Mach-O – A New Threat
Ricardo Amaral a.k.a. L0gan
Co0L BSidesSP 2015

$Whoami
### Long live Open Source - Use Linux (Slackware) ###
Ricardo L0gan
Security specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly.
In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I’m a member of the staff of some events: H2HC, SlackShow and Bsides SP.
Agenda
0x00 Motivation of Research
0x01 OS X, The New Target
0x02 The Mach-O Format
0x03 Tools For Analysis (Static / Dynamic)
0x04 Current Threats
0x05 Conclusions
0x00 - Motivation of Research
Windows always gets infected!!!
Does Linux ever get infected??
“Mac OS ever gets infected...”
Source: www.virustotal.com
0x01 – OS X, The New Target
[Chart: VirusTotal submissions per binary type, 7-day period in April 2014. Source: www.virustotal.com]
[Chart: VirusTotal submissions per binary type, 7-day period in April 2015. Source: www.virustotal.com]
[Chart: Mach-O detections by AV vendor. Source: www.virustotal.com]
[Chart: vulnerabilities by operating system. Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html]
Binaries by platform: Binary (Linux), Binary (Windows), Binary (OS X)
0x02 - The Mach-O Format
The Mach-O format was adopted as the standard in OS X from version 10.6 on. We are currently in version 10.11 (Yosemite El Capitan).
Magic numbers:
- CA FE BA BE - Mach-O Fat Binary
- FE ED FA CE - Mach-O binary (32-bit)
- FE ED FA CF - Mach-O binary (64-bit)
- CE FA ED FE - Mach-O binary (reverse byte 32-bit)
- CF FA ED FE - Mach-O binary (reverse byte 64-bit)
Mach-O (Mach Object) structure: HEADER, LOAD COMMANDS, SECTIONS
Architecture of object code: ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64
[Screenshots: header, load commands and sections of a Mach-O binary]
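As an added example (not code from the deck), a small Python parser for the structures the slides list: it recognises the five magic numbers, walks a fat header to each architecture slice, then reads the mach_header and its LC_SEGMENT/LC_SEGMENT_64 load commands to list segments and sections, rejecting any structure that points outside the file. Struct layouts and CPU type constants follow Apple's mach-o/loader.h and fat.h; the sample fat file is constructed inline, and the nfat_arch bound used to tell a fat binary from a Java class file (which shares the CA FE BA BE magic) is this example's own heuristic.

```python
import struct
from dataclasses import dataclass, field
# The five magic numbers from the slide, as the raw bytes found at file offset 0.
FAT_MAGIC = b"\xca\xfe\xba\xbe"     # fat (universal) binary; its header is always big-endian
MH_MAGIC = b"\xfe\xed\xfa\xce"      # 32-bit, big-endian image (ppc)
MH_CIGAM = b"\xce\xfa\xed\xfe"      # 32-bit, little-endian image ("reverse byte", i386)
MH_MAGIC_64 = b"\xfe\xed\xfa\xcf"   # 64-bit, big-endian image (ppc64)
MH_CIGAM_64 = b"\xcf\xfa\xed\xfe"   # 64-bit, little-endian image (x86_64, arm64)
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64", 18: "ppc", 0x01000012: "ppc64"}

@dataclass
class MachO:
    arch: str
    is64: bool
    little_endian: bool
    filetype: int
    ncmds: int
    segments: list = field(default_factory=list)  # [(segname, [sectname, ...]), ...]

def _unpack(fmt, blob, off):
    """struct.unpack_from that reports a truncated file as ValueError instead of struct.error."""
    if off < 0 or off + struct.calcsize(fmt) > len(blob):
        raise ValueError("structure at offset %d runs past the end of the file" % off)
    return struct.unpack_from(fmt, blob, off)

def parse_thin(blob, base=0):
    """Parse one thin image at blob[base]: mach_header, then walk its load commands."""
    magic = blob[base:base + 4]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end, is64 = ">", magic == MH_MAGIC_64
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end, is64 = "<", magic == MH_CIGAM_64
    else:
        raise ValueError("no Mach-O magic at offset %d" % base)
    hdr_fmt = end + ("IiiIIIII" if is64 else "IiiIIII")  # mach_header_64 carries an extra reserved field
    _magic, cputype, _sub, filetype, ncmds = _unpack(hdr_fmt, blob, base)[:5]
    m = MachO(CPU_NAMES.get(cputype, hex(cputype)), is64, end == "<", filetype, ncmds)
    off = base + struct.calcsize(hdr_fmt)
    for _ in range(ncmds):
        cmd, cmdsize = _unpack(end + "II", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            raise ValueError("load command at offset %d overruns the file" % off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            segname = blob[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace")
            seg_size, sect_size = (72, 80) if is64 else (56, 68)  # sizeof segment_command[_64], section[_64]
            nsects = _unpack(end + "I", blob, off + seg_size - 8)[0]
            if seg_size + nsects * sect_size > cmdsize:
                raise ValueError("section table of %s overruns its load command" % segname)
            names = [blob[s:s + 16].rstrip(b"\0").decode("ascii", "replace")  # section headers follow the command
                     for s in range(off + seg_size, off + seg_size + nsects * sect_size, sect_size)]
            m.segments.append((segname, names))
        off += cmdsize
    return m

def parse(blob):
    """Return one MachO per architecture slice of a fat file, or a one-element list for a thin file."""
    if blob[:4] != FAT_MAGIC:
        return [parse_thin(blob, 0)]
    nfat = _unpack(">I", blob, 4)[0]
    # Java .class files also start with CAFEBABE, followed by the class-file version; an implausible
    # nfat_arch is the tell (the bound of 32 is this example's own heuristic, not an Apple constant).
    if not 1 <= nfat <= 32:
        raise ValueError("CAFEBABE but nfat_arch=%d: not a fat Mach-O (Java class?)" % nfat)
    slices = []
    for i in range(nfat):  # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
        cputype, _sub, offset, size, _align = _unpack(">iiIII", blob, 8 + 20 * i)
        if offset + size > len(blob):
            raise ValueError("fat slice %d (%s) lies outside the file" % (i, CPU_NAMES.get(cputype, cputype)))
        slices.append(parse_thin(blob, offset))
    return slices

def _thin(cputype, is64, end):
    """Constructed minimal image: header + one __TEXT segment holding one __text section."""
    if is64:
        sect = struct.pack(end + "16s16sQQ8I", b"__text", b"__TEXT", 0x1000, 0x10, *([0] * 8))
        seg = struct.pack(end + "II16s4Q2i2I", LC_SEGMENT_64, 152, b"__TEXT", 0x1000, 0x1000, 0, 0x1000, 7, 5, 1, 0)
        hdr = struct.pack(end + "I2i5I", 0xFEEDFACF, cputype, 3, 2, 1, 152, 0, 0)  # filetype 2 = MH_EXECUTE
    else:
        sect = struct.pack(end + "16s16s9I", b"__text", b"__TEXT", 0x1000, 0x10, *([0] * 7))
        seg = struct.pack(end + "II16s4I2i2I", LC_SEGMENT, 124, b"__TEXT", 0x1000, 0x1000, 0, 0x1000, 7, 5, 1, 0)
        hdr = struct.pack(end + "I2i4I", 0xFEEDFACE, cputype, 3, 2, 1, 124, 0)
    return hdr + seg + sect

def build_sample():
    """Constructed fat file: a little-endian x86_64 slice and a big-endian 32-bit ppc slice."""
    x86, ppc = _thin(0x01000007, True, "<"), _thin(18, False, ">")
    hdr = FAT_MAGIC + struct.pack(">I", 2)
    hdr += struct.pack(">iiIII", 0x01000007, 3, 0x1000, len(x86), 12) + struct.pack(">iiIII", 18, 0, 0x2000, len(ppc), 12)
    return (hdr.ljust(0x1000, b"\0") + x86).ljust(0x2000, b"\0") + ppc
```

Running `parse(open(path, "rb").read())` on a real binary gives the same per-slice view that `lipo -info` and `otool -l` show, with malformed offsets reported as errors rather than crashes.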
0x03 – Tools For Analysis (Static / Dynamic)
Dynamic Analysis
- Xcode (graphical)
- IDA Pro (graphical)
- lldb
- fseventer
- opensnoop
- Activity Monitor (graphical)
- procxp
- tcpdump
- Cocoa Packet Analyzer (graphical)
- Wireshark (graphical)
- lsock
- Little Snitch
Static Analysis
- file
- strings
- hex editor (graphical)
- lipo
- otool
- nm
- codesign
- MachOView (graphical)
- Hopper (graphical)
- class-dump
0x03 – Tools For Analysis (Static) (one screenshot per tool)
- FILE (on a mach-o binary)
- STRINGS
- HEX EDITOR: 0xED, HexEdit, wxHexEditor
- LIPO (fat binary, 0xcafebabe)
- OTOOL
- NM
- CODESIGN
- MachOView
- HOPPER
- CLASS-DUMP
VMWARE FUSION / PARALLELS / VIRTUALBOX
- Keep virtualization software updated
- Use system tools installed in the VM
- Network in host-only mode
- If you use a shared folder (host), leave it as “read-only”
- Disable Gatekeeper (Allow apps downloaded from: Anywhere)
0x03 – Tools For Analysis (Dynamic) (one screenshot per tool)
- XCODE
- IDA PRO (also a static tool)
- LLDB
- OPEN SNOOP
- FSEVENTER
- ACTIVITY MONITOR
- PROCXP
- TCPDUMP
- COCOA (Cocoa Packet Analyzer)
- WIRESHARK
- LSOCK
- Little Snitch
0x04 – Current Threats
[Chart. Source: www.virustotal.com]

Mac.BackDoor.OpinionSpy.3
Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend)
.OSA --> ZIP: PremierOpinion, upgrade.xml
Source:
http://vms.drweb.com/virus/?i=4354056&lng=en
http://news.drweb.com/show/?i=9309&lng=en&c=5

OSX_KAITEN.A
Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure), OSX/Tsunami.A (ESET)
Binary: /tmp/.z
Source:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_kaiten.a

OSX_CARETO.A
Names: MacOS:Appetite-A [Trj] (Avast), OSX/BackDoor.A (AVG), MAC.OSX.Backdoor.Careto.A (Bitdefender), OSX/Appetite.A (Eset), MAC.OSX.Backdoor.Careto.A (FSecure), Trojan.OSX.Melgato.a (Kaspersky), OSX/Backdoor-BRE (McAfee), Backdoor:MacOS_X/Appetite.A (Microsoft), OSX/Appetite-A (Sophos)
Source:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_careto.a
0x05 – Conclusions
Hacking is a way of life

Reference:
- Sarah Edwards, Reverse Engineering Mac Malware - Defcon 22: https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf
- https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html
- http://www.agner.org/optimize/calling_conventions.pdf

Contact
ricardologanbr@gmail.com
@l0ganbr
http://www.slideshare.net/l0ganbr
Thanks a Lot
Any Questions?

Editor's Notes (Bsides SP 2015 - Mach-O - A New Threat)

  1. http://2015.latinoware.org/ricardo-logan
  2. With the popularity of Apple systems (iPhone / iPad / MacBook) a new and promising line of users appears (financially better off) who can be targets for new bankers / malware. Bots / rootkits / Linux targets (servers)... See rootkit lists .... X-Agent (Operation Pawn Storm)
  3. In this first chart we can see the comparison of submissions for each binary type over a period of only 7 days.
  4. Mach-O samples for a 2014 period, for comparison with 2015 on the next slide. OK, OK, it looks a bit biased; also mention the fact that the research uses VirusTotal data precisely because this information is not made public by the AV companies.
  5. In this chart an increase in Mach-O binary submissions can already be seen compared with the chart on the previous slide.
  6. Mach-O detections by vendor. Which raises the question: do they really detect these binaries? Is it really effective?
  7. With all the information presented on the previous slides we conclude that OS X really can be a heavily exploited platform, both for malware and for exploitation of vulnerabilities. Mention the company Hacking Team, which had interception tools that ran even on OS X: https://github.com/RookLabs/milano
  8. In this chart the result is a bit biased because the Windows platform is split into several versions, whereas OS X is shown as a single version. Even so, one can see that OS X is a potential target for vulnerability researchers.
  9. Briefly explain the binaries used on other platforms (Windows / Linux).
  10. Mac OS X runs ELF (Linux) binaries and Mach-O binaries. The name Mach-O comes from Mach Object.
  11. Talk about the magic number, a short and compact header generally used to identify the format of a file (ELF/PE/Mach-O/DOS/etc.).
  12. Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically loaded code, and core dumps. Also known as a FAT binary, which can run on several architectures.
  13. The loader.h file contains the structure of the Mach-O binary (header / load_commands / sections).
  14. There are other tools such as dtrace, fs_usage, optool and class-dump. Most of the command-line tools can be obtained via MacPorts.
  15. Tool used to determine the type of a binary.
  16. wxHexEditor is open source!!!
  17. Tool used to extract a binary.
  18. Similar to objdump and ldd; used for dumping/disassembling files and libraries.
  19. The “nm” command lists the symbols of an object file.
  20. Create and manipulate code signatures.
  21. Visual tool for viewing and editing Mach-O binaries.
  22. Disassembler (OS X and Linux) used for reverse engineering the binary.
  23. Tool used to examine the design of Mach-O applications, their structures and Objective-C runtime information. It generates declarations for classes, categories and protocols (similar to otool -ov).
  24. In version 10.7 Apple added Gatekeeper to OS X as a way to prevent the installation of software from arbitrary sources.
  25. Xcode is an IDE that contains a suite of software development tools made by Apple for developing software for OS X and iOS.
  26. LLDB is a high-performance debugger, the default in Xcode on Mac OS X, and supports debugging C, Objective-C and C++ on desktop and iOS devices and in the simulator.
  27. fseventer is a tool that monitors disk activity. The tree view is particularly interesting, since it shows which processes create or modify files and highlights the related paths.
  28. Tool that traces file opens, displaying information such as UID, PID and file path (can be used with dtrace).
  29. Similar to top and htop.
  30. Make clear to the audience that the Cocoa mentioned here has nothing to do with the Cocoa framework.
  31. AV detection of the binary basically (common pattern) happens through hooking of OS APIs (creation / reading / execution).
  32. It appeared in 2010 and received some updates between 2014 and 2015. Basically it monitors Mac OS X users, collecting information about websites, network traffic and other malicious actions. The malware is distributed from a non-malicious binary that contains the download and installation package. PremierOpinion is the backdoor proper, with administrative rights and Command and Control functions.
  33. The sample appeared in September 2014; it connects to an IRC channel to execute commands. The binary itself changes its process name to apache2.
  34. The sample appeared in February 2014; it was used in an attack called Careto and was used for remote code execution (in encrypted form) on the target machine.