Creating a custom command and control (C&C) server for someone else's malware has a number of benefits. If you can take over its domain, you may be able to fully hijack the other attacker's infected hosts. A more prosaic benefit is speeding up analysis. While hackers and governments might be more interested in the former, malware analysts can benefit from the latter.
FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly, which even now is detected by only a handful of security products.
This DEF CON talk begins by analyzing the malware's dropper, an obfuscated Perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.
While this dropper component also communicates with the C&C server and supports some basic commands, it drops a binary payload in order to perform more complex actions. However, instead of fully reversing this piece of the malware, the talk will focus on an initial triage and show how that was sufficient for building a custom C&C server. With such a server, we can easily coerce the malware into revealing its full capabilities. For example, the malware invokes a handful of low-level mouse and graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, we can simply send it various commands through the C&C server and observe the effects.
Of course, this approach relies on the ability to closely observe the malware's actions. As such, Patrick will discuss macOS-specific tools that can monitor various events and, where necessary, detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes the commands the malware sends to the OS in order to control the mouse).
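As an added illustration of the kind of custom monitor described above (example code written for this page, not the tool from the talk), the following Swift program is a minimal listen-only mouse sniffer: a passive Quartz event tap that logs every mouse event the window server delivers, including synthetic ones posted by a user-space process, together with the posting process's PID. It assumes a macOS host with the Accessibility (and, on newer releases, Input Monitoring) permission granted to the built binary.

```swift
// Added example: passive macOS mouse-event monitor built on a CGEvent tap.
// Build with `swiftc mousesniffer.swift`; run it while the sample executes in a VM
// and watch which process is injecting mouse input and where it points.
import Foundation
import CoreGraphics

// One bit per raw CGEventType value selects the mouse events we want to see.
let interesting: [CGEventType] = [
    .mouseMoved, .leftMouseDown, .leftMouseUp, .leftMouseDragged,
    .rightMouseDown, .rightMouseUp, .rightMouseDragged, .scrollWheel,
]
let mask: CGEventMask = interesting.reduce(0) { $0 | (CGEventMask(1) << CGEventMask($1.rawValue)) }

func describe(_ type: CGEventType) -> String {
    switch type {
    case .mouseMoved:        return "move"
    case .leftMouseDown:     return "left-down"
    case .leftMouseUp:       return "left-up"
    case .leftMouseDragged:  return "left-drag"
    case .rightMouseDown:    return "right-down"
    case .rightMouseUp:      return "right-up"
    case .rightMouseDragged: return "right-drag"
    case .scrollWheel:       return "scroll"
    default:                 return "type(\(type.rawValue))"
    }
}

var tap: CFMachPort?   // global so the C-convention callback can re-enable the tap

// The callback must be a C function pointer, so it may not capture local state.
let callback: CGEventTapCallBack = { _, type, event, _ in
    // The system disables a tap that stalls; re-enable it and keep listening.
    if type == .tapDisabledByTimeout || type == .tapDisabledByUserInput {
        if let t = tap { CGEvent.tapEnable(tap: t, enable: true) }
        return Unmanaged.passUnretained(event)
    }
    let loc = event.location
    // A synthetic event posted from user space carries the posting process's PID,
    // which is what distinguishes injected input from the real mouse.
    let pid = event.getIntegerValueField(.eventSourceUnixProcessID)
    print("\(describe(type)) at (\(Int(loc.x)), \(Int(loc.y))) from pid \(pid)")
    return Unmanaged.passUnretained(event)   // listen-only: pass the event through untouched
}

tap = CGEvent.tapCreate(tap: .cgSessionEventTap, place: .headInsertEventTap,
                        options: .listenOnly, eventsOfInterest: mask,
                        callback: callback, userInfo: nil)
guard let port = tap else {
    fputs("could not create event tap; check Accessibility / Input Monitoring permissions\n", stderr)
    exit(1)
}
CFRunLoopAddSource(CFRunLoopGetCurrent(), CFMachPortCreateRunLoopSource(kCFAllocatorDefault, port, 0), .commonModes)
CGEvent.tapEnable(tap: port, enable: true)
CFRunLoopRun()   // block forever, printing one line per mouse event
```

Correlating the logged PID with the process list in the analysis VM ties each injected click or move back to the malware's payload without reversing the code that builds those API calls.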
While parts of this talk are specific to FruitFly and/or macOS, conceptually the approach should apply broadly to analyzing other malware, even on other operating systems.