Mach-O – A New Threat
Ricardo Amaral a.k.a. L0gan
Co0L BSidesSP 2015
$Whoami
### Long live Open Source - Use Linux (Slackware) ###
Ricardo L0gan
Security Specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly.
In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I'm a member of the staff of some events: H2HC, SlackShow and BSides SP.
Agenda
0x00 Motivation of Research
0x01 OS X, The New Target
0x02 The Mach-O Format
0x03 Tools For Analysis (Static / Dynamic)
0x04 Current Threats
0x05 Conclusions
0x00 - Motivation of Research
Windows always gets infected!!!
Does Linux ever get infected??
“Mac OS ever gets infected...”
Source: www.virustotal.com
0x01 – OS X, The New Target
Source: www.virustotal.com
7-day period in April 2014
Source: www.virustotal.com
7-day period in April 2015
Source: www.virustotal.com
Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
Binary (Linux)
Binary (Windows)
Binary (OS X)
0x02 - The Mach-O Format
The Mach-O format was adopted as the standard in OS X from version 10.6 on. We are currently at version 10.11 (Yosemite El Capitan).
CA FE BA BE - Mach-O Fat Binary
FE ED FA CE - Mach-O binary (32-bit)
FE ED FA CF - Mach-O binary (64-bit)
CE FA ED FE - Mach-O binary (reverse byte 32-bit)
CF FA ED FE - Mach-O binary (reverse byte 64-bit)
Mach-O (Mach Object): HEADER, LOAD COMMANDS, SECTIONS
Architecture of object code: ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64
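The magic numbers and the header / load commands layout above can be checked with a small parser. This is an added example written for this page, not code from the talk; it assumes the struct layouts and the LC_* / CPU_TYPE_* values from Apple's loader.h and machine.h, and the fat file it parses is constructed inline (not a real binary). It also bounds-checks cmdsize, the field a malformed sample typically lies about.

```python
import struct

# Magic numbers from the slide, as the first four bytes of the file on disk.
MAGIC_LABELS = {
    b"\xca\xfe\xba\xbe": "Mach-O Fat Binary",
    b"\xfe\xed\xfa\xce": "Mach-O binary (32-bit)",
    b"\xfe\xed\xfa\xcf": "Mach-O binary (64-bit)",
    b"\xce\xfa\xed\xfe": "Mach-O binary (reverse byte 32-bit)",
    b"\xcf\xfa\xed\xfe": "Mach-O binary (reverse byte 64-bit)",
}
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86, CPU_TYPE_ARM, CPU_TYPE_POWERPC = 7, 12, 18
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
             CPU_TYPE_POWERPC: "ppc", CPU_TYPE_POWERPC | CPU_ARCH_ABI64: "ppc64"}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
MH_PIE = 0x200000                                   # header flag: ASLR-capable image
LC_SEGMENT, LC_SEGMENT_64, LC_LOAD_DYLIB, LC_CODE_SIGNATURE = 0x1, 0x19, 0xC, 0x1D

def parse_thin(data):
    """Parse one architecture slice: mach_header(_64) followed by its load commands."""
    magic = data[:4]
    if magic not in MAGIC_LABELS or magic == b"\xca\xfe\xba\xbe":
        raise ValueError("not a thin Mach-O: magic %s" % magic.hex())
    # FE ED FA Cx on disk is a big-endian header (ppc era); the "reverse byte"
    # forms CE/CF FA ED FE are the little-endian i386/x86_64/arm headers.
    big = magic[0] == 0xFE
    is64 = (magic[3] if big else magic[0]) == 0xCF
    e = ">" if big else "<"
    hdr_fmt = e + ("IiiIIIII" if is64 else "IiiIIII")  # 64-bit adds a reserved word
    hdr_len = struct.calcsize(hdr_fmt)
    _, cputype, _, filetype, ncmds, sizeofcmds, flags = struct.unpack(hdr_fmt, data[:hdr_len])[:7]
    if hdr_len + sizeofcmds > len(data):
        raise ValueError("sizeofcmds runs past the end of the file")
    segments, dylibs, has_sig, pos = [], [], False, hdr_len
    for _ in range(ncmds):
        if pos + 8 > hdr_len + sizeofcmds:
            raise ValueError("ncmds does not fit in sizeofcmds")
        cmd, cmdsize = struct.unpack(e + "II", data[pos:pos + 8])
        # A lying cmdsize is the classic way a crafted sample breaks naive parsers.
        if cmdsize < 8 or pos + cmdsize > hdr_len + sizeofcmds:
            raise ValueError("load command at 0x%x overruns sizeofcmds" % pos)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):            # segname[16] follows cmd/cmdsize
            segments.append(data[pos + 8:pos + 24].rstrip(b"\0").decode())
        elif cmd == LC_LOAD_DYLIB:                        # what `otool -L` lists
            name_off = struct.unpack(e + "I", data[pos + 8:pos + 12])[0]
            dylibs.append(data[pos + name_off:pos + cmdsize].split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:                    # blob that `codesign -dv` verifies
            has_sig = True
        pos += cmdsize
    return {"magic": MAGIC_LABELS[magic], "arch": CPU_NAMES.get(cputype, hex(cputype)),
            "filetype": FILETYPES.get(filetype, hex(filetype)), "pie": bool(flags & MH_PIE),
            "segments": segments, "dylibs": dylibs, "code_signature": has_sig}

def parse(data):
    """Entry point: a CA FE BA BE file is split into slices the way `lipo -info` sees them."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return {"magic": MAGIC_LABELS.get(data[:4], "not Mach-O"), "slices": [parse_thin(data)]}
    nfat = struct.unpack(">I", data[4:8])[0]            # fat header is always big-endian
    slices = []
    for i in range(nfat):                               # fat_arch: cputype, cpusubtype, offset, size, align
        _cpu, _sub, off, size, _align = struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i])
        if off + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        slices.append(parse_thin(data[off:off + size]))
    return {"magic": MAGIC_LABELS[data[:4]], "slices": slices}

def build_fat_sample():
    """Constructed test input, not a real binary: a fat file holding an x86_64 PIE executable
    slice (one __TEXT segment, links libSystem, has a signature) and an empty i386 slice."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", 0, 0, 0, 0, 7, 5, 0, 0)
    path = b"/usr/lib/libSystem.B.dylib\0"
    path += b"\0" * (-len(path) % 8)                    # cmdsize is padded to pointer size
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(path), 24, 2, 0x10000, 0x10000) + path
    sig = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    cmds = seg + dylib + sig
    thin64 = struct.pack("<IiiIIIII", 0xFEEDFACF, CPU_TYPE_X86 | CPU_ARCH_ABI64, 3, 2,
                         3, len(cmds), MH_PIE, 0) + cmds
    thin32 = struct.pack("<IiiIIII", 0xFEEDFACE, CPU_TYPE_X86, 3, 2, 0, 0, 0)
    off64, off32 = 4096, 8192                           # page-aligned slices, as lipo lays them out
    fat = struct.pack(">II", 0xCAFEBABE, 2)
    fat += struct.pack(">iiIII", CPU_TYPE_X86 | CPU_ARCH_ABI64, 3, off64, len(thin64), 12)
    fat += struct.pack(">iiIII", CPU_TYPE_X86, 3, off32, len(thin32), 12)
    return fat.ljust(off64, b"\0") + thin64.ljust(off32 - off64, b"\0") + thin32

if __name__ == "__main__":
    import json
    print(json.dumps(parse(build_fat_sample()), indent=2))
```

Pointing `parse()` at the bytes of a real file gives the same summary `file`, `lipo -info`, `otool -h`/`-L` and `codesign` would give piecewise, which is handy when triaging a sample on a machine without the Xcode tools.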
0x03 – Tools For Analysis (Static / Dynamic)
Dynamic Analysis
- Xcode (graphical)
- IDA Pro (graphical)
- lldb
- fseventer
- opensnoop
- Activity Monitor (graphical)
- procxp
- tcpdump
- Cocoa Packet Analyzer (graphical)
- Wireshark (graphical)
- lsock
- Little Snitch
Static Analysis
- file
- strings
- hex editor (graphical)
- lipo
- otool
- nm
- codesign
- MachOView (graphical)
- Hopper (graphical)
- class-dump
0x03 – Tools For Analysis (Static)
FILE (mach-o)
STRINGS
HEX EDITOR: 0xED, HexEdit, wxHexEditor
LIPO (0xcafebabe)
OTOOL
NM
CODESIGN
MachOView
HOPPER
CLASS-DUMP
0x03 – Tools For Analysis (Dynamic)
VMWARE FUSION / PARALLELS / VIRTUALBOX
- Keep virtualization software updated
- Use the system tools installed in the VM
- Network in host-only mode
- If you use a shared folder (host), leave it as “read-only”
- Disable Gatekeeper (Allow apps downloaded from: Anywhere)
XCODE
IDA PRO (also a static tool)
LLDB
FSEVENTER
OPENSNOOP
ACTIVITY MONITOR
PROCXP
TCPDUMP
COCOA PACKET ANALYZER
WIRESHARK
LSOCK
Little Snitch
0x04 – Current Threats
Source: www.virustotal.com

Mac.BackDoor.OpinionSpy.3
Names:
MacOS_X/OpinionSpy.A (Microsoft),
Mac.BackDoor.OpinionSpy.3 (F-Secure),
Mac.BackDoor.OpinionSpy.3 (Trend)
.OSA --> ZIP:
 PremierOpinion
 upgrade.xml
Source:
http://vms.drweb.com/virus/?i=4354056&lng=en
http://news.drweb.com/show/?i=9309&lng=en&c=5

OSX_KAITEN.A
Names:
MacOS_X/Tsunami.A (Microsoft),
OSX/Tsunami (McAfee),
OSX/Tsunami-Gen (Sophos),
OSX/Tsunami.A (F-Secure),
OSX/Tsunami.A (ESET)
Binary:
/tmp/.z
Source:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_kaiten.a

OSX_CARETO.A
Names:
MacOS:Appetite-A [Trj] (Avast)
OSX/BackDoor.A (AVG)
MAC.OSX.Backdoor.Careto.A (Bitdefender)
OSX/Appetite.A (ESET)
MAC.OSX.Backdoor.Careto.A (F-Secure)
Trojan.OSX.Melgato.a (Kaspersky)
OSX/Backdoor-BRE (McAfee)
Backdoor:MacOS_X/Appetite.A (Microsoft)
OSX/Appetite-A (Sophos)
Source:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_careto.a
0x05 – Conclusions
Hacking is a way of life

Reference:
Sarah Edwards, Reverse Engineering Mac Malware - Defcon 22
https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf
https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html
http://www.agner.org/optimize/calling_conventions.pdf

Contact
ricardologanbr@gmail.com
@l0ganbr
http://www.slideshare.net/l0ganbr
Thanks a Lot
Any Questions ?
Editor's Notes

  1. http://2015.latinoware.org/ricardo-logan
  2. With the popularity of Apple systems (iPhone / iPad / MacBook) a new and promising class of users (financially better off) emerges, who can become targets for new bankers / malware. Bot / rootkit / Linux targets (servers)... See rootkit lists .... X-Agent (Operation Pawn Storm)
  3. In this first chart we can see, over a period of only 7 days, the comparison of submissions for each type of binary.
  4. Mach-O samples for a period in 2014, for comparison with 2015 on the next slide. OK OK, it looks a bit biased; also mention the fact that the research uses VirusTotal data precisely because the AV companies do not make this public.
  5. In this chart an increase in submissions of Mach-O binaries is already noticeable compared with the chart on the previous slide.
  6. Mach-O detections by vendor. Which raises the question: do they really detect these binaries? Is it really effective?
  7. With all the information presented on the previous slides we conclude that OS X can indeed be a heavily exploited platform, both for malware and for exploitation of vulnerabilities. Mention the company Hacking Team, which had interception tools that ran even on OS X https://github.com/RookLabs/milano
  8. In this chart the result is a bit biased because the Windows platform is split into several versions, whereas for OS X only one version was presented. Even so, it is clear that OS X is a system that is a potential target for vulnerability researchers.
  9. Briefly explain the binaries used on other platforms (Windows / Linux).
  10. Mac OS X runs ELF-type binaries (Linux) and Mach-O binaries. The name Mach-O comes from Mach Object.
  11. Talk about the magic number, which is a short, compact header generally used to characterize the file format (ELF/PE/Mach-O/DOS/etc.).
  12. Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically loaded code, and core dumps. Also known as a FAT binary that can run on several architectures.
  13. The loader.h file contains the structure of the Mach-O binary (header / load_commands / sections).
  14. There are other tools such as: dtrace, fs_usage, optool, class-dump. Most of the command-line tools can be obtained via MacPorts.
  15. Tool used to determine the type of binary.
  16. wxHexEditor is open source!!!
  17. Tool used to extract binaries.
  18. Similar to objdump and ldd - used to dump/disassemble files and libraries.
  19. The “nm” command lists the symbols of the object file.
  20. Create and manipulate code signatures.
  21. Visual tool for viewing and editing Mach-O binaries.
  22. Disassembler (OS X and Linux) used for reverse engineering the binary.
  23. Tool used to examine the design of Mach-O applications, their structures and Objective-C runtime information. It generates declarations for classes, categories and protocols (similar to otool -ov).
  24. In version 10.7 Apple introduced Gatekeeper in OS X as a way to prevent the installation of software from arbitrary sources.
  25. Xcode is an IDE that contains a set of software development tools developed by Apple for developing software for OS X and iOS.
  26. LLDB is the high-performance default debugger in Xcode on Mac OS X and supports debugging C, Objective-C and C++ on desktop and iOS devices and the simulator.
  27. fseventer is a tool that monitors disk activity. The tree view is particularly interesting, since it shows the processes that create or modify files and highlights the related paths.
  28. Tool that traces file opens, displaying information such as UID, PID and file path (can be used with dtrace).
  29. Similar to top and htop.
  30. Make clear to the audience that the Cocoa mentioned here has nothing to do with the COCOA framework.
  31. Detection of the binary by the AV basically (common pattern) happens through hooking of the OS APIs (creation / read / execution).
  32. It appeared in 2010 and between 2014/2015 received some updates. Basically it monitors Mac OS X users, collecting information about websites, network traffic and other malicious actions. The malware is distributed from a non-malicious binary that contains the download and installation package. PremierOpinion is the backdoor itself, with administrative rights and Command and Control functions.
  33. The sample appeared in September 2014; it connects to an IRC channel to execute commands. The binary itself changes the process name to apache2.
  34. The sample appeared in February 2014; it was used in an attack called Careto, for remote (encrypted) code execution on the target machine.