Mac Malware - papers.put.as
Mac Malware (@belogor)
Your speakers today
Nick Bilogorskiy (@belogor), Director of Security Research
Shel Sharma, Product Marketing Director
Agenda
o Mac Trends and Stats
o Mac Malware
o Mac Adware
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
Mac Growth
Gartner's Preliminary U.S. PC Vendor Unit Shipment Estimates for 1Q15 (Thousands of Units)
Apple's U.S. Market Share Trend: 1Q06-1Q15 (Gartner)
MAC vs Windows
OPSWAT 2015 data
Mac Not Protected
1 in 6 Macs actively protected by an antivirus program
Mac Malware on the Rise
Kaspersky data
Cyphort In-the-Wild Mac Stats (Cyphort Labs data)
o Adware 73%
o Unknown 21%
o Trojans 6%
Apple, Facebook Breached by Mac Malware
Mac Malware Timeline
2004 Opener/Renepo
2006 Leap
2006 Inqtana
2007 Puper (RSPlug, Jahlav)
2008 Lamzev
2008 Imunizator
2008 MacSweep
2009 Krowi / IWork
2009 Tored
2010 Boonana / Koobface
2010 OpinionSpy
2010 HellRaiser
2011 Blackhole/DarkComet
2011 Devilrobber (Miner)
2011 Flashback
2011 MacDefender
2011 Olyx
2011 Imuler/Revir
2011 Tsunami/Kaiten
2012 Crisis/Morcut/Da Vinci
2012 Dockster
2012 Lamadai
2012 Maccontrol
2012 Rubilyn
2012 Sabpab
2013 Leverage
2013 CallMe
2013 Hackback
2013 Icefog
2013 Kitmos
2013 Pintsized
2014 Wirelurker
2014 XSLCMD aka Belfibod
2014 Ventir
2014 Laoshu
2014 CoinThief
2014 Careto, Mask, Appetite
Boonana - 2010
Flashback - 2011
Image by Amanda Stewart, MirCon2014
Crisis
o Objective-C used to code OSX.Crisis (2012)
o Rootkit used by governments during targeted attacks
o Collects audio, pictures, screenshots, keystrokes
o Reports everything to a remote server
o Known to be delivered through grey market exploits
Ventir
o Ventir contains a keylogger, Trojan and a backdoor
o Discovered in October 2014.
o Similar to OSX/Crisis malware
C&C server:
o http://220.175.13.250:82
It issues an HTTP GET request in the following format:
o http://220.175.13.250:82/macsql.php?mode=getcmd&key=1000&udid={MAC ADDRESS}
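A defender-side check for the check-in format above, written for this transcript and not part of the original deck: it parses constructed sample proxy log lines (client IP and URL), matches the macsql.php getcmd shape with a MAC-formatted udid, and flags whether the host is the C&C server named in the slide. The log line format and the sample IPs are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines ("client_ip requested_url"); not from the deck.
SAMPLE_PROXY_LOG = """\
10.0.0.12 http://220.175.13.250:82/macsql.php?mode=getcmd&key=1000&udid=00:1c:42:ab:cd:ef
10.0.0.13 http://www.example.com/index.html
10.0.0.14 http://220.175.13.250:82/macsql.php?mode=getcmd&key=1000&udid=a4:5e:60:11:22:33
10.0.0.15 http://203.0.113.7/macsql.php?mode=getcmd&key=1000&udid=00:1c:42:ab:cd:ef
10.0.0.16 http://220.175.13.250:82/macsql.php?mode=status
"""

# C&C host named in the deck. A relocated server would differ, so the
# check-in shape is matched independently of the host.
VENTIR_C2_HOST = "220.175.13.250:82"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def is_ventir_checkin(url):
    """True when the URL has the getcmd check-in shape shown in the deck."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return (parts.path.endswith("/macsql.php")
            and qs.get("mode") == ["getcmd"]
            and "key" in qs
            and bool(MAC_RE.match(qs.get("udid", [""])[0])))

def find_ventir_checkins(log_text):
    """One record per matching line: client, host, victim MAC (udid), known-C2 flag."""
    hits = []
    for line in log_text.splitlines():
        client, url = line.split(maxsplit=1)
        if not is_ventir_checkin(url):
            continue
        parts = urlsplit(url)
        hits.append({
            "client": client,
            "host": parts.netloc,
            "udid": parse_qs(parts.query)["udid"][0].lower(),
            "known_c2": parts.netloc == VENTIR_C2_HOST,
        })
    return hits

if __name__ == "__main__":
    for hit in find_ventir_checkins(SAMPLE_PROXY_LOG):
        print(hit)
```

The udid field is the victim's MAC address, so a hit also identifies which machine to pull for forensics.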
WireLurker
o 467 OS X applications on the Maiyadi App Store
o 356,104 downloads
o Attacks iOS devices through OS X via USB and installs third-party applications on non-jailbroken iOS devices through enterprise provisioning
XSLCMD
o Discovered in 2014
o Ported OS X version of the XSLCmd Windows malware
o By “GREF”
XSLCMD Capabilities
o Creates a remote shell
o Updates the configuration
o Traverses file systems
o Downloads files
o Creates new processes
o Captures screenshots
o Logs keystrokes
o Steals document files
o Lists applications
o Collects system information
Laoshu
o Takes screenshots once a minute
o Signed with a trusted certificate of the developer
o Looks like the virus writers were planning on uploading it to the App Store
CoinThief
o First bitcoin-stealing malware for OS X
o Disguises itself as a few open source bitcoin utilities
o Installs a malicious browser extension and/or a patched version of bitcoin-qt (an open source utility for mining bitcoins)
Mac Malware Trends
o Decoys (Show image while run in the background)
o .App disguised as a JPEG
o Primary focus is on data theft
  − Key logging
  − Screenshots
  − User information
o Adware is very popular
o Backdoors and Rootkits are rare but mainly used in targeted attacks
Toolbar OSX.Conduit
o MD5: dc982d1f0415682e2735d45e83dff17e
o Toolbar, browser hijacker and data stealer
o OSX is not immune – Safari is just as much a target as Windows based browsers
OSX – Genieo
o MD5: 11f085fdfca46a4b446760a0e68dc2c3
o Browser Hijacker
Secure Your Mac: XProtect
Secure Your Mac: GateKeeper
Mac Tools
o “file” command - simple way to check the architecture of a binary
o dtrace - comprehensive dynamic tracing framework
o otool - The otool command displays specified parts of object files or libraries.
o IdaPro - disassembler
o dmg2img - convert DMG files into the standard disk image format, IMG
Watch out for these Executable Filetypes
o DMG (App within an HFS container or “disk image”)
o PKG (App within a XAR container and package installer)
o Mach-O ( Binary equivalent to a Windows EXE)
o AppleScripts (Used for Apple inter-application communication)
o Perl/Python/Bash Scripts
o Bourne-again Shell Scripts (Used in BSD based systems)
o Extensions (Safari, Chrome, FireFox)
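A small magic-byte classifier for the file types listed above, added for this transcript (not the deck's or Cyphort's code). It covers the container and binary formats by their signatures (Mach-O and fat headers, the xar! header of PKG, the koly trailer of UDIF DMG, compiled AppleScript, and shebang scripts); the interpreter-name table and the nfat_arch threshold used to tell a fat binary from a Java class file are assumptions.

```python
import struct

# Magic numbers for the native executable containers named in the deck.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # Mach-O universal binary; also the Java class magic
XAR_MAGIC = b"xar!"               # PKG installers are XAR archives
KOLY_MAGIC = b"koly"              # UDIF DMG: 512-byte trailer at the end of the file
APPLESCRIPT_MAGIC = b"FasdUAS"    # compiled AppleScript (.scpt)

# Assumed mapping from shebang interpreter name to a label.
INTERPRETERS = {"bash": "Bash script", "sh": "Bourne shell script",
                "perl": "Perl script", "python": "Python script",
                "osascript": "AppleScript (osascript)"}

def classify(data):
    """Classify a file's bytes into one of the executable types listed in the deck."""
    head = data[:4]
    if head in MACHO_MAGICS:
        return MACHO_MAGICS[head]
    if head == FAT_MAGIC and len(data) >= 8:
        # Heuristic: a fat header carries a small nfat_arch in bytes 4..8, while a
        # Java class file has its version (major >= 45) in the same four bytes.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        return "Mach-O universal (fat) binary" if nfat_arch <= 20 else "Java class file"
    if head == XAR_MAGIC:
        return "PKG (XAR archive)"
    if data.startswith(APPLESCRIPT_MAGIC):
        return "Compiled AppleScript"
    if data.startswith(b"#!"):
        # Resolve "#!/usr/bin/env python3" and "#!/bin/bash -e" to the interpreter name.
        words = data.split(b"\n", 1)[0][2:].decode("ascii", "replace").split()
        interp = words[-1] if words and words[0].endswith("env") else (words[0] if words else "")
        name = interp.rsplit("/", 1)[-1].rstrip("0123456789.")  # python3.9 -> python
        return INTERPRETERS.get(name, f"script ({name})")
    if len(data) >= 512 and data[-512:-508] == KOLY_MAGIC:
        return "DMG (UDIF disk image)"
    return "unknown"
```

Extension is never checked: a Mach-O renamed to .jpg (the decoy trick from the trends slide) still classifies as Mach-O.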
Summary
o Mac share in the enterprise is growing
o Users have a false sense of security
o Some APT attacks added Mac-modules
o Mac Adware is prevalent
o Criminals will take advantage of the increasing popularity of Mac
o Mac Malware is a real threat and cannot be ignored
Thank You!
Twitter: @belogor
Previous MMW slides on http://cyphort.com/labs/malwares-wanted/