Hunting for OS X Rootkits in Memory presented at HITBSecConf Malaysia 2013

by Cem Gurkok

Summary: The OS X kernel is increasingly targeted by malicious actors as the attack surface outside the kernel shrinks.
Existing tools detect only rudimentary OS X rootkit techniques, such as replacing executables or directly overwriting kernel function pointers (the approach taken by the Rubilyn rootkit). Advanced rootkits are more likely to use modifications that are harder to detect, such as inline function hooks, shadow syscall tables, and DTrace hooks.
In this presentation I will explore how to attack the OS X syscall table and other kernel functions with these techniques, and how to detect the resulting modifications in memory using the Volatility Framework. The presentation will include demonstrations of manipulating a live system and then detecting the changes with a new Volatility Framework plugin.
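The three checks a memory-forensics tool runs for the hooking techniques named above, as an added illustration that is not the speaker's Volatility plugin or any code from the talk. Everything here is constructed: the kernel symbol addresses, the kext address, the five-entry sysent table (simplified to one 8-byte `sy_call` pointer per syscall number, whereas the real `struct sysent` has more fields) and the `lea rax, [rip+disp32]` in the dispatcher stand in for what a plugin would read from a memory image and the kernel's symbol table.

```python
"""Model of three kernel-hook checks over a constructed, fake x86-64 OS X image.
Not Volatility code; addresses, symbols and layouts below are made up."""
import struct

# --- Constructed kernel layout (an `nm` of the real kernel would supply this) ---
KERNEL_TEXT = (0xffffff8000200000, 0xffffff8000900000)   # assumed kernel __TEXT range
SYMBOLS = {
    "_read": 0xffffff8000300000, "_write": 0xffffff8000300100,
    "_open": 0xffffff8000300200, "_close": 0xffffff8000300300,
    "_getdirentries64": 0xffffff8000300400,
    "_sysent": 0xffffff8000a00000, "_unix_syscall64": 0xffffff8000400000,
}
SYSENT_LAYOUT = ["_read", "_write", "_open", "_close", "_getdirentries64"]
KEXT_HOOK = 0xffffff7f80c00000        # hook handler in a loaded kext, outside kernel __TEXT
SHADOW_SYSENT = 0xffffff7f80c10000    # copy of sysent placed in kext memory
PROLOGUE = bytes.fromhex("554889e5")  # push rbp; mov rbp, rsp
MASK64 = (1 << 64) - 1

class Memory:
    """Minimal address-space model: byte regions keyed by base address."""
    def __init__(self):
        self.regions = {}
    def write(self, addr, data):
        self.regions[addr] = bytes(data)
    def read(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf[addr - base:addr - base + n]
        raise ValueError(f"unmapped read at {addr:#x}")
    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

def build_image(infected):
    """Clean image, or one carrying a sysent patch, an inline hook and a shadow table."""
    mem = Memory()
    for name in SYSENT_LAYOUT:                      # genuine handlers: normal prologue
        mem.write(SYMBOLS[name], PROLOGUE + b"\x90" * 12)
    table = [SYMBOLS[n] for n in SYSENT_LAYOUT]
    table_addr = SYMBOLS["_sysent"]                 # table the dispatcher will reference
    if infected:
        table[1] = KEXT_HOOK                        # (1) write() entry patched in place
        target = SYMBOLS["_getdirentries64"]        # (2) prologue replaced by jmp rel32
        rel = (KEXT_HOOK - (target + 5)) & 0xffffffff
        mem.write(target, b"\xe9" + struct.pack("<I", rel) + b"\x90" * 11)
        shadow = [SYMBOLS[n] for n in SYSENT_LAYOUT]  # (3) shadow table: _sysent itself
        shadow[3] = KEXT_HOOK                       #     stays clean, close() hooked here
        mem.write(SHADOW_SYSENT, struct.pack("<5Q", *shadow))
        table_addr = SHADOW_SYSENT
    mem.write(SYMBOLS["_sysent"], struct.pack("<5Q", *table))
    lea_addr = SYMBOLS["_unix_syscall64"] + len(PROLOGUE)
    disp = table_addr - (lea_addr + 7)              # rip-relative: rip = end of 7-byte lea
    mem.write(SYMBOLS["_unix_syscall64"],
              PROLOGUE + b"\x48\x8d\x05" + struct.pack("<i", disp) + b"\x90" * 21)
    return mem

def check_sysent(mem, table_addr):
    """Compare each sy_call pointer against the kernel symbol it should hold."""
    findings = []
    for num, name in enumerate(SYSENT_LAYOUT):
        got = mem.read_u64(table_addr + 8 * num)
        if got != SYMBOLS[name]:
            where = "kernel" if KERNEL_TEXT[0] <= got < KERNEL_TEXT[1] else "outside kernel __TEXT"
            findings.append((num, name, got, where))
    return findings

def check_inline_hook(mem, func_addr):
    """Return the jump target if the prologue was replaced by a control transfer."""
    head = mem.read(func_addr, 16)
    if head[0] == 0xE9:                                        # jmp rel32
        return (func_addr + 5 + struct.unpack_from("<i", head, 1)[0]) & MASK64
    if head[:2] == b"\xff\x25":                                # jmp [rip+disp32]
        return mem.read_u64(func_addr + 6 + struct.unpack_from("<i", head, 2)[0])
    if head[:2] == b"\x48\xb8" and head[10:12] == b"\xff\xe0":  # mov rax, imm64; jmp rax
        return struct.unpack_from("<Q", head, 2)[0]
    return None

def resolve_dispatcher_table(mem, dispatcher):
    """Find `lea rax, [rip+disp32]` in the dispatcher and resolve the table it uses."""
    code = mem.read(dispatcher, 32)
    i = code.find(b"\x48\x8d\x05")
    if i < 0:
        raise ValueError("no rip-relative table reference found")
    return (dispatcher + i + 7 + struct.unpack_from("<i", code, i + 3)[0]) & MASK64

def hunt(mem):
    """Run all three checks; a clean image yields empty findings everywhere."""
    used = resolve_dispatcher_table(mem, SYMBOLS["_unix_syscall64"])
    shadow = None if used == SYMBOLS["_sysent"] else used
    return {
        "sysent": check_sysent(mem, SYMBOLS["_sysent"]),
        "inline": {n: t for n in SYSENT_LAYOUT
                   if (t := check_inline_hook(mem, SYMBOLS[n])) is not None},
        "shadow_table": shadow,
        "shadow_entries": check_sysent(mem, shadow) if shadow else [],
    }

if __name__ == "__main__":
    for k, v in hunt(build_image(infected=True)).items():
        print(k, v)
```

Note what each check does and does not catch: the sysent comparison misses the shadow table entirely, because `_sysent` is left intact and the dispatcher is redirected instead, so the table actually referenced by the syscall entry code has to be resolved from the dispatcher's own instructions and checked separately. The prologue scan only recognises a few common trampoline encodings; a hook placed deeper in the function body needs a full comparison of the in-memory text against the on-disk kernel.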