Methods of malware persistence on Mac OS X

Wednesday 24 September 14:00 - 14:30, Green room.

Patrick Wardle, Synack

   This paper is available online (HTML, PDF).


As Mac OS X continues to increase in popularity, OS X malware, once a rare phenomenon, is now more common than ever. It is therefore essential for forensic and malware analysts to possess an in-depth understanding of OS X and how it may be attacked by malicious code. In general, malware on any OS is designed to persist across reboots, ensuring that it is automatically executed whenever an infected system is restarted. This paper presents a detailed analysis of both the boot and logon processes of Apple's latest OS, OS X Mavericks. Throughout the analysis, methods that malicious adversaries may abuse to ensure malware persistence will be comprehensively identified.

To help illustrate the claims of the analysis, real-world examples of OS X malware that target portions of the OS in order to gain persistence will be presented. For any novel persistence techniques, proof-of-concept code will be discussed, with the goal of preventing future attacks. Finally, an open-source tool will be demonstrated that can enumerate and display persistent OS X binaries that are set to execute automatically upon reboot.

As a result of reading this paper, or attending its presentation, participants will gain a thorough understanding of the OS X boot and logon process, as well as the components that are targeted by persistent malware. Armed with this knowledge, it is hoped that persistent OS X malware will be readily thwarted.


Patrick Wardle


Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Currently, his focus is on the emerging threats of OS X and mobile malware. In addition, Patrick is an experienced vulnerability and exploitation analyst, and has found exploitable 0-days in major operating systems and popular client applications. In his limited spare time, he surfs and writes iOS apps for fun (and hopefully one day, for profit).


