OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis

此文为关于MAC OSX系统的所有攻击脚本和溢出代码的收藏集。附带资源链接和相关讲解文档~mark下

'Tis the season.

Here is a nice collection of ~100 Mac OS malware and Word document exploits carrying MacOS payload (all are CVE-2009-0563) along with links for OSX malware analysis.

Please send your favorite tools for OSX if they are not listed.

CVE-2009-0563

CVE-2009-0563
Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."

Links

Some OSX malware analysis tools and links 

  • http://computer-forensics.sans.org/community/papers/gcfa/mac-os-malware-analysis_2286
  • http://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X
  • http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html

Tools
  • Activity Monitor (Max OSX Utilities folder)
  • MacMemoryze (support for Mountain Lion) free, 
  • Volatility (partial support for Mountain lion) free
  • fseventer (graphical event representation) - works on Mountain lion 
  • Wireshark
  • IDA pro
  • OSXpmem (kernel extension)
  • http://osxbook.com/ OSX internals
  • 2009 Mac OS X Malware Analysis Author: Joel Yonts
  • Apple OS X ABI Mach-O File Format Reference  
  • FileXray $79 but looks like it is worth it if you do OSX forensics
  • ...let us know what you use

Malware in the provided package - links to research and news articles

  • OSX_AoboKeylogger http://aobo.cc/
  • OSX_BackTrack-A
  • OSX_Boonana http://contagiodump.blogspot.com/2010/11/nov-14-javaboonana-facebook-trojan.html
  • OSX_ChatZum http://www.thesafemac.com/chatzum-discovered-in-another-installer/
  • OSX_Clapzok http://www.intego.com/mac-security-blog/clapzok-a-multi-platform-virus/ 
  • OSX_Crisis http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/
  • OSX_Dockster_Backdoor http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html
  • OSX_FkCodec http://www.thesafemac.com/osxfkcodec-a-in-action/
  • OSX_Flashback http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99
  • OSX_Fucobha_IceFog http://www.securelist.com/en/blog/208214064/The_Icefog_APT_A_Tale_of_Cloak_and_Three_Daggers
  • OSX_GetShell http://www.symantec.com/security_response/writeup.jsp?docid=2013-020412-3611-99
  • OSX_Hacktool_Hoylecann
  • OSX_HellRaiser http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
  • OSX_HellRTS http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
  • OSX_Hovdy_Backdoor http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Hovdy-A.aspx
  • OSX_Inqtana http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99&tabid=2
  • OSX_Iservice http://www.symantec.com/connect/blogs/osxiservice-it-s-not-going-iwork-you
  • OSX_Jahlav http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/
  • OSX_Kitmos http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html
  • OSX_Lamadai http://www.welivesecurity.com/2012/03/28/osxlamadai-a-the-mac-payload/
  • OSX_Leverage_A_Backdoor http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
  • OSX_LocalRoot https://www.trustedsec.com/august-2013/osx-10-8-4-local-root-privilege-escalation-exploit/
  • OSX_Macarena_A http://www.securelist.com/en/analysis/204791948/Mac_OS_X#macarena
  • OSX_MacDefender http://www.intego.com/mac-security-blog/macdefender-rogue-anti-malware-program-attacks-macs-via-seo-poisoning/
  • OSX_MacKontrol http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
  • OSX_Macsweeper http://en.securitylab.ru/viruses/311798.php
  • OSX_Miner_DevilRobber http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Miner-D/detailed-analysis.aspx
  • OSX_Olyx_Backdoor http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html
  • OSX_OpinionSpy http://www.f-secure.com/sw-desc/spyware_osx_opinionspy.shtml
  • OSX_PSides
  • OSX_Genieo http://www.thesafemac.com/malicious-genieo-installers-persist/
  • OSX_PUP_PerfectKeylog http://www.blazingtools.com/mac_keylogger.html
  • OSX_Renepo / Pintsized http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/
  • OSX_Revir http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html
  • OSX_Safari
  • OSX_SniperSpy http://www.sniperspymac.com/download.html
  • OSX_Wirenet http://www.webroot.com/blog/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/
  • OSX_Yontoo http://www.macrumors.com/2013/03/21/new-yontoo-adware-trojan-targets-major-browsers-on-os-x/
  • OSXWeapoX http://www.virusradar.com/OSX_Rootkit.Weapox.A/description
  • ------------------------------------
  • CVE-2009-0563 Word exploit
  • MacControl payload  http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
  • OSX.SabPubpayload http://www.securelist.com/en/blog/208193470/New_Version_of_OSX_SabPub_Confirmed_Mac_APT_attacks
  • OSX/Dockster.A payload  http://www.intego.com/mac-security-blog/new-targeted-attack-on-tibetan-activists-using-os-x-discovered/
  • OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html and http://blogs.technet.com/b/mmpc/archive/2012/04/30/an-interesting-case-of-mac-osx-malware.aspx



