers did use a
third-party wireless card for their video demonstration, but said
repeatedly that the Apple Airport wireless driver was also vulnerable.
Two months after BlackHat, Apple quietly released a patch for a
vulnerability that, if exploited, could have compromised the Airport
wireless drivers in MacBooks.
This morning in a post on the Fuzzing mailing list, someone calling
himself David Maynor responded. In a post called "The Truth," the author
using the name LMH says he is David Maynor and then proceeds to confess
that after last summer he needed to hide behind the name "LMH" to get
the word out about new vulnerabilities. Yet if you go over to the Errata
Security blog site, the real David Maynor says the Fuzzing mailing list
post is a sham, and cites several factual errors. We took the text and
put it through Hacker Factor Solutions' Gender Guesser and it appears a
male did indeed write the Fuzzing plot. But based on the words chosen
and sentence length, the tool also suggests it was a male European who
wrote it. David Maynor has been based near Atlanta, Ga., for years.
Remember, all of this intrigue concerns a proof-of-concept worm that no
one has seen that supposedly affects a patched vulnerability in
mDNSResponder on Apple OS X.
Stay tuned for more weirdness.