Machiavelli Mac OS X rootkit unveiled at Black Hat

By Michael S. Mimoso, Editor, Information Security magazine
30 Jul 2009 | SearchSecurity.com


LAS VEGAS -- Dino Dai Zovi was 45 minutes into his advanced Mac OS X rootkits presentation Wednesday at Black Hat USA 2009 when his Macbook panicked and rebooted.

Maybe the machine knew something.

"I haven't even loaded the rootkit yet," Dai Zovi, chief scientist with Atlanta-based Endgame Systems LLC, said to the packed session room.

For three-quarters of an hour, he'd been regaling swooning Mac fanbois with slide after slide of kernel calls and intricate details of the components of his rootkit called Machiavelli. Dai Zovi finally got the machine working but never managed to demonstrate the long-awaited code.

A noted Mac hacker, Dai Zovi was able to unveil the proof-of-concept Machiavelli with code samples and details on the tool, which he will release shortly.

Machiavelli digs deep into Mac OS X's kernel roots. OS X is a hybrid operating system, Dai Zovi said, a combination of FreeBSD and Mach 3.0, a microkernel developed in the early 1990s by researchers at Carnegie Mellon University. Dai Zovi found a way to bridge Mach's remote procedure calls (RPC) over its inter-process communication (IPC), taking control of communication with the kernel and enabling an attacker to make system calls and create kernel threads and tasks.

"Mach IPC made the network transparent; it's a good abstraction for remote host control," Dai Zovi said.

Machiavelli consists of three components, Dai Zovi said: a proxy that receives messages on proxy ports and sends them to a remote agent; an agent that sends messages from the proxy to a local destination and replies only if a reply is expected; and an RPC server, which Dai Zovi called the "glue functionality" holding Machiavelli together.
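The "replies only if a reply is expected" rule described above comes down to a property of Mach messaging itself: a request carries a reply port (msgh_local_port) only when the sender wants an answer. This added example, which is not Dai Zovi's code, parses a mach_msg_header_t from a byte buffer and makes that decision; field layout and constants follow <mach/message.h>, a little-endian (Intel Mac) layout is assumed, and the sample headers are constructed.

```python
import struct
from dataclasses import dataclass

# mach_msg_header_t: six 32-bit fields (24 bytes) on both 32- and 64-bit Macs.
# Little-endian is assumed here (Intel Macs of the 2009 era).
MACH_MSG_HEADER = struct.Struct("<IIIIIi")
MACH_PORT_NULL = 0

# msgh_bits layout from <mach/message.h>: remote disposition in bits 0-4,
# local (reply port) disposition in bits 8-12, complex flag in bit 31.
MACH_MSGH_BITS_REMOTE_MASK = 0x0000001F
MACH_MSGH_BITS_LOCAL_MASK = 0x00001F00
MACH_MSGH_BITS_COMPLEX = 0x80000000

# Port-right dispositions relevant to request/reply traffic.
MACH_MSG_TYPE_MOVE_SEND_ONCE = 18
MACH_MSG_TYPE_COPY_SEND = 19
MACH_MSG_TYPE_MAKE_SEND_ONCE = 21
REPLY_DISPOSITIONS = {MACH_MSG_TYPE_MOVE_SEND_ONCE, MACH_MSG_TYPE_MAKE_SEND_ONCE}


@dataclass(frozen=True)
class MachHeader:
    bits: int
    size: int
    remote_port: int
    local_port: int
    voucher_port: int
    msg_id: int

    @property
    def local_disposition(self) -> int:
        return (self.bits & MACH_MSGH_BITS_LOCAL_MASK) >> 8

    @property
    def expects_reply(self) -> bool:
        # A receiver should answer only when the sender supplied a reply port
        # carrying a send-once right; a one-way message leaves it MACH_PORT_NULL.
        return self.local_port != MACH_PORT_NULL and self.local_disposition in REPLY_DISPOSITIONS


def parse_mach_header(raw: bytes) -> MachHeader:
    if len(raw) < MACH_MSG_HEADER.size:
        raise ValueError("short buffer: need %d bytes" % MACH_MSG_HEADER.size)
    fields = MACH_MSG_HEADER.unpack_from(raw)
    if fields[1] < MACH_MSG_HEADER.size:  # msgh_size must cover the header itself
        raise ValueError("msgh_size smaller than header")
    return MachHeader(*fields)


def build_bits(remote_disp: int, local_disp: int = 0) -> int:
    return (remote_disp & 0x1F) | ((local_disp & 0x1F) << 8)


# Constructed sample headers (not captured traffic): a request with a reply
# port, and a one-way notification with no reply port.
REQUEST = MACH_MSG_HEADER.pack(build_bits(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE), 32, 0x1303, 0x1407, 0, 1000)
ONEWAY = MACH_MSG_HEADER.pack(build_bits(MACH_MSG_TYPE_COPY_SEND), 24, 0x1303, MACH_PORT_NULL, 0, 1001)
```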

Dai Zovi said he has only seen proof-of-concept Mac rootkits, and none in the wild. His continued research into the security underpinnings of Mac OS X has given credence to the theory that with more market share, the Mac platform will continue to garner attention from hackers and dent what many Mac enthusiasts believe is an impervious OS.

Rootkits are a class of software designed to hide malicious code. They have their roots in Unix, but have become an issue in Windows since Joanna Rutkowska's research and Blue Pill rootkit, unveiled at Black Hat in 2006.

"Mach functionality is obscure. When you use obscure functionality, it's less likely to be detected," Dai Zovi said, adding that Machiavelli loads as a kernel extension and removes itself from the kernel module list.

"You're not able to see it. You're not able to unload it," he said.

Earlier in the day, Dai Zovi announced that he had developed a version of Meterpreter, a penetration testing tool, for Mac OS X. Dai Zovi and fellow Mac hacker Charlie Miller developed the Mac version of the attack payload, which is generally used against Windows systems and gives attackers a shell from which to remotely load code onto a system.

Dai Zovi and Miller's Macterpreter could be a game-changer for Mac hackers who have generally been shut out of what Dai Zovi called the "holy grail of Metasploit goodness."

Metasploit, a framework built and managed by hacker H.D. Moore, helps build the remote exploit code pen testers use to find system vulnerabilities.

Macterpreter, Dai Zovi said, will enable attackers to do code injection; he attempted to demonstrate that it could take over a remote Mac system and take a picture of the victim using the Macbook's built-in camera. Alas, much like his rootkit presentation, this demo didn't work either.
