[00:04] So, as Patrick said, we're going to be talking about malware behavior. We've seen a lot of very heavyweight talks today, so I'm going to give your brain a little bit of a rest here. This is not going to be really, really deep; it's going to be very high-level.

[00:24] So, a little bit about myself. My name's Thomas Reed, for those of you that don't know. I work for Malwarebytes, and when I am not managing products or reversing malware or whatnot, I am an avid photographer. So let's jump right in here; we've got 25 minutes.

[00:44] Let's look at some specific behaviors that malware generally likes to have. Persistence, obviously, that's a big one. If malware can't stay running, what good is it? Now, in certain cases it's not that important, but the majority of the time malware wants persistence. Malware also often likes to make system configuration changes, so we have changes to various system files, the hosts file and the sudoers file, stuff like that, and installing system configuration profiles, that sort of thing. Malware likes to be hidden as well, obviously, so there are a variety of ways that malware tries to stay hidden on the system. And malware needs communication as well, for downloading additional payloads or exfiltrating data. So obviously those are some pretty important capabilities that malware has to have.

[01:53] The problem is, these are also all things that legitimate applications have to be able to do. So where do you draw the line? What's malware and what's not? The difference here really keys off of those differences: what kind of behaviors are suspicious and which ones are not. Sometimes this is a very blurry line, sometimes it's very, very sharp; it just depends. So we're going to look at a whole bunch of these kinds of suspicious behaviors that you might see.

[02:33] We're going to start with the easy, obvious stuff: launchd plists. We've talked a lot about launch agents and launch daemons. Here's an example. This was found in some malware that we identify as BadWord. That's more because John Lambert, who discovered it, didn't really name it, and we had to call it something in our database, so that's what we called it. This malware was basically a Microsoft Word macro that used a sandbox escape and wrote a plist file to the system. Interestingly, it actually stole the code from Adam Chester, who wrote a proof of concept; even the name of this thing is from his website. But obviously, here you see in this plist, if you can see it back in the back, there's Python code being executed straight from the plist file. You'll never see that in a legitimate plist; at least, you shouldn't. We would hope you'd never see that in a legitimate plist.

[03:59] Next, plist files that are pretending to be Apple's. That's a very common technique. It's kind of a lame technique, and I wonder how often it actually works, but I see it all the time. You can see in the screenshot here, those are just the examples from EvilEgg, DarthMiner and LamePyre, all of which appeared late last year. So that's highly suspicious. The problem here is that there are a few legitimate com.apple plists that you'll see outside the system folder, so you can't just automatically assume that every com.apple plist that you see in the user's LaunchAgents directory, or somewhere like that, is automatically bad. Some are actually legit.

[04:49] Cron tasks have been mentioned a couple of times over the course of the conference. These days cron tasks really are not used much. I think the only thing that I've seen a cron task used for in legitimate software lately was really old versions of SuperDuper. So really, if you see a cron task being used, it's probably malicious, unless maybe you set it up yourself. Here we've got two different examples of cron abuse. The top one there is from some malware that we detect as [unclear]; it's also called Pirrit, which was discussed yesterday, and here it's just running a process called [unclear]. Nothing suspicious about that at all. And the bottom one here was actually from an old Word macro malware, and you can see it calls this AppleScript that does a shell script that writes a file out, loads it up in cron, and then deletes the file. So you've got this task going at all times, but there's no evidence of the file left behind; you can still see that the cron task is there, though.

[06:22] We mentioned sudoers file changes as one of the system configuration changes that malware likes to make. You can see here two examples, from the malware Dok and Proton. The top one was from Dok, and what that does is it allows the current user, which was "test" in this case, to do anything with sudo without having to have a password. The bottom one there was from Proton, and that basically sets the system so that there is one single sudo timer going. So normally on macOS, if you open up two terminal windows and you do sudo in one of them, it starts up a timer; you have a certain lifetime to continue to use sudo before it asks you for a password again. Meanwhile, the other terminal window does not have that same timer going; you do sudo in there, it starts a new timer. This change actually makes it so that if you do sudo anywhere, any process anywhere on the system can then use sudo without a password. So you can imagine malware could sit there in the background just waiting for you to do something with sudo, and then pounce on that and get that privilege escalation. These would typically be used in cases where the malware was able to somehow get root access to write to these files, but maybe didn't have continued root access to do later operations, and wanted to be able to have that capability.

