Shakacon number 6 is over; it was a blast, and I must confess it beat my expectations. Congratulations to everyone involved in making it possible. Definitely recommended if you want to speak or attend, and totally worth the massive jet lag ;-).
My presentation was about reverse engineering the latest known sample of HackingTeam’s OS X malware. The slide count is 206 and I was obviously not able to present everything. The goal is that you have a nice reference available for this malware and also for MPRESS unpacking (technically, dumping).
This sample in particular was thought to be a newer version of this malware, but I try to show you that I don’t think that is the case and that instead it’s the oldest version of HackingTeam’s OS X malware. If this theory is true, it means we have a two-year knowledge gap about the OS X version. Interesting challenge ahead!
The tool I promised to release will have to wait a couple more days, since I need to fix its code to implement the fixes I suggest regarding the differences between file and memory sizes. Keep watching this space, GitHub or Twitter.
Update: MPRESS dumper source code is now available on GitHub.
Link to slides (34.3 MB):
ShakaCon6-FuckYouHackingTeam.pdf (Dropbox mirror)
There is no such thing as malware in OS X, but last week another sample was spotted and made the “news”. I am talking about CoinThief, a malware designed to hijack Bitcoin accounts and steal everything (I must confess I laughed a bit; I think Bitcoin is just a bullshit pyramid scheme, but I digress…).
There are a few samples out there, in different stages of evolution, so this is probably not a very recent operation. Nicholas Ptacek from SecureMac broke the story and did an initial analysis. Check his link here, and also ThreatPost for some details about the different infected applications and how it started.
This post will target the initial stage of the malware packed with the StealthBit application, and go a bit into the browser extensions the malware installs.
The first step is to load the main binary into IDA or Hopper (I still use IDA mostly out of laziness and habit). We are presented with this nice picture (not all methods shown) of very weird class and method names.
A reader was asking me some questions related to some stuff I used in my crackme and I decided to release its source code. Enough time went by already and I do not think it has many important secrets ;-).
Now, you will have to forgive me, but that is one hell of an ugly piece of source code! I just removed some dead code and did some other minor cleanups. Right now I do not have enough time to fix and clean up the code, even if I really do not like it at all. Maybe I will leave that for Crackme #2 one of these days.
If you have enough patience to read the messy code, there are bits and pieces of code that implement interesting things in OS X. Some are probably not the best approaches, but the core concepts are there.
The source code contains some auxiliary and test utils to test some of the concepts used in the keygen. The most interesting one is probably the Mach-O header mangler.
Feel free to ask any questions, I will try to help if I can remember it 😉
Source code available here https://github.com/gdbinit/crackme_nr1.
Enjoy, and I hope to see your own OS X crackmes soon.
I was lucky enough to get my hands on an updated version of an interesting multiplatform virus and decided to reverse the OS X part. The original virus is from 2006, by JPanic, and it’s called CAPZLOQ TEKNIQ v1.0. The new version adds support for infecting OS X binaries, 32-bit x86 only, although it supports infection of fat binaries (the x86 version only).
Source code for the original version is available here. I just took a peek at a thing or two, mostly to confirm my assumptions, even if the code is a bit different. The code is written in assembly, which is more fun to reverse due to the tricks it allows. It is refreshing to see interesting virus code in OS X, for a change :-).
My reversing target is an already infected Mach-O binary, executed in a new environment. What happens is that the infected sample will try to infect other binaries in the new environment. The reason for this is that the original sample I got is the Windows binary, which was used to infect my OS X binary. Since it is multiplatform, the virus payload and infection routine are the same, so it is OK to just reverse an infected binary instead of the first-generation launcher.
Let’s do as the Lilliputians wanted to and start the house by the top. How can you spot an infected binary?
Yesterday I gave a presentation about OS X Malware at Confraria SI in Lisbon, a monthly meeting between IT security professionals and enthusiasts.
The presentation was an update to the HiTCON version, removing some things about old malware and Flashback tricks, adding Crisis slides and small fixes to stuff here and there.
Enjoy it 🙂
Confraria 2012 Presentation.pdf
This chapter was supposed to be about additional methods to detect OS.X/Crisis, but I had the evil idea of taking full control of Crisis, and played with this idea for the last couple of days. It’s pretty damn easy to customize the dropper and, at the limit, be able to deploy your own version of Crisis to anyone. This raises some problematic questions, some of which I was fooling around with on Twitter. To make it clear, I have no intent whatsoever to resell Crisis or anything like that. First because it conflicts with my values, and second because it enters a potentially big legal minefield.
To me, hacking is all about raising the weird questions, playing with stuff, and experimenting with what others don’t see. I would love to have the resources to answer and test the legal minefield just because it’s a curious topic. The world is increasingly dangerous for hacking. It’s sort of a paradox that in an age of fast access to information the trend seems to be running towards making it more difficult to access and spread information. But enough of philosophical questions!
I will keep researching in private if I have time to. My free time status is going to change soon so things will be different. I still have some very cool ideas to try with Crisis and they would probably generate some interesting articles. We’ll have to wait and see if the environment changes.