SlideShare une entreprise Scribd logo

Appsec rump reverse-i_os_machook

Cyber Security Alliance
Cyber Security Alliance

d

Technologie
1  sur  16
Télécharger pour lire hors ligne
Reversing OSX / iOS malware machook / wirelurker AppSecForum 2014 - RumpSession Julien Bachmann / @milkmix_
intro | appealing late night twitt Like at 1am this morning…
intro | immediate reaction “Maybe it’s more interesting to analyse than Unflod.dylib!” But: original download link for the IPA was not working anymore :( Solution: start from the beginning, aka find original blog post linked with the case
intro | original post
osx | initial infection start.sh unzip FontMap1.cfg deploy machook in /usr/local/machook create LaunchDaemon to persist
osx | machook 64 bits binary only use libimobiledevice to detect when an iOS device is plugged-in com.apple.afc ProductVersion SerialNumber list of installed Apps
osx | machook
osx | machook starts com.apple.afc2 if worked (jailbroken device ) copy [OSX]/usr/local/machook/sfbase.dylib [iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib download signed IPA and push it as well using com.apple.mobile.installation_proxy URL stored in SQLite DB: foundation Enterprise cert means that first execution will bring validation pop-up code not encrypted as not from AppStore globalupdate : loop to check for updates
osx | machook
osx | machook
osx | machook
iOS | sfbase.dylib not signed MobileSubstrate to hook [UIWindow sendEvent] in MobileStorageMounter MobileSafari MobilePhone MobileSMS Preferences also checks for updates
iOS | sfbase.dylib if event is applicationWillResignActive, kill applications What??? Maybe I don’t have the latest version also, dead code to query URL and hide it retrieve some files SMS.db AddressBook.sqlitedb UDID post to saveinfo.php
iOS | sfbase.dylib
iOS | sfbase.dylib
conclusion | maybe not that “new era” did not look at the signed binary for the moment possibilities too limited except if privileges escalation is possible… hooking methods but does not use it targeted at Chinese market but logs in english still some nice functionalities update functionality OSX —> iOS, but already seen in the wild

Recommandé

Ansible meetup-0915
Ansible meetup-0915Ansible meetup-0915
Ansible meetup-0915Pierre Mavro
 
iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...
iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...
iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...Badoo
 
Openstack Vagrant plugin overview
Openstack Vagrant plugin overviewOpenstack Vagrant plugin overview
Openstack Vagrant plugin overviewMarton Kiss
 
Windows Subsystem for Linux .NET Oxford Dec 2018
Windows Subsystem for Linux .NET Oxford Dec 2018Windows Subsystem for Linux .NET Oxford Dec 2018
Windows Subsystem for Linux .NET Oxford Dec 2018Stuart Leeks
 
Docker 101 - DevOps at EMC May 2015
Docker 101 - DevOps at EMC May 2015Docker 101 - DevOps at EMC May 2015
Docker 101 - DevOps at EMC May 2015Jonas Rosland
 
Elixir Deployment Tools
Elixir Deployment ToolsElixir Deployment Tools
Elixir Deployment ToolsAaron Renner
 
presentation-chaos-monkey
presentation-chaos-monkeypresentation-chaos-monkey
presentation-chaos-monkeyMatthew Campbell
 
GitHub Slack Bot
GitHub Slack BotGitHub Slack Bot
GitHub Slack BotPriti Desai
 

Recommandé

Ansible meetup-0915
Ansible meetup-0915Ansible meetup-0915
Ansible meetup-0915Pierre Mavro
 
iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...
iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...
iOS Parallel Automation - Viktar Karanevich - Mobile Test Automation Meetup (...Badoo
 
Openstack Vagrant plugin overview
Openstack Vagrant plugin overviewOpenstack Vagrant plugin overview
Openstack Vagrant plugin overviewMarton Kiss
 
Windows Subsystem for Linux .NET Oxford Dec 2018
Windows Subsystem for Linux .NET Oxford Dec 2018Windows Subsystem for Linux .NET Oxford Dec 2018
Windows Subsystem for Linux .NET Oxford Dec 2018Stuart Leeks
 
Docker 101 - DevOps at EMC May 2015
Docker 101 - DevOps at EMC May 2015Docker 101 - DevOps at EMC May 2015
Docker 101 - DevOps at EMC May 2015Jonas Rosland
 
Elixir Deployment Tools
Elixir Deployment ToolsElixir Deployment Tools
Elixir Deployment ToolsAaron Renner
 
presentation-chaos-monkey
presentation-chaos-monkeypresentation-chaos-monkey
presentation-chaos-monkeyMatthew Campbell
 
