Feeds

New OS X research warns of stealthier Mac attacks

In-memory code injection covers tracks

Secure remote control for conventional and virtual desktops

A computer security researcher has discovered a new way to inject hostile code directly into the memory of machines running Apple's OS X operating system, a technique that makes it significantly harder for investigators to detect Mac attacks using today's forensics practices.

The technique, which Italian researcher Vincenzo Iozzo plans to detail at the Black Hat security conference in Washington next month, makes it possible to carry out stealthy Mac attacks that until now have not been possible. The in-memory injection approach allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised.

Similar stealth techniques have existed for more than two years for infecting Windows and Linux machines, but until now, researchers knew of no reliable way to cover their tracks when attacking Macs. It's likely only a matter of time until malware developers begin using the method in the wild, said researcher Charles Miller, who has reviewed Iozzo's work.

"The importance is it makes forensics much harder," Miller wrote in an email to The Register. "In the past, you could rely on seeing the trail of the bad guy on the disk, even if they tried cleaning up and deleting their files. This provides a practical method to eliminate that evidence."

Miller said he is in the process of extending the technique to installing unauthorized applications on the iPhone.

Unlike most attacks today, Iozzo's technique allows someone to execute a binary completely within the OS X application or process that's being attacked. That means the operating system doesn't need to open a new process and the exploit code need not ever touch the hard disk of the infected machine. Such activities typically leave a wealth of clues to system administrators trying to tell whether a computer has been compromised.

A student at the Politecnico di Milano, Iozzo was able to fashion the exploit method by carefully monitoring the Mac executable file format known as Mach-O. By mimicking exactly the way OS X lays out executable code in memory, the researcher discovered a way to bypass more traditional ways of loading binaries into the operating system.

Iozzo said OS X's address space layer randomization, which is designed to thwart such attacks by randomizing the memory locations of executable code, can be circumvented by local users. That's because an OS X program known as the dynamic linker is always located at the same address. The dynamic linker in turn allows him to predict the location of other libraries needed to make the attack technique work.

To be clear, attackers who want to use the technique must first have a reliable exploit for an unpatched vulnerability in OS X or in iTunes, Safari, or some other OS X application. The injection method doesn't make it any easier to pierce a Mac's defenses. It only makes it easier for attackers to cover their tracks once they have.

Still, the technique doesn't make attacks completely undetectable. Investigators can still dump the virtual memory and inspect it or detect the attack by using a network intrusion detection system or a host-based anomaly intrusion detection system.

Be that as it may, don't be surprised if it finds its way into real-world attacks in the future.

"It's so easy to use," Miller said. "If I was a bad guy I'd use it. If you care about hiding yourself, it would be stupid not to use it." ®

Beginner's guide to SSL certificates

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.