1
00:00:00,000 --> 00:00:03,083
REMY BAUMGARTEN: All right, good afternoon, everybody.

2
00:00:03,459 --> 00:00:05,459
I'm Remy Baumgarten.

3
00:00:05,459 --> 00:00:07,999
I work at ANRC Services, and today I'm going to present

4
00:00:07,999 --> 00:00:11,999
a tool I've been working on for a little while now.

5
00:00:11,999 --> 00:00:14,125
And, you know, I hope you enjoy it.

6
00:00:14,125 --> 00:00:16,417
Some of the contact information is up here.

7
00:00:16,959 --> 00:00:18,459
If you want to take that down.

8
00:00:18,459 --> 00:00:22,167
Otherwise, I'll give you the link to the slides and the link to the tool

9
00:00:22,167 --> 00:00:25,000
at the end of the presentation.

10
00:00:26,042 --> 00:00:28,125
So a little bit about me.

11
00:00:28,334 --> 00:00:30,999
Again, I work for ANRC Services.

12
00:00:30,999 --> 00:00:33,542
I mostly do mobile malware talks.

13
00:00:33,542 --> 00:00:37,375
Here's a few of the cons I've done on my talk set.

14
00:00:37,459 --> 00:00:44,250
Presently I'm doing R&D at ANRC, mostly with iOS and Android.

15
00:00:44,626 --> 00:00:48,751
I also do security instruction for the company as well.

16
00:00:48,792 --> 00:00:50,667
Before that, I was a senior consultant

17
00:00:50,667 --> 00:00:53,834
on the malware team at Booz Allen Hamilton.

18
00:00:53,834 --> 00:00:57,999
And before that, I was an intern at Secure DNA.

19
00:00:57,999 --> 00:00:59,125
So why a new tool?

20
00:00:59,125 --> 00:01:00,751
There are a lot of new tools out there that are coming

21
00:01:00,751 --> 00:01:03,459
out all the time, especially at DEF CON.

22
00:01:03,501 --> 00:01:06,501
And I believe there is a gap that I wanted to fill.

23
00:01:06,751 --> 00:01:11,584
Especially in the area of Mac and malware analysis.

24
00:01:11,584 --> 00:01:13,876
I also believe that visualization is a great way

25
00:01:13,876 --> 00:01:16,959
to learn how complicated things work.
26
00:01:17,083 --> 00:01:18,918
And that's one of the reasons why we created this tool,

27
00:01:18,918 --> 00:01:20,209
Mach O Viz.

28
00:01:20,417 --> 00:01:22,501
There's also not many security products out there

29
00:01:22,501 --> 00:01:24,834
to analyze Mach O files.

30
00:01:24,834 --> 00:01:25,876
There are a few.

31
00:01:25,876 --> 00:01:27,083
I'm going to show you them.

32
00:01:27,083 --> 00:01:28,250
I'm going to show you the pros and cons, and what I'm going

33
00:01:28,250 --> 00:01:31,626
to show you is what I'll try to fill the gap in with.

34
00:01:31,709 --> 00:01:35,876
There's also a lack of web based, free reverse engineering tools to use

35
00:01:35,876 --> 00:01:37,626
on any device.

36
00:01:37,999 --> 00:01:42,626
Most of the tools require that you use Windows or Linux or Mac.

37
00:01:42,626 --> 00:01:45,334
In this case, you could use it on the iPad or Android, which

38
00:01:45,334 --> 00:01:47,334
is pretty unique.

39
00:01:47,375 --> 00:01:50,959
There's also a really strong need, at least from what I hear,

40
00:01:50,959 --> 00:01:53,999
about the ability to quickly identify malicious files

41
00:01:53,999 --> 00:01:57,792
and automatically create Snort signatures on the fly, especially

42
00:01:57,792 --> 00:02:00,667
to people without much training.

43
00:02:01,083 --> 00:02:06,501
So some of the tools that I've used that I really enjoy that, you know,

44
00:02:06,501 --> 00:02:10,918
were a big inspiration to this project were IDA Pro, otool,

45
00:02:10,918 --> 00:02:15,918
class-dump, MachOView, PTool, otool, NG and Hopper.

46
00:02:16,083 --> 00:02:20,584
A few of these, especially MachOView, have been really, really helpful

47
00:02:20,584 --> 00:02:25,999
in just basically making sure that everything I was doing was correct.

48
00:02:26,375 --> 00:02:30,542
So with this chart, you know, some of it's arguable.

49
00:02:30,542 --> 00:02:32,626
I did the best that I could to my ability.
50
00:02:32,709 --> 00:02:35,667
However, there's five categories right here.

51
00:02:35,667 --> 00:02:38,999
And with Mach O Viz, I tried to basically, I guess, checkmark

52
00:02:38,999 --> 00:02:40,999
in all of them.

53
00:02:40,999 --> 00:02:44,918
And that's making it graphical, having multiple architectures,

54
00:02:44,918 --> 00:02:49,959
making it network security aware, easy to understand and very easy

55
00:02:49,959 --> 00:02:51,375
to use.