[08:09] The hosts file is also one that's commonly manipulated. Most of the time that I see it manipulated, it's actually because somebody has installed a pirated version of some Adobe product. So if you see that, it's not malicious, but it's highly suspicious, and that machine probably needs a little once-over just to make sure the user hasn't installed something they shouldn't have. But some malware, such as Dok, which we'll be referring to repeatedly because it does a lot of very interesting things, actually used this to block a whole bunch of Apple servers as well as VirusTotal. So that's really, really suspicious; you should not see either of those getting blocked in a hosts file.

[09:01] Another Pirrit example here, and there are going to be several of these kind of chained together. Pirrit used a hidden user. When it installed on the system it would create a user with a UID of 401, which means that it's totally hidden; it doesn't show up in System Preferences or anywhere else. You kind of have to know what you're doing to spot the user. This user was used with a pf rule, and it was used to run a proxy, so all the user's HTTP traffic was proxied through a process that was running under that user. This was a good way to hide that proxy and keep it from being noticed, and it was also a good way for Pirrit to actually inject ads into your HTTP traffic. This could very easily have been used to sniff your traffic; fortunately it wasn't. But in general, a hidden user is a big red flag, and if your system's got pf rules on it that you don't know where they came from, that's also a huge red flag.

[10:14] Another case of proxy settings is in Dok. You can see here it ran the proxy through port 5555 on localhost, and it did it differently, so we've got to keep an eye on a variety of different ways that proxies can be set up: proxy settings, pf rules, etc.

[10:43] Another way of proxying is through trusted certificates, so you kind of have to keep an eye on your keychain and make sure that there aren't some weird certificates in there that shouldn't be there. The Dok malware actually installed this Comodo certificate here on the right side, and it used that to proxy HTTPS traffic. In that case the intent was not to inject anything, but actually to sniff the traffic. We've also seen mitmproxy, which is an open-source proxy tool, used lately in a lot of adware and malware, both for the purposes of injecting ads and sniffing traffic. And, as was mentioned yesterday, Titanium Web Proxy is another one that's now joining the fray and is being abused by malware. Both of those last two are completely legitimate open source; there's nothing wrong with them. But if you see them on a system, and you don't think that user has a reason to have them there, that's a huge red flag; probably they're there for malicious purposes.

[12:08] Process behavior is another big thing to keep an eye on. For example, anything that's running from the temp folder: if you look at the list of running processes and something's running from temp, that's a huge red flag. Shlayer is just one example here, but there are many, many others. Most adware droppers will do this sort of thing: they'll curl something down into the temp folder and then run it. So in this case, this shows that Shlayer was running a script that curled a file down into the temp folder, and I think we've seen that code already at least twice, maybe, so Shlayer has been well covered at this conference.

[13:01] Running from hidden locations, that's also another no-no. And when I say hidden locations, I don't mean like /usr, because that's a hidden folder but it's fairly normal for processes to be running out of there. I mean hidden as in some weird folder whose name starts with a period, so it's hidden from the user. That's not the way that Apple typically does things, and it shouldn't be the way that normal legitimate software does things either. You can see in this case, with EvilEgg, in this plist file it's running an executable that is invisible, from a folder that is also invisible, and that's really, really suspicious. In the case of LamePyre, it was actually an application that was made invisible and loaded through a login item instead of a launch agent.

[14:09] Process behavior here: this is just another way that some of this malware gets installed. It's through AppleScript or Automator scripts, which is kind of interesting, and it's weird because all this is, is a carrier for a shell script. In both the case of DarthMiner and LamePyre, Automator scripts were used, and their entire purpose was to do nothing but run a shell script. So this one here, this is from DarthMiner; you can see that it curls something down from kind of a weird URL and then pipes it to Python, and then it curls something else down and unpacks it and runs it. So that's pretty suspicious, obviously, just that behavior itself, and the fact that it's wrapped up in an Automator script is even worse.

[15:11] Now in the case of LamePyre, it was kind of lame malware, but the script was much more interesting. It had this long bit of base64-encoded data, and it took that and decoded it and piped it into Python. And then, while that was running, it went into this loop here, and it started doing a screen capture, and it did it in such a way that the sound wouldn't play, so you wouldn't know the screen capture happened. It saved it in the temp folder as a file named [unclear].png, and it used Perl to upload that to a command and control server. And it did this over and over and over again, as fast as it could, so as soon as it had created and uploaded a screen capture, it's doing it all over again. This was not subtle; I mean, obviously there's a lot of web traffic going out, because it's basically constantly uploading something. But even worse, the whole time this was running, up in the menu bar there was a little gear icon for Automator just going around and around and around. I think somebody mentioned yesterday that you could make it so that it would just run for like half a second and then go away. Evidently they didn't know how to do that, so it just would keep going and going, and it was right there, just sort of waving like a big red flag at you.

