![OSX_CARETO.A
Names:
MacOS:Appetite-A [Trj] (Avast)
OSX/BackDoor.A (AVG)
MAC.OSX.Backdoor.Careto.A (Bitdefender)
OSX/Appeti...](https://image.slidesharecdn.com/bsidessp2015-mach-o-151013122030-lva1-app6891/95/bsides-sp-2015-macho-a-new-threat-47-638.jpg?cb=1445191202)
Próximos SlideShares
Bsides SP 2015 - Mach-O - A New Threat
- 1. Ricardo Amaral a.k.a L0gan Co0L BSidesSP 2015
- 2. $Whoami Mach-O – A New Threat ### Long live Open Source - Use Linux (Slackware) ### Ricardo L0gan Security Specialist with over 15 years of experience, enthusiastic in malware research, pen-test and reverse engineering. I’ve a solid knowledge on topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages as Python, C and Assembly. In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I’m member of the Staff of some events: H2HC, SlackShow and Bsides SP.
- 3. Agenda 0x00 Motivation of Research 0x01 OS X, The New Target 0x02 The Mach-O Format 0x03 Tools For Analysis (Static / Dynamic) 0x04 Current Threats 0x05 Conclusions Mach-O – A New Threat
- 4. 0x00 - Motivation of Research Mach-O – A New Threat Windows always gets infected!!! Does Linux ever gets infected?? “Mac OS ever gets infected...”
- 5. Source: www.virustotal.com Mach-O – A New Threat 0x01 – OS X, The New Target
- 6. Source: www.virustotal.com 7-day period in April 2014 Mach-O – A New Threat 0x01 – OS X, The New Target
- 7. Source: www.virustotal.com 7-day period in April 2015 Mach-O – A New Threat 0x01 – OS X, The New Target
- 8. Source: www.virustotal.com Mach-O – A New Threat 0x01 – OS X, The New Target
- 9. Source: http://thehackernews.com/2015/02/vulnerable- operating-system.html Mach-O – A New Threat 0x01 – OS X, The New Target
- 10. Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html 0x01 – OS X, The New Target Mach-O – A New Threat
- 11. Binary (Linux) Binary (Windows) Binary (OS X) Mach-O – A New Threat 0x02 - The Mach-O Format
- 12. The mach-o format was adopted as the standard in OS X from version 10.6 on We are currently in version 10.11 (Yosemite El Capitan). Mach-O – A New Threat 0x02 - The Mach-O Format
- 13. CA FE BA BE - Mach-O Fat Binary FE ED FA CE - Mach-O binary (32-bit) FE ED FA CF - Mach-O binary (64-bit) CE FA ED FE - Mach-O binary (reverse byte 32-bit) CF FA ED FE - Mach-O binary (reverse byte 64-bit) Mach-O – A New Threat 0x02 - The Mach-O Format
- 14. Mach-O (Mach Object) HEADER LOAD COMMANDS SECTIONS Architecture of object code ppc ppc64 i386 x86_64 armv6 armv7 armv7s arm64 Mach-O – A New Threat 0x02 - The Mach-O Format
- 15. Mach-O – A New Threat 0x02 - The Mach-O Format HEADER
- 16. LOAD COMMANDS Mach-O – A New Threat 0x02 - The Mach-O Format
- 17. SECTIONS 0x02 - The Mach-O Format Mach-O – A New Threat
- 18. 0x03 – Tools For Analysis (Static / Dynamic) Dynamic Analysis - xcode (graphical) - IDA Pro (graphical) - lldb - fseventer - open snoop - activity Monitor (graphical) - procoxp - tcpdump - cocoaPacketAnalyzer (graphical) - wireshark (graphical) - lsock - little Snitch Static Analysis - file - strings - hex editor (graphical) - lipo - otool - nm - codesign - machOView (graphical) - hopper (graphical) - class-dump Mach-O – A New Threat
- 19. 0x03 – Tools For Analysis (Static) mach-o FILE Mach-O – A New Threat
- 20. STRINGS 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 21. HEX EDITOR 0xED HexEdit wxHexEditor 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 22. 0xcafebabe LIPO 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 23. LIPO 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 24. OTOOL 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 25. NM 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 26. CODESIGN 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 27. MachOView 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 28. HOPPER 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 29. CLASS-DUMP 0x03 – Tools For Analysis (Static) Mach-O – A New Threat
- 30. - Keep Virtualization Software Updated - Use System Tools Installed in VM - Network Host-Only mode - If you use Shared Folder(Host) leave it as “read-only” - Disable Gatekeeper (Allow apps downloaded from: Anywhere) VMWARE FUSION / PARALLELS / VIRTUALBOX 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 31. XCODE 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 32. IDA PRO 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat also is a static tool
- 33. LLDB 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 34. FSEVENTER 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 35. OPEN SNOOP 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 36. ACTIVITY MONITOR 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 37. PROCXP 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 38. TCPDUMP 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 39. COCOA 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 40. WIRESHARK 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 41. LSOCK 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 42. Little Snitch 0x03 – Tools For Analysis (Dynamic) Mach-O – A New Threat
- 43. 0x04 – Current Threats Mach-O – A New Threat
- 44. Source: www.virustotal.com 0x04 – Current Threats Mach-O – A New Threat
- 45. Mac.BackDoor.OpinionSpy.3 Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend) .OSA --> ZIP: PremierOpinion upgrade.xml Source: http://vms.drweb.com/virus/?i=4354056&lng=en http://news.drweb.com/show/?i=9309&lng=en&c=5 0x04 – Current Threats Mach-O – A New Threat
- 46. OSX_KAITEN.A Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure), OSX/Tsunami.A (ESET) Binary: /tmp/.z Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_kaiten.a 0x04 – Current Threats Mach-O – A New Threat
- 47. OSX_CARETO.A Names: MacOS:Appetite-A [Trj] (Avast) OSX/BackDoor.A (AVG) MAC.OSX.Backdoor.Careto.A (Bitdefender) OSX/Appetite.A (Eset) MAC.OSX.Backdoor.Careto.A (FSecure) Trojan.OSX.Melgato.a (Kaspersky) OSX/Backdoor-BRE (McAfee) Backdoor:MacOS_X/Appetite.A (Microsoft) OSX/Appetite-A (Sophos) Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_careto.a 0x04 – Current Threats Mach-O – A New Threat
- 48. Hacking is a way of life 0x05 – Conclusions Reference: Sarah Edwards REVERSE Engineering Mac Malware - Defcon 22 https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22- Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachO Runtime/index.html http://www.agner.org/optimize/calling_conventions.pdf Mach-O – A New Threat
- 49. ricardologanbr@gmail.com @l0ganbr Contact Thanks a Lot Any Questions ? http://www.slideshare.net/l0ganbr
Seja o primeiro a comentar
Entre para ver os comentários
-
CleilsonPereira
May. 4, 2016
Com o grande advento de malwares nos últimos anos, sistemas com OS X podem ser veto-res de ataques usando binários Mach-O. Esta apresentação ilustra a dissecação de algo malicioso, bem como analise e algumas possibilidades para mitigação.
Vistos
Vistos totais
373
No Slideshare
0
De incorporações
0
Número de incorporações
4
Ações
Baixados
7
Compartilhados
0
Comentários
0
Curtir
1
Seja o primeiro a comentar