Friday, January 23, 2015

Shmoocon Notes: Userland Persistence on Mac OS X

Notes from the conf for later

Userland Persistence on Mac OS X

by Josh Pitts @midnite_runr 


the backdoor factory

--framework to patch PE, ELF, and Mach-O binaries

BDFProxy will patch stuff while it is being downloaded

must have root or equivalent to patch the various programs

Background on OSX Persistence

Methods of Malware Persistence on OS X Mavericks (Patrick Wardle)

userland persistence

-plists (executed by launchd, similar to init) on boot, on login, on socket

-evil plugins

-startupitems folders (plist or script)

-binary infection (backdoor factory method)

prior work
-infecting Mach-O _PAGEZERO method
-BouBou Library Injection

josh's blog post related to the talk

pre-text section infection method --> change the entry point to the evil payload; after the payload runs, continue to the parent process

BDF will automatically unsign a signed binary; OS X doesn't care that it's not signed, only that a signature, if present, is correct

interesting boot processes that were patchable
-/sbin/launchd - the first process
-/usr/libexec/xpcproxy - almost everything uses it
-/usr/bin/awk - awk was a boot process (launchd launches a script that launches awk)

Demos in the talk

launchd patch
python script from demo:

Run the script on your baseline. Note the injection candidates and which of them are signed, and check later whether any is NOT signed anymore. That should indicate some muckery going on.
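One way to do that baselining, as an added example that is not the demo script from the talk: record the `codesign --verify` result and a SHA-256 for each candidate boot binary, then diff a later run against the saved baseline. The candidate list and the stderr strings matched are assumptions based on codesign's usual output.

```python
#!/usr/bin/env python3
"""Baseline the code-signing state of boot-time binaries, then diff a later run against it."""
import hashlib
import json
import subprocess
import sys

# Boot-time binaries the talk names as patch candidates (assumed list; extend with your own).
CANDIDATES = ["/sbin/launchd", "/usr/libexec/xpcproxy", "/usr/bin/awk"]


def codesign_status(path, run=subprocess.run):
    """Classify a file via `codesign --verify`: valid, unsigned, invalid or missing.
    `run` is injectable so the classification logic can be exercised off-box."""
    proc = run(["codesign", "--verify", "--strict", path], capture_output=True, text=True)
    if proc.returncode == 0:
        return "valid"
    if "No such file" in proc.stderr:
        return "missing"
    if "not signed" in proc.stderr:  # "code object is not signed at all"
        return "unsigned"
    return "invalid"  # e.g. "invalid signature (code or signature have been modified)"


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(paths=CANDIDATES, status_fn=codesign_status, hash_fn=sha256_of):
    """Record signing status and content hash for every candidate (no hash for a missing file)."""
    out = {}
    for p in paths:
        st = status_fn(p)
        out[p] = {"status": st, "sha256": hash_fn(p) if st != "missing" else None}
    return out


def compare(baseline, current):
    """Findings: a candidate that lost its valid signature, or whose bytes changed at all."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path, {"status": "missing", "sha256": None})
        if old["status"] == "valid" and new["status"] != "valid":
            findings.append(f"{path}: signature went from valid to {new['status']}")
        if old["sha256"] != new["sha256"]:
            findings.append(f"{path}: contents changed (sha256 differs)")
    return findings


if __name__ == "__main__":
    # Usage: baseline.py snapshot > baseline.json   ...later...   baseline.py check baseline.json
    if sys.argv[1] == "snapshot":
        json.dump(snapshot(), sys.stdout, indent=2)
    else:
        with open(sys.argv[2]) as fh:
            print("\n".join(compare(json.load(fh), snapshot())) or "no changes")
```

A binary re-signed with a different identity still verifies as valid, so the hash comparison is what catches a re-signed replacement; the signature check alone catches the BDF unsign-and-patch case.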

