Maybe the machine knew something.
"I haven't even loaded the rootkit yet," Dai Zovi, chief scientist with Atlanta-based Endgame Systems LLC, said to the packed session room.
For three-quarters of an hour, he'd been regaling swooning Mac fanbois with slide after slide of kernel calls and intricate details of the components of his rootkit called Machiavelli. Dai Zovi finally got the machine working but never managed to demonstrate the long-awaited code.
Machiavelli digs deep into Mac OS X's kernel roots. OS X is a hybrid operating system, Dai Zovi said, a combination of Free BSD and Mach 3.0, which is a microkernel, developed in the early 1990s by researchers at Carnegie Mellon University. Dai Zovi discovered how to bridge the way Mach uses remote procedure calls (RPC), using its inter-process communication (IPC) to own communication between the kernel, and enabling an attacker to make system calls, create kernel threads and tasks.
"Mach IPC made the network transparent; it's a good abstraction for remote host control," Dai Zovi said.
Machiavelli consists of three components, Dai Zovi said: a proxy that receives messages on proxy ports and sends them to a remote agent; an agent that sends messages from the proxy to a local destination and replies only if a reply is expected; and an RPC server, which Dai Zovi called the "glue functionality" holding Machiavelli together.
Dai Zovi said he has only seen proof-of-concept Mac rootkits, and none in the wild. His continued research into the security underpinnings of Mac OS X has given credence to the theory that with more market share, the Mac platform will continue to garner attention from hackers and dent what many Mac enthusiasts believe is an impervious OS.
Rootkits are a series of applications designed to hide malicious code. They have their roots in Unix, but have become an issue in Windows since Joanna Rutkowska's research and Blue Pill rootkit, unveiled at Black Hat in 2006.
"Mach functionality is obscure. When you use obscure functionality, it's less likely to be detected," Dai Zovi said, adding that Machiavelli loads as a kernel extension and removes itself from the kernel module list.
"You're not able to see it. You're not able to unload it," he said.
Earlier in the day, Dai Zovi announced that he had developed a version of Meterpreter, a penetration testing tool, for Mac OS X. Dai Zovi and fellow Mac hacker Charlie Miller developed the attack payload, which is generally used against Windows systems, giving attackers a shell to remotely add code to a system.
Dai Zovi and Miller's Macterpreter could be a game-changer for Mac hackers who have generally been shut out of what Dai Zovi called the "holy grail of Metasploit goodness."
Metasploit, a framework built and managed by hacker H.D. Moore, helps built remote exploit code used by pen testers to find system vulnerabilities.
Macterpreter, Dai Zovi said, will enable attackers to do code injection; he attempted to demonstrate that could own a remote Mac system and take a picture of the victim using the Macbook's built-in camera. Alas, much like his rootkit presentation, this demo didn't work either.