Last-minute paper: A Malicious OS X Cocktail Served from a Tainted Bottle

Presented at VB2016, Oct. 6, 2016, 3 p.m. (30 minutes)

In the last few months, two new *OS X* threats (dubbed OSX/KeRanger and OSX/Keydnap) were distributed as recompiled versions of the otherwise legitimate open source *BitTorrent* client application *Transmission* on the application's official, and therefore trusted, website. Moreover, different legitimate code-signing keys were used to sign the malicious *Transmission* application bundles to be able to bypass *Gatekeeper* protection. The response from the Transmission team was instant in both cases and the malicious bundles were removed instantly from their web server, finally choosing *GitHub* as a file storage. We provide the technical details and the similarities between the two threats, and we investigate clues that might have led to these incidents. The reaction from *OS X* users was very negative and full of anxiety about the possibility of being affected by the threat. To answer their questions, indicators of compromise should have been obtained by using live tools, followed by a careful analysis, and concluded with the manual creation of cleaning scripts. However, there existed also an alternative approach of capturing volatile physical memory data and applying it to the powerful Volatility Framework. Indeed, we performed malware executions in various test environments several times to eliminate randomness and unrelated manifestations, then we collected the outputs from relevant VF plug-ins, compared them with the outputs from the clean state before, we dumped unpacked memory blocks of malicious processes, we produced a final VF plug-in able to detect IoCs on memory dumps of compromised systems and we wrote a script that would clean any such system. Note that all these steps could actually work completely without our interaction. We sketch how this method might lead to automation of malware analysis for a platform like *OS X*.


  • Peter Kálnai - ESET   as Peter Kalnai
    Peter Kálnai Peter Kálnai is a malware researcher at ESET. His job description includes reverse engineering of mainstream cyber threats for alternative platforms like OS X. He is interested in testing the Volatility Framework as a malware analysing tool. He has actively participated in international conferences including Virus Bulletin, RSA Conference, CARO Workshop, Botconf and AVAR. Currently, he is a Ph.D. student in mathematics at Charles University in Prague. In his free time he enjoys playing table football and watching stand-up comedians. @pkalnai
  • Martin Jirkal - ESET
    Martin Jirkal Martin Jirkal is a detection engineer in the ESET virus laboratory. He is responsible for the detection of new threats and education of new ESET talents. He is a co-creator and occasional teacher of reverse engineering classes at Czech Technical University in Prague, from which he graduated. In addition to IT security and reverse engineering, he also loves complex board and role-playing games.


Similar Presentations: