Roadsec 2016 Mach-o A New Threat

With the advent of large-scale malware in recent years, OS X systems can be attack vectors using Mach-O binaries. This presentation will illustrate the dissection of a malicious sample, as well as identification, analysis and some possibilities for mitigation.

  1. The biggest hacking, security and technology event in Brazil and on the continent
  2. $Whoami: Ricardo L0gan. Security Specialist with over 15 years of experience, enthusiastic about malware research, pen-testing and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly. In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I'm a member of the staff of some events: H2HC, SlackShow and BSides SP. ### Long live Open Source - Use Linux (Slackware) ### Member # RTFM 💀 C○||cL/V€ #
  3. Agenda (Mach-O – A New Threat, 29/04/2016): 0x00 Motivation of Research; 0x01 OS X, The New Target; 0x02 The Mach-O Format; 0x03 Tools for Analysis (Static / Dynamic); 0x04 Current Threats; 0x05 Conclusions / Q & (maybe 0/) A
  4. 0x00 - Motivation of Research: Windows always gets infected!!! Does Linux ever get infected?? “Mac OS never gets infected...”
  5. 0x01 - OS X, The New Target: charts sourced from www.virustotal.com (five slides, 5 to 9)
  10. 0x02 - The Mach-O Format: Binary (Linux), Binary (Windows), Binary (OS X)
  11. 0x02 - The Mach-O Format: The Mach-O format was adopted as the standard in OS X from version 10.6 on. We are currently at version 10.11 (Yosemite, El Capitan).
  12. 0x02 - The Mach-O Format (overview diagrams, slides 12 and 13)
  14. 0x02 - The Mach-O Format: HEADER
  15. 0x02 - The Mach-O Format: LOAD_COMMANDS
  16. 0x02 - The Mach-O Format: SECTIONS
  17. 0x03 – Tools (Static / Dynamic)
  18. 0x03 – Tools (Static): FILE (identifies the file as mach-o)
  19. 0x03 – Tools (Static): STRINGS
  20. 0x03 – Tools (Static): BINWALK / UPX
  21. 0x03 – Tools (Static): Hex Editor (HexEdit, wxHexEditor, 0xED)
  22. 0x03 – Tools (Static): LIPO (fat binary magic 0xcafebabe)
  23. 0x03 – Tools (Static): LIPO
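As an added example (not from the talk or its author), a small Python parser covering what the HEADER / LOAD_COMMANDS slides and the lipo slide touch on: it splits a fat (0xcafebabe) file into its thin slices the way `lipo -thin` does, then reads the mach_header(_64) and walks the load commands, refusing malformed sizes instead of reading past the buffer. The binary it builds is constructed for the demo, not a real program.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xfeedface, 0xfeedfacf   # thin image magic (<mach-o/loader.h>), little-endian
FAT_MAGIC_BE = b"\xca\xfe\xba\xbe"               # fat (universal) header magic, always big-endian
LC_SEGMENT, LC_SEGMENT_64, LC_LOAD_DYLIB = 0x1, 0x19, 0xc

def split_fat(data):
    """Return {cputype: thin image} for a fat file (what lipo -thin does), else {None: data}."""
    if data[:4] != FAT_MAGIC_BE:
        return {None: data}
    slices = {}
    for i in range(struct.unpack_from(">I", data, 4)[0]):          # nfat_arch
        cputype, _sub, off, size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
        if off + size > len(data):                 # slice points past the file: refuse, do not over-read
            raise ValueError("fat_arch %d points past end of file" % i)
        slices[cputype] = data[off:off + size]
    return slices

def parse_macho(data):
    """Parse the mach_header(_64) and walk its load commands (segments and linked dylibs)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image (magic 0x%08x)" % magic)
    is64 = magic == MH_MAGIC_64
    cputype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<i4xIIII", data, 4)
    header = dict(is64=is64, cputype=cputype, filetype=filetype, ncmds=ncmds, sizeofcmds=sizeofcmds, flags=flags)
    off, cmds = (32 if is64 else 28), []           # load commands start right after the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):   # malformed cmdsize: stop before reading out of bounds
            raise ValueError("load command at 0x%x has bad cmdsize %d" % (off, cmdsize))
        entry = {"cmd": cmd}
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            entry["segname"] = data[off + 8:off + 24].rstrip(b"\0").decode()
            entry["initprot"] = struct.unpack_from("<I", data, off + (60 if is64 else 44))[0]
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            entry["dylib"] = data[off + name_off:off + cmdsize].split(b"\0")[0].decode()
        cmds.append(entry)
        off += cmdsize
    return header, cmds

def build_sample():
    """Constructed one-slice fat file holding a minimal x86_64 MH_EXECUTE image (not a real binary)."""
    seg = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 56, 24, 2, 0x4ff0000, 0x10000)
    dylib += b"/usr/lib/libSystem.B.dylib\0".ljust(32, b"\0")
    thin = struct.pack("<IiIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, 128, 0x200085, 0) + seg + dylib
    arch = struct.pack(">iIIII", 0x01000007, 3, 32, len(thin), 12)   # big-endian fat_arch, slice at byte 32
    return (FAT_MAGIC_BE + struct.pack(">I", 1) + arch).ljust(32, b"\0") + thin
```

On a real sample the same two calls replace `file`, `lipo -info` and `otool -l` for a first look at the header and the libraries a binary links.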
  24. 0x03 – Tools (Static): OTOOL
  25. 0x03 – Tools (Static): NM
  26. 0x03 – Tools (Static): CODESIGN
  27. 0x03 – Tools (Static): MachOView
  28. 0x03 – Tools (Static): HOPPER
  29. 0x03 – Tools (Static): CLASS-DUMP
  30. 0x03 – Tools (Dynamic)
  31. 0x03 – Tools (Dynamic): XCODE
  32. 0x03 – Tools (Dynamic): IDA PRO (also a static tool)
  33. 0x03 – Tools (Dynamic): LLDB
  34. 0x03 – Tools (Dynamic): FSEVENTER
  35. 0x03 – Tools (Dynamic): OPENSNOOP
  36. 0x03 – Tools (Dynamic): ACTIVITY MONITOR
  37. 0x03 – Tools (Dynamic): PROCXP
  38. 0x03 – Tools (Dynamic): TCPDUMP
  39. 0x03 – Tools (Dynamic): WIRESHARK
  40. 0x03 – Tools (Dynamic): LSOCK
  41. 0x03 – Tools (Dynamic): Little Snitch
  42. 0x04 – Current Threats:
     - .OSA --> ZIP: PremierOpinion, upgrade.xml. Mac.BackDoor.OpinionSpy.3. Names: MacOS_X/OpinionSpy.A (Microsoft), Mac.BackDoor.OpinionSpy.3 (F-Secure), Mac.BackDoor.OpinionSpy.3 (Trend)
     - OSX_KAITEN.A. Names: MacOS_X/Tsunami.A (Microsoft), OSX/Tsunami (McAfee), OSX/Tsunami-Gen (Sophos), OSX/Tsunami.A (F-Secure)
     - OSX_CARETO.A. Names: MacOS:Appetite-A [Trj] (Avast), OSX/BackDoor.A (AVG), Trojan.OSX.Melgato.a (Kaspersky), OSX/Backdoor-BRE (McAfee), Backdoor:MacOS_X/Appetite.A (Microsoft), OSX/Appetite-A (Sophos). Binary: /tmp/.z; itunes212.{BLOCKED}pdt.com
  43. 0x04 – Current Threats (MacOS:KeRanger-C): In March 2016 the first ransomware written as a Mach-O file for OS X appeared (KeRanger), distributed through the BitTorrent client Transmission (v2.90). This threat was fixed in version 2.91 of the client. The latest version of OS X Gatekeeper already blocks this ransomware, since the first sample was published 0/!!!
  44. 0x04 – Current Threats (MacOS:KeRanger-C)
  45. 0x05 - Conclusions: Hacking is a way of life
  46. References: Sarah Edwards, Reverse Engineering Mac Malware - DEF CON 22, https://www.defcon.org/images/defcon-22/dc-22-presentations/Edwards/DEFCON-22-Sarah-Edwards-Reverse-Engineering-Mac-Malware.pdf; https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html; http://www.agner.org/optimize/calling_conventions.pdf. Thanks to my wife and brothers (C00ler, Clandestine, Slayer, Unknow_Antisec, DMR, BSDaemon, Robertux, RTFM Team and OSX_Rev)
  47. #dontstophacking Thanks a Lot. Any Questions? Contact: ricardologanbr@gmail.com @l0ganbr