GitHub Slack Bot
GitHub Slack BotGitHub Slack Bot
GitHub Slack BotPriti Desai
 
Comment choisir son mot de passe ?
Comment choisir son mot de passe ?Comment choisir son mot de passe ?
Comment choisir son mot de passe ?DBM Technologies
 
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...Cyber Security Alliance
 
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...Cyber Security Alliance
 
Mémoriser facilement son mot de passe
Mémoriser facilement son mot de passeMémoriser facilement son mot de passe
Mémoriser facilement son mot de passeapidesk
 
Étude sur la sécurité du mot de passe GMX 2015
Étude sur la sécurité du mot de passe GMX 2015Étude sur la sécurité du mot de passe GMX 2015
Étude sur la sécurité du mot de passe GMX 2015GMX
 
Wi fi-radius
Wi fi-radiusWi fi-radius
Wi fi-radiusMoïse Guilavogui
 
Windows Azure Multi-Factor Authentication, presentation et cas d’usage
Windows Azure Multi-Factor Authentication, presentation et cas d’usageWindows Azure Multi-Factor Authentication, presentation et cas d’usage
Windows Azure Multi-Factor Authentication, presentation et cas d’usageMicrosoft
 
ASFWS 2011 : Sur le chemin de l’authentification multi-facteurs
ASFWS 2011 : Sur le chemin de l’authentification multi-facteursASFWS 2011 : Sur le chemin de l’authentification multi-facteurs
ASFWS 2011 : Sur le chemin de l’authentification multi-facteursCyber Security Alliance
 
Présentation Master
Présentation Master Présentation Master
Présentation Master Bilel Trabelsi
 
Guide google double authentification
Guide google double authentificationGuide google double authentification
Guide google double authentificationCloud 34
 
Cri iut 2005-wifi_free_radius
Cri iut 2005-wifi_free_radiusCri iut 2005-wifi_free_radius
Cri iut 2005-wifi_free_radiusJames Curtis Camdoum Deudjui
 
Authentification Réseau 802.1X PEAP-MSCHAP-V2
Authentification Réseau 802.1X PEAP-MSCHAP-V2Authentification Réseau 802.1X PEAP-MSCHAP-V2
Authentification Réseau 802.1X PEAP-MSCHAP-V2PRONETIS
 
L'authentification forte ou vers la mort du mot de passe
L'authentification forte ou vers la mort du mot de passeL'authentification forte ou vers la mort du mot de passe
L'authentification forte ou vers la mort du mot de passeAlice and Bob
 
Rapport sécurité
Rapport sécuritéRapport sécurité
Rapport sécuritéMohammed Zaoui
 
Identité Numérique et Authentification Forte
Identité Numérique et Authentification ForteIdentité Numérique et Authentification Forte
Identité Numérique et Authentification ForteSylvain Maret
 
Authentification Forte Cours UNI 2002
Authentification Forte Cours UNI 2002Authentification Forte Cours UNI 2002
Authentification Forte Cours UNI 2002Sylvain Maret
 
L\'authentification forte : Concept et Technologies
L\'authentification forte : Concept et TechnologiesL\'authentification forte : Concept et Technologies
L\'authentification forte : Concept et TechnologiesIbrahima FALL
 
présentation soutenance PFE.ppt
présentation soutenance PFE.pptprésentation soutenance PFE.ppt
présentation soutenance PFE.pptMohamed Ben Bouzid
 
Présentation Soutenance de Mémoire
Présentation Soutenance de MémoirePrésentation Soutenance de Mémoire
Présentation Soutenance de MémoireClaire Prigent
 
Soutenance mémoire de fin d'études
Soutenance mémoire de fin d'étudesSoutenance mémoire de fin d'études
Soutenance mémoire de fin d'étudesFabrice HAUHOUOT
 
Calabash-iOS
Calabash-iOSCalabash-iOS
Calabash-iOSKishan Ravindra http://about.me/ravindra_kishan
 
Deploy your app with one Slack command
Deploy your app with one Slack commandDeploy your app with one Slack command
Deploy your app with one Slack commandFabio Milano
 

Contenu connexe

En vedette

Comment choisir son mot de passe ?
Comment choisir son mot de passe ?Comment choisir son mot de passe ?
Comment choisir son mot de passe ?DBM Technologies
 
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...Cyber Security Alliance
 
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...Cyber Security Alliance
 
Mémoriser facilement son mot de passe
Mémoriser facilement son mot de passeMémoriser facilement son mot de passe
Mémoriser facilement son mot de passeapidesk
 
