a worm in the apple
TRANSCRIPT
A Worm in the Apple
Exploration of Mac malware
Wes Widner
Introduction
Information security engineer by day, malware researcher by night
Also father of 4, so nights tend to be pretty short
Previous talks have been about malware pipelines in general
Macs are secure, right?
Before 2012
After 2012
Flashback
Actually it started in September 2011
Got its name by offering a Flash upgrade
Poor English and other errors gave it away
In February 2012 it changed tactics
Took advantage of an unpatched Java vulnerability
Apple still argues it was Sun’s fault
Claimed 600k (~1%) according to Dr Web
Generated revenue (~$14k) through click fraud
Contained advanced features that weren’t used
Self-encrypting
Flashback part 2
~20k infections as recently as 2014
Tracked by Intego sinkhole
No big deal
In reality Apple spent the rest of the year cleaning up the mess
Apple suddenly found themselves playing catch up
But that was a fluke, right?
Apple and many experts still don’t recommend using protection
Infections are rare
Apple is taking care of it
Perhaps some history will help
Mac malware history
1982 Prehistory: Elk Cloner
1987 nVIR
1988 HyperCard
1990 MDEF
1991 German folk tunes
1995 Word macro viruses
1996 Laroux – viruses for Excel
1996 AutoStart 9805 and Sevendust
2004 MW2004 / Renepo, aka Opener / Renepo and Amphimix
2005 Cowhand
2006 Exploit.OSX.Safari, aka OSX.Exploit.Metadata / Leap, aka Oompa Loompa, the first virus for Mac OS X / Inqtana / OSX.Exploit.Launchd / Macarena
2007 RSPlug, aka DNSChanger, aka Jahlav, aka Puper / OpenOffice BadBunny and RSPlug financial malware
2008 MacSweeper, aka Immunizator / AsTHT, aka Hovdy, aka AplS.Saprilt / PokerStealer, aka Corpref / Lamzev, aka Malev / Scareware, backdoors and Jahlav
2009 iServices, aka iWorkServices, aka Krowi / Tored
2010 HellRTS, aka Pinhead, aka Hellraiser / OpinionSpy, aka Premier Opinion, aka Spynion / Koobface, aka Boonana
2011 BlackHole RAT, aka MusMinim, aka DarkHole / MacDefender, aka MacSecurity, aka MacProtector, aka MacGuard, aka MacShield, aka Defma / QHost, also HostMod-A / Revir, aka Imuler, aka Muxler / Flashback, aka Flashfake / DevilRobber, aka Miner-D / FinFisher
2012 FileSteal, Hackback, KitM / Tibet, aka MacControl, aka MaControl, aka MacKontrol / Sabpab, aka Sabpub, aka Mdropper, aka Lamadai, aka Olyx / FkCodec/Codec-M / Maljava / GetShell, aka SET.gen, aka ShellCode, aka MetaData, aka TESrel / Crisis, aka Morcut, aka DaVinci / NetWeird, aka Wirenet / Jacksbot / Dockster / SMSSend
2013 Pintsized / CallMe / Minesteal / KitM / Janicab / ClickAgent / Leverage / Icefog
2014 LaoShu / CoinThief / XSLCmd / iWorm / Ventir / WireLurker, aka Machook / DMA “evil maid” attacks
2015 Lamadai / Kitm / Hackback / LaoShu / Appetite, trojan targeting government organizations / Imuler / Coin Thief / Suspend-resume rootkit
2016 KeRanger, first ransomware / Mokes / Keydnap / USB attack
Apple still actively fights with vendors
iOS is a heavily walled garden
OSX is becoming a walled garden
The Apple fights back
iDroid
2009 XProtect / File Quarantine
2011 Sandboxing
2012 Gatekeeper
2015 System Integrity Protection
2016 XProtect + Yara
Firewall
OSX comes with not one but two firewalls
Application level firewall (alf)
Packet Filter (pf)
Little Snitch
IceFloor - open source GUI pf manager
Software installation
Archives everywhere
Application bundles
DMG
What magic bytes?
FileVault encryption
PKGs
the self-executables of the OSX world
Natively compressed in xar format
Can specify sandbox rules
App Store
Signed and sandboxed
Code signing
XNU
Hybrid
BSD
POSIX interface
Mandatory Access Control Framework
Mach
Microkernel developed at Carnegie Mellon
For parallel computing
Released in 1985
Provides the basis for some interesting OSX rootkits
Huxley the Platypus
MachO
Similar to ELF
Biggest difference is native code-signing support
Same magic bytes (0xCAFEBABE) as Java class files
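An added Python example (not from the slides) of the magic-byte checks behind the DMG, PKG and Mach-O points above: it tells a fat Mach-O from a Java class file despite the shared 0xCAFEBABE, and walks a fat header to confirm each slice really starts as Mach-O. The sample fat file and class header are constructed, and the nfat_arch threshold follows the heuristic the `file` utility applies.

```python
import struct
# Magics from <mach-o/loader.h> and <mach-o/fat.h>; a Mach-O written by a
# little-endian host reads byte-swapped when the file is parsed big-endian.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit Mach-O
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE                              # fat Mach-O *and* Java .class
MACHO_MAGICS = {MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64}
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 0x0100000C: "arm64"}  # CPU_TYPE_*
def classify(data: bytes) -> str:
    """Coarse label from magic bytes. 0xCAFEBABE is ambiguous: a fat header's
    next big-endian uint32 is nfat_arch (a small count), a Java class file's is
    minor+major version, and major_version has been >= 45 since JDK 1.1, so a
    small value is treated as a fat count (the same heuristic `file` uses)."""
    if len(data) < 8:
        return "too-short"
    head, second = struct.unpack(">II", data[:8])
    if head in MACHO_MAGICS:
        return "macho-64" if head in (MH_MAGIC_64, MH_CIGAM_64) else "macho-32"
    if head == FAT_MAGIC:
        return "fat-macho" if 0 < second < 20 else "java-class"
    if data[:4] == b"xar!":                               # PKG = xar archive
        return "xar-pkg"
    if len(data) >= 512 and data[-512:-508] == b"koly":  # UDIF DMG trailer
        return "dmg-udif"
    return "unknown"

def fat_slices(data: bytes) -> list:
    """Walk fat_arch entries (20 bytes each, big-endian, from offset 8) and
    report (cpu, offset, size, is_macho); a slice lacking a Mach-O magic is
    worth a closer look, since the wrapper says nothing about its contents."""
    assert classify(data) == "fat-macho"
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        cputype, _sub, off, size, _al = struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i])
        ok = off + 4 <= len(data) and struct.unpack(">I", data[off:off + 4])[0] in MACHO_MAGICS
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), off, size, ok))
    return slices

def build_sample_fat() -> bytes:
    """Constructed two-slice fat file: headers only, no real code inside."""
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">iiIII", 7, 3, 4096, 4, 12)           # i386 slice at 4096
    hdr += struct.pack(">iiIII", 0x01000007, 3, 8192, 4, 12)  # x86_64 slice at 8192
    body = bytearray(12288)
    body[:len(hdr)] = hdr
    body[4096:4100] = struct.pack("<I", MH_MAGIC)     # host (little-endian) order
    body[8192:8196] = struct.pack("<I", MH_MAGIC_64)
    return bytes(body)
```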
IPC ports
Not network ports
Unix ports but in kernel land
Resource forks
Little Flocker
Boot - in the beginning
UEFI
FAT boot partition
Firmware passwords
Psystar and Rebel EFI
Copyrighted bootloader
Physical attacks
FireWire DMA
Evil USB
kext - Kernel extensions
dyld
Preloaded libraries in
Mac interposes its own malloc function
launchd
.plist
Books worth getting
Thanks for attending!
Mac malware feed: http://ow.ly/O1WM303qAkV
Mac infosec homebrew tap: http://ow.ly/c1LZ303pKwa
OSX Security Awesome: http://ow.ly/uWEj303pKuf
These slides: http://ow.ly/DpNQ305KfPd