Cem Gurkok (Threat Intelligence R&D Manager, Verizon Terremark)
LAB TITLE: Hunting for OS X Rootkits in Memory
LAB ABSTRACT:
The OS X kernel has been increasingly targeted by malicious players due to the shrinking attack surface.
Currently there are tools that perform rudimentary detection of OS X rootkits, such as executable replacement or direct function interception (e.g. the Rubilyn rootkit). Advanced rootkits are more likely to perform harder-to-detect modifications, such as function inlining, shadow syscall tables, and DTrace hooks.
In this presentation I will explore how the OS X syscall table and other kernel functions are attacked with these techniques and how to detect these modifications in memory using the Volatility Framework. The presentation will include demonstrations of system manipulation on a live system and the subsequent detection using the new Volatility Framework plugin.
ABOUT CEM GURKOK
Cem Gurkok, CISSP, CISA, is the Threat Intelligence R&D Manager at Verizon Terremark. He specializes in cloud computing security, system security architecture, incident response, digital forensics, malware analysis, litigation consulting, and research and development of security software. He has worked with various Fortune 500 companies throughout the world. Cem has recently presented at the Open Source Memory Forensics Workshop (OMFW) and the EuroForensics Conference on Windows Incident Response, has published a paper about automated evidence extraction and malware behavior analysis at the International Security and Cryptology Conference, and has written articles about cloud computing security and incident response for ComputerWorld Online.