56
00:02:51,709 --> 00:02:54,999
So basically the goal of the project again is to combine

57
00:02:54,999 --> 00:02:59,083
the features of all those programs and speed up the process, plus add this

58
00:02:59,083 --> 00:03:02,125
network security element to the mix.

59
00:03:02,209 --> 00:03:04,250
Ultimately, at the end of the day, the goal is to help

60
00:03:04,250 --> 00:03:07,125
the network defender understand the Mach O file format better

61
00:03:07,125 --> 00:03:09,125
and provide an effective and efficient way

62
00:03:09,125 --> 00:03:12,918
to analyze the particular binary for malicious behavior.

63
00:03:12,999 --> 00:03:16,959
So with that, introducing Mach O Viz in beta.

64
00:03:16,999 --> 00:03:21,834
It basically presents the Mach O binary in a visual format.

65
00:03:21,918 --> 00:03:23,626
For those of you that don't know what

66
00:03:23,626 --> 00:03:27,209
a Mach O file is, it's basically the file format used on iOS

67
00:03:27,209 --> 00:03:29,167
and Mac devices.

68
00:03:29,167 --> 00:03:32,959
If you're familiar with Windows, you're going to see the PE file format.

69
00:03:32,959 --> 00:03:35,751
And for Linux, it's going to be the ELF file format.

70
00:03:36,167 --> 00:03:38,999
And so basically, in turn, this makes it easier for anybody

71
00:03:38,999 --> 00:03:42,083
to see visually how the file is constructed.

72
00:03:42,083 --> 00:03:43,999
And it might not be that new of a concept to you

73
00:03:43,999 --> 00:03:46,167
if you've used IDA Pro.
74
00:03:46,167 --> 00:03:48,083
There's a little ribbon band at the top that shows you

75
00:03:48,083 --> 00:03:51,459
the whole entire file structure broken up.

76
00:03:51,459 --> 00:03:53,999
So we took that a step further with this tool, though, and you'll see

77
00:03:53,999 --> 00:03:56,292
in a minute how that works.

78
00:03:56,375 --> 00:03:58,999
So you're going to see the visual representation

79
00:03:58,999 --> 00:04:01,334
from the header through the load commands and

80
00:04:01,334 --> 00:04:04,834
into the corresponding sections and segments.

81
00:04:04,834 --> 00:04:08,709
It's also interactive, so you can zoom into the segments for more detail.

82
00:04:11,999 --> 00:04:15,584
In addition to that, we also wanted to create a back end graph

83
00:04:15,584 --> 00:04:18,709
and visualization plus an analytic system for graphing

84
00:04:18,709 --> 00:04:21,999
the binary's disassembly, very similar to what you're going

85
00:04:21,999 --> 00:04:26,083
to see in IDA or Hopper if you're familiar with that.

86
00:04:26,083 --> 00:04:31,250
Currently, we're only supporting these architectures right now: x86, x86/64,

87
00:04:31,250 --> 00:04:33,250
ARM 6 and 7.

88
00:04:33,626 --> 00:04:34,918
Again, that's only for Mach O.

89
00:04:34,918 --> 00:04:38,209
But we have the ability and we'd like to expand it if there

90
00:04:38,209 --> 00:04:41,751
is enough interest to other architectures.

91
00:04:41,999 --> 00:04:43,918
We also wanted to keep this program not only visual

92
00:04:43,918 --> 00:04:46,999
but also accessible again, so that means we could use a web browser

93
00:04:46,999 --> 00:04:49,292
and any other type of platform.

94
00:04:49,751 --> 00:04:52,292
Again, more design features.

95
00:04:52,501 --> 00:04:56,209
We wanted to keep the back end as Mac as possible.
96
00:04:56,209 --> 00:04:58,584
And by that, I mean that when Apple updates its

97
00:04:58,584 --> 00:05:02,542
specs for the Mach O file format, which it hasn't very recently,

98
00:05:02,542 --> 00:05:06,999
the tool's automatically already updated because the system's keeping

99
00:05:06,999 --> 00:05:10,542
up to date with everything Apple is doing.

100
00:05:10,626 --> 00:05:14,999
So it's, the whole entire tool is working in its native environment.

101
00:05:15,918 --> 00:05:19,542
And by that, it's always updating, relevant by default.

102
00:05:20,083 --> 00:05:22,626
We also get to gain access to the LLVM assembler

103
00:05:22,626 --> 00:05:27,209
for the most accurate assembly we could feed into our analytics engine.

104
00:05:27,209 --> 00:05:30,999
We also make use of many of the open source utilities app

105
00:05:30,999 --> 00:05:36,250
and many other web open source utilities for this project as well.

106
00:05:36,501 --> 00:05:39,083
So this is the main page of what the application looks

107
00:05:39,083 --> 00:05:41,751
like when you go to the website.

108
00:05:41,751 --> 00:05:44,417
At the very top, you're going to see a few different things that you

109
00:05:44,417 --> 00:05:46,417
could take a look at.

