Explore advanced techniques for creating sophisticated OS X malware and learn how to better secure your Mac in this 52-minute Black Hat conference talk. Delve into novel persistence methods, abuse of native OS X components to hinder analysis, and ways to bypass OS X's built-in malware mitigations and third-party security tools. Discover how to remotely bypass Gatekeeper, circumvent Apple's 'rootpipe' patch, and generically bypass popular antivirus and personal firewall products. Gain insights into infection methods, software distribution, binary infection, and self-defense mechanisms employed by malware. Learn about runtime injection, load-time injection, and techniques to exploit vulnerabilities in OS X security features. Conclude with an introduction to free security tools that can detect and prevent advanced OS X threats, empowering you to enhance your Mac's protection against current and future malware.
Overview
Syllabus
Introduction
Overview
Why Care
Mac Malware
XSL CMD
AI Worm
Why
Hacking Teams
Conclusions
Our Goal
Infection
Software Distribution
Persistence
Binary Infection
How Secure Is It
Removing The Signature Block
Dialit Hijacking
Persistence Example
Self Defense
Encryption
Custom Loader
InMemory File Loader
Hiding Die Libraries
Making Malware Harder To Delete
SelfMonitoring
Architecture
Shell Code
Inject
Runtime Injection
Load Time Injection
Gatekeeper
How Gatekeeper Works
How Gatekeeper Doesnt Work
How Gatekeeper Works Again
Popups
XProtect
Hash
Sandbox
Kernel Code Signing
Loading Unsigned Extensions
Root Pipe
Root
Static signatures
Little Snitch
GBGKeychain
iCloud Bypass
Proof of Concept
Testing
Security
KnockKnock
Virus Total Integration
BlockBlock
Task Explorer
El Capitan
Demo
Conclusion
QA
Taught by
Black Hat
