
Bsides SP 2015 - Mach-O - A New Threat

With the great advent of malware in recent years, OS X systems can be attack vectors through Mach-O binaries. This presentation illustrates the dissection of a malicious sample, as well as its analysis and some possibilities for mitigation.



  1. Ricardo Amaral a.k.a. L0gan Co0L, BSidesSP 2015
  2. $Whoami (Mach-O – A New Threat) ### Long live Open Source - Use Linux (Slackware) ### Ricardo L0gan: Security Specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics such as network security, hardening and tuning across multiple platforms, including Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly. In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I am a staff member of some events: H2HC, SlackShow and Bsides SP.
  3. Agenda: 0x00 Motivation of Research; 0x01 OS X, The New Target; 0x02 The Mach-O Format; 0x03 Tools For Analysis (Static / Dynamic); 0x04 Current Threats; 0x05 Conclusions
  4. 0x00 – Motivation of Research: Windows always gets infected!!! Does Linux ever get infected?? “Mac OS never gets infected...”
  5. 0x01 – OS X, The New Target. Chart, source: www.virustotal.com
  6. 0x01 – OS X, The New Target. Chart for a 7-day period in April 2014, source: www.virustotal.com
  7. 0x01 – OS X, The New Target. Chart for a 7-day period in April 2015, source: www.virustotal.com
  8. 0x01 – OS X, The New Target. Chart, source: www.virustotal.com
  9. 0x01 – OS X, The New Target. Screenshot, source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
  10. 0x01 – OS X, The New Target. Screenshot, source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
  11. 0x02 - The Mach-O Format: Binary (Linux: ELF), Binary (Windows: PE), Binary (OS X: Mach-O)
  12. 0x02 - The Mach-O Format: Mach-O has been the native executable format of OS X since version 10.0 (it was inherited from NeXTSTEP). We are currently at version 10.11 (El Capitan; 10.10 was Yosemite).
  13. 0x02 - The Mach-O Format: magic numbers as they appear in a hex dump of the file: CA FE BA BE - Mach-O fat (universal) binary, FAT_MAGIC; FE ED FA CE - Mach-O binary (32-bit, MH_MAGIC, big-endian image such as ppc); FE ED FA CF - Mach-O binary (64-bit, MH_MAGIC_64, big-endian image); CE FA ED FE - Mach-O binary (32-bit, byte-swapped, MH_CIGAM: what a little-endian i386 image looks like on disk); CF FA ED FE - Mach-O binary (64-bit, byte-swapped, MH_CIGAM_64: what a little-endian x86_64 image looks like on disk). Caveat: CA FE BA BE is also the magic of Java .class files, so the word after it (the slice count in a fat binary, the class-file version in Java) is what tells them apart.
  14. 0x02 - The Mach-O Format: Mach-O (Mach Object) layout: HEADER, LOAD COMMANDS, SECTIONS (the data the segments map). Architectures of object code: ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64
  15. 0x02 - The Mach-O Format: HEADER (screenshot)
  16. 0x02 - The Mach-O Format: LOAD COMMANDS (screenshot)
  17. 0x02 - The Mach-O Format: SECTIONS (screenshot)
  18. 0x03 – Tools For Analysis (Static / Dynamic)
     - Static analysis: file, strings, hex editor (graphical), lipo, otool, nm, codesign, MachOView (graphical), Hopper (graphical), class-dump
     - Dynamic analysis: Xcode (graphical), IDA Pro (graphical), lldb, fseventer, opensnoop, Activity Monitor (graphical), procxp, tcpdump, Cocoa Packet Analyzer (graphical), Wireshark (graphical), lsock, Little Snitch
  19. 0x03 – Tools For Analysis (Static): file (terminal output)
  20. 0x03 – Tools For Analysis (Static): strings (terminal output)
  21. 0x03 – Tools For Analysis (Static): hex editors: 0xED, HexEdit, wxHexEditor
  22. 0x03 – Tools For Analysis (Static): lipo on a fat binary (magic 0xcafebabe)
  23. 0x03 – Tools For Analysis (Static): lipo (terminal output)
  24. 0x03 – Tools For Analysis (Static): otool (terminal output)
  25. 0x03 – Tools For Analysis (Static): nm (terminal output)
  26. 0x03 – Tools For Analysis (Static): codesign (terminal output)
  27. 0x03 – Tools For Analysis (Static): MachOView (screenshot)
  28. 0x03 – Tools For Analysis (Static): Hopper (screenshot)
  29. 0x03 – Tools For Analysis (Static): class-dump (terminal output)
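To tie the magic-number table and the header / load-command slides (0x02) to what `file`, `lipo -info`, `otool -l`, `otool -L` and `codesign -d` print in the static-tools slides, here is an added example; it is my code, not code from the talk or from Apple's tools. It parses a fat or thin Mach-O from bytes: classifies the magic (including the byte-swapped CE FA ED FE / CF FA ED FE forms), walks each fat slice, lists segments and linked dylibs, and flags whether an LC_CODE_SIGNATURE load command is present. The constants are Apple's from <mach-o/loader.h> and <mach-o/fat.h>; the two-slice binary it builds for the demo is constructed, not a real file, and the Java .class heuristic is an assumption modelled on what file(1) does.

```python
"""Mach-O/fat header walker (added example, not code from the talk): what file, lipo -info,
otool -l/-L and codesign -d show, done in Python. Constants are Apple's; sample binary is constructed."""
import struct

FAT_MAGIC = 0xCAFEBABE                            # fat header, always big-endian on disk
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF    # thin header, host byte order
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE    # byte-swapped: what a hex dump of an x86 binary shows
CPU_TYPE_POWERPC, CPU_TYPE_X86, CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x12, 0x7, 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_POWERPC: "ppc", CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
FILETYPES = {1: "object", 2: "execute", 6: "dylib", 8: "bundle"}
LC_SEGMENT, LC_SEGMENT_64, LC_LOAD_DYLIB, LC_CODE_SIGNATURE = 0x1, 0x19, 0xC, 0x1D

def identify(blob):
    """Classify a file by its magic: 'fat', 'thin', 'java-class' or 'unknown'."""
    if len(blob) < 8:
        return "unknown"
    magic_be = struct.unpack_from(">I", blob)[0]
    if magic_be == FAT_MAGIC:
        # Java .class files share CA FE BA BE, but their next word is a version (>= 45);
        # no real fat binary has that many slices. Assumed heuristic, similar to file(1)'s.
        return "fat" if struct.unpack_from(">I", blob, 4)[0] < 30 else "java-class"
    return "thin" if magic_be in (MH_MAGIC, MH_MAGIC_64, MH_CIGAM, MH_CIGAM_64) else "unknown"

def parse_thin(blob, base=0):
    """Parse the header and load commands of one thin image that starts at `base`."""
    magic_be = struct.unpack_from(">I", blob, base)[0]
    if magic_be not in (MH_MAGIC, MH_MAGIC_64, MH_CIGAM, MH_CIGAM_64):
        raise ValueError("no Mach-O header at offset %#x" % base)
    endian = ">" if magic_be in (MH_MAGIC, MH_MAGIC_64) else "<"   # CIGAM = byte-swapped = little-endian
    is64 = magic_be in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_fmt = endian + ("IiiIIIII" if is64 else "IiiIIII")        # mach_header_64 has an extra reserved word
    _magic, cputype, _sub, filetype, ncmds, sizeofcmds = struct.unpack_from(hdr_fmt, blob, base)[:6]
    off = base + struct.calcsize(hdr_fmt)
    end = off + sizeofcmds
    if end > len(blob):
        raise ValueError("sizeofcmds runs past the end of the file")
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "bits": 64 if is64 else 32,
            "filetype": FILETYPES.get(filetype, filetype), "segments": [], "dylibs": [], "signed": False}
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds exceeds sizeofcmds")
        cmd, cmdsize = struct.unpack_from(endian + "II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:                # never trust cmdsize: crafted files lie here
            raise ValueError("load command at %#x overruns sizeofcmds" % off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):                # segname[16] follows the 8-byte prefix
            info["segments"].append(blob[off + 8:off + 24].split(b"\0", 1)[0].decode(errors="replace"))
        elif cmd == LC_LOAD_DYLIB:                            # dylib.name is an lc_str: offset within the command
            name_off = struct.unpack_from(endian + "I", blob, off + 8)[0]
            if not 8 <= name_off < cmdsize:
                raise ValueError("bad dylib name offset")
            info["dylibs"].append(blob[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode(errors="replace"))
        elif cmd == LC_CODE_SIGNATURE:                        # a signature blob exists; only codesign -v proves it valid
            info["signed"] = True
        off += cmdsize
    return info

def parse(blob):
    """Return one parsed image per fat slice, or a single image for a thin file."""
    kind = identify(blob)
    if kind == "thin":
        return [parse_thin(blob, 0)]
    if kind != "fat":
        raise ValueError("not a Mach-O file (%s)" % kind)
    nfat = struct.unpack_from(">I", blob, 4)[0]
    if len(blob) < 8 + 20 * nfat:
        raise ValueError("fat header truncated")
    images = []
    for i in range(nfat):                                     # fat_arch entries: big-endian, 20 bytes each
        offset, size = struct.unpack_from(">iiIII", blob, 8 + 20 * i)[2:4]
        if size < 28 or offset + size > len(blob):
            raise ValueError("fat slice %d lies outside the file" % i)
        img = parse_thin(blob, offset)
        img["slice_offset"] = offset
        images.append(img)
    return images

def build_sample_image(endian, is64, cputype, signed):
    """Constructed (not real) image: a __TEXT segment, one dylib, optional LC_CODE_SIGNATURE."""
    cmds = (struct.pack(endian + "II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", 1 << 32, 0x1000, 0, 0x1000, 7, 5, 0, 0)
            if is64 else struct.pack(endian + "II16sIIIIiiII", LC_SEGMENT, 56, b"__TEXT", 0x1000, 0x1000, 0, 0x1000, 7, 5, 0, 0))
    name = b"/usr/lib/libSystem.B.dylib\0"
    size = 24 + len(name) + (-(24 + len(name))) % 8           # cmdsize is padded to a multiple of 8
    cmds += struct.pack(endian + "IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000) + name.ljust(size - 24, b"\0")
    if signed:
        cmds += struct.pack(endian + "IIII", LC_CODE_SIGNATURE, 16, 0x2000, 0x100)
    hdr_fmt, extra = (endian + "IiiIIIII", (0,)) if is64 else (endian + "IiiIIII", ())
    return struct.pack(hdr_fmt, MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 3, 2,
                       3 if signed else 2, len(cmds), 0x200085, *extra) + cmds

def build_sample_fat():
    """Constructed two-slice fat binary: a signed x86_64 slice plus an unsigned i386 slice."""
    x64 = build_sample_image("<", True, CPU_TYPE_X86_64, signed=True)
    i386 = build_sample_image("<", False, CPU_TYPE_X86, signed=False)
    hdr = struct.pack(">IIiiIIIiiIII", FAT_MAGIC, 2, CPU_TYPE_X86_64, 3, 0x1000, len(x64), 12,
                      CPU_TYPE_X86, 3, 0x2000, len(i386), 12)
    return hdr.ljust(0x1000, b"\0") + x64.ljust(0x1000, b"\0") + i386

if __name__ == "__main__":
    for img in parse(build_sample_fat()):
        print("%(filetype)s %(arch)s (%(bits)d-bit) @ %(slice_offset)#x: %(segments)s %(dylibs)s signed=%(signed)s" % img)
```

Run it as a script to see the summary of the constructed sample, or call `parse()` on the bytes of a real binary from the analysis VM. Two caveats a practitioner will want: the presence of LC_CODE_SIGNATURE only means a signature blob exists (an ad-hoc or revoked signature still has one; `codesign -v` is what validates it), and every size and offset field is attacker-controlled, so the parser refuses load commands and fat slices that run past the bounds they are supposed to sit in instead of trusting them.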
  30. 0x03 – Tools For Analysis (Dynamic): VMware Fusion / Parallels / VirtualBox
     - Keep the virtualization software updated
     - Use the system tools installed in the VM
     - Network in host-only mode (the sample cannot reach a real C2, so capture what it tries with tcpdump / Wireshark)
     - If you use a shared folder from the host, leave it read-only
     - Disable Gatekeeper (Allow apps downloaded from: Anywhere), since the sample is unlikely to be signed by an identified developer
     - Snapshot the clean VM before running the sample and revert to it afterwards
  31. 0x03 – Tools For Analysis (Dynamic): Xcode (screenshot)
  32. 0x03 – Tools For Analysis (Dynamic): IDA Pro (also a static tool) (screenshot)
  33. 0x03 – Tools For Analysis (Dynamic): lldb (terminal output)
  34. 0x03 – Tools For Analysis (Dynamic): fseventer (screenshot)
  35. 0x03 – Tools For Analysis (Dynamic): opensnoop (terminal output)
  36. 0x03 – Tools For Analysis (Dynamic): Activity Monitor (screenshot)
  37. 0x03 – Tools For Analysis (Dynamic): procxp (screenshot)
  38. 0x03 – Tools For Analysis (Dynamic): tcpdump (terminal output)
  39. 0x03 – Tools For Analysis (Dynamic): Cocoa Packet Analyzer (screenshot)
  40. 0x03 – Tools For Analysis (Dynamic): Wireshark (screenshot)
  41. 0x03 – Tools For Analysis (Dynamic): lsock (terminal output)
  42. 0x03 – Tools For Analysis (Dynamic): Little Snitch (screenshot)
  43. 0x04 – Current Threats
  44. 0x04 – Current Threats. Chart, source: www.virustotal.com
  45. 0x04 – Current Threats: Mac.BackDoor.OpinionSpy.3. Detection names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend). Dropper: .OSA --> ZIP containing PremierOpinion and upgrade.xml. Sources: http://vms.drweb.com/virus/?i=4354056&lng=en and http://news.drweb.com/show/?i=9309&lng=en&c=5
  46. 0x04 – Current Threats: OSX_KAITEN.A. Detection names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure), OSX/Tsunami.A (ESET). Binary dropped as the hidden file /tmp/.z. Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_kaiten.a
  47. 0x04 – Current Threats: OSX_CARETO.A. Detection names: MacOS:Appetite-A [Trj] (Avast), OSX/BackDoor.A (AVG), MAC.OSX.Backdoor.Careto.A (Bitdefender), OSX/Appetite.A (ESET), MAC.OSX.Backdoor.Careto.A (F-Secure), Trojan.OSX.Melgato.a (Kaspersky), OSX/Backdoor-BRE (McAfee), Backdoor:MacOS_X/Appetite.A (Microsoft), OSX/Appetite-A (Sophos). Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_careto.a
  48. 0x05 – Conclusions: Hacking is a way of life. References: Sarah Edwards, Reverse Engineering Mac Malware, DEF CON 22, https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf; Apple, OS X ABI Mach-O File Format Reference, https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html; Agner Fog, Calling conventions, http://www.agner.org/optimize/calling_conventions.pdf
  49. Contact: ricardologanbr@gmail.com, @l0ganbr, http://www.slideshare.net/l0ganbr. Thanks a lot. Any questions?