110
00:05:46,417 --> 00:05:48,542
The first is going to be the instructions.

111
00:05:48,542 --> 00:05:51,999
The white paper, which I really highly recommend you read if you want

112
00:05:51,999 --> 00:05:55,167
to really see how to use the application.

113
00:05:55,167 --> 00:05:56,999
There's about three malware samples that are

114
00:05:56,999 --> 00:05:59,709
walked through step by step.

115
00:06:00,083 --> 00:06:03,167
And it will show you exactly all the features and how to use it.

116
00:06:03,167 --> 00:06:06,167
I only have 20 minutes today, so I can't show you everything.
117
00:06:06,292 --> 00:06:07,999
There's also a FAQ and contact information,

118
00:06:07,999 --> 00:06:11,417
so essentially, all you need to do is upload your binary and then click

119
00:06:11,417 --> 00:06:13,125
the upload file.

120
00:06:13,125 --> 00:06:16,999
But before you do that, there is something I want to mention to you.

121
00:06:16,999 --> 00:06:19,709
When you actually do do this, if you're not familiar

122
00:06:19,709 --> 00:06:23,167
with how Mach O files work or how Apple packages their

123
00:06:23,167 --> 00:06:27,542
applications, this is an actual diagram of an IPA.

124
00:06:27,918 --> 00:06:31,501
An IPA is an iPhone application or iPad application.

125
00:06:31,501 --> 00:06:34,083
Essentially, it's a zip file, so if you change the .IPA

126
00:06:34,083 --> 00:06:37,083
to a zip and then you extract it and then you open

127
00:06:37,083 --> 00:06:39,999
up the Payload folder and then you right click,

128
00:06:39,999 --> 00:06:42,918
you can show package contents.

129
00:06:42,918 --> 00:06:43,584
And then inside that, you're going to see

130
00:06:43,584 --> 00:06:46,167
a whole entire directory containing database files and resources

131
00:06:46,167 --> 00:06:48,667
and then the actual binary itself.

132
00:06:49,667 --> 00:06:53,626
If you run file on one of these binaries, especially for, in this case,

133
00:06:53,626 --> 00:06:57,584
on the iPhone, you're going to see two architectures.

134
00:06:57,584 --> 00:07:00,584
In this case, for Facebook, you're going to see ARM Version 7,

135
00:07:00,584 --> 00:07:03,999
ARM Version 6, both Mach O ARM executables.

136
00:07:06,918 --> 00:07:09,501
So at the very top of the application, it's actually divided

137
00:07:09,501 --> 00:07:11,542
in two different parts.

138
00:07:11,999 --> 00:07:14,083
This is the visual file explorer.
139
00:07:14,083 --> 00:07:15,792
And at the very top, you can see that there's a key that

140
00:07:15,792 --> 00:07:18,999
will show you what all the colors mean along the way.

141
00:07:18,999 --> 00:07:21,542
So at the very top, you're going to see the header, the load commands,

142
00:07:21,542 --> 00:07:24,959
executable code, data, file architecture, Objective C, static info

143
00:07:24,959 --> 00:07:26,918
and code signature.

144
00:07:27,459 --> 00:07:29,584
And by clicking in any of these major segments,

145
00:07:29,584 --> 00:07:32,083
you basically could drill down to get further information

146
00:07:32,083 --> 00:07:35,209
about what is going on inside that file format.

147
00:07:35,209 --> 00:07:37,292
So in this example, I clicked on the file header itself,

148
00:07:37,292 --> 00:07:39,417
and you can see the magic number right there

149
00:07:39,417 --> 00:07:40,999
is feed face.

150
00:07:41,459 --> 00:07:47,250
And then the CPU type, which is 12, and then the CPU subtype, which is 9.

151
00:07:47,250 --> 00:07:50,250
And that basically just stands for ARM Version 7.

152
00:07:50,918 --> 00:07:53,751
In the future, we're going to add documentation pop ups, so

153
00:07:53,751 --> 00:07:57,459
if you could hover over anything, it will basically give you the information,

154
00:07:57,459 --> 00:07:59,999
more information about what exactly you're looking

155
00:07:59,999 --> 00:08:02,375
at in the visual file explorer.

156
00:08:02,792 --> 00:08:05,125
This is just the load commands.

157
00:08:05,125 --> 00:08:07,167
Again, another view of what it looks like when you're drilling

158
00:08:07,167 --> 00:08:10,834
down into different parts of the file format itself.
159
00:08:11,083 --> 00:08:14,459
The second part of the application is the graph visualizer,

160
00:08:14,459 --> 00:08:17,417
and this contains three major areas, the first being

161
00:08:17,417 --> 00:08:20,626
the interactive graph function search, the second being

162
00:08:20,626 --> 00:08:23,083
the security assessment, and the third being

163
00:08:23,083 --> 00:08:25,751
the graph data display pane.

164
00:08:25,751 --> 00:08:28,459
I'm going to show you what all three of those look like.

