Feeds

New OS X research warns of stealthier Mac attacks

In-memory code injection covers tracks

Secure remote control for conventional and virtual desktops

A computer security researcher has discovered a new way to inject hostile code directly into the memory of machines running Apple's OS X operating system, a technique that makes it significantly harder for investigators to detect Mac attacks using today's forensics practices.

The technique, which Italian researcher Vincenzo Iozzo plans to detail at the Black Hat security conference in Washington next month, makes it possible to carry out stealthy Mac attacks that until now have not been possible. The in-memory injection approach allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised.

Similar stealth techniques have existed for more than two years for infecting Windows and Linux machines, but until now, researchers knew of no reliable way to cover their tracks when attacking Macs. It's likely only a matter of time until malware developers begin using the method in the wild, said researcher Charles Miller, who has reviewed Iozzo's work.

"The importance is it makes forensics much harder," Miller wrote in an email to The Register. "In the past, you could rely on seeing the trail of the bad guy on the disk, even if they tried cleaning up and deleting their files. This provides a practical method to eliminate that evidence."

Miller said he is in the process of extending the technique to installing unauthorized applications on the iPhone.

Unlike most attacks today, Iozzo's technique allows someone to execute a binary completely within the OS X application or process that's being attacked. That means the operating system doesn't need to open a new process and the exploit code need not ever touch the hard disk of the infected machine. Such activities typically leave a wealth of clues to system administrators trying to tell whether a computer has been compromised.

A student at the Politecnico di Milano, Iozzo was able to fashion the exploit method by carefully monitoring the Mac executable file format known as Mach-O. By mimicking exactly the way OS X lays out executable code in memory, the researcher discovered a way to bypass more traditional ways of loading binaries into the operating system.

Iozzo said OS X's address space layer randomization, which is designed to thwart such attacks by randomizing the memory locations of executable code, can be circumvented by local users. That's because an OS X program known as the dynamic linker is always located at the same address. The dynamic linker in turn allows him to predict the location of other libraries needed to make the attack technique work.

To be clear, attackers who want to use the technique must first have a reliable exploit for an unpatched vulnerability in OS X or in iTunes, Safari, or some other OS X application. The injection method doesn't make it any easier to pierce a Mac's defenses. It only makes it easier for attackers to cover their tracks once they have.

Still, the technique doesn't make attacks completely undetectable. Investigators can still dump the virtual memory and inspect it or detect the attack by using a network intrusion detection system or a host-based anomaly intrusion detection system.

Be that as it may, don't be surprised if it finds its way into real-world attacks in the future.

"It's so easy to use," Miller said. "If I was a bad guy I'd use it. If you care about hiding yourself, it would be stupid not to use it." ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.