Advancing Mac OS X Rootkit Detecron

Advancing Mac OS X Rootkit Detecon

Andrew Case (@attrc)

Volatility Foundation

Golden G. Richard III (@nolaforensix)

University of New Orleans

2 hot research areas State of Aﬀairs more established

Live Forensics and Tradional Storage Memory Analysis Forensics

Digital Forensics

Reverse Engineering Incident Response

Files and Filesystem Applicaon Windows Deleted Files metadata metadata registry

Print spool Hibernaon Temp files Log files files files

Browser Network Slack space Swap ﬁles caches traces

RAM: OS and app data Volale Evidence structures

1 011 01 1 0 1 111 0 11 0 1 0 1 0 10 0

0 1

1 1 0 0 1 0 1 1 0 0 1

Can carve Chaos: ﬁles, but More can't Faster Almost not very accurate Hurray! carve ﬁles well

Tools Manual File type Fragmentaon, appear, Multhreading, hex editor aware damned but have beer design stuﬀ carving, et al spinning disks! issues

Images: hps://easiersaidblogdotcom.ﬁles.wordpress.com/2013/02/hot_dogger.jpg hp://cdn.bigbangﬁsh.com/555/Cow/Cow-6.jpg, hp://f.tqn.com/y/bbq/1/W/U/i/Big_green_egg_large.jpg hp://i5.walmarmages.com/dfw/dce07b8c-bb22/k2-_95ea6c25-e9aa-418e-a3a2-8e48e62a9d2e.v1.jpg Copyright 2015 by Andrew Case and Golden G. Richard III 6 Awesomeness Progression: Memory Forensics

Pioneering Chaos: More, eﬀorts Beyond run more, show great Windows ?? strings? more promise

pt_finder et al More aenon Manual, Mac, … awesome but to malware, run strings, Linux, BSD lile context limited ﬁlling in the gaps funconality

Images: hps://s-media-cache-ak0.pinimg.com/736x/75/5a/37/755a37727586c57a19d42caa650d242e.jpg,, hp://img.photobucket.com/albums/v136/Hell2Pay77/SS-trucks.jpg hp://skateandannoy.com/wp-content/uploads/2007/12/sportsbars.jpg, hp://gainesvillescene.com/wp-content/uploads/2013/03/dog-longboard.jpg Copyright 2015 by Andrew Case and Golden G. Richard III 7 Memory Analysis: 2004

$ grep –i murder /dev/mem

I loved Sally, but I murdered her in the park on… Murder Murderer! Blood is on your shoulders! Murderous You murdered my hamster! Murdered

• strings – essenally no tools besides this, circa 2004 • pt_finder (~2006) – Windows process and thread enumeraon • FACE (~2008) – Memory analysis framework created at UNO – Correlates evidence in memory, network stack, network traces, ﬁlesystem – A bit closer to a framework rather than one-oﬀ tools • … Copyright 2015 by Andrew Case and Golden G. Richard III 9 Memory Analysis: Now

Capture RAM • physical memory dumping tool from live • VM memory snapshot system • VM introspecon

• strings Analyze • carving Memory Dump • Volality • VM introspecon

Expose OS and • to yield useful Applicaon evidence Data Structures

Use plugins to analyze: Running processes Hidden processes Hooks that hide malware Network connecons Encrypon keys Private browsing data Clipboard data Volale registry branches Command history Window hierarchy + "easily" develop new plugins Copyright 2015 by Andrew Case and Golden G. Richard III 11 Detecng Hidden Resource Ulizaon

• Adversary: Direct Kernel Object Manipulaon (DKOM) • Strategy: Deep analysis and cross-correlaon of data kernel data structures to reveal hidden resource ulizaon

PID = 2260

Doubly-linked process list in Windows kernel

Processes connue to run because Windows C:\> fu –ph 2260 scheduler handles threads, not processes

PID = 2260

FU on PID 2260

DKOM Hidden Process Detecon in Volality

• Windows and Linux memory forensics techniques are fairly mature • Lots of funconality • More work to do, but good malware / rootkit detecon • > 115 Windows plugins for Volality • ~60 Mac plugins for Volality – Some tackle the same thing on the BSD / Mach sides • Mac OS X stuﬀ lags behind and we're trying to ﬁx that • Requires OS internals work, which we both like

• Many APIs similar to those on Windows and Linux are commonly abused by malware on other plaorms • Exisng Mac plugins do not check these subsystems • In addion, many Mac-speciﬁc features are vulnerable to abuse by rootkits / malware • These aren't addressed by exisng memory forensics tools, either

• Use: Allows registraon of callbacks to be executed before speciﬁc events occur, e.g., process execuon, system shutdown, hibernaon, et al • Abuse: Prevent security tools from loading, inject code into process before it can start, maintain persistence during reboot or shutdown • Windows API: PsSetCreateProcessNotifyRoutine • Windows detecon plugin: callbacks