Download

Download all files listed below. Please email me if you need the password scheme
OSX_CrisisB_a32e073132ae0439daca9c82b8119009  
Additional older downloads

  1. OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html 
  2. misc OSX malware on contagio http://contagiodump.blogspot.com/search/label/-%20OSX
  3. 30 samples of ancient Mac OS malware http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html

List of files provided in this post

  1. OSX_AoboKeylogger_362D5DDB3924C625589B42030B66CA69
  2. OSX_BackTrack-A_B03276BFBF85CFDD7C8998004C1200DA
  3. OSX_Boonana_B3A0B0DA5AA01FF200CEBC8AF359A3C3
  4. OSX_ChatZum_487E5CD581587D63783CDD356DE9CF24
  5. OSX_ChatZum_57A4EB15CAA4FCC0A8F6AFBBD66C4859
  6. OSX_Clapzok_99FE5AD5FF514F5AAEA8E501DDBAF95B
  7. OSX_Crisis_04BBDA5B11FA0FD3C767CAF4719D6A4D
  8. OSX_Crisis_42C112036E319ED8DF0F55C7F4C0DA85
  9. OSX_CrisisBOSX_CrisisB_a32e073132ae0439daca9c82b8119009 _a32e073132ae0439daca9c82b8119009 
  10. OSX_Crisis_59FE83E0AE12E085E0FA301ECCA6776F
  11. OSX_Crisis_6F055150861D8D6E145E9ACA65F92822
  12. OSX_Crisis_A32E073132AE0439DACA9C82B8119009_Biglietto Visita
  13. OSX_Crisis_ACEC5F00057D3EC94849511F3EDDCB91
  14. OSX_Crisis_FAAB883598C8C379ACFD0B9DCCC93D0C
  15. OSX_Dockster_Backdoor_C6CA5071907A9B6E34E1C99413DCD142
  16. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF
  17. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF_Codec-M
  18. OSX_FkCodec_B4ECE10D1E706B87B065523A654D48A7_download.dmg
  19. OSX_FkCodec1C5AE9F1DD9FE6F506EAABD382925CA8_codec-M.safariextz
  20. OSX_Flashback_3DCB6D6A9EA8D9755EB61AE057B3D74A
  21. OSX_Flashback_9FCFE8EF92F51F1C29A26E1516EF7003_FlashPlayer-11-macos.pkg
  22. OSX_Flashback_C2819C3C183BBF7547CF76C6A004EA15_FlashPlayer-11-macos.pkg
  23. OSX_Fucobha_IceFog_A615DD792093191E9FC975132A2DB409A_CleanMyMac
  24. OSX_Fucobha_IceFog_B4249F9B49A9A177B4D2F4439373029A
  25. OSX_Fucobha_IceFog_CF1815491D41202EB8647341A8695E1E
  26. OSX_GetShell_68078CBD1A34EB7BE8A044287F05CCE4
  27. OSX_GetShell_AC99ACE403D31C7079C938F9B0FD0895
  28. OSX_GetShell_ACC2B4A595939F17F7D07DE2CF75CDC8
  29. OSX_Hacktool_Hoylecann_FED8E22AE6F080F9B05A309C7E48B5EF
  30. OSX_HellRaiser_CA74984601287459AFB7B39EBEBDD394
  31. OSX_HellRTS.AH_KeystrokeRecorder X Pref Editor_C19377D07A234D1585D85F8FA3CF77FB
