Roadsec 2016: Mach-O – A New Threat
TRANSCRIPT
THE BIGGEST HACKING, SECURITY AND TECHNOLOGY EVENT IN BRAZIL
ON THE CONTINENT
Ricardo L0gan
Security Specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly.
In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I'm a member of the staff of some events: H2HC, SlackShow and Bsides SP.
### Long live Open Source - Use Linux (Slackware) ###
$Whoami
Member # RTFM C○|\|cL/\💀V€ #
29/04/2016 Mach-O – A New Threat
4
Agenda
0X00 MOTIVATION OF RESEARCH
0X01 OS X, THE NEW TARGET
0X02 THE MACH-O FORMAT
0X03 TOOLS FOR ANALYSIS (STATIC / DYNAMIC)
0X04 CURRENT THREATS
0X05 CONCLUSIONS / Q & (MAYBE \0/) A
0x00 - Motivation of Research
Windows always gets infected!!!
Does Linux ever get infected??
“Mac OS ever gets infected...”
0x01 - OS X, The New Target
(Five chart slides; the charts are not reproduced in the transcript.)
Source: www.virustotal.com
0x02 - The Mach-O Format
Binary (Linux): ELF
Binary (Windows): PE
Binary (OS X): Mach-O
Mach-O is the native executable format of OS X; it was inherited from NeXTSTEP and has been the standard since the first OS X release, not only since 10.6.
At the time of this talk the current version was 10.11 (El Capitan; 10.10 was Yosemite).
(Two figure slides; not reproduced in the transcript.)
0x02 - The Mach-O Format (HEADER)
0x02 - The Mach-O Format (LOAD_COMMANDS)
0x02 - The Mach-O Format (SECTIONS)
0x03 – Tools (Static / Dynamic)
0x03 – Tools (Static) FILE
mach-o
0x03 – Tools (Static) STRINGS
0x03 – Tools (Static) BINWALK / UPX
0x03 – Tools (Static) Hex Editor
HexEdit
wxHexEditor
0xED
0x03 – Tools (Static) LIPO
0xcafebabe (FAT_MAGIC: the big-endian magic of a fat/universal binary, the container that lipo splits into and joins from per-architecture Mach-O slices)
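As an added example, not code from these slides: a small Python parser for the structures named on the format slides above (the mach_header / mach_header_64, the load-command list, LC_SEGMENT / LC_SEGMENT_64 with their sections, LC_LOAD_DYLIB imports) that also unwraps the lipo-style fat container by its 0xcafebabe header. Everything it parses is constructed in build_sample(): an unsigned x86_64 MH_EXECUTE skeleton with no real code, wrapped in a one-slice fat header. The triage() checks are my own choice of first things to look at, not a standard. Structure layouts follow Apple's <mach-o/loader.h> and <mach-o/fat.h>.

```python
# Added example, not code from the slides: a minimal Mach-O / fat-binary parser.
import struct

FAT_MAGIC = 0xCAFEBABE                          # fat header: always big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE     # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
LC_SEGMENT, LC_SEGMENT_64, LC_LOAD_DYLIB, LC_CODE_SIGNATURE, LC_MAIN = 0x1, 0x19, 0xC, 0x1D, 0x80000028
CPU_TYPES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64", 18: "ppc"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 7: "MH_DYLINKER", 8: "MH_BUNDLE"}
LC_NAMES = {0x1: "LC_SEGMENT", 0x2: "LC_SYMTAB", 0xB: "LC_DYSYMTAB", 0xC: "LC_LOAD_DYLIB",
            0xE: "LC_LOAD_DYLINKER", 0x19: "LC_SEGMENT_64", 0x1B: "LC_UUID", 0x1D: "LC_CODE_SIGNATURE",
            0x24: "LC_VERSION_MIN_MACOSX", 0x80000022: "LC_DYLD_INFO_ONLY", 0x80000028: "LC_MAIN"}

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_thin(data):
    """Parse one (non-fat) Mach-O image: header, load-command list, segments, dylib imports."""
    magic = struct.unpack_from("<I", data)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"                                   # little-endian target (x86, arm)
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"                                   # byte-swapped, e.g. a PowerPC slice
    else:
        raise ValueError("not a Mach-O image: magic 0x%08x" % magic)
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_fmt = end + "I" * (8 if is64 else 7)        # mach_header_64 adds a trailing 'reserved'
    _, cputype, _sub, filetype, ncmds = struct.unpack_from(hdr_fmt, data)[:5]
    info = {"bits": 64 if is64 else 32, "cputype": CPU_TYPES.get(cputype, hex(cputype)),
            "filetype": FILE_TYPES.get(filetype, hex(filetype)),
            "commands": [], "segments": {}, "dylibs": [], "signed": False}
    off = struct.calcsize(hdr_fmt)                  # load commands follow the header directly
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):   # truncated or malformed command
            raise ValueError("load command at 0x%x runs past the image" % off)
        info["commands"].append(LC_NAMES.get(cmd, hex(cmd)))
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            w = "Q" if cmd == LC_SEGMENT_64 else "I"    # width of vmaddr/vmsize/fileoff/filesize
            seg_fmt = end + "II16s" + w * 4 + "iiII"
            segname, vmaddr, _vmsize, _fileoff, filesize, _maxprot, initprot, nsects, _sf = \
                struct.unpack_from(seg_fmt, data, off)[2:]
            sect_fmt = end + "16s16s" + w * 2 + "I" * (8 if w == "Q" else 7)
            sections, soff = [], off + struct.calcsize(seg_fmt)   # section headers follow the segment
            for _ in range(nsects):
                s = struct.unpack_from(sect_fmt, data, soff)
                sections.append({"name": _cstr(s[0]), "addr": s[2], "size": s[3], "offset": s[4]})
                soff += struct.calcsize(sect_fmt)
            info["segments"][_cstr(segname)] = {"vmaddr": vmaddr, "filesize": filesize,
                                                "initprot": initprot, "sections": sections}
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from(end + "I", data, off + 8)[0]   # dylib.name.offset
            info["dylibs"].append(_cstr(data[off + name_off:off + cmdsize]))
        elif cmd == LC_CODE_SIGNATURE:
            info["signed"] = True
        off += cmdsize
    return info

def parse(data):
    """One parsed image per architecture; a fat (universal) file is unwrapped slice by slice."""
    if len(data) < 8 or struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return [parse_thin(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    if not 0 < nfat <= 30:   # Java class files share 0xCAFEBABE; file(1) uses the same cut-off
        raise ValueError("nfat_arch=%d: not a fat Mach-O (Java class file?)" % nfat)
    images = []
    for i in range(nfat):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        images.append(parse_thin(data[offset:offset + size]))
    return images

def triage(info):
    """First static checks (my own pick): unsigned image, writable+executable segment."""
    bad = [] if info["signed"] else ["unsigned image (no LC_CODE_SIGNATURE)"]
    bad += ["segment %s is W+X (packer?)" % n for n, s in info["segments"].items() if s["initprot"] & 6 == 6]
    return bad

def build_sample():
    """Constructed input (not a real program): unsigned x86_64 MH_EXECUTE with one __TEXT/__text
    section and one dylib import, wrapped in a single-slice fat header."""
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x100000F00, 0x10,
                       0xF00, 4, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 7, 5, 1, 0) + sect        # initprot r-x
    name = b"/usr/lib/libSystem.B.dylib\0"
    name += b"\0" * (-len(name) % 8)                # cmdsize must stay 8-byte aligned
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x4D10000, 0x10000) + name
    main = struct.pack("<IIQQ", LC_MAIN, 24, 0xF00, 0)
    cmds = seg + dylib + main
    thin = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 3, len(cmds), 0x200085, 0) + cmds
    thin += b"\0" * (0x1000 - len(thin))            # pad to the declared __TEXT filesize
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">iiIII", 0x01000007, 3, 0x1000, len(thin), 12)
    return fat + b"\0" * (0x1000 - len(fat)) + thin   # slice starts on a 2^12 boundary

if __name__ == "__main__":
    for img in parse(build_sample()):
        print(img["cputype"], img["filetype"], img["commands"], img["dylibs"], triage(img))
```

The same fields are what otool -h (header), otool -l (load commands and sections) and otool -L (LC_LOAD_DYLIB names) print, and what lipo -info and file read from the fat header. Two checks worth keeping when you adapt this: cmdsize is attacker-controlled, so it is bounds-checked before the next command is read, and a 0xcafebabe file with a large second word is a Java class file, not a universal binary.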
0x03 – Tools (Static) OTOOL
0x03 – Tools (Static) NM
0x03 – Tools (Static) CODESIGN
0x03 – Tools (Static) MachOView
0x03 – Tools (Static) HOPPER
0x03 – Tools (Static) CLASS-DUMP
0x03 – Tools (Dynamic)
0x03 – Tools (Dynamic) XCODE
0x03 – Tools (Dynamic) IDA PRO
(also a static tool)
0x03 – Tools (Dynamic) LLDB
0x03 – Tools (Dynamic) FSEVENTER
0x03 – Tools (Dynamic) OPENSNOOP
0x03 – Tools (Dynamic) ACTIVITY MONITOR
0x03 – Tools (Dynamic) PROCXP
0x03 – Tools (Dynamic) TCPDUMP
0x03 – Tools (Dynamic) WIRESHARK
0x03 – Tools (Dynamic) LSOCK
0x03 – Tools (Dynamic) Little Snitch
0x04 – Current Threats
.OSA --> ZIP: PremierOpinion upgrade.xml
Mac.BackDoor.OpinionSpy.3
  Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend)
OSX_KAITEN.A
  Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure)
OSX_CARETO.A
  Names: MacOS:Appetite-A [Trj] (Avast), OSX/BackDoor.A (AVG), Trojan.OSX.Melgato.a (Kaspersky), OSX/Backdoor-BRE (McAfee), Backdoor:MacOS_X/Appetite.A (Microsoft), OSX/Appetite-A (Sophos)
  Binary: /tmp/.z
  itunes212.{BLOCKED}pdt.com
0x04 – Current Threats (MacOS:KeRanger-C)
In March 2016 KeRanger appeared, the first ransomware written as a Mach-O file for OS X. It was distributed inside a trojanized build of the Transmission BitTorrent client (v2.90); version 2.91 of the client removed it. The sample was signed with a valid Apple developer certificate, which Apple revoked, so Gatekeeper on the current OS X release blocks this ransomware, and has since the first sample was published \0/!!!
0x05 - Conclusions
Hacking is a way of life
References
Sarah Edwards, Reverse Engineering Mac Malware, DEF CON 22: https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf
Apple, OS X ABI Mach-O File Format Reference: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html
Agner Fog, Calling conventions for different C++ compilers and operating systems: http://www.agner.org/optimize/calling_conventions.pdf
Thanks to my wife and brothers (C00ler, Clandestine, Slayer, Unknow_Antisec, DMR, BSDaemon, Robertux, RTFM Team and OSX_Rev)