Étude sur la sécurité du mot de passe GMX 2015
Étude sur la sécurité du mot de passe GMX 2015Étude sur la sécurité du mot de passe GMX 2015
Étude sur la sécurité du mot de passe GMX 2015GMX
 
Windows Azure Multi-Factor Authentication, presentation et cas d’usage
Windows Azure Multi-Factor Authentication, presentation et cas d’usageWindows Azure Multi-Factor Authentication, presentation et cas d’usage
Windows Azure Multi-Factor Authentication, presentation et cas d’usageMicrosoft
 
ASFWS 2011 : Sur le chemin de l’authentification multi-facteurs
ASFWS 2011 : Sur le chemin de l’authentification multi-facteursASFWS 2011 : Sur le chemin de l’authentification multi-facteurs
ASFWS 2011 : Sur le chemin de l’authentification multi-facteursCyber Security Alliance
 
Guide google double authentification
Guide google double authentificationGuide google double authentification
Guide google double authentificationCloud 34
 
Authentification Réseau 802.1X PEAP-MSCHAP-V2
Authentification Réseau 802.1X PEAP-MSCHAP-V2Authentification Réseau 802.1X PEAP-MSCHAP-V2
Authentification Réseau 802.1X PEAP-MSCHAP-V2PRONETIS
 
L'authentification forte ou vers la mort du mot de passe
L'authentification forte ou vers la mort du mot de passeL'authentification forte ou vers la mort du mot de passe
L'authentification forte ou vers la mort du mot de passeAlice and Bob
 
Identité Numérique et Authentification Forte
Identité Numérique et Authentification ForteIdentité Numérique et Authentification Forte
Identité Numérique et Authentification ForteSylvain Maret
 
Authentification Forte Cours UNI 2002
Authentification Forte Cours UNI 2002Authentification Forte Cours UNI 2002
Authentification Forte Cours UNI 2002Sylvain Maret
 
L\'authentification forte : Concept et Technologies
L\'authentification forte : Concept et TechnologiesL\'authentification forte : Concept et Technologies
L\'authentification forte : Concept et TechnologiesIbrahima FALL
 
présentation soutenance PFE.ppt
présentation soutenance PFE.pptprésentation soutenance PFE.ppt
présentation soutenance PFE.pptMohamed Ben Bouzid
 
Présentation Soutenance de Mémoire
Présentation Soutenance de MémoirePrésentation Soutenance de Mémoire
Présentation Soutenance de MémoireClaire Prigent
 
Soutenance mémoire de fin d'études
Soutenance mémoire de fin d'étudesSoutenance mémoire de fin d'études
Soutenance mémoire de fin d'étudesFabrice HAUHOUOT
 

En vedette (20)

Comment choisir son mot de passe ?
Comment choisir son mot de passe ?Comment choisir son mot de passe ?
Comment choisir son mot de passe ?
 
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...
ASFWS 2013 - Sécurité et extension d’infrastructure vers le cloud: retour d’e...
 
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...
ASFWS 2013 - Rump session - Un serveur d'authentification forte pour $35! par...
 
Mémoriser facilement son mot de passe
Mémoriser facilement son mot de passeMémoriser facilement son mot de passe
Mémoriser facilement son mot de passe
 
Étude sur la sécurité du mot de passe GMX 2015
Étude sur la sécurité du mot de passe GMX 2015Étude sur la sécurité du mot de passe GMX 2015
Étude sur la sécurité du mot de passe GMX 2015
 
Wi fi-radius
Wi fi-radiusWi fi-radius
Wi fi-radius
 
Windows Azure Multi-Factor Authentication, presentation et cas d’usage
Windows Azure Multi-Factor Authentication, presentation et cas d’usageWindows Azure Multi-Factor Authentication, presentation et cas d’usage
Windows Azure Multi-Factor Authentication, presentation et cas d’usage
 
ASFWS 2011 : Sur le chemin de l’authentification multi-facteurs
ASFWS 2011 : Sur le chemin de l’authentification multi-facteursASFWS 2011 : Sur le chemin de l’authentification multi-facteurs
ASFWS 2011 : Sur le chemin de l’authentification multi-facteurs
 
Présentation Master
Présentation Master Présentation Master
Présentation Master
 
Guide google double authentification
Guide google double authentificationGuide google double authentification
Guide google double authentification
 
Cri iut 2005-wifi_free_radius
Cri iut 2005-wifi_free_radiusCri iut 2005-wifi_free_radius
Cri iut 2005-wifi_free_radius
 
