OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis

'Tis the season.

Here is a nice collection of ~100 Mac OS malware and Word document exploits carrying MacOS payload (all are CVE-2009-0563) along with links for OSX malware analysis.

Please send your favorite tools for OSX if they are not listed.

CVE-2009-0563

CVE-2009-0563
Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."

Links

Some OSX malware analysis tools and links 

• http://computer-forensics.sans.org/community/papers/gcfa/mac-os-malware-analysis_2286
• http://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X
• http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html

Tools

• Activity Monitor (Max OSX Utilities folder)
• MacMemoryze (support for Mountain Lion) free, 
• Volatility (partial support for Mountain lion) free
• fseventer (graphical event representation) - works on Mountain lion 
• Wireshark
• IDA pro
• OSXpmem (kernel extension)
• http://osxbook.com/ OSX internals
• 2009 Mac OS X Malware Analysis Author: Joel Yonts
• Apple OS X ABI Mach-O File Format Reference  
• FileXray $79 but looks like it is worth it if you do OSX forensics
• ...let us know what you use

Malware in the provided package - links to research and news articles

• OSX_AoboKeylogger http://aobo.cc/
• OSX_BackTrack-A
• OSX_Boonana http://contagiodump.blogspot.com/2010/11/nov-14-javaboonana-facebook-trojan.html
• OSX_ChatZum http://www.thesafemac.com/chatzum-discovered-in-another-installer/
• OSX_Clapzok http://www.intego.com/mac-security-blog/clapzok-a-multi-platform-virus/ 
• OSX_Crisis http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/
• OSX_Dockster_Backdoor http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html
• OSX_FkCodec http://www.thesafemac.com/osxfkcodec-a-in-action/
• OSX_Flashback http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99
• OSX_Fucobha_IceFog http://www.securelist.com/en/blog/208214064/The_Icefog_APT_A_Tale_of_Cloak_and_Three_Daggers
• OSX_GetShell http://www.symantec.com/security_response/writeup.jsp?docid=2013-020412-3611-99
• OSX_Hacktool_Hoylecann
• OSX_HellRaiser http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
• OSX_HellRTS http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
• OSX_Hovdy_Backdoor http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Hovdy-A.aspx
• OSX_Inqtana http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99&tabid=2
• OSX_Iservice http://www.symantec.com/connect/blogs/osxiservice-it-s-not-going-iwork-you
• OSX_Jahlav http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/
• OSX_Kitmos http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html
• OSX_Lamadai http://www.welivesecurity.com/2012/03/28/osxlamadai-a-the-mac-payload/
• OSX_Leverage_A_Backdoor http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
• OSX_LocalRoot https://www.trustedsec.com/august-2013/osx-10-8-4-local-root-privilege-escalation-exploit/
• OSX_Macarena_A http://www.securelist.com/en/analysis/204791948/Mac_OS_X#macarena
• OSX_MacDefender http://www.intego.com/mac-security-blog/macdefender-rogue-anti-malware-program-attacks-macs-via-seo-poisoning/
• OSX_MacKontrol http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
• OSX_Macsweeper http://en.securitylab.ru/viruses/311798.php
• OSX_Miner_DevilRobber http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Miner-D/detailed-analysis.aspx
• OSX_Olyx_Backdoor http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html
• OSX_OpinionSpy http://www.f-secure.com/sw-desc/spyware_osx_opinionspy.shtml
• OSX_PSides
• OSX_Genieo http://www.thesafemac.com/malicious-genieo-installers-persist/
• OSX_PUP_PerfectKeylog http://www.blazingtools.com/mac_keylogger.html
• OSX_Renepo / Pintsized http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/
• OSX_Revir http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html
• OSX_Safari
• OSX_SniperSpy http://www.sniperspymac.com/download.html
• OSX_Wirenet http://www.webroot.com/blog/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/
• OSX_Yontoo http://www.macrumors.com/2013/03/21/new-yontoo-adware-trojan-targets-major-browsers-on-os-x/
• OSXWeapoX http://www.virusradar.com/OSX_Rootkit.Weapox.A/description
• ------------------------------------
• CVE-2009-0563 Word exploit

• MacControl payload  http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
• OSX.SabPub payload http://www.securelist.com/en/blog/208193470/New_Version_of_OSX_SabPub_Confirmed_Mac_APT_attacks
• OSX/Dockster.A payload  http://www.intego.com/mac-security-blog/new-targeted-attack-on-tibetan-activists-using-os-x-discovered/
• OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html and http://blogs.technet.com/b/mmpc/archive/2012/04/30/an-interesting-case-of-mac-osx-malware.aspx

DeepEnd Research: List of malware pcaps, samples, and indicators for the Library of Malware Traffic Patterns

The library of malware traffic patterns have been popular. We found it very useful as well ourselves and we encourage you to send your contributions. I know at some point the spreadsheet will become unwieldy but I personally find it the most easy way (easy sort, search etc)