165
00:08:28,459 --> 00:08:31,667
And then I'm going to give you a demo of the application itself.

166
00:08:31,667 --> 00:08:34,459
So the first is the interactive graph function search.

167
00:08:34,459 --> 00:08:37,167
And at the very top left, I know it's kind of hard to see.

168
00:08:37,167 --> 00:08:38,792
But it says "functions."

169
00:08:38,792 --> 00:08:39,918
And it's basically going to do an analysis

170
00:08:39,918 --> 00:08:42,542
of the whole entire binary and give you a drop down menu

171
00:08:42,542 --> 00:08:45,876
of all the functions in the application itself.

172
00:08:45,876 --> 00:08:47,959
So when you select any of those functions, it's going

173
00:08:47,959 --> 00:08:50,250
to automatically draw that graph for you right

174
00:08:50,250 --> 00:08:52,999
below in the graph pane, okay?

175
00:08:52,999 --> 00:08:55,167
The second one and the third one, the names, xrefs

176
00:08:55,167 --> 00:08:58,999
and the strings, basically are going to list all the strings

177
00:08:58,999 --> 00:09:02,083
and the cross references for you.

178
00:09:02,083 --> 00:09:04,999
And when you select one of them, it's going to search the binary

179
00:09:04,999 --> 00:09:08,876
and then populate the results into the search results, which

180
00:09:08,876 --> 00:09:11,999
is the last drop down menu on the right.
181
00:09:11,999 --> 00:09:14,125
So whenever you select the names, xrefs or the strings,

182
00:09:14,125 --> 00:09:16,626
remember that the search results is going to contain

183
00:09:16,626 --> 00:09:18,626
all the functions that are going to have any

184
00:09:18,626 --> 00:09:22,709
of those references that you looked at when you did those searches.

185
00:09:24,417 --> 00:09:27,083
The second part is a security assessment.

186
00:09:27,083 --> 00:09:31,083
Right now, the way that we're doing this is we're identifying code segments which

187
00:09:31,083 --> 00:09:35,209
are using APIs and functions flagged as security risks.

188
00:09:35,250 --> 00:09:37,584
We're also identifying and automatically generating network

189
00:09:37,584 --> 00:09:40,709
and static style signatures for the binary.

190
00:09:40,751 --> 00:09:42,999
Basically, we're doing this in two ways.

191
00:09:42,999 --> 00:09:45,542
The first way, the network way, is by detecting network domains,

192
00:09:45,542 --> 00:09:48,083
IP addresses, URLs, web protocols embedded

193
00:09:48,083 --> 00:09:50,334
in the binary itself.

194
00:09:50,334 --> 00:09:52,667
And the second is calculating a unique binary signature

195
00:09:52,667 --> 00:09:55,167
for the file itself using the Mach O magic value

196
00:09:55,167 --> 00:10:00,000
in the file's header plus unique 16 bytes from the binary string table.

197
00:10:01,000 --> 00:10:03,000
Using those, we're going to basically get a Snort signature,

198
00:10:03,000 --> 00:10:05,209
which I will show you in a second.

199
00:10:05,667 --> 00:10:09,459
By selecting a potential security risk, the functions are located that contain

200
00:10:09,459 --> 00:10:10,999
the risk.

201
00:10:10,999 --> 00:10:14,834
So this is the security assessment, what it looks like, the pane itself.

202
00:10:16,167 --> 00:10:18,834
And if you see a drop down right here, you can see that I've selected

203
00:10:18,834 --> 00:10:20,709
the system function call.
204
00:10:20,709 --> 00:10:22,709
So by actually selecting that, it's going to fill

205
00:10:22,709 --> 00:10:26,125
in the search results which we saw just a minute ago, and it's going

206
00:10:26,125 --> 00:10:29,834
to show you all the functions in the application that are using that

207
00:10:29,834 --> 00:10:31,999
call in the application.

208
00:10:31,999 --> 00:10:34,542
So you can drill down directly to the places where those potential

209
00:10:34,542 --> 00:10:36,834
security risks will be.

210
00:10:36,834 --> 00:10:40,709
So your analyst can look exactly at what potential malicious behaviors

211
00:10:40,709 --> 00:10:43,626
might be inside that binary.

212
00:10:43,667 --> 00:10:47,042
So when I do that system, it's actually doing

213
00:10:47,042 --> 00:10:49,999
a search right here, yeah.

214
00:10:50,209 --> 00:10:53,709
(Laughing) SPEAKER: You know the drill.

215
00:10:53,709 --> 00:10:54,999
This is how it goes, right?

216
00:10:54,999 --> 00:10:55,999
What are we doing?

217
00:10:56,000 --> 00:10:57,999
Shot the n00b.

218
00:10:59,542 --> 00:11:01,167
All right.

219
00:11:02,959 --> 00:11:07,918
Do it as fast as we can because we know it's a short talk.

220
00:11:07,918 --> 00:11:08,918
All right.

