Linux/HackingTeamRDorks.A, a “new” and improved version of Linux/CDorked.A

Disclaimer: This malware sample is not in any way related to Hacking Team (as far as I know) other than me making some jokes about them related to a future presentation about their OS X malware product. Two months ago (maybe three) I started noticing a sporadic redirect when I accessed these blog pages. It wasn’t anything “malicious” as far as I could evaluate; just a redirect to adult friend finder site....

February 5, 2014 · 16 min · 3312 words

Breaking OS X signed kernel extensions with a NOP

For some reason Apple wants to change external kernel extensions location from /System/Library/Extensions to /Library/Extensions and introduced in Mavericks a code signing requirement for all extensions and/or drivers located in that folder. Extensions will not be loaded if not signed (those located in the “old” folder and not signed will only generate a warning [check my SyScan360 slides]). The signing certificates require a special configuration and to obtain them you need to justify it....

November 23, 2013 · 3 min · 523 words

One small patch for GDB, one giant leap for reversers!

One thing that really bothered me for a long time while debugging is the need to calculate the libraries loaded addresses versus the addresses at disk if you want to follow and comment library code in IDA. While the ASLR slide can also be disabled when starting processes (or even attaching by disabling it first in the Mach-O header) sometimes I want to attach to ASLR enabled processes and once again I need to compute values without the slide to follow in IDA....

November 8, 2013 · 3 min · 436 words

Why ESET’s OS X Rootkit Detector is useless...

Last week ESET released a Rootkit Detector tool for OS X. I finally gave a look at it today and as I suspected it is useless (unless rootkit authors are not reading my slides like ESET does not seem to). The only thing it appears to be doing is to check if sysent pointers were modified. Let’s be honest, it’s useless in particular when they mention they have limited visibility into OS X rootkits....

September 30, 2013 · 2 min · 364 words

SyScan360 Beijing slides

Eight days and 10 flights later I am back from SyScan360 in Beijing. It was my first visit to China and I had lots of fun observing many things that I only “knew” from reading. The scale and dimension of everything in Beijing is quite a surprise. No wonder why every Western company wants to be there. We had great food and an awesome visit to the Great Wall. A big thank you to the boys and girls from the organization for all their hard work and dedication....

September 30, 2013 · 2 min · 233 words