Watching the Apple Fall presented at t2InfoSecCon 2014

by Patrick Wardle,

Summary: “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” (
Mac’s recent growth in both the home and the enterprise is impressive and unlikely to abate. Macs are loved for a variety of reasons, including a perceived security superiority over their Windows-based counterparts. The naive among us may deny it, but wiser users acknowledge the reality of OS X malware, even while they often still defend the Mac’s perceived security edge. True, Apple’s BSD core and advanced security mechanisms may project an image of malware immunity, but in reality a skilled attacker can defeat them, allowing persistent malware to thrive even on Apple’s latest OS, OS X Mavericks.
This talk will begin with a technical analysis of Apple’s latest security mechanisms, such as XProtect, Gatekeeper, and signed-code requirements (for both applications and kernel extensions). For each, weaknesses will be identified and attacks will be demonstrated that completely bypass the protection. Since Apple’s security mechanisms may fail to thwart malware, it is essential to understand where malware may persistently live. With this in mind, the talk will comprehensively identify points in the boot and logon process of Mavericks that can be abused to provide malware persistence. To keep things practical, real-world examples of OS X malware that target these portions of the OS in order to gain persistence will be presented, and for novel persistence techniques proof-of-concept code will be discussed.
In order to protect against both current and future malware threats, an open-source tool will be demonstrated that can enumerate and display persistent OS X binaries that are set to execute automatically at each boot.
As a result of attending this presentation, participants will gain a deep technical understanding of Apple’s anti-malware security mechanisms (and their weaknesses), the OS X boot and logon process, and the components that are, or may be, targeted by persistent malware.
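To make the "enumerate persistent binaries" idea concrete, here is a small added example (written for this page, not the open-source tool the talk demonstrates and not Patrick Wardle's code). It parses launchd job property lists of the kind found in /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents, works out which binary launchd will exec for each job, and flags jobs that start without any trigger (RunAtLoad, KeepAlive, StartInterval/StartCalendarInterval) as persistent. The three plists embedded below are constructed for the example; the job labels, paths and the "outside /System or /usr" heuristic are assumptions, not indicators from the talk. The optional `codesign` check only runs where that tool exists.

```python
"""Enumerate launchd persistence items (added example, not the talk's tool).

Parses launchd job plists, reports the executable each job starts, whether
the job starts on its own at boot/login, and (on OS X) whether the binary
passes `codesign --verify`. The SAMPLES below are constructed plists.
"""
import os
import plistlib
import shutil
import subprocess

# Directories launchd scans for jobs; used only by scan_live() on a real Mac.
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Assumed heuristic: binaries living outside these prefixes get a closer look.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def executable_of(job):
    """Path launchd will exec: the Program key wins over ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def is_persistent(job):
    """True when the job starts without an external trigger."""
    if job.get("RunAtLoad"):
        return True
    keep_alive = job.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):
        return True  # launchd (re)starts it on its own
    return "StartInterval" in job or "StartCalendarInterval" in job


def analyze(plist_bytes, origin="<memory>"):
    """Summarise one launchd plist (raw XML/binary bytes) as a dict."""
    job = plistlib.loads(plist_bytes)
    return {
        "label": job.get("Label"),
        "origin": origin,
        "executable": executable_of(job),
        "persistent": is_persistent(job),
        "disabled": bool(job.get("Disabled", False)),
    }


def codesign_status(path):
    """Run `codesign --verify` on OS X; elsewhere report 'unavailable'."""
    if shutil.which("codesign") is None or not os.path.exists(path):
        return "unavailable"
    r = subprocess.run(["codesign", "--verify", "--strict", path],
                       capture_output=True)
    return "signed" if r.returncode == 0 else "unsigned-or-invalid"


def suspicious(results):
    """Persistent, enabled jobs whose binary lives outside system prefixes."""
    return [r for r in results
            if r["persistent"] and not r["disabled"] and r["executable"]
            and not r["executable"].startswith(SYSTEM_PREFIXES)]


def _plist(body):
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<plist version="1.0"><dict>' + body + b'</dict></plist>')


# Constructed sample jobs: a system-style daemon, a dropped "updater" hidden
# under /Users/Shared, and an on-demand socket-activated job.
SAMPLES = {
    "com.example.helperd.plist": _plist(
        b"<key>Label</key><string>com.example.helperd</string>"
        b"<key>Program</key><string>/usr/libexec/example_helperd</string>"
        b"<key>RunAtLoad</key><true/>"),
    "com.example.updater.plist": _plist(
        b"<key>Label</key><string>com.example.updater</string>"
        b"<key>ProgramArguments</key><array>"
        b"<string>/Users/Shared/.update/updated</string>"
        b"<string>--silent</string></array>"
        b"<key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>"),
    "com.example.ondemand.plist": _plist(
        b"<key>Label</key><string>com.example.ondemand</string>"
        b"<key>ProgramArguments</key><array>"
        b"<string>/usr/libexec/example_ondemand</string></array>"
        b"<key>Sockets</key><dict><key>Listeners</key><dict>"
        b"<key>SockServiceName</key><string>12345</string></dict></dict>"),
}


def scan_samples():
    return [analyze(data, name) for name, data in SAMPLES.items()]


def scan_live():
    """Walk the real launchd directories (only meaningful on OS X)."""
    results = []
    for d in LAUNCHD_DIRS:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                path = os.path.join(d, name)
                with open(path, "rb") as f:
                    results.append(analyze(f.read(), path))
    return results


if __name__ == "__main__":
    for r in scan_samples() + scan_live():
        mark = "PERSISTENT" if r["persistent"] else "on-demand "
        print(f"{mark} {r['label']:<28} {r['executable']} "
              f"[{codesign_status(r['executable'])}] ({r['origin']})")
```

On a real Mac the `scan_live()` pass is only a starting point: launchd jobs are one persistence location among the many the talk covers (login items, kernel extensions, and so on), and a job's plist can name a binary that is itself a signed Apple helper reading attacker-controlled arguments, so the executable path alone is not a verdict.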
Patrick is currently the Director of Research at Synack. He leads R&D efforts, ensuring the company remains on the cutting edge of cyber security.
Patrick began his professional computer science career at NASA, then was hired at the NSA as a global network exploitation and vulnerability analyst. While at the NSA, Patrick received several classified patents and helped lead a team which received NSA’s highest civilian team award. In 2008, Patrick left the NSA to help found Vulnerability Research Labs (VRL), which was bought in 2010. Patrick joined Synack in 2013.
Patrick has extensive experience analyzing malware and has authored several sophisticated malware detection tools. Currently, his focus is on the emerging threats of OS X and mobile malware. Besides malware analysis, Patrick is also a skilled vulnerability and exploitation analyst, and has found exploitable 0-days in major operating systems such as OS X and Windows and in popular applications such as Acrobat Reader.