New hacking method stealthily attacks Macs with malware

By Neil Roiter, Senior Technology Editor, Information Security magazine 19 Feb 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

ARLINGTON, Va. -- The good news, those Macs, especially the notebooks in the C-Suite, are getting very popular. The bad news is the days when it was redundant to say "Mac" and "secure" are probably gone.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Mac vulnerabilities are starting to draw attention. With valuable data on corporate notebooks and with a lot more home Mac users shopping and banking online, they are likely to draw attention from Internet criminals.

They're already drawing attention from Internet security researchers, like Italian researcher Vincenzo Iozzo, who showed a Black Hat crowd Wednesday how to inject malicious code into Mac OS X memory. The method leaves no trace of the code, his presence or any sign the attack occurred, frustrating forensics investigators.

Black Hat DC Briefings: Intel Trusted Execution Technology is flawed, Black Hat researchers show: Security researchers Joanna Rutkowska and colleague Rafal Wojtczuk have discovered new Intel bugs that would allow attackers to bypass Intel Trusted Execution Technology. SSLstrip hacking tool bypasses SSL to trick users, steal passwords Moxie Marlinspike explains how his hacking technique fools Web users into thinking they are on an SSL-protected site, leaving them feeling quite safe, but pwned all the same.

"The OS kernel doesn't know about it," he said. "If we list processes on the victim's computer, you won't see our infected binary. And, this means we can write payloads in a high-level language."

The technique subverts the Mach-O file format, which is used to store OS X binaries on disk. The attack binary changes the protection flags on Mach-O's PAGE_ZERO segment, which is used to store malicious code. Iozzo, a student at the Politecnico di Milano University, said the attack can also overcome the address pace layout randomization for libraries introduced with Leopard. ASLR is designed to defeat attacks like his by randomizing memory locations of executables.

The attack depends on a reliable exploit of an unpatched OS X vulnerability so the malicious binary can be injected.

There are already similar techniques for Windows and most Linux versions.

Iozzo and researcher Charles Miller plan to demonstrate the technique against the Apple iPhone at Black Hat Europe in April.

Tags: Hacker Tools and Techniques: Underground Sites and Hacking Groups,  Alternative OS security: Mac, Linux, Unix, etc.,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Hacker Tools and Techniques: Underground Sites and Hacking Groups Metasploit Project acquisition ups ante for penetration testing market Successful rogue antivirus hinges on social engineering DEFCON survey suggests hacker community on vacation DoD urges less network anonymity, more PKI use New hacker skills optimize revenue Maturing cybercriminal economy buoyed by business savvy hackers Juniper pulls ATM hacking presentation from Black Hat Botnet platform helps cybercriminals bid for zombie PCs Man pleads guilty in online banking hacking scam ATM malware lets attackers take over machines Alternative OS security: Mac, Linux, Unix, etc. Machiavelli Mac OS X rootkit unveiled at Black Hat How secure is 'Platform as a Service (PaaS)?' Security comparison: Mac OS X vs. Windows Mac OS memory flaws pose challenges for enterprise endpoint protection Rootkit Hunter demo: Detect and remove Linux rootkits Oracle to buy Sun Microsystems for $7.4 billion How to harden Linux operating systems Serious holes in Mac OS X memory, researcher shows What is the best operating system for an FTP server implementation? Black Hat DC 2009: Mac OS attack method Alternative OS security: Mac, Linux, Unix, etc. Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary black hat  (SearchSecurity.com) cracker  (SearchSecurity.com) cyberextortion  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) Echelon  (SearchSecurity.com) hacker  (SearchSecurity.com) man in the middle attack  (SearchSecurity.com) van Eck phreaking  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary