Wednesday 24 September 14:00 - 14:30, Green room.
Patrick Wardle (Synack)
download slides (PDF)
As Mac OS X continues to increase in popularity, OS X malware, once a rare phenomenon, is now more common than ever. Because of this, it is essential for forensic and malware analysts to possess an in-depth understanding of OS X and of how it may be attacked by malicious code. In general, malware on any OS is designed to persist across reboots, ensuring that it is automatically executed whenever an infected system is restarted. This paper presents a detailed analysis of both the boot and the logon process of Apple's latest OS, OS X Mavericks. Throughout the analysis, the methods that malicious adversaries may abuse to ensure malware persistence are comprehensively identified.
To help illustrate the claims of the analysis, real-world examples of OS X malware that target portions of the OS in order to gain persistence will be presented. For any novel persistence techniques, proof-of-concept code will be discussed, with the goal of preventing future attacks. Finally, an open-source tool will be demonstrated that can enumerate and display persistent OS X binaries that are set to execute automatically upon reboot.
As a result of reading this paper, or attending its presentation, participants will gain a thorough understanding of the OS X boot and logon process, as well as of the components that are targeted by persistent malware. Armed with this knowledge, it is hoped that persistent OS X malware will be readily thwarted.
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Currently, his focus is on the emerging threats of OS X and mobile malware. In addition, Patrick is an experienced vulnerability and exploitation analyst, and has found exploitable 0-days in major operating systems and popular client applications. In his limited spare time, he surfs and writes iOS apps for fun (and hopefully one day, for profit).