OSX From Mass Exploitation to Targeted Attacks

Presentation transcript (SlideShare upload, Microsoft PowerPoint; CC Attribution-NoDerivs License)

  • From OS X Mass Exploitation to OS X Targeted Attacks
    A New Season of Apple Malware Incidents Plucking Vulnerable Systems and Users
    Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team
  • Apple’s Mac OS X - Ripe for Infiltration
    Whoa. What happened?
    • Flashfake and Mac OS X Mass Exploitation
      • Large botnet running on infected Mac OS X systems
      • Mac OS X, Java vulnerable code base and installs
      • Compromised sites, trickery, Oracle Java exploitation and C2
      • Flashfake trojan and relatives
    • What Next?
      • What history tells us – rebuilding a better botnet
      • Apple’s technology and role
      • Mac OS X Security Best Practices
    • Taking it a Step Further: The APT and Mac OS X Targeted Attacks
      • Spearphishing and Client-Side Remote Code Execution
      • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser
  • Flashfake and Mac OS X Mass Exploitation
    Size and Trending Numbers
    • Large 700,000+ node botnet running on Mac OS X systems
      (Chart: unique bots over time reporting to sinkholed domains)
    • Mac OS X – Snow Leopard and Lion
    • Java + Browser Plugins – delivered/updated by Apple, not Oracle
      • CVE-2008-5353, CVE-2011-3544, trickery
      (Chart: OS X + vulnerable Java installs visiting removal tool download site)
  • Flashfake and Mac OS X Mass Exploitation
    Massive spread
    • Compromised sites, trickery, Oracle Java exploitation and C2
    • Flashfake trojan and relatives
      • Search engine traffic hijacker and ad revenues
      • Comparison to Palevo functionality
      • Hooking functionality and redirecting interesting traffic
    (Image credit: sketchoo, http://sketchoo.deviantart.com/)
  • Where are we now?
    Current botnet operation and cleanup efforts
    • Flashback sinkhole operations
    • Early reversing of domain generation algorithm yielded results
    • Botnet is virtually dead – no exe delivered, global C2 takedown effort in motion, no new exploit distribution sites
    (Chart: unique bots currently checking in over time – cleanup is working and significant with DGA botnets)
  • What Next?
    Expectations for Flashback gang, Apple, and securing your Mac OS X system
    • What history tells us – rebuilding a better botnet
      • Storm/Waledac/Hlux
    • Apple’s technology and role
      • Gatekeeper, Java updates
    • Mac OS X Security Best Practices
      • 10 Simple Tips: http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac
  • Apple’s Mac OS X and Currently Active Targeted Attacks
    A Shiny New Target
    • Spearphishing and Client-Side Remote Code Execution
      • Exploit.MSWord.CVE-2009-0563.a vs Exploit.Java.CVE-2012-0507
      • Mac users can’t hide behind Apple technologies
    • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser
      • Our Goat was harvested! Document theft, network pivots
    • Mac OS X Security Best Practices
      • 10 Simple Tips: http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac
  • Thank You
    Questions about content, and suggestions for Securelist?
    Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team
    kurt.baumgartner@kaspersky.com