If you suspect that your Mac OS X system might be infected with a rootkit, you can use ESET Rootkit Detector to scan it. If the application detects a rootkit on your system, Control-click (or right-click) the threat and then select Show details from the context menu.

Persisting from EFI rather than from the operating system's own volume allows such rootkits to survive major system updates and even reinstallations, since a standard reinstall does not reformat the EFI system partition. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant."
Last week ESET released a tool for OS X. I finally took a look at it today and, as I suspected, it is useless (unless rootkit authors are not reading my slides, as ESET does not seem to). The only thing it appears to be doing is to check whether sysent pointers have been modified. Let's be honest, it's useless, in particular when they mention they have limited visibility into OS X rootkits. So the way to improve it is to release a tool that only verifies old tricks from known rootkits. That's the way to go!
The tool loads a kernel extension that retrieves some information such as the kernel ASLR slide and the sysent table. Just by looking at the code you know this is a fail. It will not work on Mavericks, since the sysent structure is different there, as my SyScan360 slides show. It is also extremely easy to detect using the same trick used to attack the memory dumpers (once again, SyScan360 slides). A device called esysent is created by the kernel extension. Just hook `devfs_make_node`, look for this device name, and when it is detected play with it.
Game over, flawless victory! To prove how useless it is, I just loaded my PoC rootkit using the shadow sysent method and the ESET tool says there is no rootkit loaded. The system is safe.
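As an added illustration of why a pointer-only sysent check misses the shadow sysent method (example code written for this page, not fG!'s PoC rootkit or ESET's detector): a constructed user-space model in which the syscall dispatcher reaches the table through a reference the rootkit can retarget. Every function and variable name here is an assumption of the model; the real `struct sysent` has more fields, and XNU's dispatcher holds the table address in its code rather than in a variable.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the XNU syscall table. The real struct sysent
 * has more fields (and its layout changed in Mavericks); only sy_call matters here. */
typedef int (*sy_call_t)(int arg);

struct sysent {
    sy_call_t sy_call;
};

#define NSYSCALL 4
#define SYS_OPEN 3

static int sys_exit(int a)  { (void)a; return 0; }
static int sys_read(int a)  { return a + 1; }
static int sys_write(int a) { return a + 2; }
static int sys_open(int a)  { return a + 3; }

/* The table the kernel was built with. */
static struct sysent sysent[NSYSCALL] = {
    { sys_exit }, { sys_read }, { sys_write }, { sys_open }
};

/* Pristine copy of the pointers a detector compares against. */
static const struct sysent known_good[NSYSCALL] = {
    { sys_exit }, { sys_read }, { sys_write }, { sys_open }
};

/* The dispatcher reaches the table through a reference that lives outside the
 * table itself. A shadow-sysent rootkit retargets that reference instead of
 * editing entries, so the original table stays byte-for-byte intact. */
static struct sysent *dispatch_table = sysent;

static int syscall_dispatch(int num, int arg)
{
    return dispatch_table[num].sy_call(arg);
}

/* The hook both rootkit variants install: make every open() fail. */
static int hooked_open(int a) { (void)a; return -1; }

/* Classic rootkit: overwrite the entry in place. */
static void rootkit_classic(void)
{
    sysent[SYS_OPEN].sy_call = hooked_open;
}

/* Shadow-sysent rootkit: copy the table, hook the copy, repoint the dispatcher. */
static struct sysent shadow[NSYSCALL];

static void rootkit_shadow(void)
{
    memcpy(shadow, sysent, sizeof sysent);
    shadow[SYS_OPEN].sy_call = hooked_open;
    dispatch_table = shadow;
}

/* The check the post describes: walk the original table and compare pointers.
 * Returns 1 if a modified entry is found, 0 if the table looks clean. */
static int entry_pointer_check(void)
{
    for (int i = 0; i < NSYSCALL; i++)
        if (sysent[i].sy_call != known_good[i].sy_call)
            return 1;
    return 0;
}

/* A check that also verifies which table the dispatcher actually uses. */
static int dispatcher_aware_check(void)
{
    if (dispatch_table != sysent)
        return 1;
    return entry_pointer_check();
}

/* Restore the clean state so the two scenarios can run back to back. */
static void reset_state(void)
{
    memcpy(sysent, known_good, sizeof sysent);
    dispatch_table = sysent;
}

int main(void)
{
    reset_state();
    rootkit_classic();
    printf("classic hook: open() -> %d, entry check = %d\n",
           syscall_dispatch(SYS_OPEN, 0), entry_pointer_check());

    reset_state();
    rootkit_shadow();
    printf("shadow hook:  open() -> %d, entry check = %d, dispatcher check = %d\n",
           syscall_dispatch(SYS_OPEN, 0), entry_pointer_check(),
           dispatcher_aware_check());
    return 0;
}
```

The model makes one point: the integrity of the entries in the table is meaningless unless the detector also verifies that the kernel still dispatches through that table. In the model that is a pointer comparison; on a real kernel it means checking the table address the syscall handler's code actually references, which is exactly the part a kext-based scanner is worst placed to do once a rootkit is already resident.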
Besides the useless scanning technique used, its design can't work. It requires a driver to analyse what is happening inside the kernel, and that is the weakest link. A rootkit can easily control and react to drivers being loaded.
The real problem is that there is no Apple-supported interface for interacting with kernel memory in a default install (/dev/kmem can be enabled with the kmem=1 boot-arg, which is not the default). I doubt Apple will ever restore /dev/kmem by default or implement a secure interface for this kind of stuff, because there is no such thing as OS X rootkit(s), right? Conclusion: don't trust this tool or any other tool that promises point-and-click rootkit hunting. The game is a bit harder, and you can't win it with this kind of tool. ESET, at least read my slides, ok? Have fun, fG!
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access (with demos & source), by Igor Korkin (@IgorKorkin). Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, the hardware virtualization technologies in recent Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT.
We have checked this concept by developing MemoryMonRWX, a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. It also has the following competitive advantages: fine-grained analysis, support for multi-core CPUs, and support for 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.