221
00:11:08,918 --> 00:11:09,209
We need one person from the audience who is new,

222
00:11:09,209 --> 00:11:11,709
first hand right here, yellow shirt, let's go.

223
00:11:11,709 --> 00:11:12,709
Up on stage.

224
00:11:12,709 --> 00:11:16,709
Paul's not having a good time.

225
00:11:19,083 --> 00:11:21,709
Congratulations to all of you for getting up.

226
00:11:21,709 --> 00:11:23,167
How is the speaker doing so far?

227
00:11:34,626 --> 00:11:36,083
Doing okay?

228
00:11:43,999 --> 00:11:56,999
(Applause) SPEAKER: To our new speaker (Applause) SPEAKER: We

229
00:11:56,999 --> 00:12:03,709
have two more to do this hour.

230
00:12:04,999 --> 00:12:06,417
All right.

231
00:12:10,250 --> 00:12:12,334
Thanks a lot.
232
00:12:16,125 --> 00:12:19,626
(Applause) SPEAKER: He said he feels better all of a sudden.

233
00:12:19,999 --> 00:12:24,542
REMY BAUMGARTEN: So yeah, so by clicking that security scan result

234
00:12:24,542 --> 00:12:29,999
system, we're actually, you could see this little pop up here.

235
00:12:29,999 --> 00:12:31,876
That's basically looking through the whole entire binary

236
00:12:31,876 --> 00:12:34,918
and finding SPEAKER: Is he doing a good job?

237
00:12:36,250 --> 00:12:37,709
(Applause).

238
00:12:39,083 --> 00:12:40,751
REMY BAUMGARTEN: Thank you.

239
00:12:40,751 --> 00:12:42,999
So we find our three functions containing the reference system,

240
00:12:42,999 --> 00:12:46,918
and then we update the search results containing that.

241
00:12:46,918 --> 00:12:48,083
So if you look at the search results, you're going

242
00:12:48,083 --> 00:12:51,083
to see three functions where you click on it.

243
00:12:51,334 --> 00:12:53,999
And right here you can see the actual search results.

244
00:12:53,999 --> 00:12:57,626
Those are the functions containing the places you want to look at.

245
00:12:57,626 --> 00:12:58,626
All right.

246
00:12:58,626 --> 00:13:00,667
So the bottom, the last part, which contains most

247
00:13:00,667 --> 00:13:04,999
of the stuff you're going to be looking at, is the graph data display pane,

248
00:13:04,999 --> 00:13:07,999
and this is divided into six tabs.

249
00:13:07,999 --> 00:13:11,501
The first being the graph view, which is like your IDA-like interface.

250
00:13:11,501 --> 00:13:12,999
It's completely interactive.

251
00:13:12,999 --> 00:13:16,584
You can zoom, scale, highlight and a few other things.

252
00:13:16,584 --> 00:13:18,584
You're also going to have your hex view just

253
00:13:18,584 --> 00:13:23,417
like IDA, strings, Objective C, whether or not it be a class dump.

254
00:13:23,459 --> 00:13:26,083
Disassembly via LLVM disassembly.
255
00:13:26,083 --> 00:13:27,542
And then also network security, which is going

256
00:13:27,542 --> 00:13:29,999
to contain your Snort signatures.

257
00:13:30,292 --> 00:13:33,250
So the graph view right here, with the view highlights I've

258
00:13:33,250 --> 00:13:38,334
demonstrated, you can see it looks again very similar to IDA, Hopper.

259
00:13:38,334 --> 00:13:39,792
How are we doing this?

260
00:13:39,792 --> 00:13:42,542
Basically, we're parsing the otool disassembly of the binary,

261
00:13:42,542 --> 00:13:45,542
and then we're doing a lot of magic.

262
00:13:45,542 --> 00:13:48,417
I don't have too much time to talk about it, but we're turning it

263
00:13:48,417 --> 00:13:51,999
into Graphviz charts, and we're taking those Graphviz charts

264
00:13:51,999 --> 00:13:55,209
into HTML and placing them as SVG with JavaScript and CSS

265
00:13:55,209 --> 00:13:58,209
to give you all the visual effects.

266
00:13:58,999 --> 00:14:05,083
So the hex view, basically you click on the visual file explorer like this.

267
00:14:05,083 --> 00:14:07,999
So in this case, we're clicking on a dynamic loader info.

268
00:14:07,999 --> 00:14:11,292
And dynamic loader info is basically, if you're going to look at that, it's got

269
00:14:11,292 --> 00:14:14,542
all the information you're going to see for that particular type

270
00:14:14,542 --> 00:14:16,999
of information from the visual file pane, is going

271
00:14:16,999 --> 00:14:18,876
to be hex values.

272
00:14:18,876 --> 00:14:22,626
So this is what the hex values for the area look like.

273
00:14:22,626 --> 00:14:23,876
This is the second pane.

274
00:14:24,083 --> 00:14:25,834
The third pane is the strings.

