Ricardo L0gan, profile picture
Uploaded byRicardo L0gan
PPTX, PDF2,001 views

Andsec Reversing on Mach-o File

The document presents a talk by Ricardo Logan at the AndSec security conference focused on the Mach-O file format used in macOS, detailing malware analysis and reverse engineering techniques. It includes discussions on various tools for static and dynamic analysis, as well as practical demonstrations involving a crackme and the Keranger ransomware. Logan emphasizes the importance of open source and community contributions in the field of security research.

Embed presentation

Downloaded 17 times
Andsec Security Conference 4th Editon R3MF – R3v3rs1ng on Mach-O File
Ricardo L0gan Security Specialist with over 15 years of experience, malware research enthusiastic, pentest and reverse engineering. I’ve a solid knowledge on topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages as Python, C and Assembly. At the Brazil, I contribute with some security conferences organizations such as SlackShow Community, bSides SP and Hackers to Hackers Conference (H2HC). Member # RTFM 💀 C○||cL/V€ # ### Long live Open Source - Use Linux (Slackware) ### $Whoami
0x00 Motivation of Research 0x01 The Mach-O Format 0x02 Demo I (crackme) 0x03 Tricks for Reversing 0x04 Demo II (malware) 0x05 Conclusions / Q & (MAYBE 0/) A Agenda
0x00 Motivation Of Research For Fun ;) 0/ - malware - crackmes
0x00 Motivation Of Research
0x00 Motivation Of Research .OSA --> ZIP:  PremierOpinion  upgrade.xml Mac.BackDoor.OpinionSpy.3 Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend) OSX_KAITEN.A Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure), OSX_CARETO.A Names: MacOS:Appetite-A [Trj] (Avast) OSX/BackDoor.A (AVG) Trojan.OSX.Melgato.a (Kaspersky) OSX/Backdoor-BRE (McAfee) Backdoor:MacOS_X/Appetite.A (Microsoft) OSX/Appetite-A (Sophos) Binary: /tmp/.z itunes212.{BLOCKED}pdt.com
0x01 The Mach-o Format The mach-o is a Universal (fat) binaries (for i386 x86_64 ppc ppc64 armv6 armv7), this format was adopted as the standard in OS X from version 10.6 on. We are currently in version 10.11.5 (El Capitan).
Binary (Linux) Binary (Windows) Binary (OS X) 0x01 The Mach-o Format
0x01 The Mach-o Format Magic Number: File Signatures
0x01 The Mach-o Format
0x01 The Mach-o Format Structs on File: - Code is located in __TEXT section. - Linked libraries in LC_LOAD_DYLIB commands. - The entrypoint is defined at LC_UNIXTHREAD or LC_THREAD.
0x01 The Mach-o Format HEADER
LOAD_COMMANDS 0x01 The Mach-o Format
SECTIONS 0x01 The Mach-o Format
0x01 The Mach-o Format
0x01 The Mach-o Format
0x01 The Mach-o Format
0x01 The Mach-o Format
0x01 The Mach-o Format
0x02 Demo I Demo 01 Crackme Binary: cryptorev Level: easy Detail: cryptorev is a binary mach-o the goal is run binary and found the flag. This demo don’t have protection in your code just UPX (packer) and DEADBEEF in file ;)
0x03 Tricks for Reversing When talking about malwares we have a lot of techniques to make it difficult to analyze (reversing the sample) like: - Anti-Disassembly - Anti-Debugging - Obfuscation - Anti-Vm
0x03 Tricks for Reversing When an app is launched, the OS X kernel loads the app’s code and data into the address space of a new process. The kernel also loads the dynamic loader ( /usr/lib/dyld ) into the process and passes control to it. Source: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/DynamicLibraries/100- Articles/OverviewOfDynamicLibraries.html#//apple_ref/doc/uid/TP40001873-SW1
0x03 Tricks for Reversing
Static Analysis file -> determine file type upx / binwalk -> compress or expand executable files strings -> find the printable strings in a object, or other binary, file strip -> remove symbols hexEdit -> hex editor Lipo -> create or operate on universal files otool -> object file displaying tool like a objdump and ldd nm -> display name list (symbol table) codesign -> create and manipulate code signatures machOView -> visual Mach-O file browser class-dump -> utility for examining the Objective-C runtime information stored in Mach-O files. dtrace -> generic front-end to the DTrace facility fs_usage -> report system calls and page faults related to filesystem activity in real-time xattr -> display and manipulate extended attributes 0x03 Tricks for Reversing
0x03 Tricks for Reversing Dynamic Analysis Xcode -> xcode is an (IDE) containing a suite of software development. iDA Pro -> disassembler and debugger. hopper -> tool used for disassemble, and decompile your 32/64bits mach-o file. lldb -> debugger fseventer -> disk activity tool with a good graphical representation and solid filter tool. open snoop -> snoop file opens as they occur. Uses DTrace. activity Monitor -> tool to help you keep your system in good shape. procoxp -> It's a simple tool like a top get information accessible by proc_info tcpdump -> for dump and analisys traffic on a network wireshark -> for dump and analisys traffic on a network lsock -> based on PF_SYSTEM provider, you can get real time notifications of socket activity like TCPView from SysInternals. little Snitch -> network traffic monitoring and control.
On March 2016 appear the first Ransoware writing for mach-o file on OSX System (KeRanger), Distributed by client BitTorrent Transmission (v.2.90) This threat has been fixed in version v.2.91 the client. The latest version Gatekeeper OSX already block this ransoware since the first sample published 0/!!! 0x04 Demo II Demo 02 Ransoware Keranger
Hacking is a way of life Reference REVERSE Engineering Mac Malware - Defcon 22 https://www.defcon.org/images/defcon-22/dc-22- presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse- Engineering-Mac-Malware.pdf OS X ABI Mach-O File Format Reference https://developer.apple.com/library/mac/documentation/DeveloperT ools/Conceptual/MachORuntime/index.html Calling Convention http://www.agner.org/optimize/calling_conventions.pdf Thanks for my wife and brothers (C00ler, Slayer, Ygor Rogy, RTFM Team)
0x05 Conclusions Question &(MAYBE ;) 0/)Answer Contact: ricardologanbr@gmail.com @l0ganbr Download Presentation on: http://pt.slideshare.net/l0ganbr