[16:57] Network connections are another thing to look at, especially network connections to Tor. Now, Tor is a legitimate thing; it's not malicious in and of itself. But if you see a weird process that shouldn't be on the system communicating with Tor, that's a problem. In this case, Dok used this plist here, com.apple.Safari.proxy.plist, nothing suspicious at all there, and you can see here in this code it was directly running an open-source tool and using that to proxy traffic through a .onion address. So just about everything about this is suspicious, but specifically, if we look at that Tor traffic going out through some random plist file, a process launched by a random plist file, that's really sketchy.

[18:06] We also have seen lately a growing number of processes signed not with an Apple certificate but with an ad-hoc signature. I'm kind of shocked that this still works. I would think that Apple would not want this to work at all, because these are things that can run because they're not unsigned, but Apple has no control over them; Apple can't revoke the certificate. This was done by both Pirrit and some adware that was otherwise pretty uninteresting, that we call FaceBump, that imitated the Facebook download. If you look at the codesign information for both of those, you'll see the team identifier is not set, and the signature is listed as ad-hoc. The bundle identifier can look legitimate, or it can look sketchy like that; I don't know what they were thinking with "UPD-" and some long number that didn't look at all like a legitimate identifier. But if you see applications that are signed like this, that's a really, really big red flag.

[19:24] Bash script as an app executable. You're used to seeing a Mach-O binary in there as the executable inside of an app, but you can actually replace that with a shell script. The only time I've ever seen that has been with Shlayer, which I'm not going to dive more deeply into, this script here, because it's already been discussed at least twice over the course of the conference. But suffice it to say that if you follow this script through, you'll go down a deep rabbit hole of repeating obfuscated scripts and curls and etc., etc., and it all starts off from this shell script inside the app bundle, in the Contents/MacOS folder, which is really weird. So if you see that, that's not right; no legitimate software does that.

[20:24] And then a couple more items here regarding installation. In this case we're talking about Pirrit, and this is kind of an older version of Pirrit. It did some analysis avoidance directly in the install process. Inside the pkg file it had a preinstall script. That preinstall script, I've trimmed out a lot of it, because a lot of it's fairly uninteresting, but if you look here, what it's doing is it's calling ioreg, and it's getting some information about the device, and then it's piping it through a whole bunch of sequences of awk and grep and whatnot to try to get the vendor name out of there. And you can see very, very clearly there, it's not even obfuscated in any way, it's looking for Parallels, VirtualBox, Oracle and VMware, and that was fairly effective at actually detecting a VM and bailing out. You can see there it sets the VM flag to 1 or to 0, and so if it was in a VM it would bail out. This was pretty easy to get around: if you have this sample, you just, as Jared was talking about, expand the package with pkgutil, you change that if/else, and you flatten it again. And this wasn't signed anyway, so you don't have to worry about a signature. But that kind of behavior, that kind of analysis avoidance, is really, really very common in malware. It's not always quite this obvious. There has been some discussion at the conference about analysis avoidance that's very sneaky; this is just blatant, and it's easy to spot. Unfortunately, they're not really doing it this way anymore; it's going to be sneakier, and you don't see this kind of obvious analysis avoidance anymore.

[22:42] And then we've got Flashback. Now, this is a flashback to almost a decade ago at this point, so this is very, very old malware, and it actually did the installation in the preinstall script. So you run the pkg file, and maybe you decide to bail out and you cancel the installation and quit the installer: too late, it's already been installed. This kind of thing is pretty nasty. You can see here, actually, that the preinstall script was a Mach-O binary, which is fairly rare. I mean, as was mentioned, you could have really anything as the preinstall script, but traditionally it's a bash script, or I guess some other kind of script or something like that, as Darren mentioned. In this case it was a Mach-O binary; I think this is the only time I've ever actually seen that. A Hopper screenshot would have been a little bit too big to meaningfully display here, so it's just sort of stuck there showing you strings. Just to make sure that you can see it in the back, I'll zoom in a little bit, so you can see a lot of nasty things here. You can see a reference to Little Snitch. This script would actually look for the presence of Little Snitch, and if Little Snitch was present it would bail out; it would not install any of its payload. The reason for that is that this was going to exfiltrate some information, and if Little Snitch was there, that would give it away. You can also see a number of other nasty things, like that one outlined there: it did a launchctl load and then set an environment variable so that a dynamic library would be inserted into the system. So lots of nasty stuff there. There's an su command in there; there's all kinds of nasty stuff. And this was all done in the preinstall script, so it happened before you even... like, you would never have realized that anything had been installed if you didn't complete the installation process. That's something that I'm kind of surprised we haven't seen more of, because the preinstall script is the perfect place to drop some nasty stuff on your system, because it happens so early in the process.

