Tales from Crisis, Chapter 2: Backdoor’s first steps

Let’s continue our cute story about OS.X/Crisis, this time with the startup flow of the main backdoor module. Please excuse the delay on this chapter – I had some fun with the rootkit and that diverted me to other things. The first curious detail about the backdoor module (installed as /Users/USERNAME/Library/Preferences/jlc3V7we.app/IZsROY7X.-MP) is that no obfuscation/anti-debugging tricks are used (except one), so its analysis is easier than the dropper’s. It also uses Objective-C heavily, which is still a bit annoying in IDA but has the advantage of the code being very descriptive....

August 20, 2012 · 8 min · 1635 words · fG!

Tales from Crisis, Chapter 1: The dropper’s box of tricks

Mac malware is back in the news spotlight, this time with Crisis (insert one of the other thousand names here _____). This malware is nothing more than commercial spy software being sold for a lot of money to governments or something (oh boy, I could make a good living out of this). I’m lucky enough to have a sample of it (thank you, you know who you are!) and also lucky to be able to talk about it (it uses some similar tricks that I knew about)....

August 6, 2012 · 6 min · 1236 words · fG!

ExtractMachO: an IDA plugin to extract Mach-O binaries from disassembly

This is an IDA plugin to extract Mach-O binaries located in IDA disassembly, either in code or data segments. For now it only supports isolated 32-bit or 64-bit binaries and not fat binaries. It also expects a normally formatted binary, not something mangled like my crackme, for example. I expect to add support for fat binaries soon. Why did I create this plugin? Everyone is talking about the latest OS X malware, Crisis (or whatever other name everyone is using – the AV scene is so lame that no one respects the first name given, blah!...

July 30, 2012 · 1 min · 200 words · fG!

HITCON 2012 Review and slides

After more than 30h inside planes and airports, I’m finally back home! The Asia 2012 tour is over. HITCON was really great and well organized. It was bigger than I expected, with lots of curious and cool people. I got into the mood and took many pictures with everyone – there goes my anonymity! My speaking slot was after lunch, which is a tough one. I could only spot half a dozen people sleeping, so I might have done a good job....

July 27, 2012 · 2 min · 313 words · fG!

Secuinside 2012 Review and Slides

After 27h flying around the world and hanging around at airports, I’m finally back home. Secuinside 2012 in Seoul was fantastic! The organization was really great and, most of all, the hosts were exceptionally friendly and awesome. There are minor details to work on for next year, but these guys had a very short time frame to organize this one. Lots of hard work behind it! They definitely have the talent required to take it to the next step....

July 13, 2012 · 2 min · 312 words · fG!