OSX From Mass Exploitation to Targeted Attacks
1. From OS X Mass Exploitation to OS X Targeted Attacks
A New Season of Apple Malware Incidents Plucking Vulnerable Systems and Users
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
2. Apple’s Mac OS X - Ripe for Infiltration
Whoa. What happened?
• Flashfake and Mac OS X Mass Exploitation
• Large botnet running on infected Mac OS X systems
• Mac OS X, Java vulnerable code base and installs
• Compromised sites, trickery, Oracle Java exploitation and C2
• Flashfake trojan and relatives
• What Next?
• What history tells us – rebuilding a better botnet
• Apple’s technology and role
• Mac OS X Security Best Practices
• Taking it a Step Further: The APT and Mac OS X Targeted Attacks
• Spearphishing and Client-Side Remote Code Execution
• Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser
3. Flashfake and Mac OS X Mass Exploitation
Size and Trending Numbers
• Large 700,000+ node botnet running on Mac OS X systems
[Chart: Unique bots over time reporting to sinkholed domains]
• Mac OS X – Snow Leopard and Lion
• Java + Browser Plugins – Delivered/updated by Apple, not Oracle
CVE-2008-5353, CVE-2011-3544, Trickery
[Chart: OS X + vulnerable Java installs visiting removal tool download site]
4. Flashfake and Mac OS X Mass Exploitation
Massive spread
• Compromised sites, trickery, Oracle Java exploitation and C2
• Flashfake trojan and relatives
• Search engine traffic hijacker and ad revenues
• Comparison to Palevo functionality
• Hooking functionality and redirecting interesting traffic
*sketchoo (http://sketchoo.deviantart.com/)
5. Where are we now?
Current botnet operation and cleanup efforts
• Flashback sinkhole operations
• Early reversing of domain generation algorithm yielded results
• Botnet is virtually dead – no exe delivered, global C2 takedown effort in motion, no new exploit distribution sites
[Chart: Unique bots currently checking in over time – cleanup is working and significant with DGA botnets]
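The "unique bots over time" charts on slides 3 and 5 come from counting distinct infected hosts that check in to the sinkholed domains each day. The script below is an added example, not code from the presentation or from Kaspersky: it assumes a constructed, generic sinkhole access-log format (date, client IP, requested host, bot identifier) because the slides do not describe Flashback's real check-in format, and it deduplicates on the bot identifier rather than the IP address so that NAT and DHCP churn do not inflate or deflate the count.

```python
"""Count unique bots checking in to sinkholed domains, per day.

Added example, not part of the original presentation. The log format is an
assumption: one line per request, "<YYYY-MM-DD> <client_ip> <host> <bot_id>".
"""
from collections import defaultdict
from datetime import date

# Constructed sample sinkhole log (not real data). The same bot (7C3A-1)
# checks in twice on the first day and from the same IP on the second,
# one host changes IP, and one line is malformed.
SAMPLE_LOG = """\
2012-04-10 198.51.100.7 abcdef.com 7C3A-1
2012-04-10 198.51.100.7 abcdef.com 7C3A-1
2012-04-10 203.0.113.9 abcdef.com 9F00-2
2012-04-10 203.0.113.9 unrelated.example 9F00-2
2012-04-11 198.51.100.7 ghijkl.net 7C3A-1
2012-04-11 192.0.2.44 ghijkl.net 11AB-3
2012-04-12 192.0.2.99 mnopqr.org 11AB-3
this line is malformed and must be skipped
"""

# Domains the sinkhole operator controls (constructed placeholders, not
# Flashback's actual DGA output).
SINKHOLED_DOMAINS = {"abcdef.com", "ghijkl.net", "mnopqr.org"}


def parse_line(line):
    """Return (day, ip, host, bot_id) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        date.fromisoformat(parts[0])  # validate the date field
    except ValueError:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def unique_bots_per_day(log_text, sinkholed_domains):
    """Map each day to the number of distinct bot_ids that hit a sinkhole."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        day, _ip, host, bot_id = rec
        if host not in sinkholed_domains:
            continue  # traffic to non-sinkholed hosts is not a bot check-in
        seen[day].add(bot_id)
    return {day: len(ids) for day, ids in sorted(seen.items())}


def total_unique_bots(log_text, sinkholed_domains):
    """Distinct bot_ids seen across the whole period (the botnet's footprint)."""
    ids = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec[2] in sinkholed_domains:
            ids.add(rec[3])
    return len(ids)


def is_declining(per_day):
    """True when the last day's count is below the first day's (cleanup trend)."""
    counts = list(per_day.values())
    return len(counts) >= 2 and counts[-1] < counts[0]


if __name__ == "__main__":
    per_day = unique_bots_per_day(SAMPLE_LOG, SINKHOLED_DOMAINS)
    for day, n in per_day.items():
        print(day, n)
    print("total unique bots:", total_unique_bots(SAMPLE_LOG, SINKHOLED_DOMAINS))
    print("declining:", is_declining(per_day))
```

On the constructed sample this yields 2, 2 and 1 unique bots on the three days and 3 bots in total, the shape of the cleanup curve the slide describes. Counting by bot identifier is the important choice: counting IPs would have reported 11AB-3 twice on its two addresses and merged the two bots behind any shared NAT.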
6. What Next?
Expectations for Flashback gang, Apple, and securing your Mac OS X system
• What history tells us – rebuilding a better botnet
• Storm/Waledac/Hlux
• Apple’s technology and role
• Gatekeeper, Java updates
• Mac OS X Security Best Practices
• 10 Simple Tips
http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac
7. Apple’s Mac OS X and Currently Active Targeted Attacks
A Shiny New Target
• Spearphishing and Client-Side Remote Code Execution
• Exploit.MSWord.CVE-2009-0563.a vs Exploit.Java.CVE-2012-0507
• Mac users can’t hide behind Apple technologies
• Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser
• Our Goat was harvested! Document theft, network pivots
• Mac OS X Security Best Practices
• 10 Simple Tips
http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac
8. Thank You
Questions about content, and suggestions for Securelist?
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com