Authentification Réseau 802.1X PEAP-MSCHAP-V2
Authentification Réseau 802.1X PEAP-MSCHAP-V2Authentification Réseau 802.1X PEAP-MSCHAP-V2
Authentification Réseau 802.1X PEAP-MSCHAP-V2
 
L'authentification forte ou vers la mort du mot de passe
L'authentification forte ou vers la mort du mot de passeL'authentification forte ou vers la mort du mot de passe
L'authentification forte ou vers la mort du mot de passe
 
Rapport sécurité
Rapport sécuritéRapport sécurité
Rapport sécurité
 
Identité Numérique et Authentification Forte
Identité Numérique et Authentification ForteIdentité Numérique et Authentification Forte
Identité Numérique et Authentification Forte
 
Authentification Forte Cours UNI 2002
Authentification Forte Cours UNI 2002Authentification Forte Cours UNI 2002
Authentification Forte Cours UNI 2002
 
L\'authentification forte : Concept et Technologies
L\'authentification forte : Concept et TechnologiesL\'authentification forte : Concept et Technologies
L\'authentification forte : Concept et Technologies
 
présentation soutenance PFE.ppt
présentation soutenance PFE.pptprésentation soutenance PFE.ppt
présentation soutenance PFE.ppt
 
Présentation Soutenance de Mémoire
Présentation Soutenance de MémoirePrésentation Soutenance de Mémoire
Présentation Soutenance de Mémoire
 
Soutenance mémoire de fin d'études
Soutenance mémoire de fin d'étudesSoutenance mémoire de fin d'études
Soutenance mémoire de fin d'études
 

Similaire à Appsec rump reverse-i_os_machook

Deploy your app with one Slack command
Deploy your app with one Slack commandDeploy your app with one Slack command
Deploy your app with one Slack commandFabio Milano
 
[Srijan Wednesday Webinar] Mastering Mobile Test Automation with Appium
[Srijan Wednesday Webinar] Mastering Mobile Test Automation with Appium[Srijan Wednesday Webinar] Mastering Mobile Test Automation with Appium
[Srijan Wednesday Webinar] Mastering Mobile Test Automation with AppiumSrijan Technologies
 
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010SecurityTube.Net
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010SecurityTube.Net
 
Ci system part ii
Ci system part iiCi system part ii
Ci system part ii振維 李
 
Cross-platform mobile dev with Mono
Cross-platform mobile dev with MonoCross-platform mobile dev with Mono
Cross-platform mobile dev with MonoCraig Dunn
 
iOS 7 URL Session & Motion FX APIs
iOS 7 URL Session & Motion FX APIsiOS 7 URL Session & Motion FX APIs
iOS 7 URL Session & Motion FX APIsrsebbe
 
Ionic4 quickies and_rx_js_observables
Ionic4 quickies and_rx_js_observablesIonic4 quickies and_rx_js_observables
Ionic4 quickies and_rx_js_observablesPhilipp Höhne
 
State ofappdevelopment
State ofappdevelopmentState ofappdevelopment
State ofappdevelopmentgillygize
 
What is CocoaPods and how to setup?
What is CocoaPods and how to setup?What is CocoaPods and how to setup?
What is CocoaPods and how to setup?Milan Panchal
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Calabash Andoird + Calabash iOS
Calabash Andoird + Calabash iOSCalabash Andoird + Calabash iOS
Calabash Andoird + Calabash iOSAnadea
 
(Christian heilman) firefox
(Christian heilman) firefox(Christian heilman) firefox
(Christian heilman) firefoxNAVER D2
 
Security Applications For Emulation
Security Applications For EmulationSecurity Applications For Emulation
Security Applications For EmulationSilvio Cesare
 
MeCab in docker action(OpenWhisk)
MeCab in docker action(OpenWhisk)MeCab in docker action(OpenWhisk)
MeCab in docker action(OpenWhisk)KUNITO Atsunori
 
iOS Development Survival Guide for the .NET Guy
iOS Development Survival Guide for the .NET GuyiOS Development Survival Guide for the .NET Guy
iOS Development Survival Guide for the .NET GuyNick Landry
 
Appium mobile web+dev conference
Appium mobile web+dev conferenceAppium mobile web+dev conference
Appium mobile web+dev conferenceIsaac Murchie
 
Appium Overview - by Daniel Puterman
Appium Overview - by Daniel PutermanAppium Overview - by Daniel Puterman
Appium Overview - by Daniel PutermanApplitools
 

Similaire à Appsec rump reverse-i_os_machook (20)