More Related Content

PDF
Windows 10 Nt Heap Exploitation (English version)
byAngel Boy
 
PDF
Pwning in c++ (basic)
byAngel Boy
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PDF
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
PPT
PHP - Introduction to PHP AJAX
byVibrant Technologies & Computers
 
PDF
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
PPT
JavaScript & Dom Manipulation
byMohammed Arif
 
Windows 10 Nt Heap Exploitation (English version)
byAngel Boy
 
Pwning in c++ (basic)
byAngel Boy
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
PHP - Introduction to PHP AJAX
byVibrant Technologies & Computers
 
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
JavaScript & Dom Manipulation
byMohammed Arif
 

What's hot

PDF
Docker praktyczne podstawy
bySages
 
PDF
jQuery for beginners
byArulmurugan Rajaraman
 
PDF
26.1.7 lab snort and firewall rules
byFreddy Buenaño
 
ODP
History of JavaScript
byRajat Saxena
 
PDF
MindMap - Forensics Windows Registry Cheat Sheet
byJuan F. Padilla
 
PPT
Javascript
byguest03a6e6
 
PDF
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
PPT
Rust Programming Language
byJaeju Kim
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
JavaScript - Chapter 14 - Form Handling
byWebStackAcademy
 
PDF
MeetBSD2014 Performance Analysis
byBrendan Gregg
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PPTX
Selenium Locators
bySatyam Pandey
 