275
00:14:25,834 --> 00:14:28,083
And the strings are displayed in full and provided with short names

276
00:14:28,083 --> 00:14:31,999
on the left for easier look up references within the code.
277
00:14:32,334 --> 00:14:36,292
If you look at the disassembly by itself with the tools Apple provides,

278
00:14:36,292 --> 00:14:39,125
it doesn't give you short names.

279
00:14:39,125 --> 00:14:42,250
So we had to develop an algorithm to actually do this and then have it

280
00:14:42,250 --> 00:14:44,334
cross reference to a particular area

281
00:14:44,334 --> 00:14:49,167
within the file format itself where these strings actually existed.

282
00:14:49,167 --> 00:14:51,959
So this is a little bit tougher than it looks.

283
00:14:52,959 --> 00:14:58,125
And for the Objective C part, we're using class-dump here.

284
00:14:58,125 --> 00:15:01,250
And class-dump basically generates headers from Mach O files,

285
00:15:01,250 --> 00:15:04,167
if you're not familiar with it.

286
00:15:04,167 --> 00:15:05,626
It's basically a reverse engineer's wet dream

287
00:15:05,626 --> 00:15:08,876
if you're working with the Mach O file format.

288
00:15:08,876 --> 00:15:09,876
It's awesome.

289
00:15:09,999 --> 00:15:11,918
And I'll show you an example of how effective that

290
00:15:11,918 --> 00:15:15,667
is when we're looking at one of the samples here in a minute.

291
00:15:15,667 --> 00:15:19,125
The third is the next, the next panel is a disassembly view, and this

292
00:15:19,125 --> 00:15:21,999
is taken from LLVM disassembly.

293
00:15:22,334 --> 00:15:25,250
Again, we're paginating here, so you could basically change how

294
00:15:25,250 --> 00:15:28,959
many lines you want and then just change pages.

295
00:15:28,999 --> 00:15:33,083
The last tab, which is the most useful to the network, network analyst,

296
00:15:33,083 --> 00:15:35,918
is the network security pane.

297
00:15:37,083 --> 00:15:39,834
And here you can see we developed some Snort signatures,

298
00:15:39,834 --> 00:15:42,209
and you can see some URLs, and you can basically plug

299
00:15:42,209 --> 00:15:45,167
and play these right into your IDS system.
300
00:15:45,667 --> 00:15:48,626
These are going to contain domains, IP addresses, URLs and protocols,

301
00:15:48,626 --> 00:15:52,375
if you, in fact, find that the file itself is malicious.

302
00:15:52,375 --> 00:15:54,292
The bottom is a file signature.

303
00:15:54,334 --> 00:15:56,999
And again, we're doing that unique 16 bytes

304
00:15:56,999 --> 00:16:00,876
from the string table that I talked about earlier.

305
00:16:01,083 --> 00:16:04,792
So with that, let me give you a demo of two examples

306
00:16:04,792 --> 00:16:08,125
of analyzing different samples.

307
00:16:08,125 --> 00:16:11,667
The first is the Yontoo Trojan, and the second is Mac Defender.

308
00:16:11,667 --> 00:16:13,542
A little bit of background about both.

309
00:16:13,542 --> 00:16:16,959
The Yontoo Trojan basically infects Chrome, Firefox and Safari

310
00:16:16,959 --> 00:16:18,751
on the Mac.

311
00:16:18,751 --> 00:16:22,250
It uses social engineering to install an HD plug-in.

312
00:16:22,751 --> 00:16:25,083
So let me pull up this video.

313
00:16:30,417 --> 00:16:31,751
Okay.

314
00:16:31,751 --> 00:16:33,959
So again, this is the front page, and I'm going to select

315
00:16:33,959 --> 00:16:36,751
the Yontoo Trojan, which is called custom installer,

316
00:16:36,751 --> 00:16:39,083
and I'm going to upload it.

317
00:16:41,292 --> 00:16:44,999
And at this point, it's going to analyze and generate the graphs.

318
00:16:44,999 --> 00:16:47,542
It's going to analyze all the assembly of the file.

319
00:16:47,542 --> 00:16:51,417
It's going to basically break apart all the functions, create the SVG files.

320
00:16:51,417 --> 00:16:54,083
It's going to, then it's going to do some optimization to minimize

321
00:16:54,083 --> 00:16:57,083
the network load, so when you pull it down, it's going

322
00:16:57,083 --> 00:16:59,125
to be a lot smaller.

323
00:16:59,292 --> 00:17:01,999
Also calculate the entry point right here.
324
00:17:02,999 --> 00:17:07,209
So this is what it looks like, the Yontoo Trojan.

325
00:17:07,209 --> 00:17:09,999
And you could see I'm opening up the header right here.

326
00:17:09,999 --> 00:17:11,999
And you can see a few different values.

327
00:17:11,999 --> 00:17:14,626
There's the magic number, the CPU type and so forth.

328
00:17:14,626 --> 00:17:16,209
Again, I clicked on the top level.

329
00:17:16,209 --> 00:17:17,167
And I'm looking at the load commands, and you can see

330
00:17:17,167 --> 00:17:19,792
all the different load commands here.

