OSX From Mass Exploitation to Targeted Attacks
Transcript of "OSX From Mass Exploitation to Targeted Attacks"

  1. From OS X Mass Exploitation to OS X Targeted Attacks
     A New Season of Apple Malware Incidents Plucking Vulnerable Systems and Users
     Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team

  2. Apple’s Mac OS X - Ripe for Infiltration
     Whoa. What happened?
     • Flashfake and Mac OS X Mass Exploitation
       • Large botnet running on infected Mac OS X systems
       • Mac OS X, Java vulnerable code base and installs
       • Compromised sites, trickery, Oracle Java exploitation and C2
       • Flashfake trojan and relatives
     • What Next?
       • What history tells us – rebuilding a better botnet
       • Apple’s technology and role
       • Mac OS X Security Best Practices
     • Taking it a Step Further: The APT and Mac OS X Targeted Attacks
       • Spearphishing and Client-Side Remote Code Execution
       • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser

  3. Flashfake and Mac OS X Mass Exploitation
     Size and Trending Numbers
     • Large 700,000+ node botnet running on Mac OS X systems
       (chart: unique bots over time reporting to sinkholed domains)
     • Mac OS X – Snow Leopard and Lion
     • Java + Browser Plugins – delivered/updated by Apple, not Oracle
       • CVE-2008-5353, CVE-2011-3544, trickery
       (chart: OS X + vulnerable Java installs visiting the removal tool download site)

  4. Flashfake and Mac OS X Mass Exploitation
     Massive spread
     • Compromised sites, trickery, Oracle Java exploitation and C2
     • Flashfake trojan and relatives
       • Search engine traffic hijacker and ad revenues
       • Comparison to Palevo functionality
       • Hooking functionality and redirecting interesting traffic
     (image credit: sketchoo, http://sketchoo.deviantart.com/)

  5. Where are we now?
     Current botnet operation and cleanup efforts
     • Flashback sinkhole operations
       • Early reversing of the domain generation algorithm yielded results
       • Botnet is virtually dead – no exe delivered, global C2 takedown effort in motion, no new exploit distribution sites
     (chart: unique bots currently checking in over time – cleanup is working and significant with DGA botnets)

  6. What Next?
     Expectations for the Flashback gang, Apple, and securing your Mac OS X system
     • What history tells us – rebuilding a better botnet
       • Storm/Waledac/Hlux
     • Apple’s technology and role
       • Gatekeeper, Java updates
     • Mac OS X Security Best Practices
       • 10 Simple Tips: http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac

  7. Apple’s Mac OS X and Currently Active Targeted Attacks
     A Shiny New Target
     • Spearphishing and Client-Side Remote Code Execution
       • Exploit.MSWord.CVE-2009-0563.a vs Exploit.Java.CVE-2012-0507
       • Mac users can’t hide behind Apple technologies
     • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser
       • Our goat was harvested! Document theft, network pivots
     • Mac OS X Security Best Practices
       • 10 Simple Tips: http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac

  8. Thank You
     Questions about content, and suggestions for Securelist?
     Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team
     kurt.baumgartner@kaspersky.com
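Slide 5 measures the cleanup by the number of unique bots still checking in to the sinkholed domains each day. The script below is an added example of how a sinkhole operator produces that trend line; it is not code from the talk or from Kaspersky. The log lines are constructed (Apache combined-log style, with a `bot=<hex>` query parameter standing in for whatever per-bot identifier the real malware sends), so the identifier field, the `/check` path and the counts are assumptions, not Flashback protocol details.

```python
"""Unique-bots-per-day trend from sinkhole web logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. The "bot=<hex>" token is an assumed per-bot ID;
# the real check-in format is not shown on the slides. One bot (aa11) keeps
# checking in from the same IP; the others disappear as machines get cleaned.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2012:08:01:22 +0000] "GET /check?bot=aa11 HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7)"
198.51.100.7 - - [10/Apr/2012:08:03:10 +0000] "GET /check?bot=bb22 HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6)"
203.0.113.10 - - [10/Apr/2012:20:15:00 +0000] "GET /check?bot=aa11 HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7)"
192.0.2.44 - - [10/Apr/2012:21:40:05 +0000] "GET /check?bot=cc33 HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7)"
203.0.113.10 - - [11/Apr/2012:08:02:01 +0000] "GET /check?bot=aa11 HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7)"
192.0.2.44 - - [11/Apr/2012:09:11:45 +0000] "GET /check?bot=cc33 HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7)"
192.0.2.99 - - [11/Apr/2012:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; crawler)"
203.0.113.10 - - [12/Apr/2012:08:00:59 +0000] "GET /check?bot=aa11 HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7)"
"""

# Combined-log prefix: client IP, day portion of the timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed bot identifier carried in the query string.
BOT_RE = re.compile(r'[?&]bot=([0-9a-f]+)')


def parse_checkins(log_text):
    """Yield (day, bot_id, ip) for every line that looks like a bot check-in.

    Lines without the identifier (crawlers, scanners, curious researchers
    hitting the sinkhole) are skipped so they do not inflate the count.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        b = BOT_RE.search(m.group('path'))
        if not b:
            continue
        yield m.group('day'), b.group(1), m.group('ip')


def unique_bots_per_day(log_text):
    """Map each day to the number of distinct bot IDs that checked in.

    Counting IDs rather than source IPs matters: NAT hides many infected
    machines behind one address, and DHCP makes one machine look like many.
    """
    seen = defaultdict(set)
    for day, bot_id, _ip in parse_checkins(log_text):
        seen[day].add(bot_id)
    return {day: len(ids) for day, ids in seen.items()}


def _day_key(day):
    return datetime.strptime(day, "%d/%b/%Y")


def cleanup_trend(counts):
    """Return [(day, unique_bots, pct_change_vs_previous_day)] in date order.

    The first day has no previous value, so its change is None.
    """
    out = []
    prev = None
    for day in sorted(counts, key=_day_key):
        n = counts[day]
        pct = None if prev in (None, 0) else round(100.0 * (n - prev) / prev, 1)
        out.append((day, n, pct))
        prev = n
    return out


if __name__ == "__main__":
    for day, n, pct in cleanup_trend(unique_bots_per_day(SAMPLE_LOG)):
        change = "" if pct is None else f" ({pct:+.1f}%)"
        print(f"{day}: {n} unique bots{change}")
```

On the constructed log this reports 3, 2 and 1 unique bots over the three days, with the crawler line correctly ignored; on a real sinkhole the same per-day series is the curve the slide shows, and a day on which the count stops falling is the signal that cleanup (or a new infection vector) deserves a look.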