Friday, January 23, 2015

Shmoocon Notes: Userland Persistence on Mac OS X


Notes from the conf for later

Userland Persistence on Mac OS X

by Josh Pitts @midnite_runr 


Video
https://archive.org/details/joshpitts_shmoocon2015

the backdoor factory
https://github.com/secretsquirrel/the-backdoor-factory

-framework to patch PE, ELF, and Mach-O binaries

BDFProxy will patch binaries on the fly while they are being downloaded
https://github.com/secretsquirrel/BDFProxy

-you must have root (or equivalent) to patch the system binaries discussed below


Background on OSX Persistence

Methods of Malware Persistence on OS X Mavericks, Patrick Wardle
https://s3.amazonaws.com/s3.synack.com/Synack_Shakacon_OSX_Malware_Persistence.pdf

userland persistence

-plists (executed by launchd, which is similar to init) on boot, on login, on socket activity

-evil plugins

-StartupItems folders (plist or script)

-cron jobs

-/etc/rc.common

-/etc/launchd.conf

-binary infection (the backdoor factory method)

prior work
-infecting Mach-O via the _PAGEZERO method
-BouBou Library Injection

josh's blog post related to the talk
http://secureallthethings.blogspot.com/2014/08/patching-mach-o-format-simple-and-easy.html

pre-text section infection method-->change the entry point to the evil payload; after the payload runs, execution continues into the original (parent) program

BDF will automatically unsign a signed binary; OS X doesn't care that a binary is not signed, only that a signature, if present, is correct

interesting boot processes that were patchable
-/sbin/launchd - the first process
-/usr/libexec/xpcproxy - almost everything uses it
-/usr/bin/security
-/usr/bin/awk - awk turned out to be a boot process: launchd launches a script that launches awk

Demos in the talk

launchd patch
python script from demo: https://gist.github.com/secretsquirrel/2ba497786027472f98dd

xpcproxy

awk


Detection?

Run the script on your baseline system. Make note of the injection candidates and which of them are signed, then periodically check whether any of them is NOT signed anymore. That should indicate some muckery going on.
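One way to do that baseline-and-compare check, as an added example (not a script from the talk or from BDF): on macOS it shells out to `codesign --verify` for each candidate binary, saves the result, and on later runs reports any binary whose signing state drifted from the baseline. The candidate list, the baseline file name and the state labels are assumptions made for this example.

```python
"""Baseline the code-signing state of boot-time binaries and flag drift.

Added example, not from the talk. Collection uses `codesign` and so only
works on macOS; the compare() logic is plain Python and runs anywhere.
"""
import json
import platform
import subprocess
from pathlib import Path

# Boot-time binaries the talk named as patchable (assumed list for this example).
CANDIDATES = ["/sbin/launchd", "/usr/libexec/xpcproxy",
              "/usr/bin/security", "/usr/bin/awk"]
BASELINE_FILE = Path("signing_baseline.json")  # assumed location


def codesign_state(path: str) -> str:
    """Return 'valid', 'unsigned', 'invalid' or 'missing' for one binary."""
    if not Path(path).exists():
        return "missing"
    r = subprocess.run(["codesign", "--verify", "--strict", "--", path],
                       capture_output=True, text=True)
    if r.returncode == 0:
        return "valid"
    # codesign reports a file with no signature as "code object is not signed at all"
    if "not signed at all" in r.stderr:
        return "unsigned"
    return "invalid"  # a signature is present but no longer verifies


def collect(paths):
    return {p: codesign_state(p) for p in paths}


def compare(baseline, current):
    """Return (path, old_state, new_state) for every binary whose state changed.

    'valid' -> 'unsigned' is exactly what BDF's unsigning leaves behind;
    a path absent from the baseline is reported with old state 'unknown'."""
    return [(path, baseline.get(path, "unknown"), now)
            for path, now in current.items()
            if baseline.get(path, "unknown") != now]


if __name__ == "__main__":
    if platform.system() != "Darwin":
        raise SystemExit("codesign is macOS-only; nothing collected")
    current = collect(CANDIDATES)
    if BASELINE_FILE.exists():
        for path, before, now in compare(json.loads(BASELINE_FILE.read_text()), current):
            print(f"CHANGED {path}: {before} -> {now}")
    else:
        BASELINE_FILE.write_text(json.dumps(current, indent=2))
        print(f"baseline written to {BASELINE_FILE}")
```

The first run on a known-good system writes the baseline; every later run prints only the binaries whose signing state changed, so a clean run prints nothing.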

CG