331
00:17:19,959 --> 00:17:23,626
And then I'm going to go down to the bottom and quickly look

332
00:17:23,626 --> 00:17:27,876
at the security assessment, and you can see that there's 16 security

333
00:17:27,876 --> 00:17:31,999
risks that we deemed are essential to look at.

334
00:17:31,999 --> 00:17:35,999
And with that, there's a few things I want to show you.

335
00:17:35,999 --> 00:17:37,459
This is the graph view.

336
00:17:37,459 --> 00:17:38,999
You can see I can move it around.

337
00:17:39,209 --> 00:17:40,959
This is the strings view.

338
00:17:41,417 --> 00:17:44,209
And you can see a bunch of potentially interesting URLs

339
00:17:44,209 --> 00:17:47,999
and file locations that are kind of sketchy that might immediately pop

340
00:17:47,999 --> 00:17:49,584
out to you.

341
00:17:55,959 --> 00:17:57,083
And then Objective C.

342
00:17:57,083 --> 00:18:00,876
So with Objective C, this is again class-dump.

343
00:18:00,876 --> 00:18:02,999
So I took a look ahead before and I found

344
00:18:02,999 --> 00:18:07,083
a really interesting method or interface method in here,

345
00:18:07,083 --> 00:18:10,959
and it's called extension installer.

346
00:18:10,959 --> 00:18:12,459
So this one immediately was pointed out, and one

347
00:18:12,459 --> 00:18:16,999
of the methods right here is called "install Safari extension."
348
00:18:16,999 --> 00:18:20,250
So basically what you can see right here is there's an address.

349
00:18:20,375 --> 00:18:23,709
So what I'm going to do is I'm going to copy that address and I'm going

350
00:18:23,709 --> 00:18:26,083
to plug it right into the functions right here,

351
00:18:26,083 --> 00:18:28,792
just paste it right in there, and then it's going

352
00:18:28,792 --> 00:18:32,751
to automatically generate the graph for me and then display this particular

353
00:18:32,751 --> 00:18:35,667
method, so you could take a look at exactly what's going

354
00:18:35,667 --> 00:18:38,709
on in this installation method itself.

355
00:18:38,834 --> 00:18:41,792
So this is a graph view, and I'm going to show you the whole entire size

356
00:18:41,792 --> 00:18:44,542
of the graph view by clicking zoom extents.

357
00:18:44,542 --> 00:18:45,292
This is the whole entire method displayed

358
00:18:45,292 --> 00:18:46,876
right here.

359
00:18:47,999 --> 00:18:49,999
So I'm going to zoom in.

360
00:18:50,334 --> 00:18:53,167
And I'm going to show you a few different things of what exactly

361
00:18:53,167 --> 00:18:56,626
is happening within this installation itself.

362
00:18:56,626 --> 00:19:01,834
The first thing you can see right here is STR library Safari extension.

363
00:19:01,876 --> 00:19:04,250
And that is a short name for the string which you can see

364
00:19:04,250 --> 00:19:06,375
at the bottom right here.

365
00:19:06,375 --> 00:19:07,709
So this is the URL.

366
00:19:07,751 --> 00:19:13,250
You probably can't see it, but it's library Safari extensions.

367
00:19:13,250 --> 00:19:14,751
And that's going to be the location of the directory

368
00:19:14,751 --> 00:19:17,999
of where they're going to want to install this.

369
00:19:19,999 --> 00:19:22,209
And that's a highlight right there.

370
00:19:24,209 --> 00:19:26,709
And then the next thing you're going to see

371
00:19:26,709 --> 00:19:29,751
is Safari extension plist short name.
372
00:19:29,751 --> 00:19:32,083
And then I'm going to go ahead and find that string over here

373
00:19:32,083 --> 00:19:34,999
and see exactly what that means.

374
00:19:40,083 --> 00:19:41,918
And you can see that.

375
00:19:41,918 --> 00:19:43,709
It actually is the extension .plist.

376
00:19:43,959 --> 00:19:47,083
So what I can kind of infer right now is they're actually modifying

377
00:19:47,083 --> 00:19:49,918
the extension plist for Safari.

378
00:19:50,083 --> 00:19:54,626
So looking further down in this routine, I'm basically looking

379
00:19:54,626 --> 00:19:57,083
for something else.

380
00:19:57,209 --> 00:19:59,250
Probably they're going to write a value.

381
00:19:59,250 --> 00:20:01,999
So taking a look further into this, I'm going to zoom

382
00:20:01,999 --> 00:20:07,459
in and see that essentially there's going to be a string called STR enabled.

383
00:20:07,459 --> 00:20:09,876
And they're going to be writing a 1 to it.

384
00:20:09,959 --> 00:20:13,250
So we're going to see an LEAQ, or load effective address.

385
00:20:23,999 --> 00:20:27,292
And from there, you can basically see that the value

386
00:20:27,292 --> 00:20:29,501
is turned on to 1.

387
00:20:29,709 --> 00:20:31,792
So that's enabled right there.