[25:37] So that is it. Pretty short and sweet. Any questions?

[25:55] Audience question: What's the craziest thing you've seen recently in the wild, where you'd say, well, that is mind-boggling?

[26:07] Craziest... there really hasn't been anything really wildly crazy lately. It's actually been kind of quiet this year. We've seen a lot of adware, a lot of PUPs. The worst stuff we're seeing right now really comes from the PUP world. We're seeing things like, kind of like polymorphism: we're seeing a lot of PUPs that are proliferating in numbers, and every single one has a different name. The one in question here that I'm thinking of started out as Advanced Mac Cleaner, so you guys, at least some of you, are probably familiar with that. It'll put up a window and it'll actually yell at you. It'll say, you know, your system is... I forget the exact wording, something's wrong with your system; it's really trying to scare you. And then all these other variants of it are all exact duplicates of that functionally, and there are dozens and dozens of them at this point, and more appearing almost every day. But yeah, as far as really cool, interesting stuff, we're really not seeing it. We've got all these theoretical exploits, we've seen some really great research at this conference, and nobody's using them in the wild.

[27:34] Last year I presented about code signing
00:27:37,120 --> 00:27:39,130 and how you could use that to actually 535 00:27:39,130 --> 00:27:42,370 establish persistence by learning and 536 00:27:42,370 --> 00:27:45,340 application and still you know like 537 00:27:45,340 --> 00:27:48,730 nobody's done it my paper is out there 538 00:27:48,730 --> 00:27:50,980 it's at the virus but like if it gets up 539 00:27:50,980 --> 00:27:53,050 on the virus Bolton website you sound 540 00:27:53,050 --> 00:27:53,590 disappointed 541 00:27:53,590 --> 00:27:58,030 and there was yeah I mean all of us in 542 00:27:58,030 --> 00:28:01,300 this room we could do and each and every 543 00:28:01,300 --> 00:28:03,280 one of us could do my work letters in 544 00:28:03,280 --> 00:28:04,530 the malware off 545 00:28:04,530 --> 00:28:06,930 right now and I don't understand why 546 00:28:06,930 --> 00:28:09,240 it's not being done not that not that I 547 00:28:09,240 --> 00:28:12,150 want it but it would make my life more 548 00:28:12,150 --> 00:28:14,360 interesting 549 00:28:17,330 --> 00:28:34,740 yeah do you see soccer wear on my cattle 550 00:28:34,740 --> 00:28:36,600 and what does Malwarebytes 551 00:28:36,600 --> 00:28:39,540 policy for classifying that yeah that's 552 00:28:39,540 --> 00:28:40,590 a good question 553 00:28:40,590 --> 00:28:44,580 we definitely do see stocker where that 554 00:28:44,580 --> 00:28:47,340 has become a big big thing these days 555 00:28:47,340 --> 00:28:51,360 lots of talk about it we have actually 556 00:28:51,360 --> 00:28:55,160 been very strong against soccer where 557 00:28:55,160 --> 00:28:58,410 before it became called soccer where you 558 00:28:58,410 --> 00:29:02,130 know it's we will detect any kind of not 559 00:29:02,130 --> 00:29:04,260 just malicious spy there but you know 560 00:29:04,260 --> 00:29:07,410 so-called legitimate spyware that you 561 00:29:07,410 --> 00:29:11,040 can go to a website and buy which I 562 00:29:11,040 --> 00:29:13,080 guess is what they're referring to 
when 563 00:29:13,080 --> 00:29:16,470 people say stalker where and will detect 564 00:29:16,470 --> 00:29:18,900 all of that stuff and we have on the Mac 565 00:29:18,900 --> 00:29:21,450 side we have since I've been with the 566 00:29:21,450 --> 00:29:26,010 company basically since the product 567 00:29:26,010 --> 00:29:28,820 first existed