flashback os x malware
play

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 - PowerPoint PPT Presentation

Feb 16, 2024 •266 likes •618 views

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable | f-secure.com Agenda Infection Vector Installation Main Binary C&C Servers Payload Remaining Binaries

  1. Flashback OS X Malware Broderick Ian Aquilino – September 27, 2012 Protecting the irreplaceable | f-secure.com

  2. Agenda • Infection Vector • Installation • Main Binary • C&C Servers • Payload • Remaining Binaries • Filter/Loader Binary • LaunchAgent Binary September 27, 2 2012

  3. Infection Summary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 3 2012

  4. Infection Vector Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 4 2012

  5. Infection Vector September 27, 5 2012

  6. Infection Vector September 27, 6 2012

  7. Infection Vector September 27, 7 2012

  8. Infection Vector • CVE-2008-5353 • CVE-2011-3544 • CVE-2012-0507 September 27, 8 2012

  9. Installation Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 9 2012

  10. Main Binary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 10 2012

  11. Main Binary: Update Server • Creates a thread that connects to a set of C&C servers to download updates every 3670 secs (>1hr) Generated list Returned by a based on date Hardcoded list third party (*new variants server only) September 27, 11 2012

  12. Main Binary: Update Program • Response: • %marker1%%encoded_VM_program%%marker2% %encoded_MD5_RSA_signature%%marker3% • Log SHA1 of VM program • {HOME}/Library/Logs/swlog • {HOME}/Library/Logs/vmLog September 27, 12 2012

  13. Main Binary: Payload C&C (Newer Variants) • Same thread will also connect to another set of C&C servers • This time to select a server for executing the payload Updateable list Hardcoded list Generated list (Entry ID (Entry ID based on date 3035856777) 2522550406) September 27, 13 2012

  14. Main Binary: Payload C&C (Old Variants) Hardcoded list (Entry ID 2413278617) • Selected only once - when binary is loaded September 27, 14 2012

  15. Main Binary: Payload C&C Validation • Response • %SHA1_string_of_server_name% | %MD5_RSA_signature% • Use (2 nd – old variant / 1 st – new variant) host in hardcoded list as default server • Use “ localhost ” if configuration entry does not exists (new variant only) September 27, 15 2012

  16. Main Binary: Payload (Old Variants) Outbound Inbound CFWriteStreamWrite CFReadStreamRead send recv September 27, 16 2012

  17. Main Binary: Payload (Old Variants) Outbound Inbound Contains target To Google? string? Pls reply in a format Inject content that is parseable September 27, 17 2012

  18. Demo September 27, 18 2012

  19. Main Binary: Payload (Newer Variants) Browser Command CFWriteStreamWrite and Control Other Modules Destination Google CFReadStreamRead September 27, 19 2012

  20. Main Binary: Payload (Newer) -> Search Browser Command CFWriteStreamWrite and Control Keyword and other info Other Modules Destination Google CFReadStreamRead September 27, 20 2012

  21. Main Binary: Payload (Newer) -> Search Browser Command Original search CFWriteStreamWrite and Control request Redirection data and/or other commands Other Modules Destination Google Google CFReadStreamRead search result September 27, 21 2012

  22. Main Binary: Payload (Newer) -> Click Browser Command Redirection CFWriteStreamWrite and Control info Tracking info Other Modules Destination Google Redirection CFReadStreamRead info September 27, 22 2012

  23. Main Binary: Payload (Newer) -> Click • Google return the request in the response September 27, 23 2012

  24. Main Binary: Payload (Newer) -> Click Browser Command CFWriteStreamWrite and Control Request to new destination Other Modules Destination Google Redirection script CFReadStreamRead September 27, 24 2012

  25. Main Binary: Payload (Newer) -> Click Browser Command CFWriteStreamWrite and Control Request with modified referrer Other Modules Destination Google CFReadStreamRead September 27, 25 2012

  26. Demo September 27, 26 2012

  27. Filter/Loader Binary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 27 2012

  28. Filter/Loader Binary September 27, 28 2012

  29. Filter/Loader Binary September 27, 29 2012

  30. LaunchAgent Binary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 30 2012

  31. LaunchAgent Binary • Stand-alone light version of the updater module found in the main binary • Uses different set of C&C servers Generated list Generated list based on Hardcoded list based on date constants • Similar server validation process • Logs CRC32 of the update/installation program • /tmp/.%crc32_of_VM_program% • Have it’s own instruction set September 27, 31 2012

  32. LaunchAgent Binary - Recent Variant September 27, 32 2012

  33. LaunchAgent Binary - Recent Variant • Taken over the responsibility of installing the malware September 27, 33 2012

  34. Thank you! Please check out the conference paper for more details. broderick.aquilino@f-secure.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Instrumental Technique FLASHBACK ARRESTOR Amitava Srimany 28-12-2013 A flashback arrestor or