388
00:20:32,334 --> 00:20:34,626
There's a lot easier ways to do this.

389
00:20:34,626 --> 00:20:36,167
I wanted to show you the hard way.

390
00:20:36,167 --> 00:20:38,042
And so how much time left?

391
00:20:38,042 --> 00:20:39,042
Three minutes.

392
00:20:39,042 --> 00:20:40,042
Great.

393
00:20:40,042 --> 00:20:42,042
And for the strings, basically, I could have just gone

394
00:20:42,042 --> 00:20:46,667
to STR Safari extension right here, and it's basically going to show me

395
00:20:46,667 --> 00:20:50,501
the same exact graph that I pulled up before.

396
00:20:50,501 --> 00:20:54,334
So it's basically the reverse of what I was just doing.
397 00:20:58,959 --> 00:21:04,999 So looking down, it's going to show the same graph that I just had. 398 00:21:05,083 --> 00:21:09,459 So, due to shortness of time, let me skip forward a little bit. 399 00:21:09,459 --> 00:21:14,083 This is a disassembly view, and this is the snort pane right here. 400 00:21:14,083 --> 00:21:15,999 So, again, we have all our snort signatures 401 00:21:15,999 --> 00:21:21,209 of this Yontoo Trojan that we can plug directly into our IDS system. 402 00:21:21,209 --> 00:21:22,209 All right. 403 00:21:22,209 --> 00:21:24,999 So moving forward, the next one is Mac Defender. 404 00:21:24,999 --> 00:21:27,417 And we're going to build this chart right here. 405 00:21:27,999 --> 00:21:31,250 And right here, I just want to point out that Mac Defender 406 00:21:31,250 --> 00:21:34,292 is actually multiple architectures. 407 00:21:34,292 --> 00:21:36,083 That's why you saw two big blocks. 408 00:21:36,083 --> 00:21:38,999 One of them was x86 and the other one was x64. 409 00:21:39,292 --> 00:21:40,999 For this, this is really interesting 410 00:21:40,999 --> 00:21:44,083 because what we're going to do right here is we're going 411 00:21:44,083 --> 00:21:47,999 to find a method called "is file infected" because what Mac Defender 412 00:21:47,999 --> 00:21:50,250 is is a fake antivirus. 413 00:21:50,250 --> 00:21:52,918 So we're going to look for this interesting method called "is 414 00:21:52,918 --> 00:21:54,751 file infected." 415 00:21:54,876 --> 00:21:57,999 And by pulling this method up right here, we can see 416 00:21:57,999 --> 00:22:03,626 the whole entire routine that is going to be used for the actual virus 417 00:22:03,626 --> 00:22:07,999 detection for this application of this malware. 418 00:22:08,167 --> 00:22:14,167 So this is the entire antivirus routine. 
419 00:22:21,876 --> 00:22:24,999 So looking closely right here, you can see that, basically, this 420 00:22:24,999 --> 00:22:29,417 is the world's smallest AV file infection detection team. 421 00:22:29,999 --> 00:22:33,459 It uses a random number generator for scan time, 422 00:22:33,459 --> 00:22:38,417 and that's pretty much it for the way 423 00:22:38,417 --> 00:22:42,250 that this file actually scans 424 00:22:42,250 --> 00:22:44,083 these files. 425 00:22:44,083 --> 00:22:46,125 So just taking a look at one routine, due to shortness of time, 426 00:22:46,125 --> 00:22:48,209 it's very interesting. 427 00:22:48,209 --> 00:22:49,250 The last thing I want to show you today 428 00:22:49,250 --> 00:22:51,501 is the network security. 429 00:22:51,501 --> 00:22:55,834 So this is basically what you get at the end, snort sigs. 430 00:22:55,834 --> 00:22:57,375 These are mostly porn URLs. 431 00:22:57,375 --> 00:22:59,417 So what this application is doing is going to the net and entering 432 00:22:59,417 --> 00:23:01,375 a bunch of porn URLs. 433 00:23:01,375 --> 00:23:04,375 So you can put this all into your snort database right here. 434 00:23:04,375 --> 00:23:11,584 So with that, let me give you the links for this presentation. 435 00:23:12,959 --> 00:23:16,083 At the top, this is the beta URL. 436 00:23:16,667 --> 00:23:19,209 We don't have too much bandwidth capacity, so if you do hit it, 437 00:23:19,209 --> 00:23:22,959 you might have trouble if everybody starts hitting it at once. 438 00:23:22,959 --> 00:23:24,292 Just try it a little later. 439 00:23:24,292 --> 00:23:27,584 And below is a slides URL, too. 440 00:23:27,876 --> 00:23:33,626 The white paper is also listed on this Mach O Viz beta URL. 441 00:23:33,709 --> 00:23:36,459 And if you have any questions, I'll be over there outside, 442 00:23:36,459 --> 00:23:38,999 and I hope you enjoyed my talk. 
443 00:23:38,999 --> 00:23:40,083 Thank you, everybody.