Currently, most of the samples described have the corresponding samples and pcaps available for download (email Mila @contagio for the password)

such as you see in the links below

http://bit.ly/crimesamples | http://bit.ly/crimepcaps

http://bit.ly/aptsamples | http://bit.ly/aptpcaps

>>>> VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"   <<<<

Email us at mila [a t ] Deependresearch.org or adimino [a t] deependresearch.org

The current list of malware described (as of Aug. 9, 2013)

Defcon 21 Archives Speaker Materials

Hope it is not a copyright violation and won't cause too much hate. I know Defcon will post better and complete data soon but many / most attendees did not receive the presentation CDs to their great sadness because there were not enough CDs available for all. Many authors and attendees published Defcon and Blackhat presentations online as well -you can track them via Twitter

You can download it here for now. Check Defcon website often, they will post it soon. The list of files of the speaker materials is below. The zip file also includes short stories. Please note that some presentations submitted for the DVD were somewhat / significantly different from what was presented. But better this than nothing, right?


SPEAKER MATERIALS - LIST OF PRESENTATIONS

DeepEnd Research: Under this rock... Vulnerable Wordpress/Joomla sites... Overview of the RFI botnet malware arsenal

Exploits directed at Wordpress and/or Joomla content management systems(CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed via automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan  (Mutopy  - Win32) (20a6ebf61243b760dd65f897236b6ad3 Virustotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) 7958f73daf4b84e3b00e008258ea2e7a Virustotal 
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08 Virustotal 
3) PHP scripts for injecting into compromised Wordpress sites. Among them a PHP spambot (victimized site owners often get alerted about copious amount of meds and spam porn emanating from their sites). This is also the source of varied links for spam using thousands of various links redirecting to the same sites (e.g. weightloss, work at home scams, or porn sites)

Read more at DeepEnd Research>>>

Download files (see below)

DeepEnd Research - Library of Malware Traffic Patterns

Update May 6, 2013 We added ability to download corresponding samples and pcaps (when available)

Traffic analysis has been the primary method of malware identification and thousands of IDS signatures developed are the daily proof. Signatures definitely help but ability to visually recognize  malware traffic patterns and see the trends when they change has been always an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as "personal notes" spreadsheet with GET and   POST requests for different malware families with information from open sources. We decided others might find it useful too.

>>  read more on DeepEnd Research

CVE-2013-0640 samples listing

This is a detailed MD5 listing of CVE-2013-0640 pdf files that were posted earlier. I got a few requests for samples that were already posted as a pack in this post ( 16,800 clean and 11,960 malicious files for signature testing and research.)  Now you can see them  in all their glory below.
I can post listings for other malware from that large post if there is need and interest.

PDF
MALWARE PDF NEW -170 FILES MALWARE PDF PRE_04-2011_10982_files

• Vinsula. CVE-2013-0640 – Further Investigation into an Adobe PDF Zero-day Malware Attack
• Kaspersky: The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor  

CVE-2013-0804 Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation by Brian Mariani & Frédéric Bourla

This is another excellent publication by Brian Mariani & Frédéric Bourla (High Tech Bridge) describing their discovery and research of  CVE-2013-0804 Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation

CVE-2013-0804
The client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via unspecified vectors.

You can download it from here: High Tech Bridge Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation by Brian Mariani & Frédéric Bourla 

16,800 clean and 11,960 malicious files for signature testing and research.

Signature and security product testing often requires large numbers of sorted malicious and clean files to eliminate false positives and negatives. They are not always easy to find, but here are some that I have.

Clean documents are collected from various open sources. All the copyright rights belong the the authors of each document and file. You must not use the documents for their content but only as samples of particular file types.

DarkSeoul - Jokra - MBR wiper samples

If all you needed for happiness is to destroy a few virtual machines, here are the samples for today's headline maker.
The malware overwrites master boot record (MBR) as described here:
* Trojan.Jokra - Symantec
* DarkSeoul: SophosLabs identifies malware used in South Korean internet attack
* South Korean Banks, Media Companies Targeted by Destructive Malware - McAfee
* South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack - Symantec.

