Latinoware 2015 Mach-O

With the growth of malware in recent years, OS X systems can be attack vectors via Mach-O binaries.
This presentation will illustrate the dissection of a malicious sample, along with its identification, analysis and some possibilities for mitigation.

  1. MACH-O: A New Threat. Speaker: Ricardo L0gan. 12ª Conferência Latino-americana de Software Livre.
  2. Mach-O – A New Threat.
  3. $whoami: Ricardo L0gan. Security Specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly. In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I am a member of the staff of some events: H2HC, SlackShow and BSides SP. ### Long live Open Source - Use Linux (Slackware) ###
  4. Agenda: 0x00 Motivation of Research; 0x01 OS X, The New Target; 0x02 The Mach-O Format; 0x03 Tools For Analysis (Static / Dynamic); 0x04 Current Threats; 0x05 Conclusions.
  5. 0x00 - Motivation of Research. "Windows always gets infected!!!" "Does Linux ever get infected??" "Mac OS ever gets infected..."
  6. 0x01 – OS X, The New Target. Source: www.virustotal.com
  7. 0x01 – OS X, The New Target. 7-day period in April 2014. Source: www.virustotal.com
  8. 0x01 – OS X, The New Target. 7-day period in April 2015. Source: www.virustotal.com
  9. 0x01 – OS X, The New Target. Source: www.virustotal.com
  10. 0x01 – OS X, The New Target. Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
  11. 0x01 – OS X, The New Target. Source: http://thehackernews.com/2015/02/vulnerable-operating-system.html
  12. 0x02 - The Mach-O Format. Binary (Linux), Binary (Windows), Binary (OS X).
  13. 0x02 - The Mach-O Format. The Mach-O format was adopted as the standard in OS X from version 10.6 on. We are currently at version 10.11 (Yosemite El Capitan).
  14. 0x02 - The Mach-O Format.
  15. 0x02 - The Mach-O Format.
  16. 0x02 - The Mach-O Format: HEADER.
  17. 0x02 - The Mach-O Format: LOAD COMMANDS.
  18. 0x02 - The Mach-O Format: SECTIONS.
  19. 0x03 – Tools For Analysis (Static / Dynamic).
  20. 0x03 – Tools For Analysis (Static): FILE (identifying a mach-o file).
  21. 0x03 – Tools For Analysis (Static): STRINGS.
  22. 0x03 – Tools For Analysis (Static): HEX EDITOR (HexEdit, wxHexEditor, 0xED).
  23. 0x03 – Tools For Analysis (Static): LIPO (fat binary magic 0xcafebabe).
  24. 0x03 – Tools For Analysis (Static): LIPO.
  25. 0x03 – Tools For Analysis (Static): OTOOL.
  26. 0x03 – Tools For Analysis (Static): NM.
  27. 0x03 – Tools For Analysis (Static): CODESIGN.
  28. 0x03 – Tools For Analysis (Static): MachOView.
  29. 0x03 – Tools For Analysis (Static): HOPPER.
  30. 0x03 – Tools For Analysis (Static): CLASS-DUMP.
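The format slides (header, load commands, sections) and the `file`/`lipo`/`otool` slides describe what a static triage does by hand; as an added example, not code from the talk, the parser below does the same from Python: classifies a file by its magic (the 0xcafebabe fat header versus thin 32/64-bit images), then walks the 64-bit header, its load commands and the sections of each LC_SEGMENT_64, refusing a load command whose size runs past the file. Constants come from Apple's mach-o/loader.h; the sample image is constructed inline and is not a real binary.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_SEGMENT_64, CPU_TYPE_X86_64, MH_EXECUTE = 0x19, 0x01000007, 2

def identify(data):
    """Classify a file by magic, as `file`/`lipo` do: a fat (universal) binary
    carries 0xcafebabe big-endian; thin Mach-O images store the magic little-endian."""
    if len(data) < 4:
        return "too-short"
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        return "fat"
    magic = struct.unpack("<I", data[:4])[0]
    return {MH_MAGIC_64: "macho64", MH_MAGIC: "macho32"}.get(magic, "unknown")

def parse_macho64(data):
    """Walk header -> load commands -> sections of a little-endian 64-bit Mach-O."""
    magic, cputype, _, ftype, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    info = {"cputype": cputype, "filetype": ftype, "ncmds": ncmds, "segments": []}
    off = 32                                  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("load command overruns file")   # guard against a crafted cmdsize
        if cmd == LC_SEGMENT_64:              # segname at +8, initprot at +60, nsects at +64
            segname = data[off + 8:off + 24].rstrip(b"\0").decode()
            initprot, nsects = struct.unpack_from("<2I", data, off + 60)
            sects = [data[off + 72 + 80 * i:off + 88 + 80 * i].rstrip(b"\0").decode()
                     for i in range(nsects)]  # section_64 is 80 bytes, sectname comes first
            info["segments"].append({"name": segname, "initprot": initprot, "sections": sects})
        off += cmdsize
    return info

def build_sample():
    """Constructed minimal x86_64 MH_EXECUTE image (not a real binary): __TEXT with
    __text and __cstring, plus an empty __LINKEDIT segment."""
    def section(name, seg):
        return name.ljust(16, b"\0") + seg.ljust(16, b"\0") + bytes(48)
    def segment(name, sections, prot):
        body = name.ljust(16, b"\0") + bytes(32) + struct.pack("<4I", 7, prot, len(sections), 0)
        body += b"".join(sections)
        return struct.pack("<2I", LC_SEGMENT_64, 8 + len(body)) + body
    cmds = segment(b"__TEXT", [section(b"__text", b"__TEXT"), section(b"__cstring", b"__TEXT")], 5)
    cmds += segment(b"__LINKEDIT", [], 1)
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE, 2, len(cmds), 0, 0) + cmds
```

Pointing `identify` and `parse_macho64` at the bytes of a real file gives the same fields that `file` and `otool -l` print; the overrun check is the part a hand inspection with a hex editor tends to miss.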
  31. 0x03 – Tools For Analysis (Dynamic).
  32. 0x03 – Tools For Analysis (Dynamic): XCODE.
  33. 0x03 – Tools For Analysis (Dynamic): IDA PRO (also a static tool).
  34. 0x03 – Tools For Analysis (Dynamic): LLDB.
  35. 0x03 – Tools For Analysis (Dynamic): FSEVENTER.
  36. 0x03 – Tools For Analysis (Dynamic): OPEN SNOOP.
  37. 0x03 – Tools For Analysis (Dynamic): ACTIVITY MONITOR.
  38. 0x03 – Tools For Analysis (Dynamic): PROCXP.
  39. 0x03 – Tools For Analysis (Dynamic): TCPDUMP.
  40. 0x03 – Tools For Analysis (Dynamic): COCOA.
  41. 0x03 – Tools For Analysis (Dynamic): WIRESHARK.
  42. 0x03 – Tools For Analysis (Dynamic): LSOCK.
  43. 0x03 – Tools For Analysis (Dynamic): Little Snitch.
  44. 0x04 – Current Threats.
  45. 0x04 – Current Threats.
  46. 0x04 – Current Threats: Mac.BackDoor.OpinionSpy.3. Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend). .OSA --> ZIP: PremierOpinion, upgrade.xml. Sources: http://vms.drweb.com/virus/?i=4354056&lng=en and http://news.drweb.com/show/?i=9309&lng=en&c=5
  47. 0x04 – Current Threats: OSX_KAITEN.A. Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure), OSX/Tsunami.A (ESET). Binary: /tmp/.z. Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_kaiten.a
  48. 0x04 – Current Threats: OSX_CARETO.A. Names: MacOS:Appetite-A [Trj] (Avast), OSX/BackDoor.A (AVG), MAC.OSX.Backdoor.Careto.A (Bitdefender), OSX/Appetite.A (Eset), MAC.OSX.Backdoor.Careto.A (FSecure), Trojan.OSX.Melgato.a (Kaspersky), OSX/Backdoor-BRE (McAfee), Backdoor:MacOS_X/Appetite.A (Microsoft), OSX/Appetite-A (Sophos). Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_careto.a
  49. 0x05 – Conclusions. References: Sarah Edwards, "Reverse Engineering Mac Malware", DEF CON 22, https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf; https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html; http://www.agner.org/optimize/calling_conventions.pdf. Hacking is a way of life.
  50. Thanks a Lot. Any Questions? Contact: ricardologanbr@gmail.com, @l0ganbr, http://www.slideshare.net/l0ganbr