flashback os x malware
play

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 - PowerPoint PPT Presentation

Feb 16, 2024 •266 likes •618 views

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable | f-secure.com Agenda Infection Vector Installation Main Binary C&C Servers Payload Remaining Binaries

  1. Flashback OS X Malware Broderick Ian Aquilino – September 27, 2012 Protecting the irreplaceable | f-secure.com

  2. Agenda • Infection Vector • Installation • Main Binary • C&C Servers • Payload • Remaining Binaries • Filter/Loader Binary • LaunchAgent Binary September 27, 2 2012

  3. Infection Summary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 3 2012

  4. Infection Vector Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 4 2012

  5. Infection Vector September 27, 5 2012

  6. Infection Vector September 27, 6 2012

  7. Infection Vector September 27, 7 2012

  8. Infection Vector • CVE-2008-5353 • CVE-2011-3544 • CVE-2012-0507 September 27, 8 2012

  9. Installation Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 9 2012

  10. Main Binary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 10 2012

  11. Main Binary: Update Server • Creates a thread that connects to a set of C&C servers to download updates every 3670 secs (>1hr) Generated list Returned by a based on date Hardcoded list third party (*new variants server only) September 27, 11 2012

  12. Main Binary: Update Program • Response: • %marker1%%encoded_VM_program%%marker2% %encoded_MD5_RSA_signature%%marker3% • Log SHA1 of VM program • {HOME}/Library/Logs/swlog • {HOME}/Library/Logs/vmLog September 27, 12 2012

  13. Main Binary: Payload C&C (Newer Variants) • Same thread will also connect to another set of C&C servers • This time to select a server for executing the payload Updateable list Hardcoded list Generated list (Entry ID (Entry ID based on date 3035856777) 2522550406) September 27, 13 2012

  14. Main Binary: Payload C&C (Old Variants) Hardcoded list (Entry ID 2413278617) • Selected only once - when binary is loaded September 27, 14 2012

  15. Main Binary: Payload C&C Validation • Response • %SHA1_string_of_server_name% | %MD5_RSA_signature% • Use (2 nd – old variant / 1 st – new variant) host in hardcoded list as default server • Use “ localhost ” if configuration entry does not exists (new variant only) September 27, 15 2012

  16. Main Binary: Payload (Old Variants) Outbound Inbound CFWriteStreamWrite CFReadStreamRead send recv September 27, 16 2012

  17. Main Binary: Payload (Old Variants) Outbound Inbound Contains target To Google? string? Pls reply in a format Inject content that is parseable September 27, 17 2012

  18. Demo September 27, 18 2012

  19. Main Binary: Payload (Newer Variants) Browser Command CFWriteStreamWrite and Control Other Modules Destination Google CFReadStreamRead September 27, 19 2012

  20. Main Binary: Payload (Newer) -> Search Browser Command CFWriteStreamWrite and Control Keyword and other info Other Modules Destination Google CFReadStreamRead September 27, 20 2012

  21. Main Binary: Payload (Newer) -> Search Browser Command Original search CFWriteStreamWrite and Control request Redirection data and/or other commands Other Modules Destination Google Google CFReadStreamRead search result September 27, 21 2012

  22. Main Binary: Payload (Newer) -> Click Browser Command Redirection CFWriteStreamWrite and Control info Tracking info Other Modules Destination Google Redirection CFReadStreamRead info September 27, 22 2012

  23. Main Binary: Payload (Newer) -> Click • Google return the request in the response September 27, 23 2012

  24. Main Binary: Payload (Newer) -> Click Browser Command CFWriteStreamWrite and Control Request to new destination Other Modules Destination Google Redirection script CFReadStreamRead September 27, 24 2012

  25. Main Binary: Payload (Newer) -> Click Browser Command CFWriteStreamWrite and Control Request with modified referrer Other Modules Destination Google CFReadStreamRead September 27, 25 2012

  26. Demo September 27, 26 2012

  27. Filter/Loader Binary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 27 2012

  28. Filter/Loader Binary September 27, 28 2012

  29. Filter/Loader Binary September 27, 29 2012

  30. LaunchAgent Binary Hacked Distribution Website Website Launch Installer Main Binary Agent Filter / Loader September 27, 30 2012

  31. LaunchAgent Binary • Stand-alone light version of the updater module found in the main binary • Uses different set of C&C servers Generated list Generated list based on Hardcoded list based on date constants • Similar server validation process • Logs CRC32 of the update/installation program • /tmp/.%crc32_of_VM_program% • Have it’s own instruction set September 27, 31 2012

  32. LaunchAgent Binary - Recent Variant September 27, 32 2012

  33. LaunchAgent Binary - Recent Variant • Taken over the responsibility of installing the malware September 27, 33 2012

  34. Thank you! Please check out the conference paper for more details. broderick.aquilino@f-secure.com

Recommend

Instrumental Technique FLASHBACK ARRESTOR Amitava Srimany 28-12-2013 A flashback arrestor or

Instrumental Technique FLASHBACK ARRESTOR Amitava Srimany 28-12-2013 A flashback arrestor or

Instrumental Technique FLASHBACK ARRESTOR Amitava Srimany 28-12-2013 A flashback arrestor or flame arrestor is a device which stops the flame from burning back up into the gas line and causing damage or explosions. It is most commonly used in

566 views • 7 slides
2012-2015 Flashback Lake Erie Algal Blooms Flashback In the 1960s: Lake Erie was declared

2012-2015 Flashback Lake Erie Algal Blooms Flashback In the 1960s: Lake Erie was declared

LAKE ERIE ECOSYSTEM PRIORITY 2012-2015 Flashback Lake Erie Algal Blooms Flashback In the 1960s: Lake Erie was declared dead Excessive algae In response to public concern and became dominant recommendations by the species

342 views • 23 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
FORESHADOWING & FLASHBACK Foreshadowing The authors use of clues to hint at what might

FORESHADOWING & FLASHBACK Foreshadowing The authors use of clues to hint at what might

FORESHADOWING & FLASHBACK Foreshadowing The authors use of clues to hint at what might happen later in a story. HELPS TO BUILD SUSPENSE FORESHADOWING THROUGH Dialogue Description Attitudes of characters Reactions of

826 views • 14 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse? Virus?

470 views • 27 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based malware: Exploit kits Fake AV Ransomware Today (continuation) How Malware Spreads Adware Computer Virus A type of malicious

647 views • 23 slides
Date: 18/08/2016 RBWH HD Clinic History Flashback First set up in 1994 by Psychiatrist Dr

Date: 18/08/2016 RBWH HD Clinic History Flashback First set up in 1994 by Psychiatrist Dr

RBWH HD Clinic and Palliative Care Pathway Presented by: Lily Tang (Clinical Nurse) Date: 18/08/2016 RBWH HD Clinic History Flashback First set up in 1994 by Psychiatrist Dr Lawrence and Neurologist Dr Lander- research focus (HSG data

479 views • 27 slides

More recommend