Technology Review
A new technique lets hackers targeting Apple's OS X cover their tracks more effectively.
Fans of Apple computers often boast about superior security. But as Macs have gained in popularity over the past few years, this has brought much more attention from hackers. At a presentation scheduled to take place today at the Black Hat DC computer-security conference in Washington, DC, one security expert will reveal a technique for attacking the Mac operating system--OS X--without leaving a trace.
Similar techniques have targeted both Windows and Linux machines for several years. They allow an attacker to cover her tracks, eliminating vital evidence that an investigator might normally use to prove that a machine has been compromised; they might also allow the investigator to put together details of the incident. Bringing the technique to the Mac, however, required a significantly more sophisticated approach.
The technique that will be outlined at Black Hat DC allows an attacker to remove virtually all trace of an attack against OS X, after compromising the system using another exploit.
Vincenzo Iozzo, a student at the Politecnico di Milano, in Italy, explains that the technique allows an attacker to break into a machine without leaving a trace in its permanent memory, which means that evidence of the attack will disappear as soon as the victim's computer is turned off. Such a technique could be used, for example, in combination with another software flaw to covertly replace a legitimate version of Apple's Safari Web browser with a malicious one that logs the user's keystrokes and sends them to the attacker.
Normally, when a user runs an application, the code runs in various parts of the computer's memory. In OS X, a file format called Mach-O is used to specify where in the computer's memory the application's processes should run. Iozzo studied the Mach-O file format in order to predict in advance where these processes could be found. The technique identifies an active process (such as that for Safari) and injects malicious code into the space in memory where it is running. When the system reads from the expected location, it executes the attacker's code instead of the legitimate program. Since the technique leaves no trace, Iozzo says that it can only be detected using software that watches for intrusions on a network.
Predicting where to inject the malicious code is made more difficult by a security feature in OS X that stores the variables needed to keep the attack untraceable in random locations within memory. However, Iozzo discovered a way to anticipate where the variables would be stored based on pieces of information that remain unchanged.
A Web browser loophole could make it easier for crooks to scam the unwary.
Dan Kaminsky discovered a fundamental problem and got people to care in time. We were lucky this time.
No assumptions can be made on this sophisticated hacking technique, as there is not enough evidence to support how many mac OS have been affected by it yet. As long as hackers dont get their dirty hands on this technique, apple pc users can still expect to be safe as ever.
However, it would be appreciable if security researchers are pro-active and find a solution to this as soon as possible, especially before the process of the technique is widely spread out for hackers to feast on.
Guest (kstar)
Re: Quick Solution are necessary
AFAIK, the "sophisticated hacking technique" of infection is getting the user to run a program, i.e a trojan.
While the method of minimizing or eliminating evidence of the machine being hacked may be sophisticated, infection via trojan is not so sophisticated, IMO.
Best,
Kurt
Guest (kstar)
Re: Quick Solution are necessary
The above article could have been improved by stating clearly that Iozzo's technique is only applicable after a machine is compromised.
From Mr. Vincezo Iozzo himself, my emphasis in bold added:
It should be noted that my technique does not allow to break into a machine more easily, but makes it easier the execution of code within the system attacked.
Source: http://www.oneitsecurity.it/22/01/2009/mac-os-x-vulnerability-an-interview-with-vincenzo-iozzo/
FWIW.
Manufacturing in the United States is in trouble. That's bad news not just for the country's economy but for the future of innovation.
This document is part of the “How-To Guide for Most Common Measurements” centralized resource portal. This tutorial provides a detailed guide for measurement and device considerations to take temperature measurements using thermocouples. Get an introduction to thermocouples, which are inexpensive sensing devices widely used with PC-based data acquisition systems. Also review some specific thermocouple examples and learn how thermocouples work and ways to integrate them into a data acquisition measurement system.
View full PDF >
Listen to story > 
On Twitter
Become a Fan on Facebook
Subscribe to the Feed
Just Some Human
1 Comment
The missing piece of information is "How does the attacker gain access to the machine"?
Reply
Guest (kstar)
Re:
Agreed.
This appears to be an article without substance . . . from one of my favorite sites.
Reply
californian
1 Comment
Re:
Well, the only way a hacker can run an exploit is by having the user run a compromised application. Basically, as long as one knows exactly what he's installing, he should be fine.
Reply
Guest (kstar)
Re:
Right.
The "attack" mentioned in this article is a trojan, AFAIK.
I guess the meat of the story is the "covering path" element, not the "attack." Of course, running a story about OS X "attacks" brings a bunch of folks out from the shadows, like us. LOL.
Best,
Kurt
Reply