The Italian morons are back! What are they up to this time?

Nothing 😃. HackingTeam was deeply hacked in July 2015 and most of their data was spilled into public hands, including source code for all their sofware and also some 0day exploits. This was an epic hack that shown us their crap internal security but more important than that, their was of doing things and internal and external discussions, since using PGP was too much of an annoyance for these guys (Human biases are a royal pain in the ass, I know! [Read More]

London and Asia EFI monsters tour!

Finally back home from China and Japan tour, so it’s time to finally release the updated slides about EFI Monsters. After Secuinside I updated them a bit, fixing stuff I wasn’t happy with and adding some new content. The updated version was first presented at 44CON London. I had serious reservations about going to the UK (not even in transit!) but Steve Lord and Adrian charm convinced me to give it a try. [Read More]

How to fix rootpipe in Mavericks and call Apple’s bullshit bluff about rootpipe fixes

The rootpipe vulnerability was finally fully disclosed last week after a couple of months of expectation since its first announcement. It was disclosed as a hidden backdoor but it’s really something more related to access control and crap design than a backdoor. Although keep in mind that good backdoors should be hard to distinguish from simple errors. In this case there are a lot of services using this feature so it’s hardly a hidden backdoor that just sits there waiting for some evil purpose. [Read More]

BadXNU, a rotten apple! – CodeBlue 2014, SyScan 2015 slides and source code

The last SyScan is almost here so it’s time to get again into a plane and travel to Singapore. This means that the slides and source code can finally be released. Below you can find the archive with both presentations slides (they are slightly different, SyScan version fixes/upgrades a few things) and full source code for both rootkit/kext loaders. I hope you enjoy them; they are quite fun techniques, in particular the second one which now I sort of regret to disclose because it’s so cool. [Read More]

Analysis of CoinThief/A "dropper"

There is no such thing as malware in OS X but last week another sample was spotted and made the “news”. I am talking about CoinThief, a malware designed to hijack Bitcoin accounts and steal everything (I must confess I laughed a bit; I think Bitcoin is just a bullshit pyramid scheme but I digress). There are a few samples out there, in different stages of evolution, so this is probably not a very recent operation. [Read More]

AppleDoesntGiveAFuckAboutSecurity iTunes Evil Plugin Proof of Concept

Oh this one has been into my head for so long that I finally decided to try and create the code for it. So let’s go! What’s the background story? In August 2011 I reported to Apple a security issue with iTunes. What happens is that iTunes plugins are loaded into iTunes process space so they have full control of iTunes. Evil plugins can do all kinds of things such as stealing iTunes passwords and credit card information, or patching some annoying features as I did with Disable m3u plugin. [Read More]

Linux/HackingTeamRDorks.A, a “new” and improved version of Linux/CDorked.A

Disclaimer: This malware sample is not in any way related to Hacking Team (as far as I know) other than me making some jokes about them related to a future presentation about their OS X malware product. Two months ago (maybe three) I started noticing a sporadic redirect when I accessed these blog pages. It wasn’t anything “malicious” as far as I could evaluate; just a redirect to adult friend finder site. [Read More]

Breaking OS X signed kernel extensions with a NOP

For some reason Apple wants to change external kernel extensions location from /System/Library/Extensions to /Library/Extensions and introduced in Mavericks a code signing requirement for all extensions and/or drivers located in that folder. Extensions will not be loaded if not signed (those located in the “old” folder and not signed will only generate a warning [check my SyScan360 slides]). The signing certificates require a special configuration and to obtain them you need to justify it. [Read More]

OS.X/Boubou – Mach-O infector PoC source code

More than half a year as passed since HITCON’12 and as far as I know no one cared much about implementing some sort of detection/protection against this type of attack (correct me if I’m wrong). As explained in HITCON slides, this trick can be very useful to install backdoors and avoid the usual lame LaunchDaemons type of thing. I did some massive cleanup to the original PoC that I had glued for HITCON but it’s still a bit messy and definitely not “production” ready. [Read More]

Tales from Crisis, Chapter 4: A ghost in the network

This chapter was supposed to be about additional methods to detect OS.X/Crisis but I had the evil idea of taking full control of Crisis, and played with this idea for the last couple of days. It’s pretty damm easy to customize the dropper, and at the limit, be able to deploy your own version of Crisis to anyone. This raises some problematic questions, some of which I was fooling around with at Twitter. [Read More]