Mach-O – A New Threat
Ricardo Amaral a.k.a. L0gan
Co0L BSidesSP 2015
$Whoami
### Long live Open Source - Use Linux (Slackware) ###
Ricardo L0gan
Security specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly.
In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I'm a member of the staff of some events: H2HC, SlackShow and BSides SP.
Agenda
0x00 Motivation of Research
0x01 OS X, The New Target
0x02 The Mach-O Format
0x03 Tools For Analysis (Static / Dynamic)
0x04 Current Threats
0x05 Conclusions
0x00 - Motivation of Research
Windows always gets infected!!!
Does Linux ever get infected??
“Mac OS ever gets infected...”
Source: www.virustotal.com
0x01 – OS X, The New Target
[chart] 7-day period in April 2014. Source: www.virustotal.com
[chart] 7-day period in April 2015. Source: www.virustotal.com
[chart] Source: www.virustotal.com
0x01 – OS X, The New Target
[chart] Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
[chart] Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
Binary (Linux)
Binary (Windows)
Binary (OS X)
0x02 - The Mach-O Format
The Mach-O format was adopted as the standard in OS X from version 10.6 on.
We are currently in version 10.11 (Yosemite El Capitan).
0x02 - The Mach-O Format
Magic numbers:
CA FE BA BE - Mach-O Fat Binary
FE ED FA CE - Mach-O binary (32-bit)
FE ED FA CF - Mach-O binary (64-bit)
CE FA ED FE - Mach-O binary (reverse byte 32-bit)
CF FA ED FE - Mach-O binary (reverse byte 64-bit)
0x02 - The Mach-O Format
Mach-O (Mach Object) layout:
HEADER
LOAD COMMANDS
SECTIONS
Architecture of object code: ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64
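Added example, not code from the deck: a Python parser for the layout just described. It recognises all five magic values, walks the fat_arch table of a universal (CA FE BA BE) binary, and for each slice reads the mach_header and the LC_SEGMENT / LC_SEGMENT_64 load commands down to their section names, with field layouts taken from Apple's loader.h. It goes a step beyond the slide by bounds-checking nfat_arch, sizeofcmds, cmdsize and nsects, which is what keeps a triage script from crashing on a deliberately malformed sample; the fat file it parses is constructed inline and is not a real binary.

```python
import struct

# The five magic values from the slide, read as the first four bytes big-endian.
FAT_MAGIC, MH_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACE, 0xFEEDFACF   # fat, 32-bit, 64-bit
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE      # byte-swapped: the file is little-endian
MAGICS = {FAT_MAGIC: ("fat", ">", None), MH_MAGIC: ("thin", ">", False), MH_MAGIC_64: ("thin", ">", True),
          MH_CIGAM: ("thin", "<", False), MH_CIGAM_64: ("thin", "<", True)}  # kind, struct order, is64
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64", 18: "ppc", 0x01000012: "ppc64"}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}

def _need(ok, msg):
    if not ok:                                   # reject a malformed header instead of reading past it
        raise ValueError(msg)

def _cstr(raw): return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def classify_magic(data):
    """Return (kind, struct byte-order prefix, is64) for the leading magic, or None if not Mach-O."""
    return MAGICS.get(struct.unpack(">I", data[:4])[0]) if len(data) >= 4 else None

def parse_fat(data):
    """Read fat_header + fat_arch[] (always big-endian); returns [(cputype, offset, size)]."""
    nfat = struct.unpack(">I", data[4:8])[0]
    # Java .class files share CA FE BA BE; `file` treats nfat_arch > 30 as Java, real fat files have a few slices
    _need(0 < nfat <= 30, "implausible nfat_arch; not a fat Mach-O")
    slices = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        _need(offset + size <= len(data), "fat_arch slice runs past the end of the file")
        slices.append((cputype, offset, size))
    return slices

def parse_thin(blob):
    """Parse mach_header and walk the load commands of one thin Mach-O image."""
    kind = classify_magic(blob)
    _need(kind is not None and kind[0] == "thin", "slice does not start with a thin Mach-O magic")
    _, e, is64 = kind
    hdr_fmt = e + ("8I" if is64 else "7I")       # the 64-bit header has an extra reserved field
    hdr_len = struct.calcsize(hdr_fmt)
    _need(len(blob) >= hdr_len, "truncated mach_header")
    _, cputype, _sub, filetype, ncmds, sizeofcmds = struct.unpack(hdr_fmt, blob[:hdr_len])[:6]
    # segment_command(_64) size, section(_64) size, offset of nsects inside the segment command
    seg_cmd, seg_len, sec_len, ns_off = (LC_SEGMENT_64, 72, 80, 64) if is64 else (LC_SEGMENT, 56, 68, 48)
    end = hdr_len + sizeofcmds
    _need(end <= len(blob), "sizeofcmds runs past the end of the slice")
    segments, off = [], hdr_len
    for _ in range(ncmds):
        _need(off + 8 <= end, "ncmds is larger than sizeofcmds allows")
        cmd, cmdsize = struct.unpack(e + "II", blob[off:off + 8])
        _need(8 <= cmdsize <= end - off, "load command overruns sizeofcmds")   # cmdsize 0 would loop forever
        if cmd == seg_cmd and cmdsize >= seg_len:
            nsects = struct.unpack(e + "I", blob[off + ns_off:off + ns_off + 4])[0]
            _need(seg_len + nsects * sec_len <= cmdsize, "nsects does not fit inside cmdsize")
            sections = [_cstr(blob[off + seg_len + i * sec_len:][:16]) for i in range(nsects)]
            segments.append({"name": _cstr(blob[off + 8:off + 24]), "sections": sections})
        off += cmdsize
    return {"cputype": cputype, "arch": CPU_NAMES.get(cputype, hex(cputype)), "bits": 64 if is64 else 32,
            "endian": "little" if e == "<" else "big", "filetype": FILETYPES.get(filetype, filetype),
            "ncmds": ncmds, "segments": segments}

def describe(data):
    """Classify an image and parse every Mach-O in it: one thin file, or each fat slice."""
    kind = classify_magic(data)
    _need(kind is not None, "no Mach-O magic at offset 0")
    if kind[0] == "thin":
        return {"fat": False, "slices": [parse_thin(data)]}
    slices = []
    for cputype, offset, size in parse_fat(data):
        info = parse_thin(data[offset:offset + size])
        _need(info["cputype"] == cputype, "fat_arch cputype disagrees with the slice's mach_header")
        slices.append(info)
    return {"fat": True, "slices": slices}

def build_sample():
    """Constructed sample (not a real binary): a fat file holding an x86_64 and an i386 slice."""
    def seg64(seg, secs):   # LC_SEGMENT_64 followed by its section_64 headers
        body = b"".join(struct.pack("<16s16sQQ8I", s, seg, 0, 0, *[0] * 8) for s in secs)
        return struct.pack("<II16sQQQQ4I", LC_SEGMENT_64, 72 + len(body), seg, 0, 0, 0, 0, 7, 5, len(secs), 0) + body
    cmds64 = seg64(b"__PAGEZERO", []) + seg64(b"__TEXT", [b"__text", b"__cstring"])
    x86_64 = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds64), 0x85, 0) + cmds64
    sec32 = struct.pack("<16s16s9I", b"__text", b"__TEXT", *[0] * 9)
    cmds32 = struct.pack("<II16s8I", LC_SEGMENT, 56 + len(sec32), b"__TEXT", 0, 0, 0, 0, 7, 5, 1, 0) + sec32
    i386 = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 1, len(cmds32), 0x85) + cmds32
    off_a, off_b = 64, 64 + len(x86_64) + (-len(x86_64) % 16)   # slices placed past the 48-byte fat header
    fat = struct.pack(">II", FAT_MAGIC, 2) + struct.pack(">5I", 0x01000007, 3, off_a, len(x86_64), 4)
    fat += struct.pack(">5I", 7, 3, off_b, len(i386), 4)
    return fat.ljust(off_a, b"\0") + x86_64.ljust(off_b - off_a, b"\0") + i386
```

Point describe() at the bytes of any file to get the same per-slice summary that lipo, otool -h and otool -l show on the later slides.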
0x02 - The Mach-O Format (diagram slides)
HEADER
LOAD COMMANDS
SECTIONS
0x03 – Tools For Analysis (Static / Dynamic)
Dynamic Analysis
- Xcode (graphical)
- IDA Pro (graphical)
- lldb
- fseventer
- opensnoop
- Activity Monitor (graphical)
- procxp
- tcpdump
- Cocoa Packet Analyzer (graphical)
- Wireshark (graphical)
- lsock
- Little Snitch
Static Analysis
- file
- strings
- hex editor (graphical)
- lipo
- otool
- nm
- codesign
- MachOView (graphical)
- Hopper (graphical)
- class-dump
0x03 – Tools For Analysis (Static), one screenshot slide per tool:
FILE (mach-o)
STRINGS
HEX EDITOR (0xED, HexEdit, wxHexEditor)
LIPO (0xcafebabe)
LIPO
OTOOL
NM
CODESIGN
MachOView
HOPPER
CLASS-DUMP
0x03 – Tools For Analysis (Dynamic)
VMWARE FUSION / PARALLELS / VIRTUALBOX
- Keep the virtualization software updated
- Use the system tools installed in the VM
- Network in host-only mode
- If you use a shared folder (host), leave it read-only
- Disable Gatekeeper (Allow apps downloaded from: Anywhere)
0x03 – Tools For Analysis (Dynamic), one screenshot slide per tool:
XCODE
IDA PRO
LLDB (slide caption: also a static tool)
FSEVENTER
OPEN SNOOP
ACTIVITY MONITOR
PROCXP
TCPDUMP
COCOA (Cocoa Packet Analyzer)
WIRESHARK
LSOCK
Little Snitch
0x04 – Current Threats
[chart] Source: www.virustotal.com
0x04 – Current Threats
Mac.BackDoor.OpinionSpy.3
Names:
MacOS_X/OpinionSpy.A (Microsoft),
Mac.BackDoor.OpinionSpy.3 (F-Secure),
Mac.BackDoor.OpinionSpy.3 (Trend)
.OSA --> ZIP containing:
- PremierOpinion
- upgrade.xml
Source:
http://vms.drweb.com/virus/?i=4354056&lng=en
http://news.drweb.com/show/?i=9309&lng=en&c=5
0x04 – Current Threats
OSX_KAITEN.A
Names:
MacOS_X/Tsunami.A (Microsoft),
OSX/Tsunami (McAfee),
OSX/Tsunami-Gen (Sophos),
OSX/Tsunami.A (F-Secure),
OSX/Tsunami.A (ESET)
Binary: /tmp/.z
Source:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_kaiten.a
0x04 – Current Threats
OSX_CARETO.A
Names:
MacOS:Appetite-A [Trj] (Avast)
OSX/BackDoor.A (AVG)
MAC.OSX.Backdoor.Careto.A (Bitdefender)
OSX/Appetite.A (Eset)
MAC.OSX.Backdoor.Careto.A (FSecure)
Trojan.OSX.Melgato.a (Kaspersky)
OSX/Backdoor-BRE (McAfee)
Backdoor:MacOS_X/Appetite.A (Microsoft)
OSX/Appetite-A (Sophos)
Source:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_careto.a
0x05 – Conclusions
Hacking is a way of life
Reference:
Sarah Edwards, Reverse Engineering Mac Malware - Defcon 22
https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf
https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html
http://www.agner.org/optimize/calling_conventions.pdf
ricardologanbr@gmail.com
@l0ganbr
Contact
Thanks a Lot
Any Questions ?
http://www.slideshare.net/l0ganbr

Bsides SP 2015 - Mach-O - A New Threat

Editor's Notes

  1. http://2015.latinoware.org/ricardo-logan
  2. With the popularity of Apple's systems (iPhone / iPad / MacBook) a new and promising group of users emerges (better off, financially speaking) that can be the target of new bankers / malware. Bot / rootkit / Linux targets (servers)... See lists of rootkits .... X-Agent (Operation Pawn Storm)
  3. In this first chart we can see, over a period of only 7 days, a comparison of submissions for each type of binary.
  4. Mach-O samples from the 2014 period, for comparison with 2015 on the next slide. OK OK, it looks a bit biased; also mention the fact that the research uses VirusTotal data precisely because the AV companies do not publish this.
  5. In this chart an increase in submissions of Mach-O binaries is already noticeable compared with the chart on the previous slide.
  6. Mach-O detections per vendor. That raises the question: do they really detect these binaries? Is it really effective?
  7. With all the information presented in the previous slides we conclude that OS X can really be a heavily exploited platform, both for malware and for exploitation of vulnerabilities. Mention the company Hacking Team, which had interception tools that ran even on OS X https://github.com/RookLabs/milano
  8. In this chart the result is a bit biased because the Windows platform is split into several versions, while for OS X only one version was presented. Still, one can see that OS X is a potential target system for vulnerability researchers.
  9. Briefly explain the binaries used on other distributions (Windows / Linux).
  10. Mac OS X runs ELF binaries (Linux) and Mach-O binaries. The name Mach-O comes from Mach Object.
  11. Talk about the magic number, which is a short, compact header generally used to characterize the format (ELF/PE/Mach-O/DOS/etc..).
  12. Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically loaded code, and core dumps. Also known as a FAT binary, which can be executed on several architectures.
  13. The file loader.h contains the structure of the Mach-O binary (header / load_commands / sections).
  14. Other tools exist, such as: dtrace, fs_usage, optool, class-dump. Most of the command-line tools can be obtained via MacPorts.
  15. Tool used to determine the binary type.
  16. wxHexEditor is open source!!!
  17. Tool used to extract binaries.
  18. Similar to objdump and ldd - used to dump/disassemble files and libraries.
  19. The "nm" command lists the symbols of the object file.
  20. Create and manipulate code signatures.
  21. Visual tool for viewing and editing Mach-O binaries.
  22. Disassembler (OS X and Linux) used for reverse engineering the binary.
  23. Tool used to examine the design of Mach-O applications, their structures and Objective-C runtime information. It generates declarations for classes, categories and protocols. (similar to otool -ov)
  24. In version 10.7 Apple added Gatekeeper to OS X as a way to prevent the installation of software from arbitrary sources.
  25. Xcode is an IDE that contains a set of software development tools developed by Apple for developing software for OS X and iOS.
  26. LLDB is a high-performance debugger, the default in Xcode on Mac OS X, and supports debugging C, Objective-C and C++ on desktop and iOS devices and the simulator.
  27. fseventer is a tool that monitors disk activity. The tree view is particularly interesting, as it shows the processes in which files are created or modified and highlights the related paths.
  28. Tool that traces file opens, displaying information such as UID, PID and file path. (can be used with dtrace)
  29. Similar to top and htop.
  30. Make it clear to the audience that the Cocoa mentioned has nothing to do with the COCOA framework.
  31. Detection of the binary by AV basically (common pattern) happens through hooking of the OS APIs (creation / reading / execution).
  32. It appeared in 2010 and between 2014/2015 received some updates. Basically it monitors Mac OS X users, collecting information about websites, network traffic and other malicious actions. The malware is distributed from a non-malicious binary that contains the download and installation package. PremierOpinion is the backdoor proper, with administrative rights and Command and Control functions.
  33. The sample appeared in September 2014; it connects to an IRC channel to execute commands. The binary itself changes the process name to apache2.
  34. The sample appeared in February 2014; it was used in an attack called Careto, and was used for remote code execution (in encrypted form) on the target machine.