Notes from the conf for later
Userland Persistence on Mac OS X
by Josh Pitts @midnite_runr
Video
https://archive.org/details/joshpitts_shmoocon2015
the backdoor factory
https://github.com/secretsquirrel/the-backdoor-factory
-framework to patch PE, ELF and Mach-O binaries
BDFProxy patches binaries on the fly while they are being downloaded
https://github.com/secretsquirrel/BDFProxy
must have root or equivalent to patch the various programs
Background on OSX Persistence
Methods of Malware Persistence on OS X Mavericks, by Patrick Wardle
https://s3.amazonaws.com/s3.synack.com/Synack_Shakacon_OSX_Malware_Persistence.pdf
userland persistence
-plists (run by launchd, which fills a role similar to init): on boot, on logon, on socket activity
-evil plugins
-startupitems folders (plist or script)
-cronjobs
-/etc/rc.common
-/etc/launchd.conf
-binary infection (backdoor factory method)
prior work
-infecting Mach-O, __PAGEZERO method
-BouBou Library Injection
josh's blog post related to the talk
http://secureallthethings.blogspot.com/2014/08/patching-mach-o-format-simple-and-easy.html
pre-text section infection method: change the entry point to the evil payload; when the payload finishes it continues on to the parent process
BDF will automatically unsign a signed binary. OS X doesn't care that a binary is unsigned, only that a signature, if present, is correct
interesting boot processes that were patchable
-/sbin/launchd - the first process
-/usr/libexec/xpcproxy - almost everything uses it
-/usr/bin/security
-/usr/bin/awk (awk runs at boot: launchd launches a script that launches awk)
Demos in the talk
-launchd patch
 python script from the demo:
 https://gist.github.com/secretsquirrel/2ba497786027472f98dd
-xpcproxy
-awk
Detection?
Run the script on your baseline. Make note of the injection candidates and which of them are signed, then re-check later and take note if any of them is NOT signed anymore. That should indicate some muckery going on.
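An added example of that baseline-and-compare check (my code, not the talk's demo script): it records the SHA-256 and `codesign --verify` result for the patchable boot processes listed above and reports any binary that later fails verification or changes hash. The candidate list, the baseline file name and the use of `codesign --verify` as the signing check are assumptions.

```python
#!/usr/bin/env python3
"""Baseline code-signing state of injection candidates; alert when one later
fails signature verification (BDF unsigns what it patches) or changes hash."""
import hashlib, json, subprocess, sys

# Assumed candidate list, taken from the patchable boot processes in the talk.
CANDIDATES = ["/sbin/launchd", "/usr/libexec/xpcproxy",
              "/usr/bin/security", "/usr/bin/awk"]

def codesign_ok(path):
    """True if `codesign --verify` accepts the binary (macOS only)."""
    return subprocess.run(["codesign", "--verify", path],
                          capture_output=True).returncode == 0

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths, signed=codesign_ok, digest=sha256_file):
    """Record hash and signing state per path; checkers are injectable for tests."""
    return {p: {"sha256": digest(p), "signed": signed(p)} for p in paths}

def compare(baseline, current):
    """Findings: binaries gone missing, signed-then-unsigned, or hash changed."""
    findings = []
    for path, base in baseline.items():
        now = current.get(path)
        if now is None:
            findings.append((path, "missing"))
        elif base["signed"] and not now["signed"]:
            findings.append((path, "signature lost"))
        elif base["sha256"] != now["sha256"]:
            findings.append((path, "hash changed"))
    return findings

if __name__ == "__main__":
    # First run writes the baseline; later runs diff the live system against it.
    store = sys.argv[1] if len(sys.argv) > 1 else "codesign_baseline.json"
    try:
        with open(store) as f:
            baseline = json.load(f)
    except FileNotFoundError:
        with open(store, "w") as f:
            json.dump(snapshot(CANDIDATES), f, indent=1)
        sys.exit("baseline written to " + store)
    for path, why in compare(baseline, snapshot(CANDIDATES)):
        print("ALERT %s: %s" % (path, why))
```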