Instrumental Technique FLASHBACK ARRESTOR Amitava Srimany 28-12-2013 A flashback arrestor or

Instrumental Technique FLASHBACK ARRESTOR Amitava Srimany 28-12-2013 A flashback arrestor or flame arrestor is a device which stops the flame from burning back up into the gas line and causing damage or explosions. It is most commonly used in

566 views • 7 slides
2012-2015 Flashback Lake Erie Algal Blooms Flashback In the 1960s: Lake Erie was declared

2012-2015 Flashback Lake Erie Algal Blooms Flashback In the 1960s: Lake Erie was declared

LAKE ERIE ECOSYSTEM PRIORITY 2012-2015 Flashback Lake Erie Algal Blooms Flashback In the 1960s: Lake Erie was declared dead Excessive algae In response to public concern and became dominant recommendations by the species

341 views • 23 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
FORESHADOWING & FLASHBACK Foreshadowing The authors use of clues to hint at what might

FORESHADOWING & FLASHBACK Foreshadowing The authors use of clues to hint at what might

FORESHADOWING & FLASHBACK Foreshadowing The authors use of clues to hint at what might happen later in a story. HELPS TO BUILD SUSPENSE FORESHADOWING THROUGH Dialogue Description Attitudes of characters Reactions of

826 views • 14 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to

Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to

The Bro Network Security Monitor Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to Medium-term Roadmap Current Research Projects Workshop Wrap-Up 2 Bro Workshop 2011 Version 2.0 Final 3 Bro

620 views • 57 slides
INTRODUCE IN-KERNEL SMB3 SERVER CALLED CIFSD Namjae Jeon Samsung Electronics June 5, 2019

INTRODUCE IN-KERNEL SMB3 SERVER CALLED CIFSD Namjae Jeon Samsung Electronics June 5, 2019

INTRODUCE IN-KERNEL SMB3 SERVER CALLED CIFSD Namjae Jeon Samsung Electronics June 5, 2019 About me Linux kernel contributor since 2011 Co-Creator of Samsung internal NTFS Filesystem Introduce collapse and insert range syscall

406 views • 26 slides
Physics S Student Clubs & RSOs Fall 2020 Physics at Illinois Undergraduate Student Organiz

Physics S Student Clubs & RSOs Fall 2020 Physics at Illinois Undergraduate Student Organiz

Physics S Student Clubs & RSOs Fall 2020 Physics at Illinois Undergraduate Student Organiz izatio ions Society for Guidance for Society of Physics PhySAB PhysVan Women in Physics Physics Students Students (SPS) (SWIP) (GPS)

340 views • 9 slides
1 Bertrand Meyer The assistants 7 8 Volkan Arslan Michael Gomez E-mail:

1 Bertrand Meyer The assistants 7 8 Volkan Arslan Michael Gomez E-mail:

German version of lecture slides 1 2 Folien fr diese und alle weiteren Vorlesungseinheiten werden von nun an auch in Deutsch verfgbar sein. Introduction to Programming Sie knnen die deutschen Folien auf der Webseite der Vorlesung

657 views • 12 slides
RTSP Prime (RTSP) semantics very similar to RTSP-00 textual encoding; but: RTSP would

RTSP Prime (RTSP) semantics very similar to RTSP-00 textual encoding; but: RTSP would

OPENSIG 1 RTSP Prime (RTSP) semantics very similar to RTSP-00 textual encoding; but: RTSP would work text or binary works with TCP and UDP re-use of HTTP authentication better fit with MMUSIC conference control, session

593 views • 14 slides
Web browsing support for cross-community activities Tomohiro Oda Agenda cross-community

Web browsing support for cross-community activities Tomohiro Oda Agenda cross-community

Web browsing support for cross-community activities Tomohiro Oda Agenda cross-community activity cross-community activity and DynC difficulties in supporting cross-community activities cSuite: web browsing support tool for cross-

303 views • 19 slides
Simon Cook Ed Jones simon.cook@embecosm.com ed.jones@embecosm.com Current in-tree architectures

Simon Cook Ed Jones simon.cook@embecosm.com ed.jones@embecosm.com Current in-tree architectures

Simon Cook Ed Jones simon.cook@embecosm.com ed.jones@embecosm.com Current in-tree architectures Arch Server Desktop Embedded MCU DSP GPU Hardware Reg size AArch64 64 AMDGPU 32 ARM 32

643 views • 14 slides
Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC

Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC

Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC DHCP Open-Source First version released in 1997 Default DHCP software in many distributions Server/relay/client for IPv4 & IPv6

303 views • 13 slides

More recommend