Flashback OS X Malware - Virus Bulletin
Broderick Ian Aquilino – September 27, 2012
Protecting the irreplaceable | f-secure.com
Agenda
• Infection Vector
• Installation
• Main Binary
• C&C Servers
• Payload
• Remaining Binaries
• Filter/Loader Binary
• LaunchAgent Binary
Infection Summary
(Infection chain diagram: Hacked Website -> Distribution Website -> Installer -> Main Binary -> Filter/Loader -> Launch Agent)
Infection Vector
• CVE-2008-5353
• CVE-2011-3544
• CVE-2012-0507
Installation
Main Binary
Main Binary: Update Server
• Creates a thread that connects to a set of C&C servers to download updates every 3670 secs (>1hr)
(Diagram: sources of the update C&C server list)
• Hardcoded list
• Returned by a third party server
• Generated list based on date (new variants only)
Main Binary: Update Program
• Response: %marker1%%encoded_VM_program%%marker2%%encoded_MD5_RSA_signature%%marker3%
• Log SHA1 of VM program
  • {HOME}/Library/Logs/swlog
  • {HOME}/Library/Logs/vmLog
Main Binary: Payload C&C (Newer Variants)
• Same thread will also connect to another set of C&C servers
• This time to select a server for executing the payload
(Diagram: sources of the payload C&C server list)
• Updateable list (Entry ID 3035856777)
• Hardcoded list (Entry ID 2522550406)
• Generated list based on date
Main Binary: Payload C&C (Old Variants)
• Selected only once - when binary is loaded
(Diagram: source of the payload C&C server list)
• Hardcoded list (Entry ID 2413278617)
Main Binary: Payload C&C Validation
• Response: %SHA1_string_of_server_name% | %MD5_RSA_signature%
• Use (2nd – old variant / 1st – new variant) host in hardcoded list as default server
• Use “localhost” if configuration entry does not exist (new variant only)
Main Binary: Payload (Old Variants)
(Diagram: hooked network functions)
• Outbound: CFWriteStreamWrite, send
• Inbound: CFReadStreamRead, recv
Main Binary: Payload (Old Variants)
(Diagram: hook logic)
• Outbound: To Google? Pls reply in a format that is parseable
• Inbound: Contains target string? Inject content
Demo
Main Binary: Payload (Newer Variants)
(Diagram: Browser with CFWriteStreamWrite / CFReadStreamRead hooks, Other Modules, Command and Control, Google, Destination)
Main Binary: Payload (Newer) -> Search
(Diagram, same components as above: keyword and other info sent from the hooked browser to Command and Control)
Main Binary: Payload (Newer) -> Search
(Diagram, same components as above: original search request to Google; search result returned; redirection data and/or other commands from Command and Control)
Main Binary: Payload (Newer) -> Click
(Diagram, same components as above: tracking info sent to Command and Control; redirection info returned)
Main Binary: Payload (Newer) -> Click
• Google returns the request in the response
Main Binary: Payload (Newer) -> Click
(Diagram, same components as above: redirection script injected; request to new destination)
Main Binary: Payload (Newer) -> Click
(Diagram, same components as above: request with modified referrer sent to Destination)
Demo
Filter/Loader Binary
LaunchAgent Binary
LaunchAgent Binary
• Stand-alone light version of the updater module found in the main binary
• Uses a different set of C&C servers
• Similar server validation process
• Logs CRC32 of the update/installation program
  • /tmp/.%crc32_of_VM_program%
• Has its own instruction set
(Diagram: sources of the LaunchAgent C&C server list)
• Generated list based on constants
• Generated list based on date
• Hardcoded list
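As an added defender-side example (not code from the talk or from F-Secure), the following Python script correlates a suspect VM program blob with the two artifact locations the slides name: the SHA1 logged under {HOME}/Library/Logs/swlog and vmLog (Update Program slide) and the /tmp/.%crc32_of_VM_program% marker written by the LaunchAgent binary (this slide). It assumes the CRC32 is written as eight lower-case hex digits, which the slides do not state, and the sample blob is constructed.

```python
import hashlib
import os
import re
import zlib
from pathlib import Path

# Log files named on the Update Program slide, relative to {HOME}.
LOG_FILES = ("Library/Logs/swlog", "Library/Logs/vmLog")
# Assumption: "/tmp/.%crc32_of_VM_program%" renders the CRC32 as 8 lower-case hex digits.
CRC_MARKER_RE = re.compile(r"^\.([0-9a-f]{8})$")


def crc32_hex(data: bytes) -> str:
    """CRC32 of the blob as 8 hex digits, matching the assumed marker file name."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha1_hex(data: bytes) -> str:
    """SHA1 of the blob, the value the main binary logs for the VM program."""
    return hashlib.sha1(data).hexdigest()


def crc_markers(tmp_entries):
    """Extract CRC32 values from /tmp dotfile names (e.g. '.cbf43926')."""
    return [m.group(1) for m in map(CRC_MARKER_RE.match, tmp_entries) if m]


def correlate(program: bytes, tmp_entries, log_texts):
    """Report which of the slide's artifacts reference the given program blob."""
    crc, sha = crc32_hex(program), sha1_hex(program)
    return {
        "crc32": crc,
        "sha1": sha,
        "crc_marker_present": crc in crc_markers(tmp_entries),
        "sha1_logged": any(sha in text for text in log_texts),
    }


def collect_host_artifacts(home=None):
    """Live triage: list /tmp and read the two log files if they exist."""
    home = Path(home or Path.home())
    tmp_entries = os.listdir("/tmp") if os.path.isdir("/tmp") else []
    log_texts = [
        (home / rel).read_text(errors="replace")
        for rel in LOG_FILES if (home / rel).is_file()
    ]
    return tmp_entries, log_texts


if __name__ == "__main__":
    sample = b"constructed VM program bytes"  # constructed, not a real sample
    print(correlate(sample, *collect_host_artifacts()))
```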
LaunchAgent Binary - Recent Variant
• Taken over the responsibility of installing the malware