A Worm in the Apple: Exploration of Mac malware
Wes Widner (@kai5263499, [email protected])
Uploaded by wes-widner, 15-Apr-2017


Page 1: A worm in the apple

A Worm in the Apple: Exploration of Mac malware

Wes Widner, @kai5263499, [email protected]

Page 2

Introduction

Information security engineer by day, malware researcher by night

Also father of 4, so nights tend to be pretty short

Previous talks have been about malware pipelines in general

Page 3

Macs are secure, right?

Page 4

Before 2012

Page 5

After 2012

Page 6

Flashback

Actually it started in September 2011

Got its name by offering a Flash upgrade

Poor English and other errors gave it away

In February 2012 it changed tactics

Took advantage of an unpatched Java vulnerability

Apple still argues it was Sun’s fault

Infected ~600k machines (~1%) according to Dr.Web

Generated revenue (~$14k) through click fraud

Contained advanced features that weren’t used

Self-encrypting

Pages 7-9 (no transcribed text)

Flashback part 2

~20k infections as recently as 2014

Tracked by Intego sinkhole

No big deal

In reality Apple spent the rest of the year cleaning up the mess

Apple suddenly found themselves playing catch up

Page 10

But that was a fluke, right?

Page 11

Apple and many experts still don’t recommend using protection

Infections are rare

Apple is taking care of it

Page 12

Perhaps some history will help

Page 13

Mac malware history

1982 Prehistory: Elk Cloner

1987 nVIR

1988 HyperCard

1990 MDEF

1991 German folk tunes

1995 Word macro viruses

1996 Laroux – viruses for Excel

1996 AutoStart 9805 and Sevendust

2004 MW2004 / Renepo, aka Opener / Renepo and Amphimix

2005 Cowhand

Page 14

2006 Exploit.OSX.Safari, aka OSX.Exploit.Metadata / Leap, aka Oompa Loompa, the first virus for Mac OS X / Inqtana / OSX.Exploit.Launchd / Macarena

2007 RSPlug, aka DNSChanger, aka Jahlav, aka Puper / OpenOffice BadBunny and RSPlug financial malware

2008 MacSweeper, aka Immunizator / AsTHT, aka Hovdy, aka AplS.Saprilt / PokerStealer, aka Corpref / Lamzev, aka Malev / Scareware, backdoors and Jahlav

2009 iServices, aka iWorkServices, aka Krowi / Tored

2010 HellRTS, aka Pinhead, aka Hellraiser / OpinionSpy, aka Premier Opinion, aka Spynion / Koobface, aka Boonana

Page 15

2011 BlackHole RAT, aka MusMinim, aka DarkHole / MacDefender, aka MacSecurity, aka MacProtector, aka MacGuard, aka MacShield, aka Defma / QHost, also HostMod-A / Revir, aka Imuler, aka Muxler / Flashback, aka Flashfake / DevilRobber, aka Miner-D / FinFisher

2012 FileSteal, Hackback, KitM / Tibet, aka MacControl, aka MaControl, aka MacKontrol / Sabpab, aka Sabpub, aka Mdropper, aka Lamadai, aka Olyx / FkCodec/Codec-M / Maljava / GetShell, aka SET.gen, aka ShellCode, aka MetaData, aka TESrel / Crisis, aka Morcut, aka DaVinci / NetWeird, aka Wirenet / Jacksbot / Dockster / SMSSend

2013 Pintsized / CallMe / Minesteal / KitM / Janicab / ClickAgent / Leverage / Icefog

2014 LaoShu / CoinThief / XSLCmd / iWorm / Ventir / WireLurker, aka Machook / DMA “evil maid” attacks

Page 16

2015 Lamadai / KitM / Hackback / LaoShu / Appetite, trojan targeting government organizations / Imuler / CoinThief / Suspend-resume rootkit

2016 KeRanger, first ransomware / Mokes / Keydnap / USB attack

Pages 17-22 (no transcribed text)

Page 23

Apple still actively fights with vendors

iOS is a heavily walled garden

OSX is becoming a walled garden

Pages 24-32 (no transcribed text)

Page 33

The Apple fights back

Pages 34-36 (no transcribed text)

Page 37

iDroid

Pages 38-39 (no transcribed text)

Page 40

2009 XProtect / File Quarantine

2011 Sandboxing

2012 Gatekeeper

2015 System Integrity Protection

2016 XProtect + Yara

Page 41 (no transcribed text)

Page 42

Firewall

OSX comes with not one but two firewalls

Application level firewall (alf)

Packet Filter (pf)

Page 43

Little Snitch

Page 44

IceFloor - open source GUI pf manager

Page 45

Software installation

Archives everywhere

Application bundles

DMG

What magic bytes?

FileVault encryption

PKGs

the self-executables of the OSX world

Natively compressed in xar format

Can specify sandbox rules

App Store

Signed and sandboxed

Page 46

Code signing

XNU

Hybrid

BSD

POSIX interface

Mandatory Access Control Framework

Mach

Microkernel developed at Carnegie Mellon for parallel computing

Released in 1985

Provides the basis for some interesting OSX rootkits

Huxley the Platypus

Page 47

Mach-O

Similar to ELF

Biggest difference is native code-signing support

Fat (universal) Mach-O binaries share their magic bytes (0xCAFEBABE) with Java class files

IPC ports

Not network ports

Unix ports but in kernel land

Resource forks
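The shared 0xCAFEBABE magic is worth seeing in code. This added Python triage helper (not from the talk) separates fat Mach-O, thin Mach-O and Java class headers by looking at the word that follows the magic, and lists the CPU slices of a fat file; the sample headers are constructed inline, not taken from real files.

```python
import struct

# Magic numbers from Apple's <mach-o/fat.h> and <mach-o/loader.h>; the Java
# value comes from the JVM class-file specification (JDK 1.1 == major 45).
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # fat/universal, always big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF     # thin Mach-O, host byte order
JAVA_MIN_MAJOR = 45
CPU_NAMES = {0x7: "i386", 0x01000007: "x86_64", 0xC: "arm", 0x0100000C: "arm64",
             0x12: "ppc", 0x01000012: "ppc64"}


def identify(data: bytes) -> dict:
    """Classify a file header as fat Mach-O, thin Mach-O, Java class or unknown."""
    if len(data) < 8:
        return {"kind": "unknown"}
    be, le = struct.unpack(">I", data[:4])[0], struct.unpack("<I", data[:4])[0]
    if be in (FAT_MAGIC, FAT_MAGIC_64):
        # Bytes 4..7 hold nfat_arch in a fat header but minor+major version in
        # a class file. Class files always have major >= 45 while real fat
        # files carry a handful of slices, so one big-endian word separates
        # them (file(1) relies on the same trick).
        word = struct.unpack(">I", data[4:8])[0]
        if word >= JAVA_MIN_MAJOR:
            return {"kind": "java-class", "major": word & 0xFFFF}
        entry = 32 if be == FAT_MAGIC_64 else 20       # sizeof(struct fat_arch[_64])
        if len(data) < 8 + word * entry:
            return {"kind": "fat-macho", "arches": [], "truncated": True}
        arches = []
        for i in range(word):
            off = 8 + i * entry                        # cputype is the first field
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            arches.append(CPU_NAMES.get(cputype, hex(cputype)))
        return {"kind": "fat-macho", "arches": arches}
    for magic, order in ((le, "<I"), (be, ">I")):      # thin files: try both orders
        if magic in (MH_MAGIC, MH_MAGIC_64):
            cputype = struct.unpack(order, data[4:8])[0]
            return {"kind": "thin-macho",
                    "bits": 64 if magic == MH_MAGIC_64 else 32,
                    "arch": CPU_NAMES.get(cputype, hex(cputype))}
    return {"kind": "unknown"}


# Constructed sample headers (not real files): a two-slice fat binary, a Java 8
# class file (major 52) and a thin 64-bit x86_64 Mach-O.
FAT_SAMPLE = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", 0x01000007, 3, 4096, 1000, 12)
              + struct.pack(">IIIII", 0x0100000C, 0, 8192, 1000, 14))
JAVA_SAMPLE = struct.pack(">IHH", FAT_MAGIC, 0, 52) + b"\x00" * 8
THIN_SAMPLE = struct.pack("<IIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0)
```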

Pages 48-49 (no transcribed text)

Page 50

Little Flocker

Page 51

Boot - in the beginning

UEFI

FAT boot partition

Firmware passwords

Psystar and Rebel EFI

Copyrighted bootloader

Physical attacks

Firewire DMA

Evil USB

kext - Kernel extensions

dyld

Preloaded libraries in

Mac interposes its own malloc function

launchd

.plist
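launchd jobs are where most of the boot-time persistence above ends up, so a defender's first triage step is reading the .plist. This added Python helper (not part of the talk) builds two constructed LaunchAgent plists and flags the keys that usually matter: RunAtLoad, KeepAlive, StartInterval and a program path outside an assumed set of trusted prefixes.

```python
import plistlib

# Assumed "normally fine" install locations; tune to the environment.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


def make_job(label, args, **keys):
    """Serialise a launchd job dict to the XML plist format launchctl reads."""
    job = {"Label": label, "ProgramArguments": list(args)}
    job.update(keys)
    return plistlib.dumps(job)


def triage(plist_bytes: bytes) -> dict:
    """Return the job's label, program and a list of persistence-relevant findings."""
    job = plistlib.loads(plist_bytes)
    # Program takes precedence; otherwise argv[0] of ProgramArguments is executed.
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    findings = []
    if job.get("RunAtLoad"):
        findings.append("starts at login/boot (RunAtLoad)")
    if job.get("KeepAlive"):                    # bool or a dict of conditions
        findings.append("relaunched when killed (KeepAlive)")
    if job.get("StartInterval"):
        findings.append("re-runs every %ds (StartInterval)" % job["StartInterval"])
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append("binary outside trusted prefixes: " + program)
    if "/." in program:                         # hidden directory in the path
        findings.append("hidden path component")
    return {"label": job.get("Label"), "program": program, "findings": findings}


# Constructed samples: a plausible persistence job and a benign periodic one.
SUSPICIOUS = make_job("com.example.updater",
                      ["/Users/alice/Library/.cache/updater", "-q"],
                      RunAtLoad=True, KeepAlive=True)
BENIGN = make_job("com.example.tidy", ["/usr/bin/true"], StartInterval=3600)
```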

Pages 52-55 (no transcribed text)

Page 56

Books worth getting

Page 57

Thanks for attending!

Mac malware feed: http://ow.ly/O1WM303qAkV

Mac infosec homebrew tap: http://ow.ly/c1LZ303pKwa

OSX Security Awesome: http://ow.ly/uWEj303pKuf

These slides: http://ow.ly/DpNQ305KfPd