Rex the Wonder Dog (here and here) is a proof of concept that uses TrustedBSD framework to install kernel level backdoors. Volatility is able to detect these malicious modules with a plugin created by Andrew Case. The plugin works by looking up the TrustedBSD structures and dumping information about the loaded modules. At SyScan360 I presented a “new” trick to bypass this plugin by creating a shadow structure and leaving the legit one untouched....

Our lovely GDB has been declared dead with Xcode 5 release. The new king in town is LLDB, and that also applies to kernel debugging. Change is good, even if we Humans don’t like it, but… there’s still no gdbinit for LLDB and I just love it. Even more important (for kernel debugging), LLDB still has no support (afaik) for VMware GDB stub. This means it’s not possible to do kernel debugging in Mavericks VMs other than KDP....

There is no such thing as malware in OS X but last week another sample was spotted and made the “news”. I am talking about CoinThief, a malware designed to hijack Bitcoin accounts and steal everything (I must confess I laughed a bit; I think Bitcoin is just a bullshit pyramid scheme but I digress). There are a few samples out there, in different stages of evolution, so this is probably not a very recent operation....

Oh this one has been into my head for so long that I finally decided to try and create the code for it. So let’s go! What’s the background story? In August 2011 I reported to Apple a security issue with iTunes. What happens is that iTunes plugins are loaded into iTunes process space so they have full control of iTunes. Evil plugins can do all kinds of things such as stealing iTunes passwords and credit card information, or patching some annoying features as I did with Disable m3u plugin....

New version available at the github repo, compatible with Mavericks and with a Cocoa app to control its features. Mavericks sysent table is modified so previous versions weren’t compatible with it. I updated the sysent table definitions. It’s not the best method to assure future compatibility in case Apple decides to change the structure again. A better way is to find the symbols for the syscalls and replace them directly in the sysent table....