New OS X research warns of stealthier Mac attacks
In-memory code injection covers tracks
A computer security researcher has discovered a new way to inject hostile code directly into the memory of machines running Apple's OS X operating system, a technique that makes it significantly harder for investigators to detect Mac attacks using today's forensics practices.
The technique, which Italian researcher Vincenzo Iozzo plans to detail at the Black Hat security conference in Washington next month, makes it possible to carry out stealthy Mac attacks that until now have not been possible. The in-memory injection approach allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised.
Similar stealth techniques have existed for more than two years for infecting Windows and Linux machines, but until now, researchers knew of no reliable way to cover their tracks when attacking Macs. It's likely only a matter of time until malware developers begin using the method in the wild, said researcher Charles Miller, who has reviewed Iozzo's work.
"The importance is it makes forensics much harder," Miller wrote in an email to The Register. "In the past, you could rely on seeing the trail of the bad guy on the disk, even if they tried cleaning up and deleting their files. This provides a practical method to eliminate that evidence."
Miller said he is in the process of extending the technique to installing unauthorized applications on the iPhone.
Unlike most attacks today, Iozzo's technique allows someone to execute a binary completely within the OS X application or process that's being attacked. That means the operating system doesn't need to open a new process and the exploit code need not ever touch the hard disk of the infected machine. Such activities typically leave a wealth of clues to system administrators trying to tell whether a computer has been compromised.
A student at the Politecnico di Milano, Iozzo was able to fashion the exploit method by carefully monitoring the Mac executable file format known as Mach-O. By mimicking exactly the way OS X lays out executable code in memory, the researcher discovered a way to bypass more traditional ways of loading binaries into the operating system.
Iozzo said OS X's address space layer randomization, which is designed to thwart such attacks by randomizing the memory locations of executable code, can be circumvented by local users. That's because an OS X program known as the dynamic linker is always located at the same address. The dynamic linker in turn allows him to predict the location of other libraries needed to make the attack technique work.
To be clear, attackers who want to use the technique must first have a reliable exploit for an unpatched vulnerability in OS X or in iTunes, Safari, or some other OS X application. The injection method doesn't make it any easier to pierce a Mac's defenses. It only makes it easier for attackers to cover their tracks once they have.
Still, the technique doesn't make attacks completely undetectable. Investigators can still dump the virtual memory and inspect it or detect the attack by using a network intrusion detection system or a host-based anomaly intrusion detection system.
Be that as it may, don't be surprised if it finds its way into real-world attacks in the future.
"It's so easy to use," Miller said. "If I was a bad guy I'd use it. If you care about hiding yourself, it would be stupid not to use it." ®