1 of 62

A Worm in the Apple

Exploration of Mac malware

Wes Widner

@kai5263499

wes@manwe.io


Introduction

Information security engineer by day, malware researcher by night

Also father of 4, so nights tend to be pretty short

Previous talks have been about malware pipelines in general


Macs are secure, right?


Before 2012


After 2012


Flashback

  • Actually it started in September 2011
  • Got its name by offering a Flash upgrade
  • Poor English and other errors gave it away
  • In February 2012 it changed tactics
  • Took advantage of an unpatched Java vulnerability
  • Apple still argues it was Sun’s fault
  • Claimed 600k (~1%) according to Dr Web
  • Generated revenue (~$14k) through click fraud
  • Contained advanced features that weren’t used
  • Self-encrypting


Flashback part 2

  • ~20k infections as recently as 2014
  • Tracked by Intego sinkhole
  • No big deal
  • In reality Apple spent the rest of the year cleaning up the mess
  • Apple suddenly found themselves playing catch up


But that was a fluke, right?


Apple and many experts still don’t recommend using protection

  • Infections are rare
  • Apple is taking care of it


Perhaps some history will help


Mac malware history

  • 1982 Prehistory: Elk Cloner
  • 1987 nVIR
  • 1988 HyperCard
  • 1990 MDEF
  • 1991 German folk tunes
  • 1995 Word macro viruses
  • 1996 Laroux – viruses for Excel
  • 1996 AutoStart 9805 and Sevendust
  • 2004 MW2004 / Renepo, aka Opener / Renepo and Amphimix
  • 2005 Cowhand


  • 2006 Exploit.OSX.Safari, aka OSX.Exploit.Metadata / Leap, aka Oompa Loompa, the first virus for Mac OS X / Inqtana / OSX.Exploit.Launchd / Macarena
  • 2007 RSPlug, aka DNSChanger, aka Jahlav, aka Puper / OpenOffice BadBunny and RSPlug financial malware
  • 2008 MacSweeper, aka Immunizator / AsTHT, aka Hovdy, aka AplS.Saprilt / PokerStealer, aka Corpref / Lamzev, aka Malev / Scareware, backdoors and Jahlav
  • 2009 iServices, aka iWorkServices, aka Krowi / Tored
  • 2010 HellRTS, aka Pinhead, aka Hellraiser / OpinionSpy, aka Premier Opinion, aka Spynion / Koobface, aka Boonana


  • 2011 BlackHole RAT, aka MusMinim, aka DarkHole / MacDefender, aka MacSecurity, aka MacProtector, aka MacGuard, aka MacShield, aka Defma / QHost, also HostMod-A / Revir, aka Imuler, aka Muxler / Flashback, aka Flashfake / DevilRobber, aka Miner-D / FinFisher
  • 2012 FileSteal, Hackback, KitM / Tibet, aka MacControl, aka MaControl, aka MacKontrol / Sabpab, aka Sabpub, aka Mdropper, aka Lamadai, aka Olyx / FkCodec/Codec-M / Maljava / GetShell, aka SET.gen, aka ShellCode, aka MetaData, aka TESrel / Crisis, aka Morcut, aka DaVinci / NetWeird, aka Wirenet / Jacksbot / Dockster / SMSSend
  • 2013 Pintsized / CallMe / Minesteal / KitM / Janicab / ClickAgent / Leverage / Icefog
  • 2014 LaoShu / CoinThief / XSLCmd / iWorm / Ventir / WireLurker, aka Machook / DMA “evil maid” attacks


  • 2015 Lamadai / KitM / Hackback / LaoShu / Appetite, trojan targeting government organizations / Imuler / CoinThief / Suspend-resume rootkit
  • 2016 KeRanger, first ransomware / Mokes / Keydnap / USB attack
  • 2017 Quimitchin / Fruitfly backdoor targeting medical research


Apple still actively fights with vendors

  • iOS is a heavily walled garden
  • OSX is becoming a walled garden


The Apple fights back


iDroid


  • 2009 XProtect / File Quarantine
  • 2011 Sandboxing
  • 2012 Gatekeeper
  • 2015 System Integrity Protection
  • 2016 XProtect + Yara


Firewall

  • OSX comes with not one but two firewalls
    • Application level firewall (alf)
    • Packet Filter (pf)


Little Snitch


Icefloor - open source GUI pf manager


Software installation

  • Archives everywhere
  • Application bundles
  • DMG
    • What magic bytes?
    • FileVault encryption
  • PKGs
    • the self-executables of the OSX world
    • Natively compressed in xar format
    • Can specify sandbox rules
  • App Store
    • Signed and sandboxed


Code signing

  • XNU
  • Hybrid
  • BSD
    • POSIX interface
    • Mandatory Access Control Framework
  • Mach
    • Microkernel developed at Carnegie Mellon for parallel computing
    • Released in 1985
    • Provides the basis for some interesting OSX rootkits

Hexley the Platypus


MachO

  • Similar to ELF
    • Biggest difference is native code-signing support
  • Same magic bytes (0xCAFEBABE) as Java class files
  • IPC ports
    • Not network ports
    • Unix ports but in kernel land
  • Resource forks


Little Flocker


Boot - in the beginning

  • UEFI
    • FAT boot partition
    • Firmware passwords
    • Pystar and Rebel EFI
    • Copyrighted bootloader
    • Physical attacks
      • Firewire DMA
      • Evil USB
  • kext - Kernel extensions
  • dyld
    • Preloaded libraries in
    • Mac interposes its own malloc function
  • launchd
    • .plist
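The launchd entry above is where most persistent Mac malware ends up: a property list in a LaunchAgents or LaunchDaemons folder that tells launchd what to run and when. The triage script below is an added example, not code from the talk. It parses a constructed LaunchAgent plist with the standard-library plistlib and reports the fields an analyst reads first (label, program, RunAtLoad, KeepAlive, StartInterval), flagging programs that live under user-writable or hidden paths. The directory lists are assumptions chosen for the example, not a complete policy.

```python
"""Triage a launchd property list for common persistence signals.

Added example, not from the talk. The plist below is constructed; the
path prefixes used for flagging are assumptions for illustration.
"""
import plistlib

# Paths a legitimately installed job usually runs from (assumption).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")

# Constructed LaunchAgent that shows the signals worth flagging.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/alice/Library/.cache/updater</string>
        <string>--quiet</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
    <key>StartInterval</key><integer>600</integer>
</dict>
</plist>
"""


def triage(plist_bytes: bytes) -> dict:
    """Summarise a launchd job and list the properties that warrant a look."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    # launchd uses Program if present, otherwise ProgramArguments[0].
    program = job.get("Program") or (args[0] if args else None)
    summary = {
        "label": job.get("Label"),
        "program": program,
        "arguments": args[1:],
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),   # may be a dict of conditions
        "start_interval": job.get("StartInterval"),
        "flags": [],
    }
    flags = summary["flags"]
    if summary["run_at_load"]:
        flags.append("starts automatically when the job is loaded")
    if summary["keep_alive"]:
        flags.append("launchd restarts the program if it exits")
    if summary["start_interval"] is not None:
        flags.append(f"re-runs every {summary['start_interval']} seconds")
    if program is None:
        flags.append("no program specified")
    else:
        if not program.startswith(SYSTEM_PREFIXES):
            flags.append("program outside standard install locations")
        if any(part.startswith(".") for part in program.split("/") if part):
            flags.append("program path contains a hidden directory")
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_PLIST)
    print(f"{result['label']}: {result['program']} {' '.join(result['arguments'])}")
    for flag in result["flags"]:
        print(f"  - {flag}")
```

None of these flags is proof of malice on its own (plenty of legitimate agents use RunAtLoad and KeepAlive), but a job that combines automatic start, automatic restart and a hidden program path under a home directory is exactly the combination the history slides keep returning to.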


Books worth getting


Thanks for attending!

Mac malware feed: http://ow.ly/O1WM303qAkV

Mac infosec homebrew tap: http://ow.ly/c1LZ303pKwa

OSX Security Awesome: http://ow.ly/uWEj303pKuf

These slides: http://ow.ly/DpNQ305KfPd