PDF
Pentest with Metasploit
byM.Syarifudin, ST, OSCP, OSWP
 
PDF
The Rust Programming Language: an Overview
byRoberto Casadei
 
PDF
Oracle APEX Cheat Sheet
byDimitri Gielis
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
9: OllyDbg
bySam Bowne
 
PPSX
Javascript variables and datatypes
byVarun C M
 
Docker praktyczne podstawy
bySages
 
jQuery for beginners
byArulmurugan Rajaraman
 
26.1.7 lab snort and firewall rules
byFreddy Buenaño
 
History of JavaScript
byRajat Saxena
 
MindMap - Forensics Windows Registry Cheat Sheet
byJuan F. Padilla
 
Javascript
byguest03a6e6
 
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
Rust Programming Language
byJaeju Kim
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
Waf bypassing Techniques
byAvinash Thapa
 
JavaScript - Chapter 14 - Form Handling
byWebStackAcademy
 
MeetBSD2014 Performance Analysis
byBrendan Gregg
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
Selenium Locators
bySatyam Pandey
 
Pentest with Metasploit
byM.Syarifudin, ST, OSCP, OSWP
 
The Rust Programming Language: an Overview
byRoberto Casadei
 
Oracle APEX Cheat Sheet
byDimitri Gielis
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
9: OllyDbg
bySam Bowne
 
Javascript variables and datatypes
byVarun C M
 

Viewers also liked

PPTX
Roadsec 2016 Mach-o A New Threat
byRicardo L0gan
 
PPTX
Why does InfoSec play bass?
byAdrian Sanabria
 
PPTX
Jedi Mind Tricks for Git
byJan Krag
 
PPTX
2014 roadsec-slides-palestra
byAlberto Oliveira
 
PDF
Reverse Engineering iOS apps
byMax Bazaliy
 
PPTX
Aula 1 - Introdução a Segurança da Informação
byCarlos Henrique Martins da Silva
 
PDF
Seguranca da Informação - Conceitos
byLuiz Arthur
 
PPT
Segurança da Informação
byMarco Mendes
 
Roadsec 2016 Mach-o A New Threat
byRicardo L0gan
 
Why does InfoSec play bass?
byAdrian Sanabria
 
Jedi Mind Tricks for Git
byJan Krag
 
2014 roadsec-slides-palestra
byAlberto Oliveira
 
Reverse Engineering iOS apps
byMax Bazaliy
 
Aula 1 - Introdução a Segurança da Informação
byCarlos Henrique Martins da Silva
 
Seguranca da Informação - Conceitos
byLuiz Arthur
 
Segurança da Informação
byMarco Mendes
 

Similar to Andsec Reversing on Mach-o File

PPTX
H2HC - R3MF
byRicardo L0gan
 
PPTX
Bsides SP 2015 - Mach-O - A New Threat
byRicardo L0gan
 
PPT
Mac Memory Analysis with Volatility
byAndrew Case
 
PPTX
Let Your Mach-O Fly, Black Hat DC 2009
byVincenzo Iozzo
 
PDF
Demystifying Binary Reverse Engineering - Pixels Camp
byAndré Baptista
 
PDF
Sniffing Mach Messages
byMikhail Sosonkin
 
PDF
Eusecwest
byzynamics GmbH
 
PDF
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
PPTX
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
PDF
Bh dc09
byzynamics GmbH
 
PDF
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
PDF
Technical Workshop - Win32/Georbot Analysis
byPositive Hack Days
 
PDF
RDSDataSource: iOS Reverse Engineering for inexperienced
byRAMBLER&Co
 
PDF
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
byElvin Gentiles
 
PDF
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
byRootedCON
 
KEY
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
byVincenzo Iozzo
 
PPTX
Nullbyte 6ed. 2019
byRicardo L0gan
 
PPTX
Reverse Engineering 101
byysurer
 
PPTX
Reverse Engineering.pptx
bySameer Sapra
 
H2HC - R3MF
byRicardo L0gan
 
Bsides SP 2015 - Mach-O - A New Threat
byRicardo L0gan
 
Mac Memory Analysis with Volatility
byAndrew Case
 
Let Your Mach-O Fly, Black Hat DC 2009
byVincenzo Iozzo
 
Demystifying Binary Reverse Engineering - Pixels Camp
byAndré Baptista
 
Sniffing Mach Messages
byMikhail Sosonkin
 
Eusecwest
byzynamics GmbH
 
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
Bh dc09
byzynamics GmbH
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
Technical Workshop - Win32/Georbot Analysis
byPositive Hack Days
 