  32. OSX_HellRTS_F1AD75AEB4B4C2883DF2221C8804DA2A.AH
  33. OSX_Hovdy_Backdoor_FED713CAC7012D25F60B236E6DDCF513
  34. OSX_Inqtana.zip
  35. OSX_Iservice_4C9E7EE7C0F5C19C68B45CA6C81F8D62
  36. OSX_Iservice_E34BA325F3EEB8DF07A09EE9FBF1071D
  37. OSX_Jahlav_12F32EACBB3CD2C5623EE6976A51913A_QuickTime.xpt
  38. OSX_Jahlav_CCB72243EF478EEFE90B5898EC32389B
  39. OSX_Jahlav_D7DDF72D17F889C2C5B302AC0A5FBDC5
  40. OSX_Jahlav_FB79A75A6152EF47BBF88AE8544545CC.pl
  41. OSX_Jahlav_flash.zip
  42. OSX_Kitmos_A_39FAA22EB9D6B750EC345EFCB38189F5
  43. OSX_Kitmos_A_3AA9C558D4D5F1B2A6D3CE47AA26315F
  44. OSX_Kitmos_A_B3D49091875DE190F200110C2F2032D4
  45. OSX_Lamadai_20F0D0CE8A413A51EB16DEE860021E6A
  46. OSX_Lamadai_DE90189F040494E3708D83A33E37E40E
  47. OSX_Leverage_A_Backdoor_C425D2BE8B4AF733A44EC1518F182BE8
  48. OSX_LocalRoot_3DC01743FB42E917E9F9EDE5009F10CD
  49. OSX_Macarena_A_BFC7B7B9D3E1DF9D6E1A31D3E7BED628
  50. OSX_MacDefender_8AE7163C7C3C02564A4C69DF1F7C483E_Archive.pax
  51. OSX_MacDefender_E187F4071723808560E135647245562A_Archive.pax
  52. OSX_MacKontrol_89C35C057655E67580EFD0FF8242D960
  53. OSX_MacKontrol_E88027E4BFC69B9D29CAEF6BAE0238E8_matiriyal.dmg
  54. OSX_Macsweeper_4836CC480796386ED6929C38E5AAD525
  55. OSX_Miner_DevilRobber_417369B713F1A5F3A3DC0DAF76BDCFD6
  56. OSX_Miner_DevilRobber_EE2BA586232007FA41703EB120AC7408
  57. OSX_Miner_F8EBF03E88928EBF91A8420E3D5993FE
  58. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F
  59. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F_Current events 2009 July 5
  60. OSX_OpinionSpy_C98AE54F4BE1082B4E82548D7511077E_Crystal-Clock-screensaver.zip
  61. OSX_OpinionSpy_CC33C95C59372AFCA60A0552A58D0EF8_Crystal-Clock-screensaver.zip
  62. OSX_PSides_32F4792B1141BA259067F9613E2E88B5
  63. OSX_PUP_AABEDBAAB63EF19657A3A82C930CCE18_Genieo_InstallGenieo.dmg
  64. OSX_PUP_PerfectKeylog_1B192319C8F41036A2D6B8E987809D42
  65. OSX_Renepo_80753666A54A8AE97BD6ED3A4E2F3702
  66. OSX_RevirA_FE4AEFE0A416192A1A6916F8FC1CE484_revir-a.dmg
  67. OSX_RevirC_Imuler_7DBA3A178662E7FF904D12F260F0FFF3
  68. OSX_Safari_B24C0E60AF3D3E836FBE8A92FBCC8EB7.dat
  69. OSX_SniperSpy
  70. OSX_Wirenet_50D4F0DA2E38874E417BD13B59F4C067
  71. OSX_Wirenet_B56AD86A4BACEF92EF46D36EABEF6467
  72. OSX_Wirenet_D048F7AE2D244A264E58AF67B1A20DB0
