Channel: BOT24

Paper: Revisiting Mac OS X Kernel Rootkits

In Phrack #66, ghalen and wowie wrote about interesting OS X kernel rootkit
techniques. That article is almost 4 years old and 4 major OS X releases behind.
Today Mountain Lion is king and many of the presented techniques are not valid
anymore - Apple reacted and closed those "holes".

One hand is enough to count the number of known rootkits targeting Apple's OS.
The most recent public release was Rubylin [2], a simple rootkit that works with
Lion (v10.7) (if you can read Korean there is a very interesting memory
forensics analysis at [3]).
The commercial spyware industry recently leaked DaVinci (aka OS.X/Crisis), a
user/kernel rootkit with some interesting features and flaws [4]. There are
rumours about FinFisher but no OS X leak happened yet. Everything else is too old
and outdated.

The main goal of this article is to update public knowledge and introduce some
"new" techniques so both offensive and defensive sides can improve. It is
focused on the current version at the time of this writing, Mountain Lion,
v10.8.2.

More here: http://phrack.org/papers/revisiting-mac-os-x-kernel-rootkits.html