Calabash-iOS
Calabash-iOSCalabash-iOS
Calabash-iOS
 
Deploy your app with one Slack command
Deploy your app with one Slack commandDeploy your app with one Slack command
Deploy your app with one Slack command
 
[Srijan Wednesday Webinar] Mastering Mobile Test Automation with Appium
[Srijan Wednesday Webinar] Mastering Mobile Test Automation with Appium[Srijan Wednesday Webinar] Mastering Mobile Test Automation with Appium
[Srijan Wednesday Webinar] Mastering Mobile Test Automation with Appium
 
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
 
Ci system part ii
Ci system part iiCi system part ii
Ci system part ii
 
Cross-platform mobile dev with Mono
Cross-platform mobile dev with MonoCross-platform mobile dev with Mono
Cross-platform mobile dev with Mono
 
iOS 7 URL Session & Motion FX APIs
iOS 7 URL Session & Motion FX APIsiOS 7 URL Session & Motion FX APIs
iOS 7 URL Session & Motion FX APIs
 
Ionic4 quickies and_rx_js_observables
Ionic4 quickies and_rx_js_observablesIonic4 quickies and_rx_js_observables
Ionic4 quickies and_rx_js_observables
 
State ofappdevelopment
State ofappdevelopmentState ofappdevelopment
State ofappdevelopment
 
Mobile operating system
Mobile operating systemMobile operating system
Mobile operating system
 
What is CocoaPods and how to setup?
What is CocoaPods and how to setup?What is CocoaPods and how to setup?
What is CocoaPods and how to setup?
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Calabash Andoird + Calabash iOS
Calabash Andoird + Calabash iOSCalabash Andoird + Calabash iOS
Calabash Andoird + Calabash iOS
 
(Christian heilman) firefox
(Christian heilman) firefox(Christian heilman) firefox
(Christian heilman) firefox
 
Security Applications For Emulation
Security Applications For EmulationSecurity Applications For Emulation
Security Applications For Emulation
 
MeCab in docker action(OpenWhisk)
MeCab in docker action(OpenWhisk)MeCab in docker action(OpenWhisk)
MeCab in docker action(OpenWhisk)
 
iOS Development Survival Guide for the .NET Guy
iOS Development Survival Guide for the .NET GuyiOS Development Survival Guide for the .NET Guy
iOS Development Survival Guide for the .NET Guy
 
Appium mobile web+dev conference
Appium mobile web+dev conferenceAppium mobile web+dev conference
Appium mobile web+dev conference
 
Appium Overview - by Daniel Puterman
Appium Overview - by Daniel PutermanAppium Overview - by Daniel Puterman
Appium Overview - by Daniel Puterman
 

Plus de Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

Plus de Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Dernier

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Dernier (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

Appsec rump reverse-i_os_machook

  • 1. Reversing OSX / iOS malware machook / wirelurker AppSecForum 2014 - RumpSession Julien Bachmann / @milkmix_
  • 2. intro | appealing late night twitt Like at 1am this morning…
  • 3. intro | immediate reaction “Maybe it’s more interesting to analyse than Unflod.dylib!” But: original download link for the IPA was not working anymore :( Solution: start from the beginning, aka find original blog post linked with the case
  • 5. osx | initial infection start.sh unzip FontMap1.cfg deploy machook in /usr/local/machook create LaunchDaemon to persist
  • 6. osx | machook 64 bits binary only use libimobiledevice to detect when an iOS device is plugged-in com.apple.afc ProductVersion SerialNumber list of installed Apps
  • 8. osx | machook starts com.apple.afc2 if worked (jailbroken device ) copy [OSX]/usr/local/machook/sfbase.dylib [iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib download signed IPA and push it as well using com.apple.mobile.installation_proxy URL stored in SQLite DB: foundation Enterprise cert means that first execution will bring validation pop-up code not encrypted as not from AppStore globalupdate : loop to check for updates
  • 12. iOS | sfbase.dylib not signed MobileSubstrate to hook [UIWindow sendEvent] in MobileStorageMounter MobileSafari MobilePhone MobileSMS Preferences also checks for updates
  • 13. iOS | sfbase.dylib if event is applicationWillResignActive, kill applications What??? Maybe I don’t have the latest version also, dead code to query URL and hide it retrieve some files SMS.db AddressBook.sqlitedb UDID post to saveinfo.php
  • 16. conclusion | maybe not that “new era” did not look at the signed binary for the moment possibilities too limited except if privileges escalation is possible… hooking methods but does not use it targeted at Chinese market but logs in english still some nice functionalities update functionality OSX —> iOS, but already seen in the wild