• On Mac OS X, IOKit provides an API to register interest in power-related events • Callback is triggered for noﬁcaon – kIOMessageSystemWillPowerOff – kIOMessageSystemWillRestart – kIOMessageSystemWillSleep – kIOMessageDeviceHasPoweredOn – … • Deﬁned in iokit/IOKit/IOMessage.h

• Find root of IOKit device tree • Walk tree and check for power-related interests, stored in IORegistryEntry structures • Enumerate handlers in associated IOCommand structure and verify that handlers are: – in code secon of running kernel --or-- – in address space of a loaded kernel extension • Marked suspicious if not • Importantly: locaon of handler also hints at malware locaon • Can then target speciﬁc regions of memory and examine

• Use: Provide an interface for userland processes to request services from a kernel driver (read, write, change conﬁguraon, etc.) • Abuse: Provides a mechanism for a userland component to hide data, protect ﬁles, communicate with kernel-level malware • Linux API: devfs, ioctl • Linux detecon plugin: linux_check_fop

• Mac OS X provides several mechanisms for drivers to communicate with user space – IOKit APIs that allow userspace to search for interesng devices – devfs • For this talk, look only at devfs • Tradional ﬁlesystem interface • Device registers handlers for open(), close(), read(), write(), ioctl(), etc.

• Patches Acvity Monitor to hide • Takes screenshots • Captures audio • Captures video • Connects to WiFi hotspots to transmit collected data • Basically, all the stuﬀ you're scared malware will do to you

• Legimate device: /dev/pmCPU • "Evil" Crisis device: /dev/pfCPU • Kernel components live behind this device • Userspace components of Crisis use ioctl() calls to communicate with kernel components • Lots of complex hiding mechanisms in Crisis • Quickly locang handlers for kernel module can help direct stac analysis

"Good" mdworker is associated with Spotlight search indexing. This "evil" one can now be dumped and analyzed.

• Use: Register callback to be executed aer a certain amount of me • Abuse: Allow malicious code to run periodically without needing to hook funcons, check persistence, check C&C server status, periodically exﬁltrate data • Windows API: KeSetTimer • Windows detecon plugin: timers

• Timer data is stored in per-CPU variables • Plugin analyzes cpu_data structure for each processor • cpu_data->rtclock_timer maintains queue of mers • For each mer, output: – Registering module – Time to elapse – Address of each parameter – Address of handler funcon – Suspicious? Copyright 2015 by Andrew Case and Golden G. Richard III 26 Facility: Userland Event Monitoring

• Use: Allows userland processes to monitor events on ﬁles, processes, signals, etc. • Abuse: Stop processes from execung, determine when security tools are installed, detect when persistence mechanisms are removed • Windows API: FindFirstChangeNotification, RegNotifyChangeKeyValue – FILE_NOTIFY_CHANGE_FILE_NAME – FILE_NOTIFY_CHANGE_SIZE • Windows/Linux detecon plugins: None (hint)

• Mac OS X facility that dates back to FreeBSD 4.1 • Use: Monitor ﬁle events, process creaon, signals, etc. • Abuse: Prevent processes from loading, react to process terminaon, etc. • Interfaced from userland through kqueue and kevent • man kqueue / man kevent

• Enumerates all kevent structures… • …(data structures kung fu in the paper)… • …in the kernel and reports: – Which processes are being monitored (by PID) and which events are being monitored (fork, exec, exit, etc.) – Which ﬁle descriptor operaons (delete, write, rename, etc.) are being monitored and by whom – … • kqueue/kevent use is pervasive • Burden is largely on the invesgator to ﬁgure out what's cool and what's not • If you have beer ideas, share or hack! Copyright 2015 by Andrew Case and Golden G. Richard III 29 mac_kevents

• Use: Provide an interface for userland processes to request services from a kernel driver (e.g., read X bytes from file Y) • Abuse: Provides a mechanism for a userland component to closely monitor filesystem operaons, hide data, prevent modificaons to data • Windows API: FindFirstChangeNotification • Windows/Linux detecon plugins: None!

• Userland tools can monitor ﬁle system acvity by issuing ioctl() calls against /dev/fsevents • The registered callback will be executed upon ﬁle creaon, deleon, renaming, and more • See: hp://osxbook.com/soware/fslogger/ • Unlike many of the other facilies we've examined, this one is private and intended for use by Spotlight • Limited number of "subscribers" is supported

Copyright 2015 by Andrew Case and Golden G. Richard III 34 Final Thoughts • We now have a solid foundaon in memory forensics, with Volality, Rekall, et al • Focus on mining remaining sources of kernel / applicaon data with a special emphasis on malware migaon • Work like this is largely "minding the gap" hacking, but it's sll important • Be old and have tenure (me) or be famous (Andrew) ﬁrst? • Your choice J ? [email protected] / @nolaforensix [email protected] / @attrc Copyright 2015 by Andrew Case and Golden G. Richard III