SlideShare a Scribd company logo

OSX From Mass Exploitation to Targeted Attacks

Kurt Baumgartner
Kurt Baumgartner
Technology
1 of 8
From OS X Mass Exploitation to OS X Targeted Attacks A New Season of Apple Malware Incidents Plucking Vulnerable Systems and Users Kurt Baumgartner, Senior Security Researcher Global Research and Analysis Team
Apple’s Mac OS X - Ripe for Infiltration Whoa. What happened? • Flashfake and Mac OS X Mass Exploitation • Large botnet running on infected Mac OS X systems • Mac OS X, Java vulnerable code base and installs • Compromised sites, trickery, Oracle Java exploitation and C2 • Flashfake trojan and relatives • What Next? • What history tells us – rebuilding a better botnet • Apple’s technology and role • Mac OS X Security Best Practices • Taking it a Step Further: The APT and Mac OS X Targeted Attacks • Spearphishing and Client-Side Remote Code Execution • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser
Flashfake and Mac OS X Mass Exploitation Size and Trending Numbers • Large 700,000+ node botnet running on Mac OS X systems Unique bots over time reporting to sinkholed domains • Mac OS X – Snow Leopard and Lion • Java + Browser Plugins – Delivered/updated by Apple, not Oracle CVE-2008-5353, CVE-2011-3544, Trickery OS X + vulnerable Java installs visiting removal tool download site
Flashfake and Mac OS X Mass Exploitation Massive spread • Compromised sites, trickery, Oracle Java exploitation and C2 • Flashfake trojan and relatives • Search engine traffic hijacker and ad revenues • Comparison to Palevo functionality • Hooking functionality and redirecting interesting traffic *sketchoo http://sketchoo.deviantart.com/
Where are we now? Current botnet operation and cleanup efforts • Flashback sinkhole operations • Early reversing of domain generation algorithm yielded results • Botnet is virtually dead – no exe delivered, global C2 takedown effort in motion, no new exploit distribution sites Unique bots currently checking in over time – cleanup is working and significant with DGA botnets
What Next? Expectations for Flashback gang, Apple, and securing your Mac OS X system • What history tells us – rebuilding a better botnet • Storm/Waledac/Hlux • Apple’s technology and role • Gatekeeper, Java updates • Mac OS X Security Best Practices • 10 Simple Tips http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_ Boosting_The_Security_Of_Your_Mac
Apple’s Mac OS X and Currently Active Targeted Attacks A Shiny New Target • Spearphishing and Client-Side Remote Code Execution • Exploit.MSWord.CVE-2009-0563.a vs Exploit.Java.CVE-2012-0507 • Mac users can’t hide behind Apple technologies • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser • Our Goat was harvested! Document theft, network pivots • Mac OS X Security Best Practices • 10 Simple Tips http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_ Boosting_The_Security_Of_Your_Mac
Thank You Questions about content, and suggestions for Securelist? Kurt Baumgartner, Senior Security Researcher Global Research and Analysis Team kurt.baumgartner@kaspersky.com

Recommended

The ROP Pack
The ROP PackThe ROP Pack
The ROP Pack
Kurt Baumgartner
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red October
Kurt Baumgartner
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APT
Kurt Baumgartner
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013
Kurt Baumgartner
 
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
Kurt Baumgartner
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012
Kurt Baumgartner
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Kurt Baumgartner
 
Recent Rogueware
Recent RoguewareRecent Rogueware
Recent Rogueware
Kurt Baumgartner
 

Recommended

The ROP Pack
The ROP PackThe ROP Pack
The ROP Pack
Kurt Baumgartner
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red October
Kurt Baumgartner
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APT
Kurt Baumgartner
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013
Kurt Baumgartner
 
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
Kurt Baumgartner
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012
Kurt Baumgartner
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Kurt Baumgartner
 
Recent Rogueware
Recent RoguewareRecent Rogueware
Recent Rogueware
Kurt Baumgartner
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Zilliz
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Zilliz
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Juan lago vázquez
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
Dropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
MIND CTI
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
rafiqahmad00786416
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
apidays
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
The Digital Insurer
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 

More Related Content

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Recently uploaded (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

Featured

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

OSX From Mass Exploitation to Targeted Attacks

  • 1. From OS X Mass Exploitation to OS X Targeted Attacks A New Season of Apple Malware Incidents Plucking Vulnerable Systems and Users Kurt Baumgartner, Senior Security Researcher Global Research and Analysis Team
  • 2. Apple’s Mac OS X - Ripe for Infiltration Whoa. What happened? • Flashfake and Mac OS X Mass Exploitation • Large botnet running on infected Mac OS X systems • Mac OS X, Java vulnerable code base and installs • Compromised sites, trickery, Oracle Java exploitation and C2 • Flashfake trojan and relatives • What Next? • What history tells us – rebuilding a better botnet • Apple’s technology and role • Mac OS X Security Best Practices • Taking it a Step Further: The APT and Mac OS X Targeted Attacks • Spearphishing and Client-Side Remote Code Execution • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser
  • 3. Flashfake and Mac OS X Mass Exploitation Size and Trending Numbers • Large 700,000+ node botnet running on Mac OS X systems Unique bots over time reporting to sinkholed domains • Mac OS X – Snow Leopard and Lion • Java + Browser Plugins – Delivered/updated by Apple, not Oracle CVE-2008-5353, CVE-2011-3544, Trickery OS X + vulnerable Java installs visiting removal tool download site
  • 4. Flashfake and Mac OS X Mass Exploitation Massive spread • Compromised sites, trickery, Oracle Java exploitation and C2 • Flashfake trojan and relatives • Search engine traffic hijacker and ad revenues • Comparison to Palevo functionality • Hooking functionality and redirecting interesting traffic *sketchoo http://sketchoo.deviantart.com/
  • 5. Where are we now? Current botnet operation and cleanup efforts • Flashback sinkhole operations • Early reversing of domain generation algorithm yielded results • Botnet is virtually dead – no exe delivered, global C2 takedown effort in motion, no new exploit distribution sites Unique bots currently checking in over time – cleanup is working and significant with DGA botnets
  • 6. What Next? Expectations for Flashback gang, Apple, and securing your Mac OS X system • What history tells us – rebuilding a better botnet • Storm/Waledac/Hlux • Apple’s technology and role • Gatekeeper, Java updates • Mac OS X Security Best Practices • 10 Simple Tips http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_ Boosting_The_Security_Of_Your_Mac
  • 7. Apple’s Mac OS X and Currently Active Targeted Attacks A Shiny New Target • Spearphishing and Client-Side Remote Code Execution • Exploit.MSWord.CVE-2009-0563.a vs Exploit.Java.CVE-2012-0507 • Mac users can’t hide behind Apple technologies • Stealth Mac OS X Backdoors – SabPub, MaControl, Lyser • Our Goat was harvested! Document theft, network pivots • Mac OS X Security Best Practices • 10 Simple Tips http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_ Boosting_The_Security_Of_Your_Mac
  • 8. Thank You Questions about content, and suggestions for Securelist? Kurt Baumgartner, Senior Security Researcher Global Research and Analysis Team kurt.baumgartner@kaspersky.com