  73. OSX_Yontoo_16ACCB0ABC051D667640B1EE4FF3A7A1
  74. OSX_Yontoo_7C433B3AC0E8072BA5E6B57298E1B28B
  75. OSXWeapoX_7FDEBB5FEC63FB3739A79A66265BB765
EXPLOITS
OSX_CVE-2009-0563 targeting Tibetan and Uyghur activists (filenames shortened here)
  1. 0DA957B9B952420241F945A9A2C52A50_C2-alma.apple.cloudns.org_ParticipantsArrivalDeparture.doc
  2. 0E5110493FD197813068310E57467B44_C2-alma.apple.cloudns.org _Uighur Han unrest.doc
  3. 0E945428D07464EC33EBDFF5712FE788_C2-update.googmail.org_Jenwediki yighingha.doc
  4. 1218840F3B66832CC58C33C75AD3D419_C2-update.googmail.org_Uyghur_Xitayning Yengi Rehberlik.doc
  5. 1CE3C4A8907A242250D366586711CBDC_C2-alma.apple.cloudns.org _Rabiye_hanim_bilen_Dolkun_Isa.doc
  6. 2567399683111CFCB838C5DA80DF181D_Tibetan Parliament urges World to take concrete step on Tibet.doc
  7. 28821C5FD38B11EE630D87961C11A3D7_DUQning reyisi namzatlar isimliki.doc
  8. 3D28AE551B9BD4C62FFC6C72F5668D96_Tibet_The United Nations Commission for Human Rights.doc
  9. 3D90D04C09C6B4D5D52888C89BDE9685_Tibetan Parliament urges World.doc
  10. 567ECE88B2D6F4F12F0D0760C30605EE_C2-apple12.crabdance.com_list.doc
  11. 58A0A5824A6B30EA7EEBBB51818AE04B_uYGHUR_Jenwe yinghinining xeweri.doc
  12. 786A7D1A1DCEC50E6A89E3CC8F33A3AE_Uyghur_Dunya Uyghur Qurultayigha iane qilish toghrisida.doc
  13. 7D7A5C530A7DBF24C42145A0EFCC8669_kurban-bayrami.doc
  14. 8618BCCB98F7D20634EBEDC488981E86_C2-update.googmail.org_email73.doc
  15. 908116A30F53EDF9D1749E3F0F267680_Website-TGSL.doc
  16. 9F9F96D5C882528D08315201042647DF_C2-update.googmail.org_Uyghur_The Duke Program.doc
  17. BA76DE3471497A8B1858AF4A8C700AE1_www.uyghurcongress.org.doc
  18. C024E159A96F3292915B257070FC3325_Sartin-TGSL.doc
  19. DD7C486BC17772A5E96425271FA5ED4D_c2-apple12.crabdance.com_10. Jahresgedenktag.doc
  20. E510AE50B0344EFBE1F8888771C7446C_www.tughlan.com.doc
  21. E683339BCCFDEB0F06C7E567F2C284C5_Planning for action.doc
  22. ECE44C00D46BE019AFF38FD5D31B9110_C2-update.googmail.org_UAA 2012 Saylam Komtiti saylam.doc
  23. F81775C93F7337E0664F1D106E13C7B3_C2-update.googmail.org_Uyghur_Human Rights Education.doc
  24. FBE399BF714184ED7FEA313F36A86514_C2-apple12.crabdance.com_Uyghur_Putun Dunyadiki Sherqi.doc
  25. MacOSSabpub-A_43F281076E185E55BECE7EB2F0EC8164.doc

   via@

你可能感兴趣的:(osx,mac,resources,malware,exploit)