RDSDataSource: iOS Reverse Engineering for inexperienced
byRAMBLER&Co
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
byElvin Gentiles
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
byRootedCON
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
byVincenzo Iozzo
 
Nullbyte 6ed. 2019
byRicardo L0gan
 
Reverse Engineering 101
byysurer
 
Reverse Engineering.pptx
bySameer Sapra
 

Recently uploaded

PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Workflow and decision Automation with Flowable
bychakib ch
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 

Andsec Reversing on Mach-o File

  • 1.
    Andsec Security Conference 4thEditon R3MF – R3v3rs1ng on Mach-O File
  • 2.
    Ricardo L0gan Security Specialistwith over 15 years of experience, malware research enthusiastic, pentest and reverse engineering. I’ve a solid knowledge on topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages as Python, C and Assembly. At the Brazil, I contribute with some security conferences organizations such as SlackShow Community, bSides SP and Hackers to Hackers Conference (H2HC). Member # RTFM 💀 C○||cL/V€ # ### Long live Open Source - Use Linux (Slackware) ### $Whoami
  • 3.
    0x00 Motivation ofResearch 0x01 The Mach-O Format 0x02 Demo I (crackme) 0x03 Tricks for Reversing 0x04 Demo II (malware) 0x05 Conclusions / Q & (MAYBE 0/) A Agenda
  • 4.
    0x00 Motivation OfResearch For Fun ;) 0/ - malware - crackmes
  • 5.
  • 6.
    0x00 Motivation OfResearch .OSA --> ZIP:  PremierOpinion  upgrade.xml Mac.BackDoor.OpinionSpy.3 Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend) OSX_KAITEN.A Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure), OSX_CARETO.A Names: MacOS:Appetite-A [Trj] (Avast) OSX/BackDoor.A (AVG) Trojan.OSX.Melgato.a (Kaspersky) OSX/Backdoor-BRE (McAfee) Backdoor:MacOS_X/Appetite.A (Microsoft) OSX/Appetite-A (Sophos) Binary: /tmp/.z itunes212.{BLOCKED}pdt.com
  • 7.
    0x01 The Mach-oFormat The mach-o is a Universal (fat) binaries (for i386 x86_64 ppc ppc64 armv6 armv7), this format was adopted as the standard in OS X from version 10.6 on. We are currently in version 10.11.5 (El Capitan).
  • 8.
    Binary (Linux) Binary (Windows) Binary(OS X) 0x01 The Mach-o Format
  • 9.
    0x01 The Mach-oFormat Magic Number: File Signatures
  • 10.
  • 11.
    0x01 The Mach-oFormat Structs on File: - Code is located in __TEXT section. - Linked libraries in LC_LOAD_DYLIB commands. - The entrypoint is defined at LC_UNIXTHREAD or LC_THREAD.
  • 12.
    0x01 The Mach-oFormat HEADER
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
    0x02 Demo I Demo01 Crackme Binary: cryptorev Level: easy Detail: cryptorev is a binary mach-o the goal is run binary and found the flag. This demo don’t have protection in your code just UPX (packer) and DEADBEEF in file ;)
  • 21.
    0x03 Tricks forReversing When talking about malwares we have a lot of techniques to make it difficult to analyze (reversing the sample) like: - Anti-Disassembly - Anti-Debugging - Obfuscation - Anti-Vm
  • 22.
    0x03 Tricks forReversing When an app is launched, the OS X kernel loads the app’s code and data into the address space of a new process. The kernel also loads the dynamic loader ( /usr/lib/dyld ) into the process and passes control to it. Source: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/DynamicLibraries/100- Articles/OverviewOfDynamicLibraries.html#//apple_ref/doc/uid/TP40001873-SW1
  • 23.
    0x03 Tricks forReversing
  • 24.
