Bsides SP 2015 - Mach-O - A New Threat
Transcript of Bsides SP 2015 - Mach-O - A New Threat
Ricardo Amaral a.k.a L0gan
Co0L BSidesSP 2015
$Whoami
Mach-O – A New Threat
### Long live Open Source - Use Linux (Slackware) ###
Ricardo L0gan
Security Specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly.
In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I'm a member of the staff of some events: H2HC, SlackShow and Bsides SP.
Agenda
0x00 Motivation of Research
0x01 OS X, The New Target
0x02 The Mach-O Format
0x03 Tools For Analysis (Static / Dynamic)
0x04 Current Threats
0x05 Conclusions
0x00 - Motivation of Research
Windows always gets infected!!!
Does Linux ever get infected??
“Mac OS ever gets infected...”
Source: www.virustotal.com
0x01 – OS X, The New Target
Source: www.virustotal.com (7-day period in April 2014)
Source: www.virustotal.com (7-day period in April 2015)
Source: www.virustotal.com
Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
Binary (Linux)
Binary (Windows)
Binary (OS X)
0x02 - The Mach-O Format
The Mach-O format was adopted as the standard in OS X from version 10.6 on.
We are currently at version 10.11 (Yosemite El Capitan).
CA FE BA BE - Mach-O Fat Binary
FE ED FA CE - Mach-O binary (32-bit)
FE ED FA CF - Mach-O binary (64-bit)
CE FA ED FE - Mach-O binary (reverse byte 32-bit)
CF FA ED FE - Mach-O binary (reverse byte 64-bit)
Mach-O (Mach Object)
HEADER / LOAD COMMANDS / SECTIONS
Architecture of object code:
ppc ppc64 i386 x86_64 armv6 armv7 armv7s arm64
HEADER
LOAD COMMANDS
SECTIONS
0x03 – Tools For Analysis (Static / Dynamic)
Dynamic Analysis
- Xcode (graphical)
- IDA Pro (graphical)
- lldb
- fseventer
- opensnoop
- Activity Monitor (graphical)
- procxp
- tcpdump
- Cocoa Packet Analyzer (graphical)
- Wireshark (graphical)
- lsock
- Little Snitch
Static Analysis
- file
- strings
- hex editor (graphical)
- lipo
- otool
- nm
- codesign
- MachOView (graphical)
- Hopper (graphical)
- class-dump
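The magic values and the header / load commands / sections layout from section 0x02, and what the static tools file, lipo, otool and codesign read out of a binary, can be reproduced with a short parser. The Python script below is an added example written for this transcript, not code from the talk or its author: it classifies the magic (as `file` does), walks a fat header to each slice (as `lipo -info` does), then walks the load commands to list segments, sections and linked dylibs (as `otool -l` / `otool -L` do) and reports whether an LC_CODE_SIGNATURE command is present (only `codesign -dv` on a real system verifies the signature itself). The sample binary is constructed inline: a synthetic x86_64 slice wrapped in a fat container, not a real program. Load command numbers and structure layouts follow Apple's mach-o headers.

```python
"""Mach-O / fat binary header walker (added example, not the talk's code)."""
import struct

# Magic values as read big-endian from the first four bytes of the file.
FAT_MAGIC   = 0xCAFEBABE  # CA FE BA BE: universal (fat) binary
MH_MAGIC    = 0xFEEDFACE  # FE ED FA CE: 32-bit, big-endian fields
MH_MAGIC_64 = 0xFEEDFACF  # FE ED FA CF: 64-bit, big-endian fields
MH_CIGAM    = 0xCEFAEDFE  # CE FA ED FE: 32-bit, little-endian fields ("reverse byte")
MH_CIGAM_64 = 0xCFFAEDFE  # CF FA ED FE: 64-bit, little-endian fields ("reverse byte")

CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64",
             18: "ppc", 0x01000012: "ppc64"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}

LC_SEGMENT, LC_SEGMENT_64 = 0x01, 0x19
LC_LOAD_DYLIB, LC_CODE_SIGNATURE = 0x0C, 0x1D


def classify_magic(data):
    """Return (kind, struct byte-order prefix, is64) from the magic, as `file` would."""
    if len(data) < 4:
        raise ValueError("file too short to hold a magic")
    magic = struct.unpack(">I", data[:4])[0]
    table = {FAT_MAGIC: ("fat", ">", False),
             MH_MAGIC: ("mach-o", ">", False), MH_MAGIC_64: ("mach-o", ">", True),
             MH_CIGAM: ("mach-o", "<", False), MH_CIGAM_64: ("mach-o", "<", True)}
    if magic not in table:
        raise ValueError("not a Mach-O or fat binary: magic 0x%08x" % magic)
    return table[magic]


def parse_thin(data):
    """Parse one thin Mach-O: header fields plus a summary of its load commands."""
    kind, e, is64 = classify_magic(data)
    if kind != "mach-o":
        raise ValueError("expected a thin Mach-O, got a fat header")
    hdr_size = 32 if is64 else 28  # mach_header_64 carries an extra reserved field
    _, cputype, _, filetype, ncmds, sizeofcmds, _ = struct.unpack(e + "7I", data[:28])
    info = {"arch": CPU_TYPES.get(cputype, hex(cputype)), "is64": is64,
            "filetype": FILE_TYPES.get(filetype, filetype),
            "segments": {}, "dylibs": [], "signed": False}
    off = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(e + "2I", data[off:off + 8])
        # A command running past sizeofcmds is malformed: stop instead of reading garbage.
        if cmdsize < 8 or off + cmdsize > hdr_size + sizeofcmds:
            raise ValueError("load command at 0x%x overruns sizeofcmds" % off)
        body = data[off:off + cmdsize]
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            segname = body[8:24].rstrip(b"\0").decode()
            seg_hdr, sect_size, nsects_at = (72, 80, 64) if is64 else (56, 68, 48)
            nsects = struct.unpack(e + "I", body[nsects_at:nsects_at + 4])[0]
            sections = [body[seg_hdr + i * sect_size:][:16].rstrip(b"\0").decode()
                        for i in range(nsects)]
            info["segments"][segname] = sections
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack(e + "I", body[8:12])[0]  # dylib.name is an lc_str offset
            info["dylibs"].append(body[name_off:].split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            info["signed"] = True  # a signature blob is embedded; codesign -dv verifies it
        off += cmdsize
    return info


def parse(data):
    """Dispatch on the magic; a fat binary yields one summary per embedded slice."""
    kind, _, _ = classify_magic(data)
    if kind == "mach-o":
        return [parse_thin(data)]
    nfat = struct.unpack(">I", data[4:8])[0]  # fat headers are always big-endian
    slices = []
    for i in range(nfat):
        _, _, offset, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        if offset + size > len(data):
            raise ValueError("fat slice %d points outside the file" % i)
        slices.append(parse_thin(data[offset:offset + size]))
    return slices


def build_sample():
    """Constructed sample input: a synthetic x86_64 slice in a fat container (not a real program)."""
    e = "<"
    sect = (b"__text".ljust(16, b"\0") + b"__TEXT".ljust(16, b"\0")
            + struct.pack(e + "2Q8I", 0x1000, 0x20, 0x1000, 4, 0, 0, 0x80000400, 0, 0, 0))
    seg = (struct.pack(e + "2I", LC_SEGMENT_64, 72 + len(sect)) + b"__TEXT".ljust(16, b"\0")
           + struct.pack(e + "4Q2i2I", 0, 0x2000, 0, 0x2000, 5, 5, 1, 0) + sect)
    name = b"/usr/lib/libSystem.B.dylib\0"
    dylib_size = (24 + len(name) + 7) & ~7  # load commands are 8-byte aligned
    dylib = (struct.pack(e + "6I", LC_LOAD_DYLIB, dylib_size, 24, 2, 0x4D0000, 0x10000)
             + name.ljust(dylib_size - 24, b"\0"))
    sig = struct.pack(e + "4I", LC_CODE_SIGNATURE, 16, 0x3000, 0x200)
    cmds = seg + dylib + sig
    header = struct.pack(e + "8I", MH_MAGIC_64, 0x01000007, 3, 2, 3, len(cmds), 0x200085, 0)
    thin = header + cmds
    fat = struct.pack(">2I", FAT_MAGIC, 1) + struct.pack(">5I", 0x01000007, 3, 4096, len(thin), 12)
    return fat.ljust(4096, b"\0") + thin


if __name__ == "__main__":
    for s in parse(build_sample()):
        print(s)
```

Reading the magic big-endian is what makes the five values on the slide distinct: a thin x86_64 binary on disk starts with CF FA ED FE, which the table maps to "64-bit, little-endian fields", so the same lookup tells you both the class and the byte order to use for every later field. The bounds checks on cmdsize and on fat slice offsets matter for triage work, since a crafted header can point a naive walker outside the file.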
0x03 – Tools For Analysis (Static)
FILE (mach-o)
STRINGS
HEX EDITOR
- 0xED
- HexEdit
- wxHexEditor
LIPO (0xcafebabe)
OTOOL
NM
CODESIGN
MachOView
HOPPER
CLASS-DUMP
0x03 – Tools For Analysis (Dynamic)
VMWARE FUSION / PARALLELS / VIRTUALBOX
- Keep virtualization software updated
- Use system tools installed in the VM
- Network in Host-Only mode
- If you use a Shared Folder (Host), leave it as "read-only"
- Disable Gatekeeper (Allow apps downloaded from: Anywhere)
XCODE
IDA PRO (also a static analysis tool)
LLDB
FSEVENTER
OPENSNOOP
ACTIVITY MONITOR
PROCXP
TCPDUMP
COCOA PACKET ANALYZER
WIRESHARK
LSOCK
Little Snitch
0x04 – Current Threats
Mac.BackDoor.OpinionSpy.3
Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend)
.OSA --> ZIP: PremierOpinion upgrade.xml
Source: http://vms.drweb.com/virus/?i=4354056&lng=en
http://news.drweb.com/show/?i=9309&lng=en&c=5
OSX_KAITEN.A
Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure), OSX/Tsunami.A (ESET)
Binary: /tmp/.z
Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_kaiten.a
OSX_CARETO.A
Names: MacOS:Appetite-A [Trj] (Avast), OSX/BackDoor.A (AVG), MAC.OSX.Backdoor.Careto.A (Bitdefender), OSX/Appetite.A (Eset), MAC.OSX.Backdoor.Careto.A (FSecure), Trojan.OSX.Melgato.a (Kaspersky), OSX/Backdoor-BRE (McAfee), Backdoor:MacOS_X/Appetite.A (Microsoft), OSX/Appetite-A (Sophos)
Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_careto.a
Hacking is a way of life
0x05 – Conclusions
Reference:
Sarah Edwards, Reverse Engineering Mac Malware - Defcon 22: https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf
https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html
http://www.agner.org/optimize/calling_conventions.pdf