Feeds

New OS X research warns of stealthier Mac attacks

In-memory code injection covers tracks

SANS - Survey on application security programs

A computer security researcher has discovered a new way to inject hostile code directly into the memory of machines running Apple's OS X operating system, a technique that makes it significantly harder for investigators to detect Mac attacks using today's forensics practices.

The technique, which Italian researcher Vincenzo Iozzo plans to detail at the Black Hat security conference in Washington next month, makes it possible to carry out stealthy Mac attacks that until now have not been possible. The in-memory injection approach allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised.

Similar stealth techniques have existed for more than two years for infecting Windows and Linux machines, but until now, researchers knew of no reliable way to cover their tracks when attacking Macs. It's likely only a matter of time until malware developers begin using the method in the wild, said researcher Charles Miller, who has reviewed Iozzo's work.

"The importance is it makes forensics much harder," Miller wrote in an email to The Register. "In the past, you could rely on seeing the trail of the bad guy on the disk, even if they tried cleaning up and deleting their files. This provides a practical method to eliminate that evidence."

Miller said he is in the process of extending the technique to installing unauthorized applications on the iPhone.

Unlike most attacks today, Iozzo's technique allows someone to execute a binary completely within the OS X application or process that's being attacked. That means the operating system doesn't need to open a new process and the exploit code need not ever touch the hard disk of the infected machine. Such activities typically leave a wealth of clues to system administrators trying to tell whether a computer has been compromised.

A student at the Politecnico di Milano, Iozzo was able to fashion the exploit method by carefully monitoring the Mac executable file format known as Mach-O. By mimicking exactly the way OS X lays out executable code in memory, the researcher discovered a way to bypass more traditional ways of loading binaries into the operating system.

Iozzo said OS X's address space layer randomization, which is designed to thwart such attacks by randomizing the memory locations of executable code, can be circumvented by local users. That's because an OS X program known as the dynamic linker is always located at the same address. The dynamic linker in turn allows him to predict the location of other libraries needed to make the attack technique work.

To be clear, attackers who want to use the technique must first have a reliable exploit for an unpatched vulnerability in OS X or in iTunes, Safari, or some other OS X application. The injection method doesn't make it any easier to pierce a Mac's defenses. It only makes it easier for attackers to cover their tracks once they have.

Still, the technique doesn't make attacks completely undetectable. Investigators can still dump the virtual memory and inspect it or detect the attack by using a network intrusion detection system or a host-based anomaly intrusion detection system.

Be that as it may, don't be surprised if it finds its way into real-world attacks in the future.

"It's so easy to use," Miller said. "If I was a bad guy I'd use it. If you care about hiding yourself, it would be stupid not to use it." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.