Rex vs The Romans – Anti Hacking Team Kernel Extension

After surviving the five shots at SyScan’s WhiskeyCon I am finally back home and you get a chance to see the slides and code for the TrustedBSD module I presented there. The goal of REX vs The Romans is to work as detection and prevention tool of Hacking Team’s OS X malware. The TrustedBSD hook allows to detect if the system is already infected, and the Kauth listener to warn about any future infection....

April 8, 2014 · 2 min · 324 words

Teaching Rex another TrustedBSD trick to hide from Volatility

Rex the Wonder Dog (here and here) is a proof of concept that uses TrustedBSD framework to install kernel level backdoors. Volatility is able to detect these malicious modules with a plugin created by Andrew Case. The plugin works by looking up the TrustedBSD structures and dumping information about the loaded modules. At SyScan360 I presented a “new” trick to bypass this plugin by creating a shadow structure and leaving the legit one untouched....

March 18, 2014 · 9 min · 1794 words

Don’t die GDB, we love you: kgmacros ported to Mavericks.

Our lovely GDB has been declared dead with Xcode 5 release. The new king in town is LLDB, and that also applies to kernel debugging. Change is good, even if we Humans don’t like it, but… there’s still no gdbinit for LLDB and I just love it. Even more important (for kernel debugging), LLDB still has no support (afaik) for VMware GDB stub. This means it’s not possible to do kernel debugging in Mavericks VMs other than KDP....

February 21, 2014 · 2 min · 268 words

Analysis of CoinThief/A "dropper"

There is no such thing as malware in OS X but last week another sample was spotted and made the “news”. I am talking about CoinThief, a malware designed to hijack Bitcoin accounts and steal everything (I must confess I laughed a bit; I think Bitcoin is just a bullshit pyramid scheme but I digress). There are a few samples out there, in different stages of evolution, so this is probably not a very recent operation....

February 16, 2014 · 8 min · 1671 words

AppleDoesntGiveAFuckAboutSecurity iTunes Evil Plugin Proof of Concept

Oh this one has been into my head for so long that I finally decided to try and create the code for it. So let’s go! What’s the background story? In August 2011 I reported to Apple a security issue with iTunes. What happens is that iTunes plugins are loaded into iTunes process space so they have full control of iTunes. Evil plugins can do all kinds of things such as stealing iTunes passwords and credit card information, or patching some annoying features as I did with Disable m3u plugin....

February 15, 2014 · 4 min · 678 words