Mandiant APT1 samples categorized by malware families

Update: May 19, 2018
APT 1 resources
Threat Actor aliases:
Comment Crew, Comment Panda, PLA Unit 61398, TG-8223, APT 1,           BrownFox,Group 3,GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor

http://apt.threattracking.com

• 2010_11_Fireeye_VinSelf - A new backdoor in town! « VinSelf - A new backdoor in town! _ FireEye Inc.pdf
• 2010_12_Guardian_WikiLeaks cables reveal fears over Chinese cyber warfare _ US news _ The Guardian.pdf
• 2011_08_Ira Winkler_ Shady Rat Case Shows Vendors As Big a Problem As APT Itself _ CIO.pdf
• 2011_08_Kaspersky's Thoughts on Operation Shady Rat _ Nota Bene_ Eugene Kaspersky's Official Blog.pdf
• 2011_10_SANS_detailed-analysis-advanced-persistent-threat-malware-33814.pdf
• 2011_Mcafee-operation-shady-rat1.pdf
• 2012_06_Bloomberg_Hackers Linked to China’s Army Seen From EU to D.C. - Bloomberg.pdf
• 2013_02_NYTimes_China’s Army Is Seen as Tied to Hacking Against U.S.pdf
• 2013_03_Fireeye_TABMSGSQL and 44 WEBC2-YAHOO_The Dingo and the Baby « The Dingo and the Baby _ FireEye Inc.pdf
• 2013_05_Fireeye_APT1 Three Months Later.pdf
• 2013_05_Mandiant-APT1_Exposing One of China’s Cyber Espionage Units.pdf
• 2014_05_Fireeye_The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1 Intrusion Activity « The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1 Intrusion Activity _ FireEye Inc.pdf
• 2014_06_Crowdstrike_Hat-tribution to PLA Unit 61486 ».pdf
• 2014_12_Vinself now with steganography - Airbus CyberSecurity.pdf
• 2016_BANGAT_malware-signatures_bangat.yara at master · citizenlab_malware-signatures.pdf
• GIF89a_Vinselfdecoder_malwaretracker.com_ Command and Control Decoder - Vinself Trojan.pdf
• PLA Unit 61398 _ Council on Foreign Relations Interactives.pdf

These are the samples described in the Mandiant Report APT1, in the Indicators of Compromise (IOCs). Each file is named according to the malware family, so you can run your own detection and signature tools to see how your naming convention corresponds to the one used by Mandiant.

You can use these binaries to develop signatures, compare to your samples, or study the behavior and evolution of APT1.
I added Contagio samples in several families as well.
The list of binaries and their names, as well as malware families descriptions are provided below for your convenience.

Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 - sample

Someone shared a sample of the Linux rootkit affecting servers running CloudLinux, CentOS & cPanel.

Here are the links:

• Feb 20-18 - Webhostingtalk SSHD Rootkit Rolling around
• Feb 18, 2013  0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 http://blog.solidshellsecurity.com/
• Feb 8, 2013 SSHD Spam Rootkit /lib64/libkeyutils.so.1.9

Jan 2013 Shylock (skype version) sample

In January 2013,  Iurii Khvyl and Peter Kruse from CSIS posted analysis of Shylock variant capable of spreading through Skype.

You can read their research here Shylock calling Skype. The sample is below

Jan 2013 - Linux SSHDoor - sample

Just a few accumulated samples here found and shared by others. This one is for Linux SSHDoor malware, which can steal your SSH passwords. ESET covered that in detail in Linux/SSHDoor.A Backdoored SSH daemon that steals passwords ( 24 JAN 2013)

The related Linux.Chapro.A sample was posted earlier this year as well

Manipulating Memory for Fun and Profit by Frédéric Bourla - High-Tech Bridge

I am sure you remember excellent reverse engineering presentations by High-Tech Bridge experts I posted earlier.  High-Tech Bridge presented  at the ISACA event in Luxembourg and you can download their detailed and very interesting presentation:  “Manipulating Memory for Fun and Profit".
The presentation includes detailed memory forensics process using Volatility

by Frédéric BOURLA
Chief Security Specialist
Head of Ethical Hacking & Computer Forensics Departments
High-Tech Bridge SA


Table of Contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion


Download the full presentation in PDF 

The text of the presentation (for Google search and to get an idea about the contents:)

Trojan 'Nap" aka Kelihos/Hlux status update by DeepEnd Research and samples

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of Kelihos/Hlux botnet, along with  the list of known fast flux domains (1500+) associated with with Kelihos distribution or Command&Control. (current > 2012).  The current and most active name servers are pointing to the ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep.2011 and Mar. 2012), the botnet is definitely on the rise again.

Please read the rest of our post here http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html. 

You can download the associated binaries (97 files) and pcap below.

Dec 2012 Batchwiper Samples

Update: Jan 18, 2013 - Here is a nice analysis BatchWiper  Analysis by Emanuele De Lucia
The next time the virus will wake up is Jan 21, 2013. Time to grab it, read and play.

Several people asked for Batchwiper, so here are the samples.
From Maher - Iranian CERT:

Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks. The identified components of this threat are listed in the following table:

Name	MD5
GrooveMonitor.exe [dropper]	f3dd76477e16e26571f8c64a7fd4a97b
juboot.exe	fa0b300e671f73b3b0f7f415ccbe9d41
jucheck.exe	c4cd216112cbc5b8c046934843c579f6
SLEEP.EXE	ea7ed6b50a9f7b31caeea372a327bd37
WmiPrv.exe	b7117b5d8281acd56648c9d08fadf630