    Static Analysis file ->determine file type upx / binwalk -> compress or expand executable files strings -> find the printable strings in a object, or other binary, file strip -> remove symbols hexEdit -> hex editor Lipo -> create or operate on universal files otool -> object file displaying tool like a objdump and ldd nm -> display name list (symbol table) codesign -> create and manipulate code signatures machOView -> visual Mach-O file browser class-dump -> utility for examining the Objective-C runtime information stored in Mach-O files. dtrace -> generic front-end to the DTrace facility fs_usage -> report system calls and page faults related to filesystem activity in real-time xattr -> display and manipulate extended attributes 0x03 Tricks for Reversing
  • 25.
    0x03 Tricks forReversing Dynamic Analysis Xcode -> xcode is an (IDE) containing a suite of software development. iDA Pro -> disassembler and debugger. hopper -> tool used for disassemble, and decompile your 32/64bits mach-o file. lldb -> debugger fseventer -> disk activity tool with a good graphical representation and solid filter tool. open snoop -> snoop file opens as they occur. Uses DTrace. activity Monitor -> tool to help you keep your system in good shape. procoxp -> It's a simple tool like a top get information accessible by proc_info tcpdump -> for dump and analisys traffic on a network wireshark -> for dump and analisys traffic on a network lsock -> based on PF_SYSTEM provider, you can get real time notifications of socket activity like TCPView from SysInternals. little Snitch -> network traffic monitoring and control.
  • 26.
    On March 2016appear the first Ransoware writing for mach-o file on OSX System (KeRanger), Distributed by client BitTorrent Transmission (v.2.90) This threat has been fixed in version v.2.91 the client. The latest version Gatekeeper OSX already block this ransoware since the first sample published 0/!!! 0x04 Demo II Demo 02 Ransoware Keranger
  • 27.
    Hacking is away of life Reference REVERSE Engineering Mac Malware - Defcon 22 https://www.defcon.org/images/defcon-22/dc-22- presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse- Engineering-Mac-Malware.pdf OS X ABI Mach-O File Format Reference https://developer.apple.com/library/mac/documentation/DeveloperT ools/Conceptual/MachORuntime/index.html Calling Convention http://www.agner.org/optimize/calling_conventions.pdf Thanks for my wife and brothers (C00ler, Slayer, Ygor Rogy, RTFM Team)
  • 28.
    0x05 Conclusions Question &(MAYBE;) 0/)Answer Contact: ricardologanbr@gmail.com @l0ganbr Download Presentation on: http://pt.slideshare.net/l0ganbr

Editor's Notes

  • #3 Hi Guys my nickname is logan today I’m talk about mach-o files.
  • #4 This is a schedule for today
  • #5 I like research on malware but I’m not working in company antivirus or like this. I liked just for fun \0/… and I a member RTFM CTF Team and I like crackmes and solution problem like this.
  • #6 Using VirusTotal as a source for this research I see that in 2014 we don't have binaries submissions mach-o but it from 2015 already had a high number of submitted files and 2016 until the time this number has almost doubled. Now I ask you the virus actually detect and protect your computer against these threats? antivirus works well on windows and linux ? The detection of binary is basically (Common Pattern) whether by hooking the OS API (create / read / execute). This actually works in the x mac? If we think of the amount of malware (with different tricks to bypass) X companies (AV) to researchers working on new threats, we do not have an unfair fight?
  • #7 Here we have 3 goods example the binaries mach-o malware. In the last year i made a research about malware mach-o and this more common today. what is better? Infect host user mac os (problably have money) or infected host user windows don't have money?
  • #8 64 = sixty four 86 = eighty-six 386 = three hundred eighty-six