Technology Review

Computing

Stealthier Mac Attacks

A new technique lets hackers targeting Apple's OS X cover their tracks more effectively.

  • Wednesday, February 18, 2009
  • By Erica Naone

Fans of Apple computers often boast about superior security. But as Macs have gained in popularity over the past few years, this has brought much more attention from hackers. At a presentation scheduled to take place today at the Black Hat DC computer-security conference in Washington, DC, one security expert will reveal a technique for attacking the Mac operating system--OS X--without leaving a trace.

Similar techniques have targeted both Windows and Linux machines for several years. They allow an attacker to cover her tracks, eliminating the evidence that an investigator would normally use to prove that a machine has been compromised and to piece together the details of the incident. Bringing the technique to the Mac, however, required a significantly more sophisticated approach.

The technique that will be outlined at Black Hat DC allows an attacker who has already compromised an OS X system through some other exploit to remove virtually all trace of the attack.

Vincenzo Iozzo, a student at the Politecnico di Milano, in Italy, explains that the technique lets an attacker who already has a foothold run code on the machine without writing anything to its disk. Evidence of the attack exists only in RAM, so it disappears as soon as the victim's computer is turned off. Such a technique could be used, for example, in combination with another software flaw to covertly replace a running copy of Apple's Safari Web browser with a malicious one that logs the user's keystrokes and sends them to the attacker.


Normally, when a user runs an application, the system loader maps the program's code and data into various regions of the computer's memory. In OS X, the executable file format, called Mach-O, describes that layout: its load commands list the segments the file contains and the addresses at which they should be mapped. Iozzo studied the Mach-O format in order to work out in advance where a program's code and data will sit in memory. The technique identifies an active process (such as Safari's) and injects malicious code into the memory in which that process is running; when execution reaches the expected location, the process runs the attacker's code instead of the legitimate program. Since nothing is written to disk, Iozzo says, the attack leaves nothing for disk forensics to find and can only be detected using software that watches for intrusions on the network. One caveat: the injected code remains in the process's memory until the machine is powered off, so an examiner who captures memory from the still-running system can still find it.

Predicting where to inject the malicious code is made harder by a security feature in OS X that loads system libraries at randomized addresses (address space layout randomization), so the injected code cannot rely on fixed addresses for the functions and variables it depends on. Iozzo, however, discovered a way to anticipate where they would be based on pieces of information that remain unchanged from one run to the next.
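The Mach-O layout described above, as an added example that is not part of the original article and is not Iozzo's code: a small C program that walks the load commands of a 64-bit Mach-O image, lists each segment with the address at which the loader will map it, and then shows the arithmetic behind the randomized-address problem. The program defines the few Mach-O structures it needs itself, so it builds without Apple's headers, and it parses a constructed two-segment sample produced by `build_sample_image` rather than a real binary. The "observed" runtime address passed to `compute_slide` is likewise an assumed value. Because a whole image is slid by one constant, a single address that can be observed, or that does not change, fixes every other address in that image.

```c
/* Added example for this page, not Vincenzo Iozzo's code. Walks the load
 * commands of a 64-bit Mach-O image and relates on-disk addresses to runtime
 * addresses once an ASLR slide is known. Structure layouts follow Apple's
 * <mach-o/loader.h> but are declared here so the file builds anywhere. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64   0xfeedfacfu
#define LC_SEGMENT_64 0x19u
#define LC_UUID       0x1bu

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags, reserved;
};
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};

/* What the walker reports for each LC_SEGMENT_64 it finds. */
struct segment_info {
    char     segname[17];
    uint64_t vmaddr, vmsize, fileoff, filesize;
};

/* Walk the load commands and copy every LC_SEGMENT_64 into out[] (at most
 * max entries). Returns the number of segments found, or -1 if the image is
 * malformed: bad magic, a command that runs past the buffer, or a cmdsize
 * smaller than the command header. Uses memcpy so unaligned input is fine. */
int parse_segments(const uint8_t *img, size_t len, struct segment_info *out, int max)
{
    struct mach_header_64 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, img, sizeof mh);
    if (mh.magic != MH_MAGIC_64) return -1;
    size_t off = sizeof mh, end = off + mh.sizeofcmds;
    if (end > len) return -1;
    int n = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, img + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > end) return -1;
        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof(struct segment_command_64) && n < max) {
            struct segment_command_64 sc;
            memcpy(&sc, img + off, sizeof sc);
            memcpy(out[n].segname, sc.segname, 16);
            out[n].segname[16] = '\0';
            out[n].vmaddr = sc.vmaddr;  out[n].vmsize   = sc.vmsize;
            out[n].fileoff = sc.fileoff; out[n].filesize = sc.filesize;
            n++;
        }
        off += lc.cmdsize;          /* skip non-segment commands (LC_UUID etc.) */
    }
    return n;
}

/* slide = (address seen in the live process) - (vmaddr recorded in the file).
 * Every other segment of the same image then lives at vmaddr + slide. */
int64_t compute_slide(uint64_t observed, uint64_t vmaddr) { return (int64_t)(observed - vmaddr); }
uint64_t predict_runtime(const struct segment_info *s, int64_t slide) { return s->vmaddr + (uint64_t)slide; }

/* Constructed sample image (assumed values, not from any real binary): a header,
 * an LC_UUID the walker must skip, and __TEXT and __DATA segments. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    struct mach_header_64 mh = {0};
    struct load_command uuid = { LC_UUID, 24 };   /* 8-byte header + 16-byte UUID */
    struct segment_command_64 text = {0}, data = {0};
    size_t need = sizeof mh + uuid.cmdsize + sizeof text + sizeof data;
    if (cap < need) return 0;
    mh.magic = MH_MAGIC_64; mh.cputype = 0x01000007; /* CPU_TYPE_X86_64 */
    mh.filetype = 2; /* MH_EXECUTE */ mh.ncmds = 3; mh.sizeofcmds = (uint32_t)(need - sizeof mh);
    text.cmd = LC_SEGMENT_64; text.cmdsize = sizeof text; memcpy(text.segname, "__TEXT", 6);
    text.vmaddr = 0x100000000ULL; text.vmsize = 0x1000; text.fileoff = 0;      text.filesize = 0x1000;
    text.maxprot = 7; text.initprot = 5;                   /* r-x */
    data.cmd = LC_SEGMENT_64; data.cmdsize = sizeof data; memcpy(data.segname, "__DATA", 6);
    data.vmaddr = 0x100001000ULL; data.vmsize = 0x1000; data.fileoff = 0x1000; data.filesize = 0x1000;
    data.maxprot = 7; data.initprot = 3;                   /* rw- */
    size_t off = 0;
    memcpy(buf + off, &mh, sizeof mh);     off += sizeof mh;
    memcpy(buf + off, &uuid, sizeof uuid); off += sizeof uuid;
    memset(buf + off, 0, 16);              off += 16;
    memcpy(buf + off, &text, sizeof text); off += sizeof text;
    memcpy(buf + off, &data, sizeof data); off += sizeof data;
    return off;
}

int main(void)
{
    uint8_t buf[256];
    struct segment_info segs[8];
    size_t len = build_sample_image(buf, sizeof buf);
    int n = parse_segments(buf, len, segs, 8);
    if (n < 0) { puts("malformed image"); return 1; }
    /* Assumed: a symbol at file vmaddr 0x100000500 was seen at 0x10a3f0500. */
    int64_t slide = compute_slide(0x10a3f0500ULL, 0x100000500ULL);
    for (int i = 0; i < n; i++)
        printf("%-8s fileoff 0x%04" PRIx64 " vmaddr 0x%" PRIx64 " -> runtime 0x%" PRIx64 "\n",
               segs[i].segname, segs[i].fileoff, segs[i].vmaddr, predict_runtime(&segs[i], slide));
    return 0;
}
```

The walker validates every command against `sizeofcmds` and the buffer length before reading it, which is the check a real in-memory loader needs as well: an injected or corrupted image with an oversized `ncmds` or a zero `cmdsize` would otherwise send the parser out of bounds or into an infinite loop.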



Comments

Just Some Human

  • 02/18/2009

The missing piece of information is "How does the attacker gain access to the machine"?


Guest (kstar)

  • 02/19/2009

Re:

Agreed.

This appears to be an article without substance . . . from one of my favorite sites.


californian

  • 02/20/2009

Re:

Well, the only way a hacker can run an exploit is by having the user run a compromised application. Basically, as long as one knows exactly what he's installing, he should be fine.


Guest (kstar)

  • 02/21/2009

Re:

Right.

The "attack" mentioned in this article is a trojan, AFAIK.

I guess the meat of the story is the "covering path" element, not the "attack."  Of course, running a story about OS X "attacks" brings a bunch of folks out from the shadows, like us. LOL.

Best,

Kurt


BuckyOHare

  • 02/20/2009

Whose tracks?

"They allow an attacker to cover her tracks"


nishant kumar

  • 02/21/2009

Quick Solutions Are Necessary

No assumptions can be made about this sophisticated hacking technique, as there is not enough evidence to show how many Mac OS systems have been affected by it yet. As long as hackers don't get their dirty hands on this technique, Apple PC users can still expect to be as safe as ever.

However, it would be appreciated if security researchers were proactive and found a solution to this as soon as possible, especially before the details of the technique are widely spread for hackers to feast on.


Guest (kstar)

  • 02/21/2009

Re: Quick Solutions Are Necessary

AFAIK, the "sophisticated hacking technique" of infection is getting the user to run a program, i.e., a trojan.

While the method of minimizing or eliminating evidence of the machine being hacked may be sophisticated, infection via trojan is not so sophisticated, IMO.

Best,

Kurt


Guest (kstar)

  • 02/21/2009

Re: Quick Solutions Are Necessary

The above article could have been improved by stating clearly that Iozzo's technique is only applicable after a machine is compromised.

From Mr. Vincenzo Iozzo himself, my emphasis in bold added:

It should be noted that my technique does not allow one to break into a machine more easily, but it makes the execution of code within the attacked system easier.

Source: http://www.oneitsecurity.it/22/01/2009/mac-os-x-vulnerability-an-interview-with-vincenzo-iozzo/

FWIW.
