New Mac OS X Kernel Rootkit tools released

Written by Editor on August 14, 2009

During Black Hat 2009 in Las Vegas in late July, security researcher Dino A. Dai Zovi presented several new techniques for writing Mac OS X kernel rootkits. Earlier this week Dino released the paper and the tools' source code to the public.

The Mac OS X kernel is a hybrid of the Mach 3.0 microkernel and the FreeBSD kernel. The BSD portion takes care of system call handlers, file systems, networking, etc., and is ported to run on top of the Mach microkernel. Mach is responsible for low-level interprocess communication (IPC), managing tasks and threads, ports, and other low-level services. Because raw IPC is of limited use at this level, the kernel provides an additional RPC system on top of Mach IPC to make the system more robust.

Traditionally, rootkits used on OS X have been based on Unix rootkits that exploit the BSD elements of OS X and its Unix-like environment. The tools Dino designed, in contrast, are based entirely on Mach features rather than on those traditional Unix mechanisms.

The tools released as part of this research include:

inject-bundle - This tool uses memory and thread injection techniques to load a Mach-O bundle into another task. A number of bundles are supplied that can be injected into iSight, iChat, and the Apple Secure Transport API to log information.

Machiavelli - This tool demonstrates the use of Mach RPC proxying to communicate with the host transparently. Also included are versions of 'ps' and 'inject-bundle' that use Machiavelli for remote host control.

uncloak - This tool examines kernel memory regions to identify hidden kernel objects and dumps them to disk using kernel-macho-dump.

KRPC - A kernel extension that directly modifies the 'mig_buckets' table through which Mach IPC messages are dispatched. It can be used to dynamically inject a new in-kernel RPC subsystem.
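Since KRPC ships as a kernel extension, one of the first things a defender will want is a record of which kernel extensions are loaded and whether anything has appeared that was not there before. The script below is an added example (it is not part of the article or of Dino's tools): it parses the text layout of `kextstat` output, compares the loaded bundle identifiers against a baseline recorded on a known-good machine, and flags anything outside the baseline or outside Apple's `com.apple.` namespace. The sample output, the baseline set and the bundle identifier `com.example.unknownkext` are all constructed for illustration, and the assumption that live `kextstat` output matches this layout is labelled in the code.

```python
"""Baseline check on loaded kernel extensions.

Added example, not code from the article or from Dino Dai Zovi's tools.
It assumes the column layout of `kextstat` on Mac OS X:
    Index Refs Address Size Wired Name (Version) <Linked Against>
"""
import re
import subprocess

# Constructed sample in the shape of `kextstat` output (not captured from a
# real machine). The last line stands in for a kext that is not in the
# baseline; com.example.unknownkext is a hypothetical bundle identifier.
SAMPLE_KEXTSTAT = """\
Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1   50 0x0        0x0        0x0        com.apple.kernel (10.0.0)
    2   20 0x2f4000   0x7000     0x6000     com.apple.kpi.bsd (10.0.0)
    3   18 0x2fb000   0x3000     0x2000     com.apple.kpi.mach (10.0.0)
   45    0 0x5e2000   0x3000     0x2000     com.example.unknownkext (1.0) <3 2>
"""

# Constructed baseline: bundle identifiers recorded on a known-good system.
BASELINE = {"com.apple.kernel", "com.apple.kpi.bsd", "com.apple.kpi.mach"}

# One kext line: index, refs, address, size, wired, name, (version).
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)"
    r"\s+(\S+)\s+\(([^)]*)\)"
)


def parse_kextstat(text):
    """Return one dict per kext line; header and unparseable lines are skipped."""
    kexts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx, refs, addr, size, wired, name, version = m.groups()
        kexts.append({
            "index": int(idx),
            "refs": int(refs),
            "address": int(addr, 16),
            "size": int(size, 16),
            "wired": int(wired, 16),
            "name": name,
            "version": version,
        })
    return kexts


def find_suspicious(kexts, baseline):
    """Flag kexts missing from the baseline or outside Apple's namespace.

    Returns a list of (bundle identifier, [reasons]) pairs.
    """
    findings = []
    for k in kexts:
        reasons = []
        if k["name"] not in baseline:
            reasons.append("not in baseline")
        if not k["name"].startswith("com.apple."):
            reasons.append("non-Apple bundle identifier")
        if reasons:
            findings.append((k["name"], reasons))
    return findings


def check_live(baseline):
    """Run kextstat on a real Mac (assumed to be present on PATH) and report."""
    out = subprocess.run(["kextstat"], capture_output=True, text=True,
                         check=True).stdout
    return find_suspicious(parse_kextstat(out), baseline)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for name, reasons in find_suspicious(parse_kextstat(SAMPLE_KEXTSTAT), BASELINE):
        print(f"{name}: {', '.join(reasons)}")
```

A listing like this only reports what the kernel itself is willing to report; a kext that has unlinked itself from the kernel's own bookkeeping will not appear, which is exactly why the uncloak tool described above walks kernel memory directly rather than asking the running system for a list.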

You can find out more about this work on advanced Mac OS X rootkits from the presentation and paper associated with Dino's research, along with the code (available here) and the blog post describing the tools.